Home > IT Answers > Security > picture on desktop that cannot be removed
Help

Question

  Asked: Jun 1 2007   0:41 AM GMT
  Asked by: kees1948

picture on desktop that cannot be removed


Current threats, Viruses, worms, Hacking, Spyware, Trojans, backdoors, human factors

Don't know if this is the right place, but cannot find an answer elsewhere.

Using Windows XP media centre edition with SP2. belongs to a Lao woman in the office. Displays a picture of a naked woman on the desktop which can not be moved. causes great embarrassment.

Found it in screensavers, named 'sex picture.scr' stored in Windows. described as AutoCAD file.Unlocked Windows from read only, wiped it, it came straight back. searched for other files on download date (July 3 2006) two other files, same size 50K named .VirusUpdate' and Virus Scan

Each time I delete them they come back. ran various virus scan programs who declare my system healthy.

Help

Subscribe to Alerts! Get questions and answers delivered to your Inbox.


E-mail me updates on this question



   SUBSCRIBE

hidden modal window
Help

Answer Wiki (Improve, edit or add to this answer)

IMPROVE THIS ANSWER
View History
 RATE THIS ANSWER
0
Click to Vote:
  •   0
  •  0
Last Answered: Jun 1 2007  1:51 AM GMT  by bobkberg




You (or actually the Lao lady) have been bitten by one of those two-part pests similar in spirit to "about:blank", where the infection itself (naked pic in this case) can be found, but not the actual source which sits quietly in the background, and does nothing EXCEPT reinstall the pest whenever it notices that it's missing.

First step would be to get copies of HijackThis, and Autoruns (Sysinternals utilities - now on Microsoft TechNet's web site), and perform a full scan of the system with each of them. Use the option to ignore Microsoft-digitally-signed files to cut down on what all you have to examine.

For every service, DLL, exe, etc. remaining in the list, look it up (with a details view) and check the time/date stamp for created, modified, and accessed. The file you're interested in should be opened with NOTEPAD (or a hex editor) to see if it references the file in question inside itself.

Also, show the Windows, System, and System32 directories with details showing, and look for any DLLs that have inappropriate date stamps on them (usually similar to the infection date stamp, but not always). Rename them to xxxxx.dll.old and reboot to see if the problem goes away.

You can also get regmon and filemon from the same site, and see if you can trap the event that installs the unwanted file, but that's more labor intensive and should be reserved in case the first method fails.

Write back if you need more assistance. I've uncovered and cleaned many similar pests over the last several years.

In fact, I ought to write a paper on the subject.

Bob
  • AddThis Social Bookmark Button

Browse more Questions and Answers on Security.

Looking for relevant Security Whitepapers? Visit the SearchSecurity.com Research Library.


RSS - Discussions Help

Discuss This Answer


You must be logged-in to discuss a question. Log-in/Register

this213  |   Jun 11 2007  12:34AM GMT

Bob’s solution does fix the problem, but does nothing from stopping it from happening again.

Download and run SpyBot S&D, get the updates, immunize scan your system, fix the problems, reboot. Open Spybot again (if it doesn’t start up automatically) and go to Tools > Startup, uncheck anything that shouldn’t be running (this includes all the proprietary stuff like qttask and jusched that don’t need to be running all the time), from here you can also stop the offending app from starting if it wasn’t removed. Once done, go to Resident and make sure Teatimer is running which will force the user to OK any registry changes in the future (you can actually set this option during the initial run after you install spybot). Granted however, the user is going to have to be smart enough to not allow malware to write to the registry.

Another thing your friend should be doing is running as a user without write permissions to the Windows directory.

 

bobkberg  |   Jun 11 2007  12:57AM GMT

Key point that you may have missed in your search for the culprit. It’s very easy to get focused on the visible problem. (Been there, done that - and sometimes STILL do that)

Remember that this is a two-part nuisance. The second part is very quiet and not generally detected by anti-spyware or anti-virus. The only thing it does is to re-install the pest.

Open a command prompt, and click on the “C:” icon on the upper left and select properties. When that window opens, select the “Layout” folder tab, and set the Width to 200 and Rows to 9999 (as large as possible)

When you OK, select the “Save properties…” option

CD to the root directory (”cd “) and then then perform (in series) “dir *.dll /s /od”.

This will look for DLLs in all directories, and then sort them by date.

Alternately, you can do “Start -> Search”l and then search for all files…. and look for *.dll, and select a date before the first appearance of the problem.

Nailing down this sort of problem is NOT trivial, but it IS within your reach. You just have to stay focused on the real objective. I speak from countless hours of experience in trying to track these things down, and getting sidetracked by what appeared to be the problem - and then losing track of my actual goal.

If you still have problems, contact me privately, and I’ll try to help that way.

Bob