Jump to content


Photo

spyware on my comp Please help


  • Please log in to reply
6 replies to this topic

#1 jdrew

jdrew

    Member

  • New Member
  • Pip
  • 4 posts

Posted 26 May 2004 - 12:48 PM

Hello i have tried to run adaware and spybot they both tell me the spyware is removed but i re boot and there back please help here is my log from highjack this


Logfile of HijackThis v1.97.7
Scan saved at 12:49:45 PM, on 5/26/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\NavNT\defwatch.exe
C:\WINNT\system32\GEARSEC.EXE
C:\Program Files\NavNT\rtvscan.exe
C:\WINNT\system32\nvsvc32.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\MsgSys.EXE
C:\WINNT\Explorer.EXE
C:\WINNT\System32\svchost.exe
C:\Program Files\NavNT\vptray.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\j2re1.4.2_02\bin\jusched.exe
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
C:\WINNT\Dit.exe
C:\WINNT\system32\pgimuz.exe
C:\WINNT\DitExp.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\PROGRA~1\Cacheman\Cacheman.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hposol08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\WINNT\system32\HPZipm12.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Administrator\Desktop\tools\spyware\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://signin.ebay.c...SAPI.dll?SignIn
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.shawneelink.net
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.shawneelink.net
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.shawneelink.net
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = ShawneeLink
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: (no name) - {000020DD-C72E-4113-AF77-DD56626C6C42} - C:\WINNT\twaintec.dll
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {A9EEF0D7-5695-45BA-8943-ED3B95A50BD2} - C:\WINNT\system32\CheckUrl.dll
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\winnt\googletoolbar2.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\winnt\googletoolbar2.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_02\bin\jusched.exe
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [Dit] Dit.exe
O4 - HKLM\..\Run: [inzoofcp] C:\WINNT\system32\pgimuz.exe
O4 - HKLM\..\RunServices: [NettGain2000] C:\Program Files\Flash Networks\NettGain2000\Bst\WgwLocalManager.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [Cacheman] C:\PROGRA~1\Cacheman\Cacheman.exe
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: hpoddt01.exe.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
O4 - Global Startup: officejet 6100.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hposol08.exe
O8 - Extra context menu item: &Google Search - res://c:\winnt\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://c:\winnt\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\winnt\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Si&milar Pages - res://c:\winnt\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\winnt\GoogleToolbar2.dll/cmtrans.html
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: Encarta Encyclopedia (HKLM)
O9 - Extra 'Tools' menuitem: Encarta Encyclopedia (HKLM)
O9 - Extra button: Define (HKLM)
O9 - Extra 'Tools' menuitem: Define (HKLM)
O9 - Extra button: ICQ Pro (HKLM)
O9 - Extra 'Tools' menuitem: ICQ (HKLM)
O9 - Extra button: SL Users (HKCU)
O9 - Extra button: SL Home (HKCU)
O9 - Extra button: SL WebMail (HKCU)
O9 - Extra button: SL Support (HKCU)
O14 - IERESET.INF: START_PAGE_URL=http://www.shawneelink.net
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{36832295-6AEE-401D-B558-FCFAEF0D7330}: Domain = shawneelink.net
O17 - HKLM\System\CCS\Services\Tcpip\..\{C82DC0BA-B4DF-4024-88B6-BDAF3EB0F6CE}: Domain = shawneelink.net
O17 - HKLM\System\CCS\Services\Tcpip\..\{C82DC0BA-B4DF-4024-88B6-BDAF3EB0F6CE}: NameServer = 216.240.66.19
O17 - HKLM\System\CS2\Services\Tcpip\..\{36832295-6AEE-401D-B558-FCFAEF0D7330}: Domain = shawneelink.net
O17 - HKLM\System\CS3\Services\Tcpip\..\{36832295-6AEE-401D-B558-FCFAEF0D7330}: Domain = shawneelink.net

Thanks jdrew

#2 jdrew

jdrew

    Member

  • New Member
  • Pip
  • 4 posts

Posted 26 May 2004 - 02:06 PM

hello anyone please? help

#3 PGPhantom

PGPhantom

    Superman of SWI

  • Emeritus
  • PipPipPipPipPip
  • 3,494 posts

Posted 26 May 2004 - 02:55 PM

Just so that you know you are not being ignored - I will handle this case for you but I need to ask for your patience while I review the log

Please keep an eye on this message for a resolution shortly.

#4 PGPhantom

PGPhantom

    Superman of SWI

  • Emeritus
  • PipPipPipPipPip
  • 3,494 posts

Posted 26 May 2004 - 03:04 PM

We need to remove a program called "Twain-Tec". To do this, first you need to disable System restore as per the instructions at here . Twiantec.dll is a transponder. HijackThis will detect it as a BHO but it must not be removed using HijackThis. This is because of the remaining registry entries and files which can be dangerous. Instead the following method of removal is preferable and complete:
Go to "Add/Remove Programs" => Uninstall "Twain-Tech". Reboot the computer to SAFE mode - How do I boot into "Safe" mode?. Delete twaintech.dll and twaintec.ini If twaintech.dll is in use, then you would need to rename it, reboot the computer, and then delete it.

