Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

What to delete?


  • This topic is locked This topic is locked
4 replies to this topic

#1 asimov

asimov

  • Members
  • 1 posts
  • OFFLINE
  •  
  • Local time:07:25 PM

Posted 03 October 2005 - 03:02 PM

Hello

This is my first post at the forum. I found your page when I was searching google to find files that might be spyware. I suspect that I have some spyware installed, but I´m not sure what to delete and the best way to do that. I´ve run Spybot and avast 4.6 home edition and found some problems and deleted them. I´ve downloaded hijackthis and done a scan(below).

Logfile of HijackThis v1.99.1
Scan saved at 18:46:57, on 2005-10-03
Platform: Windows 95 B (Win9x 4.00.1111)
MSIE: Internet Explorer v5.50 (5.50.4134.0600)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\PROGRAM\ALWIL SOFTWARE\AVAST4\ASHSERV.EXE
C:\WINDOWS\EXPLORER.EXE
C:\PROGRAM\IT-KLOCKAN\ITCLOCK.EXE
C:\PROGRAM\ALWIL SOFTWARE\AVAST4\ASHWEBSV.EXE
C:\PROGRAM\ALWIL SOFTWARE\AVAST4\ASHMAISV.EXE
C:\PROGRAM\SPYBOT - SEARCH & DESTROY\TEATIMER.EXE
C:\PROGRAM\MICROSOFT OFFICE\OFFICE\OSA.EXE
C:\PROGRAM\MICROSOFT OFFICE\OFFICE\MSOFFICE.EXE
C:\PROGRAM\MICROSOFT OFFICE\OFFICE\FINDFAST.EXE
C:\PROGRAM\WEBWASHER\WWASHER.EXE
C:\WINDOWS\SYSTEM\RPCSS.EXE
C:\PROGRAM\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\tapiexe.exe
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\HIJACKTHIS\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://home.microsoft.com/intl/sv/access/allinone.asp
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://home.netscape.com/home/winsearch200.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://keyword.netscape.com/keyword/%s
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Länkar
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRAM\SPYBOT~1\SDHELPER.DLL
O3 - Toolbar: @msdxmLC.dll,-1@1053,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [IT-Klockan] C:\Program\IT-Klockan\itclock.exe
O4 - HKLM\..\Run: [avast! Web Scanner] C:\PROGRAM\ALWILS~1\AVAST4\ASHWEBSV.EXE
O4 - HKLM\..\Run: [ashMaiSv] C:\PROGRAM\ALWILS~1\AVAST4\ashmaisv.exe
O4 - HKLM\..\RunServices: [avast!] C:\Program\Alwil Software\Avast4\ashServ.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\PROGRAM\SPYBOT - SEARCH & DESTROY\TeaTimer.exe
O4 - Startup: Office-autostart.lnk = C:\Program\Microsoft Office\Office\OSA.EXE
O4 - Startup: Office-genvägar.lnk = C:\Program\Microsoft Office\Office\MSOFFICE.EXE
O4 - Startup: Microsoft Office Snabbsökning.lnk = C:\Program\Microsoft Office\Office\FINDFAST.EXE
O4 - Startup: WebWasher.lnk = C:\Program\WebWasher\wwasher.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: MSN Messenger Service - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program\Messenger\MSMSGS.EXE
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O12 - Plugin for .wav: C:\PROGRAM\INTERN~1\PLUGINS\npqtplugin.dll
O12 - Plugin for .mov: C:\PROGRAM\INTERN~1\PLUGINS\npqtplugin.dll
O13 - WWW. Prefix: http://
O15 - Trusted Zone: *.windupdates.com
O15 - Trusted Zone: *.searchmiracle.com
O15 - Trusted Zone: *.searchbarcash.com
O15 - Trusted Zone: *.skoobidoo.com
O15 - Trusted Zone: *.my-internet.info
O15 - Trusted Zone: *.flingstone.com
O15 - Trusted Zone: *.mt-download.com
O15 - Trusted Zone: *.clickspring.net
O15 - Trusted Zone: *.windupdates.com (HKLM)
O15 - Trusted Zone: *.searchbarcash.com (HKLM)
O15 - Trusted Zone: *.searchmiracle.com (HKLM)
O15 - Trusted Zone: *.skoobidoo.com (HKLM)
O15 - Trusted Zone: *.my-internet.info (HKLM)
O15 - Trusted Zone: *.xxxtoolbar.com (HKLM)
O15 - Trusted Zone: *.slotch.com (HKLM)
O15 - Trusted Zone: *.flingstone.com (HKLM)
O15 - Trusted Zone: *.mt-download.com (HKLM)
O15 - Trusted Zone: *.blazefind.com (HKLM)
O15 - Trusted Zone: *.clickspring.net (HKLM)
O15 - Trusted IP range: 213.159.117.133
O15 - Trusted IP range: 213.159.117.133 (HKLM)

I´ve also generated a start-up list:

