Desktop settings tabs disappear after virus attack.

Maurice

One of my users managed to open a spoof email supposedly from UPS which
unleashed a trojan - some sort of fake virus warning. I managed to remove the
virus which has installed a .bmp file as the desktop image but then managed
to turn off a couple of the tabs on desktop properties.

When you fire up desk.cpl in Control Panel there are only three tabs:

Themes
Appearance
Settings

two missing ones:
Desktop
ScreenSaver

So now I can't reset desktop images or set screensaver properties.

I looked in Local Security Policies but couldn't find anything obvious there
and can't seem to find a config file for desk.cpl which could have been
altered.

If anyone has any ideas on where to look I'd be much obliged.



ps If you come across any virus writers please kill them.

Thanks
 
Elmo

Maurice said:
One of my users managed to open a spoof email supposedly from UPS which
unleashed a trojan - some sort of fake virus warning. I managed to remove the
virus which has installed a .bmp file as the desktop image but then managed
to turn off a couple of the tabs on desktop properties.

When you fire up desk.cpl in Control Panel there are only three tabs:

Themes
Appearance
Settings

two missing ones:
Desktop
ScreenSaver

So now I can't reset desktop images or set screensaver properties.

I looked in Local Security Policies but couldn't find anything obvious there
and can't seem to find a config file for desk.cpl which could have been
altered.

If anyone has any ideas on where to look I'd be much obliged.



ps If you come across any virus writers please kill them.

Thanks

http://www.kellys-korner-xp.com/xp_tweaks.htm
128. (r-h column) Restore Desktop and Screensaver Tabs
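Tabs vanishing from desk.cpl is what Windows' own "hide tab" policy values produce, so those values are the first place to look. The script below is an added example, not part of the thread or of the linked page. The registry value names are the standard Windows policy names, and it is an assumption that they are what was changed on this machine; the `-Remove` switch is this script's own.

```powershell
# Added example (not from the thread): audit the policy values that hide
# tabs in Display Properties (desk.cpl). Run with -Remove to delete them.
param([switch]$Remove)

$subKey = 'Software\Microsoft\Windows\CurrentVersion\Policies\System'
# Standard "hide tab" policy values; assumed to be what the trojan set.
$effects = @{
    NoDispBackgroundPage = 'Desktop tab hidden'
    NoDispScrSavPage     = 'Screen Saver tab hidden'
    NoDispAppearancePage = 'Appearance tab hidden'
    NoDispSettingsPage   = 'Settings tab hidden'
    NoDispCPL            = 'Display control panel disabled'
}

# Check both the per-user and the machine-wide policy key.
$findings = foreach ($hive in 'HKCU:', 'HKLM:') {
    $path = Join-Path $hive $subKey
    if (-not (Test-Path $path)) { continue }
    $props = Get-ItemProperty -Path $path
    foreach ($name in ($effects.Keys | Sort-Object)) {
        $data = $props.$name
        # A missing value or 0 means this policy is not hiding anything.
        if ($null -ne $data -and $data -ne 0) {
            New-Object psobject -Property @{
                Path = $path; Value = $name; Data = $data; Effect = $effects[$name]
            }
        }
    }
}

if (-not $findings) {
    Write-Output 'No tab-hiding policy values are set.'
    return
}
$findings | Format-Table Path, Value, Data, Effect -AutoSize

if ($Remove) {
    foreach ($f in $findings) {
        try {
            # HKLM entries need an elevated prompt.
            Remove-ItemProperty -Path $f.Path -Name $f.Value -ErrorAction Stop
            Write-Output "Removed $($f.Value) from $($f.Path)"
        } catch {
            Write-Warning "Could not remove $($f.Value) from $($f.Path): $_"
        }
    }
}
```

On a machine where no Group Policy sets these values, finding them present is evidence of tampering worth recording before they are removed. Deleting them only brings the tabs back and says nothing about whether the machine is clean.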
 
PA Bear [MS MVP]

The machine remains infected (i.e., ZLOB/Vundo/SDBot, all protected by a
rootkit) and you've got a lot more work to do (unless you wipe & reload).

cf.
http://msmvps.com/blogs/harrywaldro...vice-fake-email-for-package-non-delivery.aspx

Unexplained computer behavior may be caused by deceptive software
http://support.microsoft.com/kb/827315

Run a /thorough/ check for hijackware, including posting your hijackthis log
to an appropriate forum.

Checking for/Help with Hijackware
http://aumha.org/a/parasite.htm
http://aumha.org/a/quickfix.htm
http://aumha.net/viewtopic.php?t=5878
http://wiki.castlecops.com/Malware_Removal_and_Prevention:_Introduction
http://mvps.org/winhelp2002/unwanted.htm
http://inetexplorer.mvps.org/data/prevention.htm
http://inetexplorer.mvps.org/tshoot.html
http://www.mvps.org/sramesh2k/Malware_Defence.htm
http://defendingyourmachine2.blogspot.com/
http://www.elephantboycomputers.com/page2.html#Removing_Malware

When all else fails, HijackThis v2.0.2
(http://aumha.org/downloads/hijackthis.exe) is the preferred tool to use (in
conjunction with some other utilities). HijackThis will NOT fix anything on
its own, but it will help you to both identify and remove any
hijackware/spyware with assistance from an expert. **Post your log to
http://aumha.net/viewforum.php?f=30,
http://forums.spybot.info/forumdisplay.php?f=22,
http://castlecops.com/forum67.html, or other appropriate forums for review
by an expert in such matters, not here.**

If the procedures look too complex - and there is no shame in admitting this
isn't your cup of tea - take the machine to a local, reputable and
independent (i.e., not BigBoxStoreUSA or Geek Squad) computer repair shop.
 
Maurice

Yes it was the UPS spoof that caused the trouble. Fortunately it hadn't got
very far in doing any damage and I managed to stop it in its tracks manually
even tho McAfee at that point didn't see it.
 
PA Bear [MS MVP]

I strongly recommend posting to one of the forums I cited in my previous reply,
Maurice, as the machine may be compromised (despite you seeing no outward
signs of same right now).
 
