Similar to the mshp.dll problem below, i am getting a bzxlc.dll homepage

it looks like the sysqz32.exe is spawning a lot of executables when the changeover occurs. Also a new MSMSGS.EXE messenger pops up during these times, i'm not sure what that is doing.

I noticed these pop up:

mfcl032.exe
mshg32.exe
apitr32.exe
appwd32.exe
msdj32.exe
mfcjp32.exe

Here are the links to 4 snapshots of the reg monitor of various points. I don't want a direct picture since there so big and take up the whole page.


http://www.public.iastate.edu/~ajross/Sc01.JPG
http://www.public.iastate.edu/~ajross/Sc02.JPG

http://www.public.iastate.edu/~ajross/Sc03.JPG

http://www.public.iastate.edu/~ajross/Sc04.JPG

 

Ok, i tried it again, watching the process explorer, when i run hijack, i delete all entries, including the sysqz32.exe. When i open IE and search around, close, reopen. After a while a popup comes. Soon after that, as MSMSGS.exe messenger opens under the SVCHOST.EXE and then closes. Once that IE window is closed and reopened, its been changed. Although i remove the reg entry for sysqz32.exe, it is still a running process. So i don't konw if that still has anything to do with it. With this last test, i did not see anything being called by the sysqz32.exe. But watching process explorer, every once in a while, a new MSMSGS.EXE opens up then closes quickly. Watching closely, it looks like when a new messenger opens, it then closes the old one. So it keeps refreshing the messenger with a new copy!?

 

i tried to disable it through control panel -> Admin Tools -> Services ...

I changed to disable, but when i did the hijack and IE test again, it still opened up.

I will go safemode and change the messenger file

 

only the best popup problem - i have noticed a couple of things:
1. There is a file in the C: directory root called install.htm which contains some strange code (see below)

the html code
HTML>
<HEAD>
<TITLE>Express</TITLE>
<SCRIPT language="Javascript">
self.blur();
self.resizeTo(10,10);
self.moveTo(10,10);
</SCRIPT>
</HEAD>
<BODY onLoad="self.close()" onFocus="self.blur()">
<OBJECT classid="clsid:1C78AB3F-A857-482e-80C0-3A1E5238A565" codebase="C:\install.cab" id="toolbar" height=0 width=0>
<PARAM name="userId" value="00015">
</OBJECT>
</BODY>
</HTML>

2. the browsers always seem to point to sp.html in a temporary directory. I opened this up using dreamweaver and changed it to google homepage. Then I saved it into the same place overwriting the original (malware) and set it to read only. Since then I have had no popups (yet!)

this does not address the underlying problem but represents a quick fix

 

Why do Dll's come back....is it because you havent deleted all of them?