Kondros

where to get hijack this, and how to solve this.

7 posts in this topic

I've got...

ADW scanportal A

Turown.A and C

JS Cidexploit B

I thought I also saw something with I rule you or whatever... Perhaps I can do like a check?

I've tried everything... many virus scanners, ad-aware, spybots, housecall, AVG, tauscan.

When I ran tauscan my other scanner AVG went crazy... They all show different files... I deleted some like setup_td.exe but I don't know if it will work... I read something about system restore but I don't understand it. I also don't know when I got these viruses, or spyware... whatever it is.

Can someone help me do a complete checkup with hijack... and where to get it

I would be so thankful


We need a closer look at what's happening.

Please download Hijack this

Copy it into its own folder, doubleclick HijackThis.exe, and hit "Scan".

 

When the scan is finished, the "Scan" button will change into a "Save Log" button.

Press that, save the log, do Ctrl-A to Select All, and copy its contents here. Most of what it lists will be harmless or even essential, don't fix anything yet.


OK... btw, I did another scan... and the turown is back... he's in my system restore (and then a pile of letters and numbers) :)

How do I get rid of it from there.... I'm gonna download hijack and I'll post my results here :)


Logfile of HijackThis v1.97.7

Scan saved at 11:57:37, on 26/06/2004

Platform: Windows XP SP1 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

 

Running processes:

C:\WINDOWS.000\System32\smss.exe

C:\WINDOWS.000\system32\winlogon.exe

C:\WINDOWS.000\system32\services.exe

C:\WINDOWS.000\system32\lsass.exe

C:\WINDOWS.000\system32\svchost.exe

C:\WINDOWS.000\System32\svchost.exe

C:\WINDOWS.000\system32\spoolsv.exe

C:\PROGRA~1\Grisoft\AVG6\avgserv.exe

C:\WINDOWS.000\System32\nvsvc32.exe

C:\Program Files\Messenger Plus! 2\MsgPlus.exe

C:\Program Files\Common Files\Real\Update_OB\realsched.exe

C:\WINDOWS.000\System32\rundll32.exe

C:\Program Files\D-Tools\daemon.exe

C:\WINDOWS.000\System32\devldr32.exe

C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe

C:\Program Files\Winamp\winampa.exe

C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

C:\Program Files\MSN Messenger\msnmsgr.exe

C:\WINDOWS.000\explorer.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Winamp\WINAMP.EXE

C:\Program Files\Grisoft\AVG6\avgw.exe

C:\Documents and Settings\Billie\Desktop\HijackThis.exe

 

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\WINDOWS.000\System32\sb.htm

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.seekseek.com/quicksearch.asp?se...8&version_id=18

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=proxy.pandora.be:8080

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =

R3 - URLSearchHook: (no name) - {D6DFF6D8-B94B-4720-B730-1C38C7065C3B} - (no file)

O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx

O2 - BHO: DefaultSearch.SeekSeek - {5074851C-F67A-488E-A9C9-C244573F4068} - C:\WINDOWS.000\ieasst.dll

O2 - BHO: NavErrRedir Class - {5D60FF48-95BE-4956-B4C6-6BB168A70310} - C:\PROGRA~1\INCRED~1\BHO\INCFIN~1.DLL

O2 - BHO: (no name) - {FE06A078-D13C-42D1-8440-F6ED0F89E994} - C:\WINDOWS.000\System32\mfcanns32.dll

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS.000\System32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [MessengerPlus2] "C:\Program Files\Messenger Plus! 2\MsgPlus.exe"

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

O4 - HKLM\..\Run: [AME_CSA] rundll32 amecsa.cpl,RUN_DLL

O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k

O4 - HKLM\..\Run: [slmss] C:\Program Files\Common Files\slmss\slmss.exe

O4 - HKLM\..\Run: [Mwsvm] C:\WINDOWS.000\mwsvm.exe

O4 - HKLM\..\Run: [couponsandoffers] wjview /cp:p "C:\Program Files\couponsandoffers\System\Code" Main lp: "C:\Program Files\couponsandoffers"

O4 - HKLM\..\Run: [AEHKNR] C:\WINDOWS\AEHKNR.exe

O4 - HKLM\..\Run: [updater] C:\Program Files\Common files\updater\wupdater.exe

O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033

O4 - HKLM\..\Run: [fash] C:\WINDOWS.000\fash.exe

O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP

O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS.000\system32\NeroCheck.exe

O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe

O4 - HKLM\..\Run: [Tau Monitor] C:\PROGRA~1\AGNITUM\TAUSCA~1.7\taumon.exe

O4 - HKLM\..\Run: [swatIt] C:\PROGRA~1\SWATIT~1.1\SwatIt.exe /tray

O4 - HKCU\..\Run: [MessengerPlus2] "C:\Program Files\Messenger Plus! 2\MsgPlus.exe" /WinStart

O4 - HKCU\..\Run: [spySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe /0

O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background

O8 - Extra context menu item: E&xporteren naar Microsoft Excel - res://C:\PROGRA~1\MICROS~1\Office10\EXCEL.EXE/3000

O9 - Extra 'Tools' menuitem: Turbo Download (HKLM)

O9 - Extra button: Messenger (HKLM)

O9 - Extra 'Tools' menuitem: Messenger (HKLM)

O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll

O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll

O16 - DPF: ChatSpace Java Client 2.1.0.84N - http://about.chatspace.com/Java/cs4msn084.cab

O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab

O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab

O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwa...ector/swdir.cab

O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab

O16 - DPF: {33564D57-0000-0010-8000-00AA00389B71} - http://download.microsoft.com/download/F/6...922/wmv9VCM.CAB

O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/200305...meInstaller.exe

O16 - DPF: {54823A9D-6BAE-11D5-B519-0050BA2413EB} (ChkDVDCtl Class) - http://www.gocyberlink.com/winxp/CheckDVD.cab

O16 - DPF: {6D5FCFCB-FA6C-4CFB-9918-5F0A9F7365F2} (GigexCtrl ActiveX) - http://www.gigex.com/tv/igor/gigexagent.dll

O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab

O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...StatsClient.cab

O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/...7825.3237268519

O16 - DPF: {AE1C01E3-0283-11D3-9B3F-00C04F8EF466} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab

O16 - DPF: {C7B05B62-C8D7-438C-840B-4994DAAA8EEE} - http://webpdp.gator.com/v3/download/pdpplu...094_hd3sstb.cab

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab

O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://fdl.msn.com/public/chat/msnchat45.cab

O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab

 

 

OK, I hope this can help me... as I said I did another AVG scan and it said the turown A and C are in system restore files :'(

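A HijackThis log such as the one posted above is line-oriented: each entry starts with a section code (R0, R1, R3, O2, O4, ...) followed by " - " and the detail. The following is an added example, not part of the thread and not HijackThis code, that turns such a log into structured entries and lists the ones a helper would look up first. The names `parse_log` and `review_queue` are hypothetical, the sample lines are copied from the log above, and the three review rules are illustrative assumptions that produce prompts for a human, not verdicts.

```python
import re
from collections import defaultdict

# Sample lines copied from the log posted above (HijackThis v1.97.7 layout).
SAMPLE_LOG = r"""
Running processes:
C:\WINDOWS.000\explorer.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\WINDOWS.000\System32\sb.htm
R3 - URLSearchHook: (no name) - {D6DFF6D8-B94B-4720-B730-1C38C7065C3B} - (no file)
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
"""

ENTRY = re.compile(r"^([A-Z]\d{1,2}) - (.*)$")  # section code, then detail
CLSID_ITEM = re.compile(  # R3 / O2 style: kind: name - {CLSID} - file
    r"^(?P<kind>[^:]+): (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]{36}\}) - (?P<target>.*)$")
RUN_ITEM = re.compile(r"^(?P<hive>HK\w+)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]+)\] (?P<command>.*)$")

def parse_log(text):
    """Return {section_code: [entry, ...]} for the R*/O* lines of a log."""
    sections = defaultdict(list)
    for line in text.splitlines():
        m = ENTRY.match(line.strip())
        if not m:
            continue  # header, blank line or a running-process path
        entry = {"code": m.group(1), "raw": m.group(2)}
        for pattern in (CLSID_ITEM, RUN_ITEM):
            fields = pattern.match(entry["raw"])
            if fields:
                entry.update(fields.groupdict())
                break
        sections[entry["code"]].append(entry)
    return dict(sections)

def review_queue(sections):
    """Assumed triage rules: entries to look up first, not a verdict on them."""
    queue = []
    for e in (e for entries in sections.values() for e in entries):
        if e.get("target") == "(no file)":
            queue.append((e["code"], e["clsid"], "log shows no file for this object"))
        elif e.get("name") == "(no name)":
            queue.append((e["code"], e["clsid"], "unnamed object, identify it by CLSID"))
        elif "command" in e and "\\" not in e["command"]:
            queue.append((e["code"], e["name"], "autostart command has no full path"))
    return queue

if __name__ == "__main__":
    for item in review_queue(parse_log(SAMPLE_LOG)):
        print(item)
```
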

Hey I had the same problem as you. Try this forum link and look on the second page of the posts.

 

http://www.dslreports.com/forum/remark%2C1...urity~mode=flat

 

It seems that the trojan resides in the following registry key:

 

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_DLLs

 

EXCEPT when I used windows XP regedit the VALUE for the key was empty. When the key was viewed with RegLite (info below) alas there it was. Anyway I am providing the text from that forum thread in case you can't find it.

 

The following is from NexusUK who deserves all the credit for this solution

 

b4 following these instructions TURN OFF system restore (or it will just return)

 

1) Download reglite (http://www.resplendence.com/)

 

2) install "Reglite" and run it, enter HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_DLLs into the address bar.

 

3) Double click on AppInit_DLLs to open a "Data Editor" properties window, if the bottom textfield named "Value" contains a .dll file; then this is the hidden file you need to get rid of.

 

4) You should not be able to delete this file if you try to clear the value field, IMPORTANT: take note of the path and name of the .dll file. Write it down so you do not forget it.

 

5) Rename the Folder "Windows" (This is a purple "highlighted" folder in the left hand window) to NOTWINDOWS. Simply click on the folder, click on "Edit" in the menu bar and select "Rename".

 

6) Click AppInit_DLLs again and clear the value containing the .dll and ok it. This should have removed the .dll

 

7) Rename the windows folder back to its original name "Windows".

 

8) Run SpyBot, Ad-Aware and CWShredder to clean last bits away

 

My computer had been using way more memory than usual. But after using this fix everything is back to normal. One last thing - I now am using Mozilla browser. Internet Explorer is junk, did you see the latest security flaw?


Kandros. To disable system restore, right-click on My Computer.

Select the Properties option. Go to the system restore tab, and put a checkmark in the "turn off system restore" box. Click apply, OK.

 

Reboot. That will have removed all previous infected restore points.

Now repeat the above procedure, this time removing the checkmark.

 

Then set a clean restore point.

Go to Start>help & support.

Click on "undo changes to my computer with system restore."

Click on set a new restore point, and follow the prompts.

No registry editing, or running of CWShredder is needed.
