Multiple pop-ups on multiple user system

[stretched]

Having troubles logging in here with this account, keeps making me put my password with every page and I am selecting remember me....

This is user account: "manny"

---------------------------------------------------------
ewido anti-malware - Scan report
---------------------------------------------------------

+ Created on: 11:31:40 AM, 1/19/2006
+ Report-Checksum: 1A39040

+ Scan result:

HKLM\SOFTWARE\Toolbar -> Spyware.WebSearch : Error during cleaning
HKLM\SOFTWARE\Toolbar\Downloads -> Spyware.WebSearch : Error during cleaning
HKLM\SOFTWARE\Toolbar\Files -> Spyware.WebSearch : Error during cleaning
HKLM\SOFTWARE\Toolbar\Install -> Spyware.WebSearch : Error during cleaning
HKLM\SOFTWARE\Toolbar\PlugIns -> Spyware.WebSearch : Error during cleaning
HKLM\SOFTWARE\Toolbar\Server -> Spyware.WebSearch : Error during cleaning


::Report End

Webroot Spysweeper LOG

********
11:35 AM: | Start of Session, Thursday, January 19, 2006 |
11:35 AM: Spy Sweeper started
11:35 AM: Sweep initiated using definitions version 602
11:35 AM: Starting Memory Sweep
11:38 AM: Memory Sweep Complete, Elapsed Time: 00:03:20
11:38 AM: Starting Registry Sweep
11:38 AM: Found Adware: websearch toolbar
11:38 AM: HKLM\software\toolbar\ (6 subtraces) (ID = 646240)
11:39 AM: HKU\WRSS_Profile_S-1-5-21-2034715575-3859179852-3284876818-1006\software\toolbar\ (2 subtraces) (ID = 146513)
11:39 AM: HKU\WRSS_Profile_S-1-5-21-2034715575-3859179852-3284876818-1006\software\toolbar\ (2 subtraces) (ID = 646239)
11:39 AM: Registry Sweep Complete, Elapsed Time:00:01:05
11:39 AM: Starting Cookie Sweep
11:39 AM: Found Spy Cookie: pointroll cookie
11:39 AM: hehehe@ads.pointroll[1].txt (ID = 3148)
11:39 AM: Found Spy Cookie: advertising cookie
11:39 AM: hehehe@advertising[1].txt (ID = 2175)
11:39 AM: Found Spy Cookie: ask cookie
11:39 AM: hehehe@ask[1].txt (ID = 2245)
11:39 AM: Found Spy Cookie: atlas dmt cookie
11:39 AM: hehehe@atdmt[2].txt (ID = 2253)
11:39 AM: Found Spy Cookie: centrport net cookie
11:39 AM: hehehe@centrport[1].txt (ID = 2374)
11:39 AM: Found Spy Cookie: questionmarket cookie
11:39 AM: hehehe@questionmarket[1].txt (ID = 3217)
11:39 AM: Found Spy Cookie: tribalfusion cookie
11:39 AM: hehehe@tribalfusion[1].txt (ID = 3589)
11:39 AM: zakariya@ads.pointroll[2].txt (ID = 3148)
11:39 AM: zakariya@atdmt[1].txt (ID = 2253)
11:39 AM: zakariya@centrport[1].txt (ID = 2374)
11:39 AM: zakariya@tribalfusion[2].txt (ID = 3589)
11:39 AM: Cookie Sweep Complete, Elapsed Time: 00:00:08
11:39 AM: Starting File Sweep
12:12 PM: File Sweep Complete, Elapsed Time: 00:33:09
12:13 PM: Full Sweep has completed. Elapsed time 00:37:54
12:13 PM: Traces Found: 24
12:17 PM: Removal process initiated
12:17 PM: Quarantining All Traces: websearch toolbar
12:17 PM: websearch toolbar is in use. It will be removed on reboot.
12:17 PM: HKLM: software\toolbar\ is in use. It will be removed on reboot.
12:17 PM: Quarantining All Traces: advertising cookie
12:17 PM: Quarantining All Traces: ask cookie
12:17 PM: Quarantining All Traces: atlas dmt cookie
12:17 PM: Quarantining All Traces: centrport net cookie
12:17 PM: Quarantining All Traces: pointroll cookie
12:17 PM: Quarantining All Traces: questionmarket cookie
12:17 PM: Quarantining All Traces: tribalfusion cookie
12:17 PM: Removal process completed. Elapsed time 00:00:19
********
12:49 PM: | Start of Session, Tuesday, January 17, 2006 |
12:49 PM: Spy Sweeper started
12:49 PM: Sweep initiated using definitions version 602
12:49 PM: Starting Memory Sweep
12:52 PM: Memory Sweep Complete, Elapsed Time: 00:02:58
12:52 PM: Starting Registry Sweep
12:53 PM: Found Adware: websearch toolbar
12:53 PM: HKLM\software\toolbar\ (6 subtraces) (ID = 646240)
12:53 PM: HKU\WRSS_Profile_S-1-5-21-2034715575-3859179852-3284876818-1006\software\toolbar\ (2 subtraces) (ID = 146513)
12:53 PM: HKU\WRSS_Profile_S-1-5-21-2034715575-3859179852-3284876818-1006\software\toolbar\ (2 subtraces) (ID = 646239)
12:53 PM: Registry Sweep Complete, Elapsed Time:00:01:04
12:53 PM: Starting Cookie Sweep
12:53 PM: Cookie Sweep Complete, Elapsed Time: 00:00:07
12:54 PM: Starting File Sweep
1:30 PM: File Sweep Complete, Elapsed Time: 00:36:18
1:30 PM: Full Sweep has completed. Elapsed time 00:40:36
1:30 PM: Traces Found: 13
1:33 PM: Removal process initiated
1:34 PM: Quarantining All Traces: websearch toolbar
1:34 PM: websearch toolbar is in use. It will be removed on reboot.
1:34 PM: HKLM: software\toolbar\ is in use. It will be removed on reboot.
1:34 PM: Removal process completed. Elapsed time 00:00:21
1:47 PM: IE Security Shield: found: C:\PROGRAM FILES\SPYBOT - SEARCH & DESTROY\SPYBOTSD.EXE -- IE Security modification allowed at user request
11:34 AM: Warning: Failed to register registry notification for "HKLM\Software\Microsoft\Windows\CurrentVersion\Run": Access is denied
11:35 AM: | End of Session, Thursday, January 19, 2006 |
********
12:47 PM: | Start of Session, Tuesday, January 17, 2006 |
12:47 PM: Spy Sweeper started
12:48 PM: Warning: Failed to register registry notification for "HKLM\Software\Microsoft\Windows\CurrentVersion\Run": Access is denied
12:49 PM: | End of Session, Tuesday, January 17, 2006 |
****************************************

