Home Search, Shopping Ass't, Popups...help please.
Hi guys,
My dad got a bunch of really nasty spyware on my computer this past weekend, and I've tried almost everything I could think of.
Adaware and SpyBot S&D don't work, and HijackThis catches the Registry Keys that redirect my homepage, search pages and 404 error pages to randomly-generated DLLs. Every time I delete one of these DLLs, a new one comes up.
Anyway, here are my logs...please help if you can, I've tried everything I can think of.
Logfile of HijackThis v1.98.1
Scan saved at 5:48:17 PM, on 04/08/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Norton AV\defwatch.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Norton AV\rtvscan.exe
C:\PROGRA~1\SYMPAT~1\ACCESS~1\app\pppoeservice.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\ipde.exe
C:\WINNT\system32\MsgSys.EXE
C:\WINNT\Explorer.EXE
C:\PROGRA~1\PANICW~1\POP-UP~1\dpps2.exe
C:\WINNT\System32\spool\drivers\w32x86\3\hpztsb07.exe
C:\PROGRA~1\NETASS~1\SMARTB~1\MotiveSB.exe
C:\PROGRA~1\NORTON~1\vptray.exe
C:\PROGRA~1\PESTPA~1\PPControl.exe
C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
C:\WINNT\d3rc32.exe
C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe
C:\Program Files\NetAssistant\bin\mpbtn.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\HijackThis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\xtsyq.dll/sp.html#96676
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://xtsyq.dll/index.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://xtsyq.dll/index.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINNT\xtsyq.dll/sp.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\xtsyq.dll/sp.html#96676
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://xtsyq.dll/index.html#96676
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {1A3F2126-C89C-8F9E-2C20-AF6AFEC46339} - C:\WINNT\system32\ieiq.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [Pop-Up Stopper] "C:\PROGRA~1\PANICW~1\POP-UP~1\dpps2.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\program files\quicktime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINNT\System32\spool\drivers\w32x86\3\hpztsb07.exe
O4 - HKLM\..\Run: [taskmanager] c:\windows\taskmgr.com
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\NETASS~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\NORTON~1\vptray.exe
O4 - HKLM\..\Run: [PestPatrol Control Center] C:\PROGRA~1\PESTPA~1\PPControl.exe
O4 - HKLM\..\Run: [PPMemCheck] C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
O4 - HKLM\..\Run: [CookiePatrol] C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
O4 - HKLM\..\Run: [d3rc32.exe] C:\WINNT\d3rc32.exe
O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe -osboot
O4 - Global Startup: NetAssistant.lnk = C:\Program Files\NetAssistant\bin\matcli.exe
Thanks a lot guys, I'd appreciate any help.
1) I'm guessing when you open Ad-Aware you click on 'start' and under 'Select Scan Mode' you use 'Perform smart system-scan'.
2) Well I'm going to say choose 'select drives/folders to scan' under 'Select Scan Mode' and choose drives C: and D: and then let Ad-Aware scan.
This should scan your whole hard drive. It may take a while depending on the speed and how many files you have on your computer. (for me it takes around 20-25 mins)
By doing this I cleared 150 Adware, Spyware from the C: and D: etc.
Sorry, I can't help you with your log...don't know what to remove.
Hope this helps in some way.
I've updated all the programs, but still nothing. It's driving me crazy.
There's a hidden reloader. We can delete those entries as much as we'd like, but every time you re-launch an application, it will come back under a new name. Currently the method of finding the reloader is pretty complex, and there's no easy way to communicate it over a forum post. It involves mounting the drive on a separate machine and using logic and experience to identify which file is probably the reloader, and then manually deleting it. It is obviously not easy to do that over the forums. I'm trying to think up a way to write a removal process into a guide.... Keep an eye on this thread.
Thanks, it seemed to help, but the damn thing is still around.
Here's the new log:
Logfile of HijackThis v1.98.1
Scan saved at 11:39:13 PM, on 04/08/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Norton AV\defwatch.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Norton AV\rtvscan.exe
C:\PROGRA~1\SYMPAT~1\ACCESS~1\app\pppoeservice.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\MsgSys.EXE
C:\WINNT\Explorer.EXE
C:\PROGRA~1\PANICW~1\POP-UP~1\dpps2.exe
C:\WINNT\System32\spool\drivers\w32x86\3\hpztsb07.exe
C:\PROGRA~1\NETASS~1\SMARTB~1\MotiveSB.exe
C:\PROGRA~1\NORTON~1\vptray.exe
C:\PROGRA~1\PESTPA~1\PPControl.exe
C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe
C:\Program Files\NetAssistant\bin\mpbtn.exe
C:\Program Files\AboutBuster\AboutBuster.exe
C:\WINNT\system32\javaia32.exe
C:\WINNT\system32\apinu32.exe
C:\WINNT\system32\apinu32.exe
C:\Program Files\HijackThis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\system32\jfqhg.dll/sp.html#96676
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\system32\jfqhg.dll/sp.html#96676
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://jfqhg.dll/index.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://jfqhg.dll/index.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINNT\system32\jfqhg.dll/sp.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\system32\jfqhg.dll/sp.html#96676
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\system32\jfqhg.dll/sp.html#96676
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = res://jfqhg.dll/index.html#96676
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\system32\jfqhg.dll/sp.html#96676
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\system32\jfqhg.dll/sp.html#96676
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {6881697D-FEE2-97E5-8C29-677E8AF0A992} - C:\WINNT\system32\d3py.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [Pop-Up Stopper] "C:\PROGRA~1\PANICW~1\POP-UP~1\dpps2.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\program files\quicktime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINNT\System32\spool\drivers\w32x86\3\hpztsb07.exe
O4 - HKLM\..\Run: [taskmanager] c:\windows\taskmgr.com
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\NETASS~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\NORTON~1\vptray.exe
O4 - HKLM\..\Run: [PestPatrol Control Center] C:\PROGRA~1\PESTPA~1\PPControl.exe
O4 - HKLM\..\Run: [PPMemCheck] C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
O4 - HKLM\..\Run: [CookiePatrol] C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe -osboot
O4 - HKLM\..\Run: [javaia32.exe] C:\WINNT\system32\javaia32.exe
O4 - HKLM\..\RunOnce: [apinu32.exe] C:\WINNT\system32\apinu32.exe
O4 - Global Startup: NetAssistant.lnk = C:\Program Files\NetAssistant\bin\matcli.exe
Man this thing is BAD! :banghead: Thanks a lot for your help anyhow, I'm gonna keep trying, but I guess I've got to deal with it for now.....formatting is an option I've considered, but I don't think I can do that, I've got a lot of MP3s and schoolwork I can't get rid of.
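The "comes back under a new name" behaviour described in this thread is visible when the two posted HijackThis logs are compared. The following is an added example, not part of any post and not HijackThis code: a small Python diff over excerpts of the two logs, with function names invented for illustration.

```python
import re
# Excerpts of the two HijackThis logs posted in this thread (first scan, later scan).
LOG_BEFORE = r"""
C:\WINNT\ipde.exe
C:\WINNT\d3rc32.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\xtsyq.dll/sp.html#96676
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://xtsyq.dll/index.html#96676
O2 - BHO: (no name) - {1A3F2126-C89C-8F9E-2C20-AF6AFEC46339} - C:\WINNT\system32\ieiq.dll
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\NORTON~1\vptray.exe
O4 - HKLM\..\Run: [d3rc32.exe] C:\WINNT\d3rc32.exe
"""
LOG_AFTER = r"""
C:\WINNT\system32\javaia32.exe
C:\WINNT\system32\apinu32.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINNT\system32\jfqhg.dll/sp.html#96676
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://jfqhg.dll/index.html#96676
O2 - BHO: (no name) - {6881697D-FEE2-97E5-8C29-677E8AF0A992} - C:\WINNT\system32\d3py.dll
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\NORTON~1\vptray.exe
O4 - HKLM\..\Run: [javaia32.exe] C:\WINNT\system32\javaia32.exe
O4 - HKLM\..\RunOnce: [apinu32.exe] C:\WINNT\system32\apinu32.exe
"""

ENTRY = re.compile(r"^([RO]\d+) - (.*)$")             # section code, entry text
RES_DLL = re.compile(r"res://(?:.*\\)?([^\\/]+\.dll)/", re.I)

def parse(log):
    """Return (running process paths, {section code: set of entry texts})."""
    procs, entries = set(), {}
    for line in map(str.strip, log.splitlines()):
        m = ENTRY.match(line)
        if m:
            entries.setdefault(m.group(1), set()).add(m.group(2))
        elif re.match(r"[A-Za-z]:\\", line):          # bare path = process line
            procs.add(line.lower())
    return procs, entries

def res_dlls(entries):
    """DLL names that IE start/search pages (R0/R1) point at via res://."""
    texts = entries.get("R0", set()) | entries.get("R1", set())
    return {m.group(1).lower() for t in texts for m in [RES_DLL.search(t)] if m}

def churn(before, after):
    """Return {category: (only_in_before, only_in_after)} for what changed."""
    (p0, e0), (p1, e1) = parse(before), parse(after)
    views = {"processes": (p0, p1), "res_dll": (res_dlls(e0), res_dlls(e1)),
             "O2": (e0.get("O2", set()), e1.get("O2", set())),
             "O4": (e0.get("O4", set()), e1.get("O4", set()))}
    return {k: (a - b, b - a) for k, (a, b) in views.items() if a != b}
```

Calling `churn(LOG_BEFORE, LOG_AFTER)` keeps only what differs between scans; the unchanged `vptray` Run entry drops out, leaving the rotated res:// DLL, BHO, Run entries and processes to examine.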