I clicked on a link to a nude photo for "Angelina Jolie"
The following day, when I started the computer, the Desktop Background had been replaced with a "Your Computer Has a Virus, Please Clean your Computer" [blue background, yellow/black lettering]...
I immediately scanned the computer with Avast anti-virus, which found two files that it put into the 'Safe Area' following the scan.
However, on and off, the computer goes into ScreenSaver mode. I typically don't have the Screensaver in use. This ScreenSaver shows erroneous errors, that could not be taking place. At least for now that is what I think it is since, I do not understand how a program can just 'run' without someplace on the computer to do so.
I later figured this must be a ScreenSaver. So then- the Display Properties, the "Desktop" tab, and "ScreenSaver" tabs are missing. I cannot change what is being shown on the computer at my Desktop. Or 'Change The Background'; howbeit, there is still the individual file option that will set the Background.
If I right click to 'Show the Desktop', the option to do so does not work.
At present am scanning with Online, House Call (Trend Micro). Don't know the extent of what is/has been done to computer from clicking this .avi.exe file as I did. Suggestions would be helpful. Don't have programming expertise below the interface.
I'm under the impression that I will have to replace some files, but I don't know which. Or replace the video driver files. Going on to Scan the hard drive/defrag. Since the two files found for/from the Avast Antivirus- were also in the Systems 'Restore' file. Since removed.
Have computer with ScreenSaver..perhaps. Will Travel.
This may not be a ScreenSaver. However.. I know that.. If the 'error message/-era maybe avi.com comes on...
I can..
er-a..usually..use 'Esc' key - or any other key to bring up the Windows Screen Desktop.
If I watch the thing run,too long.,this does not work so ...easily.. esc key.
I'm pretty sure that I have several video driver files damaged. And maybe the ACPI (power) problems coming on, as a direct result of some damaged System Files. Or more stooge lunacy from the aspects of the virus program.
Seems the more I let it run, the more difficult it is to get the Desktop back up. Still running the House Call (Trend Micro). Have not Defragged the Hard drive. Yet. Would like to run System File Checker.
XP SP3...machine.
Last edited by KaleidiScope; 31st July 2008 at 08:00.
Ran Avast Antivirus.. found two files which are locked up. Others were deleted when found.
Ran Spybot Search&Destroy. Inoculated Explorer.
.Stopped program after 5 hours of slow going.
Ran online version of Trend Micro's.. Housecall. 2 hours slow going.
-Discovered Tabs missing within Display Properties (ScreenSaver, and Appearance).
Rolled Video Driver Back to previous version.
Rolled Video Driver Forward (Using Microsoft's Update)
- no change to Display panels.
Also found interesting reference Microsoft's Knowledge base concerning running System File
Checker (with only the Restore option using re-installing the Op.Sys.)
+Creating a New User Account on My Computer.
+Ran System File Checker* Following doing this,for another angle.
*the specific command I found in XP Home Edition Cowart&Kittel page 875
...it did not run until a new Start-up.
**curious as to the differences between this and what Windows Update
may now see.
Result,.. on the new user account, the Display Panel Tabs are back
User Icons are Displayed along with Desktop
-set sufficient power settings.
.....................Reading Your Post.....
Switching over to previous user account. With a Restart.
->This User: The Display Panel Tabs are still gone.
no access to the Desktop icons. Previously Hidden.
Run Hijack This
Run Deckards...
Note: Creating Restore Points this Computer is not advisable (restore points).
They are disabled for a reason! These system files must be taking a beating,
with all these scans. As noted above, I have/had done several things previous
to Running Hijack This, and Deckards. The removed files via Avast Antivirus
are available for upload to Trend Micro if needed.
Creating a new User Account, Seemed (so far) to enable a running system. Intend
to run System File Checker, on This User Account. Also- XP Home Edition does
not have much control of User/User policies. With only two different Account
Types.
I:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe"
*was a program from a 'Trial Version',that insists on being part of the system.!
B)**** Declined By Poster. Thanks.
Comment: I'm posting this against my better judgement. With the disclaimer that the
'composition of its components are those of the poster. Illegal uses of the
information is prohibited. <KaleidiScope>
Deckard's System Scanner v20071014.68
Run by Mr. Mike on 2008-07-31 04:31:52
Computer is in Normal Mode.
--------------------------------------------------------------------------------
-- System Restore --------------------------------------------------------------
System Restore is disabled; attempting to re-enable...success.
Backed up registry hives.
Performed disk cleanup.
-- HijackThis (run as Mr. Mike.exe) --------------------------------------------
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:38:55 AM, on 7/31/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal
Hi KaleidiScope
First I have a question and some requests.
Is the I drive the one that was infected? I ask because normally the main Drive is C or sometimes D.
Next, You will need to run any tools while logged onto the user account that was first infected.
Please open Notepad and uncheck Word Wrap, it is found in the format tab.
dss.exe needs to be on your Desktop, not in a folder on the desktop or any other location. The Green icon needs to be showing on the desktop.
Now please do this in the order given.
** dss.exe must be on the desktop for the following command to work. **
Highlight and copy the bolded command below.
"%userprofile%\desktop\dss.exe" /daft
Click Start>Run and paste the command in the run box, then hit enter.
An interface of Deckard's file association fix will open.
Click Scan.
Check the box next to the following, then click Fix.
.cpl
Exit when complete.
Now this.
Download Malwarebytes' Anti-Malware (MBAM) from here or here and save the file to your desktop.
Double click mbam-setup.exe to install the application.
Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
If an update is found, it will download and install the latest version.
Once the program has loaded, select 'Perform Quick Scan', then click Scan.
The scan may take some time to finish, so please be patient.
When the scan is complete, click OK, then Show Results to view the results.
Make sure that everything is checked, and click Remove Selected.
When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Note below)
The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
Post the entire report in your next reply along with a fresh HijackThis log.
Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.
posting at your site is hit and miss 5:08 pm... got limitations to using two users. Considering the south bridge on a KT7 does not multi-task that well. Nor the applications.. Zone Alarm, Avast etc. Turn them on, turn them off. (I might just say I'm jumping off the south bridge. With a Q9450 someday).
Won't be able to post for a couple of days till I get some more time. Thanks for help.
Yeah I don't have a desktop.. No Icons are available. To Do this!
As for backing up, or turning on Restore Points. I usually have one, and one only. On a 6+ Drive/partitioned system. Problem being a Dual Boot machine/Fat32 - where while using Applications (and File System) Registry, and
Applications (saved files settings).. I do not want to mesh.
+Think I will first: +Defrag the drive/Delete the User.
+Scan the Registry on a New User. And Migrate the settings to the new user.
Something such as this. When I return to use the Tools you showed me, I will be doing a different user on the same machine. Need some schooling on how to run User Policies. Yet on a Home Edition machine,....
We'll have to agree to disagree on Backing Up an Infected set of information. Depends a lot on your setup.
note: The Screen Saver which runs when switching between users... this may be a problem for securities sake. As well in addition it is a problem on a 1/8 operating machine such as mine still using a 200Mhz bus for sure.
Try Castigating from the hardware side....and PS: I'm listening. Will use your post very carefully. Sorry couldn't do that just now.
Last edited by KaleidiScope; 1st August 2008 at 02:41.
Reason: Sorry about ''next',adjacent. No DSS,or MBAM post info.
Hi KaleidiScope
If you are unwilling to do things in the order given, and no more than required to complete those instructions, I will be unable to assist you.
There's no way I'll be able to tell what you have or have not done and what the consequences of the changes you make may be, when telling you to run the tools I ask you to run.
You do what you feel you need to do, then after you have done all you feel you need to do, then come back if you still require help.
Geri
Let's see.. was no way to look at the desktop. However through Files/Folder could negotiate
seeing them.
DSS.exe did not want to start. Had to delete it. Then, download the file a second attempt.
Malware Bytes.. the Updater - .. did not update. However with the larger application running,
simply updated it. Then run the program.
Desktop Right Click Menu- returned.
Desktop Icons - returned.
Holding for any of the error messages. Shown below deleted.
Will still run Defrag, System File checker.
Interesting. Groovy.
Note: Same disclaimer here as previous post. Composition of these files and structures are those of the poster <KaleidiScope>***. Illegal use of its contents are prohibited.
***Declined by poster. Thanks.
Results.. Found two malware "Trojan Fake Alerts" (.bmp, and .scr).
Converted Original Wall Paper, Converted Wall Paper,
Screensaver.exe
Should I worry about "O24 - Desktop Component 0: (no name) - (no file)"?
Files Infected:
I:\WINDOWS\system32\phcv4kj0e1ga.bmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
I:\WINDOWS\system32\blphcv4kj0e1ga.scr (Trojan.FakeAlert) -> Quarantined and deleted successfully.
Hijack This Fresh Log.
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:20:26 PM, on 7/31/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal
Should I send their information to the malware application people from the scan ?
Wonder how come Avast didn't find screensaver.exe?
Is this sufficient, should I be wary of simply continuing as normal now. Anything else I should do? I wouldn't want to be putting crud out to anybody/everyone/anyone I visited. Or dump some unknown application on just running it.
Have run Avast, HouseCall, Hijack this, Malware Bytes, Spybot Search & Destroy.
Or should I be anything other than 'happy', do have this stuff found? I'll just leave this answer to 'well enough alone'. To your reply.. good day, good night.
Ps:Got Tabs Back On Display Properties
Icons Showing On Desktop
Show Icons' menu returned.
Last edited by KaleidiScope; 1st August 2008 at 07:28.
Should I send their information to the malware application people from the scan ?
That's not necessary.
Please re-open HiJackThis and scan only. Check the boxes next to all the entries listed below.
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.***.com/ <<Fix this if you don't know what it is, the board blocked out the name.
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O24 - Desktop Component 0: (no name) - (no file)
Now close all windows other than HiJackThis, then click Fix Checked.
Close HJT.
Now do this.
Please download ATF Cleaner by Atribune. This program is for XP and Windows 2000 only.
Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.
If you use Firefox browser
Click Firefox at the top and choose: Select All
Click the Empty Selected button. NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browser
Click Opera at the top and choose: Select All
Click the Empty Selected button. NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.
Once you are on the Panda site click the Scan your PC button
A new window will open...click the Check Now button
Enter your Country
Enter your State/Province
Enter your e-mail address and click send
Select either Home User or Company
Click the big Scan Now button
If it wants to install an ActiveX component allow it
It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
When download is complete, click on My Computer to start the scan
When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location. Post the contents of the ActiveScan report
Thanks
Geri
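Two of the three HijackThis entries Geri asks to have fixed above end in "(no file)": the registry still references a file that has already been removed. As an added example (not part of the original thread and not HijackThis's own code), this Python parser reads log lines and lists the entries worth reviewing; the O4 sample line, the function names and the reason strings are constructed for illustration.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample: the three entries quoted in the post above, plus one
# constructed O4 autostart line (hypothetical program) for contrast.
SAMPLE_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.2
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.***.com/
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O24 - Desktop Component 0: (no name) - (no file)
O4 - HKLM\..\Run: [ExampleApp] C:\Program Files\Example\example.exe
"""

# "<section code> - <body>", e.g. "O2 - BHO: ..."
ENTRY_RE = re.compile(r"^([RFNO]\d{1,2}) - (.+)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
# "<registry key>,<value name> = <data>", the shape of the R0 line above
REG_VALUE_RE = re.compile(r"^(HK[A-Z]+\\[^,]+),(.+?) = (.*)$")


@dataclass
class Entry:
    section: str                      # section code, e.g. "O2"
    body: str                         # text after "<code> - "
    clsid: Optional[str] = None       # normalised to upper case when present
    reasons: List[str] = field(default_factory=list)


def parse_entries(log_text: str) -> List[Entry]:
    """Parse entry lines; header and blank lines are skipped."""
    entries = []
    for raw in log_text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if not m:
            continue
        entry = Entry(section=m.group(1), body=m.group(2))
        clsid = CLSID_RE.search(entry.body)
        if clsid:
            entry.clsid = clsid.group(0).upper()
        if entry.body.endswith("(no file)"):
            entry.reasons.append(
                "orphaned: entry references a file that is missing from disk")
        if "(no name)" in entry.body:
            entry.reasons.append("unnamed: no display name registered")
        reg = REG_VALUE_RE.match(entry.body)
        if entry.section in ("R0", "R1") and reg:
            entry.reasons.append(
                f"browser setting {reg.group(2)!r}: confirm the user chose this URL")
        entries.append(entry)
    return entries


def review_list(entries: List[Entry]) -> List[Entry]:
    """Entries with at least one reason to look at them by hand."""
    return [e for e in entries if e.reasons]


if __name__ == "__main__":
    for e in review_list(parse_entries(SAMPLE_LOG)):
        print(e.section, e.clsid or "-", "; ".join(e.reasons))
```
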
Somehow the sequence of your instructions are off. In Panda ActiveScan.
Perhaps I might have been told to 'register' for the program which 'Deletes' the found files. There are a couple of Options at that Panda Site. One Option is the Freebie w/o Registration which only scans and Sends data back to Panda. The Other Option Is the Register... Then Scan - which has the Option of Cleaning files found.
I did the Scan, where I could not understand.. Nothing asked for Email, address, and nothing for country etc (as you show). It is how I stated though. I would have to first 'Register, Receiving an Email for Verification, then, Sign In.
It would have of course been simpler to first, Register, then Scan. Since even though there was a prompt to Register with the sequence I did AFTER Scanning. I did not receive an Email. Then upon attempting to Log In. I was told to wait for the Email. The browser shut down.
This after a 5 hr scan.
Oops! There's been an error...
Don't worry, we've taken note and we're working on a solution. Please try again later.
Anyway..
I'm not complaining. Patience is like stone around here.
Try again tomorrow. Maybe I'll have the email when I wake.
Panda Active Scan 2 with "Export File.txt" Results
Quote:
Originally Posted by Geri
Hi
That's not necessary.
Please re-open HiJackThis and scan only. Check the boxes next to all the entries listed below.
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.***.com/ <<Fix this if you don't know what it is, the board blocked out the name.
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O24 - Desktop Component 0: (no name) - (no file)
Now close all windows other than HiJackThis, then click Fix Checked.
Close HJT.
Now do this.
Please download ATF Cleaner by Atribune. This program is for XP and Windows 2000 only
Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.
If you use Firefox browser
Click Firefox at the top and choose: Select All
Click the Empty Selected button. NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browser
Click Opera at the top and choose: Select All
Click the Empty Selected button. NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.
Once you are on the Panda site click the Scan your PC button
A new window will open...click the Check Now button
Enter your Country
Enter your State/Province
Enter your e-mail address and click send
Select either Home User or Company
Click the big Scan Now button
If it wants to install an ActiveX component allow it
It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
When download is complete, click on My Computer to start the scan
When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location. Post the contents of the ActiveScan report
Thanks
Geri
This is the PandaActive Scan 2.Page I get from your link:
;*******************************************************************************
ANALYSIS: 2008-08-02 07:40:48
PROTECTIONS: 1
MALWARE: 3
SUSPECTS: 1
;*******************************************************************************
PROTECTIONS
Description Version Active Updated
;===============================================================================
Zone Alarm Security Suite 7.0.483.000 No No
;===============================================================================
MALWARE
Id Description Type Active Severity Disinfectable Disinfected Location
;===============================================================================
00168076 Cookie/BurstNet TrackingCookie No 0 Yes No C:\WINDOWS\Cookies\***[2].txt
00168097 Cookie/BurstBeacon TrackingCookie No 0 Yes No C:\WINDOWS\Cookies\***[2].txt
03074964 Trj/CI.A Virus/Trojan No 0 No No G:\More Archives\Camel XII To Jan 26 04d\Camel XII Workshop Nov 19 03\Working Downloads\newslimbrowser\sbrowser.exe[²≡\ExtractDLL.dll]
;===============================================================================
SUSPECTS
Sent Location
;===============================================================================
Yes C:\Program Files\Viewpoint\Viewpoint Toolbar\ViewBar.dll
;===============================================================================
VULNERABILITIES
Id Severity Description
;===============================================================================
;===============================================================================
Maybe Panda Updated their web site since you last visited ? These cookies should have been searched and found first I think.
Could have typo'd my email address on signing in. The Virus was detected on the C: Drive. Where I have W98SE.
Last edited by KaleidiScope; 2nd August 2008 at 17:07.
Reason: Poster Declined. <KaleidiScope>