Logfile of HijackThis v1.99.1
Scan saved at 12:20:01 PM, on 1/19/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\Explorer.EXE
C:\Program Files\Dell Support\DSAgnt.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\America Online 9.0\aoltray.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/myway
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.activision.com/spider-man
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: X1IEHook Class - {52706EF7-D7A2-49AD-A615-E903858CF284} - C:\Program Files\NetZero\qsacc\x1IEBHO.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: ZeroBar - {F5735C15-1FB2-41FE-BA12-242757E69DDE} - C:\Program Files\NetZero\toolbar.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: MUSICMATCH MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .mid: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/downloads/k...an_unicode.cab
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Housecall ActiveX 6.5) - http://housecall65.trendmicro.com/ho...vex/hcImpl.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe


YES that last post was about rocky account, and thank you very much for all the toiling...

[tetonbob]

Out of curiousity, are you running Ewido in safe mode? If not, next user account, do so. Ewido should be able to remove the websearch toolbar. SpySweeper is getting it though.

It appears as though this HJT log was taken from safe mode due to the lack of running processes. I'm not too concerned, as this looks like we've cleaned it fairly well, but be sure all HJT logs are taken from normal mode, please.

Fix these with HJT:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/myway
R3 - Default URLSearchHook is missing

I don't think Kaspersky will find anything.....as we've banged on this system pretty well, and it's scan is global in nature (all acounts). However, let's run it on this account. If this one is clean, we can move more rapidly on your last 2 accounts (I think that's what's left, right?)

Post a new HJT log for manny, and any Kaspersky results.

[stretched]

you asked about was I running ewido in safe mode i was not, i will. also i did not run the last hjt check and fix in safe mode.

then i deleted those items you said, but when i came back on line one of the dell myway's was on there again, maybe i missed it. i fixed it again. I ran the kapersky scan and it says it did not find anything.

Here is the newest log and all of this is for "manny" account:

Logfile of HijackThis v1.99.1
Scan saved at 8:54:49 PM, on 1/19/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\Explorer.EXE
C:\Program Files\Dell Support\DSAgnt.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\America Online 9.0\aoltray.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\PROGRA~1\AMERIC~1.0\waol.exe
C:\PROGRA~1\AMERIC~1.0\shellmon.exe
C:\PROGRA~1\AMERIC~1.0\aolwbspd.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.activision.com/spider-man
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: X1IEHook Class - {52706EF7-D7A2-49AD-A615-E903858CF284} - C:\Program Files\NetZero\qsacc\x1IEBHO.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: ZeroBar - {F5735C15-1FB2-41FE-BA12-242757E69DDE} - C:\Program Files\NetZero\toolbar.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: MUSICMATCH MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .mid: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/downloads/k...an_unicode.cab
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Housecall ActiveX 6.5) - http://housecall65.trendmicro.com/ho...vex/hcImpl.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{56218849-857B-4B5B-9C85-8FDFB8882AD5}: NameServer = 205.188.146.145
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

You asked about how may accounts were left, you suggested two, but there are 8 altogether, and from what I see right now that means there are three left.

In any case, I will run the cleaners again on "faizah" which I had posted logs from in the very beginning, I sometimes used that and sometimes: "mommy" and sometimes when I booted in safe mode just "administrator" bla bla bla yuk.

So now that we got through the other ones, I will go on that one again and re-run everything, and post a log according to your instructions before about what to do with each account, unless you post otherwise about this one "manny."

[tetonbob]

Oh, crappo....I just now noticed you switched back and forth early on. I had thought we were cleaning mommy at the beginning.

Quote:

Originally Posted by tetonbob

Ok, so Mommy is the account we were working on all this time...right? It looks good to me.

manny is clean. zak is clean. Guest is clean. mommy is clean. Rocky is clean.

That leaves three to go, including Faizah.

Since Faizah was infected, and I don't think we finalised it, let's look at that once more. Run Ewido, SpySweeper, Kaspersky, then give me a HJT log for Faizah.

[stretched]

This is user account "Faizah"

