TechSpot

Please interpret virus scan logs

By nelliegrl
Mar 18, 2009
  1. Hey guys~ this is my first post and I'm a little nervous because I don't know much about computers, but I have been reading some other posts here and am so thankful to find a forum that may be able to help. So thanks in advance.

    Computer specs:
    CD drive is not currently working.
    Windows: Windows XP5.1 (Build 2600) Service Pack 3
    Internet Explorer: 6.0.2900.5512
    Memory (RAM): 511 MB
    CPU Info: Intel(R) Celeron(R) M processor 1500MHz
    CPU Speed: 1496.2 MHz
    Sound card: SigmaTel Audio
    Display Adapters: Intel(R) 82852/82855 GM/GME Graphics Controller | Intel(R) 82852/82855 GM/GME Graphics Controller | NetMeeting driver | RDPDD Chained DD
    Monitors: 1
    Screen Resolution: 1024 X 768 - 32 bit
    Network: Network Present
    Network Adapters: Intel(R) PRO/Wireless LAN 2100 3A Mini PCI Adapter - Packet Scheduler Miniport | Intel(R) PRO/100 VE Network Connection - Packet Scheduler Miniport | WAN (PPP/SLIP) Interface
    CD / DVD Drives: D: PHILIPS CDRW/DVD CDD5263
    COM Ports: COM3 | COM1
    LPT Ports: LPT1
    Mouse: 2 Button Mouse Present
    Hard Disks: C: 27.9GB
    Hard Disks - Free: C: 3.7GB
    USB Controllers: 4 host controllers.
    Firewire (1394): 1 host controllers.
    PCMCIA (Laptops): Not Installed
    Manufacturer: Dell Inc.
    Product Make: Latitude D505
    AC Power Status: OnLine
    BIOS Info: AT/AT COMPATIBLE | 09/03/04 | DELL - 27d40903
    Time Zone: Eastern Standard Time
    Battery: High
    Motherboard: Dell Inc. 0H2049
    Modem: Conexant D480 MDC V.9x Modem

    Well, I didn't mean to copy everything but now that it's there I'll just leave it since I'm not sure what info. you need & what you don't.
    BTW my computer is mostly for personal use and I also use it for my small business- mostly Microsoft office programs.

    Some problems I've been having:
    1) For quite awhile now- Google search results are not the same site that I click on (redirected)
    2) About a week ago- when I logged onto my computer as "main" my desktop icons & start tab were missing, only thing showing was background art. I figured out that if I logged on under the other user on my computer and switched users everything was seemingly normal. That lasted a few days, then didn't work either.
    (BTW the other user rarely if ever uses my computer).

    Things I've done to try & fix it:
    1) Tried right clicking on desktop- nothing.
    2) Tried ctrl/alt/del on desktop- nothing.
    3) A friend installed Avast & Spybot S&D a few days ago. The Avast scan found numerous things it put in the 'chest' but also found many things it said it was unable to scan. My friend said after the 2 scans finished I should see the icons in the lower right corner but they aren't there- I think something is blocking anti-virus programs from protecting me from incoming content and that they're only able to scan content that's already on my computer (my opinion).
    4) Started in safe mode and tried to do a system restore but was unable to choose a month other than March- couldn't get the calendar to move up or back by month. So I chose a date near the beginning of March. But when system restore was finished it said it could not be done and that nothing had been changed. But strangely enough my icons came back!
    5) Found this website & did the 8 steps, although had a little trouble downloading HJT- had to try several times before succeeding. (BTW the HJT scan barely lasted a few seconds before it was done so I'm not sure what happened there). Restarted computer AND shut down computer and now Google search seems to be working & icons are still there!

    But things seem to be running somewhat slowly and I still don't have any protection from incoming threats (at least I don't have any anti-virus icons in the lower right corner).
    Should I do anything else?
    Thanks so much- logs are attached.
     


  2. mflynn

    mflynn TS Rookie Posts: 2,655

    To
    you did a good job on the 8 steps.

    Another run indicated!
    OK there were found/removed items in MBAM and SAS so we need to run again as the first run likely exposed things that were not even seen the first time.

    So another run Quick Scan will likely find more. So UPDATE and run both again.

    Post logs!

    Mike
     
  3. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Don't be nervous Nellie- I haven't bitten anyone on the other side of the screen yet!
    Here is why you should never attempt a System Restore when malware is suspected:

    These are from the SAS log. System Volume is the restore points. I've copied just one of each file to show you that there is malware in the restore points:
    As the end of a cleaning, we have you drop all the old restore points and set a new clean one.

    To prevent the Tracking Cookies:
    Update Java:
    For the scans:
    You are going to need to disable this Real Time program, then update each of the three programs and scan again, attach new logs:
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

    SPYBOT TEATIMER
    AVG ANTI-SPYWARE
    (when you get ready to turn this back on, you might want to check and see if the v7.5 is still supported and updating)

    It appears you might have had the Norton/Symantec security at some point. You might have uninstalled it, but these entries remain, so you need to run the Norton Removal Tool:
    http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2005033108162039
    It appears you may have changed printers and not uninstalled the previous printer:
    There are also Epson temp files:
    What is the status of the Epson printer?

    Okay, that's the housework! Please reboot the computer after resetting Cookies, installing Java, disabling the Real Time Protection, running the Norton Removal Tool. When you get it handled, please update and run new scans with the three programs and attach new logs. A note about "update": you will not be updating the version of the program, but rather any new malware entries. After you have run the programs, take them off of Startup so they don't run in the background.

    Then we'll go over the logs.

    Edit: Gosh Mike, it took me over 40 minutes to set my post up! Yours wasn't on yet. And you missed the Real Time protection running.
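    The post above quotes one HijackThis O4 line and says the real-time program it names (TeaTimer) has to be disabled before the scans. As an added example that is not code from this thread, from HijackThis or from Spybot, here is a small Python parser that turns O4 lines into structured records (expanded registry key, value name, program path with arguments stripped) and picks out the entries that belong to a given list of real-time protection programs. The only line taken from the thread is the TeaTimer one; the remaining sample lines are constructed to show the other O4 layouts (HKLM, RunOnce, HKUS with a user suffix, Startup folders), and the layouts themselves are an assumption about the log format rather than anything the thread documents.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Constructed sample O4 lines. Line 1 is the TeaTimer line quoted in post #3;
# the others are made-up entries in the same format, not from the attached logs.
SAMPLE_O4_LINES = r"""
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\RunOnce: [Example] C:\example\example.exe /cleanup
O4 - Startup: Example Link.lnk = C:\Program Files\Example\example.exe
O4 - Global Startup: Example Global.lnk = C:\Program Files\Example\global.exe
O4 - HKUS\S-1-5-18\..\Run: [Example User] C:\WINDOWS\system32\example.exe (User 'SYSTEM')
""".strip().splitlines()

# Registry subkey that HijackThis abbreviates as "..\" in O4 lines (assumption).
RUN_KEY_PREFIX = r"Software\Microsoft\Windows\CurrentVersion"
HIVES = {"HKLM": "HKEY_LOCAL_MACHINE", "HKCU": "HKEY_CURRENT_USER", "HKUS": "HKEY_USERS"}

# Registry autostart form:  O4 - HKCU\..\Run: [Name] command  (User 'X')
REG_RE = re.compile(
    r"^O4 - (?P<hive>HK[A-Z]+)(?:\\(?P<sid>S-[\d-]+))?\\\.\.\\(?P<key>Run\w*): "
    r"\[(?P<name>[^\]]*)\] (?P<cmd>.*?)(?: \(User '(?P<user>[^']*)'\))?$"
)
# Startup-folder form:      O4 - Startup: Name.lnk = command
STARTUP_RE = re.compile(r"^O4 - (?P<scope>Global Startup|Startup): (?P<name>.+?) = (?P<cmd>.*)$")
# Program path: a quoted path, or everything up to the first ".exe".
EXE_RE = re.compile(r'^"([^"]+)"|^(.*?\.exe)', re.IGNORECASE)


@dataclass
class O4Entry:
    location: str                 # "Registry", "Startup" or "Global Startup"
    name: str                     # registry value name or shortcut name
    command: str                  # full command line as logged
    executable: str               # program path without arguments or quotes
    registry_path: Optional[str]  # expanded key for registry entries, else None
    user: Optional[str]           # user shown in the HKUS form, else None


def _executable_of(command: str) -> str:
    m = EXE_RE.match(command.strip())
    if not m:
        return command.strip()
    return m.group(1) or m.group(2)


def parse_o4(line: str) -> Optional[O4Entry]:
    """Parse one O4 line; return None for lines that are not O4 entries."""
    line = line.strip()
    m = REG_RE.match(line)
    if m:
        hive = HIVES.get(m.group("hive"), m.group("hive"))
        parts = [hive] + ([m.group("sid")] if m.group("sid") else []) + [RUN_KEY_PREFIX, m.group("key")]
        return O4Entry("Registry", m.group("name"), m.group("cmd"),
                       _executable_of(m.group("cmd")), "\\".join(parts), m.group("user"))
    m = STARTUP_RE.match(line)
    if m:
        return O4Entry(m.group("scope"), m.group("name"), m.group("cmd"),
                       _executable_of(m.group("cmd")), None, None)
    return None


def parse_o4_lines(lines: Iterable[str]) -> List[O4Entry]:
    """Parse a whole log, silently skipping non-O4 lines."""
    return [e for e in (parse_o4(ln) for ln in lines) if e is not None]


def find_realtime_entries(entries: Iterable[O4Entry], realtime_names: Iterable[str]) -> List[O4Entry]:
    """Return the entries whose name is on the caller's list of real-time protection programs."""
    wanted = {n.lower() for n in realtime_names}
    return [e for e in entries if e.name.lower() in wanted]


if __name__ == "__main__":
    entries = parse_o4_lines(SAMPLE_O4_LINES)
    for e in entries:
        print(f"{e.location:15} {e.registry_path or '-':70} [{e.name}] {e.executable}")
    for e in find_realtime_entries(entries, {"SpybotSD TeaTimer"}):
        print("disable before scanning:", e.name, "->", e.executable)
```

    The name list passed to `find_realtime_entries` is the caller's own (here just TeaTimer, as in the post); the parser itself only normalises the log lines so that an entry can be checked against the Run key it actually lives in.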
     
  4. nelliegrl

    nelliegrl TS Rookie Topic Starter

    update

    thanks so much for the feedback guys.
    mflynn~ i followed your instructions and the new logs are attached.
    bobbye~ thanks very much for such a detailed response. i am still trying to make sense of some of it. i did reset cookies. i haven't gotten java yet as i already did that as part of the 8 steps. but since you say i need to i will do it again- could be i deleted the wrong version.
    you said to do this before updating & scanning again but i'm not sure what "this Real Time program" is referring to, or how to disable. (see- my newbness is showing).
    since the lexmark printer could not be found in "add/remove programs" i did a search for it & nothing was found.
    the talk about removing norton is over my head. i don't know what a product key is or how to save it & i don't know which version of norton i have.
    how do i do this?

    also forgot to mention this but in the past few weeks, several times a week, a box pops up that says "firefox has encountered a problem & needs to close". don't know if this has anything to do w/ my other problems.

    i am quite sure my amateur status is apparent by now so my apologies for the hand holding, and my thanks.
     
  5. nelliegrl

    nelliegrl TS Rookie Topic Starter

    i just now saw the instructions on how to disable anti-virus on step 3 of the 8, and for Avast, it says right click on the icon in the system tray. as i stated earlier- no anti-virus icons appear in my system tray. is there another way to do this?
     
  6. mflynn

    mflynn TS Rookie Posts: 2,655

    Good job!

    Run SAS once more Quick Scan to confirm clean log. MBAM was good!

    Download ComboFix

    Get it here: http://download.bleepingcomputer.com/sUBs/ComboFix.exe
    Or here: http://subs.geekstogo.com/ComboFix.exe

    Double click combofix.exe follow the prompts.

    Install Recovery Console if connected to the Internet!

    When finished, it will open a log.
    Attach the log and a new HJT log in your next reply.

    Note: Do not click combofix's window while its running. That may cause it to stall.
    =========================================

    Download SDFix to Desktop.

    http://downloads.andymanchesta.com/RemovalTools/SDFix.exe

    On Desktop run SDFix. It will run (install) then close.

    Then reboot into Safe Mode

    As the computer starts up, tap the F8 key several times.

    On the Boot menu Choose Safe Mode.

    Click through all the prompts to get to desktop.

    At Desktop
    My Computer C: drive. Double-click to open.

    Look for a folder called SD Fix. Double-click to enter SD Fix.

    Double-click RunThis.bat. Type Y to begin.

    SD Fix does its job.

    When prompted hit the enter key to restart the computer

    Your computer will reboot.

    On normal restart the Fixtool will run again and complete the removal process, then say Finished.
    Hit the Enter key to end the script and load your desktop icons.

    Once the desktop is up, the SDFix report will open on screen and also be saved to the SDFix folder as Report.txt.
    Attach the Report.txt file to your next post.

    And after all the above a fresh HJT log!

    Mike
     
  7. nelliegrl

    nelliegrl TS Rookie Topic Starter

    i downloaded those 2 programs mike, so i can run them tonight at home (about to leave work now). sorry to ask again but how do i disable avast if there is no icon in my "tray"?
     
  8. kimsland

    kimsland Ex-TechSpotter Posts: 14,524

    I don't think Avast is currently actively protecting you, and that's why it's not there.
    This program could be corrupt, and you likely may need to re-install it. (that or Avira Antivirus)
     
  9. mflynn

    mflynn TS Rookie Posts: 2,655

    Yes run tonight!

    Kim is correct, your Avast may be damaged, although that is one of its quirks, as I have it on one of my computers and it dropped the tray icon but was still resident. We will look into it!

    But for now the main thing is to get you through these programs. So for now don't worry about it, the logs will likely show if it interferes, and if you get a prompt about any of these cleanups from TechSpot then allow them.

    Mike
     
  10. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Nellie, yes, your 'newness' is showing! I laid out the steps for you with the exception of telling you how to take the program off of startup. If you follow the steps for TeaTimer and AVG Anti-Spyware, you won't have to take them off of startup. Just restart the computer after.

    You are going to need to get some basic reading to help you learn. I have always recommended the "Dummies" series for the operating system being used. For instance, you should get "Windows XP for Dummies." Don't be offended by the 'dummies' reference I have a whole library of them!

    Real Time means that a program is running the entire time you are signed on to the internet. These type of programs can interfere with cleaning.

    Frankly, I would not have had you download and run any other programs until you finished what I set up for you. Regarding Java, the HijackThis log shows you are running version 6, update 5. The current is v6u12. If you ran HijackThis BEFORE you updated, that's why it shows the earlier version.

    To Mike: she is not ready for the additional programs. The Real Time programs need to be stopped first.
     
  11. nelliegrl

    nelliegrl TS Rookie Topic Starter

    ok, did all that mike said. apologies to bobbye but i decided to go with the instructions that were easier for me to understand. good news- when i turned on my computer for the first time tonight at home (actually before i ran the 2 new programs) the anti-virus icons were in my tray!
    anyway i ran combo fix first, then my desktop icons were missing again but this time ctrl/alt/delete worked to bring them back. then followed the remaining instructions. however i am unable to attach logs by either clicking on the paperclip in the message box or by clicking on manage attachments in the additional options box- which has worked previously. anyone?

    nevermind. tried it again and it worked this time. here are the most recent logs. goodnight.
     


  12. kimsland

    kimsland Ex-TechSpotter Posts: 14,524

    Presently you have the following installed:

    AVG8
    Avast!
    Symantec
    uTorrent

    Actually I would recommend un-installing uTorrent fully

    Uninstall your AVG Antivirus
    Then run the removal tool
    Here is the 32Bit version (most users): http://www.avg.com/filedir/util/avg_arm_sup_____.dir/avgremover.exe
    Here is the 64Bit version: http://www.avg.com/filedir/util/avg_arv_sup_____.dir/avgremoverx64.exe

    Un-install Norton (Symantec)
    Then run the Norton Removal tool

    Uninstall the corrupted Avast! Antivirus

    Restart (possibly a couple of times with the above ;))

    Install Avira free AntiVirus
    Run a full Antivirus scan

    Reply back with Avira Scan log, and a new HijackThis log
     
  13. mflynn

    mflynn TS Rookie Posts: 2,655

    I totally agree with Kim and Kritus above. I just did not want that done until the special tools we are using had removed all or most of the Malware they can find.

    Do it this way.

    1. Update MBAM and SAS first.
    2. Boot to Safe Mode only and run SAS and MBAM Quickscans
    3. Still in Safe Mode run Combofix once more

    Reboot back to Normal mode and post the logs.

    Then uninstall all as in the post above. Remember the Removers are to be run after normal install. If any of these ask for a reboot to finish then do so before moving on to the next uninstall. Also if any require a reboot then after reboot is when to do the removers.

    You will gain a great performance boost additionally by removing Norton.

    Then also uninstall AVG AntiSpyware as it has been defunct for some time and was never that great to begin with.

    After all above do the below...

    Download JavaRa http://prm753.bchea.org/JavaRa.html

    Unzip it, run it, to update choose Jucheck (Sun's updater) first, and if you do not have Jucheck then choose Update using Sun from here: http://www.java.com/en/download/manual.jsp

    After update choose Cleanup old versions. Give it a minute and after it pops up the log file you will see what it removed.

    Then click "Additional tasks" and check "Remove Useless JRE files" and "Remove JavaRa log files".

    After that run Search for Updates again to confirm you are up to date.
    After that run remove older versions again. This time the Log file should be empty.

    Follow the above with a new HJT log

    Mike
     
  14. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    I would like to make a suggestion regarding updating Java:

    The site Mike left is "This server is no longer maintained. You will be redirected to the new server in 10 seconds". I don't like 'redirects'. Instead, use this:
    ( Java Runtime Environment (JRE) 6.0 Update 12 ): http://java.com/en/download/manual.jsp

    Some of the Java update sites have other Toolbars pre-checked. Although the user should always look for this and remove the check, some don't and then get another download with Java. This also happens if you open the Java program and click on Check for updates. I think Open Office is pre-checked on the site.

    These are the same directions I left in Post #3. This is the last comment I'll leave on this thread. Hopefully someone will have you properly uninstall the Lexmark printer (there are 3 processes for it) and guide you in removing the rest of the 'left over' entries from programs you no longer have.

    And the reminder that the Real Time programs must be temporarily disabled BEFORE running the scans.
     
  15. mflynn

    mflynn TS Rookie Posts: 2,655

    No it is OK, JavaRa will do the update and allow removing old versions and useless jre files.

    The redirect is only because they moved to a new server. Either let it redirect or use the link below. Then follow my instructions in post #13 to run JavaRa.

    http://raproducts.org/click/click.php?id=1

    Tell us about the printers!

    Mike
     
  16. kimsland

    kimsland Ex-TechSpotter Posts: 14,524

  17. mflynn

    mflynn TS Rookie Posts: 2,655

    Hmm works OK for me my FF and Opera both go to same place! Straight to the download!

    Mike
     
  18. nelliegrl

    nelliegrl TS Rookie Topic Starter

    sorry for the delay

    in posting. i was off from work yesterday & preferred to be outside. not to mention i only have dial-up at home (yes, some of us still have it!) and wanted to wait to download avira at work. so i am still following the latest instructions & will post when i am done. actually, here are the logs for the instructions that came before downloading avira.

    ok, i think i am done w/ the latest instrux.
    notes:
    couldn't find utorrent or norton symantec in 'add or remove programs' nor could i find utorrent in a search. found symantec in a search and deleted all entries. deleted utorrent from desktop.
    we currently use epson C120 and R380 printers. i did a search for anything 'epson' and came up with numerous entries but i tried copying & pasting them here with no results. also tried saving them but when i opened the file they saved to the entries were gone. if someone can tell me how to get search results saved as a text or log file i would like for you to be able to view them.
    forgot to mention this earlier but way back when i ran the ccleaner, a box popped up several times at the bottom of the screen saying something like, 'your disk space is filling up'. this was confusing since the purpose of the cleaner is to open up space right?
    the last few times i started my comp. a screen appeared briefly that i've seen in safe mode. it's the one from safe mode where you choose from either windows xp something or other, or recovery console something or other. the windows xp entry is already highlighted & then the start-up process continues (screen disappears). is this normal?
    i think that's all. btw- love the 'luke filewalker'. hahahaha.

    well, i thought i was doing well to edit my post instead of starting a new one but now i don't see how to add additional attachments when editing so i will post the newest logs below.
     


  19. nelliegrl

    nelliegrl TS Rookie Topic Starter

    here are the latest avira & hjt logs.
     
  20. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Wow! And to think I stayed inside helping people with computer problems. Nellie, you had a good idea. I'm going out to enjoy the sunshine.

    Maybe I'll be back later.
     
  21. nelliegrl

    nelliegrl TS Rookie Topic Starter

    haha. i went for a nice hike down to the river. it was overcast but i prefer it that way, but it started getting pretty windy toward the end. btw thanks so much for taking the time to try & solve my problems!
     
  22. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    If you don't do this, the scans aren't reliable:

     
  23. nelliegrl

    nelliegrl TS Rookie Topic Starter

    thanks bobbye

    i cannot find a TeaTimer entry to uncheck in the system startup
    here are the entries that are in the 2nd column in system startup:
    Avira
    HotKeysCmds
    IgfxTray
    iTunesHelper
    PRONoMgr.exe
    Quick Time Task
    SunJava update
    ALU Alert
    Epson Stylus C...
    Epson Stylus P...
    SUPERAntiSpyware
    MSMSGS
    OM_Monitor
    swg
    GoogleToolbar
    ALU Alert
    Drempels Desktop
    SASWinLogon

    and the following entries were in the 2nd column where WinLogon was in the 1st column:
    crypt32chain
    cryptnet
    cscdll
    dimsntfy
    igfxcui
    ScCertProp
    Schedule
    sclgntfy
    SensLogn
    termsrv
    WgaLogon
    Wballoon
     
  24. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

  25. nelliegrl

    nelliegrl TS Rookie Topic Starter

    thanks for sticking w/ me bobbye. i guess everyone else bugged out. i checked out the link you provided and even went to pacman's list to see what everything was. that was pretty interesting. i was able to uncheck a few things that i didn't need running in the background. however i'm 99% sure i followed your previous instructions correctly and i still don't see a teatimer entry to uncheck after clicking on 'system startup' icon in the list. i clicked on 'help' in s.b.sad and came across this as a possible explanation:

    System Startup
    This tool lists all programs that are started at Windows startup. If those items are in the database coming with Spybot-S&D, it will display some more information about them. It also allows you to disable (and enable) items, as well as delete them, change them or insert new items.

    The entries will be displayed in different colours:


    Green: legitimate program
    Yellow: unknown, unneeded or unambiguous program (e.g. malware programs might use the same file name as legitimate programs)
    Red: malicious program

    On Windows 9x and ME, the user has full access to this list. On Windows NT/2000/XP/Vista, the list will display the global and the current user entries. For some functions like seeing all entries or even changing some, the user may need admin or power user rights.

    Since version 1.3 entries that have changed since the last snapshot (the first snapshot is created when you started Spybot-S&D for the first time, later on you can create snapshots by right-clicking the list and selecting the corresponding menu item) are displayed in bold letters. This allows you to see changes to the list at once.

    i am the admin but i don't know what power user rights are.
     
Topic Status:
Not open for further replies.
