
Secured Friend's Computer (HJT Log - Please check and recommend.)

Discussion in 'Malware and Virus Removal Archive' started by mailman, 2006/07/20.

  1. 2006/07/20
    mailman Lifetime Subscription

    mailman Geek Member Thread Starter

    Joined:
    2004/01/17
    Messages:
    1,901
    Likes Received:
    11
    Please look at the HJT log below and make any recommendations I should follow.

    A friend allowed me to make her computer more secure so I did the following...

    I uninstalled her 2-year-old Norton AntiVirus 2004 since it hadn't been renewed/updated in a year.

    I downloaded, installed, updated as necessary, and scanned when applicable:
    • AVG (Free)
    • Ad-Aware
    • Spybot Search & Destroy
    • Ewido
    • Spyware Blaster (enabled all protections)
    • MVPS HOSTS
    • Mozilla's Firefox (Javascript enabled, Java disabled, Cookies for originating site only)
    • McAfee's Site Advisor (for IE and Firefox)
    • Zone Alarm (Free) (Program Control in Low-Learning Mode for now to minimize alerts, Internet Zone: High Security, Trusted Zone: Medium Security)

    Ad-Aware scan flagged 55 files (DataMiner cookies). I allowed Ad-Aware to quarantine all.

    Spybot S&D flagged Wild Tangent (program) and Web Trends Live (cookie). I allowed Spybot S&D to quarantine all.

    Ewido flagged 20 more cookies and Hijacker.Small (in C:\windows\browser.exe). I allowed Ewido to quarantine all.

    I expect to replace Ewido's Guard with Windows Defender or some other free, automatically updating memory-resident anti-spyware app within the next month (when Ewido's free memory-resident feature period runs out).

    I am going to suggest my friend use Firefox for her primary browsing and use IE only when necessary. I haven't locked down IE yet (other than what Spyware Blaster did).

    My friend has minimal Internet/computer experience so I want to minimize the decisions she needs to make (such as with alert dialogues) and tasks she needs to perform (such as manual updates, manual scans, etc.).

    I may install avast! and see if I can turn off its memory resident features so it can be used as a back-up AV scanner.

    Here is her HJT Log:

    Logfile of HijackThis v1.99.1
    Scan saved at 2:41:04 AM, on 7/20/2006
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\ZoneLabs\vsmon.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    C:\Program Files\ewido anti-spyware 4.0\guard.exe
    C:\WINDOWS\System32\gearsec.exe
    C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
    C:\windows\system\hpsysdrv.exe
    C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
    C:\WINDOWS\System32\hphmon05.exe
    C:\HP\KBD\KBD.EXE
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\WINDOWS\system32\VTTimer.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\WINDOWS\AGRSMMSG.exe
    C:\Program Files\Yahoo!\browser\ybrwicon.exe
    C:\Program Files\BroadJump\Client Foundation\CFD.exe
    C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
    C:\PROGRA~1\Yahoo!\browser\ycommon.exe
    C:\WINDOWS\ALCXMNTR.EXE
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\ewido anti-spyware 4.0\ewido.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
    C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\SBC Self Support Tool\bin\mpbtn.exe
    C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
    C:\Security Software\HijackThis\unzipped\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q304&bd=pavilion&pf=desktop
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q304&bd=pavilion&pf=desktop
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/cus...sbcydial/*http://www.yahoo.com/search/ie.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/ie/defaults/sp/sbcydial/*http://www.yahoo.com
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dsl
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://yahoo.sbc.com/dial
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://red.clientapps.yahoo.com/customize/ie/defaults/su/sbcydial/*http://www.yahoo.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/cus...sbcydial/*http://www.yahoo.com/search/ie.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/ie/defaults/sp/sbcydial/*http://www.yahoo.com
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dial
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ie/defaults/su/sbcydial/*http://www.yahoo.com
    O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_12_0.dll
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\saIE.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
    O3 - Toolbar: HP view - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\Program Files\HP\Digital Imaging\bin\hpdtlk02.dll
    O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_12_0.dll
    O3 - Toolbar: SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\saIE.dll
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
    O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
    O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe "
    O4 - HKLM\..\Run: [HPHUPD05] c:\Program Files\HP\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
    O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe
    O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
    O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
    O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
    O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
    O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
    O4 - HKLM\..\Run: [YBrowser] C:\Program Files\Yahoo!\browser\ybrwicon.exe
    O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
    O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
    O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe "
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [BackupNotify] c:\Program Files\HP\Digital Imaging\bin\backupnotify.exe
    O4 - HKCU\..\Run: [Yahoo! Pager] 1
    O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    O4 - Global Startup: SBC Self Support Tool.lnk = C:\Program Files\SBC Self Support Tool\bin\matcli.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
    O8 - Extra context menu item: Yahoo! Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
    O8 - Extra context menu item: Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\common\ylogin.dll
    O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\common\ylogin.dll
    O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {231B1C6E-F934-42A2-92B6-C2FEFEC24276} (yucsetreg Class) - C:\Program Files\Yahoo!\common\yucconfig.dll
    O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - C:\Program Files\Yahoo!\common\yinsthelper.dll
    O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Housecall ActiveX 6.5) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
    O16 - DPF: {C4925E65-7A1E-11D2-8BB4-00A0C9CC72C3} (Virtools WebPlayer Class) - http://a532.g.akamai.net/f/532/6712/4h/player.virtools.com/downloads/player/Install3.0/Installer.exe
    O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
    O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
    O23 - Service: Gear Security Service (GEARSecurity) - GEAR Software - C:\WINDOWS\System32\gearsec.exe
    O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
    O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\system32\YPCSER~1.EXE

    I will wait for recommendations before going further.
    Thanks!
     
  2. 2006/07/20
    TeMerc

    TeMerc Inactive Alumni

    Joined:
    2006/05/13
    Messages:
    3,226
    Likes Received:
    4
    Everything here looks fine, nothing in the HJT log file.

    With respect to SpywareBlaster, I would untick IE restricted sites protection in favor of IE-SPYAD. IE-SPYAD does the same thing, but has nearly 3 times more sites added of known malware sites.

    While updating it is a little bit more involved as opposed to SB, the extra protection offered far outweighs the learning curve, IMHO. If she can update the hosts file, she can figure out IE-SPYAD.

    Just be sure she pays attention to updating things on a regular basis, checking at least each week.

    I would also add WinPatrol v10.0.10.

    Calendar of Updates

    Nice work, carry on sir. :D

    Tom
     


  4. 2006/07/20
    mailman Lifetime Subscription

    mailman Geek Member Thread Starter

    Joined:
    2004/01/17
    Messages:
    1,901
    Likes Received:
    11
    Thanks, Tom.

    I plan to create a detailed set of instructions for her to perform essential manual weekly updates for software that requires manual updates (i.e., SpywareBlaster, Spybot S&D, etc.) and scans in hopes she will follow through. However, I want to minimize the amount of work she needs to do to stay updated. Likewise, I want to minimize my work keeping her computer updated as well. :)

    She sparingly uses her computer, mostly for online banking and bill paying. I don't think she's confident enough to attempt to update her MVPS HOSTS when updates are released (even with detailed instructions). I'll probably perform the MVPS HOSTS updating task myself. Therefore, I also think she would not follow through on updating IE-SPYAD2 on her own.

    I may install IE-SPYAD2 on her machine and occasionally update that myself, but then she will need special instructions to remember to not enable SpywareBlaster's Restricted Sites protection when/if she performs weekly updates. :)

    Are you suggesting WinPatrol instead of Windows Defender?

    If I install WinPatrol, I may purchase the one-time license fee for her, especially if it is necessary for automatic updating. In case I install WinPatrol (since I expect Ewido's memory-resident and automatic updating features will expire in the free version of Ewido), do you know of any potential conflicts that exist with any other existing AV/AS software on her system?

    In regards to her HJT log, would I be safe to tell HJT to "fix" the following entries without producing any system instability?

    • O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
    • O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
    • O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE


    My friend also has a 13-year-old child who has started to use the computer for the Internet. I will continue to suggest to her we create a limited Windows XP Home account for her child to further protect her computer from unauthorized software installations. If/when we cross that bridge, I may start another thread if I can't find enough info via forum searches.

    Thanks again for your valuable help, Tom.
     
    Last edited: 2006/07/20
  5. 2006/07/20
    TeMerc

    TeMerc Inactive Alumni

    Joined:
    2006/05/13
    Messages:
    3,226
    Likes Received:
    4
    Yes, I can understand all of this; simplicity is indeed a must for many users, but of course education is better.
    There is a tool found on the MVPS hosts file site which automatically checks for updates, I think. Short of that, she can sign up for HOSTS file update notices via email.
    Not so much in place of Defender, and I would actually stay away from Defender because it is in beta. Not something I would feel comfortable giving a n00b. Stick with Ad-Aware and Spybot, much more stable. TeaTimer enacted is ok, but then again, we run into the simplicity vs. education problem. Best thing, at the very least, she needs to read all alerts very carefully.

    WP will use virtually zero resources. Worth the one-time fee for PLUS? Here we get into an area where she could be presented with too much info. I think WP free will suffice, IMHO.
    Yes, those may all be fixed with no ill effects.

    While you're doing that, trimming start-ups:
    Here is an excellent site for that:
    AnswersThatWork
    Just go to the appropriate letter and search for the process/exe; they will give good, detailed info regarding it. We use it quite often.

    Excellent idea.

    Your friend is lucky to have someone who will spend the time on this stuff, kudos to you.


    My pleasure.
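    A small parser for the two HJT entry types discussed above, as an added example that is not code from this thread or from HijackThis: it flags O2 BHO entries whose DLL is gone ("(no file)", the orphaned entries mailman asks about) and O4 Run entries that name a bare executable without a full path (the ALCXMNTR.EXE case), so a reviewer can tell which fixes are plain cleanup and which still deserve a look at what the name resolves to. The regexes, the first_token helper and the verdict labels are my own assumptions about the log format.

```python
import re

# Constructed sample: the three entries mailman asked about plus two healthy
# entries for contrast, all copied from the HJT log in this thread.
SAMPLE_LOG = "\n".join([
    r"O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)",
    r"O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)",
    r"O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll",
    r"O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE",
    r"O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP",
])

# O2: Browser Helper Object "name - {CLSID} - dll path or (no file)"; O4: Run key "[name] command"
BHO_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<path>.*)$")
RUN_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\Run: \[(?P<key>[^\]]+)\] (?P<cmd>.*)$")

def first_token(cmd):
    """Executable part of a Run command line, honouring a quoted path with spaces."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split()[0] if cmd else ""

def parse_entry(line):
    """Describe one HJT O2/O4 line as a dict; None for any other line."""
    m = BHO_RE.match(line)
    if m:
        d = m.groupdict()
        d["kind"] = "O2"
        d["orphan"] = d["path"].strip() == "(no file)"  # CLSID registered, DLL gone
        return d
    m = RUN_RE.match(line)
    if m:
        d = m.groupdict()
        d["kind"] = "O4"
        # No drive letter: the name is resolved through the PATH search at logon
        # rather than a fixed location, so check what it points to before fixing.
        d["bare_name"] = re.match(r"^[A-Za-z]:\\", first_token(d["cmd"])) is None
        return d
    return None

def verdict(e):
    """Classify a parsed entry; orphaned BHOs are the harmless leftovers HJT can fix."""
    if e["kind"] == "O2" and e["orphan"]:
        return "orphaned BHO"
    if e["kind"] == "O4" and e["bare_name"]:
        return "unqualified Run entry"
    return "ok"

def review(log_text):
    """Return (line, verdict) pairs for every O2/O4 entry in an HJT log."""
    entries = [(ln, parse_entry(ln)) for ln in log_text.splitlines()]
    return [(ln, verdict(e)) for ln, e in entries if e is not None]
```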
     
  6. 2006/07/20
    mailman Lifetime Subscription

    mailman Geek Member Thread Starter

    Joined:
    2004/01/17
    Messages:
    1,901
    Likes Received:
    11
    Thanks again for your time and expertise, Tom. I want to be sure you continue to earn your status as a Windows BBS Staff Member/Forum Moderator. ;) (Congrats, BTW.)

    Thanks for the heads-up. I downloaded HostsMan and HOSTS Secure. I will try them out and see which one I want to install on her machine.

    Thanks for the suggestion. I will download and install the free WP on her machine. You've piqued my "tinkering" curiosity. I may buy a license for my own machine and see what it offers. :)

    Will do. Thanks.

    I'm lucky too. She already treated me to a delicious 16 oz. prime rib dinner. :Q...
     
