Strange virus/spyware problem on desktop background, need help...

By BBoW
Jul 1, 2005
Topic Status:
Not open for further replies.
  1. Hi Everyone,

    A few days ago I opened up a file which activated loads of cr*p on my computer. Computer was full of spyware, viruses, trojans and all sorts of annoying pests. I've managed to get rid of most of them but there's only one thing that I can't seem to fix.

    My desktop background is a file called screen.html, located in C:\Windows.
    And it's showing a black screen with a message in the middle saying "WARNING YOU'RE IN DANGER" and it's saying that my computer has viruses and I should install an anti-virus programme and it has a link at the bottom (which I assume would activate more cr*p if I click it).

    Anyways, trying to get rid of that background, but no luck. Nothing seems to get rid of it. Tried deleting it, no luck. 3 different virus scanners can't remove it. Ad-aware doesn't do it. So I have no idea anymore.

    Anyone got a clue how to remove this?


    Thanks,

    Bbow
  2. acf

    acf Banned

    reply

    try getting spybot and scanning ur pc. tell me if that helps
  3. IronDuke

    IronDuke Newcomer, in training Posts: 1,267

  4. BBoW

    BBoW Newcomer, in training Topic Starter Posts: 32

    Hello again,

    Acf, tried spybot, no luck. It says there's no spyware on my computer.

    IronDuke, thanks for those links...I'll read them straight away. I didn't realize that copy & pasting the log annoys people, I'll edit my original post.

    Thanks for the quick replies...I'll get cracking with HijackThis and let you know if it fixes it.


    Bbow
  5. IronDuke

    IronDuke Newcomer, in training Posts: 1,267

    BBoW
    It is not so much annoyance as just plain difficult. The log takes up a lot of space and by the time you have a couple of updates there is one hell of a length to scroll through when you need to check something from earlier.

    You could also try Ewido; it is an alternative to Spybot. Two checks are better than one.
  6. BBoW

    BBoW Newcomer, in training Topic Starter Posts: 32

    Hi,

    Installed Ewido, it seemed to find more things than other scanners that I used. But the background still remains. I did exactly everything that was mentioned in that sticky thread about removing CWS, but I still can't seem to get rid of the annoying black background on my desktop.

    I've attached my HijackThis log and I also made a screenshot of the background that I'm talking about.

    Hoping someone knows how to get rid of this....

    Many thanks,


    Bbow

    Hey,

    FIXED IT!!!! YEY!!!

    Man, I'm such a muppet...it was much simpler than I thought.

    After a long search I've found a thread here of someone with the same problem, followed what was said, and fixed it.

    Here's the link:

    http://www.techspot.com/vb/topic20613.html


    BBow (will be searching a bit more before posting from now on!)

  7. IronDuke

    IronDuke Newcomer, in training Posts: 1,267

    Removed erroneous advice, IronDuke must have just returned from the pub!

    Apologies to IronDuke
  8. RealBlackStuff

    RealBlackStuff Newcomer, in training Posts: 8,165

    You wish! You are by no means clean, your PC is still riddled with trojans and adware!

    Move your HJT program to its OWN directory, e.g. C:\Program Files\HJT before you proceed!

    Boot in Safe Mode.
    Switch System restore OFF, see how here.
    Press Ctrl/Alt/Del simultaneously, select Taskmanager/Processes, select the process (if there), click "End Process" for:

    ebaxmlc.exe
    dxmmon.exe
    wuam.exe
    odmnvmt.exe
    WinDat.exe
    rst?.exe
    tntjya.exe
    hookdump.exe

    Next, try to UNinstall anything to do with, or left over from (not delete yet!):
    C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
    This is SpywareDoctor from PCTools, a useless PoS.

    Next, run a HJT scan and place a tick-mark in the little square before (if still there):
    ...................................................................................................
    C:\WINDOWS\System32\ebaxmlc.exe
    C:\WINDOWS\System32\dxmmon.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    O2 - BHO: CFilter Object - {2A7B720A-7A28-4e99-80A0-2DF985EC93D0} - C:\WINDOWS\System32\font.dll
    O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
    O4 - HKLM\..\Run: [p7oW3nX] ebaxmlc.exe
    O4 - HKCU\..\Run: [Microsoft Update Time] wuam.exe
    O4 - HKCU\..\Run: [Microsoft Update Machine Network] odmnvmt.exe
    O4 - HKCU\..\Run: [Windows Database] WinDat.exe
    O4 - HKCU\..\Run: [Podt] C:\Documents and Settings\Bosiocic\Application Data\rst?.exe
    O4 - HKCU\..\Run: [Microsoft Update] tntjya.exe
    O4 - HKCU\..\Run: [Yw76RhbtR] dxmmon.exe
    O4 - HKCU\..\Run: [Intel system tool] C:\WINDOWS\System32\hookdump.exe
    O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll (file missing)
    O9 - Extra button: (no name) - {FB5F1910-F110-11d2-BB9E-00C04F795683} - (no file)
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - (no file)
    FIX O17 unless these IPs are from your ISP!
    O17 - HKLM\System\CCS\Services\Tcpip\..\{F5C8E0E1-DCE7-4998-A3DE-972E04B51341}: NameServer = 194.74.65.68 194.72.9.38
    O20 - AppInit_DLLs: sfklg.dll
    ...................................................................................................
    Now click on the Fix Checked button in HJT.

    When done, from between the dotted lines, delete the highlighted bold files.
    When a \directory-name\ is bold, delete everything in it, including that directory itself.
    Delete all files and directories from: C:\Documents and Settings\[username]\Local Settings\Temp
    Repeat this for ALL [usernames].
    Delete all files and directories from: C:\WINDOWS\Temp (except files dated from TODAY).
    Boot normal. When all OK, switch System Restore back on.

    You have THREE antivirus programs, ONE is enough! (McAfee, AVG, AntiVir).
    Keep the one you paid for (for the moment). If you paid for none, keep only AVG.
  9. BBoW

    BBoW Newcomer, in training Topic Starter Posts: 32

    Ok, I've done almost all of the above. Except that HJT was unable to fix the sfklg.dll file.

    I've tried to delete that file, but I'm unable to do that, windows won't let me.

    When I rebooted in normal mode...I received an error message at startup of XP, saying that 'windows was unable to find the delus.exe file'. That file was in my C:\Documents and settings\[username]\local settings\temp folder, and at the moment it's in the recycle bin.

    What do you think I should do about that?

    BBow
  10. RealBlackStuff

    RealBlackStuff Newcomer, in training Posts: 8,165

    Reboot in Safe Mode.
    Click Start/Run and type in cmd and hit OK
    Type in regsvr32 /u sfklg.dll and hit Enter, then delete it.
    Empty the recycle bin.

    Run HJT and post a fresh log please (as an attachment).
  11. liltex79

    liltex79 Newcomer, in training

    i need help removing a virus/spyware

    hello all i am new to this site and i was wondering if someone could help me
    i was online last night and when i went to log off my computer said i was infected with a virus/spyware
    i have anti-virus protection and spyware protection that runs every week from aol
    but i ran and scanned all deleted all that came back but still says i am infected what should i do?
  12. ENIGmA216

    ENIGmA216 Newcomer, in training

    I was so glad to find this topic on a website as i just got this EXACT same thing myself. i have tried multiple things like you and just read the post and went to restart in safe mode then realising that my hjt wouldn't be the same as his anyway could anyone PLEASE help me PLEASE!!! :)

  13. RealBlackStuff

    RealBlackStuff Newcomer, in training Posts: 8,165

    Move HJT to a PROPER directory, not on Desktop!
    C:\Documents and Settings\Administrator\Desktop\HijackThis.exe

    Boot in Safe Mode.
    Switch System restore OFF, see how here.
    In Windows Explorer, turn on "show all files and folders, including hidden and system". See how here.
    Press Ctrl/Alt/Del simultaneously, select Taskmanager/Processes, select the process (if there), click "End Process" for:

    loadqm.exe

    Next, run a HJT scan and place a tick-mark in the little square before (if still there):
    ...................................................................................................
    C:\WINNT\loadqm.exe

    O4 - HKLM\..\Run: [LoadQM] loadqm.exe
    O16 - DPF: {64D01C7F-810D-446E-A07E-365764235644} (AtlAtomadersCtlAttrib Class) - http://kraisoft.com/files/realone/atomaders.cab
    O16 - DPF: {70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} (GSDACtl Class) - http://launch.gamespyarcade.com/software/launch/alaunch.cab
    O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/suite/autocomplete.cab
    O16 - DPF: {C4925E65-7A1E-11D2-8BB4-00A0C9CC72C3} (Virtools WebPlayer Class) - http://a532.g.akamai.net/f/532/6712/4h/player.virtools.com/downloads/player/Install3.0/Installer.exe
    Unless these IPs are from your ISP, fix this O17
    O17 - HKLM\System\CCS\Services\Tcpip\..\{A6CD8CE5-2FBD-45C8-B05D-A59FE6485108}: NameServer = 194.168.4.100 194.168.8.100
    ...................................................................................................
    Now click on the Fix Checked button in HJT.

    When done, from between the above dotted lines, delete the highlighted bold files.
    Delete all files and directories from: C:\Documents and Settings\[username]\Local Settings\Temp
    Repeat this for ALL [usernames].
    Delete all files and directories from: C:\WINNT\Temp (except files dated from TODAY).
    Boot normal.

    Now go get an Antivirus program, free AVG from http://free.grisoft.com
    Next, stop running W2K as Administrator, use a Username with Admin rights instead.
    Next, install SP4 and do all the online Windows updates
    Next, stop using IE, except for Windows-updates. Go to www.getfirefox.com and install Firefox instead.
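
Added example (not part of the original posts, and not HijackThis's own logic): a small triage script for the HijackThis line types that the two fix lists above single out, namely O4 autoruns, O17 NameServer overrides, O20 AppInit_DLLs and O2/O9 entries with no file. The heuristics are assumptions chosen for illustration; they only shortlist lines for manual review, and an autorun with a full path under System32 (such as hookdump.exe) passes them unflagged.

```python
import re

# Sample lines copied from the two HijackThis logs quoted in the posts above.
SAMPLE_LOG = r"""
O2 - BHO: CFilter Object - {2A7B720A-7A28-4e99-80A0-2DF985EC93D0} - C:\WINDOWS\System32\font.dll
O4 - HKLM\..\Run: [p7oW3nX] ebaxmlc.exe
O4 - HKCU\..\Run: [Podt] C:\Documents and Settings\Bosiocic\Application Data\rst?.exe
O4 - HKCU\..\Run: [Intel system tool] C:\WINDOWS\System32\hookdump.exe
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O9 - Extra button: (no name) - {FB5F1910-F110-11d2-BB9E-00C04F795683} - (no file)
O17 - HKLM\System\CCS\Services\Tcpip\..\{F5C8E0E1-DCE7-4998-A3DE-972E04B51341}: NameServer = 194.74.65.68 194.72.9.38
O20 - AppInit_DLLs: sfklg.dll
"""

LINE_RE = re.compile(r"^\s*([A-Z]\d{1,2}) - (.*)$")
RUN_RE = re.compile(r"^HK\w+\\\.\.\\Run\w*: \[(.*?)\] (.*)$")
PROFILE_RE = re.compile(r"\\(Application Data|Local Settings\\Temp)\\", re.I)
IPV4_RE = re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}\b")

def triage(log_text):
    """Return (section, reason, detail) for entries that need a manual look."""
    findings = []
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue  # header lines, process list, blank lines
        section, body = m.groups()
        run = RUN_RE.match(body) if section == "O4" else None
        if run:
            cmd = run.group(2)
            if "\\" not in cmd:  # bare file name, resolved through the search path
                findings.append((section, "autorun without full path", cmd))
            elif PROFILE_RE.search(cmd):  # launched from a user-writable folder
                findings.append((section, "autorun from user profile", cmd))
        elif section == "O17" and "NameServer" in body:
            ips = " ".join(IPV4_RE.findall(body))
            findings.append((section, "static DNS, compare with ISP", ips))
        elif section == "O20" and body.split(":", 1)[-1].strip():
            dlls = body.split(":", 1)[-1].strip()  # loaded into GUI processes
            findings.append((section, "AppInit_DLLs is set", dlls))
        elif section in ("O2", "O9") and re.search(r"\((no file|file missing)\)", body):
            findings.append((section, "entry points at a missing file", body))
    return findings

if __name__ == "__main__":
    for section, reason, detail in triage(SAMPLE_LOG):
        print(f"{section:<4}{reason:<32}{detail}")
```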
     
  14. ENIGmA216

    ENIGmA216 Newcomer, in training

    lol looks like i was doing a lot wrong there. thanks a bunch!!!

    i have been having a few problems since doing this eg some programs don't work? like msn and xfire and windows media player? lol it comes up with the error message The application failed to initialize properly (0Xc0000005). click on OK to terminate the application and it only happened to a few things