Gary - I need your help please!

Syd · #1 02-06-2007, 12:48 AM

Gary, do you know what this screen means? It's not the first time I have had this come up and I went and downloaded Fixblast and have now run it twice but both times came up with nothing.

My computer has been acting really slowly lately. This is probably, in part, due to the fact that my hard drive is less than one Gb away from being choc a bloc! I am trying to hang in there for a while until I can afford to buy a whole new system - I have had this one for almost five years now. Perhaps I should also tell you that my Norton Antivirus expired a two months ago before I went on holiday and I still haven't got a new one. Whoops - don't scold me for that one! Also our apartment block is on a communal Internet connection. I have no idea how it works...all I know is that sometimes it is fast and sometimes it is slow. Am I in big trouble now and should I start backing up furiously?

Usually when the computer starts crawling at a snails pace then this screen comes up but then if I hit Refresh it will redirect me again. The last two days, however, it has been more offline than online. I am starting to get worried. Any advice. Thanks Gary or, in fact, anyone who might be able to explain to me what is going on.

Sincerely
Syd

CJ Swartz · #2 02-06-2007, 01:26 AM

Syd,

While waiting for Gary or one of the other knowledgeable folks to come by, take a look at this thread --

http://www.retouchpro.com/forums/har...lp-please.html

If you can backup really important files, do it -- not just because there's a problem, but because we always should do it.

There are free programs to scan for spyware and viruses -- while you're waiting, take a look at those and run one. Read what Gary says about the Hijack log -- wait for him if you have any questions about how to do anything, but start thinking about whether you've added any software lately, hardware, downloaded any funny email or programs from the internet, etc. -- something that might help Gary figure out what might be going on.

BillFrey · #3 02-06-2007, 01:39 AM

Hi Syd,

Your screen shot shows a url for my.yahoo.com. That's suspicious to begin with. Who would know how much bandwidth you are using and why would they warn you about it if it were a virus/worm?

Looks like a pop up ad that hit it's target.

Always good advice to keep your system free of virus and use a firewall.

CJ Swartz · #4 02-06-2007, 01:45 AM

Bill -- just to clarify -- it is Syd who has the problem.

Good advice about the firewall etc., but it may too late for that right now.

BillFrey · #5 02-06-2007, 01:54 AM

oops, sorry, CJ. When I scrolled to see the op's name I didn't realize the posts were in reverse order.

I'll fix my reply. Apologies!

chrishoggy · #6 02-06-2007, 02:18 AM

first of all you need to get your system protected and scanned, below is a free anti-virus and a free firewall. Both work very well and have never failed me.

Fire wall
http://www.zonelabs.com/store/conten...eeDownload.jsp

Anti-Virus
http://free.grisoft.com/doc/5390/lng...nti-virus-free

Then the next thing I would do is get shut of the Yahoo toolbar you have installed in IE6. Toolbars are never a good thing IMHO. Run windows updates, and make sure you are fully up to date with those. If you can, update to IE7 ,as it is a bit more secure than IE6.
If you can backup your files to CD/DVD and delete them from your system, this will help speed up your system. If you do that, defrag your hard drive after, to clean up the file placement on the drive.

Syd · #7 02-06-2007, 07:21 AM

CJ, Chris and Bill thanks so much for your advice. You guys are great. CJ, I am following Gary's advice in that thread right now and hopefully will have something to post for him soon. Chris, I do have Zonealarm and I will look into that Antivirus programme. My colleague at work mentioned AVG. It is free and, according to him, very good too. I had no idea that the toolbar might cause problems. I wouldn't even know how to remove it. Bill, I would never have thought to look at the URL. It looked so official to me and I just kept on wondering who or what Bandwidth Manager was!

Thanks guys.
Sincerely Syd

Cameraken · #8 02-06-2007, 07:22 AM

Hi Syd

Sorry to hear you are having problems. I am sure that Gary will need to see your HJT log. You could upload it whilst waiting for Gary if you want to save a little time.

Here are the instructions to post your log.

Click here to download HJTsetup.exe, and save it to your desktop.

Double click on the HJTsetup.exe icon on your desktop.
By default it will install to C:\Program Files\Hijack This.
Continue to click Next in the setup dialogue boxes until you get to the "Select Addition Tasks" dialogue.
Put a check by Create a desktop icon then click Next again.
Continue to follow the rest of the prompts from there.
At the final dialogue box click Finish and it will launch Hijack This.
Click on the "Do a system scan and save a log file" button. It will scan and then ask you to save the log.
Copy and paste the log here

DO NOT have HijackThis fix anything yet. Most of what it finds will be harmless or even required.

Ken.

