Jump to content

Welcome to Geeks to Go - Register now for FREE

Geeks To Go is a helpful hub, where thousands of volunteer geeks quickly serve friendly answers and support. Check out the forums and get free advice from the experts. Register now to gain access to all of our features, it's FREE and only takes one minute. Once registered and logged in, you will be able to create topics, post replies to existing threads, give reputation to your fellow members, get your own private messenger, post status updates, manage your profile and so much more.

Create Account How it Works
Photo

trojan.zapchast and sysavxjgdu.exe [RESOLVED]


  • This topic is locked This topic is locked

#1
poemsmith

poemsmith

    New Member

  • Member
  • Pip
  • 6 posts
i seem to have some malware. i had a mywallpaper.bmp take over my desktop. and also, i've run spyware doctor which said i had this trojan.zapchast. is there some way to get rid of it without buying a program? i also found sysavxjgdu.exe and believe it is spyware. is this the same as the trojan? can i just delete them? how should i get rid of them? much thanks.
  • 0

Advertisements


#2
Ryan

Ryan

    Member 4k

  • Member
  • PipPipPipPipPipPipPip
  • 4,867 posts
Welcome to geekstogo! I'm Ryan, and I'll be helping you clean your computer.

Please download Malwarebytes' Anti-Malware from Here or Here

Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform full scan", then click Scan.
  • The scan may take some time to finish,so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy & paste the entire report in your next reply. I would also like to see an Uninstall List in your next reply.

    Open HijackThis, click Config, click Misc Tools
    Click "Open Uninstall Manager"
    Click "Save List" (generates uninstall_list.txt)

Extra Note:
If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process,if asked to restart the computer,please do so immediatly.

-Ryan
  • 0

#3
poemsmith

poemsmith

    New Member

  • Topic Starter
  • Member
  • Pip
  • 6 posts
thank you Ryan. Here is the HijackThis scan, the uninstall log and the malwarebyte log: Please let me know if you need anything else.

Malwarebytes' Anti-Malware 1.09
Database version: 573

Scan type: Full Scan (C:\|F:\|G:\|H:\|I:\|)
Objects scanned: 118680
Time elapsed: 47 minute(s), 27 second(s)

Memory Processes Infected: 1
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 8

Memory Processes Infected:
c:\WINDOWS\sysavxjgdu.exe (Trojan.FakeAlert) -> Unloaded process successfully.

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\{2C70168B-97CE-4f31-B85D-1FEC5002721D} (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
c:\WINDOWS\sysavxjgdu.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\Monica E. Smith\My Documents\Unzipped\MovieSnapshot_v0.4\MovieSnapshot.exe (Spyware.WOW) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP95\A0010208.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP95\A0010210.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP95\A0010211.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\zysalwhkkw.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\zysapghucv.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\zysaxyczld.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.

UNINSTALL LIST:


