I uninstalled EVERYTHING on the machine except Windows XP and antivirus stuff before I started the whole process. I ran Ewido, Ad-Aware, AVG more times than I can remember, always in safe mode and always after doing smitrem. HijackThis never showed anything unusual. Here was a typical HijackThis file WHILE the machine was infected:
Logfile of HijackThis v1.99.1
Scan saved at 11:10:26 PM, on 12/28/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\devldr32.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
http://www.armstrongmywire.com/index.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
http://www.armstrongmywire.com/index.php
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\RunOnce: [MicrosoftAntiSpywareCleaner] C:\Program Files\Microsoft AntiSpyware\gcASCleaner.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) -
http://www.kaspersky.com/downloads/kws/ ... nicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) -
http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {3DC2E31C-371A-4BD3-9A27-CDF57CE604CF} (MSN Money Charting) -
http://moneycentral.msn.com/cabs/pmupd806.exe
O16 - DPF: {544EB377-350A-4295-9BEB-EAB8392E09C6} (MSN Money Charting) -
http://fdl.msn.com/public/investor/v13/invinstl.exe
O16 - DPF: {712D42CD-3513-473E-96E8-019C9AD78F1A} (MSN Money QuickList) -
http://moneycentral.msn.com/cabs/pmupdate2.exe
O16 - DPF: {7F8C8173-AD80-4807-AA75-5672F22B4582} (ICSScanner Class) -
http://download.zonelabs.com/bin/promot ... r37490.cab
O16 - DPF: {963BE66B-121D-4E6C-BF9F-1A774D9A2E41} (MSN Money Charting) -
http://moneycentral.msn.com/cabs/pmupdate.exe
O16 - DPF: {EF0DBA6F-43CE-4B26-9808-2AB38FA0DB29} (MSN Money Ticker) -
http://fdl.msn.com/public/investor/v13/ticker.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{B65476B8-EAE6-4329-9EC1-B4A15467A181}: NameServer = 67.36.244.32,67.36.240.32
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.EXE
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: IMAPI CD-Burning COM Service (ImapiService) - Roxio Inc. - C:\WINDOWS\System32\ImapiRox.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
Here was a typical smitrem file:
smitRem © log file
version 2.8
by noahdfear
Microsoft Windows XP [Version 5.1.2600]
The current date is: Wed 12/28/2005
The current time is: 22:05:01.87
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
checking for ShudderLTD key
ShudderLTD key not present!
checking for PSGuard.com key
PSGuard.com key not present!
spyaxe uninstaller NOT present
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Existing Pre-run Files
~~~ Program Files ~~~
~~~ Shortcuts ~~~
Online Security Guide.url
Online Security Guide.url
~~~ Favorites ~~~
~~~ system32 folder ~~~
~~~ Icons in System32 ~~~
~~~ Windows directory ~~~
~~~ Drive root ~~~
~~~ Miscellaneous Files/folders ~~~
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright(C) 2002-2003
Craig.Peacock@beyondlogic.org
Killing PID 1628 'explorer.exe'
Starting registry repairs
Deleting files
Remaining Post-run Files
~~~ Program Files ~~~
~~~ Shortcuts ~~~
Online Security Guide.url
Online Security Guide.url
~~~ Favorites ~~~
~~~ system32 folder ~~~
~~~ Icons in System32 ~~~
~~~ Windows directory ~~~
~~~ Drive root ~~~
~~~ Miscellaneous Files/folders ~~~
~~~ Wininet.dll ~~~
CLEAN!
I ran these programs and went through the whole restart/safe mode process, running scans with Ewido, Ad-Aware, and AVG anti-virus at least a dozen times, and it always came back. Kaspersky was finally run and it found this:
-------------------------------------------------------------------------------
KASPERSKY ON-LINE SCANNER REPORT
Wednesday, December 28, 2005 20:53:19
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky On-line Scanner version: 5.0.67.0
Kaspersky Anti-Virus database last update: 29/12/2005
Kaspersky Anti-Virus database records: 168084
-------------------------------------------------------------------------------
Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true
Scan Target - My Computer:
A:\
C:\
D:\
E:\
Scan Statistics:
Total number of scanned objects: 45209
Number of viruses found: 5
Number of infected objects: 13
Number of suspicious objects: 0
Duration of the scan process: 4227 sec
Infected Object Name - Virus Name
C:\buchxx.chm/on-line.exe Infected: Trojan.Win32.Dialer.ce
C:\buchxx.chm Infected: Trojan.Win32.Dialer.ce
C:\System Volume Information\_restore{CA98B46E-CC96-43F1-9390-221132F9EBFB}\RP581\A0067235.exe Infected: not-a-virus:AdWare.Win32.Gator.d
C:\System Volume Information\_restore{CA98B46E-CC96-43F1-9390-221132F9EBFB}\RP581\A0067236.exe Infected: not-a-virus:AdWare.Win32.Gator.d
C:\System Volume Information\_restore{CA98B46E-CC96-43F1-9390-221132F9EBFB}\RP581\A0067291.exe Infected: not-a-virus:AdWare.Win32.Gator.a
C:\System Volume Information\_restore{CA98B46E-CC96-43F1-9390-221132F9EBFB}\RP581\A0067292.exe Infected: not-a-virus:AdWare.Win32.Gator.a
C:\System Volume Information\_restore{CA98B46E-CC96-43F1-9390-221132F9EBFB}\RP657\A0084631.tlb Infected: Trojan-Downloader.Win32.Zlob.dk
C:\System Volume Information\_restore{CA98B46E-CC96-43F1-9390-221132F9EBFB}\RP658\A0085635.tlb Infected: Trojan-Downloader.Win32.Zlob.dk
C:\System Volume Information\_restore{CA98B46E-CC96-43F1-9390-221132F9EBFB}\RP658\A0085669.tlb Infected: Trojan-Downloader.Win32.Zlob.dk
C:\System Volume Information\_restore{CA98B46E-CC96-43F1-9390-221132F9EBFB}\RP660\A0085744.tlb Infected: Trojan-Downloader.Win32.Zlob.dk
C:\System Volume Information\_restore{CA98B46E-CC96-43F1-9390-221132F9EBFB}\RP660\A0085778.tlb Infected: Trojan-Downloader.Win32.Zlob.dk
C:\System Volume Information\_restore{CA98B46E-CC96-43F1-9390-221132F9EBFB}\RP660\A0086800.tlb Infected: Trojan-Downloader.Win32.Zlob.dk
C:\System Volume Information\_restore{CA98B46E-CC96-43F1-9390-221132F9EBFB}\RP660\A0086804.exe Infected: Trojan-Downloader.Win32.Zlob.bv
System Restore was NEVER run at all during my many hours of scanning. Not until I removed the above items from System Restore did the SpyAxe popup finally go away. I was pretty damn close to fdisking the whole thing before I ran Kaspersky. AVG ran so many times I can't remember and never found anything. Ad-Aware and Ewido would always find the same items and remove them (but they NEVER found anything in System Restore). Kaspersky was the only program to find something that, once removed, made the infection go away.
Really doesn't make sense since a System Restore was NEVER run, but clearing out System Restore finally kicked SpyAxe and its damn pop-up off the machine for good...
Considering adding a second hard drive and migrating everything except Microsoft products to it. That way, when some jackass kid in some part of the world invents something new to corrupt Windows/Explorer/Outlook, etc., only one drive will be messed up and all other files (pics, music, spreadsheets, Word files, etc.) will be safe elsewhere. Then the simple way is just to kill Windows on the 'Microsoft drive' and start over. Spent over 14 hours getting rid of that thing. fdisk and re-install would have been much faster...
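Added example, not part of the post above: a small Python script that parses "Infected:" lines in the shape of the Kaspersky report quoted earlier and separates live files from copies sitting inside System Restore points (the ones that had to be cleared here), so a scan report shows at a glance what a later restore could bring back. The sample lines are constructed from the report above, shortened to a few entries.

```python
import re
from collections import Counter

# Constructed sample in the shape of the Kaspersky On-line Scanner report quoted
# above (same GUID as the post; the list is shortened, not the full report).
SAMPLE_REPORT = r"""
C:\buchxx.chm/on-line.exe Infected: Trojan.Win32.Dialer.ce
C:\buchxx.chm Infected: Trojan.Win32.Dialer.ce
C:\System Volume Information\_restore{CA98B46E-CC96-43F1-9390-221132F9EBFB}\RP581\A0067235.exe Infected: not-a-virus:AdWare.Win32.Gator.d
C:\System Volume Information\_restore{CA98B46E-CC96-43F1-9390-221132F9EBFB}\RP657\A0084631.tlb Infected: Trojan-Downloader.Win32.Zlob.dk
C:\System Volume Information\_restore{CA98B46E-CC96-43F1-9390-221132F9EBFB}\RP660\A0086804.exe Infected: Trojan-Downloader.Win32.Zlob.bv
"""

# "<path> Infected: <verdict>"; paths contain spaces, so match lazily up to the marker.
LINE_RE = re.compile(r"^(?P<path>.+?) Infected: (?P<verdict>\S+)$")
# Restore-point copies live under System Volume Information\_restore{GUID}\RPnnn\
RP_RE = re.compile(r"\\System Volume Information\\_restore\{[^}]+\}\\(RP\d+)\\", re.I)


def family(verdict):
    """'not-a-virus:AdWare.Win32.Gator.d' -> 'AdWare.Win32.Gator' (drop prefix and variant)."""
    return verdict.split(":")[-1].rsplit(".", 1)[0]


def parse_report(text):
    """One dict per 'Infected:' line; header and statistics lines are skipped."""
    findings = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        rp = RP_RE.search(m.group("path"))
        findings.append({
            "path": m.group("path"),
            "verdict": m.group("verdict"),
            "family": family(m.group("verdict")),
            "restore_point": rp.group(1) if rp else None,  # None = live file
        })
    return findings


def summarize(findings):
    """Separate live files from restore-point copies (which System Restore could
    bring back) and tally the restore points and malware families involved."""
    archived = [f for f in findings if f["restore_point"]]
    return {
        "live": len(findings) - len(archived),
        "in_restore_points": len(archived),
        "restore_points": sorted({f["restore_point"] for f in archived}),
        "families": Counter(f["family"] for f in findings),
    }
```

On the full report quoted above, everything except the two buchxx.chm objects falls under _restore{...}, which is exactly the set the poster had to purge.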