Hi everybody!

My name is mat and this is my first post on the board.

I've run adaware and spybot search and destroy in there most updated forms.

Heres my problem;

My browser is constantly set to open to res://ovcrw.dll/index.html#96676

Also when I perform a search I get a second window that comes up with loans, viagra prescription, stuff like that.

Here is my hijackthis logfile and I just want to say thank you in advance to anybody that can help me out.

cheers;

-Mat

Logfile of HijackThis v1.98.0
Scan saved at 5:18:28 PM, on 31/07/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\d3ot32.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\wintx.exe
C:\WINDOWS\SYSTEM32\tbctray.exe
C:\DOCUME~1\Mat\Desktop\Programs\FAST2.EXE
C:\Program Files\SpeedswitchXP\SpeedswitchXP.exe
C:\Program Files\TM1184\ControlUtility\ControlUtility.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Mat\Local Settings\Temp\Temporary Directory 2 for hijackthis.zip\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\ovcrw.dll/sp.html#96676
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://ovcrw.dll/index.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://ovcrw.dll/index.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\ovcrw.dll/sp.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\ovcrw.dll/sp.html#96676
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://ovcrw.dll/index.html#96676
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R3 - Default URLSearchHook is missing
F0 - system.ini: Shell=
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {44A73433-E13D-79D4-D26D-9CDD83E71551} - C:\WINDOWS\iedj32.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [wintx.exe] C:\WINDOWS\wintx.exe
O4 - HKLM\..\Run: [TraySantaCruz] C:\WINDOWS\SYSTEM32\tbctray.exe
O4 - HKLM\..\RunOnce: [sdkqt.exe] C:\WINDOWS\sdkqt.exe
O4 - HKLM\..\RunOnce: [d3ot32.exe] C:\WINDOWS\system32\d3ot32.exe
O4 - HKLM\..\RunOnce: [javaof32.exe] C:\WINDOWS\system32\javaof32.exe
O4 - HKLM\..\RunOnce: [crio32.exe] C:\WINDOWS\system32\crio32.exe
O4 - HKCU\..\Run: [FAST Defrag] C:\DOCUME~1\Mat\Desktop\Programs\FAST2.EXE -tray
O4 - HKCU\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKCU\..\Run: [Ultimate Popup Blocker] C:\Program Files\Ultimate Pop-up Blocker\Ultimate Pop-up Blocker.exe
O4 - HKCU\..\Run: [SpeedswitchXP] C:\Program Files\SpeedswitchXP\SpeedswitchXP.exe
O4 - Global Startup: Dell Control Utility.lnk = ?
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &iSearch The Web - res://C:\WINDOWS\System32\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {91663649-416A-42A5-8E54-B63C1ECA0548} - (no file)
O9 - Extra 'Tools' menuitem: PopThis! Options... - {91663649-416A-42A5-8E54-B63C1ECA0548} - (no file)
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {03F998B2-0E00-11D3-A498-00104B6EB52E} (MetaStreamCtl Class) - https://components.viewpoint.com/MTSInstallers/MetaStream3.cab?url=http://www.bmw.com/generic/ca/en/products/highlights/5series/sedan/phase_5/vet.htm
O16 - DPF: {1C78AB3F-A857-482E-80C0-3A1E5238A565} - ms-its:mhtml:file://C:\ss.MHT!http://toolbar.isearch.com/install/00003/chm.chm::/files/initial.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/20021205/qtinstall.info.apple.com/borris/us/win/QuickTimeInstaller.exe
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.apple.com.edgesuite.net/detection/ITDetector.cab
O18 - Protocol: icoo - {4A8DADD4-5A25-4D41-8599-CB7458766220} - C:\WINDOWS\msopt.dll

Hi!

