Posted by Malke on December 30, 2005, 10:53 am
Leo wrote:
> On one of the accounts on my computer, running under XP, I attracted
> the SpySheriff Trojan horse last Monday. As a result the desktop of
> this account was covered with a dark blue background with a black box
> on it and stating in big red letters that the computer was infected.
> All icons were still visible. Furthermore every few seconds a pop-up
> message appeared from the task bar indicating the same.
>
> After running AdAware SE, I was able to remove quite a few files which
> were linked to this or other unwanted programs. The blue desktop
> background with the black box and red letters as well as the pop ups
> remained, however. Subsequently, I downloaded and ran Microsoft
> antiSpyware. Again a few unwanted files were found and removed from my
> PC. The blue desktop background with black box and red letters,
> however, was still there; the pop ups were gone.
> Finally, McAfee was able to find even more files which were removed. I
> am now left with the blue background, from which the black box with
> the red text is gone. I am not able to change the background of my
> desktop back to the original picture via screen properties.
>
> Furthermore, when starting up this account I now always get the
> following 2 error messages (translated from Dutch):
> VCClient.exe: Can not initialize this application properly
> (0xc0000135). Press OK to terminate the application.
> VCMain.exe: Can not initialize this application properly (0xc0000135).
> Press OK to terminate the application.
>
> In the folder C:/program files/common files a folder is present named
> “VCClient”. This contains a number of files.
>
> My other account, on the same computer, seems not to be affected.
>
> Questions:
> How can I get back the control over my desktop background and remove
> the blue background?
> What to do about the error messages when starting up the account?
> What is the function of the files in the VCClient folder; can I delete
> this? What more can I do to prevent further infections like this
> (besides not logging on to the net ;-))?

The VCClient is connected with Volcano chat and is malware. Use the
System Configuration Utility to remove the reference to it in Startup.

How to Troubleshoot By Using the Msconfig Utility in Windows XP -
http://support.microsoft.com/?id=310560

You may also want to run HijackThis and post your log to one of the
following forums (not here, please) to make sure your computer is
really clean:

http://www.aumha.org/a/hjttutor.htm - HijackThis tutorial by Merijn
http://www.bleepingcomputer.com/forums/index.php?showtutorial=42 -
another tutorial

http://aumha.net/viewforum.php?f=30
http://castlecops.com/forum67.html
http://spywarewarrior.com/viewforum.php?f=5 - Spyware Warrior HijackThis
forum
http://www.wilderssecurity.com/
http://forums.tomcoyote.org/

For the Desktop issue - Go to the Display applet in Control Panel and
look on the Desktop tab. Click on Customize Desktop, and then click on
the Web tab. You will see that there are checkmarks next to "My Current
Home Page" and probably "Lock Desktop Items". Uncheck these. By
highlighting the "My Current Home Page" and clicking on the Properties
button, you will be able to determine the name of the file that is the
message. It might be called something like "security.html" or the like.
Click Apply and OK out when you've made your changes. Then you want to
find the *.html malware file and delete it.

If you can't enable desktop backgrounds after a virus, MVP Kelly Theriot
has a fix. Look under Wallpaper-Desktop-Disable Changing here:
http://www.kellys-korner-xp.com/xp_w.htm

If Display tabs are missing, run Kelly's registry edit on line 285,
right-hand side "Restore all display tabs".

Malke
--
Elephant Boy Computers
www.elephantboycomputers.com
"Don't Panic!"
MS-MVP Windows - Shell/User
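
A read-only way to list the leftover startup references the reply says to remove, as an added example that is not part of the original post. It assumes PowerShell is available on the machine and covers only the registry Run and RunOnce keys; the name pattern is taken from the two error dialogs quoted above, and the HKCU results apply only to the account the script is run from.

```powershell
# Read-only audit of the registry autostart keys; nothing is changed or deleted.
# Assumption: the pattern below is built from the file names in the quoted error dialogs.
$pattern = 'VCClient|VCMain'

$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)

function Get-TargetPath([string]$Command) {
    # Pull the executable path out of a startup command line:
    # a quoted path first, then anything up to ".exe", then the first token.
    $expanded = [Environment]::ExpandEnvironmentVariables($Command)
    if ($expanded -match '^\s*"([^"]+)"')      { return $Matches[1] }
    if ($expanded -match '^\s*(.+?\.exe)\b')   { return $Matches[1] }
    return ($expanded.Trim() -split '\s+')[0]
}

$findings = foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $item = Get-Item $key
    foreach ($name in $item.GetValueNames()) {
        $command = [string]$item.GetValue($name)
        $target  = Get-TargetPath $command
        # Only judge existence for fully qualified paths; bare names such as
        # "rundll32.exe" are resolved through PATH and are left as unknown.
        $missing = $null
        if ($target -match '^[A-Za-z]:\\') {
            $missing = -not (Test-Path -LiteralPath $target)
        }
        [pscustomobject]@{
            Location      = $key
            Name          = $name
            Command       = $command
            MatchesPost   = ($name -match $pattern) -or ($command -match $pattern)
            TargetMissing = $missing
        }
    }
}

# Show entries that reference the names from the post, or whose target file is gone.
$findings |
    Where-Object { $_.MatchesPost -or $_.TargetMissing } |
    Format-List Location, Name, Command, MatchesPost, TargetMissing
```

Entries reported here are the ones to untick on the Startup tab of the System Configuration Utility; an entry with `TargetMissing` set points at a file a scanner has already removed.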