
User.dat

Discussion in 'Legacy Windows' started by Anexanhume, 2004/07/24.

Thread Status:
Not open for further replies.
  1. 2004/07/24
    Anexanhume

    Anexanhume Inactive Thread Starter

    Joined:
    2004/07/24
    Messages:
    7
    Likes Received:
    0
    I've been helping my gf try to recover her computer from trojans and a badurl.grandstreetinteractive spyware. We had read that there would be some information about the spyware in the USER.DAT file, and so she wanted to go in and delete it. I thought it would be fine, because I had her copy it first and simply rename the original. I figured if we had a problem, we could restore the old one. Well, it comes back up, and it's initiated the default USER.DAT file. What's worse is that the other two (the copied one and the altered one) are nowhere to be found. I thought about using a bootdisk and running some DOS stuff, but after searching for them forever, I'm really at a loss as to how to recover them. Any info on the aforementioned spyware and the trojan-gen virus that resides in the _Restore would be helpful.
     
  2. 2004/07/24
    LDTate

    LDTate Inactive

    Joined:
    2004/06/29
    Messages:
    284
    Likes Received:
    0
    Welcome Anexanhume

    Can you tell us what OS she's using? Like XP, W98 etc. Also does she have the OS boot CD / disk?
     


  4. 2004/07/24
    Anexanhume

    Anexanhume Inactive Thread Starter

    Joined:
    2004/07/24
    Messages:
    7
    Likes Received:
    0
    I was under the impression this is the Windows ME forum. That's what OS she is using, and as far as boot disks go, she's got an E-machine with restore disks. I downloaded two boot disks from bootdisks.com to a cd-r and am ready to transfer to a floppy in case we need to do that. It's really odd because we cannot find any USER.DAT files anywhere when we're allowing the computer to search for hidden files and the whole bit. The only thing that I can imagine is that by changing the files, we made the computer wipe out the contents of that folder to begin with, in which case they are both lost. Otherwise, both files should be floating around somewhere, or at least the original that we renamed (to user1.dat).
     
  5. 2004/07/24
    LDTate

    LDTate Inactive

    Joined:
    2004/06/29
    Messages:
    284
    Likes Received:
    0
    You are correct, thought I was still in the security thread :eek:
    Did you do a search just using user as the file?
    I'm sure this will just be the beginning of a fix for her. The viruses and such will need to be fixed. Someone that knows WME will help you with the boot / restore issues.
     
  6. 2004/07/24
    Steve R Jones

    Steve R Jones SuperGeek Staff

    Joined:
    2001/12/30
    Messages:
    12,317
    Likes Received:
    252
    To edit the user.dat file and remove harmful entries, click on start->run and type REGEDIT since it's the second half of the registry...
     
  7. 2004/07/24
    Anexanhume

    Anexanhume Inactive Thread Starter

    Joined:
    2004/07/24
    Messages:
    7
    Likes Received:
    0
    We've searched user, user1, files of type dat, etc.

    As far as the trojan-gen goes, avast couldn't touch it because it's in the _Restore folder, so we'll have to take steps to get rid of that. badurl.grandstreetinteractive continually tries to get IE to visit that address, and you are unable to do anything else. I read where it was linked to a certain spyware site, but apparently it may not do exactly what it is supposed to. We ran ad-aware over it before we messed with the user.dat and ad-aware didn't seem to help much.
     
  8. 2004/07/24
    Anexanhume

    Anexanhume Inactive Thread Starter

    Joined:
    2004/07/24
    Messages:
    7
    Likes Received:
    0

    Unfortunately, we were not so scrupulous our first time. We need to first find the file before we can eliminate any of it. I've also read of people encountering problems when they initially try to relocate the file they want to become the user.dat file.
     
  9. 2004/07/24
    LDTate

    LDTate Inactive

    Joined:
    2004/06/29
    Messages:
    284
    Likes Received:
    0
    Steve R Jones, Does ME have a restore point? Would that get the User.dat file back.
     
  10. 2004/07/24
    Anexanhume

    Anexanhume Inactive Thread Starter

    Joined:
    2004/07/24
    Messages:
    7
    Likes Received:
    0
    ME has restore, but it is not functioning. If I had to guess, the aforementioned trojan is somewhat to blame. In any event, we have no restore points, nor can we make any.
     
  11. 2004/07/24
    LDTate

    LDTate Inactive

    Joined:
    2004/06/29
    Messages:
    284
    Likes Received:
    0
    Download HijackThis from the link in my signature. It's a zip file that will fit on a floppy. On your GF's PC, copy and save it to a permanent folder (I create a new folder in C:\ named HJT). Unzip, open and hit scan, then save log. Once it is saved it will open in Notepad. Select all from the Edit button, copy and paste the results to a floppy and post it here. Don't fix anything with it yet! Someone experienced with the logs will advise you.
     
  12. 2004/07/24
    Anexanhume

    Anexanhume Inactive Thread Starter

    Joined:
    2004/07/24
    Messages:
    7
    Likes Received:
    0
    I will do that, but I will most likely have to unzip it prior to putting it on her pc. I don't believe she has an unzipper, and even if she did, I don't know how reliable anything is at this point.
     
  13. 2004/07/24
    charlesvar

    charlesvar Inactive Alumni

    Joined:
    2002/02/18
    Messages:
    7,024
    Likes Received:
    0
    Hello Anexanhume,

    To turn SR completely off and have the restore file deleted by the system:

    From the Control Panel > System > Performance tab > File System - there, move the slider left to zero and reboot.

    After resolving the infection, turn it back on by moving the slider to the right to whatever desired size.

    Regards - Charles
     
  14. 2004/07/26
    Anexanhume

    Anexanhume Inactive Thread Starter

    Joined:
    2004/07/24
    Messages:
    7
    Likes Received:
    0
    I'm just writing to thank you all for your help. The files were recovered by going into scanregw. The system detected that it had no validation, so it reverted back to the old settings. As for the grandstreetinteractive spyware, we located and deleted the key in the registry, and now the computer is going to a professional to be fixed. So, it's out of our hands.
     
  15. 2004/09/25
    whale

    whale Inactive

    Joined:
    2004/09/25
    Messages:
    2
    Likes Received:
    0
    I have the same problem.
    Every time I start IE6, I'm being directed to the site: http://a-search.biz/?wmid=1010

    I've done all you asked for and that's the HIJACK-THIS logfile:

    Logfile of HijackThis v1.97.7
    Scan saved at 17:04:59, on 25/09/2004
    Platform: Windows ME (Win9x 4.90.3000)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\MSTASK.EXE
    C:\WINDOWS\SYSTEM\SSDPSRV.EXE
    C:\WINDOWS\SYSTEM\MDM.EXE
    C:\WINDOWS\SYSTEM\SSAMEMLA.EXE
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\SYSTEM\INTERNAT.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
    C:\WINDOWS\TASKMON.EXE
    C:\WINDOWS\SYSTEM\WMIEXE.EXE
    C:\WINDOWS\SYSTEM\HIDSERV.EXE
    E:\PROGRAM FILES\NORTON ANTIVIRUS\NAVAPW32.EXE
    C:\WINDOWS\LOADQM.EXE
    E:\PROGRAM FILES\SPYBOT - SEARCH & DESTROY\TEATIMER.EXE
    C:\WINDOWS\SYSTEM\PSTORES.EXE
    C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE
    C:\WINDOWS\SYSTEM\DDHELP.EXE
    C:\WINDOWS\SYSTEM\WINOA386.MOD
    C:\WINDOWS\SYSTEM\SPOOL32.EXE
    C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
    F:\EXTRACT\PROGRAMS\SECURITY\HIJACKTHIS.EXE

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.com/0SEENUS/SAOS01
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy.barak.net.il:8080
    O2 - BHO: (no name) - {BDF3E430-B101-42AD-A544-FADC6B084872} - E:\Program Files\Norton AntiVirus\NavShExt.dll
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - E:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
    O2 - BHO: (no name) - {00320615-B6C2-40A6-8F99-F1C52D674FAD} - C:\WINDOWS\LOCALNRD.DLL
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - E:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
    O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - E:\Program Files\Norton AntiVirus\NavShExt.dll
    O4 - HKLM\..\Run: [internat.exe] internat.exe
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
    O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
    O4 - HKLM\..\Run: [PCHealth] C:\WINDOWS\PCHealth\Support\PCHSchd.exe -s
    O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\Run: [Hidserv] Hidserv.exe run
    O4 - HKLM\..\Run: [NAV Agent] E:\PROGRA~1\NORTON~1\NAVAPW32.EXE
    O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMANTEC\LIVEUP~1\SNDMON.EXE
    O4 - HKLM\..\Run: [LoadQM] loadqm.exe
    O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
    O4 - HKLM\..\RunServices: [SSDPSRV] C:\WINDOWS\SYSTEM\ssdpsrv.exe
    O4 - HKLM\..\RunServices: [*StateMgr] C:\WINDOWS\System\Restore\StateMgr.exe
    O4 - HKLM\..\RunServices: [ScriptBlocking] "C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe" -reg
    O4 - HKLM\..\RunServices: [Machine Debug Manager] C:\WINDOWS\SYSTEM\MDM.EXE
    O4 - HKLM\..\RunServices: [xx DNSCache ys 25.9.2004] C:\WINDOWS\SYSTEM\SSAMEMLA.exe
    O4 - HKLM\..\RunServices: [DNSCache] C:\WINDOWS\SYSTEM\SSAMEMLA.exe
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] e:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    O4 - HKCU\..\RunOnce: [ICQ Lite] E:\PROGRAM FILES\ICQLITE\ICQLITE.EXE -trayboot
    O4 - Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O9 - Extra button: ICQ Lite (HKLM)
    O9 - Extra 'Tools' menuitem: ICQ Lite (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
    O9 - Extra button: Related (HKLM)
    O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
    O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {94D2A476-84BC-4E4C-820A-2C5372CF89BF} -
    O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} -
    O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) -
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) -
    O17 - HKLM\System\CCS\Services\VxD\MSTCP: NameServer = 192.168.1.1


    Can you help me?
     
  16. 2004/09/25
    markp62

    markp62 Geek Member Alumni

    Joined:
    2002/05/01
    Messages:
    4,012
    Likes Received:
    16
    Remove these with HJT.
    O2 - BHO: (no name) - {00320615-B6C2-40A6-8F99-F1C52D674FAD} - C:\WINDOWS\LOCALNRD.DLL
    O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
    O4 - HKLM\..\Run: [LoadQM] loadqm.exe

    O4 - HKLM\..\RunServices: [xx DNSCache ys 25.9.2004] C:\WINDOWS\SYSTEM\SSAMEMLA.exe
    O4 - HKLM\..\RunServices: [DNSCache] C:\WINDOWS\SYSTEM\SSAMEMLA.exe
    O16 - DPF: {94D2A476-84BC-4E4C-820A-2C5372CF89BF} -
    O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} -
    O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) -
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) -

    The items in green are optional, they aren't needed to be running.
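    The advice above boils down to reading HijackThis log lines and spotting entries that look out of place. The following is an added example written for this thread, not code from HijackThis or from any poster: a small parser for the O2/O4/O16 line formats quoted in the log, plus a triage pass that applies three defender-side heuristics visible in markp62's reply. The sample log is a constructed subset of whale's posted log; the heuristics (a DPF entry with no download URL, one executable registered under several autorun names, a nameless BHO loaded straight from the Windows directory) are my assumptions about what makes an entry worth a closer look, not HijackThis's own rules.

```python
import re
from collections import defaultdict

# Constructed sample: a subset of the HijackThis v1.97.7 log quoted earlier in this thread.
SAMPLE_LOG = r"""
Logfile of HijackThis v1.97.7
Platform: Windows ME (Win9x 4.90.3000)

O2 - BHO: (no name) - {BDF3E430-B101-42AD-A544-FADC6B084872} - E:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {00320615-B6C2-40A6-8F99-F1C52D674FAD} - C:\WINDOWS\LOCALNRD.DLL
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - E:\PROGRA~1\SPYBOT~1\SDHELPER.DLL
O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
O4 - HKLM\..\RunServices: [Machine Debug Manager] C:\WINDOWS\SYSTEM\MDM.EXE
O4 - HKLM\..\RunServices: [xx DNSCache ys 25.9.2004] C:\WINDOWS\SYSTEM\SSAMEMLA.exe
O4 - HKLM\..\RunServices: [DNSCache] C:\WINDOWS\SYSTEM\SSAMEMLA.exe
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {94D2A476-84BC-4E4C-820A-2C5372CF89BF} -
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) -
"""

# Line formats as they appear in the log: browser helper objects (O2),
# autorun registry entries (O4) and Downloaded Program Files / ActiveX (O16).
RE_O2 = re.compile(r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-F-]+\}) - (?P<path>.+)$")
RE_O4 = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
RE_O16 = re.compile(r"^O16 - DPF: (?P<clsid>\{[0-9A-F-]+\})(?: \((?P<name>[^)]*)\))? -\s*(?P<url>\S*)$")


def parse_log(text):
    """Turn the recognised O2/O4/O16 lines into dicts; other lines are skipped."""
    records = []
    for raw in text.splitlines():
        line = raw.strip()
        for section, pattern in (("O2", RE_O2), ("O4", RE_O4), ("O16", RE_O16)):
            m = pattern.match(line)
            if m:
                records.append({"section": section, **m.groupdict()})
                break
    return records


def exe_basename(cmd):
    """Lower-cased file name of the program an autorun command launches (quoted or not)."""
    m = re.match(r'^"([^"]+)"|^(\S+)', cmd)
    token = m.group(1) or m.group(2)
    return token.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def triage(records):
    """Apply three heuristics (assumptions, not HijackThis rules) and return (reason, detail) pairs."""
    findings = []
    # 1. An ActiveX control with no download URL cannot be traced back to a publisher.
    for r in records:
        if r["section"] == "O16" and not r["url"]:
            findings.append(("O16-no-url", r["clsid"]))
    # 2. The same executable registered under several autorun names is a persistence pattern
    #    (here SSAMEMLA.exe appears twice under HKLM\..\RunServices).
    by_exe = defaultdict(list)
    for r in records:
        if r["section"] == "O4":
            by_exe[exe_basename(r["cmd"])].append(r["name"])
    for exe, names in by_exe.items():
        if len(names) > 1:
            findings.append(("O4-duplicate-exe", exe))
    # 3. A nameless BHO sitting directly in the Windows folder rather than an install directory.
    for r in records:
        if r["section"] == "O2" and r["name"] == "(no name)" and re.match(r"(?i)^[a-z]:\\windows\\[^\\]+$", r["path"]):
            findings.append(("O2-bho-in-windows-root", r["path"]))
    return findings


if __name__ == "__main__":
    for reason, detail in triage(parse_log(SAMPLE_LOG)):
        print(f"{reason:24} {detail}")
```

    Run against the constructed sample, the triage pass flags the two URL-less DPF entries, the doubly registered SSAMEMLA.exe and C:\WINDOWS\LOCALNRD.DLL, which matches what markp62 singled out; the Norton and Spybot entries pass untouched. Flagged entries are candidates for a closer look (hash, publisher, file date), not an automatic fix list.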
     
  17. 2004/09/27
    whale

    whale Inactive

    Joined:
    2004/09/25
    Messages:
    2
    Likes Received:
    0
    Thanks.
    Actually, I d/l an antivirus that eliminates that TROJAN (the AV is MWAV.exe).

    However, why should I eliminate those lines?
    Isn't loadqm important for Windows?
     
  18. 2004/09/27
    markp62

    markp62 Geek Member Alumni

    Joined:
    2002/05/01
    Messages:
    4,012
    Likes Received:
    16
    No, it really is just a resource hog.
    Some pages on this
    Taskmon monitors what programs you use, and when you defrag it reorders your hard drive so that they can start slightly faster. Saves you about 3 microseconds on today's faster computers and drives. Whoopee! If you do decide to eliminate all effects of this and disable Taskmon, delete everything in the C:\Windows\Applog folder.
     