I need help, please.

I have run into the SpyAxe adware program and it is currently giving me the "System Intrusion Detected" pop-up on my task bar. It has not taken over my homepage as of yet but I expect it to sometime.

I have run Ad-Aware and it did find one virus which it cleaned.

I have run the smitrem program and it found nothing.

I have AVG on the machine and it finds but 1 virus. (deleted)

I am posting a HJT log, CW Shredder log and Ewido log. Please assist in any way possible.

HJT


Logfile of HijackThis v1.99.1
Scan saved at 11:36:10 AM, on 1/6/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)


Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\ewido anti-malware\ewidoguard.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Documents and Settings\Damon Foster\Desktop\HJT\HijackThis.exe


R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
O2 - BHO: HomepageBHO - {27150f81-0877-42e9-af13-55e5a3439a26} - C:\WINDOWS\system32\hpEC44.tmp (file missing)
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O4 - HKLM\..\Run: [WordPerfect Office 1215] C:\Program Files\WordPerfect Office 12\Programs\Registration.exe /title="WordPerfect Office 12" /date=091705 serial=WS12WTX-9999998-UYR lang=EN
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {24D1BDCE-D835-11D6-BF84-0050047EA0E7} (BlueStream_Flash Class) - http://www.rovion.com/Controls/Rovion.cab?affiliate=MEDIAGEN
O16 - DPF: {31E68DE2-5548-4B23-88F0-C51E6A0F695E} (Microsoft PID Sniffer) - https://support.microsoft.com/OAS/ActiveX/odc.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {9BFC2253-B9D9-477E-9488-CA450232620D} (BinAg1 Class) - https://fastconnectkitsetup.cox.net/wizlet/CoxNA/static/controls/WebflowActiveX.CAB
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://www.incredigames.com/online2/zuma/popcaploader_v5.cab
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe


CW Shredder


**** Run Keys ****


RUN: [WordPerfect Office 1215] C:\Program Files\WordPerfect Office 12\Programs\Registration.exe /title="WordPerfect Office 12" /date=091705 serial=WS12WTX-9999998-UYR lang=EN
RUN: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
RUN: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe



**** Browser Helper Objects ****


BHO: [HomepageBHO] C:\WINDOWS\system32\hpEC44.tmp



**** IE Toolbars ****


TOOLBAR: []



**** IE Extensions ****


IEExt: [Web Browser Applet Control] C:\WINDOWS\System32\msjava.dll
IEExt: [Messenger] C:\Program Files\Messenger\msmsgs.exe



**** Hosts File Entries ****


HOSTS: 127.0.0.1 localhost
HOSTS: 127.0.0.1 localhost


Ewido File
--------------------------------------------------------
ewido anti-malware - Scan report
---------------------------------------------------------


+ Created on:           12:35:07 PM, 1/6/2006
+ Report-Checksum:      F8C56A4A


+ Scan result:


C:\Program Files\SpywareStrike\SpywareStrike.exe -> Adware.Spyaxe : Cleaned with backup
C:\RECYCLER\S-1-5-21-2310379427-4074139075-3787411331-1005\Dc13.txt -> Spyware.Cookie.Sextracker : Cleaned with backup
C:\RECYCLER\S-1-5-21-2310379427-4074139075-3787411331-1005\Dc26.txt -> Spyware.Cookie.Sextracker : Cleaned with backup
C:\RECYCLER\S-1-5-21-2310379427-4074139075-3787411331-1005\Dc27.txt -> Spyware.Cookie.Sextracker : Cleaned with backup
C:\RECYCLER\S-1-5-21-2310379427-4074139075-3787411331-1005\Dc28.txt -> Spyware.Cookie.Sexcounter : Cleaned with backup
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP344\A0042785.exe -> Downloader.Zlob.dy : Cleaned with backup



::Report End

I originally tried to delete a lot of the files associated with this virus (originally around 200 infected files); most seem to be clean. I am however getting the obscene site pop-ups and I have the constant and never-ending "System Intrusion Detected" message popping up off of the task bar. I have learned that deleting from Add/Remove Programs seems to mutate the virus, and also learned not to click on the task bar message.

Currently it appears that the SpyAxe virus is calling itself Spyware Strike. Any time I boot it comes back to see me in full form.

Anything you could help me with would be greatly appreciated.

Thank you...
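An added example, not part of the original post and not HijackThis's own code: a small Python parser for the HJT log format that picks out the entries in the log above a responder would examine first (the O2 BHO and O3 toolbar whose files are gone, the blank R0 start page) and extracts their CLSIDs, which name the HKCR CLSID subkeys left behind. The excerpt embedded in the script is constructed from the posted log; the flagging heuristics are the editor's, not a rule from the thread.

```python
import re

# Constructed excerpt of the HijackThis log posted above: the entries
# relevant to the SpyAxe/SpywareStrike symptoms plus two benign lines.
HJT_LOG = r"""R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
O2 - BHO: HomepageBHO - {27150f81-0877-42e9-af13-55e5a3439a26} - C:\WINDOWS\system32\hpEC44.tmp (file missing)
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
"""

# HJT entry lines look like "O2 - BHO: ..." or "R0 - HKCU\...": a section tag, " - ", then the body.
ENTRY_RE = re.compile(r"^(?P<section>[A-Z]\d+) - (?P<body>.*)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")


def parse_hjt(text):
    """Split a HijackThis log into (section, body) pairs; headers and the process list are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group("section"), m.group("body")))
    return entries


def flag_entries(entries):
    """Return (section, reason, body) for entries worth a second look.

    Heuristics (editor's assumptions), checked in priority order:
      * O2/O3 whose file no longer exists: a registration left behind by a partial cleanup;
      * O2/O3 loading a .tmp file or registered with no name: not how legitimate add-ons ship;
      * R0/R1 with an empty Start Page: a symptom of a hijack or of its removal.
    """
    flagged = []
    for section, body in entries:
        if section in ("O2", "O3") and ("(file missing)" in body or "(no file)" in body):
            flagged.append((section, "orphaned COM registration", body))
        elif section in ("O2", "O3") and (body.lower().endswith(".tmp") or "(no name)" in body):
            flagged.append((section, "suspicious BHO/toolbar", body))
        elif section in ("R0", "R1") and body.rstrip().endswith("="):
            flagged.append((section, "blank start page", body))
    return flagged


def clsids_of(flagged):
    """CLSIDs named in flagged entries: the registry subkeys under HKCR CLSID to inspect next."""
    return [m.group(0) for _, _, body in flagged for m in [CLSID_RE.search(body)] if m]


if __name__ == "__main__":
    for section, reason, body in flag_entries(parse_hjt(HJT_LOG)):
        print(f"{section}: {reason}: {body}")
```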


All 8 Replies

SpyAxe Removal. I used 'Remove SpyAxe. Removal instructions' to clean up my sister-in-law's computer when all else failed.

Thanks for the link but I refuse to purchase their product. I would buy a new computer before I would give in to them.

You don't need to buy anything!
Look down the page about half way there's a batch file to download and run from safe mode, that's it!

Look for "Remove SpyAxe. Removal instructions"

Laser,

Sorry about the misunderstanding, I went back to the page and it looks like you are talking about the smitrem.exe program where when opened you run the Run This Bat file. Unfortunately, I have run this already, along with about 5 others. I am still having problems and cannot seem to get this fixed.

Thanks

I also tried the manual removal directions listed on the same page as the smitrem link.

Most of the problems seem to be gone but I am still getting the popup on the task bar.
I do not know if I am missing a reg key to delete or if it is something that I can delete from sys processes.

Any more suggestions?

Thanks

Try disabling the Messenger service. (Control Panel, Admin. Tools, Services)
Firewall software may help too.

Post another hijackthis log when done please and I will take a look :).
