"warning you are in danger" wallpaper

Discussion in 'Malware Help (A Specialist Will Reply)' started by wizz, Mar 20, 2005.

  1. wizz

    wizz Private First Class

    "Warning you are in danger" wallpaper has appeared on my desktop and it has been impossible for me to remove it. I had tried running Spybot, Ad-Aware, Spy Sweeper, Spyware Doctor and Microsoft's Anti-spyware program. So far none of these programs have picked this up. Any ideas on how to remove this off of my PC? I have also tried changing the wallpaper through Control Panel, but it still doesn't work. I think this isn't a spyware problem and that's why the programs are not removing this problem, but I'm not sure and my last chance was to post in this forum.
    I appreciate the help
     
  2. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    First, please follow ALL the steps in this Sticky thread READ ME FIRST BEFORE ASKING FOR SUPPORT: Basic Spyware, Trojan And Virus Removal

    After doing ALL of the above if you still have a problem:


    • Unzip the hijackthis.exe file to a folder you create named C:\Program Files\HJT
    • Do NOT run Hijack This from the Desktop, a temp folder, or a sub-folder of C:\Documents and Settings, or choose to run it directly from the ZIP file.
    • Before running HijackThis: You must close each of the following: your web browser, e-mail client, instant messenger, and programs like Notepad, WordPad, MS Word etc., and any other unnecessary running programs.
    • Run HijackThis and save your log file.
    • Post your log as an ATTACHMENT to your next post. (Do NOT copy/paste the log into your post).
     
  3. wizz

    wizz Private First Class

    Wow! Thanks for the quick response. Well, I had already read and tried your "READ ME FIRST" but it did not help me. Here is my HijackThis log file, hope I did it correctly.
    Thank you
     

    Attached Files:

  4. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    First:
    Please download: HSFix.zip
    • Do not run it yet!
    Second:
    Download this program and follow the steps below: Hoster.

    • Unzip Hoster to a convenient folder such as C:\Hoster
    • Run Hoster.exe, click Restore Original Hosts and then click OK.
    • Click the X to exit the program.


    Third:
    Please print out these instructions so that you can operate with All Browser Windows CLOSED.

    Please make sure System Restore is OFF and the Viewing of Hidden Files & Folders is Enabled as per the tutorial.



    Now, look in Task Manager (Ctrl-Alt-Del) for the following running processes and, if you see it, try to END it:

    iisver.exe


    Fourth:
    Now scan with HijackThis and Check the Boxes for the following:

    Make sure All Browser Windows are Closed when you Click FIX.

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://172.16.1.1:4100/applet.html
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =

    R3 - Default URLSearchHook is missing

    O2 - BHO: EachDebug - {85572F82-D979-16F6-BE59-C10E091EC067} - C:\PROGRA~2\MEDIAL~1\rule eggs.dll (file missing)

    O3 - Toolbar: Bone Warn Mix - {8B80133B-16E5-69B6-0AAC-26C726F3C3DA} - C:\PROGRA~2\MEDIAL~1\rule eggs.dll (file missing)

    O4 - HKLM\..\Run: [ScanRegistry] C:\W
    O4 - HKLM\..\Run: [!!!AAAA-aaaagiochimkt] C:\DOKUME~1\4aaar\ANWEND~1\GIOCHI~1.EXE /ns
    O4 - HKLM\..\Run: [Jawa322] C:\WINDOWS\jawa32.exe
    O4 - HKLM\..\Run: [iisver] C:\WINDOWS\iisver.exe
    O4 - HKLM\..\Run: [vfdhkrkz] c:\windows\system32\vfdhkrkz.exe
    O4 - HKCU\..\Run: [Jawa32] C:\WINDOWS\jawa32.exe
    O4 - HKCU\..\Run: [Jawa322] C:\WINDOWS\jawa32.exe

    O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Programme\Yahoo!\Messenger\yhexbmes0521.dll (file missing)
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Programme\Yahoo!\Messenger\yhexbmes0521.dll (file missing)

    O15 - Trusted Zone: *.slotchbar.com
    O15 - Trusted Zone: *.windupdates.com
    O15 - Trusted Zone: *.skoobidoo.com (HKLM)
    O15 - Trusted Zone: *.slotchbar.com (HKLM)
    O15 - Trusted Zone: *.windupdates.com (HKLM)
    O15 - Trusted IP range: 67.19.178.84

    O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windupdates.com/cab/6247971CanadaInc/ie/bridge-c18.cab
    O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windupdates.com/cab/6247971CanadaInc/ie/bridge-c18.cab
    O16 - DPF: {7EB15626-CB8E-4174-8A72-C055B12B4310} - http://smartdownloader.com/installer.dll
    O16 - DPF: {F72BC3F0-6C20-4793-9DDA-258589D8A907} - http://akamai.downloadv3.com/binaries/IA/netslv32_ES_XP.cab

    O20 - Winlogon Notify: draw32 - C:\WINDOWS\SYSTEM32\draw32.dll


    Again, make sure All Browser Windows are Closed when you Click FIX.

    Fifth:
    NOW:
    Please boot into Safe Mode with the Viewing of Hidden Files & Folders Enabled and navigate to and DELETE the following if they should remain:

    C:\WINDOWS\iisver.exe

    C:\WINDOWS\jawa32.exe

    C:\WINDOWS\System32\vfdhkrkz.exe

    C:\WINDOWS\SYSTEM32\draw32.dll


    Sixth:
    Now, the file HSFix.zip you downloaded: locate it and extract the tool from the ZIP file to a folder you can easily find (preferably in its own folder, like c:\HSFix).

    DoubleClick hsfix.bat and let it run. It will produce a log here - C:\hslog.txt

    After this is complete, attach the log to your next post once you have rebooted. Complete the rest of these steps first!

    Seventh:
    Run CCleaner and Spybot S&D and have Spybot fix what it finds.
    Note: Don't forget to update Spybot S&D by selecting "Search For Updates".


    Then, as an added precaution, Go to Start > Run and type: cleanmgr and then click OK. Make sure the boxes for these are checked:
    Temporary Files
    Temporary Internet Files
    Recycle Bin


    And Click OK.



    Reboot to Normal Windows, scan with HijackThis and attach the new log, including the HSFix log.
    Let me know of any problems you may have encountered with the above instructions and also let me know how things are running now.

    Good Luck!:)
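
Added example (not part of bjgarrick's post and not a MajorGeeks or HijackThis tool): a short Python parser for the HijackThis result lines quoted in the fix above. It maps each O4 Run entry and O20 Winlogon Notify entry to the file it launches, so the registry entries ticked in the fourth step can be reconciled with the files deleted in the fifth. The sample lines are copied from the post; the function names and regular expressions are this example's own, and the line format is inferred from the entries shown in this thread.

```python
import re

# Lines copied from the fix list in the post above (not a complete log).
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://172.16.1.1:4100/applet.html
O2 - BHO: EachDebug - {85572F82-D979-16F6-BE59-C10E091EC067} - C:\PROGRA~2\MEDIAL~1\rule eggs.dll (file missing)
O4 - HKLM\..\Run: [Jawa322] C:\WINDOWS\jawa32.exe
O4 - HKLM\..\Run: [iisver] C:\WINDOWS\iisver.exe
O4 - HKLM\..\Run: [vfdhkrkz] c:\windows\system32\vfdhkrkz.exe
O4 - HKCU\..\Run: [Jawa32] C:\WINDOWS\jawa32.exe
O15 - Trusted Zone: *.windupdates.com (HKLM)
O20 - Winlogon Notify: draw32 - C:\WINDOWS\SYSTEM32\draw32.dll
"""

# Patterns inferred from the entries quoted in this thread (an assumption,
# not an official HijackThis format specification).
LINE_RE = re.compile(r"^([A-Z]\d{1,2}) - (.+)$")
RUN_RE = re.compile(r"^(HKLM|HKCU)\\\.\.\\(Run\w*): \[([^\]]*)\] (.+)$")
NOTIFY_RE = re.compile(r"^Winlogon Notify: (.+?) - (.+)$")
EXT_RE = re.compile(r"^(.+?\.(?:exe|dll|bat|cmd|com|scr))(?=\s|$)", re.I)


def command_path(cmd):
    """Return the program path from a Run value, dropping any arguments."""
    cmd = cmd.strip()
    if cmd.startswith('"'):                      # quoted path, may contain spaces
        end = cmd.find('"', 1)
        return cmd[1:end] if end != -1 else cmd[1:]
    m = EXT_RE.match(cmd)                        # unquoted: cut after the extension
    return m.group(1) if m else cmd.split()[0]   # no extension: first token


def autostart_files(log_text):
    """Map each launched file (lower-cased path) to the entries that name it."""
    files = {}
    for raw in log_text.splitlines():
        line = LINE_RE.match(raw.strip())
        if not line:
            continue                             # blank lines, headers, process list
        code, body = line.groups()
        body = body.replace(" (file missing)", "")
        if code == "O4" and (m := RUN_RE.match(body)):
            hive, key, name, cmd = m.groups()
            source, path = f"{hive} {key} [{name}]", command_path(cmd)
        elif code == "O20" and (m := NOTIFY_RE.match(body)):
            source, path = f"Winlogon Notify {m.group(1)}", m.group(2)
        else:
            continue                             # other sections are out of scope here
        files.setdefault(path.strip().lower(), []).append(source)
    return files


if __name__ == "__main__":
    for path, sources in sorted(autostart_files(SAMPLE_LOG).items()):
        print(f"{path}  <-  {', '.join(sources)}")
```

Two Run values under different names pointing at the same file, as with jawa32.exe here, collapse to one path with both sources listed.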
     
  5. wizz

    wizz Private First Class

    OK now... three questions: 1. How can I turn System Restore off? 2. How can I boot into Safe Mode? and 3. Where can I download CCleaner?
    Thanks again for the help
     
  6. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    I see someone didn't pay close attention to the READ ME as requested.

    DO NOT POST UNTIL YOU HAVE READ THIS: How to: Spyware, Trojan And Virus Removal

    The README is added for a reason; it's not here for looks, it's here for your benefit. Go back and read it!

    How to Enable/Disable System Restore

    How to start your computer in Safe Mode

    Download CCleaner Here!


    Next time, pay more attention to save both of us time ;)
     
  7. wizz

    wizz Private First Class

    Whoops... sorry about that... Well, my new problem is that I don't have a desktop; everything is covered by the wallpaper. Then when I look for My Computer in the Documents and Settings desktop folder all I see is a shortcut, and when I use it to find the real folder, I can't use the right click, something I forgot to say in my first post. I can't use the right click in all windows except for Explorer.
     
  8. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Can you get into Control Panel? Can you access the RUN window?
     
  9. wizz

    wizz Private First Class

    yes, both
     
  10. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Okay! Go into Control Panel, Double Click on System, select the System Restore tab and disable it.

    Now, Double Click on Display and select the Desktop Tab. Click the button "Customize Desktop" and select the "Web" Tab. Uncheck any boxes in here.

    After this, proceed with my fix; let me know if you have any further problems with this.
     
  11. wizz

    wizz Private First Class

    They are already unchecked. I read in other posts that this was the way to solve the wallpaper problem but it didn't work for me.
     
  12. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Please follow all the steps listed in my fix, after you complete it post a new HJT log.
     
  13. wizz

    wizz Private First Class

    Well, I guess I did as you told me, but still it did not work. Please tell me if I did something wrong. HijackThis and HSFix logs are attached as you asked me.
     

    Attached Files:

  14. wizz

    wizz Private First Class

    I forgot to say that the wallpaper is still there and right click still does not work...
     
  15. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Now scan with HijackThis and Check the Boxes for the following:

    Make sure All Browser Windows are Closed when you Click FIX.

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://172.16.1.1:4100/applet.html

    O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k

    O16 - DPF: {288C5F13-7E52-4ADA-A32E-F5BF9D125F98} - http://www.miniclip.com/bestfriends/retro64_loader.dll

    Again, make sure All Browser Windows are Closed when you Click FIX.


    NOW:
    Please boot into Safe Mode with the Viewing of Hidden Files & Folders Enabled and navigate to and DELETE the following if they should remain:

    Search for both files and delete when found!

    draw32.dll

    vtd_16.exe

    NEXT:
    Run CCleaner

    Reboot to Normal Windows

    Please download "StartDreck", from here: http://www.niksoft.at/_data/startdreck.zip

    Unzip to its own folder and start the program,
    Press 'Config'
    Press 'Unmark All'
    Check the following boxes only:
    Registry -> Run Keys
    System/drivers -> Running processes
    Press 'Ok'
    Press 'Save' and select the location to save the log file
    (default is the same folder as the application)

    Please attach the log in this thread.

    Also, Scan with HijackThis and attach the new log.
     
  16. wizz

    wizz Private First Class

    Here they are
     

    Attached Files:

  17. wizz

    wizz Private First Class

    Sigh... I forgot to run CCleaner... forget about the last post... I'll send you the log files again.
     
  18. wizz

    wizz Private First Class

    again... here they are...
     

    Attached Files:

  19. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Just try having HijackThis fix the following line:

    O4 - HKLM\..\RunOnce: [DELDIR0.EXE] "C:\DOKUME~1\4aaar\LOKALE~1\Temp\DELDIR0.EXE" "C:\Programme\McAfee\McAfee Shared Components\Guardian\"

    But do not delete any files yet. Then reboot your system and let us know if there is any change.
     
  20. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    By the way Spy Cleaner Gold is on a list of rogue/suspect spyware removal tools and is probably not worth having:
    O4 - HKLM\..\Run: [Spy Watcher] "C:\Programme\Spy Cleaner Gold Trial\SpyWatcher.exe" -S
     
  21. wizz

    wizz Private First Class

    Nope, no change... I uninstalled Spy Cleaner. Should I attach the HijackThis log?
     
  22. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Did you reboot after fixing that line? Yes attach a new HJT log.
     
  23. wizz

    wizz Private First Class

    Yes, I did reboot.
     

    Attached Files:

  24. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    I see you have both PestPatrol and SpySweeper installed. Are you sure you do not have them set to block any changes to your Desktop settings?
     
  25. PhilliePhan

    PhilliePhan Guest

    Hey guys,

    Did you look for C:/WINDOWS/Web/desktop.html? That might be the culprit, if it exists on this machine.

    Just an idea . . . . :)

    PP
     
  26. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Yes! Just about to get to that. I was reading back through the thread and saw that the Desktop stuff was checked but that file was never searched for.
     
  27. wizz

    wizz Private First Class

    Should I uninstall PestPatrol and Spy Sweeper? I only installed them to see if they could remove my problem, but it seems they couldn't. About the desktop.html file... I can't seem to find it. There is this one deskmovr HyperText Template; should I do anything with it?
     
  28. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    What is the full name of that file you found and the path to it? Are you sure you unchecked the option to hide extensions for known file types while running the READ ME? See step # 3 in the READ ME.

    You can uninstall them if nothing else works. They can always be reinstalled later. They are useful programs especially SpySweeper. Are you saying they are both trial versions?
     
  29. wizz

    wizz Private First Class

    Yes, they are trial versions. I found the desktop.html file in C:/WINDOWS. Should I delete it?
     
  30. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Rename it to desktop.hhh

    You may have to be in safe mode to do that. Try normal mode first.
     
  31. wizz

    wizz Private First Class

    It just stays as a .html file. I can't right click to rename it, 'cause as I said before right click doesn't work. I'm trying in safe mode now.
     
  32. wizz

    wizz Private First Class

    Same as in Normal mode
     
  33. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Can you move the file to another folder? Sometimes that works when other processes fail. If that does not work we will try using Pocket Killbox to delete it on reboot.
     
  34. wizz

    wizz Private First Class

    OK, I moved the file. Should I reboot now or after using Pocket Killbox? Can you introduce me to Pocket Killbox too?
     
  35. wizz

    wizz Private First Class

    I thought this was a spyware problem, but it seems it isn't. Do you know who I can talk to that knows how to solve this? I'm still counting on you though ;)
     
  36. wizz

    wizz Private First Class

    Something happened I did not realize. The Danger: spyware wallpaper is gone, but my actual desktop does not appear. I can't change the desktop and I still can't use the right click, so basically I still have the same problem but the Danger: spyware thingy is gone.
     
  37. wizz

    wizz Private First Class

    Is the night over? OK then... I'll see you tomorrow, this thing is driving me crazy.
     
  38. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Patience! There are others that we help here!

    Reboot your system. After reboot see if you can delete that file and how things work.
     
  39. wizz

    wizz Private First Class

    ok file is deleted
     
  40. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay! So what is your status?
     
  41. wizz

    wizz Private First Class

    Same as before... sigh... why aren't there any crying smilies!?!?! lol
     
  42. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Bring up Control Panel and double click Display. Then click the Desktop tab and then the Customize Desktop button. Now in the next window that comes up click the Web tab. Make sure at the bottom that Lock desktop items is unchecked. Then in the Web pages: box delete all items but My Current Home Page and make sure it is unchecked too. Then click OK. Apply. OK.


    What exactly is included in "the same as before"? Desktop problem and mouse click?
     
  43. wizz

    wizz Private First Class

    Yup, already did that and everything looks OK to me. When I go to the Desktop tab, the only thing I can press is the Customize Desktop button; everything else is in grey, as in not permitted to do any changes.
    Desktop problem and right click = "same as before"
     
  44. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    After you select Customize Desktop another Window should come up labeled Desktop Items.
    Does it come up? If so, do you see both the General tab and the Web tab.
     
  45. wizz

    wizz Private First Class

    Yes, I see both.
     
  46. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    When you click the Web tab do you see a check box at the bottom of the window labeled Lock Desktop items? Is it checked? If so, uncheck it.

    In the section of the Window under the title Web pages: what do you see in there and are any items checked?
     
  47. wizz

    wizz Private First Class

    Well, the check box was unchecked, and in the section of the window the only thing there is My Current Home Page, which was unchecked.
     
  48. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You said "everything else is in grey as in not permitted to do any changes". Where were you referring to? Do you mean on this page?
     
  49. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Chas, would this help any, to get the filename and location so it can be deleted?

    HKEY_CURRENT_USER\Control Panel\Desktop

    In the Wallpaper string on the right side, copy the filename and location and paste into Killbox?
     
  50. wizz

    wizz Private First Class

    No, I mean in the window where you select the background and how you want it to appear on your desktop. That's where I'm not permitted to do any changes, except for the Customize Desktop button. Hey... you said something about a Pocket Killbox?
     
