"Warning-message-desktop-wallpaper" spyware

By kbobba · 6 replies
Mar 21, 2009
  1. Apart from the wallpaper changing to the link specified down below, symptoms include

    a. Spyware trying to send several e-mails (hundreds at the same time). But, Norton doesn't send them.
    b. Not being able to change the desktop wallpaper from Display Settings->Desktop.

    So, I have followed the instructions given in the 8-steps article to get rid of the spyware.

    I am not sure if the steps cleared my spyware. So, I am attaching my log files...

    Please help me get rid of this Spyware.

    Thanks in advance.

    Wallpaper image looked exactly like the first picture posted on this web page.


    So....please replace [dot] with dots.

  2. Bobbye

    Bobbye Helper on the Fringe Posts: 16,334   +36

    Let's see what we can do. To begin with, you have both Avira and Symantec (Norton) AV loading. I advise you to keep Avira, remove Norton:

    Use Norton Removal Tool:

    You have numerous infections in Temp files. Malwarebytes found some and removed them. SuperAntispyware found some and removed them. But some are still coming up in HijackThis:

    Download ATF (Atribune Temp File) Cleaner© by Atribune HERE and save to your desktop.

    When finished:
    Download SDFix HERE and save it to your Desktop.
    * Double click SDFix.exe and it will extract the files to %systemdrive%
    (Drive that contains the Windows Directory, typically C:\SDFix)

    Boot into Safe Mode
    * Restart your computer and start pressing the F8 key on your keyboard.
    * Select the Safe Mode option when the Windows Advanced Options menu appears, and then press ENTER.

    Run SDFix
    Then update and run a new scan with HijackThis. Attach new log and SDFix Report.

    Please resolve the 2 antivirus conflict BEFORE running the scans. https://www.techspot.com/vb/topic115941.html
  3. kbobba

    kbobba TS Rookie Topic Starter

    I will run the scan and will post you the logs.


    Here are my logs after removing Norton antivirus and running the SDFix.

    Please let me know next steps.
  4. Bobbye

    Bobbye Helper on the Fringe Posts: 16,334   +36

    Did you run the ATF (Atribune Temp File) Cleaner©? See Post #3

    After that: Remove bad HijackThis entries
    • Run HijackThis
    • Click on the System Scan Only button
    • Put a check beside all of the items listed below (if still present):
    • Close all open windows and browsers/email, etc...
    • Click on the "Fix Checked" button
    • When completed, close the application.

    Run ComboFix:
    Please download ComboFix. HERE

    Do not click on the ComboFix window, as it may cause it to stall.

    CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

    Update and run new HijackThis log. Attach ComboFix Report and HJ log.

    FYI: IBM had pre-loaded a large number of Lenovo and ThinkPad processes. You can review them in the HijackThis log. It would be in your best interest to search for each process and program, learn what it does, decide if you need/use it and if not, uninstall it.

    In the meantime, if you would like to experience a brief burst of speed, do this:

    Start> Run> msconfig> enter> Selective Startup> Startup menu> UNCHECK everything EXCEPT:
    The processes for Avira
    SynTPLpr.exe and SynTPEnh.exe (for your touchpad)
    Then click on Apply> OK and Reboot

    NOTE: when you reboot, you will get a nag message that you can ignore and close after checking 'don't show this message again.' Stay in Selective Startup.

    Some of these processes may start again because they will need to be disabled in the program itself, but this should give you some idea what your system COULD be like without unnecessary startups running in the background.
  5. kbobba

    kbobba TS Rookie Topic Starter

    I really appreciate your help for giving detailed steps. Find logs in the attachments.

    Thanks for tips on disabling ThinkPad applications. It helped a lot. Let me know next set of steps.

    BTW, I forgot to answer this. I did run ATF and Report.txt is the log from that run.

  6. kimsland

    kimsland Ex-TechSpotter Posts: 14,523

    Still exists:
    You may need to run the removal tool once more (Bobbye linked above)

    Also Malwarebytes has updated to a whole new version
    Please open Malwarebytes, select the Update tab, and update it fully (which will automatically download and install the new Malwarebytes program right over the top of the old one)

    Then once updated, also confirm Avira Antivirus is updated (I usually just right click on the Avira tray icon and select "Start Update")

    Then run a full scan with Malwarebytes again (pretty certain there are still more infections to remove) With Avira by default also protecting
    Post back with the Malwarebytes log and a fresh HJT log :)


    Also if you need to add any further info to a new reply, please use EDIT if yours is the last reply in the thread (presently not)
    I have so far Merged 5 posts by you in this thread
  7. Bobbye

    Bobbye Helper on the Fringe Posts: 16,334   +36

    23 of the "Running Processes" showing in the HijackThis log are from ThinkPad or Lenovo. Toshiba and Sony Vaio also pre-load a bunch of trash. Most people don't use many of those options and most users don't even know the processes are running or that most can be disabled! I used to think Dell was bad, until I began looking at the logs from the other manufacturers.

    Here's just one example of the trash loading:
    O4 - HKLM\..\Run: [EZEJMNAP] C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
    Good grief! No one needs a process like this starting at boot and running in the background! Even though they are legitimate programs and processes, few, if any, need to start on boot and run in the background.

    I didn't catch this. Ad-Watch needs to be temporarily disabled during the scans, so do this before running the scans kimsland has suggested:
    Those TEMP files are finally gone but the following entry needs to be handled:
    ActiveX entry: O16 in HJ log: Webex;
    If you're having trouble getting rid of Norton, check this:
    It is scheduled to do system scans. You may need to stop this in order to fully uninstall:
    Control Panel> Scheduled Tasks> Remove Norton if there.

    Please tell us if the original problems have been resolved and if there are any new problems.
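
The O4 line Bobbye quotes is one of HijackThis's autorun entries, and the thread's two concerns (files launching from Temp, and vendor preloads starting at boot) can both be read off those lines. As an added example (not part of the original thread and not HijackThis's own code), this Python sketch parses O4 Run lines from a saved log, flags any whose command line points into a temp directory, and counts entries per Program Files vendor folder. Apart from the EZEJMNAP line, the sample log and the temp-path markers are constructed assumptions.

```python
import re
from collections import Counter

# Registry autorun line in the form shown in the thread:
# O4 - HKLM\..\Run: [EZEJMNAP] C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
O4_RUN = re.compile(
    r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\(?P<key>Run\w*): "
    r"\[(?P<name>[^\]]*)\] (?P<cmd>.+)$"
)
# First folder under Program Files (long or 8.3 short name).
VENDOR = re.compile(r'\\(?:Program Files|PROGRA~1)\\([^\\"]+)\\', re.I)
# Assumed markers for "runs from a temp directory" (lowercase, long and 8.3).
TEMP_MARKERS = ("\\temp\\", "\\temporary internet files\\", "\\tempor~1\\")

# Constructed sample log; only the EZEJMNAP line comes from the thread.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {00000000-0000-0000-0000-000000000000} - (no file)
O4 - HKLM\..\Run: [EZEJMNAP] C:\PROGRA~1\ThinkPad\UTILIT~1\EzEjMnAp.Exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKCU\..\Run: [example] C:\DOCUME~1\user\LOCALS~1\Temp\example.exe
O4 - HKLM\..\Run: [example2] rundll32.exe "C:\WINDOWS\Temp\example.dll",Run
"""

def parse_o4(log_text):
    """Return one dict per O4 registry Run entry found in a HijackThis log."""
    entries = []
    for line in log_text.splitlines():
        m = O4_RUN.match(line.strip())
        if not m:
            continue  # other sections (O2, O16, ...) are skipped
        e = m.groupdict()
        # Check the whole command line so a DLL passed to rundll32 is caught too.
        low = e["cmd"].lower()
        e["from_temp"] = any(marker in low for marker in TEMP_MARKERS)
        v = VENDOR.search(e["cmd"])
        e["vendor"] = v.group(1) if v else None
        entries.append(e)
    return entries

def review(entries):
    """Return (names of entries launching from temp, entry count per vendor)."""
    temp = [e["name"] for e in entries if e["from_temp"]]
    vendors = Counter(e["vendor"] for e in entries if e["vendor"])
    return temp, vendors

if __name__ == "__main__":
    temp, vendors = review(parse_o4(SAMPLE_LOG))
    print("Autoruns from temp directories:", temp)
    print("Autoruns per vendor folder:", dict(vendors))
```

Entries flagged `from_temp` are the ones to raise with a helper first; the vendor counts only show where boot-time load comes from and say nothing about whether a program is malicious.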
Topic Status:
Not open for further replies.
