Help! Trojan/Spyware reset itself as computer wallpaper

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by lyndsey, Oct 6, 2004.

  1. lyndsey

    lyndsey Private E-2

    I turned on my computer yesterday to find an advertisement for a security product in place of my normal wallpaper. The advertisement contains black and white pornographic images, and text saying my computer is in danger. The link goes to a site identified as "malware.cash". I ran my normal spyware and virus programs which found nothing. IE was resetting itself to a webpage called makemesearch.com. I deleted this search bar through add/remove programs, and haven't had a problem with that so far. Today I've spent quite a few hours completing all the things which were listed on the website to do before you posted a thread. I'm still not in good shape. :( Here's a run down of what I have so far:

    Trend Micro - reported a virus called TrogStilen.A and it's status was not cleanable.

    Other files that were found were Trog_agent.bm, tvmedia.tvmbho, keenvalue, ezula, keenware, and delfin media viewer. When prompted I fixed the problems.

    I also ran the optional things, such as the "deleteindex.dat" in Ccleaner, the immunization in spybot, and the online trojan scans and such. The memory and computer were free of trojans per that report. I downloaded and logged hijack this, and have it saved as a .txt file if anyone wants to see it. I used the guide that was given and deleted things that were unfamiliar or that proved to be bad according to the linked guides.

    I am running XP, home edition.

    If anyone could help me, I'd really appreciate it. Thanks so much!
     
  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Yes, post your log as an attachment.
     
  3. lyndsey

    lyndsey Private E-2

    Here you go.
     

    Attached Files:

  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Why didn't you run the Symantec online scan?

    Did you or a system administrator load this PRISMXL.SYS stuff?
    C:\Program Files\Common Files\Lanovation\PrismXL\PRISMXL.SYS

    It is sometimes loaded with Gateway PCs or your network administrator is using
    Prism Deploy to manage the software configuration of your PC

    Did you add this ProxyOverride line:
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.ce1.attbb.net

    Do you use this Viewpoint Manger software?
    C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe

    Go to Add/Remove Programs and uninstall WeatherBug. Also I would uninstall WildTangent stuff while there.


    Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchAssistant = res://C:\WINNT\system32\shdocpe.dll/asst.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\system32\shdocpe.dll/asst.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchURL = res://C:\WINNT\system32\shdocpe.dll/asst.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINNT\system32\shdocpe.dll/asst.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\system32\shdocpe.dll/asst.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = res://C:\WINNT\system32\shdocpe.dll/asst.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINNT\system32\shdocpe.dll/asst.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = res://C:\WINNT\system32\shdocpe.dll/asst.html
    R3 - URLSearchHook: (no name) - {CFBFAE00-17A6-11D0-99CB-00C04FD64497}_ - (no file)
    R3 - URLSearchHook: (no name) - {5D60FF48-95BE-4956-B4C6-6BB168A70310}_ - (no file)
    R3 - URLSearchHook: (no name) - {4FC95EDD-4796-4966-9049-29649C80111D}_ - (no file)
    R3 - URLSearchHook: (no name) - {20EC3D2D-33C1-4C9D-BC37-C2D500688DA2} - (no file)
    O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
    O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - (no file)
    O16 - DPF: {14A3221B-1678-1982-A355-7263B1281987} - ms-its:mhtml:file://c:\nosuch.mht!http://www.awmdabest.com/dlt/382.chm::/file.exe
    O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/2429579c69f69d8cb918/netzip/RdxIE601.cab


    Now reboot in safe mode and delete:
    C:\WINNT\system32\shdocpe.dll

    Reboot in normal mode and post a new HJT log attachment and tell me how things are working.
     
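    The HijackThis entries chaslang singles out above share a few recognizable patterns: IE search and start settings pointing at a res:// resource inside a local DLL, URLSearchHooks and BHOs whose file no longer exists, a ProxyOverride the user did not add, and an O16 download entry that chains ms-its:/mhtml to reach an executable. The following Python triage script is an added example, not part of the thread; it applies those patterns to log lines. The six flagged sample lines are copied from the log excerpt quoted above and the two unflagged lines are constructed to show the benign case.

```python
import re

# Sample HijackThis lines. The first six are copied from the log excerpt
# quoted in the thread; the last two are constructed benign entries so the
# triage shows both outcomes.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchAssistant = res://C:\WINNT\system32\shdocpe.dll/asst.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = res://C:\WINNT\system32\shdocpe.dll/asst.html
R3 - URLSearchHook: (no name) - {CFBFAE00-17A6-11D0-99CB-00C04FD64497}_ - (no file)
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O16 - DPF: {14A3221B-1678-1982-A355-7263B1281987} - ms-its:mhtml:file://c:\nosuch.mht!http://www.awmdabest.com/dlt/382.chm::/file.exe
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.ce1.attbb.net
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.majorgeeks.com/
O4 - HKLM\..\Run: [ctfmon.exe] C:\WINNT\system32\ctfmon.exe
"""

# Every HJT entry starts with a section code (R0, R1, R3, O2, O16, ...) followed by " - ".
ENTRY_RE = re.compile(r"^(?P<sec>[A-Z]\d{1,2}) - (?P<body>.*)$")


def classify(line):
    """Return (section, reasons) for one HJT line; reasons is empty when nothing looks wrong."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None, []
    sec, body = m.group("sec"), m.group("body")
    reasons = []
    if sec in ("R0", "R1") and "res://" in body.lower():
        reasons.append("IE search/start setting points at a local DLL resource (res://)")
    if sec == "R1" and "ProxyOverride" in body:
        reasons.append("ProxyOverride is set; confirm the user or admin added it")
    if sec in ("R3", "O2") and "(no file)" in body:
        reasons.append("hook/BHO is registered but its file is missing (orphan entry)")
    if sec == "O16" and "ms-its:" in body.lower():
        reasons.append("ActiveX download entry chains ms-its:/mhtml to reach an executable")
    return sec, reasons


def triage(log_text):
    """Return [(line, reasons)] for every entry that tripped at least one pattern."""
    flagged = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        _, reasons = classify(line)
        if reasons:
            flagged.append((line, reasons))
    return flagged


if __name__ == "__main__":
    for line, reasons in triage(SAMPLE_LOG):
        print(line)
        for r in reasons:
            print("    ->", r)
```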
  5. lyndsey

    lyndsey Private E-2

    I ran the Symantec Security checker, which proved the safe status. When I tried to run the online virus checker, it automatically closes the window.

    As for PRISMXL.SYS, the computer is a Gateway, 510 series I believe, so I imagine that's where it was installed at, like you said.

    The proxy override I did not knowingly add, I don't even know what that is.

    I never, ever use view point.

    WeatherBug is gone, and there was an error removing Wild Tangent. It said it may have already been removed, so I clicked to remove the Wild Tangent Web Driver from the add or remove programs.
     
  6. lyndsey

    lyndsey Private E-2

    I went to check the things in HJT, and none of those files are there anymore. There are different ones, do you need a log for this? I'm so confused. :rolleyes:
     
  7. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Yes, you will have to post a new log but before doing that go back to Add/Remove programs and uninstall Viewpoint Manager since you do not use it. There was a load of items for it in HijackThis earlier.
     
  8. lyndsey

    lyndsey Private E-2

    Removed all viewpoint manager from the add/delete list. Here's the new HJT. Thanks.
     

    Attached Files:

  9. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Lyndsey,

    Your log looks good now! How is everything working?
     
  10. lyndsey

    lyndsey Private E-2

    Still the same advertisement set as my wallpaper. Everything else seems okay, just can't get rid of that.
     
  11. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Did you try changing your wallpaper to something else?
     
  12. lyndsey

    lyndsey Private E-2

    Hey, sorry it's taken so long to respond. Yes, I tried changing my wallpaper to something else and it did not work. If I right click the desktop it comes up as properties to an html document, not the usual properties for the desktop. Also the picture that I reset as the wallpaper will show up only when my computer is shutting down.
     
  13. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    I want you to search your computer for each of the below file names (one at a time)
    nr1beo9r.exe
    nr1beo9r.dll
    winwildapp.exe
    29389bdd.dll

    You need to configure search properly as I give below.

    Click Search and the Select "All files and folders"
    Enter the filename in the "All or part of the file name:" box, so enter nr1beo9r.exe
    Now select "More advanced options"
    Make sure the following check boxes are checked:
    - Search system folders
    - Search hidden files and folders
    - Search subfolders

    Then click the Search button.

    Then repeat the search for each file and tell me if you find them and where.
     
  14. lyndsey

    lyndsey Private E-2

    All four searches had no results.
     
  15. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Try clicking Start, Control Panel, Display, and then select the Desktop tab. Now click the Customize Desktop button. In the next window select the Web tab. At the bottom uncheck the Lock desktop items. And in the top part under Web Page make sure everything is unchecked. Then click OK to close that window, select a different Background in the next window and then Apply and OK.

    Tell me if this changes anything.
     
  16. lyndsey

    lyndsey Private E-2

    Excellent, thanks so much! You've helped a lot. =) A quick question, why would the Security box being checked change my desktop?
     
  17. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You mean the Lock desktop items selection?

    While it was locked it was preventing you from fixing whatever the malware did to you. Basically it was saving the settings and when you changed it, it would just restore it.
     
