Re: spam inserted as wall paper
From: DZigas (DZigas_at_discussions.microsoft.com)
Date: 02/13/05
- Next message: Ken Gardner: "Re: Firewall Security"
- Previous message: Newk: "zjjvu.exe Virus?"
- In reply to: Malke: "Re: spam inserted as wall paper"
- Next in thread: TZ: "Re: spam inserted as wall paper"
- Reply: TZ: "Re: spam inserted as wall paper"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Sun, 13 Feb 2005 11:21:01 -0800
Malke -- Could you clarify -- in step 1), what is the anti-virus scan in safe
mode you refer to? Is it a Windows XP utility that I need to update? Thanks
for all your time. -- David
"Malke" wrote:
> DZigas wrote:
>
> > Hi -- Some spam was inserted on my son's computer -- a message about
> > the dangers of spyware. It has a black background, takes up the whole
> > screen with a "Danger" warning, and I can't get rid of it. Otherwise the
> > computer functions normally. At the bottom, there's a link for "removal
> > instructions" but when you click it, it takes you to "topantispyware.com"
> > and lists search results for various spyware software.
> >
> > We subscribe to McAfee antivirus software online, and ran the scan,
> > removing all the spyware it could find. Any clues on how I can get rid
> > of this junk? Thanks.
> >
> This has nothing to do with viruses, so your McAfee can't deal with it.
> You need to clean up your computer because I can assure you with almost
> 100% certainty that the cr*p causing your immediate problem is not the
> only malware on your system.
>
> To remove the spam message, you will need to go to the Display applet in
> Control Panel. Click on the Desktop tab and then on the Customize
> Desktop button. Now click on the Web tab. Clear all checkmarks on that
> tab, Apply and OK out. I just had something like this on a client's
> machine and the infector page was "security.html". Also, every time I
> would open Display Properties from the Desktop, the infector would
> crash Explorer. I was able to kill it from the Control Panel, and then
> find the referenced file and delete it.
>
> As I said in the first paragraph, it is extremely likely that you have
> other malware on the system. Go through the following removal steps,
> doing everything with updated tools in Safe Mode:
>
> 1) Scan in Safe Mode with current version (not earlier than 2004)
> antivirus using updated definitions.
>
> Before you remove malware, get LSPFix (or WinSockFix for XP which you
> can get from MajorGeeks) - see links below.
>
> 2) Remove spyware with Spybot Search & Destroy and Ad-aware. These
> programs are free, so use them both since they complement each other.
> There is a new version of CWShredder from Intermute. I would not
> install the other Intermute programs, however. Alternately, there are
> CoolWebSearch malware removal steps at SilentRunners.
>
> Be sure to update these programs before running, and it is a good idea
> to do virus/spyware scans in Safe Mode. Make sure you are able to see
> all hidden files and extensions (View tab in Folder Options).
>
> If the malware remains even after you used Ad-aware and Spybot, you can
> scan with HijackThis. HijackThis is an excellent tool to discover and
> disable hijackers, but it requires expert skill. See below for
> HijackThis links, including sites where you can post your HJT logs. A
> combination of HijackThis and About:Buster works well in removing the
> About:Blank homepage hijacker. Again, this is an expert tool and
> novices should get help with it.
>
> 3) If you are running Windows ME or XP, you should disable/enable System
> Restore after the system is clean because malware will be in the
> Restore Points. With ME, you must disable System Restore completely.
> With XP, you can delete all but the most recent (presumably clean)
> System Restore point from the More Options section of Disk Cleanup
> (Run>cleanmgr).
>
> 4) Make sure you've visited Windows Update and applied all security
> patches. Do not install driver updates from Windows Update.
>
> 5) Run a firewall.
>
> Links to help with malware:
>
> Software/Methods:
> http://www.safer-networking.org - Spybot Search & Destroy
> http://www.lavasoftusa.com - Ad-aware
> http://www.majorgeeks.com - good download site
> http://www.intermute.com/spysubtract/cwshredder_download.html
> http://www.silentrunners.org/sr_cwsremoval.html. - SilentRunners
> http://www.cexx.org/lspfix.htm - Repair Winsock 2 settings after
> removing spyware
> http://www.spychecker.com/program/winsockxpfix.html - WinsockXPFix.exe
>
> HijackThis:
> http://www.aumha.org/a/hjttutor.htm - HijackThis tutorial by Jim
> Eshelman
> http://aumha.net - forums
> http://spywarewarrior.com/viewforum.php?f=5 - Spyware Warrior HijackThis
> forum
> http://www.wilderssecurity.com/
> http://forums.tomcoyote.org/
>
> General:
> http://aumha.net - look under "Security" for various forums
> http://rgharper.mvps.org/cleanit.htm
> http://mvps.org/winhelp2002/unwanted.htm
> http://www.aumha.org/a/parasite.htm - The Parasite Fight
> http://www.spywarewarrior.com/rogue_anti-spyware.htm
>
> Malke
> --
> MS MVP - Windows Shell/User
> Elephant Boy Computers
> www.elephantboycomputers.com
> "Don't Panic!"
>