Spyware, Viruses, & Security forum

General discussion

desktop hijack #??:&%^$&

by trick / November 8, 2004 9:26 AM PST

I had a large icon on my desktop (4" by 3") from a rogue website. It had a hotlink on it that said "to remove click here" but that took me to a website that sold security systems. I deleted a file "desktop.html" and now the icon is gone but the screen is all white and blank (ex normal icons). The desktop wallpaper is there but behind the white screen - I can see it if I remove the bottom taskbar. Any ideas on how to eliminate this white screen? Cleaned all viruses, adaware, spybot already.

Re: desktop hijack #??:&%^$& - a bit more info
by trick / November 8, 2004 10:51 AM PST

Maybe this will help - also any advice on what I can erase would be appreciated - it takes so long for my computer to boot up.


C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\CTsvcCDA.EXE
C:\WINDOWS\system32\drivers\KodakCCS.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\ScsiAccess.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\PROGRA~1\mcafee.com\vso\mcvsescn.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Zone Labs\ZoneAlarm\zonealarm.exe
C:\WINDOWS\system32\devldr32.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
c:\progra~1\mcafee.com\vso\mcvsftsn.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://news.bbc.co.uk/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dellnet.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {029CA12C-89C1-46a7-A3C7-82F2F98635CB} - C:\Program Files\Kontiki\bin\bh309190.dll
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SysShield IE Popup Blocker - {9A23B8A4-C6C9-4A68-8FA6-5F905DC8FF80} - C:\Program Files\SysShield Tools\Internet Eraser\pkext.dll
O2 - BHO: (no name) - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: (no name) - {D714A94F-123A-45CC-8F03-040BCAF82AD6} - (no file)
O2 - BHO: C:\WINDOWS\lbbho.dll - {E08525BD-EAB1-4511-B7F4-6D3E0484D6CC} - C:\WINDOWS\lbbho.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: AbsoluteShield - {EE9DD090-902D-4623-9360-FB7D8666202B} - C:\Program Files\SysShield Tools\Internet Eraser\AbsoluteBar.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [AIM] C:\PROGRA~1\AIM95\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\Symantec\LIVEUP~1\SNDMon.EXE
O4 - HKCU\..\Run: [Weather] C:\Program Files\AWS\WeatherBug\Weather.EXE 1
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - Global Startup: ZoneAlarm.lnk = C:\Program Files\Zone Labs\ZoneAlarm\zonealarm.exe
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O9 - Extra button: AIM (HKLM)
O9 - Extra button: MoneySide (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O9 - Extra button: WeatherBug (HKCU)
O12 - Plugin for .mp3: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin4.dll
O12 - Plugin for .mpg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} (Microsoft Office Template and Media Control) - http://office.microsoft.com/templates/ieawsdc.cab
O16 - DPF: {0335A685-ED24-4F7B-A08E-3BD15D84E668} - http://www.photoparade.com/autoinstall/phpsetup.cab
O16 - DPF: {2253F320-AB68-4A07-917D-4F12D8884A06} - http://64.124.45.181/downloads/ccpm_0237.cab
O16 - DPF: {31E68DE2-5548-4B23-88F0-C51E6A0F695E} (Microsoft PID Sniffer) - https://support.microsoft.com/OAS/ActiveX/odc.cab
O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://office.microsoft.com/officeupdate/content/opuc.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/mcinsctl/en-us/4,0,0,83/mcinsctl.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://207.188.7.150/25d67e52ead81a836f15/netzip/RdxIE601.cab
O16 - DPF: {597C45C2-2D39-11D5-8D53-0050048383FE} (OPUCatalog Class) - http://office.microsoft.com/productupdates/content/opuc.cab
O16 - DPF: {768D513A-C75B-4FAA-8452-E906CDAB6545} - http://digitalflip.net/fvlite/fvliteY.cab
O16 - DPF: {860D5AAC-D059-4C9F-93D3-3FD6FBB6872F} (AuroraCtrl Class) - http://icebergradio.com/aurora/1.0.2.259/client.cab
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} - http://www.installengine.com/engine/isetup.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37577.2008333333
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcafee.com/molbin/shared/mcgdmgr/en-us/1,0,0,20/mcgdmgr.cab
O16 - DPF: {CD17FAAA-17B4-4736-AAEF-436EDC304C8C} - http://a840.g.akamai.net/7/840/5805/v1503/www.contentwatch.com/audit/includes/ContentAuditControl.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {DF6A0F17-0B1E-11D4-829D-00C04F6843FE} - http://officeupdate.microsoft.com/TemplateGallery/downloads/outc.cab
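
A first-pass triage of a HijackThis log in the format posted above, as an added example that is not part of the original post. The three rules (missing module, DLL sitting directly in the Windows folder, ActiveX control downloaded from a bare IP address) are assumed heuristics for choosing what to look at first, not verdicts, and the sample lines are constructed.

```python
import ipaddress
import re
from urllib.parse import urlparse

# O2/O3 lines: "O2 - BHO: <name> - {CLSID} - <path>"
BHO_RE = re.compile(r"^O[23] - (?:BHO|Toolbar): (?P<name>.*?) - "
                    r"(?P<clsid>\{[0-9A-Fa-f-]{36}\}) - (?P<path>.+)$")
# O16 lines: "O16 - DPF: {CLSID} (<optional name>) - <codebase URL>"
DPF_RE = re.compile(r"^O16 - DPF: (?P<clsid>\{[0-9A-Fa-f-]{36}\})"
                    r"(?: \((?P<name>.*)\))? - (?P<url>\S+)$")
# A DLL directly in the Windows directory, not in a subfolder (heuristic).
WINROOT_DLL_RE = re.compile(r"(?i)[a-z]:\\windows\\[^\\]+\.dll")

# Constructed sample lines; CLSIDs, paths and hosts are placeholders.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {11111111-1111-1111-1111-111111111111} - C:\Program Files\ExampleVendor\helper.dll
O2 - BHO: (no name) - {22222222-2222-2222-2222-222222222222} - (no file)
O2 - BHO: C:\WINDOWS\example.dll - {33333333-3333-3333-3333-333333333333} - C:\WINDOWS\example.dll
O3 - Toolbar: Example Bar - {44444444-4444-4444-4444-444444444444} - C:\Program Files\Example\bar.dll
O16 - DPF: {55555555-5555-5555-5555-555555555555} (Example Control) - http://downloads.example.com/ctl.cab
O16 - DPF: {66666666-6666-6666-6666-666666666666} - http://192.0.2.10/downloads/ctl.cab
"""

def host_is_ip(url):
    """True when the URL's host is a literal IP address rather than a name."""
    host = urlparse(url).hostname or ""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

def triage(log_text):
    """Return (clsid, reason) pairs for entries worth a manual look."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        m = BHO_RE.match(line)
        if m:
            if m["path"] == "(no file)":
                findings.append((m["clsid"], "registered module is missing on disk"))
            elif WINROOT_DLL_RE.fullmatch(m["path"]):
                findings.append((m["clsid"], "DLL loaded from the Windows folder root"))
            continue
        m = DPF_RE.match(line)
        if m and host_is_ip(m["url"]):
            findings.append((m["clsid"], "ActiveX control fetched from a bare IP address"))
    return findings

if __name__ == "__main__":
    for clsid, reason in triage(SAMPLE_LOG):
        print(clsid, "-", reason)
```
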

Re: desktop hijack #??:&%^$&
by Marianna Schmudlach / November 8, 2004 11:44 AM PST

Try this:

Go to Start > Control Panel and open Display. Click on the Desktop tab and click the Customize Desktop button, then the Web tab. Both of those check boxes should be clear. Click OK, then click OK again.

More details on the hijack desktop remover.
by elvisbrucearie / January 27, 2005 9:43 AM PST

Have some more information. I was two times screwed up by this. The first time, I let it be removed by Spysweeper, but my desktop was not working anymore.
Seems like Spysweeper works to remove it.
Now I saw the solution of Marianna Schmudlach, and I could recover my desktop! Thank you.
I had my desktop with a big black advertisement with a big warning that I am in danger and there is spyware. To remove, you could click on a link below it. You will get linked to a website, url: http://213.159.117.130/?affid=NAT-1
There you can click for example on:
http://www.smart-security.info/main.php?affid=NAT-1.

So you go to the site of smart-security and they ask you to buy their product to remove the spyware.
That really sucks. I did send them an email; if it works, I don't know. I manually removed the files:

c:\windows\system32\intffdsronsad.exe
c:\windows\desktop.html
c:\(somewhere)!smartsecurity.url

My desktop was still not working; thanks to this, I found out. Here it goes:

Go to Start > Control Panel, Appearance and Themes, open Display. Click on the Desktop tab and click the Customize Desktop button, then the Web tab. I had only security being enabled, just disable that, set it off.
Click OK and OK, that's it, your desktop works again!

Good luck!

White HTML Screen Hiding Wallpaper is GONE! Thanx!
by RobValley / February 25, 2005 6:59 PM PST

Hi

I had the white-screen, icons-on-top, wallpaper-hidden-from-view problem after a Trojan attack several months ago. The file is generated by Microsoft, so it says, and is called desktop.html, but I could not find it to delete. I searched through Google last night and came upon this website and solution, and it worked! I am not sure if it will negatively affect the PC in other ways, but it is terrific to see the wallpaper again, even after turning the PC off and back on again this morning.

Thanks for sharing!

Rob

My desktop was still not working; thanks to this, I found out. Here it goes:

Go to Start > Control Panel, Appearance and Themes, open Display. Click on the Desktop tab and click the Customize Desktop button, then the Web tab. I had only security being enabled, just disable that, set it off.
Click OK and OK, that's it, your desktop works again!

Good luck!

Re: desktop hijack #??:&%^$&
by bvandeventer / December 3, 2004 3:23 AM PST

Same here, and it was a Yahoo site that installed it. I've tried several "spy/adware" removal programs but to no avail. When I right-click on the desktop, the context menus are those of right-clicking on a file, not the normal desktop settings.

Re: desktop hijack #??:&%^$&
by bvandeventer / December 3, 2004 4:08 AM PST

Try this:
1. Go to Control Panel; Appearance
2. Select Display;
3. Select Desktop tab;
4. Click on the Customize Desktop button;
5. Select Web tab;
6. Uncheck or delete whatever seems to be suspicious in the WEBPAGE box (most likely called "Security")

This should get your desktop back. Hope this helps!!!

Re: desktop hijack #??:&%^$&
by rafin / December 4, 2004 3:24 AM PST

Hi. I got that too.
Try this

Hide your taskbar and right-click on the empty desktop > properties > DESKTOP tab > CUSTOMIZE DESKTOP > WEB, and uncheck or delete whatever seems to be suspicious in the WEBPAGE box...

It works. You'll see.

1 way to bypass it
by TonyFordz / December 25, 2004 5:27 AM PST

I also had this many times. It was a real pain to deal with. I found that if you go into your control panel, click on Display and then the Desktop tab, then choose a wallpaper, it gets rid of it nicely.

As far as how it got there, that is beyond me, but I'm sure some spyware site placed it there.

It is a shame that affiliate sites don't keep better control of the people they pay to advertise for them. And even more a shame that there is no law to protect us from software companies who place programs and spyware in our PC without our knowing, and without our permission.

Ad-aware doesn't pick it up, Spy Doctor didn't get it, Webroot Spy Sweeper didn't get it either. Those were the top three apps that I liked after testing, but I wonder now...

Desktop hijacker
by subaru / January 5, 2005 3:21 PM PST
In reply to: 1 way to bypass it

Hi,
I was also infected with the same trojan. But the solution of changing the desktop via the Web tab through display properties just changes it for a while. But there is a process called 123*.dlr which runs in the background using up system and internet resources. When this is activated it disables the task manager. It is so wicked that I ran online virus scanners of Panda antivirus and Trend Micro. Then I tried to eradicate it with TrojanHunter, TuneupUtilities 2004 (for accessing the process manager to disable the running 1234*.dlr file), Trojan Remover, Spyware Doctor, HijackThis, and through the registry and by removing the SmartSecurity.urls from various places, but after an excruciating 5 attempts and 5 days I am still pestered with the baby of an evil genius who is hell bent on destroying our internet lives. After everything got cleaned I restarted again, and after a few seconds of booting up it came back again, sitting in front of my desktop smirking at my crestfallen face.

If anybody or any soul on the face of this earth knows the solution to this menace, please for God's sake email me at Subarusyd@yahoo.com. I am getting short of smashing my computer up. Please help me.

I've got that smartsecurity virus too.
by leekerttu / January 14, 2005 5:19 PM PST
In reply to: Desktop hijacker

I got it a few weeks ago and I got rid of it for a while but it came back. I don't know if it was there all the time or if I got it again from another web page.
Would someone please kill the people who made this thing?

This really works on the desktop.html hijacking problem
by subaru / January 5, 2005 5:12 PM PST

Desktop Hijacker Solution

After searching through various sites and solutions and after 5 days and numerous attempts, here is the solution of what temporarily solves the problem until next reboot or restart OR LOGOFF.

1. Make sure you have downloaded and installed Giant antispyware and Trojanhunter software. Then disable your System Restore option in Windows XP. Run all this software, including Noadware and Spyware Doctor. Try to play with Hijackthis.exe only if you are an expert at computers. Since this trojan disables taskmanager.exe, download Tuneuputilities 2004 and through that you can kill the process, generally 123dfs.dlr or something like that. Or you can install the Winxp manager and restore the disabled task manager.

2. Go to c:\windows and delete desktop.html and ssic.ico.

3. Go to start->run->regedit

4. Then find key HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components

5. Delete the subkey folder beneath components labelled "o".

6. Delete all the smartsecurity.urls from the following destinations:

C:\Documents and Settings\%username%\Recent
C:\Documents and Settings\%username%\Desktop
C:\Documents and Settings\%username%\Start Menu
C:\Documents and Settings\%username%\Favorites
C:\Documents and Settings\ANNIE\Local Settings\Temp (Try to delete all the files in this folder, especially 1.qtdmp and files like that, and if any deletion gives an error, terminate the processes which are running from this folder and then delete it).

7. Right mouse click on the desktop->Properties->Desktop->Customize Desktop->Web->If you see a checked box named security in the web pages box, just select it and click delete.

8. If everything has gone as planned you will be getting a white or any other colour blank screen on the desktop. Now, since this Desktop.html virus does not completely cover the wallpaper, you will see a small opening in the topmost screen area where you will see that the wallpaper is showing through the back. Right click there and then you will be able to access the properties. Anyway, right click and go to Arrange icons by->Check the "Lock Web Items on Desktop". Then uncheck it back again. You will get your desktop restored.

After such a struggle I have finally devised this way myself. If you find this successful please do email me at subarusyd@yahoo.com names to subaru. That will be the only token of thanks I want. AND IN ANY CASE IF YOU DO FIND A PERMANENT SOLUTION PLEASE DO EMAIL ME AS I HAVE NOT FOUND ONE YET. THANKS
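
A read-only check to run before deleting anything under the Components key named in step 4, as an added example that is not part of the original post. It parses a regedit text export of that key and lists each Active Desktop component, flagging any whose source is a local HTML file in the Windows folder; the value names `Source` and `FriendlyName` are given as they appear on Windows XP, the flagging rule is an assumed heuristic, and the sample export is constructed.

```python
import re

COMPONENTS = r"Software\Microsoft\Internet Explorer\Desktop\Components"

# Constructed sample of a regedit text export; not taken from a real machine.
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="http://www.example.com/news.html"
"FriendlyName"="Example news"

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\1]
"Source"="C:\\WINDOWS\\desktop.html"
"FriendlyName"="Security"
'''

def parse_components(export_text):
    """Map each subkey directly under ...\\Desktop\\Components to its string values."""
    comps, current = {}, None
    for raw in export_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            parent, _, leaf = line[1:-1].rpartition("\\")
            # Only direct children of the Components key are components.
            current = leaf if parent.lower().endswith(COMPONENTS.lower()) else None
            if current is not None:
                comps[current] = {}
            continue
        m = re.match(r'^"([^"]+)"="(.*)"$', line)
        if m and current is not None:
            # .reg files escape backslashes and quotes with a backslash.
            comps[current][m.group(1)] = re.sub(r"\\(.)", r"\1", m.group(2))
    return comps

def flag_local_html(comps, windir=r"C:\WINDOWS"):
    """Return (subkey, friendly name, source) for local HTML sources under windir."""
    hits = []
    for subkey, values in sorted(comps.items()):
        src = values.get("Source", "")
        low = src.lower()
        if low.startswith(windir.lower() + "\\") and low.endswith((".htm", ".html")):
            hits.append((subkey, values.get("FriendlyName", ""), src))
    return hits

if __name__ == "__main__":
    for subkey, name, src in flag_local_html(parse_components(SAMPLE_EXPORT)):
        print(f"Components\\{subkey}: {name!r} -> {src}")
```

Exports written by regedit in the "Version 5.00" format are UTF-16, so read a real file with `open(path, encoding="utf-16")` before passing its text to `parse_components`.
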

I'm really surprised that no one here has found a fix for it
by leekerttu / January 14, 2005 5:31 PM PST

Changing the active desktop every time you restart your computer isn't much of a solution. I'm sure there's a way to remove this thing because I got rid of it for about a week before it got reinstalled by another web page. I just don't remember exactly how I did it.
Does anyone here know enough about registry editing to safely remove this?

The easiest way to get rid of it.....

is downloading HJT - scan your computer > save the list, then copy/paste and post it in one of the HJT forums.

No headaches - NO nothing

desktop hijack
by clemson / March 14, 2005 1:10 AM PST

I have done that and the HJT log is clean, and no one there can answer my question either. I have tried the customized desktop option and deselected the security tab and also deleted, and neither works for me. I had the black background and deleted the file and now it is just white. I have no toolbar at the bottom, no start button, etc...

Desktop Hijack
by bill102763 / January 28, 2005 12:16 AM PST

Look for a hidden file in the root of the C: drive called explorer.cab, change the attributes and delete this file.

Then follow all the other steps listed in the other replies to this thread. This file is the key: if any of the registry entries are missed, or the fix is not done in safe mode, this hijack will reload.
