Hi guys,

My dad got a bunch of really nasty spyware on my computer this past weekend, and I've tried almost everything I could think of.

Adaware and SpyBot S&D don't work, and HijackThis catches the Registry Keys that redirect my homepage, search pages and 404 error pages to randomly-generated DLL's. Everytime I delete one of these DLL's, a new one comes up.

Anyway, here are my logs...please help if you can, I've tried everything I can think of.

-----------------------------------------------------------------------


Logfile of HijackThis v1.98.1
Scan saved at 5:48:17 PM, on 04/08/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Norton AV\defwatch.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Norton AV\rtvscan.exe
C:\PROGRA~1\SYMPAT~1\ACCESS~1\app\pppoeservice.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\ipde.exe
C:\WINNT\system32\MsgSys.EXE
C:\WINNT\Explorer.EXE
C:\PROGRA~1\PANICW~1\POP-UP~1\dpps2.exe
C:\WINNT\System32\spool\drivers\w32x86\3\hpztsb07.exe
C:\PROGRA~1\NETASS~1\SMARTB~1\MotiveSB.exe
C:\PROGRA~1\NORTON~1\vptray.exe
C:\PROGRA~1\PESTPA~1\PPControl.exe
C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
C:\WINNT\d3rc32.exe
C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe
C:\Program Files\NetAssistant\bin\mpbtn.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\HijackThis\HijackThis.exe


R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\xtsyq.dll/sp.html#96676
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://xtsyq.dll/index.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://xtsyq.dll/index.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINNT\xtsyq.dll/sp.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\xtsyq.dll/sp.html#96676
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://xtsyq.dll/index.html#96676
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {1A3F2126-C89C-8F9E-2C20-AF6AFEC46339} - C:\WINNT\system32\ieiq.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [Pop-Up Stopper] "C:\PROGRA~1\PANICW~1\POP-UP~1\dpps2.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\program files\quicktime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINNT\System32\spool\drivers\w32x86\3\hpztsb07.exe
O4 - HKLM\..\Run: [taskmanager] c:\windows\taskmgr.com
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\NETASS~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\NORTON~1\vptray.exe
O4 - HKLM\..\Run: [PestPatrol Control Center] C:\PROGRA~1\PESTPA~1\PPControl.exe
O4 - HKLM\..\Run: [PPMemCheck] C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
O4 - HKLM\..\Run: [CookiePatrol] C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
O4 - HKLM\..\Run: [d3rc32.exe] C:\WINNT\d3rc32.exe
O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe -osboot
O4 - Global Startup: NetAssistant.lnk = C:\Program Files\NetAssistant\bin\matcli.exe


Thanks a lot guys, I'd appreciate any help. :thumbsup:

Hi, I'm not an expert or anything but I would say try Ad-Aware 1 more time but follow these steps:

1) I'm guessing when you open Ad-Aware you click on 'start' and under 'Select Scan Mode' you use 'Perform smart system-scan'.
2) Well i'm going to say choose 'select drives/folders to scan' under 'Select Scan Mode' and choose drives C: and D: and than let Ad-Aware scan.

This should scan your whole Harddrive. It may take a while depending on the speed and how many files you have on you computer. (for me it takes around 20-25 mins)

By doing this I cleared 150 Adware, Spyware from the C: and D: etc.

Sorry, I can't help you woth your log...don't know what to remove.

Hope this helps in someway.

Thanks man, but no luck. It automatically deep scans Drive C:, which is my only hard drive.

I've updated all the programs, but still nothing. It's driving me crazy.

Wow...I see now that there are loads of Home Search Assistant problems, and none of them seem to have been fully resolved. This is crazy...it seems like a really serious issue.

You'll need to use About:Buster (http://www.ducky.atribune.org/) to fix this particularly nasty bug. The directions and the file are both on that page. You might have to run it twice. Post a fresh log here after running the program.

