
spyaxe crapola....

Discussion in 'Virus & Other Malware Removal' started by bshef, Jan 4, 2006.

Thread Status:
Not open for further replies.
  1. bshef

    bshef Thread Starter

    Joined:
    Nov 9, 2004
    Messages:
    62
    This sux.......
    Been a while since I've had any problems.......but........er.........
    Seem to have gotten "caught" again with something ugly....!
    Any help much appreciated...

    I did the initial suggested steps:
    * Restart your computer into safe mode now. Perform the following steps in safe mode:
    * Open the smitRem folder, then double click the RunThis.bat file to start the tool. Follow the prompts on screen. Wait for the tool to complete and disk cleanup to finish.
    * Run Ewido:
      * Click on scanner
      * Click Complete System Scan and the scan will begin.
      * During the scan it will prompt you to clean files, click OK
      * When the scan is finished, look at the bottom of the screen and click the Save report button.
      * Save the report to your desktop
    * Go to Control Panel > Internet Options. Click on the Programs tab then click the "Reset Web Settings" button. Click Apply then OK.
    * Next go to Control Panel > Display. Click on the "Desktop" tab then click the "Customize Desktop" button. Click on the "Web" tab. Under "Web Pages" you should see an entry checked called something like "Security info" or similar. If it is there, select that entry and click the "Delete" button. Click OK then Apply and OK.
    * Restart back into Windows normally now.
    * Run ActiveScan online virus scan here. When the scan is finished, anything that it cannot clean have it delete it. Make a note of the file location of anything that cannot be deleted so you can delete it yourself.
    - Save the results from the scan!

    Post a new HiJackThis log along with the results from ActiveScan


    Logfile of HijackThis v1.98.2
    Scan saved at 10:05:48 PM, on 1/3/2006
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\System32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Nhksrv.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    C:\WINDOWS\Explorer.EXE
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    C:\Program Files\ewido anti-malware\ewidoctrl.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
    C:\WINDOWS\MMKeybd.exe
    C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    C:\Program Files\WildTangent\Apps\CDA\GameDrvr.exe
    C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
    C:\Program Files\HDD Health\hddhealth.exe
    C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
    C:\Program Files\Netropa\Traymon.exe
    C:\Program Files\Netropa\OSD.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\Hijackthis\HijackThis.exe
    C:\WINDOWS\system32\wuauclt.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://channels.aimtoday.com/search/aimtoolbar.jsp
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://story.news.yahoo.com/news?tmpl=index2&cid=964
    F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,TGBRFV_
    O1 - Hosts: 205.238.40.1 winmx.com
    O1 - Hosts: 205.238.40.1 www.winmx.com
    O1 - Hosts: 205.238.40.1 err.winmx.com
    O1 - Hosts: 205.238.40.1 c3310.z1301.winmx.com
    O1 - Hosts: 205.238.40.1 c3311.z1301.winmx.com
    O1 - Hosts: 205.238.40.1 c3312.z1301.winmx.com
    O1 - Hosts: 205.238.40.1 c3313.z1301.winmx.com
    O1 - Hosts: 205.238.40.1 c3314.z1301.winmx.com
    O1 - Hosts: 82.195.155.5 c3315.z1301.winmx.com
    O1 - Hosts: 82.195.155.5 c3316.z1301.winmx.com
    O1 - Hosts: 82.195.155.5 c3317.z1301.winmx.com
    O1 - Hosts: 82.195.155.5 c3318.z1301.winmx.com
    O1 - Hosts: 82.195.155.5 c3319.z1301.winmx.com
    O1 - Hosts: 205.238.40.1 c3310.z1302.winmx.com
    O1 - Hosts: 205.238.40.1 c3311.z1302.winmx.com
    O1 - Hosts: 205.238.40.1 c3312.z1302.winmx.com
    O1 - Hosts: 205.238.40.1 c3313.z1302.winmx.com
    O1 - Hosts: 205.238.40.1 c3314.z1302.winmx.com
    O1 - Hosts: 82.195.155.5 c3315.z1302.winmx.com
    O1 - Hosts: 82.195.155.5 c3316.z1302.winmx.com
    O1 - Hosts: 82.195.155.5 c3317.z1302.winmx.com
    O1 - Hosts: 82.195.155.5 c3318.z1302.winmx.com
    O1 - Hosts: 82.195.155.5 c3319.z1302.winmx.com
    O1 - Hosts: 205.238.40.1 c3310.z1303.winmx.com
    O1 - Hosts: 205.238.40.1 c3311.z1303.winmx.com
    O1 - Hosts: 205.238.40.1 c3312.z1303.winmx.com
    O1 - Hosts: 205.238.40.1 c3313.z1303.winmx.com
    O1 - Hosts: 205.238.40.1 c3314.z1303.winmx.com
    O1 - Hosts: 82.195.155.5 c3315.z1303.winmx.com
    O1 - Hosts: 82.195.155.5 c3316.z1303.winmx.com
    O1 - Hosts: 82.195.155.5 c3317.z1303.winmx.com
    O1 - Hosts: 82.195.155.5 c3318.z1303.winmx.com
    O1 - Hosts: 82.195.155.5 c3319.z1303.winmx.com
    O1 - Hosts: 205.238.40.1 c3310.z1304.winmx.com
    O1 - Hosts: 205.238.40.1 c3311.z1304.winmx.com
    O1 - Hosts: 205.238.40.1 c3312.z1304.winmx.com
    O1 - Hosts: 205.238.40.1 c3313.z1304.winmx.com
    O1 - Hosts: 205.238.40.1 c3314.z1304.winmx.com
    O1 - Hosts: 82.195.155.5 c3315.z1304.winmx.com
    O1 - Hosts: 82.195.155.5 c3316.z1304.winmx.com
    O1 - Hosts: 82.195.155.5 c3317.z1304.winmx.com
    O1 - Hosts: 82.195.155.5 c3318.z1304.winmx.com
    O1 - Hosts: 82.195.155.5 c3319.z1304.winmx.com
    O1 - Hosts: 205.238.40.1 c3310.z1305.winmx.com
    O1 - Hosts: 205.238.40.1 c3311.z1305.winmx.com
    O1 - Hosts: 205.238.40.1 c3312.z1305.winmx.com
    O1 - Hosts: 205.238.40.1 c3313.z1305.winmx.com
    O1 - Hosts: 205.238.40.1 c3314.z1305.winmx.com
    O1 - Hosts: 82.195.155.5 c3315.z1305.winmx.com
    O1 - Hosts: 82.195.155.5 c3316.z1305.winmx.com
    O1 - Hosts: 82.195.155.5 c3317.z1305.winmx.com
    O1 - Hosts: 82.195.155.5 c3318.z1305.winmx.com
    O1 - Hosts: 82.195.155.5 c3319.z1305.winmx.com
    O1 - Hosts: 205.238.40.1 c3310.z1306.winmx.com
    O1 - Hosts: 205.238.40.1 c3311.z1306.winmx.com
    O1 - Hosts: 205.238.40.1 c3312.z1306.winmx.com
    O1 - Hosts: 205.238.40.1 c3313.z1306.winmx.com
    O1 - Hosts: 205.238.40.1 c3314.z1306.winmx.com
    O1 - Hosts: 82.195.155.5 c3315.z1306.winmx.com
    O1 - Hosts: 82.195.155.5 c3316.z1306.winmx.com
    O1 - Hosts: 82.195.155.5 c3317.z1306.winmx.com
    O1 - Hosts: 82.195.155.5 c3318.z1306.winmx.com
    O1 - Hosts: 82.195.155.5 c3319.z1306.winmx.com
    O1 - Hosts: 205.238.40.1 c3520.z1301.winmx.com
    O1 - Hosts: 205.238.40.1 c3521.z1301.winmx.com
    O1 - Hosts: 205.238.40.1 c3522.z1301.winmx.com
    O1 - Hosts: 205.238.40.1 c3523.z1301.winmx.com
    O1 - Hosts: 205.238.40.1 c3524.z1301.winmx.com
    O1 - Hosts: 82.195.155.5 c3525.z1301.winmx.com
    O1 - Hosts: 82.195.155.5 c3526.z1301.winmx.com
    O1 - Hosts: 82.195.155.5 c3527.z1301.winmx.com
    O1 - Hosts: 82.195.155.5 c3528.z1301.winmx.com
    O1 - Hosts: 82.195.155.5 c3529.z1301.winmx.com
    O1 - Hosts: 205.238.40.1 c3520.z1302.winmx.com
    O1 - Hosts: 205.238.40.1 c3521.z1302.winmx.com
    O1 - Hosts: 205.238.40.1 c3522.z1302.winmx.com
    O1 - Hosts: 205.238.40.1 c3523.z1302.winmx.com
    O1 - Hosts: 205.238.40.1 c3524.z1302.winmx.com
    O1 - Hosts: 82.195.155.5 c3525.z1302.winmx.com
    O1 - Hosts: 82.195.155.5 c3526.z1302.winmx.com
    O1 - Hosts: 82.195.155.5 c3527.z1302.winmx.com
    O1 - Hosts: 82.195.155.5 c3528.z1302.winmx.com
    O1 - Hosts: 82.195.155.5 c3529.z1302.winmx.com
    O1 - Hosts: 205.238.40.1 c3520.z1303.winmx.com
    O1 - Hosts: 205.238.40.1 c3521.z1303.winmx.com
    O1 - Hosts: 205.238.40.1 c3522.z1303.winmx.com
    O1 - Hosts: 205.238.40.1 c3523.z1303.winmx.com
    O1 - Hosts: 205.238.40.1 c3524.z1303.winmx.com
    O1 - Hosts: 82.195.155.5 c3525.z1303.winmx.com
    O1 - Hosts: 82.195.155.5 c3526.z1303.winmx.com
    O1 - Hosts: 82.195.155.5 c3527.z1303.winmx.com
    O1 - Hosts: 82.195.155.5 c3528.z1303.winmx.com
    O1 - Hosts: 82.195.155.5 c3529.z1303.winmx.com
    O1 - Hosts: 205.238.40.1 c3520.z1304.winmx.com
    O1 - Hosts: 205.238.40.1 c3521.z1304.winmx.com
    O1 - Hosts: 205.238.40.1 c3522.z1304.winmx.com
    O1 - Hosts: 205.238.40.1 c3523.z1304.winmx.com
    O1 - Hosts: 205.238.40.1 c3524.z1304.winmx.com
    O1 - Hosts: 82.195.155.5 c3525.z1304.winmx.com
    O1 - Hosts: 82.195.155.5 c3526.z1304.winmx.com
    O1 - Hosts: 82.195.155.5 c3527.z1304.winmx.com
    O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll (file missing)
    O3 - Toolbar: Big Fish Games Toolbar - {4E7BD74F-2B8D-469E-86BD-FD60BB9AAE3A} - C:\PROGRA~1\BFGTOO~1\BFGTOO~1.DLL (file missing)
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
    O4 - HKLM\..\Run: [DellTouch] C:\WINDOWS\MMKeybd.exe
    O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    O4 - HKLM\..\Run: [WildTangent CDA] "C:\Program Files\WildTangent\Apps\CDA\GameDrvr.exe" /startup "C:\Program Files\WildTangent\Apps\CDA\cdaEngine0500.dll"
    O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [HDDHealth] C:\Program Files\HDD Health\hddhealth.exe -wl
    O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
    O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
    O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
    O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
    O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
    O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
    O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
    O16 - DPF: {05D44720-58E3-49E6-BDF6-D00330E511D3} (StagingUI Object) - http://zone.msn.com/binFrameWork/v10/StagingUI.cab40641.cab
    O16 - DPF: {072D3F2E-5FB6-11D3-B461-00C04FA35A21} (CFForm Runtime) - https://secure.mybroadline.com/CFIDE/classes/CFJava.cab
    O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
    O16 - DPF: {3BB54395-5982-4788-8AF4-B5388FFDD0D8} (ZoneBuddy Class) - http://zone.msn.com/BinFrameWork/v10/ZBuddy.cab32846.cab
    O16 - DPF: {3D19135C-6D38-44AD-80F0-D9318F48726D} (BwOutlook.OutlookIntegrator) - http://appserver.dca.broadvoice.com/commpilot/customcontrols/BwOutlook.CAB
    O16 - DPF: {3FE16C08-D6A7-4133-84FC-D5BFB4F7D886} (WebGameLoader Class) - http://zone.msn.com/bingame/rtlw/default/ReflexiveWebGameLoader.cab
    O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52...pple.com/borris/us/win/QuickTimeInstaller.exe
    O16 - DPF: {5736C456-EA94-4AAC-BB08-917ABDD035B3} (ZonePAChat Object) - http://zone.msn.com/binframework/v10/ZPAChat.cab32846.cab
    O16 - DPF: {64D01C7F-810D-446E-A07E-16C764235644} (AtlAtomadersCtlAttrib Class) - http://zone.msn.com/bingame/amad/default/atomaders.cab
    O16 - DPF: {72D59B9C-1E59-4958-803A-ABDEE2D4CFA6} - http://download.divx.com/player/DivXPlayerInstaller.exe
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
    O16 - DPF: {94B82441-A413-4E43-8422-D49930E69764} (TLIEFlashObj Class) - https://webchat.dell.com/Media/VisitorChat/TLIEFlash.CAB
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
    O16 - DPF: {9AA73F41-EC64-489E-9A73-9CD52E528BC4} (ZoneAxRcMgr Class) - http://zone.msn.com/binGame/ZAxRcMgr.cab
    O16 - DPF: {9B03C5F1-F5AB-47EE-937D-A8EDA626F876} (Anonymizer Anti-Spyware Scanner) - http://download.zonelabs.com/bin/promotions/spywaredetector/WebAAS.cab
    O16 - DPF: {AE1C01E3-0283-11D3-9B3F-00C04F8EF466} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
    O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
    O16 - DPF: {D54160C3-DB7B-4534-9B65-190EE4A9C7F7} (SproutLauncherCtrl Class) - http://zone.msn.com/bingame/feed/default/SproutLauncher.cab
    O16 - DPF: {DA2AA6CF-5C7A-4B71-BC3B-C771BB369937} (StadiumProxy Class) - http://zone.msn.com/binframework/v10/StProxy.cab35645.cab
    O16 - DPF: {DAF5D9A2-D982-4671-83E4-0398706A5F6A} (SCEWebLauncherCtl Object) - http://zone.msn.com/bingame/hsol/default/SCEWebLauncher.cab
    O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/bingame/zuma/default/popcaploader_v5.cab
    O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
    O16 - DPF: {F3F322B5-26EE-46EB-8D03-030ACA4D6167} (Aurigma Image Uploader 2.5) - http://www.mpix.com/Customer/ImageUploader2.ocx
    O16 - DPF: {FF3C5A9F-5A99-4930-80E8-4709194C2AD3} (ZPA_Backgammon Object) - http://zone.msn.com/bingame/zpagames/ZPA_Backgammon.cab40641.cab
     
  2. dvk01

    dvk01 Moderator Malware Specialist

    Joined:
    Dec 14, 2002
    Messages:
    56,223
    First Name:
    Derek
    First of all, that is an old version of HJT, so

    go to here and download 'Hijack This!' self installer. Save it to the desktop or other suitable place. DO NOT just press run from the website. Double click on the file and it will install to C:\program files\hijackthis and create an entry in the start menu and an optional shortcut on desktop.
    Click on the entry in start menu or on the desktop to run HijackThis.
    Click the "Scan" button; when the scan is finished the scan button will become "Save Log". Click that and save the log.
    Go to where you saved the log and click on "Edit > Select All", then click on "Edit > Copy", then paste the log back here in a reply.
    It will possibly show issues deserving our attention, but most of what it lists will be harmless or even required,
    so do NOT fix anything yet.
    Someone here will be happy to help you analyze the results.
     
  3. bshef

    bshef Thread Starter

    Joined:
    Nov 9, 2004
    Messages:
    62
    Thanks Derek.....
    I'll post when I get home tonight!
     
  4. bshef

    bshef Thread Starter

    Joined:
    Nov 9, 2004
    Messages:
    62
    Logfile of HijackThis v1.99.1
    Scan saved at 4:28:46 PM, on 1/4/2006
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\System32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Nhksrv.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    C:\Program Files\ewido anti-malware\ewidoctrl.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
    C:\WINDOWS\MMKeybd.exe
    C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    C:\Program Files\WildTangent\Apps\CDA\GameDrvr.exe
    C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\HDD Health\hddhealth.exe
    C:\Program Files\Netropa\Traymon.exe
    C:\Program Files\Netropa\OSD.exe
    C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\Hijackthis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://channels.aimtoday.com/search/aimtoolbar.jsp
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://story.news.yahoo.com/news?tmpl=index2&cid=964
    F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,TGBRFV_
    O1 - Hosts: 205.238.40.1 winmx.com
    O1 - Hosts: 205.238.40.1 www.winmx.com
    O1 - Hosts: 205.238.40.1 err.winmx.com
    O1 - Hosts: 205.238.40.1 c3310.z1301.winmx.com
    O1 - Hosts: 205.238.40.1 c3311.z1301.winmx.com
    O1 - Hosts: 205.238.40.1 c3312.z1301.winmx.com
    O1 - Hosts: 205.238.40.1 c3313.z1301.winmx.com
    O1 - Hosts: 205.238.40.1 c3314.z1301.winmx.com
    O1 - Hosts: 82.195.155.5 c3315.z1301.winmx.com
    O1 - Hosts: 82.195.155.5 c3316.z1301.winmx.com
    O1 - Hosts: 82.195.155.5 c3317.z1301.winmx.com
    O1 - Hosts: 82.195.155.5 c3318.z1301.winmx.com
    O1 - Hosts: 82.195.155.5 c3319.z1301.winmx.com
    O1 - Hosts: 205.238.40.1 c3310.z1302.winmx.com
    O1 - Hosts: 205.238.40.1 c3311.z1302.winmx.com
    O1 - Hosts: 205.238.40.1 c3312.z1302.winmx.com
    O1 - Hosts: 205.238.40.1 c3313.z1302.winmx.com
    O1 - Hosts: 205.238.40.1 c3314.z1302.winmx.com
    O1 - Hosts: 82.195.155.5 c3315.z1302.winmx.com
    O1 - Hosts: 82.195.155.5 c3316.z1302.winmx.com
    O1 - Hosts: 82.195.155.5 c3317.z1302.winmx.com
    O1 - Hosts: 82.195.155.5 c3318.z1302.winmx.com
    O1 - Hosts: 82.195.155.5 c3319.z1302.winmx.com
    O1 - Hosts: 205.238.40.1 c3310.z1303.winmx.com
    O1 - Hosts: 205.238.40.1 c3311.z1303.winmx.com
    O1 - Hosts: 205.238.40.1 c3312.z1303.winmx.com
    O1 - Hosts: 205.238.40.1 c3313.z1303.winmx.com
    O1 - Hosts: 205.238.40.1 c3314.z1303.winmx.com
    O1 - Hosts: 82.195.155.5 c3315.z1303.winmx.com
    O1 - Hosts: 82.195.155.5 c3316.z1303.winmx.com
    O1 - Hosts: 82.195.155.5 c3317.z1303.winmx.com
    O1 - Hosts: 82.195.155.5 c3318.z1303.winmx.com
    O1 - Hosts: 82.195.155.5 c3319.z1303.winmx.com
    O1 - Hosts: 205.238.40.1 c3310.z1304.winmx.com
    O1 - Hosts: 205.238.40.1 c3311.z1304.winmx.com
    O1 - Hosts: 205.238.40.1 c3312.z1304.winmx.com
    O1 - Hosts: 205.238.40.1 c3313.z1304.winmx.com
    O1 - Hosts: 205.238.40.1 c3314.z1304.winmx.com
    O1 - Hosts: 82.195.155.5 c3315.z1304.winmx.com
    O1 - Hosts: 82.195.155.5 c3316.z1304.winmx.com
    O1 - Hosts: 82.195.155.5 c3317.z1304.winmx.com
    O1 - Hosts: 82.195.155.5 c3318.z1304.winmx.com
    O1 - Hosts: 82.195.155.5 c3319.z1304.winmx.com
    O1 - Hosts: 205.238.40.1 c3310.z1305.winmx.com
    O1 - Hosts: 205.238.40.1 c3311.z1305.winmx.com
    O1 - Hosts: 205.238.40.1 c3312.z1305.winmx.com
    O1 - Hosts: 205.238.40.1 c3313.z1305.winmx.com
    O1 - Hosts: 205.238.40.1 c3314.z1305.winmx.com
    O1 - Hosts: 82.195.155.5 c3315.z1305.winmx.com
    O1 - Hosts: 82.195.155.5 c3316.z1305.winmx.com
    O1 - Hosts: 82.195.155.5 c3317.z1305.winmx.com
    O1 - Hosts: 82.195.155.5 c3318.z1305.winmx.com
    O1 - Hosts: 82.195.155.5 c3319.z1305.winmx.com
    O1 - Hosts: 205.238.40.1 c3310.z1306.winmx.com
    O1 - Hosts: 205.238.40.1 c3311.z1306.winmx.com
    O1 - Hosts: 205.238.40.1 c3312.z1306.winmx.com
    O1 - Hosts: 205.238.40.1 c3313.z1306.winmx.com
    O1 - Hosts: 205.238.40.1 c3314.z1306.winmx.com
    O1 - Hosts: 82.195.155.5 c3315.z1306.winmx.com
    O1 - Hosts: 82.195.155.5 c3316.z1306.winmx.com
    O1 - Hosts: 82.195.155.5 c3317.z1306.winmx.com
    O1 - Hosts: 82.195.155.5 c3318.z1306.winmx.com
    O1 - Hosts: 82.195.155.5 c3319.z1306.winmx.com
    O1 - Hosts: 205.238.40.1 c3520.z1301.winmx.com
    O1 - Hosts: 205.238.40.1 c3521.z1301.winmx.com
    O1 - Hosts: 205.238.40.1 c3522.z1301.winmx.com
    O1 - Hosts: 205.238.40.1 c3523.z1301.winmx.com
    O1 - Hosts: 205.238.40.1 c3524.z1301.winmx.com
    O1 - Hosts: 82.195.155.5 c3525.z1301.winmx.com
    O1 - Hosts: 82.195.155.5 c3526.z1301.winmx.com
    O1 - Hosts: 82.195.155.5 c3527.z1301.winmx.com
    O1 - Hosts: 82.195.155.5 c3528.z1301.winmx.com
    O1 - Hosts: 82.195.155.5 c3529.z1301.winmx.com
    O1 - Hosts: 205.238.40.1 c3520.z1302.winmx.com
    O1 - Hosts: 205.238.40.1 c3521.z1302.winmx.com
    O1 - Hosts: 205.238.40.1 c3522.z1302.winmx.com
    O1 - Hosts: 205.238.40.1 c3523.z1302.winmx.com
    O1 - Hosts: 205.238.40.1 c3524.z1302.winmx.com
    O1 - Hosts: 82.195.155.5 c3525.z1302.winmx.com
    O1 - Hosts: 82.195.155.5 c3526.z1302.winmx.com
    O1 - Hosts: 82.195.155.5 c3527.z1302.winmx.com
    O1 - Hosts: 82.195.155.5 c3528.z1302.winmx.com
    O1 - Hosts: 82.195.155.5 c3529.z1302.winmx.com
    O1 - Hosts: 205.238.40.1 c3520.z1303.winmx.com
    O1 - Hosts: 205.238.40.1 c3521.z1303.winmx.com
    O1 - Hosts: 205.238.40.1 c3522.z1303.winmx.com
    O1 - Hosts: 205.238.40.1 c3523.z1303.winmx.com
    O1 - Hosts: 205.238.40.1 c3524.z1303.winmx.com
    O1 - Hosts: 82.195.155.5 c3525.z1303.winmx.com
    O1 - Hosts: 82.195.155.5 c3526.z1303.winmx.com
    O1 - Hosts: 82.195.155.5 c3527.z1303.winmx.com
    O1 - Hosts: 82.195.155.5 c3528.z1303.winmx.com
    O1 - Hosts: 82.195.155.5 c3529.z1303.winmx.com
    O1 - Hosts: 205.238.40.1 c3520.z1304.winmx.com
    O1 - Hosts: 205.238.40.1 c3521.z1304.winmx.com
    O1 - Hosts: 205.238.40.1 c3522.z1304.winmx.com
    O1 - Hosts: 205.238.40.1 c3523.z1304.winmx.com
    O1 - Hosts: 205.238.40.1 c3524.z1304.winmx.com
    O1 - Hosts: 82.195.155.5 c3525.z1304.winmx.com
    O1 - Hosts: 82.195.155.5 c3526.z1304.winmx.com
    O1 - Hosts: 82.195.155.5 c3527.z1304.winmx.com
    O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll (file missing)
    O3 - Toolbar: Big Fish Games Toolbar - {4E7BD74F-2B8D-469E-86BD-FD60BB9AAE3A} - C:\PROGRA~1\BFGTOO~1\BFGTOO~1.DLL (file missing)
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
    O4 - HKLM\..\Run: [DellTouch] C:\WINDOWS\MMKeybd.exe
    O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    O4 - HKLM\..\Run: [WildTangent CDA] "C:\Program Files\WildTangent\Apps\CDA\GameDrvr.exe" /startup "C:\Program Files\WildTangent\Apps\CDA\cdaEngine0500.dll"
    O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [HDDHealth] C:\Program Files\HDD Health\hddhealth.exe -wl
    O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
    O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
    O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
    O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
    O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
    O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
    O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
    O16 - DPF: {05D44720-58E3-49E6-BDF6-D00330E511D3} (StagingUI Object) - http://zone.msn.com/binFrameWork/v10/StagingUI.cab40641.cab
    O16 - DPF: {072D3F2E-5FB6-11D3-B461-00C04FA35A21} (CFForm Runtime) - https://secure.mybroadline.com/CFIDE/classes/CFJava.cab
    O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
    O16 - DPF: {3BB54395-5982-4788-8AF4-B5388FFDD0D8} (ZoneBuddy Class) - http://zone.msn.com/BinFrameWork/v10/ZBuddy.cab32846.cab
    O16 - DPF: {3D19135C-6D38-44AD-80F0-D9318F48726D} (BwOutlook.OutlookIntegrator) - http://appserver.dca.broadvoice.com/commpilot/customcontrols/BwOutlook.CAB
    O16 - DPF: {3FE16C08-D6A7-4133-84FC-D5BFB4F7D886} (WebGameLoader Class) - http://zone.msn.com/bingame/rtlw/default/ReflexiveWebGameLoader.cab
    O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52...pple.com/borris/us/win/QuickTimeInstaller.exe
    O16 - DPF: {5736C456-EA94-4AAC-BB08-917ABDD035B3} (ZonePAChat Object) - http://zone.msn.com/binframework/v10/ZPAChat.cab32846.cab
    O16 - DPF: {64D01C7F-810D-446E-A07E-16C764235644} (AtlAtomadersCtlAttrib Class) - http://zone.msn.com/bingame/amad/default/atomaders.cab
    O16 - DPF: {72D59B9C-1E59-4958-803A-ABDEE2D4CFA6} - http://download.divx.com/player/DivXPlayerInstaller.exe
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
    O16 - DPF: {94B82441-A413-4E43-8422-D49930E69764} (TLIEFlashObj Class) - https://webchat.dell.com/Media/VisitorChat/TLIEFlash.CAB
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
    O16 - DPF: {9AA73F41-EC64-489E-9A73-9CD52E528BC4} (ZoneAxRcMgr Class) - http://zone.msn.com/binGame/ZAxRcMgr.cab
    O16 - DPF: {9B03C5F1-F5AB-47EE-937D-A8EDA626F876} (Anonymizer Anti-Spyware Scanner) - http://download.zonelabs.com/bin/promotions/spywaredetector/WebAAS.cab
    O16 - DPF: {AE1C01E3-0283-11D3-9B3F-00C04F8EF466} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
    O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
    O16 - DPF: {D54160C3-DB7B-4534-9B65-190EE4A9C7F7} (SproutLauncherCtrl Class) - http://zone.msn.com/bingame/feed/default/SproutLauncher.cab
    O16 - DPF: {DA2AA6CF-5C7A-4B71-BC3B-C771BB369937} (StadiumProxy Class) - http://zone.msn.com/binframework/v10/StProxy.cab35645.cab
    O16 - DPF: {DAF5D9A2-D982-4671-83E4-0398706A5F6A} (SCEWebLauncherCtl Object) - http://zone.msn.com/bingame/hsol/default/SCEWebLauncher.cab
    O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/bingame/zuma/default/popcaploader_v5.cab
    O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
    O16 - DPF: {F3F322B5-26EE-46EB-8D03-030ACA4D6167} (Aurigma Image Uploader 2.5) - http://www.mpix.com/Customer/ImageUploader2.ocx
    O16 - DPF: {FF3C5A9F-5A99-4930-80E8-4709194C2AD3} (ZPA_Backgammon Object) - http://zone.msn.com/bingame/zpagames/ZPA_Backgammon.cab40641.cab
    O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
    O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\SYSTEM32\ati2sgag.exe
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Netropa NHK Server (Nhksrv) - Unknown owner - C:\WINDOWS\Nhksrv.exe
    O23 - Service: Windows User Mode Driver Framework (UMWdf) - Unknown owner - C:\WINDOWS\System32\wdfmgr.exe (file missing)
    O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
    O23 - Service: Iomega Active Disk (_IOMEGA_ACTIVE_DISK_SERVICE_) - Iomega Corporation - C:\Program Files\Iomega\AutoDisk\ADService.exe
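An added triage script for logs like the two posted above (example code, not part of this thread and not from HijackThis itself): it parses the R/F/O entry lines, groups the O1 hosts-file overrides by target address, flags a UserInit value that carries anything beyond userinit.exe, flags O3/O23 entries marked "(file missing)", and flags O16 Downloaded Program Files entries that fetch an .exe rather than a .cab. The sample lines are copied from the second log; the heuristics are generic review prompts, not verdicts.

```python
"""Triage helper for HijackThis-style logs.

Added example: parses the R/F/O line types seen in the logs posted in this
thread and flags the entries a reviewer looks at first. The heuristics are
generic (hosts-file overrides, a non-standard UserInit value, entries whose
file is missing, Downloaded Program Files entries that fetch an .exe); they
point at what to review, they do not decide that anything is malicious.
"""
import re
from collections import defaultdict

# Constructed sample: a handful of lines copied from the second log in the thread.
SAMPLE_LOG = [
    r"Logfile of HijackThis v1.99.1",
    r"R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com",
    r"F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,TGBRFV_",
    r"O1 - Hosts: 205.238.40.1 winmx.com",
    r"O1 - Hosts: 205.238.40.1 www.winmx.com",
    r"O1 - Hosts: 82.195.155.5 c3315.z1301.winmx.com",
    r"O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll (file missing)",
    r"O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP",
    r"O16 - DPF: {72D59B9C-1E59-4958-803A-ABDEE2D4CFA6} - http://download.divx.com/player/DivXPlayerInstaller.exe",
    r"O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab",
    r"O23 - Service: Windows User Mode Driver Framework (UMWdf) - Unknown owner - C:\WINDOWS\System32\wdfmgr.exe (file missing)",
]

ENTRY_RE = re.compile(r"^(?P<type>[RFO]\d+) - (?P<body>.+)$")
HOSTS_RE = re.compile(r"^Hosts: (?P<ip>\S+) (?P<host>\S+)$")
USERINIT_RE = re.compile(r"^REG:system\.ini: UserInit=(?P<value>.*)$", re.IGNORECASE)
URL_RE = re.compile(r"(?P<url>https?://\S+)$")


def parse_log(lines):
    """Return (type, body) pairs for every HJT entry line; header lines are skipped."""
    entries = []
    for line in lines:
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group("type"), m.group("body")))
    return entries


def triage(lines):
    """Return a list of (type, message) findings worth a reviewer's attention."""
    findings = []
    hosts_by_ip = defaultdict(list)
    for etype, body in parse_log(lines):
        if etype == "O1":
            m = HOSTS_RE.match(body)
            if m:
                hosts_by_ip[m.group("ip")].append(m.group("host"))
        elif etype == "F2":
            m = USERINIT_RE.match(body)
            if m:
                # Stock Windows XP value is "userinit.exe," (one program, trailing comma);
                # anything after the comma is an additional program run at logon.
                parts = [p for p in m.group("value").split(",") if p]
                extra = parts[1:]
                first_ok = bool(parts) and parts[0].lower().endswith("userinit.exe")
                if extra or not first_ok:
                    msg = "non-standard UserInit value: " + m.group("value")
                    if extra:
                        msg += " (extra: " + ", ".join(extra) + ")"
                    findings.append((etype, msg))
        elif etype in ("O3", "O23") and body.endswith("(file missing)"):
            # A registry entry whose target is gone: a leftover, or something already removed.
            findings.append((etype, "entry points at a missing file: " + body))
        elif etype == "O16":
            m = URL_RE.search(body)
            if m and m.group("url").lower().endswith(".exe"):
                findings.append((etype, "Downloaded Program Files entry fetches an executable: " + m.group("url")))
    # Summarise hosts overrides per target address; many names mapped to one
    # address is what a hosts-file hijack (and some deliberate workarounds) looks like.
    for ip, hosts in hosts_by_ip.items():
        shown = ", ".join(hosts[:3]) + (", ..." if len(hosts) > 3 else "")
        findings.append(("O1", f"{len(hosts)} hosts-file override(s) to {ip}: {shown}"))
    return findings


if __name__ == "__main__":
    for etype, msg in triage(SAMPLE_LOG):
        print(f"[{etype}] {msg}")
```

Feed it a full log (one line per list element) and read the O1 summary alongside the user's explanation of what they installed; the WinMX entries here are the kind of thing a reviewer asks about rather than removes on sight.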
     
  5. dvk01

    dvk01 Moderator Malware Specialist

    Joined:
    Dec 14, 2002
    Messages:
    56,223
    First Name:
    Derek
    Can you tell us what is wrong or what problems you are having,

    because apart from WinMX I can't see anything obvious in the log.
     
  6. bshef

    bshef Thread Starter

    Joined:
    Nov 9, 2004
    Messages:
    62
    Thanks for the reply.....
    The problem started with the SpyAxe dealio.......but then......I found another post here dealing with the same SpyAxe problem. I followed the suggested procedure from that post.......then.......I posted my hijack log.......to which you suggested I do another log with the updated version of hijack.

    So, I guess you are saying there is no longer any evidence of any malware, trojan, or bad stuff?
     
  7. dvk01

    dvk01 Moderator Malware Specialist

    Joined:
    Dec 14, 2002
    Messages:
    56,223
    First Name:
    Derek
    I can see no signs of it now, so if you have done the fixes, that should have fixed it.

    Have you still got any problems, or does the computer work properly?
     
  8. bshef

    bshef Thread Starter

    Joined:
    Nov 9, 2004
    Messages:
    62
    Appears to be working fine now.......
    Thanks Derek....
     
  9. dvk01

    dvk01 Moderator Malware Specialist

    Joined:
    Dec 14, 2002
    Messages:
    56,223
    First Name:
    Derek
    Turn off System Restore by following the instructions here:
    http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001111912274039
    That will purge the restore folder and clear any malware that has been put in there. Then reboot, re-enable System Restore and create a new restore point.

    Go here http://forums.techguy.org/t208517/s.html for info on how to tighten your security settings and how to help prevent future attacks.

    And pay an urgent visit to Windows Update and make sure you are fully updated, and get the bunch of new updates that are alleged to plug the security holes that let these pests on in the first place.
     


Short URL to this thread: https://techguy.org/430911
