Gary - I need your help please!

[Syd]

Gary here is the HJT scan. Many thanks Syd

Logfile of HijackThis v1.99.1
Scan saved at 上午 11:13:58, on 2007/2/10
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\csrss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\Wintab32.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\Explorer.EXE
D:\WINDOWS\system32\spoolsv.exe
D:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
D:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9BP.EXE
D:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\wdfmgr.exe
D:\WINDOWS\system32\ZONELABS\vsmon.exe
D:\Program Files\QuickTime\qttask.exe
D:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
D:\WINDOWS\system32\ctfmon.exe
D:\WINDOWS\System32\alg.exe
D:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe
D:\WINDOWS\system32\conime.exe
D:\WINDOWS\system32\taskmgr.exe
D:\Program Files\Internet Explorer\iexplore.exe
D:\HJT\HijackThis.exe

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - D:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: NTIECatcher Class - {C56CB6B0-0D96-11D6-8C65-B2868B609932} - D:\Program Files\Xi\NetTransport 2\NTIEHelper.dll
O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - D:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: Dr.eye WebPage Translation - {92B255FE-94E2-4BCA-958D-3926CE38913F} - D:\PROGRA~1\Inventec\Dreye\DreyeMT\DREYEI~1.DLL
O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - D:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - D:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O4 - HKLM\..\Run: [PHIME2002ASync] D:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] D:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [SiSUSBRG] D:\WINDOWS\sisUSBrg.exe
O4 - HKLM\..\Run: [EPSON Stylus CX3500 Series] D:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9BP.EXE /P26 "EPSON Stylus CX3500 Series" /O6 "USB001" /M "Stylus CX3500"
O4 - HKLM\..\Run: [Zone Labs Client] D:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
O4 - HKLM\..\Run: [QuickTime Task] "D:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [IMJPMIG8.1] "D:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [AVG7_CC] D:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [ctfmon.exe] D:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: &Yahoo! Search - file:///D:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Download all by Net Transport - D:\Program Files\Xi\NetTransport 2\NTAddList.html
O8 - Extra context menu item: Download by Net Transport - D:\Program Files\Xi\NetTransport 2\NTAddLink.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///D:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///D:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///D:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - D:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=Http://www.synnex.com.tw/
O15 - Trusted Zone: http://office.microsoft.com
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/par...an_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "D:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: WgaLogon - D:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Adobe LM Service - Adobe Systems - D:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - D:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - D:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - D:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - D:\Program Files\iPod\bin\iPodService.exe
O23 - Service: TuneUp WinStyler Theme Service (TUWinStylerThemeSvc) - TuneUp Software GmbH - D:\Program Files\TuneUp Utilities 2006\WinStylerThemeSvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - D:\WINDOWS\system32\ZONELABS\vsmon.exe

[Gary Richardson]

Hi Syd,

Far as I can see your Computer is clear of any infection. I can't guarantee that you won't get the warning windows on your browser, but I can say with some confidence that it is not caused by any hidden infection that you may have.

It is of course possible that you have a new form of Rootkit that isn't detected by GMER, but that likelihood is very remote as the writer of GMER keeps it very much up to date with the latest Rootkit techniques.

OK, lets do a little tidying up, then I'll give you a list of things you can do to secure your computer. You've already done some of them, but read through the list and attend to any you may have missed.

Right, first thing is to delete these folders (in bold).

D:\!KillBox
C:\Program Files\Norton AntiVirus

You can also delete the Killbox executable Killbox.exe you won't be needing it further. Killbox is a very powerful programme and if used inappropriately can do a lot of damage.

Now to secure your system.

THESE STEPS ARE VERY IMPORTANT

Lets reset system restore
Reset and Re-enable your System Restore to remove infected files that have been backed up by Windows. The files in System Restore are protected to prevent any programs changing those files. This is the only way to clean these files: You will lose all previous restore points which are likely to be infected. Please note you need Administrator Access to clean the restore points.

