
Solved: Please help with unknown virus (blue wallpaper stating "SPYWARE INFECTION..."

Discussion in 'Virus & Other Malware Removal' started by syd999, Dec 11, 2005.

Thread Status:
Not open for further replies.
  1. syd999

    syd999 Thread Starter

    Joined:
    Oct 9, 2005
    Messages:
    14
    My wallpaper is blue with a black rectangle in the center with the message "SPYWARE INFECTION Your system is infected with spyware. Windows recomments you to use a spyware removal tool" etc. My taskbar tray has a red "X" on it that pops up with "Your computer is infected" etc. I have some new processes running that I've never seen before (most notably paytime.exe). Below is my HijackThis log. Any help would be IMMENSELY appreciated. Many thanks in advance.

    Logfile of HijackThis v1.99.1
    Scan saved at 6:54:51 PM, on 12/11/2005
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\WINDOWS\system32\paytime.exe
    C:\WINDOWS\system32\igps.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\winstall.exe
    C:\WINDOWS\system32\paytime.exe
    C:\WINDOWS\system32\pgws.exe
    C:\PROGRA~1\COMMON~1\uimz\uimzm.exe
    C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
    C:\PROGRA~1\COMMON~1\uimz\uimza.exe
    C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
    C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
    C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
    C:\Program Files\HijackThis!\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = c:\secure32.html
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = c:\secure32.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = c:\secure32.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = c:\secure32.html
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = c:\secure32.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = c:\secure32.html
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: LinkTracker Class - {8B6DA27E-7F64-4694-8F8F-DC87AB8C6B22} - C:\Program Files\QL\qlink32.dll
    O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
    O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
    O4 - HKLM\..\Run: [HP SchedIndexer] C:\Program Files\Hewlett-Packard\LaserJet 33xx\hppschedindexer.exe
    O4 - HKLM\..\Run: [HP AutoIndexer] C:\Program Files\Hewlett-Packard\LaserJet 33xx\hppautoindexer.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [PayTime] C:\WINDOWS\system32\paytime.exe
    O4 - HKLM\..\Run: [lspins] "C:\WINDOWS\system32\igps.exe"
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [Windows installer] C:\winstall.exe
    O4 - HKCU\..\Run: [PayTime] C:\WINDOWS\system32\paytime.exe
    O4 - HKCU\..\Run: [uimz] C:\PROGRA~1\COMMON~1\uimz\uimzm.exe
    O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1125904347363
    O18 - Filter: text/html - {3551784B-E99A-474f-B782-3EC814442918} - C:\Program Files\QL\qlink32.dll
    O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
    O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
    O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
    O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
     
  2. brendandonhu

    brendandonhu

    Joined:
    Jul 8, 2002
    Messages:
    14,681
    • Run HijackThis and click Do a system scan only
    • Put a checkmark next to each of the following entries and click Fix Checked:

      R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = c:\secure32.html
      R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = c:\secure32.html
      R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = c:\secure32.html
      R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = c:\secure32.html
      R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = c:\secure32.html
      R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = c:\secure32.html
      O4 - HKLM\..\Run: [PayTime] C:\WINDOWS\system32\paytime.exe
      O4 - HKLM\..\Run: [lspins] "C:\WINDOWS\system32\igps.exe"
      O4 - HKCU\..\Run: [Windows installer] C:\winstall.exe
      O4 - HKCU\..\Run: [PayTime] C:\WINDOWS\system32\paytime.exe
      O4 - HKCU\..\Run: [uimz] C:\PROGRA~1\COMMON~1\uimz\uimzm.exe
    • Please save or print these instructions before beginning
    • Go to Start>>Control Panel>>Add or Remove Programs
    • Uninstall SpyAxe if it appears in the list
    • Uninstall Quick Links if it appears in the list
    • Delete the folder C:\Program Files\SpyAxe\ if it exists
    • Save smitRem to your Desktop and run smitRem.exe
    • Download and install Ewido Security Suite
    • During the installation, uncheck the following under Additional Options:

      Install background guard
      Install scan via context menu
    • Run Ewido and click OK when prompted to update the program
    • On the left side of the screen, click update>>Start
    • When the update is finished, exit Ewido
    • Open to smitRem folder and run RunThis.bat. Follow the onscreen prompts
    • Run Ewido Security Suite
    • Click scanner>>Complete System Scan
    • Click OK when prompted to clean the problems found
    • When the scan is finished, click Save Report and save a copy of this log to your Desktop
    • Exit Ewido
    • Go to Start>>Control Panel>>Internet Options>>Programs
    • Click Reset Web Settings>>Apply>>OK
    • Go to Start>>Control Panel>>Display>>Desktop
    • Click Customize Desktop>>Web
    • If you see an entry called Security info or something similar, select it and click Delete>>OK>>Apply>>OK
    • Locate and delete any of the following files that appear on your computer:

      C:\secure32.html
      C:\WINDOWS\system32\paytime.exe
      C:\WINDOWS\system32\igps.exe
      C:\winstall.exe
    • Locate and delete any of the following folders that appear on your computer:

      C:\PROGRA~1\COMMON~1\uimz\
    • Restart your computer
    • Post the contents of smitfiles.txt from the smitRem folder
    • Post the contents of the Ewido Security Suite report that you saved to your Desktop earlier
    • Run HijackThis and click Do a system scan and save a log file
    • Your HijackThis log will open in Notepad. Post the contents of the log here
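As an added defender-side example (not a tool from this thread or from the HijackThis project), the following Python triage helper parses HijackThis v1.99.1 entries of the kind posted above, flags the patterns that marked this infection (IE start/default pages pointing at a local file, a Run entry launching a binary from the drive root, the same binary autorunning from both HKLM and HKCU, and an O18 text/html filter), and diffs a pre-cleanup log against the post-cleanup log. The sample entries are copied from the logs in this thread; the flag rules are this example's own heuristics.

```python
"""Triage helper for HijackThis v1.99.1 log entries (added example)."""
import re
from collections import Counter

# Constructed samples: entries taken from the first and last logs in this thread.
BEFORE_LOG = r"""
Logfile of HijackThis v1.99.1
Running processes:
C:\WINDOWS\system32\paytime.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = c:\secure32.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = c:\secure32.html
O2 - BHO: LinkTracker Class - {8B6DA27E-7F64-4694-8F8F-DC87AB8C6B22} - C:\Program Files\QL\qlink32.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [PayTime] C:\WINDOWS\system32\paytime.exe
O4 - HKCU\..\Run: [Windows installer] C:\winstall.exe
O4 - HKCU\..\Run: [PayTime] C:\WINDOWS\system32\paytime.exe
O18 - Filter: text/html - {3551784B-E99A-474f-B782-3EC814442918} - C:\Program Files\QL\qlink32.dll
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
"""

AFTER_LOG = r"""
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\EwidoSecuritySuite\ewidoctrl.exe
"""

ENTRY = re.compile(r"^(?P<kind>[RO]\d+) - (?P<body>.*)$")
LOCAL_PAGE = re.compile(r"^[a-z]:\\", re.I)                  # IE page set to a file, not a URL
ROOT_BINARY = re.compile(r"^[a-z]:\\[^\\]+\.(?:exe|dll|bat|com)$", re.I)  # e.g. C:\winstall.exe


def target_of(kind, body):
    """Pull out the file or URL an entry launches, loads or points at ('' if none)."""
    if kind in ("R0", "R1", "O14", "O17") or (kind == "O4" and "] " not in body):
        return body.split(" = ", 1)[1].strip() if " = " in body else ""
    if kind == "O4":
        rest = body.split("] ", 1)[1].strip()
        if rest.startswith('"'):                     # quoted path, switches follow the quote
            return rest[1:].split('"', 1)[0]
        return re.split(r"\s+[-/]", rest)[0]         # drop command-line switches
    return body.rsplit(" - ", 1)[-1].strip()         # O2/O3/O18/O23: path is the last field


def parse_log(text):
    """Return (kind, body, target) for every R*/O* entry; other lines are ignored."""
    entries = []
    for raw in text.splitlines():
        m = ENTRY.match(raw.strip())
        if m:
            kind, body = m.group("kind"), m.group("body")
            entries.append((kind, body, target_of(kind, body)))
    return entries


def flag_entries(entries):
    """Return (kind, reason, target) for entries matching this infection's patterns."""
    run_targets = Counter(t.lower() for k, _, t in entries if k == "O4" and t)
    findings = []
    for kind, body, target in entries:
        if kind in ("R0", "R1") and LOCAL_PAGE.match(target):
            findings.append((kind, "IE page setting points at a local file", target))
        elif kind == "O4" and ROOT_BINARY.match(target):
            findings.append((kind, "autorun binary sits in the drive root", target))
        elif kind == "O4" and run_targets[target.lower()] > 1:
            findings.append((kind, "same binary autoruns from more than one Run key", target))
        elif kind == "O18" and body.lower().startswith("filter: text/html"):
            findings.append((kind, "MIME filter hooks every HTML page IE renders", target))
    return findings


def diff_logs(before, after):
    """Entries that disappeared and entries that appeared between two logs."""
    b = {f"{k} - {body}" for k, body, _ in parse_log(before)}
    a = {f"{k} - {body}" for k, body, _ in parse_log(after)}
    return sorted(b - a), sorted(a - b)


if __name__ == "__main__":
    for kind, reason, target in flag_entries(parse_log(BEFORE_LOG)):
        print(f"{kind}: {reason}: {target}")
    removed, added = diff_logs(BEFORE_LOG, AFTER_LOG)
    print(f"{len(removed)} entries gone after cleanup, {len(added)} new; "
          f"{len(flag_entries(parse_log(AFTER_LOG)))} flags remain")
```

Running the helper on a fresh post-cleanup log and checking that no flags remain is the same verification step the helper in this thread does by eye.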
     
  3. syd999

    syd999 Thread Starter

    Joined:
    Oct 9, 2005
    Messages:
    14
    U da man--the system is working fine now. Here's the smitfiles.txt log, the ewido log, and the hijackthis log. Instead of finding a SpyAxe directory in Program Files, I found a new directory I never created called SpySheriff, so I deleted that. Thanks again bro!


    smitRem © log file
    version 2.8

    by noahdfear


    Microsoft Windows XP [Version 5.1.2600]
    The current date is: 12/11/2005
    The current time is: 19:52:09.52

    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    checking for ShudderLTD key

    ShudderLTD key not present!

    checking for PSGuard.com key


    PSGuard.com key not present!

    spyaxe uninstaller NOT present
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    Existing Pre-run Files


    ~~~ Program Files ~~~



    ~~~ Shortcuts ~~~

    Install.dat


    ~~~ Favorites ~~~



    ~~~ system32 folder ~~~



    ~~~ Icons in System32 ~~~



    ~~~ Windows directory ~~~

    desktop.html


    ~~~ Drive root ~~~

    winstall.exe

    ~~~ Miscellaneous Files/folders ~~~




    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~



    Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
    Copyright(C) 2002-2003 [email protected]
    Killing PID 772 'explorer.exe'
    Killing PID 772 'explorer.exe'

    Starting registry repairs

    Deleting files


    Remaining Post-run Files


    ~~~ Program Files ~~~



    ~~~ Shortcuts ~~~



    ~~~ Favorites ~~~



    ~~~ system32 folder ~~~



    ~~~ Icons in System32 ~~~



    ~~~ Windows directory ~~~

    desktop.html


    ~~~ Drive root ~~~

    winstall.exe


    ~~~ Miscellaneous Files/folders ~~~



    winstall.exe

    ~~~ Wininet.dll ~~~

    wininet.dll is missing!!



    ---------------------------------------------------------
    ewido security suite - Scan report
    ---------------------------------------------------------

    + Created on: 9:47:22 PM, 12/11/2005
    + Report-Checksum: E2547EDE

    + Scan result:

    HKU\S-1-5-21-725345543-1606980848-1957994488-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{7C559105-9ECF-42B8-B3F7-832E75EDD959} -> Spyware.ISTBar : Cleaned with backup
    C:\drsmartload1.exe -> Downloader.VB.ri : Cleaned with backup
    C:\inrh9400.exe -> Downloader.Small.bke : Cleaned with backup
    C:\MTE3NDI6ODoxNg.exe -> Downloader.Small.buy : Cleaned with backup
    C:\Program Files\Common Files\uimz\uimza.exe -> Downloader.TSUpdate.l : Cleaned with backup
    C:\Program Files\Common Files\uimz\uimzd\uimzc.dll -> Downloader.Small : Cleaned with backup
    C:\Program Files\Common Files\uimz\uimzl.exe -> Downloader.TSUpdate.p : Cleaned with backup
    C:\Program Files\Common Files\uimz\uimzm.exe -> Downloader.TSUpdate.n : Cleaned with backup
    C:\Program Files\Common Files\uimz\uimzp.exe -> Downloader.TSUpdate.f : Cleaned with backup
    C:\Program Files\QL\uninstall.exe -> Adware.Suggestor : Cleaned with backup
    C:\Program Files\Winamp\winamp.exe -> Worm.Bagle.o : Cleaned with backup
    C:\stub_113_4_0_4_0.exe -> Downloader.TSUpdate.o : Cleaned with backup
    C:\WINDOWS\country.exe -> Trojan.Small : Cleaned with backup
    C:\WINDOWS\desktop.html -> Hijacker.Generic : Cleaned with backup
    C:\WINDOWS\hosts -> Trojan.Qhost.el : Cleaned with backup
    C:\WINDOWS\kl.exe -> Logger.Small.dg : Cleaned with backup
    C:\WINDOWS\system32\paytime.exe -> Hijacker.StartPage.agi : Cleaned with backup
    C:\WINDOWS\tool1.exe -> Trojan.Small : Cleaned with backup
    C:\WINDOWS\tool2.exe -> Trojan.Small : Cleaned with backup
    C:\WINDOWS\tool3.exe -> Downloader.Small.bwr : Cleaned with backup
    C:\WINDOWS\tool4.exe -> Trojan.Small : Cleaned with backup
    C:\WINDOWS\tool5.exe -> Trojan.Small : Cleaned with backup
    C:\WINDOWS\toolbar.exe -> Downloader.VB.qr : Cleaned with backup
    C:\winstall.exe -> Trojan.Small : Cleaned with backup


    ::Report End


    Logfile of HijackThis v1.99.1
    Scan saved at 10:08:25 PM, on 12/11/2005
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
    C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
    C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
    C:\Program Files\EwidoSecuritySuite\ewidoctrl.exe
    C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
    C:\Program Files\Winamp\winamp.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Microsoft Office\Office10\WINWORD.EXE
    C:\Program Files\HijackThis!\HijackThis.exe

    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
    O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
    O4 - HKLM\..\Run: [HP SchedIndexer] C:\Program Files\Hewlett-Packard\LaserJet 33xx\hppschedindexer.exe
    O4 - HKLM\..\Run: [HP AutoIndexer] C:\Program Files\Hewlett-Packard\LaserJet 33xx\hppautoindexer.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1125904347363
    O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
    O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
    O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
    O23 - Service: ewido security suite control - ewido networks - C:\Program Files\EwidoSecuritySuite\ewidoctrl.exe
    O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
     
  4. brendandonhu

    brendandonhu

    Joined:
    Jul 8, 2002
    Messages:
    14,681
    Looks good, you can mark this Solved under Thread Tools (y)
     
  5. Keyser520

    Keyser520

    Joined:
    Dec 24, 2005
    Messages:
    2
    I had a similar problem. I think I fixed it, but I couldn't do all the tests. I just have the ewido and HijackThis logs. Please tell me if it's fixed.

    ---------------------------------------------------------
    ewido anti-malware - Scan report
    ---------------------------------------------------------

    + Created on: 1:40:38 AM, 12/24/2005
    + Report-Checksum: C8FD742A

    + Scan result:

    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Internet Update\{357A87ED-3E5D-437d-B334-DEB7EB4982A3} -> Trojan.Agent.eo : Cleaned with backup
    :mozilla.10:C:\Documents and Settings\BSpellman\Application Data\Mozilla\Firefox\Profiles\1edwiwke.default\cookies.txt -> Spyware.Cookie.Tribalfusion : Cleaned with backup
    :mozilla.11:C:\Documents and Settings\BSpellman\Application Data\Mozilla\Firefox\Profiles\1edwiwke.default\cookies.txt -> Spyware.Cookie.Atdmt : Cleaned with backup
    :mozilla.12:C:\Documents and Settings\BSpellman\Application Data\Mozilla\Firefox\Profiles\1edwiwke.default\cookies.txt -> Spyware.Cookie.Specificclick : Cleaned with backup
    :mozilla.13:C:\Documents and Settings\BSpellman\Application Data\Mozilla\Firefox\Profiles\1edwiwke.default\cookies.txt -> Spyware.Cookie.Specificclick : Cleaned with backup
    :mozilla.14:C:\Documents and Settings\BSpellman\Application Data\Mozilla\Firefox\Profiles\1edwiwke.default\cookies.txt -> Spyware.Cookie.Specificclick : Cleaned with backup
    :mozilla.15:C:\Documents and Settings\BSpellman\Application Data\Mozilla\Firefox\Profiles\1edwiwke.default\cookies.txt -> Spyware.Cookie.Specificclick : Cleaned with backup
    :mozilla.26:C:\Documents and Settings\BSpellman\Application Data\Mozilla\Firefox\Profiles\1edwiwke.default\cookies.txt -> Spyware.Cookie.Doubleclick : Cleaned with backup
    :mozilla.38:C:\Documents and Settings\BSpellman\Application Data\Mozilla\Firefox\Profiles\1edwiwke.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
    :mozilla.39:C:\Documents and Settings\BSpellman\Application Data\Mozilla\Firefox\Profiles\1edwiwke.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
    :mozilla.41:C:\Documents and Settings\BSpellman\Application Data\Mozilla\Firefox\Profiles\1edwiwke.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
    :mozilla.45:C:\Documents and Settings\BSpellman\Application Data\Mozilla\Firefox\Profiles\1edwiwke.default\cookies.txt -> Spyware.Cookie.Ru4 : Cleaned with backup
    :mozilla.46:C:\Documents and Settings\BSpellman\Application Data\Mozilla\Firefox\Profiles\1edwiwke.default\cookies.txt -> Spyware.Cookie.Ru4 : Cleaned with backup
    :mozilla.48:C:\Documents and Settings\BSpellman\Application Data\Mozilla\Firefox\Profiles\1edwiwke.default\cookies.txt -> Spyware.Cookie.Casalemedia : Cleaned with backup
    :mozilla.49:C:\Documents and Settings\BSpellman\Application Data\Mozilla\Firefox\Profiles\1edwiwke.default\cookies.txt -> Spyware.Cookie.Casalemedia : Cleaned with backup
    C:\Documents and Settings\BSpellman\Cookies\[email protected][1].txt -> Spyware.Cookie.2o7 : Cleaned with backup
    C:\Documents and Settings\BSpellman\Cookies\[email protected][2].txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
    C:\Documents and Settings\BSpellman\Cookies\[email protected][1].txt -> Spyware.Cookie.Specificclick : Cleaned with backup
    C:\Documents and Settings\BSpellman\Cookies\[email protected][2].txt -> Spyware.Cookie.Pointroll : Cleaned with backup
    C:\Documents and Settings\BSpellman\Cookies\[email protected][1].txt -> Spyware.Cookie.Advertising : Cleaned with backup
    C:\Documents and Settings\BSpellman\Cookies\[email protected][1].txt -> Spyware.Cookie.Atdmt : Cleaned with backup
    C:\Documents and Settings\BSpellman\Cookies\[email protected][1].txt -> Spyware.Cookie.Bluestreak : Cleaned with backup
    C:\Documents and Settings\BSpellman\Cookies\[email protected][2].txt -> Spyware.Cookie.Burstnet : Cleaned with backup
    C:\Documents and Settings\BSpellman\Cookies\[email protected][1].txt -> Spyware.Cookie.Casalemedia : Cleaned with backup
    C:\Documents and Settings\BSpellman\Cookies\[email protected][1].txt -> Spyware.Cookie.Centrport : Cleaned with backup
    C:\Documents and Settings\BSpellman\Cookies\[email protected][2].txt -> Spyware.Cookie.Bridgetrack : Cleaned with backup
    C:\Documents and Settings\BSpellman\Cookies\[email protected][1].txt -> Spyware.Cookie.Doubleclick : Cleaned with backup
    C:\Documents and Settings\BSpellman\Cookies\[email protected][1].txt -> Spyware.Cookie.Ru4 : Cleaned with backup
    C:\Documents and Settings\BSpellman\Cookies\[email protected][1].txt -> Spyware.Cookie.Hitbox : Cleaned with backup
    C:\Documents and Settings\BSpellman\Cookies\[email protected][1].txt -> Spyware.Cookie.Hitbox : Cleaned with backup
    C:\Documents and Settings\BSpellman\Cookies\[email protected][2].txt -> Spyware.Cookie.Fastclick : Cleaned with backup
    C:\Documents and Settings\BSpellman\Cookies\[email protected][1].txt -> Spyware.Cookie.Hitbox : Cleaned with backup
    C:\Documents and Settings\BSpellman\Cookies\[email protected][1].txt -> Spyware.Cookie.Mediaplex : Cleaned with backup
    C:\Documents and Settings\BSpellman\Cookies\[email protected][1].txt -> Spyware.Cookie.Questionmarket : Cleaned with backup
    C:\Documents and Settings\BSpellman\Cookies\[email protected][2].txt -> Spyware.Cookie.Liveperson : Cleaned with backup
    C:\Documents and Settings\BSpellman\Cookies\[email protected][2].txt -> Spyware.Cookie.Serving-sys : Cleaned with backup
    C:\Documents and Settings\BSpellman\Cookies\[email protected][1].txt -> Spyware.Cookie.Statcounter : Cleaned with backup
    C:\Documents and Settings\BSpellman\Cookies\[email protected][2].txt -> Spyware.Cookie.Webtrendslive : Cleaned with backup
    C:\Documents and Settings\BSpellman\Cookies\[email protected][1].txt -> Spyware.Cookie.Tradedoubler : Cleaned with backup
    C:\Documents and Settings\BSpellman\Cookies\[email protected][2].txt -> Spyware.Cookie.Trafficmp : Cleaned with backup
    C:\Documents and Settings\BSpellman\Cookies\[email protected][1].txt -> Spyware.Cookie.Tribalfusion : Cleaned with backup
    C:\Documents and Settings\BSpellman\Cookies\[email protected][2].txt -> Spyware.Cookie.Valuead : Cleaned with backup
    C:\Documents and Settings\BSpellman\Cookies\[email protected][2].txt -> Spyware.Cookie.Valueclick : Cleaned with backup
    C:\Documents and Settings\BSpellman\Cookies\[email protected][1].txt -> Spyware.Cookie.Burstbeacon : Cleaned with backup
    C:\Documents and Settings\BSpellman\Cookies\[email protected][1].txt -> Spyware.Cookie.Adserver : Cleaned with backup
    C:\Documents and Settings\BSpellman\Local Settings\Temp\fkajopmd.exe -> Trojan.Dialer.ay : Cleaned with backup
    C:\Documents and Settings\BSpellman\Local Settings\Temp\hnonnjgc.exe -> Trojan.Dialer.ay : Cleaned with backup
    C:\Documents and Settings\BSpellman\Local Settings\Temp\jlphppmd.exe -> Trojan.Dialer.ay : Cleaned with backup
    C:\Documents and Settings\BSpellman\Local Settings\Temp\naifjpmd.exe -> Trojan.Dialer.ay : Cleaned with backup
    C:\Documents and Settings\BSpellman\Local Settings\Temporary Internet Files\Content.IE5\U5HL8GPT\mm[2].js -> Spyware.Chitika : Cleaned with backup
    C:\RECYCLER\S-1-5-21-1001587576-593839091-677931608-6569\Dc2\CWrapper.dll -> Adware.PSGuard : Cleaned with backup
    C:\RECYCLER\S-1-5-21-1001587576-593839091-677931608-6569\Dc2\WinHound.exe -> Adware.PSGuard : Cleaned with backup


    ::Report End







    HIJACK THIS

    Logfile of HijackThis v1.99.1
    Scan saved at 2:06:53 AM, on 12/24/2005
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\System32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    C:\WINDOWS\System32\tlntsvr.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe
    C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
    C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
    C:\Program Files\MSN Messenger\MsnMsgr.Exe
    C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Microsoft AntiSpyware\GIANTAntiSpywareMain.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Documents and Settings\BSpellman\Local Settings\Temporary Internet Files\Content.IE5\K5AZGTIZ\HijackThis[1].exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.axiomsys.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = Http://Www.AxiomSys.Com
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Axiom Systems (Www.AxiomSys.Com)
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
    O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    O4 - HKLM\..\Run: [eabconfg.cpl] C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe /Start
    O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
    O4 - HKLM\..\Run: [WatchDog] C:\Program Files\InterVideo\DVD Check\DVDCheck.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
    O4 - Global Startup: DVD Check.lnk = C:\Program Files\InterVideo\DVD Check\DVDCheck.exe
    O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
    O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
    O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
    O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
    O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: UltimateBet - {94148DB5-B42D-4915-95DA-2CBB4F7095BF} - C:\Program Files\UltimateBet\UltimateBet.exe
    O9 - Extra 'Tools' menuitem: UltimateBet - {94148DB5-B42D-4915-95DA-2CBB4F7095BF} - C:\Program Files\UltimateBet\UltimateBet.exe
    O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe
    O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe
    O9 - Extra button: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O14 - IERESET.INF: START_PAGE_URL=Http://Www.AxiomSys.Com
    O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1132711798974
    O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
    O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = axiomsys.com
    O17 - HKLM\Software\..\Telephony: DomainName = AxiomSys.Com
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = axiomsys.com
    O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = axiomsys.com
    O17 - HKLM\System\CS3\Services\Tcpip\Parameters: Domain = axiomsys.com
    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Program Files\HPQ\SHARED\HPQWMI.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
     
  6. mervin2012

    mervin2012

    Joined:
    Dec 20, 2005
    Messages:
    2
    You know you don't need HijackThis to solve the spyware problem with the blue screen. In fact, tbh HijackThis is more complex than it needs to be; I mean most mugs don't know what the fuk all the writing is about and just copy and paste it thinking it will do some good. What you need to do is get four very simple, free and effective programs and they will clean the spyware away and help to prevent spyware and viruses. The first one is Ad-Aware SE Personal; just search for it in Google and it will be there. The next one is Spybot Search and Destroy; again, search for it in Google and it will be there. Next is Windows AntiSpyware (yes, you do need both antispyware programs because Spybot does a bot search and Windows AntiSpyware does a system and registry check). The last one is AVG Free Antivirus, now this is a class program. If you keep all of these programs up to date you can get rid of all, if not most, of the **** out there at no cost to yourself. Enjoy people!!!
     
  7. Keyser520

    Keyser520

    Joined:
    Dec 24, 2005
    Messages:
    2
    Thanks,
    It all started with WINHOUND, quite possibly one of the most annoying programs ever in existence. Who the heck would actually BUY virus and spyware software from a company that PUTS THAT CRAP ON YOUR COMPUTER in order to get you to pay them to remove it?

    Stupid, stupid, stupid.

    I have been using ewido, and it keeps finding the same spyware cookies each time. Any ideas?
     
  8. brendandonhu

    brendandonhu

    Joined:
    Jul 8, 2002
    Messages:
    14,681
    Sorry, but none of those programs are able to remove SpyAxe. Also, Spybot does a system and registry check as well.
     
  9. Flrman1

    Flrman1

    Joined:
    Jul 26, 2002
    Messages:
    46,329
    First of all what you need to do is clean up your language. We don't tolerate foul language like that here. This is a family forum. DO NOT use such foul language here again.

    Secondly, it's just plain rude of you to interrupt this thread with such a contrary post. I suggest you leave the security matters to those who are experienced at dealing with them.
     
  10. greenmark

    greenmark

    Joined:
    Dec 29, 2005
    Messages:
    2
    Hi mate,

    Well, mine was also infected. I have yet to try the above methods, but I will in a little bit; I just want to answer your question.


    TO REMOVE THOSE ANNOYING email errors flooding all over the place.

    I'm not sure what netsh.exe and netsh.dll do, or whether they belong to the system. But every time I boot up, netshh.exe is executing. What I did was go into Safe Mode and rename it to *.bak (just in case I need to restore it; I don't want to delete it), and the email error message is gone.

    COULD SOMEONE address this matter in more detail? That is what I did and it worked for me, but does it do any harm to my computer?
     
  11. Flrman1

    Flrman1

    Joined:
    Jul 26, 2002
    Messages:
    46,329
    Since this problem has been solved, I'm closing this thread. If you need it reopened please PM me or one of the other mods.

    All the rest of you who have a similar problem please start a "New Thread". We cannot help multiple users in the same thread. It is too confusing.
     

Short URL to this thread: https://techguy.org/424361
