We help IT Professionals succeed at work.

We've partnered with Certified Experts, Carl Webster and Richard Faulkner, to bring you two Citrix podcasts. Learn about 2020 trends and get answers to your biggest Citrix questions!Listen Now

x

ahtn virus wallpaper properties disabled

rekadrah
rekadrah asked
on
Medium Priority
4,127 Views
Last Modified: 2013-12-04
One of our machines has had the wallpaper replaced with screen warning (in broken english) that the machine is infected with a virus / trojan. I have managed to find and delete the offending wallpaper file ( ahtn.htm) but I'm now struggling to restore the desktop wallpaper as the desktop properties screen appears to have been disabled. Any help would be greatly appreciated. I'm currently scanning the machine with malwarebytes and have used msconfig to disable any unusual services / apps at startup.
Comment
Watch Question

CERTIFIED EXPERT
Top Expert 2007
Commented:
Once you've done with MBAM and the problem persists, also run Smitfraudfix, it's good for those desktop hijackers.

Please download SmitfraudFix:
http://siri.geekstogo.com/SmitfraudFix.php
Extract the content (a folder named SmitfraudFix) to your Desktop.
Next, please reboot your computer in Safe Mode by rebooting the computer,
and repeatedly tapping the F8 key as the pc starts. Choose "Safe Mode" from
the options listed.

Once in Safe Mode, open the SmitfraudFix folder again and double-click
smitfraudfix.cmd

Select option #2 - Clean by typing 2 and press "Enter" to delete infected
files.

You will be prompted : "Registry cleaning - Do you want to clean the
registry?" answer "Yes" by typing Y and press "Enter" in order to remove
the Desktop background and clean registry keys associated with the
infection.

The tool will now check if wininet.dll is infected. You may be prompted to
replace the infected file (if found); answer "Yes" by typing Y and press
"Enter".

The tool may need to restart your computer to finish the cleaning process;
if it doesn't, please restart it into Normal Windows.
A text file will appear onscreen, with results from the cleaning process; please copy/paste the content of that report into your next reply.
The report can also be found at the root of the system drive, usually at C:\rapport.txt






If you like, you can also try running Combofix later on to check if there are other nasties present that didn't give you any symptoms.the log should show clean if there aren't any others.

Please download ComboFix by sUBs:
http://download.bleepingcomputer.com/sUBs/ComboFix.exe

You must download it to and run it from your Desktop
Now STOP all your monitoring programs (Antivirus/Antispyware, Guards and Shields) as they could easily interfere with ComboFix.
Double click combofix.exe & follow the prompts.
When finished, it will produce a log. Please save that log and attach it in your next reply by pasting it in the "Code Snippet" or "Attach File" window.
Re-enable all the programs that were disabled during the running of ComboFix..

Note:
Do not mouse-click combofix's window while it is running. That may cause it to stall.
CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.


Not the solution you were looking for? Getting a personalized solution is easy.

Ask the Experts

Author

Commented:
Malwarebytes resolved the problem - thanks rpggamergirl for your suggestion though.
CERTIFIED EXPERT
Top Expert 2007

Commented:
Glad to know it's been resolved.

Thanks!
Access more of Experts Exchange with a free account
Thanks for using Experts Exchange.

Create a free account to continue.

Limited access with a free account allows you to:

  • View three pieces of content (articles, solutions, posts, and videos)
  • Ask the experts questions (counted toward content limit)
  • Customize your dashboard and profile

*This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.

OR

Please enter a first name

Please enter a last name

8+ characters (letters, numbers, and a symbol)

By clicking, you agree to the Terms of Use and Privacy Policy.