"warning you are in danger" wallpaper

Discussion in 'Malware Help (A Specialist Will Reply)' started by wizz, Mar 20, 2005.

  1. wizz

    wizz Private First Class

    bjgarrick, can you explain in more detail what should be done?
     
  2. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

  3. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    I'm not sure deleting the wallpaper file will do anything. We need to find out why the options are locked.

    Are you logged in as the Administrator?
     
  4. wizz

    wizz Private First Class

    I'm not logged in as administrator, but these options should be open for any changes from this user, since it was like that before this problem.
     
  5. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Not if a piece of malware changed a setting!

    It would not hurt to take a look at those links BJ gave too. Look for some of the other files mentioned.
     
  7. wizz

    wizz Private First Class

    If I was using administrator, how could I change those settings? And about the links, it looks like it's the same problem I have, but it's hard for me to understand most of it. Something I forgot to say was that in the online scans that one had to do in the READ ME FIRST, one told me that I needed an anti-virus program. Is this a virus problem or malware?
     
  8. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    This is a malware problem.

    Delete the following files if they exist:

    C:\WINDOWS\System32\spoolsrv32.exe

    C:\WINDOWS\System32\srpcsrv32.dll

    C:\WINDOWS\System32\txfdb32.dll

    C:\WINDOWS\Web\desktop.html

    Now, Click Start > Run > type in regedit and navigate to the following keys:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce


    In the right pane, delete the value:
    (Look for the below entry in both keys)

    "Srv32 spool service" = "%Windir%\System32\spoolsrv32.exe"
     
  9. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You definitely need an AV and you need a firewall. All that is covered here: How to Protect yourself from malware!

    Try booting in safe mode! And then see if you can change the background settings.
     
  10. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    I believe they would have showed in the HijackThis log if they were there but you could check anyway.
     
  11. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    You're right, but I wanted to include everything since the user was somewhat confused. :p

     
  12. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    No problem! We also got the desktop.html file awhile ago. But who knows if something has not come back. In fact it may be worth looking at another HJT log just in case.

    Also, run scans for each user account. And try what I said to change the background after booting in safe mode.

    For your mouse problem, first see if you can locate another mouse to try.

    I have to get some sleep now.

    Good night!
     
  13. wizz

    wizz Private First Class

    OK, I lost internet service for a few minutes so I missed a few posts. The "Srv32 spool service" = "%Windir%\System32\spoolsrv32.exe" value did not appear. 2nd. I AM confused... lol. I'll try running scans and try changing the background. About the right click problem, it can't be the mouse, because I told you I could use it in the Explorer windows but not the rest of them, and I'm using a laptop so I can also use the touch pad mouse and it still does not work.
    I need to get some sleep too.
    Thanks for all the help.
    By the way... my computer is taking a little longer to start... hope that goes away once we solve the problem.
     
  14. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    When you get a chance post a current HJT log. Did you see any of the files I mentioned?
     
  15. wizz

    wizz Private First Class

    which files?
     

    Attached Files:

  16. wizz

    wizz Private First Class

    The danger:spyware ad is back.....
     
  17. wizz

    wizz Private First Class

    I found a desktop file in the system32 folder; it is not .html though. Should I remove it?
     
  18. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    What file extension is it?
     
  19. wizz

    wizz Private First Class

    I'm not sure... my computer is in German and I'm not sure how to translate it, something with settings and configuration; if by any chance you know German, it's Konfigurationseinstellungen. It's a SmartSecurity problem if it helps... Now I'm doing something I found in another forum:

    "I found that it installed 4 .exe files (I have win2k, so windows dir is winnt, yours may be just windows).

    winnt\seksdialer.exe
    winnt\desktop.exe
    winnt\system.exe
    winnt\downloaded program files\load.exe

    It also seemed to install winnt\system32\system32.dll, at least it had a create date as the time this f***er took over. (I was trying to help someone else debug over the phone, went to the website & it's been downhill ever since.) I checked 2 other Win2k systems and they didn't have this file, so I moved it to a floppy. Still not sure if I need it, though windows seems to run without, just without sound at the moment.

    I then ran through the registry and replaced or deleted:
    secure.html (on another infected pc, it was an ip, so whatever your home page is getting set to - look for that)
    load.exe (this is installed into IE, like the google or yahoo toolbars, so every time you start up IE, it loads itself again) I deleted the branch that held this file.

    I didn't find the other .exe's in the registry.

    Then I went to control panel -> internet options and changed the home page and deleted all files.

    Then to the cookies location (varies per platform) and deleted them all.

    Then I ran through Windows Updates (choose from Tools menu in IE) until there were no more CRITICAL updates. I chose to skip the rest.

    Then I made sure I had the latest virus defs & scanned (nothing found).

    Then I went to webroot.com & installed the trial version of Spy Sweeper & ran that.

    For the most part, it seems ok, but now my sound is hosed, and the pc seems much slower.

    I saw a mstask.exe as "Guest" mentioned, but I don't seem to have access to get rid of that. So off to find out where that's hiding."

    Hope it works...
    I also did a search for smart security and I found "TheTechGuide forum > smartsecurity.html", which I think I should remove.

    Please tell me what you think before I continue.
     
  20. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Delete all 4 of the files you listed. It wouldn't hurt to get a GDL from your machine. Follow me below:

    Download Generic Detection Tool - NT/2000/XP


    Unzip the Generic Detection Tool to a safe folder of your choice and run "find.bat" - Allow it as much time as it needs to run. You may get an error message of "File Not Found," but just let it go.

    The tool should generate a long text file. Attach this log as an attachment to your post.
     
  21. wizz

    wizz Private First Class

    Should I close all browsers and programs?
     
  22. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Close anything that's not required.
     
  23. wizz

    wizz Private First Class

    It says the system cannot find the path.
     
  24. wizz

    wizz Private First Class

    But I'm just gonna let it go as you told me.
     
  25. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Yeah, just let it run, it will then spit out a log. It may take a few minutes but it will.

    Hang in there :)
     
  26. wizz

    wizz Private First Class

    Same message, "the system cannot find the path". There's a popup.html file in Windows... I think I have to remove it too, right? I'd better ask...
     
  27. wizz

    wizz Private First Class

    Finally, the log came. Here it is... wait... I can't attach files... gonna keep trying.
     
  28. wizz

    wizz Private First Class

    OK, now.
     

    Attached Files:

  29. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Download Pocket KillBox

    Now, Copy and Paste C:\WINDOWS\SYSTEM32\8955FC87B4.sys into the box – If it exists, it will show up in Blue. Check the option to Delete on Reboot and Click the Red X and Yes to the confirmation message. A message will ask if you want to reboot now – Click YES .

    When Windows loads, proceed to the following:

    1) Download TrojanHunter

    2) Install TrojanHunter, At the end of the install setup will prompt you to update definitions. Please do so!

    3) Once installed and updated, select drive C:\ and do a Full Scan. Remove all found infections.

    After this Reboot and let me know how things are doing.
     
  30. wizz

    wizz Private First Class

    Well, now I know my computer is really clean. I just was unable to clean the trojan file C:\Programme\Yahoo!\YPSR\Quarantine\20040812204806851.zip/ATPartners.dll because it is contained in an archive. I don't see a major change though. I still can't change the desktop...
     
  31. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    What were the results from TrojanHunter? Also, delete everything in this folder and it will remove this.

    C:\Programme\Yahoo!\YPSR\Quarantine
     
  32. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    wizz,

    Boot into Safe Mode and see if any of the files below exist; if so, delete them and post back what you found and deleted. Also, does the wallpaper show in Safe Mode?

    C:\WINDOWS\System\secure32.txt
    C:\WINDOWS\System32\secure32.txt
    C:\WINDOWS\system.exe
    C:\WINDOWS\System32\system32.dll
    C:\WINDOWS\desktop.exe
    C:\WINDOWS\toolbar.exe
    C:\WINDOWS\mstasks1.exe
    C:\WINDOWS\mstasks2.exe
    C:\WINDOWS\test
    C:\WINDOWS\seksdialer.exe
    C:\WINDOWS\System32\wintime.exe
    C:\WINDOWS\System32\dkdial.exe
    C:\WINDOWS\System32\dial32.exe
    C:\WINDOWS\Web\i_xx.gif (Where xx is a number between 01 and 20.)
    C:\WINDOWS\Web\desktop.html


    Also while in Safe Mode do the following:

    Reset Web Settings & Default Security Settings:


    To Reset Web Settings:
    Right click on your desktop Internet Explorer icon and select Properties. Then click the Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK.

    If you do not have an Internet Explorer icon on your Desktop, click Start, Control Panel (for some systems it may be Start, Settings, Control Panel), Internet Options, Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK


    To Default Security Settings:
    Right click on your desktop Internet Explorer icon and select Properties. Then click the Security Tab and click Default Level for Internet, Local Intranet, Trusted Sites, and Restricted Sites.
     
  33. wizz

    wizz Private First Class

    It deleted 8 possible trojans.
     
  34. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    And the results from Post #82 ?
     
  35. wizz

    wizz Private First Class

    mstask2.exe and test were found and deleted; everything else was done as administrator during safe mode... The problem is that when I rebooted I found that the security settings were not at default, so I changed them. Everything else I changed stayed like that.
     
  36. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Make a backup of your registry before modifying it to be safe!
    How to make a backup of the Windows registry


    Now, Click Start, and then click Run.

    Type regedit

    Then click OK.

    Navigate to the following key and delete it:

    HKEY_CLASSES_ROOT\CLSID\{0A323FA1-38DE-44EC-B2FA-4002183C143E}


    Navigate to the key:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    In the right pane, delete the value:

    "Wintime"="Wintime.exe"


    Navigate to the key:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion
    In the right pane, delete the value:

    "ShellServiceObjectDelayLoadSystem"="{0A323FA1-38DE-44EC-B2FA-4002183C143E}"


    Let me know how this goes; after you're done with this, reboot and see if the problem remains.
     
  37. wizz

    wizz Private First Class

    Hmm... I can't do a backup, because the computer says that it could not find ntbackup.exe. I'm 100% sure I did not delete it. Should I continue without a backup, or how can I do a backup without using that program?
     
  38. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    You'll be OK if you remove EXACTLY what's mentioned. However, if it's one character different, ask me about it before you modify it.

    Some of these may or may not exist, just look and see what you find.
     
  39. wizz

    wizz Private First Class

    Just to be sure... I have to delete the folder, right? And when I navigate to the other keys I just have to delete the value and not the folders, right?
     
  40. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    No, you are deleting registry keys/values. If the EXACT key/value exists, delete that and nothing else.
     
  41. wizz

    wizz Private First Class

    Sorry, none was found... do these values HAVE to exist? By the way, I found in the CurrentVersion folder "WallPaperDir" with the value %SystemRoot%\Web\Wallpaper, just to see if it has anything to do with it....
     
  42. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    No, they do not have to exist; it's just possible, as you have something nasty. Are you still having the background problem?
     
  43. wizz

    wizz Private First Class

    I just can't change the background; the ad is gone but the desktop is all black. I could just move my desktop items to my new desktop, but the right click problem is still there...
     
  44. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Okay!:)

    Right Click on the desktop or go into Control Panel and click on Display. Go to the Desktop tab. What happens when you select a wallpaper and click apply, Ok??
     
  45. wizz

    wizz Private First Class

    I can't right click nor select a wallpaper.
     
  46. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Is it greyed out or none in the list?
     
  47. wizz

    wizz Private First Class

    Greyed out... what I think is "desktop.html" can still be seen in the list... I'm sure it is deleted.
     
  48. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Okay! Do this for me please, go to the Desktop tab in Display Properties and create a snapshot so I can see exactly what it looks like.

    Do this by pressing the key Print Screen|SysRq and opening MS Paint and pressing Control + V pasting the image there. Save it as a .jpg

    After doing this attach it to your next post.
     
  49. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Also, I want you to give me some information.

    Navigate to the following key:

    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System

    On the right side, if anything exists in this area, take a snapshot and show me what exists. Do the same as before.
     
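A read-only audit of the file paths and registry values bjgarrick lists in posts #8, #32, #36 and #49, as an added PowerShell example (not something posted in the thread): it reports what exists and deletes nothing, so it can be run before and after the manual cleanup to confirm what is still there. It assumes the paths exactly as written in those posts, with %SystemRoot% as the Windows folder, and an elevated prompt so HKLM is readable.

```powershell
# Added example, not from the thread: report-only check of the indicators named in
# posts #8, #32, #36 and #49. Nothing is modified; review the output, then remove
# by hand exactly as the posts describe.
$root = $env:SystemRoot   # C:\WINDOWS on the machine in the thread

# Files named in posts #8 and #32 (i_xx.gif expanded for xx = 01..20).
$files = @(
    "$root\System32\spoolsrv32.exe", "$root\System32\srpcsrv32.dll",
    "$root\System32\txfdb32.dll",    "$root\Web\desktop.html",
    "$root\System\secure32.txt",     "$root\System32\secure32.txt",
    "$root\system.exe",              "$root\System32\system32.dll",
    "$root\desktop.exe",             "$root\toolbar.exe",
    "$root\mstasks1.exe",            "$root\mstasks2.exe",
    "$root\test",                    "$root\seksdialer.exe",
    "$root\System32\wintime.exe",    "$root\System32\dkdial.exe",
    "$root\System32\dial32.exe"
) + (1..20 | ForEach-Object { "{0}\Web\i_{1:D2}.gif" -f $root, $_ })

# Registry values named in posts #8 and #36: key path plus value name.
$values = @(
    @{ Key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'; Name = 'Srv32 spool service' },
    @{ Key = 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'; Name = 'Srv32 spool service' },
    @{ Key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run';     Name = 'Wintime' },
    @{ Key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion';         Name = 'ShellServiceObjectDelayLoadSystem' }
)
$clsid = 'Registry::HKEY_CLASSES_ROOT\CLSID\{0A323FA1-38DE-44EC-B2FA-4002183C143E}'

foreach ($f in $files) {
    if (Test-Path -LiteralPath $f) { "FILE PRESENT : $f" }
}
foreach ($v in $values) {
    # Returns $null if either the key or the named value is missing.
    $item = Get-ItemProperty -Path $v.Key -Name $v.Name -ErrorAction SilentlyContinue
    if ($item) { "VALUE PRESENT: $($v.Key)\$($v.Name) = $($item.($v.Name))" }
}
if (Test-Path -LiteralPath $clsid) { "KEY PRESENT  : $clsid" }

# Post #49: list whatever is set under the per-user Policies\System key,
# which is what bjgarrick asked wizz to screenshot.
$pol = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'
if (Test-Path -LiteralPath $pol) {
    "POLICY VALUES under $pol"
    Get-ItemProperty -Path $pol | Select-Object * -ExcludeProperty PS* | Format-List
} else { "No values under $pol" }
```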
  50. wizz

    wizz Private First Class

    Sorry I took so long... lost internet connection again...
    I think we are getting somewhere...
     
