First off thank you so much to who ever takes a minute to help me. I SO appreciate it!!!
I have been having some major problems start the other night. I get numerous "antiVirus" pop ups, I have seen several [bleep] pop ups, and my home page changes. I do have Norton Antivirus and internet security installed and it alerted me of several things ( Spy Sheriff, Error safe, ultimate defender, and many others). It did delete some of them. I also ran all the things listed to do (Clean up, swshredder,Spybot S&D, smitRem, Panda, ewido, ad-aware, Trend housecall, windows update) Here are my logs from this:
Panda Active scan:
Incident Status Location
Adware:adware/pornmagpass Not disinfected c:\windows\system32\ishost.exe
Adware:adware/systemdoctor Not disinfected c:\windows\system32\isnotify.exe
Adware:adware/securityerror Not disinfected c:\windows\system32\ot.ico
Spyware:Cookie/Malwarewipe Not disinfected C:\Documents and Settings\Owner\Cookies\owner@malwarewipe[1].txt
Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\Owner\Desktop\smitRem\Process.exe
Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\Owner\Desktop\smitRem.exe[smitRem/Process.exe]
Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\G0FYTGUA\smitRem[1].exe[smitRem/Process.exe]
I ended up running that again and the first one listed (pornmagpass)was gone in the second scan, everything else remained the same.
SmitRem Log:
smitRem © log file
version 3.2
by noahdfear
Microsoft Windows XP [Version 5.1.2600]
"IE"="6.0000"
The current date is: Fri 10/13/2006
The current time is: 9:13:28.71
Running from
C:\Documents and Settings\Owner
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Pre-run SharedTask Export
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Appinitdll check ........ Thank you Grinler!
dumphive.exe ©2000-2004 Markus Stephany
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
XP Firewall allowed access
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Messenger\\msmsgs.exe"="C:\\Program Files\\Messenger\\msmsgs.exe:*:Enabled:Windows Messenger"
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
checking for ShudderLTD key
ShudderLTD key not present!
checking for PSGuard.com key
PSGuard.com key not present!
checking for WinHound.com key
WinHound.com key not present!
checking for drsmartload2 key
drsmartload2 key not present!
spyaxe uninstaller NOT present
Winhound uninstaller NOT present
SpywareStrike uninstaller NOT present
AlfaCleaner uninstaller NOT present
SpyFalcon uninstaller NOT present
SpywareQuake uninstaller NOT present
SpywareSheriff uninstaller NOT present
Trust Cleaner uninstaller NOT present
SpyHeal uninstaller NOT present
VirusBurst uninstaller NOT present
BraveSentry uninstaller NOT present
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Existing Pre-run Files
~~~ Program Files ~~~
~~~ Shortcuts ~~~
~~~ Favorites ~~~
~~~ system32 folder ~~~
amcompat.tlb
ismini.exe
issearch.exe
ixt*.dll
nscompat.tlb
~~~ Icons in System32 ~~~
ot.ico
~~~ Windows directory ~~~
~~~ Drive root ~~~
~~~ Miscellaneous Files/folders ~~~
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Starting registry repairs
Registry repairs complete
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
SharedTask Export after registry fix
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Deleting files
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Remaining Post-run Files
~~~ Program Files ~~~
~~~ Shortcuts ~~~
~~~ Favorites ~~~
~~~ system32 folder ~~~
~~~ Icons in System32 ~~~
~~~ Windows directory ~~~
~~~ Drive root ~~~
~~~ Miscellaneous Files/folders ~~~
~~~ Wininet.dll ~~~
CLEAN!
EDWIDO Scan Log:
AVG Anti-Spyware - Scan Report
---------------------------------------------------------
+ Created at: 1:25:14 AM 10/13/2006
+ Scan result:
HKLM\SOFTWARE\Microsoft\Internet Explorer\Extensions\{c95fe080-8f5d-11d2-a20b-00aa003c157a} -> Adware.Generic : No action taken.
C:\Documents and Settings\Owner\Cookies\owner@atdmt[1].txt -> TrackingCookie.Atdmt : No action taken.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\run\\kernel32.dll -> Trojan.Small : No action taken.
HKLM\SOFTWARE\Microsoft\Internet Explorer\Extensions\{c95fe080-8f5d-11d2-a20b-00aa003c157a} -> Adware.Generic : Cleaned with backup (quarantined).
