desktop problem

[regans cortina]

guys, just got some dodgy trojan adware spy death thingys. ive got rid of them all , but now i cant change my desktop back to its original picture . the desktop properties are all greyed out so it wont let me select anything. This is my work pc so any help will be appreciated
cheers .

its windows 2000

[glc]

Set your folder options to show system and hidden files, and unhide extensions for known file types. Go to c:\documents and settings\(user name)\desktop and delete desktop.ini if it's in there.

[regans cortina]

done all that glc, no joy , its not in there .

[Negeva]

by any chance did the dodgy trojan spyware thingy have 'smitfraud' in the title?

only askin coz i know if removed incorrectly it locks out the desktop properties. a quick google for smitfraud removal will find the fix.

[GTetraKai]

The same thing happened to me. Open up regedit and go to [HKCU/Software/Microsoft/Windows/CurrentVersion/Policies/System]. . . if there is a string of data that is looking for like "C:\windows\desktop.html" (the data string i found, for example) then delete that data string. Then go to where that desktop.html was found and delete that too. I hope that helps.

[Dswissmiss]

Hi guys,

I have a similar problem and someone referred me to this thread. The laptop I'm trying to fix has a weird desktop background that switches from white to light gray as the mouse pointer hovers over it. The right klick menu is different than what it should look like, and when I click properties a dialog comes up looking for C:\Windows\desktop.html, which doesn't exist. (I just realized he doesn't have notepad as well).

Anyway, the registry edit fix doesnt work because he doesn't have that data string I'm supposed to delete, so is there anywhere else it might be found?

I'll try the smitfraud fix in the morning, but now that I notice he's missing other programs I might just have to reformat.

Thanx

[regans cortina]

Thanks for all the replies guys, ill try it on monday , when im back in work.
negava, i didnt see a name , but what happened was for no reason a load , and i mean a load of dodgy icons just appeared on my desktop, about 20 of them . i have seen this before , so i spysweeped , ad awared, and spybotted them all away. so far all ok , apart from not being able to change my desktop back to its original wallpaper. its just blue. when it boots up , u see it for 10 secs , then reverts to blue, so there is definately something still running , just cant find the little git.

[meckhay]

hi, i just want to know if you have solved your problem... i have the same problem with yours... the desktop is locked.. i cant change it.. and the display says 'Security Warning' ... a fatal error cause by trojan-spy.html.smithfraud... can u please help me...

[regans cortina]

looked for those reg strings , and i havent got them. all those programs installed themselves again before , so something is on here.

[regans cortina]

meckhey , try this link , http://www.bleepingcomputer.com/foru...FY-t17258.html


Seems i havent got this smithfraud thing , but you have . see if the link helps you.

[meckhay]

thanks for the reply... but it's a very long process.. i think i have to re install XP instead..

[Force Flow]

regans cortina,

right click on deskop > properties > "background" tab.

Check to see what the name of the selected image is. Go into C:\winnt and delete the file(s) that have this name.

[regans cortina]

Force , it just comes up with an explorer icon . the active desktop icon is greyed out , and i cant turn that off either.

[regans cortina]

