#1
Homepage hijack res://bvigz.dll/index.html#96676
I have a similar kind of homepage hijack problem. It's been two days and I've tried every possible virus scan, spyware, adaware, Hijackthis and what not.
I'm using IE 6 on WIN XP PRO. It points to dll file and whenever I delete it, something generates a new random dll file and then it points to the new one and makes a new homepage like now it is res://bvigz.dll/index.html#96676

Also, when I search for something on google, a new window comes up with the same search words and points to URL. I tried the fix that comes up in google for this, for no use.

I tried Adaware 6, Online virus scan from Panda, Spybot Search and destroy, Online virus scan from RAV, Spyware Blaster, Spyware Guard, Pestpatrol, Bazooka Spyware scanner, AVG Virus scan.

Needless to mention I have updated every single piece of software I used. One thing I couldn't try was Housecall Antivirus scan, because every time I try to do that I get "internet explorer has encountered a problem" error. Send and don't send are the options and I have to close IE6. I tried it from Netscape for no use.

Below is Hijackthis log.

Logfile of HijackThis v1.97.7
Scan saved at 11:24:40 AM, on 6/16/2004
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ntub32.exe
C:\PROGRA~1\PESTPA~1\PPControl.exe
C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Yahoo!\Messenger\ypager.exe
C:\Program Files\Netscape\Communicator\Program\AIM\aim.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\WINDOWS\mfcrv32.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\tyagi\Desktop\trash\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\bvigz.dll/sp.html#96676
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://bvigz.dll/index.html#96676
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://bvigz.dll/index.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\bvigz.dll/sp.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://bvigz.dll/index.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\bvigz.dll/sp.html#96676
O2 - BHO: (no name) - {1BA6BE38-0B92-7349-0153-401D02C17347} - C:\WINDOWS\mfcrv32.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_12_0.dll
O4 - HKLM\..\Run: [Sasser Patch v1 ] msconf.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Windows Net Cfg ] service.exe
O4 - HKLM\..\Run: [PestPatrol Control Center] c:\PROGRA~1\PESTPA~1\PPControl.exe
O4 - HKLM\..\Run: [PPMemCheck] c:\PROGRA~1\PESTPA~1\PPMemCheck.exe
O4 - HKLM\..\Run: [CookiePatrol] c:\PROGRA~1\PESTPA~1\CookiePatrol.exe
O4 - HKLM\..\Run: [SpyStopper] C:\Program Files\SpyStopper\spystopper.exe
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\Run: [crpq32.exe] C:\WINDOWS\system32\crpq32.exe
O4 - HKLM\..\Run: [mfcrv32.exe] C:\WINDOWS\mfcrv32.exe
O4 - HKLM\..\RunServices: [Sasser Patch v1 ] msconf.exe
O4 - HKLM\..\RunServices: [Microsoft Update] xoifzpv.exe
O4 - HKLM\..\RunServices: [Windows Net Cfg ] service.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [Sasser Patch v1 ] msconf.exe
O4 - HKCU\..\Run: [Windows Net Cfg ] service.exe
O4 - HKCU\..\Run: [System Update4] c:\docume~1\tyagi\applic~1\logon.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\Netscape\Communicator\Program\AIM\aim.exe -cnetwait.odl
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O9 - Extra button: AIM (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O16 - DPF: {2C8EEB84-6D60-11D4-BD64-0050048A82BF} (eshare communications NetAgent Customer ActiveX Control version 2) - URL
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - URL
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - URL
O16 - DPF: {4D7F48C0-CB49-4EA6-97D4-04F4EACC2F3B} (InstallShield Setup Player 2K2) - URL
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - URL
O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} (AvxScanOnline Control) - URL
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - URL
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - URL
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - URL
O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - URL
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - URL
O16 - DPF: {F2A84794-EE6D-447B-8C21-3BA1DC77C5B4} (SDKInstall Class) - URL
#2
I have the exact same problem.

Somehow my computer was infected this morning from a website, not sure which site. The browser has been taken over calling a file from res://C:\WINDOWS\system32\funuz.dll/. When this file is deleted and the registry has been fixed, the browser works once and then upon closing the browser the files are regenerated and the home page and search page etc. are set to a version of this funuz.dll.

There is also a file called hshjs.dat that appeared at the same time as the funuz file in my system32 folder. Two other files sys32_app.dat and sys32_app.dll appeared in C:\WINDOWS\ these were deleted as well.

I have run ad-aware, spybot, a2guard, lop remover, cwshredder, HJT and bazooka to no avail.

The file appears to be linked to lookfor.cc, lookingfor.cc and search-to-find.com. There are pin numbers associated with these. Adaware detects the files and removes them but they appear again the next time a browser window is closed.

When the browser is opened up, the funuz.dll file is the homepage, there are a bunch of links on that page to different topics. On any web page, the program searches for common words and then sets up links through 0-2u.com. The search result page is search-what.net. When searching using google, a popup will appear with search results for the same query at lookingfor.cc and search-to-find.com. There are also popups that come up randomly while browsing the web.

The html files for these popups appear to be located on my computer at C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\MSFT\console.html This isn't a file that was easily accessible. I was able to find the folder using my browser history and deleted the files.

There are two other files that I'm not sure about, ejvym.dat and jdsff.dat. Never seen these before. They are also in C:\WINDOWS\system32\.

Anyone have any ideas?
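Added example, not part of any post in this thread: both reports above show the DLL name changing each time it is regenerated (bvigz.dll, funuz.dll), so a check keyed on the file name goes stale, while the shape of the registry value stays the same. The Python sketch below parses HijackThis R0/R1 lines and flags any start or search page served from a res:// module. The function names and the "res:// page setting is suspicious" heuristic are this example's assumptions; the sample lines are copied from the log in post #1.

```python
import re

# Lines copied from the HijackThis log in post #1 of this thread.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\bvigz.dll/sp.html#96676
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://bvigz.dll/index.html#96676
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://bvigz.dll/index.html#96676
O2 - BHO: (no name) - {1BA6BE38-0B92-7349-0153-401D02C17347} - C:\WINDOWS\mfcrv32.dll
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
"""

# R0/R1 entry layout: "R0 - <hive>\<key>,<value name> = <data>"
R_LINE = re.compile(r"^(R[01]) - (HK(?:CU|LM))\\([^,]+),(.+?) = (.*)$")
# res:// URL: a module (bare name or full path), then "/<resource>"
RES_URL = re.compile(r"^res://(.+?\.(?:dll|exe))/(.*)$", re.IGNORECASE)


def parse_r_lines(log_text):
    """Return one dict per R0/R1 (IE start/search page) line in the log."""
    entries = []
    for line in log_text.splitlines():
        m = R_LINE.match(line.strip())
        if m:
            code, hive, key, name, data = m.groups()
            entries.append({"code": code, "hive": hive, "key": key,
                            "name": name, "data": data.strip()})
    return entries


def res_module(data):
    """File name of the module behind a res:// URL, lower-cased, or None."""
    m = RES_URL.match(data)
    if not m:
        return None
    return m.group(1).replace("/", "\\").rsplit("\\", 1)[-1].lower()


def flag_res_pages(log_text):
    """Heuristic (assumption): a page setting served from res:// is suspect.

    Only R0/R1 lines are considered, so the O8 context-menu entry that
    points into EXCEL.EXE is not reported.
    """
    findings = []
    for entry in parse_r_lines(log_text):
        module = res_module(entry["data"])
        if module:
            findings.append((entry["hive"], entry["name"], module))
    return findings


if __name__ == "__main__":
    for hive, name, module in flag_res_pages(SAMPLE_LOG):
        print(f"{hive} {name}: served from {module}")
```
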
#3
try www.hsremove.com
I found a page called URL (HS stands for Home Search which you should notice the title of the damn page that comes up). My computer is free of it so far..... for 5 minutes and 1 restart but that is better than where I was at.
#4
Hi pmurthy,

If you would like someone to check over your HijackThis log, make sure you reboot since you have run the hsremove tool and post a new log. Keep in mind there is a fix already available for your infection and the hsremove tool has not been widely approved by the anti-malware community. Use at your own risk!

Hi neotheleo,

If you would like someone to check over your HijackThis log, please start a new thread and someone will take a look at it.

Tom
__________________
HijackThis Ad-aware Spybot Search & Destroy SpywareBlaster SpywareGuard Housecall Online A/V Scan Please read the stickys at the top of the forum before posting!
Viewing: Dev Shed Forums > System Administration > Antivirus Protection > Homepage hijack res://bvigz.dll/index.html#96676