C:\Documents and Settings\Owner\Cookies\owner@atdmt[1].txt -> TrackingCookie.Atdmt : Cleaned.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\run\\kernel32.dll -> Trojan.Small : Cleaned with backup (quarantined).
::Report end
AD Aware log
ArchiveData(auto-quarantine- 2006-10-13 07-44-36.bckp)
Referencefile : SE1R126 12.10.2006
======================================================
WIN32.TROJANDOWNLOADER.ZLOB
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
obj[0]=Process : C:\WINDOWS\System32\ishost.exe
obj[1]=Process : C:\WINDOWS\system32\isnotify.exe
ALEXA
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
obj[2]=RegValue : .DEFAULT\software\microsoft\internet explorer\extensions\cmdmapping "{c95fe080-8f5d-11d2-a20b-00aa003c157a}"
obj[3]=RegValue : S-1-5-18\software\microsoft\internet explorer\extensions\cmdmapping "{c95fe080-8f5d-11d2-a20b-00aa003c157a}"
obj[4]=RegValue : S-1-5-21-220523388-583907252-725345543-1003\software\microsoft\internet explorer\extensions\cmdmapping "{c95fe080-8f5d-11d2-a20b-00aa003c157a}"
TRACKING COOKIE
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
obj[5]=IECache Entry : Cookie:[email protected]/
obj[6]=IECache Entry : Cookie:[email protected]/
ArchiveData(auto-quarantine- 2006-10-13 07-53-57.bckp)
Referencefile : SE1R126 12.10.2006
======================================================
0 POSSIBLE NEW MALWARE 0
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
obj[0]=File : C:\System Volume Information\_restore{E572A28E-1EE7-4156-AF89-0B27A78920BA}\RP38\A0001071.exe
HI JACK THIS:
Logfile of HijackThis v1.99.1
Scan saved at 2:23:38 PM, on 10/13/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Borland\Interbase\Bin\IBGuard.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\WINDOWS\System32\snmp.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\SPOOL\DRIVERS\W32X86\3\DLBFPSWX.EXE
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Dell AIO Printer A960\dlbfbmgr.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Dell AIO Printer A960\dlbfbmon.exe
C:\Program Files\Norton Password Manager\AcctMgr.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\System32\igfxpers.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Palm\HOTSYNC.EXE
C:\Program Files\Borland\Interbase\Bin\IBServer.exe
C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\HighJackThis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=192.168.0.1:87
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = systemcontrolcenter.com;HughesNetsupport.com;192.168.0.1;<local>
O2 - BHO: (no name) - {206F32D4-84C8-1F6E-5506-01E8F86FF820} - C:\WINDOWS\system32\qkzskpb.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: Norton Internet Security 2006 - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: NAV Helper - {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton Internet Security 2006 - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {C4069E3A-68F1-403E-B40E-20066696354B} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [Dell AIO Printer A960] "C:\Program Files\Dell AIO Printer A960\dlbfbmgr.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [URLLSTCK.exe] C:\Program Files\Norton Internet Security\UrlLstCk.exe
O4 - HKLM\..\Run: [AcctMgr] C:\Program Files\Norton Password Manager\AcctMgr.exe /startup
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [ntwcvfh.dll] C:\WINDOWS\system32\rundll32.exe C:\WINDOWS\system32\ntwcvfh.dll,kktgapd
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\System32\igfxpers.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - Startup: HotSync Manager.lnk = C:\Palm\HOTSYNC.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell....iler/SysPro.CAB
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?LinkID=39204
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.5) - http://housecall65.t...ivex/hcImpl.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.syma...bin/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {B020B534-4AA2-4B99-BD6D-5F6EE286DF5C} (Symantec Download Bridge) - http://a248.e.akamai...ol/SymDlBrg.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O20 - Winlogon Notify: winpsa32 - C:\WINDOWS\SYSTEM32\winpsa32.dll
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Internet Security Password Validation (ccISPwdSvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\ccPwdSvc.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Norton Internet Security\comHost.exe
O23 - Service: InterBase Guardian (InterBaseGuardian) - Inprise Corporation - C:\Program Files\Borland\Interbase\Bin\IBGuard.exe
O23 - Service: InterBase Server (InterBaseServer) - Inprise Corporation - C:\Program Files\Borland\Interbase\Bin\IBServer.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Protection Center Service (NSCService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
O23 - Service: Symantec AVScan (SAVScan) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
Thanks so much for any help you can give.
~ Robin