Serious issue, nothing will work

- Collapse -

Oh Boy!...More Info Please. If You Can Copy/ Paste AdWatch..

by tobeach Dec 19, 2005 2:22PM PST

report you saved it might be of some help.
We need some system info OS, SP level, Names of whatever scanners/ protectors you normally have on board, all latest updates?
What have you tried so far & results. Please write down EXACTLY what you get shown re problem including and names/paths of where baddies are. Firewall (which) Connection type(dsl,cable,dial up) & ISP, etc.
Worth a 1st try, download McAfee Singer program from following link and run and at end have it fix what it can & click "save report" send to desktop or where you can easily access it. Get Here:
http://vil.nai.com/vil/stinger/
You maybe better off if you can download it on some other clean computer and then bring it home to yours. Its fairly small, will fit on a 3.5 floppy disc or a cd or a portable USB storage item (Sandisk type). Just put in floppy drive( or appropriate) and double click exe to run.
Feels like maybe it's been happening for a few more days than you think, suspect was on board before recent AVG updates and caused corruption there in. Possibly an "Exploit" type worm or trojan. From Outlook Express?
Possibly a System Restore to when you know for Positive you were clean (5-7 days ago? more?).
Post back with info please. I will be here for 1 hour and will return same time tommorrow. Others will also have a look but we all need the info !! Thanks.

- Collapse -

Fixed, here's the stuff:

by NWRCS Dec 19, 2005 3:01PM PST

XP Pro, SP2. Cable modem.
AVG, which I believe is the root issue, with Spybot as an on-demand, MS Anti-Spyware (NOT AV) AdAware on-demand, AdWatch running all the time, Privacy Guardian on-demand, Spyware Doctor monitoring.
An AVG Update occurred (once we were up again and could access Outlook Express, we could see there were no e-mails), and the system lunched upon completion.
I had an MS Certified Software Engineer and Certified Trainer here. He'd never seen anything like it.
ALL files were changed from an .exe to a .lnk file.
You could access some stuff, but not Command Prompt, Add/Subtract, regedit was dead, the list goes on.
Apparently, final decision was to "accept" all there "registry modifications" that are NOT noted as being AVG (everything else I get is) and see what happened.
I had done 2 System Restores, and he did one.
So, we "accepted" all these, problem gone.
NO idea what it all is about.
I am a little afraid to re-load AVG.
Could not laod and execute any programs. Tried.
I have MS XP Firewall only, configured to allow AVG as they directed.
When done, ran all scans, clean, ran CWShredder, clean. Ran HiJackThis, clean (compared to saved logfiles).
What do you think?

Ad-Watch Logfile, exported on 12/19/2005
Total number of events:40
===============================================
12/19/2005 2:31:38 PM - Definitions file SE1R81 16.12.2005 loaded successfully.
BuildE1R81 16.12.2005
Total Signatures :45642
Target Families :797
Target Categories :6
CSI data Size :82552

File Size :1693319

===============================================
12/19/2005 2:31:38 PM - Internal Error : User Preference file corrupted!
To correct this error, close and relaunch Ad-Watch.

Default settings have been applied.
(All Blocking Features are active)

12/19/2005 2:31:38 PMInitialization Error (3)

===============================================
12/19/2005 2:31:38 PM - Sites file loaded.
Sites file loaded successfully.
C:\Program Files\Lavasoft\Ad-Aware SE Plus\sites.txt
Total entries : 3230

===============================================
12/19/2005 2:32:04 PM - Registry modification detected
Root:HKEY_LOCAL_MACHINE
KeyOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
Value:AppInit_DLLs
Data:
New Data:

===============================================
12/19/2005 2:33:15 PM - Registry modification detected
Root:HKEY_LOCAL_MACHINE
KeyOFTWARE\Classes\regfile\shell\open\command
Value:
Data:
New Data:regedit.exe "%1"

===============================================
12/19/2005 2:34:25 PM - Registry modification detected
Root:HKEY_LOCAL_MACHINE
KeyOFTWARE\Classes\lnkfile\CLSID
Value:
Data:
New Data:{00021401-0000-0000-C000-000000000046}

===============================================
12/19/2005 2:35:24 PM - Registry modification detected
Root:HKEY_LOCAL_MACHINE
KeyOFTWARE\Classes\exefile\shell\open\command
Value:
Data:
New Data:"%1" %*

