spyware is back

Discussion in 'adware, spyware & hijack cleaning' started by akravets, Jul 9, 2004.

Thread Status:
Not open for further replies.
  1. akravets

    akravets, Registered Member (Joined: Jul 7, 2004; Posts: 3)

    I read a couple of threads here and was able to remove spyware from my PC, but now it's baaaack!
    I ran HijackThis but don't see anything unusual. Can someone please help?

    Logfile of HijackThis v1.97.7
    Scan saved at 1:36:40 PM, on 7/9/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Symantec AntiVirus\DefWatch.exe
    C:\Program Files\Symantec AntiVirus\SavRoam.exe
    C:\Program Files\Symantec AntiVirus\Rtvscan.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    C:\Program Files\PenguiNet\PenguiNet.exe
    C:\WINDOWS\System32\wuauclt.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\mozilla.org\Mozilla\mozilla.exe
    C:\PROGRA~1\MOZILL~1\THUNDE~1.EXE
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\downloads\HijackThis1977.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\JEANET~1\LOCALS~1\Temp\sp.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\JEANET~1\LOCALS~1\Temp\sp.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\JEANET~1\LOCALS~1\Temp\sp.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\DOCUME~1\JEANET~1\LOCALS~1\Temp\sp.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = file://C:\DOCUME~1\JEANET~1\LOCALS~1\Temp\sp.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = file://C:\DOCUME~1\JEANET~1\LOCALS~1\Temp\sp.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
    N3 - Netscape 7: user_pref("browser.startup.homepage", "http://home.netscape.com/"); (C:\Documents and Settings\Jeanette Schaefer\Application Data\Mozilla\Profiles\default\8ku0plvl.slt\prefs.js)
    N3 - Netscape 7: user_pref("browser.search.defaultengine", "http://www.google.com/"); (C:\Documents and Settings\Jeanette Schaefer\Application Data\Mozilla\Profiles\default\8ku0plvl.slt\prefs.js)
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    O17 - HKLM\System\CCS\Services\Tcpip\..\{18B462D1-7602-4509-8B01-6C2AD4267A66}: NameServer = 12.127.17.71,12.127.16.67

    thanks,
    Alex
     
  2. Marianna

    Marianna, Spyware Fighter (Joined: Apr 23, 2002; Posts: 1,215; Location: B.C. Canada)

    Yep, that is a NEW CWS variant - let's give this one a try:

    Download and install:
    "FINDnFIX.exe" from:

    HERE
    or HERE

    Run the "!LOG!.bat" file, wait for the final output (log.txt), and
    post the results, along with a fresh HijackThis log!
     