compuit
asked on
Windows XP Spyware Background / Desktop problems
I have a Windows XP machine that has had a problem with spyware.
I have installed Microsoft AntiSpyware, Lavasoft Ad-Aware, & Spybot Search & Destroy, of which none were able to locate this spyware.
The spyware has set itself up as a background HTML document, claiming that the user has spyware, "click here to remove it" sort of thing (how ironic). I have managed to locate and delete the HTML file (c:\windows\desktop.html), and make the appropriate changes in the registry, so now it does not show up; the user has a blank background.
Now this spyware had managed to disable right click on the desktop. I can right click on icons, just not on desktop 'space' to bring up display properties etc. So I managed to access the display properties through Control Panel, but it has also locked me out from changing the background under the 'background' tab. I have been reading around, some have suggested gpedit.msc --> user configuration --> administrative templates --> control panel etc. I have tried setting this to disabled (was set to not configured), but this has not solved the problem.
And finally, every time a desktop icon is created, it makes 2 icons. Delete one of those icons, they both disappear. Huh????
I feel that these problems may be related, and further related to my spyware infection.
Help please!!!!!
ASKER
LeeTutor,
Sorry I forgot to mention I have already used a combination of HijackThis and Windows Search to remove a plethora of nasties that had infected this system. I have to use HijackThis on a variety of machines daily, so I am confident of using it, nonetheless I shall post the log once I have a chance to get back to the premises. I am not confident that HijackThis, or any of the spyware programs, will actually reverse changes made to the Windows XP policy.
Log to follow...
Please copy just the link to the analysis log, not the log itself. The site's owners haven't wanted us to "clutter up" our PAQs with a lot of long logs like this...
ASKER
Download log from this address:
http://members.fortunecity.com/compuit
On there is a page with "download hijackthis log" (click on hijackthis.txt). Man what a headache to get some free webhosting. Finally got Fortunecity (not the best choice, but I'm in a bit of a panic), and they don't allow remote linking... etc etc... but anyhow you can now get it.
Please note that this user connects to a Win2000 server. References to office.local or any proxy settings are meant to be there. Also I use RealVNC to connect to this PC.
Thank you in advance
go to display properties -> desktop
click on "customize desktop" button
go to WEB
remove ALL entries but "my current homepage", apply the changes and then try to change your background again...
see if it works
ASKER
Thanks jazz250, I have already checked your suggestion (in fact it was the first thing I tried). Instead of an HTML desktop component, the spyware had installed itself as an actual background. I have actually previously deleted the background, so it is gone. My question is concerning 1) no right click on desktop 2) duplicate icons on desktop and 3) unable to change background in <display properties> --> <background> (the background dialogue is greyed out).
This entry:
O4 - HKCU\..\Run: [msgina] C:\WINDOWS\System32\msgina\wuauclt2.exe
I found this page about that. Look on the "Advanced" tab.
http://www.sophos.com/virusinfo/analyses/trojiyush.html
Troj/Iyus-H is an information stealing Trojan on the Windows platform.
When run the Trojan attempts to copy itself to the file %SYSTEM%\msgina\wuauclt2.exe and then creates the following registry entry so as to run itself on computer logon:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
msgina
%SYSTEM%\msgina\wuauclt2.exe
Troj/Iyus-H also tries to delete files obtained from the following registry entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\AppData
The Trojan attempts to steal data and puts the information into the file
%SYSTEM%\msgina\id.txt
Troj/Iyus-H also tries to download data from a remote website and store it as %SYSTEM%\msgina\flagdata.txt.
The files flagdata.txt and id.txt are non-viral and can be safely deleted.
Once installed the Trojan attempts to download and execute files from the internet, terminate a large number of processes relating to security and anti-virus products and set up an HTTP proxy allowing a remote user to route web traffic through the infected computer.
Troj/Iyus-H also creates the following registry entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings
msginaidnt
<random character string>
The Trojan also drops the DLL file msgina32.dll in the Windows system folder. This dropped DLL provides Troj/Iyus-H with stealthing capabilities in order to make its presence difficult to detect.
ASKER
Thanks LeeTutor,
Seems I missed that one, but luckily it was only a registry entry. I searched for the file itself, and it was not there (there was the msgina directory, but I deleted that).
I am still left with the other problems...
ASKER CERTIFIED SOLUTION
Have you tried running the System File Checker in order to replace any possible missing or corrupt system files? Start -> Run -> type CMD -> click OK
Type SFC /SCANNOW
Have your XP install CD handy to replace any needed files that are not in the system's DLL cache...
ASKER
Thanks again LeeTutor, you're a legend!
That 'duplicate icons on the desktop' fix worked a treat! The spyware had changed the values to c:\desktop\ (the original spyware file was c:\desktop.html) and I found all of the person's icons we had created in the c:\desktop\ folder.
Sounds like the points are almost yours, but I still have the problems 1) unable to right click on desktop & 2) unable to change background from display properties (background selection greyed out).
ASKER
Oh sorry and also I have begun sfc /scannow to correct Windows system files, I shall post further info once it has finished.
ASKER
LeeTutor,
Thank you greatly for all your help, but I have now resolved the problem.
Firstly, I was unable to right click because of the following registry key:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
REG_DWORD NoViewContextMenu
which was set to 1.
To resolve the "unable to change background", I just rebuilt the profile.
Again, thanks for all your help, you have been a top expert!
Adam.
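As an added example (not code from this thread or from any of the participants), here is a Python audit that parses a .reg export and flags the three registry indicators the thread ends up pointing at: a Run entry launching from a subfolder of System32 (the msgina\wuauclt2.exe pattern from the Sophos write-up), a Shell Folders\Desktop path redirected out of the user profile (the cause of the duplicate icons), and the NoViewContextMenu policy set to 1. The NoChangingWallPaper and NoDispBackgroundPage checks are standard Display policy values added here for the greyed-out background tab and are not mentioned in the thread; the .reg text is a constructed sample.

```python
import re

# Constructed sample .reg export reproducing the thread's three indicators.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"msgina"="C:\\WINDOWS\\System32\\msgina\\wuauclt2.exe"
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop"="C:\\desktop\\"
"AppData"="C:\\Documents and Settings\\user\\Application Data"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoViewContextMenu"=dword:00000001
"NoDriveTypeAutoRun"=dword:00000091
"""

# Policy values (key suffix -> value name) that lock the desktop when set to 1.
# NoViewContextMenu is from the thread; the other two are standard Display
# policies added here as an assumption about the greyed-out background tab.
POLICY_FLAGS = {
    r"policies\explorer": "NoViewContextMenu",
    r"policies\activedesktop": "NoChangingWallPaper",
    r"policies\system": "NoDispBackgroundPage",
}

def parse_reg(text):
    """Return {key_path: {name: (type, value)}} from .reg export text."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current and line.startswith('"') and "=" in line:
            name, _, raw = line.partition("=")
            if raw.startswith("dword:"):
                keys[current][name.strip('"')] = ("dword", int(raw[6:], 16))
            else:  # REG_SZ: strip quotes and undo the doubled backslashes
                keys[current][name.strip('"')] = ("sz", raw.strip('"').replace("\\\\", "\\"))
    return keys

def audit(keys):
    """Return human-readable findings for the indicators described above."""
    findings = []
    for path, values in keys.items():
        low = path.split("\\", 1)[-1].lower()  # drop the hive prefix
        if low.endswith(r"currentversion\run"):
            for name, (_, val) in values.items():
                # Legitimate entries live in System32 itself; a further subfolder is the msgina pattern.
                if re.search(r"\\system32\\[^\\]+\\", val, re.I):
                    findings.append(f"run entry '{name}' launches from a System32 subfolder: {val}")
        elif low.endswith(r"\shell folders") or low.endswith(r"\user shell folders"):
            desk = values.get("Desktop", ("sz", ""))[1]
            if desk and not (desk.upper().startswith("%USERPROFILE%") or "documents and settings" in desk.lower()):
                findings.append(f"Desktop shell folder redirected outside the profile: {desk}")
        for suffix, flag in POLICY_FLAGS.items():
            if low.endswith(suffix) and values.get(flag, ("dword", 0))[1] == 1:
                findings.append(f"restrictive policy {flag}=1 under {path}")
    return findings

if __name__ == "__main__":
    for f in audit(parse_reg(SAMPLE_REG)):
        print("FINDING:", f)
```

On a live machine the same checks can be run against `reg export` output of the HKCU and HKLM CurrentVersion keys.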
http://www.spychecker.com/download/download_hijackthis.html
HijackThis is a tool that is for advanced users, because it lists all the installed browser add-on and startup items, allowing you to inspect them and then optionally remove any ones you select. You must be careful in choosing what to remove, although the program can create a backup of your original settings. But put a check mark to fix any home page or search page setting that HijackThis detects which you have not entered yourself. The program has an option to download online updates of the hijack data.
You should first post the log at this site:
http://www.hijackthis.de/index.php?langselect=english
and it will be automatically analyzed for you, telling you which programs to delete. If you have any questions about what it is asking you to fix that you would like the E-E experts to comment on, then do this: scroll down where you will see a Save Analyse button, hit it and it will save your Log Analysis, then copy the link of that page and paste it here, and experts can check it for you.
In case you would like to learn more yourself about how to use HijackThis, here are a couple of URLs:
http://www.tomcoyote.org/hjt/
HijackThis Quick Start
http://www.spywareinfo.com/~merijn/htlogtutorial.html
HijackThis log tutorial