Unwanted software installed that displays silly jokes on the desktop

Hello everyone,

I am an avast free edition user. Since last Sunday, 11 May, I have had a problem on my PC.

My son was using it to download a file from the web and since then I have a piece of software that shows daily silly jokes. On top of this, it downloads viruses and trojans and makes several changes in the registry too.

Since Sunday afternoon I have scanned my PC with: avast, a-squared, Spyware Terminator, AVG, Spybot, Ad-Aware, and Pavark rootkit.

I have WinXP SP2 and with these troubles I can’t start in Safe Mode; the F8 key does not respond. I made a change with the msconfig facility and the PC got into a reboot loop. It took me two days to rebuild the “boot.ini” file and get Windows started again.

Every day I update the virus database and scan, and several trojans and a couple of viruses are found. Also, a few registry changes are made.

I finish the day with the PC “clean”, but as soon as I connect the PC to the web the “jokes” come up on the desktop. Besides being silly jokes, there must be a link to download the nasty stuff too, and then I start all over again.

Today I searched for “exe files” installed last Sunday, found 3 of them in the My Documents folder and deleted them, but the problem is still on the PC.

Is there a way to get rid of this problem?

I hope somebody can assist me on this.

I attach a JPG file with today’s joke for your information.

I appreciate all the assistance that the people on this forum can offer me.

Thanks so much.

Carlos


Please download HijackThis from the link below, run the program but do not make any fixes, and then post the log results using the “copy & paste” method. It will probably take more than one post to be able to get the complete log posted. OR, you can post it as an attachment to your post by clicking on “Additional Options…” below left of the posting box. Someone will review your log and then offer help.

http://filehippo.com/download_hijackthis/


Hello CharleyO,

Thanks for your answer and suggestion. I ran the software and the log file is attached.

I look forward to the next comments and suggestions about what to delete.

Thanks to everyone,

Carlos

Hi, I had a look at your HJT (HijackThis) log. It shows traces of Vundo. Along with, yes, count them, 3 antivirus programs. One at a time is the norm. You are not more protected, rather, probably less protected than with just 1.

I don’t know how well this will work until you uninstall 2 of the antivirus programs.

So start by uninstalling 2 of them. Your choice.

Then, teatimer will have to be disabled, or it will interfere with any fixes we are going to do.

Open Spybot and make sure teatimer is disabled; we will re-enable it afterwards. To do so, do the following:

Click Mode
Click Advanced mode
If you get a warning, answer “yes”
Click Tools
Click Resident
Uncheck Resident “TeaTimer”
Click Allow change

Download and Unzip to your Desktop: http://www.techsupportforum.com/sectools/ResetTeaTimer.zip
Double click ResetTeaTimer.bat to remove all entries set by TeaTimer.

Reboot.

Open HJT, run a system scan only, check mark these lines if present

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: (no name) - {445CCC1C-B639-4924-B785-BA1DAA48ED61} - (no file)
O2 - BHO: (no name) - {4FEB0D4C-F53C-470C-9640-1C4A5A262E26} - (no file)
O2 - BHO: (no name) - {783C1844-6785-40D0-9629-3F3B0D927E43} - (no file)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {8691F860-96E4-4FB3-8D35-531C0D1B0AC1} - (no file)
O2 - BHO: (no name) - {F1D04022-B193-4344-AA49-4C47FBB4C703} - (no file)
O2 - BHO: (no name) - {F637F016-4785-493B-932D-9359FC69AAA0} - C:\WINDOWS\system32\wvUnKEvT.dll (file missing)
O20 - Winlogon Notify: geBRjKdd - geBRjKdd.dll (file missing)
O20 - Winlogon Notify: perfnw32 - perfnw32.dll (file missing)

NOTE: If you or an administrator DID NOT set these lines with Spybot, you can include them in the fix

O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present

Close all other browsers/windows, click fix checked, close HJT.

Please download ATF Cleaner by Atribune.

This program is for XP and Windows 2000 only

Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.

If you use the Firefox browser:

Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.

If you use the Opera browser:

Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.

Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.

Please download Malwarebytes’ Anti-Malware from Here or Here

Double-click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes’ Anti-Malware and Launch Malwarebytes’ Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select “Perform Quick Scan”, then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to restart. (See Extra Note.)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy & paste the entire report in your next reply.

Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

Please post back with the malwarebytes results and a new HJT log. Please give us an update on your computer’s status.

Thanks.
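As an added illustration (not code from the thread or from HijackThis itself), a small Python triage of the entry types the fix list above targets: orphaned O2 BHO and O20 Winlogon Notify registrations, a blanked R0 Local Page, and O6 IE Restrictions policies. The log text below is constructed to mimic the entries quoted above, with placeholder CLSIDs.

```python
import re

# Constructed sample log modelled on the HJT entry types discussed in the
# thread (placeholder CLSIDs; not a real log from this poster).
# crypt32chain is a legitimate XP Winlogon Notify entry used as a negative case.
SAMPLE_HJT_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: Example Helper - {00000000-0000-0000-0000-000000000001} - C:\Program Files\Example\helper.dll
O2 - BHO: (no name) - {00000000-0000-0000-0000-000000000002} - (no file)
O2 - BHO: (no name) - {00000000-0000-0000-0000-000000000003} - C:\WINDOWS\system32\wvUnKEvT.dll (file missing)
O20 - Winlogon Notify: geBRjKdd - geBRjKdd.dll (file missing)
O20 - Winlogon Notify: crypt32chain - crypt32.dll
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
"""

# Every HJT entry starts with a section tag (R0, O2, O20, ...) and " - ".
ENTRY_RE = re.compile(r"^(?P<section>[A-Z]\d{1,2}) - (?P<body>.*)$")

def parse_hjt(log_text):
    """Split a HijackThis log into (section, body) tuples, skipping noise."""
    entries = []
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group("section"), m.group("body")))
    return entries

def is_orphan(section, body):
    """True for entries that point at a file or value no longer present:
    leftover BHO/Winlogon registrations of a removed DLL, or a blanked
    IE Local Page. These are the lines HJT can safely remove."""
    if section == "O2":
        return body.endswith("(no file)") or body.endswith("(file missing)")
    if section == "O20":
        return body.endswith("(file missing)")
    if section == "R0":
        return body.rstrip().endswith("=")
    return False

def is_policy_restriction(section, body):
    """O6 entries mean an IE Restrictions policy key exists; only fix it if
    no administrator or tool (e.g. Spybot) set it deliberately."""
    return section == "O6" and body.endswith("Restrictions present")

def triage(log_text):
    """Return (orphans, restrictions), each a list of full entry strings."""
    orphans, restrictions = [], []
    for section, body in parse_hjt(log_text):
        entry = f"{section} - {body}"
        if is_orphan(section, body):
            orphans.append(entry)
        elif is_policy_restriction(section, body):
            restrictions.append(entry)
    return orphans, restrictions
```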

Hi,

Thanks so much for your help. One thing about antivirus: I normally have avast on, and a-squared is installed because it sometimes picks up trojans that are picked up by avast. All the others were installed this week in the hope that they could fix my problem. In the end, desperate and with no success, I wrote to this forum.

Now, going to your suggestions.

I have implemented all of your suggestions with the PC offline, with some changes:

1 - After double clicking ResetTeaTimer.bat I haven’t rebooted the system.
2 - In Spybot Advanced mode I haven’t found the “Allow Change” command; I just exited the program.

Then I followed your instructions and connected to the web again to run Malwarebytes; I ran the software and removed everything it found.

The PC now seems to be clean, with some additional problems.

After all the cleaning the desktop ended up in “white” colour. I went to Control Panel ==> Display ==> Desktop and can only change the colour; the background pictures option is disabled. How do I reset it?

Please find attached the HJT results before and after cleaning and the Malwarebytes results too.

I thank you for any further suggestions on how to complete fixing this problem.

I attached 3 txt files but I do not know if all of them were attached. If any of them is missing I will resend them. Please let me know. Thanks.

Kind regards,

Carlos

Re: teatimer

You should get a prompt after you uncheck Resident Tea-Timer

Here’s a pictorial

http://russelltexas.com/malware/teatimer.htm

It’s important that teatimer be disabled, as you will not be able to do the HJT fix while it’s running.

re: desktop
It is also possible it is teatimer causing this. It may not be allowing the changes.

Post back after you get teatimer disabled and do the HJT fix. Post a new log and let me know if your desktop is back.

Thanks

Hi,

Thanks for your answer. I have done it all over again.

Opened Spybot, unchecked resident “teatimer” but the “Allow Change” message does not come up.

Then I rebooted the PC, ran ResetTeaTimer and rebooted again.

Ran a system scan with HJT and deleted all the O2 - BHO: (no name) entries.

The O20 - Winlogon Notify entries are there but end differently, with C:\Windows this time.

I ran Malwarebytes and it found nothing this time. Before, it found 8 files.

After completing this I ran HJT again, saved the report and attached it to this message. When you open this one, you will see the BHO: (no name) entries are there again. How come?

Then I opened Spybot and set TeaTimer active again; no “Allow Change” message, only the little clock beside the mouse pointer was on for a few seconds.

Rebooted the PC again, went to Control Panel => Display => Desktop and it is exactly the same; only the colour I can change.

What could I do next? Spybot does not display the Allow Change and the desktop must be in one colour only.

Well, the main problem of having someone displaying pictures on my desktop was solved. This is a huge solution for me; whatever is left is minor. Thanks very much.

I look forward to your next opinions and instructions.

Thanks so much. I really appreciate your help with this trouble.

Regards,

Carlos

The O6 - HKCU were not there.

Hi

Simply put, malware hijacked your desktop and made some registry changes. Teatimer is not allowing you to edit the registry, which is why the HJT fixes fail.

We have to find a way to disable teatimer.
2 possibilities as to why you can’t disable it are:

  1. you are not logged into an account with administrator rights
  2. you have another program that monitors registry changes. This would/could prevent teatimer from being disabled.

It’s been a long time since I looked at A2. Does it have that capability? Do you have any other program that may be doing that?

If you have such a program, please disable it before you try to disable teatimer.

Make sure the account you are logged into has administrator rights.

Besides checking the above 2 possibilities, you might be successful in safe mode. If you try this, do it from your regular account.

If you are successful in disabling teatimer, then run the HJT fix. There is no point in doing the HJT fix if teatimer is still running; it will fail again.

The last way is a bit more drastic. You could uninstall Spybot and reinstall it again after you get your desktop sorted out.

We will be here to assist you further if needed.

Thanks

Hi,

As you know from my first letter, the Safe Mode is not possible in my PC, not even now after a few partial fixes.

Here is what I have done this time.
1 – Uninstalled a-squared.
2 – Uninstalled SpyBot and downloaded it again.
3 – Installed the newly downloaded file, and once it was completed I unticked the run TeaTimer option and updated the software.
4 – Opened SpyBot and disabled TeaTimer, with no “Allow Changes” option as usual.
5 – Ran the ResetTeaTimer.
6 – Rebooted.
7 – Ran HJT and selected the options you recommended plus another O2 – BHO that was there with a (no file) ending.
8 – Clicked Fix Checked, and closed it.
9 – Now I will enable TeaTimer from SpyBot Resident and click on it. Is this OK?

This time TWO Allow Changes boxes came up. A bit late came the first one, don’t you think so?

Do I select Immunize option with SpyBot? Does it work for future possible problems?

Then I ran the ATF Cleaner and Malwarebytes as before; no problems were found.

Then I ran HJT again and the report is attached.

It seems to me that one is OK. What do you think?

I really thank you for all this. It was a good learning experience.

Do I leave my PC with Avast only or install some other such as a-squared or AVG?

Do you know how I could have the Safe Mode option back into my PC? I haven’t tried yet, after all these fixes. I will later on and if everything is OK I will write again.

Thanks again.

Carlos

Try this - How to restore Safe Boot.
The malware may have deleted the SafeBoot registry keys.
Here are some options to restore them:

http://didierstevens.wordpress.com/2006/06/26/restoring-safeboot/
http://didierstevens.wordpress.com/2007/02/19/restoring-safe-mode-with-a-reg-file/

Also see http://forum.avast.com/index.php?topic=26554.msg216924#msg216924

Edit: Dead link removed.
Thanks oldman, I tried a search of that forum, but you appear to have to be registered and logged in to use the search function, crazy.

Leave teatimer off until we are done.

Let’s see if we can fix your safe mode first, then look at restoring the background.

Download AVZ from here:
http://z-oleg.com/avz4.zip
Unzip the file and place it on your desktop.

Open the avz4 folder and doubleclick avz.exe to start the tool.
On top in the menu, click File, System recovery and select Restore Safeboot Reg keys
Click the “Execute selected Operations” button below.

Close avz.exe.
Delete AVZ4.ZIP, and the AVZ4 folder.
Reboot and Test Safe Mode.

You can try the tool above or try the second link that DavidR posted.

note: The last link DavidR posted, seems to be dead. I don’t know why. Many forums are using AVZ for safe mode repair.

Thanks for your answer.

I disabled TeaTimer and left it disabled.

Followed your instructions and Safe Mode is restored and worked very well, thanks. I could log on as Administrator and also as user (myself).

I look forward to your next recommendations on how to recover the desktop; it is still disabled. Only the colour I can change; the background option is off.

Thanks,

Carlos

Hi Carlos

On the Desktop tab are both the Customize Desktop and browse buttons grayed out?

If they are not grayed out, try this

Right click on a bare spot on your desktop and select Properties.
Go to Desktop tab, click the Customize Desktop button (near the bottom),
Click the Web tab and delete everything except “My current home page” and leave that unticked

Also leave Lock Desktop Items unchecked

If you can’t do the above, try this to see if a web item is locked on the desktop

Right click a bare spot on the desktop
Highlight Arrange Icons by and make sure Lock Web Items on Desktop is not checked

Please post back.

Hi,

Thanks for your answer and help to recover the Desktop.

I tried all suggestions but this time none of them worked.

I will be away from my PC for this week. I plan to work again on it during the weekend. I will write back including pictures of what I have with the Desktop option so you have a clearer indication of what it looks like. I think this will help you to think further.

Nevertheless, if you have further suggestions and would like to write back before the weekend I will apply them and then write a more complete note, with pictures and results.

Thanks and regards,

Carlos

Hi Carlos

I haven’t forgotten about you. Was just waiting for the weekend.

We have checked the easy things to check, now we look at some registry keys. We won’t change anything yet, we just have to examine a few keys.

Are you comfortable looking at the registry? We can back it up first if you wish.

Download and run ERUNT http://www.larshederer.homepage.t-online.de/erunt/

note: the download links are server1, server2, server3

Start ERUNT, confirm the Welcome message.

Type in the name of a restore folder where the backed up registry
files should be saved, or click “…” to browse your computer’s drives
and select a folder. You can also simply leave the default, which is a
folder named ERDNT inside your Windows folder, the advantage being
that you have access to this folder from the Windows Recovery Console
in case Windows does not boot anymore.

Next, select the backup options:

  • System registry
  • Current user registry
  • Other open user registries

Click “OK” and wait until the backup process is complete. (Note that
depending on your system configuration this may take some time, and
that the first bar is NOT a progress bar, just an indicator that the
program is still running.) The ERDNT program for later restoration of
the registry is automatically copied to the restore folder.

After you have done the above

Click the Start button, click Run. In the Run box type regedit, click OK.

By clicking the + signs, navigate to these registry keys

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop

note: each \ signifies a new sub key. Scroll down to the next entry

example

click the + beside HKEY_CURRENT_USER
click the + beside Software
click the + beside Microsoft
and so on

When you reach the last entry for that key, please click the Registry button at the top of the screen, select Export Registry file
On the box that pops up set the Save in box to Desktop
in the Filename box, type (including the " " marks) “key1.txt”
set the Save as type to All files (*.*)
Make sure Selected Branch is checked.
Click Save.

Do the same with the other 2 keys, but change the name to “key2.txt” and “key3.txt”

I attached a screenshot, but keep in mind, I’m on win98se, so it may be slightly different. You should be able to get the idea though.

Please post the contents of the 3 notepads you saved. We’ll have a look and see if we have to look at any others. These are the most common.

Thanks

Hi,

I was about to send you the pics I mentioned before and found further opinions and suggestions from you on getting into the registry.

I should not have problems with editing the registry if required. I will read your answer and implement it. I will send my reply afterwards with findings/problems and solutions too!!

In the meantime, I send with this message the pics I just saved, FYI only I think. These will give you a clear picture of what I see when I try to change the background.

Thanks,

Carlos

Hi,

I implemented your suggestions, downloaded ERUNT, installed it and backed up the registry. Then I went to regedit and opened all the keys down to Policies, but not all of them are present; key1 (“Policies\System”) is missing.

I saved a JPG for both present and exported the registry branches. Please, find attached all these files.

Looking at the txt files, the last lines on both should be deleted in my opinion, but I do not know what the previous two really mean. I look forward to your next one. Thanks.

Carlos

Hi Carlos

One thing I forgot to ask. On the Themes tab, is a theme selected? I believe the XP default is “Luna”.

Check that, post back.

You may as well check this key also

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ActiveDesktop

The screenshots are fine, no need for the notepads.

Hi,

Thanks for your answer. Here follows the pics attached:

  • Desktop Themes
  • Active Desktop (sent also on my previous one)
  • Registry Editor.

The last one is attached because you asked in your previous message for an HKLM key that does not exist on my PC. I searched the registry with the “Find” option but found nothing with HKLM.

The Entry HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ActiveDesktop is found in HKEY_Current_User.…\ActiveDesktop (picture attached)

I hope this will help you anyway.

Looking forward to yours.

Thanks,

Carlos

Hi Carlos.

I didn’t see this entry in any of the keys you have posted. I think there is at least one key pointed at it.

Use the find function in the registry editor and look for this
desktop.html

If found it will probably look like this
Wallpaper=C:\WINDOWS\desktop.html

Let me know where you find it/them. If present, it is in all likelihood the cause of the problem.

Thanks
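As an added example (not code from the thread, from ERUNT or from regedit), the two checks the helper describes above, the export of the three HKCU Policies keys and the search for a Wallpaper value pointing at desktop.html, done over the exported key text in Python. The export below is constructed in regedit’s .reg format; the value names in it are standard Windows policy values chosen here as assumptions, not values from the poster’s files.

```python
import re

# Constructed sample in regedit's export format, modelled on the three
# HKCU Policies keys the helper asked for. The value names are standard
# Windows policy values chosen by the editor, not values from the thread.
# Real exports are usually UTF-16 encoded: open(path, encoding="utf-16").
REG_SAMPLE = r"""
Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop]
"NoChangingWallPaper"=dword:00000001

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"Wallpaper"="C:\\WINDOWS\\desktop.html"
"WallpaperStyle"="0"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoActiveDesktopChanges"=dword:00000001
"""

KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"=(?P<data>.+)$')

def parse_reg_export(text):
    """Return {key_path: {value_name: (kind, data)}} for a .reg export.
    Handles the dword and string forms; anything else is kept raw."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        km = KEY_RE.match(line)
        if km:
            current = km.group("key")
            keys[current] = {}
            continue
        vm = VALUE_RE.match(line)
        if vm and current is not None:
            name, data = vm.group("name"), vm.group("data")
            if data.startswith("dword:"):
                keys[current][name] = ("dword", int(data[6:], 16))
            elif len(data) >= 2 and data[0] == '"' and data[-1] == '"':
                # .reg strings escape backslash and quote with a backslash
                unescaped = data[1:-1].replace('\\\\', '\\').replace('\\"', '"')
                keys[current][name] = ("string", unescaped)
            else:
                keys[current][name] = ("other", data)
    return keys

def find_desktop_restrictions(text):
    """Flag values under any Policies key that lock the desktop: a Wallpaper
    policy pointing at an HTML file (the desktop.html case above) and
    non-zero 'No*' DWORD restrictions. Returns (key, name, data) tuples."""
    findings = []
    for key, values in parse_reg_export(text).items():
        if "\\Policies\\" not in key:
            continue
        for name, (kind, data) in values.items():
            if kind == "string" and name.lower() == "wallpaper" \
                    and data.lower().endswith((".htm", ".html")):
                findings.append((key, name, data))
            elif kind == "dword" and name.startswith("No") and data != 0:
                findings.append((key, name, data))
    return findings
```

A flagged "No*" value is a restriction to review, not proof of malware: a policy an administrator set deliberately looks the same, which is why the helper asks before removing anything.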