01-20-2006, 11:02 AM   #45
stretched
Registered User
 
Join Date: Aug 2005
Posts: 115
OS: Windows XP


This is user account "Faizah"

WEBROOT SPYSWEEPER

********
9:10 PM: | Start of Session, Thursday, January 19, 2006 |
9:10 PM: Spy Sweeper started
9:10 PM: Sweep initiated using definitions version 602
9:10 PM: Starting Memory Sweep
9:14 PM: Memory Sweep Complete, Elapsed Time: 00:03:18
9:14 PM: Starting Registry Sweep
9:14 PM: Found Adware: websearch toolbar
9:14 PM: HKLM\software\toolbar\ (6 subtraces) (ID = 646240)
9:14 PM: HKU\WRSS_Profile_S-1-5-21-2034715575-3859179852-3284876818-1006\software\toolbar\ (2 subtraces) (ID = 146513)
9:14 PM: HKU\WRSS_Profile_S-1-5-21-2034715575-3859179852-3284876818-1006\software\toolbar\ (2 subtraces) (ID = 646239)
9:15 PM: Registry Sweep Complete, Elapsed Time:00:01:03
9:15 PM: Starting Cookie Sweep
9:15 PM: Found Spy Cookie: advertising cookie
9:15 PM: hehehe@advertising[2].txt (ID = 2175)
9:15 PM: Found Spy Cookie: centrport net cookie
9:15 PM: hehehe@centrport[1].txt (ID = 2374)
9:15 PM: Cookie Sweep Complete, Elapsed Time: 00:00:06
9:15 PM: Starting File Sweep
9:48 PM: File Sweep Complete, Elapsed Time: 00:33:20
9:48 PM: Full Sweep has completed. Elapsed time 00:37:59
9:48 PM: Traces Found: 15
9:52 PM: Removal process initiated
9:52 PM: Quarantining All Traces: websearch toolbar
9:52 PM: websearch toolbar is in use. It will be removed on reboot.
9:52 PM: HKLM: software\toolbar\ is in use. It will be removed on reboot.
9:52 PM: Quarantining All Traces: advertising cookie
9:52 PM: Quarantining All Traces: centrport net cookie
9:52 PM: Removal process completed. Elapsed time 00:00:20
********
4:20 PM: | Start of Session, Tuesday, January 17, 2006 |
4:20 PM: Spy Sweeper started
4:20 PM: Sweep initiated using definitions version 602
4:20 PM: Starting Memory Sweep
4:23 PM: Memory Sweep Complete, Elapsed Time: 00:03:11
4:23 PM: Starting Registry Sweep
4:24 PM: Found Adware: websearch toolbar
4:24 PM: HKLM\software\toolbar\ (6 subtraces) (ID = 646240)
4:24 PM: HKU\WRSS_Profile_S-1-5-21-2034715575-3859179852-3284876818-1006\software\toolbar\ (2 subtraces) (ID = 146513)
4:24 PM: HKU\WRSS_Profile_S-1-5-21-2034715575-3859179852-3284876818-1006\software\toolbar\ (2 subtraces) (ID = 646239)
4:24 PM: Registry Sweep Complete, Elapsed Time:00:01:00
4:24 PM: Starting Cookie Sweep
4:24 PM: Cookie Sweep Complete, Elapsed Time: 00:00:07
4:24 PM: Starting File Sweep
4:59 PM: File Sweep Complete, Elapsed Time: 00:34:20
4:59 PM: Full Sweep has completed. Elapsed time 00:38:28
4:59 PM: Traces Found: 13
5:49 PM: Removal process initiated
5:49 PM: Quarantining All Traces: websearch toolbar
5:49 PM: websearch toolbar is in use. It will be removed on reboot.
5:49 PM: HKLM: software\toolbar\ is in use. It will be removed on reboot.
5:49 PM: Removal process completed. Elapsed time 00:00:15
9:10 PM: Warning: Failed to register registry notification for "HKLM\Software\Microsoft\Windows\CurrentVersion\Run": Access is denied
9:10 PM: | End of Session, Thursday, January 19, 2006 |
********
4:19 PM: | Start of Session, Tuesday, January 17, 2006 |
4:19 PM: Spy Sweeper started
4:20 PM: Warning: Failed to register registry notification for "HKLM\Software\Microsoft\Windows\CurrentVersion\Run": Access is denied
4:20 PM: | End of Session, Tuesday, January 17, 2006 |


EWIDO IN SAFE MODE

---------------------------------------------------------
ewido anti-malware - Scan report
---------------------------------------------------------

+ Created on: 10:43:25 PM, 1/19/2006
+ Report-Checksum: 2D37C5D4

+ Scan result:

