User Profile hijack, Spyware program hijacking, etc.

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by Ravenquille, Apr 27, 2008.

Thread Status:
Not open for further replies.
  1. Ravenquille

    Ravenquille Private E-2

    Hi,
    I have a strange bunch of things going on in 3 systems ( on a wireless home network ). I can't get a handle on what type of 'nasty' is causing the mess, and how it is doing it; nothing has totally stopped 'it' so far.
    ( I am not certain that this is just 'one' problem at work, or if there is more than one, doing separate things. )

    1) I first noticed this problem with my husband's laptop, and the 'Uninstallation' of TweakUI.
    I installed TweakUI from the Microsoft official website. ( He wanted the laptop to open straight to desktop, in his User Account ( no logon screens of any kind ). ) I did some settings, and began to see strange behavior after installing and using TweakUI. I was suspicious of it, and decided to Uninstall. I got an odd window during the Uninstall process, and Norton Internet Security blocked a 'malicious script'. I could not Uninstall until I gave Norton permission to 'run once'. I did the Uninstall. Snowballing, weird stuff has been going on after the Uninstall. Messages about not being able to logon, slow startup to desktop, disconnects when online, mouse locks/total lockups.
    Laptop offline, turned off.

    2) I also installed TweakIU in his desktop, and did some settings within the utility. Never did an Uninstall of TweakIU in this system; but it has just recently been completely redone ( on a new HDD, OS reload, etc. etc. )
    I ran the following complete scans on Thurs. morning before we left for the weekend ( then shut down ):

    *Norton
    *SpyBot S&D
    ( all clear, saw no problems )
    *Spyware Blaster set ( for its listed maximum protections )

    Sat. night, my husband was online with this system. All was fine with startup. He opened his WinTV to watch tv ( onscreen ). This opened/loaded very slowly. He, then, tried to open TitanTV to get the channel listings, and it would not access his account to display this information ( there had not been a problem with either the program or the guide, previous to this ). System locked, he had to shut off from power button. Rebooted normally, but once at desktop, there was mouse movement, but mouse could not open anything. Shut off from power button again. Reboot. Desktop got 'User Environment' screen ( 2 screens in succession ). He shut down from power button and went to bed. I checked it this morning.
    His User Profile has been altered by a Hijacker ( I do not believe this to be the Windows Temporary Profile, which will sometimes activate when there is a logon problem ). It looks quite strange, and is specific to enable something to control operations.
    Screen looked different from usual Windows scheme:
    'User Environment': Windows cannot load the local User Profile.
    Possible cause of the error include insufficient security rights or a corrupt logon. If problem persists, contact your network administrator.'
    ( 'ok' box. If not clicked, a 2nd box appears after a seconds countdown )

    2nd box: 'User Environment': Windows cannot find the local profile, so is logging you in with a temporary profile. Any changes you make in this profile, will be lost when you shutdown.'
    ( 'ok' box. If not clicked, disappears after seconds countdown. )
    Proceeds to load Profile with my husband's name and the same User picture.
    Bliss background loads, with Start Programs Menu displaying ( on its own ), in the primary screen you would see if you clicked on 'Start'.

    The menus that I looked at in Control Panel/Internet Options, etc. are NOT the same as those of WinXP Pro ( I compared them to mine ).
    There is, for example, a Submenu entry called 'MS VM'; which has the following enabled: 'JIT Compiler for Virtual Machine enable ( requires restart ). Settings are Custom rather than the Default in some specific areas.

    Under this new Profile, scans with Norton, SpyBot S&D come out clear; but the programs open very slowly.
    I did HijackThis log, but am not sure if it is showing anything; although I suspect a few of the entries.
    I disabled the Network connections my wireless network uses, and took the system offline; ( in order to check MY system, which had also not been started since running scans ( all normal ) on Thurs. morning before we left for the weekend. )
    I ran scans on his system again after disabling the adapter and removing the network connections: all clear again.
    I checked his email from my computer: he has gotten some SPAM email, where he is signed up for newsletters. He doesn't do email, and never signs up for anything; so this is interesting.

    3) My System:
    Startup normal.
    * Found Ad-Aware tampered with: all records of removals, quarantines, and scans gone, settings changed.
    *SpyBot S&D had been downloaded and installed, and integrated into my original SpyBot installation somehow ( I did NOT download it;no one else has access to my system ).
    ( I Uninstalled AdAware, and SpyBot S&D, and downloaded both ( to a folder I made ); reinstalled both. AdAware will not allow updates; but did the most recent update from Online ( to folder I created ).
    Ran Fast Scan: showed 132 infections ( ad tracking cookies ). Removed only 10. Log shows quarantine of 6. Will not quarantine all, will not remove ( unless after shutdown/reboot ).
    Ran Complete Scan: 65 showed up, all removed
    *Ewido scan: 3 low-level ad cookies, removed
    *Norton scan: showed no infections
    ( Spyware Blaster is also installed )
    *Ran HijackThis: not sure, but appears to be listing normal, identifiable things )
    *Norton shows 36 items blocked under 'Privacy' today:
    things like: google analytics, pageAd2 google, a tribal fusion, pixel quantserv
    *Norton shows info sent by my computer today:
    edge.quantserv, google syndication, tribalfusion; and many 'Connection Redirects' with 'Aboutblank'
    *No Profile altering at this startup, no different SPAM emails
    Have not shutdown/rebooted yet, since I am still researching and investigating.

    *Both systems have only one User Profile with Administrator Rights ( which I set up ).
    *Neither system is able to run the following online scans:

    TrendMicro
    Windowsecurity.com/trojanscan
    ( adjusting security settings to lower, allowing ActiveX, did not help )

    Does anyone have any idea what this is, and how I can correct it?


    Thanks,
    Ravenquille
     
  2. abri

    abri MajorGeek

    Hi Ravenquille,
    Welcome to Major Geeks!

    Please try to take each machine back to a restore point which predates the installation of the TweakUI. Something indeed is going on, but it would be nice to find the easiest solution before you dive into the more complex malware removal procedures.

    If you have not done this before, go to Start / All Programs / Accessories / System Tools / System Restore
    check the box to Restore my computer to an earlier time and click on Next. You'll see a calendar with highlighted dates. Choose one of the dates just preceeding the installation you described and allow your system to return to that date. See if the problem goes away.

    If this helps with the first computer, for the other computers, if they're all networked, return them to the same date as the original computer.

    Let me know how this goes.

    Thanks.
    abri
     
  3. Ravenquille

    Ravenquille Private E-2

    Hi Abri, thanks for the Welcome,

    I have never used System Restore, as I have always opted for the wipe-the-drive, and fresh-install method. I have also encountered a few 'No Restore point' available situations.
    I have a question:
    I understand that Windows System Restore takes the state back to a previous stable date; but what exactly does it effect?
    ( just the OS? or will it also remove recently installed programs, updates, drivers, or personal files ( docs, pics, music ) which you recently created? )

    I might be able to use it on my system, depending on exactly what it will alter; but I don't know if it would work on my husband's Laptop and Desktop.
    ( If it effects more than Windows itself, I don't know if it could be used in my husband's two systems, since I have very recently redone both:
    Laptop: Toshiba restore/OS, and complete fresh installations of software, all done on the same day
    Desktop: installed new HDD, so everything from scratch on up is a recent installation, and done on the same date ).

    Problem originated with the Laptop and TweakUI:
    TweakUI in the Laptop, was installed the same day everything else was done; so, that day would be the earliest available restore point. In that case, would it just go back to the point where ONLY the OS was installed ( before any programs, updates, etc. were installed? )

    ( The Networking is Wireless, and for Internet sharing only; no file or printer sharing. My Desktop is the Host, with Cable Modem/Router. )

    My system has been continuously 'protected' by:

    Norton Internet Security 2005
    Spyware Guard
    Spyware Blaster
    SpyBot S&D
    Spyware Doctor ( fairly recently removed due to inability to update )
    AdAware
    Ewido

    Husband's Laptop had Norton Internet Security 2004 installed, and updated before installing Spyware Doctor, SpyBot S&D, and AdAware

    His Desktop with new HDD/fresh installations had Norton Internet Security 2004 installed/updated, before installing SpyBot S&D ( TweakUI was on previous HDD, when used created odd problems. TweakUI has NOT been installed on this new HDD; however. )




    Thanks,
    Ravenquille
     
  4. abri

    abri MajorGeek

    Hi Ravenquille,

    System restore does not affect data files like music, documents, photos, etc. It takes the registry back to an earlier restore point and if you installed programs on that day, it uninstalls them. It may be if you go as far as the calendar in the instructions I gave you and click on a date that is in bold print, that you will find multiple restore points for that day and that one of them will precede the installation of Tweak UI. See if that is the case. If there are more than one on a certain date, they will be assigned a time stamp so you know which are the earlier ones and they will say what they refer to, so one of them might be called Tweak UI.

    abri
     
  5. Ravenquille

    Ravenquille Private E-2

    Hi Abri,
    I did System Restores on all 3 systems.

    1) Laptop: restored to 4/12, day after complete Toshiba Restore/Install CDs used; some things installed on that second day ( not taking it back to the 1rst day of the initial Redo/OS install, because this would kill the Belkin Network Notebook card, Network Settings/Internet Settings ).
    TWEAKUI is still there, obviously went in on the first install day ( before I uninstalled it ).

