spam inserted as wall paper

Guest

Hi -- Some spam was inserted on my son's computer -- a message about the
dangers of spyware. It has a black background, takes up the whole screen with
a "Danger" warning, and I can't get rid of it. Otherwise the computer
functions normally. At the bottom, there's a link for "removal instructions"
but when you click it, it takes you to "topantispyware.com" and lists search
results for various spyware software.

We subscribe to McAfee antivirus software online, and ran the scan, removing
all the spyware it could find. Any clues on how I can get rid of this junk?
Thanks.

David
 
Guest

Sounds like adware/spyware.

Install Ad-Aware Personal Edition, Spybot, and the MS AntiSpyware Beta and
run a scan.
 
Malke

DZigas said:
Hi -- Some spam was inserted on my son's computer -- a message about
the dangers of spyware. It has a black background, takes up the whole
screen with a "Danger" warning, and I can't get rid of it. Otherwise the
computer functions normally. At the bottom, there's a link for "removal
instructions" but when you click it, it takes you to "topantispyware.com"
and lists search results for various spyware software.

We subscribe to McAfee antivirus software online, and ran the scan,
removing all the spyware it could find. Any clues on how I can get rid
of this junk? Thanks.

This has nothing to do with viruses, so your McAfee can't deal with it.
You need to clean up your computer because I can assure you with almost
100% certainty that the cr*p causing your immediate problem is not the
only malware on your system.

To remove the spam message, you will need to go to the Display applet in
Control Panel. Click on the Desktop tab and then on the Customize
Desktop button. Now click on the Web tab. Clear all checkmarks on that
tab, Apply and OK out. I just had something like this on a client's
machine and the infector page was "security.html". Also, every time I
would open Display Properties from the Desktop, the infector would
crash Explorer. I was able to kill it from the Control Panel, and then
find the referenced file and delete it.

As I said in the first paragraph, it is extremely likely that you have
other malware on the system. Go through the following removal steps,
doing everything with updated tools in Safe Mode:

1) Scan in Safe Mode with current version (not earlier than 2004)
antivirus using updated definitions.

Before you remove malware, get LSPFix (or WinSockFix for XP which you
can get from MajorGeeks) - see links below.

2) Remove spyware with Spybot Search & Destroy and Ad-aware. These
programs are free, so use them both since they complement each other.
There is a new version of CWShredder from Intermute. I would not
install the other Intermute programs, however. Alternately, there are
CoolWebSearch malware removal steps at SilentRunners.

Be sure to update these programs before running, and it is a good idea
to do virus/spyware scans in Safe Mode. Make sure you are able to see
all hidden files and extensions (View tab in Folder Options).

If the malware remains even after you used Ad-aware and Spybot, you can
scan with HijackThis. HijackThis is an excellent tool to discover and
disable hijackers, but it requires expert skill. See below for
HijackThis links, including sites where you can post your HJT logs. A
combination of HijackThis and About:Buster works well in removing the
About:Blank homepage hijacker. Again, this is an expert tool and
novices should get help with it.

3) If you are running Windows ME or XP, you should disable/enable System
Restore after the system is clean because malware will be in the
Restore Points. With ME, you must disable System Restore completely.
With XP, you can delete all but the most recent (presumably clean)
System Restore point from the More Options section of Disk Cleanup
(Run>cleanmgr).

4) Make sure you've visited Windows Update and applied all security
patches. Do not install driver updates from Windows Update.

5) Run a firewall.

Links to help with malware:

Software/Methods:
http://www.safer-networking.org - Spybot Search & Destroy
http://www.lavasoftusa.com - Ad-aware
http://www.majorgeeks.com - good download site
http://www.intermute.com/spysubtract/cwshredder_download.html
http://www.silentrunners.org/sr_cwsremoval.html. - SilentRunners
http://www.cexx.org/lspfix.htm - Repair Winsock 2 settings after
removing spyware
http://www.spychecker.com/program/winsockxpfix.html - WinsockXPFix.exe

HijackThis:
http://www.aumha.org/a/hjttutor.htm - HijackThis tutorial by Jim
Eshelman
http://aumha.net - forums
http://spywarewarrior.com/viewforum.php?f=5 - Spyware Warrior HijackThis
forum
http://www.wilderssecurity.com/
http://forums.tomcoyote.org/

General:
http://aumha.net - look under "Security" for various forums
http://rgharper.mvps.org/cleanit.htm
http://mvps.org/winhelp2002/unwanted.htm
http://www.aumha.org/a/parasite.htm - The Parasite Fight
http://www.spywarewarrior.com/rogue_anti-spyware.htm

Malke
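
The Web tab items Malke describes are stored per user in the registry, so the same check can be made from an export of that key. This is an added example, not part of the thread: the key path, the numbered subkeys with a "Source" value and the stock "About:Home" entry are assumptions about Windows XP's Active Desktop storage, and the sample export and its EXAMPLE path are constructed.

```python
import re

# Constructed sample of a .reg export; the EXAMPLE path is a placeholder.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\1]
"Source"="C:\\EXAMPLE\\security.html"
'''

# Assumed key layout: one numbered subkey per web item, with a "Source" value.
COMPONENTS = r'HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components'
KEY_RE = re.compile(r'^\[(.+)\]$')
VAL_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')

def parse_components(reg_text):
    """Return {subkey: {value name: string data}} for each desktop web item."""
    items, current = {}, None
    prefix = COMPONENTS.lower() + '\\'
    for line in (l.strip() for l in reg_text.splitlines()):
        key = KEY_RE.match(line)
        val = VAL_RE.match(line)
        if key:
            name = key.group(1)
            inside = name.lower().startswith(prefix)
            current = items.setdefault(name[len(prefix):], {}) if inside else None
        elif val and current is not None:
            # .reg files escape backslashes and quotes inside string data
            current[val.group(1)] = re.sub(r'\\(.)', r'\1', val.group(2))
    return items

def classify(source):
    s = source.lower()
    if s == 'about:home':
        return 'home-page'
    if s.startswith(('http://', 'https://')):
        return 'remote'
    return 'local-html' if s.endswith(('.htm', '.html')) else 'other'

def review_list(reg_text):
    """Web items other than the stock home-page entry, for manual review."""
    found = [(k, classify(v.get('Source', '')), v.get('Source', ''))
             for k, v in sorted(parse_components(reg_text).items())]
    return [item for item in found if item[1] != 'home-page']
```

Exports written by regedit in the "Version 5.00" format are UTF-16 text, so decode the file with that encoding before passing its contents to `review_list`.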
 
Guest

Malke -- Thanks a ton. Your advice got rid of the message. I will follow up
with the further spyware software you mention. Thanks again. -- David
 
Guest

Phil -- Thanks for the help. -- David

Phil Agcaoili said:
Sounds like adware/spyware.

Install Ad-Aware Personal Edition, Spybot, and the MS AntiSpyware Beta and
run a scan.
 
Guest

Malke -- Could you clarify -- in step 1), what is the anti-virus scan in safe
mode you refer to? Is it a Windows XP utility that I need to update? Thanks
for all your time. -- David
 
Malke

DZigas said:
Malke -- Thanks a ton. Your advice got rid of the message. I will
follow up with the further spyware software you mention. Thanks again.
-- David

Excellent. Do continue with the cleaning steps. Step 1 means that you
scan with whatever full-featured antivirus you have installed. I
believe you said you have McAfee? In that case you would update the
virus definitions and do a scan in Safe Mode. To get into Safe Mode,
repeatedly tap the F8 key as the computer is starting up. This will get
you to the proper menu. The reason for doing all the av and malware
tools scans in Safe Mode is because you cannot delete files that are in
use. Malware will be running in Regular Mode. Although there are some
nasties that will run in Safe Mode, most will not.

HTH,

Malke
 
Guest

This sounds like a newer type of browser hijacking. If you open your Windows
Explorer does it have a new home page with these messages? And you can't
re-set it? Then your browser is hijacked and you have a spyware/trojan virus.
Try Microsoft AntiSpyware beta or a good program like Spysweeper. Note: be
careful, some of these trojans log keystrokes and can steal personal info.
 
Guest

If you open your windows
explorer does it have a new home page with these messages?

No, it didn't seem to hijack IE. It planted itself as the wallpaper, but had
a link to a spyware search in it. Obnoxious but not particularly malicious.
Malke's instructions got rid of it. Thanks. -- David
 
