Normal IE6 behavior, or malware symptom?

[ggull]

I suspect I may have picked up some kind of infection -- I'm checking out
the advice that's been posted in this group and elsewhere and will run some
extra programs (I currently use AdAware and Norton AV) before posting more
about it.

But I'm curious if the following is a possible symptom, or just something
IE6 does all along that I just haven't noticed.

I always display the "Connected to.." box, and noted some unexpected
traffic, in particular more "bytes sent" than normal. So I was a bit
paranoid.

Later, I brought up IE's history panel in order to clear it (the 'clear
history' under Tools/Internet Options doesn't actually seem to do so), and
for some reason clicked on 'Today' and noticed a 'My Computer' entry;
clicking on that showed several files I had worked on with Wordpad,
EditpadLite, Irfanview, etc.

Maybe I've been reading too many stories about keystroke loggers and other
tracking malware, but this seems vaguely unkosher, as if something is
keeping track of my every move, ready to 'call home' and tell what I've been
doing and typing. I don't have another system to check against, and I don't
normally navigate with the history panel (and when I do I have a particular
goal in mind, not likely to idly click on an unrelated link), so this could
have been going on all along without my noticing ... but maybe not.

[Running Win ME, IE6, OE6, dial-up connection]

 

[Guest]

The documents you see in the History under My Computer are normal. Every
document you worked on or opened on your computer will appear in History
until you clear it again.

 

[Jan Il]

Hi ggull

It is always best to error on the side of too much vs. not enough with all
that is out there these days. ;-)

I suggest that you also try Spybot and the HiJackThis (included below the
first information) and make sure there's no scumware covertly lurking on
your system, as well as the following:

How to Empty IE Cache

Description of the Internet Explorer Cache
http://inetexplorer.mvps.org/answers3.htm#Cache

To empty your Temporary Internet Files cache
1. In Internet Explorer, click Tools, and then click Internet Options.
2. On the General tab, click Delete Files.

To turn off graphic compression in the AOL client
1. Go to Preferences in AOL.
2. Click Internet properties (or WWW in some versions).
3. Click Web Graphics.
4. Clear Never compress graphics (or Use compressed graphics in some
versions).

or .........................................

Clear the IE cache. I.E./Tools/Options/General/Delete files (and delete
offline content.) It's often recommended that the Temporary Internet Files
(folder) be kept at
40-50 MB. Bigger isn't necessarily better.
If still no joy then have a look at this page for other issues.
http://www.generation.net/~hleboeuf/ieimage.htm

I suspect I may have picked up some kind of infection -- I'm checking
out the advice that's been posted in this group and elsewhere and
will run some extra programs (I currently use AdAware and Norton AV)
before posting more about it.

But I'm curious if the following is a possible symptom, or just
something IE6 does all along that I just haven't noticed.

I always display the "Connected to.." box, and noted some unexpected
traffic, in particular more "bytes sent" than normal. So I was a bit
paranoid.

Later, I brought up IE's history panel in order to clear it (the
'clear history' under Tools/Internet Options doesn't actually seem to
do so), and for some reason clicked on 'Today' and noticed a 'My
Computer' entry; clicking on that showed several files I had worked
on with Wordpad, EditpadLite, Irfanview, etc.

Maybe I've been reading too many stories about keystroke loggers and
other tracking malware, but this seems vaguely unkosher, as if
something is keeping track of my every move, ready to 'call home' and
tell what I've been doing and typing. I don't have another system to
check against, and I don't normally navigate with the history panel
(and when I do I have a particular goal in mind, not likely to idly
click on an unrelated link), so this could have been going on all
along without my noticing ... but maybe not.

[Running Win ME, IE6, OE6, dial-up connection]

and now the following -

SpyBot Search & Destroy: Free
http://download.com.com/3000-8022-10289035.html?tag=lst-0-2

(IMPORTANT - Before you try to remove spyware using any of the programs
below, download a
copy of LSPFIX from any of the following sites:

http://www.cexx.org/lspfix.htm
http://www.spychecker.com/program/winsockxpfix.html (if your OS is Win2k or
XP) The process of removing certain malware may kill your internet
connection. If this should occur, this program, LSPFIX, will enable you to
regain your connection. Also, get a copy of WINSOCKFIX available at:
http://www.spychecker.com/program/winsockxpfix.html)

HiJackThis: - Free

Unzip the Download file in a NEW FOLDER that you can create before you start
the download.
DO NOT install in your Desktop folder.
DO NOT use any of the TEMP folders that are presently in your computer.
Double-click "HijackThis.exe" and Press "Scan".

Go to:
http://computercops.biz/downloads-cat-14.html ,
or
http://www.aumha.org/a/parasite.php#hjt
(If you get a 404 error or Access denied, try:
http://216.180.252.218/~spywareinfo.com/downloads/tools/hijackthis.zip)

and download HiJackThis to the new folder. Unzip to a folder other than your
Desktop or the Temp folder, doubleclick HiJackThis.exe, and hit "Scan".

When the scan is finished, the "Scan" button will change into a "Save Log"
button. Press that, save the log some place you remember where it is.
Most of what it lists will be harmless or even required, so DO NOT fix
anything yet.

Open the copy of your log in NotePad and make a copy. Then you can go here
to post you log:

Jim Eshelman's site here:
AumHa Forums - HiJackThis section:
http://forum.aumha.org/

<<DO NOT POST YOUR LOG FILE TO THIS NEWSGROUP>>

You will need to register to open a new thread to post you log. It is free,
and no one will Spam you, it is one of many that provides this service. Once
registered, go to the HiJackThis section on the forum list and click to
open. Then start a new post and post your log. The experts there will
analyze the log and report back the results. Please allow at least a few
hours or a days time for a response, depending on when you post the log

Remember, you must return to the HJT site to get your answer. It is a good
idea to click the "Notify" box so that you will get an electronic
notification by e-mail to let you know when a response has been posted.
But, you must still return to the site of your answer

HJT Tutorial
http://www.bleepingcomputer.com/forums/index.php?showtutorial=42


Hope this helps.

Jan

Smiles are meant to be shared,
that's why they're so contagious.

Please reply to the newsgroup so others may benefit.
Replies are posted only to the newsgroup for the benefit or other readers.

How to make a good newsgroup post:
http://www.dts-l.org/goodpost.htm
http://home.satx.rr.com/badour/html/post.html

 

[ggull]

Thanks. Exactly what I needed.
It's amazing what we don't notice until we look for it,
or are suitably paranoid

The documents you see in the History under My Computer are normal. Every
document you worked on or opened on your computer will appear in History
until you clear it again.

<snip>

 

[ggull]

Thanks Jan -- I'll follow your suggestions, though it may take a couple of
days.
I'll avoid typing any credit card numbers until then .

Actually, I'd already downloaded your response to a previous post and was
planning to investigate the resources you mentioned.

And I clear my TIF daily if not more often .. a true paranoid.
gg

 

[Jan Il]

Hi ggull

Thanks Jan -- I'll follow your suggestions, though it may take a
couple of days.
I'll avoid typing any credit card numbers until then .

Actually, I'd already downloaded your response to a previous post and
was planning to investigate the resources you mentioned.

And I clear my TIF daily if not more often .. a true paranoid.
gg

You're very welcome. I'm with you, with all the stuff out there these days,
it is best practice to question things that we're not sure of. It's that
one we take for granted that might come back to bite us. ;-))

Glad all worked out for you. And it's a good idea to keep the programs on
your hard drive and updated often, as if you get a bug and can't get access
to the Net, you've got your PestBusters at hand. <g>

Jan

Smiles are meant to be shared,
that's why they're so contagious.