HardwareHeaven.com

HardwareHeaven.com

Looking for the skin chooser?
 
 
  • Home

  • Hardware reviews

  • Articles

  • News

  • Tools

  • Gaming at HardwareHeaven

  • Forums

 

Go Back   HardwareHeaven.com > Forums > Software Discussion > Windows & Other OS Discussion & Support


Windows & Other OS Discussion & Support Discuss all versions of Microsoft Windows and any other operating system, and get support if you need it.

Reply
 
Thread Tools
Old May 25, 2005, 12:09 AM   #1
DriverHeaven Junior Member
 
Join Date: Mar 2003
Location: Mass
Posts: 22
Rep Power: 0
Johnny Chimpo is on a distinguished road

Pissed I cannot change desktop background

Recently my laptop became infected with Aurora / Nail.exe. During this infection it would download and install a wide variety of adware/spyware and various dialers and apps. Also during infection my background changed to a red box in the center stating that Windows had dedected spyware and I should clean my pc. I'm not sure exactly what it said, but i was something like that. I finally got rid of the infection using Kaspersky personal AV Demo. I have since run Adaware, Spybot S&D and Microsoft anti spyware to clean up any remains. Also I ran CleanUP!

Problem is, now I cannot change my background. It is stuck solid blue, no red box. When I try to change it through display properties>desktop the buttons are all grayed out. If I select an image on line and set as background it still does nothing. Now when I first log in, before the the icons appear I can see my background. As soon as the icons appear my background changes to blue.

I have tried searching various forums but have not found any tips that help.
Can anyone help me get my backgrounds back?

Also, now when windows first loads, after logging in I get a message... svhost file is not found. I dont know if that is related to my background problem.

Compaq Presario 700 (900 MHZ AMD, 256 MB RAM)
WinXP Home SP2 I am current with all updates.
__________________
XP3000+
Soyo Kt400 Dragon Ultra Black
2 x 80gig maxtor RAID 0
1gig Corsair ddr333 2-2-2-6-1t
BFG 6800 Ultra OC
19in Sony trinitron A440
Johnny Chimpo is offline   Reply With Quote


Old May 25, 2005, 07:43 AM   #2
Member
 
Join Date: Mar 2003
Posts: 5,989
Rep Power: 82
PangingJr is just really nicePangingJr is just really nicePangingJr is just really nicePangingJr is just really nice



a few questions first...
you said "the buttons are all grayed out",
now, in this pic what button that grayed out? does the Browse.. is also grayed out?
if not, then try to use it to browse for a new B/G image, and then use Save As under the Themes tab to create/save a new xxxx.theme file and see.

also, click on the tab "Themes"... what is the name of theme that you are now using?
now, if the Theme name is for example "Luna", search your local drives for a file called "Luna.theme",
normally, this file will be in :\WINDOWS\Resources\... or :\WINDOWS\Resources\Themes or in your Documents folder if you used Save As to save the theme file and have not moved it to any where yet.
once you find the Luna.theme file open it with your text editor and copy the contain info of the file and post here. later.

also, open up Registry Editor and go to these two following registry keys...
"HKLM\SOFTWARE\M icrosoft\Windows\CurrentVersion\policies\ActiveDes ktop"
and
"HKCU\Software\Mi crosoft\Windows\CurrentVersion \Policies\ActiveDesktop"
and see if the registry value name "NoChangingWallpaper" is there.
if so, make sure that the dword value is set to 0 (zero).
or, backup and delete this registry value from your registry and reboot your PC. some viruses may create this registry value or change the value data to 1.

Last edited by Ctrl-Alt-Del; May 25, 2005 at 05:22 PM.
PangingJr is offline   Reply With Quote
Old May 27, 2005, 02:31 AM Threadstarter Thread Starter   #3
DriverHeaven Junior Member
 
Join Date: Mar 2003
Location: Mass
Posts: 22
Rep Power: 0
Johnny Chimpo is on a distinguished road


That is my display properties, I cannot even scroll the backgrounds. I can change the color but it will not stick.

as far themes go, I cannot change it from "modified theme".
It does not list Luna. But I found Luna in C:Windows>Resources>Themes

Below is Luna opened with notepad

; Copyright Microsoft Corp. 1995-2001
[Theme]
DisplayName=@themeui.dll,-2017
; My Computer
[CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\DefaultIcon]
DefaultValue=%WinDir%explorer.exe,0
; My Documents
[CLSID\{450D8FBA-AD25-11D0-98A8-0800361B1103}\DefaultIcon]
DefaultValue=%WinDir%SYSTEM32\mydocs.dll,0
; My Network Places
[CLSID\{208D2C60-3AEA-1069-A2D7-08002B30309D}\DefaultIcon]
DefaultValue=%WinDir%SYSTEM32\shell32.dll,17
; Recycle Bin
[CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\DefaultIcon]
full=%WinDir%SYSTEM32\shell32.dll,32
empty=%WinDir%SYSTEM32\shell32.dll,31


[Control Panel\Cursors]
Arrow=
Help=
AppStarting=
Wait=
NWPen=
No=
SizeNS=
SizeWE=
Crosshair=
IBeam=
SizeNWSE=
SizeNESW=
SizeAll=
UpArrow=
DefaultValue=Windows default
DefaultValue.MUI=@themeui.dll,-2043
[Control Panel\Desktop]
Wallpaper=%WinDir%web\wallpaper\Bliss.bmp
Wallpaper.MUI=@themeui.dll,-2036
TileWallpaper=0
WallpaperStyle=2
Pattern=
ScreenSaveActive=1