• Turn off System Restore.
  • On the Desktop, right-click My Computer.
  • Click Properties.
  • Click the System Restore tab.
  • Check Turn off System Restore.
  • Click Apply, and then click OK.
• Reboot.
  
• Turn ON System Restore.
  • On the Desktop, right-click My Computer.
  • Click Properties.
  • Click the System Restore tab.
  • UN-Check *Turn off System Restore*.
  • Click Apply, and then click OK.
• NOTE: only do this ONCE, NOTon a regular basis

Updating Windows and Internet Explorer

IMPORTANT: You need to update Windows and Internet Explorer to protect your computer from the malware that is around on the Internet. Please go to the windows update site to get the critical updates.

If you're running Microsoft Office, or any portion thereof, go to Microsoft's Office Update site and make sure you have at least all the critical updates installed. (Free at Microsoft Office Update).

Make your Internet Explorer more secure (some people are annoyed by the prompts they get after they've done this, so it's optional, however your computer will be less secure. As I use Firefox, tying IE down like this does not bother me, however if you use IE as your main browser you may want to trade off security for utility, your choice).

• From within Internet Explorer click on Tools > Options > Security > Internet > Custom Level.
• Make sure these options are set as follows:
  • Download signed ActiveX controls to Prompt
  • Download unsigned ActiveX controls to Disable
  • Initialize and script ActiveX controls not marked as safe to Disable
  • Installation of desktop items to Prompt
  • Launching programs and files in an IFRAME to Prompt
  • Navigate sub-frames across different domains to Prompt
• When all these settings have been made, click on the OK button.
• If it prompts you as to whether or not you want to save the settings, press the Yes button.
• Press the Apply button and then the OK to exit the Internet Properties page.

The following are free programs that are designed to keep your computer clean. A brief description is included with each item, click on name to go to download site.

• Adaware SE Personal
  Adaware is a free program. It scans for known spyware on your computer. These scans should be run at least once every two weeks. For more information, see this tutorial
  
• Spybot S & D
  Spybot is a scanner like Adaware. It scans for spyware and other malicious programs. It is important to have both Adaware and Spybot on your computer because each program provides unique detection and protection measures. Spybot has preventitive tools that stop programs from even installing on your computer.
  To see how to set this up as well as more spybot features, see here
  
• SpywareBlaster
  Spyware blaster is a program that stops known malicious activex controls from installing on your computer. It works by changing settings in your registry. It makes "kill bits" in the registry, so that certain activex controls can't install.
  If you don't know what activex controls are, see here
  
• IE Spyad
  It puts many bad webpages on your restricted zones LIST. This means that you can still view the "bad" webpages, but the webpages can't do certain things (such as use javascripts and cookies). Use IE Spyad for single account computers, and IE Spyad 2 for multi account computers.
  
• Hosts file:
  • Every version of windows has a hosts file as part of them.
  • In a very basic sense, they are used to locate webpages.
  • We can customize a hosts file so that it blocks certain webpages.
  • However, it can slow down certain computers.
  • This is why using a hosts file is optional!!
  • Make sure you read the instructions on how to install the hosts file, here.
• If you decide to download the hosts file, the slowdown problems can usually be avoided by following these steps:
  • Click the start button (at the lower left hand corner of your screen)
  • Click run
  • In the dialog box, type services.msc
  • hit enter, then locate dns client
  • Highlight it, then double-click it.
  • On the dropdown box, change the setting from automatic to manual.
  • Click ok
    

• Use an Anti Virus Software - It's very important that your computer has an anti-virus software running. This alone can save you a lot of trouble with malware in the future. See this link for a LISTing of some, on line & their stand-alone anti virus programs:
  Computer Safety On line - LIST of free Anti virus programs
  
• Use a Firewall - I cannot stress enough how important it is that you use a Firewall on your computer. Without a firewall your computer is susceptible to being hacked and taken over. Simply using a Firewall in its default configuration can lower your risk greatly. For more info, check this webpage out.
  See here to choose one.
  