    Desktop arrived with an interesting attempt to install something called 'TrayApp'. First boot, this arrived appearing to be connected with an attempt to re-install Pinnacle Media Center ( which was already installed ). The 'TrayApp' window wants to install from the CD drive, and points to something labeled simply as '1' which is seems to be looking for.
    2nd Reboot: Again the TrayApp installation attempt; this time associated with PC Remote ( related to Pinnacle ). Same TrayApp media search for CD screen. This is hard to close, keeps popping up. CTRL/ALT/DEL numerous times to get it off.

    *Following programs cannot be uninstalled via Add/Remove or via their 'Uninstall' option:

    Pinnacle Media Center
    Studio 10
    QuickTime

    A few 'Error Reporting' Windows: chose always 'Don't Send'

    Discovered that Google and Yahoo are monitored, can't open many things; especially things related to SpyWare Removal.
    MajorGeeks opened very slowly; with all downloads listed for AdAware and SpyBot S&D in accessible! Total lockup/turn off from powerbutton/reboot
    Used MAMA to get to MajorGeeks; opened fast.
    Downloaded the following from Australian Mirror/to Programs/Installed:

    SpyBot S&D ( 11 entries for Wild Tangent were removed )
    Spyware Blaster
    Advanced Spyware Remover ( 2 SpyBots removed, alot of cookies )
    MalwareBytes Anti Malware ( Clear )
    Norton Scan ( Clear )
    ( have logs )

    Google and Yahoo still monitored/controlled
    MAMA can be used on Laptop

    Still, obviously, a problem; but seems better


    2) Husband's Desktop:
    System Restore to 4/21; day after new HDD installation/and full installations of everything. TWEAKUI not installed.
    Original Profile is back, intact.
    IE: got screen to sign in for Windows ID ( don't have one ). Took awhile for me to get out of this screen. ( Looking for Accounts/Passwords, Personal stuff apparently )

    Weird behavior trying to open 'TitanTV Listing' slow to open, can't be used ( this goes with a DVR, and local cable ). Total lockup once, rebooted

    Google and Yahoo monitored/controlled; heavily. Slow or impossible to open certain things, pictures not forming right, or can't be opened.

    MAMA or Copernic can be used NORMALLY: except that TitanTV still cannot be accessed properly or used
    ( this may have something to do with my husband having an account/password, I am suspecting )

    Was able to use Copernic to download SpyWare Doctor and run scan: 3 low level infections and a few minor cookies, all removed
    ( He wanted to surf last night, so that is all I did with that )
    He said it was fine except for all he was looking for.

    Today, he found that Yahoo and Google would not display graphics/photos; I changed him over to Copernic and it was fine there.

    3) My System ( the Host ):
    Restore to 2/10

    I had TWEAKUI for a long time, but never opened it at all; as of 2/10/08.
    Opened AdAware to update. Apparently had a weird 'install script' connected to it ( was already installed ); and enacted when I tried to do an update. Could not update.
    SpyBot S&D update was not possible
    SpyWare Blaster kept 'unprotecting' when I enabled all
    Norton appeared tampered with, permitting too many Ads

    Did a 2nd Restore to 1/30/08: the last one I have available.

    TWEAKUI still there, as I had it on my system for a long time; still never opened it as of 1/30/08.
    Norton still showing too many permissions in Ads List ( tampering )
    Spyware Doctor update done/removed quarantined items
    Full Scan run: 1 low level tracking cookie

    Downloaded installed from MajorGeeks, through Australian Mirror:

    Advanced Spyware Remover
    MalwareBytes AntiMalware
    Updates to both
    Ewido updates
    ( all through Copernic )

    MalwareBytes scan: removed 1 Dialer: C:\WINDOWS\system32\WinTab.32.dll
    Advanced Spyware Remover Scan: removed 1 low level tracking cookie
    Ewido scan: removed many cookies, and 4 high risk Downloaders:

    Small.edw ( C:\5380276.exe )
    Tiny.fy ( C:\61399.exe, C:\80243647.exe )
    Small ( C:\WINDOWS\cmp32.exe, C:\WINDOWS\kdbf:32.dll )
    Goldun.od ( C:\WINDOWS\system32\wavvie2.dll )

    Not displaying any problems, things are being caught or found; but need to clear.

    I can completely reload my husband's laptop and desktop; but cannot reload mine, as I currently have no OS CD ( shop is looking for it, will replace or give me an OEM ). I do NOT want to wipe my system due to extremely large amount of crucial files, in any case.


    What is the best way to proceed now?



    Thanks, Ravenquille
     
  6. abri

    abri MajorGeek

    Hi Ravenquille,

    Your descriptions are complex in part due to the fact that you're bringing in more than one computer and some of the scans you describe are not those which are part of our standard cleaning procedures. First of all let me ask you about this:
    I misunderstood when I read this, thinking that you had already tried running the procedures in the READ & RUN ME FIRST. In these procedures we ask that you download, install and run the following programs:

    CCleaner
    SuperAntiSpyware
    Spybot S&D
    MalwareBytes
    Combofix
    MGTools

    The reference you make to Advanced Spyware Remover and Ewido don't have anything to do with this. Since you are finding malware despite the recent installation, I would like for you to first concentrate on your own computer. With the particular programs I listed, and that you can find the links for in the link below, it shouldn't matter which browser you use to download them. They can be downloaded onto an external medium and transfered if necessary, for instance, in situations where there is no internet connection available.

    See if you can follow the procedures from beginning to end in the READ & RUN ME FIRST and attach those logs you are able to get. If you have already run a scan (MalwareBytes) you can skip that one, but try to run everything else in the order it is described. Also, if you can't do one of the steps, make a note of what happens and continue on. This will give us more information to work with. Go as far as you can and let us know how this goes.

    abri
     
  7. Ravenquille

    Ravenquille Private E-2

    Hi Abri,

    1) Yes, with 3 computers, I realize that there may be more than one problem at play here; and confusion reigns!

    2) No, I had not yet attempted the specific listing of cleaning methods on your site; was waiting to see if, perhaps, you might recommend additions or changes to that method, regarding the specific set of problems I am having.

    3) Ok, I will work specifically on my own system first; since it is the Host on my Wireless Network. ( It is the least problematic, and functional, of the 3. )
    ( And will follow the READ ME, and use the specific programs recommended ).

    4) And YES, strangely enough, it definitely does matter which browser is used ( at least with the 3 systems here ). I tested this for hours. Yahoo and Google absolutely can't be used: only Copernic and MAMA.

    5) From MajorGeeks Download page, ALL downloads related to AdAware CANNOT be accessed at all.
    ( did not test this on other Download websites; just MajorGeeks, which is the site I have preferred to use )

    6) From MajorGeeks Download page, ANY of the programs I did download could NOT be downloaded from ANY US MIRROR ( I tested this extensively ).
    Australian Mirror worked fine.
    ( did not test this on other Download websites; just MajorGeeks )


    Ok, I am off to get at it. Don't know if I can complete this today, as I have to go out for awhile.

    Thanks,
    Ravenquille
     
  8. Ravenquille

    Ravenquille Private E-2

    Hi Abri,
    My computer is done, followed instructions exactly; results not too rewarding, still problems.
    I am attaching SASWlog, MGTlog, and my NISlog ( I will explain why ).
    Encountered some interesting things:

    1) MajorGeek website-related:

    *my 'remember-me' set password was, now, no longer set when I came to do this post ( was always intact before )

    *all parts of website opening very slowly ( now, not before )

    *noticed numerous programs showing up as unaccessible ( sort of greyed-out/dimmed, and not 'clickable links' ). Others normal.

    *ONLY Australian Mirrors could be used for download of programs!

    *Some of the programs downloaded from MajorGeeks are being hijacked. Either coming into my system corrupted in some way; or are being corrupted/altered as soon as they get into my system:

    a) SpyBot S&D:

    ( Note: I already had this program. Checking it out, I found a second installation which looks very different ( done by downloader apparently ). The program is altered/hijacked; so I tried to uninstall it from Add/Remove. Neither could be removed; even with removal from Registry. I tried to circumvent this situation by downloading it afresh, and saving it in an odd place ( I created a file in Programs, called 'Cookbook', and saved it there; installed it there. )

    * It downloaded fine; but would not install until I disabled the automatic update in the installation process. Problems when I was about to run scan. Got a window which said:
    'You need to install the detection update first by using the integrated update or manual updater'.

    * I decided to use the update on MajorGeeks. Downloaded fine; I saved it to the Cookbook/SpyBot S&D file, and installed it.

    * Ran scan. Instant finish, showing no results.
    ( Existing or new installations of SpyBot S&D are being hijacked/altered. )

    b) Combofix: Downloaded fine, saved to Desktop. Renamed icon to cf.exe. Did cc/v command line to Run. At this point, I think it is being hijacked/altered ( I have never seen this before, but this looks weird to me ):

    *small blue screen, then a Software Warranty window, with the 'yes or no' boxes. Selected 'yes'.

    *Got a window which said: Confirm
    'Roughly 1/100 machines failed to make it through the disinfection process!
    Are you sure you want to do this??
    'Yes and No' boxes.

