Forced blue background?

Is it a feature of Avast to change my background to blue with a warning box saying Warning! Spyware detected on your computer! Install an antivirus or spyware remover to clean your computer? It seems dodgy, but I don’t know what else would do that. Unless a random website I visited has that kind of access to my computer?

Right clicking the desktop to change the background doesn’t work, by the way - only 3 tabs are available and none of them let you change the background.

I’d appreciate help with this even if it’s not an Avast problem - apparently I’m not as well protected as I should be. Also, I can run a HiJackThis log if it’s needed, just let me know.

Thanks in advance,
Patron

After an Avast scan, it didn’t go away. However, Avast keeps turning up .tmp files that seem to happen no matter what I’m doing.

Also, I selected an image in my pictures and made it my background; however, I still don’t have those tabs on the display properties window that would let me change it to tile, stretch, center, etc.

EDIT: The recurring .tmp trojan files are “.ttF96.tmp” and “.ttF9C.tmp”. Google searches turned up nothing.

No that is most certainly not a feature of avast.

It sounds more like scum/scamware, trying to get you to buy something or install something that will likely infect your system and it is most certainly ‘dodgy’ as you suspect. The actual program that does this isn’t a virus as such but fake alerts that play on your fears.

If you haven’t already got this software (freeware), download, install, update and run it, preferably in safe mode, and report the findings (it should produce a log file).
SUPERantispyware On-Demand only in free version.

There is also this tool, RogueRemover, available here http://www.malwarebytes.org/rogueremover.php

Hi David - thanks for responding so fast.

I ran the program in safe mode as requested and got the following log:

http://www.uploading.com/files/T5GVYU9Q/SUPERAntiSpyware_Scan_Log_-_07-07-2008_-...log.html

Note: sorry I had to upload it to a website, but it has a 56,000 character count and the limit in one post is 1,000

You can also attach text based files like .log or .txt to the posts.

More importantly did it get the job done ?
If not try the next tool, rogue remover.

This one you should upload to virustotal for further analysis as avast didn’t detect it (see below).

Rogue.Dropper/Gen
C:\WINDOWS\SYSTEM32\LPHCTSDJ0EJF1.EXE

This is strange as a bmp file shouldn’t have any potential to be a trojan, but check it at VT also.
Trojan.Unknown Origin
C:\WINDOWS\SYSTEM32\PHCTSDJ0EJF1.BMP

These make me think that the two items above might not be malware, as in these ones SAS says they aren’t harmful and are from Sysinternals; well, the file names are so close to the ones above they would most likely be for the same Sysinternals bluescreen capture.

NotHarmful.Sysinternals Bluescreen Screen Saver
C:\WINDOWS\SYSTEM32\BLPHCTSDJ0EJF1.SCR
C:\WINDOWS\Prefetch\BLPHCTSDJ0EJF1.SCR-3A9C0701.pf

Also the prefetch folder doesn’t have a copy of the file just the HDD location referenced so it can be loaded quicker.

Tracking cookies are nothing to get concerned about; I have that option deselected in the SAS Scan settings. However, you could certainly do with periodically clearing out your cookies. Yours are a mess, I don’t think I have seen so many, and this is the reason the log is so big.

You could also check the offending/suspect file at: VirusTotal - Multi engine on-line virus scanner and report the findings here.

If multiple scanners detect malware in either of the uploaded files (I would think unlikely) you should send a sample to avast.

Send the sample to virus@avast.com zipped and password protected with the password in email body, a link to this topic might help and undetected malware in the subject.

Or you can also add the file to the User Files (File, Add) section of the avast chest (if it isn’t already there) where it can do no harm and send it from there (select the file, right click, email to Alwil Software). No need to zip and PW protect when the sample is sent from chest. A copy of the file/s will remain in the original location, so any further action you take can remove that.

After uploading the files mentioned for scanning and clearing your cookies, I would suggest that you run SAS again, but this time do a Full rather than Quick scan. It will look deeper, as whatever was responsible for the fake alerts isn’t detected.

Or you could run the rogue remover first.

Rogue Remover detected no items, yet my graphics display tabs are still broken.

C:\WINDOWS\SYSTEM32\LPHCTSDJ0EJF1.EXE - file not found for VT

C:\WINDOWS\SYSTEM32\PHCTSDJ0EJF1.BMP - file not found for VT

C:\WINDOWS\SYSTEM32\BLPHCTSDJ0EJF1.SCR - 5/33 programs thought it was bad. (http://www.virustotal.com/analisis/aefac119620d503fc183caada6b86b9d)

C:\WINDOWS\Prefetch\BLPHCTSDJ0EJF1.SCR-3A9C0701.pf - file not found for VT

Oh, and I keep trying to delete all my cookies but I hit clear private data and then go back to my cookie log and there are still some there. You were right about having a ton of cookies though, I’ve been using Opera as a browser and completely forgot about it, so my Firefox and IE browsers were clean but Opera was loaded down.

The files not found may be because SAS moved it to quarantine ? though that wasn’t clear from the SAS log.

On the VT result, most saying it is a joke blue screen (BSOD), one suspicious (heuristic and possible false detection) and only one that puts a name to it.

So all in all it is a non-essential application and you could get rid of the
C:\WINDOWS\SYSTEM32\BLPHCTSDJ0EJF1.SCR file.

I would be surprised if the fake alerts would somehow have any impact on your graphics card tabs and is possibly unrelated. You could try reinstalling the graphics card interface.

You can post a HJT log and see if there is anything obvious on that.

If you want to be sure you’re clean and it’s not just about cookies… well, I suggest:

  1. Disable System Restore and reenable it after step 3.
  2. Clean your temporary files.
  3. Schedule a boot time scanning with avast with archive scanning turned on. If avast does not detect it, you can try DrWeb CureIT! instead.
  4. Use SUPERantispyware, MBAM or Spyware Terminator to scan for spywares and trojans. If any infection is detected, it is better and safer to send the file to Quarantine than to simply delete them.
  5. Test your machine with anti-rootkit applications. I suggest avast! antirootkit or Trend Micro RootkitBuster.
  6. Make a HijackThis log to post here or, better, submit the RunScanner log to on-line analysis.
  7. Immunize your system with SpywareBlaster or Windows Advanced Care.
  8. Check if you have insecure applications with Secunia Software Inspector.

Also, I found out that the problem is only on my Windows name - when my sister logs in, she doesn’t have the problem.

Attached is the HJT log, I’m in the process of doing all that you said, Tech.

From a quick look, these look suspicious:

C:\DOCUME~1\Bob\LOCALS~1\Temp\goIJ.exe C:\WINDOWS\system32\lphctsdj0ejf1.exe

Can you upload those in VirusTotal and post results?

For the cleaning procedure Tech has it correct :slight_smile:

I agree with pico. Looks very dodgy: C:\WINDOWS\system32\lphctsdj0ejf1.exe… it’s also starting at boot up in HKLM. You can get some information by navigating to that file, right clicking and selecting properties. Does it give you any information under the Details tab? In addition to Tech’s advice you may want to download and run DrWeb CureIt, as it doesn’t require any installation, but runs straight from the executable. It’s also pretty good at these sort of nasties.
http://freedrweb.com/cureit/
m

Sorry Tech… I see you have already mentioned CureIt… My eyes are getting bad :slight_smile:

Ok, as far as C:\DOCUME~1\Bob\LOCALS~1\Temp\goIJ.exe and C:\WINDOWS\system32\lphctsdj0ejf1.exe are concerned, I’m having some trouble. I can’t navigate to them, and even that direct file name in Virus Total gives me the message 0 bytes received. They don’t come up when I search them either.

For C:\DOCUME~1\Bob\LOCALS~1\Temp\goIJ.exe, how should I find that anyways? I assume DOCUME~1 is Document and Settings, so I clicked that, but I have no LOCALS~1 file or folder under Bob.

I also did a complete SAS scan, and it came up with a few results, one of which had details that it was a fake blue screen thing that was set up to trick people into thinking they had malware, which fits the bill perfectly. I clicked to quarantine it, and the program requested I reboot to finalize the process. I rebooted, but my tabs were still broken. So, I ran SAS full scan again, and it found nothing, but my tabs are still broken.

Now I think I’ll start Tech’s method, I’ll see how that goes.

You may need to show hidden files and folders in folder options to see local folder.
m

If it helps…
Hide protected operating system files
View hidden files and folders.

I have all files and folders showing now, and I can navigate to the right subfolders, but the files themselves are not where they are supposed to be. If it’s all alphabetical, which I assume it must be, those files aren’t there. I have Dr. Web running a full scan now, I’ll edit with results later.

Hi…is your active desktop enabled?
http://www.computerhope.com/issues/ch000593.htm

m

Actually hang on a second guys, we may have a quick fix here. I was looking around for answers on google and found somebody with the same problem as me. Somebody traced it back to an HKEY binary value. Now I know that editing the registry is definitely not to be taken lightly, but this is definitely where my problem is at - in my HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System folder I have 2 things: NoDispBackgroundPage and NoDispScrSavPage. I’d say these 2 are definitely where my problem is, but I want to check with the experts before I go and delete things from my registry. Do I have the green light from you guys to delete those?

Also, just to check, if I delete them then empty my recycle bin would that be that, or do I have to export them to the Avast chest or something?

Did CureIt find anything? It looks like malware changed your settings. You can restore those settings with the reg file here…
http://forums.techarena.in/showthread.php?t=681646
m

Problem solved everyone! A big thank you to DavidR, Tech, PiCo, and miscreant for all your help.

To other people who have the same problem I just fixed, the condensed version of fixing the problem is as follows:

  1. Start → Run

  2. Type in “Regedit”

  3. HKEY → HKEY_CURRENT_USER → Software → Microsoft → Windows → Currentversion → Policies → System

  4. Now you should be in a folder with 3 things, (Default), NoDispBackgroundPage, and NoDispScrSavPage. Double click the files NoDispBackgroundPage and NoDispScrSavPage and change their values from 1 to 0

  5. Close regedit

Cheers and thanks again,
Patron
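As an added example (not from the thread or any of its posters), a PowerShell script that audits the two policy values Patron found and, when run with -Fix, backs up the key and resets them to 0, the same change the post above makes by hand in Regedit. The -Fix switch and the backup path are my own assumptions; run it as the affected user.

```powershell
# Added example: audit/restore the per-user Display Properties policy values
# (NoDispBackgroundPage, NoDispScrSavPage) that malware used to lock the
# Background and Screen Saver tabs. Assumption: -Fix is a switch defined here.
param([switch]$Fix)

$key   = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'
$names = @('NoDispBackgroundPage', 'NoDispScrSavPage')

if (-not (Test-Path $key)) {
    Write-Output "Policy key not present: $key (nothing to restore)"
    return
}

if ($Fix) {
    # Keep a copy of the key before touching it so the change can be reviewed
    # or reverted (backup location is an assumption, not from the thread).
    $backup = Join-Path $env:TEMP 'policies-system-backup.reg'
    reg export 'HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System' $backup /y | Out-Null
    Write-Output "Backed up key to $backup"
}

$props = Get-ItemProperty -Path $key
foreach ($name in $names) {
    $value = $props.$name
    if ($null -eq $value) {
        Write-Output "$name : not set (tab should be available)"
        continue
    }
    Write-Output ("{0} : {1}" -f $name, $value)
    if ($value -ne 0) {
        Write-Output "  -> tab is disabled by policy"
        if ($Fix) {
            # Same as the manual fix: change the value from 1 to 0.
            Set-ItemProperty -Path $key -Name $name -Value 0 -Type DWord
            Write-Output "  -> reset to 0"
        }
    }
}
```

Without -Fix the script only reports, which makes it usable as a quick check on other accounts (the thread noted the sister’s profile was unaffected) before anything is changed.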

Good to hear. :slight_smile: You may wish to consider supplementing avast with something like DriveSentry (free) or other such software that can protect against the alteration of such registry keys and also protect system files etc…
http://www.drivesentry.com/AntiVirus-Firewall-features-for-computers-and-removable-media.html

I find it works well with avast, although like all security software check that it doesn’t conflict with other apps.