Spyware - Desktop background and no desktop/taskbar

Soldato | Joined: 18 Oct 2002 | Posts: 8,700 | Location: Hereford
Hi guys, thought I'd just post all my info here regarding a nasty spyware infection that seems to have exploded everywhere over the last couple of days... Just hope it helps someone else, as it gave me quite a late night! :mad:

Machine boots as normal, logon screen and then no taskbar/desktop icons, with the desktop background changed to blue and a message (wallpaper) that reads "Warning! Spyware detected on your computer! Install an antivirus or spyware remover to clean your computer!" You can run Task Manager but most things don't work.

Machine had AVG Network Edition and was up to date.

HijackThis reports several entries related to 'Antivirus XP 2008' but removal doesn't help.

Ran 'Malwarebytes Anti-Malware' - although it finds things, the machine falls over with a STOP error about 50% through the scan - 3 different errors at different points.

Rebooted to safe mode and ran 'SDFix', which reported it needed a reboot to complete - did so (now in normal mode): no more desktop background & colour, but still no taskbar/icons.

Ran 'Malwarebytes Anti-Malware' and it found 18 (Adware.Hotbar, Rogue.Multiple, Adware.Zango, Malware.Trace) infections and completed. Rebooted.

Now I'm still at the blank desktop stage with no taskbar/icons and thinking my next step is a repair install. Unless someone else has a better idea, anyway! :)
 
There are plenty of great free spyware removal sites around. You simply have to join the forum and post a HijackThis log and someone will help you remove the infection. Sounds like you have the Vundo virus. It's a nasty little swine to remove, but it can be done. Reinstalling Windows is the last thing I do.
 
This machine has a lot of data and programs on it (100 GB+) as it acts like a file server for a parts and invoice program in a garage. I've told them time and again to get a file server; maybe this time they'll listen!

Snakedoctor, what makes you think I've got Vundo? Symptoms? From the info I've just Googled, that doesn't sound half as tricky as what I've encountered?!

Running 'ComboFix' now; might try 'sfc /scannow' before I attempt the repair install.

Got a good backup before I did anything ;) I <3 Ghost :D
 
The desktop and bootup messages are gone but I'm left with a blank background, no Start menu or icons - if I run "c:\windows\explorer.exe" from Task Manager I get "Windows cannot access the specified device, path, or file. You may not have the appropriate permissions to access the item."
 
If you have System Restore working, then boot into safe mode (if you can) and restore to a point before it became a problem....
 
Already tried that, cooljimy84, no luck! :(

Running through 'VundoFix' now, nothing found so far...
 
'VundoFix' found nothing; running through ComboFix with a script someone suggested on Experts Exchange. If successful, I'll post it here.

It's looking more and more like a repair install is going to be the best way to fix this (certainly the quickest?), which poses me another problem... This machine has no licence code stuck on it, and after asking the customer for one his reply was "I'm not sure if we had one originally, can you load one for us?"

I've got retail copies here, but that doesn't help me as the setup doesn't display a repair option (I'm thinking whoever installed it used a volume licence or OEM install?)

It's one thing after another with this damn PC! :L
 
Managed to run a repair install from a pre-SP1 original Windows XP CD I had in one of my cupboards (knew I had one somewhere!). Now it's just fingers crossed...

A combination of Malwarebytes and SDFix/ComboFix sorted the infection out for me; I'd recommend people use SDFix/ComboFix first, as they certainly found things that Malwarebytes didn't.
 
The XP Setup repair install fixed my Windows Explorer/shell issue; I'm double-checking now that the infection is removed and then I'll re-add all service packs.
 
What I did worked; I've learnt since that it is the Vundo virus.

No idea why the 'fix' I tried didn't work; I've used SDFix since to remove it a couple of times.
 
Hi, someone got this at work on a laptop.

It's a full Windows reinstall, as the program messes up so much of the registry that it's almost impossible to get it back.

Plus, did you notice that all your browsers are redirected to their 'antivirus' sign-up pages?

I don't see what viruses like this achieve, to be honest.

Luckily I had an easier time reinstalling Windows as the user had created an nLite disk
[I was pretty shocked as he is normally a bit dumb]
 
This got rid of it for good for me:

1. Directory list C:\WINDOWS\system32 and sort by date to look for files created since the infection began. In my case there were three suspicious ones:
blphcv76j0e76a.scr
lphcv76j0e76a.exe
phcv76j0e76a.bmp
Notice that part of the name is common to all of them (cv76j0e76a). Delete these files.

2. Run msconfig, click on the startup tab and untick the startup for the virus .exe file (in my case lphcv76j0e76a.exe)

3. Restart your computer.

4. Check that the virus files above have not come back. You may also need to reset the wallpaper in Control Panel Display settings.

5. Run regedit and search for items containing the "common" name (cv76j0e76a). You should find at least two (the screensaver and the startup register). Delete the items found from the registry.

6. Restart your computer again.

7. Job done!

It may remove some of the tabs from the display properties, if so the following will get them back:

Start > Run > gpedit.msc > OK > User Configuration > Administrative Templates > Control Panel > Display. Disable anything that says "Hide...".
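The manual checks in the steps above (System32 sorted by date, the msconfig Startup tab, the screensaver and wallpaper values, and the "Hide..." Display policies) can be gathered in one read-only pass. The script below is an added example and is not from this thread or any of the tools mentioned in it; it assumes PowerShell is available on the machine, and the `-NameFragment` parameter is just the shared filename part from the post (cv76j0e76a) passed in as an argument. It reports only; deleting anything stays a manual decision after you have looked at each entry.

```powershell
# Added example (not from the thread): read-only triage that mirrors the manual steps above.
# Lists System32 files changed since a date, the registry Run entries msconfig shows, the
# current user's screensaver/wallpaper values, and any Display-tab "Hide" policies that are set.
param(
    [datetime]$Since = (Get-Date).AddDays(-3),  # assumption: symptoms began within the last 3 days
    [string]$NameFragment = ''                  # e.g. 'cv76j0e76a' from the post; empty = no name filter
)

function Test-Fragment([string]$Text) {
    # True when no fragment was given, or when the text contains it (case-insensitive).
    return (-not $NameFragment) -or ($Text -like "*$NameFragment*")
}

$system32 = Join-Path $env:SystemRoot 'System32'

# Step 1: files created or written since $Since, the "sort by date" check done by hand above.
Write-Host "== Files in $system32 created/modified since $Since =="
Get-ChildItem -Path $system32 -File -Force -ErrorAction SilentlyContinue |
    Where-Object { ($_.CreationTime -ge $Since -or $_.LastWriteTime -ge $Since) -and (Test-Fragment $_.Name) } |
    Sort-Object CreationTime |
    Select-Object Name, Length, CreationTime, LastWriteTime |
    Format-Table -AutoSize

# Step 2: Run-key entries (the registry part of what msconfig's Startup tab lists).
$runKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
)
Write-Host "== Autostart (Run) entries =="
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $item = Get-ItemProperty -Path $key
    foreach ($prop in $item.PSObject.Properties) {
        if ($prop.Name -like 'PS*') { continue }   # skip PowerShell's own PSPath/PSParentPath metadata
        $value = [string]$prop.Value
        $mark = ''
        if ($NameFragment -and ($value -like "*$NameFragment*")) { $mark = '   <== matches fragment' }
        Write-Host ("{0}\{1} = {2}{3}" -f $key, $prop.Name, $value, $mark)
    }
}

# Step 5: the screensaver and wallpaper values the rogue .scr/.bmp files were hooked into.
Write-Host "== Current user screensaver / wallpaper =="
$desktop = Get-ItemProperty -Path 'HKCU:\Control Panel\Desktop'
foreach ($name in 'SCRNSAVE.EXE', 'Wallpaper') {
    $value = [string]$desktop.$name
    $mark = if ($NameFragment -and ($value -like "*$NameFragment*")) { '   <== matches fragment' } else { '' }
    Write-Host ("{0} = {1}{2}" -f $name, $value, $mark)
}

# The gpedit "Hide..." Display settings are stored as policy values; report any that are set.
Write-Host "== Display-tab policy restrictions =="
$policyKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'
if (Test-Path $policyKey) {
    $policy = Get-ItemProperty -Path $policyKey
    foreach ($name in 'NoDispCPL', 'NoDispBackgroundPage', 'NoDispScrSavPage', 'NoDispAppearancePage', 'NoDispSettingsPage') {
        if ($null -ne $policy.$name -and $policy.$name -ne 0) {
            Write-Host ("{0} is set to {1} (a Display tab is hidden)" -f $name, $policy.$name)
        }
    }
} else {
    Write-Host 'No Display policy key present.'
}
```

Run it from an elevated PowerShell prompt, for example `.\Find-RogueAutostart.ps1 -NameFragment cv76j0e76a -Since (Get-Date '2008-09-01')` (the script name and the date are placeholders; use the date the symptoms started). Filtering System32 by creation time is the useful part: a fresh .scr, .exe and .bmp sharing a random-looking stem and appearing together on the same day is the pattern the post describes, and a Run value or SCRNSAVE.EXE entry pointing at one of them is what should be backed up (export the key) and then removed by hand.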
 