    *I tried to research this, by searching for 'Using Combofix' in Copernic.
    Search was instantly controlled. Would not search, no progress. Checked other search subjects: were fine. Noticed that cable modem and wireless router showed no movement at all. Unplugged and replugged cable modem and router. Tried search again; still would not work. Exit Copernic.

    *Got a Windows System Error: 'IP Conflict with another system on the network'
    Suspicious: Laptop was unplugged, and the other Desktop system was turned off.
    Checked my Send/Receive Email function to see if that was operative; it was.

    *Checked Norton Internet Security Status/Connections: Two interesting entries related to the Combofix problems appear. Norton Log File attached for this reason. ( 1040 and 1218 ports' activity: 2nd and third entries )

    *Script Error Window in Norton: shows URL as 'about blank'
    ( has been coming up for quite awhile )


    2) Browser-related:

    Copernic and MAMA, in general open and function freely. ( Google and Yahoo in both other systems are clearly hijacked, problematic. I never use them in my system; I use only Copernic. )
    Copernic is also, now, 'monitoring' Malware-related search words:
    'Malware Removal', 'AdAware', 'Spybot S&D', 'Spybot S&D Updates', 'Combofix', 'Using Combofix'. ( Not totally stopped; but will either not do the search at all, or will proceed abnormally slowly; getting 'Cannot Open Page'. ) I had to go to MajorGeeks to get the Spybot S&D update; as I could not access it on Patrick Colla's website.


    3) QUESTION:

    Ewido previously quarantined 2 instances of
    ( Proxy.Delf.cc ), in the following locations:

    C:\WINDOWS\system\prhelp32.dll
    C:\WINDOWS\msiutil.exe

    ( I did NOT remove these, or empty the quarantine, because I don't know if they can safely be deleted or not. ( or if these are still in the system since I have taken it back to a January Restore point. )


    That's as far as I can get. Something is still at work.

    ( Keeps 'Unlogging me' here in the Forum too. Apparently doesn't like MajorGeeks at all! )


    Thanks,
    Ravenquille
     

    Attached Files:

  9. abri

    abri MajorGeek

    Hi Ravenquille,

    I would like to start by saying that the Remember Me button for this website has never held my password information. Since you seem to be a newly registered member of the forum, I'm not sure how you can say that it has always held this information for you in the past and is no longer doing so.

    Also, I need to add that the experience you describe of being limited to only Australian mirrors and that the programs you have downloaded from here are corrupt has only thusfar been reported by you. If this were a problem in general for the website, we would be getting an onslaught of complaints. Therefore, let's consider the possibility that your computer has been affected in some specific way rather than assuming that the website has been hacked.

    I would like to look at your logs now and see if I can see signs for a possible redirect in your logs which might point at a possible explanation for corrupted software. It's possible there are viruses on your computer which are disabling your protection software, and Spybot S&D is as targeted as any other protection software when it comes to viruses which attempt to shut them down. Additionally, I would like to mention that there is a program out called Spybot which has nothing to do with the one produced by Safer Networking. It is fraudulent. It costs money and plays on Spybot's good name and reputation to hook people into buying it.

    Ewido was purchased by AVG - Grifsoft.

    Thanks for your patience.
    abri
     
  10. abri

    abri MajorGeek

    Hi Ravenquille,

    I would like to add this to my previous post. There's nothing obvious wrong with your computer based on the logs you posted. I would like to see the combofix log as there are infected restore points on your computer and this generally indicates there is a current infection which is still there or there was an infection. I would also like for you to run an online scan which is quite thorough but picks up things which other scans don't always find. Additionally, there are a few things which I will post to you below which need to be done to make your computer safer, but first I would like to clarify a few things.

    Combofix does tell the user that one in 100 computers may experience some problems as the result of using this tool. It's one of the best tools for removing malware, which is why we use it, but it does carry this risk with it.

    Secondly, I'm not sure if I already posted this, but there is some confusion regarding browsers and search engines. Internet Explorer, Firefox and Opera are browsers. Google, Yahoo, Mama and Copernic are search engines. Each of these keeps a record of your browsing habits. You can reduce the effect of these records kept on your searches by adjusting your settings and by using tools like CCleaner to erase your cookies, temporary internet files and history.

    Thirdly, you seem to have protection software on your computer which is not current. Please go to add/remove programs and uninstall the oldest versions of Spybot S&D. You have two versions in Program Files which are both recent. Additionally you mentioned that you made an extra directory called Cookbook in which there is a third version and you have a version in add/remove programs listed as version 1.4. However many there are installed, there needs to be only one and it should be the current version which is 1.5.2.20. Check to make sure the version you keep is this one.

    While you are in add/remove programs, please uninstall both Viewpoint Media Player and Viewpoint Manager (Remove Only)

    This program - ewido anti-spyware 4.0 - was purchased by AVG some time ago. Is your version current? If not, please uninstall it.

    In add/remove programs you have Norton Internet Security and Norton Antivirus both from 2005. Are these the current versions? Have you been keeping them current with upgrades? Has there not been any requirement since 2005 to reinstall a new version?

    And now, I would like for you to go to Running BitDefender Online Scan This is a thorough scan which requires the use of Internet Explorer and you have to have Active X enabled. It will ask you if it can download and this will refer to the Active X component it needs in order to run the program. After that it will ask if you agree to the conditions. Be sure that you have it fix everything it finds. Please follow the instructions in the link listed here so that you will produce a log which is usable for us when you finish.

    Thanks.
    abri
     
  11. Ravenquille

    Ravenquille Private E-2

    Hi Abri,

    1) 'Remember Me' selected, did 'remember me' previously and allowed me to be logged in when I came to the forum, without re-entering Username and Password. This changed, and I had not changed it; at the time I posted about it. Today it had my stored Username and Password, apparently.

    2) Combofix Message Box: Ok, it is a valid screen. This screen wasn't mentioned in the Instructions, and as I had not seen the program in operation before, I was suspicious of it; thought it would be safest to ask before hitting 'yes'.

    3) Browser/Search Engines: Sorry, I do know the difference.....alot of typing, notes, and I was half asleep.....


    4) MajorGeek website problems: Yes, let's hope there is no website hack ON the website. There is clearly something causing MY computer to be unable to access certain things, and download only from the Australian Mirrors. All very weird, but I am trying to describe what I am experiencing as clearly as I can.


    5) Removed Viewpoint Manager and Viewpoint Media Player

    6) Uninstalled Ewido 4.0

    7) Did the BitDefender Online Scan

    8) I have Norton Internet Security 2005; and updates have run out. This was an OEM installed by the shop, I have no CD ( friends of mine trying to do me a favor ). I have 2004 never used as of yet ( because of their having installed 2005 ); the other 2 systems here are using 2004, current install with updating.
    I have not wanted to tamper with much of anything because I currently do not have an OS CD. ( It went to the shop, they mislaid it; installed OEM OS. They never mentioned this; I discovered it. I am currently in the process of trying to get my original CD or a replacement; since they lost it. )

    9) SpyBot S&D: There were 2 older versions on my system. I was only able to uninstall 1 of them. The remaining one will not uninstall; says that unins000.dat does not exist and cannot be installed.
    The file folders for this instance of SpyBot S&D has some odd files:
    unins000.dat 17KB NeroMediaPlayer Media File dated 4/23/08
    unins000.msg 11KB Outlook item dated 4/23/08
    messages. zres 26KB ZRES File dated 4/2/08

    I did try to remove both of these, before I downloaded the latest SpyBot S&D version. This one, I saved to Programs\Cookbook. I have not tried to install it; have been keeping an eye on it. The date showing now, is 5/1/08; but I did NOT download/save it today; nor did I access it at all. I am assuming it is also infected/affected in some way.

    10) Installed and Ran Combofix

    11) Combofix log attached, BitDefender Log attached
    ( The Save Report screen would NOT allow me to save in any other format but the HTML being forced. I typed the log out, lol! )


    Thanks, Ravenquille
     

    Attached Files:

  12. abri

    abri MajorGeek

    Hi Ravenquille,

    What I'm seeing in your logs so far is that you had some infections on your computer which have been removed. You have some infected restore points, but we ask that you leave your restore points as is until we finish here with your computer. In your case, this is especially important if you don't have a recovery disk for your operating system.

    Some of the things you say are not always exactly clear. For instance:
    "I have Norton Internet Security 2005; and updates have run out. This was an OEM installed by the shop, I have no CD"

    You have Norton Internet Secuirty 2005 installed. But in your logs, it shows you have much more than this. It shows you have their antivirus, their Anti-Spam, their Network Drivers update, their Script-blocking update and their firewall. It appears you got updates from them on March 5th. Is this when you put this software in the computer? How did you get those updates?

    You write that your "updates have run out. This was an OEM." Does the updates statement refer to your Norton? Or does it mean your Windows Updates and refer to your OEM XP operating system?

    My experience with Norton/Symantec in general, is that if you don't have a current version, it will not protect your computer. Therefore, I think it in your case, it would be useful to take the steps to properly uninstall it (no easy task) and get it completely out of your system and replace it with a working and current free resident antivirus program and two-way firewall.

    If you would like to do this, I will post the steps for you. In order to keep your computer protected while we're removing one antivirus program and installing another one, I will have you download what you need and then have you run the steps disconnected from the internet, so that when you boot back up your computer will be protected.

    Let me know if you would like to try that.