Here's the deal:

There's a hidden reloader. We can delete those entries as much as we'd like, but every time you re-launch an application, it will come back under a new name. currently the method of finding the reloader is pretty complex, and there's no easy way to communicate it over a forum post. It involves mounting the drive on a seperate machine and using logic and experience to identify which file is probably the reloader, and then manually deleting it. It is obviously not easy to do that over the forums.. I'm trying to think up a way to write a removal process into a guide.... Keep an eye on this thread.

Beaten to the draw by the mad dr. kwitko.....

You'll need to use About:Buster (http://www.ducky.atribune.org/) to fix this particularly nasty bug. The directions and the file are both on that page. You might have to run it twice. Post a fresh log here after running the program.


Thanks, it seemed to help, but the damn thing is still around.


Here's the new log:




Logfile of HijackThis v1.98.1
Scan saved at 11:39:13 PM, on 04/08/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Norton AV\defwatch.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Norton AV\rtvscan.exe
C:\PROGRA~1\SYMPAT~1\ACCESS~1\app\pppoeservice.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\MsgSys.EXE
C:\WINNT\Explorer.EXE
C:\PROGRA~1\PANICW~1\POP-UP~1\dpps2.exe
C:\WINNT\System32\spool\drivers\w32x86\3\hpztsb07.exe
C:\PROGRA~1\NETASS~1\SMARTB~1\MotiveSB.exe
C:\PROGRA~1\NORTON~1\vptray.exe
C:\PROGRA~1\PESTPA~1\PPControl.exe
C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe
C:\Program Files\NetAssistant\bin\mpbtn.exe
C:\Program Files\AboutBuster\AboutBuster.exe
C:\WINNT\system32\javaia32.exe
C:\WINNT\system32\apinu32.exe
C:\WINNT\system32\apinu32.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\system32\jfqhg.dll/sp.html#96676
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\system32\jfqhg.dll/sp.html#96676
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://jfqhg.dll/index.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://jfqhg.dll/index.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINNT\system32\jfqhg.dll/sp.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\system32\jfqhg.dll/sp.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\system32\jfqhg.dll/sp.html#96676
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://jfqhg.dll/index.html#96676
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\system32\jfqhg.dll/sp.html#96676
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\system32\jfqhg.dll/sp.html#96676
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {6881697D-FEE2-97E5-8C29-677E8AF0A992} - C:\WINNT\system32\d3py.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [Pop-Up Stopper] "C:\PROGRA~1\PANICW~1\POP-UP~1\dpps2.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\program files\quicktime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINNT\System32\spool\drivers\w32x86\3\hpztsb07.exe
O4 - HKLM\..\Run: [taskmanager] c:\windows\taskmgr.com
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\NETASS~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\NORTON~1\vptray.exe
O4 - HKLM\..\Run: [PestPatrol Control Center] C:\PROGRA~1\PESTPA~1\PPControl.exe
O4 - HKLM\..\Run: [PPMemCheck] C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
O4 - HKLM\..\Run: [CookiePatrol] C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe -osboot
O4 - HKLM\..\Run: [javaia32.exe] C:\WINNT\system32\javaia32.exe
O4 - HKLM\..\RunOnce: [apinu32.exe] C:\WINNT\system32\apinu32.exe
O4 - Global Startup: NetAssistant.lnk = C:\Program Files\NetAssistant\bin\matcli.exe

Here's the deal:

There's a hidden reloader. We can delete those entries as much as we'd like, but every time you re-launch an application, it will come back under a new name. currently the method of finding the reloader is pretty complex, and there's no easy way to communicate it over a forum post. It involves mounting the drive on a seperate machine and using logic and experience to identify which file is probably the reloader, and then manually deleting it. It is obviously not easy to do that over the forums.. I'm trying to think up a way to write a removal process into a guide.... Keep an eye on this thread.


:mean: Man this thing is BAD! :banghead: Thanks a lot for your help anyhow, I'm gonna keep trying, but I guess I've got to deal with it for now.....formatting is an option I've considered, but I don't think I can do that, I've got a lot of MP3s and schoolwork I can't get rid of.