Solved

Windows XP Spyware Background / Desktop problems

Posted on 2005-03-30
Last Modified: 2011-09-20
I have a Windows XP machine that has had a problem with spyware.

I have installed Microsoft AntiSpyware, Lavasoft Ad-Aware, & Spybot Search & Destroy, none of which were able to locate this spyware.

The spyware has set itself up as a background HTML document, claiming that the user has spyware, "click here to remove it" sort of thing (how ironic). I have managed to locate and delete the HTML file (c:\windows\desktop.html), and make the appropriate changes in the registry, so now it does not show up; the user has a blank background.
Now this spyware had managed to disable right click on the desktop. I can right click on icons, just not on desktop 'space' to bring up display properties etc. So I managed to access the display properties through Control Panel, but it has also locked me out from changing the background under the 'Background' tab. I have been reading around; some have suggested gpedit.msc --> User Configuration --> Administrative Templates --> Control Panel etc. I have tried setting this to disabled (it was set to not configured), but this has not solved the problem.

And finally, every time a desktop icon is created, it makes 2 icons. Delete one of those icons and they both disappear. Huh????

I feel that these problems may be related, and further related to my spyware infection.

Help please!!!!!
Question by:compuit
13 Comments
 
LVL 59

Expert Comment

by:LeeTutor
ID: 13667240
I'm surprised that the combination of SpyBot, Ad-Aware and MS AntiSpyware didn't handle it; that is all I use on my system to periodically clean those nasties up.  Of course, I also have a firewall to help protect my system too.  You might also try this free program (HijackThis):

http://www.spychecker.com/download/download_hijackthis.html

HijackThis is a tool that is for advanced users, because it lists all the installed browser add-ons and startup items, allowing you to inspect them and then optionally remove any you select.  You must be careful in choosing what to remove, although the program can create a backup of your original settings.  But put a check mark to fix any home page or search page setting that HijackThis detects which you have not entered yourself.  The program has an option to download online updates of the hijack data.

You should first post the log at this site:  

http://www.hijackthis.de/index.php?langselect=english

and it will be automatically analyzed for you, telling you which programs to delete.  If you have any questions about what it is asking you to fix that you would like the E-E experts to comment on, then do this:  scroll down where you will see a Save Analyse button, hit it and it will save your Log Analysis, then copy the link of that page and paste it here, and experts can check it for you.

In case you would like to learn more yourself about how to use HijackThis, here are a couple of URLs:

http://www.tomcoyote.org/hjt/
HijackThis Quick Start

http://www.spywareinfo.com/~merijn/htlogtutorial.html
HijackThis log tutorial
0
 
LVL 1

Author Comment

by:compuit
ID: 13667280
LeeTutor,

Sorry, I forgot to mention I have already used a combination of HijackThis and Windows search to remove a plethora of nasties that had infected this system. I have to use HijackThis on a variety of machines daily, so I am confident using it; nonetheless I shall post the log once I have a chance to get back to the premises. I am not confident that HijackThis, or any of the spyware programs, will actually reverse changes made to the Windows XP policy.

Log to follow...
0
 
LVL 59

Expert Comment

by:LeeTutor
ID: 13667401
Please copy just the link to the analysis log, not the log itself.  The site's owners haven't wanted us to "clutter up" our PAQs with a lot of long logs like this...
0
 
LVL 1

Author Comment

by:compuit
ID: 13667814
Download log from this address:

 http://members.fortunecity.com/compuit

On there is a page with "download hijackthis log" (click on hijackthis.txt). Man, what a headache to get some free webhosting. Finally got FortuneCity (not the best choice, but I'm in a bit of a panic), and they don't allow remote linking... etc... but anyhow you can now get it.

Please note that this user connects to a Win2000 server. References to office.local or any proxy settings are meant to be there. Also I use RealVNC to connect to this PC.

Thank you in advance
0
 
LVL 2

Expert Comment

by:jazz250
ID: 13668540
go to display properties -> desktop
click on "customize desktop" button
go to WEB
remove ALL entries but "my current homepage" apply the changes and then try to change your background again...
see if it works
0
 
LVL 1

Author Comment

by:compuit
ID: 13668593
Thanks jazz250, I have already checked your suggestion (in fact it was the first thing I tried). Instead of an HTML desktop component, the spyware had installed itself as an actual background. I have actually previously deleted the background, so it is gone. My question is concerning 1) no right click on desktop, 2) duplicate icons on desktop and 3) unable to change background in <display properties> --> <background> (the background dialogue is greyed out).
0
 
LVL 59

Expert Comment

by:LeeTutor
ID: 13673765
This entry:

O4 - HKCU\..\Run: [msgina] C:\WINDOWS\System32\msgina\wuauclt2.exe

I found this page about that.  Look on the "Advanced" tab.

http://www.sophos.com/virusinfo/analyses/trojiyush.html

Troj/Iyus-H is an information stealing Trojan on the Windows platform.
When run the Trojan attempts to copy itself to the file %SYSTEM%\msgina\wuauclt2.exe and then creates the following registry entry so as to run itself on computer logon:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
msgina
%SYSTEM%\msgina\wuauclt2.exe
Troj/Iyus-H also tries to delete files obtained from the following registry entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\AppData
The Trojan attempts to steal data and puts the information into the file
%SYSTEM%\msgina\id.txt
Troj/Iyus-H also tries to download data from a remote website and store it as %SYSTEM%\msgina\flagdata.txt.
The files flagdata.txt and id.txt are non-viral and can be safely deleted.
Once installed the Trojan attempts to download and execute files from the internet, terminate a large number of processes relating to security and anti-virus products and set up a HTTP proxy allowing a remote user to route web traffic through the infected computer.
Troj/Iyus-H also creates the following registry entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings
msginaidnt
<random character string>
The Trojan also drops the DLL file msgina32.dll in the Windows system folder. This dropped DLL provides Troj/Iyus-H with stealthing capabilities in order to make its presence difficult to detect.
0
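The Sophos write-up quoted above gives concrete artefacts: a Run-key value, a handful of files under %SYSTEM%\msgina, a marker value under Internet Settings and a dropped DLL. The following PowerShell is an added example, not from the thread or from Sophos, that audits the current user's profile for exactly those artefacts. It also generalises the author's situation (a Run entry left behind after its executable had already been removed) by reporting any Run value whose target file is missing. The function name Find-IyusArtifacts is assumed; the script is read-only and removes nothing.

```powershell
# Added example: read-only audit for the Troj/Iyus-H artefacts named in the
# Sophos write-up. Function name and structure are this example's own.
function Find-IyusArtifacts {
    $findings = @()

    # %SYSTEM% in the write-up is the Windows system directory (C:\WINDOWS\System32 on XP).
    $sys = [Environment]::GetFolderPath('System')

    # 1. Run-key persistence: a value named "msgina" launching %SYSTEM%\msgina\wuauclt2.exe.
    $runKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
    $run = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
    if ($run -and $run.PSObject.Properties['msgina']) {
        $findings += "Run value 'msgina' present: $($run.msgina)"
    }

    # 2. Files the write-up says the Trojan copies, creates or drops.
    foreach ($rel in 'msgina\wuauclt2.exe', 'msgina\id.txt', 'msgina\flagdata.txt', 'msgina32.dll') {
        $path = Join-Path -Path $sys -ChildPath $rel
        if (Test-Path -LiteralPath $path) { $findings += "File present: $path" }
    }

    # 3. The marker value the Trojan writes under Internet Settings.
    $isKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
    $is = Get-ItemProperty -Path $isKey -ErrorAction SilentlyContinue
    if ($is -and $is.PSObject.Properties['msginaidnt']) {
        $findings += "Internet Settings value 'msginaidnt' present"
    }

    # 4. Generalisation: any Run value whose target no longer exists. The thread
    #    author found exactly this state (registry entry present, file already gone).
    if ($run) {
        $meta = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'
        foreach ($prop in $run.PSObject.Properties) {
            if ($meta -contains $prop.Name) { continue }   # provider bookkeeping, not Run values
            $cmd = [string]$prop.Value
            # Take a quoted path, otherwise the first whitespace-delimited token.
            if ($cmd -match '^"([^"]+)"') { $exe = $Matches[1] } else { $exe = ($cmd -split '\s+')[0] }
            $exe = [Environment]::ExpandEnvironmentVariables($exe)
            if ($exe -notmatch '[\\/]') { continue }       # bare names resolve via PATH; not checked here
            if (-not (Test-Path -LiteralPath $exe)) {
                $findings += "Run value '$($prop.Name)' points at a missing file: $exe"
            }
        }
    }
    return $findings
}

$result = @(Find-IyusArtifacts)
if ($result.Count -eq 0) { 'No Troj/Iyus-H artefacts found in this profile.' } else { $result }
```

Run it as the affected user, since every key checked lives under HKCU. A hit on item 4 alone does not prove infection, only that something registered a startup entry and its file is gone; the entry still deserves a look because an orphaned Run value is exactly what was left on the author's machine.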
 
LVL 1

Author Comment

by:compuit
ID: 13694101
Thanks LeeTutor,

Seems I missed that one, but luckily it was only a registry entry. I searched for the file itself, and it was not there (there was the msgina directory, but I deleted that).

I am still left with the other problems...
0
 
LVL 59

Accepted Solution

by:
LeeTutor earned 2000 total points
ID: 13694188
Found this about your duplicate icons on the Desktop:

http://windowsxp.mvps.org/duplicatedesktop.htm
0
 
LVL 59

Expert Comment

by:LeeTutor
ID: 13694191
Have you tried running the System File Checker in order to replace any possible missing or corrupt system files?  Start -> Run -> type CMD -> click OK

Type SFC /SCANNOW
Have your XP install CD handy to replace any needed files that are not in the system's dll cache...
0
 
LVL 1

Author Comment

by:compuit
ID: 13694370
Thanks again LeeTutor, you're a legend!

That 'duplicate icons on the desktop' fix worked a treat! The spyware had changed the values to c:\desktop\ (the original spyware file was c:\desktop.html) and I found all of the person's icons we had created in the c:\desktop\ folder.

Sounds like the points are almost yours, but I still have the problems 1) unable to right click on desktop & 2) unable to change background from display properties (background selection greyed out).

0
 
LVL 1

Author Comment

by:compuit
ID: 13694373
Oh sorry, and also I have begun sfc /scannow to correct Windows system files; I shall post further info once it has finished.
0
 
LVL 1

Author Comment

by:compuit
ID: 13721563
LeeTutor,

Thank you greatly for all your help, but I have now resolved the problem.

Firstly, I was unable to right click because of the following registry key:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
REG_DWORD NoViewContextMenu

which was set to 1.

To resolve the "unable to change background", i just rebuilt the profile.

Again, thanks for all your help, you have been a top expert!

Adam.
0
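Two of the three symptoms in this thread were traced to plain registry state: the NoViewContextMenu policy value under HKLM (set to 1) for the missing right-click menu, and the Desktop shell folder redirected to c:\desktop\ for the duplicate icons. The following PowerShell is an added example, not the author's own steps, that audits both and, when run with an assumed -Fix switch, restores them. The function name Test-DesktopTampering and the -Fix switch are this example's own. The greyed-out background dialog is not covered, because the thread resolved it by rebuilding the profile rather than by identifying a value.

```powershell
# Added example: audit (and optionally undo) the registry state this thread
# traced its desktop symptoms to. -Fix and the function name are assumptions
# of this example. Run as the affected user; the HKLM check needs an administrator.
param([switch]$Fix)

function Test-DesktopTampering {
    param([switch]$Fix)
    $issues = @()

    # 1. NoViewContextMenu removes Explorer's right-click menu. The author found it
    #    set to 1 under HKLM; the same value is honoured under HKCU, so check both.
    foreach ($hive in 'HKLM', 'HKCU') {
        $key = "$($hive):\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"
        $v = Get-ItemProperty -Path $key -Name NoViewContextMenu -ErrorAction SilentlyContinue
        if ($v -and $v.NoViewContextMenu -ne 0) {
            $issues += "$key\NoViewContextMenu = $($v.NoViewContextMenu) (desktop right-click disabled)"
            if ($Fix) { Remove-ItemProperty -Path $key -Name NoViewContextMenu }
        }
    }

    # 2. A redirected Desktop shell folder produced the duplicate icons. Explorer reads
    #    User Shell Folders (REG_EXPAND_SZ) and mirrors it into Shell Folders; both
    #    should resolve to the profile's own Desktop directory.
    $expected = Join-Path -Path $env:USERPROFILE -ChildPath 'Desktop'
    $base = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer'
    $wanted = @{
        "$base\Shell Folders"      = $expected
        "$base\User Shell Folders" = '%USERPROFILE%\Desktop'
    }
    foreach ($key in $wanted.Keys) {
        $current = (Get-ItemProperty -Path $key -Name Desktop -ErrorAction SilentlyContinue).Desktop
        if (-not $current) { continue }
        $resolved = [Environment]::ExpandEnvironmentVariables($current).TrimEnd('\')
        if ($resolved -ne $expected) {
            $issues += "$key\Desktop = $current (expected $expected)"
            if ($Fix) {
                # User Shell Folders must stay REG_EXPAND_SZ so %USERPROFILE% is expanded per user.
                $type = if ($key -like '*User Shell Folders') { 'ExpandString' } else { 'String' }
                Set-ItemProperty -Path $key -Name Desktop -Value $wanted[$key] -Type $type
            }
        }
    }
    return $issues
}

$found = @(Test-DesktopTampering -Fix:$Fix)
if ($found.Count -eq 0) { 'No desktop policy or shell-folder tampering found.' } else { $found }
```

Without -Fix the script only reports. After a fix, Explorer needs to be restarted or the user logged off and back on before the context menu returns and icons are read from the restored Desktop folder; any icons the spyware left in c:\desktop\ have to be moved back by hand, as the author did.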
