Annoyances.org
re: Profile Hijack, Spyware Program Hijack, etc.
Sunday, April 27, 2008 at 8:05 pm
Windows XP Annoyances Discussion Forum
Posted by Ricer46 (19205 messages posted)


Re-install XP. A system that badly infested is a hopeless mess.
Next time be more concise; no one wants to read through that much detail.
And you need to change your inet habits.






On Sunday, April 27, 2008 at 7:10 pm, Ravenquille wrote:
>Hi,
>I have a strange bunch of things going on in 3 systems ( on a wireless home network ).
>I can't get a handle on what type of 'nasty' is causing the mess, and how it
>is doing it; nothing has totally stopped 'it' so far.
>( I am not certain that this is just 'one' problem at work, or if there is more than
>one, doing separate things. )
>
>1) I first noticed this problem with my husband's laptop, and the 'Uninstallation'
>of TweakUI.
>I installed TweakUI from the Microsoft official website. ( He wanted the laptop
>to open straight to desktop, in his User Account ( no logon screens of any kind ). )
>I did some settings, and began to see strange behavior after installing and using
>TweakUI. I was suspicious of it, and decided to Uninstall. I got an odd window
>during the Uninstall process, and Norton Internet Security blocked a 'malicious script'.
> I could not Uninstall until I gave Norton permission to 'run once'. I did the Uninstall.
> Snowballing, weird stuff has been going on after the Uninstall. Messages about
>not being able to logon, slow startup to desktop, disconnects when online, mouse
>locks/total lockups.
>Laptop offline, turned off.
>
>2) I also installed TweakUI in his desktop, and did some settings within the utility.
> Never did an Uninstall of TweakUI in this system; but it has just recently been
>completely redone ( on a new HDD, OS reload, etc. etc. )
>I ran the following complete scans on Thurs. morning before we left for the weekend
>( then shut down ):
>
>*Norton
>*SpyBot S&D
>( all clear, saw no problems )
>*Spyware Blaster set ( for its listed maximum protections )
>
>Sat. night, my husband was online with this system. All was fine with startup. He
>opened his WinTV to watch tv ( onscreen ). This opened/loaded very slowly. He,
>then, tried to open TitanTV to get the channel listings, and it would not access
>his account to display this information ( there had not been a problem with either
>the program or the guide, previous to this ). System locked, he had to shut off
>from power button. Rebooted normally, but once at desktop, there was mouse movement,
>but mouse could not open anything. Shut off from power button again. Reboot. Desktop
>got 'User Environment' screen ( 2 screens in succession ). He shut down from power
>button and went to bed. I checked it this morning.
>His User Profile has been altered by a Hijacker ( I do not believe this to be the
>Windows Temporary Profile, which will sometimes activate when there is a logon problem ).
>It looks quite strange, and is specific to enable something to control operations.
>Screen looked different from usual Windows scheme:
>'User Environment': Windows cannot load the local User Profile.
>Possible cause of the error include insufficient security rights or a corrupt logon.
> If problem persists, contact your network administrator.'
>( 'ok' box. If not clicked, a 2nd box appears after a seconds countdown )
>
>2nd box: 'User Environment': Windows cannot find the local profile, so is logging
>you in with a temporary profile. Any changes you make in this profile, will be lost
>when you shutdown.'
>( 'ok' box. If not clicked, disappears after seconds countdown. )
>Proceeds to load Profile with my husband's name and the same User picture.
>Bliss background loads, with Start Programs Menu displaying ( on its own ), in the
>primary screen you would see if you clicked on 'Start'.
>
>The menus that I looked at in Control Panel/Internet Options, etc. are NOT the same
>as those of WinXP Pro ( I compared them to mine ).
>There is, for example, a Submenu entry called 'MS VM'; which has the following enabled:
> 'JIT Compiler for Virtual Machine enable ( requires restart )'. Settings are Custom
>rather than the Default in some specific areas.
>
>Under this new Profile, scans with Norton, SpyBot S&D come out clear; but the programs
>open very slowly.
>I did HijackThis log, but am not sure if it is showing anything; although I suspect
>a few of the entries.
>I disabled the Network connections my wireless network uses, and took the system
>offline; ( in order to check MY system, which had also not been started since running
>scans ( all normal ) on Thurs. morning before we left for the weekend. )
>I ran scans on his system again after disabling the adapter and removing the network
>connections: all clear again.
>I checked his email from my computer: he has gotten some SPAM email, where he is
>signed up for newsletters. He doesn't do email, and never signs up for anything;
>so this is interesting.
>
>3) My System:
>Startup normal.
>* Found Ad-Aware tampered with: all records of removals, quarantines, and scans gone,
>settings changed.
>*SpyBot S&D had been downloaded and installed, and integrated into my original SpyBot
>installation somehow ( I did NOT download it; no one else has access to my system ).
>( I Uninstalled AdAware, and SpyBot S&D, and downloaded both ( to a folder I made );
>reinstalled both. AdAware will not allow updates; but did the most recent update
>from Online ( to folder I created ).
>Ran Fast Scan: showed 132 infections ( ad tracking cookies ). Removed only 10.
>Log shows quarantine of 6. Will not quarantine all, will not remove ( unless after
>shutdown/reboot ).
>Ran Complete Scan: 65 showed up, all removed
>*Ewido scan: 3 low-level ad cookies, removed
>*Norton scan: showed no infections
>( Spyware Blaster is also installed )
>*Ran HijackThis: not sure, but appears to be listing normal, identifiable things
>)
>*Norton shows 36 items blocked under 'Privacy' today:
>things like: google analytics, pageAd2 google, a tribal fusion, pixel quantserv
>*Norton shows info sent by my computer today:
>edge.quantserv, google syndication, tribalfusion; and many 'Connection Redirects'
>with 'Aboutblank'
>*No Profile altering at this startup, no different SPAM emails
>Have not shutdown/rebooted yet, since I am still researching and investigating.
>
>*Both systems have only one User Profile with Administrator Rights ( which I set up ).
>*Neither system is able to run the following online scans:
>
>TrendMicro
>Windowsecurity.com/trojanscan
>( adjusting security settings to lower, allowing ActiveX, did not help )
>
>Does anyone have any idea what this is, and how I can correct it?
>
>
>Thanks,
>Ravenquille