    Before you do that, I would like for you to run two rootkit scans. Please go to Alternate Scans. Scroll about halfway down the page and find the list of rootkit scans. Please use the instructions for running GMER. Then I would like for you to also run Silent Runners .

    Please attach the logs for these two scans and let me know about what can and cannot be updated of your Nortons and Windows.

    Thanks.
    abri
     
  13. Ravenquille

    Ravenquille Private E-2

    Hi Abri,

    I rescheduled some things I had to do today, and decided to stay here and stick with this computer situation. So, I am here all day/evening to get at whatever your recommendations are.

    Here are the GMER and SilentRunner Logs.


    Thanks,
    Ravenquille
     

    Attached Files:

  14. abri

    abri MajorGeek

    Hi Ravenquille,

    Combofix removed some things that needed to be removed. I've looked through all of your logs and your computer looks good now and I don't think there is much we can do further in terms of removing malware. However, if you're using outdated and non-updatable security software, it would be better to remove it and install programs which are updated daily.

    You may find that some of the problems you've been experiencing with Google and Yahoo are directly related to Norton. It is a very insidious program which sets up restrictions in ways which can reduce your browsing quality in the name of security. I expect this is one of the problems you've been experiencing. You did have some malware, but it seems to be gone from what your scans show.

    If you would like to continue, I would ask you to do the following. To begin with, please go to How to Protect Yourself from Malware and look for the list of free antivirus programs. Choose one of these (I use AVG and like it, but would at the moment recommend Avast, because AVG is moving up an upgrade and may still be buggy). Download the installation program and put it in somewhere where you can find it later. Do not run it to install the program. We will do that later!

    Next please go to Removing Files from Norton Antivirus Quarantine. If you have any files in quarantine, remove them using this tool.

    After you complete this or decide it does not apply in your case, then I would like for you to print out these instructions and those with the associated links from here on, because I'm going to ask yoiu to physically unplug your computer from the internet. When you have the instructions, please disconnect it from the internet.

    Boot back up and see if you can disable your Norton antivirus program. Usually there will be a possibility to do this by right-clicking on the icon or by opening the program and finding a way to disable it. If you can disable any of the other Norton programs, do this as well.

    Then I would like for you to run the Norton Removal Tool & Instructins from Symantec
    Read the warning associated with it to see if it is a concern for your computer. If so, back up the data as they request.

    After you complete the above, reboot your computer.

    Find the installation program for the new antivirus program you will be installing and run it. After it is installed, RE-connect your computer to the internet and allow the program to update.

    Then go to How to Protect Yourself from Malware and look for the list of free firewalls. Choose one of these and download and install it on your computer. If you choose Zone Alarm, it will do a quick check of your computer at the start to look for known programs and will allow these to connect to the internet.

    Let me know if you decide to do this and how it goes?

    Finally, I wanted to ask you what is in the following folder? Is it something you installed?

    C:\Program Files\WinErrorCode Program

    Will wait to hear back from you.
    abri
     
  15. Ravenquille

    Ravenquille Private E-2

    Hi Abri,
    I did all the Downloads for the programs I have chosen to use ( saved/not installed yet ):

    1) AVAST!
    2) Online Armor
    3) ComodoBO Clean Anti-Malware
    4) VM Java Removal Tool ( I already did removal, but will double check with this tool )
    5) Norton Removal Tool

    * I have no Norton Anti-Virus Quarantines

    Going offline now, unplugging Cable Modem, to do removals/reboots, and installations!


    Thanks,
    Ravenquille
     
  16. abri

    abri MajorGeek

    Hi Ravenquille,
    I have to sleep now. I'll look for your post tomorrow to see how things went. :)
    abri
     
  17. Ravenquille

    Ravenquille Private E-2

    Hi Abri,
    I hope you had a restful sleep; I hope to fall into unconsciousness soon myself, lol!

    The WinError Program is a Utility to explain some Windows Error Codes. I haven't opened it, as of yet.

    Did all the Uninstallations, new Installations, and Updating. All went smoothly.

    Removed Norton Internet Security Suite 2005
    Removed Spyware Doctor
    Removed Spyware Guard
    Old Version Spyware Blaster

    I also did some Registry Cleans with CCleaner ( on software uninstalled and a keyboard/mouse no longer in the system: Jasc PaintShop Pro9, QLock, AdAware Personal 1.4, Skype, old version Spyware Guard, Spyware Blaster, Spyware Doctor, Norton Internet Security, etc. ).

    I chose to install:

    Avast!
    Online Armor
    ComodoBO Clean
    Latest Version Spyware Blaster
    ( and I still have the following: )

    SUPERAntiSpyware
    CCleaner
    MalwareBytes


    I have a few questions:

    A) Online Armor:

    1) How do you get Updates? Or aren't there any in the free version??
    *In Settings under 'General', it is set for 'Manual' ( no choices to select )
    *There is a button for 'Internet' ( a proxy setup window )
    *Right clicking on Shield Icon on Start Bar, has ' Check for Product Updates' greyed out

    2) There are some features greyed out; are they supposed to be?
    * Mail Shield
    *Web Shield
    *Keyloggers
    *My Websites


    B) Avast!:

    1) What is the best setting for 'Logging'?
    'Notice' by default; but has Emergency, Alert, Critical Error, Error, Warning, Notice, Info, and Debug

    2) 'Check floppy', 'Check CD', 'Check other removable media' when logging off'
    ( not selected by default; is that a good setting? )

    3) Alerts:
    How to get Virus Alerts ( WinPop, MAPI, ICQ, Windows Messenger, SMTP,
    Printers )
    This is how other people are notified that you have a virus on your computer.
    ( I have never seen anything of this type before; other than notices in an email from my ISP. ) What about this?


    I may not be out of the woods yet after all that.
    PROBLEMS:

    1) SpyBot S&D still cannot be Uninstalled from any method ( Add/Remove, CCleaner, direct Registry removal ); still has odd files in the file folders. Obviously still hijacked. Am not going to open it.

    2) SUPERAntiSpyware may have, now, been altered/hijacked:

    In Preferences:

    Cannot select RealTime Protection
    Cannot select First Chance Protection
    Cannot deselect 'Do not scan when program starts'

    But, CAN select and run scans from 'Scan' menu; however they appear to possibly be controlled:

    Did Custom scans of Memory and Registry, separately to check them; because the inclusive, Quick Scan looked bizarre, as I watched it progress. It showed 491 Memory items, 104 Registry items; but the counter stopped at 104 and the process of Registry checking kept on running. I stopped the scan and did custom scans of Memory and Registry, separately:

    Memory scan listed that it scanned only 491 items.
    Registry scan listed that it scanned 5678 items; but the counter stops and the scan line keeps on going.
    The log report says that the Registry scan only scanned 52 items; and, of course, everything is clear.

    Ran Silent Runners
    Ran Combofix
    Ran BitDefender
    Ran gmer.exe
    Ran MalwareBytes ( found 1 Rootkit.Agent, quarantined )
    This is new; no Rootkit. Agent was found before.


    Attaching some new logs.
    It is 3 AM, and I have been at this almost constantly from about 9 AM; now I have to get some sleep.


    Thanks,
    Ravenquille
     

    Attached Files:

  18. Ravenquille

    Ravenquille Private E-2

    Another log.


    Ravenquille
     

    Attached Files:

  19. abri

    abri MajorGeek

    Hi Ravenquille,

    I would like to know what's in the Spybot folder you're referring to. You can open a folder without it activating any programs, just don't click on the files. Please open it and tell me what files are in there and where this folder is located and what it is called.

    The problems started with TweakUI.

    You still have some symantec on your computer. I would like to see if any of it is active.

    Please run CCleaner at the default setting with the Windows tab as the top one.

    Then run C:\MGtools\GetLogs.bat and attach the fresh MGlogs.zip.


    abri
     
  20. Ravenquille

    Ravenquille Private E-2

    Hi Abri,

    ( My forum UN and PW not stored again.... )

    I am attaching the CCleaner and MG files.


