Strange virus/spyware problem on desktop background, need help...

Status
Not open for further replies.

BBoW

Hi Everyone,

A few days ago I opened up a file which activated loads of cr*p on my computer. Computer was full of spyware, viruses, trojans and all sorts of annoying pests. I've managed to get rid of most of them but there's only one thing that I can't seem to fix.

My desktop background is a file called screen.html, located in C:\Windows.
And it's showing a black screen with a message in the middle saying "WARNING YOU'RE IN DANGER" and it's saying that my computer has viruses and I should install an anti-virus programme and it has a link at the bottom (which I assume would activate more cr*p if I click it).

Anyways, trying to get rid of that background, but no luck. Nothing seems to get rid of it. Tried deleting it, no luck. 3 different virus scanners can't remove it. Ad-aware doesn't do it. So I have no idea anymore.

Anyone got a clue how to remove this?


Thanks,

Bbow
 
Hello again,

Acf, tried spybot, no luck. It says there's no spyware on my computer.

IronDuke, thanks for those links...I'll read them straight away. I didn't realize that copy & pasting the log annoys people, I'll edit my original post.

Thanks for the quick replies...I'll get cracking with HijackThis and let you know if it fixes it.


Bbow
 
BBoW
It is not so much annoyance as just plain difficult. The log takes up a lot of space and by the time you have a couple of updates there is one hell of a length to scroll through when you need to check something from earlier.

You could also try Ewido; it is an alternative to Spybot. Two checks are better than one.
 
Hi,

Installed Ewido, it seemed to find more things than other scanners that I used. But the background still remains. I did exactly everything that was mentioned in that sticky thread about removing CWS, but I still can't seem to get rid of the annoying black background on my desktop.

I've attached my HijackThis log and I also made a screenshot of the background that I'm talking about.

Hoping someone knows how to get rid of this....

Many thanks,


Bbow

Hey,

FIXED IT!!!! YEY!!!

Man, I'm such a muppet...it was much simpler than I thought.

After a long search I've found a thread here of someone with the same problem, followed what was said, and fixed it.

Here's the link:

https://www.techspot.com/vb/topic20613.html


BBow (will be searching a bit more before posting from now on!)
 

Attachments

  • hijackthis.txt (6.3 KB)
  • screen.JPG (99.4 KB)
You wish! You are by no means clean, your PC is still riddled with trojans and adware!

Move your HJT program to its OWN directory, e.g. C:\Program Files\HJT before you proceed!

Boot in Safe Mode.
Switch System restore OFF, see how here.
Press Ctrl/Alt/Del simultaneously, select Task Manager/Processes, select the process (if there), click "End Process" for:

ebaxmlc.exe
dxmmon.exe
wuam.exe
odmnvmt.exe
WinDat.exe
rst?.exe
tntjya.exe
hookdump.exe

Next, try to UNinstall anything to do with, or left over from (not delete yet!):
C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
This is SpywareDoctor from PCTools, a useless PoS.

Next, run a HJT scan and place a tick-mark in the little square before (if still there):
...................................................................................................
C:\WINDOWS\System32\ebaxmlc.exe
C:\WINDOWS\System32\dxmmon.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: CFilter Object - {2A7B720A-7A28-4e99-80A0-2DF985EC93D0} - C:\WINDOWS\System32\font.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O4 - HKLM\..\Run: [p7oW3nX] ebaxmlc.exe
O4 - HKCU\..\Run: [Microsoft Update Time] wuam.exe
O4 - HKCU\..\Run: [Microsoft Update Machine Network] odmnvmt.exe
O4 - HKCU\..\Run: [Windows Database] WinDat.exe
O4 - HKCU\..\Run: [Podt] C:\Documents and Settings\Bosiocic\Application Data\rst?.exe
O4 - HKCU\..\Run: [Microsoft Update] tntjya.exe
O4 - HKCU\..\Run: [Yw76RhbtR] dxmmon.exe
O4 - HKCU\..\Run: [Intel system tool] C:\WINDOWS\System32\hookdump.exe
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll (file missing)
O9 - Extra button: (no name) - {FB5F1910-F110-11d2-BB9E-00C04F795683} - (no file)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - (no file)
FIX O17 unless these IPs are from your ISP!
O17 - HKLM\System\CCS\Services\Tcpip\..\{F5C8E0E1-DCE7-4998-A3DE-972E04B51341}: NameServer = 194.74.65.68 194.72.9.38
O20 - AppInit_DLLs: sfklg.dll
...................................................................................................
Now click on the Fix Checked button in HJT.

When done, from between the dotted lines, delete the highlighted bold files.
When a \directory-name\ is bold, delete everything in it, including that directory itself.
Delete all files and directories from: C:\Documents and Settings\[username]\Local Settings\Temp
Repeat this for ALL [usernames].
Delete all files and directories from: C:\WINDOWS\Temp (except files dated from TODAY).
Boot normal. When all OK, switch System Restore back on.

You have THREE antivirus programs, ONE is enough! (McAfee, AVG, AntiVir).
Keep the one you paid for (for the moment). If you paid for none, keep only AVG.
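
An added example, not part of the thread and not HijackThis code: a small Python parser for the log-line format quoted in the fix list above, pulling out the fields a reviewer checks in O4, O17, O20 and orphaned entries. The sample lines are copied from the post; the review notes are this example's own heuristics.

```python
import re

# Lines copied from the fix list in the post above (not a complete log).
SAMPLE = r"""
O2 - BHO: CFilter Object - {2A7B720A-7A28-4e99-80A0-2DF985EC93D0} - C:\WINDOWS\System32\font.dll
O4 - HKLM\..\Run: [p7oW3nX] ebaxmlc.exe
O4 - HKCU\..\Run: [Intel system tool] C:\WINDOWS\System32\hookdump.exe
O9 - Extra button: (no name) - {FB5F1910-F110-11d2-BB9E-00C04F795683} - (no file)
O17 - HKLM\System\CCS\Services\Tcpip\..\{F5C8E0E1-DCE7-4998-A3DE-972E04B51341}: NameServer = 194.74.65.68 194.72.9.38
O20 - AppInit_DLLs: sfklg.dll
""".strip().splitlines()

ENTRY = re.compile(r"^([A-Z]\d{1,2}) - (.*)$")               # "<code> - <detail>"
RUN = re.compile(r"^(HK\w+)\\\.\.\\(\w+): \[(.*?)\] (.+)$")  # O4 registry autoruns

def parse(line):
    """Split one HijackThis line into its section code and extracted fields."""
    m = ENTRY.match(line.strip())
    if not m:
        return None
    code, rest = m.groups()
    # Notes below are this example's heuristics, not HijackThis verdicts.
    rec = {"code": code, "raw": rest, "notes": []}
    if code == "O4" and (r := RUN.match(rest)):
        rec.update(hive=r[1], key=r[2], name=r[3], command=r[4])
        if "\\" not in r[4]:
            rec["notes"].append("autorun command given without a directory")
    elif code == "O17" and "NameServer = " in rest:
        rec["nameservers"] = rest.split("NameServer = ", 1)[1].split()
        rec["notes"].append("compare resolvers with those assigned by the ISP")
    elif code == "O20" and rest.startswith("AppInit_DLLs:"):
        rec["dlls"] = rest.split(":", 1)[1].split()
        rec["notes"].append("DLL is loaded into every process that loads user32.dll")
    elif rest.endswith(("(no file)", "(file missing)")):
        rec["notes"].append("orphaned entry: target file is absent")
    return rec

def triage(lines):
    """Return only the parsed entries that carry a review note."""
    return [r for r in map(parse, lines) if r and r["notes"]]

if __name__ == "__main__":
    for r in triage(SAMPLE):
        print(r["code"], "|", r["raw"], "|", "; ".join(r["notes"]))
```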
 
Ok, I've done almost all of the above. Except that HJT was unable to fix the sfklg.dll file.

I've tried to delete that file, but I'm unable to do that, Windows won't let me.

When I rebooted in normal mode...I received an error message at startup of XP, saying that 'windows was unable to find the delus.exe file'. That file was in my C:\Documents and settings\[username]\local settings\temp folder, and at the moment it's in the recycle bin.

What do you think I should do about that?

BBow
 
Reboot in Safe Mode.
Click Start/Run and type in cmd and hit OK
Type in regsvr32 /u sfklg.dll and hit Enter, then delete it.
Empty the recycle bin.

Run HJT and post a fresh log please (as an attachment).
 
I need help removing a virus/spyware

Hello all, I am new to this site and I was wondering if someone could help me.
I was online last night and when I went to log off my computer said I was infected with a virus/spyware.
I have anti-virus protection and spyware protection that runs every week from AOL.
But I ran and scanned all, deleted all that came back, but it still says I am infected. What should I do?
 
I was so glad to find this topic on a website as I just got this EXACT same thing myself. I have tried multiple things like you and just read the post and went to restart in safe mode, then realising that my HJT wouldn't be the same as his anyway. Could anyone PLEASE help me PLEASE!!! :)
 

Attachments

  • myproblemthingy.txt
    4.3 KB · Views: 5
Move HJT to a PROPER directory, not on Desktop!
C:\Documents and Settings\Administrator\Desktop\HijackThis.exe

Boot in Safe Mode.
Switch System restore OFF, see how here.
In Windows Explorer, turn on "show all files and folders, including hidden and system". See how here.
Press Ctrl/Alt/Del simultaneously, select Task Manager/Processes, select the process (if there), click "End Process" for:

loadqm.exe

Next, run a HJT scan and place a tick-mark in the little square before (if still there):
...................................................................................................
C:\WINNT\loadqm.exe

O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O16 - DPF: {64D01C7F-810D-446E-A07E-365764235644} (AtlAtomadersCtlAttrib Class) - http://kraisoft.com/files/realone/atomaders.cab
O16 - DPF: {70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} (GSDACtl Class) - http://launch.gamespyarcade.com/software/launch/alaunch.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/suite/autocomplete.cab
O16 - DPF: {C4925E65-7A1E-11D2-8BB4-00A0C9CC72C3} (Virtools WebPlayer Class) - http://a532.g.akamai.net/f/532/6712/4h/player.virtools.com/downloads/player/Install3.0/Installer.exe
Unless these IPs are from your ISP, fix this O17
O17 - HKLM\System\CCS\Services\Tcpip\..\{A6CD8CE5-2FBD-45C8-B05D-A59FE6485108}: NameServer = 194.168.4.100 194.168.8.100
...................................................................................................
Now click on the Fix Checked button in HJT.

When done, from between the above dotted lines, delete the highlighted bold files.
Delete all files and directories from: C:\Documents and Settings\[username]\Local Settings\Temp
Repeat this for ALL [usernames].
Delete all files and directories from: C:\WINNT\Temp (except files dated from TODAY).
Boot normal.

Now go get an Antivirus program, free AVG from http://free.grisoft.com
Next, stop running W2K as Administrator, use a Username with Admin rights instead.
Next, install SP4 and do all the online Windows updates
Next, stop using IE, except for Windows-updates. Go to www.getfirefox.com and install Firefox instead.
 
lol looks like I was doing a lot wrong there. Thanks a bunch!!!

I have been having a few problems since doing this, e.g. some programs don't work, like MSN and Xfire and Windows Media Player? lol it comes up with the error message The application failed to initialize properly (0Xc0000005). click on OK to terminate the application and it only happened to a few things
 