Subject: Internet Explorer has been Hijacked
Category: Computers > Security
Asked by: andrewconrad-ga
List Price: $2.00
Posted: 26 Jun 2004 16:03 PDT
Expires: 26 Jul 2004 16:03 PDT
Question ID: 366737
Each time I open Internet Explorer, something loads the homepage "res://dyyyc.dll/index.html#37049" and a pop-up loads for some spyware ad. The irony is that this is clearly spy/adware doing this. I've tried to run spyware programs such as "Pest Patrol" to no avail (not for lack of looking - it cleared out 200 other instances). I've also tried changing my start page back, and clearing all cookies. What could be doing this, and how do I turn it off? -andrwe

There is no answer at this time.

Subject: Re: Internet Explorer has been Hijacked
From: wflash-ga on 26 Jun 2004 16:44 PDT

Hi,

After a 10 minute Google search I can figure out the following: This kind of "hijackware" usually changes its behaviour (name, files, etc) from time to time. In some cases the latest version of Adaware, for instance, is able to clean your computer. Be sure you run the latest version of the software. If that doesn't work, you'll have to try some manual procedures. Another useful piece of software is HijackThis (http://www.spychecker.com/program/hijackthis.html). Run it and post the log here.

I'll give you some clues for you to start. First, perform a search for the file "sdkqh32.dll". If it exists, it may be responsible for the hijacking. Then, read this similar case: http://forums.techguy.org/showthread.php?t=237754

Try some Google searches for: sdkqh32.dll index.html#37049 Browser Hijacking

Important: Always download the latest bug fixes from Windows Update!

Good luck.
Subject: Re: Internet Explorer has been Hijacked
From: ra_ar-ga on 27 Jun 2004 16:40 PDT

Hello, wflash. Would you please take a look at this log. Tell me if anything looks suspicious. Thanks in advance.

Logfile of HijackThis v1.97.7
Scan saved at 7:35:35 PM, on 6/27/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe
C:\Program Files\Panda Software\Panda Titanium Antivirus 2004\Pavsrv51.exe
C:\WINDOWS\system32\ZONELABS\vsmon.exe
C:\Program Files\Panda Software\Panda Titanium Antivirus 2004\AVENGINE.EXE
C:\Program Files\Panda Software\Panda Titanium Antivirus 2004\APVXDWIN.EXE
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\CallWave\IAM.exe (*this is internet answering machine)
C:\Program Files\Panda Software\Panda Titanium Antivirus 2004\WebProxy.exe
C:\wincmd\WINCMD32.EXE (*windows commander, something like good-old Norton commander)
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\PROGRA~1\NEOTRA~1\NeoWait.exe (*Neotrace)
C:\Program Files\ACD Systems\ACDSee\ACDSee.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\System32\CMMON32.EXE
D:\Downloads\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 212.122.167.136:80
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {A5366673-E8CA-11D3-9CD9-0090271D075B} - C:\PROGRA~1\FLASHGET\jccatch.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [APVXDWIN] "C:\Program Files\Panda Software\Panda Titanium Antivirus 2004\APVXDWIN.EXE" /s
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Internet Answering Machine.lnk = C:\Program Files\CallWave\IAM.exe
O8 - Extra context menu item: Download All by FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: Download using FlashGet - C:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {26CBF141-7D0F-46E1-AA06-718958B6E4D2} - http://download.ebay.com/turbo_lister/US/install.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst0401.cab
O16 - DPF: {89D75D39-5531-47BA-9E4F-B346BA9C362C} (CWDL_DownLoadControl Class) - http://www.callwave.com/include/cab/CWDL_DownLoad.CAB
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37876.8377777778
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/suite/autocomplete.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {E855A2D4-987E-4F3B-A51C-64D10A7E2479} (EPSImageControl Class) - http://tools.ebayimg.com/eps/activex/EPSControl_v1-0-3-0.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{EF686E8A-4E86-48CB-9465-B4A622EA5A21}: NameServer = 216.194.28.33 216.194.28.69
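
Added example, not part of the original thread or of HijackThis: a Python sketch that parses entries in the format of the log above and pulls out two things a reviewer reads first, R0/R1 Internet Explorer page values that load from a res:// DLL resource (the symptom in the original question) and the proxy/DNS overrides, so the owner can confirm they are intended. The first sample line is constructed by combining the question's URL with the R0 key from the log; the function names are hypothetical.

```python
import re
from collections import defaultdict

# A HijackThis entry line is "<section code> - <body>", e.g. "R0 - ..." or "O17 - ...".
ENTRY_RE = re.compile(r"^(?P<code>[RFNO]\d{1,2}) - (?P<body>.+)$")
# res:// URL that serves a page out of a DLL's embedded resources.
RES_DLL_RE = re.compile(r"res://(?P<dll>[^/\s]+\.dll)/", re.IGNORECASE)

# Sample input: line 1 is constructed (question's URL in the log's R0 key);
# the remaining lines are copied from the log posted in the thread.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://dyyyc.dll/index.html#37049
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 212.122.167.136:80
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O17 - HKLM\System\CCS\Services\Tcpip\..\{EF686E8A-4E86-48CB-9465-B4A622EA5A21}: NameServer = 216.194.28.33 216.194.28.69
"""

def parse_entries(text):
    """Group entry bodies by section code; header and process lines are skipped."""
    entries = defaultdict(list)
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries[m["code"]].append(m["body"])
    return entries

def res_dll_pages(entries):
    """(registry key, DLL name) for R0/R1 page values that point into a DLL."""
    hits = []
    for code in ("R0", "R1"):
        for body in entries.get(code, []):
            key, _, value = body.partition(" = ")
            m = RES_DLL_RE.search(value)
            if m:
                hits.append((key, m["dll"]))
    return hits

def settings_to_confirm(entries):
    """Proxy and DNS overrides, listed so the machine's owner can confirm them."""
    out = []
    for body in entries.get("R1", []):
        key, _, value = body.partition(" = ")
        if key.endswith(",ProxyServer"):
            out.append(("ProxyServer", value))
    for body in entries.get("O17", []):
        if "NameServer = " in body:
            out.append(("NameServer", body.split("NameServer = ", 1)[1]))
    return out

if __name__ == "__main__":
    parsed = parse_entries(SAMPLE_LOG)
    print(res_dll_pages(parsed))
    print(settings_to_confirm(parsed))
```

The O8 Excel entry also uses res://, but it is a context-menu item rather than an R0/R1 page value, so it is not reported.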

Subject: Re: Internet Explorer has been Hijacked
From: wflash-ga on 28 Jun 2004 06:50 PDT

Hello ra_ar,

Apparently there's nothing suspicious. There are some processes that might not need to be running, unless you use them often. Otherwise they take your system resources. If you have plenty of memory and are not experiencing a slow computer, let them run. Examples are: ACDSee, Neowait.exe, Internet Answering Machine.

Actually I'm not an expert in identifying browser hijackers, but in case you suspect something go to: http://forums.techguy.org. Follow the link to the Security forum and post your question. If you suspect some strange running process or file (e.g. dlls), go to http://www.liutilities.com/products/wintaskspro/processlibrary/ and check in the list what the file does. Another tip: Search Google :-).

Good luck,
Regards,
wflash.

Subject: Re: Internet Explorer has been Hijacked
From: ra_ar-ga on 28 Jun 2004 17:47 PDT

Hello, wflash. Thanks for the advice, I'll check everything on Google. And by the way, ACDSee and Neowait.exe are running only when I'm using them, usually they're closed. And the Internet Answering Machine is always running in case somebody's calling... Thanks again, ra_ar

Subject: Re: Internet Explorer has been Hijacked
From: itomeshi-ga on 09 Jul 2004 11:08 PDT

This is the latest CoolWebSearch variant. It's a hell of a lot worse than the old one - the popular CWShredder program (at http://www.spywareinfo.com/~merijn/files/CWShredder.exe) can't kill it, and that researcher has given up on this variant. Nonetheless, removal is possible. The best instructions I've seen, including links to tools, are at PCHell (http://pchell.com/support/onlythebest.shtml). Shawn

Subject: Re: Internet Explorer has been Hijacked
From: thespace-ga on 14 Jul 2004 13:41 PDT

Use Ad-Aware, it's free

Subject: Re: Internet Explorer has been Hijacked
From: thespace-ga on 14 Jul 2004 13:43 PDT

Where are my manners, here is the link to install Adaware.... http://www.download.com/3000-2144-10045910.html?part=69274&subj=dlpage&tag=button