and now I can't change it back... I've run the proper anti-spyware software after being infected with spyware. Everything seems to be back to normal except that my desktop reads: SPYWARE INFECTION on a blue desktop. I've gone into properties and tried changing my desktop but it's locked so that I can't change my desktop... any idea?
Does it look like the photo I uploaded? If so, you have one of the new Win XP exploits. Most if not all antivirus makers should have definitions for it by now but if you already have the exploit, I'm not sure if you can get updated?
If you can't update your antivirus, try downloading Dr Web CureIT and running it. After you start it, go into the Options and turn off the heuristics detection. Then let it scan all of your PC.
That's exactly what it looks like. I've downloaded and am running a scan on C: w/ Dr. Web [with heuristic detection off]. It looks like it will take a while so I will get back to you. Thanks again :]
Okay, I ran the scan and it found a few objects and deleted them, but my desktop remains locked as the blue screen you showed me. Is there something I'm missing?
Craze221: This is not looking good. I have looked at tons of places of how to get rid of the .wmf exploit and cannot find any. I posted the question over at dslreports (at the .wmf exploit thread) and they say there is no recovery. One has to wipe the drive and start fresh. http://www.dslreports.com/forum/rema...9~start=80#end
I will keep looking but so far, this thing looks as bad as anything EVER!
Thanks a lot for looking into it. I've been reading and if I'm not mistaken this thing is new and there is no cure *yet*, so do you think instead of wiping my drive I should just wait and see if something is figured out in terms of ridding my computer of this exploit? Or should I just get this clearing process over and done with? =\
If you can wait, I would. I do feel that I would disconnect it from the web, especially if you use your PC for any personal stuff (banking, PDA syncing and so forth). That will keep you from potentially losing anything or letting the exploit download any further junk.
I read in one thread that you could try doing a restore from before you were infected, and then search for any files created after that restore and delete them. I have very mixed feelings about this and I don't know if that is a good idea. If the exploit installs rootkits (as some have said) then a restore may not help at all (rootkits become part of Windows processes themselves and can be very difficult to find and correct).
Somewhat related...IMO, Dr Web CureIT is a very good product and it is updated quite often. By any chance, did you write down what malware it found?
No, I thought about doing that but I absent-mindedly closed the program after it was done scanning and deleting them, and there's no sort of archive to see what I deleted. I think I'm going to stick with this and not try to roll back my computer, seeing as how you don't really seem to know yourself what would happen. My computer should be safe, and I'll be checking that blog you linked earlier to see if they figure anything out. Thanks for all your help today! Just hope they nail this!
I hope I am not too late...
Han, why do you think this is the WMF exploit?
What he has is SpySheriff spyware, which locks the desktop and places some annoying files in c:\windows\system32. Paytime.exe is one of the files. I recently fixed a computer with the same spyware. There were rootkits on the computer as well, which I am not sure whether they came from SpySheriff or not. They could have come from something else. In any case, SpySheriff can be beaten. What you need to do is unlock the desktop with a registry key, use HijackThis to get rid of some bad entries, and run a rootkit removal program (such as Blacklight). I will post a link with the registry fix and other useful things to get rid of SpySheriff. http://www.bleepingcomputer.com/foru...xe-t22402.html
I know the background picture is different, but we are talking about the same malware.
Last edited by usil; January 4th, 2006 at 02:17 PM.
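The thread says the desktop is "locked with a registry key" but does not name it. The script below is an added example, not code from this thread or from any of the tools mentioned in it. It assumes the lock is one of the standard per-user Windows policy values that disable wallpaper changes (NoChangingWallPaper, NoActiveDesktopChanges, and the policy-enforced Wallpaper / WallpaperStyle values); which of these SpySheriff actually wrote is not stated on the page, so treat the list as an assumption to verify on the affected machine. By default it only reports; -Fix removes the values it found. It needs PowerShell installed (XP SP3 supports PowerShell 2.0); the same paths can be checked by hand in regedit.

```powershell
# Added example (not from this thread): audit the per-user registry policy
# values that lock the desktop background, and optionally remove them.
# Assumption: the lock is one of the standard policy values listed below.
# Run as the affected user. Without -Fix it only reports what it finds.
param([switch]$Fix)

# Policy locations and the values that prevent changing the wallpaper.
$policyChecks = @(
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop'; Name = 'NoChangingWallPaper' },
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer';      Name = 'NoActiveDesktopChanges' },
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System';        Name = 'Wallpaper' },
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System';        Name = 'WallpaperStyle' }
)

$found = @()
foreach ($check in $policyChecks) {
    if (-not (Test-Path $check.Path)) { continue }
    $name = $check.Name
    # -ErrorAction SilentlyContinue returns $null when the value is absent.
    $item = Get-ItemProperty -Path $check.Path -Name $name -ErrorAction SilentlyContinue
    if ($null -ne $item) {
        Write-Host ("LOCK SET  {0}\{1} = {2}" -f $check.Path, $name, $item.$name)
        $found += $check
    }
}

# The wallpaper file itself is recorded in the normal (non-policy) location.
# Report it so the file can be submitted to the AV vendor or checked by hash.
$current = (Get-ItemProperty -Path 'HKCU:\Control Panel\Desktop' -Name Wallpaper -ErrorAction SilentlyContinue).Wallpaper
Write-Host "Current wallpaper path: $current"

if ($found.Count -eq 0) {
    Write-Host 'No wallpaper-lock policy values present.'
} elseif ($Fix) {
    foreach ($check in $found) {
        Remove-ItemProperty -Path $check.Path -Name $check.Name
        Write-Host ("Removed {0}\{1}" -f $check.Path, $check.Name)
    }
    Write-Host 'Log off and back on (or reopen Display Properties) to pick a new background.'
} else {
    Write-Host 'Re-run with -Fix to remove these values once the malware itself has been cleaned.'
}
```

Remove the policy values only after the malware has been cleaned; if the dropper is still running it will simply write them back, which is also a useful signal that the cleanup is incomplete.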
usil: Truthfully, I can't say that it is positively the WMF exploit. But I felt (and still feel) that the signs sure point to it. It apparently happened (more or less) in the right time frame. Plus, Craze221 had the exact screen that the blog at Sunbelt (maker of CounterSpy) listed as one of the first known versions of the issue. By all accounts I have read, both at that time through today, the general consensus is that there is no way to clean up the mess that is left behind. Several folks looking at the WMF issues have said they would never trust the PC again without starting over.
That said, I'm very open (and I would imagine Craze221 is too) to other ideas. To me, if a PC can be cleaned up, that is much more preferable to a complete reinstall. In my case, reinstalling everything would take a couple days or more...
Thanks for the link usil. My laptop got infected yesterday and despite following the removal instructions at Norton, which removed the problem [I assume], the desktop background persisted, so I'll have a gander later and try the fix.
Well, that changes things a bit, 'cause I don't believe you downloaded SpySheriff. You didn't, right 10?
Han, I tried to look for the connection between the locked desktop and the WMF but didn't find one. Can you send the link to the article you read?
OK, this clears things up for me. Turns out we are both correct Han.
According to F-Secure, Trojan downloaders are taking advantage of the vulnerability to install Trojan-Downloader.Win32.Agent.abs, Trojan-Dropper.Win32.Small.zp, Trojan.Win32.Small.ga and Trojan.Win32.Small.ev. F-Secure also reports that some of the Trojans install hoax anti-malware programs such as Avgold.
That explains why I've seen different "anti-spyware" malware programs connected with that desktop background, and why 10 could have gotten it simply by surfing certain websites. I read somewhere that a certain legitimate bank website was hit with the same problem, so the bank's customers got the exploit simply by going to the site.