2 Pic
Ad-Aware SE Personal
Adobe Common File Installer
Adobe Flash Player ActiveX
Adobe Flash Player Plugin
Adobe Photoshop CS2
Adobe Reader 8.1.2
AIM 6
Alarm Clock
AOLIcon
Apple Mobile Device Support
Apple Software Update
ArcSoft Panorama Maker 3
ArcSoft PhotoImpression 5
ArcSoft VideoImpression 2
AVG Anti-Spyware 7.5
Avira AntiVir PersonalEdition Classic
CamStudio
CCleaner (remove only)
CleanUp!
Clickie
CoffeeCup Free FTP
Conexant D850 56K V.9x DFVc Modem
Dell CinePlayer
Dell Digital Jukebox Driver
Dell Driver Reset Tool
Dell Resource CD
DellSupport
Digital Content Portal
Digital Dream Studio V2
Digital Line Detect
Documentation & Support Launcher
Easy Thumbnails (Remove only)
EducateU
ELIcon
EMBARQ Online Security
ESPNMotion
EZ Photo Creations
FLV Player 1.3.3
Free CD to MP3 Converter
Free DVD Decrypter version 1.2
Free Video to iPod Converter version 2.4
FreeRIP v3.07
FrontPage Express 2.0.2.1131
Games, Music, & Photos Launcher
GemMaster Mystic
Google Earth
Google Toolbar for Internet Explorer
Google Toolbar for Internet Explorer
HijackThis 2.0.2
HP Memories Disc
HP OfficeJet/PSC Scrubber
HP Photo and Imaging 2.0 - All-in-One
HP Photo and Imaging 2.0 - All-in-One Drivers
IncrediMail Xe
Intel Matrix Storage Manager
Intel® PRO Network Connections Drivers
Intel® PROSet for Wired Connections
Intel® Quick Resume Technology Drivers
Intel® Quick Resume Technology Drivers
Intel® Viiv™
IntelliMover
iSofter DVD Ripper Platinum 1.0.2006.912
iTunes
Java 2 Runtime Environment, SE v1.4.2_03
Learn2 Player (Uninstall Only)
Legacy 6.0
LegalSounds Music Downloader 1.4
M4P MP3 Converter 1.0
Magentic
MAGIX Photo Clinic 4.5 (US)
Malwarebytes' Anti-Malware
Merge Version 2.0
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft .NET Framework 2.0 Service Pack 1
Microsoft .NET Framework 3.0 Service Pack 1
Microsoft .NET Framework 3.5
Microsoft .NET Framework 3.5
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Office PowerPoint Viewer 2003
Microsoft Plus! Digital Media Edition
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 Redistributable
Microsoft Word 2002
Microsoft Works
Microsoft Works 2004 Setup Launcher
Microsoft Works Suite Add-in for Microsoft Word
Modem Helper
Mozilla Firefox (2.0.0.13)
MSXML 6.0 Parser (KB933579)
MyHeritage Family Tree Builder
NetWaiting
NVIDIA Drivers
OfotoNow
Otto
PageBreeze Free HTML Editor
Paint.NET v3.22
Picasa 2
picture-shark 1.0
Plaxo Toolbar for Internet Explorer
Plaxo Toolbar for Windows
Playback Poet ver 1.0.0
Prism
QuickTime
RealPlayer
Roxio DLA
Roxio MyDVD LE
Roxio RecordNow Audio
Roxio RecordNow Copy
Roxio RecordNow Data
SadMan Software: SnapShot
Security Update for Windows Internet Explorer 7 (KB938127)
Slideshow pro
Sonic Activation Module
Sonic Encoders
Sonic Update Manager
Spark Audio Converter (Remove only)
Spyware Doctor 5.5
Switch
TribalPages XP Publisher Plugin
Tweak UI
USB 2.0 Wireless LAN Card Utility
VGA USB Camera
VMN Toolbox 4
WavePad Uninstall
WebCyberCoach 3.2 Dell
WildTangent Web Driver
Windows Defender
Windows Imaging Component
Windows Installer Clean Up
Windows Media Format 11 runtime
Windows Media Format 11 runtime
Windows Media Player 10
Windows Media Player 11
Windows Media Player 11
WinZip
WordPerfect Office 12
Yahoo! Browser Services
Yahoo! Install Manager
Yahoo! Internet Mail
Yahoo! Messenger
Yahoo! Search Protection
Yahoo! Toolbar

