Link to home
Start Free TrialLog in
Avatar of vvrchandra
vvrchandra

asked on

Desktop Hijack..

Hi,
  Recently when I'm browsing the net, some files/applications got installed automatically. My system does a a Norton Anti Virus Corporate edition and Microsoft Anti Spyware(beta) installed. The anti spyware got alerted and asked me to block or allow the changes/installation. I blocked everything . But some how my system got infected with some sort of virus/spyware/adware. My original desktop is gone and now a new desktop with complete Blue background with some text written on it saying ''SDecurity warning - A fatal error in IE has occured at ....in VXD..... Error was caused by Trojan-Spy.HTML.Smitfraud.c. And then below it showed 'System cannot function in normal mode. PL. check you security settings and also asked to scanthe PC with available antivirus/spyware remover program to fix the problem'.
I ran the Norton antivirus but it could not find anything. When the anti spyware from Mirosoft was run, it found out some bugs and i deleted them . I later uninstalled Norton anti virus and installed Trend Micro's Pc cillin anti virus and it found some trojan virus that i deleted.
  But, when I tried to change the wall paper , Display properties(right click on desktop), I could not find the themes, wallpapers and other tabs where in we can change the desktop properties. Only 'Screen Saver' and 'Settings' tabs were found and hence could not find the other tabs. Some how i found out the wall paper that has the virus warning and when i tried to delete it , it says that the file is in use. I logged in safe mode and deleted the wallpaper . Now the normal black background desktop is seen. But could not get the other tabs in the display properties of desktop.
  How can I get the other tabs so that  can change my desktop properties with ease. ANy help is highly appreciated. Also, find enclosed is the Hijack this log ..
*******************************
Logfile of HijackThis v1.99.1
Scan saved at 12:45:45 AM, on 4/20/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Analog Devices\SoundMAX\Smax4.exe
C:\Program Files\Trend Micro\PC-cillin 2002\pccguide.exe
C:\Program Files\Trend Micro\PC-cillin 2002\PCCClient.exe
C:\Program Files\Trend Micro\PC-cillin 2002\Pop3trap.exe
C:\Program Files\AdwareFilter\adwarefilter.exe
C:\WINDOWS\Setup2K\SnapDetect.exe
C:\Program Files\Trend Micro\PC-cillin 2002\WebTrap.EXE
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Trend Micro\PC-cillin 2002\Tmntsrv.exe
C:\Program Files\Trend Micro\PC-cillin 2002\PCCPFW.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\DOCUME~1\VVRAME~1\LOCALS~1\Temp\Temporary Directory 6 for hijackthis_199.zip\HijackThis.exe

O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn\ycomp5_5_7_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\PC-cillin 2002\pccguide.exe"
O4 - HKLM\..\Run: [PCCClient.exe] "C:\Program Files\Trend Micro\PC-cillin 2002\PCCClient.exe"
O4 - HKLM\..\Run: [Pop3trap.exe] "C:\Program Files\Trend Micro\PC-cillin 2002\Pop3trap.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - Global Startup: AdwareFilter Background Protection.lnk = C:\Program Files\AdwareFilter\adwarefilter.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: SnapDetect.lnk = ?
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{651BA556-9951-416C-9300-382AF01F83CF}: NameServer = 202.88.174.6,202.88.130.67
O17 - HKLM\System\CCS\Services\Tcpip\..\{7902F8D2-663C-4711-9344-9668EFA60C27}: NameServer = 202.88.174.6,202.88.130.67
O17 - HKLM\System\CS1\Services\Tcpip\..\{42E013E5-0C73-4FD7-8480-CDC97E2C02B0}: NameServer = 202.88.174.6,202.88.130.67
O17 - HKLM\System\CS2\Services\Tcpip\..\{651BA556-9951-416C-9300-382AF01F83CF}: NameServer = 202.88.174.6,202.88.130.67
O17 - HKLM\System\CS3\Services\Tcpip\..\{651BA556-9951-416C-9300-382AF01F83CF}: NameServer = 202.88.174.6,202.88.130.67
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: PC-cillin PersonalFirewall (PCCPFW) - Trend Micro Inc. - C:\Program Files\Trend Micro\PC-cillin 2002\PCCPFW.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Trend NT Realtime Service (Tmntsrv) - Trend Micro Inc. - C:\Program Files\Trend Micro\PC-cillin 2002\Tmntsrv.exe
*****************

Thanks & Regards,
Ramesh Chandra

 
ASKER CERTIFIED SOLUTION
Avatar of rossfingal
rossfingal
Flag of United States of America image
Link to home
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
Start Free Trial
Avatar of rossfingal
rossfingal
Flag of United States of America image
By the way - your log file doesn't show anything that stands out as bad.

Do you know what this is:
C:\WINDOWS\Setup2K\SnapDetect.exe
Do you have a USB camera?

RF
 
Avatar of vvrchandra
vvrchandra

ASKER

I've installed the fix given by u. All the tabs have reappeared but I'm unable to change the background in the 'Desktop' tab.

Regards,
Ramesh Chandra
Avatar of rossfingal
rossfingal
Flag of United States of America image
Here are the locations where XP stores background images:

%Systemroot%\Web\Wallpaper
%USERPROFILE%\My Documents\My Pictures (& sub-folders)
%AppData%\Microsoft\Internet Explorer
%ProgramFiles%\Plus!\Themes (& sub-folders)

Check them for "strange" files - one "bad" one that's been showing up is "desktop.html" -
look for html, htm, hta, files.
Folder.hta and desktop.ini are usually valid.

Try this:
Desktop fix -
http://ralphcaddell.com/Uploads/Background.zip
Back up your "Registry" before making changes.

Also, a good thing to do is change the default action for registry files (reg) from "Merge"
to "Edit".

RF
Avatar of rossfingal
rossfingal
Flag of United States of America image
Ramesh

Make sure you're logged on with Administrative privileges.

RF