Desktop Hijack..

Posted on 2005-04-19
Last Modified: 2007-12-19
  Recently, when I was browsing the net, some files/applications got installed automatically. My system does have Norton Anti Virus Corporate edition and Microsoft Anti Spyware (beta) installed. The anti spyware alerted me and asked me to block or allow the changes/installation. I blocked everything. But somehow my system got infected with some sort of virus/spyware/adware. My original desktop is gone and now there is a new desktop with a completely blue background with some text written on it saying ''SDecurity warning - A fatal error in IE has occured at VXD..... Error was caused by Trojan-Spy.HTML.Smitfraud.c.'' And then below it showed 'System cannot function in normal mode. PL. check you security settings' and also asked to scan the PC with an available antivirus/spyware remover program to fix the problem.
I ran the Norton antivirus but it could not find anything. When the anti spyware from Microsoft was run, it found some bugs and I deleted them. I later uninstalled Norton anti virus and installed Trend Micro's PC-cillin anti virus and it found some trojan virus that I deleted.
  But when I tried to change the wallpaper in Display properties (right click on desktop), I could not find the themes, wallpapers and other tabs wherein we can change the desktop properties. Only the 'Screen Saver' and 'Settings' tabs were found. Somehow I found the wallpaper that has the virus warning, and when I tried to delete it, it said that the file is in use. I logged in in safe mode and deleted the wallpaper. Now the normal black background desktop is seen. But I could not get the other tabs in the display properties of the desktop.
  How can I get the other tabs so that I can change my desktop properties with ease? Any help is highly appreciated. Also, enclosed is the HijackThis log.
Logfile of HijackThis v1.99.1
Scan saved at 12:45:45 AM, on 4/20/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\Analog Devices\SoundMAX\Smax4.exe
C:\Program Files\Trend Micro\PC-cillin 2002\pccguide.exe
C:\Program Files\Trend Micro\PC-cillin 2002\PCCClient.exe
C:\Program Files\Trend Micro\PC-cillin 2002\Pop3trap.exe
C:\Program Files\AdwareFilter\adwarefilter.exe
C:\Program Files\Trend Micro\PC-cillin 2002\WebTrap.EXE
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Program Files\Trend Micro\PC-cillin 2002\Tmntsrv.exe
C:\Program Files\Trend Micro\PC-cillin 2002\PCCPFW.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\DOCUME~1\VVRAME~1\LOCALS~1\Temp\Temporary Directory 6 for\HijackThis.exe

O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn\ycomp5_5_7_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\PC-cillin 2002\pccguide.exe"
O4 - HKLM\..\Run: [PCCClient.exe] "C:\Program Files\Trend Micro\PC-cillin 2002\PCCClient.exe"
O4 - HKLM\..\Run: [Pop3trap.exe] "C:\Program Files\Trend Micro\PC-cillin 2002\Pop3trap.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - Global Startup: AdwareFilter Background Protection.lnk = C:\Program Files\AdwareFilter\adwarefilter.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: SnapDetect.lnk = ?
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) -
O17 - HKLM\System\CCS\Services\Tcpip\..\{651BA556-9951-416C-9300-382AF01F83CF}: NameServer =,
O17 - HKLM\System\CCS\Services\Tcpip\..\{7902F8D2-663C-4711-9344-9668EFA60C27}: NameServer =,
O17 - HKLM\System\CS1\Services\Tcpip\..\{42E013E5-0C73-4FD7-8480-CDC97E2C02B0}: NameServer =,
O17 - HKLM\System\CS2\Services\Tcpip\..\{651BA556-9951-416C-9300-382AF01F83CF}: NameServer =,
O17 - HKLM\System\CS3\Services\Tcpip\..\{651BA556-9951-416C-9300-382AF01F83CF}: NameServer =,
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: PC-cillin PersonalFirewall (PCCPFW) - Trend Micro Inc. - C:\Program Files\Trend Micro\PC-cillin 2002\PCCPFW.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Trend NT Realtime Service (Tmntsrv) - Trend Micro Inc. - C:\Program Files\Trend Micro\PC-cillin 2002\Tmntsrv.exe

Thanks & Regards,
Ramesh Chandra

Question by:vvrchandra

    Accepted Solution


    Try this fix:

    Restore All Display Tabs

    Expert Comment

    By the way - your log file doesn't show anything that stands out as bad.

    Do you know what this is:
    Do you have a USB camera?


    Author Comment

    I've installed the fix given by you. All the tabs have reappeared but I'm unable to change the background in the 'Desktop' tab.

    Ramesh Chandra

    Expert Comment

    Here are the locations where XP stores background images:

    %USERPROFILE%\My Documents\My Pictures (& sub-folders)
    %AppData%\Microsoft\Internet Explorer
    %ProgramFiles%\Plus!\Themes (& sub-folders)

    Check them for "strange" files - one "bad" one that's been showing up is "desktop.html" -
    look for html, htm, hta files.
    Folder.hta and desktop.ini are usually valid.

    Try this:
    Desktop fix -
    Back up your "Registry" before making changes.

    Also, a good thing to do is change the default action for registry files (reg) from "Merge"
    to "Edit".
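
The folder check described in the comment above, written out as an added example (not part of the original thread). Using Python is an assumption, as the thread names no tool; the function and constant names are hypothetical, while the folders, extensions and the two "usually valid" file names are the ones listed in the comment.

```python
import os
import time

# Folders named in the comment above (Windows XP wallpaper locations).
WALLPAPER_DIRS = [
    r"%USERPROFILE%\My Documents\My Pictures",
    r"%AppData%\Microsoft\Internet Explorer",
    r"%ProgramFiles%\Plus!\Themes",
]
SUSPECT_EXTENSIONS = {".html", ".htm", ".hta"}   # file types the comment says to look for
USUALLY_VALID = {"folder.hta", "desktop.ini"}    # names the comment says are usually valid


def find_suspect_files(roots):
    """Walk each root (sub-folders included) and return a list of
    (path, size_bytes, modified) for html/htm/hta files to review by hand."""
    hits = []
    for root in roots:
        expanded = os.path.expandvars(root)      # expands %VAR% on Windows
        if not os.path.isdir(expanded):
            continue                             # location not present on this machine
        for dirpath, _dirs, files in os.walk(expanded):
            for name in files:
                lower = name.lower()             # Windows file names are case-insensitive
                if lower in USUALLY_VALID:
                    continue
                if os.path.splitext(lower)[1] not in SUSPECT_EXTENSIONS:
                    continue
                full = os.path.join(dirpath, name)
                try:
                    st = os.stat(full)
                    size, mtime = st.st_size, st.st_mtime
                except OSError:
                    size, mtime = None, None     # e.g. file locked; still report it
                hits.append((full, size, mtime))
    return sorted(hits, key=lambda h: h[0].lower())


if __name__ == "__main__":
    for path, size, mtime in find_suspect_files(WALLPAPER_DIRS):
        when = time.strftime("%Y-%m-%d %H:%M", time.localtime(mtime)) if mtime else "unknown"
        print(f"{when}  {size if size is not None else '?':>8}  {path}")
```

The modification time is printed so that a hit can be compared against the date the desktop changed; the script only lists files and deletes nothing.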

    Expert Comment


    Make sure you're logged on with Administrative privileges.