HIJACKTHIS SCAN:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:54:20 AM, on 3/31/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\EMBARQ Online Security\Anti-Virus\fsgk32st.exe
C:\Program Files\EMBARQ Online Security\Anti-Virus\FSGK32.EXE
C:\Program Files\EMBARQ Online Security\Common\FSMA32.EXE
C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
C:\Program Files\EMBARQ Online Security\Common\FSMB32.EXE
C:\WINDOWS\system32\LxrSII1s.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PRISMSVC.EXE
C:\Program Files\EMBARQ Online Security\Common\FCH32.EXE
C:\Program Files\Sunbelt Software\CounterSpy\SBCSSvc.exe
C:\Program Files\EMBARQ Online Security\Anti-Virus\fsqh.exe
C:\Program Files\EMBARQ Online Security\Common\FAMEH32.EXE
C:\Program Files\EMBARQ Online Security\FSPC\fspc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\PRISMSVR.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\Program Files\EMBARQ Online Security\Common\FSM32.EXE
C:\WINDOWS\ehome\mcrdsvc.exe
C:\Program Files\Intel\IntelDH\Intel® Quick Resume Technology\ELService.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\EMBARQ Online Security\FSGUI\fsguidll.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Sunbelt Software\CounterSpy\SBCSTray.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\Plaxo\3.8.1.1\PlaxoHelper_en.exe
C:\Program Files\AIM6\aim6.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\AOL\Loader\aolload.exe
C:\PROGRA~1\Magentic\bin\MgApp.exe
C:\Program Files\Picasa2\PicasaMediaDetector.exe
C:\Program Files\Alarm Clock\AlarmClock.exe
C:\Program Files\IncrediMail\bin\IMApp.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Dell Wireless\PRISMCFG.exe
C:\Program Files\EMBARQ Online Security\Anti-Virus\fssm32.exe
C:\Program Files\EMBARQ Online Security\FSAUA\program\fsaua.exe
C:\Program Files\EMBARQ Online Security\FWES\Program\fsdfwd.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\EMBARQ Online Security\FSAUA\program\fsus.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\Program Files\EMBARQ Online Security\Anti-Virus\fsav32.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\system32\cidaemon.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Program Files\IncrediMail\bin\IncMail.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://cm.my.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.c...rch/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://cm.my.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.c...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://admin.isp.net...sp.netscape.com
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Plaxo - {81CA3009-6200-4a6d-93C6-F1E9A6821C7F} - C:\Program Files\Plaxo\IE Toolbar\1.0.0.11\plx_tlbr.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.615.5858\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: Plaxo - {81CA3009-6200-4a6d-93C6-F1E9A6821C7F} - C:\Program Files\Plaxo\IE Toolbar\1.0.0.11\plx_tlbr.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
O4 - HKLM\..\Run: [ISUSPM Startup] "c:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
O4 - HKLM\..\Run: [F-Secure Manager] "C:\Program Files\EMBARQ Online Security\Common\FSM32.EXE" /splash
O4 - HKLM\..\Run: [F-Secure TNB] "C:\Program Files\EMBARQ Online Security\FSGUI\TNBUtil.exe" /CHECKALL /WAITFORSW
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [DIGStream] C:\Program Files\DIGStream\digstream.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [SBCSTray] C:\Program Files\Sunbelt Software\CounterSpy\SBCSTray.exe
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [PlaxoUpdate] C:\Program Files\Plaxo\3.8.1.1\PlaxoHelper_en.exe -a
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [IncrediMail] C:\Program Files\IncrediMail\bin\IncMail.exe /c
O4 - HKCU\..\Run: [Magentic] C:\PROGRA~1\Magentic\bin\Magentic.exe /c
O4 - HKCU\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O4 - Global Startup: Alarm Clock.lnk = C:\Program Files\Alarm Clock\AlarmClock.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: hpoddt01.exe.lnk = ?
O4 - Global Startup: Wireless USB 2.0 WLAN Card Utility.lnk = C:\Program Files\Dell Wireless\PRISMCFG.exe
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Parental... - {200DB664-75B5-47c0-8B45-A44ACCF73C00} - C:\Program Files\EMBARQ Online Security\FSPC\fspcmsie.dll
O9 - Extra button: (no name) - {200DB664-75B5-47c0-8B45-A44ACCF73F01} - C:\Program Files\EMBARQ Online Security\FSPC\fspcmsie.dll
O9 - Extra 'Tools' menuitem: Parental... - {200DB664-75B5-47c0-8B45-A44ACCF73F01} - C:\Program Files\EMBARQ Online Security\FSPC\fspcmsie.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra button: Upload - {FD4E2FF8-973C-4A19-89BD-8E86B3CFCFE1} - C:\WINDOWS\system32\shdocvw.dll
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www2.snapfish...fishActivia.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1168499264890
O16 - DPF: {6F750202-1362-4815-A476-88533DE61D0C} (Kodak Gallery Easy Upload Manager Class) - http://www.kodakgall..._2/axofupld.cab
O16 - DPF: {8714912E-380D-11D5-B8AA-00D0B78F3D48} (Yahoo! Webcam Upload Wrapper) - http://chat.yahoo.com/cab/yuplapp.cab
O16 - DPF: {CB50428B-657F-47DF-9B32-671F82AA73F7} - http://www.photodex.com/pxplay.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://www.kemba.org/swflash.cab
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: Intel® Quick Resume Technology Drivers (ELService) - Intel Corporation - C:\Program Files\Intel\IntelDH\Intel® Quick Resume Technology\ELService.exe
O23 - Service: F-Secure BlackLight Sensor - Unknown owner - C:\WINDOWS\TEMP\F-Secure\Anti-Virus\fsblsrv.exe (file missing)
O23 - Service: FSGKHS (F-Secure Gatekeeper Handler Starter) - F-Secure Corporation - C:\Program Files\EMBARQ Online Security\Anti-Virus\fsgk32st.exe
O23 - Service: F-Secure Automatic Update Agent (FSAUA) - F-Secure Corporation - C:\Program Files\EMBARQ Online Security\FSAUA\program\fsaua.exe
O23 - Service: F-Secure Anti-Virus Firewall Daemon (FSDFWD) - F-Secure Corporation - C:\Program Files\EMBARQ Online Security\FWES\Program\fsdfwd.exe
O23 - Service: F-Secure Management Agent (FSMA) - F-Secure Corporation - C:\Program Files\EMBARQ Online Security\Common\FSMA32.EXE
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Intel® Matrix Storage Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Lexar Secure II (LxrSII1s) - Unknown owner - C:\WINDOWS\SYSTEM32\LxrSII1s.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: PRISMSVC - Conexant Systems, Inc. - C:\WINDOWS\system32\PRISMSVC.EXE
O23 - Service: Sunbelt CounterSpy Antispyware (SBCSSvc) - Sunbelt Software - C:\Program Files\Sunbelt Software\CounterSpy\SBCSSvc.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe

