Please interpret virus scan logs

Status
Not open for further replies.

nelliegrl

Posts: 10   +0
Hey guys~ this is my first post and I'm a little nervous because I don't know much about computers, but I have been reading some other posts here and am so thankful to find a forum that may be able to help. So thanks in advance.

Computer specs:
CD drive is not currently working.
Windows: Windows XP5.1 (Build 2600) Service Pack 3
Internet Explorer: 6.0.2900.5512
Memory (RAM): 511 MB
CPU Info: Intel(R) Celeron(R) M processor 1500MHz
CPU Speed: 1496.2 MHz
Sound card: SigmaTel Audio
Display Adapters: Intel(R) 82852/82855 GM/GME Graphics Controller | Intel(R) 82852/82855 GM/GME Graphics Controller | NetMeeting driver | RDPDD Chained DD
Monitors: 1
Screen Resolution: 1024 X 768 - 32 bit
Network: Network Present
Network Adapters: Intel(R) PRO/Wireless LAN 2100 3A Mini PCI Adapter - Packet Scheduler Miniport | Intel(R) PRO/100 VE Network Connection - Packet Scheduler Miniport | WAN (PPP/SLIP) Interface
CD / DVD Drives: D: PHILIPS CDRW/DVD CDD5263
COM Ports: COM3 | COM1
LPT Ports: LPT1
Mouse: 2 Button Mouse Present
Hard Disks: C: 27.9GB
Hard Disks - Free: C: 3.7GB
USB Controllers: 4 host controllers.
Firewire (1394): 1 host controllers.
PCMCIA (Laptops): Not Installed
Manufacturer: Dell Inc.
Product Make: Latitude D505
AC Power Status: OnLine
BIOS Info: AT/AT COMPATIBLE | 09/03/04 | DELL - 27d40903
Time Zone: Eastern Standard Time
Battery: High
Motherboard: Dell Inc. 0H2049
Modem: Conexant D480 MDC V.9x Modem

Well, I didn't mean to copy everything but now that it's there I'll just leave it since I'm not sure what info you need & what you don't.
BTW my computer is mostly for personal use and I also use it for my small business- mostly Microsoft office programs.

Some problems I've been having:
1) For quite a while now- Google search results are not the same site that I click on (redirected)
2) About a week ago- when I logged onto my computer as "main" my desktop icons & start tab were missing, only thing showing was background art. I figured out that if I logged on under the other user on my computer and switched users everything was seemingly normal. That lasted a few days, then didn't work either.
(BTW the other user rarely if ever uses my computer).

Things I've done to try & fix it:
1) Tried right clicking on desktop- nothing.
2) Tried ctrl/alt/del on desktop- nothing.
3) A friend installed Avast & Spybot S&D a few days ago. The Avast scan found numerous things it put in the 'chest' but also found many things it said it was unable to scan. My friend said after the 2 scans finished I should see the icons in the lower right corner but they aren't there- I think something is blocking anti-virus programs from protecting me from incoming content and that they're only able to scan content that's already on my computer (my opinion).
4) Started in safe mode and tried to do a system restore but was unable to choose a month other than March- couldn't get the calendar to move up or back by month. So I chose a date near the beginning of March. But when system restore was finished it said it could not be done and that nothing had been changed. But strangely enough my icons came back!
5) Found this website & did the 8 steps, although had a little trouble downloading HJT- had to try several times before succeeding. (BTW the HJT scan barely lasted a few seconds before it was done so I'm not sure what happened there). Restarted computer AND shut down computer and now Google search seems to be working & icons are still there!

But things seem to be running somewhat slowly and I still don't have any protection from incoming threats (at least I don't have any anti-virus icons in the lower right corner).
Should I do anything else?
Thanks so much- logs are attached.
 

Attachments

  • hijackthis.log
    6.7 KB · Views: 5
To "don't know much about computers": you did a good job on the 8 steps.

Another run indicated!
OK, there were found/removed items in MBAM and SAS, so we need to run again, as the first run likely exposed things that were not even seen the first time.

So another Quick Scan run will likely find more. So UPDATE and run both again.

Post logs!

Mike
 
Don't be nervous Nellie- I haven't bitten anyone on the other side of the screen yet!
Quote:
4) Started in safe mode and tried to do a system restore
Here is why you should never attempt a System Restore when malware is suspected:

These are from the SAS log. System Volume is the restore points. I've copied just one of each file to show you that there is malware in the restore points:
Adware.180solutions/Seekmo
C:\SYSTEM VOLUME INFORMATION\_RESTORE{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP216\A0035543.EXE
Adware.180solutions/Seekmo/Zango
C:\SYSTEM VOLUME INFORMATION\_RESTORE{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP216\A0035547.DLL
Adware.Search2Find
C:\SYSTEM VOLUME INFORMATION\_RESTORE{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP229\A0048176.LNK
At the end of a cleaning, we have you drop all the old restore points and set a new clean one.

To prevent the Tracking Cookies:
Reset Cookies:
For Internet Explorer: Internet Options (through Tools or Control Panel) Privacy tab> Advanced button> CHECK 'override automatic Cookie handling'> CHECK 'accept first party Cookies'> CHECK 'Block third party Cookies'> CHECK 'allow per session Cookies'> Apply> OK.

For Firefox: Tools> Options> Privacy section> Cookies> CHECK 'allow Cookies'> UNCHECK 'allow third party Cookies'.
Update Java:
Your version of Java is now outdated. Java vulnerabilities are commonly exploited by viruses so I strongly recommend you update. Click here to download the latest version of java ( Java Runtime Environment (JRE) 6.0 Update 12 ): http://java.com/en/download/manual.jsp
Please install it and then reboot your computer.

Remove the older versions of Java:
1. Click Start, Control Panel, Add/Remove Programs.
2. Delete all Java updates except J2SE Runtime Environment 6.0 Update 12

For the scans:
You are going to need to disable this Real Time program, then update each of the three programs and scan again, attach new logs:
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

SPYBOT TEATIMER
* Launch Spybot S&D, go to the Mode menu and make sure "Advanced Mode" is selected.
* On the left hand side, click on Tools, then click on the Resident Icon in the list.
* Uncheck the "Resident "TeaTimer" (Protection of overall system settings) active." box.
* Click on the "System Startup" icon in the List
* Uncheck the "TeaTimer" box and "OK" any prompts.
* If Teatimer gives you a warning that changes were made, click the "Allow Change" box when prompted.
* Exit Spybot S&D when done.
* (When we are done, you can re-enable Teatimer using the same steps but this time place a check next to "Resident TeaTimer" and check the "TeaTimer" box in System Startup.)
AVG ANTI-SPYWARE
* Launch AVG Anti-Spyware.
* From the "Status" menu, select "Change state" to inactivate 'Resident Shield' and 'Automatic Updates'.
* Then right click on AVG Anti-Spyware in the system tray and uncheck "Start with Windows".
(when you get ready to turn this back on, you might want to check and see if the v7.5 is still supported and updating)

It appears you might have had the Norton/Symantec security at some point. You might have uninstalled it, but these entries remain, so you need to run the Norton Removal Tool:
http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2005033108162039
The entries, ALUAlert are for Notification reminder for Symantec's LiveUpdate:
O4 - HKUS\S-1-5-18\..\Run: [ALUAlert] C:\Program Files\Symantec\LiveUpdate\ALUNotify.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ALUAlert] C:\Program Files\Symantec\LiveUpdate\ALUNotify.exe (User 'Default user')
It appears you may have changed printers and not uninstalled the previous printer:
This entry is for the Lexmark Print Server. If you no longer use a Lexmark, it should be uninstalled and the Service disabled:
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
Start> Run> services.msc> right click on LexBce Server> Properties> change Startup type to Disabled.

There are also Epson temp files:
O4 - HKCU\..\Run: [EPSON Stylus C120 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATICCA.EXE /FU "C:\WINDOWS\TEMP\E_S7B.tmp" /EF "HKCU"
O4 - HKCU\..\Run: [EPSON Stylus Photo R380 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIBOA.EXE /FU "C:\WINDOWS\TEMP\E_S85.tmp" /EF "HKCU"
What is the status of the Epson printer?

Okay, that's the housework! Please reboot the computer after resetting Cookies, installing Java, disabling the Real Time Protection, and running the Norton Removal Tool. When you get it handled, please update and run new scans with the three programs and attach new logs. A note about "update": you will not be updating the version of the program, but rather any new malware entries. After you have run the programs, take them off of Startup so they don't run in the background.

Then we'll go over the logs.

Edit: Gosh Mike, it took me over 40 minutes to set my post up! Yours wasn't on yet. And you missed the Real Time protection running.
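As an added illustration of the two log formats this post works through (HijackThis O4/O23 entries and SAS detections inside restore points), here is a small Python parser written for this thread; it is not part of the original post or of either tool. It assumes only the line shapes quoted above (the sample input is constructed from those quoted lines) and the hive meanings the post gives for HKCU, HKUS\S-1-5-18 and HKUS\.DEFAULT.

```python
import re

# Constructed sample input for this demo: the HijackThis (O4 / O23) and
# SUPERAntiSpyware lines quoted in the post above, not a complete log.
SAMPLE_HJT = r"""
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-18\..\Run: [ALUAlert] C:\Program Files\Symantec\LiveUpdate\ALUNotify.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ALUAlert] C:\Program Files\Symantec\LiveUpdate\ALUNotify.exe (User 'Default user')
O4 - HKCU\..\Run: [EPSON Stylus C120 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATICCA.EXE /FU "C:\WINDOWS\TEMP\E_S7B.tmp" /EF "HKCU"
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
"""
SAMPLE_SAS = r"""
Adware.180solutions/Seekmo
C:\SYSTEM VOLUME INFORMATION\_RESTORE{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP216\A0035543.EXE
Adware.180solutions/Seekmo/Zango
C:\SYSTEM VOLUME INFORMATION\_RESTORE{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP216\A0035547.DLL
Adware.Search2Find
C:\SYSTEM VOLUME INFORMATION\_RESTORE{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP229\A0048176.LNK
"""

# O4 lines: "O4 - <hive>\..\Run: [<name>] <command> (User '<user>')?"
O4_RE = re.compile(
    r"^O4 - (?P<hive>.+?)\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]*)\] "
    r"(?P<cmd>.*?)(?: \(User '(?P<user>[^']*)'\))?$"
)
# O23 lines: "O23 - Service: <display> (<short>) - <company> - <path>"
O23_RE = re.compile(
    r"^O23 - Service: (?P<display>.+?) \((?P<short>[^)]*)\) - "
    r"(?P<company>.+?) - (?P<path>.+)$"
)
# A file inside a System Restore point sits under ..._RESTORE{GUID}\RPnnn\...
RESTORE_RE = re.compile(
    r"\\SYSTEM VOLUME INFORMATION\\_RESTORE\{[0-9A-F-]+\}\\RP(?P<rp>\d+)\\", re.I
)
# Which account a Run key belongs to (hive meanings as given in the post).
HIVE_NOTES = {
    "HKLM": "machine-wide Run key (every user)",
    "HKCU": "Run key of the logged-on user",
    "HKUS\\S-1-5-18": "Run key of the SYSTEM account",
    "HKUS\\.DEFAULT": "Run key of the Default user profile",
}

def parse_hjt(text):
    """Parse HijackThis O4 and O23 lines into dicts; other lines are skipped."""
    entries = []
    for line in text.splitlines():
        for kind, rx in (("O4", O4_RE), ("O23", O23_RE)):
            m = rx.match(line.strip())
            if m:
                e = dict(m.groupdict(), kind=kind)
                if kind == "O4":  # annotate Run entries with hive and a TEMP-file flag
                    e["hive_note"] = HIVE_NOTES.get(e["hive"], "unknown hive")
                    e["flags"] = (["references a file under a TEMP directory"]
                                  if re.search(r"\\TEMP\\", e["cmd"], re.I) else [])
                entries.append(e)
    return entries

def parse_sas(text):
    """Pair each SAS detection name with the path on the next line and note
    which restore point (RPnnn) the file sits in, if any."""
    hits, name = [], None
    for line in filter(None, map(str.strip, text.splitlines())):
        if re.match(r"^[A-Za-z]:\\", line):  # a path line belongs to the name above it
            m = RESTORE_RE.search(line)
            hits.append({"name": name, "path": line, "rp": int(m["rp"]) if m else None})
        else:
            name = line
    return hits

def restore_points_with_malware(hits):
    """Sorted restore point numbers that hold at least one detected file."""
    return sorted({h["rp"] for h in hits if h["rp"] is not None})

if __name__ == "__main__":
    for e in parse_hjt(SAMPLE_HJT):
        print(e["kind"], e.get("name") or e["short"], e.get("hive_note", e.get("path")), e.get("flags", ""))
    print("Restore points holding malware:", restore_points_with_malware(parse_sas(SAMPLE_SAS)))
```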
 
update

thanks so much for the feedback guys.
mflynn~ i followed your instructions and the new logs are attached.
bobbye~ thanks very much for such a detailed response. i am still trying to make sense of some of it. i did reset cookies. i haven't gotten java yet as i already did that as part of the 8 steps. but since you say i need to i will do it again- could be i deleted the wrong version.
Quote:
disable this Real Time program
you said to do this before updating & scanning again but i'm not sure what "this Real Time program" is referring to, or how to disable. (see- my newbness is showing).
since the lexmark printer could not be found in "add/remove programs" i did a search for it & nothing was found.
the talk about removing norton is over my head. i don't know what a product key is or how to save it & i don't know which version of norton i have.
Quote:
take them off of Startup so they don't run in the background
how do i do this?

also forgot to mention this but in the past few weeks, several times a week, a box pops up that says "firefox has encountered a problem & needs to close". don't know if this has anything to do w/ my other problems.

i am quite sure my amateur status is apparent by now so my apologies for the hand holding, and my thanks.
 
i just now saw the instructions on how to disable anti-virus on step 3 of the 8, and for Avast, it says right click on the icon in the system tray. as i stated earlier- no anti-virus icons appear in my system tray. is there another way to do this?
 
Good job!

Run SAS once more Quick Scan to confirm clean log. MBAM was good!

Download ComboFix

Get it here: https://www.techspot.com/downloads/5587-combofix.html
Or here: http://subs.geekstogo.com/ComboFix.exe

Double click combofix.exe follow the prompts.

Install Recovery Console if connected to the Internet!

When finished, it will open a log.
Attach the log and a new HJT log in your next reply.

Note: Do not click combofix's window while its running. That may cause it to stall.
=========================================

Download SDFix to Desktop.

http://downloads.andymanchesta.com/RemovalTools/SDFix.exe

On Desktop run SDFix. It will run (install) then close.

Then reboot into Safe Mode

As the computer starts up, tap the F8 key several times.

On the Boot menu Choose Safe Mode.

Click through all the prompts to get to desktop.

At Desktop
My Computer C: drive. Double-click to open.

Look for a folder called SD Fix. Double-click to enter SD Fix.

Double-click RunThis.bat. Type Y to begin.

SD Fix does its job.

When prompted hit the enter key to restart the computer

Your computer will reboot.

On normal restart the Fixtool will run again and complete the removal process then say Finished.
Hit the Enter key to end the script and load your desktop icons.

Once the desktop is up, the SDFix report will open on screen and also be saved to the SDFix folder as Report.txt.
Attach the Report.txt file to your next post.

And after all the above a fresh HJT log!

Mike
 
i downloaded those 2 programs mike, so i can run them tonight at home (about to leave work now). sorry to ask again but how do i disable avast if there is no icon in my "tray"?
 
I don't think Avast is currently actively protecting you, and that's why it's not there.
This program could be corrupt, and you likely may need to re-install it. (that or Avira Antivirus)
 
Yes run tonight!

Kim is correct, your Avast may be damaged, although that is one of its quirks as I have it on one of my computers and it dropped the tray icon but was still resident. We will look into it!

But for now the main thing is to get you through these programs. So for now don't worry about it, the logs will likely show if it interferes, and if you get a prompt about any of these cleanups from TechSpot then allow them.

Mike
 
Nellie, yes, your 'newness' is showing! I laid out the steps for you with the exception of telling you how to take the program off of startup. If you follow the steps for TeaTimer and AVG Anti-Spyware, you won't have to take them off of startup. Just restart the computer after.

You are going to need to get some basic reading to help you learn. I have always recommended the "Dummies" series for the operating system being used. For instance, you should get "Windows XP for Dummies." Don't be offended by the 'dummies' reference I have a whole library of them!

Real Time means that a program is running the entire time you are signed on to the internet. These types of programs can interfere with cleaning.

Frankly, I would not have had you download and run any other programs until you finished what I set up for you. Regarding Java, the HijackThis log shows you are running version 6, update 5. The current is v6u12. If you ran HijackThis BEFORE you updated, that's why it shows the earlier version.

To Mike: she is not ready for the additional programs. The Real Time programs need to be stopped first.
 
Ok, did all that mike said. apologies to bobbye but I decided to go with the instructions that were easier for me to understand. good news- when I turned on my computer for the first time tonight at home (actually before I ran the 2 new programs) the anti-virus icons were in my tray!
anyway I ran combo fix first, then my desktop icons were missing again but this time ctrl/alt/delete worked to bring them back. then followed the remaining instructions. however I am unable to attach logs by either clicking on the paperclip in the message box or by clicking on manage attachments in the additional options box- which has worked previously. anyone?

nevermind. tried it again and it worked this time. here are the most recent logs. goodnight.
 

Attachments

  • ComboFixlog.txt
    12.4 KB · Views: 5
Presently you have the following installed:

AVG8
Avast!
Symantec
uTorrent

P2P Warning!

  • IMPORTANT I notice there are signs of one or more P2P (Person to Person) File Sharing Programs on your computer.

    uTorrent

    Please note that as long as you are using any form of Peer-to-Peer networking and downloading files from non-documented sources, you can expect infestations of malware to occur
    Once upon a time, P2P file sharing was fairly safe. That is no longer true. You may continue to use P2P sharing at your own risk; however, please keep in mind that this practice may be the source of your current malware infestation

    I'd like you to read the Guidelines for P2P Programs where we explain why it's not a good idea to have them.

    References for the risk of these programs can be found in these links: http://www.microsoft.com/windows/ie/community/columns/protection.mspx
    http://www.techweb.com/wire/160500554
    http://www.internetworldstats.com/articles/art053.htm
    See Clean/Infected P2P Programs here

    I would recommend that you uninstall uTorrent, however that choice is up to you. If you choose to remove these programs, you can do so via Control Panel >> Add or Remove Programs.

    If you wish to keep it, please do not use it until your computer is cleaned.

Actually I would recommend un-installing uTorrent fully

Uninstall your AVG Antivirus
Then run the removal tool
Here is the 32Bit version (most users): http://www.avg.com/filedir/util/avg_arm_sup_____.dir/avgremover.exe
Here is the 64Bit version: http://www.avg.com/filedir/util/avg_arv_sup_____.dir/avgremoverx64.exe

Un-install Norton (Symantec)
Then run the Norton Removal tool

Uninstall the corrupted Avast! Antivirus

Restart (possibly a couple of times with the above ;))

Install Avira free AntiVirus
Run a full Antivirus scan

Reply back with Avira Scan log, and a new HijackThis log
 
I totally agree with Kim and Kritus above. I just did not want that done until the special tools we are using had removed all or most of the Malware they can find.

Do it this way.

1. Update MBAM and SAS first.
2. Boot to Safe Mode only and run SAS and MBAM Quickscans
3. Still in Safe Mode run Combofix once more

Reboot back to Normal mode and post the logs.

Then uninstall all as in the post above; remember the Removers are to be run after normal install. If any of these ask for a reboot to finish, then do so before moving on to the next uninstall. Also, if any require a reboot, then after the reboot is when to do the removers.

You will gain a great performance boost additionally by removing Norton.

Then also uninstall AVG AntiSpyware as it has been defunct for some time and was never that great to begin with.

After all above do the below...

Download JavaRa http://prm753.bchea.org/JavaRa.html

Unzip it, run it, to update choose Jucheck (Sun's updater) first, and if you do not have Jucheck then choose Update using Sun from here: https://www.techspot.com/downloads/6463-java-se.html

After update choose Cleanup old versions. Give it a minute and after it pops up the log file you will see what it removed.

Then click "Additional tasks" and check "Remove useless JRE files" and "Remove JavaRa log files".

After that run Search for Updates again to confirm you are up to date.
After that run remove older versions again. This time the Log file should be empty.

Follow the above with a new HJT log

Mike
 
I would like to make a suggestion regarding updating Java:

The site Mike left is "This server is no longer maintained. You will be redirected to the new server in 10 seconds". I don't like 'redirects'. Instead, use this:
( Java Runtime Environment (JRE) 6.0 Update 12 ): http://java.com/en/download/manual.jsp

After download and Save to Desktop> double click to Run (install)
Go to Add/Remove Programs in the Control Panel> uninstall any earlier versions.
STOP the updater: Control Panel> Java> Update tab> UNCHECK 'check automatically check for updates'> Apply> when the message comes up 'are you sure'> answer Yes.
Please install it and then reboot your computer.
Some of the Java update sites have other Toolbars pre-checked. Although the user should always look for this and remove the check, some don't and then get another download with Java. This also happens if you open the Java program and click on Check for updates. I think Open Office is pre-checked on the site.

These are the same directions I left in Post #3. This is the last comment I'll leave on this thread. Hopefully someone will have you properly uninstall the Lexmark printer (there are 3 processes for it) and guide you in removing the rest of the 'left over' entries from programs you no longer have.

And the reminder that the Real Time programs must be temporarily disabled BEFORE running the scans.
 
No it is OK, JavaRa will do the update and allow removing old versions and useless jre files.

The redirect is only because they moved to a new server. Either let it redirect or use the link below. Then follow my instructions in post #13 to run JavaRa.

http://raproducts.org/click/click.php?id=1

Tell us about the printers!

Mike
 
sorry for the delay in posting. I was off from work yesterday & preferred to be outside. not to mention I only have dial-up at home (yes, some of us still have it!) and wanted to wait to download avira at work. so I am still following the latest instructions & will post when I am done. actually, here are the logs for the instructions that came before downloading avira.

ok, I think I am done w/ the latest instrux.
notes:
couldn't find utorrent or norton symantec in 'add or remove programs' nor could I find utorrent in a search. found symantec in a search and deleted all entries. deleted utorrent from desktop.
we currently use epson C120 and R380 printers. I did a search for anything 'epson' and came up with numerous entries but I tried copying & pasting them here with no results. also tried saving them but when I opened the file they saved to the entries were gone. if someone can tell me how to get search results saved as a text or log file I would like for you to be able to view them.
forgot to mention this earlier but way back when I ran the ccleaner, a box popped up several times at the bottom of the screen saying something like, 'your disk space is filling up'. this was confusing since the purpose of the cleaner is to open up space right?
the last few times I started my comp. a screen appeared briefly that I've seen in safe mode. it's the one from safe mode where you choose from either windows xp something or other, or recovery console something or other. the windows xp entry is already highlighted & then the start-up process continues (screen disappears). is this normal?
I think that's all. btw- love the 'luke filewalker'. hahahaha.

well, I thought I was doing well to edit my post instead of starting a new one but now I don't see how to add additional attachments when editing so I will post the newest logs below.
 

Attachments

  • SUPERAntiSpyware Scan Log - 03-19-2009eve - 18-10-13.log
    729 bytes · Views: 5
Wow! And to think I stayed inside helping people with computer problems. Nellie, you had a good idea. I'm going out to enjoy the sunshine.

Maybe I'll be back later.
 
haha. i went for a nice hike down to the river. it was overcast but i prefer it that way, but it started getting pretty windy toward the end. btw thanks so much for taking the time to try & solve my problems!
 
If you don't do this, the scans aren't reliable:

You are going to need to disable this Real Time program, then update each of the three programs and scan again, attach new logs:
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

SPYBOT TEATIMER
Quote:
* Launch Spybot S&D, go to the Mode menu and make sure "Advanced Mode" is selected.
* On the left hand side, click on Tools, then click on the Resident Icon in the list.
* Uncheck the "Resident "TeaTimer" (Protection of overall system settings) active." box.
* Click on the "System Startup" icon in the List
* Uncheck the "TeaTimer" box and "OK" any prompts.
* If Teatimer gives you a warning that changes were made, click the "Allow Change" box when prompted.
* Exit Spybot S&D when done.
* (When we are done, you can re-enable Teatimer using the same steps but this time place a check next to "Resident TeaTimer" and check the "TeaTimer" box in System Startup.)
 
thanks bobbye

i cannot find a TeaTimer entry to uncheck in the system startup
here are the entries that are in the 2nd column in system startup:
Avira
HotKeysCmds
IgfxTray
iTunesHelper
PRONoMgr.exe
Quick Time Task
SunJava update
ALU Alert
Epson Stylus C...
Epson Stylus P...
SUPERAntSpyware
MSMSGS
OM_Monitor
swg
GoogleToolbar
ALU Alert
Drempels Desktop
SASWinLogon

and the following entries were in the 2nd column where WinLogon was in the 1st column:
crypt32chain
cryptnet
cscdll
dimsntfy
igfxcui
ScCertProp
Schedule
sclgntfy
SensLogn
termsrv
WgaLogon
Wballoon
 
thanks for sticking w/ me bobbye. i guess everyone else bugged out. i checked out the link you provided and even went to pacman's list to see what everything was. that was pretty interesting. i was able to uncheck a few things that i didn't need running in the background. however i'm 99% sure i followed your previous instructions correctly and i still don't see a teatimer entry to uncheck after clicking on 'system startup' icon in the list. i clicked on 'help' in s.b.sad and came across this as a possible explanation:

System Startup
This tool lists all programs that are started at Windows startup. If those items are in the database coming with Spybot-S&D, it will display some more information about them. It also allows you to disable (and enable) items, as well as delete them, change them or insert new items.

The entries will be displayed in different colours:


Green: legitimate program
Yellow: unknown, unneeded or unambiguous program (e.g. malware programs might use the same file name as legitimate programs)
Red: malicious program

On Windows 9x and ME, the user has full access to this list. On Windows NT/2000/XP/Vista, the list will display the global and the current user entries. For some functions like seeing all entries or even changing some, the user may need admin or power user rights.

Since version 1.3 entries that have changed since the last snapshot (the first snapshot is created when you started Spybot-S&D for the first time, later on you can create snapshots by right-clicking the list and selecting the corresponding menu item) are displayed in bold letters. This allows you to see changes to the list at once.

i am the admin but i don't know what power user rights are.
 