superponcho

res://<random>.dll/sp.html#96676. problems...

11 posts in this topic

Yeah, I'm having problems with the res://<random>.dll/sp.html#96676 hijacker...

I've tried to follow the tutorials on how to manually remove it and I am experienced with spyware removal, yet I am still having problems. Any help?

 

I boot in safe mode, run adware, remove whatever I can,

run HijackThis, remove whatever I can,

manually remove the 2 - 3 application files (9 kb for application) and 69 kb for dll files... I also remove the main random.dll file that displays your homepage... and also remove the 89 kb random dll file in system32... I also reboot 2 or 3 times in safe mode / normal mode and scan everything again and find nothing at all

 

I can completely clean my system of hidden files and it still reoccurs,

I use regedit to remove the ___Nvservices_3 or whatever in the

HKey_Local_Machine > system > Current control set > Enum or services

 

Any suggestions on what the problem is? Is it because the file is tied into iexplore.exe and it reoccurs? If you have any suggestions or info about any other files I could be missing, it would be greatly appreciated...

 

Also, if you need to see my HijackThis logs, just ask and I will post them.


I guess you can't really explain well if I don't show you the HijackThis log, so here it is.

netev.exe is the current file that's running this. I decided I'd post a HijackThis log after the system had all of the hijack problems reoccurring.

 

 

 

StartupList report, 6/28/2004, 3:13:10 PM

StartupList version: 1.52

Started from : C:\unzipped\hijackthis\HijackThis.EXE

Detected: Windows XP SP1 (WinNT 5.01.2600)

Detected: Internet Explorer v6.00 SP1 (6.00.2800.1106)

* Using default options

==================================================

 

Running processes:

 

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE

C:\WINDOWS\System32\CTsvcCDA.EXE

C:\WINDOWS\System32\nvsvc32.exe

C:\WINDOWS\System32\MsPMSPSv.exe

C:\Program Files\Creative\ShareDLL\CtNotify.exe

C:\Program Files\Winamp\winampa.exe

C:\WINDOWS\ntgw32.exe

C:\Program Files\Creative\ShareDLL\MediaDet.Exe

C:\Program Files\MSN Messenger\msnmsgr.exe

C:\WINDOWS\netev.exe

C:\Program Files\Winamp\winamp.exe

C:\unzipped\hijackthis\HijackThis.exe

 

--------------------------------------------------

 

Listing of startup folders:

 

Shell folders Common Startup:

[C:\Documents and Settings\All Users\Start Menu\Programs\Startup]

Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe

Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE

 

--------------------------------------------------

 

Checking Windows NT UserInit:

 

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]

UserInit = C:\WINDOWS\system32\userinit.exe,

 

--------------------------------------------------

 

Autorun entries from Registry:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run

 

NvCplDaemon = RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup

nwiz = nwiz.exe /install

 

--------------------------------------------------

 

Autorun entries from Registry:

HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce

 

netev.exe = C:\WINDOWS\netev.exe

 

--------------------------------------------------

 

Autorun entries from Registry:

HKCU\Software\Microsoft\Windows\CurrentVersion\Run

 

MSMSGS = "C:\Program Files\Messenger\msmsgs.exe" /background

Steam =

 

--------------------------------------------------

 

Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:

 

Shell=*INI section not found*

SCRNSAVE.EXE=*INI section not found*

drivers=*INI section not found*

 

Shell & screensaver key from Registry:

 

Shell=Explorer.exe

SCRNSAVE.EXE=C:\WINDOWS\System32\logon.scr

drivers=*Registry value not found*

 

Policies Shell key:

 

HKCU\..\Policies: Shell=*Registry key not found*

HKLM\..\Policies: Shell=*Registry value not found*

 

--------------------------------------------------

 

 

Enumerating Browser Helper Objects:

 

(no name) - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}

(no name) - C:\WINDOWS\system32\addly32.dll - {EC3AD07F-3DBE-C7B3-AD29-010A94FC8B05}

 

--------------------------------------------------

 

Enumerating Download Program Files:

 

[QuickTime Object]

InProcServer32 = C:\Program Files\QuickTime\QTPlugin.ocx

CODEBASE = http://www.apple.com/qtactivex/qtplugin.cab

 

[Musicnotes Viewer]

InProcServer32 = C:\WINDOWS\Downloaded Program Files\mnviewer.dll

CODEBASE = http://www.musicnotes.com/download/mnviewer.cab

 

[shockwave ActiveX Control]

InProcServer32 = C:\WINDOWS\system32\Macromed\Director\SwDir.dll

CODEBASE = http://download.macromedia.com/pub/shockwa...director/sw.cab

 

[Web P2P Installer]

InProcServer32 = C:\WINDOWS\Downloaded Program Files\WebP2PInstaller.dll

 

[{33564D57-0000-0010-8000-00AA00389B71}]

CODEBASE = http://download.microsoft.com/download/F/6...922/wmv9VCM.CAB

 

[{69432678-2906-2705-1128-068943397621}]

 

[update Class]

InProcServer32 = C:\WINDOWS\System32\iuctl.dll

CODEBASE = http://v4.windowsupdate.microsoft.com/CAB/...7860.4654282407

 

[shockwave Flash Object]

InProcServer32 = C:\WINDOWS\System32\macromed\flash\Flash.ocx

CODEBASE = http://download.macromedia.com/pub/shockwa...ash/swflash.cab

 

[McFreeScan Class]

InProcServer32 = C:\WINDOWS\McAfee.com\FreeScan\mcfscan.dll

CODEBASE = http://download.mcafee.com/molbin/iss-loc/...304/mcfscan.cab

 

--------------------------------------------------

 

Enumerating ShellServiceObjectDelayLoad items:

 

PostBootReminder: C:\WINDOWS\system32\SHELL32.dll

CDBurn: C:\WINDOWS\system32\SHELL32.dll

WebCheck: C:\WINDOWS\System32\webcheck.dll

SysTray: C:\WINDOWS\System32\stobject.dll

 

--------------------------------------------------

End of report, 5,418 bytes

Report generated in 0.031 seconds

 

Command line options:

/verbose - to add additional info on each section

/complete - to include empty sections and unsuspicious data

/full - to include several rarely-important sections

/force9x - to include Win9x-only startups even if running on WinNT

/forcent - to include WinNT-only startups even if running on Win9x

/forceall - to include all Win9x and WinNT startups, regardless of platform

/history - to list version history only


I also have the same exact problem,

which I posted under the subject SDKUQ32.DLL,

the culprit I believe according to findnfix.

 

Timothy


superponcho,

 

Please post a HijackThis log (that's a StartupList). After Scan, the Scan button changes to Save log. Click that, save it somewhere. Do Ctrl-A to Select all, and then copy and paste it here.


cnm, is this what you want??

Thanks for helping, btw.

 

 

 

Logfile of HijackThis v1.97.7

Scan saved at 12:16:49 AM, on 6/29/2004

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\System32\DRIVERS\CDANTSRV.EXE

C:\WINDOWS\System32\CTsvcCDA.EXE

C:\WINDOWS\System32\nvsvc32.exe

C:\WINDOWS\System32\MsPMSPSv.exe

C:\Program Files\Creative\ShareDLL\CtNotify.exe

C:\Program Files\Winamp\winampa.exe

C:\WINDOWS\ntgw32.exe

C:\Program Files\Creative\ShareDLL\MediaDet.Exe

C:\WINDOWS\netev.exe

C:\Program Files\MSN Messenger\msnmsgr.exe

C:\Program Files\Winamp\winamp.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\unzipped\hijackthis\HijackThis.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\uqmis.dll/sp.html#96676

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://uqmis.dll/index.html#96676

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://uqmis.dll/index.html#96676

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\uqmis.dll/sp.html#96676

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://uqmis.dll/index.html#96676

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\uqmis.dll/sp.html#96676

O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx

O2 - BHO: (no name) - {EC3AD07F-3DBE-C7B3-AD29-010A94FC8B05} - C:\WINDOWS\system32\addly32.dll

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [CTStartup] C:\Program Files\Creative\SBAudigy\Program\CTEaxSpl.EXE /run

O4 - HKLM\..\Run: [Jet Detection] C:\Program Files\Creative\SBAudigy\PROGRAM\ADGJDet.exe

O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe

O4 - HKLM\..\Run: [Disc Detector] C:\Program Files\Creative\ShareDLL\CtNotify.exe

O4 - HKLM\..\Run: [updmgr] C:\Program Files\Common files\updmgr\updmgr.exe

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe

O4 - HKLM\..\Run: [ntgw32.exe] C:\WINDOWS\ntgw32.exe

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - HKLM\..\RunOnce: [netev.exe] C:\WINDOWS\netev.exe

O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000

O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll

O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab

O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnotes.com/download/mnviewer.cab

O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwa...director/sw.cab

O16 - DPF: {1D6711C8-7154-40BB-8380-3DEA45B69CBF} (Web P2P Installer) -

O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/F/6...922/wmv9VCM.CAB

O16 - DPF: {69432678-2906-2705-1128-068943397621} -

O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/...7860.4654282407

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab

O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/...304/mcfscan.cab


Bump. cnm, can you still help?

I rebooted in safe mode, had the latest ref file for Ad-Aware...

said 0 files found

I ran HijackThis, removed all the rest of the problems

then manually checked the registry and removed anything if it was left

I also removed the hidden dlls and hidden exes in the Windows folder and system32 that were 9 kb for application and 69 / 89 kb for dll

Am I missing anything?

 

I can run safe mode and nothing appears, it will not reoccur

but within the reboot of normal mode, it's back

What the hell is going on?

Share this post


Link to post
Share on other sites

Hi superponcho,

 

cnm asked me to step in here and try to help. You can read the link that was posted, but the following should work for you.

 

Run HijackThis again and place a check beside each of the following items. Once done click the fix checked button.

 

O2 - BHO: (no name) - {EC3AD07F-3DBE-C7B3-AD29-010A94FC8B05} - C:\WINDOWS\system32\addly32.dll

O4 - HKLM\..\Run: [ntgw32.exe] C:\WINDOWS\ntgw32.exe

O4 - HKLM\..\RunOnce: [netev.exe] C:\WINDOWS\netev.exe

 

Download About:Buster from either of the following locations.

 

http://www.atribune.org/downloads/AboutBuster.zip

or

http://tools.zerosrealm.com/AboutBuster.zip

 

Make sure you have printed this page and close ALL Internet Explorer windows. This is a very important step!!

 

Run AboutBuster.exe, click ok, then start, then OK. This will scan your computer for the files responsible for hijacking your home and/or search settings/page.

 

Reboot and post a new HijackThis log along with the report from About:Buster.
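
A triage pass over the HijackThis log posted in this thread, as an added example that is not part of the original posts and is not HijackThis or About:Buster code: it flags IE start/search pages set to a res:// URL inside a local DLL, unnamed BHOs under the Windows directory, and autorun executables sitting directly in the Windows root. The three heuristics, the `review_candidates` name and the `WINDIR` value are assumptions made for this illustration.

```python
import re
from ntpath import basename, dirname, normpath

WINDIR = r"C:\WINDOWS"  # assumption: Windows directory as it appears in the posted log

# Excerpt of the HijackThis v1.97.7 log posted earlier in this thread.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\uqmis.dll/sp.html#96676
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://uqmis.dll/index.html#96676
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {EC3AD07F-3DBE-C7B3-AD29-010A94FC8B05} - C:\WINDOWS\system32\addly32.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
O4 - HKLM\..\Run: [ntgw32.exe] C:\WINDOWS\ntgw32.exe
O4 - HKLM\..\RunOnce: [netev.exe] C:\WINDOWS\netev.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
"""

RES_RE = re.compile(r"^R[01] - .+? = res://(?P<dll>[^/]+?\.dll)/", re.I)
BHO_RE = re.compile(r"^O2 - BHO: \(no name\) - \{[0-9A-F-]+\} - (?P<path>.+)$", re.I)
RUN_RE = re.compile(r"^O4 - HK\w+\\\.\.\\(?P<key>Run\w*): \[[^\]]+\] (?P<cmd>.+)$")


def review_candidates(log_text, windir=WINDIR):
    """Return (reason, file) pairs worth a manual look. Heuristics, not verdicts."""
    win = windir.lower()
    found = []
    for line in map(str.strip, log_text.splitlines()):
        if m := RES_RE.match(line):
            # IE start/search page served from a resource inside a local DLL.
            found.append(("ie-page-res-url", basename(m["dll"]).lower()))
        elif (m := BHO_RE.match(line)) and m["path"].lower().startswith(win + "\\"):
            # Unnamed Browser Helper Object whose DLL sits under the Windows directory.
            found.append(("unnamed-bho-in-windir", basename(m["path"]).lower()))
        elif m := RUN_RE.match(line):
            cmd = normpath(m["cmd"].strip('"'))
            # Autorun .exe directly in the Windows directory root, not a subfolder.
            if dirname(cmd).lower() == win and cmd.lower().endswith(".exe"):
                found.append((m["key"].lower() + "-exe-in-windir-root", basename(cmd).lower()))
    return found


if __name__ == "__main__":
    for reason, name in review_candidates(SAMPLE_LOG):
        print(f"{reason:28} {name}")
```

On this excerpt the BHO and the two autorun entries that get flagged are the same three items listed for fixing in the post above. Run and RunOnce keys are ignored in Safe Mode by default, which is consistent with the hijack staying away in Safe Mode and returning after a normal boot.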


OSC & cnm, you both are f****** amazing!!

It is gone!! All gone!!!

omg!

 

Whoever created that CWS stuff should burn in hell.... At least thanks to people like cnm and OSC, we have some pros that can help remove that crap!!

Thank you again, OSC and cnm.


Glad we could help. :)

 

If you need this topic reopened, please request this by sending the moderating team an email with the address of the thread. This applies only to the original topic starter. Everyone else please begin a New Topic.

This topic is now closed to further replies.