--
End of file - 14428 bytes
  • 0

#4
Ryan

Ryan

    Member 4k

  • Member
  • PipPipPipPipPipPipPip
  • 4,867 posts
== Remove Programs ==

Please go to Add/Remove Programs in the Control Panel, and remove the following programs
Java 2 Runtime Environment, SE v1.4.2_03
Reboot your computer.


== Install Latest Java ==

Please go to THIS page, and click on the Download link that is in the Java Runtime Environment (JRE) 6 section.

Click the radio button next to Accept License Agreement after reviewing it. The page will refresh - this is normal.

Download the Windows Offline Installation, Multi-language. You will want to save this to a location you will remember.

Once it has finished downloading, double click it, and follow the prompts to install.

If it asks to reboot, select Yes.



== Clear Temporary Files ==

Please download ATF Cleaner by Atribune.
This program is for XP and Windows 2000 onlyClose all Internet Explorer, Firefox, and Opera windows before continuing.

Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.
If you use Firefox browserClick Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browserClick Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.


== Clear System Restore==

Let's make a new restore point and clear the others:Go - Start>Programmes>Accessories>System Tools>System Restore>Create a New Restore point.
Go - Start>Programmes>Accessories>System Tools>Disc Cleanup>"More Options" Tab>Remove All But Most Recent Point. Please do this for each hard drive that you have connected to the computer


== Kaspersky Web Scanner ==

Please do an online scan with Kaspersky WebScanner
You will need to use Internet Explorer to do this

Click on Accept

You will be promted to install an ActiveX component from Kaspersky, Click Yes.
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on NEXT
  • Now click on Scan Settings
  • In the scan settings make that the following are selected:
    • Scan using the following Anti-Virus database:
    Extended (if available otherwise Standard)
    • Scan Options:
    Scan Archives
    Scan Mail Bases
  • Click OK
  • Now under select a target to scan:Select My Computer
  • This will program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
    • Now click on the Save as Text button:
  • Save the file to your desktop.
  • Copy and paste that information in your next post.

== Request Logs ==

Please post the log from the Kaspersky scan.