StartupList report, 2005-10-03, 18:48:09
StartupList version: 1.52.2
Started from : C:\HIJACKTHIS\HIJACKTHIS.EXE
Detected: Windows 95 B (Win9x 4.00.1111)
Detected: Internet Explorer v5.50 (5.50.4134.0600)
* Using default options
==================================================

Running processes:

C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\PROGRAM\ALWIL SOFTWARE\AVAST4\ASHSERV.EXE
C:\WINDOWS\EXPLORER.EXE
C:\PROGRAM\IT-KLOCKAN\ITCLOCK.EXE
C:\PROGRAM\ALWIL SOFTWARE\AVAST4\ASHWEBSV.EXE
C:\PROGRAM\ALWIL SOFTWARE\AVAST4\ASHMAISV.EXE
C:\PROGRAM\SPYBOT - SEARCH & DESTROY\TEATIMER.EXE
C:\PROGRAM\MICROSOFT OFFICE\OFFICE\OSA.EXE
C:\PROGRAM\MICROSOFT OFFICE\OFFICE\MSOFFICE.EXE
C:\PROGRAM\MICROSOFT OFFICE\OFFICE\FINDFAST.EXE
C:\PROGRAM\WEBWASHER\WWASHER.EXE
C:\WINDOWS\SYSTEM\RPCSS.EXE
C:\PROGRAM\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\tapiexe.exe
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\HIJACKTHIS\HIJACKTHIS.EXE
C:\WINDOWS\NOTEPAD.EXE

--------------------------------------------------

Listing of startup folders:

Shell folders Startup:
[C:\WINDOWS\Start-menyn\Program\Autostart]
Office-autostart.lnk = C:\Program\Microsoft Office\Office\OSA.EXE
Office-genvägar.lnk = C:\Program\Microsoft Office\Office\MSOFFICE.EXE
Microsoft Office Snabbsökning.lnk = C:\Program\Microsoft Office\Office\FINDFAST.EXE
WebWasher.lnk = C:\Program\WebWasher\wwasher.exe

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

IT-Klockan = C:\Program\IT-Klockan\itclock.exe
avast! Web Scanner = C:\PROGRAM\ALWILS~1\AVAST4\ASHWEBSV.EXE
ashMaiSv = C:\PROGRAM\ALWILS~1\AVAST4\ashmaisv.exe

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices

avast! = C:\Program\Alwil Software\Avast4\ashServ.exe

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

SpybotSD TeaTimer = C:\PROGRAM\SPYBOT - SEARCH & DESTROY\TeaTimer.exe

--------------------------------------------------

File association entry for .TXT:
HKEY_CLASSES_ROOT\txtfile\shell\open\command

(Default) = C:\WINDOWS\NOTEPAD.EXE %1

--------------------------------------------------

Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:

Shell=Explorer.exe
SCRNSAVE.EXE=
drivers=mmsystem.dll power.drv

--------------------------------------------------

C:\WINDOWS\WININIT.BAK listing:
(Created 28/9/2005, 21:39:22)

[rename]
nul=C:\PROGRAM\ALWILS~1\AVAST4\SETUP\REBOOT.TXT

--------------------------------------------------

C:\AUTOEXEC.BAT listing:

mode con codepage prepare=((850) C:\WINDOWS\COMMAND\ega.cpi)
mode con codepage select=850
keyb sv,,C:\WINDOWS\COMMAND\keyboard.sys

--------------------------------------------------


Enumerating Browser Helper Objects:

(no name) - C:\PROGRAM\SPYBOT~1\SDHELPER.DLL - {53707962-6F74-2D53-2644-206D7942484F}

--------------------------------------------------

Enumerating Download Program Files:

[Shockwave Flash Object]
InProcServer32 = C:\WINDOWS\SYSTEM\MACROMED\FLASH\FLASH.OCX
CODEBASE = http://fpdownload.macromedia.com/get/shock...ash/swflash.cab

--------------------------------------------------

Enumerating ShellServiceObjectDelayLoad items:

WebCheck: C:\WINDOWS\SYSTEM\WEBCHECK.DLL

--------------------------------------------------
End of report, 4 371 bytes
Report generated in 1,823 seconds

Command line options:
/verbose - to add additional info on each section
/complete - to include empty sections and unsuspicious data
/full - to include several rarely-important sections
/force9x - to include Win9x-only startups even if running on WinNT
/forcent - to include WinNT-only startups even if running on Win9x
/forceall - to include all Win9x and WinNT startups, regardless of platform
/history - to list version history only

My questions are:
What can I delete?
The list with trusted zones/IP range are adresses I´ve never visited, I guess this is because of spyware?
How should I set the security in explorer so that this doesn´t happen again?
As I wrote above I´ve downloaded avast 4.6 and Spybot. Do I really need any firewall since I´m using a dial-up modem?
If that´s recommended is there any freeware firewall that´s easily combined with avast 4.6?