• Site Advisor This is a utility that can be downloaded and installed. It loads an icon to the taskbar of your browser (versions for IE and Firefox), indicating the trustworthiness of the site you are on. Green for safe, Red for suspicious. Click on the icon to access details that SiteAdvisor has about the site. It also marks entries when you're doing a Google search, and I personally find this the most useful feature as it allows you to judge how safe a site is before you visit it. Despite the fact that it's now owned by McAfee, I highly recommend it.

Just a final reminder for you.

• UPDATE UPDATE UPDATE!!! Make sure you do this about every 1-2 weeks.
• Run Spybot and Adaware regularly. (Once a week minimum)
• It is important that you visit http://www.windowsupdate.com regularly. This will ensure you always have the latest security updates installed on your computer. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.

Once again, please post and tell me how things are going with your system... problems etc.

Gary

[Syd]

Gary you are an absolute star! Thank you so much for all the time and effort you have spent over the past week helping me out with my computer. I can't tell you how much I appreciate it. You explained everything so clearly and everything worked just like you said it would. And you did it all in such a way that never once did I feel like I was being spoken down to. Hats off to you Gary!

To update you on what I have done so far: OK, deleted those files that you said I should, and took the time to delete another 1 gig or so of stuff that I didn't need or want anymore, defragmented my hard drive and ran another AVG scan. All clean!

You won't believe this but when I went to switch off System Restore, I found that it had been switched off already. I don't think I ever had it on. It was probably like that when I bought it because I would never have switched it off in the first place. Anyway it is on now.

I went to update Windows but I had done that recently so there was nothing to update.

I am downloading the lastest version of IE at the moment and will install immediately.

I also plan to download that Adaware Programme. I already have Spybot.

My AVG Antivirus is set to scan everyday. Perhaps that is a bit excessive. My Norton used to scan once a week. I will see how it goes. It doesn't seem to slow the computer down as much as Norton did.

All in all everything seems to be going a lot better now than a week ago. Ultimately I need a new computer but, to be honest, can't afford it right now so I got a bit panicky when this one seemed to be giving up the ghost. Thank you so much for rescuing it!

Will keep you posted if there are any further developments.

Sincerely and extremely gratefully
Syd

[chrishoggy]

Scanning every day isn't excessive at all, in fact I would say it's the norm
Gary has said all the rest, as he is the malware/spyware Guru

Might also be worth spending a few $ on a data recovery/restore program such as
Acronis
http://www.acronis.com/homecomputing/products/

Or
RestoreIT (Gary, stop laughing )
http://www.farstone.com/software/restoreit.htm

These can give you the option of restoring all your system and personal files back to just before a problem started.

[Gary Richardson]

Hi Syd,

Glad everything seems to be working fine, happy to help where I can.

As Chris has said, a good backup strategy is always a very good idea. (Just hope that mentioning RestoreIt doesn't start another round of discussions with our absent friend ).

Keep safe, any problems let me know.

[1STLITE]

Hey, ya'll!! Popular thread here, huh? lol

Well, I solved my issues - got a new computer!! yaaay! I am just in awe at this wonderful new device! I worked for so long with that pos, restarting over and over and over just to be able to keep working - sooooo slow. I am sure this one is no speed demon compared to alot of folks' setups, but it sure is nice to me!!! To think I can edit, listen to music, chat and browse at the same freaking time is just AWESOME to me!!! My head is spinning, seriously!

Gary, I need your help one more time, if I may bother you. It will probably be a couple days til I can get it done, but I wonder if you mind checking over a HJT log for me, to let me know what I can safely disable in the startup. I had that other one pretty clean, yes, but this is different for me and I only knew what I was doing on the other because I looked up every little tiny thing about it, spent hours and hours - don't have that kind of time on my hands currently, though. Plus this has XP MCE (it was cheap), and I am clueless what some of this stuff is. Let me know if you can do this for me in a couple days, pretty please? I appreciate you SO much!

Have a Great Day, everyone!
Dawn

[Gary Richardson]

No problem Dawn, just post it when you're ready.

Send me a PM with a link to the post so I don't miss it.