pztva.dll



#1 jfpobrien


Posted 26 June 2004 - 06:09 AM

Every time I start IE I get directed to a home page at res://pztva.dll/index#37049. I also get one of 4 different pop up overlays notifying me that I have a spyware infection and giving me a link to clear it. The link always takes me to
http://search-all-fa...spyware removal.
This presents a list of spyware removal products.

If I use a search engine, within seconds a new window opens full of smut from http://search-to-find.com/(my search term) &pin=37049

Ad-aware finds and deletes stuff. HijackThis also identifies pztva items and I fix them. However, as soon as I restart IE it all recurs.

I have found one strange BHO
O2 - BHO: (no name) - {EEBDA647-16F8-72B7-4407-0E1262875BA6} - C:\WINDOWS\SYSTEM\NTQY32.DLL

There are also four unexplained O4 items
O4 - HKLM\..\Run: [SDKOJ.EXE] C:\WINDOWS\SDKOJ.EXE
O4 - HKLM\..\RunServices: [CRIH32.EXE] C:\WINDOWS\CRIH32.EXE
O4 - HKLM\..\RunServices: [NETTS.EXE] C:\WINDOWS\NETTS.EXE
O4 - HKLM\..\RunServices: [IENQ32.EXE] C:\WINDOWS\SYSTEM\IENQ32.EXE

None of these 4 programs is visible in C:\WINDOWS.

I have followed instructions and read FAQs but my problems persist. HijackThis log file follows.

John
Logfile of HijackThis v1.97.7
Scan saved at 11:06:57, on 26/06/2004
Platform: Windows ME (Win9x 4.90.3000)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\SSDPSRV.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE
C:\WINDOWS\SYSTEM\ZONELABS\MINILOG.EXE
C:\PROGRAM FILES\MCAFEE.COM\VSO\MCVSRTE.EXE
C:\WINDOWS\SYSTEM\TABLET.EXE
C:\WINDOWS\SYSTEM\D3BZ.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\HPSYSDRV.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\ADAPTEC\DIRECTCD\DIRECTCD.EXE
C:\WINDOWS\SYSTEM\LVCOMS.EXE
C:\PROGRAM FILES\MCAFEE.COM\AGENT\MCAGENT.EXE
C:\PROGRAM FILES\MCAFEE.COM\VSO\MCVSSHLD.EXE
C:\PROGRAM FILES\MCAFEE.COM\VSO\MCVSESCN.EXE
C:\WINDOWS\LOADQM.EXE
C:\WINDOWS\SYSTEM\MSTMON_P.EXE
C:\WINDOWS\SDKOJ.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\NETROPA\MULTIMEDIA KEYBOARD\MMKEYBD.EXE
C:\WINDOWS\RunDLL.exe
C:\PROGRAM FILES\ZONE LABS\ZONEALARM\ZONEALARM.EXE
C:\PROGRAM FILES\NETROPA\MULTIMEDIA KEYBOARD\TRAYMON.EXE
C:\PROGRAM FILES\NIELSENNETRATINGS\BIN\INSIGHT.EXE
C:\PROGRAM FILES\MEMORY TOOLKIT\MEMOKIT.EXE
C:\PROGRAM FILES\WACOM\TABUSERW.EXE
C:\PROGRAM FILES\MACOPENER\MACNAME.EXE
C:\PROGRAM FILES\MCAFEE.COM\VSO\MCVSFTSN.EXE
C:\WINDOWS\INTEGRATOR.EXE
C:\DOWNLOAD\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system\pztva.dll/sp.html#37049
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://pztva.dll/index.html#37049
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://pztva.dll/index.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system\pztva.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://pztva.dll/index.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system\pztva.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:8010
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;setup.msn.com;memberservices.msn.com
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\windows\googletoolbar2.dll
O2 - BHO: (no name) - {EEBDA647-16F8-72B7-4407-0E1262875BA6} - C:\WINDOWS\SYSTEM\NTQY32.DLL
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - C:\PROGRAM FILES\MCAFEE.COM\VSO\MCVSSHL.DLL
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [Adaptec DirectCD] C:\Program Files\ADAPTEC\DIRECTCD\DIRECTCD.EXE
O4 - HKLM\..\Run: [LVComs] C:\WINDOWS\SYSTEM\LVComS.exe
O4 - HKLM\..\Run: [MCAgentExe] C:\PROGRA~1\MCAFEE.COM\AGENT\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\MCAFEE.COM\AGENT\MCUPDATE.EXE
O4 - HKLM\..\Run: [VirusScan Online] "C:\PROGRA~1\MCAFEE.COM\VSO\mcvsshld.exe"
O4 - HKLM\..\Run: [LexStart] Lexstart.exe
O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\MCAFEE.COM\VSO\MCMNHDLR.EXE" /checktask
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [MacLicense] "C:\Program Files\MacOpener\MacLic.exe"
O4 - HKLM\..\Run: [Lexmark X83 Button Monitor] C:\PROGRA~1\LEXMAR~1\ACMonitor_X83.exe
O4 - HKLM\..\Run: [Lexmark X83 Button Manager] C:\PROGRA~1\LEXMAR~1\AcBtnMgr_X83.exe
O4 - HKLM\..\Run: [KONICA MINOLTA magicolor2300WStatusDisplay] C:\WINDOWS\SYSTEM\MSTMON_P.EXE
O4 - HKLM\..\Run: [SDKOJ.EXE] C:\WINDOWS\SDKOJ.EXE
O4 - HKLM\..\Run: [HPScanPatch] C:\WINDOWS\SYSTEM\HPScanFix.exe
O4 - HKLM\..\Run: [HPStart] c:\hp\hpcoach\hpstart.wsf
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [MULTIMEDIA KEYBOARD] C:\Program Files\Netropa\Multimedia Keyboard\MMKeybd.exe
O4 - HKLM\..\Run: [iPodManager] C:\Program Files\iPod\bin\iPodManager.exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM\..\RunServices: [SSDPSRV] C:\WINDOWS\SYSTEM\ssdpsrv.exe
O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
O4 - HKLM\..\RunServices: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\RunServices: [TrueVector] C:\WINDOWS\SYSTEM\ZONELABS\VSMON.EXE -service
O4 - HKLM\..\RunServices: [MiniLog] C:\WINDOWS\SYSTEM\ZONELABS\MINILOG.EXE -service
O4 - HKLM\..\RunServices: [McVsRte] C:\PROGRA~1\MCAFEE.COM\VSO\mcvsrte.exe /embedding
O4 - HKLM\..\RunServices: [Tablet] C:\WINDOWS\SYSTEM\Tablet.exe
O4 - HKLM\..\RunServices: [CRIH32.EXE] C:\WINDOWS\CRIH32.EXE
O4 - HKLM\..\RunServices: [Keyboard Manager] C:\Program Files\Netropa\One-touch Multimedia Keyboard\MMKeybd.exe
O4 - HKLM\..\RunServices: [NETTS.EXE] C:\WINDOWS\NETTS.EXE
O4 - HKLM\..\RunServices: [IENQ32.EXE] C:\WINDOWS\SYSTEM\IENQ32.EXE
O4 - HKLM\..\RunServices: [JAVACV32.EXE] C:\WINDOWS\JAVACV32.EXE
O4 - HKLM\..\RunServices: [D3BZ.EXE] C:\WINDOWS\SYSTEM\D3BZ.EXE
O4 - HKCU\..\Run: [Taskbar Display Controls] RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [MSMSGS] "C:\PROGRA~1\MESSEN~1\msmsgs.exe" /background
O4 - Startup: Nielsen NetRatings.lnk = C:\Program Files\NielsenNetRatings\bin\insight.exe
O4 - Startup: MemoKit.lnk = C:\Program Files\Memory toolkit\mk.exe
O4 - Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: AntiCrash.lnk = C:\Program Files\Dachshund Software\AntiCrash\AntiCrash.exe
O4 - Startup: Hare.lnk = C:\Program Files\Dachshund Software\Hare\Hare.exe
O4 - Startup: TabUserW.lnk = C:\Program Files\Wacom\TabUserW.exe
O4 - Startup: MacName.lnk = C:\Program Files\MacOpener\MacName.exe
O4 - Global Startup: ZoneAlarm.lnk = C:\Program Files\Zone Labs\ZoneAlarm\zonealarm.exe
O4 - Global Startup: NetShow PowerPoint Helper.lnk = C:\Program Files\NetShow Services\Tools\nsppthlp.exe
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O12 - Plugin for .ivr: C:\PROGRA~1\INTERN~1\PLUGINS\NPRVRT32.dll
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
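
A triage pass over the kind of log posted above, as an added example that is not part of the original post: it flags IE page settings that point at a `res://` resource inside a local DLL, and `Run`/`RunServices` values whose name is identical to the file they launch, the pattern shared by the four O4 items the poster singled out. The function name, rule labels and the name-equals-filename heuristic are assumptions of this example; hits are candidates for manual review, not verdicts.

```python
import ntpath
import re

# Constructed sample: a few lines copied from the HijackThis log in the post above.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://pztva.dll/index.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system\pztva.dll/sp.html#37049
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [SDKOJ.EXE] C:\WINDOWS\SDKOJ.EXE
O4 - HKLM\..\RunServices: [CRIH32.EXE] C:\WINDOWS\CRIH32.EXE
O4 - HKLM\..\RunServices: [Tablet] C:\WINDOWS\SYSTEM\Tablet.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
"""

# R0-R3: IE page settings. O4 (registry form): autostart values under Run*.
R_ENTRY = re.compile(r"^R[0-3] - (?P<key>.+?),(?P<name>.+?) = (?P<value>.*)$")
O4_ENTRY = re.compile(r"^O4 - HK\w+\\\.\.\\Run\w*: \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")
EXE_PATH = re.compile(r'^"?(.+?\.exe)\b', re.IGNORECASE)


def triage(log_text):
    """Return (rule, detail, line) tuples for entries worth a manual look."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        r = R_ENTRY.match(line)
        if r and r["value"].lower().startswith("res://"):
            # res://<module>/<resource>: IE renders a page embedded in a local DLL.
            module = r["value"][len("res://"):].split("/", 1)[0]
            findings.append(("ie-page-from-dll", ntpath.basename(module).lower(), line))
            continue
        o4 = O4_ENTRY.match(line)
        if o4:
            exe = EXE_PATH.match(o4["cmd"])
            # Heuristic (assumption of this example): value name == file name.
            if exe and ntpath.basename(exe[1]).lower() == o4["name"].lower():
                findings.append(("run-name-equals-filename", exe[1], line))
    return findings


if __name__ == "__main__":
    for rule, detail, _ in triage(SAMPLE_LOG):
        print(f"{rule:26} {detail}")
```
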

#2 jfpobrien


Posted 26 June 2004 - 01:02 PM

I have managed to clear this problem by using a combination of software products. I learned about them in other posts in this forum.

Before running software I disabled browser helper objects in internet options advanced.

I started with a new, free virus checker, Avast. Despite having McAfee running permanently on my PC, Avanti identifies the Win32 Ralpha trojan.

I then went into safe mode and ran Ad-aware, resulting in 9 objects being quarantined and removed.

I then ran HijackThis, which identified 3 items clearly linked to pztva.dll. I fixed these.

Next I ran About Buster which found another 5 suspicious items which were dealt with.

I reset the internet options to my chosen home page, restarted in normal mode and all was fine.

Feeling confident, I now tried to reinstall the Google toolbar which had disappeared. In order to do this I had to re-enable browser helper objects.

As soon as I installed the Google toolbar, Avast went mad and identified a new trojan Win32 Trojano - 180.

When I looked at my IE settings the pztva was back.

I had to go through it all over again. I deleted all references to Google toolbar in HijackThis. Avast identified 2 trojans Win32 trojano - 173 and Win32 Ralpha.
A further 6 infected files were identified and dealt with. Worryingly, there were 11 infected files in C:\_RESTORE\TEMP which could not be dealt with by Avast - it was denied access.

All seems to be stable now and I will never re-install the Google toolbar, nor will I re-enable browser helper objects.

Thanks to other posters for their careful commentary on fixes.

John

Edited by jfpobrien, 26 June 2004 - 02:42 PM.