===============================================
12/19/2005 2:35:51 PM - Registry modification detected
Root:HKEY_LOCAL_MACHINE
Keyoftware\Classes\.com
Value:
Data:
New Data:comfile

===============================================
12/19/2005 2:36:10 PM - Registry modification detected
Root:HKEY_LOCAL_MACHINE
Keyoftware\Classes\.scr
Value:
Data:
New Data:scrfile

===============================================
12/19/2005 2:36:31 PM - Registry modification detected
Root:HKEY_LOCAL_MACHINE
Keyoftware\Classes\.bat
Value:
Data:
New Data:batfile

===============================================
12/19/2005 2:36:58 PM - Registry modification detected
Root:HKEY_LOCAL_MACHINE
Keyoftware\Classes\.pif
Value:
Data:
New Data:piffile

===============================================
12/19/2005 2:37:18 PM - Registry modification detected
Root:HKEY_LOCAL_MACHINE
Keyoftware\Classes\.reg
Value:
Data:
New Data:regfile

===============================================
12/19/2005 2:37:41 PM - Registry modification detected
Root:HKEY_LOCAL_MACHINE
Keyoftware\Classes\.lnk
Value:
Data:
New Data:lnkfile

===============================================
12/19/2005 2:37:43 PM - Registry modification detected
Root:HKEY_LOCAL_MACHINE
Keyoftware\Classes\.exe
Value:
Data:
New Data:exefile

===============================================
12/19/2005 2:37:43 PM - Registry modification detected
Root:HKEY_LOCAL_MACHINE
Keyoftware\Microsoft\Windows\CurrentVersion\Run
Value:AWMON
Data:
New Data:"C:\Program Files\Lavasoft\Ad-Aware SE Plus\Ad-Watch.exe"

===============================================
12/19/2005 2:37:43 PM - Registry modification detected
Root:HKEY_CURRENT_USER
Keyoftware\Microsoft\Windows\CurrentVersion\Run
Valuepyware Doctor
Data:
New Data:"C:\Program Files\Spyware Doctor\swdoctor.exe" /Q

===============================================
12/19/2005 2:37:44 PM - Registry modification detected
Root:HKEY_LOCAL_MACHINE
Keyoftware\Microsoft\Internet Explorer\SearchUrl
Value:
Data:
New Data:

===============================================
12/19/2005 2:37:48 PM - Registry modification detected
Root:HKEY_LOCAL_MACHINE
Keyoftware\Microsoft\Internet Explorer\Search
ValueearchAssistant
Data:
New Datawww.google.com]

===============================================
12/19/2005 2:37:48 PM - Registry modification detected
Root:HKEY_LOCAL_MACHINE
Keyoftware\Microsoft\Internet Explorer\Main
Valueefault_Page_URL
Data:
New Datawww.microsoft.com]

===============================================
12/19/2005 2:37:50 PM - Registry modification detected
Root:HKEY_CURRENT_USER
Keyoftware\Microsoft\Internet Explorer\Toolbar\Webbrowser
Value:{01E04581-4EEE-11D0-BFE9-00AA005B4383}
Data:
New Data:

===============================================
12/19/2005 2:37:51 PM - Registry modification detected
Root:HKEY_CURRENT_USER
Keyoftware\Microsoft\Internet Explorer\SearchUrl
Value:provider
Data:
New Data:gogl

===============================================
12/19/2005 2:37:52 PM - Registry modification detected
Root:HKEY_CURRENT_USER
Keyoftware\Microsoft\Internet Explorer\Search
Valueefault_Search_URL
Data:
New Datawww.google.com]

===============================================
12/19/2005 2:37:52 PM - Registry modification detected
Root:HKEY_LOCAL_MACHINE
Keyoftware\Classes\.exe
Value:Content Type
Data:
New Data:application/x-msdownload

===============================================
12/19/2005 2:37:53 PM - Tracking cookie blocked.
Name: Cookie:dave@ads.pointroll.com/
Size: 493 Bytes.
Hits: 7
UseCount: 0
Expires: 12/31/2009 4:00:00 PM

Last Sync Time: 12/19/2005 1:43:18 PM

===============================================
12/19/2005 2:37:53 PM - Tracking cookie blocked.
Name: Cookie:dave@edge.ru4.com/
Size: 714 Bytes.
Hits: 3
UseCount: 0
Expires: 12/12/2035 1:43:02 PM

