Desktop taken over by insidious advertisement


    New Member

Yesterday I was watching the newest Harry Potter DVD, and after I finished, my desktop had been replaced by something I cannot for the life of me get rid of, although I highly doubt that it was put there by the very naughty Mister Potter. The link is: file://C:\WINDOWS\Web\desktop.html

Also, there's a little exclamation point in the systray which keeps popping up a bogus spyware message. I haven't clicked on it yet... in fact, as soon as it happened, I checked online, found this site, ran through the steps, and disconnected the ethernet cable to the infected computer.

I did some research by pasting the link and googling it. I'm at least glad I am not the only one who is having this problem, and I'm really glad you guys exist. I ran through the standard cleansing process, using AAW, SB S&D, et al, and here's my Hijack This log:

Logfile of HijackThis v1.99.0
Scan saved at 8:17:01 AM, on 4/9/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKLM\..\RunOnce: [Srv32 spool service] C:\WINDOWS\System32\spoolsrv32.exe
O4 - HKLM\..\RunOnce: [Local runole service] C:\WINDOWS\System32\srvc32.exe
O4 - HKCU\..\RunOnce: [Srv32 spool service] C:\WINDOWS\System32\spoolsrv32.exe
O4 - HKCU\..\RunOnce: [Local runole service] C:\WINDOWS\System32\srvc32.exe
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Iomega App Services - Iomega Corporation - C:\PROGRA~1\Iomega\System32\AppServices.exe
O23 - Service: NVIDIA Driver Helper Service - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

Any and all help is GREATLY appreciated. Thanks!

Edited by ratgrendel, 09 April 2005 - 03:05 PM.


    New Member

  • Topic Starter

Okay, I fixed it, or so it seems. Here's what I did...

First, I spent all day at work today perusing this site and collecting links. Then, I got home, followed all the links, downloaded a lot of software, and rebooted into safe mode, with the network cable unplugged.

I installed all the following bits:

BHODemon 2.0
The Cleaner

...and I updated Spybot, HijackThis!, and Ad-Aware, and ran an online trojan scan (took like 30 minutes!).

Holy crap was I surprised at all I found! Nuked it all, ran the whole gamut again just for safekeeping, and came away satisfied.

I rebooted, loaded up my normal user profile, and the couple of recent popups and exclamation point thing were gone, but the desktop was still messed up. Opened desktop properties from the control panel, clicked the "Desktop" tab, then the "Customize Desktop" button, then the "Web" tab. In there, I saw "Security" as a web page option and deleted it from the list. The file it was linking had already been removed by one of the above programs.

Two hours later, it's all smooth sailing... Woot!

Thanks again to this awesome website for existing.