# Solved: Please help with unknown virus (blue wallpaper stating "SPYWARE INFECTION..."



## syd999

My wallpaper is blue with a black rectangle in the center with the message "SPYWARE INFECTION Your system is infected with spyware. Windows recomments you to use a spyware removal tool" etc. My taskbar tray has a red "X" on it that pops up with "Your computer is infected" etc. I have some new processes running that I've never seen before (most notably paytime.exe). Below is my HijackThis log. Any help would be IMMENSELY appreciated. Many thanks in advance.

Logfile of HijackThis v1.99.1
Scan saved at 6:54:51 PM, on 12/11/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\paytime.exe
C:\WINDOWS\system32\igps.exe
C:\Program Files\Messenger\msmsgs.exe
C:\winstall.exe
C:\WINDOWS\system32\paytime.exe
C:\WINDOWS\system32\pgws.exe
C:\PROGRA~1\COMMON~1\uimz\uimzm.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\PROGRA~1\COMMON~1\uimz\uimza.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\HijackThis!\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = c:\secure32.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = c:\secure32.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = c:\secure32.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = c:\secure32.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = c:\secure32.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = c:\secure32.html
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: LinkTracker Class - {8B6DA27E-7F64-4694-8F8F-DC87AB8C6B22} - C:\Program Files\QL\qlink32.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [HP SchedIndexer] C:\Program Files\Hewlett-Packard\LaserJet 33xx\hppschedindexer.exe
O4 - HKLM\..\Run: [HP AutoIndexer] C:\Program Files\Hewlett-Packard\LaserJet 33xx\hppautoindexer.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [PayTime] C:\WINDOWS\system32\paytime.exe
O4 - HKLM\..\Run: [lspins] "C:\WINDOWS\system32\igps.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Windows installer] C:\winstall.exe
O4 - HKCU\..\Run: [PayTime] C:\WINDOWS\system32\paytime.exe
O4 - HKCU\..\Run: [uimz] C:\PROGRA~1\COMMON~1\uimz\uimzm.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1125904347363
O18 - Filter: text/html - {3551784B-E99A-474f-B782-3EC814442918} - C:\Program Files\QL\qlink32.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe


----------



## brendandonhu

Run *HijackThis* and click *Do a system scan only*
Put a checkmark next to each of the following entries and click *Fix Checked*:
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = c:\secure32.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = c:\secure32.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = c:\secure32.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = c:\secure32.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = c:\secure32.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = c:\secure32.html
O4 - HKLM\..\Run: [PayTime] C:\WINDOWS\system32\paytime.exe
O4 - HKLM\..\Run: [lspins] "C:\WINDOWS\system32\igps.exe"
O4 - HKCU\..\Run: [Windows installer] C:\winstall.exe
O4 - HKCU\..\Run: [PayTime] C:\WINDOWS\system32\paytime.exe
O4 - HKCU\..\Run: [uimz] C:\PROGRA~1\COMMON~1\uimz\uimzm.exe

Please save or print these instructions before beginning

Go to *Start*>>*Control Panel*>>*Add or Remove Programs*
Uninstall *SpyAxe* if it appears in the list
Uninstall *Quick Links* if it appears in the list
Delete the folder *C:\Program Files\SpyAxe\* if it exists

Save *smitRem* to your *Desktop* and run *smitRem.exe*

Download and install *Ewido Security Suite*
During the installation, uncheck the following under *Additional Options*:
Install background guard
Install scan via context menu

Run *Ewido* and click *OK* when prompted to update the program
On the left side of the screen, click *update*>>*Start*
When the update is finished, exit *Ewido*

Start your computer in *Safe Mode*

Open the *smitRem* folder and run *RunThis.bat*. Follow the onscreen prompts

Run *Ewido Security Suite*
Click *scanner*>>*Complete System Scan*
Click *OK* when prompted to clean the problems found
When the scan is finished, click *Save Report* and save a copy of this log to your *Desktop*
Exit *Ewido*

Go to *Start*>>*Control Panel*>>*Internet Options*>>*Programs*
Click *Reset Web Settings*>>*Apply*>>*OK*

Go to *Start*>>*Control Panel*>>*Display*>>*Desktop*
Click *Customize Desktop*>>*Web*
If you see an entry called *Security info* or something similar, select it and click *Delete*>>*OK*>>*Apply*>>*OK*

Locate and delete any of the following files that appear on your computer:
C:\secure32.html
C:\WINDOWS\system32\paytime.exe
C:\WINDOWS\system32\igps.exe
C:\winstall.exe

Locate and delete any of the following folders that appear on your computer:

C:\PROGRA~1\COMMON~1\uimz\

Restart your computer

Run *Kaspersky Online Scanner* and post the results here

Post the contents of *smitfiles.txt* from the *smitRem* folder

Post the contents of the *Ewido Security Suite* report that you saved to your *Desktop* earlier

Run *HijackThis* and click *Do a system scan and save a log file*
Your *HijackThis* log will open in *Notepad*. Post the contents of the log here

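As an added illustration of what the helper above is doing by eye (my own code, not HijackThis's and not brendandonhu's): a small Python script that parses the R0/R1 and O4 lines of a HijackThis 1.99.1 log and flags the three patterns visible in the first log of this thread, namely Internet Explorer pages redirected to a local HTML file, a Run entry that launches a binary from the drive root, and the same binary registered under both HKLM and HKCU Run. The sample lines are condensed from that log; the severity labels and the 8.3-path hint are my assumptions, not anything HijackThis itself reports.

```python
"""Triage helper for HijackThis 1.99.1 logs (added example, heuristics only).

Parses the R0/R1 (IE page) and O4 (Run key) records and flags the hijack
pattern seen in this thread. A hit is a lead for a human, not a verdict.
"""
import re
from collections import defaultdict

# Constructed sample: condensed from the first HijackThis log posted in the thread.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = c:\secure32.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = c:\secure32.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = c:\secure32.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = c:\secure32.html
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [PayTime] C:\WINDOWS\system32\paytime.exe
O4 - HKLM\..\Run: [lspins] "C:\WINDOWS\system32\igps.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Windows installer] C:\winstall.exe
O4 - HKCU\..\Run: [PayTime] C:\WINDOWS\system32\paytime.exe
O4 - HKCU\..\Run: [uimz] C:\PROGRA~1\COMMON~1\uimz\uimzm.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
"""

# R0/R1 record: "<hive>\...\Main,<value name> = <data>"
R_LINE = re.compile(r"^R[01] - (?P<key>[^,]+),(?P<value>[^=]+?) = (?P<data>.*)$")
# O4 record from the Run keys: "O4 - HKLM\..\Run: [<value name>] <command line>"
O4_LINE = re.compile(
    r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\(?P<key>[^:]+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$"
)
# First drive-letter path ending in .exe inside a command line (quoted or not)
EXE_PATH = re.compile(r'"?(?P<path>[A-Za-z]:\\.*?\.exe)', re.IGNORECASE)
# IE page data that is a file on disk rather than a URL
LOCAL_FILE = re.compile(r"^[A-Za-z]:\\")


def parse_entries(log_text):
    """Split a HijackThis log into IE-page records and Run-key records."""
    pages, runs = [], []
    for line in log_text.splitlines():
        line = line.strip()
        m = R_LINE.match(line)
        if m:
            pages.append({"line": line, **m.groupdict()})
            continue
        m = O4_LINE.match(line)
        if m:
            exe = EXE_PATH.search(m.group("cmd"))
            runs.append({"line": line, **m.groupdict(),
                         "path": exe.group("path") if exe else None})
    return pages, runs


def triage(log_text):
    """Return (severity, reason, evidence) tuples for the patterns this script knows."""
    pages, runs = parse_entries(log_text)
    findings = []

    # 1. Start/Default/Local page pointing at a local file: the web-wallpaper hijack.
    for p in pages:
        if LOCAL_FILE.match(p["data"]):
            findings.append(("high", f'IE {p["value"]} points to local file {p["data"]}', p["line"]))

    hives_by_path = defaultdict(set)
    for r in runs:
        path = r["path"]
        if not path:
            continue
        hives_by_path[path.lower()].add(r["hive"])
        # 2. Executable sitting directly in the drive root (e.g. C:\winstall.exe).
        if path.count("\\") == 1:
            findings.append(("high", f"Run entry [{r['name']}] launches from drive root: {path}", r["line"]))
        # 3. 8.3-mangled path (PROGRA~1\COMMON~1): weak signal, legitimate software does this too.
        if "~" in path:
            findings.append(("low", f"Run entry [{r['name']}] uses an 8.3 path: {path}", r["line"]))

    # 4. Same binary registered under both HKLM and HKCU Run (PayTime in the sample).
    for path, hives in hives_by_path.items():
        if hives >= {"HKLM", "HKCU"}:
            findings.append(("medium", f"{path} registered in both HKLM and HKCU Run", path))
    return findings


if __name__ == "__main__":
    for severity, reason, _evidence in triage(SAMPLE_LOG):
        print(f"[{severity:6}] {reason}")
```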

----------



## syd999

U da man--the system is working fine now. Here's the smitfiles.txt log, the ewido log, and the hijackthis log. Instead of finding a SpyAxe directory in Program Files, I found a new directory I never created called SpySheriff, so I deleted that. Thanks again bro!

smitRem © log file
version 2.8

by noahdfear

Microsoft Windows XP [Version 5.1.2600]
The current date is: 12/11/2005 
The current time is: 19:52:09.52

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

checking for ShudderLTD key

ShudderLTD key not present!

checking for PSGuard.com key

PSGuard.com key not present!

spyaxe uninstaller NOT present
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Existing Pre-run Files

~~~ Program Files ~~~

~~~ Shortcuts ~~~

Install.dat

~~~ Favorites ~~~

~~~ system32 folder ~~~

~~~ Icons in System32 ~~~

~~~ Windows directory ~~~

desktop.html

~~~ Drive root ~~~

winstall.exe

~~~ Miscellaneous Files/folders ~~~

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright(C) 2002-2003 [email protected]
Killing PID 772 'explorer.exe'
Killing PID 772 'explorer.exe'

Starting registry repairs

Deleting files

Remaining Post-run Files

~~~ Program Files ~~~

~~~ Shortcuts ~~~

~~~ Favorites ~~~

~~~ system32 folder ~~~

~~~ Icons in System32 ~~~

~~~ Windows directory ~~~

desktop.html

~~~ Drive root ~~~

winstall.exe

~~~ Miscellaneous Files/folders ~~~

winstall.exe

~~~ Wininet.dll ~~~

wininet.dll is missing!!

---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 9:47:22 PM, 12/11/2005
+ Report-Checksum: E2547EDE

+ Scan result:

HKU\S-1-5-21-725345543-1606980848-1957994488-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{7C559105-9ECF-42B8-B3F7-832E75EDD959} -> Spyware.ISTBar : Cleaned with backup
C:\drsmartload1.exe -> Downloader.VB.ri : Cleaned with backup
C:\inrh9400.exe -> Downloader.Small.bke : Cleaned with backup
C:\MTE3NDI6ODoxNg.exe -> Downloader.Small.buy : Cleaned with backup
C:\Program Files\Common Files\uimz\uimza.exe -> Downloader.TSUpdate.l : Cleaned with backup
C:\Program Files\Common Files\uimz\uimzd\uimzc.dll -> Downloader.Small : Cleaned with backup
C:\Program Files\Common Files\uimz\uimzl.exe -> Downloader.TSUpdate.p : Cleaned with backup
C:\Program Files\Common Files\uimz\uimzm.exe -> Downloader.TSUpdate.n : Cleaned with backup
C:\Program Files\Common Files\uimz\uimzp.exe -> Downloader.TSUpdate.f : Cleaned with backup
C:\Program Files\QL\uninstall.exe -> Adware.Suggestor : Cleaned with backup
C:\Program Files\Winamp\winamp.exe -> Worm.Bagle.o : Cleaned with backup
C:\stub_113_4_0_4_0.exe -> Downloader.TSUpdate.o : Cleaned with backup
C:\WINDOWS\country.exe -> Trojan.Small : Cleaned with backup
C:\WINDOWS\desktop.html -> Hijacker.Generic : Cleaned with backup
C:\WINDOWS\hosts -> Trojan.Qhost.el : Cleaned with backup
C:\WINDOWS\kl.exe -> Logger.Small.dg : Cleaned with backup
C:\WINDOWS\system32\paytime.exe -> Hijacker.StartPage.agi : Cleaned with backup
C:\WINDOWS\tool1.exe -> Trojan.Small : Cleaned with backup
C:\WINDOWS\tool2.exe -> Trojan.Small : Cleaned with backup
C:\WINDOWS\tool3.exe -> Downloader.Small.bwr : Cleaned with backup
C:\WINDOWS\tool4.exe -> Trojan.Small : Cleaned with backup
C:\WINDOWS\tool5.exe -> Trojan.Small : Cleaned with backup
C:\WINDOWS\toolbar.exe -> Downloader.VB.qr : Cleaned with backup
C:\winstall.exe -> Trojan.Small : Cleaned with backup

::Report End

Logfile of HijackThis v1.99.1
Scan saved at 10:08:25 PM, on 12/11/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
C:\Program Files\EwidoSecuritySuite\ewidoctrl.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Winamp\winamp.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Microsoft Office\Office10\WINWORD.EXE
C:\Program Files\HijackThis!\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [HP SchedIndexer] C:\Program Files\Hewlett-Packard\LaserJet 33xx\hppschedindexer.exe
O4 - HKLM\..\Run: [HP AutoIndexer] C:\Program Files\Hewlett-Packard\LaserJet 33xx\hppautoindexer.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1125904347363
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\EwidoSecuritySuite\ewidoctrl.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe


----------



## brendandonhu

Looks good, you can mark this Solved under Thread Tools :up:


----------



## Keyser520

I had a similar problem. I think I fixed it, but I couldn't do all the tests. I just have the ewido and HijackThis logs. Please tell me if it's fixed.

---------------------------------------------------------
ewido anti-malware - Scan report
---------------------------------------------------------

+ Created on: 1:40:38 AM, 12/24/2005
+ Report-Checksum: C8FD742A

+ Scan result:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Internet Update\{357A87ED-3E5D-437d-B334-DEB7EB4982A3} -> Trojan.Agent.eo : Cleaned with backup
:mozilla.10:C:\Documents and Settings\BSpellman\Application Data\Mozilla\Firefox\Profiles\1edwiwke.default\cookies.txt -> Spyware.Cookie.Tribalfusion : Cleaned with backup
:mozilla.11:C:\Documents and Settings\BSpellman\Application Data\Mozilla\Firefox\Profiles\1edwiwke.default\cookies.txt -> Spyware.Cookie.Atdmt : Cleaned with backup
:mozilla.12:C:\Documents and Settings\BSpellman\Application Data\Mozilla\Firefox\Profiles\1edwiwke.default\cookies.txt -> Spyware.Cookie.Specificclick : Cleaned with backup
:mozilla.13:C:\Documents and Settings\BSpellman\Application Data\Mozilla\Firefox\Profiles\1edwiwke.default\cookies.txt -> Spyware.Cookie.Specificclick : Cleaned with backup
:mozilla.14:C:\Documents and Settings\BSpellman\Application Data\Mozilla\Firefox\Profiles\1edwiwke.default\cookies.txt -> Spyware.Cookie.Specificclick : Cleaned with backup
:mozilla.15:C:\Documents and Settings\BSpellman\Application Data\Mozilla\Firefox\Profiles\1edwiwke.default\cookies.txt -> Spyware.Cookie.Specificclick : Cleaned with backup
:mozilla.26:C:\Documents and Settings\BSpellman\Application Data\Mozilla\Firefox\Profiles\1edwiwke.default\cookies.txt -> Spyware.Cookie.Doubleclick : Cleaned with backup
:mozilla.38:C:\Documents and Settings\BSpellman\Application Data\Mozilla\Firefox\Profiles\1edwiwke.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.39:C:\Documents and Settings\BSpellman\Application Data\Mozilla\Firefox\Profiles\1edwiwke.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.41:C:\Documents and Settings\BSpellman\Application Data\Mozilla\Firefox\Profiles\1edwiwke.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.45:C:\Documents and Settings\BSpellman\Application Data\Mozilla\Firefox\Profiles\1edwiwke.default\cookies.txt -> Spyware.Cookie.Ru4 : Cleaned with backup
:mozilla.46:C:\Documents and Settings\BSpellman\Application Data\Mozilla\Firefox\Profiles\1edwiwke.default\cookies.txt -> Spyware.Cookie.Ru4 : Cleaned with backup
:mozilla.48:C:\Documents and Settings\BSpellman\Application Data\Mozilla\Firefox\Profiles\1edwiwke.default\cookies.txt -> Spyware.Cookie.Casalemedia : Cleaned with backup
:mozilla.49:C:\Documents and Settings\BSpellman\Application Data\Mozilla\Firefox\Profiles\1edwiwke.default\cookies.txt -> Spyware.Cookie.Casalemedia : Cleaned with backup
C:\Documents and Settings\BSpellman\Cookies\[email protected][1].txt -> Spyware.Cookie.2o7 : Cleaned with backup
C:\Documents and Settings\BSpellman\Cookies\[email protected][2].txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
C:\Documents and Settings\BSpellman\Cookies\[email protected][1].txt -> Spyware.Cookie.Specificclick : Cleaned with backup
C:\Documents and Settings\BSpellman\Cookies\[email protected][2].txt -> Spyware.Cookie.Pointroll : Cleaned with backup
C:\Documents and Settings\BSpellman\Cookies\[email protected][1].txt -> Spyware.Cookie.Advertising : Cleaned with backup
C:\Documents and Settings\BSpellman\Cookies\[email protected][1].txt -> Spyware.Cookie.Atdmt : Cleaned with backup
C:\Documents and Settings\BSpellman\Cookies\[email protected][1].txt -> Spyware.Cookie.Bluestreak : Cleaned with backup
C:\Documents and Settings\BSpellman\Cookies\[email protected][2].txt -> Spyware.Cookie.Burstnet : Cleaned with backup
C:\Documents and Settings\BSpellman\Cookies\[email protected][1].txt -> Spyware.Cookie.Casalemedia : Cleaned with backup
C:\Documents and Settings\BSpellman\Cookies\[email protected][1].txt -> Spyware.Cookie.Centrport : Cleaned with backup
C:\Documents and Settings\BSpellman\Cookies\[email protected][2].txt -> Spyware.Cookie.Bridgetrack : Cleaned with backup
C:\Documents and Settings\BSpellman\Cookies\[email protected][1].txt -> Spyware.Cookie.Doubleclick : Cleaned with backup
C:\Documents and Settings\BSpellman\Cookies\[email protected][1].txt -> Spyware.Cookie.Ru4 : Cleaned with backup
C:\Documents and Settings\BSpellman\Cookies\[email protected][1].txt -> Spyware.Cookie.Hitbox : Cleaned with backup
C:\Documents and Settings\BSpellman\Cookies\[email protected][1].txt -> Spyware.Cookie.Hitbox : Cleaned with backup
C:\Documents and Settings\BSpellman\Cookies\[email protected][2].txt -> Spyware.Cookie.Fastclick : Cleaned with backup
C:\Documents and Settings\BSpellman\Cookies\[email protected][1].txt -> Spyware.Cookie.Hitbox : Cleaned with backup
C:\Documents and Settings\BSpellman\Cookies\[email protected][1].txt -> Spyware.Cookie.Mediaplex : Cleaned with backup
C:\Documents and Settings\BSpellman\Cookies\[email protected][1].txt -> Spyware.Cookie.Questionmarket : Cleaned with backup
C:\Documents and Settings\BSpellman\Cookies\[email protected][2].txt -> Spyware.Cookie.Liveperson : Cleaned with backup
C:\Documents and Settings\BSpellman\Cookies\[email protected][2].txt -> Spyware.Cookie.Serving-sys : Cleaned with backup
C:\Documents and Settings\BSpellman\Cookies\[email protected][1].txt -> Spyware.Cookie.Statcounter : Cleaned with backup
C:\Documents and Settings\BSpellman\Cookies\[email protected][2].txt -> Spyware.Cookie.Webtrendslive : Cleaned with backup
C:\Documents and Settings\BSpellman\Cookies\[email protected][1].txt -> Spyware.Cookie.Tradedoubler : Cleaned with backup
C:\Documents and Settings\BSpellman\Cookies\[email protected][2].txt -> Spyware.Cookie.Trafficmp : Cleaned with backup
C:\Documents and Settings\BSpellman\Cookies\bsp[email protected][1].txt -> Spyware.Cookie.Tribalfusion : Cleaned with backup
C:\Documents and Settings\BSpellman\Cookies\[email protected][2].txt -> Spyware.Cookie.Valuead : Cleaned with backup
C:\Documents and Settings\BSpellman\Cookies\[email protected][2].txt -> Spyware.Cookie.Valueclick : Cleaned with backup
C:\Documents and Settings\BSpellman\Cookies\[email protected][1].txt -> Spyware.Cookie.Burstbeacon : Cleaned with backup
C:\Documents and Settings\BSpellman\Cookies\[email protected][1].txt -> Spyware.Cookie.Adserver : Cleaned with backup
C:\Documents and Settings\BSpellman\Local Settings\Temp\fkajopmd.exe -> Trojan.Dialer.ay : Cleaned with backup
C:\Documents and Settings\BSpellman\Local Settings\Temp\hnonnjgc.exe -> Trojan.Dialer.ay : Cleaned with backup
C:\Documents and Settings\BSpellman\Local Settings\Temp\jlphppmd.exe -> Trojan.Dialer.ay : Cleaned with backup
C:\Documents and Settings\BSpellman\Local Settings\Temp\naifjpmd.exe -> Trojan.Dialer.ay : Cleaned with backup
C:\Documents and Settings\BSpellman\Local Settings\Temporary Internet Files\Content.IE5\U5HL8GPT\mm[2].js -> Spyware.Chitika : Cleaned with backup
C:\RECYCLER\S-1-5-21-1001587576-593839091-677931608-6569\Dc2\CWrapper.dll -> Adware.PSGuard : Cleaned with backup
C:\RECYCLER\S-1-5-21-1001587576-593839091-677931608-6569\Dc2\WinHound.exe -> Adware.PSGuard : Cleaned with backup

::Report End

HIJACK THIS

Logfile of HijackThis v1.99.1
Scan saved at 2:06:53 AM, on 12/24/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\System32\tlntsvr.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe
C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Microsoft AntiSpyware\GIANTAntiSpywareMain.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\BSpellman\Local Settings\Temporary Internet Files\Content.IE5\K5AZGTIZ\HijackThis[1].exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.axiomsys.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = Http://Www.AxiomSys.Com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Axiom Systems (Www.AxiomSys.Com)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [eabconfg.cpl] C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe /Start
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [WatchDog] C:\Program Files\InterVideo\DVD Check\DVDCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Global Startup: DVD Check.lnk = C:\Program Files\InterVideo\DVD Check\DVDCheck.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: UltimateBet - {94148DB5-B42D-4915-95DA-2CBB4F7095BF} - C:\Program Files\UltimateBet\UltimateBet.exe
O9 - Extra 'Tools' menuitem: UltimateBet - {94148DB5-B42D-4915-95DA-2CBB4F7095BF} - C:\Program Files\UltimateBet\UltimateBet.exe
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe
O9 - Extra button: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=Http://Www.AxiomSys.Com
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1132711798974
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = axiomsys.com
O17 - HKLM\Software\..\Telephony: DomainName = AxiomSys.Com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = axiomsys.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = axiomsys.com
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: Domain = axiomsys.com
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Program Files\HPQ\SHARED\HPQWMI.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe


----------



## mervin2012

u know u don't need hijack this to solve the spyware problem with the blue screen. in fact tbh hijack this is more complex than it needs to be i mean most mugs don't know wot the fuk all the writing is about and just copy and paste it thinkin it will do some good. wot u need to do is get four very simple, free and effective programs and it will clean the spyware away and help to prevent spyware and viruses. the first one is Ad-Aware SE Personal just search for it in google and it will be there. the next one is Spybot search and destroy again search for it in google and it will be there, next is windows antispyware (yes u do need both antispyware programs because spybot dus a bot search and windows antispyware dus a system and registry check) the last one is avg free antivirus now this is a class program. if you keep all of these programs up to date u can get rid of all if not most of the **** out there at no cost to urself. enjoy people!!!


----------



## Keyser520

Thanks,
It all started with WINHOUND, quite possibly one of the most annoying programs ever in existence. Who the heck would actually BUY virus and spyware software from a company that PUTS THAT CRAP ON YOUR COMPUTER in order to get you to pay them to remove it?

Stupid, stupid, stupid.

I have been using ewido, and it keeps finding the same spyware cookies each time. Any ideas?


----------



## brendandonhu

mervin2012 said:


> u know u don't need hijack this to solve the spyware problem with the blue screen. in fact tbh hijack this is more complex than it needs to be i mean most mugs don't know wot the fuk all the writing is about and just copy and paste it thinkin it will do some good. wot u need to do is get four very simple, free and effective programs and it will clean the spyware away and help to prevent spyware and viruses. the first one is Ad-Aware SE Personal just search for it in google and it will be there. the next one is Spybot search and destroy again search for it in google and it will be there, next is windows antispyware (yes u do need both antispyware programs because spybot dus a bot search and windows antispyware dus a system and registry check) the last one is avg free antivirus now this is a class program. if you keep all of these programs up to date u can get rid of all if not most of the **** out there at no cost to urself. enjoy people!!!


Sorry, but none of those programs are able to remove SpyAxe. Also, Spybot does a system and registry check as well.


----------



## Flrman1

mervin2012 said:


> u know u don't need hijack this to solve the spyware problem with the blue screen. in fact tbh hijack this is more complex than it needs to be i mean most mugs don't know wot the fuk all the writing is about and just copy and paste it thinkin it will do some good. wot u need to do is get four very simple, free and effective programs and it will clean the spyware away and help to prevent spyware and viruses. the first one is Ad-Aware SE Personal just search for it in google and it will be there. the next one is Spybot search and destroy again search for it in google and it will be there, next is windows antispyware (yes u do need both antispyware programs because spybot dus a bot search and windows antispyware dus a system and registry check) the last one is avg free antivirus now this is a class program. if you keep all of these programs up to date u can get rid of all if not most of the **** out there at no cost to urself. enjoy people!!!


First of all what you need to do is clean up your language. We don't tolerate foul language like that here. This is a family forum. DO NOT use such foul language here again.

Secondly, it's just plain rude of you to interrupt this thread with such a contrary post. I suggest you leave the security matters to those who are experienced at dealing with them.


----------



## greenmark

Hi mate,

Well, mine was also infected. I have yet to try the above methods, but I will in a little bit; I just want to answer your question.


TO REMOVE THOSE ANNOYING email errors flooding all over the place.

I'm not sure what netsh.exe and netsh.dll do, or whether they belong to the system. But every time I boot up, netshh.exe is executing. What I did was go into Safe Mode and rename it to *.bak (just in case I need to restore it; I don't want to delete it), and the email error message is gone.

COULD SOMEONE address this matter in more detail? That is what I did and it works for me, but does it do any harm to my computer?


----------



## Flrman1

Since this problem has been solved, I'm closing this thread. If you need it reopened please PM me or one of the other mods.

All the rest of you who have a similar problem please start a "New Thread". We cannot help multiple users in the same thread. It is too confusing.


----------

