I cant change my desktop wallpaper

[Ck10]

hey

My compuer was recently infected by spysherif however i followed some removal instructions and i think i managed to get rid of some of it.

First i did a full anti-virus system scan using SymantecAntivirus and then i used Ad-Aware SE Personal, Spybot S&D and Ewido anti-malware. After i thought i got rid of it, there was a red circle with a white x in it that kept appearing in my taskbar beside the clock and a message above it saying "your computer is infect!....please download the latest anti-spyware....". Also my desktop background has been changed. It is now all blue with a black box in the middle and red text saying "Spyware Infection" and under this red writing theres more writing in white text that says "Your system is infected with spyware. Windows recomends you to use spyware removal tools..."

I restarted my computer in safe mode and ran all the programs again and deleted any infections.

I restarted my computer in normal mode and the red circle with the white x and "your computer is infect!" message above it have now gone. However the "Spyware Infection" desktop background is still there and when i try to change it under the desktop tab in display properties, the wallpaper section is disabled. I cant scroll down or select any wallpaper.

Also when i try to open a webpage its taking alot longer then usual, so i think i still have some sort of spyware/adware or something on it still. :cry:

I also have hijack this in which i saved a logfile but i dont know what to do with it. =/

I very much appreciate any help or advice on this problem

thanks

please help

[Slimy]

Wonder what that 0.txt is doing there. I'd say the system32 folder would be more important to check out.

[+Elі Subscriber²]

Dude read my post, god! I can see there things such as secure32 which is part of the virus, right click EVERY file which was created on that date and check its version and date created and date modified, remove ANY file created on that day, not the ones just modified. looks to me that the one called isRS-000.temp is also part of the virus, check it out and probably remove it too.

PS: Please notice that I originally said to remove: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System I didnt say anything about HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer though this one looks suspicious I think it at least the branch should be there, do a search on google for that key and you will see, the branch should be there but not sure about all of its items to the right.

Edited December 28, 2005 by Ely

[Ck10]

k slimy i deleted that 0 file. Would you have any idea what it is? I opend it and it was empty... :huh:

hehe sry Ely (by the way im a girl, not a dude). I deleted the secure file and some of the others that were created on the 28/12/05. The rest were created either months ago or a year ago but have been modified on the 28/12/05 so i was to scared to delete those and just left them. These are the ones i left (do i still delete them even though they were created a whiiile back):

and slimy heres what my C:\WINDOWS\system32 looks like in modified order:

[+Elі Subscriber²]

lol sorry for calling you dude, ok if they were not created that day but just modified then do not delete the ones that were just modified, do the same for C:\WINDOWS\system32 but I think that folder is safe for you I only see one that was modified on 28/12 and that is a system file, you should NOT delete it. Also be sure that you have Windows explorer set to show hidden files too. dont forget to do this whole check on your root folder too that is C:\

[Ck10]

yayayayay Elyyy you did it... I deleted that that file in HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System

about the wallpaper thing and my desktop went this weird grey colour. This time however when i went into the desktop tab in display properties i was able to choose and modify my background again.

Once again heres the file:

(what i typed earlier when i found this)

"In the following HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System i have a file called Wallpaper with type REG_SZ and the data C:\WINDOWS\desktop.html "

And this is my new display properties, =D see how everything is enabled again like the scroll on the side and the buttons

Thankyou sooo much Ely and slimy and uglydan and everyone else..Thanks so much Ely. Im going to do a spyware, malware and addware clean once again in safe mode and normal mode.

God this thing was driving me crazy. Ely how can i be sure that i got rid of it all? As in theres no file hiding somewhere in my computer?

[Slimy]

God this thing was driving me crazy. Ely how can i be sure that i got rid of it all? As in theres no file hiding somewhere in my computer?

You cannot be 100% sure but you can remove basically everything. A few registry keys or a file may still lingerbut as long as it's not an exe, it won't do you any harm.

Glad you got it fixed. Good work Ely ;)

[+Elі Subscriber²]

LOL Ck10 I'm glad you got it fixed, you are probably now fine, but its not a bad idea to do full scans with different programs, for the time being while Microsoft puts up a patch make sure you DO NOT go to untrusted sites using Internet Explorer. and be sure to update your anti virus, there's supposely a command you can type to fix the vulnerability momentarily but it will break some things check it Here however that will break Picture Viewer, paint and others and you wont be able to see authentic files with that extension if you use that command.

[Ck10]

:huh:

I read that post and clicked on the link he posted to but im soo confused. I didnt understand anything.

Is it something to do with stopping bugs, spyware, adware or malware from opening in different software/programs and saving itself as that software/programs file format (like .html or .jpeg or fax viewer format) and onto your computer? and if so does this stop the bug (for example spysherif) from being executed onto your computer?

lol if none of this made sense to anyone then just ignore this post, i think i confused myself more to :rofl:

:yes: :shiftyninja: :whistle: <<< heh their so cute

[+Elі Subscriber²]

Hey if you type that command (which supposedly stops the vulnerability) you will not automatically get infected anymore when you browse a site which contains the infection, however when you type that command it will protect you but it will break things such as Windows Picture & Fax viewer and Paint or any program which attempts to open or use WMF files, I dont think it will break them totally but just when you try to see those types of files, so for the time being the best suggestion is DO NOT use Internet Explorer to visit untrusted sites till Microsoft puts out a patch, otherwise type the command but your system will be unable to view WMF files till that patch comes out and fixes it back.

[Guisande]

I didnt checked if this topic is new/old

But i have a problem with this Spyware and need some help

I followed the instructions and deleted all this **** and reestarted with no problems

But when the windows load, i have a Error Message saying the file ibm000....exe was not found, but i deleted

And with Tune Up StartUP Manager, i dont foudn this ibm there..

The other problem: My WIN is SP2 and after that **** i cant Enable the WIN Firewall.. No way

People this is my first message so sorry for anything..

[chocol8_flake]

ok. ely's instruction worked but now my desktop icon titles have background colors in it. how do i make it transparent again? mine is win xp btw. thanks