virus - overtaken desktop



chopsticks
07-09-2005, 10:48 PM
my desktop has been replaced by this warning thing that reads something along
the lines of "warning! you're in danger.....". i found where the image is
located in my computer and when i delete this image, my desktop turns grey
and flashes from grey to white continuously.

i tried getting rid of it but it doesn't seem to be working.

is there a possible solution of getting rid of it without having to reformat
my computer? if not, if i do reformat, would there still be traces of this
ad/spyware or virus??

any advice =/ ? please help.

Malke
07-09-2005, 10:48 PM
chopsticks wrote:

> my desktop has been replaced by this warning thing that reads
> something along the lines of "warning! you're in danger.....". i found
> where the image is located in my computer and when i delete this
> image, my desktop turns grey and flashes from grey to white
> continuously.
>
> i tried getting rid of it but it doesn't seem to be working.
>
> is there a possible solution of getting rid of it without having to
> reformat my computer? if not, if i do reformat, would there still be
> traces of this ad/spyware or virus??
>
> any advice =/ ? please help.

Have you completely removed all malware from your computer? The warning
is just a picture. Here's how to get rid of it, but you'll need to make
sure you've also cleaned up your computer. General malware removal
steps follow the information about the desktop warning picture.

A. Remove picture - Here's how to get rid of the desktop warning being
displayed by malware. Go to the Display applet in Control Panel and
look on the Desktop tab. Click on Customize Desktop, and then click on
the Web tab. You will see that there are checkmarks next to "My Current
Home Page" and probably "Lock Desktop Items". Uncheck these. By
highlighting the "My Current Home Page" and clicking on the Properties
button, you will be able to determine the name of the file that is the
message. It might be called something like "security.html" or the like.

Click Apply and OK out when you've made your changes. Then you want to
find the *.html malware file and delete it.

B. General malware removal - First delete all Temporary and Temporary
Internet Files. For IE's Temporary Files, go to Control Panel>Internet
Options>General tab. You'll see where you can delete cookies and files.
For Firefox, clear its cache by going to Tools>Options>Privacy>Cache>
Clear. For Windows Temporary files, Start>Run cleanmgr [enter] and
then:

1) Scan in Safe Mode with current version (not earlier than 2004)
antivirus using updated definitions.

Before you remove malware, get LSPFix or WinSockFix for XP - see links
below.

2) Remove spyware with Spybot Search & Destroy and Ad-aware. These
programs are free, so use them both since they complement each other.
There is a new version of CWShredder from Intermute. I would not
install the other Intermute programs, however. Alternately, there are
CoolWebSearch malware removal steps at SilentRunners.

Be sure to update these programs before running, and it is a good idea
to do virus/spyware scans in Safe Mode. Make sure you are able to see
all hidden files and extensions (View tab in Folder Options).

If the malware remains even after you used Ad-aware and Spybot, you can
scan with HijackThis. HijackThis is an excellent tool to discover and
disable hijackers, but it requires expert skill. See below for
HijackThis links, including sites where you can post your HJT logs. A
combination of HijackThis and About:Buster works well in removing the
About:Blank homepage hijacker. Again, this is an expert tool and
novices should get help with it.

3) If you are running Windows ME or XP, you should disable/enable System
Restore after the system is clean because malware will be in the
Restore Points. With ME, you must disable System Restore completely.
With XP, you can delete all but the most recent (presumably clean)
System Restore point from the More Options section of Disk Cleanup
(Run>cleanmgr).

4) Make sure you've visited Windows Update and applied all security
patches. Do not install driver updates from Windows Update.

5) Run a firewall.

Links to help with malware:

Software/Methods:
http://www.safer-networking.org - Spybot Search & Destroy
http://www.lavasoftusa.com - Ad-aware
http://www.intermute.com/products/cwshredder.html
http://www.tomcoyote.com/hjt/ - HijackThis
http://www.intermute.com/spysubtract/cwshredder_download.html
http://www.silentrunners.org/sr_cwsremoval.html - SilentRunners
http://www.cexx.org/lspfix.htm - Repair Winsock 2 settings after
removing spyware
http://www.spychecker.com/program/winsockxpfix.html - WinsockXPFix.exe

HijackThis:
http://www.aumha.org/a/hjttutor.htm - HijackThis tutorial by Jim
Eshelman
http://aumha.net - forums
http://spywarewarrior.com/viewforum.php?f=5 - Spyware Warrior HijackThis
forum
http://www.wilderssecurity.com/
http://forums.tomcoyote.org/

General:
http://aumha.net - look under "Security" for various forums
http://rgharper.mvps.org/cleanit.htm
http://mvps.org/winhelp2002/unwanted.htm
http://www.aumha.org/a/parasite.htm - The Parasite Fight
http://www.spywarewarrior.com/rogue_anti-spyware.htm

Malke
--
Elephant Boy Computers
www.elephantboycomputers.com
"Don't Panic!"
MS-MVP Windows - Shell/User
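The desktop "warning" in Malke's step A is an Active Desktop web component; each such item is stored under HKCU\Software\Microsoft\Internet Explorer\Desktop\Components\<n>, with the displayed file in its Source value (the same entries HijackThis lists as O24). As an added example that is not part of this thread, the Python below parses a `reg export` of that key and lists every component backed by a local .html file; the sample export, the file names and the "Weather ticker" entry are constructed for illustration.

```python
import re

# Constructed sample of `reg export "HKCU\Software\Microsoft\Internet Explorer\Desktop\Components" comps.reg`
# output; the file names and the second component are made up for illustration.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components]
"GeneralFlags"=dword:00000001

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="file:///C:/WINDOWS/security.html"
"FriendlyName"="My Current Home Page"
"Flags"=dword:00000002

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\1]
"Source"="http://weather.example/ticker"
"FriendlyName"="Weather ticker"
"Flags"=dword:00000002
"""

SECTION_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')

def _unescape(s):
    """Undo .reg string escaping: \\" becomes " and \\\\ becomes \\."""
    return s.replace('\\"', '"').replace("\\\\", "\\")

def parse_reg(text):
    """Parse a .reg export into {key_path: {value_name: value}}; strings are
    unescaped, dword/hex values keep their raw text."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if (m := SECTION_RE.match(line)):
            current = m.group(1)
            keys[current] = {}
        elif current is not None and (m := VALUE_RE.match(line)):
            raw = m.group(2)
            if raw.startswith('"') and raw.endswith('"'):
                raw = _unescape(raw[1:-1])
            keys[current][_unescape(m.group(1))] = raw
    return keys

def is_local_html(source):
    """True when Source is a .htm/.html on the local disk (file:// URL or drive path)."""
    s = source.strip().lower()
    local = s.startswith("file:") or re.match(r"^[a-z]:[\\/]", s) is not None
    return local and s.endswith((".htm", ".html"))

def suspicious_components(text):
    """Return (index, friendly_name, source) for each desktop component whose
    Source is a local HTML file, the way the thread's warning page is shown."""
    hits = []
    for key, values in parse_reg(text).items():
        if "\\components\\" in key.lower() and is_local_html(values.get("Source", "")):
            hits.append((key.rsplit("\\", 1)[1], values.get("FriendlyName", ""), values["Source"]))
    return hits

if __name__ == "__main__":
    for idx, name, src in suspicious_components(SAMPLE_REG):
        print(f"Desktop Component {idx}: ({name}) - {src}")
```

Run it against a real export from the affected account; the listed Source path is the file to delete after unchecking the item in Customize Desktop > Web, as step A describes.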

David H. Lipman
07-09-2005, 10:48 PM
From: "chopsticks" <chopsticks@discussions.microsoft.com>

| my desktop has been replaced by this warning thing that reads something along
| the lines of "warning! you're in danger.....". i found where the image is
| located in my computer and when i delete this image, my desktop turns grey
| and flashes from grey to white continuously.
|
| i tried getting rid of it but it doesn't seem to be working.
|
| is there a possible solution of getting rid of it without having to reformat
| my computer? if not, if i do reformat, would there still be traces of this
| ad/spyware or virus??
|
| any advice =/ ? please help.

Please perform the following...

Dump the contents of the IE Temporary Internet Folder cache (TIF)
Start --> Settings --> Control Panel --> Internet Options --> Delete Files

Dump the contents of the Mozilla FireFox Cache { if you use FireFox }
Tools --> Options --> Privacy --> Cache --> Clear

1) Download the TrendMicro Sysclean Front End

Download the utility SYSCLEAN_FE at the following URL --
http://www.ik-cs.com/got-a-virus.htm
SYSCLEAN_FE automates the download and execution process of the Trend Sysclean Package.
Direct URL --
http://www.ik-cs.com/programs/virtools/Sysclean_FE.exe


2) Download and install Ad-aware SE
(free personal version v1.05)
http://www.lavasoftusa.com/
Update Ad-aware with the latest definitions and then exit the software.

3) Execute; SYSCLEAN_FE.EXE
Choose; Unzip
Choose; Close


Execute; c:\sysclean\SYSCLEAN_FE.BAT
{ or Double-click on 'SYSCLEAN_FE Link' in c:\sysclean }
When you get to the menu, choose [1] so you can boot into Safe Mode.

4) If you are using WinME or WinXP, disable System Restore
http://vil.nai.com/vil/SystemHelpDocs/DisableSysRestore.htm

5) Reboot your PC into Safe Mode and shutdown as many applications as possible.

6) Execute; c:\sysclean\SYSCLEAN_FE.BAT
{ or Double-click on 'SYSCLEAN_FE Link' in c:\sysclean }
Choose [2] and let SYSCLEAN.COM scan your computer.
when done, execute Ad-aware SE and perform a full scan of your PC and delete
all objects found.

7) Restart your PC and perform a "final" Full Scan of your platform
Execute; c:\sysclean\SYSCLEAN_FE.BAT
{ or Double-click on 'SYSCLEAN_FE Link' in c:\sysclean }
Choose [2] and let SYSCLEAN.COM scan your computer.
when done, execute Ad-aware SE and perform a final scan of your PC and delete
all objects found.


8) If you are using WinME or WinXP, re-enable System Restore and re-apply any
System Restore preferences (e.g. HD space to use, suggested 400 ~ 600MB).

9) Reboot your PC.

10) If you are using WinME or WinXP, create a new Restore point


* * * Please report back your results * * *


--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm

