Changed Wallpaper

Secure Home | Search | About

Lost Password?

Microsoft Antivirus Discussions

get this group's latest topics as an RSS feed

add this group's latest topics to your My MSN content

add this group's latest topics to your My Yahoo content

add this group's latest topics to your Google content

Subject

Author

Date

Changed Wallpaper

James@avecsys

12-21-2005

Re: Changed Wallpaper

Malke

12-21-2005

Re: Changed Wallpaper

David H. Lipman

12-21-2005

Re: Changed Wallpaper

Matt Thompson

12-21-2005

Posted by =?Utf-8?B?SmFtZXNAYXZlY3N5cw== on December 21, 2005, 4:22 am

If you were Registered and logged in, you could reply and use other advanced thread options

I have a computer that was badly infected with spyware. I installed
Microsoft Anti-spyware and scanned it several times and it now reports that
the computer is free of spyware. However when I log on as the user who was
infected orginally, his wallpaper get changed from what is should be (you do
see the original wallpaper momentarily) to some spoof wallpaper reporting
that he is infected with spyware. When I try and
change the wallpaper by using the Display Properties form, everything seems
to be
disabled. I thought there must be a service or something similar which
gets run when the user logs on which is changing the wallpaper and disabling
the
Display properties so I ran msconfig and started the computer in safe mode.

However, it still does it. What can be changing the wallpaper everytime
the user logs on?
Note that when I log on as another user this doesn't happen. It seems to
be definitely connected to this one user's account.
Thanks
James

Posted by Malke on December 21, 2005, 7:57 am

If you were Registered and logged in, you could reply and use other advanced thread options

James@avecsys wrote:

> I have a computer that was badly infected with spyware. I installed

> Microsoft Anti-spyware and scanned it several times and it now reports

> that

> the computer is free of spyware. However when I log on as the user

> who was infected orginally, his wallpaper get changed from what is

> should be (you do see the original wallpaper momentarily) to some

> spoof wallpaper reporting

> that he is infected with spyware. When I try and

> change the wallpaper by using the Display Properties form, everything

> seems to be

> disabled. I thought there must be a service or something similar

> which gets run when the user logs on which is changing the wallpaper

> and disabling the

> Display properties so I ran msconfig and started the computer in safe

> mode.

Your computer is still not clean. There are per-user settings in each
account and that's why the issue only shows up in the one account.

I would run noahdfear's SmitFraud and SpyAxe removal tool to be sure:

http://noahdfear.geekstogo.com/click%20counter/click.php?id=8
References:
http://www.bleepingcomputer.com/forums/topic36868.html
http://malwareremoval.com/plog/index.php?op=ViewArticle&articleId=48&blogId=3

I'd also add Ad-aware and Spybot Search & Destroy to my antimalware
arsenal, update them and scan in Safe Mode. If you weren't doing your
MSAS scans in Safe Mode, you should do that also. Here are some general
malware removal steps:

http://www.elephantboycomputers.com/page2.html#Removing_Malware

And finally, here is information about removing the desktop "warning"
coming from malware. Go to the Display applet in Control Panel and look
on the Desktop tab. Click on Customize Desktop, and then click on the
Web tab. You will see that there are checkmarks next to "My Current
Home Page" and probably "Lock Desktop Items". Uncheck these. By
highlighting the "My Current Home Page" and clicking on the Properties
button, you will be able to determine the name of the file that is the
message. It might be called something like "security.html" or the like.

Click Apply and OK out when you've made your changes. Then you want to
find the *.html malware file and delete it.

If you can't enable desktop backgrounds after a virus, MVP Kelly Theriot
has a fix. Look under Wallpaper-Desktop-Disable Changing here:

http://www.kellys-korner-xp.com/xp_w.htm

If Display tabs are missing, run Kelly's registry edit on line 285,
right-hand side "Restore all display tabs".

