"only the best" variant: flvku.dll

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by mbenzy, Jun 17, 2004.

  1. mbenzy

    mbenzy Private E-2

    Tried and did not work:

    1. Norton AV Corporate 7.6 fully patched
    2. Symantec fix instructions for Trojan.Byteverify
    3. CW Shredder 1.59.0
    4. Ad Aware
    5. Spybot
    6. uninstall, reinstall IE Explorer
    7. HijackThis (see log below)
    8. Removed Microsoft Java VM (JVM)
    9. manually removed offending keys from the registry only to find them back each time I opened IE explorer.
    "only the best" pop up persists, and search and home pages cannot be permanently changed. I hardly ever use explorer, I prefer Firefox, but this problem has me pissed off like the rest of you.

    I would appreciate any help you can offer.

    thanks for your help

    mbenzy

    Log:

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\basfipm.exe
    C:\Program Files\NavNT\defwatch.exe
    C:\WINDOWS\System32\gearsec.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\Program Files\NavNT\rtvscan.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\System32\PGPsdkServ.exe
    C:\WINDOWS\System32\WLTRYSVC.EXE
    C:\WINDOWS\mfcad32.exe
    C:\WINDOWS\System32\bcmwltry.exe
    C:\WINDOWS\System32\MsgSys.EXE
    C:\WINDOWS\mspo.exe
    C:\Program Files\NavNT\vptray.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\WINDOWS\System32\DSentry.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\Dell\QuickSet\quickset.exe
    C:\WINDOWS\System32\BacsTray.exe
    C:\Program Files\Apoint\Apoint.exe
    C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
    C:\PROGRA~1\ALWILS~1\Avast4\ashmaisv.exe
    C:\Program Files\Apoint\Apntex.exe
    C:\Program Files\MSN Messenger\MsnMsgr.Exe
    C:\WINDOWS\System32\rundll32.exe
    C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
    C:\Program Files\Digital Line Detect\DLG.exe
    C:\Program Files\PGP Corporation\PGP for Windows XP\PGPtray.exe
    C:\Program Files\Intuit\QuickBooks Pro\Components\QBAgent\QBDAgent.exe
    C:\WINDOWS\System32\mrtMngr.EXE
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\WINDOWS\explorer.exe
    C:\Documents and Settings\ag\Desktop\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\flvku.dll/sp.html#37049
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://flvku.dll/index.html#37049
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://flvku.dll/index.html#37049
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\flvku.dll/sp.html#37049
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://flvku.dll/index.html#37049
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\flvku.dll/sp.html#37049
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = http://www.dell.com/
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - c:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {9CF55B4C-92A9-FCA0-F3F7-8F235449A8F8} - C:\WINDOWS\system32\netqr.dll
    O2 - BHO: (no name) - {AE7CD045-E861-484f-8273-0445EE161910} - c:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - c:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
    O4 - HKLM\..\Run: [mspo.exe] C:\WINDOWS\mspo.exe
    O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [QBCD Autorun] D:\autorun.exe restart QB_SEQUENCE first
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
    O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
    O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
    O4 - HKLM\..\Run: [bascstray] BascsTray.exe
    O4 - HKLM\..\Run: [bacstray] BacsTray.exe
    O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
    O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
    O4 - HKLM\..\Run: [ashMaiSv] C:\PROGRA~1\ALWILS~1\Avast4\ashmaisv.exe
    O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
    O4 - HKLM\..\RunOnce: [mfcad32.exe] C:\WINDOWS\mfcad32.exe
    O4 - HKLM\..\RunOnce: [syskw.exe] C:\WINDOWS\system32\syskw.exe
    O4 - HKLM\..\RunOnce: [sdkop.exe] C:\WINDOWS\sdkop.exe
    O4 - HKLM\..\RunOnce: [apiew.exe] C:\WINDOWS\system32\apiew.exe
    O4 - HKLM\..\RunOnce: [windy32.exe] C:\WINDOWS\windy32.exe
    O4 - HKLM\..\RunOnce: [msmr.exe] C:\WINDOWS\msmr.exe
    O4 - HKLM\..\RunOnce: [iptm.exe] C:\WINDOWS\iptm.exe
    O4 - HKLM\..\RunOnce: [msdu32.exe] C:\WINDOWS\msdu32.exe
    O4 - HKLM\..\RunOnce: [appba32.exe] C:\WINDOWS\appba32.exe
    O4 - HKLM\..\RunOnce: [mswe.exe] C:\WINDOWS\system32\mswe.exe
    O4 - HKLM\..\RunOnce: [iebx32.exe] C:\WINDOWS\system32\iebx32.exe
    O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: Digital Line Detect.lnk = ?
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O4 - Global Startup: PGPtray.lnk = ?
    O4 - Global Startup: QuickBooks Delivery Agent.lnk = C:\Program Files\Intuit\QuickBooks Pro\Components\QBAgent\QBDAgent.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
    O9 - Extra button: Related (HKLM)
    O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Messenger (HKLM)
    O16 - DPF: ppctlcab - http://www.pestscan.com/scanner/ppctlcab.cab
    O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://www.pestscan.com/scanner/axscanner.cab
    O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://files.member.yahoo.com/dl/installs/sbc/yinsthdlk.cab
    O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
    O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.microsoft.com/officeupdate/content/opuc.cab
    O16 - DPF: {665585FD-2068-4C5E-A6D3-53AC3270ECD4} (FileSharingCtrl Class) - http://appdirectory.messenger.msn.com/AppDirectory/P4Apps/FileSharing/en/filesharingctrl.cab
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
     
  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    We don't have a fix yet for "Only the best" but I think you need to figure out what each of the below are:

    O4 - HKLM\..\RunOnce: [mfcad32.exe] C:\WINDOWS\mfcad32.exe
    O4 - HKLM\..\RunOnce: [syskw.exe] C:\WINDOWS\system32\syskw.exe
    O4 - HKLM\..\RunOnce: [sdkop.exe] C:\WINDOWS\sdkop.exe
    O4 - HKLM\..\RunOnce: [apiew.exe] C:\WINDOWS\system32\apiew.exe
    O4 - HKLM\..\RunOnce: [windy32.exe] C:\WINDOWS\windy32.exe
    O4 - HKLM\..\RunOnce: [msmr.exe] C:\WINDOWS\msmr.exe
    O4 - HKLM\..\RunOnce: [iptm.exe] C:\WINDOWS\iptm.exe
    O4 - HKLM\..\RunOnce: [msdu32.exe] C:\WINDOWS\msdu32.exe
    O4 - HKLM\..\RunOnce: [appba32.exe] C:\WINDOWS\appba32.exe
    O4 - HKLM\..\RunOnce: [mswe.exe] C:\WINDOWS\system32\mswe.exe
    O4 - HKLM\..\RunOnce: [iebx32.exe] C:\WINDOWS\system32\iebx32.exe
     
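The two posts above both come down to reading the same HijackThis log by hand: the R0/R1 lines whose start and search pages are served from a `res://` DLL resource, and the stack of HKLM RunOnce entries pointing at generic-looking executables in the Windows directory. The script below is an added example, not code from this thread or from HijackThis, that applies those same checks to a pasted log. The sample log is a constructed excerpt modelled on the posted one, and the flagging rules (a `res://` DLL in a browser start or search page, an unnamed BHO loaded from the Windows directory, a RunOnce entry that keeps reappearing, an executable sitting directly in the Windows root, and a cross-reference against the running process list) are the triage heuristics assumed here, not a signature for this hijacker.

```python
import re
from dataclasses import dataclass


@dataclass
class Finding:
    severity: str  # "high" or "medium"
    line: str      # the HijackThis line that triggered the finding
    reason: str


# Constructed sample log in HijackThis format, modelled on the thread's log.
SAMPLE_LOG = r"""
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\mfcad32.exe
C:\WINDOWS\mspo.exe
C:\Program Files\NavNT\vptray.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\flvku.dll/sp.html#37049
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://flvku.dll/index.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
O2 - BHO: (no name) - {9CF55B4C-92A9-FCA0-F3F7-8F235449A8F8} - C:\WINDOWS\system32\netqr.dll
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - c:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [mspo.exe] C:\WINDOWS\mspo.exe
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\RunOnce: [mfcad32.exe] C:\WINDOWS\mfcad32.exe
O4 - HKLM\..\RunOnce: [syskw.exe] C:\WINDOWS\system32\syskw.exe
"""

# res://<dll>/<page>: IE renders the page from an HTML resource embedded in the DLL.
RES_DLL_RE = re.compile(r"res://(?:[a-z]:\\.*?\\)?([\w.-]+\.dll)/", re.I)
R_LINE_RE = re.compile(r"^R[01] - (?P<key>.+?) = (?P<value>.*)$")
O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9a-f-]+\}) - (?P<path>.*)$", re.I)
O4_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>Run\w*): \[(?P<label>[^\]]+)\] (?P<cmd>.*)$")
# An executable or DLL directly in the Windows root (no subdirectory).
WIN_ROOT_RE = re.compile(r"^[a-z]:\\windows\\[^\\]+\.(exe|dll)$", re.I)
# Anything in the Windows root or System32.
WIN_ANY_RE = re.compile(r"^[a-z]:\\windows\\(system32\\)?[^\\]+\.(exe|dll)$", re.I)


def split_sections(text):
    """Return (running_processes, hijackthis_entries) from a pasted log."""
    procs, entries = [], []
    for raw in text.splitlines():
        line = raw.strip()
        if re.match(r"^[A-Z]\d{1,2} - ", line):
            entries.append(line)
        elif re.match(r"^[a-z]:\\", line, re.I):
            procs.append(line)
    return procs, entries


def first_exe(cmd):
    """Extract the executable path from an O4 command line (quoted or not)."""
    m = re.match(r'"?(?P<exe>[^"]*?\.exe)', cmd, re.I)
    return m.group("exe") if m else cmd


def analyze(text):
    """Apply the triage heuristics and return a list of Finding objects."""
    procs, entries = split_sections(text)
    running = {p.lower() for p in procs}
    findings = []
    for line in entries:
        if m := R_LINE_RE.match(line):
            dll = RES_DLL_RE.search(m.group("value"))
            if dll:
                findings.append(Finding("high", line,
                    f"browser start/search page served from DLL resource {dll.group(1)}"))
        elif m := O2_RE.match(line):
            path = m.group("path").strip()
            if m.group("name") == "(no name)" and WIN_ANY_RE.match(path):
                findings.append(Finding("medium", line,
                    f"unnamed BHO loaded from Windows directory: {path}"))
        elif m := O4_RE.match(line):
            exe = first_exe(m.group("cmd"))
            reasons = []
            if m.group("key").lower() == "runonce":
                reasons.append("RunOnce entry keeps reappearing; HKLM RunOnce is meant for one-shot tasks")
            if WIN_ROOT_RE.match(exe):
                reasons.append("executable installed directly in the Windows directory root")
            if reasons and exe.lower() in running:
                reasons.append("currently running")
            if reasons:
                findings.append(Finding("medium", line, "; ".join(reasons)))
    return findings


def summarize(findings):
    """Count findings per severity, e.g. {'high': 2, 'medium': 4}."""
    counts = {}
    for f in findings:
        counts[f.severity] = counts.get(f.severity, 0) + 1
    return counts


if __name__ == "__main__":
    results = analyze(SAMPLE_LOG)
    for f in results:
        print(f"[{f.severity}] {f.reason}\n    {f.line}")
    print(summarize(results))
```

Run against the constructed sample it reports the two `res://flvku.dll` page hijacks as high, and the unnamed `netqr.dll` BHO, both RunOnce entries and the `mspo.exe` Run entry as medium, noting which of those executables also appear in the running-process list; the Dell home page, the Adobe BHO and the Norton tray entry are left alone. The cross-reference with the process list is what tells you a RunOnce entry is not a stale leftover: a RunOnce key that is deleted on boot should not correspond to a live process unless something keeps re-creating it.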
  3. Chappo

    Chappo Private E-2

    OK I had this same problem and it took me about 2 hrs to fix it once I followed what chaslang told svengali to do. Read this thread and follow it to the letter (all three pages).

    http://www.majorgeeks.com/vb/showthread.php?t=35165

    Also check my last entry on

    http://www.majorgeeks.com/vb/showthread.php?p=375305

    for a very quick summary of how I fixed the problem.

    Note that with the svengali thread you need to work out which files to delete as the names will be different on your computer. I recommend you print out svengali's thread and any links mentioned. Print your logfiles and highlight the files that need to go, use the search function to find them and delete them (there will be more than one copy of some of them and they will be in more than one place).

    DO NOT USE MY THREAD AS YOUR GUIDE IT DOESN'T HAVE ENOUGH INFO!

    The only thing I didn't do that chaslang said was to open the ?????.dll file, delete the content and then save as an empty file. I just deleted everything. I wouldn't recommend leaving out anything else.

    MAKE SURE you have hidden files turned off so you can see everything.