Spyware problem [CLOSED]


#1 yafim (Member, 116 posts)
Hey all, a long time ago I had this problem, but I don't remember how I solved it.
My problem is that I entered a site, and then a small red circle with a white X on it appeared in the Windows taskbar. I scanned my computer with Ad-Aware and Spybot several times and found some problems. I deleted what I could, but I'm not sure that's all, because there are still some problems and the red circle is still there on startup. If you know what I need to do and can tell me, or direct me to a post already solving this, I'll appreciate it a lot. Thanks :)

HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 7:11:22 PM, on 11/13/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINXP\System32\smss.exe
C:\WINXP\system32\csrss.exe
C:\WINXP\system32\services.exe
C:\WINXP\system32\lsass.exe
C:\WINXP\system32\svchost.exe
C:\WINXP\System32\svchost.exe
C:\WINXP\System32\svchost.exe
C:\WINXP\System32\svchost.exe
C:\WINXP\system32\spoolsv.exe
C:\WINXP\VXNlcg\command.exe
C:\WINXP\System32\svchost.exe
C:\WINXP\System32\svchost.exe
C:\WINXP\System32\igfxtray.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\ICQLite\ICQLite.exe
C:\PROGRA~1\MOZILL~1\firefox.exe
C:\Documents and Settings\Spawn\Desktop\Hijack\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = c:\secure32.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = c:\secure32.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = c:\secure32.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = c:\secure32.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = c:\secure32.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = c:\secure32.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {78364D99-A640-4ddf-B91A-67EFF8373045} - C:\WINXP\System32\appwiz.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINXP\System32\msdxm.ocx
O4 - HKLM\..\Run: [IMJPMIG8.1] C:\WINXP\IME\imjp8_1\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINXP\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINXP\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [IgfxTray] C:\WINXP\System32\igfxtray.exe
O4 - HKLM\..\Run: [StormCodec_Helper] "C:\Program Files\Ringz Studio\Storm Codec\StormSet.exe" /S /opti
O4 - HKLM\..\Run: [dptracker] C:\Program Files\DigitalPeers\CamTrack\dptracker.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ixproxy] C:\WINXP\ixproxy.exe
O4 - HKLM\..\Run: [PayTime] C:\WINXP\System32\paytime.exe
O4 - HKLM\..\Run: [timessquare] c:\windows\timessquare.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [ixproxy] C:\WINXP\ixproxy.exe
O4 - HKCU\..\Run: [PayTime] C:\WINXP\System32\paytime.exe
O4 - HKCU\..\Run: [klop] C:\WINXP\2DD.tmp
O4 - HKCU\..\Run: [Windows installer] C:\winstall.exe
O4 - HKCU\..\RunOnce: [ICQ Lite] C:\Program Files\ICQLite\ICQLite.exe -trayboot
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra button: 易趣购物 - {DE60714F-AC17-427e-861A-FD60CBDF119A} - http://click2.ad4all...ge/url.asp?id=1 (file missing)
O9 - Extra 'Tools' menuitem: 易趣购物 - {DE60714F-AC17-427e-861A-FD60CBDF119A} - http://click2.ad4all...ge/url.asp?id=1 (file missing)
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zon...kr.cab31267.cab
O16 - DPF: {346685E3-C383-11CF-A5A4-00AA00A45705} (ActiveX Control) - http://web-imd.gonex.../SISActiveX.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1115152777397
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zon...nt.cab31267.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O16 - DPF: {D79B6F43-F214-4E7A-9ECB-CCC8771F2416} (LauncherV1 Class) - http://www.tapuz.co....in/launcher.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://www.shockwave...aploader_v6.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: cert32 - C:\WINXP\SYSTEM32\cert32.dll
O20 - Winlogon Notify: igfxcui - C:\WINXP\SYSTEM32\igfxsrvc.dll
O21 - SSODL: SysTray.Excn2 - {1722ECFF-4356-4f5b-B534-E67294FE75E9} - C:\WINXP\System32\enpfopnn.dll
O21 - SSODL: SysTray.Exsn - {2368D1FC-2F5C-4f1b-B124-E67214FC78E2} - C:\WINXP\System32\ffgggkpm.dll
O21 - SSODL: SysTray.Exgl - {636821FC-6F5C-2f1b-B164-E67214F678E2} - C:\WINXP\System32\phmbljkh.dll
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINXP\VXNlcg\command.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe


Thanks again. :)

#2 don77 (Malware Expert, Retired Staff, 18,526 posts)
Hi there yafim,
You have quite a few nasties running here.

Please review the following instructions closely. Please print them out or save them to Notepad in a handy place so that you have access to them.

Download CWShredder Here to its own folder.

Update CWShredder
  • Open CWShredder and click I AGREE
  • Click Check For Update
  • Close CWShredder
Download smitRem.exe (developed by noahdfear) and save the file to your desktop.
Double click on the file to extract it to its own folder on the desktop.

Place a shortcut to Panda ActiveScan on your desktop.

Please download the trial version of Ewido Security Suite here:
http://www.ewido.net/en/download/

Please read Ewido Setup Instructions
Install it, and update the definitions to the newest files. Do NOT run a scan yet.

If you have not already installed Ad-Aware SE 1.06, follow these download and setup instructions, otherwise, check for updates:
Ad-Aware SE Setup
Don't run it yet!

Next, please reboot your computer in SafeMode by doing the following:
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
  • Instead of Windows loading as normal, a menu should appear
  • Select the first option, to run Windows in Safe Mode.
  • Now run CWShredder. Click I Agree, then Fix, then Next, and let it fix everything it asks about.
  • Close out CWShredder
Now scan with HJT and place a checkmark next to each of the following items:
===================================================
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = c:\secure32.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = c:\secure32.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = c:\secure32.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = c:\secure32.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = c:\secure32.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = c:\secure32.html
O2 - BHO: (no name) - {78364D99-A640-4ddf-B91A-67EFF8373045} - C:\WINXP\System32\appwiz.dll
O4 - HKLM\..\Run: [ixproxy] C:\WINXP\ixproxy.exe
O4 - HKLM\..\Run: [PayTime] C:\WINXP\System32\paytime.exe
O4 - HKLM\..\Run: [timessquare] c:\windows\timessquare.exe
O4 - HKCU\..\Run: [ixproxy] C:\WINXP\ixproxy.exe
O4 - HKCU\..\Run: [PayTime] C:\WINXP\System32\paytime.exe
O4 - HKCU\..\Run: [klop] C:\WINXP\2DD.tmp
O4 - HKCU\..\Run: [Windows installer] C:\winstall.exe
O9 - Extra button: 易趣购物 - {DE60714F-AC17-427e-861A-FD60CBDF119A} - http://click2.ad4all...ge/url.asp?id=1 (file missing)
O9 - Extra 'Tools' menuitem: 易趣购物 - {DE60714F-AC17-427e-861A-FD60CBDF119A} - http://click2.ad4all...ge/url.asp?id=1 (file missing)
O20 - Winlogon Notify: cert32 - C:\WINXP\SYSTEM32\cert32.dll
O21 - SSODL: SysTray.Excn2 - {1722ECFF-4356-4f5b-B534-E67294FE75E9} - C:\WINXP\System32\enpfopnn.dll
O21 - SSODL: SysTray.Exsn - {2368D1FC-2F5C-4f1b-B124-E67214FC78E2} - C:\WINXP\System32\ffgggkpm.dll
O21 - SSODL: SysTray.Exgl - {636821FC-6F5C-2f1b-B164-E67214F678E2} - C:\WINXP\System32\phmbljkh.dll

===================================================
Make sure all open windows are closed and click on "Fix Checked".


Next,
Open the smitRem folder, then double click the RunThis.bat file to start the tool. Follow the prompts on screen.
Wait for the tool to complete and disk cleanup to finish.

The tool will create a log named smitfiles.txt in the root of your drive, e.g. Local Disk C:, or the partition where your operating system is installed. Please post that log along with all others requested in your next reply.


Open Ad-aware and do a full scan. Remove all it finds.


Run Ewido:
  • Click on scanner
  • Click on Complete System Scan and the scan will begin.
  • NOTE: During some scans with ewido it is finding cases of false positives.
  • You will need to step through the process of cleaning files one-by-one.
  • If ewido detects a file you KNOW to be legitimate, select none as the action.
  • DO NOT select "Perform action on all infections"
  • If you are unsure of any entry found select none for now.
  • When the scan is finished, click the Save report button at the bottom of the screen.
  • Save the report to your desktop
Close Ewido

Next, go to Control Panel, click Display > Desktop > Customize Desktop > Web, and uncheck "Security Info" if present.

Reboot back into Windows and click the Panda ActiveScan shortcut, then do a full system scan. Make sure the autoclean box is checked!
Save the scan log and post it along with a new HijackThis Log, the contents of the smitfiles.txt log and the Ewido Log by using Add Reply.
Let us know if any problems persist.


We will have a bit more to do after this so please be patient :)
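
The "Fix Checked" list above (and the log in the opening post) is easier to follow once you know which registry location each HijackThis section code stands for and why those particular entries stand out. The Python script below is an added example written for this page; it is not a HijackThis, smitRem or Geeks to Go tool. It parses a subset of the posted log lines (copied verbatim as constructed sample input), maps each section code to the autostart location HJT read it from, and applies a few triage heuristics: an IE start page set to a local HTML file, Run entries that execute a .tmp file or a file in the drive root, the same file registered in more than one Run key, a Winlogon Notify package outside a small allowlist, an SSODL entry that borrows the genuine "SysTray" name without loading stobject.dll, a service with no company name, and a service directory whose name is a base64 word (VXNlcg decodes to "User"). The allowlist and the heuristics are the example's own assumptions: they are hints for review, not verdicts.

```python
"""Triage a HijackThis (HJT) log: map entries to the autostart location they came from and flag oddities."""
import base64
import re
from collections import Counter

# Constructed sample input: a subset of the HijackThis log posted in this thread.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = c:\secure32.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = c:\secure32.html
O4 - HKLM\..\Run: [IgfxTray] C:\WINXP\System32\igfxtray.exe
O4 - HKLM\..\Run: [ixproxy] C:\WINXP\ixproxy.exe
O4 - HKCU\..\Run: [ixproxy] C:\WINXP\ixproxy.exe
O4 - HKCU\..\Run: [klop] C:\WINXP\2DD.tmp
O4 - HKCU\..\Run: [Windows installer] C:\winstall.exe
O20 - Winlogon Notify: cert32 - C:\WINXP\SYSTEM32\cert32.dll
O20 - Winlogon Notify: igfxcui - C:\WINXP\SYSTEM32\igfxsrvc.dll
O21 - SSODL: SysTray.Excn2 - {1722ECFF-4356-4f5b-B534-E67294FE75E9} - C:\WINXP\System32\enpfopnn.dll
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINXP\VXNlcg\command.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
"""

# Registry location each section code is read from; "Fix checked" removes the entry there (R0/R1 are reset).
LOCATION = {
    "R0": r"<hive>\Software\Microsoft\Internet Explorer\Main (Start Page, Local Page)",
    "R1": r"<hive>\Software\Microsoft\Internet Explorer\Main (Default_Page_URL, search URLs, Window Title)",
    "O2": r"HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{CLSID}",
    "O4": r"<hive>\Software\Microsoft\Windows\CurrentVersion\Run or RunOnce (or a Startup folder)",
    "O20": r"HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\<package>",
    "O21": r"HKLM\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad",
    "O23": r"HKLM\System\CurrentControlSet\Services\<service name>",
}
# Partial allowlist of Winlogon Notify packages normally present on XP (an assumption
# made for this example; real triage relies on a maintained list).
KNOWN_NOTIFY = {"crypt32chain", "cryptnet", "cscdll", "sccertprop", "schedule",
                "sclgntfy", "senslogn", "termsrv", "wlballoon", "igfxcui"}
GENUINE_SYSTRAY_DLL = "stobject.dll"  # the DLL behind the real "SysTray" SSODL entry
ENTRY_RE = re.compile(r"^(?P<sec>[RO]\d+) - (?P<body>.+)$")

def extract_path(body):
    """Return the Windows path an entry points at, or '' if there is none."""
    quoted = re.search(r'"([A-Za-z]:\\[^"]*)"', body)
    if quoted:
        return quoted.group(1)
    m = re.search(r"[A-Za-z]:\\.*", body)
    if not m:
        return ""
    # Drop command-line switches and HJT's "(file missing)" note.
    return re.split(r" (?:/|-[A-Za-z])| \(file missing\)", m.group(0))[0].strip()

def base64_word(token):
    """Decode a directory name as unpadded base64; return it if printable ASCII ('VXNlcg' -> 'User'), else ''."""
    if len(token) < 6 or not token.isalnum() or len(token) % 4 == 1:
        return ""
    try:
        text = base64.b64decode(token + "=" * (-len(token) % 4), validate=True).decode("ascii")
    except ValueError:  # covers binascii.Error and UnicodeDecodeError
        return ""
    return text if text.isprintable() else ""

def indicators(sec, body, path):
    """Heuristic flags for one entry: hints for review, not verdicts."""
    flags, low = [], path.lower()
    name = low.rsplit("\\", 1)[-1]
    if sec in ("R0", "R1") and re.fullmatch(r"[a-z]:\\.*\.html?", low):
        flags.append("IE start/default page set to a local HTML file instead of a URL")
    if sec == "O4" and name.endswith(".tmp"):
        flags.append("Run entry executes a .tmp file")
    if sec == "O4" and re.fullmatch(r"[a-z]:\\[^\\]+", low):
        flags.append("Run entry executes a file from the drive root")
    if sec in ("O20", "O21"):
        entry_name = body.split(":", 1)[1].split(" - ")[0].strip().lower()
        if sec == "O20" and entry_name not in KNOWN_NOTIFY:
            flags.append("Winlogon Notify package not on the allowlist (its DLL loads into winlogon.exe)")
        if sec == "O21" and entry_name.startswith("systray") and name != GENUINE_SYSTRAY_DLL:
            flags.append(f"SSODL entry borrows the SysTray name but loads {name}, not {GENUINE_SYSTRAY_DLL}")
    if sec == "O23" and "Unknown owner" in body:
        flags.append("service binary carries no company name in its version info")
    for part in path.split("\\")[1:-1]:  # directory components only
        if base64_word(part):
            flags.append(f"directory name {part!r} is base64 for {base64_word(part)!r}")
    return flags

def triage(log):
    """Parse every HJT entry in `log`; attach its fix location and flags."""
    entries = []
    for line in log.strip().splitlines():
        m = ENTRY_RE.match(line)
        if m:
            path = extract_path(m["body"])
            entries.append({"section": m["sec"], "line": line, "path": path,
                            "location": LOCATION.get(m["sec"], "(not mapped here)"),
                            "flags": indicators(m["sec"], m["body"], path)})
    # Cross-entry check: the same file autostarted from more than one Run key (HKLM and
    # HKCU here), a redundancy legitimate software rarely needs.
    targets = Counter(e["path"].lower() for e in entries if e["section"] == "O4" and e["path"])
    for e in entries:
        if e["section"] == "O4" and targets[e["path"].lower()] > 1:
            e["flags"].append("same file is registered in more than one Run key")
    return entries

if __name__ == "__main__":
    for e in triage(SAMPLE_LOG):
        print(("!! " if e["flags"] else "   ") + e["line"] + "\n      fix at: " + e["location"])
        for flag in e["flags"]:
            print("      - " + flag)
```

Run it directly to print a report; each line marked `!!` carries at least one flag, and the "fix at" line shows what the helper's "Fix Checked" step actually touches for that section. The heuristics are deliberately simple: the helper's list also includes entries, such as the O9 button and paytime.exe, that they do not catch, and a hit such as an unlisted Winlogon Notify package still needs a person to confirm it before anything is deleted.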

#3 yafim (Topic Starter, Member, 116 posts)
Okay, I downloaded all the things you asked and ran Ewido, then I tried to move on and start my system in Safe Mode, but when I entered my account in Safe Mode the CWShredder and HijackThis programs just didn't work (I clicked on the icon and nothing happened), so do I choose "Safe Mode with Networking" or something else?

#4 don77 (Malware Expert, Retired Staff, 18,526 posts)
Run CWShredder in normal mode.
Are you the only user on this machine? Do you have admin rights?

Post back the report.txt from Ewido along with a fresh HJT log please.

#5 yafim (Topic Starter, Member, 116 posts)
I'm not the only user, but I have admin rights, I think; the other user is called "admin" but I don't know the password to it.

Anyhow, now CWShredder and HijackThis (and probably everything else) aren't working in normal mode either... what's next?

#6 don77 (Malware Expert, Retired Staff, 18,526 posts)
How did you post the original HJT log?

#7 yafim (Topic Starter, Member, 116 posts)
I don't know. I downloaded the HijackThis program and ran it, but then, after I scanned my computer with Ewido or maybe after the use of Safe Mode, it stopped starting when I clicked on it.

#8 yafim (Topic Starter, Member, 116 posts)
Oh, and another thing that might help you know what the problem is:
I downloaded "Daemon Tools" just before the spyware hit my computer, from a site that probably gave me the spyware, and the program didn't work that well, so I'm guessing it's a bad version and I wanted to delete it. But when I went to Control Panel --> Add/Remove and clicked to remove it, the computer shuts down as it's "preparing for uninstallation" etc. (this happens with other programs also, I think).

Do you know how I should go on? (I heard of this new virus that doesn't allow you to work on any of your files, just see them; maybe that's what's happening here)...

#9 don77 (Malware Expert, Retired Staff, 18,526 posts)
Download CWShredder again please, and run it from normal mode as soon as you download it.
Make sure it is updated and be sure to click the "Fix" button; let it run and fix whatever it finds please.

Let me know how you make out with that.

#10 yafim (Topic Starter, Member, 116 posts)
I downloaded it again, but still, when I click on the exe file nothing happens, no program starts... should I try in Safe Mode again?

#11 don77 (Malware Expert, Retired Staff, 18,526 posts)
See if you can run this online scan: ActiveScan.
When it has completed scanning it will give you an option to save the log; please do so and post it back here for me.

#12 yafim (Topic Starter, Member, 116 posts)
The Panda ActiveScan didn't give me any "Save log" option, but it said that it found 0 viruses/spyware etc., meaning the scan ended with a clean report, nothing found... maybe it's not so good if it doesn't find anything, because I know there are some things wrong in my computer.
The problem I want to solve now is why programs like CWShredder won't start, and why my computer shuts down automatically when I try to uninstall my "Daemon Tools" and "Alcohol 120%" programs.

#13 yafim (Topic Starter, Member, 116 posts)
Do you have any clues as to what to do next? I'm only nagging because this is really urgent for me... this computer problem is keeping me from working on my C++ homework...

#14 don77 (Malware Expert, Retired Staff, 18,526 posts)
Sorry for the delay.

Please download ewido security suite; it is a trial version of the program.
  • Install ewido security suite
  • When installing, under "Additional Options" uncheck "Install background guard" and "Install scan via context menu".
  • Launch ewido, there should be an icon on your desktop double-click it.
  • The program will now go to the main screen
You will need to update ewido to the latest definition files.
  • On the left hand side of the main screen click update
  • Then click on Start Update
The update will start and a progress bar will show the updates being installed.
If you are having problems with the updater, you can use this link to manually update ewido.
ewido manual updates

Once the updates are installed do the following:
  • Click on scanner
  • Click on Complete System Scan and the scan will begin.
  • While the scan is in progress you will be prompted to clean files, click OK
  • When it asks if you want to clean the first file, put a check in the lower left corner of the box that says "Perform action on all infections" then choose clean and click OK.
  • Once the scan has completed, there will be a button located on the bottom of the screen named Save report
  • Click Save report.
  • Save the report .txt file to your desktop.
Now close ewido security suite.

Please post back the report.txt.

#15 don77 (Malware Expert, Retired Staff, 18,526 posts)
Due to lack of feedback, this topic has been closed.

If you need this topic reopened, please contact a staff member. This applies only to the original topic starter. Everyone else please begin a New Topic.