WEBROOT SPYSWEEPER

********
9:10 PM: | Start of Session, Thursday, January 19, 2006 |
9:10 PM: Spy Sweeper started
9:10 PM: Sweep initiated using definitions version 602
9:10 PM: Starting Memory Sweep
9:14 PM: Memory Sweep Complete, Elapsed Time: 00:03:18
9:14 PM: Starting Registry Sweep
9:14 PM: Found Adware: websearch toolbar
9:14 PM: HKLM\software\toolbar\ (6 subtraces) (ID = 646240)
9:14 PM: HKU\WRSS_Profile_S-1-5-21-2034715575-3859179852-3284876818-1006\software\toolbar\ (2 subtraces) (ID = 146513)
9:14 PM: HKU\WRSS_Profile_S-1-5-21-2034715575-3859179852-3284876818-1006\software\toolbar\ (2 subtraces) (ID = 646239)
9:15 PM: Registry Sweep Complete, Elapsed Time:00:01:03
9:15 PM: Starting Cookie Sweep
9:15 PM: Found Spy Cookie: advertising cookie
9:15 PM: hehehe@advertising[2].txt (ID = 2175)
9:15 PM: Found Spy Cookie: centrport net cookie
9:15 PM: hehehe@centrport[1].txt (ID = 2374)
9:15 PM: Cookie Sweep Complete, Elapsed Time: 00:00:06
9:15 PM: Starting File Sweep
9:48 PM: File Sweep Complete, Elapsed Time: 00:33:20
9:48 PM: Full Sweep has completed. Elapsed time 00:37:59
9:48 PM: Traces Found: 15
9:52 PM: Removal process initiated
9:52 PM: Quarantining All Traces: websearch toolbar
9:52 PM: websearch toolbar is in use. It will be removed on reboot.
9:52 PM: HKLM: software\toolbar\ is in use. It will be removed on reboot.
9:52 PM: Quarantining All Traces: advertising cookie
9:52 PM: Quarantining All Traces: centrport net cookie
9:52 PM: Removal process completed. Elapsed time 00:00:20
********
4:20 PM: | Start of Session, Tuesday, January 17, 2006 |
4:20 PM: Spy Sweeper started
4:20 PM: Sweep initiated using definitions version 602
4:20 PM: Starting Memory Sweep
4:23 PM: Memory Sweep Complete, Elapsed Time: 00:03:11
4:23 PM: Starting Registry Sweep
4:24 PM: Found Adware: websearch toolbar
4:24 PM: HKLM\software\toolbar\ (6 subtraces) (ID = 646240)
4:24 PM: HKU\WRSS_Profile_S-1-5-21-2034715575-3859179852-3284876818-1006\software\toolbar\ (2 subtraces) (ID = 146513)
4:24 PM: HKU\WRSS_Profile_S-1-5-21-2034715575-3859179852-3284876818-1006\software\toolbar\ (2 subtraces) (ID = 646239)
4:24 PM: Registry Sweep Complete, Elapsed Time:00:01:00
4:24 PM: Starting Cookie Sweep
4:24 PM: Cookie Sweep Complete, Elapsed Time: 00:00:07
4:24 PM: Starting File Sweep
4:59 PM: File Sweep Complete, Elapsed Time: 00:34:20
4:59 PM: Full Sweep has completed. Elapsed time 00:38:28
4:59 PM: Traces Found: 13
5:49 PM: Removal process initiated
5:49 PM: Quarantining All Traces: websearch toolbar
5:49 PM: websearch toolbar is in use. It will be removed on reboot.
5:49 PM: HKLM: software\toolbar\ is in use. It will be removed on reboot.
5:49 PM: Removal process completed. Elapsed time 00:00:15
9:10 PM: Warning: Failed to register registry notification for "HKLM\Software\Microsoft\Windows\CurrentVersion\Run": Access is denied
9:10 PM: | End of Session, Thursday, January 19, 2006 |
********
4:19 PM: | Start of Session, Tuesday, January 17, 2006 |
4:19 PM: Spy Sweeper started
4:20 PM: Warning: Failed to register registry notification for "HKLM\Software\Microsoft\Windows\CurrentVersion\Run": Access is denied
4:20 PM: | End of Session, Tuesday, January 17, 2006 |


EWIDO IN SAFE MODE

---------------------------------------------------------
ewido anti-malware - Scan report
---------------------------------------------------------

+ Created on: 10:43:25 PM, 1/19/2006
+ Report-Checksum: 2D37C5D4

+ Scan result:

HKLM\SOFTWARE\Toolbar -> Spyware.WebSearch : Error during cleaning
HKLM\SOFTWARE\Toolbar\Downloads -> Spyware.WebSearch : Error during cleaning
HKLM\SOFTWARE\Toolbar\Files -> Spyware.WebSearch : Error during cleaning
HKLM\SOFTWARE\Toolbar\Install -> Spyware.WebSearch : Error during cleaning
HKLM\SOFTWARE\Toolbar\PlugIns -> Spyware.WebSearch : Error during cleaning
HKLM\SOFTWARE\Toolbar\Server -> Spyware.WebSearch : Error during cleaning
HKU\S-1-5-21-2034715575-3859179852-3284876818-1008\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{00A6FAF1-072E-44CF-8957-5838F569A31D} -> Spyware.MyWebSearch : Cleaned with backup
HKU\S-1-5-21-2034715575-3859179852-3284876818-1008\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{01F44A8A-8C97-4325-A378-76E68DC4AB2E} -> Spyware.IEPlugin : Cleaned with backup
HKU\S-1-5-21-2034715575-3859179852-3284876818-1008\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{339BB23F-A864-48C0-A59F-29EA915965EC} -> Spyware.HuntBar : Cleaned with backup
HKU\S-1-5-21-2034715575-3859179852-3284876818-1008\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{87766247-311C-43B4-8499-3D5FEC94A183} -> Spyware.HuntBar : Cleaned with backup
HKU\S-1-5-21-2034715575-3859179852-3284876818-1008\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{8952A998-1E7E-4716-B23D-3DBE03910972} -> Spyware.HuntBar : Cleaned with backup
HKU\S-1-5-21-2034715575-3859179852-3284876818-1008\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{8B0FA130-0C3D-4CB1-AEB7-2C29DA5509A3} -> Spyware.IBIS : Cleaned with backup
HKU\S-1-5-21-2034715575-3859179852-3284876818-1008\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{8DA5457F-A8AA-4CCF-A842-70E6FD274094} -> Spyware.HuntBar : Cleaned with backup
HKU\S-1-5-21-2034715575-3859179852-3284876818-1008\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{BFC9677B-8006-4336-9D49-2C797AEFCB9E} -> Dialer.Generic : Cleaned with backup
C:\Documents and Settings\hehehe\Cookies\hehehe@doubleclick[2].txt -> Spyware.Cookie.Doubleclick : Cleaned with backup
C:\Documents and Settings\hehehe\Cookies\hehehe@mediaplex[1].txt -> Spyware.Cookie.Mediaplex : Cleaned with backup


::Report End

KAPERSKY JUST NOW

-------------------------------------------------------------------------------
KASPERSKY ON-LINE SCANNER REPORT
Friday, January 20, 2006 11:55:53
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky On-line Scanner version: 5.0.67.0
Kaspersky Anti-Virus database last update: 20/01/2006
Kaspersky Anti-Virus database records: 172098
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\

Scan Statistics:
Total number of scanned objects: 77156
Number of viruses found: 0
Number of infected objects: 0
Number of suspicious objects: 0
Duration of the scan process: 3540 sec
No malware has been detected. The sections that have been scanned are CLEAN.

