[jchan]

okay, so my brother was using the laptop surfing the net. but when i came back home, the entire desktop just disappeared, just replaced by the big red screen and a huge spyware warning. i know that it was malware and that the warning was an ad placed by the malware. i managed to remove the trojan off my machine. only problem now is that my original desktop icons and folders are gone. but now i have this "new" desktop which still has the my computer and the other system icons. this new desktop won't even allow me to change the background. so in summary:

1)was infected by desktop hijack
2)removed the malware
3)cannot restore original desktop
4)have 2 desktop folders (the "new" one cannot be deleted)
5)background cannot be selected in the display properties

anybody can shed any light on my situation?

[Advertisements]

problem fixed

here's a solution i came up with

ok there buddy
the whole change display may be a solution, but it is a band-aid solution nevertheless.

What you have here is a nasty little trojan, it modifies your desktop, replaces it with a newly created one eg. desktop.html or C:\desktop (notice how it's different from c:\documents and settings\user\Desktop)
this little bugger also modifies your regedit in reference to your disabled right mouseclick options. lastly, it disables your ability to change the background wallpaper. One must also not forget that a keylogger/pw stealer is usually attached with this bug.

Run a virus scan using Trend microsystems, Panda Software, and etc. Do this in safemode and make sure you disable system restore.

you'll need these programs: Cleanup! v3.1, Pocket Killbox, HJT, CWS, Spysubtract, Spybot search and destroy, and Lavasoft.

run the antispyware programs and virus scanners in safe mode. When they ask for a reboot make sure you boot into safe mode again.

Once you're done that reboot in safe mode, run Hijackthis. make note of the "odd" files. those tend to be bad. remove them. if you can't move to the next step run Cleanup!

Let Cleanup! finish, reboot into safemode again, run it again to finish up it's final processes. Once that is done, remember the files you couldn't delete? Run Killbox.

In Killbox, you'll have to manually input each individual file. type in the directory of the file (in my case it was vdm32, mszx23.exe, pa.ad3, p2.ini etc....) check off the "remove from registry" option and the "delete on reboot" option. now you click the delete option, it will ask u if you are sure, click yes, then it will ask if you want to reboot: if you have not finished inputing the names of the files, press no to continue inputing more files. if you've finished click yes to reboot.

reboot into safemode again. run HJT and all the antispyware, antivirus programs. you should be clear of the virus.

now on to the registry: remember don't mess around with it, consequences can be astronomical!

open regedit in Start>Run>Regedit
find the NoViewContextMenu using Ctrl-F
double click NoViewContextMenu and enter 0 for its value

UKey:[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
SKey:[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
Value Name: NoViewContextMenu
Data Type: REG_DWORD (DWORD Value)
Value Data: (0 = disabled, 1 = enabled)

as for your missing desktop, in regedit look for all instances of
c:\desktop

and replace with
c:\documents and settings\user\Desktop *
*note user would be the name of the user it can be Bob, Jane Etc.. in short it's the name of the account

hope that helps, it worked for me, only thing i'm trying to figure out is re-enabling the wallpapers

[jchan]

problem fixed

here's a solution i came up with

ok there buddy
the whole change display may be a solution, but it is a band-aid solution nevertheless.

What you have here is a nasty little trojan, it modifies your desktop, replaces it with a newly created one eg. desktop.html or C:\desktop (notice how it's different from c:\documents and settings\user\Desktop)
this little bugger also modifies your regedit in reference to your disabled right mouseclick options. lastly, it disables your ability to change the background wallpaper. One must also not forget that a keylogger/pw stealer is usually attached with this bug.

Run a virus scan using Trend microsystems, Panda Software, and etc. Do this in safemode and make sure you disable system restore.

you'll need these programs: Cleanup! v3.1, Pocket Killbox, HJT, CWS, Spysubtract, Spybot search and destroy, and Lavasoft.

run the antispyware programs and virus scanners in safe mode. When they ask for a reboot make sure you boot into safe mode again.

Once you're done that reboot in safe mode, run Hijackthis. make note of the "odd" files. those tend to be bad. remove them. if you can't move to the next step run Cleanup!

Let Cleanup! finish, reboot into safemode again, run it again to finish up it's final processes. Once that is done, remember the files you couldn't delete? Run Killbox.

In Killbox, you'll have to manually input each individual file. type in the directory of the file (in my case it was vdm32, mszx23.exe, pa.ad3, p2.ini etc....) check off the "remove from registry" option and the "delete on reboot" option. now you click the delete option, it will ask u if you are sure, click yes, then it will ask if you want to reboot: if you have not finished inputing the names of the files, press no to continue inputing more files. if you've finished click yes to reboot.

reboot into safemode again. run HJT and all the antispyware, antivirus programs. you should be clear of the virus.

now on to the registry: remember don't mess around with it, consequences can be astronomical!

open regedit in Start>Run>Regedit
find the NoViewContextMenu using Ctrl-F
double click NoViewContextMenu and enter 0 for its value

UKey:[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
SKey:[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
Value Name: NoViewContextMenu
Data Type: REG_DWORD (DWORD Value)
Value Data: (0 = disabled, 1 = enabled)

as for your missing desktop, in regedit look for all instances of
c:\desktop

and replace with
c:\documents and settings\user\Desktop *
*note user would be the name of the user it can be Bob, Jane Etc.. in short it's the name of the account

hope that helps, it worked for me, only thing i'm trying to figure out is re-enabling the wallpapers

[gbynum]

re 5)background cannot be selected in the display properties;

I have that problem ... and no other of these. Does anyone know what controls it? I can set background from other programs such as IrfanView. I want to get back to "none".

[audioboy]

I have been seeing Treveren post this for other people with the problem. It seems to restore your original desktop, but not necessarily clean out the bug. read through his help for others to get the complete fix...


Click "Start", "Settings", and then click "Control Panel".
Open the "Display" applet.
Click on "Desktop", "Customise Display..." and "Web".
In the box under "Web pages" look for a checkbox named "Security". If found select it and click "Delete".



reboot! Then fun a HJT log and deal with the other nasty files.

[gbynum]

nothing named security ... only one there is "my current home page" and it isn't selected ... THANKS for the try! (BTW, it is "Customize Desktop")

George

[Robert22]

Hi. Thanx for it. It helped. Right button is ok now.
But there is still problem with desktop. I still not able to change bacground.
I foun in registry any reference for wallpaper to C:/windows/desktop.html . Is it right?
I deleted this file because it was that picture with spyware message.
Does really exist this file in XP or it was only created by spyware?
How to correc it or what could be written in registry instead of C:/windows/desktop.html ?

Tanx very much

robert

[Avohir]

To the topic starter: if you still need assistance please wait and a staff member will help you.

to the others, please start your own topics if you have problems