recovery from desktop hijacker

Discussion in 'Malware Help (A Specialist Will Reply)' started by psychogenic, Mar 29, 2005.

  1. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    1) Download TrojanHunter

    2) Install TrojanHunter, At the end of the install setup will prompt you to update definitions. Please do so!

    3) Once installed and updated, select drive C:\ and do a Full Scan. Remove all found infections.

    After doing this attach a current HJT log.

    For your desktop & wallpaper issues, please see the thread below. This user had the same problem, and I posted several things there that will help you as well. Have a look and let me know if you still need any help with it.

    "warning you are in danger" wallpaper
     
  2. psychogenic

    psychogenic Private E-2

    regarding my desktop, i followed these instructions from the other thread...

    i rebooted my computer and the values were reset to c:\desktop once again. something or someone seems to be resetting these values.

    also, trojanhunter found only 1 possible trojan, which i promptly deleted.

    new HJT log is attached.
     


  3. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Get me a startup list from HJT. Do you know how to do this?
     
  4. psychogenic

    psychogenic Private E-2

    no, i'm not sure.
     
  5. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Run Hijack This

    Select "Open the Misc. Tools section"

    Click the button "Generate Startup List Log"

    Attach this log to your next post.
     
  6. psychogenic

    psychogenic Private E-2

    log is attached. thank you.
     


  7. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Okay! Shut down Microsoft AntiSpyware, temporarily disable Avast and your firewall and try the registry edits again.

    Afterwards reboot and see if they come back. Your log looks ok.
     
  8. psychogenic

    psychogenic Private E-2

    i followed your instructions and the problem still remains. do you have any other ideas?
     
  9. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    I hate to ask you this again but I have had so much going on, what was your exact problem?
     
  10. psychogenic

    psychogenic Private E-2

    it's no problem. basically, the desktop that i had before all of this mess occurred with the desktop hijacker has yet to return. also, i am unable to change the desktop when i click under 'properties' because the option is greyed out. when i do save a file onto the current desktop, a duplicate file is created for some reason. currently, there is an 'active desktop recovery' screen.

    i followed the directions you gave to wizz in regards to changing the registry settings, but they are continually reset back to c:\desktop after i reboot and i cannot figure out why - especially because my log appears to be clean now. so, my original desktop remains in c:\documents and settings\jeff\desktop but windows is reading c:\desktop to be my desktop instead.
     
  11. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    See if this fixes your desktop where it created the duplicate files.

    Copy the contents of the Quote Box below to Notepad. Then click File and then Save As. Change the Save as Type to All Files. Name the file desktopfix.reg and then click save. (make sure you save it somewhere you can find it. Saving it to your Desktop may make that easy.)

    Double-click on the desktopfix.reg file on your desktop (or locate it with Windows Explorer and double click on it if not saved to the Desktop) and when it prompts to merge, click YES!
     
  12. psychogenic

    psychogenic Private E-2

    unfortunately, no. this didn't fix either problem.
     
  13. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    I now have 3 of these, hang on let me research a little.
     
  14. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Copy the contents of the Quote Box below to Notepad. Then click File and then Save As. Change the Save as Type to All Files. Name the file desktopfix1.reg and then click save. (make sure you save it somewhere you can find it. Saving it to your Desktop may make that easy.)


    Double-click on the desktopfix1.reg file on your desktop (or locate it with Windows Explorer and double click on it if not saved to the Desktop) and when it prompts to merge, click YES!
     
  15. psychogenic

    psychogenic Private E-2

    this didn't work for me, either. i should tell you, though, that now my desktop is absolutely blank and i am unable to even right-click on it.
     
  16. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    It's something in the registry, I do know this much, and it's related to C:\Desktop. I have been researching this new baddie and haven't come up with anything yet. Will let you know as soon as something comes up. Thank you for your patience:)
     
  17. psychogenic

    psychogenic Private E-2

    thank you, bjgarrick. i'll continue to check back on a regular basis.
     
  18. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Okay!
     
  19. Oldman

    Oldman Private First Class

    I ran into this last night but was unable to kill it. After some research I found this:
    ____________
    open regedit in Start>Run>Regedit
    find the NoViewContextMenu using Ctrl-F
    double click NoViewContextMenu and enter 0 for its value

    UKey:[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
    SKey:[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
    Value Name: NoViewContextMenu
    Data Type: REG_DWORD (DWORD Value)
    Value Data: (0 = disabled, 1 = enabled)

    as for your missing desktop, in regedit look for all instances of
    c:\desktop

    and replace with
    c:\documents and settings\user\Desktop *
    *note user would be the name of the user it can be Bob, Jane Etc.. in short it's the name of the account
    ______________

    I'm unable to get to the infected computer to test it at the moment. bj, what do you think? I see some of the same stuff you've suggested. What concerns do you have? :)
     
  20. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Try looking at this!

    Click Start, Run, and enter regedit and click OK. This will bring up the registry editor.

    I want you to navigate first to the below key and find out what the Data value is set to:

    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders

    then in the right pane locate the value name "Desktop" and look at what the Data value is! It should be:

    %USERPROFILE%\Desktop

    Then navigate to the below key and find out what the Data value is set to:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders

    then in the right pane locate the value name "Common Desktop" and look at what the Data value is! It should be:

    %ALLUSERSPROFILE%\Desktop

    It sounds to me like both of them are set to point to the same place (profile).
     
  21. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    I have figured it out! :D

    Click Start > Run > type in regedit

    Navigate to and modify the registry entries below:

    HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders

    Select "Desktop" and change the value to %USERPROFILE%\Desktop

    HKEY_USERS\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders

    Select "Desktop" and change the value to %USERPROFILE%\Desktop

    HKEY_USERS\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders

    Select "Desktop" and change the value to %USERPROFILE%\Desktop

    HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders

    Select "Desktop" and change the value to %USERPROFILE%\Desktop

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders

    Select "Desktop" and change the value to %ALLUSERSPROFILE%\Desktop

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders

    Select "Common Desktop" and change the value to C:\Documents and Settings\All Users\Desktop

    HKEY_USERS\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders

    Select "Desktop" and change the value to %USERPROFILE%\Desktop

    HKEY_USERS\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders

    Select "Desktop" and change the value to C:\Documents and Settings\LocalService\Desktop

    HKEY_USERS\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders

    Select "Desktop" and change the value to C:\Documents and Settings\NetworkService\Desktop

    Now, with the viewing of hidden files & folders enabled per the tutorial, go into C:\ and delete the folder C:\DESKTOP. Reboot and the problem should be resolved!
     
  22. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    EDIT

    This should be 18 instead of 19!

    HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders

    Select "Desktop" and change the value to %USERPROFILE%\Desktop
     
  23. Oldman

    Oldman Private First Class

    Yo da man! I will try it out as soon as I can get my hands on that machine, (probably tomorrow night), let you know how it goes. Thanks a ton :D

    PS: I'm starting to see a lot more of these coming in lately, second time this week (and I only work part-time on this stuff). I fear this one will be spreading a lot more, real fast.
     
  24. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    The official fix for the Desktop Problem!

    Download the attached file to a folder where you can locate it. And then extract the fixdesktop.reg file from the ZIP file. Double click on the fixdesktop.reg file and when prompted to add the changes into registry say yes.
     


  25. psychogenic

    psychogenic Private E-2

    OK, it seems as though my registry is correct after downloading the fix, but i am still unable to see my desktop and unable to right-click on it! any ideas?
     
  26. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Click Start > Run > type regedit

    Navigate to the following key:

    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer

    Again, look for a DWORD value called "NoViewContextMenu"

    When located, right click and delete it!

    Navigate to the following key:

    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer

    Look for a DWORD value called "NoViewContextMenu"

    When located, right click and delete it!

    Navigate to the following key:

    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop

    Look for a DWORD value called "NoChangingWallPaper"

    When located, right click and delete it!

    Navigate to the following key:

    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer

    It should only have "NoDriveTypeAutoRun"

    Remove this value: "NoActiveDesktop"
    Remove this value: "ForceActiveDesktopOn"

    Navigate to the following key:

    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop

    There should only be the (default) string here

    Remove this value: NoComponents
    Remove this value: NoAddingComponents
    Remove this value: NoDeletingComponents
    Remove this value: NoEditingComponents
    Remove this value: NoHTMLWallpaper

    After doing the above, reboot and let me know what problems, if any, remain.
     
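    The two instruction sets above (the User Shell Folders values from posts 21 and 22, and the policy values deleted in post 26) can be merged into one .reg file instead of edited by hand in regedit. This is an added example, not a file posted in the thread: it writes the %VAR% paths as REG_EXPAND_SZ (regedit's hex(2) form), the literal paths as REG_SZ, and uses the "name"=- syntax to delete each policy value; it assumes the HKLM User Shell Folders entry is named "Common Desktop", as stated in post 20.

```python
# Registry paths quoted in the thread (posts 20, 21, 22 and 26).
USER_SHELL = r"Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders"
SHELL = r"Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders"
POLICIES = r"Software\Microsoft\Windows\CurrentVersion\Policies"

# (key, value name, data): %VAR% data becomes REG_EXPAND_SZ, plain paths REG_SZ.
SET_VALUES = [
    (rf"HKEY_USERS\{sid}\{USER_SHELL}", "Desktop", r"%USERPROFILE%\Desktop")
    for sid in ("S-1-5-18", "S-1-5-19", "S-1-5-20", ".DEFAULT")
] + [
    (rf"HKEY_LOCAL_MACHINE\{USER_SHELL}", "Common Desktop", r"%ALLUSERSPROFILE%\Desktop"),
    (rf"HKEY_LOCAL_MACHINE\{SHELL}", "Common Desktop", r"C:\Documents and Settings\All Users\Desktop"),
    (rf"HKEY_USERS\S-1-5-18\{SHELL}", "Desktop", r"%USERPROFILE%\Desktop"),
    (rf"HKEY_USERS\S-1-5-19\{SHELL}", "Desktop", r"C:\Documents and Settings\LocalService\Desktop"),
    (rf"HKEY_USERS\S-1-5-20\{SHELL}", "Desktop", r"C:\Documents and Settings\NetworkService\Desktop"),
]

# Policy values the hijacker set; "name"=- tells regedit to delete the value.
DELETE_VALUES = {
    rf"HKEY_LOCAL_MACHINE\{POLICIES}\Explorer": ["NoViewContextMenu"],
    rf"HKEY_CURRENT_USER\{POLICIES}\Explorer": [
        "NoViewContextMenu", "NoActiveDesktop", "ForceActiveDesktopOn"],
    rf"HKEY_CURRENT_USER\{POLICIES}\ActiveDesktop": [
        "NoChangingWallPaper", "NoComponents", "NoAddingComponents",
        "NoDeletingComponents", "NoEditingComponents", "NoHTMLWallpaper"],
}
def reg_expand_sz(text: str) -> str:
    """REG_EXPAND_SZ in .reg syntax: hex(2) of the UTF-16LE bytes plus a NUL terminator."""
    data = text.encode("utf-16-le") + b"\x00\x00"
    return "hex(2):" + ",".join(f"{b:02x}" for b in data)

def reg_sz(text: str) -> str:
    """REG_SZ in .reg syntax: a quoted string with backslashes and quotes escaped."""
    return '"' + text.replace("\\", "\\\\").replace('"', '\\"') + '"'

def build_reg(set_values=SET_VALUES, delete_values=DELETE_VALUES) -> str:
    """Return the complete .reg text (CRLF line endings, as regedit itself writes)."""
    lines = ["Windows Registry Editor Version 5.00", ""]
    for key, name, data in set_values:
        encoded = reg_expand_sz(data) if "%" in data else reg_sz(data)
        lines += [f"[{key}]", f'"{name}"={encoded}', ""]
    for key, names in delete_values.items():
        lines += [f"[{key}]"] + [f'"{name}"=-' for name in names] + [""]
    return "\r\n".join(lines)

if __name__ == "__main__":
    # Version 5.00 .reg files are UTF-16LE with a BOM; Python's "utf-16" codec adds the BOM.
    with open("fixdesktop.reg", "w", encoding="utf-16", newline="") as fh:
        fh.write(build_reg())
```

    Review the generated file in Notepad before merging it, and export the affected keys first so the change can be reverted.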
  27. psychogenic

    psychogenic Private E-2

    my desktop has returned!

    THANK YOU very much for your time and commitment to this issue of mine. i appreciate it!
     
  28. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    You're welcome!:)

    It took me three days of research but we finally nailed this baddie!

    So everything is ok, no further problems?
     
  29. psychogenic

    psychogenic Private E-2

    no further problems, for now. and i think that i should be much more secure after downloading all of the software you've recommended!
     
  30. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Glad everything is ok!

    You should see this article on How to Protect yourself from malware!
     
  31. WraithTDK

    WraithTDK Private E-2

    Just wanted to thank you guys for putting this up. Also, a little heads-up: I don't know where this came from, but expect to get some more reports. I work for a company called Geeks On Call that does on-site computer repair, and I saw this a week ago and it absolutely KILLED ME. I ultimately had to just reload their system. And thank GOD you guys did this, because I just checked dispatch, and I've got a call TOMORROW for someone with the same problem. Luckily I'll have your fixes on the weekly tool CDs I make.

    Looks like we've got an all-new epidemic.

    P.S., anyone wanna make a reg file that includes bjgarrick's last instruction set?
     
  32. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Glad we could help, it took me 3 days of research to bust this new baddie!! We finally got it though :D
     
  33. WraithTDK

    WraithTDK Private E-2

    Hey, any chance you can make another reg fix with the final solution? I don't know how long those things take to make, one of these days I have to just break down and learn at least some basic coding skills.
     
  34. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Post 74 & 76, that is the final fix for this problem. If you need help with this hijacker, start a new thread with it or have a look at these threads with the same problem.

    "warning you are in danger" wallpaper

    another "warning you are in danger" wallpaper
     