Scan process completed.

now running HJT....

Logfile of HijackThis v1.99.1
Scan saved at 12:01:13 PM, on 1/20/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Dell Support\DSAgnt.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\America Online 9.0\waol.exe
C:\Program Files\America Online 9.0\shellmon.exe
C:\Program Files\America Online 9.0\aolwbspd.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: X1IEHook Class - {52706EF7-D7A2-49AD-A615-E903858CF284} - C:\Program Files\NetZero\qsacc\x1IEBHO.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: ZeroBar - {F5735C15-1FB2-41FE-BA12-242757E69DDE} - C:\Program Files\NetZero\toolbar.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKCU\..\Run: [E6TaskPanel] "C:\Program Files\EarthLink TotalAccess\TaskPanl.exe" -winstart
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [kagtolwq] c:\windows\system32\kagtolwq.exe kagtolwq
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: Display All Images with Full Quality - "res://C:\Program Files\NetZero\qsacc\appres.dll/228"
O8 - Extra context menu item: Display Image with Full Quality - "res://C:\Program Files\NetZero\qsacc\appres.dll/227"
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: MUSICMATCH MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .mid: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/downloads/k...an_unicode.cab
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Housecall ActiveX 6.5) - http://housecall65.trendmicro.com/ho...vex/hcImpl.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{56218849-857B-4B5B-9C85-8FDFB8882AD5}: NameServer = 205.188.146.145
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe


I ran the spysweeper last night, then ewido in safe mode before shutting down. Then today adaware, cwshredder, and kapersky.....

[tetonbob]

Fix these with HJT:

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R3 - Default URLSearchHook is missing
O4 - HKCU\..\Run: [kagtolwq] c:\windows\system32\kagtolwq.exe kagtolwq

Search for and delete this file if it exists:

c:\windows\system32\kagtolwq.exe

If it resists, boot to safe mode and delete from there. I don't think you'll find this file, but please let me know if it was present.

Post a new HJT log for Faizah, along with a set of logs for the next user account. I don't think Kaspersky will be required. The last 3 account scans have been clean and they are global in nature. So, SpySweeper, Ewido and HJT log, please.

[stretched]

Ok, im in faizah now, have to come back with the logs for the next here is the new HJT after those fixes in your last message:

Logfile of HijackThis v1.99.1
Scan saved at 3:52:25 PM, on 1/20/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Dell Support\DSAgnt.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\HJT\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: X1IEHook Class - {52706EF7-D7A2-49AD-A615-E903858CF284} - C:\Program Files\NetZero\qsacc\x1IEBHO.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: ZeroBar - {F5735C15-1FB2-41FE-BA12-242757E69DDE} - C:\Program Files\NetZero\toolbar.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKCU\..\Run: [E6TaskPanel] "C:\Program Files\EarthLink TotalAccess\TaskPanl.exe" -winstart
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: Display All Images with Full Quality - "res://C:\Program Files\NetZero\qsacc\appres.dll/228"
O8 - Extra context menu item: Display Image with Full Quality - "res://C:\Program Files\NetZero\qsacc\appres.dll/227"
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: MUSICMATCH MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .mid: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/downloads/k...an_unicode.cab
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Housecall ActiveX 6.5) - http://housecall65.trendmicro.com/ho...vex/hcImpl.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

going and coming back....

[stretched]

OK SEE ABOVE POST FOR NEW FAIZAH HJT LOG REQUESTED/

These are the logs for the account:

"Fifiers"

SPYSWEEPER LOG

********
12:08 PM: | Start of Session, Friday, January 20, 2006 |
12:08 PM: Spy Sweeper started
12:08 PM: Sweep initiated using definitions version 602
12:08 PM: Starting Memory Sweep
12:12 PM: Memory Sweep Complete, Elapsed Time: 00:03:29
12:12 PM: Starting Registry Sweep
12:12 PM: Found Adware: websearch toolbar
12:12 PM: HKLM\software\toolbar\ (6 subtraces) (ID = 646240)
12:13 PM: HKU\WRSS_Profile_S-1-5-21-2034715575-3859179852-3284876818-1006\software\toolbar\ (2 subtraces) (ID = 146513)
12:13 PM: HKU\WRSS_Profile_S-1-5-21-2034715575-3859179852-3284876818-1006\software\toolbar\ (2 subtraces) (ID = 646239)
12:13 PM: Registry Sweep Complete, Elapsed Time:00:01:08
12:13 PM: Starting Cookie Sweep
12:13 PM: Cookie Sweep Complete, Elapsed Time: 00:00:07
12:13 PM: Starting File Sweep
12:48 PM: File Sweep Complete, Elapsed Time: 00:34:14
12:48 PM: Full Sweep has completed. Elapsed time 00:39:13
12:48 PM: Traces Found: 13
12:53 PM: Removal process initiated
12:53 PM: Quarantining All Traces: websearch toolbar
12:53 PM: websearch toolbar is in use. It will be removed on reboot.
12:53 PM: HKLM: software\toolbar\ is in use. It will be removed on reboot.
12:53 PM: Removal process completed. Elapsed time 00:00:17
********
12:08 PM: | Start of Session, Friday, January 20, 2006 |
12:08 PM: Spy Sweeper started
12:08 PM: Warning: Failed to register registry notification for "HKLM\Software\Microsoft\Windows\CurrentVersion\Run": Access is denied
12:08 PM: | End of Session, Friday, January 20, 2006 |


