Re: virus - overtaken desktop
From: Malke (invalid_at_not-real.com)
Date: 05/11/05
- Next message: David H. Lipman: "Re: PWSteal.Lemir.Gen ----- help?!?!?!"
- Previous message: Malke: "Re: MS Antivirus suggestion"
- In reply to: chopsticks: "virus - overtaken desktop"
- Next in thread: David H. Lipman: "Re: virus - overtaken desktop"
Date: Wed, 11 May 2005 05:30:38 -0700
chopsticks wrote:
> my desktop has been replaced by this warning thing that reads
> something along the lines of "warning! you're in danger.....". i found
> where the image is located in my computer and when i delete this
> image, my desktop turns grey and flashes from grey to white
> continuously.
>
> i tried getting rid of it but it doesn't seem to be working.
>
> is there a possible solution of getting rid of it without having to
> reformat my computer? if not, if i do reformat, would there still be
> traces of this ad/spyware or virus??
>
> any advice =/ ? please help.

Have you completely removed all malware from your computer? The warning
is just a picture. Here's how to get rid of it, but you'll need to make
sure you've also cleaned up your computer. General malware removal
steps follow the information about the desktop warning picture.

A. Remove picture - Here's how to get rid of the desktop warning being
displayed by malware. Go to the Display applet in Control Panel and
look on the Desktop tab. Click on Customize Desktop, and then click on
the Web tab. You will see that there are checkmarks next to "My Current
Home Page" and probably "Lock Desktop Items". Uncheck these. By
highlighting the "My Current Home Page" and clicking on the Properties
button, you will be able to determine the name of the file that is the
message. It might be called something like "security.html" or the like.
Click Apply and OK out when you've made your changes. Then you want to
find the *.html malware file and delete it.

B. General malware removal - First delete all Temporary and Temporary
Internet Files. For IE's Temporary Files, go to Control Panel>Internet
Options>General tab. You'll see where you can delete cookies and files.
For Firefox, clear its cache by going to Tools>Options>Privacy>Cache>
Clear. For Windows Temporary files, Start>Run cleanmgr [enter] and
then:

1) Scan in Safe Mode with current version (not earlier than 2004)
antivirus using updated definitions.

Before you remove malware, get LSPFix or WinSockFix for XP - see links
below.

2) Remove spyware with Spybot Search & Destroy and Ad-aware. These
programs are free, so use them both since they complement each other.
There is a new version of CWShredder from Intermute. I would not
install the other Intermute programs, however. Alternately, there are
CoolWebSearch malware removal steps at SilentRunners.

Be sure to update these programs before running, and it is a good idea
to do virus/spyware scans in Safe Mode. Make sure you are able to see
all hidden files and extensions (View tab in Folder Options).

If the malware remains even after you used Ad-aware and Spybot, you can
scan with HijackThis. HijackThis is an excellent tool to discover and
disable hijackers, but it requires expert skill. See below for
HijackThis links, including sites where you can post your HJT logs. A
combination of HijackThis and About:Buster works well in removing the
About:Blank homepage hijacker. Again, this is an expert tool and
novices should get help with it.

3) If you are running Windows ME or XP, you should disable/enable System
Restore after the system is clean because malware will be in the
Restore Points. With ME, you must disable System Restore completely.
With XP, you can delete all but the most recent (presumably clean)
System Restore point from the More Options section of Disk Cleanup
(Run>cleanmgr).

4) Make sure you've visited Windows Update and applied all security
patches. Do not install driver updates from Windows Update.

5) Run a firewall.

Links to help with malware:

Software/Methods:
http://www.safer-networking.org - Spybot Search & Destroy
http://www.lavasoftusa.com - Ad-aware
http://www.intermute.com/products/cwshredder.html
http://www.tomcoyote.com/hjt/ - HijackThis
http://www.intermute.com/spysubtract/cwshredder_download.html
http://www.silentrunners.org/sr_cwsremoval.html. - SilentRunners
http://www.cexx.org/lspfix.htm - Repair Winsock 2 settings after removing spyware
http://www.spychecker.com/program/winsockxpfix.html - WinsockXPFix.exe

HijackThis:
http://www.aumha.org/a/hjttutor.htm - HijackThis tutorial by Jim Eshelman
http://aumha.net - forums
http://spywarewarrior.com/viewforum.php?f=5 - Spyware Warrior HijackThis forum
http://www.wilderssecurity.com/
http://forums.tomcoyote.org/

General:
http://aumha.net - look under "Security" for various forums
http://rgharper.mvps.org/cleanit.htm
http://mvps.org/winhelp2002/unwanted.htm
http://www.aumha.org/a/parasite.htm - The Parasite Fight
http://www.spywarewarrior.com/rogue_anti-spyware.htm

Malke
--
Elephant Boy Computers
www.elephantboycomputers.com
"Don't Panic!"
MS-MVP Windows - Shell/User
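
Step A above reads the hijacked web item's file name from the Properties dialog; the same check can be run over a registry export to list which Active Desktop items point at a local HTML file. This is an added example, not part of the original post: it assumes the items are stored under `HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components`, and the export text, the `C:\WINDOWS` location and the function names are constructed for illustration.

```python
import re

# Assumption: on Windows XP, Active Desktop web items are stored under this
# per-user key, one numbered subkey per item.
COMPONENTS_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components"

# Constructed sample of a regedit text export (not taken from a real machine).
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="C:\\WINDOWS\\security.html"
"FriendlyName"="My Current Home Page"

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\1]
"Source"="http://www.example.com/ticker.html"
"FriendlyName"="Example ticker"
'''

def parse_reg(text):
    """Return {key_path: {value_name: string_value}} for string values only."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1], {})
        elif current is not None:
            m = re.match(r'"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$', line)
            if m:
                # .reg exports escape backslashes and quotes with a backslash
                name, value = (re.sub(r"\\(.)", r"\1", g) for g in m.groups())
                current[name] = value
    return keys

def local_html_items(text):
    """List (subkey, friendly name, source) for items backed by a local HTML file."""
    hits = []
    for path, values in parse_reg(text).items():
        if not path.lower().startswith(COMPONENTS_KEY.lower() + "\\"):
            continue
        source = values.get("Source", "")
        is_local = source.lower().startswith("file:") or re.match(r"[a-zA-Z]:\\", source)
        if is_local and re.search(r"\.html?$", source, re.I):
            hits.append((path.rsplit("\\", 1)[1], values.get("FriendlyName", ""), source))
    return hits

if __name__ == "__main__":
    print(local_html_items(SAMPLE_EXPORT))
```

Each reported source is a candidate for the *.html file that step A says to find and delete once the web item has been unchecked.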