Moved to seperate thread. Read the announcements called **READ BEFORE POSTING**

I too have the same problem as the original poster. I have done everything in this thread to a "T" but with no success. I am using AboutBuster, CWShredder, Adaware, and Hijack this.

Here's my HijackThis log right after my start up:

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\scagent.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\winlc32.exe
C:\AIM\aim.exe
C:\WINNT\Santa Fe Stucco.bmp:yopjt
C:\WINNT\Explorer.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Spam\Hijack This\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\system32\dqhau.dll/sp.html#96676
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\system32\dqhau.dll/sp.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINNT\system32\dqhau.dll/sp.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\system32\dqhau.dll/sp.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\system32\dqhau.dll/sp.html#96676
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\system32\dqhau.dll/sp.html#96676
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\system32\dqhau.dll/sp.html#96676
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = www.google.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Int ernet Settings,ProxyServer = 213.177.232.193:8080
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {C7FEB52A-8FCB-3586-286B-07E44B09039B} - C:\WINNT\system32\winxi32.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [ipog32.exe] C:\WINNT\system32\ipog32.exe
O4 - HKLM\..\Run: [syspd32.exe] C:\WINNT\system32\syspd32.exe
O4 - HKLM\..\Run: [syscy32.exe] C:\WINNT\system32\syscy32.exe
O4 - HKLM\..\Run: [winlc32.exe] C:\WINNT\system32\winlc32.exe
O4 - HKCU\..\Run: [AIM] C:\AIM\aim.exe -cnetwait.odl
O4 - Global Startup: Billminder.lnk = C:\Program Files\Quicken\billmind.exe
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O4 - Global Startup: Quicken Startup.lnk = C:\Program Files\Quicken\QWDLLS.EXE
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\AIM\aim.exe
O18 - Protocol: icoo - {4A8DADD4-5A25-4D41-8599-CB7458766220} - (no file)
O18 - Filter: text/html - {EE7A946E-61FA-4979-87B8-A6C462E6FA62} - C:\WINNT\digfilt.dll

Anything I check and "fix" with HijackThis does nothing. It just comes back. I went into regedit and anything I did was undone right away. Usually I can get rid of this crap, but not this time.

I'm so lost.

Just found this BTW and so far it's doing nothing.

Close but no cigar.

Hiya,
Sorry about the long response time.

1. Download AboutBuster http://www.downloads.subratam.org/AboutBuster.zip

Unzip it to your desktop but don't run it yet.

2. Download Ad-aware from here. Open the Ad-aware program and near the bottom click the Check For Updates link. This will open the update manager. Follow the prompts to update your Ad-aware Reference File. Close Ad-aware for now, we will use it later.

3. You may want to print out these instructions for further reference when completing the following steps.

4. Make sure your PC is configured to show hidden files

Open Windows Explorer & Go to Tools > Folder Options. Click on the View tab and make sure that "Show hidden files and folders" is checked. Also uncheck "Hide protected operating system files" and untick "hide extensions for known file types" . Now click "Apply to all folders"
Click "Apply" then "OK"

5. Next, go to Start->Run and type "Services.msc" (without quotes) then hit Ok

Scroll down and find the service called "Network Security Service". When you find it, double-click on it. In the next window that opens, click the Stop button, then click on properties and under the General Tab, change the Startup Type to Disabled. Now hit Apply and then Ok and close any open windows.

6. Then reboot your PC into Safe Mode. If you don't know how to do this, see here for further instructions.

7. Restart Hijack This and put a checkmark next to the following entries:


R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\system32\dqhau.dll/sp.html#96676
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\system32\dqhau.dll/sp.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINNT\system32\dqhau.dll/sp.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\system32\dqhau.dll/sp.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\system32\dqhau.dll/sp.html#96676
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\system32\dqhau.dll/sp.html#96676
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\system32\dqhau.dll/sp.html#96676
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {C7FEB52A-8FCB-3586-286B-07E44B09039B} - C:\WINNT\system32\winxi32.dll
O4 - HKLM\..\Run: [ipog32.exe] C:\WINNT\system32\ipog32.exe
O4 - HKLM\..\Run: [syspd32.exe] C:\WINNT\system32\syspd32.exe
O4 - HKLM\..\Run: [syscy32.exe] C:\WINNT\system32\syscy32.exe
O4 - HKLM\..\Run: [winlc32.exe] C:\WINNT\system32\winlc32.exe
O18 - Protocol: icoo - {4A8DADD4-5A25-4D41-8599-CB7458766220} - (no file)
O18 - Filter: text/html - {EE7A946E-61FA-4979-87B8-A6C462E6FA62} - C:\WINNT\digfilt.dll

Then delete the following files and folders:
C:\WINNT\system32\ipog32.exe
C:\WINNT\system32\syspd32.exe
C:\WINNT\system32\syscy32.exe
C:\WINNT\system32\winlc32.exe

8. Double click AboutBuster.exe that you downloaded earlier. Click OK, click Start, then click OK. This will scan your computer for the bad files and delete them. Save the report (copy and paste into notepad or wordpad and save as a .txt file) and post a copy back here when you are done with all the steps.

9. Scan with Adaware and let it remove any bad files found.

10. Clean out temporary and TIF files. Go to Start > Run and type in the box: cleanmgr. Let it scan your system for files to remove. Make sure that Temporary Files, Temporary Internet Files and Recycle Bin

11. Reboot to normal mode

12. Finally, pay a visit to Housecall. Scan for and remove any infected files found on your system.

Post a fresh HijackThis log and the AboutBuster report back here please. (Please ensure you include the whole log, including the top bit)

did all that, its still here.

edit: btw, only one of the four files was there to delete, winlc32.exe

You haven't posted the new Hijack This log and About:Buster log as requested...

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\scagent.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\Explorer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Spam\Hijack This\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.google.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.google.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.google.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.google.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = www.google.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Int ernet Settings,ProxyServer = 213.177.232.193:8080
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKCU\..\Run: [AIM] C:\AIM\aim.exe -cnetwait.odl
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\AIM\aim.exe
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2...ll/xscan53.cab
O18 - Protocol: icoo - {4A8DADD4-5A25-4D41-8599-CB7458766220} - (no file)
O18 - Filter: text/html - {EE7A946E-61FA-4979-87B8-A6C462E6FA62} - C:\WINNT\digfilt.dll






-- Scan 1 ---------------------------
About:Buster Version 3.0
Reference List : 15


Removed Data Streams:
C:\WINNT\acycf.txt:fqnok
C:\WINNT\discover.exe:nbrge
C:\WINNT\FeatherTexture.bmp:epkex
C:\WINNT\FeatherTexture.bmp:fckmy
C:\WINNT\folder.htt:ydcra
C:\WINNT\helprfb.dll:ienwu
C:\WINNT\mdm.ini:huvbh
C:\WINNT\mdm.inifwki
C:\WINNT\msxmidi.exe:iicft
C:\WINNT\NOTEPAD.EXE:zwvrq
C:\WINNT\ockodak.log:evpkx
C:\WINNT\ockodak.logvktd
C:\WINNT\ockodak.log:rxowk
C:\WINNT\odbng.txt:kyzcn
C:\WINNT\podnl1.exe.bak:czrhh
C:\WINNT\Prairie Wind.bmp:zpnma
C:\WINNT\regedit.exe:spgrc
C:\WINNT\River Sumida.bmp:kqyww
C:\WINNT\SchedLgU.Txt:bopkf
C:\WINNT\SchedLgU.Txt:vqtrz
C:\WINNT\sdkto.exe:drjky
C:\WINNT\twain_32.dll:hszqi
C:\WINNT\upwizun.exe:hhrad
C:\WINNT\upwizun.exebzhl
C:\WINNT\winnt.bmp:sfoqn


Deleted 2 Service Keys Successfully!
Attempted Clean Of Temp folder.
Removed Uninstall Key (HSA)
Removed Uninstall Key (SE)
Removed Uninstall Key (SW)
Pages Reset... Done!



I cannot get digfilt.dll to go away for anything. Housecall couldnt delete it because "it was running", I couldnt manually do it, and with HijackThis, it just continues to pop back up. In fact, both O18's listed in HijackThis log i posted are continuing to come back.

For now it seems gone, to be honest I'm afraid to open my internet explorer from the desktop. Last time it seemed to be gone for about 2 openings, then it came back slowly, with my homepage getting stuck at about:blank, then being at about:blank and having the popups and crap.

I'll try to just walk away from the computer until I'm told I'm fine.

Thanks!

Could you do the following for me:

Go to - Run. Copy and paste the bold text in the box ‘open’:

regedit /e c:\txtprtcl.txt "HKEY_CLASSES_ROOT\PROTOCOLS\Filter\text/plain"

Click OK.

A file will be made called txtprtcl.txt that can be found in the root (c:\txtprtcl.txt).

Upload this file with your next reply by clicking Manage Attachments and selecting the file.

no file to be found in the c drive.