Also already ran this:

---------------------------------------------------------
ewido anti-malware - Scan report
---------------------------------------------------------

+ Created on: 1:55:44 PM, 1/20/2006
+ Report-Checksum: 2AA7E10A

+ Scan result:

HKLM\SOFTWARE\Toolbar -> Spyware.WebSearch : Error during cleaning
HKLM\SOFTWARE\Toolbar\Downloads -> Spyware.WebSearch : Error during cleaning
HKLM\SOFTWARE\Toolbar\Files -> Spyware.WebSearch : Error during cleaning
HKLM\SOFTWARE\Toolbar\Install -> Spyware.WebSearch : Error during cleaning
HKLM\SOFTWARE\Toolbar\PlugIns -> Spyware.WebSearch : Error during cleaning
HKLM\SOFTWARE\Toolbar\Server -> Spyware.WebSearch : Error during cleaning
HKU\S-1-5-21-2034715575-3859179852-3284876818-1009\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{00A6FAF1-072E-44CF-8957-5838F569A31D} -> Spyware.MyWebSearch : Cleaned with backup
HKU\S-1-5-21-2034715575-3859179852-3284876818-1009\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{339BB23F-A864-48C0-A59F-29EA915965EC} -> Spyware.HuntBar : Cleaned with backup
HKU\S-1-5-21-2034715575-3859179852-3284876818-1009\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{87766247-311C-43B4-8499-3D5FEC94A183} -> Spyware.HuntBar : Cleaned with backup
HKU\S-1-5-21-2034715575-3859179852-3284876818-1009\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{8952A998-1E7E-4716-B23D-3DBE03910972} -> Spyware.HuntBar : Cleaned with backup
HKU\S-1-5-21-2034715575-3859179852-3284876818-1009\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{8DA5457F-A8AA-4CCF-A842-70E6FD274094} -> Spyware.HuntBar : Cleaned with backup
HKU\S-1-5-21-2034715575-3859179852-3284876818-1009\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{BFC9677B-8006-4336-9D49-2C797AEFCB9E} -> Dialer.Generic : Cleaned with backup
C:\Documents and Settings\Safiyah\Application Data\Earthlink\6.0\wild-e-96@earthlink.net\Cookies\safiyah@bridgetrack[1].txt -> Spyware.Cookie.Bridgetrack : Cleaned with backup
C:\Documents and Settings\Safiyah\Application Data\Earthlink\6.0\wild-e-96@earthlink.net\Cookies\safiyah@com[2].txt -> Spyware.Cookie.Com : Cleaned with backup
C:\Documents and Settings\Safiyah\Application Data\Earthlink\6.0\wild-e-96@earthlink.net\Cookies\safiyah@e-2dj6wfkywmdjeap.stats.esomniture[2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Safiyah\Application Data\Earthlink\6.0\wild-e-96@earthlink.net\Cookies\safiyah@e-2dj6wfl4uidpikp.stats.esomniture[2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Safiyah\Application Data\Earthlink\6.0\wild-e-96@earthlink.net\Cookies\safiyah@gde.adocean[2].txt -> Spyware.Cookie.Adocean : Cleaned with backup
C:\Documents and Settings\Safiyah\Application Data\Earthlink\6.0\wild-e-96@earthlink.net\Cookies\safiyah@sales.liveperson[2].txt -> Spyware.Cookie.Liveperson : Cleaned with backup
C:\Documents and Settings\Safiyah\Local Settings\Temporary Internet Files\Content.IE5\2RA92POL\mm[2].js -> Spyware.Chitika : Cleaned with backup


::Report End

Here is the newest HJT LOG

Logfile of HijackThis v1.99.1
Scan saved at 4:04:49 PM, on 1/20/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://start.earthlink.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.earthlink.net/partner/mor...on/search.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://start.earthlink.net
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: X1IEHook Class - {52706EF7-D7A2-49AD-A615-E903858CF284} - C:\Program Files\NetZero\qsacc\x1IEBHO.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: ZeroBar - {F5735C15-1FB2-41FE-BA12-242757E69DDE} - C:\Program Files\NetZero\toolbar.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [E6TaskPanel] "C:\Program Files\EarthLink TotalAccess\TaskPanl.exe" -winstart
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [zbvugea] c:\windows\system32\zbvugea.exe zbvugea
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: MUSICMATCH MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .mid: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/downloads/k...an_unicode.cab
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Housecall ActiveX 6.5) - http://housecall65.trendmicro.com/ho...vex/hcImpl.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe



::Report End

OK that is it for those programs for "Fifiers" user account.....

[tetonbob]

Was this file present in faizah?

c:\windows\system32\kagtolwq.exe

faizah is clean.

For Fifiers:

Fix these with HJT:

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
O4 - HKCU\..\Run: [zbvugea] c:\windows\system32\zbvugea.exe zbvugea

Delete this file if present (let me know if it was or was not present):

c:\windows\system32\zbvugea.exe

If it resists deletion, boot to safe mode and delete from there.

Post a new HJT log for Fifiers, and new logs for the next user account. I've lost track again....how many left? One or two?

We may want to look at the Uninstall lists for these accounts as well.....If there are any of those random lettered 'programs' like there were in mommy listed in any account, either attempt to uninstall from Add/Remove, or use HJT to remove it from the list using the previous instructions.

In general how is the system behaving?

[stretched]

I did fix that letter file in faizah with HJT

and the others in Fifiers

Here is the lasted HJT log for Fifers:

Logfile of HijackThis v1.99.1
Scan saved at 10:49:55 AM, on 1/21/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://start.earthlink.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.earthlink.net/partner/mor...on/search.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://start.earthlink.net
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: X1IEHook Class - {52706EF7-D7A2-49AD-A615-E903858CF284} - C:\Program Files\NetZero\qsacc\x1IEBHO.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: ZeroBar - {F5735C15-1FB2-41FE-BA12-242757E69DDE} - C:\Program Files\NetZero\toolbar.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [E6TaskPanel] "C:\Program Files\EarthLink TotalAccess\TaskPanl.exe" -winstart
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: MUSICMATCH MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .mid: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/downloads/k...an_unicode.cab
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Housecall ActiveX 6.5) - http://housecall65.trendmicro.com/ho...vex/hcImpl.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

There is one account left I will start the cleaners on that....
Regarding how its running now, there have been no pop ups for a long time now, ever since we started getting some of it done...so it looks good so far.

