I can't change my desktop wallpaper


hey

My computer was recently infected by SpySheriff; however, I followed some removal instructions and I think I managed to get rid of some of it.

First I did a full anti-virus system scan using Symantec AntiVirus and then I used Ad-Aware SE Personal, Spybot S&D and Ewido anti-malware. After I thought I got rid of it, there was a red circle with a white x in it that kept appearing in my taskbar beside the clock and a message above it saying "your computer is infect!....please download the latest anti-spyware....". Also my desktop background has been changed. It is now all blue with a black box in the middle and red text saying "Spyware Infection" and under this red writing there's more writing in white text that says "Your system is infected with spyware. Windows recomends you to use spyware removal tools..."

I restarted my computer in safe mode and ran all the programs again and deleted any infections.

I restarted my computer in normal mode and the red circle with the white x and "your computer is infect!" message above it have now gone. However, the "Spyware Infection" desktop background is still there and when I try to change it under the Desktop tab in Display Properties, the wallpaper section is disabled. I can't scroll down or select any wallpaper.

Also, when I try to open a webpage it's taking a lot longer than usual, so I think I still have some sort of spyware/adware or something on it. :cry:

I also have HijackThis, in which I saved a logfile, but I don't know what to do with it. =/

I very much appreciate any help or advice on this problem.

thanks

please help

  • 0

I had the same problem... found this googling (http://www.opentechsupport.net/forums/showthread.php?t=37820&page=2)

might help..

"Hi again, I fixed the background tiles thingy.. I went to the registry (regedit) and HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer and deleted all except "Default" and "NoDriveTypeAutoRun" and rebooted and it worked... I'm not very skilled with the registry but I don't think u have to have other directories than Explorer (I don't) in the HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\

hope you make it. and also I installed this really good program called XoftSpy 4.16 that removed a lot. anyways..."

  • 0

I deleted the things in regedit and restarted my comp but no change... I'm still having the problem.

Here's the log from HijackThis: please help me out someone

Logfile of HijackThis v1.99.1

Scan saved at 1:26:01 PM, on 28/12/2005

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe

C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Symantec AntiVirus\DefWatch.exe

C:\Program Files\ewido anti-malware\ewidoctrl.exe

C:\Program Files\ewido anti-malware\ewidoguard.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Symantec AntiVirus\Rtvscan.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Common Files\Symantec Shared\ccApp.exe

C:\PROGRA~1\SYMANT~1\VPTray.exe

C:\Program Files\HP\HP Software Update\HPWuSchd2.exe

C:\Program Files\HP\hpcoretech\hpcmpmgr.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\Program Files\QuickTime\qttask.exe

C:\Program Files\Winamp\winampa.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\Program Files\VIAudioi\SBADeck\ADeck.exe

C:\Program Files\Messenger\msmsgs.exe

C:\Program Files\E-Color\Common\IconMgr.exe

C:\Program Files\E-Color\Colorific\hgcctl95.exe

C:\Program Files\E-Color\E-Color Indicator\TICIcon.exe

C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe

C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe

C:\Program Files\Internet Explorer\iexplore.exe

D:\My Documents\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bigpond.com/

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local.,

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll

O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe

O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"

O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"

O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe

O4 - HKLM\..\Run: [WildTangent CDA] "C:\Program Files\WildTangent\Apps\CDA\GameDrvr.exe" /startup "C:\Program Files\WildTangent\Apps\CDA\cdaEngine0500.dll"

O4 - HKLM\..\Run: [AudioDeck] C:\Program Files\VIAudioi\SBADeck\ADeck.exe 1

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - Global Startup: E-Color.lnk = C:\Program Files\E-Color\Common\IconMgr.exe

O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe

O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll

O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll

O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab

O17 - HKLM\System\CCS\Services\Tcpip\..\{451875C3-5A78-42C7-BA32-1C3C6528D017}: Domain = nsw.bigpond.net.au

O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)

O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll

O23 - Service: Bonjour Service - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe

O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe

O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe

O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe

O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe

O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe

O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe

O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe

  • 0

Man, I recently came into that problem, but I can't remember the name of the program I used to fix it. It's something in the reg, that's all I know right now. Sry, maybe I'll be able to find it, I'll look for it right now.

Okay, I don't know how much u know about computers, but I found the program that will solve ur problem, it's http://www.softheap.com/how-to/dont_allow_to.html

It will work, u have to play around with the settings, like, disable to change wallpaper, and then restart, then enable it again, and restart again. Hope it helps u, it helped me a lot with someone's computer which had been infected with some crazy spyware. BE CAREFUL THO. When playing with the reg, u must make sure to back up any important files in case anything goes wrong. Good luck

This is my 3rd edit, just wanted to say, it's a trial, but totally worked for me. (bookmarked it this time)

Edited by s0nic69
  • 0

Thank you guys, and once again sry about the repost slimy.... I'll try anything and everything and I'm pretty good with computers so I'll be able to understand a fair bit of the instructions you give me. I'm gonna download that thing now and let you know what happened.

  • 0

Thank you guys, and once again sry about the repost slimy.... I'll try anything and everything and I'm pretty good with computers so I'll be able to understand a fair bit of the instructions you give me. I'm gonna download that thing now and let you know what happened.

yeah let us know

  • 0

Ok, I did everything you guys advised, I even deleted a few things from my registry

"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer and deleted all except "Default" and "NoDriveTypeAutoRun" and rebooted and it worked... I'm not very skilled with the registry but I don't think u have to have other directories than Explorer (I don't) in the HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\ "

Once again I rebooted in safe mode and did the scans, found a few cookies that were spyware and got rid of them.

I restarted in normal mode and the problem is still there. I can't change my desktop background, and the wallpaper list under the Desktop tab in Display Properties is still not allowing me to scroll or click on any wallpapers.

I don't know what else to do.

Here's a fresh HijackThis log:

Logfile of HijackThis v1.99.1

Scan saved at 9:09:16 PM, on 28/12/2005

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe

C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Symantec AntiVirus\DefWatch.exe

C:\Program Files\ewido anti-malware\ewidoctrl.exe

C:\Program Files\ewido anti-malware\ewidoguard.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe

C:\Program Files\Symantec AntiVirus\Rtvscan.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Common Files\Symantec Shared\ccApp.exe

C:\PROGRA~1\SYMANT~1\VPTray.exe

C:\Program Files\HP\HP Software Update\HPWuSchd2.exe

C:\Program Files\HP\hpcoretech\hpcmpmgr.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\Program Files\QuickTime\qttask.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\Program Files\Winamp\winampa.exe

C:\Program Files\VIAudioi\SBADeck\ADeck.exe

C:\Program Files\1st Security Agent\newadmin.exe

C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

C:\Program Files\Messenger\msmsgs.exe

C:\Program Files\E-Color\Common\IconMgr.exe

C:\Program Files\E-Color\Colorific\hgcctl95.exe

C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe

C:\Program Files\E-Color\E-Color Indicator\TICIcon.exe

C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe

C:\Program Files\Internet Explorer\iexplore.exe

D:\My Documents\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bigpond.com/

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local.,

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll

O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe

O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"

O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"

O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe

O4 - HKLM\..\Run: [WildTangent CDA] "C:\Program Files\WildTangent\Apps\CDA\GameDrvr.exe" /startup "C:\Program Files\WildTangent\Apps\CDA\cdaEngine0500.dll"

O4 - HKLM\..\Run: [AudioDeck] C:\Program Files\VIAudioi\SBADeck\ADeck.exe 1

O4 - HKLM\..\Run: [00saskda] "C:\Program Files\1st Security Agent\newadmin.exe" saskda

O4 - HKLM\..\Run: [spySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - Global Startup: E-Color.lnk = C:\Program Files\E-Color\Common\IconMgr.exe

O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe

O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll

O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll

O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab

O17 - HKLM\System\CCS\Services\Tcpip\..\{451875C3-5A78-42C7-BA32-1C3C6528D017}: Domain = nsw.bigpond.net.au

O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)

O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll

O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll

O23 - Service: Bonjour Service - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe

O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe

O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe

O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe

O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe

O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe

O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe

O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe

O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe

O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe

  • 0

Hi,

Go to Run and type gpedit.msc

You get a window. Find 'Administrative Templates' under User Configuration. Expand that and then find 'Display' and click on that. In the right pane you should see 'Prevent Changing Wallpaper'. Set that value to Not Configured. Then reboot or type gpupdate /force in a command prompt.

Cheers

Rich

  • 0

I have the exact same problem. I'm confident I've removed every trace of virus/spyware on my computer, and I also managed to get rid of the box in the middle of the screen, but it's now just plain navy blue and my only existing problem is that I can't change it back to normal. I got rid of most of the crap by booting into safe mode and then deleting the exes it had installed. This might be a bit risky if you don't know what you're doing, but look around C:, C:\Windows, and C:\Windows\System32 and also Program Files. I right-clicked and sorted the icons by "Modified" and it showed the newest created/modified files. DO NOT just delete anything though; search on Google and you should be able to find out what it is, and if not, it's probably part of the virus/spyware, but still be cautious.

Anyway, if anyone knows how to fix the desktop it would be greatly appreciated.

  • 0

I also had this problem 2 days ago. To remove it just do this:

Use Microsoft Antispyware/Defender to get rid of all spyware first!

Use a virus scanner to delete the Trojans/viruses (if present); use Sophos 5 (great app).

Go to regedit, search for "desktop.htm(l)" and change it to normal, and play with regedit to enable wallpapers.

That's worked for me!

  • 0

SpySheriff is malware. It's pretty bad, e.g. if you try to use System Restore you will find that SpySheriff erased your restore points, and it does lots more damage, like changing your whole desktop settings etc.

Instead follow these steps:

Open Task Manager by pressing Ctrl-Alt-Del, and click on the "Processes" tab. Look for SpySheriff there and kill the process if you see it. If you see a process named "winstall" (winstall.exe) then delete this one also.

In the Control Panel go to "Add/Remove Programs" and remove the "SpySheriff" program. If it says that it cannot uninstall, then you still have it running. It will uninstall once it's not running.

Your desktop background will not be restored by that uninstall. Go into the registry by starting RegEdit.exe from the Start button.

Look for this key:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop

It will have about 6 values stored that disable certain things. Delete this whole branch ActiveDesktop - the system will work with default values afterwards.

Also delete this branch in your registry:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System

Look in your root directory for a file named winstall.exe. Most of the time it is found in c:\ and is 24064 bytes in size.

This file is scheduled to execute each time you boot and it will re-install SpySheriff.

Delete that file.

There may also be additional executable files that were created at the same time as winstall.exe. Those files may be named 'winstall.exe' and 'ibm00001.exe'. You should delete those files as well.

You should search your system for any files with "ibm000" or "Tool" in their name. This virus also creates files with names and executables such as "Tool.exe", "Tools2.exe", "tools3.exe" etc. Also go to your Windows and System32 folders, organize your file view by "Date Modified", and look carefully for ANY files created or modified the day you were infected. Remove any suspicious ones; they shouldn't be there if you haven't installed anything that day. If any system file was modified, DO NOT remove it, but watch it carefully. There should probably be some .html files too, called something like secure32.html, desktop.html or wallpaper.html; those should also be looked for and removed. You can find them by searching by date created.

This virus also drops files at:

C:\Program Files\Common Files\Microsoft Shared\Web Folders\

So search carefully into this folder and delete any suspicious files created in the day of the infection.

Restart your system.

Done.

Edited by Ely
  • 0

Sorry Mate haven't read all the replies so forgive if someone has already said this

Try right clicking on your desktop > properties > desktop > customize desktop > pick web from the tab at the top and you might find that the virus has set your background to a webpage, it happened to me too just delete the current setting :D

  • 0

Thanks for the help Ely, much appreciated - it worked fine for me.

No problem, Make sure you re-read my post as I have updated it with some extra info on files created and the such.

  • 0

Ok, first of all, thanks all for trying to help, and I'm trying the advice/tips.

Rick, I do have Windows XP Home Edition. uglydan, after my first few scans I went through every file and got rid of anything suspicious or that was created on the 28/12/05 but nothing much happened.

cai_sebas, I don't really know what you mean. Which hkey and sub folders do I go to?

And now Ely. Firstly, I have already done the following:

- alt ctrl del to end those processes and then I uninstalled SpySheriff from Add/Remove

- I deleted those 6 items in HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer except for one which is called NoDriveAutoRun which has the type REG_DWORD and the data 0x00000091 (145). Do I delete this?

- In the following HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System I have a file called Wallpaper with type REG_SZ and the data C:\WINDOWS\desktop.html. Should I delete this? Can I somehow modify it? Why is it html?

- You said to delete the whole branch in HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop. Does that also mean I should delete the file called (Default) with the type REG_SZ and data (value not set)?

I did a search on the computer for anything with winstall, tool and ibm0000 in it but came up with no results.

I also looked in here C:\Program Files\Common Files\Microsoft Shared\Web Folders\ but didn't find anything that was created/modified recently or that looked suspicious.

One last thing:

The part which I circled in red and have the question mark beside is an unknown wallpaper which I assume is my current background. Notice how it looks like a webpage format file :unsure:

wallpaperproblem.jpg

  • 0

Check my post: you MUST delete all the entries I told you about; they are all part of the virus. The wallpaper.html is probably in your System32 or Windows folders. It should have a name such as desktop.html, wallpaper.html or secure32.html; it could have other names too. Yes, delete the whole branch of the registry keys I told you about; however, I'm NOT sure about HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer. I have to investigate more about it.

This topic is now closed to further replies.
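
The registry locations discussed in this thread (Policies\ActiveDesktop, Policies\System with its Wallpaper value, and Policies\Explorer) can be reviewed read-only before anything is deleted. The script below is an added example, not part of any post in the thread: it parses a regedit text export of the HKCU Policies branch and lists the values that lock the wallpaper. Assumptions: the export text is constructed, NoChangingWallPaper is the value written by the "Prevent changing wallpaper" policy, and the Explorer keep list follows the quoted fix (NoDriveTypeAutoRun).

```python
# Read-only audit of a regedit export of the HKCU Policies branch (added example).
import re
import sys

POLICIES = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies"
# Explorer values that the fix quoted in this thread left in place.
EXPLORER_KEEP = {"nodrivetypeautorun"}

# Constructed export in regedit's "Version 5.00" text format. The Wallpaper
# value matches the one reported in the thread; the rest is sample data.
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop]
"NoChangingWallPaper"=dword:00000001

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"Wallpaper"="C:\\WINDOWS\\desktop.html"
'''

KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')


def _unescape(s):
    # .reg files escape backslashes and double quotes with a backslash.
    return re.sub(r"\\(.)", r"\1", s)


def parse_reg(text):
    """Return {key_path: {value_name: (type, data)}} from .reg export text."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        m = KEY_RE.match(line)
        if m:
            current = keys.setdefault(m.group(1), {})
            continue
        m = VALUE_RE.match(line)
        if not m or current is None:
            continue
        name = "(Default)" if m.group(1) == "@" else _unescape(m.group(1)[1:-1])
        raw = m.group(2)
        if raw.startswith("dword:"):
            current[name] = ("REG_DWORD", int(raw[6:], 16))
        elif len(raw) >= 2 and raw.startswith('"') and raw.endswith('"'):
            current[name] = ("REG_SZ", _unescape(raw[1:-1]))
        else:
            current[name] = ("OTHER", raw)  # hex:, multi-line data, etc.
    return keys


def audit(text):
    """Return (subkey, value_name, data, reason) for each value worth reviewing."""
    findings = []
    prefix = (POLICIES + "\\").upper()
    for key, values in parse_reg(text).items():
        if not key.upper().startswith(prefix):
            continue
        sub = key[len(prefix):]
        for name, (kind, data) in values.items():
            if name == "(Default)":
                continue
            if sub.lower() == "system" and name.lower() == "wallpaper":
                reason = "forced wallpaper path"
                if str(data).lower().endswith((".htm", ".html")):
                    reason += " (HTML page used as wallpaper)"
            elif sub.lower() == "activedesktop" and kind == "REG_DWORD" and data != 0:
                reason = "Active Desktop restriction enabled"
            elif sub.lower() == "explorer" and name.lower() not in EXPLORER_KEEP:
                reason = "Explorer policy not on the keep list"
            else:
                continue
            findings.append((sub, name, data, reason))
    return findings


if __name__ == "__main__":
    # Real regedit exports are UTF-16 with a BOM; pass the file path as argv[1].
    text = open(sys.argv[1], encoding="utf-16").read() if len(sys.argv) > 1 else SAMPLE_EXPORT
    for sub, name, data, reason in audit(text):
        print(f"{sub}\\{name} = {data!r}: {reason}")
```

Exporting the Policies branch from regedit before making changes also leaves a backup that can be re-imported if a deletion turns out to be wrong.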