-Ryan
  • 0

#5
poemsmith

poemsmith

    New Member

  • Topic Starter
  • Member
  • Pip
  • 6 posts
Ryan, here is the KASPERSKY scan:

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Tuesday, April 01, 2008 11:52:07 AM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 1/04/2008
Kaspersky Anti-Virus database records: 675855
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
C:\
D:\
E:\
F:\
G:\
H:\
I:\

Scan Statistics:
Total number of scanned objects: 79169
Number of viruses found: 2
Number of infected objects: 4
Number of suspicious objects: 0
Duration of the scan process: 01:13:19

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\F-Secure\logs\FSMA\fsma.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\3ad391678a806ec4d691e83aaa393b6f_24adf822-76f7-4481-b30b-ff1b40f8687f Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\eHome\logs\ehRecvr.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Windows Defender\Support\MPLog-03302008-163316.log Object is locked skipped
C:\Documents and Settings\All Users\Documents\Recorded TV\TempRec\TempSBE\MSDVRMM_4106792396_1057488896_16024 Object is locked skipped
C:\Documents and Settings\All Users\Documents\Recorded TV\TempRec\TempSBE\SBE2.tmp Object is locked skipped
C:\Documents and Settings\All Users\Documents\Recorded TV\TempRec\{13CFF90E-C430-4193-8384-AB80898F2E89}.TmpSBE Object is locked skipped
C:\Documents and Settings\All Users\DRM\drmstore.hds Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\Monica E. Smith\Application Data\acccore\nss\cert8.db Object is locked skipped
C:\Documents and Settings\Monica E. Smith\Application Data\acccore\nss\key3.db Object is locked skipped
C:\Documents and Settings\Monica E. Smith\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Monica E. Smith\Desktop\DOWNLOADS\freeripmp3.exe/file25 Infected: not-a-virus:AdTool.Win32.MyWebSearch.br skipped
C:\Documents and Settings\Monica E. Smith\Desktop\DOWNLOADS\freeripmp3.exe Inno: infected - 1 skipped
C:\Documents and Settings\Monica E. Smith\Local Settings\Application Data\AOL OCP\AIM\Storage\All Users\localStorage\common.cls Object is locked skipped
C:\Documents and Settings\Monica E. Smith\Local Settings\Application Data\AOL OCP\AIM\Storage\data\verslibrist222\localStorage\common.cls Object is locked skipped
C:\Documents and Settings\Monica E. Smith\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Monica E. Smith\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Monica E. Smith\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Monica E. Smith\Local Settings\Temp\Perflib_Perfdata_660.dat Object is locked skipped
C:\Documents and Settings\Monica E. Smith\Local Settings\Temp\~DF301B.tmp Object is locked skipped
C:\Documents and Settings\Monica E. Smith\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Monica E. Smith\ntuser.dat Object is locked skipped
C:\Documents and Settings\Monica E. Smith\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Program Files\EMBARQ Online Security\Anti-Virus\dbupdate.log Object is locked skipped
C:\Program Files\EMBARQ Online Security\Anti-Virus\deleteme_msg.log Object is locked skipped
C:\Program Files\EMBARQ Online Security\Anti-Virus\fsqh.exe.Qrt.log Object is locked skipped
C:\Program Files\EMBARQ Online Security\Anti-Virus\perf.dat Object is locked skipped
C:\Program Files\EMBARQ Online Security\Anti-Virus\power.dat Object is locked skipped
C:\Program Files\EMBARQ Online Security\Common\policy.bpf Object is locked skipped
C:\Program Files\EMBARQ Online Security\Common\policy.ipf Object is locked skipped
C:\Program Files\EMBARQ Online Security\FSAUA\fsbwupst.log Object is locked skipped
C:\Program Files\EMBARQ Online Security\FSAUA\program\fsaua.dbg Object is locked skipped
C:\Program Files\EMBARQ Online Security\FSAUA\program\fsaua.log Object is locked skipped
C:\Program Files\EMBARQ Online Security\FSPC\csdk\Stlst\StatListDb.dat Object is locked skipped
C:\Program Files\EMBARQ Online Security\FSPC\csdk\Stlst\StatListDb.idx Object is locked skipped
C:\Program Files\EMBARQ Online Security\FSPC\csdk\urlcache\domainNames.dat Object is locked skipped
C:\Program Files\EMBARQ Online Security\FSPC\csdk\urlcache\domainNames.idx Object is locked skipped
C:\Program Files\EMBARQ Online Security\FSPC\csdk\urlcache\urlCacheDb.dat Object is locked skipped
C:\Program Files\EMBARQ Online Security\FSPC\csdk\urlcache\urlCacheDb.idx Object is locked skipped
C:\Program Files\EMBARQ Online Security\FSPC\logs\fspcwld.dat Object is locked skipped
C:\Program Files\EMBARQ Online Security\FSPC\logs\fspcwli.dat Object is locked skipped
C:\Program Files\EMBARQ Online Security\Spam Control\log\fs_sa_log.txt Object is locked skipped
C:\Program Files\VMN Toolbox 4\vmntoolbar\vmntoolbarsetup.exe/data0146 Infected: not-a-virus:AdWare.Win32.BHO.w skipped
C:\Program Files\VMN Toolbox 4\vmntoolbar\vmntoolbarsetup.exe NSIS: infected - 1 skipped
C:\System Volume Information\catalog.wci\00000002.ps1 Object is locked skipped
C:\System Volume Information\catalog.wci\00000002.ps2 Object is locked skipped
C:\System Volume Information\catalog.wci\0001000F.ci Object is locked skipped
C:\System Volume Information\catalog.wci\cicat.fid Object is locked skipped
C:\System Volume Information\catalog.wci\cicat.hsh Object is locked skipped
C:\System Volume Information\catalog.wci\CiCL0001.000 Object is locked skipped
C:\System Volume Information\catalog.wci\CiP10000.000 Object is locked skipped
C:\System Volume Information\catalog.wci\CiP20000.000 Object is locked skipped
C:\System Volume Information\catalog.wci\CiPT0000.000 Object is locked skipped
C:\System Volume Information\catalog.wci\CiSL0001.000 Object is locked skipped
C:\System Volume Information\catalog.wci\CiSP0000.000 Object is locked skipped
C:\System Volume Information\catalog.wci\CiST0000.000 Object is locked skipped
C:\System Volume Information\catalog.wci\CiVP0000.000 Object is locked skipped
C:\System Volume Information\catalog.wci\INDEX.000 Object is locked skipped
C:\System Volume Information\catalog.wci\propstor.bk1 Object is locked skipped
C:\System Volume Information\catalog.wci\propstor.bk2 Object is locked skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP105\change.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\ModemLog_Conexant D850 56K V.9x DFVc Modem.txt Object is locked skipped
C:\WINDOWS\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{3F9BF733-22AA-4E4C-BDD3-283464314415}.crmlog Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\EventCache\{92E2B8F6-FB37-429D-9539-E4DA302B4C88}.bin Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\DEFAULT Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\IntelDH.evt Object is locked skipped
C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
C:\WINDOWS\system32\config\Media Ce.evt Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\SOFTWARE Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SYSTEM Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\Temp\AVP4559.tmp Object is locked skipped
C:\WINDOWS\Temp\AVP455A.tmp Object is locked skipped
C:\WINDOWS\Temp\Perflib_Perfdata_5e4.dat Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped

