Unwanted Popups Cured - Need Help with Remaining Desktop Problem

[PBushman]

Hi,

I recently experienced the DOWNLOADER.MISLEADAPP problem described by others on this forum. I was able to eliminate the unwanted popups by following the instructions in the PP STICKY. When I ran the Trend Micro Online Virus Scan in Safe Mode it identified the virus, eliminated it and in so doing eliminated the unwanted popups. Only one problem remains and I have been unable to correct it ... the virus has overlaid my desktop wallpaper with a red screen and the message "YOUR PRIVACY IS IN DANGER!". I have not been able to correct this situation using the Control Panel which indicates that my regular wallpaper is being displayed although it is not. I have identified the location of this .jpg image (along with several others) at C:\Windows\privacy_danger\images. This folder is not visible when viewing My Computer but can be seen after a search for "privacy". When the folder is deleted the image no longer appears on the desktop however a Windows error message stating that C:\Windows\privacy_danger\images cannot be found appears at startup and repeatedly thereafter.
Your advice on how to eliminate the virus was priceless. Any advice you can provide on how to get my desktop back to "normal" would also be appreciated. Scan logs are attached.
Thank You.

[pheonix73]

Since you have already strated in following some of the appropriate steps in the stickys'.Follow through with the rest of the steps and post all appropriate logs here for the admins to take a look at.Judy or one the other admins will be more than willing to take a look and tell you what else they find.

[PBushman]

Phoenix,
Thanks for the advice. I've attached my logs to the original message.
PSB

[TurcoLoco]

Hi, I won't have time at the moment to provide detailed info but please see the revised version of your Kaspersky and HJT Logs and pay attention to my notes in them, ok?

Judy should be around to follow up on it, when she does, what she will say should supersede mine...

[ShadowPuterDude]

Judy is on vacation. I'll be covering for her until she gets back.

Download to your Desktop:
RougeRemover by MalwareBytes
SmitFraudFix by S!Ri
ATF Cleaner by Atribune (Windows 2000/XP/2003/Vista)
ISeeYouXP by ShadowPuterDude (Windows 2000/XP/2003/Vista)

Extract the contents of ISeeYouXP.zip to the root directory of drive C:\. This will create a folder named ISeeYouXP in the root directory of Drive C

Using Windows Explorer (right click the Start button and select Explore to open Windows Explorer) navigate to C:\ISeeYouXP and locate the following script:
ShowIT.bat

Unzip RogueRemover, and run the installer. Start RogueRemover and select Scan. The program will walk you through the remaining steps.

Double-click smitfraudfix.exe

Select option #1 - Search by typing 1 and press Enter
This program will scan large amounts of files on your computer for known patterns so please be patient while it works. When it is done, the results of the scan will be displayed and it will create a log named rapport.txt in the root of your drive, eg: Local Disk C: or partition where your operating system is installed.

Note: process.exe ( which is used by SmitFraudFIx ) is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user. The below is a link to what process.exe is.

http://www.beyondlogic.org/consultin...rocessutil.htm

IMPORTANT: Do NOT run any other options until you are asked to do so!

RENAME THE FIRST LOG NOW BEFORE CONTINUING OR YOU WILL OVERWRITE IT!!! And then immediately continue on to the below steps.

STEP 2: PLEASE READ ALL OF THESE INSTRUCTIONS FIRST BEFORE DOING ANYTHING.

Please print out or copy these instructions to Notepad as the internet will not be (while in Safe Mode) available to you at certain points of the removal process. Make sure to work through all the Steps in the exact order in which they are listed below.

Reboot your computer into Safe Mode.

Run ATF Cleaner:
Double-click ATF- Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.
Run SmitfraudFix
Open the SmitfraudFix Folder of your Desktop, then double-click smitfraudfix.cmd file to start the tool.

Select option #2 - Clean by typing 2 and press Enter.
Wait for the tool to complete and disk cleanup to finish.
You will be prompted : "Registry cleaning - Do you want to clean the registry ?" answer Yes by typing Y and hit Enter.