    Here are the file listings for the two incidents of SpyBot S&D:

    1) Name: Spybot Search & Destroy

    Folder: Dummies
    Files in it:
    dummy cd_clint.dll
    1.0.0.0
    DLL (GUI)

    Folder: Includes
    Files in it:
    Targets.nfo
    MSInfo Document
    1, 009 KB

    Folder: Plugins
    ( TCPIP Address.dll )

    Folder: Updates
    Files in it:
    Downloaded.ini
    Configuration Settings
    9 KB

    online.ini
    Configuration Settings
    62 KB

    Folder: Help
    Empty

    Folder: Languages
    Files in it:
    English. SBL
    SBL file
    66 KB

    Folder: Skins
    Files in it: 3 Configuration Settings, all 1 KB
    Colorblind.ini
    Italia.ini
    Peace.ini

    aports.dill
    2.1.0.0
    Maps TCp and UDP ports to the ow..

    borlndmm.dll
    7.0.4.453
    Borland Memory Manager

    delphimm.dll
    7.0.4.453
    Borland Compatability Memory Man....

    advcheck.dll
    1.2.1.0
    Dateiuberprufungs-Biblothek

    Tools.dll
    2.1.2.0
    Bibliothek fur Spybot-S&D

    UnzDll.dll
    1.73.1.1
    UnzDLL

    ZipDll.dll
    1.73.2.0
    ZipDLL

    SDHelper.dll
    1.4.0.0
    Bad download blocker

    Default configuration.ini
    Configuration Settings
    3 KB

    OptOut.ini
    Configuration Settings
    3 KB

    blindman.exe
    Dummy
    Safer Networking Limited

    pkysetup.exe
    Piky Basket Setup
    Conceptworld Corporation

    SpybotSD.exe
    Spybot-Search & Destroy
    Safer Networking Limited

    TeaTimer.exe
    Systems settings protector
    Safer Networking Limited

    Update.exe
    External updater
    Safer Networking Limited

    unins000.exe
    Setup/Uninstall


    2) Spybot Search & Destroy(2)

    Folder: Dummies
    Files in it:
    dummy.dap. gif
    dummy.data.xml
    dummy.default.gif
    dummy.related.htm
    Thumbs.db

    Folder: Includes(2)
    Files in it:
    Adware.sbi, Adwarec. sbi
    Browserpages.sbs
    Cookies.sbi, Cookies.sbs
    Dialer.sbi, Dialer.sbs, Dialerc.sbi
    Clsids.sbs
    Domains.sbs
    HeavyDuty.sbi
    Hijackers.sbi, HijackersC.sbi
    Keyloggers.sbi, KeyloggersC.sbi
    Logs.uts
    Lsp.sbi, Lsp.sbs
    Malware.sbi, Malwarec.sbi
    OperaPlugins.sbs
    ProcWatch.sbs
    Pups.sbi, Pupsc.sbi
    Regwatch.sbs
    RegXLinks. sbs
    Revision.sbi, Revision.sbs
    Searchpages.sbs
    SecurityC.sbi, Security.sbi
    Services.sbs
    Spybots.sbi, Spybotsc.sbi
    Spyware.sbi, Spywarec.sbi
    Startup.tnfo
    Tracks.uti
    Trojans.sbi, Trojansc.sbi
    URL-Blacklist.sbs
    X509White.sbs

    Folder: Updates(2)

    Files in it:
    online.ini.uiz
    UIZ File
    8 KB

    Folder: Help
    Files in it:
    English.chm
    Compiled HTML Help file
    468 KB

    English. license.txt
    Text Document
    6 KB

    Folder: Languages
    Files in it:
    English.SBL
    SBL file
    82 KB



    Esperanto.SBL
    SBL file
    58 KB

    messages.zres
    ZRES File
    26 KB

    unins000.msg
    Outlook Item
    11 KB

    unins000.dat
    NeroMediaPlayer media files
    17 KB
     

    Attached Files:

  21. Ravenquille

    Ravenquille Private E-2

    Hi Abri,

    I discovered some other weird things:


    1) The desktop icon for the link to my Ministry website changed from the usual IE icon to a red square with a thick white cross in it, then changed again to a box with red border top and bottom, with a white area with black words in the middle.

    2) I asked the Host, OurChurch.com if they had just added a feature in their NE1 Website Builder. They had not.

    3) I checked navigation via Copernic, to my site:
    Google Toolbar opens ( I tried to remove this thing quite a few times ). The searchline, and the tab contain the same icon, after the page fully loads.

    4) I checked navigation to OurChurch.com:
    Their site has the red square with wide white cross, searchline and tab, after page fully loads.

    5) I checked some Church and Ministries in OurChurch.com's Directory:
    quite a few had some sort of icon ( one of the 2 icons I described above, if the sites are only in OurChurch.com. A few which are also on other sites, have different icons. )
    Not ALL things I checked in this Directory are affected; seems to be selective.

    6) I checked African-based sites at OurChurch.com ( Churches, Ministries )
    NONE of these had the icons.

    7) I checked Christian Ministries, Christian Churches, in general, in Copernic:
    Alot had icons: all of these were different than the OurChurch.com icons.
    Some icons grabbed part of the website's logo if they had one; others were things like: red dots around a larger red dot, a chipmunk face with a hat and sunglasses, some orange dots in a line, going down into a round black gear kind of image, etc.
    NOT all sites I checked had icons.

    8) NO African-based Christian-oriented sites had icons in general search.
    9) NO other topical searches, so far, have had icons ( ONLY the Christian-oriented searches )

    * I watched the Firewall Connection progress, as I opened sites with icons:
    most had many, many, many connections momentarily; which then disappeared from the list ( google was showing up in a few, youtube in a few, ad3.rtm, ad1.rtm.1.vip. ( something ).aol, yo-1v-f147.google.com, rc10. ysm.vip.ao2., jl-in-f99.google.com, arbela.quirk.co.za, MY EMAIL SERVER in one, ( I could not begin to catch them all ). US, Canada, UK, Australia.



    Online Armor appears to be altered:

    Mail Shield and Web Shield not installed
    Exclusions, BackUp/Restore, Hotkey, Keyloggers, and My Websites are not accessible ( message: ' sorry, these features are disabled in the free version' )
    Web Help seems to suggest that they should be available???

    Update set to manual

    ( some things on the Config/Settings menu and other menus are either greyed out, offer no selections, are not installed, or are partly different than the pics of screens shown in the online Help for Online Armor )


    I saw 3 Startup Programs in Online Armor, I have not seen before:

    Something called 'Both'
    PROCEXP90.SYS Process Explorer, 9.30
    PSEXESVC.EXE PsExec Service, 1.7.0

    Showed that 'User Decision' to allow the following:
    C:\WINDOWS\System32\svchost.exe, ICMP access allowed
    ( I did not made any 'allow' of this. This took place a few seconds after initial startup this morning )


    Avast!:

    Has 'Outlook/Exchange' altered
    'The Provider is waiting for a subsystem to start'
    Only 'Terminate' button is accessible ( others greyed out )
    Process appears to be running, activity is showing




    Thanks,
    Ravenquille
     
  22. abri

    abri MajorGeek

    Hi Ravenquille,

    Please go to add/remove programs and uninstall Spybot S&D. I believe it's version 1.4 which is outdated. If there is a second one, uninstall that as well. Then download and install Spybot again taking care that it does not make a new folder, but installs directly over the old version. It will ask you if it should do that and say yes.

    For the icons you described, can you get screen shots of what you are talking about? In particular with reference to

    Online Armor states in every single website that the free version does not offer a lot of the optios offered by the paid version. To test this, you might have to get the paid version. It's possible that they have a trial version somewhere.


    The Symantec entry you have is a service called Symantec Network Services Drivers. Please see the following link for more information about this to see if it is something you need to have running. Did you previously use the Norton Firewall?

    http://www.bleepingcomputer.com/startups/Symantec_Network_Drivers_Service-5016.html

    Let me know how this goes.
    abri
     
  23. Ravenquille

    Ravenquille Private E-2

    Hi Abri,

    1) I don't need any of the Symantec files. I had been using the full suite, which included Firewall, yes. Didn't uninstall all the way.
    ( Seems to be a general Uninstall issue going on; something trying to prevent uninstallations I think. )

    2) Spybot S&D CANNOT be uninstalled: not in Add/Remove, Not in CCleaner.
    It does NOT show in 'Software' in the Registry.
    ( an error screen is generated which says:
    File C:\Program Files\Spybot - Search & Destroy\unins000.dat does not exist. Cannot uninstall. )
    This file does show up in both of the Program Folders. It looks like it may be being controlled.

    3) The Online Armor issues I described are things which show that they ARE available in the free version I have installed; in its own menus. One menu shows something as available, another menu has it inaccessible in some way.
    I think what is supposed to be there is either inaccessible, or has had visible things in the menu added or removed.
    I compared to screen shots and text in Online Armor Help. Text file DID mention some features that were not available in the free version; but it doesn't apply to what I am finding.
    I should probably talk to someone who has the free version installed to see what they are seeing and being able to use.

    4) SCREEN SHOTS:
    The Google Toolbar appears normal in every way; except for the fact that CERTAIN websites have odd icons ( all others have the usual 'blue e' for IE. ). I took some shots of some of the icons, then cropped and tried to enhace clarity a little. These are not totally clear, but you can get an idea.
    They show:

    * my desktop icon ( which changed again today, back to the red square with thick white cross )

    *OurChurch.com ( my Ministry Hosting site ) icon ( same as mine now )

    *Suspected Fake Ministry site at OurChurch.com with the same icon
    ( there are many of these hosted at OurChurch.com; the idea is to get donations, or contact in some way to get donations )

    *Site not hosted at OurChurch with black gear/orange circle icon,
    chipmunk icon, orange square with CA icon, etc.


    *Sites not hosted at OurChurch with 'Logo grabbing copy' icons

    ( I will attach 3 in each post )


    5) MalwareBytes quick scan today:
    Registry entry was:
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\mchInjDrv (Spyware.OnlineGames) -> Quarantined and deleted successfully.

    ( interesting.....I neither visit or play online games )

    Keeps logging me out here at the Forum.


    Thanks,
    Ravenquille
     

    Attached Files:

  24. Ravenquille

    Ravenquille Private E-2

    Next 3 Google Toolbar Website Icons
     

    Attached Files:

  25. Ravenquille

    Ravenquille Private E-2

    2 more, last 2 in next post
     

    Attached Files:

  26. Ravenquille

    Ravenquille Private E-2

    These 2 use CW and CA




    These 'icon tagged websites' showing in Google Toolbar/Copernic Browser Search, will also appear if you place a shortcut on your desktop.
    ( I tested this with my website a few times. The icon always comes along. I didn't want to try out saving any others to my desktop. )
    Any other sites I have on my desktop or in a file, all have the usual 'blue e' IE icons.