Malke
--
Elephant Boy Computers
www.elephantboycomputers.com
"Don't Panic!"
MS-MVP Windows - Shell/User

Posted by David H. Lipman on December 21, 2005, 11:18 am

If you were Registered and logged in, you could reply and use other advanced thread options

| I have a computer that was badly infected with spyware. I installed
| Microsoft Anti-spyware and scanned it several times and it now reports that
| the computer is free of spyware. However when I log on as the user who was
| infected orginally, his wallpaper get changed from what is should be (you do
| see the original wallpaper momentarily) to some spoof wallpaper reporting
| that he is infected with spyware. When I try and
| change the wallpaper by using the Display Properties form, everything seems
| to be
| disabled. I thought there must be a service or something similar which
| gets run when the user logs on which is changing the wallpaper and disabling
| the
| Display properties so I ran msconfig and started the computer in safe mode.
|
| However, it still does it. What can be changing the wallpaper everytime
| the user logs on?
| Note that when I log on as another user this doesn't happen. It seems to
| be definitely connected to this one user's account.
| Thanks
| James

Download MULTI_AV.EXE from the URL --
http://www.ik-cs.com/programs/virtools/Multi_AV.exe

To use this utility, perform the following...
Execute; Multi_AV.exe { Note: You must use the default folder C:\AV-CLS }
Choose; Unzip
Choose; Close

Execute; C:\AV-CLS\StartMenu.BAT
{ or Double-click on 'Start Menu' in C:\AV-CLS }

NOTE: You may have to disable your software FireWall or allow WGET.EXE to go
through your
FireWall to allow it to download the needed AV vendor related files.

C:\AV-CLS\StartMenu.BAT -- { or Double-click on 'Start Menu' in C:\AV-CLS}
This will bring up the initial menu of choices and should be executed in Normal
Mode.
This way all the components can be downloaded from each AV vendor's web site.
The choices are; Sophos, Trend, McAfee, Kaspersky, Exit this menu and Reboot the
PC.

You can choose to go to each menu item and just download the needed files or you
can
download the files and perform a scan in Normal Mode. Once you have downloaded
the files
needed for each scanner you want to use, you should reboot the PC into Safe Mode
[F8 key
during boot] and re-run the menu again and choose which scanner you want to run
in Safe
Mode. It is suggested to run the scanners in both Safe Mode and Normal Mode.

When the menu is displayed hitting 'H' or 'h' will bring up a more comprehensive
PDF help
file. http://www.ik-cs.com/multi-av.htm

* * * Please report back your results * * *

--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm

Posted by Matt Thompson on December 21, 2005, 11:55 am

If you were Registered and logged in, you could reply and use other advanced thread options

The AntiPuper tool may be able to quickly and easily help remove this
problem. It doesn't change the desktop background, but should remove some of
the hijackers that change the desktop and allow you to reset your
background. There are instructions at the link:
http://forums.mcafeehelp.com/viewtopic.php?t=65072

>I have a computer that was badly infected with spyware. I installed

> Microsoft Anti-spyware and scanned it several times and it now reports

> that

> the computer is free of spyware. However when I log on as the user who

> was

> infected orginally, his wallpaper get changed from what is should be (you

> do

> see the original wallpaper momentarily) to some spoof wallpaper reporting

> that he is infected with spyware. When I try and

> change the wallpaper by using the Display Properties form, everything

> seems

> to be

> disabled. I thought there must be a service or something similar which

> gets run when the user logs on which is changing the wallpaper and

> disabling

> the

> Display properties so I ran msconfig and started the computer in safe

> mode.

> However, it still does it. What can be changing the wallpaper everytime

> the user logs on?

> Note that when I log on as another user this doesn't happen. It seems to

> be definitely connected to this one user's account.

> Thanks

> James

Similar Threads	Posted
Desktop wallpaper hijacked	March 7, 2006, 8:20 am
Port Block Allow NetBIOS changed	November 9, 2005, 8:01 pm
E-mail sender changed (probalby Virus)	September 27, 2007, 8:23 am
Problem with freezing computer and IE6 security settings being changed	September 16, 2005, 12:44 pm
McAfee Site Advisor has "changed its privacy policy"?	August 31, 2007, 4:51 am

The site map in XML format XML site map