Looking forward to an answer

Peter

BC AdBot (Login to Remove)

 


m

#2 suebaby41

suebaby41

    W.A.M. (Women Against Malware)


  • Malware Response Team
  • 6,248 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:South Carolina, USA
  • Local time:08:25 PM

Posted 11 October 2005 - 02:22 PM

Welcome to the BleepingComputer forum. We are currently studying your log and will have instructions for you shortly. Thank you for your patience.
You don't stop laughing when you get old; you get old when you stop laughing.
A Member of U-N-I-T-E (Unified Network of Instructors and Trained Eliminators)
Malware Removal University Masters Graduate

Posted Image
Join The Fight Against Malware
No reply within 5 days will result in your topic being closed. If you need more time, please let me know by posting in this topic so that your topic will not be closed.

#3 suebaby41

suebaby41

    W.A.M. (Women Against Malware)


  • Malware Response Team
  • 6,248 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:South Carolina, USA
  • Local time:08:25 PM

Posted 11 October 2005 - 02:42 PM

Let’s take care of these two things first while I research your log.

As I wrote above I´ve downloaded avast 4.6 and Spybot. Do I really need any firewall since I´m using a dial-up modem?
If that´s recommended is there any freeware firewall that´s easily combined with avast 4.6?


Yes. You do need a firewall.

A Firewall is an essential part of computer security and you do not appear to have one running on your system. There are a few available for free that appear to be good and easy to use:

Zone Alarm Free Firewall

Sygate Personal Firewall

Outpost Firewall Free

NetVeda Safety.Net

How should I set the security in explorer so that this doesn´t happen again?

  • Make your Internet Explorer more secure This can be done by following these simple instructions:
    • From within Internet Explorer click on the Tools menu and then click on Options.
    • Click once on the Security tab
    • Click once on the Internet icon so it becomes highlighted.
    • Click once on the Custom Level button.
      • Change the Download signed ActiveX controls to Prompt
      • Change the Download unsigned ActiveX controls to Disable
      • Change the Initialize and script ActiveX controls not marked as safe to Disable
      • Change the Installation of desktop items to Prompt
      • Change the Launching programs and files in an IFRAME to Prompt
      • Change the Navigate sub frames across different domains to Prompt
    • When all these settings have been made, click on the OK button.
    • If it asks you if you want to save the settings, press the Yes button.
    • Next press the Apply button and then the OK to exit the Internet Properties page.
  • Use IE-SPYAD Install IE SPYAD. Add another level of protection to your Internet Explorer browser by blocking certain sites that are known to contain malware. IE SPYAD puts several thousand sites in your restricted zone so you'll be protected when you visit innocent looking sites that aren't actually innocent at all. If you happen on a site within its list, they can't hijack you or install anything. Program is free and is updated about once a month. Please follow readme instructions for install; it is a little different. Single user PC use IE Spyad1. Multi user XP PC use IE Spyad2.

You don't stop laughing when you get old; you get old when you stop laughing.
A Member of U-N-I-T-E (Unified Network of Instructors and Trained Eliminators)
Malware Removal University Masters Graduate

Posted Image
Join The Fight Against Malware
No reply within 5 days will result in your topic being closed. If you need more time, please let me know by posting in this topic so that your topic will not be closed.

#4 suebaby41

suebaby41

    W.A.M. (Women Against Malware)


  • Malware Response Team
  • 6,248 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:South Carolina, USA
  • Local time:08:25 PM

Posted 11 October 2005 - 03:31 PM

  • To help prevent further infection, please download SpywareBlasterSpywareBlaster helps to:
    • Prevent the installation of ActiveX-based spyware, adware, browser hijackers, dialers, and other potentially unwanted software.
    • Block spyware/tracking cookies in Internet Explorer and Mozilla/Firefox.
    • Restrict the actions of potentially unwanted sites in Internet Explorer.
  • Please download Symantec’s FixCdt tool to remove Adware.CDT.
    • Press “Start” to begin the process.
    • It will remove Adware.CDT or tell you that it is not present on your computer.
  • Please post a new HiJackThis log.

You don't stop laughing when you get old; you get old when you stop laughing.
A Member of U-N-I-T-E (Unified Network of Instructors and Trained Eliminators)
Malware Removal University Masters Graduate

Posted Image
Join The Fight Against Malware
No reply within 5 days will result in your topic being closed. If you need more time, please let me know by posting in this topic so that your topic will not be closed.

#5 suebaby41

suebaby41

    W.A.M. (Women Against Malware)


  • Malware Response Team
  • 6,248 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:South Carolina, USA
  • Local time:08:25 PM

Posted 15 December 2005 - 04:52 PM

Due to inactivity, this thread will now be closed. If you need this topic reopened, please contact a member of the HJT Team and we will reopen it for you. Include the address of this thread in your request. If you should have a new issue, please start a new topic. This applies only to the original topic starter. Everyone else please begin a New Topic.
You don't stop laughing when you get old; you get old when you stop laughing.
A Member of U-N-I-T-E (Unified Network of Instructors and Trained Eliminators)
Malware Removal University Masters Graduate

Posted Image
Join The Fight Against Malware
No reply within 5 days will result in your topic being closed. If you need more time, please let me know by posting in this topic so that your topic will not be closed.




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users