Thought id post a copy of the hijack this logfile , see if it helps

Logfile of HijackThis v1.99.1
Scan saved at 11:55:41, on 21/06/2005
Platform: Windows 2000 SP3 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\SYS\WINDOWS\System32\smss.exe
C:\SYS\WINDOWS\system32\winlogon.exe
C:\SYS\WINDOWS\system32\services.exe
C:\SYS\WINDOWS\system32\lsass.exe
C:\SYS\WINDOWS\system32\svchost.exe
C:\SYS\WINDOWS\system32\LEXBCES.EXE
C:\SYS\WINDOWS\system32\spoolsv.exe
C:\SYS\WINDOWS\System32\drivers\trcboot.exe
C:\SYS\Pcom\PCS_AGNT.EXE
C:\SYS\WINDOWS\system32\Brmfrmps.exe
C:\SYS\WINDOWS\System32\BrmfRsmg.exe
C:\Program Files\NavNT\defwatch.exe
C:\SYS\WINDOWS\System32\svchost.exe
C:\SYS\WINDOWS\system32\cba\pds.exe
C:\Program Files\Tivoli\lcf\bin\w32-ix86\mrt\LCFD.EXE
C:\Program Files\NavNT\rtvscan.exe
C:\SYS\WINDOWS\system32\MSTask.exe
C:\SYS\WINDOWS\system32\stisvc.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\SYS\WINDOWS\RCSERV.EXE
C:\SYS\WINDOWS\System32\WBEM\WinMgmt.exe
C:\SYS\WINDOWS\system32\cba\xfr.exe
C:\SYS\WINDOWS\system32\MsgSys.EXE
C:\SYS\WINDOWS\System32\drivers\ldlcserv.exe
C:\SYS\WINDOWS\system32\os2ss.exe
C:\SYS\WINDOWS\Explorer.EXE
C:\Program Files\Scansoft\PaperPort\pptd40nt.exe
C:\SYS\WINDOWS\System32\internat.exe
C:\Program Files\Scansoft\PaperPort\PopUp\SmartUI.exe
C:\Program Files\Scansoft\PaperPort\PPLinks.exe
C:\SYS\WINDOWS\System32\OS2SRV.EXE
C:\Documents and Settings\admin\Desktop\hijack this\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.peugeotlink.co.uk/formslo...p?/Default.asp
O1 - Hosts: 172.21.11.120 SNA1
O1 - Hosts: 172.21.11.120 SNA2
O1 - Hosts: 172.21.11.120 SNA3
O1 - Hosts: 172.21.11.112 accecit.citroen.INETPSA.COM
O1 - Hosts: 172.21.11.110 sngauth.INETPSA.COM
O1 - Hosts: 172.21.11.110 ereca.peugeot.INETPSA.COM
O1 - Hosts: 172.21.11.110 epgc.peugeot.INETPSA.COM
O1 - Hosts: 172.21.11.110 estory.peugeot.INETPSA.COM
O1 - Hosts: 172.21.11.110 dialog.peugeot.INETPSA.COM
O1 - Hosts: 172.21.11.110 sagai.peugeot.INETPSA.COM
O1 - Hosts: 172.21.11.110 forbox.peugeot.INETPSA.COM
O1 - Hosts: 172.21.11.110 viper.peugeot.INETPSA.COM
O1 - Hosts: 172.21.11.110 pays.peugeot.INETPSA.COM
O1 - Hosts: 172.21.11.110 ereca.citroen.INETPSA.COM
O1 - Hosts: 172.21.11.112 connect.peugeot.INETPSA.COM
O1 - Hosts: 172.21.11.110 parts.peugeot.INETPSA.COM
O1 - Hosts: 172.21.11.110 stefi.peugeot.INETPSA.COM
O1 - Hosts: 172.21.11.110 trmsdcssafir.INETPSA.COM
O1 - Hosts: 172.21.11.110 download.dcs.peugeot.INETPSA.COM
O1 - Hosts: 172.21.11.110 force.INETPSA.COM
O1 - Hosts: 172.21.11.110 edoc-partners.peugeot.INETPSA.COM
O1 - Hosts: 172.21.11.110 edoc-partners.INETPSA.COM
O1 - Hosts: 172.21.11.110 stefi.INETPSA.COM
O1 - Hosts: 172.21.11.110 www.infotec.INETPSA.COM
O1 - Hosts: 172.21.11.110 www.laser.INETPSA.COM
O1 - Hosts: 172.21.11.110 parts.INETPSA.COM
O1 - Hosts: 172.21.11.110 file-transfer.INETPSA.COM
O1 - Hosts: 172.21.11.110 download.dcs.INETPSA.COM
O1 - Hosts: 172.21.11.125 agape.INETPSA.COM
O1 - Hosts: 172.21.11.110 recolte.weboscope.INETPSA.COM
O1 - Hosts: 172.21.11.110 ogd.peugeot.INETPSA.COM
O1 - Hosts: 172.21.11.110 optics.peugeot.INETPSA.COM
O1 - Hosts: 172.21.11.110 credipar.sandra.INETPSA.COM
O1 - Hosts: 172.21.11.113 portail.INETPSA.COM
O1 - Hosts: 172.21.11.110 edoc-partners.citroen.INETPSA.COM
O1 - Hosts: 172.21.11.110 stefi.citroen.INETPSA.COM
O1 - Hosts: 172.21.11.110 epgc.citroen.INETPSA.COM
O1 - Hosts: 172.21.11.110 optics.citroen.INETPSA.COM
O1 - Hosts: 172.21.11.110 download.dcs.citroen.INETPSA.COM
O1 - Hosts: 172.21.11.110 cit-learning.citroen.INETPSA.COM
O1 - Hosts: 172.21.11.110 forboxv3.citroen.INETPSA.COM
O1 - Hosts: 172.21.11.110 forbox.citroen.INETPSA.COM
O1 - Hosts: 171.21.11.110 fr.dialog.citroen.INETPSA.COM