Last Sync Time: 12/19/2005 1:43:12 PM

===============================================
12/19/2005 2:37:53 PM - Tracking cookie blocked.
Name: Cookie:dave@questionmarket.com/
Size: 223 Bytes.
Hits: 2
UseCount: 0
Expires: 2/9/2007 5:43:10 AM

Last Sync Time: 12/19/2005 1:43:20 PM

===============================================
12/19/2005 2:37:53 PM - Registry modification detected
Root:HKEY_LOCAL_MACHINE
Keyoftware\Microsoft\Windows\CurrentVersion\Run
Value:gcasServ
Data:
New Data:"C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"

===============================================
12/19/2005 2:37:53 PM - Registry modification detected
Root:HKEY_LOCAL_MACHINE
Keyoftware\Microsoft\Internet Explorer\Search
Value:CustomizeSearch
Data:
New Data:[ie.search.msn.com]{SUB_RFC1766}/srchasst/srchcust.htm

===============================================
12/19/2005 2:37:54 PM - Registry modification detected
Root:HKEY_LOCAL_MACHINE
Keyoftware\Microsoft\Internet Explorer\Main
Value:Local Page
Data:
New Data:C:\WINDOWS\SYSTEM32\blank.htm

===============================================
12/19/2005 2:37:54 PM - Registry modification detected
Root:HKEY_CURRENT_USER
Keyoftware\Microsoft\Internet Explorer\Toolbar\Webbrowser
Value:{0E5CBF21-D15F-11D0-8301-00AA005B4383}
Data:
New Data:

===============================================
12/19/2005 2:37:55 PM - Registry modification detected
Root:HKEY_CURRENT_USER
Keyoftware\Microsoft\Internet Explorer\SearchUrl
Value:
Data:
New Datawww.google.com]

===============================================
12/19/2005 2:37:55 PM - Registry modification detected
Root:HKEY_CURRENT_USER
Keyoftware\Microsoft\Internet Explorer\Toolbar\Webbrowser
Value:{2318C2B1-4965-11D4-9B18-009027A5CD4F}
Data:
New Data:

===============================================
12/19/2005 2:37:56 PM - Registry modification detected
Root:HKEY_LOCAL_MACHINE
Keyoftware\Microsoft\Internet Explorer\Main
Valuetart Page
Data:
New Datawww.msn.com]

===============================================
12/19/2005 2:37:56 PM - Registry modification detected
Root:HKEY_LOCAL_MACHINE
Keyoftware\Microsoft\Windows\CurrentVersion\Run
Value:AVG7_CC
Data:
New Data:C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP

===============================================
12/19/2005 2:37:57 PM - Registry modification detected
Root:HKEY_CURRENT_USER
Keyoftware\Microsoft\Internet Explorer\Toolbar\Webbrowser
Value:{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6}
Data:
New Data:

===============================================
12/19/2005 2:37:57 PM - Registry modification detected
Root:HKEY_CURRENT_USER
Keyoftware\Microsoft\Internet Explorer\Toolbar\Webbrowser
Value:ITBarLayout
Data:
New Data:

===============================================
12/19/2005 2:37:58 PM - Registry modification detected
Root:HKEY_CURRENT_USER
Keyoftware\Microsoft\Internet Explorer\Toolbar\Webbrowser
Value:{C4069E3A-68F1-403E-B40E-20066696354B}
Data:
New Data:

===============================================
12/19/2005 2:37:59 PM - Registry modification detected
Root:HKEY_CURRENT_USER
Keyoftware\Microsoft\Internet Explorer\Main
Value:Local Page
Data:
New Data:C:\WINDOWS\system32\blank.htm

===============================================
12/19/2005 2:37:59 PM - Registry modification detected
Root:HKEY_CURRENT_USER
Keyoftware\Microsoft\Internet Explorer\Main
Valuetart Page
Data:
New Datawww.bachmanntrains.com]

===============================================
12/19/2005 2:38:00 PM - Registry modification detected
Root:HKEY_CURRENT_USER
Keyoftware\Microsoft\Internet Explorer\Main
Valueearch Page
Data:
New Datawww.google.com]

===============================================

Please note, at no point does any of this say it's from "AVG", so Registry Modifications are blocked BY ME.

