?
Solved

ahtn virus wallpaper properties disabled

Posted on 2009-02-10
3
Medium Priority
?
4,098 Views
Last Modified: 2013-12-04
One of our machines has had the wallpaper replaced with screen warning (in broken english) that the machine is infected with a virus / trojan. I have managed to find and delete the offending wallpaper file ( ahtn.htm) but I'm now struggling to restore the desktop wallpaper as the desktop properties screen appears to have been disabled. Any help would be greatly appreciated. I'm currently scanning the machine with malwarebytes and have used msconfig to disable any unusual services / apps at startup.
0
Comment
Question by:rekadrah
  • 2
3 Comments
 
LVL 47

Accepted Solution

by:
rpggamergirl earned 1500 total points
ID: 23606399
Once you've done with MBAM and the problem persists, also run Smitfraudfix, it's good for those desktop hijackers.

Please download SmitfraudFix:
http://siri.geekstogo.com/SmitfraudFix.php
Extract the content (a folder named SmitfraudFix) to your Desktop.
Next, please reboot your computer in Safe Mode by rebooting the computer,
and repeatedly tapping the F8 key as the pc starts. Choose "Safe Mode" from
the options listed.

Once in Safe Mode, open the SmitfraudFix folder again and double-click
smitfraudfix.cmd

Select option #2 - Clean by typing 2 and press "Enter" to delete infected
files.

You will be prompted : "Registry cleaning - Do you want to clean the
registry?" answer "Yes" by typing Y and press "Enter" in order to remove
the Desktop background and clean registry keys associated with the
infection.

The tool will now check if wininet.dll is infected. You may be prompted to
replace the infected file (if found); answer "Yes" by typing Y and press
"Enter".

The tool may need to restart your computer to finish the cleaning process;
if it doesn't, please restart it into Normal Windows.
A text file will appear onscreen, with results from the cleaning process; please copy/paste the content of that report into your next reply.
The report can also be found at the root of the system drive, usually at C:\rapport.txt






If you like, you can also try running Combofix later on to check if there are other nasties present that didn't give you any symptoms.the log should show clean if there aren't any others.

Please download ComboFix by sUBs:
http://download.bleepingcomputer.com/sUBs/ComboFix.exe

You must download it to and run it from your Desktop
Now STOP all your monitoring programs (Antivirus/Antispyware, Guards and Shields) as they could easily interfere with ComboFix.
Double click combofix.exe & follow the prompts.
When finished, it will produce a log. Please save that log and attach it in your next reply by pasting it in the "Code Snippet" or "Attach File" window.
Re-enable all the programs that were disabled during the running of ComboFix..

Note:
Do not mouse-click combofix's window while it is running. That may cause it to stall.
CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.


0
 

Author Comment

by:rekadrah
ID: 23723100
Malwarebytes resolved the problem - thanks rpggamergirl for your suggestion though.
0
 
LVL 47

Expert Comment

by:rpggamergirl
ID: 23762452
Glad to know it's been resolved.

Thanks!
0

Featured Post

Put Machine Learning to Work--Protect Your Clients

Machine learning means Smarter Cybersecurity™ Solutions.
As technology continues to advance, managing and analyzing massive data sets just can’t be accomplished by humans alone. It requires huge amounts of memory and storage, as well as high-speed processing of the cloud.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

SHARE your personal details only on a NEED to basis. Take CHARGE and SECURE your IDENTITY. How do I then PROTECT myself and stay in charge of my own Personal details (and) - MY own WAY...
Security measures require Windows be logged in using Standard User login (not Administrator).  Yet, sometimes an application has to be run “As Administrator” from a Standard User login.  This paper describes how to create a shortcut icon to launch a…
Is your data getting by on basic protection measures? In today’s climate of debilitating malware and ransomware—like WannaCry—that may not be enough. You need to establish more than basics, like a recovery plan that protects both data and endpoints.…
Loops Section Overview
Suggested Courses

807 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question