Thread: Active Desktop popup slammed

  1. #1
    Junior Member
    Join Date
    May 2006
    Posts
    2

    Default Active Desktop popup slammed

    OK, Spybot did detect this one at first, but did not remove all of the files, and it reinstalled within minutes of being removed. The executable file I found and removed was Vsl04.exe; once removed, no reinfections occurred.

    This little bugger placed ad.html in the winnt directory and then turned on active directory and placed that page as the page to show on the desktop.

    This page spawns some 100 popup ads, downloaders, etc. all at once, filling up the desktop entirely. It continues every time the screen is refreshed, slamming a new load of popups each time.

    This all occurred when a user mistakenly entered a web site address manually for stanley steamer carpet cleaning. He says the site he entered was wxx.stanleysteemer.com (it may be a slight variation of that). The infection and popup slam happened immediately upon loading the page. I haven't tried it myself, since I don't have a test computer available at the moment. The legitimate site for stanley steamer carpet cleaner is completely different.
    Last edited by tashi; 2006-05-10 at 18:36. Reason: Disabled url

  2. #2
    Member of Team Spybot tashi's Avatar
    Join Date
    Oct 2005
    Location
    USA
    Posts
    30,961

    Default

    Hello, thank you for the information.

    Do you have any files to send zipped to: detections(AT)spybot.info

    Would you like to post the user's Spybot-S&D log so that someone can take a look at the system and determine if any remnants remain of the infection?
    Microsoft MVP Reconnect 2018-
    Windows Insider MVP 2016-2018
    Microsoft Consumer Security MVP 2006-2016

  3. #3
    Junior Member
    Join Date
    May 2006
    Posts
    2

    Default reply with logs

    Sorry, I was just happy to get rid of the thing and didn't keep the info.
    OK, here goes: found the problem, turned off active desktop and ran Spybot:

    05.05.2006 15:28:12 - ##### check started #####
    05.05.2006 15:28:12 - ### Version: 1.4
    05.05.2006 15:28:12 - ### Date: 5/5/2006 3:28:12 PM
    05.05.2006 15:28:34 - ##### checking bots #####

    Realized I didn't have the latest updates, updated and ran Spybot & Adaware SE separately. Both Adaware & Spybot found and "removed" deskwizz.

    05.05.2006 15:44:21 - ##### check started #####
    05.05.2006 15:44:21 - ### Version: 1.4
    05.05.2006 15:44:21 - ### Date: 5/5/2006 3:44:21 PM
    05.05.2006 15:44:28 - ##### checking bots #####
    05.05.2006 15:48:52 - found: Deskwizz Web page
    05.05.2006 15:48:52 - found: Deskwizz Executable
    05.05.2006 15:49:48 - found: Windows.System User settings
    05.05.2006 15:51:59 - ##### check finished #####

    Problem resurfaced almost immediately. I reran Spybot & Adaware.

    05.05.2006 16:07:35 - ##### check started #####
    05.05.2006 16:07:35 - ### Version: 1.4
    05.05.2006 16:07:35 - ### Date: 5/5/2006 4:07:35 PM
    05.05.2006 16:07:47 - ##### checking bots #####
    05.05.2006 16:14:38 - found: Deskwizz Web page
    05.05.2006 16:14:38 - found: Deskwizz Executable
    05.05.2006 16:15:34 - found: Windows.ActiveDesktop User settings
    05.05.2006 16:18:15 - ##### check finished #####

    Now I went hunting... did Google searches and everything I could think of to find a reason for vsl04.exe and could find none. I found this executable in several places: on the root of c:\, inside c:\WINNT\ & inside the temporary internet files folder for the user. This was too much of a coincidence, so I deleted all copies of the file and reran Spybot & Adaware (sorry, but separately neither program removes everything, but done together I get much better results).

    05.05.2006 17:19:51 - ##### check started #####
    05.05.2006 17:19:51 - ### Version: 1.4
    05.05.2006 17:19:51 - ### Date: 5/5/2006 5:19:51 PM
    05.05.2006 17:19:57 - ##### checking bots #####
    05.05.2006 17:25:46 - found: Deskwizz Executable
    05.05.2006 17:29:49 - ##### check finished #####

    Now I'm upset, so I go the next step and remove all Spybot restore files of all found items. Result: clean run of both Spybot & Adaware, clean computer and no more user problems with this executable so far through today, the 10th.

    Files involved: (Meaning the files that I had to remove after running spybot & adaware SE) vsl04.exe and ad.html --(from c:\WINNT\)
    In retrospect, I wish I had saved them, but the user issue was time/business critical and I just needed it to go away.

    OH! I almost forgot. At some point in this process I also found walpap.exe and removed it too. I found the details of this one at ahnlab spyzero http://auction.ahnlab.com/badcode_in...t.asp&seq=3824
    listed as Win-Adware/Walpap.4096, and it mentions walpap.exe and ad.html specifically.
    Last edited by bblvadmin; 2006-05-10 at 20:23.
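
The scan logs in the post above show the same items being "found" again after each removal. As an added example (not part of any post in this thread and not Spybot tooling), the sketch below parses log lines in that format and reports items that reappear in the next scan. The function names `parse_scans` and `recurring` are hypothetical, the timestamp is assumed to be day.month.year, and the sample lines are copied from the post with the Version/Date/"checking bots" lines omitted.

```python
import re
from datetime import datetime

# "<dd.mm.yyyy hh:mm:ss> - <message>" (day.month order is an assumption)
LINE = re.compile(r"^(\d{2}\.\d{2}\.\d{4} \d{2}:\d{2}:\d{2}) - (.*)$")

# Log lines copied from the post above (header lines omitted).
SAMPLE_LOG = """\
05.05.2006 15:44:21 - ##### check started #####
05.05.2006 15:48:52 - found: Deskwizz Web page
05.05.2006 15:48:52 - found: Deskwizz Executable
05.05.2006 15:49:48 - found: Windows.System User settings
05.05.2006 15:51:59 - ##### check finished #####
05.05.2006 16:07:35 - ##### check started #####
05.05.2006 16:14:38 - found: Deskwizz Web page
05.05.2006 16:14:38 - found: Deskwizz Executable
05.05.2006 16:15:34 - found: Windows.ActiveDesktop User settings
05.05.2006 16:18:15 - ##### check finished #####
05.05.2006 17:19:51 - ##### check started #####
05.05.2006 17:25:46 - found: Deskwizz Executable
05.05.2006 17:29:49 - ##### check finished #####
"""

def parse_scans(text):
    """Split a log into scans: [{'start': datetime, 'found': [items]}]."""
    scans, current = [], None
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # skip blank lines and anything not in log format
        stamp = datetime.strptime(m.group(1), "%d.%m.%Y %H:%M:%S")
        msg = m.group(2)
        if msg == "##### check started #####":
            current = {"start": stamp, "found": []}
            scans.append(current)
        elif current is not None and msg.startswith("found: "):
            current["found"].append(msg[len("found: "):])
    return scans

def recurring(scans):
    """Return (scan start, items) for items also found in the previous scan."""
    hits = []
    for prev, cur in zip(scans, scans[1:]):
        again = [item for item in cur["found"] if item in prev["found"]]
        if again:
            hits.append((cur["start"], again))
    return hits
```

An item that keeps returning after a "successful" removal means something outside the scanner's removal set is restoring it, which is what the leftover files and restore copies described in the post turned out to be.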

  4. #4
    Member of Team Spybot tashi's Avatar
    Join Date
    Oct 2005
    Location
    USA
    Posts
    30,961

    Default

    Thanks.
    Any chance you could get the log report from the user for the date in question?
    Mode>Advanced>Tools>View Report>select the "browse" button; navigate to and attach or post if report is there.

    Failing that:
    • Open SpyBot, check for and get any updates available.
    • Close all browsers, check for problems and fix everything found in red
    • Then on the toolbar menu select mode and switch to advanced mode, on the left lower down select tools, and view report, ensure all the options are selected near the bottom except
    • Uncheck[ ] do not report disabled or known legitimate Items.
    • Uncheck[ ] Include a list of services in report.
    • Uncheck[ ] Include uninstall list in report.
    • Now select (near the top) view report.
    • Press export in the save in box choose a place such as your my documents folder, then in your next post near the bottom select the "browse" button; navigate to and attach or post that report.
    Last edited by tashi; 2006-05-11 at 04:08. Reason: added info