Need help about this SPyware/Adware - Hewlett Packard
Need help about this SPyware/Adware
I just picked up a PC from one of my customers and it has this very
bizarre problem:
After the system came up in normal mode, there are four boxes, each about 3" X 4",
on the Desktop ---- Gambling, Dating, Pharmacy, XXX, Spyware, &
Insurance. When the mouse is moved over a box, it says loading and
then puts up an extra box of text/links for whatever the subject title of
that box is about. For example, moving the mouse over Dating will list
links for local girls, X-rated things, etc.
I've checked the system with Spybot Search & Destroy and AVG. I've also checked
the system with "HijackThis" and have gone into the Registry to try to
see what is going on. When I booted the system up in Safe Mode, the
boxes DID NOT show.
Has anyone seen this before?? All help is welcome.
Dewaine
-
Re: Need help about this SPyware/Adware
I've seen similar stuff before. Install Ad-Aware, update its definitions and
run it. Also make sure the latest Spybot definitions are installed before running.
If Ad-Aware and Spybot don't nail the problem, look at each entry shown by
HiJackThis. It helps to have internet access alongside the infected computer,
so you can access NAV and other anti-virus/spyware/adware info.
Finally, ask your client when this behavior started. It may sound a bit risky,
but often a careful deletion of strangely named files from the WINDOWS and
WINDOWS/SYSTEM32 folders is the answer. The date when all this started is the
key, because the strangely named files will have file dates/times coinciding with
the start of the nasties. Of course, some of the nastyware installs itself with
equally bizarre file dates like Dec 31 1979, which is before the creation of the
world, according to Gates... Ben Myers
On Wed, 07 Dec 2005 04:55:23 GMT, Dewaine Chan <"dchanNOSPAM"@NOSPAM
PLZZZnc.rr.com> wrote:
-
Re: Need help about this SPyware/Adware
Dewaine:
If you really want to remove the malware I suggest taking
the following steps:
1) Get the latest Ad-Aware spyware definition file from:
http://www.lavasoft.de/support/download/
I suggest that you download this defs.zip file on an uninfected computer;
then copy it to a 1.44M floppy diskette or a CD-R.
2) Reboot your infected computer and tap F8 once per second during restart
and when the menu appears select: Safe Mode without networking.
3) Unzip and insert the downloaded file, defs.ref, in file location:
c:\Program Files\Lavasoft\Ad-Aware SE Personal/defs.ref
This ensures that a subsequent scan for malware will use the latest
spyware definition files.
4) Launch Start/Program/Files/Lavasoft Ad-Aware SE Personal/Ad-Aware SE Personal
and click the initial bullet to do a Full System Scan.
When done, right-click the list of malware found and choose: Select All
Then click Next, and finally click OK.
This will remove the malware that you are experiencing.
5) Restart the system in normal mode.
Skip Knoble, Penn State
On Wed, 07 Dec 2005 04:55:23 GMT, Dewaine Chan <"dchanNOSPAM"@NOSPAM PLZZZnc.rr.com>
wrote:
-
Re: Need help about this SPyware/Adware
"Dewaine Chan" <"dchanNOSPAM"@NOSPAM PLZZZnc.rr.com> wrote in message
news:%Wtlf.2040$7b4.763945@twister.southeast.rr.com...
It would appear to me that a malware web page has been set up as the
desktop.
Right-click the desktop outside of the boxes and select Properties.
Does the Display Properties window pop up?
(If not, go to Control Panel and select Display.)
Click the Desktop tab and click the "Customize Desktop..." button.
Select the Web tab; if anything is selected there, unselect it.
And delete anything but "My Current Home Page", but make sure it too is
unselected.
If Lock Desktop Items is selected, unselect it.
Click OK until all windows are closed.
JaF
-
Re: Need help about this SPyware/Adware
Well:
Spent a bit more time on this and here is what I found:
It created the following files in the C:\Windows\system32 folder:
C:\WINDOWS\system32\insurance.bmp
C:\WINDOWS\system32\close.bmp
C:\WINDOWS\system32\spyware.bmp
C:\WINDOWS\system32\xxx.bmp
C:\WINDOWS\system32\pharmacy.bmp
C:\WINDOWS\system32\gambling.bmp
C:\WINDOWS\system32\dating.bmp
C:\WINDOWS\system32\idesk.conf
It also created a file rdt.ini in the C:\WINDOWS directory.
Renaming rdt.ini did not do anything. I removed the above files from the
C:\WINDOWS\SYSTEM32 directory from Safe Mode and rebooted the PC. It came up without
the popup boxes, but after rebooting again, all the above files got recreated and
appeared in the C:\WINDOWS\SYSTEM32 directory.
I did a Google search and a couple of places suggested looking for:
ie2cltr.dll
rdt.ini
or
C:\WINDOWS\system32\favset.exe --> Trojan.Favadd
C:\WINDOWS\system32\howiper.exe --> Win32/Qhosts
I couldn't find any of the files except the rdt.ini file.
I have removed basically everything that shows in HijackThis and the system registry's
Run area. I suspect the spyware is loaded as a system service and I just need to
find the DLL file.
BTW, Ad-Aware SE doesn't detect it either.
Thanks for all the help.
Dewaine
Ben Myers wrote:
-
Re: Need help about this SPyware/Adware
Checked that already. It wasn't it. Please see the update I posted under Ben
Myers' posting for follow-up info. It is weird. I'm going out to get a copy
of Spysweeper tomorrow and will check the system later.
Thanks.
Dewaine
Just a Friend wrote:
-
Re: Need help about this SPyware/Adware
Herman:
Thanks. Still no go. Back on the hunt again.
Dewaine
"Herman D. Knoble" wrote:
-
Re: Need help about this SPyware/Adware
Dewaine,
You're right. This varmint starts up as a system service and/or a program NOT
in the startup folder. It could also be a Visual Basic script or a CMD file.
That's how it keeps replenishing itself, even after repeated attempts to delete
the files.
To find some of these files, you need to change some of the options in the Files
icon of the control panel. Allow the system to display known file extensions,
which is the "old way" of doing things. The "new" way obscures useful info.
Also, enable the display of hidden files AND system files.
Other areas to look for these files include the %TEMP% folder and other areas in
the primary user's Documents and Settings.
I usually find HijackThis to be an indispensable tool for removing rogue
software not removed somewhat automatically by other software.
Doesn't all this make you want to shoot the bastards who perpetrate this stuff?
.... Ben Myers
On Thu, 08 Dec 2005 05:09:17 GMT, Dewaine Chan <"dchanNOSPAM"@NOSPAM
PLZZZnc.rr.com> wrote:
-
Re: Need help about this SPyware/Adware
Dewaine: Did you do an up-to-date scan while in SAFE MODE?
Did you do a Full System Scan with Ad-Aware?
When starting in Safe Mode only basic services are started,
and startup modules (e.g.,
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run)
are not started.
Skip
On Thu, 08 Dec 2005 05:10:44 GMT, Dewaine Chan <"dchanNOSPAM"@NOSPAM PLZZZnc.rr.com>
wrote:
-
Re: Need help about this SPyware/Adware
Doing a Google search on rdt.ini shows
that you may have the TR/Dldr.Agent.tc.4 - Trojan
See: http://www.avira.com/en/threats/TR_D...4_details.html
and http://www3.ca.com/securityadvisor/p...x?id=453096275
Skip
On Thu, 08 Dec 2005 05:09:17 GMT, Dewaine Chan <"dchanNOSPAM"@NOSPAM PLZZZnc.rr.com>
wrote:
-|rdt.ini
-
Re: Need help about this SPyware/Adware
Running Ad-Aware and Spybot in safe mode will do a good job of removing FILES
which are causing the damage, but parts of the registry are definitely left
untouched in safe mode. Whether the system is booted in safe mode or not, the
result is sort of a "working" registry. I do not know what else to call it.
Windows boots up and builds a different working registry every time, merging in
the HKCU entries for whoever logged on to the system.
I have had to de-louse infected systems by repeatedly logging off and logging on
as a different user of a computer used by five different family members. With
each login, I ran Spybot and Ad-Aware to remove the infected registry entries
for each HKCU... Ben Myers
On Thu, 08 Dec 2005 11:20:24 -0500, Herman D. Knoble
wrote:
-
Re: Need help about this SPyware/Adware
Ben: thanks.
It is my understanding that if Ad-Aware SE Personal is run in Safe Mode
and the type of scan is Full System Scan,
it will remove spyware in registry entries (it will report "deep scanning
registry"). Also Ad-Aware has a setting (under Tweak Settings),
Scan Registry for all users, which if checked will scan the registry
for all users (from a user with Admin privileges). Likewise under
Scan Settings there are two options, Scan Registry and Deep Scan
Registry. These should be set on.
Finally, there are settings for Ad-Aware SE Plus (and above) which
(by setting Ad-Watch on and configuring it properly) will prevent
registry modifications in the first place.
The cost for Ad-Aware SE Plus is modest ($27).
Skip
On Thu, 08 Dec 2005 18:49:00 GMT, ben_myers_spam_me_not @ charter.net (Ben Myers) wrote:
-
Re: Need help about this SPyware/Adware
Ooooh! Those are interesting options. Thank YOU for the info... Ben Myers
On Thu, 08 Dec 2005 14:46:04 -0500, Herman D. Knoble
wrote:
-
Re: Need help about this SPyware/Adware
Ben & Skip:
Yes. I suspect it is a service being loaded or hooked into Windows Explorer. As for
all these virus & malware writers, to a degree we computer geeks should actually
thank them and Microsoft for creating job opportunities for us. My customer has decided
to replace this PC because it was sold to him with a bootlegged copy of XP Pro & Office
loaded on it. I've already backed up and transferred the data to his new computer. It is
now more personal. I just don't like being beaten by a PC. I got busy today fixing a
couple of laptops that have bad power connectors and a few laser printers.
Skip, I have already checked the first link out, and the second link I have not seen yet.
I'll try it out when I have a chance. Will keep you guys updated on this thing.
Thanks.
Dewaine
"Herman D. Knoble" wrote:
-
Re: Need help about this SPyware/Adware
Until the usual adware programs are updated to deal with it (I can't
get rid of it either) you can, as a temporary measure, edit idesk.conf
(C:\windows\system32) to make it empty, then make it read-only (then you
can do the same with the .bmp files). That stops it displaying.
-
Re: Need help about this SPyware/Adware
You got the latest and greatest in malware, courtesy of an
exploitation in explorer. The files are hidden via rootkit.
Clicking on show all hidden files will NOT show the files. You have
to get a program that will show the rootkit-hidden files. Spysweeper,
as someone mentioned, has under options a check for these files, but
I haven't tried it.
I cleaned them off from mine by using Autodad's suggestion (which is
free).
Go here - http://forums.subratam.org/index.php?showtopic=6121 , and
scroll halfway down to Autodad, where he gives a link to download
blacklight, and then rootkill. You will need one program to find
and the other to eliminate. Then use spysweeper to clean up the
remnants, if you wish. (I don't know how well spysweeper's version
works for initial, I bought it and used it after doing above). You
will find between 5 and 8 hidden files on your computer, and most
likely idesk (idemlog.exe) adware crap as well. I had to use
spysweeper to get the idesk crap off.
good luck
-
Re: Need help about this SPyware/Adware
wrote in message
news:439852ca.314661@nntp.charter.net...
Also, look for DLLs that have a file date/time that is more or less the
last time you rebooted. Some nasties have a two-program approach where each
program generates the other at system start, using random names.
-
Re: Need help about this SPyware/Adware
I'm calling this the iDesk Trojan. When I had a few clients with these
issues, I couldn't find any good info on how to get rid of it, as
Ad-Aware, Spybot and the others couldn't get rid of it. Had to figure
this one out on my own...
Forget trying to install this and that in hopes of removing the
virus/trojan/etc. It's MUCH easier than that...
c:\windows\system32\taskkill.exe /IM idemlog.exe
Then delete all files that the program put in the system32 folder. Check
the dates (sort by date); all the dates/times are likely the same.
Some of the files I had to deal with were named:
idesk.conf
howiper.exe
sphlp32.exe
close.bmp
favset.exe
spyware.bmp
insurance.bmp
xxx.bmp
dating.bmp
pharmacy.bmp
gambling.bmp
hgqhp.exe
pppcgm.exe
idemlog.exe
fran-hot.exe
qurrv.dll
filesafer23.exe
Afterwards, reboot. Should be all set now...
Regards,
TJ Tryon, President
Lighthouse Consulting Group
http://www.lhc-group.com
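As an added example (not from any poster in this thread), the following Python triage helper implements the two file-date heuristics given above: Ben Myers' observation that the dropped files carry timestamps clustered around the last reboot (or an impossible pre-1980 date like "Dec 31 1979"), and TJ Tryon's "sort by date, all the dates/times are likely the same" tip. The directory listing, the boot time and the name `xyzab.exe` are constructed for the example; the indicator names are the ones posted in the thread, nothing more.

```python
"""Triage a system32-style directory listing for iDesk-like droppers.

Added example; the listing below is constructed, not taken from a real system.
"""
from collections import namedtuple
from datetime import datetime, timedelta

Entry = namedtuple("Entry", "name mtime")

# File names posted in this thread (Dewaine's and TJ Tryon's lists). Not a
# complete indicator set; matching a name is a hint, not a verdict.
THREAD_INDICATORS = {
    "idesk.conf", "rdt.ini", "idemlog.exe", "howiper.exe", "favset.exe",
    "sphlp32.exe", "hgqhp.exe", "pppcgm.exe", "fran-hot.exe", "qurrv.dll",
    "filesafer23.exe", "close.bmp", "spyware.bmp", "insurance.bmp",
    "xxx.bmp", "dating.bmp", "pharmacy.bmp", "gambling.bmp",
}

# FAT cannot store a date before 1980-01-01, so a pre-1980 timestamp on a
# 2005-era system is bogus (Ben's "Dec 31 1979" case).
FAT_EPOCH = datetime(1980, 1, 1)


def cluster_by_mtime(entries, window=timedelta(minutes=2), min_size=3):
    """Group entries whose mtimes are within `window` of their neighbour.

    Sorting by date first is exactly TJ's 'sort by date' tip; we then cut the
    sorted list wherever the gap to the previous file exceeds `window`.
    Clusters smaller than `min_size` are dropped as noise.
    """
    ordered = sorted(entries, key=lambda e: e.mtime)
    clusters, current = [], []
    for e in ordered:
        if current and e.mtime - current[-1].mtime > window:
            if len(current) >= min_size:
                clusters.append(current)
            current = []
        current.append(e)
    if len(current) >= min_size:
        clusters.append(current)
    return clusters


def triage(entries, last_boot, boot_window=timedelta(minutes=10)):
    """Return known-name hits, files re-dropped right after boot, bogus dates."""
    names = {e.name.lower() for e in entries}
    report = {
        "known": sorted(names & THREAD_INDICATORS),
        "boot_cluster": [],
        "bogus_date": sorted(e.name for e in entries if e.mtime < FAT_EPOCH),
    }
    # A cluster that was written shortly after the last boot is the
    # self-replenishing behaviour Dewaine saw: files recreated every start.
    for cluster in cluster_by_mtime(entries):
        if all(last_boot <= e.mtime <= last_boot + boot_window for e in cluster):
            report["boot_cluster"].extend(e.name for e in cluster)
    report["boot_cluster"] = sorted(set(report["boot_cluster"]))
    return report


# Constructed sample listing: three OS files sharing an old install date,
# a dropper set written ~40-55 s after boot (xyzab.exe is a made-up random
# name), and one file with an impossible 1979 timestamp.
BOOT = datetime(2005, 12, 8, 4, 55)
SAMPLE = [
    Entry("kernel32.dll", datetime(2004, 8, 4, 12, 0)),
    Entry("user32.dll", datetime(2004, 8, 4, 12, 0)),
    Entry("ntdll.dll", datetime(2004, 8, 4, 12, 0)),
    Entry("idesk.conf", BOOT + timedelta(seconds=40)),
    Entry("dating.bmp", BOOT + timedelta(seconds=41)),
    Entry("gambling.bmp", BOOT + timedelta(seconds=41)),
    Entry("qurrv.dll", BOOT + timedelta(seconds=55)),
    Entry("xyzab.exe", BOOT + timedelta(seconds=55)),
    Entry("oddity.dll", datetime(1979, 12, 31, 0, 0)),
]


def sample_report():
    """Run triage on the constructed listing."""
    return triage(SAMPLE, BOOT)


if __name__ == "__main__":
    for key, value in sample_report().items():
        print(f"{key}: {value}")
```

Note that the old OS files also share one timestamp but fall outside the boot window, so only the cluster written right after boot is flagged; the unknown name `xyzab.exe` is caught by the cluster, not by its name.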