One of my users managed to open a spoof email supposedly from UPS which
unleashed a trojan - some sort of fake virus warning. I managed to remove the
virus which has installed a .bmp file as the desktop image but then managed
to turn off a couple of the tabs on desktop properties.

When you fire up desk.cpl in Control Panel there are only three tabs:

Themes
Appearance
Settings

two missing ones:
Desktop
ScreenSaver

So now I can't reset desktop images or set screensaver properties.

I looked in Local Security Policies but couldn't find anything obvious there
and can't seem to find a config file for desk.cpl which could have been
altered.

If anyone has any ideas on where to look I'd be much obliged.



ps If you come across any virus writers please kill them.

Thanks

Maurice wrote:
> One of my users managed to open a spoof email supposedly from UPS which
> unleashed a trojan - some sort of fake virus warning. I managed to remove the
> virus which has installed a .bmp file as the desktop image but then managed
> to turn off a couple of the tabs on desktop properties.
>
> When you fire up desk.cpl in Control Panel there are only three tabs:
>
> Themes
> Appearance
> Settings
>
> two missing ones:
> Desktop
> ScreenSaver
>
> So now I can't reset desktop images or set screensaver properties.
>
> I looked in Local Security Policies but couldn't find anything obvious there
> and can't seem to find a config file for desk.cpl which could have been
> altered.
>
> If anyone has any ideas on where to look I'd be much obliged.
>
>
>
> ps If you come across any virus writers please kill them.
>
> Thanks

http://www.kellys-korner-xp.com/xp_tweaks.htm
128. (r-h column) Restore Desktop and Screensaver Tabs

--
Joe =o)

Hi, thanks for that link I will try that a bit later.

"Elmo" wrote:

> Maurice wrote:
> > One of my users managed to open a spoof email supposedly from UPS which
> > unleashed a trojan - some sort of fake virus warning. I managed to remove the
> > virus which has installed a .bmp file as the desktop image but then managed
> > to turn off a couple of the tabs on desktop properties.
> >
> > When you fire up desk.cpl in Control Panel there are only three tabs:
> >
> > Themes
> > Appearance
> > Settings
> >
> > two missing ones:
> > Desktop
> > ScreenSaver
> >
> > So now I can't reset desktop images or set screensaver properties.
> >
> > I looked in Local Security Policies but couldn't find anything obvious there
> > and can't seem to find a config file for desk.cpl which could have been
> > altered.
> >
> > If anyone has any ideas on where to look I'd be much obliged.
> >
> >
> >
> > ps If you come across any virus writers please kill them.
> >
> > Thanks
>
> http://www.kellys-korner-xp.com/xp_tweaks.htm
> 128. (r-h column) Restore Desktop and Screensaver Tabs
>
> --
> Joe =o)
>

The machine remains infected (i.e., ZLOB/Vundo/SDBot, all protected by a
rootkit) and you've got a lot more work to do (unless you wipe & reload).

cf.
http://msmvps.com/blogs/harrywaldron...-delivery.aspx

Unexplained computer behavior may be caused by deceptive software
http://support.microsoft.com/kb/827315

Run a /thorough/ check for hijackware, including posting your hijackthis log
to an appropriate forum.

Checking for/Help with Hijackware
http://aumha.org/a/parasite.htm
http://aumha.org/a/quickfix.htm
http://aumha.net/viewtopic.php?t=5878
http://wiki.castlecops.com/Malware_R...:_Introduction
http://mvps.org/winhelp2002/unwanted.htm
http://inetexplorer.mvps.org/data/prevention.htm
http://inetexplorer.mvps.org/tshoot.html
http://www.mvps.org/sramesh2k/Malware_Defence.htm
http://defendingyourmachine2.blogspot.com/
http://www.elephantboycomputers.com/...moving_Malware

When all else fails, HijackThis v2.0.2
(http://aumha.org/downloads/hijackthis.exe) is the preferred tool to use (in
conjuction with some other utilities). HijackThis will NOT fix anything on
its own, but it will help you to both identify and remove any
hijackware/spyware with assistance from an expert. **Post your log to
http://aumha.net/viewforum.php?f=30,
http://forums.spybot.info/forumdisplay.php?f=22,
http://castlecops.com/forum67.html, or other appropriate forums for review
by an expert in such matters, not here.**

If the procedures look too complex - and there is no shame in admitting this
isn't your cup of tea - take the machine to a local, reputable and
independent (i.e., not BigBoxStoreUSA or Geek Squad) computer repair shop.
--
~Robear Dyer (PA Bear)
MS MVP-IE, Mail, Security, Windows Desktop Experience - since 2002
AumHa VSOP & Admin http://aumha.net
DTS-L http://dts-l.net/