HKLM\SOFTWARE\Toolbar -> Spyware.WebSearch : Error during cleaning
HKLM\SOFTWARE\Toolbar\Downloads -> Spyware.WebSearch : Error during cleaning
HKLM\SOFTWARE\Toolbar\Files -> Spyware.WebSearch : Error during cleaning
HKLM\SOFTWARE\Toolbar\Install -> Spyware.WebSearch : Error during cleaning
HKLM\SOFTWARE\Toolbar\PlugIns -> Spyware.WebSearch : Error during cleaning
HKLM\SOFTWARE\Toolbar\Server -> Spyware.WebSearch : Error during cleaning
HKU\S-1-5-21-2034715575-3859179852-3284876818-1008\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{00A6FAF1-072E-44CF-8957-5838F569A31D} -> Spyware.MyWebSearch : Cleaned with backup
HKU\S-1-5-21-2034715575-3859179852-3284876818-1008\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{01F44A8A-8C97-4325-A378-76E68DC4AB2E} -> Spyware.IEPlugin : Cleaned with backup
HKU\S-1-5-21-2034715575-3859179852-3284876818-1008\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{339BB23F-A864-48C0-A59F-29EA915965EC} -> Spyware.HuntBar : Cleaned with backup
HKU\S-1-5-21-2034715575-3859179852-3284876818-1008\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{87766247-311C-43B4-8499-3D5FEC94A183} -> Spyware.HuntBar : Cleaned with backup
HKU\S-1-5-21-2034715575-3859179852-3284876818-1008\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{8952A998-1E7E-4716-B23D-3DBE03910972} -> Spyware.HuntBar : Cleaned with backup
HKU\S-1-5-21-2034715575-3859179852-3284876818-1008\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{8B0FA130-0C3D-4CB1-AEB7-2C29DA5509A3} -> Spyware.IBIS : Cleaned with backup
HKU\S-1-5-21-2034715575-3859179852-3284876818-1008\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{8DA5457F-A8AA-4CCF-A842-70E6FD274094} -> Spyware.HuntBar : Cleaned with backup
HKU\S-1-5-21-2034715575-3859179852-3284876818-1008\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{BFC9677B-8006-4336-9D49-2C797AEFCB9E} -> Dialer.Generic : Cleaned with backup
C:\Documents and Settings\hehehe\Cookies\hehehe@doubleclick[2].txt -> Spyware.Cookie.Doubleclick : Cleaned with backup
C:\Documents and Settings\hehehe\Cookies\hehehe@mediaplex[1].txt -> Spyware.Cookie.Mediaplex : Cleaned with backup


::Report End

KASPERSKY JUST NOW

-------------------------------------------------------------------------------
KASPERSKY ON-LINE SCANNER REPORT
Friday, January 20, 2006 11:55:53
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky On-line Scanner version: 5.0.67.0
Kaspersky Anti-Virus database last update: 20/01/2006
Kaspersky Anti-Virus database records: 172098
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\

Scan Statistics:
Total number of scanned objects: 77156
Number of viruses found: 0
Number of infected objects: 0
Number of suspicious objects: 0
Duration of the scan process: 3540 sec
No malware has been detected. The sections that have been scanned are CLEAN.

Scan process completed.

Now running HJT....

Logfile of HijackThis v1.99.1
Scan saved at 12:01:13 PM, on 1/20/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Dell Support\DSAgnt.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\America Online 9.0\waol.exe
C:\Program Files\America Online 9.0\shellmon.exe
C:\Program Files\America Online 9.0\aolwbspd.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: X1IEHook Class - {52706EF7-D7A2-49AD-A615-E903858CF284} - C:\Program Files\NetZero\qsacc\x1IEBHO.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: ZeroBar - {F5735C15-1FB2-41FE-BA12-242757E69DDE} - C:\Program Files\NetZero\toolbar.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKCU\..\Run: [E6TaskPanel] "C:\Program Files\EarthLink TotalAccess\TaskPanl.exe" -winstart
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [kagtolwq] c:\windows\system32\kagtolwq.exe kagtolwq
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: Display All Images with Full Quality - "res://C:\Program Files\NetZero\qsacc\appres.dll/228"
O8 - Extra context menu item: Display Image with Full Quality - "res://C:\Program Files\NetZero\qsacc\appres.dll/227"
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: MUSICMATCH MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .mid: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/downloads/k...an_unicode.cab
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Housecall ActiveX 6.5) - http://housecall65.trendmicro.com/ho...vex/hcImpl.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{56218849-857B-4B5B-9C85-8FDFB8882AD5}: NameServer = 205.188.146.145
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe


I ran Spy Sweeper last night, then ewido in safe mode before shutting down. Then today Ad-Aware, CWShredder, and Kaspersky.....