    Ravenquille
     

    Attached Files:

  27. Ravenquille

    Ravenquille Private E-2

    Abri,

    I see these pics don't enlarge very much when you click on them; I thought they would.

    With the 97 KB limit for a file, I don't know what else I could do, so that you can see the Icons.



    Ravenquille
     
  28. abri

    abri MajorGeek

    Hi Ravenquille,

    Thanks for the jpg's. I would like for you to continue as follows:

    1) Reset Web Settings & Default Security Settings

    For IE 6 users:

    To Reset Web Settings:
    Right click on your desktop Internet Explorer icon and select Properties. Then click the Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK.

    If you do not have an Internet Explorer icon on your Desktop, click Start, Control Panel (for some systems it may be Start, Settings, Control Panel), Internet Options, Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK

    To Default Security Settings:
    Right click on your desktop Internet Explorer icon and select Properties. Then click the Security Tab and click Default Level for Internet, Local Intranet, Trusted Sites, and Restricted Sites. For IE 7 users, simply click the "Reset all zones to default level" button.

    For IE 7 users:

    Select Internet Options, then the Advanced Tab and then the Reset button under Reset Internet Explorer Settings.


    2) Now please download ATF Cleaner by Atribune. This program does not require an installation. The executable actually runs the program.

    NOTE: This program is for Windows XP and Windows 2000 only. ATF Cleaner will remove all files from the items that are checked so if you have some cookies you'd like to save. Please move them to a different directory first.

    • Double-click ATF-Cleaner.exe to run the program.
    • Under Main choose: Select All
    • Click the Empty Selected button.
    If you use Firefox browser

    • Click Firefox at the top and choose: Select All
    • Click the Empty Selected button.
      • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
    If you use Opera browser

    • Click Opera at the top and choose: Select All
    • Click the Empty Selected button.
      • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
    Click Exit on the Main ATF Cleaner menu to close the program.

    3) Finally, please download and install Spybot S&D into a folder where there is already a Spybot S&D. Be sure to make it install into an existing Spybot folder Then see if you can uninstall the program via add/remove programs.

    4) Then run ATF Cleaner again.

    Let me know how this goes?

    abri
     
  29. Ravenquille

    Ravenquille Private E-2

    Hi Abri,

    I ran a Defrag with Diskkeeper Lite ( free version )
    C was wildly fragmented, of course.

    1) Set IE7 Advanced/Reset

    2) Ran ATF

    3) Installed SB S&D to existing SpyBot-Search & Destroy Folder

    4) Add/Remove attempt: ( did not proceed because of the following )
    Online Armor Warns of Suspicious File which 'looks the same as C:\Program Files\Spybot-Search & Destroy\unins001.exe'
    File is:

    C:\Documents and Settings\Deborah\Local Settings\Temp\_IU14D2N.temp

    5) Ran ATF

    6) Installed SB S&D to existing SpyBot-Search & Destroy(2) Folder

    7) Add/Remove attempt: get the same 'C:\Program Files\SpyBot-Search & Destroy\unins000.dat does not exist. Cannot uninstall.'

    8) Ran ATF again


    Going to reboot and see if the Icon fun is still happening in Copernic Search.
    Will post results, then I will not be back online till later this afternoon.


    Ravenquille

    ??Should I try the Uninstall ( which will use File referenced in item #4 ) ?
     
  30. Ravenquille

    Ravenquille Private E-2

    Abri,

    Reboot
    I have different Desktop icons now.

    Test search Copernic: still icons appearing on certain Christian-oriented sites

    Thought I'd try to 'add provider' in IE ( add Copernic, as it is not in the provider list ). Page for that got an icon, and page for TEST operation at Copernic.com also got its own icon.
    Exit

    After this, I opened IE from Desktop IE icon ( normal )
    Got the SETTINGS FIRST RUN Page for IE7!

    ( attaching 2 pics, in 2 posts )

    Ravenquille
     

    Attached Files:

  31. Ravenquille

    Ravenquille Private E-2

    Abri,

    Page open is slower than it should be. I had to unplug cable modem and router for reset. Ok after that. I notice that all progress lights on both, will often freeze; so I reset one or both at that point.

    Here's my new icon pic, and IE Setup First Run page pic


    That's it till later this afternoon....have to jump in the shower and then go get some building supplies.
    Will check for further instructions when I get back.


    ( It is beginning to feel like someone is standing behind my chair looking over my shoulder, so they can catch everything I am doing......

    You know this is ticking me off so bad, that I would like to become an expert in the Malware/Virus/Hacking Detection/Removal/Prevention thing. )


    Ravenquille
     

    Attached Files:

  32. abri

    abri MajorGeek

    Hi Ravenquille,

    Yes, try uninstalling it. It sounds like the tmp file is the other file renamed.

    abri
     
  33. Ravenquille

    Ravenquille Private E-2

    Hi Abri,

    Looks like all Hell is breaking loose.

    1) Uninstalled SB S&D via Add/Remove. Got screen which tries to talk you out of Uninstalling. Uninstalled. Uninstall appears to be progressing normally; says successful, need to restart.

    2) Reboot

    3) At boot, I try to Uninstall SB S&D(2). Still the same screen that file does not exist/cannot Uninstall.

    4) I check the SB S&D ( first one, not (2) ) Program Folder. Tah! Dah!
    More Magic! A long list of new folders, files, and 13 Executables!!!

    5) Ran MalwareBytes. Decided to update. Fatal mistake. Proceeded to download 'new version'. Stupidly, I thought for a second this might have meant new definition database update; ran scan. Scan is clean.

    6) Time and date has changed by itself, 2x. I set it back.

    7) Ran HijackThis!

    8) DiskeeperLite screen pops up and suggests I should defragment C. I close the screen.

    9) I run GMER on C

    10) I have NOTHING on my 2nd HDD, E:
    I ran GMER on E. BERSERK listing !
    Looks like something is really, really busy.


    Logs attached

    ( NOTE: All log dates are really W. 5/7/08, not M.5/5/08 as stated on the logs ( time/date changed by something ) )

    GraceMary is GMER on C
    GraceMark is GMER on E


    Ravenquille
     

    Attached Files:

  34. abri

    abri MajorGeek

    Hi Ravenquille,

    Diskkeeper Lite does that. I finally uninstalled it, because i got tired of.

    What I've been trying to get you to do is to uninstall one Spybot - the troublesome one and then if the remaining one is not in add/remove programs, to then install Spybot over it and uninstall the non-troublesome one.

    What executables did you get in the second Spybot folder?

    abri
     
  35. Ravenquille

    Ravenquille Private E-2

    Hi Abri,

    1) Can't run ComboFix
    Tried to download again to an obscure file location, then renamed it to 'Candy.exe0

    2) Online Armor caught:

    "Candy.exe wants to remotely control another process using Windows Message API
    Wants to control C:\Program Files\SUPERSAntiSpyware\SUPERAntiSpyware.exe ( process ID-2908 )
    ( I blocked it )

    "Candy.exe wants to start
    C:\327882RFWJFW\nircmd.com
    ( I blocked it )


    3) My 2nd HDD ( E) has 2 Folders:

    RECYCLER ( I did not look at this )

    System Volume Information
    ( Access is Denied if click on it; but mouseover says 'File is Empty' )


    4) Looks like SpywareBlaster is being messed with too:
    Any time I open it, all protections are Disabled and Unchecked

    I looked at the entries in Restricted Sites; not sure, but possibly some of the listings are fake and are really good sites

    ( I am leaving it as it is with nothing checked, at this point. I enabled all a number of times; but not today. )


    5) It looks like my system may be being controlled REMOTELY.
    Tonight feels like bombs keep going off in my last footstep.......



    Ravenquille
     
  36. abri

    abri MajorGeek

    Hi Ravenquille,

    Your communication is sometimes not clear because of the missing pronouns. Please be clear.

    Did you try to download Combofix? If so, where did you tell your computer to download it to? Where did you have your computer install it? Who named it Candy.exe0


    I don't know if I asked you to run combofix, but one thing you should know about it is that it is picked up by almost all the scans as trying to control things. It's a good tool, because it goes so far into the system. The other scans can't identify if it's a good process or a bad one and so they throw up warnings like the ones you've described.

    The RECYCLER folder and the System Volume Information are visible now, because we had you make your invisible files visible. You can reverse this following those instructions in the READ & RUN ME FIRST in reverse order and making them all invisible again. We don't need to see them anymore. The reason System Volume Information appears empty is because if you do anything to the files inside of that folder, your computer probably won't work anymore. It's made to be difficult to see into for the safety of your computer.

    So far the main problems we've seen are that your icons got mixed up in Internet Explorer and you've had multiple copies of Spybot S&D which you haven't been able to uninstall. Everything else you've described points at original problems caused when you first installed Tweak UI.

    abri
     
  37. Ravenquille

    Ravenquille Private E-2

    Abri,

    I did do the new installations into the program folders.
    Both of the current SpyBot S&D Folders are 'troublesome ones'.
    It is not possible to Uninstall SpyBot S&D. I tried to download and install the latest version into BOTH of these 'troublesome' program folders; it hasn't helped so far.