[stretched]

Ok here is the final account, and lets just call its name "final"

First I ran ccleaner. Then cwshredder, which did not find and cws, then Spysweeper:

********
11:11 AM: | Start of Session, Saturday, January 21, 2006 |
11:11 AM: Spy Sweeper started
11:11 AM: Sweep initiated using definitions version 602
11:11 AM: Starting Memory Sweep
11:13 AM: Memory Sweep Complete, Elapsed Time: 00:02:52
11:13 AM: Starting Registry Sweep
11:14 AM: Found Adware: websearch toolbar
11:14 AM: HKLM\software\toolbar\ (6 subtraces) (ID = 646240)
11:14 AM: HKU\WRSS_Profile_S-1-5-21-2034715575-3859179852-3284876818-1006\software\toolbar\ (2 subtraces) (ID = 146513)
11:14 AM: HKU\WRSS_Profile_S-1-5-21-2034715575-3859179852-3284876818-1006\software\toolbar\ (2 subtraces) (ID = 646239)
11:15 AM: Registry Sweep Complete, Elapsed Time:00:01:07
11:15 AM: Starting Cookie Sweep
11:15 AM: Found Spy Cookie: 2o7.net cookie
11:15 AM: safiyah@2o7[1].txt (ID = 1957)
11:15 AM: Found Spy Cookie: pointroll cookie
11:15 AM: safiyah@ads.pointroll[2].txt (ID = 3148)
11:15 AM: Found Spy Cookie: ask cookie
11:15 AM: safiyah@ask[1].txt (ID = 2245)
11:15 AM: Found Spy Cookie: atlas dmt cookie
11:15 AM: safiyah@atdmt[2].txt (ID = 2253)
11:15 AM: Found Spy Cookie: questionmarket cookie
11:15 AM: safiyah@questionmarket[1].txt (ID = 3217)
11:15 AM: Found Spy Cookie: tribalfusion cookie
11:15 AM: safiyah@tribalfusion[1].txt (ID = 3589)
11:15 AM: Cookie Sweep Complete, Elapsed Time: 00:00:07
11:15 AM: Starting File Sweep
11:45 AM: File Sweep Complete, Elapsed Time: 00:30:35
11:45 AM: Full Sweep has completed. Elapsed time 00:34:54
11:45 AM: Traces Found: 19
11:50 AM: Removal process initiated
11:50 AM: Quarantining All Traces: websearch toolbar
11:50 AM: websearch toolbar is in use. It will be removed on reboot.
11:50 AM: HKLM: software\toolbar\ is in use. It will be removed on reboot.
11:50 AM: Quarantining All Traces: 2o7.net cookie
11:50 AM: Quarantining All Traces: ask cookie
11:50 AM: Quarantining All Traces: atlas dmt cookie
11:50 AM: Quarantining All Traces: pointroll cookie
11:50 AM: Quarantining All Traces: questionmarket cookie
11:50 AM: Quarantining All Traces: tribalfusion cookie
11:50 AM: Removal process completed. Elapsed time 00:00:25
********
11:10 AM: | Start of Session, Saturday, January 21, 2006 |
11:10 AM: Spy Sweeper started
11:10 AM: Warning: Failed to register registry notification for "HKLM\Software\Microsoft\Windows\CurrentVersion\Run": Access is denied
11:11 AM: | End of Session, Saturday, January 21, 2006 |

Then, IN SAFE MODE, Ewido:

---------------------------------------------------------
ewido anti-malware - Scan report
---------------------------------------------------------

+ Created on: 2:50:48 PM, 1/21/2006
+ Report-Checksum: 9A94FCEE

+ Scan result:

HKLM\SOFTWARE\Toolbar -> Spyware.WebSearch : Error during cleaning
HKLM\SOFTWARE\Toolbar\Downloads -> Spyware.WebSearch : Error during cleaning
HKLM\SOFTWARE\Toolbar\Files -> Spyware.WebSearch : Error during cleaning
HKLM\SOFTWARE\Toolbar\Install -> Spyware.WebSearch : Error during cleaning
HKLM\SOFTWARE\Toolbar\PlugIns -> Spyware.WebSearch : Error during cleaning
HKLM\SOFTWARE\Toolbar\Server -> Spyware.WebSearch : Error during cleaning
HKU\S-1-5-21-2034715575-3859179852-3284876818-1007\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{00A6FAF1-072E-44CF-8957-5838F569A31D} -> Spyware.MyWebSearch : Cleaned with backup
HKU\S-1-5-21-2034715575-3859179852-3284876818-1007\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{01F44A8A-8C97-4325-A378-76E68DC4AB2E} -> Spyware.IEPlugin : Cleaned with backup
HKU\S-1-5-21-2034715575-3859179852-3284876818-1007\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{26D73573-F1B3-48C9-A989-E6CE071957A1} -> Dialer.Generic : Cleaned with backup
HKU\S-1-5-21-2034715575-3859179852-3284876818-1007\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{339BB23F-A864-48C0-A59F-29EA915965EC} -> Spyware.HuntBar : Cleaned with backup
HKU\S-1-5-21-2034715575-3859179852-3284876818-1007\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{87766247-311C-43B4-8499-3D5FEC94A183} -> Spyware.HuntBar : Cleaned with backup
HKU\S-1-5-21-2034715575-3859179852-3284876818-1007\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{8952A998-1E7E-4716-B23D-3DBE03910972} -> Spyware.HuntBar : Cleaned with backup
HKU\S-1-5-21-2034715575-3859179852-3284876818-1007\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{8B0FA130-0C3D-4CB1-AEB7-2C29DA5509A3} -> Spyware.IBIS : Cleaned with backup
HKU\S-1-5-21-2034715575-3859179852-3284876818-1007\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{8DA5457F-A8AA-4CCF-A842-70E6FD274094} -> Spyware.HuntBar : Cleaned with backup
HKU\S-1-5-21-2034715575-3859179852-3284876818-1007\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{BFC9677B-8006-4336-9D49-2C797AEFCB9E} -> Dialer.Generic : Cleaned with backup


::Report End

Then in normal mode I ran HJT, and saved the log below, I noticed some things but wanted to wait since I suspected others too.

