Theog

got jacked =(

11 posts in this topic

good day to all the hard working men & women who care about people in need- got hijacked last night- here is my log---

 

Logfile of HijackThis v1.98.0

Scan saved at 2:10:17 AM, on 7/12/2004

Platform: Windows XP (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 (6.00.2600.0000)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\System32\ati2evxx.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\ieql32.exe

C:\Program Files\Apoint\Apoint.exe

C:\WINDOWS\System32\Atiptaxx.exe

C:\WINDOWS\system32\ntuk32.exe

C:\Program Files\TGTSoft\StyleXP\StyleXP.exe

C:\Program Files\RAMIdle.exe

C:\Program Files\POP-Stopper-IE\POP-Stopper-IE.exe

C:\Program Files\Apoint\Apntex.exe

C:\Program Files\Internet Explorer\IEXPLORE.EXE

C:\Documents and Settings\jack spade\Desktop\HijackThis.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\hmrcs.dll/sp.html#28129

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://hmrcs.dll/index.html#28129

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://hmrcs.dll/index.html#28129

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\hmrcs.dll/sp.html#28129

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\hmrcs.dll/sp.html#28129

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://hmrcs.dll/index.html#28129

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://www.sony.com/vaiopeople

R3 - Default URLSearchHook is missing

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll

O2 - BHO: (no name) - {DA4303A4-7F0E-EE37-6476-E29A5C3B85F5} - C:\WINDOWS\syssu32.dll

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll

O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe

O4 - HKLM\..\Run: [AtiPTA] Atiptaxx.exe

O4 - HKLM\..\Run: [ntuk32.exe] C:\WINDOWS\system32\ntuk32.exe

O4 - HKLM\..\RunOnce: [ieql32.exe] C:\WINDOWS\system32\ieql32.exe

O4 - HKCU\..\Run: [sTYLEXP] C:\Program Files\TGTSoft\StyleXP\StyleXP.exe -Hide

O4 - HKCU\..\Run: [ramidle] C:\Program Files\RAMIdle.exe

O4 - HKCU\..\Run: [POP-Stopper-IE] "C:\Program Files\POP-Stopper-IE\POP-Stopper-IE.exe"

O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html

O8 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html

O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html

O8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html

O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html

O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll

O14 - IERESET.INF: START_PAGE_URL=http://www.sony.com/vaiopeople

 

 

 

pretty sure it's ntuk32.exe but don't know what to do since cw doesn't see it---

ty very much in advance- :D

theo*g


Download About:buster from http://downloads.subratam.org/AboutBuster.zip and unzip it to your desktop.

 

Click here for instructions on how to boot into safe mode.

 

Boot up in safe mode.

 

Run About:buster, click OK, Start, and OK again to start the scan. Let it scan and fix everything it finds. It should give you a log at this point, copy it into a text file and save it.

 

Reboot your computer in normal mode and post a fresh HJT log, and the log from about:buster.

 

Note: please include the ENTIRE contents of the logs, some of your first HJT log seems to be missing.


ok-

 

i copied whole hijack this log-) if items are missing i do not know why

 

 

Logfile of HijackThis v1.98.0

Scan saved at 1:44:12 PM, on 7/12/2004

Platform: Windows XP (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 (6.00.2600.0000)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\System32\ati2evxx.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\apiar.exe

C:\Program Files\Apoint\Apoint.exe

C:\WINDOWS\System32\Atiptaxx.exe

C:\WINDOWS\system32\ntuk32.exe

C:\Program Files\TGTSoft\StyleXP\StyleXP.exe

C:\Program Files\RAMIdle.exe

C:\Program Files\POP-Stopper-IE\POP-Stopper-IE.exe

C:\Program Files\Apoint\Apntex.exe

C:\Documents and Settings\jack spade\Desktop\HijackThis.exe

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://www.sony.com/vaiopeople

R3 - Default URLSearchHook is missing

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll

O2 - BHO: (no name) - {DA4303A4-7F0E-EE37-6476-E29A5C3B85F5} - C:\WINDOWS\syssu32.dll (file missing)

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll

O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe

O4 - HKLM\..\Run: [AtiPTA] Atiptaxx.exe

O4 - HKLM\..\Run: [ntuk32.exe] C:\WINDOWS\system32\ntuk32.exe

O4 - HKLM\..\RunOnce: [apiar.exe] C:\WINDOWS\system32\apiar.exe

O4 - HKLM\..\RunOnce: [sysba32.exe] C:\WINDOWS\sysba32.exe

O4 - HKLM\..\RunOnce: [atltr32.exe] C:\WINDOWS\system32\atltr32.exe

O4 - HKLM\..\RunOnce: [d3lj.exe] C:\WINDOWS\d3lj.exe

O4 - HKCU\..\Run: [sTYLEXP] C:\Program Files\TGTSoft\StyleXP\StyleXP.exe -Hide

O4 - HKCU\..\Run: [ramidle] C:\Program Files\RAMIdle.exe

O4 - HKCU\..\Run: [POP-Stopper-IE] "C:\Program Files\POP-Stopper-IE\POP-Stopper-IE.exe"

O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html

O8 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html

O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html

O8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html

O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html

O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll

O14 - IERESET.INF: START_PAGE_URL=http://www.sony.com/vaiopeople

 

thanx 4 your patience


First you need to show all hidden and system files if they aren't already. See here for instructions.

 

Next put Hijackthis in its own folder (otherwise it will scatter backups all over your desktop).

 

Run Hijackthis and scan again. Put a tick against these items:

 

R3 - Default URLSearchHook is missing

 

O2 - BHO: (no name) - {DA4303A4-7F0E-EE37-6476-E29A5C3B85F5} - C:\WINDOWS\syssu32.dll (file missing)

 

O4 - HKLM\..\Run: [ntuk32.exe] C:\WINDOWS\system32\ntuk32.exe

 

O4 - HKLM\..\RunOnce: [apiar.exe] C:\WINDOWS\system32\apiar.exe

 

O4 - HKLM\..\RunOnce: [sysba32.exe] C:\WINDOWS\sysba32.exe

 

O4 - HKLM\..\RunOnce: [atltr32.exe] C:\WINDOWS\system32\atltr32.exe

 

O4 - HKLM\..\RunOnce: [d3lj.exe] C:\WINDOWS\d3lj.exe

 

Close all other windows apart from Hijackthis and click "Fix Checked".

 

Reboot your computer.

 

Find and delete these files:

 

C:\WINDOWS\system32\ntuk32.exe

C:\WINDOWS\system32\apiar.exe

C:\WINDOWS\sysba32.exe

C:\WINDOWS\system32\atltr32.exe

C:\WINDOWS\d3lj.exe

 

When you've deleted those, reboot and post a fresh Hijackthis log.

 

Also, is POP-Stopper-IE something you installed?

Edited by expertec


show hidden files are on-

hjt in its own folder-

checked above items-

fixed checked , rebooted-

deleted all exe & uninstall pop stopper-

 

here is new log, still did not work =(

 

 

Logfile of HijackThis v1.98.0

Scan saved at 4:23:08 PM, on 7/13/2004

Platform: Windows XP (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 (6.00.2600.0000)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\System32\ati2evxx.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\netiy.exe

C:\Program Files\Apoint\Apoint.exe

C:\WINDOWS\System32\Atiptaxx.exe

C:\WINDOWS\system32\javawv32.exe

C:\Program Files\TGTSoft\StyleXP\StyleXP.exe

C:\Program Files\RAMIdle.exe

C:\Program Files\Apoint\Apntex.exe

C:\WINDOWS\regedit.exe

C:\Program Files\Internet Explorer\IEXPLORE.EXE

C:\HJT\HijackThis.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\qvgfu.dll/sp.html#28129

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://qvgfu.dll/index.html#28129

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://qvgfu.dll/index.html#28129

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\qvgfu.dll/sp.html#28129

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\qvgfu.dll/sp.html#28129

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://qvgfu.dll/index.html#28129

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://www.sony.com/vaiopeople

R3 - Default URLSearchHook is missing

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll

O2 - BHO: (no name) - {6F75BAB9-BE16-C13A-26FA-CE58E0A63D03} - C:\WINDOWS\javayi32.dll

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll

O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe

O4 - HKLM\..\Run: [AtiPTA] Atiptaxx.exe

O4 - HKLM\..\Run: [ntuk32.exe] C:\WINDOWS\system32\ntuk32.exe

O4 - HKLM\..\Run: [javawv32.exe] C:\WINDOWS\system32\javawv32.exe

O4 - HKLM\..\RunOnce: [netiy.exe] C:\WINDOWS\netiy.exe

O4 - HKCU\..\Run: [sTYLEXP] C:\Program Files\TGTSoft\StyleXP\StyleXP.exe -Hide

O4 - HKCU\..\Run: [ramidle] C:\Program Files\RAMIdle.exe

O4 - HKCU\..\Run: [POP-Stopper-IE] "C:\Program Files\POP-Stopper-IE\POP-Stopper-IE.exe"

O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html

O8 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html

O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html

O8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html

O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html

O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll

O14 - IERESET.INF: START_PAGE_URL=http://www.sony.com/vaiopeople

 

 

 

 

ntuk32 & javawv32 are in run registry


Logfile of HijackThis v1.98.0

Scan saved at 2:02:00 AM, on 7/14/2004

Platform: Windows XP (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 (6.00.2600.0000)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\System32\ati2evxx.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Apoint\Apoint.exe

C:\WINDOWS\System32\Atiptaxx.exe

C:\Program Files\TGTSoft\StyleXP\StyleXP.exe

C:\Program Files\RAMIdle.exe

C:\Program Files\Apoint\Apntex.exe

C:\Program Files\Internet Explorer\IEXPLORE.EXE

C:\WINDOWS\System32\taskmgr.exe

C:\HJT\HijackThis.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\qvgfu.dll/sp.html#28129

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://qvgfu.dll/index.html#28129

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://qvgfu.dll/index.html#28129

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\qvgfu.dll/sp.html#28129

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\qvgfu.dll/sp.html#28129

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://qvgfu.dll/index.html#28129

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://www.sony.com/vaiopeople

R3 - Default URLSearchHook is missing

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll

O2 - BHO: (no name) - {6F75BAB9-BE16-C13A-26FA-CE58E0A63D03} - C:\WINDOWS\javayi32.dll

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll

O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe

O4 - HKLM\..\Run: [AtiPTA] Atiptaxx.exe

O4 - HKLM\..\Run: [javawv32.exe] C:\WINDOWS\system32\javawv32.exe

O4 - HKLM\..\RunOnce: [netiy.exe] C:\WINDOWS\netiy.exe

O4 - HKCU\..\Run: [sTYLEXP] C:\Program Files\TGTSoft\StyleXP\StyleXP.exe -Hide

O4 - HKCU\..\Run: [ramidle] C:\Program Files\RAMIdle.exe

O4 - HKCU\..\Run: [POP-Stopper-IE] "C:\Program Files\POP-Stopper-IE\POP-Stopper-IE.exe"

O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html

O8 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html

O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html

O8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html

O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html

O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll

O14 - IERESET.INF: START_PAGE_URL=http://www.sony.com/vaiopeople


It is probably a good idea to save this to a text file or print it out as you won't be able to refer to here when you are in safe mode.

 

Run Hijackthis and scan. Check off these items:

 

O2 - BHO: (no name) - {6F75BAB9-BE16-C13A-26FA-CE58E0A63D03} - C:\WINDOWS\javayi32.dll

 

O4 - HKLM\..\Run: [javawv32.exe] C:\WINDOWS\system32\javawv32.exe

 

O4 - HKLM\..\RunOnce: [netiy.exe] C:\WINDOWS\netiy.exe

 

Close all windows apart from Hijackthis and click "Fix Checked".

 

Reboot the computer into Safe Mode, then find and delete these files:

 

C:\WINDOWS\system32\javawv32.exe

 

C:\WINDOWS\netiy.exe

 

Still in safe mode, run about:buster and save a copy of its log. Run it again and save a copy of the second log.

 

Reboot the computer into normal mode and post the about:buster logs and a fresh log from Hijackthis


Logfile of HijackThis v1.98.0

Scan saved at 3:53:57 PM, on 7/21/2004

Platform: Windows XP (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 (6.00.2600.0000)

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Apoint\Apoint.exe

C:\WINDOWS\System32\Atiptaxx.exe

C:\Program Files\RAMIdle.exe

C:\Program Files\Apoint\Apntex.exe

C:\WINDOWS\System32\ati2evxx.exe

C:\WINDOWS\System32\svchost.exe

C:\HJT\HijackThis.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\qvgfu.dll/sp.html#28129

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://qvgfu.dll/index.html#28129

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\qvgfu.dll/sp.html#28129

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\qvgfu.dll/sp.html#28129

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://qvgfu.dll/index.html#28129

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://www.sony.com/vaiopeople

R3 - Default URLSearchHook is missing

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll

O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe

O4 - HKLM\..\Run: [AtiPTA] Atiptaxx.exe

O4 - HKCU\..\Run: [sTYLEXP] C:\Program Files\TGTSoft\StyleXP\StyleXP.exe -Hide

O4 - HKCU\..\Run: [ramidle] C:\Program Files\RAMIdle.exe

O4 - HKCU\..\Run: [POP-Stopper-IE] "C:\Program Files\POP-Stopper-IE\POP-Stopper-IE.exe"

O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html

O8 - Extra context menu item: Backward &Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html

O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html

O8 - Extra context menu item: Si&milar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html

O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html

O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll

O14 - IERESET.INF: START_PAGE_URL=http://www.sony.com/vaiopeople

 

 

 

About buster log-

 

-- Scan 1 --------

About:Buster Version 1.27

Removed! : C:\WINDOWS\mabln.dat

Removed! : C:\WINDOWS\gluha.dat

Removed! : C:\WINDOWS\qvgfu.dat

Removed! : C:\WINDOWS\qvgfu.dll

Attempted Clean Of Temp folder.

Removed Uninstall Key (HSA)

Removed Uninstall Key (SE)

Removed Uninstall Key (SW)

Pages Reset... Done!


Try This:

 

Search for the following registry key:

 

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs

 

If it's there, you absolutely have to remove this key. The value of this key may look blank for you, but it is not. They hide the value so you can't see it. This registry key tells Windows to load the trojan DLL (qvgfu.dll) every time ANY application is run, giving it complete control to do whatever it wants. So you need to remove it so that the trojan DLL cannot load and keep re-infecting your pc.

 

The way to remove the registry key is not obvious. If you just delete it from regedit, since the trojan DLL is loaded, it will re-add it right back. (Try it. Delete the AppInit_DLLs registry key and hit F5. Notice that it's added right back by the trojan). So what you have to do is the following which worked for me.

 

1. Rename the HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows folder to Windows2.

2. Now delete the AppInit_DLLs key under the Windows2 folder.

3. Hit F5 and notice that AppInit_DLLs doesn't come back.

4. Rename the Windows2 folder back to Windows.

 

Now that AppInit_DLLs is gone, run the latest Adaware 6 to remove the trojan for good. Reboot your machine. Check the registry and make sure AppInit_DLLs is still gone. Your computer should be free of this for good now."

 

 

hth
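
The re-infection described in the post above is visible in the logs earlier in this thread as file names that change from one scan to the next. As an added example (not part of the original post and not HijackThis code), this Python script flags the three entry patterns the helpers ticked and compares excerpts of the 7/12 and 7/13 logs; the function names `flag` and `compare` and the matching heuristics are assumptions made for illustration.

```python
import re

# Sample input: a few lines excerpted from the 7/12 (first) and 7/13 logs in this thread.
LOG_0712 = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://hmrcs.dll/index.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\hmrcs.dll/sp.html#28129
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://www.sony.com/vaiopeople
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: (no name) - {DA4303A4-7F0E-EE37-6476-E29A5C3B85F5} - C:\WINDOWS\syssu32.dll
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [ntuk32.exe] C:\WINDOWS\system32\ntuk32.exe
O4 - HKLM\..\RunOnce: [ieql32.exe] C:\WINDOWS\system32\ieql32.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
"""
LOG_0713 = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://qvgfu.dll/index.html#28129
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\qvgfu.dll/sp.html#28129
O2 - BHO: (no name) - {6F75BAB9-BE16-C13A-26FA-CE58E0A63D03} - C:\WINDOWS\javayi32.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [ntuk32.exe] C:\WINDOWS\system32\ntuk32.exe
O4 - HKLM\..\Run: [javawv32.exe] C:\WINDOWS\system32\javawv32.exe
O4 - HKLM\..\RunOnce: [netiy.exe] C:\WINDOWS\netiy.exe
"""

# "<section> - <body>", e.g. "O4 - HKLM\..\Run: [x] path"
ENTRY = re.compile(r"^([RO]\d{1,2}) - (.+)$")
# IE page value pointing into a DLL resource, with or without a full path
RES_DLL = re.compile(r"= res://(?:[^/]*\\)?([^\\/]+\.dll)/", re.I)
# Browser Helper Object with no display name, loaded from the Windows directory
BHO = re.compile(r"^BHO: \(no name\) - \{[0-9A-F-]+\} - (C:\\WINDOWS\\.+?\.dll)", re.I)
# Run/RunOnce value whose target lives under the Windows directory
RUN = re.compile(r'^HK(?:LM|CU)\\\.\.\\Run(?:Once)?: \[(.+?)\] "?(C:\\WINDOWS\\[^"]+)', re.I)


def flag(log):
    """Return {(reason, artifact)} for entries matching the patterns seen in this thread."""
    hits = set()
    for line in log.splitlines():
        m = ENTRY.match(line.strip())
        if not m:
            continue
        section, body = m.groups()
        if section in ("R0", "R1") and (r := RES_DLL.search(body)):
            hits.add(("ie-page-in-dll", r.group(1).lower()))
        elif section == "O2" and (b := BHO.match(body)):
            hits.add(("nameless-bho", b.group(1).lower()))
        elif section == "O4" and (u := RUN.match(body)):
            name, path = u.group(1).lower(), u.group(2).strip().lower()
            # Heuristic: the registry value is named after the file it launches.
            if path.rsplit("\\", 1)[-1] == name:
                hits.add(("self-named-run", path))
    return hits


def compare(before, after):
    """Split flagged artifacts into those that survived, disappeared, or newly appeared."""
    a, b = flag(before), flag(after)
    return {"survived": a & b, "gone": a - b, "new": b - a}


if __name__ == "__main__":
    for state, items in compare(LOG_0712, LOG_0713).items():
        for reason, artifact in sorted(items):
            print(f"{state:9} {reason:15} {artifact}")
```

A non-empty "new" set after a cleanup pass means something still running is rewriting the entries, which is the situation the AppInit_DLLs advice addresses.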


Theog, did you make that Hijackthis log before you ran about:buster?