    1) SB S&D(2):
    This folder has the Spybotsd152.exe in it ( 2 screens/magnifying glass icon ); no other .exe, no Uninstall/Install ( new version was downloaded and installed to this SpyBot-Search & Destroy(2) Folder.
    This program folder cannot be uninstalled because it generates the 'unins000.dat does not exist. Cannot uninstall.' ( Even with latest version installed into that folder, there was no change. Still could not Uninstall. )

    2) SpyBot-Search & Destroy:
    This program SB S&D; only LOOKED like it uninstalled.
    When I downloaded Version 1.52 to that program folder and installed, it, the latest version just meshes into the existing SpyBot-Search & Destroy program folder.
    AFTER it appeared as though it Uninstalled, it is STILL there, WITH the latest version installation STILL meshed into it; but, now, with these added files I list below.


    I tried to get a screen shot of all the Folders and Files, and the 13 executables; keeps coming over either too huge to post, or if I edit it down, it is too small to read.

    So...... I will type the 15 ( not 13, I miscounted ) Executables and other files:

    ( monitor/cd/box icon ):

    spybotsd14.exe
    unins001.exe
    pkysetup.exe


    ( 2 screens/magnifying glass icon ):

    SDMain.exe
    blindman.exe
    SDDelFile.exe
    SDWinSec.exe
    spybotsd152.exe
    spybotsd_includes.exe

    unins000.exe
    File Ver: 51.41.0.0


    ( World with a plug icon ):

    update.exe


    ( 2 screens/magnifying glass/lock icon( sort of greyed out ) ):

    TeaTimer.exe


    ( 2 screens/magnifying glass icon ( sort of greyed out ) ):

    SpybotSD.exe
    SDUpdate.exe


    ( Metal Trashcan icon ):

    SDShred.exe



    Others Files:

    unins001.msg
    Outlook Item

    unins001.dat
    NeroMediaPlayer media files


    ( 2 screens/magnifying glass icon ( sort of greyed out ) ):

    PQDGTJ.scr
    LKTGMJJUWVZ.scr
    SUOLVSYTKXMRYYOY.scr


    DelZip179.dll
    1.79.7.4
    Freeware Zip/UnZip
    5/5/2008

    Languages Folder:
    English and Esperanto

    ( Some other Folders/Files, but others look normal )



    It is 6:15 AM, and I have been up all night. I have to get a few hours sleep now.



    Thanks,

    Ravenquille
     
  38. abri

    abri MajorGeek

    Hi Ravenquille,

    The problem with the Spybot S&D not uninstalling properly is certainly annoying. Please go to How to uninstall - Spybot S&D and look for the very small link called "this very small fix" in light blue. This should uninstall any remaining entries you have in your computer for Spybot. See if this works. If this doesn't work, I will ask you to post at their help forum for help with their product, as I think they will be quite experienced in everything that can occur and be unusual.

    abri
     
  39. Ravenquille

    Ravenquille Private E-2




    Abri,

    1). I tried, first, to click on the existing icon cf.exe, which I had moved into a Desktop folder I named 'Cooking Tips'.
    2). I got an Error box which said: "You cannot save ComboFix as cf.exe. Please Rename it, prefrably with alphanumeric characters"
    ( and 'prefrably' was misspelled )
    3). I ignored and closed this box, and copied the 'kill' command line from the instructions, and pasted it into the Start/Run. Another Error box said that 'System cannot find Regedit' ( not sure now of the exact wording on this, but that's what it was trying to say. Regedit was fine, I checked. )
    4). I went to MajorGeeks and downloaded ComboFix again.
    5). I downloaded, and installed it to My Documents\COBRA Medical Plan
    ( to try to hide it, to see if I could run )
    6). I renamed it to 'Candy.exe'


    ( Scans thinking ComboFix is Controlling something ):

    7). I thought this might be possible; but I wasn't sure if the Online Armor warning:
    "Candy.exe wants to remotely control another process using Windows Message API"
    "Candy. exe wants to start C:\327882RFWJFW\nircmd.com"
    are things I would be safe in 'Allowing'.


    ( System Volume Information and RECYCLER ):

    8). I understand that, in relation to HDD C; and I know better than to alter any file that I am not completely sure about.
    The GMER log I ran on HDD C is small ( this attached log is named 'GraceMary'. )

    However, the GMER log for HDD E is huge ( the attached log named 'GraceMarkE' ). I recently installed this 2nd HDD; no OS, no Programs, no Files, one simple Partition. I have never put anything on it at all.

    This time is the ONLY time that anything showed up at all on HDD E.
    Previous GMER logs did not show anything for E ( run separately from C ).
    Some of the info on this log looks strange to me. There are also some files which have 'Access Denied' and 1 File Not Found.

    Is all of this log content for E, normal?)


    9). The SpyBot S&D original, older version was hijacked by something which downloaded itself into it, during an Update. I Uninstalled it because of this.
    I installed the latest version. That installation meshed with the previous hijack program ( which did not Uninstall, but appeared to. ) When I tried to do a fresh install, I got the further hijacked combination of 2 Program Folders.
    Today, with an Uninstall ( which did not really Uninstall ), I got new, additional files and executables in the original Program folder.
    They could not be uninstalled before, couldn't after all the scans and fixes we have run; and still cannot be uninstalled.

    10). Only ONE Desktop icon has been hijacked; but many, many, have been created in IE ( when I was using Copernic, with the impossible-to-remove Google addition popping up in Copernic Search ).
    'Mixed up' doesn't seem to describe what is going on.

    11). There have been a number of Downloaders and Trojans being discovered and removed.

    12). Malware/Spyware, Anti-Virus programs are being hijacked in various ways, one by one. Sometimes if I run a program, something will get enacted; sometimes a download happens on its own. Sometimes, if I do an Update, a hijacking download has taken place.

    13). Norton Internet Security 2005 could not totally be Uninstalled.

    14). Skype, and QLock, I noticed, also did not totally Uninstall.
    ( It appears that both 'Install' and 'Uninstall' functions may be hijacked in some way. )

    15). As far as TWEAKUI goes in MY system:

    I downloaded and installed it. I opened it to take a look at it. I did not use it at all. I have not tried to Uninstall it ( the Uninstall seemed to create a mess in both of my husband's systems; so I have not yet attempted this ).

    It all seems to be getting worse, rather than better.



    Ravenquille, now a total Zombie.........
     
  40. abri

    abri MajorGeek

    B]Hi Ravenquille,[/B]

    Please concentrate on one thing at a time. It's important that we first see if Spybot can be completely removed from your computer. Then if there is any malware affecting it, it will be gone. Then we will go on to the next thing. Did the link I gave you at the Safer Networking website work? Have you tried it yet?


    You should not be running Combofix right now. We'll work on that next.


    abri
     
  41. Ravenquille

    Ravenquille Private E-2

    Hi Abri,

    1). Yes, Ok, one thing at a time.
    I have been trying to be a bit experimental, to see if I can figure out what 'whatever it is' is doing; and to try to keep a step ahead of 'it'.
    ( I am not trying to screw things up; but I am trying to learn. )

    2). YES, actually, I did follow the 'manufacturer's' tips for SB S&D Uninstallation; before I went to sleep for 2 hours.
    It appears that it has been finally removed.
    The C:\Programs folder is gone, gone from 'Software' in the Registry.

    3). On Reboot, I ran an Onine Armor Filesystem Scan.

    Very soon into the Scan got this Warning:

    "Dangerous Program"

    C:\Documents and Settings\All Users\Application Data\AOLDownloads\Triton_suite_install_6.0.28.1\

    "Recommend Delete"

    4). I Deleted

    5). Scan progress normally, took quite awhile ( did not seem to be hijacked ).
    No further nasties of any kind discovered.


    *What's the next step, at this point?



    Going to get a much-needed cup of coffee, and then have to help my husband with some cement and block work.....be back later,

    Thanks, Ravenquille
     
  42. abri

    abri MajorGeek

    Hi Ravenquille!

    This is good!
    And this is great!
    Now please download Dr. Web CureIT to the desktop -

    Find Dr.Web CureIt on the desktop and run it.
    • Doubleclick the drweb-cureit.exe file and Allow it to run the express scan if it doesn't start automatically.
    • This will scan the files currently running in memory and when something is found, click the yes button when it asks you if you want to cure it. This is only a short scan.
    • Once the short scan has finished, you should now choose the complete scan.
    • Click the green arrow to the right, and the scan will start.
    • Click 'Yes to all' if it asks if you want to cure/move the file.
    • When the scan has finished, see if you can click next, next to the files found
    • If so, click it and then click next right below and select Move incurable
    • After the scan, in the menu, click file and choose save report list
    • Save the report to your desktop. The report will be called DrWeb.csv
    • Close Dr.Web Cureit.
    • Reboot the computer in Normal Mode,
    • Zip the Cure-it report

    Let me know how this goes.
    abri
     
    Last edited: May 7, 2008
  43. Ravenquille

    Ravenquille Private E-2

    Abri,

    1) Downloaded/installed Dr.Web CureIT
    2) Rebooted to Safe Mode
    3) Ran Dr. Web CureIT
    It opened with 'preparing to scan'; with no options to select a type of scan. It ran the Quick Scan, and found nothing.
    4) I ran it again, in 'Complete Scan' ( 'Custom Scan' would not run ( pay ver? )
    5) This scan took 1 hr. 34 minutes; but it found
    11 Nasties. ( all 'Moved Incurables' )
    6) Saved Log
    7) Ran HijackThis
    8) Saved Log
    9) Rebooted to Normal Mode

    Logs attached.
    DrWeb log would not post as in Excel format saved; copied to Notepad and posted it from that file.

