Screen saver, wallpaper tabs disabled (AntiVirXP08)

JimmiG

A friend's computer got infected with AntiVirXP08, a fake "anti spyware" program/trojan. I have removed the trojan, but it left things a little messed up. He's running XP SP2.

It replaced the wallpaper with a fake Virus Warning box. It also removed the tab where you choose the wallpaper from the Display properties window. I changed the background by right-clicking on his original background .bmp and selecting "use as wallpaper", but I would like to restore the tab under display properties.

It also replaced the screen saver with a very elaborate fake blue screen. It switches between showing a fake blue screen and showing the Windows XP boot screen. However, it's all fake because you can alt+tab out of the screensaver. Again, the screensaver tab is also gone so I can't just disable it.

How do I restore the tabs and get rid of the screensaver?
 
How long ago did the infection happen? If it wasn't long ago, you could copy any recent changes and roll back the O/S.
 
Get rid of the associated .exe and .srv in c:\windows\system32; sort it by date and you should see it. Or there is a program to remove the spyware, I forget the name though lol
 
The trojan is already deleted. The associated tray icon that spat out warnings about viruses is gone and all randomly named .exe's have been removed from startup by Windows Defender, which I installed and ran.

The screensaver, while part of the trojan, doesn't seem to contain any trojan or malware, it's simply an elaborate fake blue screen. I've deleted the screensaver from the System32 folder now, however.

The virus must have modified the registry or something to hide the Screensaver and wallpaper tabs from display properties. I don't think it needs to be running for those to remain disabled.
 
One of the employees' computers here also had that problem when the AntiVirus2008 virus struck his laptop. This is what I did to reset his wallpaper option:

1. Start the Registry Editor (click Start, Run and enter regedit.)

2. Expand HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies.

3. Select Policies

4. If Policies contains a key named ActiveDesktop, select ActiveDesktop and delete it.

5. Now expand HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies.

6. Select Policies

7. If Policies contains a key named ActiveDesktop, select ActiveDesktop and delete it.
 
You can also restore these settings by going to: Start > Run > gpedit.msc > OK > User Configuration > Administrative Templates > Control Panel > Display. Disable anything that says "Hide...".
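Added example, not part of any post in this thread: a small Python audit that reads a regedit export of the Policies key (File > Export) and lists the display restrictions still in force, so you know what to remove before deleting anything. The value names under `Policies\System` and `Policies\ActiveDesktop` are the standard Windows policy values behind the "Hide..." settings and are an assumption here, since the thread names only the ActiveDesktop key; the sample export is constructed.

```python
import re

# Standard Windows policy values that hide Display Properties tabs or lock the
# wallpaper. Assumption: the thread names only the ActiveDesktop key, not these.
DISPLAY_POLICIES = {
    "nodispcpl": "Display control panel blocked",
    "nodispbackgroundpage": "Desktop (wallpaper) tab hidden",
    "nodispscrsavpage": "Screen Saver tab hidden",
    "nodispappearancepage": "Appearance tab hidden",
    "nodispsettingspage": "Settings tab hidden",
    "nochangingwallpaper": "wallpaper changes blocked",
}
POLICIES_ROOT = r"\software\microsoft\windows\currentversion\policies"
KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
DWORD_RE = re.compile(r'^"(?P<name>[^"]+)"=dword:(?P<hex>[0-9a-fA-F]{8})$')


def audit_reg_export(text):
    """Return (key, value_name, meaning) for each active display restriction."""
    findings, key = [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            key = m.group("key")  # remember which key the next values belong to
            continue
        m = DWORD_RE.match(line)
        if not (m and key and POLICIES_ROOT in key.lower()):
            continue  # not a DWORD value, or not under a Policies key
        meaning = DISPLAY_POLICIES.get(m.group("name").lower())
        if meaning and int(m.group("hex"), 16) != 0:  # 0 means not enforced
            findings.append((key, m.group("name"), meaning))
    return findings

# Constructed sample export, not taken from the infected machine in the thread.
SAMPLE = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop]
"NoChangingWallPaper"=dword:00000001

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"NoDispBackgroundPage"=dword:00000001
"NoDispScrSavPage"=dword:00000001
"NoDispCPL"=dword:00000000
"""

if __name__ == "__main__":
    for key, name, meaning in audit_reg_export(SAMPLE):
        print(f"{key}\\{name}: {meaning}")
```

Regedit on XP writes "Version 5.00" exports as UTF-16, so read a real export file with `open(path, encoding="utf-16")` before passing its text to `audit_reg_export`.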
 
Vundo/Zlob trojan; they've been popular over the past several months.

I've had luck cleaning it just fine using CCleaner first, then SuperAntispyware, Spybot 1.6 with updates, and SDFix.exe.
 