Scan process completed.
  • 0

#6
Ryan

Ryan

    Member 4k

  • Member
  • PipPipPipPipPipPipPip
  • 4,867 posts
Delete the following:
C:\Documents and Settings\Monica E. Smith\Desktop\DOWNLOADS\freeripmp3.exe
C:\Program Files\VMN Toolbox 4\vmntoolbar\vmntoolbarsetup.exe

How's the computer running?

-Ryan
  • 0

#7
poemsmith

poemsmith

    New Member

  • Topic Starter
  • Member
  • Pip
  • 6 posts
done and done.

now running VERY well. quick, no "weird" things happening. :)

monica
  • 0

#8
Ryan

Ryan

    Member 4k

  • Member
  • PipPipPipPipPipPipPip
  • 4,867 posts
Congratulations, your log is clean :)

For information on how to protect yourself in the future, read Infection Prevention

Do you have any other questions or concerns? This thread will be left open for a few more days, so feel free to ask.

-Ryan
  • 0

#9
poemsmith

poemsmith

    New Member

  • Topic Starter
  • Member
  • Pip
  • 6 posts
no, not at this time. thank you so much, ryan. you have no idea the grief/stress you have saved me. i greatly appreciate your time and your expertise. you're amazing, for doing this. much thanks.
  • 0

#10
Ryan

Ryan

    Member 4k

  • Member
  • PipPipPipPipPipPipPip
  • 4,867 posts
Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :)

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.
  • 0






Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP