Author Topic: Unwanted software installed that display silly jokes on the desktop  (Read 17450 times)


cdestefani

  • Guest
Re: Unwanted software installed that display silly jokes on the desktop
« Reply #30 on: May 29, 2008, 04:47:11 AM »
Hi,

The C:\Antivuris is a folder I created where I have all the antivirus softwares downloaded.

The extra.txt is attached.

Thanks,

Offline oldman

  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 4142
  • Some days..... MOS...this bug's for you
Re: Unwanted software installed that display silly jokes on the desktop
« Reply #31 on: May 30, 2008, 06:37:31 AM »
Hi Carlos, sorry about the delay. Don't know if this will fix the desktop, but should remove the rest of the infection.

First use ERUNT to back up your registry, then do the rest.

REGISTRY FIX
Quote
REGEDIT4

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{445CCC1C-B639-4924-B785-BA1DAA48ED61}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{445CCC1C-B639-4924-B785-BA1DAA48ED61}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{445CCC1C-B639-4924-B785-BA1DAA48ED61}\InProcServer32]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{4FEB0D4C-F53C-470C-9640-1C4A5A262E26}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{4FEB0D4C-F53C-470C-9640-1C4A5A262E26}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{4FEB0D4C-F53C-470C-9640-1C4A5A262E26}\InProcServer32]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{783C1844-6785-40D0-9629-3F3B0D927E43}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{783C1844-6785-40D0-9629-3F3B0D927E43}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{783C1844-6785-40D0-9629-3F3B0D927E43}\InProcServer32]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{8691F860-96E4-4FB3-8D35-531C0D1B0AC1}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8691F860-96E4-4FB3-8D35-531C0D1B0AC1}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8691F860-96E4-4FB3-8D35-531C0D1B0AC1}\InProcServer32]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F1D04022-B193-4344-AA49-4C47FBB4C703}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{F1D04022-B193-4344-AA49-4C47FBB4C703}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{F1D04022-B193-4344-AA49-4C47FBB4C703}\InProcServer32]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F637F016-4785-493B-932D-9359FC69AAA0}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{F637F016-4785-493B-932D-9359FC69AAA0}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{F637F016-4785-493B-932D-9359FC69AAA0}\InProcServer32]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\geBRjKdd]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\perfnw32]
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"=-
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"=" msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"=hex(7):6d,73,76,31,5f,30,00,00


Next you will need to create the repair registry fix. To do that, copy and paste ALL of the above in the quote box to a notepad file. Ensure there is no space above the REGEDIT4.
Then in notepad go to FILE > SAVE AS and in the dropdown box, set the top box SAVE IN to DESKTOP
 
Then in the FILE NAME box type (including the " " marks),  "fix.reg"

Click save.

This will create a fix.reg file on your desktop

To use this file you will need to right click the icon and select merge, accept the warning if it appears and you are done.

Please download OTMoveIt2 by OldTimer.

Save it to your desktop.

Please double-click OTMoveIt2.exe to run it.

Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):


C:\WINDOWS\system32\TvEKnUvw.ini2
C:\WINDOWS\system32\QqrqBcfe.ini2
C:\WINDOWS\system32\remL
C:\WINDOWS\system32\1046a
C:\WINDOWS\system32\arDA
C:\WINDOWS\system32\dFrnx18
C:\WINDOWS\system32\wvUnKEvT
C:\WINDOWS\system32\wvUnKEvT.*


Return to OTMoveIt2, right click in the "Paste List of Files/Folders to be Moved" window (under the yellow bar) and choose Paste.

Click the red Moveit! button.

Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.

Close OTMoveIt2

If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

NOTE: If OTMoveIt2 reboots before you can get the results, they can be found here:
 C:\_OTMoveIt\MovedFiles\********_******.log
(where "********_******" is the "date_time")

Please post the OTMoveIt2 results and a new DSS log.
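The fix above is a REGEDIT4 file: `[-key]` lines delete a whole key, `"name"=-` deletes a value, `"name"="..."` sets a string, and `hex(7):...` sets a REG_MULTI_SZ (here the LSA "Authentication Packages" bytes decode to the default `msv1_0`). The following is an added example, not code from the thread or from any of the tools named in it: a read-only Python parser that lists what merging such a file would do, so a fix can be reviewed before it is applied. The embedded input is a constructed subset of the posted fix; the parser never touches the registry.

```python
"""Parse a REGEDIT4-style .reg fix and list what merging it would do.

Added example (not from the forum thread): a read-only reviewer for a
removal fix. It only parses text and never writes to the registry.
"""
import re

# Constructed input: a subset of the fix posted in the thread (REGEDIT4 syntax).
FIX_REG = r"""REGEDIT4

[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{445CCC1C-B639-4924-B785-BA1DAA48ED61}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{445CCC1C-B639-4924-B785-BA1DAA48ED61}\InProcServer32]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\geBRjKdd]
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"=-
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"=" msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"=hex(7):6d,73,76,31,5f,30,00,00
"""


def _logical_lines(text):
    """Join hex lines continued with a trailing backslash into one logical line."""
    buf = ""
    for line in text.splitlines():
        if line.rstrip().endswith("\\"):
            buf += line.rstrip()[:-1].strip()
            continue
        yield buf + line.strip() if buf else line
        buf = ""


def decode_value(raw):
    """Turn the right-hand side of a value line into (type, python value)."""
    raw = raw.strip()
    if raw == "-":                                   # "name"=-  deletes the value
        return ("delete", None)
    if raw.startswith('"') and raw.endswith('"'):    # "name"="text"  -> REG_SZ
        return ("REG_SZ", raw[1:-1])
    m = re.match(r"hex(?:\((\d+)\))?:(.*)$", raw)    # hex: / hex(N): comma-separated bytes
    if m:
        kind = int(m.group(1)) if m.group(1) else 3  # bare hex: is REG_BINARY (type 3)
        data = bytes(int(b, 16) for b in m.group(2).split(",") if b.strip())
        if kind == 7:                                # REG_MULTI_SZ: NUL-separated, double-NUL end
            return ("REG_MULTI_SZ", [s for s in data.decode("latin-1").split("\x00") if s])
        return ("hex(%d)" % kind, data)
    m = re.match(r"dword:([0-9a-fA-F]{8})$", raw)
    if m:
        return ("REG_DWORD", int(m.group(1), 16))
    raise ValueError("unsupported value syntax: " + raw)


def parse_reg(text):
    """Return a list of (op, key, value_name, data) tuples in file order."""
    lines = list(_logical_lines(text))
    # The helper's warning about "no space above REGEDIT4": regedit rejects the
    # file if the header is not the very first line.
    if not lines or lines[0].strip() != "REGEDIT4":
        raise ValueError("first line must be REGEDIT4 (no blank line above it)")
    ops, current = [], None
    for line in lines[1:]:
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            if key.startswith("-"):                  # [-key] deletes the whole key
                ops.append(("delete_key", key[1:], None, None))
                current = None
            else:
                current = key
            continue
        if current is None:
            raise ValueError("value outside a key section: " + line)
        name, _, raw = line.partition("=")
        name = "@" if name.strip() == "@" else name.strip().strip('"')
        kind, value = decode_value(raw)
        if kind == "delete":
            ops.append(("delete_value", current, name, None))
        else:
            ops.append(("set_value", current, name, (kind, value)))
    return ops


def summarize(ops):
    """Count operations by type, e.g. {'delete_key': 3, 'delete_value': 1, 'set_value': 2}."""
    counts = {}
    for op, _, _, _ in ops:
        counts[op] = counts.get(op, 0) + 1
    return counts


if __name__ == "__main__":
    for op, key, name, data in parse_reg(FIX_REG):
        print(op, key, name if name else "", data if data else "")
    print(summarize(parse_reg(FIX_REG)))
```

Reviewing the output shows the shape of this kind of fix: the BHO CLSID keys and the Winlogon Notify package are deleted outright, while SecurityProviders and the LSA Authentication Packages are not deleted but reset to their stock values, because removing them would break logon.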


cdestefani

Re: Unwanted software installed that display silly jokes on the desktop
« Reply #32 on: May 30, 2008, 10:40:08 PM »
Hi,

Thanks for your suggestions. I have implemented them, created the fix.reg file and merged it, and run OTMoveIt2; these are the results:

C:\WINDOWS\system32\TvEKnUvw.ini2 moved successfully.
C:\WINDOWS\system32\QqrqBcfe.ini2 moved successfully.
C:\WINDOWS\system32\remL moved successfully.
C:\WINDOWS\system32\1046a moved successfully.
C:\WINDOWS\system32\arDA moved successfully.
C:\WINDOWS\system32\dFrnx18 moved successfully.
File/Folder C:\WINDOWS\system32\wvUnKEvT not found.
< C:\WINDOWS\system32\wvUnKEvT.* >
File/Folder C:\WINDOWS\system32\wvUnKEvT.* not found.
 
OTMoveIt2 by OldTimer - Version 1.0.4.2 log created on 05312008_045949

Then I ran the DSS and found a few entries with (no name) and (no file), so I ran the HJT software, deleted them, ran HJT again and then ran DSS again. I attached all these files in the order of running them: 1, 2, 3, and 4 (the last one).

Between HJT runs 2 and 3 I rebooted the PC, just to check if the entries were deleted. Before, they used to come up again after a reboot; this time they did not come back. I hope it will continue this way.

At the end I ran the DSS again, file number 4.

Well, it seems like this time the fix was done.

The desktop still is not enabled.

How do I enable TeaTimer? Is it time now? Might it enable the desktop?

If I want to recover the desktop, will an "install repair" fix it?

I look forward to your answer with further comments/opinions, etc.

Thanks,

Carlos

Offline oldman

  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 4142
  • Some days..... MOS...this bug's for you
Re: Unwanted software installed that display silly jokes on the desktop
« Reply #33 on: May 31, 2008, 07:08:57 PM »
Hi Carlos

The remnants are gone.

Re-enabling teatimer won't fix your desktop, I'm afraid. Teatimer monitors reg changes, this is why it has to be disabled before doing any fixes that involve the registry.

To enable
See Here

Did you try another user account to see if the problem exist there also?

Your account may be corrupted, given the problems you had disabling teatimer the first time. It may still show you have administrator rights, but you may still not be able to perform all the rights associated. You can try to create a new administrator account and see if that works.

This infection is probably part of the smitfraud family so I don't think it would be a problem running Smitrem from http://noahdfear.geekstogo.com/  Note, it is to be run in safe mode. If you decide to try this, remember teatimer has to be off.

To remove DSS and OTMOVEIT2

double-click OTMoveIt2.exe to run it, then click the Clean Up button. You may get prompted by your firewall that OTMoveIt wants to contact the internet -  allow this.  A cleanup.txt will be downloaded, a message dialog will ask you if you want to proceed with the cleanup process, click Yes. This will delete all the tools you have downloaded plus itself.

cdestefani

Re: Unwanted software installed that display silly jokes on the desktop
« Reply #34 on: June 01, 2008, 11:46:07 PM »
Hi,

I have done the last suggestion and ran smitrem in safe mode. It was very fast and did not produce any report, but I could see some messages saying "file not found" or similar, which means it was removed before, if it was there.

At this stage, I think we have reached a point where there is not much more to be done. The desktop was left blue and I can change colours only. But the whole process was a huge learning experience.

What I think now is to download Service Pack 3 and install it. It will bring up several security issues and may fix the desktop problem too.

I also need to move to another PC that was hijacked with the same rubbish on the screen. I will try to implement all that you told me and if I need further assistance I will ask you, if you don't mind. Could I ask you again?

Thanks for everything really. It was a great learning experience.

Carlos

Offline oldman

Re: Unwanted software installed that display silly jokes on the desktop
« Reply #35 on: June 02, 2008, 01:14:28 AM »
Hi Carlos

Sorry I couldn't help more. I suggested everything I came across. It has to be a reg key or just the permissions (rights) your account has.

If you do another computer, make sure you get teatimer, or any other program that monitors reg changes, disabled before you try to remove the infection.

No problem asking, I'm usually around.

Take care.

cdestefani

Re: Unwanted software installed that display silly jokes on the desktop
« Reply #36 on: June 03, 2008, 11:46:15 AM »
Hi,

Thanks for everything; without your help I would most likely still be trying to clean the PC or just reformatting the HD and making a new start. I downloaded and installed Windows XP SP3; the PC works OK but there is no background enabled. It must be a key in the registry, but it will take some time to find it. I decided to leave it as it is for now.

However, I moved to the other PC that was hijacked a week before mine with the same problem on the screen. I managed to get rid of the screen program by running several antivirus softwares, but the background is disabled.

Just now, I disabled TeaTimer, ran HJT and also ran an updated version of Malwarebytes; no viruses were found.

On the HJT report, I really need your help to identify entries to be deleted. I do not have the criteria for deciding what is good or bad.

On the report there are some lines that to me look suspicious, such as:

C:\Program Files\Bonjour\mDNSResponder.exe
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O9 - Extra button: (no name)...... there are 3 of these entries.

There are also other entries with {}, numbers plus letters, that I can't make a proper judgment about regarding how useful they are. Can you help me?

I attach the HJT and mbam reports. I cannot find the spelling checker, so I apologise for the errors.

Thanking you in advance,

Carlos

Offline oldman

Re: Unwanted software installed that display silly jokes on the desktop
« Reply #37 on: June 04, 2008, 02:14:36 AM »
Hi Carlos

Quote
However, I moved to the other PC that was hijacked a week before mine with the same problem on the screen. I managed to get rid of the screen program by running several antivirus softwares, but the background is disabled

You mean you now have 2 PCs with no background?

Quote
C:\Program Files\Bonjour\mDNSResponder.exe

mdnsresponder.exe is a process associated with "Bonjour for Windows" software. It is used by iTunes for music sharing. This is a non-essential process. Disabling or enabling it is down to user preference.

Quote
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local

This is okay.

Quote
Extra button: (no name)

These are extra buttons on the main IE toolbar. They don't have a name associated with them. One is java (which BTW is out of date), 1 Spybot and the other network diagnostics. Leave them, they are good guys.

Numbers in the {} are like folder/file names. Just windows keeping track of everything.

The log looks clean.

cdestefani

Re: Unwanted software installed that display silly jokes on the desktop
« Reply #38 on: June 04, 2008, 10:05:28 AM »
Hi,

Yes, I have two PCs with the same problem, no background thanks to the hijack. I remember telling you this before.

Well it seems that in this PC I managed to remove everything. Will it make any difference if I run smitrem? This is just to have some reassurance only, does it make sense?

Thanks a lot for your assistance on this.

Thanks,

Carlos

Offline oldman

Re: Unwanted software installed that display silly jokes on the desktop
« Reply #39 on: June 04, 2008, 03:08:11 PM »
Smitrem shouldn't hurt. Don't know if it will fix the background though.

cdestefani

Re: Unwanted software installed that display silly jokes on the desktop
« Reply #40 on: June 08, 2008, 12:56:50 PM »
Thanks for your assistance with this trouble.

Smitrem is only to use it; I am not expecting the background to be fixed. I think we should live without it.

I will look at the Microsoft site; there may be some articles there that could deal with this issue. It is a thought only.

Thanks,

Carlos