compuit asked:

Windows XP Spyware Background / Desktop problems

I have a Windows XP machine that has had a problem with spyware.

I have installed Microsoft AntiSpyware, Lavasoft Ad-Aware, and Spybot Search & Destroy, none of which were able to locate this spyware.

The spyware has set itself up as a background HTML document, claiming that the user has spyware, "click here to remove it" sort of thing (how ironic). I have managed to locate and delete the HTML file (c:\windows\desktop.html), and make the appropriate changes in the registry, so now it does not show up; the user has a blank background.
Now this spyware had managed to disable right click on the desktop. I can right click on icons, just not on desktop 'space' to bring up display properties etc. So I managed to access the display properties through Control Panel, but it has also locked me out from changing the background under the 'Background' tab. I have been reading around; some have suggested gpedit.msc --> User Configuration --> Administrative Templates --> Control Panel etc etc. I have tried setting this to Disabled (it was set to Not Configured), but this has not solved the problem.

And finally, every time a desktop icon is created, it makes 2 icons. Delete one of those icons and they both disappear. Huh????

I feel that these problems may be related, and further related to my spyware infection.

Help please!!!!!
LeeTutor:

I'm surprised that the combination of SpyBot, Adaware and MS Antispyware didn't handle it; that is all I use on my system to periodically clean those nasties up.  Of course, I also have a firewall to help protect my system too.  You might also try this free program (HijackThis):

http://www.spychecker.com/download/download_hijackthis.html

HijackThis is a tool that is for advanced users, because it lists all the installed browser add-ons and startup items, allowing you to inspect them and then optionally remove any you select.  You must be careful in choosing what to remove, although the program can create a backup of your original settings.  But put a check mark to fix any home page or search page setting that HijackThis detects which you have not entered yourself.  The program has an option to download online updates of the hijack data.

You should first post the log at this site:  

http://www.hijackthis.de/index.php?langselect=english

and it will be automatically analyzed for you, telling you which programs to delete.  If you have any questions about what it is asking you to fix that you would like the E-E experts to comment on, then do this:  scroll down where you will see a Save Analyse button, hit it and it will save your Log Analysis, then copy the link of that page and paste it here, and experts can check it for you.

In case you would like to learn more yourself about how to use HijackThis, here are a couple of URLs:

http://www.tomcoyote.org/hjt/
HijackThis Quick Start

http://www.spywareinfo.com/~merijn/htlogtutorial.html
HijackThis log tutorial
compuit (asker):

LeeTutor,

Sorry, I forgot to mention I have already used a combination of HijackThis and Windows Search to remove a plethora of nasties that had infected this system. I have to use HijackThis on a variety of machines daily, so I am confident using it; nonetheless I shall post the log once I have a chance to get back to the premises. I am not confident that HijackThis, or any of the spyware programs, will actually reverse changes made to the Windows XP policy.

Log to follow...
Please copy just the link to the analysis log, not the log itself.  The site's owners haven't wanted us to "clutter up" our PAQs with a lot of long logs like this...
compuit (asker):

Download log from this address:

 http://members.fortunecity.com/compuit

On there is a page with "download hijackthis log" (click on hijackthis.txt). Man, what a headache to get some free webhosting. Finally got FortuneCity (not the best choice, but I'm in a bit of a panic), and they don't allow remote linking... etc etc... but anyhow you can now get it.

Please note that this user connects to a Win2000 server. References to office.local or any proxy settings are meant to be there. Also I use RealVNC to connect to this PC.

Thank you in advance
go to display properties -> desktop
click on "customize desktop" button
go to WEB
remove ALL entries but "my current homepage" apply the changes and then try to change your background again...
see if it works
compuit (asker):

Thanks jazz250, I have already checked your suggestion (in fact it was the first thing I tried). Instead of an HTML desktop component, the spyware had installed itself as an actual background. I have actually previously deleted the background, so it is gone. My question concerns 1) no right click on desktop, 2) duplicate icons on desktop and 3) unable to change background in <display properties> --> <background> (the background dialogue is greyed out).
This entry:

O4 - HKCU\..\Run: [msgina] C:\WINDOWS\System32\msgina\wuauclt2.exe

I found this page about that.  Look on the "Advanced" tab.

http://www.sophos.com/virusinfo/analyses/trojiyush.html

Troj/Iyus-H is an information stealing Trojan on the Windows platform.
When run the Trojan attempts to copy itself to the file %SYSTEM%\msgina\wuauclt2.exe and then creates the following registry entry so as to run itself on computer logon:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
msgina
%SYSTEM%\msgina\wuauclt2.exe
Troj/Iyus-H also tries to delete files obtained from the following registry entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\AppData
The Trojan attempts to steal data and puts the information into the file
%SYSTEM%\msgina\id.txt
Troj/Iyus-H also tries to download data from a remote website and store it as %SYSTEM%\msgina\flagdata.txt.
The files flagdata.txt and id.txt are non-viral and can be safely deleted.
Once installed the Trojan attempts to download and execute files from the internet, terminate a large number of processes relating to security and anti-virus products and set up a HTTP proxy allowing a remote user to route web traffic through the infected computer.
Troj/Iyus-H also creates the following registry entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings
msginaidnt
<random character string>
The Trojan also drops the DLL file msgina32.dll in the Windows system folder. This dropped DLL provides Troj/Iyus-H with stealthing capabilities in order to make its presence difficult to detect.
compuit (asker):

Thanks LeeTutor,

Seems I missed that one, but luckily it was only a registry entry. I searched for the file itself, and it was not there (there was the msgina directory, but I deleted that).

I am still left with the other problems...
ASKER CERTIFIED SOLUTION
LeeTutor
(accepted solution text not available on this page)

Have you tried running the System File Checker in order to replace any possible missing or corrupt system files?  Start -> Run -> type CMD -> click OK

Type SFC /SCANNOW
Have your XP install CD handy to replace any needed files that are not in the system's DLL cache...
compuit (asker):

Thanks again LeeTutor, you're a legend!

That 'duplicate icons on the desktop' fix worked a treat! The spyware had changed the values to c:\desktop\ (the original spyware file was c:\desktop.html) and I found all of the person's icons we had created in the c:\desktop\ folder.

Sounds like the points are almost yours, but I still have the problems 1) unable to right click on desktop & 2) unable to change background from display properties (background selection greyed out).

compuit (asker):

Oh sorry, and also I have begun sfc /scannow to correct Windows system files; I shall post further info once it has finished.
compuit (asker):

LeeTutor,

Thank you greatly for all your help, but I have now resolved the problem.

Firstly, I was unable to right click because of the following registry key:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
REG_DWORD NoViewContextMenu

which was set to 1.

To resolve the "unable to change background" problem, I just rebuilt the profile.

Again, thanks for all your help, you have been a top expert!

Adam.
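An added read-only audit script (not from the thread, nor from HijackThis or any other tool mentioned in it) that checks the three registry artefacts the thread identifies: the NoViewContextMenu Explorer policy found set to 1, the Desktop shell-folder path that had been pointed at c:\desktop\, and the HKCU Run value named msgina quoted from the Sophos write-up. It assumes it runs in the affected user's session with administrator rights, and that a Desktop path outside the user profile is worth verifying (legitimate domain folder redirection would trigger that check too).

```powershell
# Added read-only audit (not code from the thread): reports the registry
# artefacts the thread identifies and changes nothing. Assumes it runs in
# the affected user's session (HKCU) with admin rights for the HKLM check.

function Get-RegValue {
    param([string]$Path, [string]$Name)
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

$findings = New-Object System.Collections.Generic.List[string]

# 1) Explorer policy that hides the desktop context menu (found set to 1 in the thread).
#    The policy can live in either hive, so both are checked.
foreach ($hive in 'HKLM', 'HKCU') {
    $p = "${hive}:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"
    if ((Get-RegValue $p 'NoViewContextMenu') -eq 1) {
        $findings.Add("NoViewContextMenu=1 in $p (desktop right-click disabled)")
    }
}

# 2) Desktop shell folder pointing outside the profile (the duplicate-icon symptom:
#    the thread found it changed to c:\desktop\). Legitimate folder redirection on a
#    domain also triggers this, so treat it as something to verify, not as proof.
foreach ($key in 'Shell Folders', 'User Shell Folders') {
    $p = "HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\$key"
    $raw = Get-RegValue $p 'Desktop'
    if ($null -ne $raw) {
        $desktop = [Environment]::ExpandEnvironmentVariables($raw)
        if (-not $desktop.StartsWith($env:USERPROFILE, [StringComparison]::OrdinalIgnoreCase)) {
            $findings.Add("Desktop in '$key' is '$desktop', outside $env:USERPROFILE")
        }
    }
}

# 3) The Troj/Iyus-H autorun entry quoted from Sophos: a Run value named 'msgina'.
#    File check is best-effort: it strips surrounding quotes but not trailing arguments.
$runPath = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
$run = Get-RegValue $runPath 'msgina'
if ($null -ne $run) {
    $exists = Test-Path -LiteralPath ($run.Trim('"'))
    $findings.Add("Run value 'msgina' = '$run' (file present: $exists)")
}

if ($findings.Count -eq 0) { 'No artefacts from the thread found.' }
else { $findings | ForEach-Object { "FINDING: $_" } }
```

Removing a flagged policy value or Run entry is a separate, deliberate step; this script only reports so the findings can be compared against what the domain's Group Policy is expected to set.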