Question:

File / virus / worm??? keeps changing my desktop background on every restart?


Recurring file gdmae.bmp automatically loads itself as my desktop background on every restart. Common easy-to-use removal techniques (spyware s+d, AVG, others) don't work. It doesn't do anything terribly malicious: it simply changes my desktop background on every restart, changes the top of Internet Explorer to say "gdooey mae", automatically replicates the file gdmae.bmp upon deletion, and automatically transfers to any flash drive that is put into the computer and any other computer that the flash drive is connected to in the future. It is more annoying than malicious, but that doesn't make it OK. I can find nothing meaningful by googling it... anyone else out there have this problem? (Look at the top of your Explorer, which I rarely use.)

Any help is appreciated.


6 ANSWERS


  1. You can restart your computer completely, and I suggest a better firewall.

  2. Try Avira antivirus. It's for free at www.cnet.com

  3. I'm not sure, but I suggest that you put in an antivirus or delete some newly downloaded files.

  4. This is a harmless malware that copies itself to PC local drives and changes the title of Internet Explorer to other names or phrases. The file is automatically run during startup.

    If you had created a restore point prior to the detection of the worm, you can revert back to the restore point and everything will be back to normal.

    Here is the removal procedure. Please note that not all the steps below may be needed:

    1. Reboot the tester in SAFE MODE (press F9 during boot-up) and log in as Administrator. You will need to be logged on as the Administrator account to perform the steps below.

    2. Download StartUp Control Panel. You will use this later. For more information regarding StartUp Control Panel, go here

    3. Open Windows Task Manager ([Ctrl] + [Alt] - [Delete] or [Ctrl] + [LShift] - [Esc]) and go to the Processes tab.

    4. Terminate the Wscript.exe and Explorer.exe processes.

    5. Open Command Prompt (open Run and type cmd).

    6. From the Command Prompt, type the following:

    "del c:\pooh.vbs /f/s/q/a" where pooh.vbs is the name of the script, ex. va6.vbs

    del c:\autorun.inf

    del c:\windows\system32\kernell.dll.vbs

    del c:\aikelyu.html /f/s/q/a, where aikelyu.html is the Gdooey Mae.bmp in your situation

    7. Now use the StartUp Control Panel you downloaded earlier to remove the "Gdooey Mae.bmp" during Windows startup. Also, to check if the "Gdooey Mae.bmp" file has been deleted, open Microsoft Configuration (open Run and type msconfig), select the Startup tab and see if there is still the "Gdooey Mae.bmp" file with a check in the checkbox. If it is still there, uncheck it.

    8. Open the Run dialog box again and type regedit.

    9. Navigate to:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\...

    in the left pane. After which, in the right pane, check the Shell string and change it to: explorer.exe. The corrupted string value has a userinit=userinit.exe combined with explorer.exe.

    10. To finally check that you have deleted "va6.vbs" from your system, go to Control Panel - Folder Options. On the View tab, choose "Show hidden files", uncheck "Hide protected operating system files (Recommended)" and "Hide extensions for known file types", and press OK.

    11. Open Windows Explorer ([Windows] - [E]), go to C:\ and check to make sure that the va6.vbs file has been deleted. Go to C:\WINDOWS\system32 and check if the "Gdooey Mae.bmp" file and kernell.dll.vbs file have been deleted. If they are still present, manually delete them and empty the Recycle Bin.

    12. Search the entire system, including hidden files and folders, for any of the infected files:

    -kernell.dll.vbs

    -va6.vbs

    -autorun.inf

    13. Reboot the tester. Make sure that Internet Explorer does not load during Windows startup with a webpage with a black background and the word "aikelyu". If you do not see the webpage then you have successfully removed the worm.
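
An added example, not part of the answer above or of any tool it mentions: a Python check for the verification in steps 9, 11 and 12, which walks a drive root for the file names the answer lists and reports any autorun.inf command that starts a script. The function names and the sample files built in `demo()` are constructed for illustration; on a real machine, pass the drive root to `scan_root()` and the Shell string read in regedit to `shell_value_ok()`.

```python
import os
import re
import tempfile

# File names listed in step 12 of the answer above.
NAMED_FILES = {"kernell.dll.vbs", "va6.vbs", "autorun.inf"}
# autorun.inf keys whose value is a command run from the drive root.
LAUNCH_KEY = re.compile(r"^\s*(open|shellexecute|shell\\[^=]*\\command)\s*=\s*(.+)$", re.I)
SCRIPT_HINT = re.compile(r"wscript|cscript|\.vb[se]\b", re.I)

def autorun_commands(text):
    """Return the commands an autorun.inf would launch."""
    matches = (LAUNCH_KEY.match(line) for line in text.splitlines())
    return [m.group(2).strip() for m in matches if m]

def scan_root(root):
    """Walk root (os.walk also returns hidden files) and return sorted findings."""
    findings = []
    for folder, _dirs, files in os.walk(root):
        for name in files:
            rel = os.path.relpath(os.path.join(folder, name), root).replace(os.sep, "/")
            if name.lower() in NAMED_FILES:
                findings.append(("named-file", rel))
            if name.lower() == "autorun.inf":
                with open(os.path.join(folder, name), errors="replace") as fh:
                    findings += [("autorun-launches-script", c)
                                 for c in autorun_commands(fh.read()) if SCRIPT_HINT.search(c)]
    return sorted(findings)

def shell_value_ok(value):
    """Step 9: the Shell string should be exactly explorer.exe."""
    return value.strip().lower() == "explorer.exe"

def demo():
    """Scan a constructed sample drive root (placeholder file contents)."""
    sample = {"autorun.inf": "[autorun]\nopen=wscript.exe va6.vbs\nicon=x.ico\n",
              "va6.vbs": "' constructed placeholder\n",
              "windows/system32/kernell.dll.vbs": "' constructed placeholder\n",
              "notes.txt": "benign\n"}
    with tempfile.TemporaryDirectory() as root:
        for rel, body in sample.items():
            path = os.path.join(root, *rel.split("/"))
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "w") as fh:
                fh.write(body)
        return scan_root(root)

if __name__ == "__main__":
    print(*demo(), sep="\n")
```

An empty result from `scan_root()` together with `shell_value_ok()` returning True corresponds to the clean state the procedure aims for.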


  5. Try this:

    http://www.download.com/SUPERAntiSpyware...

  6. I had a similar virus once, which changed my background on every startup to an image saying "you have a virus and you better have an anti-virus or any virus removal".

    I got rid of it by installing the 30-day trial of Kaspersky Anti-Virus 2008 and updating its database.