Logfile of HijackThis v1.99.1
Scan saved at 2:59:24 PM, on 1/21/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/myway
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: X1IEHook Class - {52706EF7-D7A2-49AD-A615-E903858CF284} - C:\Program Files\NetZero\qsacc\x1IEBHO.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: ZeroBar - {F5735C15-1FB2-41FE-BA12-242757E69DDE} - C:\Program Files\NetZero\toolbar.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKCU\..\Run: [E6TaskPanel] "C:\Program Files\EarthLink TotalAccess\TaskPanl.exe" -winstart
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [MailSkinner] c:\program files\mailskinner\mailskinner.exe
O4 - HKCU\..\Run: [zango] c:\program files\zango\zango.exe
O4 - HKCU\..\Run: [kjecuy] c:\windows\system32\kjecuy.exe kjecuy
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: MUSICMATCH MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .mid: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/downloads/k...an_unicode.cab
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Housecall ActiveX 6.5) - http://housecall65.trendmicro.com/ho...vex/hcImpl.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

Regarding this account - "final" this is the only cleaning activity done so far on THIS ACCOUNT. I did not run any cleaners or scanners other than the above mentioned on this account.

[tetonbob]

Uninstall Mailskinner and zango if present (I don't think they will be)

Fix these with HJT:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/myway
R3 - Default URLSearchHook is missing
O4 - HKCU\..\Run: [MailSkinner] c:\program files\mailskinner\mailskinner.exe
O4 - HKCU\..\Run: [zango] c:\program files\zango\zango.exe
O4 - HKCU\..\Run: [kjecuy] c:\windows\system32\kjecuy.exe kjecuy

Search for and delete these files/folders if present:

c:\program files\mailskinner
c:\program files\zango
c:\windows\system32\kjecuy.exe

If any resist, boot to safe mode and delete from there.

Run a Kasperky online scan, and post any results, along with a new HJT log.

[stretched]

I fixed those entries in HJT and checked again via start/search and they were no longer present.

Kapersky did not have a log because it did not find anything.

Here is the latest HJT log from right now:

Logfile of HijackThis v1.99.1
Scan saved at 6:34:02 PM, on 1/21/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\America Online 9.0\waol.exe
C:\Program Files\America Online 9.0\shellmon.exe
C:\Program Files\America Online 9.0\aolwbspd.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\HJT\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: X1IEHook Class - {52706EF7-D7A2-49AD-A615-E903858CF284} - C:\Program Files\NetZero\qsacc\x1IEBHO.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: ZeroBar - {F5735C15-1FB2-41FE-BA12-242757E69DDE} - C:\Program Files\NetZero\toolbar.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKCU\..\Run: [E6TaskPanel] "C:\Program Files\EarthLink TotalAccess\TaskPanl.exe" -winstart
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: MUSICMATCH MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .mid: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/downloads/k...an_unicode.cab
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Housecall ActiveX 6.5) - http://housecall65.trendmicro.com/ho...vex/hcImpl.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{56218849-857B-4B5B-9C85-8FDFB8882AD5}: NameServer = 205.188.146.145
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

[tetonbob]

Nice job, stretched! We're all but done. The family PC is almost back under control again.

I'd advise you install at the least SpywareBlaster, IESPYAD 2 (for multiple users), and the MVPS Hosts file. Links below. Update all protection regularly, and run scans once a week. Educate the other users about what downloading and clicking on just anything can do to a system. Consider making their accounts Limited, instead of Administrator. This will prevent some software installation without your OK. Password protect your user account, (and any admin account) and the account named Administrator to retain control.

Well done. Your logs are clean. Any more issues? If not you should be good to go. We still have a few items to address.


Reset hidden/system files and folders

• Click Start.
• Open My Computer.
• Select the Tools menu and click Folder Options.
• Select the View tab.
• Deselect the Show hidden files and folders option.
• Select the Hide file extensions for known types option.
• Select the Hide protected operating system files option.
• Click Yes to confirm.
• Click OK.

Create a new System Restore point

• click Start >> Run - type SYSDM.CPL & press Enter
• select the System Restore Tab
• tick on the checkbox - "Turn off System Restore on all drives"
• click Apply
• then untick the same checkbox & click OK

Enable Windows Auto Update

• Go to Start>Run - type wuaucpl.cpl
• tick on the checkbox - "Keep my computer up to date"
• Under settings, choose "Automatically download the updates, and install them on the schedule that I specify".
• Click on "OK".

Now that you are clean, to help protect your computer in the future I recommend that you get the following free programs:

• SpywareBlaster to help prevent spyware from installing in the first place.
  
• SpywareGuard to catch and block spyware before it can execute.
  
• SPYBOT - SEARCH & DESTROY
  Download and install Spybot - Search & Destroy with its TeaTimer option. This will provide realtime spyware & hijacker protection on your computer alongside your virus protection. You should also scan your computer with the program on a regular basis just as you would an antivirus software. A tutorial on installing & using this product can be found here
  
• AD-AWARE
  Download and install Ad-Aware. You should use this program to scan your computer on a regular basis just as you would an antivirus software in conjunction with Spybot. A tutorial on installing & using this product can be found here
  
• IE-SPYAD
  IE/Spyad places more than 4000 dubious websites and domains in the IE Restricted list. This severely impair attempts to infect your system. It basically prevents any downloads (Cookies etc) from the sites listed, although you will still be able to connect to the sites. A tutorial on installing this product can be found here
  
• MVPS HOST FILE
  The MVPS Hosts file replaces your current HOSTS file with one that will restrict known ad sites form serving you unsolicited advertisements. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1 which is the IP of your local computer. It can be downloaded here - MVPS Hosts file
  
• ANTIVIRUS SOFTWARE
  It is very important that you have anti-virus software running on your machine. This alone can save you a lot of trouble with malware in the future.
  
