Profile Hijack, Spyware Program Hijack, Etc.!


  • Please log in to reply
1 reply to this topic

#1 Ravenquille
Posted 28 April 2008 - 09:35 AM

Hi,
I have a strange bunch of things going on in 3 systems (on a wireless home network). I can't get a handle on what type of 'nasty' is causing the mess, and how it is doing it; nothing has totally stopped 'it' so far.
(I am not certain that this is just 'one' problem at work, or if there is more than one, doing separate things.)

1) I first noticed this problem with my husband's laptop, and the 'Uninstallation' of TweakUI.

I installed TweakUI from the Microsoft official website. (He wanted the laptop to open straight to desktop, in his User Account (no logon screens of any kind).) I did some settings, and began to see strange behavior after installing and using TweakUI. I was suspicious of it, and decided to Uninstall. I got an odd window during the Uninstall process, and Norton Internet Security blocked a 'malicious script'. I could not Uninstall until I gave Norton permission to 'run once'. I did the Uninstall. Snowballing, weird stuff has been going on after the Uninstall: messages about not being able to logon, slow startup to desktop, disconnects when online, mouse locks/total lockups.
Laptop offline, turned off.

2) I also installed TweakUI on his desktop, and did some settings within the utility. I never did an Uninstall of TweakUI on this system; but it has just recently been completely redone (on a new HDD, OS reload, etc., and TweakUI is NOT installed).

I ran the following complete scans on Thurs. morning before we left for the weekend (then shut down):

*Norton
*SpyBot S&D
(all clear, saw no problems)
*Spyware Blaster set (for its listed maximum protections)

Sat. night, my husband was online with this system. All was fine with startup. He opened his WinTV to watch tv (onscreen). This opened/loaded very slowly. He then tried to open TitanTV to get the channel listings, and it would not access his account to display this information (there had not been a problem with either the program or the guide previous to this). System locked, he had to shut off from the power button. Rebooted normally, but once at desktop, there was mouse movement, but the mouse could not open anything. Shut off from the power button again. Reboot. Desktop got a 'User Environment' screen (2 screens in succession). He shut down from the power button and went to bed.
I checked it this morning.
His User Profile has been altered by a Hijacker (I do not believe this to be the Windows Temporary Profile, which will sometimes activate when there is a logon problem). It looks quite strange, and is specific to enable something to control operations.
Screen looked different from the usual Windows scheme:
'User Environment': 'Windows cannot load the local User Profile.
Possible cause of the error include insufficient security rights or a corrupt logon. If problem persists, contact your network administrator.'
('ok' box. If not clicked, a 2nd box appears after a seconds countdown.)

2nd box: 'User Environment': 'Windows cannot find the local profile, so is logging you in with a temporary profile. Any changes you make in this profile will be lost when you shutdown.'
('ok' box. If not clicked, disappears after a seconds countdown.)
Proceeds to load the Profile with my husband's name and the same User picture.
Bliss background loads, with the Start Programs Menu displaying (on its own), in the primary screen you would see if you clicked on 'Start'.

The menus that I looked at in Control Panel/Internet Options, etc. are NOT the same as those of WinXP Pro (I compared them to mine).
There is, for example, a Submenu entry called 'MS VM', which has the following enabled: 'JIT Compiler for Virtual Machine enable (requires restart)'. Settings are Custom rather than the Default in some specific areas.

Under this new Profile, scans with Norton, SpyBot S&D come out clear; but the programs open very slowly.
I did HijackThis log, but am not sure if it is showing anything; although I suspect a few of the entries.
I disabled the Network connections my wireless network uses, and took the system offline (in order to check MY system, which had also not been started since running scans (all normal) on Thurs. morning before we left for the weekend).
I ran scans on his system again after disabling the adapter and removing the network connections: all clear again.
I checked his email from my computer: he has gotten some SPAM email, where he is signed up for newsletters. He doesn't do email, and never signs up for anything; so this is interesting.

3) My System:
Startup normal.
*Found Ad-Aware tampered with: all records of removals, quarantines, and scans gone, settings changed.
*SpyBot S&D had been downloaded and installed, and integrated INTO my original SpyBot installation somehow (I did NOT download it; no one else has access to my system).
(I Uninstalled Ad-Aware and SpyBot S&D, and downloaded both (to a folder I made); reinstalled both. Ad-Aware will not allow updates; but I managed to do the most recent update from Online (to the folder I created).)

Ran Fast Scan: showed 132 infections (ad tracking cookies). Removed only 10. Log shows quarantine of 6. Will not quarantine all, will not remove (unless after shutdown/reboot, which I have not done yet).

Ran Complete Scan: 65 showed up, all removed

*Ewido scan: 3 low-level ad cookies, removed
*Norton scan: showed no infections
(Spyware Blaster and Spyware Guard are also installed)
*Ran HijackThis: not sure, but appears to be listing normal, identifiable things
*Norton shows 36 items blocked under 'Privacy' today:
things like: google analytics, pageAd2 google, a tribal fusion, pixel quantserv
*Norton shows info sent by my computer today:
edge.quantserv, google syndication, tribalfusion; and many 'Connection Redirects' with 'Aboutblank'
*No Profile altering at this startup, no different SPAM emails
Have not shutdown/rebooted yet, since I am still researching and investigating.
(Reboot Monday morning: no Profile altering)

*All 3 systems have only one User Profile with Administrator Rights (which I set up).
*Neither system is able to run the following online scans:

TrendMicro
Windowsecurity.com/trojanscan
(adjusting security settings to lower, allowing ActiveX, did not help)

Does anyone have any idea what this is, and how I can correct it?


Thanks,
Ravenquille

#2 DaChew
Posted 28 April 2008 - 09:49 AM

Sounds like some malware/trojan spreading through network shares. In a case like this it's best to work on one computer at a time and physically disconnect the LAN. As soon as you remove part of the malware from one computer it's reinfected from another, not to mention that the malware goes back to the web for updates and new instructions.

In case you have a backdoor trojan, the systems will be hard to clean and your confidential information has been compromised.

Take the computer that's least infected/corrupted, leaving only it connected to the WAN and LAN, and run MBAM:

http://www.bleepingcomputer.com/forums/ind...st&p=809739
Chewy

No. Try not. Do... or do not. There is no try.