I ran a Spyware Doctor scan, clean.
Ran an AVG scan, clean, but computer for all intents and purposes is inop.

- Collapse -

Scary Stuff! I Can't Say I've Seen Either. Feels Like .....

by tobeach Dec 19, 2005 4:28PM PST

a take-over attempt on the computer to turn it into a zombie.
I wonder about any unpatched exploit holes.
Are U using Sun Java? MSs' is full of holes !!
I would go to Sheilds Up at GRC and run all entry tests for browser leak & all ports & anytthing else they offer.
Use Link below, click their "home" button and scan about 1/2 page down. Click Leak Test (for firewall) & Sheilds Up after. Additionally check there about disabling Net-Bios, Network Pinter Sharing & Universal Plug & Play. GRC Here:
http://www.grc.com/x/ne.dll?rh1dkyd2

Just a feeling, but OE has a backchannel messenger entrance as well as Messenger itself. These can both be blocked by 2 add-ons in download at Lavasoft. While there get VX2 scanner add-on.
Clearly IT attacked AVG and AdWatch and much more.
When I went to Cable, I got a router just to have a Hardware Firewall plus my software one( for one machine, later 2).
I don't know it's AVGs fault. I would fear it is compromised and would probably download and install a clean copy plus updates.
Spybot's Tea Timer function (Advanced mode>tools>resident) prevents un-athorized changes to main system settings without your permission for each occassion and MAY have prevented some of this.
Thanks for posting back with info and results. Glad it's fixed, wish I could tell,for sure, how it got in.
Be sure to create some NEW restore points with first one Clearly Marked Post Disaster! Good Luck !!

- Collapse -

VERY strange indeed.

by NWRCS Dec 20, 2005 12:36AM PST

Ran AdAware last night, got about 5 more "accept/decline".
I did re-install AVG earlier.
1430 local will be the telling point on AVG.

Now I gotta think and see if I can remember how to add "Grisoft" into AdAware and AdWatch.

I'll look into those things.

What really bothers me is NOTHING sees anything wrong.
SpyBot, Spyware Doctor, MS Giant Anti-Spyware, AVG, nothing.

- Collapse -

NWRCS, It Act's Similar To SWEN

by Grif Thomas Former Forum moderator Dec 20, 2005 2:09AM PST

See the links below to Symantec's and McAfee's write up about the SWEN worm..

http://securityresponse.symantec.com/avcenter/venc/data/w32.swen.a@mm.html

http://vil.nai.com/vil/content/v_100662.htm

You'll note it has the ability to spread over network shares, P2P software, IRC, etc. and it doesn't need to be a mail message which is opened..It does have the ability to change the registry entries you have listed.

You might try downloading the McAfee Stinger tool, then run a scan with it and see if it detects anything.

http://vil.nai.com/vil/stinger/

Hope this helps.

Grif

- Collapse -

Results

by NWRCS Dec 20, 2005 3:51AM PST

Ran ''Stinger'', came up with nothing.

- Collapse -

It's A Long Shot but....How about a Rootkit Search? There's

by tobeach Dec 20, 2005 4:37AM PST

a free Rootkit revealer available as a beta version from F-Secure. I & my daughter have both used on XPPro with no problems. Luckily nothing found. Available here:
http://www.europe.f-secure.com/exclude/blacklight/index.shtml
Free until March/06 now. Worth a try?

- Collapse -

Scan complete

by NWRCS Dec 20, 2005 7:11AM PST

No items found with Blacklight Beta from F-secure.

- Collapse -

Thanks 4 Posting Back! I'm Out of Guesses, Time to Crawl ..

by tobeach Dec 20, 2005 3:38PM PST

back to my cave!! (It's snowing heavily, must be hibernation time!)Best of Luck!

- Collapse -

Hey, no problem.

by NWRCS Dec 21, 2005 1:50AM PST

Once we "accepted" all these Registry Modifications, it has functioned flawlessly, and no more issues.
Every scan I can think of and anybody else can think of come up empty.

It's a real head scratcher.

Still convinced it's AVG doing something with an update and AdWatch catching it, but AVG didn't tell us the "new data" was grisoft.

I'm just watching it closely.

Thanks.

CNET Forums

Other Forums

Forum Info