
Hijacked Desktop?

Discussion in 'Malware and Virus Removal Archive' started by flatfoot1, 2004/08/28.

  1. 2004/08/28
    flatfoot1

    flatfoot1 Inactive Thread Starter

    Joined:
    2004/08/28
    Messages:
    9
    Likes Received:
    0
    My desktop has the factory Dell background but...
    there is a blank HTML image, tan in color, that covers my real background.
    It is a little window that says "Internat" and expands to full screen on startup.
    Have run Spybot, Ad-Aware and McAfee; all 3 say I'm clean.
    The HTML document "Properties" when I right-click calls it...
    file://C:\WINDOWS\Web\desktop.html
     
  2. 2004/08/28
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Welcome to WindowsBBS flatfoot1 :)

    I personally would download and install Move-on-Boot. Once installed, you will have a new option when right clicking on files, to 'delete on the next boot'. Navigate to C:\Windows\Web and mark the desktop.html file for deletion, then reboot.
     


  4. 2004/09/12
    markp62

    markp62 Geek Member Alumni

    Joined:
    2002/05/01
    Messages:
    4,012
    Likes Received:
    16
    What is the version of Windows you are running? And have you tried changing the desktop image?
     
  5. 2004/09/12
    flatfoot1

    flatfoot1 Inactive Thread Starter

    Joined:
    2004/08/28
    Messages:
    9
    Likes Received:
    0
    Running XP
    The desktop theme is the factory setting.
    There is an HTML page that covers it shortly after start-up.
     
  6. 2004/09/12
    flatfoot1

    flatfoot1 Inactive Thread Starter

    Joined:
    2004/08/28
    Messages:
    9
    Likes Received:
    0
    dear noahdfear,
    I've installed "Move-on Boot".
    However, when it asks for the file to be removed...
    and I paste in "C:\WINDOWS\Web\desktop.html"
    it says "Incorrect file name".

    signed, blank expression, I mean.. flatfoot1
     
  7. 2004/09/12
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Open C:\WINDOWS\Web and right click on the desktop.html file, then choose delete on next boot. Then reboot.
     
  8. 2004/09/12
    Zander

    Zander Geek Member Alumni

    Joined:
    2002/01/07
    Messages:
    4,084
    Likes Received:
    5
    Right click on the desktop and select properties. Click the desktop tab, then the customize desktop button. Click on the web tab. Do you see the file listed where it says web pages? If so, uncheck it. Also, I'd uncheck the line that says "lock desktop items" if it's currently checked.
     
  9. 2004/09/13
    markp62

    markp62 Geek Member Alumni

    Joined:
    2002/05/01
    Messages:
    4,012
    Likes Received:
    16
    I moved this over to XP.
     
  10. 2004/09/15
    flatfoot1

    flatfoot1 Inactive Thread Starter

    Joined:
    2004/08/28
    Messages:
    9
    Likes Received:
    0
    Thanks for placing this in the proper forum.
    Here is an update of this weird thing...
    1) It is not visible in "Windows Explorer".
    2) It is not found using the Search function.
    3) When I right click, there is a "View Source" menu item.
    I clicked it and got a notepad named _webrebates0_pid4148d94b711d[1]
    Here is the content of the notepad file.
    <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
    <!----
    ***** This file is automatically generated by Microsoft Windows *****
    --------><HTML><HEAD>
    <META http-equiv=Content-Type content="text/html; charset=windows-1252"></HEAD>
    <BODY
    style="BORDER-RIGHT: medium none; BORDER-TOP: medium none; BORDER-LEFT: medium none; BORDER-BOTTOM: medium none"
    bottomMargin=0 bgColor=#004e98 leftMargin=0 background=" " topMargin=0
    rightMargin=0>
    <DIV
    style="LEFT: 0px; WIDTH: 1024px; POSITION: absolute; TOP: 0px; HEIGHT: 768px"><IMG
    style="LEFT: 0px; WIDTH: 100%; POSITION: absolute; TOP: 0px; HEIGHT: 100%" cache
    src="file:///C:/Documents%20and%20Settings/dave/Local%20Settings/Application%20Data/Microsoft/Wallpaper1.bmp">
    </DIV><IFRAME id=0
    style="BACKGROUND: none transparent scroll repeat 0% 0%; LEFT: 0px; WIDTH: 1024px; POSITION: absolute; TOP: 1px; HEIGHT: 733px"
    name=DeskMovrW marginWidth=0 marginHeight=0
    src="file:///C:/WINDOWS/Web/desktop.html" frameBorder=0 scrolling=no
    subscribed_url="C:\WINDOWS\Web\desktop.html" resizeable="粶
    舙 "> </IFRAME>
    <OBJECT id=ActiveDesktopMover
    style="LEFT: 0px; VISIBILITY: hidden; WIDTH: 0px; POSITION: absolute; TOP: 0px; HEIGHT: 0px; container: positioned; zIndex: 5"
    classid=clsid:72267F6A-A6F9-11D0-BC94-00C04FB67863></OBJECT>
    <OBJECT id=ActiveDesktopMoverW
    style="Z-INDEX: -1; LEFT: -1px; VISIBILITY: hidden; WIDTH: 1026px; POSITION: absolute; TOP: 0px; HEIGHT: 735px; container: positioned"
    classid=clsid:72267F6A-A6F9-11D0-BC94-00C04FB67863></OBJECT>&nbsp;
    </BODY></HTML>

    I have run Ad-Aware, Spybot, McAfee and even RAV.
    It doesn't appear to be doing anything to the machine...
    but I think it's something from WebRebates.
    Thanks for your input so far,
    regards, flatfoot1
     
  11. 2004/09/15
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    I'm assuming that the right click option to delete on next boot is not working for you. Try selecting properties and remove the read only attribute if present. Then see if you can rename the file with a different extension, such as desktop.old. If successful, cut and paste it to a different folder. Then try to delete. Also would be a good idea to check C:\Program Files for a folder named Web Rebates, and delete it too. With Web Rebates on the machine, it wouldn't hurt to post a HijackThis log.
     
  12. 2004/09/15
    markp62

    markp62 Geek Member Alumni

    Joined:
    2002/05/01
    Messages:
    4,012
    Likes Received:
    16
    The desktop.htm file has Hidden and maybe System attributes, and your Windows Explorer is not set to show Hidden or System files. Because of this, it will not appear in any search. Right click on the file, and look to the bottom of the Properties window, and you may see a checkmark for Hidden; the System attribute does not appear in the window.
    When you do delete this file, you will get an error message because it is not found.
    However, after reading through the HTML code, you should look at the file 'Wallpaper1.Bmp', located in C:\Documents and Settings\dave\Local Settings\Application Data\Microsoft, and see if it looks familiar, and maybe tan in color.
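
Added example, not part of any post in this thread: a short Python script that reads the generated desktop page quoted earlier and lists the wallpaper file and each web item (IFRAME) with the local path it loads, plus a helper that names the Hidden and System attribute bits discussed above. The names `local_path`, `DesktopItems`, `parse_desktop_html` and `hiding_attributes` are hypothetical, and the sample is a shortened, constructed copy of the posted HTML.

```python
from html.parser import HTMLParser
from pathlib import PureWindowsPath
from urllib.parse import unquote, urlparse

FILE_ATTRIBUTE_HIDDEN, FILE_ATTRIBUTE_SYSTEM = 0x2, 0x4  # Win32 attribute bits
# Constructed sample: a shortened copy of the "View Source" output quoted in the thread.
SAMPLE = r'''<HTML><BODY bgColor=#004e98>
<DIV><IMG style="WIDTH: 100%" cache
src="file:///C:/Documents%20and%20Settings/dave/Local%20Settings/Application%20Data/Microsoft/Wallpaper1.bmp">
</DIV><IFRAME id=0 name=DeskMovrW
src="file:///C:/WINDOWS/Web/desktop.html" frameBorder=0 scrolling=no
subscribed_url="C:\WINDOWS\Web\desktop.html"> </IFRAME>
</BODY></HTML>'''

def local_path(ref):
    """Return the Windows path a reference points at, or None if remote or empty."""
    ref = ref.strip()
    parts = urlparse(ref)
    if parts.scheme == "file":
        ref = unquote(parts.path).lstrip("/")
    elif len(parts.scheme) > 1 or not ref:  # a one-letter "scheme" is a drive letter
        return None
    return str(PureWindowsPath(ref))

class DesktopItems(HTMLParser):
    """Collects the wallpaper image and every IFRAME (web item) on the page."""
    def __init__(self):
        super().__init__()
        self.wallpaper, self.web_items = None, []
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "img" and a.get("src"):
            self.wallpaper = local_path(a["src"])
        elif tag == "iframe":
            ref = a.get("subscribed_url") or a.get("src") or ""
            self.web_items.append({"name": a.get("name"), "path": local_path(ref)})

def parse_desktop_html(text):
    parser = DesktopItems()
    parser.feed(text)
    parser.close()
    return parser

def hiding_attributes(bits):
    """Name the bits of os.stat(path).st_file_attributes that hide a file."""
    flags = (("Hidden", FILE_ATTRIBUTE_HIDDEN), ("System", FILE_ATTRIBUTE_SYSTEM))
    return [name for name, bit in flags if bits & bit]

if __name__ == "__main__":
    page = parse_desktop_html(SAMPLE)
    print("wallpaper:", page.wallpaper, "| web items:", page.web_items)
```

On the affected machine, `os.stat(path).st_file_attributes` supplies the value for `hiding_attributes`; that field exists only on Windows.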
     
  13. 2004/09/16
    Zander

    Zander Geek Member Alumni

    Joined:
    2002/01/07
    Messages:
    4,084
    Likes Received:
    5
    Did you try my suggestion? It sounds an awful lot like you have a web item of some type on your desktop. From your description of the problem it could be the answer.
    If this reference to right clicking is in response to my post, I meant to right click on your desktop, not the actual file. If this is the problem and you use move on boot to delete the file you may end up with a file not found error (or something similar) every time you boot your computer. I don't know for sure but I can certainly see where it would be possible. It's worth checking out.
     
  14. 2004/09/18
    flatfoot1

    flatfoot1 Inactive Thread Starter

    Joined:
    2004/08/28
    Messages:
    9
    Likes Received:
    0
    I would use move-on-boot, but the file does not exist in C:\Windows\Web.
    It only exists on the desktop. (Am I crazy? he he, no I'm serious).
    Here is a Hijack-This Log I just ran today.
    -----------------------------------------
    Logfile of HijackThis v1.98.2
    Scan saved at 3:08:35 PM, on 9/18/2004
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\LEXBCES.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\LEXPPS.EXE
    c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
    C:\PROGRA~1\mcafee.com\agent\McAgent.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\WINDOWS\system32\svchost.exe
    c:\PROGRA~1\mcafee.com\vso\mcshield.exe
    C:\WINDOWS\system32\taskmgr.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\temp\HijackThis.exe

    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\McAfee.com\Agent\McUpdate.exe
    O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\McAgent.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [swhost] C:\WINDOWS\system32\swhost.exe
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
     
  15. 2004/09/18
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Have you checked out the suggestions given by both Mark and Zander?

    You should first create a new folder in C: (I use C:\HJT) and place HijackThis.exe in that folder. You will be emptying the temp folder it is currently in and it will be lost otherwise.

    Scan again with HijackThis and place a check next to the following entries. Close ALL other windows and click fix.


    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [swhost] C:\WINDOWS\system32\swhost.exe
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

    Right click My Computer and choose properties. On system restore tab, check the box to turn off. OK out.

    Go to start>run and type msconfig, hit enter. On the boot.ini tab, check the box next to /safeboot and OK. Yes to restart. This will restart your computer in safe mode. Log on to the Administrator account.

    Now in safe mode, you will need to show hidden files and folders, as well as system files.

    With hidden files shown, check C:\Windows\Web again for the desktop.html file. You should also check C:\Documents and settings\your username\desktop for any suspicious files.

    Open C:\WINDOWS\system32 and delete the file swhost.exe.
    Open C:\Program Files\Common Files\Real\Update_OB and rename realsched.exe to realsched.old
    Open C:\Temp, select all and delete.
    Open C:\Windows\Temp, select all and delete.
    Open C:\Documents and settings\username\Local Settings\temp, select all and delete. Do this for all usernames.
    Open C:\Windows\Prefetch, select all and delete.
    Open My Computer, right click Local disk C: and choose properties, then disk cleanup. Check all boxes except compress old files and OK.
    Uncheck the /safeboot box in msconfig and ok to reboot.

    Re-enable system restore.

    Run another HJT scan and post the new log. Are you sure you posted the entire log? It seems as though there may be quite a lot of normal entries missing.
     