  See this link for a listing of some online antivirus scanners:
  
  Anti-Spyware Tutorial
  
  Here are two very good free Antivirus products which are available:
  
• Avast!
• AVG
  
  It is imperative that you update your Antivirus software at least once a week (Even more if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out.
  
• Winpatrol - Download and install the free version of Winpatrol.
  A tutorial for this product is located here:
  Using Winpatrol to protect your computer from malicious software

If you do not have a firewall, here are 4 free ones available for personal use:

• ZoneAlarm
• Avast Antivirus/Firewall
• Tiny Personal Firewall
• OutPost Firewall

In light of your recent troubles, I'm sure you'll like to avoid any future infections. Please take a look at these well written articles

• HOW DID I GET INFECTED IN THE FIRST PLACE?
• THE ANTI-SPYWARE TUTORIAL
• MAKING INTERNET EXPLORER SAFER

Please respond to this thread one more time so we can mark this thread as resolved.

[stretched]

Thank you very much, whenever I can dontate I will since you guys have helped me more than once, I'd better do it, while having a wife and six kids here makes me constantly in debt, so it will be a little while before I can.

You can move it to finished and I can look at the final instructions there, I will have to do the last changes to the computer in the morning. But I have some questions. I do have spyblaster, and the webroot trial which will run out, and I think ewido will also, I have spybot, adaware, I had trouble installing AVG when it could not copy all of the files, I have the avast virus program but that will expire, I use Zone alarm on my system, and was think about puting that on the kids computer, ok you see where I am going with this? There is also the windows firewall on the Kids XP, I do not want to have to many things on at the same time, so what do you recommend, because I do not know if having AVG montior and Zone Alarm on at the same time, plus the windows fire wall - if such a thing is smart to do.....as I said, you can move this and I can review your instructions and recommendations in the previous post, as well as any other comments in reply to this post, and thanx a million once again!

[tetonbob]

Hi stretched -

First, don't worry yourself over a donation, unless you can truly part with it. We do this because we want to. Yes, the servers cost money, and our admin will appreciate anything no matter the amount, but take care of your family first.

Next, let's see if I can address some of your concerns.

Avast is freeware, and is free to register. I've been using it for 2 years now. For free. All you need to do is submit a registration form, and you will receive a registration key to input. There should be something about registering Avast either on the system tray icon by right clicking, or by opening the main program interface from Start>All Programs

It's every bit as good as AVG in my mind, so put Avast on all your systems if you need AV protection.

Next, ZoneAlarm is free, and works well with Avast. If you install ZoneAlarm, the Windows Firewall should be disabled. More than one Firewall or AV product active on a system can cause conflict.

Your webroot trial will be active for 90 days, I think is the version we used. A subscription for a year I think you can get for $30, sometimes they will offer it for $20, a good value for the tool...but I like and use the others you have (and they're free)...Adaware, Spybot (with TeaTimer enabled) SpywareBlaster (regularly updated)...I also use on all my systems IESPYAD - this disallows malware cookie installation, and the MVPS hosts file... this prevents the visiting of known bad sites by redirecting the attempt to 127.0.0.1, your own machine.

I'll leave this out here for a few days, in case you want to ask more questions....once you're comfortable with the info, post again, and we'll put this to bed.

[stretched]

There is a fundamental issue, regarding all of these accounts, I am going through and undo-ing show files, and system restore, but I should not have to do that system restore bit on each account right? I did more than one - three of them, and the second and third went very quickly as if it was telling me:"you just did this stupid"

Also it appears that each of these installed programs has to be updated on each user account, is that correct? So the question of this post is related to the different users, I plan to eliminate admin accounts as was mentioned before, but at this time I am going through what you said in the last post about system restore, and turning off show files and I plan to download those other items too, so the same question:

IESPYAD and the MVPS after I put them in "mommy" versus the different accounts. Alright I think you get the question here, I do not want to have something on there and think it is updated, only to realize later that it was not updated on this and that account.

Also, the windows defrag, should I run it as it has not been run on this computer since it was purchased, about 14 - 16 months ago? And do I have to do that on each account too????

[tetonbob]

Hi stretched -

Most actions performed from an Admin account are global...meaning they affect all users on the system. System Restore, defrag need only be addressed from one admin account.

IESPYAD2 is designed for systems with multiple users, and installs in the appropriate registry location to take care of all users. It needs updating only rarely....it's not like one of the scanning programs which should be updated more frequently, like Adaware and Spybot.

MVPS hosts file installs to the C drive, and affects all users as well, and doesn't require frequent updating.

SpywareBlaster needs only be updated from one admin account, but the protections of the user's restricted zones need to be applied per user.

Spybot S&D needs only be updated from one admin account. Be sure to immunize after updating. The immunization carries across all users.

Run Spybot and click on the 'Search for Updates' button. Install any updates that are available.

Now click Mode menu and choose 'Advanced Mode'. Next click on Immunize to your left. Click the Immunize button (green cross) on top to Immunize your computer - you should do this each time there is an update. Now go to Tools->Resident. Make sure you enable TeaTimer. What this will do is monitor any system/registry changes and will ask you for permission to change any of these settings.

Adaware SE Pro seemed to need to be updated from each account...not sure if the free version is the same....you may have to check it out.

I think that covers it...if not, let me know.

[stretched]

OK that's it then, we're done, thanks for answering that on top of all the help you have provided, we are very appreciative and can not express our gratitude enough.

See you next time
stretched