Please try the following:

1) boot into safe mode
2) Ensure the following processes are not running (using the task manager). If they are, stop them.

wintx.exe
C:\WINDOWS\sdkqt.exe
C:\WINDOWS\system32\d3ot32.exe
C:\WINDOWS\system32\javaof32.exe
C:\WINDOWS\system32\crio32.exe


3) Remove the following entries with hijackthis
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about_:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\ovcrw.dll/sp.html#96676
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://ovcrw.dll/index.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://ovcrw.dll/index.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\ovcrw.dll/sp.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about_:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\ovcrw.dll/sp.html#96676
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://ovcrw.dll/index.html#96676
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about_:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Int ernet Settings,ProxyOverride = 127.0.0.1
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {44A73433-E13D-79D4-D26D-9CDD83E71551} - C:\WINDOWS\iedj32.dll
O4 - HKLM\..\Run: [wintx.exe] C:\WINDOWS\wintx.exe
O4 - HKLM\..\RunOnce: [sdkqt.exe] C:\WINDOWS\sdkqt.exe
O4 - HKLM\..\RunOnce: [d3ot32.exe] C:\WINDOWS\system32\d3ot32.exe
O4 - HKLM\..\RunOnce: [javaof32.exe] C:\WINDOWS\system32\javaof32.exe
O4 - HKLM\..\RunOnce: [crio32.exe] C:\WINDOWS\system32\crio32.exe
O4 - Global Startup: Dell Control Utility.lnk = ?
O8 - Extra context menu item: &iSearch The Web - res://C:\WINDOWS\System32\toolbar.dll/SEARCH.HTML
O9 - Extra button: (no name) - {91663649-416A-42A5-8E54-B63C1ECA0548} - (no file)
O9 - Extra 'Tools' menuitem: PopThis! Options... - {91663649-416A-42A5-8E54-B63C1ECA0548} - (no file)
O16 - DPF: {03F998B2-0E00-11D3-A498-00104B6EB52E} (MetaStreamCtl Class) - https://components.viewpoint.com/MT...phase_5/vet.htm
O16 - DPF: {1C78AB3F-A857-482E-80C0-3A1E5238A565} - ms-its:mhtml:file://C:\ss.MHT!http://toolbar.isearch.com/install/...les/initial.cab
O18 - Protocol: icoo - {4A8DADD4-5A25-4D41-8599-CB7458766220} - C:\WINDOWS\msopt.dll

4) Do step 2 again.

5) Delete these files from your hard drive, making sure you have hidden files/folders visible

2) Ensure the following processes are not running (using the task manager). If they are, stop them.

c:\windows\wintx.exe
C:\WINDOWS\sdkqt.exe
C:\WINDOWS\system32\d3ot32.exe
C:\WINDOWS\system32\javaof32.exe
C:\WINDOWS\system32\crio32.exe

Hi, thanks for the reply ... 2 questions.

1) how do you boot into "safe mode"?

2) where do you find the files that you aske4d me to manually delete?

ALso I searched for these answers and read the forum ettiquette so sorry if I some how missed this inof in there.

Thanks again

Mat

To go into safe mode, you press the F8 key on your keyboard while the PC is loading, then select "Safe Mode" from the list.

Those files can be found by going into 'My Computer' and clicking on the 'Windows' directory on the left side - some of the files will be on the right after that, then clicking on 'system32' under 'Windows' on the left again, the rest of the files will be there.

You may need to click on "Show the contents of this folder" when you go into those folders, because usually they're hidden by default.

Welcome to Short-Media!

thanks ... I went into safe mode o.k. but a couple of things went wrong.

ALl of the registry keys did not show up when I ran hijackthis in safe mode. I deleted 15 od the 23 reccommended to me above. The other 8 were not there. Also I could not find the files I needed to delete manually. I made sure to put show all hiddden files. Maybe I will look again. Are the files I suppose to delete manually the 23 registry keys or the 4 items I am suppose to ensure are not running. the c:\windows ... ones?

The stuff I did delete obviously just came back.

Thanks for your help.

I used the search to try and find the files I need to manually delete.

I was looking for the file c:\WINDOWS\sdkqt.exe

Te only thing that came up on search was

c:\WINDOWS\prefetch ... sdkqt.exe-1e5ae6d3.pf

Is that the right file?

No, it's not. It's the prefetch cache for that file, but it's not the actual file. See, the problem is that every time you reboot, it comes back under a new name.... We need to find out the hidden reloader's name and delete that.