Archived from groups: microsoft.public.windowsxp.security_admin
Malke,
I have run the AV in Safe Mode as well as Ad-aware and Spybot with
no luck. I will try the other tools that you recommended to see if there is
any luck.
If you think of anything else, please let me know.
Thanks
"Malke" wrote:
> it's me wrote:
>
> > Hi you all,
> > I have something running on my network; it's getting on my nerves. I
> > have XP with SP2 and all the updates as well as Win 2000 with all the
> > patches. The affected computer has its background changed to a porno
> > BMP file dropped in the system32 directory (by the way, the users
> > logged onto the system cannot write to the sys32dir), and it changes
> > the reg key HKCU\current\Control Panel\Desktop\Wallpaper\???.bmp.
> > On some computers it turns off the DHCP service and the DNS service.
> > It seems to do no other harm.
> > I have run Norton, Trend, Panda, Ad-aware, and Spybot and it has not
> > found anything.
> > Have you ever seen something like this?
> > Please help?
>
> You've been hijacked. You need to take down the network and clean each
> machine thoroughly with updated tools in Safe Mode. Get tools and
> updates from a different, unrelated known-clean computer with a good
> Internet connection and a cd burner. Do not reconnect your network
> until both machines are 100% clean. Here are removal steps:
>
> 1) Scan in Safe Mode with current version (not earlier than 2003)
> antivirus using updated definitions.
>
> 2) Remove spyware with Spybot Search & Destroy and Ad-aware. These
> programs are free, so use them both since they complement each other.
> There is a new version of CWShredder from Intermute. I would not
> install the other Intermute programs, however. Alternately, there are
> CoolWebSearch malware removal steps at SilentRunners.
>
> Be sure to update these programs before running, and it is a good idea
> to do virus/spyware scans in Safe Mode. Make sure you are able to see
> all hidden files and extensions (View tab in Folder Options).
>
> HijackThis is an excellent tool to discover and disable hijackers, but
> it requires expert skill. See below for HijackThis links. A combination
> of HijackThis and About:Buster works well in removing the About:Blank
> homepage hijacker. Again, this is an expert tool and novices should get
> help with it.
>
> 3) If you are running Windows ME or XP, you should disable/enable System
> Restore because malware will be in the Restore Points. With ME, you
> must disable System Restore completely. With XP, you can delete all but
> the most recent (presumably clean) System Restore point from the More
> Options section of Disk Cleanup (Run>cleanmgr).
>
> 4) Make sure you've visited Windows Update and applied all security
> patches. Do not install driver updates from Windows Update.
>
> 5) Run a firewall.
>
> Links to help with malware:
>
> Software/Methods:
>
> http://www.safer-networking.org - Spybot Search & Destroy
> http://www.lavasoftusa.com - Ad-aware
> http://www.majorgeeks.com - good download site
> http://www.intermute.com/spysubtract/cwshredder_download.html
> http://www.silentrunners.org/sr_cwsremoval.html. - SilentRunners
>
> HijackThis:
>
> http://www.aumha.org/a/hjttutor.htm - HijackThis tutorial by Jim Eshelman
> http://spywarewarrior.com/viewforum.php?f=5 - Spyware Warrior HijackThis forum
> http://www.wilderssecurity.com/
> http://forums.tomcoyote.org/
> http://www.spywareinfo.com/forums/
>
> General:
>
> http://forum.aumha.org/ - look under "Security" for various forums
> http://rgharper.mvps.org/cleanit.htm
> http://mvps.org/winhelp2002/unwanted.htm
> http://www.aumha.org/a/parasite.htm - The Parasite Fight
> http://www.spywarewarrior.com/rogue_anti-spyware.htm
>
> Malke
> --
> MS MVP - Windows Shell/User
> Elephant Boy Computers
> www.elephantboycomputers.com
> "Don't Panic!"
>