#1
Member (10 bit)

desktop problem
Guys, just got some dodgy trojan adware spy death thingies. I've got rid of them all, but now I can't change my desktop back to its original picture. The desktop properties are all greyed out so it won't let me select anything. This is my work PC so any help will be appreciated.
Cheers. It's Windows 2000.
__________________
Asus a8r 32mvp Deluxe motherboard, Athlon 64 4800+ Dual Core Socket 939 Water Cooled, 2048 Corsair ddr400 twin x xms pro + led lights, 2x Ati Radeon X1950XTX pci express graphics in crossfire mode, Creative soundblaster X-FI Fatal1ty series, Wd 80gb + Wd 40gb 7500 rpm se,WD Sata 2 500gb hd, Maxtor Diamondmax Plus 9 Sata 160 gb, External Maxtor OneTouch 250gb Firewired HDD, Thermaltake Tai Chi WaterCooled case, Enermax Noisetaker 600 watt Powersupply , Win Vista Ultimate Retail, 2 x Pioneer 111 16x16 Dual Layer dvdrw, Harmon kardon speakers, Samsung 226bw 22' widescreen

#2
Forum Administrator
Staff
Premium Member
Join Date: May 2000
Location: Joplin MO
Posts: 37,791

Set your folder options to show system and hidden files, and unhide extensions for known file types. Go to c:\documents and settings\(user name)\desktop and delete desktop.ini if it's in there.

#3
Member (10 bit)

Done all that, glc, no joy, it's not in there.

#4
Member (10 bit)
Join Date: Apr 2005
Posts: 537

By any chance did the dodgy trojan spyware thingy have 'smitfraud' in the title?
Only askin' coz I know if removed incorrectly it locks out the desktop properties. A quick Google for smitfraud removal will find the fix.

#5
Member (6 bit)
Join Date: Oct 2004
Posts: 35

The same thing happened to me. Open up regedit and go to [HKCU/Software/Microsoft/Windows/CurrentVersion/Policies/System]... If there is a string of data that is looking for, like, "C:\windows\desktop.html" (the data string I found, for example), then delete that data string. Then go to where that desktop.html was found and delete that too. I hope that helps.

#6
Member (9 bit)
Join Date: Mar 2002
Location: New York
Posts: 479

Hi guys,
I have a similar problem and someone referred me to this thread. The laptop I'm trying to fix has a weird desktop background that switches from white to light gray as the mouse pointer hovers over it. The right-click menu is different than what it should look like, and when I click Properties a dialog comes up looking for C:\Windows\desktop.html, which doesn't exist. (I just realized he doesn't have Notepad as well.) Anyway, the registry edit fix doesn't work because he doesn't have that data string I'm supposed to delete, so is there anywhere else it might be found? I'll try the smitfraud fix in the morning, but now that I notice he's missing other programs I might just have to reformat. Thanx
__________________
Intel E6750 @ 3.2GHz | Gigabyte GA-P35-DS3R | EVGA 8800GTS 320MB ACS3 | Corsair XMS2 DDR800 (4x1GB) | Corsair 520HX | Seagate Barracuda 7200.10 320GB | Lite-On Combo Drive | Vista 32-bit

#7
Member (10 bit)

Thanks for all the replies guys, I'll try it on Monday, when I'm back in work.
negava, I didn't see a name, but what happened was for no reason a load, and I mean a load, of dodgy icons just appeared on my desktop, about 20 of them. I have seen this before, so I spysweeped, ad awared, and spybotted them all away. So far all OK, apart from not being able to change my desktop back to its original wallpaper. It's just blue. When it boots up, you see it for 10 secs, then reverts to blue, so there is definitely something still running, just can't find the little git.

#8
Member (6 bit)
Join Date: Apr 2002
Posts: 50

Hi, I just want to know if you have solved your problem... I have the same problem as yours... the desktop is locked.. I can't change it.. and the display says 'Security Warning' ... a fatal error caused by trojan-spy.html.smithfraud... can you please help me...

#9
Member (10 bit)

Looked for those reg strings, and I haven't got them. All those programs installed themselves again before, so something is on here.

#10
Member (10 bit)

meckhey, try this link: http://www.bleepingcomputer.com/foru...FY-t17258.html
Seems I haven't got this smithfraud thing, but you have. See if the link helps you.

#11
Member (6 bit)
Join Date: Apr 2002
Posts: 50

Thanks for the reply... but it's a very long process.. I think I have to reinstall XP instead..

#12
Barefoot on the Moon!
Staff
Premium Member
Join Date: Aug 2002
Location: Northeastern USA
Posts: 13,385

regans cortina,
Right-click on desktop > Properties > "Background" tab. Check to see what the name of the selected image is. Go into C:\winnt and delete the file(s) that have this name.
__________________
There are two secrets to staying young, being happy, and achieving success. You have to laugh and find humor every day, and you have to have a dream.

#13
Member (10 bit)

Force, it just comes up with an Explorer icon. The Active Desktop icon is greyed out, and I can't turn that off either.

#14
Member (10 bit)

Thought I'd post a copy of the HijackThis logfile, see if it helps.

#15
Member (1 bit)
Join Date: Oct 2005
Posts: 1

I had the same problem where a client's desktop displayed the title message "SPYWARE INFECTION" along with another message below that. The solution offered by GTetraKai resolved my issue. Once I logged out and logged back in, my desktop came back after having removed the value "desktop.html" from the string "Wallpaper" within the following registry entry:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System

Although I'm sure you've since fixed this issue, I've created a registry fix that you can download and merge into your own registry that will clear the string value automagically: http://jacobi.cc/fixwall.reg

Vince
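
An added example, not part of the original thread or anyone's posted fix: a Python audit of a regedit export that reports the forced `Wallpaper` value described in posts #5 and #15, plus related display-lock values, before anything is deleted. The sample export is constructed, and every watched name other than `Wallpaper` is an assumption (standard Windows policy value names, not taken from the thread).

```python
import re

POLICIES = r"hkey_current_user\software\microsoft\windows\currentversion\policies"
# Value names that pin the wallpaper or grey out Display Properties. Only
# "Wallpaper" is named in the thread; the others are standard Windows policy
# value names, included here as an assumption about what else to check.
WATCHED = {"wallpaper", "wallpaperstyle", "nodispcpl", "nodispbackgroundpage",
           "nodispappearancepage", "nodispscrsavpage", "nodispsettingspage",
           "nochangingwallpaper", "forceactivedesktopon", "noactivedesktopchanges"}
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')

def unescape(s):
    # .reg string data escapes backslash and double quote with a backslash
    return re.sub(r"\\(.)", r"\1", s)

def audit_reg_export(text):
    """Return [(key, value_name, data)] for watched values under Policies."""
    findings, key = [], None
    text = re.sub(r",\\\r?\n\s*", ",", text)  # join hex: continuation lines
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            continue
        m = VALUE_RE.match(line)
        if not (m and key and key.lower().startswith(POLICIES)):
            continue
        name, raw = unescape(m.group(1)), m.group(2)
        if name.lower() not in WATCHED:
            continue
        is_string = len(raw) >= 2 and raw[0] == raw[-1] == '"'
        # dword:/hex: data is reported exactly as written in the export
        findings.append((key, name, unescape(raw[1:-1]) if is_string else raw))
    return findings

# Constructed sample export (regedit > Export), not taken from the thread's PCs
SAMPLE = r'''REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"Wallpaper"="C:\\windows\\desktop.html"
"NoDispBackgroundPage"=dword:00000001

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoDriveTypeAutoRun"=dword:00000091
'''

if __name__ == "__main__":
    for key, name, data in audit_reg_export(SAMPLE):
        print(f"{key}\n    {name} = {data}")
```

Exports saved in the "Windows Registry Editor Version 5.00" format are UTF-16, so decode the file with `encoding="utf-16"` before passing its text to `audit_reg_export`.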