Got Alemon Trojan... deleted but can't change wallpaper

[Guest]

Good evening.

My system was infected with the Alemon trojan. I was able to delete it.
All subsequent virus scans are showing up clean. This program changed my
wallpaper to an .html file. I deleted the file, however now I just get a
white background. I'm unable to change my wallpaper to anything else. I've
looked at several instructions, but don't find the registery entries they are
talking about.

Can anyone provide me with some help on how I can change my wallpaper again.

Thanks.

 

[David H. Lipman]

From: "wyzard" <[email protected]>

| Good evening.
|
| My system was infected with the Alemon trojan. I was able to delete it.
| All subsequent virus scans are showing up clean. This program changed my
| wallpaper to an .html file. I deleted the file, however now I just get a
| white background. I'm unable to change my wallpaper to anything else. I've
| looked at several instructions, but don't find the registery entries they are
| talking about.
|
| Can anyone provide me with some help on how I can change my wallpaper again.
|
| Thanks.


If you are using any version of Sun Java that is prior to JRE Version 5.0,
then you are strongly urged to remove any/all versions that are prior to JRE
Version 5.0. There are vulnerabilities in them and they are actively being exploited.

Therefore, it is highly suggested that if there are any prior versions of Sun Java
to Version 5 on the PC that they be removed and Sun Java JRE Version 5.0 Update 6
be installed ASAP.

http://www.java.com/en/download/manual.jsp


It is suggested that you execute the following tool in both Normal Mode and then in Safe
Mode.

Download SmitFraud.exe from the URL --
http://www.ik-cs.com/programs/virtools/SmitFraud.exe

Execute; SmitFraud.exe { Note: You must accept the default of C:\McAfee }
Choose; Unzip
Choose; Close

NOTE: You may have to disable your software FireWall or allow WGET.EXE to go through your
FireWall to enable WGET.EXE to download the needed McAfee related files.

Execute; c:\mcafee\clean.bat
{ or Double-click on 'Clean Link' in c:\mcafee }

A final report in HTML format called C:\mcafee\Normal_ScanReport.HTML or
C:\mcafee\Safe_ScanReport.HTML will be generated. At the end of the scan, it will be
displayed in your browser (Opera, FireFox or Internet Explorer). However, if you are using
WinXP, Win2K or Win2003 your system will be left in a state where you will have to manually
shutdown/reboot the PC. On Win9x/ME platforms the report will not be shown in your bowser
but your PC will automatically be shutdown. It is suggested that you move the report out of
c:\mcafee before performing another scan.

It would be best to scan in both Safe Mode and in Normal Mode and save a copy of the HTML
report for each session.


Please Copy and Paste the contents of the HTML Log files;
C:\mcafee\Normal_ScanReport.HTML & C:\mcafee\Safe_ScanReport.HTML in your reply.

* * * Please report back your results * * *

 

[WTC]

Good evening.

My system was infected with the Alemon trojan. I was able to delete it.
All subsequent virus scans are showing up clean. This program changed my
wallpaper to an .html file. I deleted the file, however now I just get a
white background. I'm unable to change my wallpaper to anything else.
I've
looked at several instructions, but don't find the registery entries they
are
talking about.

Can anyone provide me with some help on how I can change my wallpaper
again.

Edit the registry at the following locations.

[HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop]
and/or
[HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop]
In the right-hand pane, delete "NoChangingWallPaper" or change the value
to 0.

[HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System]
and/or
[HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System]
In the right-hand pane, delete "Wallpaper" and "WallpaperStyle".

 

[Guest]

Here's the information in the Virus Scan Report File

--------------------------------------------------------------------------------
Virus Scan Informatio
--------------------------------------------------------------------------------

McAfee VirusScan for Win32 v4.40.0
Copyright (c) 1992-2004 Networks Associates Technology Inc. All rights
reserved.
(408) 988-3832 LICENSED COPY - Sep 23 2004

Scan engine v4.4.00 for Win32.
Virus data file v4736 created Apr 07 2006
Scanning for 185597 viruses, trojans and variants.


--------------------------------------------------------------------------------
Virus Scan Result
--------------------------------------------------------------------------------




04/10/2006 06:18:36


Options:
/ADL /UNZIP /WINMEM /SUB /ANALYZE /PANALYZE /STREAMS /CLEAN /ALL /DEL
/PROGRAM /EXCLUDE C:\MCAFEE\EXCLIST.TXT /HTML C:\MCAFEE\NORMAL_SCANREPORT.HTML

Scanning C: []
Scanning C:\*.*
C:\WINNT\system32\taskdir.dll ... Found the Downloader-ZQ trojan !!!
The file or process has been deleted.

Summary report on C:\*.*
File(s)
Total files: ........... 162545
Clean: ................. 162497
Possibly Infected: ..... 1
Cleaned: ............... 0
Deleted: ............... 1
Non-critical Error(s): 2
Master Boot Record(s): ......... 1
Possibly Infected: ..... 0
Boot Sector(s): ................ 1
Possibly Infected: ..... 0


Time: 00:44.18



--------------------------------------------------------------------------------

Visit the McAfee Online Web Site
Need some help or advice? Send email to Technical Support. Normal file.
Still need to do the safe one.



I still can't get another background on my system. Just stays white. For
some reason it's looking for an html file, but I've checked the registry for
all suggestions and find nothing. Please help. Want to totally get rid of
this and get my background back.

Thanks.

 

[David H. Lipman]

From: "wyzard" <[email protected]>

| Here's the information in the Virus Scan Report File
| --------------------------------------------------------------------------------

< snip >

|
| I still can't get another background on my system. Just stays white. For
| some reason it's looking for an html file, but I've checked the registry for
| all suggestions and find nothing. Please help. Want to totally get rid of
| this and get my background back.
|
| Thanks.
|

McAfee did find the "Downloader-ZQ" Trojan.

Check your DeskTop settings for "Active Desktop".

 

[Guest]

How do I check for this and turn it off. I've looked everywhere I can think
of, but no luck.

Thanks again for the help.

 

[David H. Lipman]

From: "wyzard" <[email protected]>

| How do I check for this and turn it off. I've looked everywhere I can think
| of, but no luck.
|
| Thanks again for the help.
|

I have Win2K in front f me but if I Right-Click on the DeskTop and choose "Properties" then
"Web".

 

[Guest]

No luck on the David...

When I right click on my desktop and choose properties it just shows me the
html file info.. can't change anything. This is extremely annoying...

Anymore help?

Thanks.

 

[David H. Lipman]

From: "wyzard" <[email protected]>

| No luck on the David...
|
| When I right click on my desktop and choose properties it just shows me the
| html file info.. can't change anything. This is extremely annoying...
|
| Anymore help?
|
| Thanks.
|

Unfortunately -- No, sorry :-(