Solved

Adware, Spyware? Red Desktop with Ad

Posted on 2005-04-06
56
Medium Priority
5,561 Views
Last Modified: 2008-01-09
Hi Techs,

I must have picked up some adware or who knows what. The system seems to be running, but my desktop is not my desktop. It has been taken over with a red background with a black box in the center. In big red letters it says DANGER SPYWARE and they want me to buy their solution for $59...I don't think so. The link is to smart-security.com

I have run Adaware several times, Norton Antivirus with updated definitions several times. I found a "UCMore" and followed the instructions on Symantec's site, but that was of no help. Even removed entries in registry as instructed and under program files etc.

I cannot right click on the desktop. It ALMOST appears that this is covering my desktop. If I go into DISPLAY thru the way of the control panel, it will not allow me to change the image. So it seems to be attacking that too.

Any idea how to get rid of this and get me back to normal?

Thanks,

Wayne

Question by:wjo
56 Comments
 
LVL 4

Expert Comment

by:gemchest
ID: 13723388
Hi wjo,

firstly, turn off your system restore.

try running housecall to detect virus and spyware first:
http://housecall.trendmicro.com

then run the following:
AdAware ==> http://www.spychecker.com/program/adaware.html
SpyBot  ==> http://www.spychecker.com/program/spybot.html
SpywareBlaster ==> http://www.spychecker.com/program/spywareblaster.html
CoolWebShredder ==> http://www.spychecker.com/program/coolwebshredder.html 

use hijack this and their analyser as well:
http://www.hijackthis.de

hope this will help

Cheers,
Luis
0
 
LVL 2

Expert Comment

by:-dev-
ID: 13723843
Try this:
Right click at the very top of the screen, click on properties....go to desktop, click on customize desktop. Find the web tab... it should have something checked that says security. Press delete and remove it then press ok and apply.
0
 
LVL 4

Expert Comment

by:FalconHawk
ID: 13724644
Microsoft Antispyware is probably best:
http://www.microsoft.com/downloads/details.aspx?FamilyID=321cd7a2-6a57-4c57-a8bd-dbf62eda9671&displaylang=en

You kinda got a funny spyware.... I never saw those using a desktop before ^^. O well...
Also download a Firewall www.Zonealarm.com (ZoneLabs is one of the best free ones). They help in blocking various irritating program tactics.

On the desktop part, what exactly do you see? Are there still pictograms on it, and do they work? Or is it just a red screen with spyware? In the last case, it might as well be a normal window, which has the right mouse disabled, and is just over your normal desktop.
0
 
LVL 27

Expert Comment

by:Tolomir
ID: 13728508
I guess this is just a fake, they have managed to activate "active desktop" to show you some web content.

Any spywarekiller like spybot search & destroy should find nothing, at least nothing it can remove.

Delete all html files in the folder: C:\WINDOWS\Web

Now: Start -> Settings-> System configuration -> Display properties

Desktop: "Change Desktop" - Select Tab WEB -> Delete all entries.

Download Firefox from Mozilla and stop messing with IE ;-)

Tolomir
0
 
LVL 27

Expert Comment

by:Tolomir
ID: 13728518
oh well

expert -dev-

found the right solution already.

Tolomir
0
 

Author Comment

by:wjo
ID: 13736049
Tolomir,

I deleted the files under C:\windows\web

But, when I go to START, there is no SETTINGS. What I have tried was to go to CONTROL PANEL->DISPLAY ->DESKTOP Tab -> CUSTOMIZE DESKTOP ->WEB   The only thing left is MY CURRENT HOME PAGE and it cannot be checked for removal.

Am I on the right track ???

What next ???

Thanks,

Wayne
0
 
LVL 27

Expert Comment

by:Tolomir
ID: 13737510
Yep you are on the right track.

After a reboot, does the "Danger spyware" appear again?

It should be gone.


Do you maybe have hidden files in your c:\windows\web directory?
0
 

Author Comment

by:wjo
ID: 13739193

It is still there after reboot. I have hidden files showing. So that shouldn't be the issue.

I am not at that system now, but I guess I need to d/l Firefox. Think that will help?

Is this something to do with Active Desktop?

The first time I ran the MS Antispyware it found a ton of stuff. I ran it again this morning and it did not find anything.
0
 
LVL 27

Expert Comment

by:Tolomir
ID: 13739358
What version of windows do you use btw?

This is for windows 98:
http://support.microsoft.com/?scid=kb%3Ben-us%3B190228&x=15&y=9

0
 
LVL 27

Expert Comment

by:Tolomir
ID: 13739439
And this is for all versions...

http://www.computerhope.com/issues/ch000593.htm

You can get firefox right here:

http://www.mozilla.org/products/firefox/

Useful extensions are right here:
https://addons.update.mozilla.org/extensions/?os=Windows&application=firefox

Nice themes like noia are here:
https://addons.update.mozilla.org/themes/?os=Windows&application=firefox


And here is some kind of afterburner:
What does FireTune do?
According to your specific computer speed and internet connection speed, FireTune will optimize several internal settings of Firefox for better performance. FireTune does NOT modify the Firefox executable, or any other Firefox binary file. Everything can be undone easily provided you saved your original profile configuration file with FireTune's profile backup feature.
http://www.totalidea.com/freestuff4.htm

Tolomir
0
 
LVL 12

Expert Comment

by:rossfingal
ID: 13739561
Hi!

Check these places where background images are loaded from:
Look for "unusual" files - "desktop.html", for instance.
%Systemroot%\Web\Wallpaper
%USERPROFILE%\My Documents\My Pictures (& sub-folders)
%AppData%\Microsoft\Internet Explorer
%ProgramFiles%\Plus!\Themes (& sub-folders)

Your OS may ignore a folder with a lot of images in it.

Yes, it might have to do with Active Desktop.

RF
0
 

Author Comment

by:wjo
ID: 13746015
I stumbled onto a bunch of image files that were the red desktop with the ad. I trashed a bunch of those.

I ran hijack and created a log. A buddy of mine looked it over and advised me what to remove. I also ran CW Shredder, MS Antispyware, Adware. Norton Antivirus etc etc etc

So the red screen is now gone, but the system still isn't the norm. I cannot right click. If I go to RUN and type DESKTOP, I can see the files and folders that reside on my desktop. BUT, in reality I cannot see them. So I still say something is hiding my actual desktop. I am getting close to a format, but really don't feel like going thru that.

I am going to bump up another 50 points.  Come on techs, I know you can do it!

Wayne

P.S. I did most of what you have all suggested. BTW, I am running Win XP Pro.
0
 
LVL 27

Expert Comment

by:Tolomir
ID: 13746296
You could create a new account, and check if this might help.

Taken from http://support.hubris.net/knowledge_base/018.html

Adding User Accounts in Windows XP

   1. Open the “User Accounts” Control Panel:
         1. Click the “Start” menu.
         2. Click “Control Panel.”
         3. Double-click the icon labeled “User Accounts.”
   2. An account called “Administrator” should already exist. It is generally recommended that you do not use the Administrator account for general daily computing. Therefore, you should create a new “Standard User” account for each person:
         1. Click the button labeled “Add.”
         2. Type in the person’s username and full name. Entering a description is optional. You can create whatever username you desire.
         3. Click “Next.”
         4. Set the account type to “Limited.”
         5. Click the button labeled “Create Account.”
         6. Repeat these steps to create all the user accounts you need.
         7. In the toolbar, click the button labeled “Home.” You should see all the accounts you created listed in this window. For each account:
               1. Click the account name.
               2. In the window that appears, click the button labeled “Create a password.“
               3. Enter your desired password. You must not lose this password! The only record is stored on your computer. If you lose it, there will be no way to recover it.
               4. You can also enter a sentence or phrase as a password hint which will help you remember your password in case you forget.
               5. Click the button labeled “Create Password.”
   3. When you are finished, log off of Windows XP.
   
--
Now you can log on as administrator and move all files from your old account to the new created account, since the new one doesn't have access to your old account since he is not in the administrator group.

Or you could temporarily give the new account administrator rights to access all old files; you should find them in c:\documents and settings\old username

If you are not using windows with an administrator account, most spyware and stuff isn't able to install itself and mess with your system. So it's best to have an administrator account for software installation and a normal user account for surfing the internet etc.

E.g. c:\windows\web can only be written to if you are using an administrator account, and if you use a web browser like Internet Explorer there are so many bugs (check http://secunia.com/product/11/); one of them allows websites to write to any directory on your hard disk. With simple user rights even the most nasty spyware has no write access to c:\windows and its subfolders.

Tolomir
0
 

Author Comment

by:wjo
ID: 13747273
Tolomir,

Tried what you mentioned above, I created the new user account. I still cannot modify desktop. When I run all of the above spyware checkers, Norton antivirus etc, I still get a ton of stuff. I went thru the hijack log and removed files as someone instructed me. Norton finds a ton of spyware, but even in safe mode it cannot remove everything.

Still puzzled,

Getting close to a format. (but still trying to avoid)

Wayne
0
 
LVL 27

Expert Comment

by:Tolomir
ID: 13747363
Can you give me the link of the hijack log (you should get that after pasting the result of the scan on that website) so I get an idea what you are dealing with, please.

I'm using spybot search & destroy - seems quite reliable.

http://www.safer-networking.org/en/index.html

The problem is, after a format you will be back here real soon, as long as you or we don't find out what happened to your computer.

Tolomir
0
 
LVL 12

Expert Comment

by:rossfingal
ID: 13747444
Hi!

Yes, please do as Tolomir suggests - one of the things that this "Desktop Hijacker"
does; it writes a lot of changes to the Registry (among other things).
Give us a LINK to your HijackThis log.
We may be able to help you deal with it through HijackThis.
Also, check to see if "Active Desktop" is enabled - if it is - uncheck it.

RF
0
 

Author Comment

by:wjo
ID: 13747456
http://www.hijackthis.de/logfiles/9331b19935184136fc93c9650ef9d06c.html

I have tried search and destroy, still no luck!
0
 
LVL 27

Expert Comment

by:Tolomir
ID: 13747655
C:\Program Files\Internet Explorer\IEXPLORE.EXE

Internet Explorer - Wir empfehlen einen sichereren alternativen Browser zu verwenden. (z.B. Firefox)

What could that mean <biggrin>

checkout ---> www.getfirefox.com

alright:

There are some not so nice programs in your c:\windows and c:\windows\system32 folder.

Use this http://www.sysinternals.com/files/autoruns.zip (use autoruns.exe)

...to prevent them from starting. Don't remove all entries; some of them, like userinit.exe and explorer, are needed to start Windows, so be careful.

But disabling all files below autostart and run should be no problem.

Reboot, now use spybot again (have you updated it, btw?)

Tolomir
0
 
LVL 12

Expert Comment

by:rossfingal
ID: 13747686
To start with -
Move HijackThis into a folder of its own - something like C:\HJT\hijackthis.exe or C:\Program Files\HJT\hijackthis.exe
You're running it from a "temp" folder - not a good idea!!

Search your computer for all of the following "exe's"
Make sure you check the dllcache, Prefetch, and "temp" folders
Delete all that you find.

O4 - HKCU\..\Run: [Dee] C:\WINDOWS\System32\Fma.exe    Unknown    Hit rate: 13 %    Unknown application.
O4 - HKCU\..\Run: [Hve] C:\WINDOWS\Gbe.exe    Unknown    Hit rate: 13 %    Unknown application.
O4 - HKCU\..\Run: [Cfg] C:\WINDOWS\Cph.exe    Unknown    Hit rate: -1 %    Unknown application.
O4 - HKCU\..\Run: [Faj] C:\WINDOWS\System32\Ecl.exe    Unknown    Hit rate: -1 %    Unknown application.
O4 - HKCU\..\Run: [Gbd] C:\WINDOWS\System32\Psj.exe    Unknown    Hit rate: -1 %    Unknown application.
O4 - HKCU\..\Run: [Rjb] C:\WINDOWS\System32\Goo.exe    Unknown    Hit rate: -1 %    Unknown application.
O4 - HKCU\..\Run: [Nik] C:\WINDOWS\System32\Ddq.exe    Unknown    Hit rate: 13 %    Unknown application.
O4 - HKCU\..\Run: [Ldh] C:\WINDOWS\System32\Kcg.exe    Unknown    Hit rate: -1 %    Unknown application.
O4 - HKCU\..\Run: [Vjb] C:\WINDOWS\Gff.exe    Unknown    Hit rate: -1 %    Unknown application.
O4 - HKCU\..\Run: [Nrr] C:\WINDOWS\Egq.exe    Unknown    Hit rate: 13 %    Unknown application.
O4 - HKCU\..\Run: [Len] C:\WINDOWS\Rou.exe    Unknown    Hit rate: 13 %    Unknown application.
O4 - HKCU\..\Run: [Qns] C:\WINDOWS\Had.exe    Unknown    Hit rate: 13 %    Unknown application.
O4 - HKCU\..\Run: [Rdr] C:\WINDOWS\Aeo.exe    Unknown    Hit rate: -1 %    Unknown application.
O4 - HKCU\..\Run: [Dgq] C:\WINDOWS\System32\Ich.exe    Unknown    Hit rate: -1 %    Unknown application.
O4 - HKCU\..\Run: [Bqc] C:\WINDOWS\System32\Aam.exe    Unknown    Hit rate: -1 %    Unknown application.
O4 - HKCU\..\Run: [Htj] C:\WINDOWS\System32\Mnn.exe    Unknown    Hit rate: -1 %    Unknown application.
O4 - HKCU\..\Run: [Kbl] C:\WINDOWS\System32\Lae.exe    Unknown    Hit rate: -1 %    Unknown application.
O4 - HKCU\..\Run: [Cnu] C:\WINDOWS\Pja.exe    Unknown    Hit rate: 13 %    Unknown application.
O4 - HKCU\..\Run: [Joa] C:\WINDOWS\Cts.exe    Unknown    Hit rate: 13 %    Unknown application.
O4 - HKCU\..\Run: [Lja] C:\WINDOWS\Ole.exe

Here's some interesting info on the last entry -"ole.exe" -
http://vil.nai.com/vil/content/v_10537.htm

Check the O16 entries - do you know what all of them are - did you add all of them?

RF
0
 
LVL 27

Expert Comment

by:Tolomir
ID: 13747804
@ rossfingal:

these programs look like malware to me. These are random filenames to cover traces.

The "autoruns" program I mentioned above, is a first start to stop them from autorunning after startup.

A program not in use can easily be deleted; a program in use only with tricks...

Tolomir
0
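The O4 Run entries listed in the thread above can be triaged mechanically before anyone starts deleting files. This is an added example, not code from any poster or from HijackThis; the two heuristics (a three-letter value name paired with an unrelated three-letter file name, and an image sitting directly in C:\WINDOWS or System32) and the last two sample lines are assumptions made here.

```python
import re
from pathlib import PureWindowsPath

# The first three lines are copied from the log excerpt in the thread; the
# last two are constructed benign entries added for contrast.
SAMPLE_LOG = r"""
O4 - HKCU\..\Run: [Dee] C:\WINDOWS\System32\Fma.exe
O4 - HKCU\..\Run: [Hve] C:\WINDOWS\Gbe.exe
O4 - HKCU\..\Run: [Lja] C:\WINDOWS\Ole.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKLM\..\Run: [ExampleTray] "C:\Program Files\Example Vendor\tray.exe" /startup
"""

# "O4 - <hive>\..\<run key>: [<value name>] <command line>"
O4_RE = re.compile(r"^O4 - (HK\w+)\\\.\.\\(\w+): \[(.*?)\] (.+)$")
# Quoted image path, or an unquoted path up to its executable extension.
IMAGE_RE = re.compile(r'^"([^"]+)"|^(.+?\.(?:exe|com|scr|bat|pif))(?=\s|$)', re.I)
# Assumed pattern for the throwaway names seen in this log: "Dee", "Fma", ...
SHORT_RANDOM = re.compile(r"^[A-Z][a-z]{2}$")
# Assumes the default Windows XP install location used throughout the thread.
SYSTEM_DIRS = {r"c:\windows", r"c:\windows\system32"}


def parse_o4(log):
    """Return (hive, run_key, value_name, image_path) for each O4 registry line."""
    entries = []
    for line in log.splitlines():
        m = O4_RE.match(line.strip())
        if not m:
            continue  # not an O4 registry autostart line
        hive, run_key, name, command = m.groups()
        img = IMAGE_RE.match(command)
        image = (img.group(1) or img.group(2)) if img else command.split()[0]
        entries.append((hive, run_key, name, image))
    return entries


def triage(entries):
    """Return (image_path, reasons) for entries that match both heuristics."""
    flagged = []
    for hive, run_key, name, image in entries:
        path = PureWindowsPath(image)
        reasons = []
        if str(path.parent).lower() in SYSTEM_DIRS:
            reasons.append("image sits directly in the Windows or System32 folder")
        if (SHORT_RANDOM.match(name) and SHORT_RANDOM.match(path.stem)
                and name != path.stem):
            reasons.append("three-letter value name and unrelated three-letter file name")
        # Require both signals: plenty of legitimate programs live in System32.
        if len(reasons) == 2:
            flagged.append((image, reasons))
    return flagged


if __name__ == "__main__":
    for image, reasons in triage(parse_o4(SAMPLE_LOG)):
        print(image)
        for reason in reasons:
            print("   -", reason)
```

A flagged entry is a candidate for manual review, not a verdict; the unflagged `ctfmon.exe` line shows why location alone is not enough.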
 
LVL 12

Expert Comment

by:rossfingal
ID: 13747840
>Tolomir
"these programs look like malware to me. These are random filenames to cover traces."
I agree!  :)
I only listed them out so that wjo could see exactly what to look for.
No problem with "Autoruns" - I use it!
Also, I would like to see that; if after removing these and a reboot -
do they "regenerate" with or without different names.
I Like "tricks"!  :)

Regards!

RF
0
 

Author Comment

by:wjo
ID: 13748238


      Y   I   K   E   S   !!!!!!!

Looks like I have my work cut out for me.

Just curious, if I was to zero out my hard drive how would these come back. Again, I prefer not to format at this time. So I will work on this tomorrow (Monday). I am on my laptop, so hopefully tomorrow I can try your updated suggestions.

Thanks,

Wayne
0
 
LVL 12

Expert Comment

by:rossfingal
ID: 13748320
Hi!

If by "zero out" you mean a "low-level" format using the utility specific to the make of your hard drive -
No - they probably wouldn't come back (fingers crossed :)

If you do attempt to remove them -
Make sure "Show all Files and Folders", including hidden and system is enabled.
Disable "System Restore" - some of this "stuff" likes to hide in there
Check in Task Manager to see if they (or anything else suspicious) are running -
stop them, then disable them.
Remember to check dllcache, Prefetch, temp folders

After you have removed them clean out all your "temp" files ( Hope you've moved HijackThis !!!)  :)

# C:\Windows\Temp - delete ALL of the CONTENTS of the folder - Not the "temp" folder itself!
# C:\Documents and Settings\<Your Profile>\Local Settings\Temporary Internet Files (all contents)
  <=This will delete all your cached internet content including cookies.
  This is recommended and strongly suggested!
    However, if you delete all your cookies - this can affect your stored Internet passwords
    and your ability to logon automatically to various sites.
    So, consider deleting all your cookies - optional
# C:\Documents and Settings\<Your Profile>\Local Settings\Temp (all contents)
# C:\Documents and Settings\<Any other users Profile>\Local Settings\Temporary Internet Files (all contents)
# C:\Documents and Settings\<Any other users Profile>\Local Settings\Temp (all contents)

Empty your "Recycle Bin".

You may want to do this in "safe" mode, as well as "normal" mode.

Good luck!
RF
0
 

Author Comment

by:wjo
ID: 13752766
I have tried removing files from folders as instructed, running all the spyware programs recommended, etc.

I ran Norton antivirus in safe mode and it showed these files. I can not find my recycle bin except Norton Protected Bin. That shows to be emptied.

It says DELETE FAIL for these files listed below.

The file C:\RECYCLER\NPROTECT\00007294 is a Adware threat.
The file C:\RECYCLER\NPROTECT\00007295 is a Adware threat
The file C:\RECYCLER\NPROTECT\00007296 is a Adware threat.
The file C:\RECYCLER\NPROTECT\00007297 is a Adware threat.
The file C:\RECYCLER\NPROTECT\00007306 is a Adware threat.
The file C:\RECYCLER\NPROTECT\00007307 is a Adware threat.
The compressed file C:/WINDOWS/System32/exdl.exe within C:\RECYCLER\NPROTECT\00005725 is a Adware threat.
The compressed file C:/WINDOWS/System32/exul.exe within C:\RECYCLER\NPROTECT\00005725 is a Adware threat.
The compressed file C:/WINDOWS/System32/javexulm.vxd within C:\RECYCLER\NPROTECT\00005725 is a Adware threat.
The compressed file C:/WINDOWS/System32/mqexdlm.srg within C:\RECYCLER\NPROTECT\00005725 is a Adware threat.
The compressed file C:/WINDOWS/System32/msexreg.exe within C:\RECYCLER\NPROTECT\00005725 is a Adware threat.

What now ? ? ?

0
 

Author Comment

by:wjo
ID: 13752797
Also, I assume Firefox is a browser that would replace IE.

The browser doesn't seem to be the issue.....or is it?

0
 

Author Comment

by:wjo
ID: 13752827
another question:   What is MSOCache ?

Is it supposed to be loaded with CAB files?
0
 
LVL 27

Expert Comment

by:Tolomir
ID: 13753097
Firefox is a decent browser, a good replacement for IE:

just check http://secunia.com/product/11/

There are a lot of ways spyware can install itself even without user interaction, just by surfing the net with IE.

---
The norton protected bin replaces the normal recycle bin, so this is no problem.

Please Use this http://www.sysinternals.com/files/autoruns.zip (use autoruns.exe)

...to prevent them from starting. Don't remove all entries; some of them, like userinit.exe and explorer, are needed to start Windows, so be careful.

But disabling all files below autostart and run should be no problem.

Reboot, now use spybot again, if possible in Windows safe mode (have you updated it, btw?)
0
 

Author Comment

by:wjo
ID: 13755795
I did update spybot.

I did do the autoruns  and disabled all but IE & userinit. I left those running.

My system is running. Seems to be running fairly normal, but I still can't get rid of everything. If I run spybot it says there are files in memory and asks if it can run again after reboot. I say yes. I reboot, it runs and does the same loop.

The main thing I still notice is, not my normal desktop, and the mouse will still not work on the right click.

(so sad)   :(

0
 
LVL 27

Expert Comment

by:Tolomir
ID: 13757000
What about spybot in safe mode?

Can you locate those files in memory, are they named?

You should prepare a backup to save all important files (no exe of course ;-)

Well, I'm running a bit out of options. You could give us an update on HijackThis: what files are still detected?

Tolomir
0
 

Author Comment

by:wjo
ID: 13771055
Search & Destroy keeps finding these two entries. It cannot delete them even if I OK it to run on next startup and also in safe mode.
Can I delete the WinTools folder in the registry (or even the files listed under it?)


HuntBar: Settings (Registry key, fixing failed)
  HKEY_USERS\S-1-5-18\Software\WinTools

HuntBar: Settings (Registry key, fixing failed)
  HKEY_USERS\.DEFAULT\Software\WinTools




--- Spybot - Search && Destroy version: 1.3  ---
2005-03-03 Includes\Cookies.sbi
2005-04-07 Includes\Dialer.sbi
2005-04-07 Includes\Hijackers.sbi
2005-03-22 Includes\Keyloggers.sbi
2004-11-29 Includes\LSP.sbi
2005-04-07 Includes\Malware.sbi
2005-03-17 Includes\PUPS.sbi
2005-03-17 Includes\Revision.sbi
2005-02-09 Includes\Security.sbi
2005-04-07 Includes\Spybots.sbi
2005-02-17 Includes\Tracks.uti
2005-04-07 Includes\Trojans.sbi
0
 
LVL 27

Expert Comment

by:Tolomir
ID: 13771189
You could start regedit

go to these key entries.

Select the 1st, click on the right mouse button

Below "Export" there should be "Permissions" remove all permissions (for any users)

Same procedure with 2nd key.

This way those keys are blocked, windows is not able to get access by itself. You could delete them later or simply forget them.

Tolomir





0
 
LVL 27

Expert Comment

by:Tolomir
ID: 13771267
When it says those permissions cannot be deleted because they're taken from parent (something like that)

go to Advanced and UNCHECK the mark in the box: Inherit from parent the permission entries that apply to child objects. Include these with entries explicitly defined here.

It will ask you if it should copy or remove the inherited permissions.

Select remove.

Do this for both keys.

Tolomir
0
 

Author Comment

by:wjo
ID: 13802618
Tolomir,

Sorry, I do not understand your last comment. I DO see the Parent and the child listings. I tried to remove each one separately, but it will not allow me to remove. I might be doing something incorrectly here ???????????????????



let me add this.....

If I go to RUN and type DESKTOP I can see the original icons on my desktop


If I go thru Windows Explorer I can only see new icons that have been added.

Wayne
0
 
LVL 27

Expert Comment

by:Tolomir
ID: 13804255
Please check this page:

http://support.microsoft.com/default.aspx?scid=kb;en-us;308418&sd=tech

How inheritance affects file and folder permissions
After you set permissions on a parent folder, new files and subfolders that are created in the folder inherit these permissions. If you do not want the files and folders to inherit permissions, click This folder only in the Apply onto box when you set up special permissions for the parent folder. If you want to prevent only certain files or subfolders from inheriting permissions, follow these steps:
1.      Right-click the file or subfolder.
2.      Click Properties.
3.      Click the Security tab.
4.      Click Advanced.
5.      Clear the Inherit from parent the permission entries that apply to child objects. Include these with entries explicitly defined here check box.
0
 

Author Comment

by:wjo
ID: 13805786
I removed the two entries that Search & Destroy showed.

After I removed the files, I ran the following.
Search & Destroy
CWShredder
MS Antispyware

They all come up clean. I could leave things as is, but it is difficult sometimes when I need to use the RIGHT-CLICK and it will not allow me. I know my old desktop exists somewhere. As I mentioned, if I go RUN -> DESKTOP all my desktop items appear. But I cannot see these items on my actual desktop. (Sorry...I keep repeating myself)

Any advice to that?

Thanks,

Wayne
0
 
LVL 27

Expert Comment

by:Tolomir
ID: 13806039
Sorry I had no idea how to enable your desktop items, but now I found something:

Please check if this is set in the registry:

 HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDesktop REG_DWORD:1

If possible set it to 0

---
You might also try this:

If you want to unhide desktop items in XP, right click on the desktop and select Arrange Icons By | Show Items on desktop.

---
Tolomir
0
 

Author Comment

by:wjo
ID: 13811782
I had these strings:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\

with these listings:   ForceActiveDesktopOn   and NoActiveDesktop    I changed them to zero. But no help.

The second comment you suggested I cannot do...no right click  .....<so sad>   :(


Seems we have reached a dead end. It appears the spyware has been cleaned up, but have not resolved the desktop issue. I will give you the points Tolomir for sticking with me thru this. Do you suggest I try the OS or Windows area of EE to see if I can resolve the desktop issue?

Wayne
0
 
LVL 27

Expert Comment

by:Tolomir
ID: 13813262
I never had an idea how annoying that spyware was.

Here I have found a solution for your mouse problem:

http://www.geekstogo.com/forum/Desktop_Spyware_Danger_Warning-t15165-s15.html

(don't have much time right now, sorry)

You should download Microsoft Antispyware; it stays resident in memory and protects you.

http://www.microsoft.com/athome/security/spyware/software/default.mspx

Tolomir
0
 

Author Comment

by:wjo
ID: 13830340
Tolomir,

I downloaded the file you suggested. But it would not merge.
Another thing is, when I d/l to my desktop, duplicate icons get created.

Wayne
0
 
LVL 27

Expert Comment

by:Tolomir
ID: 13831306
There are 2 files.

1. is background.zip, it must be unpacked before use and contains this file: background.reg

here is the content:

----(you could copy & paste it to a textfile,save it, rename it  to yourchoice.reg, double click on it, see no reason why it should not merge.)
You can open regedit.exe, can't you?----



REGEDIT4

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Desktop]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Desktop\General]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ActiveDesktop]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"ClassicShell"=-

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"ForceActiveDesktopOn"=-

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoViewContextMenu"=-

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"Wallpaper"=-

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer]
"NoViewContextMenu"=-

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoActiveDesktop"=-

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop"="%USERPROFILE%\\Desktop"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders]
"Custom Desktop"=-

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders]
"Desktop"=hex(2):25,55,53,45,52,50,52,4f,46,49,4c,45,25,5c,44,65,73,6b,74,6f,\
  70,00

[HKEY_CURRENT_USER\Control Panel\desktop]
"ConvertedWallpaper"="C:\\WINDOWS\\Web\\Wallpaper\\Windows XP.jpg"
"ConvertedWallpaper Last WriteTime"=hex:00,88,40,84,d3,2b,c1,01
"OriginalWallpaper"="%USERPROFILE%\\Application Data\\Microsoft\\Wallpaper1.bmp"
"Wallpaper"="%USERPROFILE%\\Application Data\\Microsoft\\Wallpaper1.bmp"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders]
"Common Desktop"=hex(2):25,00,41,00,4c,00,4c,00,55,00,53,00,45,00,52,00,53,00,\
  50,00,52,00,4f,00,46,00,49,00,4c,00,45,00,25,00,5c,00,44,00,65,00,73,00,6b,\
  00,74,00,6f,00,70,00,00,00

[HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders]
"Desktop"=hex(2):25,55,53,45,52,50,52,4f,46,49,4c,45,25,5c,44,65,73,6b,74,6f,\
  70,00

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders]
"Desktop"=hex(2):25,00,55,00,53,00,45,00,52,00,50,00,52,00,4f,00,46,00,49,00,\
  4c,00,45,00,25,00,5c,00,44,00,65,00,73,00,6b,00,74,00,6f,00,70,00,00,00

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\General]
"ComponentsPositioned"=dword:00000001
"TileWallpaper"="0"
"WallpaperStyle"="2"
"Wallpaper"=hex(2):25,41,50,50,44,41,54,41,25,5c,4d,69,63,72,6f,73,6f,66,74,5c,\
  57,61,6c,6c,70,61,70,65,72,31,2e,62,6d,70,00
"BackupWallpaper"=hex(2):25,41,50,50,44,41,54,41,25,5c,4d,69,63,72,6f,73,6f,66,\
  74,5c,57,61,6c,6c,70,61,70,65,72,31,2e,62,6d,70,00
"WallpaperFileTime"=hex:00,77,28,0a,07,2e,c5,01
"WallpaperLocalFileTime"=hex:00,37,05,fc,c3,2d,c5,01

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\SafeMode\General]
"Wallpaper"="C:\\WINDOWS\\Web\\SafeMode.htt"
"VisitGallery"=dword:00000000

----
Here is the right mouse button problem: same procedure, copy& paste it to an empty textfile, save it, rename it to your2ndchoice.reg, double click on it voila:---
---

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer]
"NoViewContextMenu"=dword:00000000

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoViewContextMenu"=dword:00000000

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoSetTaskbar"=dword:00000000

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoSaveSettings"=dword:00000000

---

You could monitor with http://www.sysinternals.com/ntw2k/source/regmon.shtml

...Regmon is a Registry monitoring utility that will show you which applications are accessing your Registry, which keys they are accessing, and the Registry data that they are reading and writing - all in real-time. ...

http://www.sysinternals.com/files/ntregmon.zip

what happens to your registry while merging the settings.

Hope that helps.

Tolomir
0
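Before importing a .reg file copied from a forum post, it helps to list exactly what it will do: which keys it deletes, which values it removes, and what the `hex(2)` blobs decode to. The following is an added example, not part of the original post; the sample is a condensed excerpt of the file above, and the ANSI versus UTF-16 detection is a heuristic assumed here.

```python
import re

# Condensed excerpt of the .reg text posted above (values copied from the thread).
SAMPLE_REG = r"""REGEDIT4

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Desktop]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoViewContextMenu"=-
"ForceActiveDesktopOn"=-

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders]
"Desktop"=hex(2):25,55,53,45,52,50,52,4f,46,49,4c,45,25,5c,44,65,73,6b,74,6f,\
  70,00

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders]
"Desktop"=hex(2):25,00,55,00,53,00,45,00,52,00,50,00,52,00,4f,00,46,00,49,00,\
  4c,00,45,00,25,00,5c,00,44,00,65,00,73,00,6b,00,74,00,6f,00,70,00,00,00

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\General]
"ComponentsPositioned"=dword:00000001
"WallpaperStyle"="2"
"""

# "name"=data  or  @=data (the key's default value)
VALUE_RE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|@)=(.*)$')


def logical_lines(text):
    """Yield stripped lines, joining hex data continued with a trailing backslash."""
    buf = ""
    for raw in text.splitlines():
        line = raw.strip()
        if line.endswith("\\") and "=hex" in buf + line:
            buf += line[:-1]
            continue
        yield buf + line
        buf = ""


def decode_hex_string(hexcsv):
    """Decode hex(2) bytes to text. Heuristic: every second byte NUL => UTF-16LE."""
    data = bytes(int(b, 16) for b in hexcsv.split(",") if b.strip())
    if len(data) >= 2 and len(data) % 2 == 0 and not any(data[1::2]):
        text = data.decode("utf-16-le")
    else:
        text = data.decode("latin-1")
    return text.rstrip("\x00")


def summarize_reg(text):
    """Return (action, key, value_name, data) tuples in file order."""
    ops, key = [], None
    for line in logical_lines(text):
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            inner = line[1:-1]
            if inner.startswith("-"):          # [-KEY] deletes the key and its subkeys
                ops.append(("delete_key", inner[1:], None, None))
                key = None
            else:
                key = inner
            continue
        m = VALUE_RE.match(line)
        if not m or key is None:
            continue                           # file header or unrelated text
        name = m.group(1) if m.group(1) is not None else "(Default)"
        data = m.group(2).strip()
        if data == "-":                        # "name"=- deletes just that value
            ops.append(("delete_value", key, name, None))
        elif data.startswith("dword:"):
            ops.append(("set", key, name, int(data[6:], 16)))
        elif data.startswith("hex(2):"):
            ops.append(("set", key, name, decode_hex_string(data[7:])))
        elif data.startswith('"') and data.endswith('"'):
            ops.append(("set", key, name,
                        data[1:-1].replace("\\\\", "\\").replace('\\"', '"')))
        else:
            ops.append(("set", key, name, data))  # other types are kept raw
    return ops


if __name__ == "__main__":
    for action, key, name, data in summarize_reg(SAMPLE_REG):
        print(f"{action:13} {key}" + (f" :: {name}" if name else "")
              + (f" = {data!r}" if action == "set" else ""))
```

The summary makes the scope visible at a glance: one key deletion under Internet Explorer\Desktop, two policy values removed, and the rest plain value writes.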
 

Author Comment

by:wjo
ID: 13863853
I did as you suggested, I saved into notepad, saved as regtest.reg and saved to desktop. The icon is a registry icon on desktop. When I double click I get an error, something to this effect ..........The file does not have program associated with it for performing the action. Create an association in the Folders Option control panel

So I checked the folder options and the reg extension is associated with registration files

Yes I can open regedit. If I were to open REGEDIT and IMPORT this file would that delete my registry?

Wayne
0
 
LVL 12

Expert Comment

by:rossfingal
ID: 13864039
No, it will not delete your "Registry" -
Tolomir is just trying to give you a registry fix to use -
and it might work.
Right-click on it and choose "Merge" -
don't think it will hurt anything -
Back up your "Registry" if you're concerned.
RfF
0
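Added example (not part of the thread and not any poster's code): a small Python parser that lists what a .reg file would do on import, so any deletions can be spotted before merging it. The sample is constructed from the four policy values in the fix posted above plus two constructed deletion lines; the key names ConstructedExampleKey and ConstructedExampleKey2 are hypothetical.

```python
import re

# Constructed sample: the four policy values from the fix in this thread,
# followed by two constructed deletion lines (hypothetical key names).
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer]
"NoViewContextMenu"=dword:00000000

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoViewContextMenu"=dword:00000000
"NoSetTaskbar"=dword:00000000
"NoSaveSettings"=dword:00000000

[-HKEY_CURRENT_USER\Software\ConstructedExampleKey]
[HKEY_CURRENT_USER\Software\ConstructedExampleKey2]
"OldValue"=-
'''

VALUE_RE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')

def parse_reg(text):
    """Return the (action, key, value_name, data) operations an import would perform."""
    ops, key = [], None
    # Long hex data is split across lines with a trailing backslash; rejoin it.
    joined = re.sub(r'\\\r?\n\s*', '', text)
    for line in joined.splitlines():
        line = line.strip()
        if not line or line.startswith((';', 'Windows Registry Editor', 'REGEDIT4')):
            continue  # blank line, comment or file header
        if line.startswith('[-') and line.endswith(']'):
            key = None  # "[-KEY]" removes the whole key and its subkeys
            ops.append(('delete-key', line[2:-1], None, None))
        elif line.startswith('[') and line.endswith(']'):
            key = line[1:-1]
        elif key and (m := VALUE_RE.match(line)):
            name = '(Default)' if m.group(1) == '@' else m.group(1)[1:-1]
            data = m.group(2)
            if data == '-':  # "name"=- removes a single value
                ops.append(('delete-value', key, name, None))
            elif data.lower().startswith('dword:'):
                ops.append(('set', key, name, int(data[6:], 16)))
            else:  # strings and hex data are kept as written
                ops.append(('set', key, name, data))
    return ops

def deletions(ops):
    """Operations that remove something; an empty list means the file only sets values."""
    return [op for op in ops if op[0].startswith('delete')]
```

Run `parse_reg` on the text of the saved .reg file and check `deletions` on the result; for the fix posted in this thread, without the two constructed lines, that list is empty.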
 

Author Comment

by:wjo
ID: 13864079
PLEEEEEASE note. Right-click does not work. That is one of the issues

Thanks,

Wayne
0
 
LVL 27

Expert Comment

by:Tolomir
ID: 13864564
A simple doubleclick should be ok, since Merge is the default action.

Tolomir
0
 

Author Comment

by:wjo
ID: 13866709
Double-click gives this error msg:

The file does not have program associated with it for performing the action. Create an association in the Folders Option control panel

So I checked the folder options and the reg extension is associated with registration files
0
 
LVL 27

Expert Comment

by:Tolomir
ID: 13866987
Can you start regedit?

Maybe here is the problem...

0
 
LVL 27

Expert Comment

by:Tolomir
ID: 13867010
ah, ok:

Do exactly this, with regtest.reg:
Yes I can open regedit. If I were to open REGEDIT and IMPORT this file ....

Tolomir

0
 
LVL 12

Expert Comment

by:rossfingal
ID: 13867078
Hi!

Sorry about the right-click confusion above! (my computer default is edit)  :)
If Regedit is not working - try this:
http://www.dougknox.com/xp/utils/xp_emerutils.htm

RF
0
 

Author Comment

by:wjo
ID: 13881251
Tolomir,

Can you repeat your last comment? I do not understand.

Ross,

My regedit seems to be working. I can access regedit

0
 
LVL 27

Accepted Solution

by:
Tolomir earned 700 total points
ID: 13883229
I said: open regedit, import the file via:

file -> import -> regtest.reg (the text file containing the suggested modifications)

Tolomir
0
 

Author Comment

by:wjo
ID: 13894316
Tolomir,

Guess what.....that seemed to do the trick. Looks like my desktop is back, I CAN again right click. I have to run now...off to work, but I will check in with you tomorrow. Let me see if all else is working properly.

Thank you,

Wayne

0
 

Author Comment

by:wjo
ID: 13902695
Tolomir,

I haven't spent too much time on my system since your last submission. But it appears to be working fine (maybe I shouldn't say that so loud). Anyway, you have spent a lot of time on this with me and I am going to give you 225 points. I also want to say "Thank You Very Much". It looks like that last comment from you did the trick and brought my desktop back to normal and my right click is now again in working order.

It saved me a format, probably a low level one, and all the hassle of reinstalling software.

Again, Thank you,

Wayne

P.S. Thanks to all the other Experts who tried to assist.
0
 

Author Comment

by:wjo
ID: 13902704
Tolomir,

Please let me know if you got the 225 points. If not, let me know how I can add the additional points.

Thanks,

Wayne
0
 
LVL 27

Expert Comment

by:Tolomir
ID: 13903897
Thank you,

Actually I got 700 points, since a mark of A quadruples the given points.

I suggest you install this Microsoft antispyware tool: http://www.microsoft.com/athome/security/spyware/software/default.mspx

and might consider using a different web browser like Firefox.

www.getfirefox.com

This helps a lot to keep your system clean.

Tolomir
0
 

Author Comment

by:wjo
ID: 13903910
Tolomir,

Actually I had installed MS Anti Spyware when we first started with this issue.

I will d/l firefox now that the system seems to be in order.

As I mentioned, I was trying to increase the points, but it seems like you got 175 instead of 225. If you can tell me how to transfer the other 50 points, I guess that will give you 200 more (50 quadrupled)

Let me know,

Thanks, Wayne

P.S. Off to d/l firefox!
0
 
LVL 27

Expert Comment

by:Tolomir
ID: 13904406
Alright, here are some useful extensions:

https://addons.update.mozilla.org/extensions/?application=firefox

You can try a lot, but don't expect firefox to run fast after that...

Great is:

Adblock (right mouse click on image, choose "Adblock Image", you won't see it again...)
Flashblock (play flash on demand, it's no complete block)
FlashGot (An extension to use up to 20 different download managers even in Firefox, I use net transport from http://www.xi-soft.com/default.htm )
Linkification: double-click on any text URL, https://addons.update.mozilla.org/extensions/moreinfo.php?id=190
Googlebar (Special Firefox version) https://addons.update.mozilla.org/extensions/moreinfo.php?id=190

For help (especially after using IE -> click on the Help menu entry in Firefox)

To speed up Firefox a bit use FireTune: http://www.totalidea.com/freestuff4.htm
According to your specific computer speed and internet connection speed, FireTune will optimize several internal settings of Firefox for better performance. FireTune does NOT modify the Firefox executable, or any other Firefox binary file. Everything can be undone easily provided you saved your original profile configuration file with FireTune's profile backup feature before.

Tolomir

0
