HJT log My PC is a trojan mess

Discussion in 'Windows - Virus and spyware problems' started by Ruffian15, Jun 18, 2010.

  1. Ruffian15

    Ruffian15 Guest

    Hi. I followed the sticky directions except that I could not run a Kaspersky scan. It kept getting hung up and I couldn't generate a report. So, I did a Panda scan. Below is a copy of those scan results along with a HJT log. Ugh. I've been wrestling with this stupid thing for days. Hope someone can help me.

    Panda Scan:



    ;***********************************************************************************************************************************************************************************
    ANALYSIS: 2010-06-17 19:56:51
    PROTECTIONS: 1
    MALWARE: 6
    SUSPECTS: 6
    ;***********************************************************************************************************************************************************************************
    PROTECTIONS
    Description Version Active Updated
    ;===================================================================================================================================================================================
    Charter Security Suite 9.01 9.01 No Yes
    ;===================================================================================================================================================================================
    MALWARE
    Id Description Type Active Severity Disinfectable Disinfected Location
    ;===================================================================================================================================================================================
    00003428 adware/memorywatcher Adware No 0 Yes No hkey_classes_root\vbrad.trayicon
    00007432 Univ Virus No 0 Yes No c:\program files\charter high-speed security suite\fsaua\content\aquawin32\1276725026\cran.cvd
    00167726 Cookie/Tickle TrackingCookie No 0 Yes No c:\documents and settings\guest\application data\mozilla\firefox\profiles\gdzrpwmd.default\cookies.txt[.tickle.com/]
    00167726 Cookie/Tickle TrackingCookie No 0 Yes No c:\documents and settings\guest\application data\mozilla\firefox\profiles\gdzrpwmd.default\cookies.txt[.tickle.com/]
    01313177 Generic Malware Virus/Trojan No 0 Yes No c:\program files\wildtangent\components\wtpropertybag0200.dll
    03898858 Generic Malware Virus/Trojan No 0 Yes No c:\program files\photodex presenter\pxplay.exe
    06541065 Trj/Dropper.JTL Virus/Trojan No 1 Yes No c:\documents and settings\hp_owner\my documents\my downloads\sopcast\setup-sopcast-2.0.4-2007-11-26.exe
    ;===================================================================================================================================================================================
    SUSPECTS
    Sent Location
    ;===================================================================================================================================================================================
    No c:\documents and settings\hp_owner\application data\mozilla\plugins\nppxplay.dll
    No c:\documents and settings\hp_owner\application data\netscape\plugins\nppxplay.dll
    No c:\documents and settings\hp_owner\desktop\downloads\install_photomoviemaker_for_hp.exe
    No c:\hp\recovery\wizard\swr_wizard.exe
    No c:\program files\charter high-speed security suite\hips\fshs.sys
    No c:\program files\photodex presenter\pxdown.exe
    ;===================================================================================================================================================================================
    VULNERABILITIES
    Id Severity Description
    ;===================================================================================================================================================================================
    ;===================================================================================================================================================================================


    HJT Log:

    Logfile of Trend Micro HijackThis v2.0.4
    Scan saved at 9:00:44 AM, on 6/18/2010
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v8.00 (8.00.6001.18702)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
    C:\windows\system\hpsysdrv.exe
    C:\WINDOWS\AGRSMMSG.exe
    C:\HP\KBD\KBD.EXE
    C:\WINDOWS\ALCMTR.EXE
    C:\WINDOWS\system32\hphmon06.exe
    C:\Program Files\Common Files\Pure Networks Shared\Platform\nmctxth.exe
    C:\Program Files\Pure Networks\Network Magic\nmapp.exe
    C:\Program Files\Common Files\Java\Java Update\jusched.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Charter High-Speed Security Suite\Anti-Virus\fsgk32st.exe
    C:\Program Files\Charter High-Speed Security Suite\Common\FSMA32.EXE
    C:\Program Files\Charter High-Speed Security Suite\Anti-Virus\FSGK32.EXE
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\WINDOWS\system32\HPZipm12.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Charter High-Speed Security Suite\Anti-Virus\fssm32.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Charter High-Speed Security Suite\Common\FSM32.EXE
    C:\Program Files\Charter High-Speed Security Suite\Common\FSHDLL32.EXE
    C:\Program Files\Charter High-Speed Security Suite\Anti-Virus\fsav32.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Charter High-Speed Security Suite\FWES\Program\fsdfwd.exe
    C:\WINDOWS\explorer.exe
    C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.foxnews.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
    O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O2 - BHO: LitmusBHO - {C6867EB7-8350-4856-877F-93CF8AE3DC9C} - C:\Program Files\Charter High-Speed Security Suite\NRS\iescript\baselitmus.dll
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    O3 - Toolbar: Browsing Protection Toolbar - {265EEE8E-3228-44D3-AEA5-F7FDF5860049} - C:\Program Files\Charter High-Speed Security Suite\NRS\iescript\baselitmus.dll
    O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
    O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAudPropShortcut.exe
    O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
    O4 - HKLM\..\Run: [F-Secure Manager] "C:\Program Files\Charter High-Speed Security Suite\Common\FSM32.EXE" /splash
    O4 - HKLM\..\Run: [F-Secure TNB] "C:\Program Files\Charter High-Speed Security Suite\FSGUI\TNBUtil.exe" /CHECKALL /WAITFORSW
    O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
    O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
    O4 - HKLM\..\Run: [HPHmon06] C:\WINDOWS\system32\hphmon06.exe
    O4 - HKLM\..\Run: [nmctxth] "C:\Program Files\Common Files\Pure Networks Shared\Platform\nmctxth.exe"
    O4 - HKLM\..\Run: [nmapp] "C:\Program Files\Pure Networks\Network Magic\nmapp.exe" -autorun -nosplash
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
    O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
    O4 - HKLM\..\Run: [TrojanScanner] C:\Program Files\Trojan Remover\Trjscan.exe /boot
    O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 5.3\THGuard.exe"
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
    O4 - .DEFAULT User Startup: AutoTBar.exe (User 'Default user')
    O8 - Extra context menu item: Add To HP Organize... - C:\PROGRA~1\HEWLET~1\HPORGA~1\bin/module.main/favorites\ie_add_to.html
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {0742B9EF-8C83-41CA-BFBA-830A59E23533} (Microsoft Data Collection Control) - https://support.microsoft.com/OAS/ActiveX/MSDcode.cab
    O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/betapit/PCPitStop.CAB
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?LinkID=39204
    O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://eu-housecall.trendmicro-europe.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
    O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper200711281.dll
    O16 - DPF: {4DCA1E08-4147-4A3D-8CA6-E095DF189FAB} (CPlayFirstNightshiftControl Object) - http://games.bigfishgames.com/en_nightshift-legacy-the-jaguars-eye/online/Nightshift2Web.1.0.0.9.cab
    O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase5483.cab
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1155054091156
    O16 - DPF: {87056D28-9730-4A47-B9F9-7E890B62C58A} (WildfireActiveXHost Class) - http://aolsvc.aol.com/onlinegames/ghtumblebugs/axhost.cab
    O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://72.32.179.44/filter/cameraviewer/isetup.cab
    O16 - DPF: {9191F686-7F0A-441D-8A98-2FE3AC1BD913} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/activescan/cabs/as2stubie.cab
    O16 - DPF: {A5A76EA0-7B92-4707-9DBF-6F6FE56A6800} (Pure Networks Security Scan) - http://nmreports.linksys.com/nmscan/download/WebDiag.4.5.8056.1-ship-WD.V1.cab
    O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.com/controls/cpcScanner.cab
    O16 - DPF: {D8089245-3211-40F6-819B-9E5E92CD61A2} (FlashXControl Object) - https://signin3.valueactive.com/Register/Branding/olr3313/OCX/v1018/flashax.cab
    O16 - DPF: {DBA8E419-0D5F-439B-A3CC-D01C768D9B51} (DVCDownloaderControl Object) - http://aolsvc.aol.com/onlinegames/sonydavincicode/DVCDownloaderControl.cab
    O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} -
    O16 - DPF: {E93E9DF0-3E59-4331-A269-F1E077C66F00} (GameTap Web Plugin) - http://cnn-5.vo.llnwd.net/c1/static/client/browserplayer/gtplugin.cab
    O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/mcfscan/2,2,0,5173/mcfscan.cab
    O16 - DPF: {FFB3A759-98B1-446F-BDA9-909C6EB18CC7} (PCPitstop Exam) - http://utilities.pcpitstop.com/Optimize2/pcpitstop2.dll
    O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
    O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
    O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
    O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
    O23 - Service: FSGKHS (F-Secure Gatekeeper Handler Starter) - Unknown owner - C:\Program Files\Charter High-Speed Security Suite\Anti-Virus\fsgk32st.exe
    O23 - Service: F-Secure Anti-Virus Firewall Daemon (FSDFWD) - F-Secure Corporation - C:\Program Files\Charter High-Speed Security Suite\FWES\Program\fsdfwd.exe
    O23 - Service: FSMA - F-Secure Corporation - C:\Program Files\Charter High-Speed Security Suite\Common\FSMA32.EXE
    O23 - Service: F-Secure ORSP Client (FSORSPClient) - F-Secure Corporation - C:\Program Files\Charter High-Speed Security Suite\ORSP Client\fsorsp.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
    O23 - Service: Imapi Helper - Alex Feinman - C:\Program Files\Alex Feinman\ISO Recorder\ImapiHelper.exe
    O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
    O23 - Service: Pure Networks Platform Service (nmservice) - Cisco Systems, Inc. - C:\Program Files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
    O23 - Service: LiveShare P2P Server 9 (RoxLiveShare9) - Unknown owner - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe (file missing)

    --
    End of file - 10794 bytes
     
  2. aldan

    aldan Active member

    Joined:
    Mar 24, 2007
    Messages:
    1,725
    Likes Received:
    46
    Trophy Points:
    78
    To my untrained eye you are loaded with nasties. This is something I would handle on my own machine, but am hesitant to advise another on. What I did was google the entries on my HijackThis log to see exactly what they were. Then I made the determination whether to delete them or not. Some things on a log may or may not be malware. In this case, if in doubt, most articles (Google) will tell you if they are necessary or can be deleted. If in doubt, seek help. Download Malwarebytes, update, and run scan. Check and delete anything it finds. Then run another HijackThis log and compare the two. Post back with results.
     
  3. hooter007

    hooter007 Regular member

    Joined:
    Dec 20, 2008
    Messages:
    3,266
    Likes Received:
    0
    Trophy Points:
    46
    The free version of Malwarebytes will do.
    Also, after Malwarebytes, run CCleaner to clean up your temp files and empty reg keys, etc.
     
  4. Ruffian15

    Ruffian15 Guest

    Oddly enough, the Malwarebytes picked up nothing, and we know there's stuff there.
     
  5. hooter007

    hooter007 Regular member

    Can you not use System Restore and see if that helps any?
     
  6. ddp

    ddp Moderator Staff Member

    Joined:
    Oct 15, 2004
    Messages:
    39,167
    Likes Received:
    136
    Trophy Points:
    143
    Run Kaspersky in safemode\administrator. What version of Spybot are you using, as 1.6.2 is latest if I'm correct? What is this "Charter High-Speed Security Suite"?
     
  7. Ruffian15

    Ruffian15 Guest

    The Charter High Speed Security Suite is the F-Secure antivirus and firewall program that comes from the internet provider.
     
  8. aldan

    aldan Active member

    If this was me, and it's not, I would google all the HJT entries and remove the following:

    O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)

    O2 - BHO: LitmusBHO - {C6867EB7-8350-4856-877F-93CF8AE3DC9C} - C:\Program Files\Charter High-Speed Security Suite\NRS\iescript

    Just check fix on the HJT results. By the way, I've had good luck running the Windows Firewall, Avira free antivirus, SpywareBlaster, and SUPERAntiSpyware for my security needs. All free and don't slow your computer down. Not familiar with Charter, but looks like a hell of a lot of processes associated with it. Just my humble opinion.
     
  9. Ruffian15

    Ruffian15 Guest


    Ok. I'm making some progress. I finally got a partial scan done with Kaspersky. I just don't know what to do with the results now. Do I delete those files or do something else? I haven't done anything else yet. I'd like some direction please. Thanks.

    Saturday, June 19, 2010
    Operating system: Microsoft Windows XP Home Edition Service Pack 3 (build 2600)
    Kaspersky Online Scanner version: 7.0.26.13
    Last database update: Saturday, June 19, 2010 12:23:34
    Records in database: 4296164
    Scan settings
    scan using the following database extended
    Scan archives yes
    Scan e-mail databases yes
    Scan area My Computer
    C:\
    D:\
    E:\
    F:\
    G:\
    H:\
    I:\
    J:\
    Scan statistics
    Objects scanned 21583
    Threats found 3
    Infected objects found 3
    Suspicious objects found 0
    Scan duration 02:21:34

    File name Threat Threats count
    C:\Documents and Settings\HP_Owner\My Documents\My Downloads\couponprinter.exe Infected: not-a-virus:AdWare.Win32.Coupons 1
    C:\Documents and Settings\HP_Owner\My Documents\My Downloads\GMVegasSetup.exe Infected: Trojan-Dropper.Win32.Delf.fqm 1
    C:\Documents and Settings\HP_Owner\My Documents\My Downloads\SetupAnyDVD6088.exe Infected: Backdoor.Win32.Agent.ahyk 1
    Scanning stopped by the user.
     
  10. ddp

    ddp Moderator Staff Member

    Delete them & empty the recycle bin. Update, immunize twice, then run your Spybot S&D in both safemode & normal mode.
     
  11. Ruffian15

    Ruffian15 Guest

    I should have put the whole instruction/description info. Here it is. Shall I do this and if so, how?

    Trojan-Dropper.Win32.Delf.se
    Detected Jan 27 2006 20:47 GMT
    Released Jan 27 2006 20:47 GMT
    Published Apr 03 2006 11:21 GMT

    Technical Details

    This Trojan program is designed to install other files and programs to the victim machine without the user's knowledge or consent. The Trojan's main file is a Windows PE EXE file approximately 142KB in size, written in Delphi and packed using UPX. The unpacked file is approximately 223KB in size.

    Payload

    When launched, the Trojan drops the following file to the Windows root directory:
    %Windir%\inst_cassovia_apps.exe

    It also creates a file called svchost.exe in the following folder:
    %Program Files%\Common Files\Microsoft Shared\MSInfo\svchost.exe

    These files will be detected by Kaspersky Anti-Virus as not-a-virus:AdWare.Win32.BargainBuddy.ak.

    These files will then be launched for execution.

    The Trojan will also terminate the processes listed below:

    APVXDWIN.EXE
    ashDisp.exe
    aswUpdSv
    avast! Antivirus
    avast! Mail Scanner
    avast! Web Scanner
    AVENGINE.EXE
    AvltMain.exe
    BackWeb Plug-in - 4476822
    bdmcon.exe
    bdnagent.exe
    bdoesrv.exe
    BGLiveSvc
    BlackICE
    blackice.exe
    bullguard.exe
    CAISafe
    ccApp.exe
    ccEvtMgr
    ccProxy
    ccSetMgr
    FAMEH32.EXE
    FCH32.EXE
    F-Prot Antivirus Update Monitor
    FSAV32.exe
    FSAW.exe
    fsbwsys
    F-Sched.exe
    F-Secure Gatekeeper Handler Starter
    fsgk32.exe
    fsguidll.exe
    fshttps
    FSM32.exe
    FSMB32.EXE
    fspc.exe
    fspex.exe
    fsqh.exe
    FSRW.exe
    fssm32.exe
    fssw.exe
    F-StopW.exe
    InoTask
    ispnews.exe
    KAVPF.exe
    kpf4gui.exe
    LavasoftFirewall
    lpfw.exe
    LUCOMS~1.EXE
    mantispm.exe
    McAfeeFramework
    McShield
    McTaskManager
    naPrdMgr.exe
    navapsvc
    NMain.exe
    NOD32krn
    nod32kui.exe
    NPFMntor
    NSCService
    Outpost Firewall main module
    outpost.exe
    OutpostFirewall
    PAVFIRES
    PAVFNSVR
    PavProt
    PavPrSrv
    pccguide.exe
    PCCMAIN.EXE
    PcCtlCom
    PersonalFirewal
    PREVSRV
    ProtoPort Firewall service
    PSIMSVC
    realmon.exe
    SHSTAT.EXE
    SmcService
    SNDSrvc
    SPBBCSvc
    Symantec Core LC
    SyncEvnt.exe
    TBMon.exe
    Tmntsrv
    tmproxy
    UmxAgent
    UmxTray.exe
    UpdaterUI.exe
    WebProxy.exe
    WebrootDesktopFirewall.exe
    WebrootDesktopFirewallDataService
    WebrootFirewall
    zlclient.exe


    Removal instructions

    Manual removal:

    1. Reboot the computer in Safe Mode (at the start of the boot sequence, press and hold F8, then choose Safe Mode from the Windows boot menu).
    2. Delete the following files:
    %Windir%\inst_cassovia_apps.exe
    %Program Files%\Common Files\Microsoft Shared\MSInfo\svchost.exe
    3. Delete the original Trojan file (the location will depend on how it originally penetrated the computer).
    4. Update your antivirus databases and perform a full scan of the computer (download a trial version of Kaspersky Anti-Virus).
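
An added example, not part of the thread or any poster's code, covering the log review aldan describes and the dropped `svchost.exe` named in the Kaspersky write-up: it parses a HijackThis log and lists entries whose target file is absent, ActiveX (O16) entries with no source or a bare-IP source, and system process names running outside their usual directory. The function names, the `SYSTEM_DIRS` table and the expansion of `%Program Files%` to `C:\Program Files` are assumptions made for the sample.

```python
import ipaddress
import ntpath
import re
from urllib.parse import urlsplit

# Constructed sample: entries copied from the HJT log in the first post, plus one
# constructed process line using the svchost.exe drop path from the last post.
SAMPLE_LOG = r"""Running processes:
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Microsoft Shared\MSInfo\svchost.exe

O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://72.32.179.44/filter/cameraviewer/isetup.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} -
O23 - Service: LiveShare P2P Server 9 (RoxLiveShare9) - Unknown owner - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe (file missing)
"""

# Where Windows XP keeps these binaries; the same name elsewhere needs a look.
SYSTEM_DIRS = dict.fromkeys(("svchost.exe", "lsass.exe", "services.exe",
                             "winlogon.exe", "smss.exe"), r"c:\windows\system32")
ENTRY_RE = re.compile(r"^([A-Z]\d{1,2}) - (.*)$")
DPF_RE = re.compile(r"^DPF: (\{[^}]+\})(?: \(.*\))? -\s*(.*)$")


def parse_hjt(text):
    """Return (running process paths, [(section code, entry body), ...])."""
    processes, entries, in_procs = [], [], False
    for line in (raw.strip() for raw in text.splitlines()):
        if line == "Running processes:":
            in_procs = True
        elif not line:
            in_procs = False
        elif in_procs:
            processes.append(line)
        elif (m := ENTRY_RE.match(line)):
            entries.append((m.group(1), m.group(2)))
    return processes, entries


def is_ip_literal(url):
    """True when the URL's host is a bare IP address rather than a name."""
    try:
        ipaddress.ip_address(urlsplit(url).hostname or "")
        return True
    except ValueError:
        return False


def triage(text):
    """Return (reason, item) pairs worth manual review; nothing is deleted."""
    processes, entries = parse_hjt(text)
    findings = []
    for path in processes:
        expected = SYSTEM_DIRS.get(ntpath.basename(path).lower())
        if expected and ntpath.dirname(path).lower() != expected:
            findings.append(("system name outside its directory", path))
    for code, body in entries:
        if body.endswith(("(no file)", "(file missing)")):
            findings.append(("target file absent", f"{code} - {body}"))
        elif code == "O16" and (m := DPF_RE.match(body)):
            if not m.group(2):
                findings.append(("ActiveX control with no source", m.group(1)))
            elif is_ip_literal(m.group(2)):
                findings.append(("ActiveX fetched from bare IP", m.group(2)))
    return findings


if __name__ == "__main__":
    print(*triage(SAMPLE_LOG), sep="\n")
```

Each finding is a prompt to look the entry up before using HijackThis's fix option, not a verdict that the entry is malicious.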
     