Maurice wrote:
> One of my users managed to open a spoof email supposedly from UPS which
> unleashed a trojan - some sort of fake virus warning. I managed to remove
> the virus which has installed a .bmp file as the desktop image but then
> managed to turn off a couple of the tabs on desktop properties.
>
> When you fire up desk.cpl in Control Panel there are only three tabs:
>
> Themes
> Appearance
> Settings
>
> two missing ones:
> Desktop
> ScreenSaver
>
> So now I can't reset desktop images or set screensaver properties.
>
> I looked in Local Security Policies but couldn't find anything obvious
> there
> and can't seem to find a config file for desk.cpl which could have been
> altered.
>
> If anyone has any ideas on where to look I'd be much obliged.
>
>
>
> ps If you come across any virus writers please kill them.
>
> Thanks

Use it now and then run these cleaners:

http://www.kellys-korner-xp.com/xp_s.htm#spy

--

All the Best,
Kelly (MS-MVP/DTS&XP)

Taskbar Repair Tool Plus!
http://www.kellys-korner-xp.com/taskbarplus!.htm

SupportSpace
www.supportspace.com/pages?aiu=kellyskorner

"Maurice" <(E-Mail Removed)> wrote in message
news:66644DDC-F3F5-4802-87F7-(E-Mail Removed)...
> Hi, thanks for that link I will try that a bit later.
>
> "Elmo" wrote:
>
>> Maurice wrote:
>> > One of my users managed to open a spoof email supposedly from UPS which
>> > unleashed a trojan - some sort of fake virus warning. I managed to
>> > remove the
>> > virus which has installed a .bmp file as the desktop image but then
>> > managed
>> > to turn off a couple of the tabs on desktop properties.
>> >
>> > When you fire up desk.cpl in Control Panel there are only three tabs:
>> >
>> > Themes
>> > Appearance
>> > Settings
>> >
>> > two missing ones:
>> > Desktop
>> > ScreenSaver
>> >
>> > So now I can't reset desktop images or set screensaver properties.
>> >
>> > I looked in Local Security Policies but couldn't find anything obvious
>> > there
>> > and can't seem to find a config file for desk.cpl which could have been
>> > altered.
>> >
>> > If anyone has any ideas on where to look I'd be much obliged.
>> >
>> >
>> >
>> > ps If you come across any virus writers please kill them.
>> >
>> > Thanks
>>
>> http://www.kellys-korner-xp.com/xp_tweaks.htm
>> 128. (r-h column) Restore Desktop and Screensaver Tabs
>>
>> --
>> Joe =o)
>>

Yes it was the UPS spoof that caused the trouble. Fortunately it hadn't got
very far in doing any damage and I managed to stop it in its tracks manually
even tho McAfee at that point didn't see it.

"PA Bear [MS MVP]" wrote:

> The machine remains infected (i.e., ZLOB/Vundo/SDBot, all protected by a
> rootkit) and you've got a lot more work to do (unless you wipe & reload).
>
> cf.
> http://msmvps.com/blogs/harrywaldron...-delivery.aspx
>
> Unexplained computer behavior may be caused by deceptive software
> http://support.microsoft.com/kb/827315
>
> Run a /thorough/ check for hijackware, including posting your hijackthis log
> to an appropriate forum.
>
> Checking for/Help with Hijackware
> http://aumha.org/a/parasite.htm
> http://aumha.org/a/quickfix.htm
> http://aumha.net/viewtopic.php?t=5878
> http://wiki.castlecops.com/Malware_R...:_Introduction
> http://mvps.org/winhelp2002/unwanted.htm
> http://inetexplorer.mvps.org/data/prevention.htm
> http://inetexplorer.mvps.org/tshoot.html
> http://www.mvps.org/sramesh2k/Malware_Defence.htm
> http://defendingyourmachine2.blogspot.com/
> http://www.elephantboycomputers.com/...moving_Malware
>
> When all else fails, HijackThis v2.0.2
> (http://aumha.org/downloads/hijackthis.exe) is the preferred tool to use (in
> conjuction with some other utilities). HijackThis will NOT fix anything on
> its own, but it will help you to both identify and remove any
> hijackware/spyware with assistance from an expert. **Post your log to
> http://aumha.net/viewforum.php?f=30,
> http://forums.spybot.info/forumdisplay.php?f=22,
> http://castlecops.com/forum67.html, or other appropriate forums for review
> by an expert in such matters, not here.**
>
> If the procedures look too complex - and there is no shame in admitting this
> isn't your cup of tea - take the machine to a local, reputable and
> independent (i.e., not BigBoxStoreUSA or Geek Squad) computer repair shop.
> --
> ~Robear Dyer (PA Bear)
> MS MVP-IE, Mail, Security, Windows Desktop Experience - since 2002
> AumHa VSOP & Admin http://aumha.net
> DTS-L http://dts-l.net/
>
>
> Maurice wrote:
> > One of my users managed to open a spoof email supposedly from UPS which
> > unleashed a trojan - some sort of fake virus warning. I managed to remove
> > the virus which has installed a .bmp file as the desktop image but then
> > managed to turn off a couple of the tabs on desktop properties.
> >
> > When you fire up desk.cpl in Control Panel there are only three tabs:
> >
> > Themes
> > Appearance
> > Settings
> >
> > two missing ones:
> > Desktop
> > ScreenSaver
> >
> > So now I can't reset desktop images or set screensaver properties.
> >
> > I looked in Local Security Policies but couldn't find anything obvious
> > there
> > and can't seem to find a config file for desk.cpl which could have been
> > altered.
> >
> > If anyone has any ideas on where to look I'd be much obliged.
> >
> >
> >
> > ps If you come across any virus writers please kill them.
> >
> > Thanks
>
>

