Annoyance / virus / ???? please help

Archived from groups: microsoft.public.windowsxp.security_admin

Hi you all,
I have something running on my network; it's getting on my nerves. I have
XP with SP2 and all the updates as well as Win 2000 with all the patches.
The affected computer has its background changed to a porno BMP file dropped
in the system32 directory (by the way, the users logged onto the system
cannot write to the system32 dir), and it changes the reg key
HKCU\current\Control Panel\Desktop\Wallpaper\???.bmp.
On some computers it turns off the DHCP service and the DNS service. It
seems to do no other harm.
I have run Norton, Trend, Panda, Ad-aware and Spybot, and they have not
found anything.
Have you ever seen something like this?
Please help?
  1. Archived from groups: microsoft.public.windowsxp.security_admin (More info?)

    it's me wrote:

    > Hi you all,
    > I have something running on my network; it's getting on my nerves. I
    > have XP with SP2 and all the updates as well as Win 2000 with all the
    > patches. The affected computer has its background changed to a porno
    > BMP file dropped in the system32 directory (by the way, the users
    > logged onto the system cannot write to the system32 dir), and it
    > changes the reg key HKCU\current\Control Panel\Desktop\Wallpaper\???.bmp.
    > On some computers it turns off the DHCP service and the DNS service.
    > It seems to do no other harm.
    > I have run Norton, Trend, Panda, Ad-aware and Spybot, and they have
    > not found anything.
    > Have you ever seen something like this?
    > Please help?

    You've been hijacked. You need to take down the network and clean each
    machine thoroughly with updated tools in Safe Mode. Get tools and
    updates from a different, unrelated known-clean computer with a good
    Internet connection and a CD burner. Do not reconnect your network
    until both machines are 100% clean. Here are removal steps:

    1) Scan in Safe Mode with current version (not earlier than 2003)
    antivirus using updated definitions.

    2) Remove spyware with Spybot Search & Destroy and Ad-aware. These
    programs are free, so use them both since they complement each other.
    There is a new version of CWShredder from Intermute. I would not
    install the other Intermute programs, however. Alternately, there are
    CoolWebSearch malware removal steps at SilentRunners.

    Be sure to update these programs before running, and it is a good idea
    to do virus/spyware scans in Safe Mode. Make sure you are able to see
    all hidden files and extensions (View tab in Folder Options).

    HijackThis is an excellent tool to discover and disable hijackers, but
    it requires expert skill. See below for HijackThis links. A combination
    of HijackThis and About:Buster works well in removing the About:Blank
    homepage hijacker. Again, this is an expert tool and novices should get
    help with it.

    3) If you are running Windows ME or XP, you should disable/enable System
    Restore because malware will be in the Restore Points. With ME, you
    must disable System Restore completely. With XP, you can delete all but
    the most recent (presumably clean) System Restore point from the More
    Options section of Disk Cleanup (Run>cleanmgr).

    4) Make sure you've visited Windows Update and applied all security
    patches. Do not install driver updates from Windows Update.

    5) Run a firewall.

    Links to help with malware:

    Software/Methods:
    http://www.safer-networking.org - Spybot Search & Destroy
    http://www.lavasoftusa.com - Ad-aware
    http://www.majorgeeks.com - good download site
    http://www.intermute.com/spysubtract/cwshredder_download.html
    http://www.silentrunners.org/sr_cwsremoval.html. - SilentRunners

    HijackThis:
    http://www.aumha.org/a/hjttutor.htm - HijackThis tutorial by Jim
    Eshelman
    http://spywarewarrior.com/viewforum.php?f=5 - Spyware Warrior HijackThis
    forum
    http://www.wilderssecurity.com/
    http://forums.tomcoyote.org/
    http://www.spywareinfo.com/forums/

    General:
    http://forum.aumha.org/ - look under "Security" for various forums
    http://rgharper.mvps.org/cleanit.htm
    http://mvps.org/winhelp2002/unwanted.htm
    http://www.aumha.org/a/parasite.htm - The Parasite Fight
    http://www.spywarewarrior.com/rogue_anti-spyware.htm

    Malke
    --
    MS MVP - Windows Shell/User
    Elephant Boy Computers
    www.elephantboycomputers.com
    "Don't Panic!"
  2. Archived from groups: microsoft.public.windowsxp.security_admin (More info?)

    Malke,
    I have run the AV in Safe Mode as well as Ad-aware and Spybot with
    no luck. I will try the other tools that you recommended to see if there
    is any luck.
    If you think of anything else please let me know.
    Thanks

  3. Archived from groups: microsoft.public.windowsxp.security_admin (More info?)

    it's me wrote:

    > Malke,
    > I have run the AV in Safe Mode as well as Ad-aware and Spybot with
    > no luck. I will try the other tools that you recommended to see if
    > there is any luck.
    > If you think of anything else please let me know.
    > Thanks

    Since you've already scanned with Ad-aware and Spybot, try HijackThis as
    I suggested. Please read the tutorial and then you can post your log
    at: http://forum.aumha.org/

    Malke
    --
    MS MVP - Windows Shell/User
    Elephant Boy Computers
    www.elephantboycomputers.com
    "Don't Panic!"

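The symptoms reported in this thread (a Wallpaper value pointing at a BMP under system32, and the DHCP and DNS services switched off) can be checked machine by machine from saved `reg query` and `sc query` output, which helps decide which hosts to keep off the network when the scanners report nothing. The Python below is an added example, not part of the original posts; the registry path `HKCU\Control Panel\Desktop`, the service short names `Dhcp` and `Dnscache`, and all sample output are assumptions or constructed for illustration.

```python
import re

# Assumed short names: the post only says "the dhcp service and the dns service";
# on XP/2000 clients those are the DHCP Client (Dhcp) and DNS Client (Dnscache).
WATCHED = ("Dhcp", "Dnscache")

def wallpaper_value(reg_out):
    """Wallpaper data from: reg query "HKCU\\Control Panel\\Desktop" /v Wallpaper"""
    m = re.search(r"^[ \t]*Wallpaper[ \t]+REG_(?:EXPAND_)?SZ[ \t]*(.*)$",
                  reg_out, re.I | re.M)
    return m.group(1).strip() if m else None

def service_states(sc_out):
    """Map service name -> state word from concatenated `sc query <name>` output."""
    states, current = {}, None
    for line in sc_out.splitlines():
        name = re.match(r"\s*SERVICE_NAME:\s*(\S+)", line)
        state = re.match(r"\s*STATE\s*:\s*\d+\s+(\w+)", line)
        if name:
            current = name.group(1).lower()
        elif state and current:
            states[current] = state.group(1).upper()
    return states

def triage(reg_out, sc_out):
    """Return the symptoms from the original post that this host shows."""
    findings = []
    wp = wallpaper_value(reg_out)
    if wp and re.search(r"[\\/]system32[\\/][^\\/]+\.bmp$", wp, re.I):
        findings.append("wallpaper is a BMP in system32: " + wp)
    states = service_states(sc_out)
    for svc in WATCHED:
        state = states.get(svc.lower(), "NOT REPORTED")
        if state != "RUNNING":
            findings.append(svc + " is " + state)
    return findings

# Constructed sample output (file name and host names are made up for illustration).
AFFECTED_REG = ("HKEY_CURRENT_USER\\Control Panel\\Desktop\n"
                "    Wallpaper    REG_SZ    C:\\WINDOWS\\system32\\example.bmp\n")
AFFECTED_SC = ("SERVICE_NAME: Dhcp\n        STATE              : 1  STOPPED\n"
               "SERVICE_NAME: Dnscache\n        STATE              : 4  RUNNING\n")
CLEAN_REG = ("HKEY_CURRENT_USER\\Control Panel\\Desktop\n"
             "    Wallpaper    REG_SZ    C:\\WINDOWS\\Web\\Wallpaper\\Bliss.bmp\n")
CLEAN_SC = AFFECTED_SC.replace("1  STOPPED", "4  RUNNING")

if __name__ == "__main__":
    for host, reg, sc in (("pc-01", AFFECTED_REG, AFFECTED_SC), ("pc-02", CLEAN_REG, CLEAN_SC)):
        print(host, triage(reg, sc) or "no symptoms")
```

A host that shows any finding stays disconnected until it has been cleaned; an empty list only means these particular symptoms are absent, not that the machine is clean.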