MajorGeeks Support Forums


Malware Removal Malware removal forum. Please see the READ ME FIRST thread before you post. Forum is staffed by a small number of volunteers, please be patient.


  #21  
Old 05-04-08, 19:12
Ravenquille
Private First Class
 
Join Date: Apr 2008
Location: Fountain Springs, Ashland, PA
Posts: 43
Thanks: 0
Thanked 0 Times in 0 Posts
Re: User Profile hijack, Spyware program hijacking, etc.

Hi Abri,

I discovered some other weird things:


1) The desktop icon for the link to my Ministry website changed from the usual IE icon to a red square with a thick white cross in it, then changed again to a box with red border top and bottom, with a white area with black words in the middle.

2) I asked the Host, OurChurch.com if they had just added a feature in their NE1 Website Builder. They had not.

3) I checked navigation via Copernic, to my site:
Google Toolbar opens ( I tried to remove this thing quite a few times ). The searchline, and the tab contain the same icon, after the page fully loads.

4) I checked navigation to OurChurch.com:
Their site has the red square with wide white cross, searchline and tab, after page fully loads.

5) I checked some Church and Ministries in OurChurch.com's Directory:
quite a few had some sort of icon ( one of the 2 icons I described above, if the sites are only in OurChurch.com. A few which are also on other sites, have different icons. )
Not ALL things I checked in this Directory are affected; seems to be selective.

6) I checked African-based sites at OurChurch.com ( Churches, Ministries )
NONE of these had the icons.

7) I checked Christian Ministries, Christian Churches, in general, in Copernic:
A lot had icons: all of these were different than the OurChurch.com icons.
Some icons grabbed part of the website's logo if they had one; others were things like: red dots around a larger red dot, a chipmunk face with a hat and sunglasses, some orange dots in a line, going down into a round black gear kind of image, etc.
NOT all sites I checked had icons.

8) NO African-based Christian-oriented sites had icons in general search.
9) NO other topical searches, so far, have had icons ( ONLY the Christian-oriented searches )

* I watched the Firewall Connection progress, as I opened sites with icons:
most had many, many, many connections momentarily; which then disappeared from the list ( google was showing up in a few, youtube in a few, ad3.rtm, ad1.rtm.1.vip. ( something ).aol, yo-1v-f147.google.com, rc10. ysm.vip.ao2., jl-in-f99.google.com, arbela.quirk.co.za, MY EMAIL SERVER in one, ( I could not begin to catch them all ). US, Canada, UK, Australia.



Online Armor appears to be altered:

Mail Shield and Web Shield not installed
Exclusions, BackUp/Restore, Hotkey, Keyloggers, and My Websites are not accessible ( message: ' sorry, these features are disabled in the free version' )
Web Help seems to suggest that they should be available???

Update set to manual

( some things on the Config/Settings menu and other menus are either greyed out, offer no selections, are not installed, or are partly different than the pics of screens shown in the online Help for Online Armor )


I saw 3 Startup Programs in Online Armor, I have not seen before:

Something called 'Both'
PROCEXP90.SYS Process Explorer, 9.30
PSEXESVC.EXE PsExec Service, 1.7.0

Showed that 'User Decision' to allow the following:
C:\WINDOWS\System32\svchost.exe, ICMP access allowed
( I did not make any 'allow' of this. This took place a few seconds after initial startup this morning )


Avast!:

Has 'Outlook/Exchange' altered
'The Provider is waiting for a subsystem to start'
Only 'Terminate' button is accessible ( others greyed out )
Process appears to be running, activity is showing




Thanks,
Ravenquille
  #22  
Old 05-04-08, 21:48
abri
Major Geek
 
Join Date: May 2005
Location: inside the Trojan Horse
Posts: 6,000
Thanks: 24
Thanked 47 Times in 46 Posts
Re: User Profile hijack, Spyware program hijacking, etc.

Hi Ravenquille,

Please go to add/remove programs and uninstall Spybot S&D. I believe it's version 1.4 which is outdated. If there is a second one, uninstall that as well. Then download and install Spybot again taking care that it does not make a new folder, but installs directly over the old version. It will ask you if it should do that and say yes.

For the icons you described, can you get screen shots of what you are talking about? In particular with reference to
Quote:
1) The desktop icon for the link to my Ministry website changed from the usual IE icon to a red square with a thick white cross in it, then changed again to a box with red border top and bottom, with a white area with black words in the middle.

2) I asked the Host, OurChurch.com if they had just added a feature in their NE1 Website Builder. They had not.

3) I checked navigation via Copernic, to my site:
Google Toolbar opens ( I tried to remove this thing quite a few times ). The searchline, and the tab contain the same icon, after the page fully loads.

4) I checked navigation to OurChurch.com:
Their site has the red square with wide white cross, searchline and tab, after page fully loads.

Online Armor states in every single website that the free version does not offer a lot of the options offered by the paid version. To test this, you might have to get the paid version. It's possible that they have a trial version somewhere.


The Symantec entry you have is a service called Symantec Network Services Drivers. Please see the following link for more information about this to see if it is something you need to have running. Did you previously use the Norton Firewall?

http://www.bleepingcomputer.com/star...vice-5016.html

Let me know how this goes.
abri
  #23  
Old 05-05-08, 15:46
Ravenquille
Re: User Profile hijack, Spyware program hijacking, etc.

Hi Abri,

1) I don't need any of the Symantec files. I had been using the full suite, which included Firewall, yes. Didn't uninstall all the way.
( Seems to be a general Uninstall issue going on; something trying to prevent uninstallations I think. )

2) Spybot S&D CANNOT be uninstalled: not in Add/Remove, Not in CCleaner.
It does NOT show in 'Software' in the Registry.
( an error screen is generated which says:
File C:\Program Files\Spybot - Search & Destroy\unins000.dat does not exist. Cannot uninstall. )
This file does show up in both of the Program Folders. It looks like it may be being controlled.

3) The Online Armor issues I described are things which show that they ARE available in the free version I have installed; in its own menus. One menu shows something as available, another menu has it inaccessible in some way.
I think what is supposed to be there is either inaccessible, or has had visible things in the menu added or removed.
I compared to screen shots and text in Online Armor Help. Text file DID mention some features that were not available in the free version; but it doesn't apply to what I am finding.
I should probably talk to someone who has the free version installed to see what they are seeing and being able to use.

4) SCREEN SHOTS:
The Google Toolbar appears normal in every way; except for the fact that CERTAIN websites have odd icons ( all others have the usual 'blue e' for IE. ). I took some shots of some of the icons, then cropped and tried to enhance clarity a little. These are not totally clear, but you can get an idea.
They show:

* my desktop icon ( which changed again today, back to the red square with thick white cross )

*OurChurch.com ( my Ministry Hosting site ) icon ( same as mine now )

*Suspected Fake Ministry site at OurChurch.com with the same icon
( there are many of these hosted at OurChurch.com; the idea is to get donations, or contact in some way to get donations )

*Site not hosted at OurChurch with black gear/orange circle icon,
chipmunk icon, orange square with CA icon, etc.


*Sites not hosted at OurChurch with 'Logo grabbing copy' icons

( I will attach 3 in each post )


5) MalwareBytes quick scan today:
Registry entry was:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\mchInjDrv (Spyware.OnlineGames) -> Quarantined and deleted successfully.

( interesting.....I neither visit or play online games )

Keeps logging me out here at the Forum.


Thanks,
Ravenquille
Attached Images
File Type: jpg My Desktop Icon.jpg (2.2 KB, 7 views)
File Type: jpg OurChurch.com Icon.jpg (1.9 KB, 2 views)
File Type: jpg SCAMsite OurChurch.com icon.jpg (1.9 KB, 3 views)
  #24  
Old 05-05-08, 15:48
Ravenquille
Re: User Profile hijack, Spyware program hijacking, etc.

Next 3 Google Toolbar Website Icons
Attached Images
File Type: jpg LogoGrab icon.jpg (8.1 KB, 4 views)
File Type: jpg Logo Icon.jpg (10.7 KB, 5 views)
File Type: jpg Chipmunk Icon.jpg (2.0 KB, 3 views)
  #25  
Old 05-05-08, 15:50
Ravenquille
Re: User Profile hijack, Spyware program hijacking, etc.

2 more, last 2 in next post
Attached Images
File Type: jpg BlackgearOrangeDot Icon.jpg (1.9 KB, 2 views)
File Type: jpg Flower Icon.jpg (6.6 KB, 3 views)
  #26  
Old 05-05-08, 15:55
Ravenquille
Re: User Profile hijack, Spyware program hijacking, etc.

These 2 use CW and CA




These 'icon tagged websites' showing in Google Toolbar/Copernic Browser Search, will also appear if you place a shortcut on your desktop.
( I tested this with my website a few times. The icon always comes along. I didn't want to try out saving any others to my desktop. )
Any other sites I have on my desktop or in a file, all have the usual 'blue e' IE icons.


Ravenquille
Attached Images
File Type: jpg CW Icon.jpg (3.2 KB, 2 views)
File Type: jpg CA Icon.jpg (2.9 KB, 5 views)
  #27  
Old 05-05-08, 15:58
Ravenquille
Re: User Profile hijack, Spyware program hijacking, etc.

Abri,

I see these pics don't enlarge very much when you click on them; I thought they would.

With the 97 KB limit for a file, I don't know what else I could do, so that you can see the Icons.



Ravenquille
  #28  
Old 05-06-08, 01:59
abri
Re: User Profile hijack, Spyware program hijacking, etc.

Hi Ravenquille,

Thanks for the jpg's. I would like for you to continue as follows:

1) Reset Web Settings & Default Security Settings

For IE 6 users:

To Reset Web Settings:
Right click on your desktop Internet Explorer icon and select Properties. Then click the Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK.

If you do not have an Internet Explorer icon on your Desktop, click Start, Control Panel (for some systems it may be Start, Settings, Control Panel), Internet Options, Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK

To Default Security Settings:
Right click on your desktop Internet Explorer icon and select Properties. Then click the Security Tab and click Default Level for Internet, Local Intranet, Trusted Sites, and Restricted Sites. For IE 7 users, simply click the "Reset all zones to default level" button.

For IE 7 users:

Select Internet Options, then the Advanced Tab and then the Reset button under Reset Internet Explorer Settings.


2) Now please download ATF Cleaner by Atribune. This program does not require an installation. The executable actually runs the program.

NOTE: This program is for Windows XP and Windows 2000 only. ATF Cleaner will remove all files from the items that are checked so if you have some cookies you'd like to save. Please move them to a different directory first.
  • Double-click ATF-Cleaner.exe to run the program.
  • Under Main choose: Select All
  • Click the Empty Selected button.
If you use Firefox browser
  • Click Firefox at the top and choose: Select All
  • Click the Empty Selected button.
    • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browser
  • Click Opera at the top and choose: Select All
  • Click the Empty Selected button.
    • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main ATF Cleaner menu to close the program.

3) Finally, please download and install Spybot S&D into a folder where there is already a Spybot S&D. Be sure to make it install into an existing Spybot folder. Then see if you can uninstall the program via add/remove programs.

4) Then run ATF Cleaner again.

Let me know how this goes?

abri
  #29  
Old 05-06-08, 08:44
Ravenquille
Re: User Profile hijack, Spyware program hijacking, etc.

Hi Abri,

I ran a Defrag with Diskkeeper Lite ( free version )
C was wildly fragmented, of course.

1) Set IE7 Advanced/Reset

2) Ran ATF

3) Installed SB S&D to existing SpyBot-Search & Destroy Folder

4) Add/Remove attempt: ( did not proceed because of the following )
Online Armor Warns of Suspicious File which 'looks the same as C:\Program Files\Spybot-Search & Destroy\unins001.exe'
File is:

C:\Documents and Settings\Deborah\Local Settings\Temp\_IU14D2N.temp

5) Ran ATF

6) Installed SB S&D to existing SpyBot-Search & Destroy(2) Folder

7) Add/Remove attempt: get the same 'C:\Program Files\SpyBot-Search & Destroy\unins000.dat does not exist. Cannot uninstall.'

8) Ran ATF again


Going to reboot and see if the Icon fun is still happening in Copernic Search.
Will post results, then I will not be back online till later this afternoon.


Ravenquille

??Should I try the Uninstall ( which will use File referenced in item #4 ) ?
  #30  
Old 05-06-08, 09:43
Ravenquille
Re: User Profile hijack, Spyware program hijacking, etc.

Abri,

Reboot
I have different Desktop icons now.

Test search Copernic: still icons appearing on certain Christian-oriented sites

Thought I'd try to 'add provider' in IE ( add Copernic, as it is not in the provider list ). Page for that got an icon, and page for TEST operation at Copernic.com also got its own icon.
Exit

After this, I opened IE from Desktop IE icon ( normal )
Got the SETTINGS FIRST RUN Page for IE7!

( attaching 2 pics, in 2 posts )

Ravenquille
Attached Images
File Type: jpg IE Add Search Provider.jpg (2.4 KB, 2 views)
File Type: jpg IE Copernic set.jpg (2.4 KB, 4 views)
  #31  
Old 05-06-08, 09:51
Ravenquille
Re: User Profile hijack, Spyware program hijacking, etc.

Abri,

Page open is slower than it should be. I had to unplug cable modem and router for reset. Ok after that. I notice that all progress lights on both, will often freeze; so I reset one or both at that point.

Here's my new icon pic, and IE Setup First Run page pic


That's it till later this afternoon....have to jump in the shower and then go get some building supplies.
Will check for further instructions when I get back.


( It is beginning to feel like someone is standing behind my chair looking over my shoulder, so they can catch everything I am doing......

You know this is ticking me off so bad, that I would like to become an expert in the Malware/Virus/Hacking Detection/Removal/Prevention thing. )


Ravenquille
Attached Images
File Type: jpg My Desktop icon today.jpg (1.5 KB, 6 views)
File Type: jpg IE after settings.jpg (3.0 KB, 4 views)
  #32  
Old 05-06-08, 09:52
abri
Re: User Profile hijack, Spyware program hijacking, etc.

Hi Ravenquille,

Yes, try uninstalling it. It sounds like the tmp file is the other file renamed.

abri
  #33  
Old 05-07-08, 01:57
Ravenquille
Re: User Profile hijack, Spyware program hijacking, etc.

Hi Abri,

Looks like all Hell is breaking loose.

1) Uninstalled SB S&D via Add/Remove. Got screen which tries to talk you out of Uninstalling. Uninstalled. Uninstall appears to be progressing normally; says successful, need to restart.

2) Reboot

3) At boot, I try to Uninstall SB S&D(2). Still the same screen that file does not exist/cannot Uninstall.

4) I check the SB S&D ( first one, not (2) ) Program Folder. Tah! Dah!
More Magic! A long list of new folders, files, and 13 Executables!!!

5) Ran MalwareBytes. Decided to update. Fatal mistake. Proceeded to download 'new version'. Stupidly, I thought for a second this might have meant new definition database update; ran scan. Scan is clean.

6) Time and date has changed by itself, 2x. I set it back.

7) Ran HijackThis!

8) DiskeeperLite screen pops up and suggests I should defragment C. I close the screen.

9) I run GMER on C

10) I have NOTHING on my 2nd HDD, E:
I ran GMER on E. BERSERK listing !
Looks like something is really, really busy.


Logs attached

( NOTE: All log dates are really W. 5/7/08, not M.5/5/08 as stated on the logs ( time/date changed by something ) )

GraceMary is GMER on C
GraceMark is GMER on E


Ravenquille
Attached Files
File Type: log hijackthis.log (7.8 KB, 1 views)
File Type: txt GraceMary.txt (2.2 KB, 3 views)
File Type: txt GraceMarkE.txt (27.2 KB, 2 views)
  #34  
Old 05-07-08, 02:49
abri
Re: User Profile hijack, Spyware program hijacking, etc.

Hi Ravenquille,

Diskkeeper Lite does that. I finally uninstalled it, because I got tired of it.

What I've been trying to get you to do is to uninstall one Spybot - the troublesome one and then if the remaining one is not in add/remove programs, to then install Spybot over it and uninstall the non-troublesome one.

What executables did you get in the second Spybot folder?

abri
  #35  
Old 05-07-08, 03:36
Ravenquille
Re: User Profile hijack, Spyware program hijacking, etc.

Hi Abri,

1) Can't run ComboFix
Tried to download again to an obscure file location, then renamed it to 'Candy.exe0

2) Online Armor caught:

"Candy.exe wants to remotely control another process using Windows Message API
Wants to control C:\Program Files\SUPERSAntiSpyware\SUPERAntiSpyware.exe ( process ID-2908 )
( I blocked it )

"Candy.exe wants to start
C:\327882RFWJFW\nircmd.com
( I blocked it )


3) My 2nd HDD ( E) has 2 Folders:

RECYCLER ( I did not look at this )

System Volume Information
( Access is Denied if click on it; but mouseover says 'File is Empty' )


4) Looks like SpywareBlaster is being messed with too:
Any time I open it, all protections are Disabled and Unchecked

I looked at the entries in Restricted Sites; not sure, but possibly some of the listings are fake and are really good sites

( I am leaving it as it is with nothing checked, at this point. I enabled all a number of times; but not today. )


5) It looks like my system may be being controlled REMOTELY.
Tonight feels like bombs keep going off in my last footstep.......



Ravenquille
  #36  
Old 05-07-08, 03:51
abri
Re: User Profile hijack, Spyware program hijacking, etc.

Hi Ravenquille,

Your communication is sometimes not clear because of the missing pronouns. Please be clear.

Quote:
1) Can't run ComboFix
Tried to download again to an obscure file location, then renamed it to 'Candy.exe0
Did you try to download Combofix? If so, where did you tell your computer to download it to? Where did you have your computer install it? Who named it Candy.exe0?


I don't know if I asked you to run combofix, but one thing you should know about it is that it is picked up by almost all the scans as trying to control things. It's a good tool, because it goes so far into the system. The other scans can't identify if it's a good process or a bad one and so they throw up warnings like the ones you've described.

The RECYCLER folder and the System Volume Information are visible now, because we had you make your invisible files visible. You can reverse this following those instructions in the READ & RUN ME FIRST in reverse order and making them all invisible again. We don't need to see them anymore. The reason System Volume Information appears empty is because if you do anything to the files inside of that folder, your computer probably won't work anymore. It's made to be difficult to see into for the safety of your computer.

So far the main problems we've seen are that your icons got mixed up in Internet Explorer and you've had multiple copies of Spybot S&D which you haven't been able to uninstall. Everything else you've described points at original problems caused when you first installed Tweak UI.

abri
  #37  
Old 05-07-08, 05:14
Ravenquille
Re: User Profile hijack, Spyware program hijacking, etc.

Abri,

I did do the new installations into the program folders.
Both of the current SpyBot S&D Folders are 'troublesome ones'.
It is not possible to Uninstall SpyBot S&D. I tried to download and install the latest version into BOTH of these 'troublesome' program folders; it hasn't helped so far.

1) SB S&D(2):
This folder has the Spybotsd152.exe in it ( 2 screens/magnifying glass icon ); no other .exe, no Uninstall/Install ( new version was downloaded and installed to this SpyBot-Search & Destroy(2) Folder.
This program folder cannot be uninstalled because it generates the 'unins000.dat does not exist. Cannot uninstall.' ( Even with latest version installed into that folder, there was no change. Still could not Uninstall. )

2) SpyBot-Search & Destroy:
This program SB S&D; only LOOKED like it uninstalled.
When I downloaded Version 1.52 to that program folder and installed, it, the latest version just meshes into the existing SpyBot-Search & Destroy program folder.
AFTER it appeared as though it Uninstalled, it is STILL there, WITH the latest version installation STILL meshed into it; but, now, with these added files I list below.


I tried to get a screen shot of all the Folders and Files, and the 13 executables; keeps coming over either too huge to post, or if I edit it down, it is too small to read.

So...... I will type the 15 ( not 13, I miscounted ) Executables and other files:

( monitor/cd/box icon ):

spybotsd14.exe
unins001.exe
pkysetup.exe


( 2 screens/magnifying glass icon ):

SDMain.exe
blindman.exe
SDDelFile.exe
SDWinSec.exe
spybotsd152.exe
spybotsd_includes.exe

unins000.exe
File Ver: 51.41.0.0


( World with a plug icon ):

update.exe


( 2 screens/magnifying glass/lock icon( sort of greyed out ) ):

TeaTimer.exe


( 2 screens/magnifying glass icon ( sort of greyed out ) ):

SpybotSD.exe
SDUpdate.exe


( Metal Trashcan icon ):

SDShred.exe



Others Files:

unins001.msg
Outlook Item

unins001.dat
NeroMediaPlayer media files


( 2 screens/magnifying glass icon ( sort of greyed out ) ):

PQDGTJ.scr
LKTGMJJUWVZ.scr
SUOLVSYTKXMRYYOY.scr


DelZip179.dll
1.79.7.4
Freeware Zip/UnZip
5/5/2008

Languages Folder:
English and Esperanto

( Some other Folders/Files, but others look normal )



It is 6:15 AM, and I have been up all night. I have to get a few hours sleep now.



Thanks,

Ravenquille
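As an added illustration (not code from this thread, from Spybot, or from MajorGeeks), a small Python heuristic that scans a constructed file listing modelled on the folder contents above and flags entries a responder would look at first: screensaver executables inside a program folder and random-looking all-uppercase names. The extension list and the vowel-ratio threshold are assumptions chosen for this example.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample listing, modelled on the file names reported above inside
# the Spybot - Search & Destroy program folder. Names only, so it runs offline;
# it is not a real directory scan.
SAMPLE_LISTING: List[str] = [
    "spybotsd14.exe", "unins001.exe", "pkysetup.exe",
    "SDMain.exe", "blindman.exe", "SDDelFile.exe", "SDWinSec.exe",
    "spybotsd152.exe", "spybotsd_includes.exe", "unins000.exe",
    "update.exe", "TeaTimer.exe", "SpybotSD.exe", "SDUpdate.exe", "SDShred.exe",
    "unins001.msg", "unins001.dat",
    "PQDGTJ.scr", "LKTGMJJUWVZ.scr", "SUOLVSYTKXMRYYOY.scr",
    "DelZip179.dll",
]

# Extensions Windows will execute as PE files (assumed list). A .scr file is an
# ordinary executable despite the "screensaver" name and does not belong in an
# anti-spyware install directory.
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".dll", ".pif"}
VOWELS = set("AEIOU")


def looks_random(stem: str) -> bool:
    """Heuristic for machine-generated names: all-uppercase letters only,
    at least six characters, and a vowel ratio well below English prose
    (threshold 0.25 is an assumption for this example)."""
    if len(stem) < 6 or not re.fullmatch(r"[A-Z]+", stem):
        return False
    vowel_ratio = sum(ch in VOWELS for ch in stem) / len(stem)
    return vowel_ratio < 0.25


def split_name(filename: str) -> Tuple[str, str]:
    """Return (stem, lower-cased extension with dot); '' when there is none."""
    stem, dot, ext = filename.rpartition(".")
    if not dot:
        return filename, ""
    return stem, "." + ext.lower()


def flag_suspicious(listing: List[str]) -> Dict[str, List[str]]:
    """Map each suspicious filename to the list of reasons it was flagged."""
    findings: Dict[str, List[str]] = {}
    for name in listing:
        stem, ext = split_name(name)
        reasons: List[str] = []
        if ext == ".scr":
            reasons.append("screensaver executable inside a program folder")
        if ext in EXECUTABLE_EXTS and looks_random(stem):
            reasons.append("random-looking name")
        if reasons:
            findings[name] = reasons
    return findings


if __name__ == "__main__":
    for name, reasons in flag_suspicious(SAMPLE_LISTING).items():
        print(f"{name}: {'; '.join(reasons)}")
```

Flagged names are candidates for hash lookup and quarantine, not proof on their own; a legitimate installer can also carry oddly named files.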
  #38  
Old 05-07-08, 05:47
abri
Re: User Profile hijack, Spyware program hijacking, etc.

Hi Ravenquille,

The problem with the Spybot S&D not uninstalling properly is certainly annoying. Please go to How to uninstall - Spybot S&D and look for the very small link called "this very small fix" in light blue. This should uninstall any remaining entries you have in your computer for Spybot. See if this works. If this doesn't work, I will ask you to post at their help forum for help with their product, as I think they will be quite experienced in everything that can occur and be unusual.

abri
  #39  
Old 05-07-08, 06:41
Ravenquille
Re: User Profile hijack, Spyware program hijacking, etc.

Quote:
Originally Posted by abri
Hi Ravenquille,

Your communication is sometimes not clear because of the missing pronouns. Please be clear.

Did you try to download Combofix? If so, where did you tell your computer to download it to? Where did you have your computer install it? Who named it Candy.exe?

I don't know if I asked you to run combofix, but one thing you should know about it is that it is picked up by almost all the scans as trying to control things. It's a good tool, because it goes so far into the system. The other scans can't identify if it's a good process or a bad one and so they throw up warnings like the ones you've described.

So far the main problems we've seen are that your icons got mixed up in Internet Explorer and you've had multiple copies of Spybot S&D which you haven't been able to uninstall. Everything else you've described points at original problems caused when you first installed Tweak UI.
abri



Abri,

1). I tried, first, to click on the existing icon cf.exe, which I had moved into a Desktop folder I named 'Cooking Tips'.
2). I got an Error box which said: "You cannot save ComboFix as cf.exe. Please Rename it, prefrably with alphanumeric characters"
( and 'prefrably' was misspelled )
3). I ignored and closed this box, and copied the 'kill' command line from the instructions, and pasted it into the Start/Run. Another Error box said that 'System cannot find Regedit' ( not sure now of the exact wording on this, but that's what it was trying to say. Regedit was fine, I checked. )
4). I went to MajorGeeks and downloaded ComboFix again.
5). I downloaded, and installed it to My Documents\COBRA Medical Plan
( to try to hide it, to see if I could run )
6). I renamed it to 'Candy.exe'


( Scans thinking ComboFix is Controlling something ):

7). I thought this might be possible; but I wasn't sure if the Online Armor warning:
"Candy.exe wants to remotely control another process using Windows Message API"
"Candy. exe wants to start C:\327882RFWJFW\nircmd.com"
are things I would be safe in 'Allowing'.


( System Volume Information and RECYCLER ):

8). I understand that, in relation to HDD C; and I know better than to alter any file that I am not completely sure about.
The GMER log I ran on HDD C is small ( this attached log is named 'GraceMary'. )

However, the GMER log for HDD E is huge ( the attached log named 'GraceMarkE' ). I recently installed this 2nd HDD; no OS, no Programs, no Files, one simple Partition. I have never put anything on it at all.

This time is the ONLY time that anything showed up at all on HDD E.
Previous GMER logs did not show anything for E ( run separately from C ).
Some of the info on this log looks strange to me. There are also some files which have 'Access Denied' and 1 File Not Found.

Is all of this log content for E normal?


9). The SpyBot S&D original, older version was hijacked by something which downloaded itself into it, during an Update. I Uninstalled it because of this.
I installed the latest version. That installation meshed with the previous hijack program ( which did not Uninstall, but appeared to. ) When I tried to do a fresh install, I got the further hijacked combination of 2 Program Folders.
Today, with an Uninstall ( which did not really Uninstall ), I got new, additional files and executables in the original Program folder.
They could not be uninstalled before, couldn't after all the scans and fixes we have run; and still cannot be uninstalled.

10). Only ONE Desktop icon has been hijacked; but many, many, have been created in IE ( when I was using Copernic, with the impossible-to-remove Google addition popping up in Copernic Search ).
'Mixed up' doesn't seem to describe what is going on.

11). There have been a number of Downloaders and Trojans being discovered and removed.

12). Malware/Spyware, Anti-Virus programs are being hijacked in various ways, one by one. Sometimes if I run a program, something will get enacted; sometimes a download happens on its own. Sometimes, if I do an Update, a hijacking download has taken place.

13). Norton Internet Security 2005 could not totally be Uninstalled.

14). Skype, and QLock, I noticed, also did not totally Uninstall.
( It appears that both 'Install' and 'Uninstall' functions may be hijacked in some way. )

15). As far as TWEAKUI goes in MY system:

I downloaded and installed it. I opened it to take a look at it. I did not use it at all. I have not tried to Uninstall it ( the Uninstall seemed to create a mess in both of my husband's systems; so I have not yet attempted this ).

It all seems to be getting worse, rather than better.



Ravenquille, now a total Zombie.........
  #40  
Old 05-07-08, 08:07
abri
Re: User Profile hijack, Spyware program hijacking, etc.

Hi Ravenquille,

Please concentrate on one thing at a time. It's important that we first see if Spybot can be completely removed from your computer. Then if there is any malware affecting it, it will be gone. Then we will go on to the next thing. Did the link I gave you at the Safer Networking website work? Have you tried it yet?


You should not be running Combofix right now. We'll work on that next.


abri