Desktop.htm


Guest

Help! Somehow I got on the wrong website and ended up with spyware/malware,
etc. I have every tool imaginable to get rid of that kind of stuff and I now
show nothing wrong BUT, after it happened, I ended up with a red desktop with a
rectangular black box in the center with flashing red letters stating that I
had spyware, etc. on my computer and that I should click on the link and
download (and pay for, of course) "RazeSpyware". When I right-clicked on my
desktop, it was an htm page and showed the location as "File://c:\documents
and settings\john\local settings\temp\desktop.htm"
I have navigated to that spot and even removed the temp directory and it
keeps coming back. I am not able to select a background as this htm page
won't let me. I hope someone can help.
 
From: "JTR" <[email protected]>

| Help! Somehow I got on the wrong website and ended up with spyware/malware,
| etc. I have every tool imaginable to get rid of that kind of stuff and I now
| show nothing wrong BUT, after it happened, I ended up with a red desktop with a
| rectangular black box in the center with flashing red letters stating that I
| had spyware, etc. on my computer and that I should click on the link and
| download (and pay for, of course) "RazeSpyware". When I right-clicked on my
| desktop, it was an htm page and showed the location as "File://c:\documents
| and settings\john\local settings\temp\desktop.htm"
| I have navigated to that spot and even removed the temp directory and it
| keeps coming back. I am not able to select a background as this htm page
| won't let me. I hope someone can help.
| --
| Thanks, JTR

Download Haxdoor.exe from the URL --
http://www.ik-cs.com/programs/virtools/Haxdoor.exe

Execute; Haxdoor.exe { Note: You must accept the default of C:\McAfee }
Choose; Unzip
Choose; Close

Execute; c:\mcafee\clean.bat
{ or Double-click on 'Clean Link' in c:\mcafee }

NOTE: You may have to disable your software firewall or allow WGET.EXE through your
firewall so that WGET.EXE can download the needed McAfee related files.

A final report in HTML format called C:\mcafee\ScanReport.HTML will be generated. At the
end of the scan, it will be displayed in your browser (Opera, Firefox or Internet Explorer).
It is suggested that you move the report out of c:\mcafee before performing another scan.
 
JTR,

What you are experiencing is a nasty attempt to fool you into thinking you
have a virus or malware attack on your computer. The message probably
instructs you to log into a website and purchase software to get rid of the
nasty looking new desktop you have.

DON'T FALL FOR IT, IT'S A SCAM.

Open up Regedit and search for all occurrences of "desktop.htm" and delete
each occurrence you find. The desktop is being substituted through the
registry at bootup, so you have to fix things there.

-Alias
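The registry search Alias describes, written out as an added PowerShell example (this is not code from the thread or from any of the posters): it checks the current user's wallpaper and Active Desktop registry locations for values that reference desktop.htm, reports what it finds, and clears those values only when run with -Remove. The three key paths are the standard Windows XP-era locations for the desktop background and Active Desktop web content; the two policy values it reports at the end (NoChangingWallPaper and the policy Wallpaper value) are my assumption about where the "cannot select a background" restriction is usually enforced, not something the thread states, so the script only surfaces them for review.

```powershell
# Added example, not code from the thread: audit the current user's wallpaper
# and Active Desktop registry locations for values that reference a rogue
# desktop.htm. Report-only by default; -Remove clears the matching values.
param(
    [string]$Marker = 'desktop.htm',
    [switch]$Remove
)

# Standard Windows XP-era locations that decide what is drawn as the desktop
# background (Active Desktop web content lives under the Internet Explorer keys).
$locations = @(
    'HKCU:\Control Panel\Desktop',
    'HKCU:\Software\Microsoft\Internet Explorer\Desktop\General',
    'HKCU:\Software\Microsoft\Internet Explorer\Desktop\Components\0'
)

function Find-RogueDesktopValues {
    param([string[]]$Paths, [string]$Pattern)
    $escaped = [regex]::Escape($Pattern)
    foreach ($path in $Paths) {
        if (-not (Test-Path -LiteralPath $path)) { continue }
        $key = Get-Item -LiteralPath $path
        # GetValueNames() includes '' for the key's (Default) value.
        foreach ($name in $key.GetValueNames()) {
            $value = $key.GetValue($name)
            if ($value -is [string] -and $value -match $escaped) {
                [pscustomobject]@{ Path = $path; Name = $name; Value = $value }
            }
        }
    }
}

$hits = @(Find-RogueDesktopValues -Paths $locations -Pattern $Marker)
if ($hits.Count -eq 0) {
    Write-Output "No values referencing '$Marker' under the checked keys."
} else {
    $hits | Format-Table -AutoSize
    if ($Remove) {
        foreach ($hit in $hits) {
            # PowerShell addresses a key's default value as '(default)'.
            $valueName = if ($hit.Name -eq '') { '(default)' } else { $hit.Name }
            # Clear the value instead of deleting the key: an empty wallpaper
            # path is the safe default and Explorer tolerates it.
            Set-ItemProperty -LiteralPath $hit.Path -Name $valueName -Value ''
            Write-Output "Cleared $($hit.Path)\$valueName"
        }
    }
}

# Assumption (not stated in the thread): the "cannot select a background"
# symptom is typically enforced through these policy values, so surface them
# for review rather than changing them automatically.
$policyValues = @(
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop'; Name = 'NoChangingWallPaper' },
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System';        Name = 'Wallpaper' }
)
foreach ($p in $policyValues) {
    if (Test-Path -LiteralPath $p.Path) {
        $v = (Get-ItemProperty -LiteralPath $p.Path -ErrorAction SilentlyContinue).($p.Name)
        if ($null -ne $v) { Write-Output "Policy value set: $($p.Path)\$($p.Name) = $v" }
    }
}
```

Run it once without -Remove to see which values point at the page, then with -Remove; log off and back on (or restart Explorer) afterwards, since the desktop is re-read from these keys at logon, which is why the file "keeps coming back" when only the temp folder is deleted.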
 
JTR,

I forgot one important thing. If you left click your desktop and slide the
mouse while holding down the left mouse button you can actually move that
bogus .htm file out of the way of your real desktop. Afterwards, right-click
the real desktop and change your wallpaper back to the original.

If you look very closely at the top of the fake .htm page you will see a
horizontal line. Right-clicking gives you some funky-looking drop-down menu,
a tell-tale sign that this is not a true Windows wallpaper but a web page
pretending to be wallpaper. It's a clever way to trick you into thinking you
have a virus or something similar, and no virus software will ever find it
because "it's not a virus or malware".

-Alias
 
David, Thanks a million!!! I had to run it twice. Second time in safe mode
but it found another issue I've had for a long time. Every time I visit a
site that required Java, my antivirus software would detect a trojan.

You've made my day better.
 
From: "JTR" <[email protected]>

| David, Thanks a million!!! I had to run it twice. Second time in safe mode
| but it found another issue I've had for a long time. Every time I visit a
| site that required Java, my antivirus software would detect a trojan.
|
| You've made my day better.

Fantastic !

Could you please copy and paste the contents of the HTML Log file;
C:\mcafee\ScanReport.HTML in your reply.
 
I didn't keep the first one but here is the one that did the trick in safe
mode:
Thanks Again

Virus Scan Report File

--------------------------------------------------------------------------------
Virus Scan Information
--------------------------------------------------------------------------------

McAfee VirusScan for Win32 v4.40.0
Copyright (c) 1992-2004 Networks Associates Technology Inc. All rights
reserved.
(408) 988-3832 LICENSED COPY - Sep 23 2004

Scan engine v4.4.00 for Win32.
Virus data file v4655 created Dec 21 2005
Scanning for 167009 viruses, trojans and variants.


--------------------------------------------------------------------------------
Virus Scan Results
--------------------------------------------------------------------------------




12/21/2005 14:33:43


Options:
/ADL /UNZIP /WINMEM /SUB /ANALYZE /PANALYZE /STREAMS /CLEAN /ALL /DEL
/PROGRAM /EXCLUDE C:\MCAFEE\EXCLIST.TXT /MIME /HTML
"C:\MCAFEE\SCANREPORT.HTML"

Scanning C: []
Scanning C:\*.*
C:\Documents and Settings\John\Application
Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\java.jar-cb66fa7-31f949fc.zip\GETACCESS.CLASS ... Found the Exploit-ByteVerify trojan !!!
C:\Documents and Settings\John\Application
Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\loaderadv470.jar-217a6652-775c503c.zip\MATRIX.CLASS ... Found the JV/Shinwow trojan !!!
C:\System Volume
Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP22\A0011503.ocx
.... Found potentially unwanted program CouponBar.
The file or process has been deleted.
C:\System Volume
Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP22\A0011504.exe
.... Found the Generic Downloader.s trojan !!!
The file or process has been deleted.
C:\System Volume
Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP22\A0011505.inf
.... Found potentially unwanted program Adware-abetterintrnt.
The file or process has been deleted.
C:\System Volume
Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP22\A0011506.dll
.... Found the Generic MultiDropper.f trojan !!!
The file or process has been deleted.
C:\System Volume
Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP22\A0011507.exe
.... Found potentially unwanted program Virtual Bouncer.
The file or process has been deleted.
C:\System Volume
Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP22\A0011508.dll
.... Found the Generic MultiDropper.f trojan !!!
The file or process has been deleted.
C:\System Volume
Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP22\A0011509.exe
.... Found potentially unwanted program Dialer-262.
The file or process has been deleted.

Summary report on C:\*.*
File(s)
Total files: ........... 218068
Clean: ................. 217860
Possibly Infected: ..... 5
Cleaned: ............... 0
Deleted: ............... 7
Non-critical Error(s): 2
Master Boot Record(s): ......... 1
Possibly Infected: ..... 0
Boot Sector(s): ................ 1
Possibly Infected: ..... 0


Time: 01:08.10



--------------------------------------------------------------------------------

Visit the McAfee Online Web Site
Need some help or advice? Send email to Technical Support.
 
From: "JTR" <[email protected]>

< snip >

| C:\Documents and Settings\John\Application
| Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\java.jar-cb66fa7-31f949fc.zip\GETACCESS.CLA
| SS ... Found the Exploit-ByteVerify trojan !!! C:\Documents and Settings\John\Application
| Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\loaderadv470.jar-217a6652-775c503c.zip\MATR
| IX.CLASS ... Found the JV/Shinwow trojan !!!

< snip >

Just what I thought.....

Dump the contents of your Sun Java cache -
Start --> settings --> control panel --> Java applet --> cache --> clear
or
Start --> settings --> control panel --> Java applet --> general --> settings --> delete
files

Or at least delete all ZIP files in...

C:\Documents and Settings\John\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar
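The cache clean-up David recommends, as an added PowerShell example (not code from the thread or its posters): it lists every cached archive under the current user's Sun Java deployment cache together with the class files inside it, so entries like the GETACCESS.CLASS and MATRIX.CLASS hits in the scan report can be seen before anything is deleted, and removes the archives only when run with -Remove. The cache path is the one quoted in the thread, resolved through %APPDATA%; removing the matching .idx companion file next to each .zip is my assumption about the cache layout, not something the thread mentions.

```powershell
# Added example, not code from the thread: inventory and optionally purge the
# Sun Java deployment cache for the current user. Report-only by default.
param(
    [string]$CacheRoot = (Join-Path $env:APPDATA 'Sun\Java\Deployment\cache\javapi\v1.0\jar'),
    [switch]$Remove
)

Add-Type -AssemblyName System.IO.Compression.FileSystem

function Get-JavaCacheEntries {
    param([string]$Root)
    if (-not (Test-Path -LiteralPath $Root)) { return @() }
    # Cached applets are stored as <name>.jar-<hash>-<hash>.zip; list the
    # archive members so suspicious class names stand out before deletion.
    foreach ($zip in Get-ChildItem -LiteralPath $Root -Filter '*.zip' -File) {
        $members = @()
        try {
            $archive = [IO.Compression.ZipFile]::OpenRead($zip.FullName)
            try   { $members = @($archive.Entries | ForEach-Object { $_.FullName }) }
            finally { $archive.Dispose() }
        } catch {
            $members = @("<unreadable: $($_.Exception.Message)>")
        }
        [pscustomobject]@{
            Name          = $zip.Name
            LastWriteTime = $zip.LastWriteTime
            Members       = $members
            FullName      = $zip.FullName
        }
    }
}

$entries = @(Get-JavaCacheEntries -Root $CacheRoot)
if ($entries.Count -eq 0) {
    Write-Output "No cached archives under $CacheRoot"
    return
}

foreach ($entry in $entries) {
    Write-Output "$($entry.Name)  ($($entry.LastWriteTime))"
    $entry.Members | ForEach-Object { Write-Output "    $_" }
}

if ($Remove) {
    foreach ($entry in $entries) {
        Remove-Item -LiteralPath $entry.FullName -Force
        # Assumption: each .zip has a same-named .idx metadata file beside it.
        $idx = [IO.Path]::ChangeExtension($entry.FullName, '.idx')
        if (Test-Path -LiteralPath $idx) { Remove-Item -LiteralPath $idx -Force }
        Write-Output "Removed $($entry.Name)"
    }
}
```

Clearing the cache through the Java control panel, as David describes first, is the cleaner option because it also resets the cache index; the script is useful when you want a record of what was cached before it goes.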
 