Help Virus that changes Desktop Theme?

Drax

I installed no new software or made any new updates yet, when I boot
my computer the Classic Windows Style was replaced with the Windows XP
Style. I have had the computer for about 3 months and never had a
problem like this before. I fixed it by just going into Control Panel
clicking on Appearance and Themes then clicking on Display opening
Appearance then changing it back to Classic Windows Style but, what
caused it to happen?

Was this a virus? I check with Norton but, found no virus.
 
David H. Lipman

From: "Drax" <[email protected]>

| I installed no new software or made any new updates yet, when I boot
| my computer the Classic Windows Style was replaced with the Windows XP
| Style. I have had the computer for about 3 months and never had a
| problem like this before. I fixed it by just going into Control Panel
| clicking on Appearance and Themes then clicking on Display opening
| Appearance then changing it back to Classic Windows Style but, what
| caused it to happen?
|
| Was this a virus? I check with Norton but, found no virus.

Sounds like a smitFraud Trojan, not a virus.



Two part reply..

Perform Part 1 then perform Part 2.

If the first two parts don't work, perform the alternate section.

It is suggested that you execute each tool in Normal Mode then in Safe Mode.

If you are using any version of Sun Java that is prior to JRE Version 5.0,
then you are strongly urged to remove any/all versions that are prior to JRE/JSE
Version 5.0. There are vulnerabilities in them and they are actively being exploited.
This is most likely why you got infected with malware.

Therefore, it is highly suggested that if there are any prior versions of Sun Java
to Version 5 on the PC that they be removed and Sun Java JRE/JSE Version 5.0 Update 7
be installed ASAP.

Simple check, look under...
C:\Program Files\Java

The only folder under that folder should be the latest version...

C:\Program Files\Java\jre1.5.0_07


http://www.java.com/en/download/manual.jsp



Part 1
-----------

Use noahdfear's SmitFraud, SpyAxe, SpyFalcon, et. al., removal tool -- SmitRem.exe
http://noahdfear.geekstogo.com/click counter/click.php?id=1

http://www.bleepingcomputer.com/forums/topic43659.html


Part 2
-----------

Download SmitFraud.exe from the URL --
http://www.ik-cs.com/programs/virtools/SmitFraud.exe

Execute; SmitFraud.exe { Note: You must accept the default of C:\McAfee }
Choose; Unzip
Choose; Close

NOTE: You may have to disable your software FireWall or allow WGET.EXE to go through your
FireWall to enable WGET.EXE to download the needed McAfee related files.

Execute; c:\mcafee\clean.bat
{ or Double-click on 'Clean Link' in c:\mcafee }

A final report in HTML format called C:\mcafee\Normal_ScanReport.HTML or
C:\mcafee\Safe_ScanReport.HTML will be generated. At the end of the scan, it will be
displayed in your browser (Opera, FireFox or Internet Explorer). However, if you are using
WinXP, Win2K or Win2003 your system will be left in a state where you will have to manually
shutdown/reboot the PC. On Win9x/ME platforms the report will not be shown in your browser
but your PC will automatically be shutdown. It is suggested that you move the report out of
c:\mcafee before performing another scan.

It would be best to scan in both Safe Mode and in Normal Mode and save a copy of the HTML
report for each session.


ALTERNATE:

Part 1
-----------

Secured2K's SpyAxe, PSGuard, Smitfraud, Sinnaka and Alemod removal tool.

http://secured2k.home.comcast.net/tools/AntiPuper.exe

http://forums.mcafeehelp.com/viewtopic.php?t=65072


Part 2
-----------

S!ri's SmitfraudFix
http://siri.urz.free.fr/Fix/SmitfraudFix_En.php


Please Copy and Paste the contents of the HTML Log files;
C:\mcafee\Normal_ScanReport.HTML & C:\mcafee\Safe_ScanReport.HTML in your reply.

* * * Please report back your results * * *
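
The folder check described in the reply above, as an added example that is not part of the original post: it lists the subfolders of a Java install directory and flags any that are older than the `jre1.5.0_07` baseline the post names. The folder names in `demo()` are constructed sample data, and the `j2re`/`jdk`/`j2sdk` prefixes are an assumption about how older Sun installers named their folders.

```python
import os
import re
import tempfile

# Baseline taken from the post: JRE 5.0 Update 7 installs as jre1.5.0_07.
BASELINE = (1, 5, 0, 7)

# Assumed folder naming: a j2re/jre/jdk/j2sdk prefix, then major.minor.patch
# and an optional _NN update suffix.
_NAME = re.compile(r"^(?:j2re|jre|jdk|j2sdk)(\d+)\.(\d+)\.(\d+)(?:_(\d+))?$", re.I)

def parse_version(folder_name):
    """Return (major, minor, patch, update), or None if the name is not a Java folder."""
    m = _NAME.match(folder_name)
    if not m:
        return None
    major, minor, patch, update = m.groups()
    return (int(major), int(minor), int(patch), int(update or 0))

def audit_java_dir(java_root, baseline=BASELINE):
    """Classify each subfolder of java_root as 'ok', 'outdated' or 'unknown'."""
    results = {}
    if not os.path.isdir(java_root):
        return results  # no Java folder present: nothing to flag
    for name in sorted(os.listdir(java_root)):
        if not os.path.isdir(os.path.join(java_root, name)):
            continue
        version = parse_version(name)
        if version is None:
            results[name] = "unknown"   # not a recognised Java folder name
        elif version < baseline:
            results[name] = "outdated"  # older than the baseline: remove it
        else:
            results[name] = "ok"
    return results

def demo():
    """Build a constructed folder layout in a temp dir and audit it."""
    with tempfile.TemporaryDirectory() as root:
        for name in ("jre1.5.0_07", "jre1.5.0_04", "j2re1.4.2_08", "shared"):
            os.mkdir(os.path.join(root, name))
        return audit_java_dir(root)

if __name__ == "__main__":
    for folder, status in demo().items():
        print(f"{status:9} {folder}")
```

On a real machine, call `audit_java_dir(r"C:\Program Files\Java")`; any folder reported as `outdated` is one the post says should be uninstalled.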
 
Drax

From: "Drax" <[email protected]>

| I installed no new software or made any new updates yet, when I boot
| my computer the Classic Windows Style was replaced with the Windows XP
| Style. I have had the computer for about 3 months and never had a
| problem like this before. I fixed it by just going into Control Panel
| clicking on Appearance and Themes then clicking on Display opening
| Appearance then changing it back to Classic Windows Style but, what
| caused it to happen?
|
| Was this a virus? I check with Norton but, found no virus.

Sounds like a smitFraud Trojan, not a virus.

Thanks for your help but, SmitFraud gives a Warning message "your
computer is infected with SmitFraud virus/spyware" and I never got
such a message. I also never found any of the SmitFraud files listed
on website about removing SmitFraud on my computer? Now with
SmitFraud you should not be able to change their warning
message/Screen Saver by changing the Setting in Windows Control Panel
yet, that what I did?

Ad-Aware never found SmitFraud?

My problem seems to have been the Setting had just been changed from
Classic Windows Style to the Windows XP Style. I am the only one with
access to the computer and I didn't change the setting or click on any
strange E-mails.

Thanks Again for taking the time to help me ;)
 
David H. Lipman

From: "Drax" <[email protected]>


| Thanks for your help but, SmitFraud gives a Warning message "your
| computer is infected with SmitFraud virus/spyware" and I never got
| such a message. I also never found any of the SmitFraud files listed
| on website about removing SmitFraud on my computer? Now with
| SmitFraud you should not be able to change their warning
| message/Screen Saver by changing the Setting in Windows Control Panel
| yet, that what I did?
|
| Ad-Aware never found SmitFraud?
|
| My problem seems to have been the Setting had just been changed from
| Classic Windows Style to the Windows XP Style. I am the only one with
| access to the computer and I didn't change the setting or click on any
| strange E-mails.
|
| Thanks Again for taking the time to help me ;)

There is actually a family of malware that I and others relate to the SmitFraud.

The possibility of the FakeAlert, ZLob/Puper and other Trojans are associated with this type
of activity. While you might not have the exact message "your computer is infected with
SmitFraud virus/spyware", that is old and has been replaced by numerous messages.

Here are some web sites this family send 'ya to..

hxxp://www.securityuptodate.com/
hxxp://www.safetyuptodate.com/
hxxp://www.syssecuritysite.com/

Here are some warning messages...
Computer is infected w/trojan i worm-attck-v122.02a

warning: w32.myzor.fk@yf is a virus that infects files with .exe extensions.
It attempts to steal passwords and private information from the infected computer.

Title: 'Alert! Trojan.Virus.Z.32.exe launch attempt detected...'
Message: 'It is recommended that you run a full system scan now to
reveal other possible threats. Click here to download spyware
remover.'

Title: 'Internet attack attempt detected...'
Message: 'Somebody's trying to infect your system with spyware or
harmful viruses. Run system scan now to secure your PC from Internet
attacks and hijacking attempts!
Click here to download spyware remover now...'

Title: 'Alert!'
Message: 'Trojan.Virus.Z.32.exe launch attempt detected and blocked!
It is recommended that you run a full system scan to reveal other
possible threats.
Click here to visit Security Center web site and protect your system
against spyware and harmful viruses...'

Title: 'Credit card hijacking attempt detected...'
Message: 'This is a result of harmful spyware activity.
Scan your PC now to reveal and remove malicious spyware.
Visit Windows Security site to download antispyware...'

Title: 'Alert: You are receiving spam!'
Message: 'This means your computer is infected with malicious spyware.
Scan your computer now. Click here to protect your computer against
spyware, adware and trojans!'

Title: 'Danger! Spyware activity detected on your computer...'
Message: 'Full system scan highly recommended to remove possible
malicious spyware. Scan now to remove all spyware and adware!
Visit Windows Security Center web site to protect your computer...'

Title: 'Warning! Your computer is not protected against spyware...'
Message: 'This may lead to your PC getting infected with malicious
spyware able to steal your data including passwords, credit card
numbers, etc.
Scan your computer for spyware now!'

Title: 'Your data is being transmitted to another computer...'
Message: 'DATA MINER - a dangerous spyware stealing and collecting
your data, possibly does this. Scan your PC now to get rid of this
malicious program. Click here to download spyware remover to protect
your PC.'

Title: 'Warning: Your security and privacy are at risk!'
Message: 'Spyware has been detected on your computer.
Click here to run a full system scan to protect your PC...'

Title: 'Alert:'
Message: 'The following program C:\windows\system\keylogger.exe#CR#is
trying to monitor and log login names and passwords entered from your
keyboard. Scan your PC now to remove possible keyloggers and other
spyware!'

Title: 'Danger: Potential spyware operation!'
Message: 'Your computer is making unauthorized copies of your system
and Internet log files. Run full scan now to prevent any unauthorized
access to your log files!
Visit Windows Security Center web site now...'

Title: 'Warning! Outside access attempt detected:'
Message: 'Somebody's trying to gain access to your PC using DATA MINER
program. Run System Scan now to block further unauthorized access
attempts.
Click here to visit Windows Security web site...'

Title: 'Your computer is working slowly!'
Message: 'Slow operation speed might have been caused by malicious
spyware. Run Spyware scan now to remove all viruses and spyware
programs from your computer!
Click here to visit Windows Security Center web site...'

Title: 'System alert:'
Message: 'Warning! Spyware detected on your computer.
Click here to remove all spyware and viruses immediately...
Protect your system today.'

Title: 'Warning: System Protection notice!'
Message: 'Protect your system against spyware and harmful viruses.
Click here to protect your PC immediately!'
 
Drax

From: "Drax" <[email protected]>


| Thanks for your help but, SmitFraud gives a Warning message "your
| computer is infected with SmitFraud virus/spyware" and I never got
| such a message. I also never found any of the SmitFraud files listed
| on website about removing SmitFraud on my computer? Now with
| SmitFraud you should not be able to change their warning
| message/Screen Saver by changing the Setting in Windows Control Panel
| yet, that what I did?
|
| Ad-Aware never found SmitFraud?
|
| My problem seems to have been the Setting had just been changed from
| Classic Windows Style to the Windows XP Style. I am the only one with
| access to the computer and I didn't change the setting or click on any
| strange E-mails.
|
| Thanks Again for taking the time to help me ;)

There is actually a family of malware that I and others relate to the SmitFraud.

The possibility of the FakeAlert, ZLob/Puper and other Trojans are associated with this type
of activity. While you might not have the exact message "your computer is infected with
SmitFraud virus/spyware", that is old and has been replaced by numerous messages.
snip

Thanks but, there was no Warning Message or pop-up or anything else
just the Display setting was changed so the buttons were XP style not
Classic style.
 
Offbreed

Drax said:
My problem seems to have been the Setting had just been changed from
Classic Windows Style to the Windows XP Style. I am the only one with
access to the computer and I didn't change the setting or click on any
strange E-mails.

Considering the way MS feels free to screw with custom settings, I'd
suspect the upgrade just before the problem showed up was involved.

Undue cynicism?
 
edgewalker

Offbreed said:
Considering the way MS feels free to screw with custom settings, I'd
suspect the upgrade just before the problem showed up was involved.

Undue cynicism?

I was thinking the same thing, but the OP said no updates were done.

Always check your setting after updates - Windows Update will even
mess with security settings (at least on W98 it does).
 
Art

I was thinking the same thing, but the OP said no updates were done.

Always check your setting after updates - Windows Update will even
mess with security settings (at least on W98 it does).

It does with Win 2K as well. If you have disabled NetBios and all the
other things required to disable services that hold ports open, the
WU Trojan will reverse some of your work and leave you a sitting
duck if you don't have active firewall blocking.

Art
http://home.epix.net/~artnpeg
 
Drax

I was thinking the same thing, but the OP said no updates were done.

Always check your setting after updates - Windows Update will even
mess with security settings (at least on W98 it does).

I use Win XP and have not updated in over a month
 