Syd · #9 02-06-2007, 07:36 AM

Thanks so much Ken. Ok I have done everything as you have instructed and here are the results:

Logfile of HijackThis v1.99.1
Scan saved at 下午 10:29:04, on 2007/2/6
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\Wintab32.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\Explorer.EXE
D:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
D:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
D:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
D:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
D:\WINDOWS\system32\spoolsv.exe
D:\Program Files\Norton AntiVirus\navapsvc.exe
D:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
D:\WINDOWS\System32\svchost.exe
D:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
D:\WINDOWS\system32\ZONELABS\vsmon.exe
D:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9BP.EXE
D:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
D:\Program Files\QuickTime\qttask.exe
D:\Program Files\Common Files\Symantec Shared\ccApp.exe
D:\WINDOWS\system32\ctfmon.exe
D:\Program Files\Internet Explorer\iexplore.exe
D:\WINDOWS\system32\conime.exe
D:\HJT\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Adobe Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - D:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Adobe Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - D:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: NTIECatcher Class - {C56CB6B0-0D96-11D6-8C65-B2868B609932} - D:\Program Files\Xi\NetTransport 2\NTIEHelper.dll
O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - D:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: Dr.eye WebPage Translation - {92B255FE-94E2-4BCA-958D-3926CE38913F} - D:\PROGRA~1\Inventec\Dreye\DreyeMT\DREYEI~1.DLL
O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - D:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - D:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Adobe Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - D:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O4 - HKLM\..\Run: [PHIME2002ASync] D:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] D:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] D:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [SiSUSBRG] D:\WINDOWS\sisUSBrg.exe
O4 - HKLM\..\Run: [EPSON Stylus CX3500 Series] D:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9BP.EXE /P26 "EPSON Stylus CX3500 Series" /O6 "USB001" /M "Stylus CX3500"
O4 - HKLM\..\Run: [Zone Labs Client] D:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
O4 - HKLM\..\Run: [QuickTime Task] "D:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [IMJPMIG8.1] "D:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [ccApp] "D:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKCU\..\Run: [ctfmon.exe] D:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: &Yahoo! Search - file:///D:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///D:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///D:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///D:\Program Files\Yahoo!\Common/ycsms.htm
O8 - Extra context menu item: 使用影音傳送帶下載 - D:\Program Files\Xi\NetTransport 2\NTAddLink.html
O8 - Extra context menu item: 使用影音傳送帶下載全部連結 - D:\Program Files\Xi\NetTransport 2\NTAddList.html
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - D:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=Http://www.synnex.com.tw/
O15 - Trusted Zone: http://office.microsoft.com
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O17 - HKLM\System\CCS\Services\Tcpip\..\{B02DC897-A387-4AE6-AD76-E98EA833946F}: NameServer = 168.95.1.1
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "D:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: WgaLogon - D:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Adobe LM Service - Adobe Systems - D:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AdobeVersionCue - Adobe Sytems - C:\Program Files\Adobe\Adobe Version Cue\service\VersionCue.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - D:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - D:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - D:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - D:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - D:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - D:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - D:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: SAVScan - Symantec Corporation - D:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - D:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - D:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - D:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - D:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - D:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: TuneUp WinStyler Theme Service (TUWinStylerThemeSvc) - TuneUp Software GmbH - D:\Program Files\TuneUp Utilities 2006\WinStylerThemeSvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - D:\WINDOWS\system32\ZONELABS\vsmon.exe
O23 - Service: Wintab32 - Unknown owner - D:\WINDOWS\system32\Wintab32.exe

I haven't fixed anything just like you advised me to. Thanks so much for your help.
Sincerely Syd

Syd · #10 02-06-2007, 07:54 AM

Right click My Computer, then click Manage.
This will bring up the Computer Management window.
Expand System Tools then click Event Viewer.
Double click System in the Right Hand pane.

Look for any Error indications (white cross on red background).
If found, double click the entry and an Event Property window will open.

We need details from that window, particularly the Event ID.

_________________

Ok, I did this too and I have only one error: ID 4321

Syd

Cameraken · #11 02-06-2007, 08:12 AM

Hi Syd

You do have some nasties in there.
I am still in training at the Malware University and not yet allowed to help you, but I would suggest you do nothing more until Gary replies or he will need a fresh HJT log.

I shall watch with interest as Gary fixes this.

Ken.

Syd · #12 02-06-2007, 08:26 AM

Thanks Ken. I won't touch anything. I am too scared too! What I am doing right now is downloading the AVG Antivirus programme but I am not going to install it or uninstall Norton or anything like that. I am going to wait for Gary first. It is 11:15 at night over here so I will probably be going to bed in the next 45 mins or so and, therefore, might not receive any advice you or anyone else might give until tomorrow morning.

Sincerely Syd

Gary Richardson · #13 02-07-2007, 08:20 AM

Hi Syd,

Sorry I'm a bit late getting to this, had a few problems lately that needed dealing with, so just got on line.

