"warning you are in danger" wallpaper

Discussion in 'Malware Help (A Specialist Will Reply)' started by wizz, Mar 20, 2005.

  1. wizz

    wizz Private First Class

    I got some .html files in my C:\WINDOWS folder that were changed on the date my problem started, and some have been changed today... should I remove them? For example: kag.html, tms.html, sea.html, popup.html, oul.html, lip.html, jcq.html, ddp.html, baq.html
    and I have others that are .exe files, for example: ava.exe, bam.exe, bij.exe, bvd.exe, cad.exe, dms.exe, dvm.exe, evr.exe, gje.exe, hll.exe, hrr.exe, ipe.exe, jbn.exe, jfr.exe, jst.exe, m7.exe, msd.exe, mss.exe, nvb.exe, ocf.exe, off.exe, onl.exe, ook.exe, qrc.exe, rql.exe, thin-137-3-x-x.exe, tmq.exe, tsc.exe, uig.exe, vgc.exe, also in the C:\WINDOWS folder...
    all this looks suspicious to me...
     
  2. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Yes, they are not supposed to exist.

    C:\WINDOWS should only contain these few .exe files. There may be a few more depending on what software you have installed, but you get the idea of what should be there and what shouldn't.

    explorer.exe
    hh.exe
    IsUninst.exe
    notepad.exe
    regedit.exe
    setdebug.exe
    slrundll.exe
    TASKMAN.EXE
    twunk_16.exe
    twunk_32.exe
    winhelp.exe
    winhlp32.exe


    The files you mentioned, all 3 characters long, sound like a certain trojan. Let me get you some information, hang on!
     
  3. wizz

    wizz Private First Class

    should I delete the .html files too? what about thin-137-3-x-x.exe, any idea what that could be?
     
  4. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Yes, delete them, and about the file, no idea; all I know is that it doesn't look safe. I would delete it as well.
     
  5. wizz

    wizz Private First Class

    I was looking for other files that were created on the date the problem started and today, and I found ACFIGOHQ (I don't know the extension), BPMNT.dll, LPT$VPN.514 (this one looks very suspicious), PATCH.exe, system (same extension as ACFIGOHQ), TMUPDATE.DLL, VPTNFILE.514, vsapi32.dll
    popup.html and desktop.html keep coming back
     
  6. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    LPT$VPN.514 ←–– Part of TrendMicro's Pattern File
    BPMNT.dll ←–– Part of TrendMicro's Scan Engine
    ACFIGOHQ ←–– What file extension is this one?
    PATCH.exe ←–– Part of Trend Micro AutoUpdater
    TMUPDATE.DLL ←–– Part of Trend Micro AutoUpdater
    vsapi32.dll ←–– Part of TrendMicro's Scan Engine
     
  7. wizz

    wizz Private First Class

    I don't know how to translate the extension. A picture showing the file is attached... it's the best thing I can do
    by the way... the keys that I should remove... remember... active desktop... they keep coming back
     


  8. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    What folder is that file in?
     
  9. wizz

    wizz Private First Class

    C:\WINDOWS
    I can keep telling you about other files I suspect that exist in other folders... I just want to try and help
     
  10. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Okay! You can delete that file.

    Since you have so many "suspicious" files, I want you to do something to clean them up. Please follow my instructions below.

    Download Kaspersky Anti-Virus Personal 5.0.

    Note: This version is a 30 day trial.

    You must disable any AntiVirus programs you have installed

    Now install KAV 5.0

    When Installing, do the following as you come to them:

    Uncheck the Operate According to Recommended Settings Box

    Uncheck the Use Real-time Protection against Network Attacks Box

    Uncheck the Use The iStreams Technology Box

    Now, allow KAV 5.0 to download and install Updates. Then, look under Settings > Configure Updater and select Extended Database > OK > Check for Updates and allow those to install.

    Then, Click Settings > Configure On-Demand Scan Settings and Set Scan Level to Maximum > Perform Recommended Action > OK

    NOW, Close ALL Programs (including KAV 5.0) and Browsers!

    Physically Disconnect from the Internet - Pull the Cable!!

    Boot into SAFE MODE

    Now : Start a FULL SYSTEM SCAN. Click the Protection Tab and select Scan My Computer .


    This process may take HOURS . . . . LET IT RUN!

    After this is complete, post the results.

    Good Luck!
     
  11. wizz

    wizz Private First Class

    ok... so I'll see you in a couple of hours then
     
  12. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Will be awaiting your results, Good Luck my friend!:)
     
  13. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    The three character trojan problem is related to the desktop.html problems. When these trojans occur you can find them in both C:\windows and c:\windows\system32 (maybe even c:\windows\system too). This is known as TROJ_SPYWAD.A. See the below:
    http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=TROJ%5FSPYWAD%2EA&VSect=Sn

    You must find all of the three character files (sort your folders by date) and remove them. And also remove the desktop.html file. You may want to do this while physically unplugged from the internet and while booted in safe mode.
     
    Last edited: Mar 27, 2005
  14. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

  15. wizz

    wizz Private First Class

    ok! it found 147 viruses.... WOW!!! The scanning took hours to finish but it's ok, I let it scan overnight. Today it was able to download new updates so I want to scan the computer again, but I'll do it after a few questions I still have. While navigating through the keys I found things like FunWebProducts, FruityLoops, etc., things I have already uninstalled and erased; I found some Ares Lite Edition I think I never installed... can I erase all these keys? I also found HKEY_CURRENT_USER/Software/Microsoft/Osk, where I found
    Setting = 04 00 00 00 01 00 00 00 00 00 00 00 c0 c0 c0 00 ff 80 c0 00 00 ff 40 00 80... etc
    Stepping = 0x00000003 (3)
    what should I do with them?
    I can right click and change the wallpaper; we are still with the last problem: how can I move my C:/Documents and Setting/User name/desktop items?
     
  16. wizz

    wizz Private First Class

    interesting... I found a key... HKEY_CURRENT_USER/Software/Microsoft/Windows/CurrentVersion/Explorer/HideDesktopIcons
    HKEY_CURRENT_USER/Software/Microsoft/Windows/CurrentVersion/Explorer/HideMyComputerIcons
    any suggestions?
     
  17. wizz

    wizz Private First Class

    C:\WINDOWS\system32\ias has two files, ias and dnary; they are used by Microsoft Access
    what about C:\WINDOWS\system32 iiserver.exe?
    what about the explorer.exe process?
    and I have another process which says it's using 99%; I'm not sure about the exact translation but it's like EMPTYBIN PROCESS User name SYSTEM CPU% = 99
     
  18. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    HideDesktopIcons ←–– Delete this!

    HideMyComputerIcons ←–– Delete this!

    C:\WINDOWS\System32\iiserver.exe ←–– Delete this!

    After you delete these, reboot! Do another scan with the AV if you like. Sounds like you had/have a TON of infections.

    Let me know!
     
  19. sklin_04

    sklin_04 Private E-2

    Hi bjgarrick,

    Can you please help me with my problem? I really appreciate it.
     
  20. wizz

    wizz Private First Class

    I was wrong... it's not iiserver but iisver.exe... sometimes a letter makes the difference... just to be sure, and it was created in February... so...
     
  21. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Yes, go ahead and remove that as well. Also, did you do another scan with Kaspersky AV using the updated defs?
     
  22. wizz

    wizz Private First Class

    no, I couldn't; I had to work on my homework and a presentation. I was too busy all week with my computer, I wasn't able to do them... I'll tell you tomorrow how things are going... now I need to keep working
    Thanks again for all the help and all the time, karma rules
     
  23. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Okay! Will be awaiting results:)
     
  24. wizz

    wizz Private First Class

    ok, let's see.... my computer is fine now except for the hidden files... erasing the keys did not do the work... I found some other keys though
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\ControlPanelInMyComputer
    with the name and value
    RegPath = Software\Microsoft\Windows\CurrentVersion\Explorer\HideMyComputerIcons

    and
    HKEY_LOCAL_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced
    with the keys or folders... not sure what the name is, but they are in the left panel
    HideIcons
    Hidden
    SuperHidden

    I still want to know if explorer.exe should be removed

    AV did not find new threats!!!
     
  25. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Those keys are ok. Navigate to the below key:

    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons

    Does anything exist other than the (default) string?
     
  26. wizz

    wizz Private First Class

    I thought you told me to delete the key!!
     
  27. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Negative! The keys you mentioned in post 174 are normal.
     
  28. wizz

    wizz Private First Class

    This key was not mentioned on #174, but in #168

    So HideDesktopIcons folder was deleted...
    I looked for this key on other computers and it was not found... I suppose it isn't that important
     
  29. wizz

    wizz Private First Class

    I still want to know if explorer.exe should be deleted
     
  30. wizz

    wizz Private First Class

    This guy has the exact problem i have, maybe his explanation will help you understand what the problem is.
     
  31. psychogenic

    psychogenic Private E-2

    Yes, basically there is a rogue desktop that has taken over while the original desktop remains hidden. For whatever reason, Windows looks to c:/desktop as the source for the desktop that you see instead of the usual c:/documents and settings/...

    have you had any more luck with recovering, wizz?
     
  32. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Post #174, those keys are safe, I think we're getting confused. :p

    Where is explorer.exe located? Are you referring to the file or registry entry?

    The file C:\WINDOWS\explorer.exe is a legitimate file. DO NOT DELETE THIS FILE!
     
  33. wizz

    wizz Private First Class

    on HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
    and
    HKEY_CURRENT_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
    there is a name and value
    Desktop = c:\desktop
    I tried to change it to Documents and Settings\desktop but after reboot the value changed back...
    I'm running out of ideas...
     
  34. wizz

    wizz Private First Class

    on both,
    the registry entry is HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Applications\explorer.exe
    I asked because iexplore.exe also exists:
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Applications\iexplorer.exe

    HKEY_CLASSES_ROOT\Applications\explorer.exe also exists

    in my task manager I have explore.exe and iexplore.exe...
     
  35. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Before making these changes, close ANY programs like SpyBot S&D TeaTimer, Ad-Aware, etc.

    These will block changes from being made, so close any unnecessary programs!

    The Desktop string should be set at:
    C:\Documents and Settings\YOUR USERNAME\Desktop

    The CommonDesktop string should be set at:
    C:\Documents and Settings\All Users\Desktop
     
  36. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    These are safe do not delete them!
     
  37. wizz

    wizz Private First Class

    I forgot to mention
    HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
    this should be changed to all users or "user name"
     
  38. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    The desktop string in the key you mentioned above should be blank!

    To confirm!

    The below key, on the right side a string called "Desktop". The value data should be blank!

    HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
     
  39. wizz

    wizz Private First Class

    you mean with no value, or %USERPROFILE%?
    just to be sure, because all the other values in this folder are like this
     
  40. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Okay! Ignore all of this as this has nothing to do with the problem.

    Have your desktop icons not shown back up yet? Are you still able to change wallpaper and other settings?
     
  41. wizz

    wizz Private First Class

    there are like a million of these desktop values...
    HKEY_USERS\S-1-5-21-54745924-225268896-2130403006-1894\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
    name = value
    custom desktop = c:\desktop
    desktop = c:\desktop
    I'm sure there will be a lot of others... should I just change them when found?
     
  42. wizz

    wizz Private First Class

    no, desktop icons have not shown up yet, and new icons created on the desktop are duplicated... post #180
    all other problems are solved!!
     
  43. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Just a little hint: I would be careful in the registry, as it can cause serious problems that could lead to Windows not loading. So be careful!

    All of those are set based upon your settings, user accounts, etc.

    Leave them as is unless told otherwise. I'm looking for something, hang in there a minute.
     
  44. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop
    Do you have this key? If so, are there any values?

    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
    Do you have any other values than NoDriveTypeAutoRun in this key?
     
  45. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Just to be sure! Try this again.

    Right-click the desktop, Arrange Icons By, Show Desktop Icons.
     
  46. wizz

    wizz Private First Class

    No values on ActiveDesktop besides Default

    for policies\explorer
    ClassicShell
    ForceActiveDesktopOn
    NoActiveDesktop
    NoDriveTypeAutoRun
     
  47. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    I believe this is your problem. Do the below, reboot and see if problem remains.

    In the below key, you should only have the string NoDriveTypeAutoRun with a value data of 91. If anything else remains, right click and delete it.

    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer

    Edit by chaslang: that value is 145 decimal or 0x91 in hexadecimal
     
    Last edited by a moderator: Mar 30, 2005
  48. wizz

    wizz Private First Class

    again, to be sure... I did not understand much of what Chas wrote, but the value is: 91 00 00 00
     
  49. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    The string NoDriveTypeAutoRun, the values are:

    Value Data 91 Hexadecimal

    Value Data 145 Decimal
     
  50. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Actually it is 00 00 00 91 in the hex value field!

    91000000 hex = 2432696320 in decimal
     
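As an added check, not code from the thread or from any of its posters, the indicators discussed above (the three-character droppers in C:\WINDOWS from posts 2 and 13, the Policies\Explorer key that should hold only NoDriveTypeAutoRun = 0x91 from post 47, and the Shell Folders Desktop string from posts 33 and 35) as Python functions over constructed snapshots; the known-good .exe list is bjgarrick's, the profile path format is assumed to be the Windows XP one the thread uses, and the REG_DWORD decoder reads the raw 91 00 00 00 bytes as the little-endian integer Windows stores them as.

```python
import re
import struct

# Added example, not the thread's own code. It runs over constructed
# snapshots; on a live machine feed it os.listdir and winreg reads instead.

# The normal .exe population of C:\WINDOWS as listed by bjgarrick (post 2).
KNOWN_WINDOWS_EXES = {
    "explorer.exe", "hh.exe", "isuninst.exe", "notepad.exe", "regedit.exe",
    "setdebug.exe", "slrundll.exe", "taskman.exe", "twunk_16.exe",
    "twunk_32.exe", "winhelp.exe", "winhlp32.exe",
}
# Three-letter .exe/.html names: the dropped-file pattern named in the thread.
THREE_CHAR = re.compile(r"^[a-z]{3}\.(exe|html)$")

def suspicious_windows_files(names):
    """Flag three-character droppers, desktop.html, and any other .exe
    that is not on the known-good list."""
    hits = set()
    for name in names:
        low = name.lower()
        if THREE_CHAR.match(low) or low == "desktop.html":
            hits.add(name)
        elif low.endswith(".exe") and low not in KNOWN_WINDOWS_EXES:
            hits.add(name)
    return sorted(hits)

def reg_dword_from_bytes(raw):
    """REG_DWORD is stored little-endian, so the bytes 91 00 00 00 that
    regedit shows decode to 0x91 (145), not 0x91000000."""
    return struct.unpack("<I", raw)[0]

def audit_policies_explorer(values):
    """values maps Policies\\Explorer value names to integers. Only
    NoDriveTypeAutoRun = 0x91 is expected; anything else is reported."""
    findings = []
    for name, data in values.items():
        if name != "NoDriveTypeAutoRun":
            findings.append("unexpected policy value %s=%d" % (name, data))
        elif data != 0x91:
            findings.append("NoDriveTypeAutoRun is %#x, expected 0x91" % data)
    return findings

def audit_shell_folders(desktop_value, username):
    """Return the expected Desktop path when the Shell Folders string points
    elsewhere (e.g. C:\\desktop as in this thread), or None if it is right."""
    expected = "C:\\Documents and Settings\\" + username + "\\Desktop"
    return None if desktop_value.lower() == expected.lower() else expected
```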