I strongly recommend post to one of the forums I cited in my previous reply,
Maurice, as the machine may be compromised (despite you seeing no outward
signs of same right now).

Maurice wrote:
> Yes it was the UPS spoof that caused the trouble. Fortunately it hadn't
> got
> very far in doing any damage and I managed to stop it in its tracks
> manually
> even tho McAfee at that point didn't see it.
>
> "PA Bear [MS MVP]" wrote:
>
>> The machine remains infected (i.e., ZLOB/Vundo/SDBot, all protected by a
>> rootkit) and you've got a lot more work to do (unless you wipe & reload).
>>
>> cf.
>> http://msmvps.com/blogs/harrywaldron...-delivery.aspx
>>
>> Unexplained computer behavior may be caused by deceptive software
>> http://support.microsoft.com/kb/827315
>>
>> Run a /thorough/ check for hijackware, including posting your hijackthis
>> log to an appropriate forum.
>>
>> Checking for/Help with Hijackware
>> http://aumha.org/a/parasite.htm
>> http://aumha.org/a/quickfix.htm
>> http://aumha.net/viewtopic.php?t=5878
>> http://wiki.castlecops.com/Malware_R...:_Introduction
>> http://mvps.org/winhelp2002/unwanted.htm
>> http://inetexplorer.mvps.org/data/prevention.htm
>> http://inetexplorer.mvps.org/tshoot.html
>> http://www.mvps.org/sramesh2k/Malware_Defence.htm
>> http://defendingyourmachine2.blogspot.com/
>> http://www.elephantboycomputers.com/...moving_Malware
>>
>> When all else fails, HijackThis v2.0.2
>> (http://aumha.org/downloads/hijackthis.exe) is the preferred tool to use
>> (in conjuction with some other utilities). HijackThis will NOT fix
>> anything on its own, but it will help you to both identify and remove any
>> hijackware/spyware with assistance from an expert. **Post your log to
>> http://aumha.net/viewforum.php?f=30,
>> http://forums.spybot.info/forumdisplay.php?f=22,
>> http://castlecops.com/forum67.html, or other appropriate forums for
>> review
>> by an expert in such matters, not here.**
>>
>> If the procedures look too complex - and there is no shame in admitting
>> this isn't your cup of tea - take the machine to a local, reputable and
>> independent (i.e., not BigBoxStoreUSA or Geek Squad) computer repair
>> shop.
>> --
>> ~Robear Dyer (PA Bear)
>> MS MVP-IE, Mail, Security, Windows Desktop Experience - since 2002
>> AumHa VSOP & Admin http://aumha.net
>> DTS-L http://dts-l.net/
>>
>>
>> Maurice wrote:
>>> One of my users managed to open a spoof email supposedly from UPS which
>>> unleashed a trojan - some sort of fake virus warning. I managed to
>>> remove
>>> the virus which has installed a .bmp file as the desktop image but then
>>> managed to turn off a couple of the tabs on desktop properties.
>>>
>>> When you fire up desk.cpl in Control Panel there are only three tabs:
>>>
>>> Themes
>>> Appearance
>>> Settings
>>>
>>> two missing ones:
>>> Desktop
>>> ScreenSaver
>>>
>>> So now I can't reset desktop images or set screensaver properties.
>>>
>>> I looked in Local Security Policies but couldn't find anything obvious
>>> there
>>> and can't seem to find a config file for desk.cpl which could have been
>>> altered.
>>>
>>> If anyone has any ideas on where to look I'd be much obliged.
>>>
>>>
>>>
>>> ps If you come across any virus writers please kill them.
>>>
>>> Thanks