Run HijackThis and delete the following:
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: (no name) - {000020DD-C72E-4113-AF77-DD56626C6C42} - C:\WINNT\twaintec.dll
O2 - BHO: (no name) - {A9EEF0D7-5695-45BA-8943-ED3B95A50BD2} - C:\WINNT\system32\CheckUrl.dll
O4 - HKLM\..\Run: [inzoofcp] C:\WINNT\system32\pgimuz.exe

The following is a resource hog and is optional to delete:
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [Cacheman] C:\PROGRA~1\Cacheman\Cacheman.exe <= This only needs to be run once, not constantly. It is safe to remove

Please reboot into safe mode - How do I boot into "Safe" mode?

Please cleanup temporary files etc. Browse to and select all contents in the following folders (Windows may be WINNT or WIN98 etc.), and delete (Make sure to delete the sub-folders, but not the Temp folders themselves!):
  • C:\Windows\Temp (all contents)
  • C:\Documents and Settings\<Your Profile>\Local Settings\Temporary Internet Files (all contents) <=This will delete all your cached internet content including cookies. This is recommended and strongly suggested.
  • C:\Documents and Settings\<Your Profile>\Local Settings\Temp (all contents)
  • C:\Documents and Settings\<Any other users Profile>\Local Settings\Temporary Internet Files(all contents)
  • C:\Documents and Settings\<Any other users Profile>\Local Settings\Temp (all contents)
  • Empty your "Recycle Bin".
  • C:\WINNT\system32\CheckUrl.dll
  • C:\WINNT\system32\pgimuz.exe
Reboot again and log in normally, repost a new HijackThis log into this message for further review.

#5 jdrew

jdrew

    Member

  • New Member
  • Pip
  • 4 posts

Posted 26 May 2004 - 04:33 PM

Thank you i will do as you has instructed thank again

#6 jdrew

jdrew

    Member

  • New Member
  • Pip
  • 4 posts

Posted 26 May 2004 - 05:38 PM

It didnt take it out i still have it on spybot
here is my new log
Logfile of HijackThis v1.97.7
Scan saved at 5:37:48 PM, on 5/26/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\NavNT\defwatch.exe
C:\WINNT\system32\GEARSEC.EXE
C:\Program Files\NavNT\rtvscan.exe
C:\WINNT\system32\nvsvc32.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\MsgSys.EXE
C:\Program Files\NavNT\vptray.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\j2re1.4.2_02\bin\jusched.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
C:\WINNT\Dit.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\WINNT\DitExp.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hposol08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\WINNT\system32\HPZipm12.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\Documents and Settings\Administrator\Desktop\tools\spyware\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://signin.ebay.c...SAPI.dll?SignIn
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.shawneelink.net
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.shawneelink.net
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.shawneelink.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = ShawneeLink
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\winnt\googletoolbar2.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\winnt\googletoolbar2.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_02\bin\jusched.exe
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [Dit] Dit.exe
O4 - HKLM\..\RunServices: [NettGain2000] C:\Program Files\Flash Networks\NettGain2000\Bst\WgwLocalManager.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: hpoddt01.exe.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
O4 - Global Startup: officejet 6100.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hposol08.exe
O8 - Extra context menu item: &Google Search - res://c:\winnt\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://c:\winnt\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\winnt\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Si&milar Pages - res://c:\winnt\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\winnt\GoogleToolbar2.dll/cmtrans.html
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: Encarta Encyclopedia (HKLM)
O9 - Extra 'Tools' menuitem: Encarta Encyclopedia (HKLM)
O9 - Extra button: Define (HKLM)
O9 - Extra 'Tools' menuitem: Define (HKLM)
O9 - Extra button: ICQ Pro (HKLM)
O9 - Extra 'Tools' menuitem: ICQ (HKLM)
O9 - Extra button: SL Users (HKCU)
O9 - Extra button: SL Home (HKCU)
O9 - Extra button: SL WebMail (HKCU)
O9 - Extra button: SL Support (HKCU)
O14 - IERESET.INF: START_PAGE_URL=http://www.shawneelink.net
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macr...ash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{36832295-6AEE-401D-B558-FCFAEF0D7330}: Domain = shawneelink.net
O17 - HKLM\System\CCS\Services\Tcpip\..\{C82DC0BA-B4DF-4024-88B6-BDAF3EB0F6CE}: Domain = shawneelink.net
O17 - HKLM\System\CCS\Services\Tcpip\..\{C82DC0BA-B4DF-4024-88B6-BDAF3EB0F6CE}: NameServer = 216.240.66.19
O17 - HKLM\System\CS2\Services\Tcpip\..\{36832295-6AEE-401D-B558-FCFAEF0D7330}: Domain = shawneelink.net
O17 - HKLM\System\CS3\Services\Tcpip\..\{36832295-6AEE-401D-B558-FCFAEF0D7330}: Domain = shawneelink.net

thank youagain

#7 PGPhantom

PGPhantom

    Superman of SWI

  • Emeritus
  • PipPipPipPipPip
  • 3,494 posts

Posted 27 May 2004 - 08:53 AM

Your log looks clean to me - What is it that is back? What is the exact problem that you are experiencing?




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

Member of ASAP and UNITE
Support SpywareInfo Forum - click the button