O1 - Hosts: 171.21.11.110 dialog.citroen.INETPSA.COM
O1 - Hosts: 171.21.11.110 sagai.citroen.INETPSA.COM
O1 - Hosts: 171.21.11.110 parts.citroen.INETPSA.COM
O1 - Hosts: 172.21.11.110 edoc.fr.citroen-net.INETPSA.COM
O1 - Hosts: 172.21.11.110 estory.citroen.INETPSA.COM
O1 - Hosts: 172.21.11.110 planetdefi.peugeot.INETPSA.COM
O1 - Hosts: 172.21.11.110 planetdefi.pub.peugeot.INETPSA.COM
O1 - Hosts: 172.21.11.110 plms.peugeot.INETPSA.COM
O1 - Hosts: 172.21.11.110 else.INETPSA.COM
O1 - Hosts: 172.21.11.110 sesame.INETPSA.COM
O1 - Hosts: 172.21.11.110 sici.INETPSA.COM
O1 - Hosts: 172.21.11.110 oasispr.INETPSA.COM
O1 - Hosts: 172.21.11.110 back.oasispr.INETPSA.COM
O1 - Hosts: 172.21.11.110 livia.citroen.INETPSA.COM
O1 - Hosts: 172.21.11.110 networkservice.citroen.INETPSA.COM
O1 - Hosts: 172.21.11.110 servicebox.peugeot.INETPSA.COM
O1 - Hosts: 172.21.11.110 edocapvpr.citroen.INETPSA.COM
O1 - Hosts: 172.21.11.110 edocapvpr.peugeot.INETPSA.COM
O1 - Hosts: 172.21.11.110 estim.citroen.INETPSA.COM
O1 - Hosts: 172.21.11.110 estim.peugeot.INETPSA.COM
O1 - Hosts: 172.21.11.110 dealerview.citroen.INETPSA.COM
O1 - Hosts: 172.21.11.110 dealerview.peugeot.INETPSA.COM
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [PaperPort PTD] C:\Program Files\Scansoft\PaperPort\pptd40nt.exe
O4 - HKLM\..\Run: [IndexSearch] C:\Program Files\Scansoft\PaperPort\IndexSearch.exe
O4 - HKLM\..\Run: [SetDefPrt] C:\Program Files\Brother\Brmfl03a\BrStDvPt.exe
O4 - HKCU\..\Run: [internat.exe] internat.exe
O4 - Global Startup: Brother SmartUI PopUp.lnk = C:\Program Files\Scansoft\PaperPort\PopUp\SmartUI.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: *.windupdates.com (HKLM)
O15 - Trusted IP range: 67.19.178.84
O15 - Trusted IP range: 67.19.178.84 (HKLM)
O16 - DPF: {76E5AF9D-2B3E-4FEB-A31F-A9E63A27FA29} (IASRunner Class) - https://www.ibm.com/pc/support/acces...tent/AcpIR.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/ms...downloader.cab
O20 - Winlogon Notify: NavLogon - C:\SYS\WINDOWS\System32\NavLogon.dll
O23 - Service: Brother Popup Suspend service for Resource manager (brmfrmps) - Unknown owner - C:\SYS\WINDOWS\system32\Brmfrmps.exe" -service (file missing)
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\SYS\WINDOWS\System32\dmadmin.exe
O23 - Service: Intel File Transfer - Intel® Corporation - C:\SYS\WINDOWS\system32\cba\xfr.exe
O23 - Service: Intel PDS - Intel® Corporation - C:\SYS\WINDOWS\system32\cba\pds.exe
O23 - Service: Tivoli Endpoint (lcfd) - Unknown owner - C:\Program Files\Tivoli\lcf\bin\w32-ix86\mrt\LCFD.EXE
O23 - Service: ldlcserv - Unknown owner - C:\SYS\WINDOWS\System32\drivers\ldlcserv.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\SYS\WINDOWS\system32\LEXBCES.EXE
O23 - Service: svchost.exe (moto) - Unknown owner - C:\SYS\WINDOWS\svchost.exe (file missing)
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: Tivoli Remote Control Service (TME10RC) - TIVOLI Systems - C:\SYS\WINDOWS\RCSERV.EXE
O23 - Service: TrcBoot - Unknown owner - C:\SYS\WINDOWS\System32\drivers\trcboot.exe

[vjacobi]

I had the same problem where a client's desktop displayed the title message "SPYWARE INFECTION" along with another message below that. The solution offered by GTetraKai resolved my issue. Once I logged out and logged back in, my desktop came back after having removed the value "desktop.html" from the string "Walpaper" within the following registry entry:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System

Although I'm sure you've since fixed this issue, I've created a registry fix that you can download and merge into your own registry that will clear the string value automagically:

http://jacobi.cc/fixwall.reg

Vince