vvrchandra
asked on
Desktop Hijack..
Hi,
Recently when I was browsing the net, some files/applications got installed automatically. My system has Norton Anti Virus Corporate edition and Microsoft Anti Spyware (beta) installed. The anti spyware alerted me and asked me to block or allow the changes/installation. I blocked everything. But somehow my system got infected with some sort of virus/spyware/adware. My original desktop is gone and now there is a new desktop with a completely blue background with some text written on it saying 'Security warning - A fatal error in IE has occurred at ....in VXD..... Error was caused by Trojan-Spy.HTML.Smitfraud.c'. And then below it showed 'System cannot function in normal mode. Pl. check your security settings' and also asked to scan the PC with an available antivirus/spyware remover program to fix the problem.
I ran the Norton antivirus but it could not find anything. When the anti spyware from Microsoft was run, it found some bugs and I deleted them. I later uninstalled Norton anti virus and installed Trend Micro's PC-cillin anti virus and it found some trojan virus that I deleted.
But when I tried to change the wallpaper in Display Properties (right click on desktop), I could not find the themes, wallpapers and other tabs wherein we can change the desktop properties. Only the 'Screen Saver' and 'Settings' tabs were found, and hence I could not find the other tabs. Somehow I found the wallpaper that has the virus warning, and when I tried to delete it, it said that the file is in use. I logged in in safe mode and deleted the wallpaper. Now the normal black background desktop is seen. But I could not get the other tabs in the display properties of the desktop.
How can I get the other tabs so that I can change my desktop properties with ease? Any help is highly appreciated. Also, enclosed is the HijackThis log.
************************** *****
Logfile of HijackThis v1.99.1
Scan saved at 12:45:45 AM, on 4/20/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Analog Devices\SoundMAX\Smax4.exe
C:\Program Files\Trend Micro\PC-cillin 2002\pccguide.exe
C:\Program Files\Trend Micro\PC-cillin 2002\PCCClient.exe
C:\Program Files\Trend Micro\PC-cillin 2002\Pop3trap.exe
C:\Program Files\AdwareFilter\adwarefilter.exe
C:\WINDOWS\Setup2K\SnapDetect.exe
C:\Program Files\Trend Micro\PC-cillin 2002\WebTrap.EXE
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Trend Micro\PC-cillin 2002\Tmntsrv.exe
C:\Program Files\Trend Micro\PC-cillin 2002\PCCPFW.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\DOCUME~1\VVRAME~1\LOCALS~1\Temp\Temporary Directory 6 for hijackthis_199.zip\HijackThis.exe
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn\ycomp5_5_7_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\PC-cillin 2002\pccguide.exe"
O4 - HKLM\..\Run: [PCCClient.exe] "C:\Program Files\Trend Micro\PC-cillin 2002\PCCClient.exe"
O4 - HKLM\..\Run: [Pop3trap.exe] "C:\Program Files\Trend Micro\PC-cillin 2002\Pop3trap.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - Global Startup: AdwareFilter Background Protection.lnk = C:\Program Files\AdwareFilter\adwarefilter.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: SnapDetect.lnk = ?
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{651BA556-9951-416C-9300-382AF01F83CF}: NameServer = 202.88.174.6,202.88.130.67
O17 - HKLM\System\CCS\Services\Tcpip\..\{7902F8D2-663C-4711-9344-9668EFA60C27}: NameServer = 202.88.174.6,202.88.130.67
O17 - HKLM\System\CS1\Services\Tcpip\..\{42E013E5-0C73-4FD7-8480-CDC97E2C02B0}: NameServer = 202.88.174.6,202.88.130.67
O17 - HKLM\System\CS2\Services\Tcpip\..\{651BA556-9951-416C-9300-382AF01F83CF}: NameServer = 202.88.174.6,202.88.130.67
O17 - HKLM\System\CS3\Services\Tcpip\..\{651BA556-9951-416C-9300-382AF01F83CF}: NameServer = 202.88.174.6,202.88.130.67
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: PC-cillin PersonalFirewall (PCCPFW) - Trend Micro Inc. - C:\Program Files\Trend Micro\PC-cillin 2002\PCCPFW.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Trend NT Realtime Service (Tmntsrv) - Trend Micro Inc. - C:\Program Files\Trend Micro\PC-cillin 2002\Tmntsrv.exe
*****************
Thanks & Regards,
Ramesh Chandra
ASKER CERTIFIED SOLUTION
This solution is only available to members.
ASKER
I've installed the fix given by you. All the tabs have reappeared, but I'm unable to change the background in the 'Desktop' tab.
Regards,
Ramesh Chandra
Here are the locations where XP stores background images:
%Systemroot%\Web\Wallpaper
%USERPROFILE%\My Documents\My Pictures (& sub-folders)
%AppData%\Microsoft\Internet Explorer
%ProgramFiles%\Plus!\Themes (& sub-folders)
Check them for "strange" files - one "bad" one that's been showing up is "desktop.html" -
look for html, htm, hta, files.
Folder.hta and desktop.ini are usually valid.
Try this:
Desktop fix -
http://ralphcaddell.com/Uploads/Background.zip
Back up your "Registry" before making changes.
Also, a good thing to do is change the default action for registry files (reg) from "Merge"
to "Edit".
RF
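The folder check described in the reply above, as an added example that is not part of the original thread: a Python script that walks the four listed locations and reports html/htm/hta files, skipping the names the reply calls usually valid. The function and constant names are assumptions made for this example, and it assumes Python is available on the affected machine.

```python
import os

# Locations listed in the reply above; True means "and sub-folders".
WALLPAPER_LOCATIONS = [
    (r"%SystemRoot%\Web\Wallpaper", False),
    (r"%USERPROFILE%\My Documents\My Pictures", True),
    (r"%AppData%\Microsoft\Internet Explorer", False),
    (r"%ProgramFiles%\Plus!\Themes", True),
]
SCRIPTABLE_EXTENSIONS = {".html", ".htm", ".hta"}
USUALLY_VALID = {"folder.hta", "desktop.ini"}  # named as usually valid in the reply


def find_scriptable_files(root, recursive):
    """Return sorted paths under root whose extension is html, htm or hta."""
    hits = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in filenames:
            ext = os.path.splitext(name)[1].lower()
            if ext in SCRIPTABLE_EXTENSIONS and name.lower() not in USUALLY_VALID:
                hits.append(os.path.join(dirpath, name))
        if not recursive:
            dirnames.clear()  # keep os.walk from descending into sub-folders
    return sorted(hits)


def scan_wallpaper_locations(locations=WALLPAPER_LOCATIONS):
    """Expand the %VAR% paths (on Windows) and scan each folder that exists."""
    report = {}
    for template, recursive in locations:
        root = os.path.expandvars(template)
        if os.path.isdir(root):
            report[root] = find_scriptable_files(root, recursive)
    return report


if __name__ == "__main__":
    for folder, files in scan_wallpaper_locations().items():
        print(folder)
        for path in files or ["(no html/htm/hta files)"]:
            print("  " + path)
```

Anything it lists is a candidate for manual review, not automatic deletion; a file that is in use may need to be removed from safe mode, as the asker found.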
Ramesh
Make sure you're logged on with Administrative privileges.
RF
Do you know what this is:
C:\WINDOWS\Setup2K\SnapDet
Do you have a USB camera?
RF