    I have to go to sleep now. Have to leave early in the morning. Won't be back online until tomorrow late afternoon or sometime in the evening.


    Thanks,
    Ravenquille
     

    Attached Files:

  44. abri

    abri MajorGeek

    Hi Ravenquille,

    That was good!

    Now I would like for you to shut down a service. To do this:
    • click Start > Run and type services.msc
    • Scroll down to Symantec Network Drivers Service and right click on it.
    • Click Properties and under Service Status click Stop
    • Then under Startup Type change it to Disabled.
    Next I want you to delete the Service. To do this:
    • Run C:\MGtools\analyse.exe by double clicking on it. (This is really HijackThis.)
    • Instead of scanning, click on the button None of the above, just start the program at the bottom of the choices.
    • Then click Config -> Misc Tools -> Delete an NT service.
    • In the Delete window, paste in SNDSrvc and press OK.
    • OK any prompts and close HijackThis.
    Now let's stop two items from starting when you bootup. Run C:\MGtools\analyse.exe by double clicking on it. Select Do a system scan only) and select the following lines. Exit all browser windows including the one you're reading in now and then clcik Fix.

    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"

    After you click fix, just close hijackthis.

    Now run CCleaner at the default setting (only!) with the Windows tab as the one on top.When you finish all of the above, I would like for you to run C:\MGtools\GetLogs.bat and attach the fresh MGlogs.zip

    Thanks.
    abri
     
  45. Ravenquille

    Ravenquille Private E-2

    Hi Abri,

    1)services.msc:
    Symantec Network Drivers Service Properties had ONLY 'Start'
    available ( the other selections all greyed out )

    * I did change Startup Type to 'Disabled'

    2) MGtools:
    Config, Misc Tools, Delete and NT service:
    SNDSrvc, OK: Message that it 'cannot be deleted!'

    3) HijackThis:
    Fixed the 2 requested 04 HKLM Run entries

    4) CCleaner default Windows settings

    5) MGlogs.zip attached



    Thanks,
    Ravenquille
     

    Attached Files:

  46. abri

    abri MajorGeek

    Hi Ravenquille,

    Your logs look good. How is your computer doing now? If it's running as it should, I would like to ask you to go ahead with the final cleanup instructions in the box below. In some cases you'll have to vary the instructions to match your own, for instance if there are files you renamed differently than we asked you to, simply insert your own name where ours is. In addition to what we normally ask you to remove in the box below, you also have other software from our instructions which you may or may not want to keep. Before you decide, I suggest going through the link at the end of the box How to protect yourself from malware and checking which programs you need and which can be removed. After you disabled the Symantec entry, it didn't show up in HJT. You might want to go back to Start / Run and type in services.msc and see if that entry is still in place and if it's still disabled.

    Also, in your first post, you mentioned three computers. If you would like to continue with a second one, please start a thread for that computer. We will ask you for that computer, as always, to go through the instructions in the READ & RUN ME FIRST.
    abri
     
  47. Ravenquille

    Ravenquille Private E-2

    Hi Abri,

    I have the list of recommended things to do, but I have some more things to report, and a few questions. Don't know if we can 'wrap things up' or not just yet:

    PROBLEM:
    1) I ran Dr. Web again today: 3 more things found
    ( log attached )
    And ran GMER on both C and E Drives.
    ( Please look these over and see if these are normal. I don't understand why E ( the new HDD with nothing at all on it ) has a much longer list showing up on the GMER scan.

    2) Doing some general checks in my system.
    3) Weird Icons still on my Desktop: deleted them.
    4) Checked more generalized Searches already in History in Copernic ( not just 'Christian oriented' searches ). These were NOT 'icon-ed' before; but ARE now.
    5) Deleted Copernic History
    6) Reset Internet Options to Default again, Rebooted
    7) In general Copernic Search, most things I checked are not 'icon-ed'; but Christian things are. I am not saving any Searches.

    PROBLEM:
    SO, the Icon Problem is still unaffected.

    PROBLEM:
    Time does not remain 'set'. I synchronized with Internet Time many times, changed time. Is often altered.

    QUESTIONS:

    1) services. msc:
    Should these things be concerns?

    Remote Registry ( automatic/started )
    Remote Desktop Help
    Windows Installer ( manual/stopped )
    IIS Admin ( automatic/started )
    IMAPI CD Burning ( Manual/off )
    System Restore ( automatic/started )
    Secondary Logon ( automatic/started )
    Symantec Network Drivers ( showing up here, but disabled )
    Messenger ( disabled )


    2) When I do the other two systems, I think I will just opt to save time by just totally reloading OS and the rest. Should I install the Norton Internet Security 2004, then go online ( with these systems, one at a time ) to download the recommended protection programs? Or is it better to download programs onto a flash drive from MY system (if we can sufficiently clear it)?

    **OR** Do you want me to investigate them a bit first, to see what is in them; then tackle the clearing process, instead of just wiping the HDDs?

    3) Should I run scans on my Compact Flash Cards, and USB Flash Drives?

    4) Should the computer being currently worked on, be the ONLY computer going online at the time?
    ( That would be my preference, but my husband has insisted on being online with his Desktop, while I have been in the process of cleaning my system. )

    Because all 3 are on a Wireless Home Network, are all the infections/spyware, etc. passing between them constantly?
    ( I have only Internet Connection being shared, No files, No programs, No devices being shared. )


    Thanks, Ravenquille
     

    Attached Files:

  48. abri

    abri MajorGeek

    Hi Ravenquille,
    The things you mentioned in services.msc need to be there. Your logs only show that you still have infected restore point. After you run the final clean-up instructions, your logs should be fine. The entries in both GMER scans refer to you C-drive, which is probably accessible from your other drive. It's not that a lot of things are showing up in your second drive.
    Do the final cleanup instructions first and then rerun the online BitDefender Scan again and be sure when you run it to have everything (like your flashdrives) plugged in so that it will check those too.
    abri
     
  49. Ravenquille

    Ravenquille Private E-2

    Hi Abri,


    1) Disabled Restore, Ran CCleaner
    2) Removed MGtools
    3) Removed HijackThis
    4) Ran CCleaner
    5) Removed all ComboFix files
    6) Ran CCleaner
    7) Ran GMER

    8) Ran the following Scans:

    *BitDefender
    *MalwareBytes
    *Avast
    *SUPERAntiSpyware
    *CureIt

    9) Ran CCleaner again
    10) Ran BitDefender again
    All showing clear

    11) Rechecked Internet Options Settings
    Popup Blocker and Phishing Filter are on
    12) Enabled Restore




    ***THESE PROBLEMS STILL UNCHANGED:

    1) Clock will not hold time settings:

    No matter how many times I reset, not matter how many times I synchronize with Internet time. Displays as double-digit ( ex: 9:48, displays as 09:48 )
    Progresses in double-digits past '12'; which eventually whacks out the date setting as well.

    2) Weird Internet Site Icons:

    This remains unchanged. Seems to be progressing; new Icons appearing on sites I had not seen them on before.
    Does not seem to be that any and every site gets assigned an Icon if I visit it; although this has happened a few times ( no Icon at first, Icon next time I open the site ). I delete all searches after I am done.

    Icon-ed sites may open normally, or slowly to very slowly; non-Icon-ed sites definitely open much faster.

    *Yahoo mail is Icon-ed ( I have it, but never use it ).

    *I set up a Gmail Account, just to see what would happen.
    Site not Icon-ed.
    As soon as I set up an Account, and accessed it, the site received an Icon.

    *Found Bluebottle and Hotmail to be Icon-ed.

    ( This suggests that any Email Accounts at Icon-ed Provider sites, would be monitored. )




    Not sure when I can tackle my husband's Desktop.
    Will follow the standard Cleaning Instructions.
    Will do a separate Post for that one.



    Thanks, Ravenquille
     
  50. Ravenquille

    Ravenquille Private E-2

    Abri,

    Forgot to mention this one:

    When I log in to this Forum ( entering UN/PW each time ); neither UN or PW will hold.
    I usually have to log in again if I try to manage an attachment, or submit the post.



    Ravenquille
     
Thread Status:
Not open for further replies.

MajorGeeks.Com Menu

Downloads All In One Tweaks \ Android \ Anti-Malware \ Anti-Virus \ Appearance \ Backup \ Browsers \ CD\DVD\Blu-Ray \ Covert Ops \ Drive Utilities \ Drivers \ Graphics \ Internet Tools \ Multimedia \ Networking \ Office Tools \ PC Games \ System Tools \ Mac/Apple/Ipad Downloads

Other News: Top Downloads \ News (Tech) \ Off Base (Other Websites News) \ Way Off Base (Offbeat Stories and Pics)

Social: Facebook \ YouTube \ Twitter \ Tumblr \ Pintrest \ RSS Feeds