The tool will also check if wininet.dll is infected. If it is infected and a clean version is found, you will be prompted to replace the infected wininet.dll with the clean file. Answer Yes to the question "Replace infected file ?" by typing Y and hit Enter.

A reboot may be needed to finish the cleaning process, if you computer does not restart automatically please do it yourself manually. BUT Reboot in Safe Mode.

The tool will create a log named rapport.txt in the root of your drive, eg: Local Disk C: or partition where your operating system is installed.

STEP 3: PLEASE READ ALL OF THESE INSTRUCTIONS FIRST BEFORE DOING ANYTHING.

Clean out your Temporary Internet files. Proceed like this:

Quit Internet Explorer, all browsers and quit any instances of Windows Explorer.

For Internet Explorer 7

• Click Start, click Control Panel, and then double-click Internet Options.
• On the General tab, click Delete... under Browsing History.
• Next to Temporary Internet Files, click Delete files, and then click OK.
• Next to Cookies, click Delete cookies, and then click OK.
• Next to History, click Delete history, and then click OK.
• Click the Close button.
• Click OK.

For Internet Explorer 4.x - 6.x

• Click Start, click Control Panel, and then double-click Internet Options.
• On the General tab, click Delete Files under Temporary Internet Files.
• In the Delete Files dialog box, tick the Delete all offline content check box, and then click OK.
• On the General tab, click Delete Cookies under Temporary Internet Files, and then click OK.
• Click on the Programs tab then click the Reset Web Settings button. Click Apply then OK.
• Click OK.

For Netscape 4.x and Up

• Click Edit from the Netscape menubar.
• Click Preferences... from the Edit menu.
• Expand the Advanced menu by clicking the triangle sign.
• Click Cache.
• Click both the Clear Memory Cache and the Clear Disk Cache buttons.

For Mozilla 1.x and Up

• Click Edit from the Mozilla menubar.
• Click Preferences... from the Edit menu.
• Expand the Advanced menu by clicking the plus sign.
• Click Cache.
• Click the Clear Cache button.

For Opera

• Click File from the Opera menubar.
• Click Preferences... from the File menu.
• Click the History and Cache menu.
• Click the two Clear buttons next to Typed in addresses and Visited addresses (history) and click the Empty now button to clear the Disk cache.
• Click Ok to close the Preferences menu.

Next Click Start, click Control Panel and then double-click Display. Click on the Desktop tab, then click the Customize Desktop button. Click on the Web tab. Under Web Pages you should see a checked entry called Security info or something similar. If it is there, select that entry and click the Delete button. Click Ok then Apply and Ok.

Empty the Recycle Bin by right-clicking the Recycle Bin icon on your Desktop, and then clicking Empty Recycle Bin.

STEP 4: PLEASE READ ALL OF THESE INSTRUCTIONS FIRST BEFORE DOING ANYTHING.

Open the SmitfraudFix Folder of your Desktop, then double-click smitfraudfix.cmd file to start the tool.

Select option #3 - Delete Trusted zone by typing 3 and press Enter.
Answer Yes to the question "Restore Trusted Zone ?" by typing Y and hit Enter.

Note: if you use SpywareBlaster and/or IE-SPYAD, it will be necessary to re-install the protection both afford. For SpywareBlaster, run the program and re-protect all items. For IE-SPYAD, run the batch file and reinstall the protection.

Using Windows Explorer(right click the Start button and select Explore to open Windows Explorer) navigate to C:\ISeeYouXP and locate the following scripts:
ISeeYouXP.bat

Attach the following logs:

2. Both rapport.txt logs from SmitFraudFix
3. ISeeYouXp log
4. HijackThis log

[PBushman]

I've completed the clean up process and my computer seems to have returned to normal. THANK YOU!
I have attached all requested files except ISeeYouXP which which exceeded the file size limit. Is there another way to send this file?
What would you suggest for onging virus, spyware etc. protection? I am currently running only Norton anti-virus and the MS firewall.
Thanks again for your help.