picture on desktop that cannot be removed

pts.
Tags:
backdoors
Current threats
Hacking
human factors
Spyware
Trojans
Viruses
worms
Don't know if this is the right place, but cannot find an answer elsewhere. Using Windows XP media centre edition with SP2. belongs to a Lao woman in the office. Displays a picture of a naked woman on the desktop which can not be moved. causes great embarrassment. Found it in screensavers, named 'sex picture.scr' stored in Windows. described as AutoCAD file.Unlocked Windows from read only, wiped it, it came straight back. searched for other files on download date (July 3 2006) two other files, same size 50K named .VirusUpdate' and Virus Scan Each time I delete them they come back. ran various virus scan programs who declare my system healthy. Help

Answer Wiki

Thanks. We'll let you know when a new response is added.

You (or actually the Lao lady) have been bitten by one of those two-part pests similar in spirit to “about:blank”, where the infection itself (naked pic in this case) can be found, but not the actual source which sits quietly in the background, and does nothing EXCEPT reinstall the pest whenever it notices that it’s missing.

First step would be to get copies of HijackThis, and Autoruns (Sysinternals utilities – now on Microsoft TechNet’s web site), and perform a full scan of the system with each of them. Use the option to ignore Microsoft-digitally-signed files to cut down on what all you have to examine.

For every service, DLL, exe, etc. remaining in the list, look it up (with a details view) and check the time/date stamp for created, modified, and accessed. The file you’re interested in should be opened with NOTEPAD (or a hex editor) to see if it references the file in question inside itself.

Also, show the Windows, System, and System32 directories with details showing, and look for any DLLs that have inappropriate date stamps on them (usually similar to the infection date stamp, but not always). Rename them to xxxxx.dll.old and reboot to see if the problem goes away.

You can also get regmon and filemon from the same site, and see if you can trap the event that installs the unwanted file, but that’s more labor intensive and should be reserved in case the first method fails.

Write back if you need more assistance. I’ve uncovered and cleaned many similar pests over the last several years.

In fact, I ought to write a paper on the subject.

Bob

Discuss This Question: 2  Replies

 
There was an error processing your information. Please try again later.
Thanks. We'll let you know when a new response is added.
Send me notifications when members answer or reply to this question.

REGISTER or login:

Forgot Password?
By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy
  • This213
    Bob's solution does fix the problem, but does nothing from stopping it from happening again. Download and run SpyBot S&D, get the updates, immunize scan your system, fix the problems, reboot. Open Spybot again (if it doesn't start up automatically) and go to Tools > Startup, uncheck anything that shouldn't be running (this includes all the proprietary stuff like qttask and jusched that don't need to be running all the time), from here you can also stop the offending app from starting if it wasn't removed. Once done, go to Resident and make sure Teatimer is running which will force the user to OK any registry changes in the future (you can actually set this option during the initial run after you install spybot). Granted however, the user is going to have to be smart enough to not allow malware to write to the registry. Another thing your friend should be doing is running as a user without write permissions to the Windows directory.
    0 pointsBadges:
    report
  • Bobkberg
    Key point that you may have missed in your search for the culprit. It's very easy to get focused on the visible problem. (Been there, done that - and sometimes STILL do that) Remember that this is a two-part nuisance. The second part is very quiet and not generally detected by anti-spyware or anti-virus. The only thing it does is to re-install the pest. Open a command prompt, and click on the "C:" icon on the upper left and select properties. When that window opens, select the "Layout" folder tab, and set the Width to 200 and Rows to 9999 (as large as possible) When you OK, select the "Save properties..." option CD to the root directory ("cd ") and then then perform (in series) "dir *.dll /s /od". This will look for DLLs in all directories, and then sort them by date. Alternately, you can do "Start -> Search"l and then search for all files.... and look for *.dll, and select a date before the first appearance of the problem. Nailing down this sort of problem is NOT trivial, but it IS within your reach. You just have to stay focused on the real objective. I speak from countless hours of experience in trying to track these things down, and getting sidetracked by what appeared to be the problem - and then losing track of my actual goal. If you still have problems, contact me privately, and I'll try to help that way. Bob
    1,070 pointsBadges:
    report

Forgot Password

No problem! Submit your e-mail address below. We'll send you an e-mail containing your password.

Your password has been sent to:

To follow this tag...

There was an error processing your information. Please try again later.

REGISTER or login:

Forgot Password?
By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy

Thanks! We'll email you when relevant content is added and updated.

Following