Help ASAP !!!

Status
Not open for further replies.

swatkat

Technomancer
Actually your Desktop has been hijacked by the Desktop.html hijacker (probably from Smart Security).


First download WebRoot SpySweeper Trial and CleanUp! and install them.
Reboot in SAFE Mode, and run Spysweeper. Click the "Options" button and then click the "Sweep Options" tab, and here select all the Hard Disk Partitions. Then click the "Sweep Now" button and click "Start".
Remove all the malware it finds.

After this delete all the URLs (links) of Smart Security present in these folders:-
DriveLetter:\Documents and Settings\%username%\Recent
DriveLetter:\Documents and Settings\%username%\Desktop
DriveLetter:\Documents and Settings\%username%\Start Menu
DriveLetter:\Documents and Settings\%username%\Favorites
DriveLetter:\Documents and Settings\%username%\Local Settings\Temp
where DriveLetter is the drive where your Windows is installed, like C and username is your Username.

Run CleanUp!, and click "CleanUp!" button and after cleaning, click OK to restart.

Reboot and post back the results. (No need of HijackThis now)
 

swatkat

Technomancer
After doing all the things posted above, do this:-
Go to Start> Run and type regedit and press ENTER. Here navigate to this key (by clicking the "+" icon in front of the keys) HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies and then go to the File Menu, and click "Export". Here type a filename as bakup and in the "Export Range" option box, click "Selected Branch" and click "Ok".

Next, open NotePad and from File> Open, open the file bakup.reg and then copy its content and post it here.
 

harmik

Journeyman
sorry for taking so much time
i had done all the above steps b4 the last step

and everything was returned to normal
now i just did the last step as told by swatkat and here is the asked info


Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\AMeOpt]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoDriveTypeAutoRun"=dword:00000095
"CDRAutoRun"=dword:00000000
"NoActiveDesktopChanges"=dword:00000001

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"WallpaperStyle"=dword:00000000
"NoDispBackgroundPage"=dword:00000001
"NoDispAppearancePage"=dword:00000001
"Wallpaper"="c:\\wp.bmp"



anyway everything is fine now
thx
 

swatkat

Technomancer
There are some traces of the bad program in the Registry.

First take a COMPLETE backup of the registry, as given here.

Reboot in SAFE mode

Do this, go to Start> Run and type regedit and press ENTER.
Then navigate to this key [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer] and click on it to select it. Then some VALUES will be displayed on the RIGHT Side pane, there right-click on this --> "NoActiveDesktopChanges"=dword:00000001 Value and click "Delete".

Similarly navigate to this key [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System] and click on it to select it. Then in the right pane, right-click on each of the below values and click "Delete" to delete them.
"WallpaperStyle"=dword:00000000
"NoDispBackgroundPage"=dword:00000001
"NoDispAppearancePage"=dword:00000001
"Wallpaper"="c:\\wp.bmp"


Then delete the file wp.bmp.
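
A way to check an exported Policies branch for the values named in the post above, as an added example that is not part of the original thread. It parses the .reg text and reports only the Explorer and System values listed for deletion; the function names and the SUSPECT table are assumptions, and the sample is the export posted in the thread.

```python
import re

# Constructed sample: the export posted in the thread, blank lines dropped.
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies]
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\AMeOpt]
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoDriveTypeAutoRun"=dword:00000095
"CDRAutoRun"=dword:00000000
"NoActiveDesktopChanges"=dword:00000001
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"WallpaperStyle"=dword:00000000
"NoDispBackgroundPage"=dword:00000001
"NoDispAppearancePage"=dword:00000001
"Wallpaper"="c:\\wp.bmp"
'''

POLICIES = r"hkey_current_user\software\microsoft\windows\currentversion\policies"
# Values the thread singles out for deletion, keyed by lower-cased key path
# (registry key and value names are case-insensitive).
SUSPECT = {
    POLICIES + r"\explorer": {"noactivedesktopchanges"},
    POLICIES + r"\system": {"wallpaperstyle", "nodispbackgroundpage",
                            "nodispappearancepage", "wallpaper"},
}
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')

def parse_reg(text):
    """Parse a .reg export into {key_path: {value_name: data}}."""
    keys, current = {}, None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1], {})
        elif current is not None and (m := VALUE_RE.match(line)):
            name, raw = m.groups()
            if raw.startswith("dword:"):
                raw = int(raw[6:], 16)
            elif raw[:1] == '"' and raw[-1:] == '"':
                raw = re.sub(r"\\(.)", r"\1", raw[1:-1])  # undo \\ and \"
            current[name] = raw  # other types (hex:...) stay as raw text
    return keys

def find_suspect_values(text):
    """Return sorted (subkey, value_name, data) tuples that match SUSPECT."""
    hits = []
    for key, values in parse_reg(text).items():
        wanted = SUSPECT.get(key.lower(), set())
        hits += [(key.rsplit("\\", 1)[1], name, data)
                 for name, data in values.items() if name.lower() in wanted]
    return sorted(hits)
```

Calling `find_suspect_values()` on the text of bakup.reg after the cleanup should return an empty list; values such as NoDriveTypeAutoRun are parsed but never reported.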
 

harmik

Journeyman
also plz tell wot to do when the file that trojan hunter backed up is needed as it just kinda only changed the extension of that file by adding .tcf in the end

also i changed the registry as required

if no problems persist after the changes in a couple of days or so, can i delete the file that was made during the backup coz its taking up about 250 mb space???
 

swatkat

Technomancer
Ok, keep the backup for some 3 to 5 days, and check for any problems in your system, if everything is alright, you can delete it safely!

TrojanHunter changes the file extension to .tcf so that the trojan is not able to run again and also removes the trojan's Registry entry so that the Trojan is not able to run automatically. If you change the file extension back to its original, you can get the original file, and also the trojan will not get activated, but if you open/run it, it again re-registers with the Registry and runs automatically.
 