Trojans and spyware

Hi, new user here. I have acquired some spyware and trojans and just need help to remove them if possible. Thank you for your assistance, Jim

Here is my startup list
StartupList report, 3/8/05, 3:01:06 PM
StartupList version: 1.52
Started from : C:\WINDOWS\TEMP\STARTUPLIST.EXE
Detected: Windows 98 SE (Win9x 4.10.2222A)
Detected: Internet Explorer v6.00 (6.00.2600.0000)

  • Using default options
    ==================================================

Running processes:

C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\PROGRAM FILES\ALWIL SOFTWARE\AVAST4\ASHSERV.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\ALWIL SOFTWARE\AVAST4\ASHWEBSV.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\PROGRAM FILES\ALWIL SOFTWARE\AVAST4\ASHMAISV.EXE
C:\WINDOWS\SYSTEM\RPCSS.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\NOTEPAD.EXE
C:\PROGRAM FILES\ALWIL SOFTWARE\AVAST4\ASHSIMPL.EXE
C:\PROGRAM FILES\ALWIL SOFTWARE\AVAST4\ASHCHEST.EXE
C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\PHOTOED\PHOTOED.EXE
C:\WINDOWS\TEMP\HIJACKTHIS.EXE
C:\PROGRAM FILES\AMERICA ONLINE 7.0\WAOL.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\PROGRAM FILES\WINZIP\WINZIP32.EXE
C:\WINDOWS\TEMP\STARTUPLIST.EXE


Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

ScanRegistry = C:\WINDOWS\scanregw.exe /autorun
TaskMonitor = C:\WINDOWS\taskmon.exe
SystemTray = SysTray.Exe
avast! Web Scanner = C:\PROGRA~1\ALWILS~1\AVAST4\ashWebSv.exe
sp = rundll32 C:\WINDOWS\TEMP\SE.DLL,DllInstall
ashMaiSv = C:\PROGRA~1\ALWILS~1\AVAST4\ashmaisv.exe


Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices

SchedulingAgent = mstask.exe
avast! = C:\Program Files\Alwil Software\Avast4\ashServ.exe


Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:

Shell=Explorer.exe
SCRNSAVE.EXE=
drivers=mmsystem.dll


C:\WINDOWS\WININIT.INI listing:
(Created 8/3/2005, 13:8:38)

[rename]
nul=C:\WINDOWS\SYSTEM\trz81D1.TMP
nul=c:\windows\system\trz6191.tmp
nul=c:\windows\temp\trz1221.tmp
nul=c:\windows\system\trz1091.tmp
nul=c:\windows\system\trz390.tmp
nul=c:\windows\temp\trze024.tmp
nul=c:\windows\temp\trzd014.tmp
nul=c:\windows\system\trz4251.tmp
nul=c:\windows\temp\trz21e0.tmp
nul=c:\windows\temp\trz6364.tmp
nul=c:\windows\temp\trz3356.tmp
nul=c:\windows\temp\trz22a3.tmp
nul=c:\windows\temp\trzc145.tmp
nul=c:\windows\temp\trzc314.tmp
nul=c:\windows\temp\trz9275.tmp
nul=c:\windows\temp\glb1a2b.exe
nul=c:\windows\temp_iu14d2n.tmp


C:\WINDOWS\WININIT.BAK listing:
(Created 5/3/2005, 9:2:44)

[rename]
nul=C:\WINDOWS\TEMP\trz22D4.TMP
nul=c:\windows\temp\trz12b3.tmp


Enumerating Browser Helper Objects:

(no name) - C:\PROGRAM FILES\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
(no name) - C:\WINDOWS\SYSTEM\DBDI.DLL - {EB51A641-8715-11D9-A320-4445D562DCAE}
(no name) - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL - {53707962-6F74-2D53-2644-206D7942484F}


Enumerating Task Scheduler jobs:

Tune-up Application Start.job
Maintenance-Defragment programs.job
Maintenance-ScanDisk.job
Maintenance-Disk cleanup.job


Enumerating Download Program Files:

[Shockwave Flash Object]
InProcServer32 = C:\WINDOWS\SYSTEM\MACROMED\FLASH\FLASH.OCX
CODEBASE = http://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab


Enumerating ShellServiceObjectDelayLoad items:

WebCheck: C:\WINDOWS\SYSTEM\WEBCHECK.DLL
System: C:\WINDOWS\system32\system32.dll


End of report, 4,774 bytes
Report generated in 2.122 seconds

Command line options:
/verbose - to add additional info on each section
/complete - to include empty sections and unsuspicious data
/full - to include several rarely-important sections
/force9x - to include Win9x-only startups even if running on WinNT
/forcent - to include WinNT-only startups even if running on Win9x
/forceall - to include all Win9x and WinNT startups, regardless of platform
/history - to list version history only

Here is the HijackThis log:
Logfile of HijackThis v1.99.1
Scan saved at 1:56:09 PM, on 3/8/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\PROGRAM FILES\ALWIL SOFTWARE\AVAST4\ASHSERV.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\ALWIL SOFTWARE\AVAST4\ASHWEBSV.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\PROGRAM FILES\ALWIL SOFTWARE\AVAST4\ASHMAISV.EXE
C:\WINDOWS\SYSTEM\RPCSS.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\NOTEPAD.EXE
C:\PROGRAM FILES\ALWIL SOFTWARE\AVAST4\ASHSIMPL.EXE
C:\PROGRAM FILES\ALWIL SOFTWARE\AVAST4\ASHCHEST.EXE
C:\WINDOWS\TEMP\HIJACKTHIS.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\TEMP\se.dll/sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\TEMP\se.dll/sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://find777.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,SearchURL = http://find777.com/sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL
O2 - BHO: (no name) - {EB51A641-8715-11D9-A320-4445D562DCAE} - C:\WINDOWS\SYSTEM\DBDI.DLL
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM..\Run: [SystemTray] SysTray.Exe
O4 - HKLM..\Run: [avast! Web Scanner] C:\PROGRA~1\ALWILS~1\AVAST4\ashWebSv.exe
O4 - HKLM..\Run: [sp] rundll32 C:\WINDOWS\TEMP\SE.DLL,DllInstall
O4 - HKLM..\Run: [ashMaiSv] C:\PROGRA~1\ALWILS~1\AVAST4\ashmaisv.exe
O4 - HKLM..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM..\RunServices: [avast!] C:\Program Files\Alwil Software\Avast4\ashServ.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\SYSTEM\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra ‘Tools’ menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O18 - Filter: text/html - {740B7600-8C2F-11D9-A320-4445D0F155A7} - C:\WINDOWS\SYSTEM\DBDI.DLL
O18 - Filter: text/plain - {740B7600-8C2F-11D9-A320-4445D0F155A7} - C:\WINDOWS\SYSTEM\DBDI.DLL
O21 - SSODL: System - {9369BAE0-AA38-11D8-A320-444553540001} - C:\WINDOWS\system32\system32.dll (file missing)

Hi jbbigq,


THESE ITEMS ARE EITHER HARMFULL OR A SECURITY RISK
WE STRONGLY RECOMMEND TO FIX THEM :

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\TEMP\se.dll/sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\TEMP\se.dll/sp.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
o2 - BHO: (no name) - {EB51A641-8715-11D9-A320-4445D562DCAE} - C:\WINDOWS\SYSTEM\DBDI.DLL
o4 - HKLM..\Run: [sp] rundll32 C:\WINDOWS\TEMP\SE.DLL,DllInstall
o18 - Filter: text/html - {740B7600-8C2F-11D9-A320-4445D0F155A7} - C:\WINDOWS\SYSTEM\DBDI.DLL
o18 - Filter: text/plain - {740B7600-8C2F-11D9-A320-4445D0F155A7} - C:\WINDOWS\SYSTEM\DBDI.DLL
o21 - SSODL: System - {9369BAE0-AA38-11D8-A320-444553540001} - C:\WINDOWS\system32\system32.dll (file missing)

Then delete this file:

C:\WINDOWS\SYSTEM\DBDI.DLL

Then delete all your Temp files; it's easier to use CCleaner for this (free), you can get it from here: http://www.filehippo.com/download_ccleaner.html

Then go to windows update and install all critical updates (www.windowsupdate.com).

Then reboot your machine, redo and repost your hijackthis log so we can confirm your system is clean.

–lee
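Lee's list above is a hand triage of the HijackThis log: entries loading from a TEMP directory, search settings pointing at a res:// URL inside a DLL, about:blank search pages, an unnamed BHO, MIME filters, and an SSODL entry whose file is missing. The script below is an added example (not part of this thread, and not code from HijackThis or from Eddy's analyser tool) that applies those same indicators to HijackThis-style lines; the rule names and the correlation step are my own, and the sample log is constructed from lines quoted earlier in the thread so that it runs offline.

```python
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample: HijackThis-style lines copied from the log posted
# above, benign entries mixed with the ones Lee flagged.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\TEMP\se.dll/sp.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL
O2 - BHO: (no name) - {EB51A641-8715-11D9-A320-4445D562DCAE} - C:\WINDOWS\SYSTEM\DBDI.DLL
O4 - HKLM..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM..\Run: [sp] rundll32 C:\WINDOWS\TEMP\SE.DLL,DllInstall
O18 - Filter: text/html - {740B7600-8C2F-11D9-A320-4445D0F155A7} - C:\WINDOWS\SYSTEM\DBDI.DLL
O21 - SSODL: System - {9369BAE0-AA38-11D8-A320-444553540001} - C:\WINDOWS\system32\system32.dll (file missing)
"""


@dataclass
class Finding:
    section: str   # HijackThis section tag ("R1", "O4", ...) or "multi"
    rule: str      # heuristic name (my own naming, not HijackThis terminology)
    severity: str  # "high" = fix, "review" = needs a human look
    line: str      # the raw log line, or the correlated path


# Per-line heuristics mirroring the indicators used in the thread.
RULES = [
    ("autostart-from-temp", "high",
     re.compile(r"^O4 .*\\TEMP\\", re.IGNORECASE)),
    ("search-setting-res-url", "high",
     re.compile(r"^R[01] .*= res://", re.IGNORECASE)),
    ("search-setting-about-blank", "review",
     re.compile(r"^R[01] .*= about:blank$", re.IGNORECASE)),
    ("registered-file-missing", "review",
     re.compile(r"\(file missing\)$", re.IGNORECASE)),
    ("unnamed-bho", "review",
     re.compile(r"^O2 - BHO: \(no name\)", re.IGNORECASE)),
    ("mime-filter-hook", "review",
     re.compile(r"^O18 - Filter: text/(html|plain)", re.IGNORECASE)),
]

# First drive-letter path ending in a PE-ish extension on the line.
PATH_RE = re.compile(r"([A-Z]:\\.+?\.(?:dll|exe|ocx))\b", re.IGNORECASE)


def triage(log_text: str) -> list[Finding]:
    """Apply the per-line rules, then flag any one file that is registered
    under more than one hook type (e.g. a BHO that is also a MIME filter)."""
    findings: list[Finding] = []
    seen_in: dict[str, set[str]] = defaultdict(set)
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        section = line.split(" - ", 1)[0]
        for name, severity, pattern in RULES:
            if pattern.search(line):
                findings.append(Finding(section, name, severity, line))
        m = PATH_RE.search(line)
        if m:
            seen_in[m.group(1).lower()].add(section)
    for path, sections in sorted(seen_in.items()):
        if len(sections) > 1:
            findings.append(Finding("multi", "same-file-in-multiple-hooks", "high",
                                    f"{path} <- {', '.join(sorted(sections))}"))
    return findings


def summary(findings: list[Finding]) -> dict[str, int]:
    """Count findings per severity."""
    counts: dict[str, int] = defaultdict(int)
    for f in findings:
        counts[f.severity] += 1
    return dict(counts)


if __name__ == "__main__":
    results = triage(SAMPLE_LOG)
    for f in results:
        print(f"[{f.severity:6}] {f.section:5} {f.rule:28} {f.line}")
    print(summary(results))
```

On the sample, the two high-severity line rules hit the TEMP autostart and the res:// search bar, and the correlation step independently surfaces se.dll (R1 + O4) and DBDI.DLL (O2 + O18), which is exactly the pair Lee told Jim to remove. The "review" findings are deliberately not auto-fixes: Spybot's SDHelper is also an unnamed BHO, so a human still has to check the path.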

Lee, I will follow your instructions, though I have a question. As I have been tracing this down, one of the things I did after running avast anti virus: the trojan file wouldn't be sent to the virus chest (Access denied, can't process), so I followed instructions to copy it to the user file in the virus chest. That happened OK. Should I have gone back to the original location where the virus was discovered and deleted it there? Thanks again, Jim

The trojan file wouldn't be sent to virus chest(Access denied can't process)

That's basically because the malware was still activated, so do as suggested above, then run CWShredder as said on the other thread, and the problem should be gone. However, if it's not, then open Task Manager (Alt + Ctrl + Del) and kill all processes apart from Explorer and Systray, then try again with avast.

–lee

I don’t think that there are any CoolWebSearch hijacks here, but running CW Shredder (from your other thread) won’t hurt.

If you haven’t already got these, download, install and run them.

  1. Ad-Aware
  2. Spybot Search and Destroy
  3. Spywareblaster

Don’t forget to update them first :wink:

–lee

OK, here is what I've done so far:
removed items via HijackThis as instructed
ran cleensweep OK
deleted windows\system\dbdi.dll, although I had to reboot the computer before it would let me because it was using it at the time.
could not update Windows (I keep getting this persistent spyware popup; funny, the popup is telling me I have spyware and I assume will redirect me if I click on it). One time while the popup was on my computer I logged off of AOL, leaving the AOL program on, then clicked on the OK sign and a website address showed in the address bar at the top of the AOL screen. I don't know if that address would be any help in all this, but I copied it to Notepad on my desktop and have access to it.

After this I will run both Spybot Search and Destroy and Ad-Aware with current updates.
In the current HijackThis file it still shows a reference to one of the trojans I noticed earlier (trojan found: windows\temp\se.dll):
O4 - HKLM..\Run: [sp] rundll32 C:\WINDOWS\TEMP\SE.DLL,DllInstall

Here is the new HijackThis file:
Logfile of HijackThis v1.99.1
Scan saved at 6:56:41 PM, on 3/8/05
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\PROGRAM FILES\ALWIL SOFTWARE\AVAST4\ASHSERV.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\ALWIL SOFTWARE\AVAST4\ASHWEBSV.EXE
C:\WINDOWS\RUNDLL32.EXE
C:\PROGRAM FILES\ALWIL SOFTWARE\AVAST4\ASHMAISV.EXE
C:\WINDOWS\SYSTEM\RPCSS.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\PROGRAM FILES\AMERICA ONLINE 7.0\WAOL.EXE
C:\PROGRAM FILES\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://find777.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM..\Run: [SystemTray] SysTray.Exe
O4 - HKLM..\Run: [avast! Web Scanner] C:\PROGRA~1\ALWILS~1\AVAST4\ashWebSv.exe
O4 - HKLM..\Run: [sp] rundll32 C:\WINDOWS\TEMP\SE.DLL,DllInstall
O4 - HKLM..\Run: [ashMaiSv] C:\PROGRA~1\ALWILS~1\AVAST4\ashmaisv.exe
O4 - HKLM..\RunServices: [SchedulingAgent] mstask.exe
O4 - HKLM..\RunServices: [avast!] C:\Program Files\Alwil Software\Avast4\ashServ.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\SYSTEM\Shdocvw.dll
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll

Thanks again for the help
Jim

Extract from Eddy’s HJT analyser tool

CHECKING HIJACKTHIS, WINDOWS, INTERNET EXPLORER AND FIREWALL :

Old version of Internet Explorer detected, please update.
No software firewall detected. If you are not using a
hardware firewall, it is highly recommended to install one.


GENERAL INFORMATION :

All items in the original HijackThis log file which
are not shown here need further investigation.

Tutorial on the hijackthislog : http://members.home.nl/edeijl/

In addition to this application, you can also analyze the
original HijackThis log online at: http://hijackthis.de


THESE ITEMS ARE EITHER HARMFULL OR A SECURITY RISK
WE STRONGLY RECOMMEND TO FIX THEM :

r1 - hklm\software\microsoft\internet explorer\main
r1 - hkcu\software\microsoft\internet explorer\search
searchassistant = about:blank
r0 - hklm\software\microsoft\internet explorer\search
searchassistant = about:blank
r1 - hkcu\software\microsoft\internet explorer\searchurl
homeoldsp = about:blank
r1 - hklm\software\microsoft\internet explorer\main
homeoldsp = about:blank

Although this is highlighted by Eddy’s analysis too I’m not sure about it as it may be required for win98?
o4 - hklm..\run: [systemtray] systray.exe

Actually these need to be fixed:

r1 - hkcu\software\microsoft\internet explorer\main,search page = about:blank
r1 - hklm\software\microsoft\internet explorer\main,search page = about:blank
r1 - hkcu\software\microsoft\internet explorer\search,searchassistant = about:blank
r0 - hklm\software\microsoft\internet explorer\search,searchassistant = about:blank
r1 - hkcu\software\microsoft\internet explorer\searchurl,(default) = http://find777.com/
r1 - hkcu\software\microsoft\internet explorer\main,homeoldsp = about:blank
r1 - hklm\software\microsoft\internet explorer\main,homeoldsp = about:blank
o4 - hklm..\run: [sp] rundll32 c:\windows\temp\se.dll,dllinstall

Also update Internet Explorer.
If you don’t have a hardware firewall, buy one or at least get a software firewall.

Thanks for the tip on the analysis tool at hijackthis.de. It gave me some things to check, i.e. C:\PROGRAM FILES\ALWIL SOFTWARE\AVAST4\ASHMAISV.EXE
Safe. running process. (ASHMAISV.EXE)

Possibly nasty! According to our database this process runs normally in c:\programme\alwil software\avast4! Check if you know this process and arrange a viruscheck
If I find this file in the proper place, is it OK to just delete the one in the program files?

Oh, and I know I'm running an older version of Internet Explorer. I tried to get the update from Windows Update but it won't finish loading and installing. Is there some other way to get the update?
Also, any suggestions on a firewall for this old computer?

Leave it in place; this is a bug with the latest version of HijackThis. If you remove this registry key, Mail Shield won't run at start-up.

I think you can only update to IE6 SP1 with win98 (IE6 SP2 is XP only), you may find it on a Computer Magazine CD or ask a friend to download it for you.

A search of Google returns many options - http://www.google.co.uk/search?q=Microsoft+IE6+SP1+download - http://www.microsoft.com/windows/ie/downloads/critical/ie6sp1/default.mspx is one of them; you can download it outside of Windows Update and update off-line.

There are many different threads relating to firewalls; a forum search will return many hits. However, Zone Alarm (free) has a more user-friendly interface for the novice firewall user.