
User Profile hijack, Spyware program hijacking, etc.

Discussion in 'Malware Removal' started by Ravenquille, Apr 27, 2008.

  1. Ravenquille

    Ravenquille Private E-2

    I have a strange bunch of things going on in 3 systems ( on a wireless home network ). I can't get a handle on what type of 'nasty' is causing the mess, and how it is doing it; nothing has totally stopped 'it' so far.
    ( I am not certain that this is just 'one' problem at work, or if there is more than one, doing separate things. )

    1) I first noticed this problem with my husband's laptop, and the 'Uninstallation' of TweakUI.
    I installed TweakUI from the Microsoft official website. ( He wanted the laptop to open straight to desktop, in his User Account ( no logon screens of any kind ). ) I did some settings, and began to see strange behavior after installing and using TweakUI. I was suspicious of it, and decided to Uninstall. I got an odd window during the Uninstall process, and Norton Internet Security blocked a 'malicious script'. I could not Uninstall until I gave Norton permission to 'run once'. I did the Uninstall. Snowballing, weird stuff has been going on after the Uninstall. Messages about not being able to logon, slow startup to desktop, disconnects when online, mouse locks/total lockups.
    Laptop offline, turned off.

    2) I also installed TweakUI in his desktop, and did some settings within the utility. Never did an Uninstall of TweakUI in this system; but it has just recently been completely redone ( on a new HDD, OS reload, etc. etc. )
    I ran the following complete scans on Thurs. morning before we left for the weekend ( then shut down ):

    *SpyBot S&D
    ( all clear, saw no problems )
    *Spyware Blaster set ( for its listed maximum protections )

    Sat. night, my husband was online with this system. All was fine with startup. He opened his WinTV to watch tv ( onscreen ). This opened/loaded very slowly. He, then, tried to open TitanTV to get the channel listings, and it would not access his account to display this information ( there had not been a problem with either the program or the guide, previous to this ). System locked, he had to shut off from power button. Rebooted normally, but once at desktop, there was mouse movement, but mouse could not open anything. Shut off from power button again. Reboot. Desktop got 'User Environment' screen ( 2 screens in succession ). He shut down from power button and went to bed. I checked it this morning.
    His User Profile has been altered by a Hijacker ( I do not believe this to be the Windows Temporary Profile, which will sometimes activate when there is a logon problem ). It looks quite strange, and is specific to enable something to control operations.
    Screen looked different from usual Windows scheme:
    'User Environment': Windows cannot load the local User Profile.
    Possible cause of the error include insufficient security rights or a corrupt logon. If problem persists, contact your network administrator.'
    ( 'ok' box. If not clicked, a 2nd box appears after a seconds countdown )

    2nd box: 'User Environment': Windows cannot find the local profile, so is logging you in with a temporary profile. Any changes you make in this profile, will be lost when you shutdown.'
    ( 'ok' box. If not clicked, disappears after seconds countdown. )
    Proceeds to load Profile with my husband's name and the same User picture.
    Bliss background loads, with Start Programs Menu displaying ( on its own ), in the primary screen you would see if you clicked on 'Start'.

    The menus that I looked at in Control Panel/Internet Options, etc. are NOT the same as those of WinXP Pro ( I compared them to mine ).
    There is, for example, a Submenu entry called 'MS VM'; which has the following enabled: 'JIT Compiler for Virtual Machine enabled ( requires restart )'. Settings are Custom rather than the Default in some specific areas.

    Under this new Profile, scans with Norton, SpyBot S&D come out clear; but the programs open very slowly.
    I did HijackThis log, but am not sure if it is showing anything; although I suspect a few of the entries.
    I disabled the Network connections my wireless network uses, and took the system offline; ( in order to check MY system, which had also not been started since running scans ( all normal ) on Thurs. morning before we left for the weekend. )
    I ran scans on his system again after disabling the adapter and removing the network connections: all clear again.
    I checked his email from my computer: he has gotten some SPAM email, where he is signed up for newsletters. He doesn't do email, and never signs up for anything; so this is interesting.

    3) My System:
    Startup normal.
    * Found Ad-Aware tampered with: all records of removals, quarantines, and scans gone, settings changed.
    *SpyBot S&D had been downloaded and installed, and integrated into my original SpyBot installation somehow ( I did NOT download it; no one else has access to my system ).
    ( I Uninstalled AdAware, and SpyBot S&D, and downloaded both ( to a folder I made ); reinstalled both. AdAware will not allow updates; but did the most recent update from Online ( to folder I created ). )
    Ran Fast Scan: showed 132 infections ( ad tracking cookies ). Removed only 10. Log shows quarantine of 6. Will not quarantine all, will not remove ( unless after shutdown/reboot ).
    Ran Complete Scan: 65 showed up, all removed
    *Ewido scan: 3 low-level ad cookies, removed
    *Norton scan: showed no infections
    ( Spyware Blaster is also installed )
    *Ran HijackThis: not sure, but appears to be listing normal, identifiable things
    *Norton shows 36 items blocked under 'Privacy' today:
    things like: google analytics, pageAd2 google, a tribal fusion, pixel quantserv
    *Norton shows info sent by my computer today:
    edge.quantserv, google syndication, tribalfusion; and many 'Connection Redirects' with 'Aboutblank'
    *No Profile altering at this startup, no different SPAM emails
    Have not shutdown/rebooted yet, since I am still researching and investigating.

    *Both systems have only one User Profile with Administrator Rights ( which I set up ).
    *Neither system is able to run the following online scans:

    ( adjusting security settings to lower, allowing ActiveX, did not help )

    Does anyone have any idea what this is, and how I can correct it?

  2. abri

    abri MajorGeek

    Hi Ravenquille,
    Welcome to Major Geeks!

    Please try to take each machine back to a restore point which predates the installation of the TweakUI. Something indeed is going on, but it would be nice to find the easiest solution before you dive into the more complex malware removal procedures.

    If you have not done this before, go to Start / All Programs / Accessories / System Tools / System Restore
    check the box to Restore my computer to an earlier time and click on Next. You'll see a calendar with highlighted dates. Choose one of the dates just preceding the installation you described and allow your system to return to that date. See if the problem goes away.

    If this helps with the first computer, for the other computers, if they're all networked, return them to the same date as the original computer.

    Let me know how this goes.

  3. Ravenquille

    Ravenquille Private E-2

    Hi Abri, thanks for the Welcome,

    I have never used System Restore, as I have always opted for the wipe-the-drive, and fresh-install method. I have also encountered a few 'No Restore point' available situations.
    I have a question:
    I understand that Windows System Restore takes the state back to a previous stable date; but what exactly does it affect?
    ( just the OS? or will it also remove recently installed programs, updates, drivers, or personal files ( docs, pics, music ) which you recently created? )

    I might be able to use it on my system, depending on exactly what it will alter; but I don't know if it would work on my husband's Laptop and Desktop.
    ( If it affects more than Windows itself, I don't know if it could be used in my husband's two systems, since I have very recently redone both:
    Laptop: Toshiba restore/OS, and complete fresh installations of software, all done on the same day
    Desktop: installed new HDD, so everything from scratch on up is a recent installation, and done on the same date ).

    Problem originated with the Laptop and TweakUI:
    TweakUI in the Laptop, was installed the same day everything else was done; so, that day would be the earliest available restore point. In that case, would it just go back to the point where ONLY the OS was installed ( before any programs, updates, etc. were installed? )

    ( The Networking is Wireless, and for Internet sharing only; no file or printer sharing. My Desktop is the Host, with Cable Modem/Router. )

    My system has been continuously 'protected' by:

    Norton Internet Security 2005
    Spyware Guard
    Spyware Blaster
    SpyBot S&D
    Spyware Doctor ( fairly recently removed due to inability to update )

    Husband's Laptop had Norton Internet Security 2004 installed, and updated before installing Spyware Doctor, SpyBot S&D, and AdAware

    His Desktop with new HDD/fresh installations had Norton Internet Security 2004 installed/updated, before installing SpyBot S&D ( TweakUI was on previous HDD, when used created odd problems. TweakUI has NOT been installed on this new HDD, however. )

  4. abri

    abri MajorGeek

    Hi Ravenquille,

    System restore does not affect data files like music, documents, photos, etc. It takes the registry back to an earlier restore point and if you installed programs on that day, it uninstalls them. It may be if you go as far as the calendar in the instructions I gave you and click on a date that is in bold print, that you will find multiple restore points for that day and that one of them will precede the installation of Tweak UI. See if that is the case. If there are more than one on a certain date, they will be assigned a time stamp so you know which are the earlier ones and they will say what they refer to, so one of them might be called Tweak UI.

  5. Ravenquille

    Ravenquille Private E-2

    Hi Abri,
    I did System Restores on all 3 systems.

    1) Laptop: restored to 4/12, day after complete Toshiba Restore/Install CDs used; some things installed on that second day ( not taking it back to the 1st day of the initial Redo/OS install, because this would kill the Belkin Network Notebook card, Network Settings/Internet Settings ).
    TWEAKUI is still there, obviously went in on the first install day ( before I uninstalled it ).

    Desktop arrived with an interesting attempt to install something called 'TrayApp'. First boot, this arrived appearing to be connected with an attempt to re-install Pinnacle Media Center ( which was already installed ). The 'TrayApp' window wants to install from the CD drive, and points to something labeled simply as '1' which it seems to be looking for.
    2nd Reboot: Again the TrayApp installation attempt; this time associated with PC Remote ( related to Pinnacle ). Same TrayApp media search for CD screen. This is hard to close, keeps popping up. CTRL/ALT/DEL numerous times to get it off.

    *Following programs cannot be uninstalled via Add/Remove or via their 'Uninstall' option:

    Pinnacle Media Center
    Studio 10

    A few 'Error Reporting' Windows: chose always 'Don't Send'

    Discovered that Google and Yahoo are monitored, can't open many things; especially things related to SpyWare Removal.
    MajorGeeks opened very slowly; with all downloads listed for AdAware and SpyBot S&D inaccessible! Total lockup/turn off from powerbutton/reboot
    Used MAMA to get to MajorGeeks; opened fast.
    Downloaded the following from Australian Mirror/to Programs/Installed:

    SpyBot S&D ( 11 entries for Wild Tangent were removed )
    Spyware Blaster
    Advanced Spyware Remover ( 2 SpyBots removed, a lot of cookies )
    MalwareBytes Anti Malware ( Clear )
    Norton Scan ( Clear )
    ( have logs )

    Google and Yahoo still monitored/controlled
    MAMA can be used on Laptop

    Still, obviously, a problem; but seems better

    2) Husband's Desktop:
    System Restore to 4/21; day after new HDD installation/and full installations of everything. TWEAKUI not installed.
    Original Profile is back, intact.
    IE: got screen to sign in for Windows ID ( don't have one ). Took awhile for me to get out of this screen. ( Looking for Accounts/Passwords, Personal stuff apparently )

    Weird behavior trying to open 'TitanTV Listing' slow to open, can't be used ( this goes with a DVR, and local cable ). Total lockup once, rebooted

    Google and Yahoo monitored/controlled; heavily. Slow or impossible to open certain things, pictures not forming right, or can't be opened.

    MAMA or Copernic can be used NORMALLY: except that TitanTV still cannot be accessed properly or used
    ( this may have something to do with my husband having an account/password, I am suspecting )

    Was able to use Copernic to download SpyWare Doctor and run scan: 3 low level infections and a few minor cookies, all removed
    ( He wanted to surf last night, so that is all I did with that )
    He said it was fine except for all he was looking for.

    Today, he found that Yahoo and Google would not display graphics/photos; I changed him over to Copernic and it was fine there.

    3) My System ( the Host ):
    Restore to 2/10

    I had TWEAKUI for a long time, but never opened it at all; as of 2/10/08.
    Opened AdAware to update. Apparently had a weird 'install script' connected to it ( was already installed ); and enacted when I tried to do an update. Could not update.
    SpyBot S&D update was not possible
    SpyWare Blaster kept 'unprotecting' when I enabled all
    Norton appeared tampered with, permitting too many Ads

    Did a 2nd Restore to 1/30/08: the last one I have available.

    TWEAKUI still there, as I had it on my system for a long time; still never opened it as of 1/30/08.
    Norton still showing too many permissions in Ads List ( tampering )
    Spyware Doctor update done/removed quarantined items
    Full Scan run: 1 low level tracking cookie

    Downloaded installed from MajorGeeks, through Australian Mirror:

    Advanced Spyware Remover
    MalwareBytes AntiMalware
    Updates to both
    Ewido updates
    ( all through Copernic )

    MalwareBytes scan: removed 1 Dialer: C:\WINDOWS\system32\WinTab.32.dll
    Advanced Spyware Remover Scan: removed 1 low level tracking cookie
    Ewido scan: removed many cookies, and 4 high risk Downloaders:

    Small.edw ( C:\5380276.exe )
    Tiny.fy ( C:\61399.exe, C:\80243647.exe )
    Small ( C:\WINDOWS\cmp32.exe, C:\WINDOWS\kdbf:32.dll )
    Goldun.od ( C:\WINDOWS\system32\wavvie2.dll )

    Not displaying any problems, things are being caught or found; but need to clear.

    I can completely reload my husband's laptop and desktop; but cannot reload mine, as I currently have no OS CD ( shop is looking for it, will replace or give me an OEM ). I do NOT want to wipe my system due to extremely large amount of crucial files, in any case.

    What is the best way to proceed now?

    Thanks, Ravenquille
  6. abri

    abri MajorGeek

    Hi Ravenquille,

    Your descriptions are complex in part due to the fact that you're bringing in more than one computer and some of the scans you describe are not those which are part of our standard cleaning procedures. First of all let me ask you about this:
    I misunderstood when I read this, thinking that you had already tried running the procedures in the READ & RUN ME FIRST. In these procedures we ask that you download, install and run the following programs:

    Spybot S&D

    The reference you make to Advanced Spyware Remover and Ewido doesn't have anything to do with this. Since you are finding malware despite the recent installation, I would like for you to first concentrate on your own computer. With the particular programs I listed, and that you can find the links for in the link below, it shouldn't matter which browser you use to download them. They can be downloaded onto an external medium and transferred if necessary, for instance, in situations where there is no internet connection available.

    See if you can follow the procedures from beginning to end in the READ & RUN ME FIRST and attach those logs you are able to get. If you have already run a scan (MalwareBytes) you can skip that one, but try to run everything else in the order it is described. Also, if you can't do one of the steps, make a note of what happens and continue on. This will give us more information to work with. Go as far as you can and let us know how this goes.

  7. Ravenquille

    Ravenquille Private E-2

    Hi Abri,

    1) Yes, with 3 computers, I realize that there may be more than one problem at play here; and confusion reigns!

    2) No, I had not yet attempted the specific listing of cleaning methods on your site; was waiting to see if, perhaps, you might recommend additions or changes to that method, regarding the specific set of problems I am having.

    3) Ok, I will work specifically on my own system first; since it is the Host on my Wireless Network. ( It is the least problematic, and functional, of the 3. )
    ( And will follow the READ ME, and use the specific programs recommended ).

    4) And YES, strangely enough, it definitely does matter which browser is used ( at least with the 3 systems here ). I tested this for hours. Yahoo and Google absolutely can't be used: only Copernic and MAMA.

    5) From MajorGeeks Download page, ALL downloads related to AdAware CANNOT be accessed at all.
    ( did not test this on other Download websites; just MajorGeeks, which is the site I have preferred to use )

    6) From MajorGeeks Download page, ANY of the programs I did download could NOT be downloaded from ANY US MIRROR ( I tested this extensively ).
    Australian Mirror worked fine.
    ( did not test this on other Download websites; just MajorGeeks )

    Ok, I am off to get at it. Don't know if I can complete this today, as I have to go out for awhile.

  8. Ravenquille

    Ravenquille Private E-2

    Hi Abri,
    My computer is done, followed instructions exactly; results not too rewarding, still problems.
    I am attaching SASWlog, MGTlog, and my NISlog ( I will explain why ).
    Encountered some interesting things:

    1) MajorGeek website-related:

    *my 'remember-me' set password was, now, no longer set when I came to do this post ( was always intact before )

    *all parts of website opening very slowly ( now, not before )

    *noticed numerous programs showing up as inaccessible ( sort of greyed-out/dimmed, and not 'clickable links' ). Others normal.

    *ONLY Australian Mirrors could be used for download of programs!

    *Some of the programs downloaded from MajorGeeks are being hijacked. Either coming into my system corrupted in some way; or are being corrupted/altered as soon as they get into my system:

    a) SpyBot S&D:

    ( Note: I already had this program. Checking it out, I found a second installation which looks very different ( done by downloader apparently ). The program is altered/hijacked; so I tried to uninstall it from Add/Remove. Neither could be removed; even with removal from Registry. I tried to circumvent this situation by downloading it afresh, and saving it in an odd place ( I created a file in Programs, called 'Cookbook', and saved it there; installed it there. )

    * It downloaded fine; but would not install until I disabled the automatic update in the installation process. Problems when I was about to run scan. Got a window which said:
    'You need to install the detection update first by using the integrated update or manual updater'.

    * I decided to use the update on MajorGeeks. Downloaded fine; I saved it to the Cookbook/SpyBot S&D file, and installed it.

    * Ran scan. Instant finish, showing no results.
    ( Existing or new installations of SpyBot S&D are being hijacked/altered. )

    b) Combofix: Downloaded fine, saved to Desktop. Renamed icon to cf.exe. Did cc/v command line to Run. At this point, I think it is being hijacked/altered ( I have never seen this before, but this looks weird to me ):

    *small blue screen, then a Software Warranty window, with the 'yes or no' boxes. Selected 'yes'.

    *Got a window which said: Confirm
    'Roughly 1/100 machines failed to make it through the disinfection process!
    Are you sure you want to do this??
    'Yes and No' boxes.

    *I tried to research this, by searching for 'Using Combofix' in Copernic.
    Search was instantly controlled. Would not search, no progress. Checked other search subjects: were fine. Noticed that cable modem and wireless router showed no movement at all. Unplugged and replugged cable modem and router. Tried search again; still would not work. Exit Copernic.

    *Got a Windows System Error: 'IP Conflict with another system on the network'
    Suspicious: Laptop was unplugged, and the other Desktop system was turned off.
    Checked my Send/Receive Email function to see if that was operative; it was.

    *Checked Norton Internet Security Status/Connections: Two interesting entries related to the Combofix problems appear. Norton Log File attached for this reason. ( 1040 and 1218 ports' activity: 2nd and third entries )

    *Script Error Window in Norton: shows URL as 'about blank'
    ( has been coming up for quite awhile )

    2) Browser-related:

    Copernic and MAMA, in general open and function freely. ( Google and Yahoo in both other systems are clearly hijacked, problematic. I never use them in my system; I use only Copernic. )
    Copernic is also, now, 'monitoring' Malware-related search words:
    'Malware Removal', 'AdAware', 'Spybot S&D', 'Spybot S&D Updates', 'Combofix', 'Using Combofix'. ( Not totally stopped; but will either not do the search at all, or will proceed abnormally slowly; getting 'Cannot Open Page'. ) I had to go to MajorGeeks to get the Spybot S&D update; as I could not access it on Patrick Colla's website.

    3) QUESTION:

    Ewido previously quarantined 2 instances of
    ( Proxy.Delf.cc ), in the following locations:


    ( I did NOT remove these, or empty the quarantine, because I don't know if they can safely be deleted or not, or if these are still in the system since I have taken it back to a January Restore point. )

    That's as far as I can get. Something is still at work.

    ( Keeps 'Unlogging me' here in the Forum too. Apparently doesn't like MajorGeeks at all! )



  9. abri

    abri MajorGeek

    Hi Ravenquille,

    I would like to start by saying that the Remember Me button for this website has never held my password information. Since you seem to be a newly registered member of the forum, I'm not sure how you can say that it has always held this information for you in the past and is no longer doing so.

    Also, I need to add that the experience you describe of being limited to only Australian mirrors and that the programs you have downloaded from here are corrupt has only thus far been reported by you. If this were a problem in general for the website, we would be getting an onslaught of complaints. Therefore, let's consider the possibility that your computer has been affected in some specific way rather than assuming that the website has been hacked.

    I would like to look at your logs now and see if I can see signs for a possible redirect in your logs which might point at a possible explanation for corrupted software. It's possible there are viruses on your computer which are disabling your protection software, and Spybot S&D is as targeted as any other protection software when it comes to viruses which attempt to shut them down. Additionally, I would like to mention that there is a program out called Spybot which has nothing to do with the one produced by Safer Networking. It is fraudulent. It costs money and plays on Spybot's good name and reputation to hook people into buying it.

    Ewido was purchased by AVG - Grifsoft.

    Thanks for your patience.
  10. abri

    abri MajorGeek

    Hi Ravenquille,

    I would like to add this to my previous post. There's nothing obvious wrong with your computer based on the logs you posted. I would like to see the combofix log as there are infected restore points on your computer and this generally indicates there is a current infection which is still there or there was an infection. I would also like for you to run an online scan which is quite thorough but picks up things which other scans don't always find. Additionally, there are a few things which I will post to you below which need to be done to make your computer safer, but first I would like to clarify a few things.

    Combofix does tell the user that one in 100 computers may experience some problems as the result of using this tool. It's one of the best tools for removing malware, which is why we use it, but it does carry this risk with it.

    Secondly, I'm not sure if I already posted this, but there is some confusion regarding browsers and search engines. Internet Explorer, Firefox and Opera are browsers. Google, Yahoo, Mama and Copernic are search engines. Each of these keeps a record of your browsing habits. You can reduce the effect of these records kept on your searches by adjusting your settings and by using tools like CCleaner to erase your cookies, temporary internet files and history.

    Thirdly, you seem to have protection software on your computer which is not current. Please go to add/remove programs and uninstall the oldest versions of Spybot S&D. You have two versions in Program Files which are both recent. Additionally you mentioned that you made an extra directory called Cookbook in which there is a third version and you have a version in add/remove programs listed as version 1.4. However many there are installed, there needs to be only one and it should be the current version which is Check to make sure the version you keep is this one.

    While you are in add/remove programs, please uninstall both Viewpoint Media Player and Viewpoint Manager (Remove Only)

    This program - ewido anti-spyware 4.0 - was purchased by AVG some time ago. Is your version current? If not, please uninstall it.

    In add/remove programs you have Norton Internet Security and Norton Antivirus both from 2005. Are these the current versions? Have you been keeping them current with upgrades? Has there not been any requirement since 2005 to reinstall a new version?

    And now, I would like for you to go to Running BitDefender Online Scan This is a thorough scan which requires the use of Internet Explorer and you have to have Active X enabled. It will ask you if it can download and this will refer to the Active X component it needs in order to run the program. After that it will ask if you agree to the conditions. Be sure that you have it fix everything it finds. Please follow the instructions in the link listed here so that you will produce a log which is usable for us when you finish.

  11. Ravenquille

    Ravenquille Private E-2

    Hi Abri,

    1) 'Remember Me' selected, did 'remember me' previously and allowed me to be logged in when I came to the forum, without re-entering Username and Password. This changed, and I had not changed it; at the time I posted about it. Today it had my stored Username and Password, apparently.

    2) Combofix Message Box: Ok, it is a valid screen. This screen wasn't mentioned in the Instructions, and as I had not seen the program in operation before, I was suspicious of it; thought it would be safest to ask before hitting 'yes'.

    3) Browser/Search Engines: Sorry, I do know the difference.....a lot of typing, notes, and I was half asleep.....

    4) MajorGeek website problems: Yes, let's hope there is no website hack ON the website. There is clearly something causing MY computer to be unable to access certain things, and download only from the Australian Mirrors. All very weird, but I am trying to describe what I am experiencing as clearly as I can.

    5) Removed Viewpoint Manager and Viewpoint Media Player

    6) Uninstalled Ewido 4.0

    7) Did the BitDefender Online Scan

    8) I have Norton Internet Security 2005; and updates have run out. This was an OEM installed by the shop, I have no CD ( friends of mine trying to do me a favor ). I have 2004 never used as of yet ( because of their having installed 2005 ); the other 2 systems here are using 2004, current install with updating.
    I have not wanted to tamper with much of anything because I currently do not have an OS CD. ( It went to the shop, they mislaid it; installed OEM OS. They never mentioned this; I discovered it. I am currently in the process of trying to get my original CD or a replacement; since they lost it. )

    9) SpyBot S&D: There were 2 older versions on my system. I was only able to uninstall 1 of them. The remaining one will not uninstall; says that unins000.dat does not exist and cannot be installed.
    The file folders for this instance of SpyBot S&D have some odd files:
    unins000.dat 17KB NeroMediaPlayer Media File dated 4/23/08
    unins000.msg 11KB Outlook item dated 4/23/08
    messages.zres 26KB ZRES File dated 4/2/08

    I did try to remove both of these, before I downloaded the latest SpyBot S&D version. This one, I saved to Programs\Cookbook. I have not tried to install it; have been keeping an eye on it. The date showing now, is 5/1/08; but I did NOT download/save it today; nor did I access it at all. I am assuming it is also infected/affected in some way.

    10) Installed and Ran Combofix

    11) Combofix log attached, BitDefender Log attached
    ( The Save Report screen would NOT allow me to save in any other format but the HTML being forced. I typed the log out, lol! )

    Thanks, Ravenquille


  12. abri

    abri MajorGeek

    Hi Ravenquille,

    What I'm seeing in your logs so far is that you had some infections on your computer which have been removed. You have some infected restore points, but we ask that you leave your restore points as is until we finish here with your computer. In your case, this is especially important if you don't have a recovery disk for your operating system.

    Some of the things you say are not always exactly clear. For instance:
    "I have Norton Internet Security 2005; and updates have run out. This was an OEM installed by the shop, I have no CD"

    You have Norton Internet Security 2005 installed. But in your logs, it shows you have much more than this. It shows you have their antivirus, their Anti-Spam, their Network Drivers update, their Script-blocking update and their firewall. It appears you got updates from them on March 5th. Is this when you put this software in the computer? How did you get those updates?

    You write that your "updates have run out. This was an OEM." Does the updates statement refer to your Norton? Or does it mean your Windows Updates and refer to your OEM XP operating system?

    My experience with Norton/Symantec in general, is that if you don't have a current version, it will not protect your computer. Therefore, I think in your case it would be useful to take the steps to properly uninstall it (no easy task) and get it completely out of your system and replace it with a working and current free resident antivirus program and two-way firewall.

    If you would like to do this, I will post the steps for you. In order to keep your computer protected while we're removing one antivirus program and installing another one, I will have you download what you need and then have you run the steps disconnected from the internet, so that when you boot back up your computer will be protected.

    Let me know if you would like to try that.

    Before you do that, I would like for you to run two rootkit scans. Please go to Alternate Scans. Scroll about halfway down the page and find the list of rootkit scans. Please use the instructions for running GMER. Then I would like for you to also run Silent Runners.

    Please attach the logs for these two scans and let me know about what can and cannot be updated of your Nortons and Windows.

  13. Ravenquille

    Ravenquille Private E-2

    Hi Abri,

    I rescheduled some things I had to do today, and decided to stay here and stick with this computer situation. So, I am here all day/evening to get at whatever your recommendations are.

    Here are the GMER and SilentRunner Logs.


    Attached Files:

  14. abri

    abri MajorGeek

    Hi Ravenquille,

    Combofix removed some things that needed to be removed. I've looked through all of your logs and your computer looks good now and I don't think there is much we can do further in terms of removing malware. However, if you're using outdated and non-updatable security software, it would be better to remove it and install programs which are updated daily.

    You may find that some of the problems you've been experiencing with Google and Yahoo are directly related to Norton. It is a very insidious program which sets up restrictions in ways which can reduce your browsing quality in the name of security. I expect this is one of the problems you've been experiencing. You did have some malware, but it seems to be gone from what your scans show.

    If you would like to continue, I would ask you to do the following. To begin with, please go to How to Protect Yourself from Malware and look for the list of free antivirus programs. Choose one of these (I use AVG and like it, but would at the moment recommend Avast, because AVG is moving up an upgrade and may still be buggy). Download the installation program and put it in somewhere where you can find it later. Do not run it to install the program. We will do that later!

    Next please go to Removing Files from Norton Antivirus Quarantine. If you have any files in quarantine, remove them using this tool.

    After you complete this or decide it does not apply in your case, then I would like for you to print out these instructions and those with the associated links from here on, because I'm going to ask you to physically unplug your computer from the internet. When you have the instructions, please disconnect it from the internet.

    Boot back up and see if you can disable your Norton antivirus program. Usually there will be a possibility to do this by right-clicking on the icon or by opening the program and finding a way to disable it. If you can disable any of the other Norton programs, do this as well.

    Then I would like for you to run the Norton Removal Tool & Instructions from Symantec.
    Read the warning associated with it to see if it is a concern for your computer. If so, back up the data as they request.

    After you complete the above, reboot your computer.

    Find the installation program for the new antivirus program you will be installing and run it. After it is installed, RE-connect your computer to the internet and allow the program to update.

    Then go to How to Protect Yourself from Malware and look for the list of free firewalls. Choose one of these and download and install it on your computer. If you choose Zone Alarm, it will do a quick check of your computer at the start to look for known programs and will allow these to connect to the internet.

    Let me know if you decide to do this and how it goes.

    Finally, I wanted to ask you what is in the following folder? Is it something you installed?

    C:\Program Files\WinErrorCode Program

    Will wait to hear back from you.

  15. Ravenquille

    Ravenquille Private E-2

    Hi Abri,
    I did all the Downloads for the programs I have chosen to use ( saved/not installed yet ):

    1) AVAST!
    2) Online Armor
    3) ComodoBO Clean Anti-Malware
    4) VM Java Removal Tool ( I already did removal, but will double check with this tool )
    5) Norton Removal Tool

    * I have no Norton Anti-Virus Quarantines

    Going offline now, unplugging Cable Modem, to do removals/reboots, and installations!

  16. abri

    abri MajorGeek

    Hi Ravenquille,
    I have to sleep now. I'll look for your post tomorrow to see how things went. :)

  17. Ravenquille

    Ravenquille Private E-2

    Hi Abri,
    I hope you had a restful sleep; I hope to fall into unconsciousness soon myself, lol!

    The WinError Program is a Utility to explain some Windows Error Codes. I haven't opened it, as of yet.

    Did all the Uninstallations, new Installations, and Updating. All went smoothly.

    Removed Norton Internet Security Suite 2005
    Removed Spyware Doctor
    Removed Spyware Guard
    Old Version Spyware Blaster

    I also did some Registry Cleans with CCleaner ( on software uninstalled and a keyboard/mouse no longer in the system: Jasc PaintShop Pro9, QLock, AdAware Personal 1.4, Skype, old version Spyware Guard, Spyware Blaster, Spyware Doctor, Norton Internet Security, etc. ).

    I chose to install:

    Online Armor
    ComodoBO Clean
    Latest Version Spyware Blaster
    ( and I still have the following: )


    I have a few questions:

    A) Online Armor:

    1) How do you get Updates? Or aren't there any in the free version??
    *In Settings under 'General', it is set for 'Manual' ( no choices to select )
    *There is a button for 'Internet' ( a proxy setup window )
    *Right clicking on Shield Icon on Start Bar has 'Check for Product Updates' greyed out

    2) There are some features greyed out; are they supposed to be?
    * Mail Shield
    *Web Shield
    *My Websites

    B) Avast!:

    1) What is the best setting for 'Logging'?
    'Notice' by default; but has Emergency, Alert, Critical Error, Error, Warning, Notice, Info, and Debug

    2) 'Check floppy', 'Check CD', 'Check other removable media' when logging off
    ( not selected by default; is that a good setting? )

    3) Alerts:
    How to get Virus Alerts ( WinPop, MAPI, ICQ, Windows Messenger, SMTP, Printers )
    This is how other people are notified that you have a virus on your computer.
    ( I have never seen anything of this type before; other than notices in an email from my ISP. ) What about this?

    I may not be out of the woods yet after all that.

    1) SpyBot S&D still cannot be Uninstalled from any method ( Add/Remove, CCleaner, direct Registry removal ); still has odd files in the file folders. Obviously still hijacked. Am not going to open it.

    2) SUPERAntiSpyware may have, now, been altered/hijacked:

    In Preferences:

    Cannot select RealTime Protection
    Cannot select First Chance Protection
    Cannot deselect 'Do not scan when program starts'

    But, CAN select and run scans from 'Scan' menu; however they appear to possibly be controlled:

    Did Custom scans of Memory and Registry separately, to check them, because the inclusive Quick Scan looked bizarre as I watched it progress. It showed 491 Memory items, 104 Registry items; but the counter stopped at 104 and the process of Registry checking kept on running. I stopped the scan and did custom scans of Memory and Registry, separately:

    Memory scan listed that it scanned only 491 items.
    Registry scan listed that it scanned 5678 items; but the counter stops and the scan line keeps on going.
    The log report says that the Registry scan only scanned 52 items; and, of course, everything is clear.

    Ran Silent Runners
    Ran Combofix
    Ran BitDefender
    Ran gmer.exe
    Ran MalwareBytes ( found 1 Rootkit.Agent, quarantined )
    This is new; no Rootkit.Agent was found before.

    Attaching some new logs.
    It is 3 AM, and I have been at this almost constantly from about 9 AM; now I have to get some sleep.


    Attached Files:

  18. Ravenquille

    Ravenquille Private E-2

    Another log.


    Attached Files:

  19. abri

    abri MajorGeek

    Hi Ravenquille,

    I would like to know what's in the Spybot folder you're referring to. You can open a folder without it activating any programs, just don't click on the files. Please open it and tell me what files are in there and where this folder is located and what it is called.

    The problems started with TweakUI.

    You still have some Symantec on your computer. I would like to see if any of it is active.

    Please run CCleaner at the default setting with the Windows tab as the top one.

    Then run C:\MGtools\GetLogs.bat and attach the fresh MGlogs.zip.

  20. Ravenquille

    Ravenquille Private E-2

    Hi Abri,

    ( My forum UN and PW not stored again.... )

    I am attaching the CCleaner and MG files.

    Here are the file listings for the two incidents of SpyBot S&D:

    1) Name: Spybot Search & Destroy

    Folder: Dummies
    Files in it:
    dummy cd_clint.dll
    DLL (GUI)

    Folder: Includes
    Files in it:
    MSInfo Document
    1,009 KB

    Folder: Plugins
    ( TCPIP Address.dll )

    Folder: Updates
    Files in it:
    Configuration Settings
    9 KB

    Configuration Settings
    62 KB

    Folder: Help

    Folder: Languages
    Files in it:
    English.SBL
    SBL file
    66 KB

    Folder: Skins
    Files in it: 3 Configuration Settings, all 1 KB

    Maps TCp and UDP ports to the ow..

    Borland Memory Manager

    Borland Compatability Memory Man....


    Bibliothek fur Spybot-S&D



    Bad download blocker

    Default configuration.ini
    Configuration Settings
    3 KB

    Configuration Settings
    3 KB

    Safer Networking Limited

    Piky Basket Setup
    Conceptworld Corporation

    Spybot-Search & Destroy
    Safer Networking Limited

    Systems settings protector
    Safer Networking Limited

    External updater
    Safer Networking Limited


    2) Spybot Search & Destroy(2)

    Folder: Dummies
    Files in it:
    dummy.dap.gif

    Folder: Includes(2)
    Files in it:
    Adware.sbi, Adwarec.sbi
    Cookies.sbi, Cookies.sbs
    Dialer.sbi, Dialer.sbs, Dialerc.sbi
    Hijackers.sbi, HijackersC.sbi
    Keyloggers.sbi, KeyloggersC.sbi
    Lsp.sbi, Lsp.sbs
    Malware.sbi, Malwarec.sbi
    Pups.sbi, Pupsc.sbi
    RegXLinks.sbs
    Revision.sbi, Revision.sbs
    SecurityC.sbi, Security.sbi
    Spybots.sbi, Spybotsc.sbi
    Spyware.sbi, Spywarec.sbi
    Trojans.sbi, Trojansc.sbi

    Folder: Updates(2)

    Files in it:
    UIZ File
    8 KB

    Folder: Help
    Files in it:
    Compiled HTML Help file
    468 KB

    English.license.txt
    Text Document
    6 KB

    Folder: Languages
    Files in it:
    SBL file
    82 KB

    SBL file
    58 KB

    ZRES File
    26 KB

    Outlook Item
    11 KB

    NeroMediaPlayer media files
    17 KB

    Attached Files:
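When a helper asks what is in a program folder (as abri does above) and the folder has two copies with slightly different contents (as in the listing just posted), a reproducible inventory is more useful than a retyped directory view: file paths, sizes and content hashes let the helper compare against a clean install without anyone opening the files. The script below is an added example, not code from the thread or from Safer Networking. The folder paths and every file in them are constructed stand-ins modelled on the names in the post; the contents are made up, so the hashes mean nothing outside this demonstration. For real use you would pass the two actual folder paths to `report()`.

```python
"""Inventory two program folders and compare them by path and SHA-256.

Added example. Nothing under the inventoried folders is executed; only
file metadata and bytes are read for hashing.
"""
import hashlib
import tempfile
from pathlib import Path


def inventory(root):
    """Return {relative_path: (size_bytes, sha256_hex)} for every file under root."""
    root = Path(root)
    result = {}
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        digest = hashlib.sha256(path.read_bytes()).hexdigest()
        result[path.relative_to(root).as_posix()] = (path.stat().st_size, digest)
    return result


def compare(inv_a, inv_b):
    """Split two inventories into: only in A, only in B, identical in both,
    and present in both but with different content (hash mismatch)."""
    only_a = sorted(set(inv_a) - set(inv_b))
    only_b = sorted(set(inv_b) - set(inv_a))
    common = set(inv_a) & set(inv_b)
    same = sorted(p for p in common if inv_a[p][1] == inv_b[p][1])
    changed = sorted(p for p in common if inv_a[p][1] != inv_b[p][1])
    return {"only_a": only_a, "only_b": only_b, "same": same, "changed": changed}


def make_constructed_folders():
    """Build two small constructed folder trees in a temp directory.

    File names follow the listing in the thread; contents are invented
    placeholders (assumption, for demonstration only).
    """
    base = Path(tempfile.mkdtemp(prefix="sbsd_demo_"))
    folder_a = base / "Spybot - Search & Destroy"
    folder_b = base / "Spybot - Search & Destroy(2)"
    files_a = {
        "Dummies/dummy cd_clint.dll": b"DLL placeholder",
        "Includes/Adware.sbi": b"adware signatures v1",
        "Languages/English.sbl": b"english strings",
        "Plugins/TCPIPAddress.dll": b"plugin placeholder",
    }
    files_b = {
        "Dummies/dummy.dap.gif": b"GIF placeholder",
        "Includes/Adware.sbi": b"adware signatures v2",  # same path, different bytes
        "Languages/English.sbl": b"english strings",      # identical in both
        "Help/English.license.txt": b"license text",
    }
    for folder, files in ((folder_a, files_a), (folder_b, files_b)):
        for rel, content in files.items():
            target = folder / rel
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_bytes(content)
    return folder_a, folder_b


def report(folder_a, folder_b):
    """Inventory both folders and return the comparison dictionary."""
    return compare(inventory(folder_a), inventory(folder_b))


if __name__ == "__main__":
    a, b = make_constructed_folders()
    for key, paths in report(a, b).items():
        print(f"{key}: {paths}")
```

The "changed" list is the one worth a second look: two copies of the same signature or configuration file with different hashes is exactly the kind of detail that a forum listing of names and sizes cannot show, and pasting the `inventory()` output (paths, sizes, hashes) gives a helper something to check against a known-good copy of the same program version.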
