Profile Hijack, Spyware Program Hijack, etc.
Sunday, April 27, 2008 at 7:10 pm Windows XP Annoyances Discussion Forum
Posted by Ravenquille
(17 messages posted)
Hi,
I have a strange bunch of things going on in 3 systems ( on a wireless home network
). I can't get a handle on what type of 'nasty' is causing the mess, and how it
is doing it; nothing has totally stopped 'it' so far.
( I am not certain that this is just 'one' problem at work, or if there is more than
one, doing separate things. )
1) I first noticed this problem with my husband's laptop, and the 'Uninstallation'
of TweakUI.
I installed TweakUI from the Microsoft official website. ( He wanted the laptop
to open straight to desktop, in his User Account ( no logon screens of any kind ).
) I did some settings, and began to see strange behavior after installing and using
TweakUI. I was suspicious of it, and decided to Uninstall. I got an odd window
during the Uninstall process, and Norton Internet Security blocked a 'malicious script'.
I could not Uninstall until I gave Norton permission to 'run once'. I did the Uninstall.
Snowballing, weird stuff has been going on after the Uninstall. Messages about
not being able to logon, slow startup to desktop, disconnects when online, mouse
locks/total lockups.
Laptop offline, turned off.
2) I also installed TweakUI in his desktop, and did some settings within the utility.
Never did an Uninstall of TweakUI in this system; but it has just recently been
completely redone ( on a new HDD, OS reload, etc. etc. )
I ran the following complete scans on Thurs. morning before we left for the weekend
( then shut down ):
*Norton
*SpyBot S&D
( all clear, saw no problems )
*Spyware Blaster set ( for its listed maximum protections )
Sat. night, my husband was online with this system. All was fine with startup. He
opened his WinTV to watch tv ( onscreen ). This opened/loaded very slowly. He,
then, tried to open TitanTV to get the channel listings, and it would not access
his account to display this information ( there had not been a problem with either
the program or the guide, previous to this ). System locked, he had to shut off
from power button. Rebooted normally, but once at desktop, there was mouse movement,
but mouse could not open anything. Shut off from power button again. Reboot. Desktop
got 'User Environment' screen ( 2 screens in succession ). He shut down from power
button and went to bed. I checked it this morning.
His User Profile has been altered by a Hijacker ( I do not believe this to be the
Windows Temporary Profile, which will sometimes activate when there is a logon problem
). It looks quite strange, and is specific to enable something to control operations.
Screen looked different from usual Windows scheme:
'User Environment: Windows cannot load the local User Profile.
Possible causes of the error include insufficient security rights or a corrupt logon.
If problem persists, contact your network administrator.'
( 'ok' box. If not clicked, a 2nd box appears after a seconds countdown )
2nd box: 'User Environment: Windows cannot find the local profile, so is logging
you in with a temporary profile. Any changes you make in this profile will be lost
when you shutdown.'
( 'ok' box. If not clicked, disappears after seconds countdown. )
Proceeds to load Profile with my husband's name and the same User picture.
Bliss background loads, with Start Programs Menu displaying ( on its own ), in the
primary screen you would see if you clicked on 'Start'.
The menus that I looked at in Control Panel/Internet Options, etc. are NOT the same
as those of WinXP Pro ( I compared them to mine ).
There is, for example, a Submenu entry called 'MS VM', which has the following enabled:
'JIT Compiler for Virtual Machine enabled ( requires restart )'. Settings are Custom
rather than the Default in some specific areas.
Under this new Profile, scans with Norton, SpyBot S&D come out clear; but the programs
open very slowly.
I did HijackThis log, but am not sure if it is showing anything; although I suspect
a few of the entries.
I disabled the Network connections my wireless network uses, and took the system
offline; ( in order to check MY system, which had also not been started since running
scans ( all normal ) on Thurs. morning before we left for the weekend. )
I ran scans on his system again after disabling the adapter and removing the network
connections: all clear again.
I checked his email from my computer: he has gotten some SPAM email, where he is
signed up for newsletters. He doesn't do email, and never signs up for anything;
so this is interesting.
3) My System:
Startup normal.
* Found Ad-Aware tampered with: all records of removals, quarantines, and scans gone,
settings changed.
*SpyBot S&D had been downloaded and installed, and integrated into my original SpyBot
installation somehow ( I did NOT download it; no one else has access to my system
).
( I Uninstalled AdAware, and SpyBot S&D, and downloaded both ( to a folder I made
); reinstalled both. AdAware will not allow updates; but did the most recent update
from Online ( to folder I created ).
Ran Fast Scan: showed 132 infections ( ad tracking cookies ). Removed only 10.
Log shows quarantine of 6. Will not quarantine all, will not remove ( unless after
shutdown/reboot ).
Ran Complete Scan: 65 showed up, all removed
*Ewido scan: 3 low-level ad cookies, removed
*Norton scan: showed no infections
( Spyware Blaster is also installed )
*Ran HijackThis: not sure, but appears to be listing normal, identifiable things
)
*Norton shows 36 items blocked under 'Privacy' today:
things like: google analytics, pageAd2 google, a tribal fusion, pixel quantserv
*Norton shows info sent by my computer today:
edge.quantserv, google syndication, tribalfusion; and many 'Connection Redirects'
with 'Aboutblank'
*No Profile altering at this startup, no different SPAM emails
Have not shutdown/rebooted yet, since I am still researching and investigating.
*Both systems have only one User Profile with Administrator Rights ( which I set
up ).
*Neither system is able to run the following online scans:
TrendMicro
Windowsecurity.com/trojanscan
( adjusting security settings to lower, allowing ActiveX, did not help )
Does anyone have any idea what this is, and how I can correct it?
Thanks,
Ravenquille