
New BHO file



#1 cessna152


Posted 06 July 2004 - 06:08 AM

C:\Windows\system32\msvg.dll

I can't find this file on my system. If I delete the entry using HT or regedit it reappears when I log on again.
I suspect this is the cause of the IE hijack problem - frequent pop-ups (from my local system), changes to IE's search, default URL, homepage etc.

Used up-to-date spybot but it's not much help.

Used HT to fix browser problems but there must be something I'm missing.
Can anyone help?




#2 cessna152


Posted 07 July 2004 - 07:44 AM

Well, I think I've finally cleared this stuff off my system.
I'm not sure what actually did this; it could have been removing the CLSID associated with the BHO by using regedit whilst running in safe mode. I also ran AboutBuster; this didn't find the BHO but something else:
LEGACY___NS_Service_3 Key
(it removed this but it does this every time AboutBuster is run so I'm not sure what's going on)

I also found where the popup image files were hidden. These were in a file named "MSFT", which was located in each user's Local Settings\Temporary Internet Files folder (this is on XP Home). It was necessary to be logged on as another user to 'see' this hidden folder. Also, the main html file named 'console' or any of the other files could not be found using Windows file search. They were also not cached. Crafty sods.

I'd still like to find out how a spoof CLSID entry for a non-existent dll can cause such problems. Microsoft have a lot to answer for by allowing BHOs to be so powerful and for having such an obscure and complicated architecture.

Thanks to all involved who provide the information for us to control this malware.
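
An added example, not part of the original posts: a PowerShell check that lists every registered Browser Helper Object, resolves its CLSID to the DLL named under InprocServer32, and flags entries whose DLL cannot be found on disk, the situation described in the first post. The function name and status labels are made up for this illustration.

```powershell
# Added example: audit Browser Helper Object (BHO) registrations.
# Reads the native registry view only; 32-bit BHOs on 64-bit Windows
# are registered under WOW6432Node and are not covered here.
$BhoRoot   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
$ClsidRoot = 'Registry::HKEY_CLASSES_ROOT\CLSID'

function Get-BhoAudit {   # hypothetical helper name
    if (-not (Test-Path -LiteralPath $BhoRoot)) { return }

    foreach ($key in Get-ChildItem -LiteralPath $BhoRoot) {
        $clsid  = $key.PSChildName                      # subkey name is the CLSID
        $inproc = "$ClsidRoot\$clsid\InprocServer32"
        $dll    = $null
        $status = 'NoClsidEntry'                        # BHO key with no COM registration

        if (Test-Path -LiteralPath $inproc) {
            # The unnamed (default) value of InprocServer32 is the DLL path.
            $raw = (Get-Item -LiteralPath $inproc).GetValue('')
            if ([string]::IsNullOrWhiteSpace($raw)) {
                $status = 'NoDllPath'
            } else {
                $dll = [Environment]::ExpandEnvironmentVariables($raw.Trim('"'))
                if (-not [IO.Path]::IsPathRooted($dll)) {
                    $status = 'RelativePath'            # resolved via DLL search order
                } elseif (Test-Path -LiteralPath $dll -PathType Leaf) {
                    $status = 'Present'
                } else {
                    $status = 'MissingOnDisk'           # not visible to this account
                }
            }
        }

        [pscustomobject]@{
            Clsid     = $clsid
            Dll       = $dll
            Status    = $status
            CheckedAt = (Get-Date).ToString('s')
        }
    }
}

Get-BhoAudit | Sort-Object Status | Format-Table -AutoSize
```

Running it before and after a logon shows whether a deleted entry has been written back.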



