Solved

Desktop and profile hijacked

Posted on 2005-03-30
49
Medium Priority
669 Views
Last Modified: 2013-12-04
This machine is running Windows XP Home, Service Pack 1, with all patches applied. The desktop has been hijacked and replaced by a desktop.html that lives in the Windows folder. I have run (in this order) Spybot 1.3 updated, Ad-Aware updated, A2 updated, Spy Sweeper updated, Microsoft AntiSpyware updated, CWShredder, and the HouseCall online scan. They all now say that my computer is clean. On the next reboot, the desktop gets hijacked again. I have deleted the desktop.html; it just makes the picture go away. The desktop is still locked. No right click. When I go into Control Panel > Display > Customize > Web, nothing is checked. The only thing in there is "My Home Page", but it is not checked. If I check it, I get my home page on top of the hijacked picture. I cannot change the theme or the background picture. It will not let me select anything. And on the next reboot the desktop.html comes back. It is a RED screen with an anti-spyware ad in it. I created a new profile and after 2 reboots the problem came to that profile as well.

  This is day 4 of trying to figure this one out.  Any help would be great.
Question by:sredmond
49 Comments
 
LVL 12

Accepted Solution

by:
rossfingal earned 1600 total points
ID: 13666544
Hi!

Download HijackThis from:
http://www.gatesofdelirium.com/ee/tools/ 
Install it into a folder of its own -
With all browser windows closed, run it and
copy and paste your log file into the Automatic Analysis site at:
http://www.hijackthis.de/en
Then post a LINK to your log back here.
We'll look at it.

RF
0
 
LVL 3

Author Comment

by:sredmond
ID: 13672171
0
 
LVL 12

Expert Comment

by:rossfingal
ID: 13672431
Hi!

Ooops!  You posted the wrong LINK.
Copy and paste your HJT log into the textbox area at http://www.hijackthis.de/index.php#anl 
Then below the textbox click the "Analyze" button
After the analysis is done and it's displayed
Click on "Save Analysis"
A page will be displayed with your saved analysis
Post a LINK to that page back here.

RF
0
 
LVL 3

Author Comment

by:sredmond
ID: 13672481
hi,
  OOoops, http://www.hijackthis.de/logfiles/55f7053bd8b104c26f70899178a42b50.html

     That might work a little better.  FYI - I have already deleted the open32 several times and it keeps coming back almost instantly.

  Thanks again.

sr
0
 
LVL 12

Assisted Solution

by:rossfingal
rossfingal earned 1600 total points
ID: 13673371
Hi!

Start Task Manager - in the list of running processes look for these:
C:\WINDOWS\System32\open32.exe
If it's listed: kill it.
Search your entire computer for any instances of it and
delete any that you find.
Make sure you check the "dllcache" and "Prefetch" folders.

Is this (Flk.exe) related to a program called "Fake Links Killer"  -  C:\WINDOWS\Flk.exe
Did you install it?
Also, check the properties of these 2 files (manufacturer):
C:\WINDOWS\Jni.exe
O4 - Startup: winupdate83654910[1].exe

Run HijackThis and have it fix the following entries:
C:\WINDOWS\System32\open32.exe
O4 - HKLM\..\Run: [Shell] open32.exe

Clean out all your "temp" files:

# C:\Windows\Temp - delete ALL of the CONTENTS of the folder - Not the "temp" folder itself!
# C:\Documents and Settings\<Your Profile>\Local Settings\Temporary Internet Files (all contents)
  <=This will delete all your cached internet content including cookies.
  This is recommended and strongly suggested!
    However, if you delete all your cookies - this can affect your stored Internet passwords
    and your ability to logon automatically to various sites.
    So, consider deleting all your cookies - optional
# C:\Documents and Settings\<Your Profile>\Local Settings\Temp (all contents)
# C:\Documents and Settings\<Any other users Profile>\Local Settings\Temporary Internet Files (all contents)
# C:\Documents and Settings\<Any other users Profile>\Local Settings\Temp (all contents)

Empty your "Recycle Bin".

Reboot your computer
With all browser windows closed run HijackThis again and check the log file to see if this is listed:
C:\WINDOWS\System32\open32.exe
You don't have to post a new HJT log - just let me know if it's listed.

RF
0
 
LVL 3

Author Comment

by:sredmond
ID: 13674809
Yes, it is listed, and more. There are now many "trusted" sites in the HijackThis log, and open32 is back.  http://www.hijackthis.de/logfiles/16663026c34e2c97671c0280c80fd3ff.html is my new log file.

  Any other ideas? I am fresh out myself.

  sr
0
 
LVL 12

Expert Comment

by:rossfingal
ID: 13675234
Hi!

Did you check the properties on the 2 files above?
What were they?

From my previous post - did you find any of those processes running in Task Manager;
and were you able to kill them?

RF

(ps. Not out of ideas yet!)  :)
0
 
LVL 3

Author Comment

by:sredmond
ID: 13675473
Sorry,
 I am unable to check the properties of anything. I cannot right-click on anything unless I am in Internet Explorer, and if I go to the File > Properties menu nothing happens.

 Open32 starts and stops so quickly in Task Manager that I don't know how to stop it. It only flashes so fast that only sometimes can you tell what the process is.

Some temp files in the temp folder in the profile could not be deleted, but all the temporary internet files and the Windows temp are empty. I cleared all of the offline content and deleted all cookies.
0
 
LVL 12

Assisted Solution

by:rossfingal
rossfingal earned 1600 total points
ID: 13676026
OK

Sometimes these things don't like to be "played with"!  :)

Download the following utilities (they're free):
DLLCompare from Lobo's site -  
http://www.gatesofdelirium.com/ee/tools/

Killbox (Pocket Killbox) from -
http://www.subratam.org/main/index.php?option=com_content&task=view&id=19&Itemid=41

Install DLLCompare to its own folder.
Run DLLCompare (let's see if you have something hiding!)
In the main window; put a check-mark in the "Include Subdirectories" box
The default location in the text-box window to the right of the "Run Locate.com" button should be:
C:\WINDOWS\System32
*.dll should be showing in the text-box window next to it
Click on the "Run Locate.com" button

It will start scanning - this may take a little while.

After the scan is complete -
Click on the "Compare" button
 
When that completes -
Click on the "The make a log of what was found" button

Copy and paste that log back here.

RF
0
 
LVL 12

Expert Comment

by:rossfingal
ID: 13676194
For the right-click problem - try this
Click on "Start" - click on "Run" - and type "regedit" (without the quotes)
Navigate to the following keys (back them up before you edit them):

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
In the right pane, double-click NoViewContextMenu and set it to 0 if it exists.

Then - do the same thing in this key:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer

See if this helps.

RF
0
 
LVL 12

Expert Comment

by:rossfingal
ID: 13676251
Here's some info concerning the problem with your Desktop background:
(Note: check the profiles for all users)
You might want to see if that "desktop.html" file is in any of them.

For the Display Properties Background tab, Windows XP fetches the image files from the following locations:

BMP Files from %Systemroot%

BMP, JPG, GIF, JPE, DIB, PNG, HTM files from the following locations:

    %Systemroot%\Web\Wallpaper
    %USERPROFILE%\My Documents\My Pictures (& sub-folders)
    %AppData%\Microsoft\Internet Explorer
    %ProgramFiles%\Plus!\Themes (& sub-folders)

If you want to clear a file from that list, move the file away from the above locations. Type the above paths in Start, Run dialog.

NOTE: Windows XP ignores folders which contain a lot of image files. [Thanks to David Candy for this information].

RF
0
 
LVL 4

Expert Comment

by:bkinsey
ID: 13677240
FWIW, some of the nastier malware apps kill and/or replace things like regedit, so you may not be able to use it.  Another technique is linked processes, DLL's, and registry keys, with the DLL reloading the process and recreating the reg keys as fast as you can manually kill them.  And, with the behavior you describe for open32.exe, I suspect it's corrupted Task Manager, and is hiding itself.  (Also ukh.exe, if it doesn't show in task manager).

I think what you're dealing with is 'Horseserver', which I've not seen in person, but has a pretty nasty reputation. Among other things, it allegedly includes a keylogger.

Here: http://forums.spywareinfo.com/lofiversion/index.php/t43065.html (bottom of page) is a discussion with tools and steps that may help with this particular malware.  A specific cleanup tool for a specific malware is usually the easiest way to clean it up, although, like I said, I've never seen this one, and so can't comment on the effectiveness of the tool.

If that doesn't work, some additional tools I find helpful in dealing with this kind of stuff in general include PsTools (pslist and pskill provide an alternative to Task Manager when it's been compromised), Handle (lets you see what other files and DLLs a nasty process is accessing), FileMon and RegMon (let you view all filesystem and/or registry reads and writes as they happen), all free utilities from www.sysinternals.com.

Questions:

Can you use regedit?  If so, have you been able to delete any of the keys ross has pointed out?

Can you kill the ukh.exe process?  Does it come back?

Do you have another system you can access the internet from, so you can isolate the infected one from the net?
0
 
LVL 3

Author Comment

by:sredmond
ID: 13680841
Hi again,
    DLLCompare won't run. I get an error that C:\windows\system32\autoexec.nt is not suitable for running MS-DOS and Microsoft Windows applications.

    I can still run regedit. I made the changes listed. The deleted reg keys come back after reboot, and I lose my right-click context menu.  Although if I make the changes suggested and just close all Explorer windows and reopen them, I have my right click until I reboot.

   The infected computer is off-line and I have other ways of getting files to and from it.
   
0
 
LVL 12

Expert Comment

by:rossfingal
ID: 13680970
Hi!

This will fix that error for autoexec.nt -

http://www.visualtour.com/downloads/xp_fix.exe

That message means that your autoexec.nt or config.nt files are missing and/or corrupted.

RF
0
 
LVL 3

Author Comment

by:sredmond
ID: 13681074
Hi,
 Yep that worked. here is the log file from dll compare.
*    DLLCompare Log version(1.0.0.125)
Files Found that Windows does not See or cannot Access
*Not everything listed here means you are infected!
________________________________________________

C:\WINDOWS\SYSTEM32\msvcp60.dll    Thu Aug 29 2002   5:41:08a  A.SH.        401,462   392.05 K
C:\WINDOWS\SYSTEM32\DLLCACHE\msvcp60.dll    Thu Aug 29 2002   5:41:08a  A.S..        401,462   392.05 K
________________________________________________

1,675 items found:  1,675 files (2 H/S), 0 directories.
Total of file sizes:  372,161,751 bytes    354.92 M

Administrator Account =  True

--------------------End log---------------------
0
 
LVL 12

Expert Comment

by:rossfingal
ID: 13681489
That's a valid windows file - it's part of the C++ Runtime library.

Download this tool - HSFix:
http://www.atribune.org/downloads/HSFix.zip

You say you've rebooted - run HijackThis again and post a LINK to
a new log file.

Also, make sure you have "Show all Files and Folders", including hidden and system enabled.

RF
0
 
LVL 12

Expert Comment

by:rossfingal
ID: 13682409
Download: DelDomains.inf
http://mvps.org/winhelp2002/DelDomains.inf
To use: Close all open browsers
Right-click DelDomains.inf and select: Install
Note: this will remove all entries in the Trusted Zone and Restricted Zone.
Do not run it yet.

Reboot your computer into "Safe" mode
Run the "HSFix" tool
Post the log file it generates back here.

Then run DelDomains.inf

Clean out your temp files
Empty the Recycle Bin

Then reboot into "Normal" mode
Run HJT again and post a LINK to the HJT log.

By the way - do you have "System Restore" enabled?

Good luck!

RF
0
 
LVL 3

Author Comment

by:sredmond
ID: 13682926
I will update as soon as I can run all of that.

 System Restore is off.
0
 
LVL 3

Author Comment

by:sredmond
ID: 13682990
BTW
 I am at work, and I am the only help desk support for 62 users. The computer we are working on is the CEO's personal computer from home. I really appreciate all the help, and I don't mean to take so long to get back to you, but actual work sometimes gets in the way of fixing personal computers. : )
0
 
LVL 12

Expert Comment

by:rossfingal
ID: 13683251
Hi!

No problem!  :)

Take your time!

Good luck!

RF
0
 
LVL 4

Expert Comment

by:bkinsey
ID: 13683295
It's always the CEO, isn't it?  Why is that, do you think? :-)
0
 
LVL 12

Expert Comment

by:rossfingal
ID: 13683404
He, He, He!!   :)
No comment!
0
 
LVL 3

Author Comment

by:sredmond
ID: 13683463
Wow,
  I hate to sound like a NEWBIE, but how am I supposed to run the DelDomains.inf? I selected it and went File > Install, and then after following the rest of your instructions, I can't seem to run it.  I have tried many variations from the Run line, but all of the "trusted" sites are still there.

sr
0
 
LVL 12

Expert Comment

by:rossfingal
ID: 13683544
Right-click on it and select "Install"

RF
0
 
LVL 12

Expert Comment

by:rossfingal
ID: 13683583
Also, make sure the Hosts file is not set to read-only and that it
is not locked by Spybot S & D, for instance.

RF
0
 
LVL 3

Author Comment

by:sredmond
ID: 13683693
I got it installed. Is that it?

  Hijack this log = http://www.hijackthis.de/logfiles/16663026c34e2c97671c0280c80fd3ff.html

 
Horseserver Removal Tool v1.05
      by Atri
-
-
1. Registry Fix Started
-
   Registry fix complete
-
2. Deleted Services
-
-
3. Finding files Located on system
-
-
4. Deleting files that were found.
-
-
5. Checking for and Removing Winupdate

    Still no good on the desktop.

 SR
0
 
LVL 4

Expert Comment

by:bkinsey
ID: 13683727
Is that latest HijackThis log from after running the HSFix tool, or after the DelDomains.inf only?  It got your trusted sites, but all those "questionable" processes and entries in the Run key are bad news (unless HSFix got rid of them after you ran HijackThis. . . .)
0
 
LVL 3

Author Comment

by:sredmond
ID: 13683786
NOPE.  Ran HSFIX first. then DelDomains.
0
 
LVL 4

Expert Comment

by:bkinsey
ID: 13683912
Then you've definitely still got issues.  I'd suggest running HijackThis again, only this time use the "Fix Checked" button.  Run it, look at the results, check the box next to all of the O4 Run keys that are marked as 'Unknown' (ukh, bfe, etc.) and the bfe.exe process (as well as any other random 3-letter processes that are new to the scan), and have HijackThis fix them.  Also look at the entries for nhksrv.exe and acsd.exe; if you're using the associated programs, leave them alone.  Otherwise get rid of them, too.  (Standard disclaimer for HijackThis - it shows you good stuff as well as bad, so don't just check everything :-)

Once those are gone, you MAY be clean, but I'd run it again before rebooting, and post the results. . . .
0
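HijackThis only lists the entries; deciding which O4 items to tick is the manual step described in the reply above, and the O15 Trusted Zone entries are what DelDomains.inf clears. The Python script below is an added example, not part of the thread and not code from HijackThis or any other tool named here. It applies the thread's own triage rules to a saved HJT log: it pulls out the O4 autorun entries and the O15 Trusted Zone entries and marks for review the O4 items that show the patterns discussed in this thread (three-letter random-looking names such as ukh.exe and bfe.exe, a bare file name with no directory such as open32.exe, and the `[1].exe` suffix Internet Explorer gives files in its cache, as in winupdate83654910[1].exe). The log excerpt in the script is constructed; the VendorUpdater and Example Service entries are hypothetical benign items included for contrast.

```python
import re

# Constructed HijackThis-style log excerpt, modelled on the entry types named in the
# thread (O4 Run/Startup items, O15 Trusted Zone items). Not the author's real log;
# VendorUpdater and Example Service are hypothetical benign entries.
SAMPLE_HJT_LOG = r"""
O4 - HKLM\..\Run: [Shell] open32.exe
O4 - HKLM\..\Run: [ukh] C:\WINDOWS\ukh.exe
O4 - HKLM\..\Run: [bfe] C:\WINDOWS\System32\bfe.exe
O4 - HKLM\..\Run: [VendorUpdater] "C:\Program Files\Vendor\updater.exe" /background
O4 - Startup: winupdate83654910[1].exe
O15 - Trusted Zone: *.example-trusted.test
O15 - Trusted Zone: http://example-trusted.test
O23 - Service: Example Service - C:\Program Files\Vendor\svc.exe
"""

# O4 lines: "O4 - <location>: [<value name>] <command line>" (Startup items carry no name).
O4_RE = re.compile(r"^O4 - (?P<where>[^:]+): (?:\[(?P<name>[^\]]*)\] )?(?P<cmd>.+)$")
O15_RE = re.compile(r"^O15 - Trusted Zone: (?P<site>.+)$")


def _exe_name(cmd):
    """Lower-cased basename of the program an O4 command line launches."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        target = cmd[1:end] if end > 0 else cmd[1:]
    else:
        target = cmd.split()[0]
    return re.split(r"[\\/]", target)[-1].lower()


def triage_hjt_log(text):
    """Extract O4 and O15 entries; attach a list of review reasons to each O4 item."""
    o4, o15 = [], []
    for line in text.splitlines():
        line = line.strip()
        m = O4_RE.match(line)
        if m:
            cmd = m.group("cmd")
            exe = _exe_name(cmd)
            reasons = []
            if re.fullmatch(r"[a-z]{3}\.exe", exe):
                reasons.append("three-letter random-looking name")
            if re.search(r"\[\d+\]\.exe$", exe):
                reasons.append("'[n].exe' suffix typical of a file run straight out of the IE cache")
            if "\\" not in cmd and "/" not in cmd:
                reasons.append("bare file name, no directory: resolved through the search path")
            o4.append({"where": m.group("where"), "name": m.group("name") or "",
                       "exe": exe, "reasons": reasons})
            continue
        m = O15_RE.match(line)
        if m:
            # The thread removed every Trusted Zone entry, so each one is listed for review.
            o15.append(m.group("site"))
    return {"o4": o4, "o15": o15}


def flagged_o4(result):
    """The O4 entries that matched at least one review rule."""
    return [e for e in result["o4"] if e["reasons"]]


if __name__ == "__main__":
    result = triage_hjt_log(SAMPLE_HJT_LOG)
    for entry in result["o4"]:
        mark = "REVIEW" if entry["reasons"] else "ok    "
        print(f"{mark} O4 {entry['where']} [{entry['name']}] {entry['exe']}  {'; '.join(entry['reasons'])}")
    for site in result["o15"]:
        print(f"REVIEW O15 Trusted Zone: {site}")
```

Run it against a saved log with `triage_hjt_log(open("hijackthis.log").read())`. The rules are the thread's heuristics, not a verdict: an entry marked for review still needs the file's properties and location checked before it is fixed, and an entry with no mark is not proof that it is benign.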
 
LVL 12

Expert Comment

by:rossfingal
ID: 13684098
Go ahead and try fixing those things with HijackThis.
If you're unsure about an entry - let me know.
All of those randomly named 3 letter exec's are safe to fix.
Let see what comes up then.
If that doesn't work - we'll try something else.

RF
0
 
LVL 3

Author Comment

by:sredmond
ID: 13684669
OK. Here is the new HijackThis log: http://www.hijackthis.de/logfiles/55f7053bd8b104c26f70899178a42b50.html

 It has also started taking a lot of time to log back on to the machine. I mean a loooooooooong time: 15 to 20 minutes just to load the desktop. So perhaps we have it cornered, or dead and it's taking the hard drive with it.  Perhaps, or not.
0
 
LVL 12

Expert Comment

by:rossfingal
ID: 13684875
Well, the HJT log looks better.

Check through the list of locations (that I listed in a previous post)
that XP loads background images from and see if there's something in there.
Too many files can affect it.
Also, check the desktop.ini file in C:\WINDOWS

RF
0
 
LVL 4

Expert Comment

by:bkinsey
ID: 13684906
Is your desktop (when it loads) working properly?  Correct background, right-click functionality, etc. . . ?
0
 
LVL 3

Author Comment

by:sredmond
ID: 13698641
The desktop no longer loads an image. However, the desktop is still not the proper desktop and does not work properly. I still cannot right-click on the desktop, and there are only minimal icons, not the ones that should load.
0
 
LVL 4

Assisted Solution

by:bkinsey
bkinsey earned 400 total points
ID: 13698800
Check this registry key: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell

This determines your desktop environment (shell), and is sometimes modified by malware to load infected programs at logon.  That *could* account for your desktop issues.  Default is 'explorer.exe'

Also check these, as they are sometimes modification targets:
HKLM, Software\CLASSES\batfile\shell\open\command
HKLM, Software\CLASSES\comfile\shell\open\command
HKLM, Software\CLASSES\exefile\shell\open\command
HKLM, Software\CLASSES\piffile\shell\open\command
HKLM, Software\CLASSES\regfile\shell\open\command
HKLM, Software\CLASSES\scrfile\shell\open\command

default values should be "%1" %* for all except the regfile key, which should be regedit.exe "%1"

Is your HijackThis log still coming up clean?  Any other symptoms?  Still slow logons?  (One possibility that occurs to me is that, if the shell key has been modified, Windows is searching for .exe's and associated .dll's that have been deleted by the cleanup process.  That would account for some slowdown. . . .)
0
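The registry checks in this reply, together with the NoViewContextMenu policy value rossfingal pointed at earlier, can be automated against a `.reg` export taken from the affected machine (File > Export in regedit), which also lets the comparison run on a clean system rather than on the infected one. The Python script below is an added example, not code from the thread or from any of the tools named in it. The `.reg` excerpt inside it is constructed to mirror the thread's findings (a Shell value with open32.exe appended, NoViewContextMenu set to 1) and is not the author's real registry; the expected defaults are the ones stated in this reply (`explorer.exe`, `"%1" %*`, and `regedit.exe "%1"`).

```python
import re

# Registry values the thread says to verify, with their Windows XP defaults:
# the Winlogon Shell, the shell\open\command handlers, and the Explorer
# policy value that hides the right-click menu (absent or 0 is normal).
_CLASSES = r"HKEY_LOCAL_MACHINE\SOFTWARE\Classes"
EXPECTED = {
    (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon", "Shell"): "explorer.exe",
    (r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer", "NoViewContextMenu"): 0,
    (_CLASSES + r"\regfile\shell\open\command", "@"): 'regedit.exe "%1"',
}
for _ext in ("batfile", "comfile", "exefile", "piffile", "scrfile"):
    EXPECTED[(_CLASSES + "\\" + _ext + r"\shell\open\command", "@")] = '"%1" %*'

# Constructed sample of a regedit export (File > Export) from a machine like the one
# in the thread: the Shell value has open32.exe appended and the context menu is
# disabled by policy. Not the author's real registry.
SAMPLE_EXPORT = r"""
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="Explorer.exe open32.exe"
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\batfile\shell\open\command]
@="\"%1\" %*"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\comfile\shell\open\command]
@="\"%1\" %*"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\shell\open\command]
@="\"%1\" %*"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\piffile\shell\open\command]
@="\"%1\" %*"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\scrfile\shell\open\command]
@="\"%1\" %*"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\regfile\shell\open\command]
@="regedit.exe \"%1\""

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoViewContextMenu"=dword:00000001
"NoDesktop"=dword:00000000
"""

_VALUE_RE = re.compile(r'^(@|"((?:[^"\\]|\\.)*)")=(.*)$')


def _unescape(s):
    # .reg files escape backslashes and double quotes inside string data.
    return re.sub(r'\\(["\\])', r"\1", s)


def parse_reg_export(text):
    """Return {(key_lower, name_lower): data} for string and DWORD values in a .reg export."""
    values, key = {}, None
    for raw in text.lstrip("\ufeff").splitlines():
        line = raw.strip()
        if not line or line.startswith(("Windows Registry Editor", ";")):
            continue
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1].lower()
            continue
        m = _VALUE_RE.match(line)
        if not m or key is None:
            continue  # continuation lines of hex:... blobs are skipped
        name = "@" if m.group(1) == "@" else _unescape(m.group(2)).lower()
        data = m.group(3)
        if len(data) >= 2 and data.startswith('"') and data.endswith('"'):
            values[(key, name)] = _unescape(data[1:-1])
        elif data.lower().startswith("dword:"):
            values[(key, name)] = int(data[6:], 16)
        else:
            values[(key, name)] = data  # other value types kept as raw text
    return values


def audit(values):
    """One finding per expected value that is missing or differs from its default."""
    findings = []
    for (key, name), expected in EXPECTED.items():
        actual = values.get((key.lower(), name.lower()))
        if actual is None:
            if expected == 0:
                continue  # an absent policy value imposes no restriction
            findings.append({"key": key, "name": name, "actual": None, "expected": expected})
        elif isinstance(expected, int):
            if actual != expected:
                findings.append({"key": key, "name": name, "actual": actual, "expected": expected})
        elif str(actual).strip().lower() != expected.lower():
            findings.append({"key": key, "name": name, "actual": actual, "expected": expected})
    return findings


if __name__ == "__main__":
    for f in audit(parse_reg_export(SAMPLE_EXPORT)):
        print(f"{f['key']}\\{f['name']}: found {f['actual']!r}, expected {f['expected']!r}")
```

A real export from regedit is written as UTF-16, so read it with `open(path, encoding="utf-16").read()` before passing it to `parse_reg_export`. Comparing against an export rather than the live registry means the check is not fooled by a process that rewrites the value moments after it is repaired, which is the behaviour this thread describes for the deleted keys.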
 
LVL 12

Expert Comment

by:rossfingal
ID: 13699287
Also, check this key:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
See if there are any entries which may be affecting things - no right-click.

RF
0
 
LVL 12

Expert Comment

by:rossfingal
ID: 13699367
Check this page concerning Context menu handlers -
http://windowsxp.mvps.org/slowrightclick.htm

RF
0
 
LVL 12

Expert Comment

by:rossfingal
ID: 13699455
One other thing that I just noticed (I must be asleep!):
I would definitely look into updating XP to at least Service Pack 1,
and Internet Explorer to SP1.
Probably a lot of patches/fixes are not installed.

RF
0
 
LVL 15

Expert Comment

by:greyknight17
ID: 13704253
Try this:

Right-click on http://www.greyknight17.com/spy/RepairDesktop.reg and save it as "RepairDesktop.reg" (with the quotes intact).

Double-click that RepairDesktop.reg file we made and merge it into the registry. If it asks you, say YES to merge.

Once that's merged, reboot the PC.

Now, once you're back to normal Windows, right-click on the desktop, select Properties > Desktop > Customize Desktop > Web, and uncheck anything listed. Now highlight and delete all the entries listed except "My Current Homepage".

Restart and see how the background is now.
0
 
LVL 3

Author Comment

by:sredmond
ID: 13716900
OK. I am just about back to functional.  That RepairDesktop did a lot of the trick.  One thing remaining is that, when I boot, I get a complaint from XP about no paging file. When I assign a size (382 - 1024 in this case), it says I need to reboot to make the changes; I reboot and no paging file again. Would explain the long desktop load time, however.  Any thoughts?

SR
0
 
LVL 12

Expert Comment

by:rossfingal
ID: 13717078
Do you have enough free space on the drive you have your paging file on?

RF
0
 
LVL 3

Author Comment

by:sredmond
ID: 13717106
Yes.  15.9 Gigs Free.
0
 
LVL 12

Expert Comment

by:rossfingal
ID: 13717279
How much memory do you have?
Is the paging file on your boot - system - or another drive?
0
 
LVL 3

Author Comment

by:sredmond
ID: 13717585
Memory = 256

only one hard drive and only one partition.

  FYI - Norton Internet security is installed and running with the firewall turned off in favor of XP's firewall.

   Service pack 2 is now installed. btw
0
 
LVL 12

Expert Comment

by:rossfingal
ID: 13718173
As far as I know - the "rule of thumb" is the paging file should be 1 to 1-1/2 the size of RAM.
Try setting it to 256 - 400
Another thing to consider is adding more memory -
256 is generally considered the min. for XP - 384 to 512 work much better.

If I recall - you had quite a lot of things running at Startup
Consider using Windows Startup Inspector (free) to control the things you have loading
This might speed things up.
http://www.windowsstartup.com/index.php

RF
0
 
LVL 3

Author Comment

by:sredmond
ID: 13719021
My problem is that there is NO paging file. and none can be created.
0
 
LVL 12

Expert Comment

by:rossfingal
ID: 13720495
When you went into the dialogue for virtual memory and you specified the min. and max. sizes -
did you make sure -
your drive was highlighted and -
after you entered the sizes in the boxes -
you hit "Set" - then "Apply" - then OK'd out and rebooted?

Also check this key in Regedit:
HKLM\System\CurrentControlSet\Control\Session Manager\Memory Management
Do you have an entry "PagingFiles"?

RF
0
 
LVL 3

Author Comment

by:sredmond
ID: 13762863
It is hard to assign points and accepted answers, so I did the best I could.  I will open a new question about the page file.
0