Before we get started I've a couple of questions.

1. Is Hinet, Chungwa Telecom Co. Ltd. Taipei, Taiwan anything to do with your ISP (Internet Service Provider).

2. How is Synnex concerned with your PC.

I see some Oriental Translation programmes running on your computer, so I'm guessing the first is legit, but I'll wait your answers.

You're using your D:\ drive as your default drive, so my auto systems weren't able to be used and I had to research your log manually, so that added a little time.

OK, had a look through your log, and it's mostly clean, however there's an item showing that I'm interested in.

I'd like you to check a file(s) for Viruses.

Go to VirusTotal or Jotti's, and scan the following file(s).

Quote:

D:\WINDOWS\system32\conime.exe

Click on the Browse button at the top of the screen.
Browse to the file.
Click OK.
Click Send, and the file will upload to VirusTotal / Jotti, where it will be scanned by several anti-virus programmes.
After a while, a window will open, with details of what the scans found.
Note details of any viruses found.
Post me the details please.

It's quite possible you have Rootkitted processes running on your computer, so I'd like you to run some scans for me.

Download GMER and unzip it to your Desktop. (It will create a folder GMER)

Alternate Download Site

Disconnect from the Internet, and close all running programmes.
There is a small chance this programme may crash your computer, so save any work you have open.
Open the GMER folder, and double click gmer.exe
Let the gmer.sys driver load if asked.
If it gives you a warning at programme start about rootkit activity and asks if you want to run a scan ..... click OK.
If no warning:
- Click Rootkit tab.
- Ensure that All the boxes to the right of the program are checked except Show All.
- Click Scan.
Once scan is finished click Copy.
- Click Start > Run then type Notepad.exe then click OK.
- This will open a Notepad file.
- Hit Ctrl+V to paste log into it.
- Save the log to your Desktop.
Reconnect to internet and post the log please.

Please do an online scan with Kaspersky Online Scanner

Note: You must be using Internet Explorer as your browser as it will be necessary to install an Active X component to your computer.

Important If you have previously used Kaspersky Online Scanner (before 8th Aug 2006), you will have to uninstall the old version using Add/Remove Programs in Control Panel before you can use the new version.

Click on Kaspersky Online Scanner

You will be promted to install an ActiveX component from Kaspersky, Click Yes.

The program will launch and then start to download the latest definition files.
Once the scanner is installed and the definitions downloaded, click Next.
Now click on Scan Settings.
In the scan settings make sure that the following are selected:
- Scan using the following Anti-Virus database:
  - Extended (If available otherwise Standard)
- Scan Options:
  - Scan Archives
  - Scan Mail Bases
Click OK.
Now under select a target to scan select My Computer.
The scan will take a while so be patient and let it run. Once the scan is complete it will display if your system has been infected.
Now click on the Save as Text button:
Save the file to your desktop.
Copy and paste that information in your next post please, along with the GMER log, and the details from Jotti/Virus Total.

Post each log separately, so we don't exceed the post size limiter here.

Note: The Kaspersky online scanner is not yet fully compatible with IE7. You may get returned to a window without the Accept/Decline buttons after allowing the ActiveX control. The buttons are there - you just can't see them! Click on the zoom button (bottom, right of the window) and change it from 100% to 75%. You should now see the buttons. Reset to 100% once the license has been accepted.

Syd · #14 02-07-2007, 09:13 AM

Gary, firstly thank you so much for responding in such a detailed way. You're a star!

Before we get started I've a couple of questions.

1. Is Hinet, Chungwa Telecom Co. Ltd. Taipei, Taiwan anything to do with your ISP (Internet Service Provider).

2. How is Synnex concerned with your PC.

In response to 1 - Yes, Hinet is our ISP and Chungwa is the local Telecom company.

Gary I am not sure what Synnex is. It sounds like something to do with Norton...or is that Symantec?

Ok, the rest I will get onto right away. I am not sure how much I will be able to finish tonight (it is already after 12) but hopefully I should have everything posted by tomorrow afternoon.

Thanks again for your willingness to help Gary.
Sincerely Syd

Gary Richardson · #15 02-07-2007, 09:32 AM

Synnex is the website that this entry on your computer connects to.

O14 - IERESET.INF: START_PAGE_URL=Http://www.synnex.com.tw/

It is what IE uses when it resets to default conditions, usually it is set by the computer manufacturer or machine administrator, but it can be used by an attacker for malicious purposes.

In this case Synnex appears to be the retailer for your computer, (didn't find this info 1st time round), so the entry is likely to be legit. Just like to confirm things like this with the owner of the log I'm looking at.

Always happy to help where I can, I'm monitoring this thread, so I'll be notified when you next post.