wgrogers

Display Properties: Themes & Desktop have been disabled by antivirus 2009

Recently, I visited a website that tried to load the AntiVirus 2009 on my laptop.  While I did not install anything, Kaspersky failed to block it from getting to the computer.  I ran Malwarebytes immediately and it removed several threats but I had to run it a few times to get them all.  I also deleted some .exe files that were in either C: or C:/windows that didn't belong.

However, when going to display properties from the desktop (or CP), the first two tabs are disabled to the point I can't click any background image nor browse the folders.  The browse button and slide bar are greyed out and so are the images in the Background field under the Desktop tab.  I can click the "Customize Desktop" bar but not change or view other images.

I have gone to start - run - regedit and HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop and added NoChangingWallPaper w/value of (0) zero.

I've run SDFix, Malwarebytes Full Scan, in normal and safe modes, and I can't figure out where else to go to change whatever settings were changed on me.

The computer is a Dell Laptop with XP Pro SP3.  

Thank you for your help.

Greg
SOLUTION
phototropic

This solution is only available to members.
David-Howard

Malwarebytes is very good against the 2009 AV malware as well.
I recommend downloading and updating it.
You can get it free from www.malwarebytes.org
Once updated, reboot into Safe Mode (F8 at startup) and run a scan.
You should do this with your current antivirus product as well.
You may also need to download and run HiJackThis from
http://www.merijn.org/programs.php
Once you run the utility save the log file.
You can post it for free analysis here or at
www.hijackthis.de
You are primarily looking for items marked with red X's.
You can get a brief overview of Hijackthis here:
http://www.merijn.org/htlogtutorial.php
David
btan
You may want to check out this site as well for total removal
http://www.xp-vista.com/spyware-removal/antivirus2009-antivirus-2009-removal-instructions

See below for extracted ways tried successfully by others:

Make sure you shut down the antivirus 2009 before you try to delete the file from your system.
I was able to remove it by doing:
- Killed the av2009.exe process using Task Manager
- Took a look at where the Antivirus 2009 shortcut pointed (they put one on the desktop)
- Took a note of the date and time of the av2009.exe file
- Searched the Registry to see if there were any references to av2009.exe. Did not find any.
- Removed the C:\Program Files\Antivirus 2009 directory and all files
- Removed the desktop shortcut
- Removed the shortcut in the Start Menu (be aware they put it in the upper area, where Windows Update is located)
- Rebooted, but then discovered that IE was still infected, in particular when I tried to navigate to Sysinternals. Also discovered that the Security Center applet in Control Panel was not working
- Went to Windows\System32 and found 3 files from about the same time as the infection:
  - ieupdates.exe
  - scui.cpl
  - winsrc.dll
- Again, before removing the files I searched the registry and deleted references to ieupdates.exe (registered to start automatically) and winsrc.dll (registered as a COM file)
- Rebooted again and tried IE and Security Center; both are working now
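
The timestamp step in the post above can be scripted. This is an added example, not code from the thread or from any tool it names: it lists binaries in System32 whose creation or last-write time falls near that of a known-bad reference file, then checks the Run keys for references to them. The function names, the 30-minute window, the extension list and the choice of the two Run keys are assumptions; COM registrations are not covered.

```powershell
# Added example, not from the thread. Read-only: it lists, it does not delete.
function Find-FilesNearTimestamp {
    param(
        [Parameter(Mandatory = $true)] [string] $ReferenceFile,
        [string]   $SearchPath    = "$env:SystemRoot\System32",
        [int]      $WindowMinutes = 30,
        [string[]] $Extension     = @('.exe', '.dll', '.cpl', '.sys')
    )
    $ref  = Get-Item -LiteralPath $ReferenceFile -Force -ErrorAction Stop
    $from = $ref.CreationTime.AddMinutes(-$WindowMinutes)
    $to   = $ref.CreationTime.AddMinutes($WindowMinutes)
    # Check both stamps: a copied file keeps its old write time but gets a new creation time.
    Get-ChildItem -LiteralPath $SearchPath -Force -ErrorAction SilentlyContinue |
        Where-Object {
            -not $_.PSIsContainer -and
            $Extension -contains $_.Extension.ToLower() -and
            (($_.CreationTime  -ge $from -and $_.CreationTime  -le $to) -or
             ($_.LastWriteTime -ge $from -and $_.LastWriteTime -le $to))
        } |
        Select-Object FullName, CreationTime, LastWriteTime,
            @{ Name = 'Company'; Expression = { $_.VersionInfo.CompanyName } }
}

function Find-AutorunReference {
    param([Parameter(Mandatory = $true)] [string[]] $FileName)
    $runKeys = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
               'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
    foreach ($path in $runKeys) {
        $key = Get-Item -LiteralPath $path -ErrorAction SilentlyContinue
        if (-not $key) { continue }
        foreach ($valueName in $key.GetValueNames()) {
            $data = [string] $key.GetValue($valueName)
            foreach ($name in $FileName) {
                # Literal, case-insensitive substring test (no wildcard surprises)
                if ($data.IndexOf($name, [StringComparison]::OrdinalIgnoreCase) -ge 0) {
                    [pscustomobject]@{ Key = $path; Value = $valueName; Data = $data; File = $name }
                }
            }
        }
    }
}

# Usage; the reference path is assumed from the directory and file name in the post:
# $hits = Find-FilesNearTimestamp -ReferenceFile 'C:\Program Files\Antivirus 2009\av2009.exe'
# Find-AutorunReference -FileName ($hits | ForEach-Object { Split-Path $_.FullName -Leaf })
```

Legitimate files written during the same window (for example by a Windows update) will also appear, so the Company column and a scanner verdict should be checked before anything is removed.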
wgrogers

ASKER

phototropic:

Thank you, I ran the smitfraudfix and it removed the remaining background.  When I go to the Desktop Display Properties now though, I cannot select a new background or Browse the options for a background.  Is there a way to restore that function?

David-Howard:

Thank you, I ran Malwarebytes right after seeing it.  This was the 3rd time I'd gotten it, the other two times were the 2008 version which was no problem to remove.  I believe I made a mistake though when I started running Malwarebytes by running the full scan rather than the quick scan.  It never did finish and I had to shut down and start over with the quick scan.  I think that could have been part of the problem.  HJT is clean, the problem with the background did not show anywhere.  I ran Malwarebytes, SDFix, Spybot, AVG as well as Kaspersky which is on all the time.  (I d/l the free AVG, disabled Kaspersky, ran AVG and it removed a few threats, then I uninstalled it).  But this time, Malwarebytes took 3 passes before it showed clean and the desktop was still infected.

breadtan:  

Thanks for the input, I too manually scanned the registry for any reference to av2009 I could find.  I also went to the registry and added to ActiveDesktop the DWord entry: NoChangingWallPaper with a value of 0.  It made no difference with the background.
By the way, as I have been searching for a fix on the greyed out display properties for the background, I have tried the following:

1)  Find an image on the web and save as background.  (Does not work, that option is also greyed out)
2)  Go to HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System and remove item called Wallpaper.htm.  No such item as Wallpaper.htm exists in registry.

Thank you
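
The two policy keys named in the post above can be listed in one pass instead of being inspected by hand in regedit. This is an added example, not code from the thread: the function name is hypothetical, checking HKLM as well as HKCU is an assumption, and so is the rule used to mark a value as active.

```powershell
# Added example, not from the thread. Read-only listing of policy values.
function Get-DisplayPolicyValue {
    param(
        # HKLM is an assumption: the thread only edits HKCU.
        [string[]] $Hive   = @('HKCU:', 'HKLM:'),
        [string[]] $SubKey = @(
            'Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop',
            'Software\Microsoft\Windows\CurrentVersion\Policies\System'
        )
    )
    foreach ($h in $Hive) {
        foreach ($s in $SubKey) {
            $path = "${h}\${s}"
            $key  = Get-Item -LiteralPath $path -ErrorAction SilentlyContinue
            if (-not $key) {
                # A missing key means no policy is set there
                [pscustomobject]@{ Key = $path; Name = '(key absent)'; Kind = ''; Data = ''; Active = $false }
                continue
            }
            foreach ($name in $key.GetValueNames()) {
                $kind = $key.GetValueKind($name)
                $data = $key.GetValue($name)
                # Assumed convention: a non-zero DWORD turns a restriction on,
                # and non-empty string data forces a setting.
                if ($kind -eq [Microsoft.Win32.RegistryValueKind]::DWord) {
                    $active = ($data -ne 0)
                } else {
                    $active = ([string] $data -ne '')
                }
                [pscustomobject]@{ Key = $path; Name = $name; Kind = $kind; Data = $data; Active = $active }
            }
        }
    }
}

# Show what is set; rows with Active = True are the ones to look at first
Get-DisplayPolicyValue | Format-Table -AutoSize
```

A NoChangingWallPaper value of 0, as added in the post, shows up with Active = False, so any restriction still in force would be one of the other rows.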
ASKER CERTIFIED SOLUTION
This solution is only available to members.
Glad to hear you got it sorted.

Good job.