trojan hijacking desktop wallpaper

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by ljdaul, Dec 15, 2005.

  1. ljdaul

    ljdaul Private E-2

    hi guys,

    I'm new here, and I have some sort of trojan that has hijacked my wallpaper and will redirect my browser to websites/produce popups etc.

    I got this virus/trojan early in the week and was running out-of-date virus software, and since then have run Ad-Aware and Spybot, which have gotten rid of some junk but nothing major, and downloaded the AVG antivirus. After doing a scan with that, it detected 68 trojan horse files and 6 viruses. It was able to eliminate most except one called "Klone" hidden in a "ll.exe" file in c:\windows\system32

    When I start up my computer, it takes about twice as long as usual, and I get a "rundll" dialogue box that says it has problems opening a temp file, and then AVG pops up a box that says a virus was detected, and I choose to delete the virus. Obviously it has not been deleted because after at least 5 restarts it's still there.

    Should I run HijackThis and post it, or do you have any other ideas?

    Also, I am running a Dell laptop (about 4 years old) with an 850MHz Pentium III processor, 256MB RAM, Windows XP Pro SP2. (I did a Windows update several weeks ago.)

    Thanks in advance for your response - I really worked myself into a problem with this one!

    Laura
     
  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    HijackThis is far from the first step. You could have a Smitfraud or SpyAxe related problem but I cannot tell based on your message. You did not say anything about what was in the wallpaper it put on your PC. So you can either run this:

    Smitfraud, SpySheriff, SpyAxe & PSGuard Removal

    for those problems (if you can tell). Or you need to work thru the below.

    Please follow our standard cleaning procedures which are necessary for us to provide you support. Also there are steps included for installing, running, and posting HijackThis logs as attachments.

    Please follow the steps below:

    - Run ALL the steps in this Sticky thread READ & RUN ME FIRST Before Asking for Support

    Make sure you check version numbers and get all updates.

    - Very Important: Make sure you tell us the results from running the tutorial...was anything found? Were you unable to complete any of the scans?...Were you unable to download any of the tools?...Did you do the on-line scans as suggested? etc.


    If after doing ALL of the above you still have a problem, make sure you have booted to normal mode and run the steps in the below link to properly use HijackThis and attach a log:

    Downloading, Installing, and Running HijackThis

     
  3. ljdaul

    ljdaul Private E-2

    Sorry for the premature post – I should have read first! I have now done your READ & RUN ME instructions, and here is where I ran into difficulty:

    Steps 1-4 went smoothly, but with step 5 (online virus scanning)...

    I could not perform any of the online virus and Trojan scanning – I rarely use IE and am not familiar with the settings, so it kept telling me that my securities were too high and I could not run any of the programs. I tried to change the security to low, but if I hit “apply” it would go back to medium. I was able to get a bit farther with TrendMicro w/ java using firefox, but it froze up and told me it would take 4.5 days to analyze my computer. It sat frozen for over an hour so I stopped it and continued to the next step.

    After running all the programs in safe mode as recommended, I rebooted in normal...

    When I restart I still get this “RUNDLL” dialogue box that says “Error loading c:\Docume~1\ADMINI~1\LOCALS~1\Temp\se.dll Access is denied” With an “ok” button.

    Then an AVG window pops up and says “Virus Detected! While opening file: C:\Documents and Settings\Administrator\Local Settings\Temp\se.dll Trojan Horse Startpage UQ” it has buttons to continue, info, heal, delete file, & move to vault

    The desktop wallpaper is still hijacked - the normal wallpaper is there right when I boot up, and then is covered with the hijacked version within a few seconds.

    Attached is my HijackThis file.

    Thanks in advance,
    Laura
     


  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay! One of your problems is a form of About:Blank hijacker.

    Download this file: SpSeHjfix109

    Unzip it to your desktop or to a folder.

    Boot into Safe Mode

    Start SpSeHjfix, click on " Desinfecton starten" (the other button means close) then it will reboot and finish the cleaning.

    Run SpSeHjfix one more time.

    Reboot in Normal mode.

    Run HijackThis again and post a new log. Also post the log from SpSeHjfix, the log should be on your desktop or the same folder as SpSeHjfix.
     
  5. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    I'm going to post some additional steps which will include some items that the previous steps may have already fixed or changed. But you need to do the below steps ASAP.
    If you are using WinXP or WinMe, make sure you have system restore disabled (per the tutorial).
    For all OS types, make sure viewing of hidden files is enabled (per the tutorial).

    Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\se.dll/space.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\se.dll/space.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
    O2 - BHO: (no name) - {08542E91-DD18-4177-AE55-29845E7C1541} - C:\WINDOWS\system32\jlpd.dll
    O4 - HKLM\..\Run: [WinHound] C:\Program Files\WinHound\WinHound.exe
    O4 - HKLM\..\RunServices: [windesktop] C:\WINDOWS\system32\windesktop.exe
    O9 - Extra button: Dell Home - {08DCFC6C-B6E4-480C-95A4-FC64F37B787E} - http://www.dellnet.com (file missing) (HKCU)
    O18 - Filter: text/html - {E042853F-7434-4EB8-AF03-1FCD3A7345E1} - C:\WINDOWS\system32\jlpd.dll
    O18 - Filter: text/plain - {E042853F-7434-4EB8-AF03-1FCD3A7345E1} - C:\WINDOWS\system32\jlpd.dll
    O21 - SSODL: Internet Explorer - {F28A40D7-AD0E-034A-C651-5F0ED76232E6} - C:\WINDOWS\system32\Hhlogo32.dll (file missing)

    After clicking Fix, exit HJT.
    Boot into safe mode and use Windows Explorer to delete (if found):
    C:\Documents and Settings\Administrator\Local Settings\Temp\se.dll
    C:\WINDOWS\system32\jlpd.dll
    C:\WINDOWS\system32\Hhlogo32.dll
    C:\WINDOWS\system32\windesktop.exe
    C:\Program Files\WinHound <--- the whole folder

    If you get an error when deleting a file, right click on the file and check to see if the read-only attribute is checked. If it is, uncheck it and try again. Otherwise open Task Manager and kill the process if running, then delete the file.

    Now run Ccleaner (installed while running the READ ME FIRST). Now if running Win XP goto c:\windows\Prefetch and delete all files in this folder.

    Now we need to Reset Web Settings:
    1) If you have an Internet Explorer icon on your Desktop, goto step 2. If not, skip to step 3.
    2) Now right click on your desktop Internet Explorer icon and select Properties. Then click the Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK. Then skip step 3.
    3) If you do not have an Internet Explorer icon on your Desktop, click Start, Control Panel (for some systems it may be Start, Settings, Control Panel), Internet Options, Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK.

    Now reboot in normal mode and post a new HJT log. And tell us how things are working.
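    The HijackThis entries listed above share a few patterns a helper looks for by eye: IE search and home settings forced to about:blank, a res:// URL that serves HTML out of a DLL sitting in a Temp folder, a nameless BHO, a RunServices autostart, MIME filters on text/html and text/plain, and orphaned "(file missing)" entries. The following script is an added example, not part of this thread or of HijackThis; it encodes those heuristics as a small log triage and adds the file names chaslang identified in this infection as a known-bad list. The sample log is constructed from the entries quoted above plus one benign Start Page line so the triage has something to leave alone.

```python
import re
from dataclasses import dataclass

# Constructed sample log: HijackThis-style entries modelled on the ones quoted in
# this thread, plus one benign Start Page entry so the triage has something to pass.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\se.dll/space.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,HomeOldSP = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.majorgeeks.com/
O2 - BHO: (no name) - {08542E91-DD18-4177-AE55-29845E7C1541} - C:\WINDOWS\system32\jlpd.dll
O4 - HKLM\..\Run: [WinHound] C:\Program Files\WinHound\WinHound.exe
O4 - HKLM\..\RunServices: [windesktop] C:\WINDOWS\system32\windesktop.exe
O9 - Extra button: Dell Home - {08DCFC6C-B6E4-480C-95A4-FC64F37B787E} - http://www.dellnet.com (file missing) (HKCU)
O18 - Filter: text/html - {E042853F-7434-4EB8-AF03-1FCD3A7345E1} - C:\WINDOWS\system32\jlpd.dll
O21 - SSODL: Internet Explorer - {F28A40D7-AD0E-034A-C651-5F0ED76232E6} - C:\WINDOWS\system32\Hhlogo32.dll (file missing)
"""

# File names the helper in this thread identified as part of the infection.
KNOWN_BAD_FILES = {"se.dll", "jlpd.dll", "hhlogo32.dll", "windesktop.exe", "winhound.exe"}

ENTRY_RE = re.compile(r"^(?P<kind>[RO]\d+) - (?P<body>.+)$")
TEMP_DIR_RE = re.compile(r"\\temp\\", re.IGNORECASE)
FILE_NAME_RE = re.compile(r"[\w~.-]+\.(?:dll|exe)\b", re.IGNORECASE)


@dataclass(frozen=True)
class Finding:
    line: str
    reasons: tuple


def triage_entry(line):
    """Return a Finding for one HijackThis entry, or None if no rule fires."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    kind, body = m.group("kind"), m.group("body")
    reasons = []

    # Any entry referencing a file named in the thread is flagged outright.
    for name in FILE_NAME_RE.findall(body):
        if name.lower() in KNOWN_BAD_FILES:
            reasons.append(f"references known-bad file {name}")

    if kind in ("R0", "R1"):
        # Search/home settings forced to about:blank are the About:Blank hijacker signature.
        if body.lower().endswith("= about:blank"):
            reasons.append("IE search/home setting forced to about:blank")
        # res:// serves HTML out of a DLL; a DLL living in a Temp folder is not a legitimate host.
        if "res://" in body and TEMP_DIR_RE.search(body):
            reasons.append("res:// page served from a DLL in a Temp directory")
    elif kind == "O2" and "(no name)" in body:
        reasons.append("Browser Helper Object with no name (legitimate BHOs register a friendly name)")
    elif kind == "O4" and "RunServices" in body:
        reasons.append("RunServices autostart (a Win9x-era key; XP itself does not use it)")
    elif kind == "O18" and re.search(r"Filter: text/(html|plain)", body):
        reasons.append("MIME filter on text/html or text/plain: every page IE renders passes through this DLL")

    # Orphaned entries are harmless on their own but are leftovers that should be cleaned.
    if "(file missing)" in body:
        reasons.append("orphaned entry (file missing)")

    return Finding(line.strip(), tuple(reasons)) if reasons else None


def triage_log(text):
    """Run triage_entry over every line of a log and keep the entries that fired."""
    return [f for f in (triage_entry(l) for l in text.splitlines()) if f]


def summarize(findings):
    """Count flagged entries per HijackThis section prefix (R0, R1, O2, ...)."""
    counts = {}
    for f in findings:
        kind = f.line.split(" - ", 1)[0]
        counts[kind] = counts.get(kind, 0) + 1
    return counts


if __name__ == "__main__":
    for f in triage_log(SAMPLE_LOG):
        print(f.line)
        for r in f.reasons:
            print("    ->", r)
    print(summarize(triage_log(SAMPLE_LOG)))
```

    The rules are deliberately conservative: a normal Start Page entry produces no finding, while the Temp-folder res:// entry is flagged twice (known-bad name and suspicious location), which is the kind of corroboration a helper wants before telling someone to click Fix.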
     
  6. ljdaul

    ljdaul Private E-2

    In waiting for your response I thought I would give an AVG scan another shot (in normal mode) and it detected the following:

    getAccess.class
    InsecureClassLoader.class
    Installer.class
    classload[1].jar <--(the folder that holds the previous files)

    All located in the Temporary Internet Files of an old username.

    Upon booting up after running the SpSeHjfix109 file in safe mode I get "winhound has encountered a problem and needs to close" but my regular wallpaper is back. I followed the directions on deleting the HijackThis entries and then doing the stuff in safe mode, and upon next bootup (which is still lagging in comparison to what it usually is) there was a message from the Microsoft AntiSpyware program regarding the fact that I changed my homepage.

    It also seems there is a program trying to start or is stuck because there is a white box in the upper left-hand quarter of my monitor that looks like it's a window trying to open. At any rate, the HijackThis and SpSeHjfix logs are attached.
     


  7. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    The message from MS Antispyware is to be expected as I was having you reset your web settings which will change all pages to defaults. You have to allow them or MS AS could reset them back to the bad stuff.

    Right now your log is clean! Try another reboot and let me know where things are afterwards. Make sure you run Ccleaner on the old user accounts to cleanup the TIF (also you could delete the user accounts if not needed).
     
  8. ljdaul

    ljdaul Private E-2

    I guess the hijacked wallpaper returning to normal was a fluke - the virus must have had time to regenerate or something because about 5 minutes later the fake wallpaper returned.

    The computer is still slow, and in the processes tab of the Task Manager it seems to have a lot more open than normal.

    I did go and manually delete those temporary internet files that I referenced in my last post. I don't believe that's the root of the problem, but hopefully it fixed something.

    Thanks for all your help so far, and any further assistance would be fabulous! thanks,

    laura
     
  9. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    There is nothing unusual in your process list. Everything was probably there before except maybe the below two which you may have installed during the READ & RUN ME:
    C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
    C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe

    They are part of MS Antispyware. Did you have it running before you came here? It does require some of your CPU horsepower but that is necessary for your security. You do not even have a firewall, which you will also have to install.

    Post a new HJT log right now and let's see if anything else appeared.

    Also do the below:

    Fixing Locked Desktop
    Also you should right click on your Desktop and select Properties. Then click the Desktop tab and then the Customize Desktop button. Now in the next window that comes up click the Web tab. Make sure at the bottom that Lock desktop items is unchecked. Then in the Web pages: box delete all items but My Current Home Page and make sure it is unchecked too. Then click OK. Apply. OK.
     
  10. ljdaul

    ljdaul Private E-2

    Yes, after a reboot the fake desktop wallpaper remains. Any thoughts for the next plan of attack?

    You mentioned deleting old usernames... in my "Documents and Settings" folder I have "Administrator" (which I use now), "All Users", "Default", "Default User" (hidden) and "ljdaul" - I deleted the ljdaul account under Control Panel > Users, so can I just wipe out the folder under Docs & Settings? I just want to make sure I don't screw anything up.

    Thanks again
     
  11. ljdaul

    ljdaul Private E-2

    Alright, new HijackThis log. Also, when I right click on the desktop, the normal window does not come up. The box only had one tab titled "General"; it says "not available" at the top. Underneath it says

    protocol: file protocol
    type: html document
    address (url): file://c:\windows\warn.html
    size: not available
    created:not available
    modified: not available


    I tried the right click on the desktop thing before I started posting on the forum, and I followed the file path and deleted the HTML page. It used to say "warning spyware on your computer" and now it is just plain white. Therefore, whatever virus is on here is still calling for that HTML file.

    Oh, and no, I didn't have the MS AntiSpyware running before I came here - that was new today.
     


  12. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay! So MS AS is the only new item that is running on your PC. Thus there are only two additional processes in your list from whatever you had previously.

    Let's try a couple of things:

    1) Locate and delete: c:\windows\warn.html
    If you cannot delete it in normal boot mode, try deleting it after booting in safe mode.

    2) Copy the contents of the below Quote Box to Notepad. Then click File and then Save As. Change the Save as Type to All Files. Name the file fixadt.reg and then click save. (make sure you save it somewhere you can find it. Saving it to your Desktop may make that easy.) Then double-click on the fixadt.reg file on your desktop (or locate it with Windows Explorer and double click on it if not saved to the Desktop) and when it prompts to Add in to the registry, say yes.
    Reboot your system and check to see how things are working.
     
  13. ljdaul

    ljdaul Private E-2

    I did the registry edit thing and did a reboot, and the fake wallpaper still appeared, but this time it had a very small toolbar at the top with the minimize, maximize, and close buttons (no page title or anything else), so I went to close it and the regular wallpaper (solid blue per your registry change) appeared. So I rebooted again and this time no fake wallpaper. So I did it again for good measure and no fake wallpaper again! PROBLEM SOLVED (I think).

    I will follow one of the top sticky threads for a firewall program. There were a lot of programs I installed today for the "READ & RUN ME" - are all of them necessary for day-to-day maintenance? Which would you recommend I keep? Again, thanks for all your help - I really appreciate it!

    laura
     
  14. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    What firewall are you referring to?

    In the READ ME, the only items you need to install were:

    Ad-Aware SE
    CCleaner
    Microsoft® Windows AntiSpyware
    Microsoft Windows Malicious Software Removal Tool
    SpyBot - Search & Destroy

    The only one using any real resource all the time is MS Antispyware. The others do not use anything unless running a scan. You should keep them all. Spybot's SDHelper, which I requested that you use in the READ ME, uses very little system resource, but it does not look like you installed Spybot or you did not enable this feature.
     
  15. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Also were you able to find and delete: c:\windows\warn.html
     
  16. ljdaul

    ljdaul Private E-2

    Your quote from post #9 above:

    "You do not even have a firewall which you will also have to install ."

    One of the sticky threads at the top of the forum (maybe it was preventing malware? I forget exactly) talked about installing a free firewall because the one in XP is not good enough.

    Also, I will make sure to enable that feature in Spybot.

    The "warn.html" I did not find - I had deleted this file earlier in the day, so I believe it was already gone. I will do a search to make sure, but it was not located in the folder specified.

    Overnight I did an AVG scan again and no viruses found... things are looking good.
     
  17. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Yes I know I said that! But I wanted to know which firewall (the name) you installed.

    I'm happy to hear things are working well!
     