Only the HKLM key has "nochangingwallpaper" Dword = 0

HKLM\SOFTWARE\M icrosoft\Windows\CurrentVersion\policies\ActiveDes ktop"
and
"HKCU\Software\Mi crosoft\Windows\CurrentVersion \Policies\ActiveDesktop"


If you need any more info from me just ask.
__________________
XP3000+
Soyo Kt400 Dragon Ultra Black
2 x 80gig maxtor RAID 0
1gig Corsair ddr333 2-2-2-6-1t
BFG 6800 Ultra OC
19in Sony trinitron A440
Johnny Chimpo is offline   Reply With Quote
Old May 27, 2005, 02:45 AM Threadstarter Thread Starter   #4
DriverHeaven Junior Member
 
Join Date: Mar 2003
Location: Mass
Posts: 22
Rep Power: 0
Johnny Chimpo is on a distinguished road




Also, I get this everytime I log on to windows. It appears right before my icons load.

Any idea what that is from, or if it is my problem?

Thanks.
__________________
XP3000+
Soyo Kt400 Dragon Ultra Black
2 x 80gig maxtor RAID 0
1gig Corsair ddr333 2-2-2-6-1t
BFG 6800 Ultra OC
19in Sony trinitron A440
Johnny Chimpo is offline   Reply With Quote
Old May 27, 2005, 04:21 AM   #5
Delete Me
 
Join Date: Mar 2004
Posts: 14,526
Rep Power: 0
pr0digal jenius is a name known to allpr0digal jenius is a name known to allpr0digal jenius is a name known to allpr0digal jenius is a name known to allpr0digal jenius is a name known to allpr0digal jenius is a name known to all

svchost should be there, yes...that's wierd.
pr0digal jenius is offline   Reply With Quote
Old May 27, 2005, 05:34 AM   #6
Member
 
Join Date: Mar 2003
Posts: 5,989
Rep Power: 82
PangingJr is just really nicePangingJr is just really nicePangingJr is just really nicePangingJr is just really nice

Quote:
Originally Posted by pr0digal jenius
svchost should be there, yes...that's wierd.
in this case, the actual Windows system file is "svchost.exe", the svhost.exe is not and it's just a part of a virus attack.
your virus or spyware scanner may not properly remove it...

Johnny C.,

to stop the "Could not load or run..." dialog from popping up at everytime you start Windows you need to remove the regisrtry value "svhost.exe" from your Run registry keys...
to do this open your Registry Editor and go to these below registry keys...

HKCU\Software\Microsoft\Windows\CurrentVersion\Run (and RunOnce if present)
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run (and RunOnce if present)

look in the right pane for value name svhost.exe or for value data "X:\WINDOWS\system32\Svhost.exe"
and delete this value form your registry. and then, search your local drive for a file named "svhost.exe" (not svchost.exe) and remove it and reboot the PC.

as for the problem about the wallpaper...
i'm sure that this can also be fixed, it's just take time since there are/can be many registries associated with the problem... and i need to look at your registry for more info before i can give you the right solution, but i can't, you cannot sent it to me because it'll be a big file and i will not be able to recieve it since, i'm on a very slow net connection. i'll get on one of a newsgroups and PM you some links in a few mins.

in the mean time, i like to see the contain info of the xxxx.theme file that you're using now (not the Luna ones),
and i like you to D/L this .reg file --- http://www.kellys-korner-xp.com/regs...aperenable.reg
once you have the file import/merge it into your registry and reboot the PC and see if this helps,
if it does not then pls wait for my PM.
PangingJr is offline   Reply With Quote
Old May 27, 2005, 06:02 AM   #7
Member
 
Join Date: Mar 2003
Posts: 5,989
Rep Power: 82
PangingJr is just really nicePangingJr is just really nicePangingJr is just really nicePangingJr is just really nice

my surprise. there are a lot of cases that people will not be able to change their wallpaper or desktop background after some viruses or virus-like attacked.

anyway, i just posted some links on your private message,
read them and check them out. one of those fixing registry is the solution for your case.
and please, feel free to post any question you may have in this thread.

after read a few of cases and if i understand correctly this is a small registry problem, some small and not so important parts of your registry are missing, or, some value that exists in your registry are not supposed to be there. this causes the problem that you've already found in/about the desktop background only.
this's unlike some other registry problems, sometimes just a small or one missing registry key can do a lot of damages to Windows. but anyway, do a complete virus/trojan/spyware scan again.
as i said, check the links that i give you for a solution first. you could think about repair Windows install later. and if you want to do a repair install i'd suggest you to backup your files and go for a re-format and a clean Windows install instend.
i hope it won't come to this.

Last edited by Ctrl-Alt-Del; May 27, 2005 at 06:55 AM.
PangingJr is offline   Reply With Quote
Old May 29, 2005, 01:48 PM Threadstarter Thread Starter   #8
DriverHeaven Junior Member
 
Join Date: Mar 2003
Location: Mass
Posts: 22
Rep Power: 0
Johnny Chimpo is on a distinguished road

OK I tried the reg entry from Kelly's and that did not help.

Here is the theme that I am using. I cannot change away from this theme either. I tried to browse to luna and activate, but it reverts back to "modified theme", which looks the same as windows classic.

; Copyright Microsoft Corp. 1995-2001

[Theme]

; My Computer
[CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\DefaultIcon]
DefaultValue=C:\WINDOWS\Explorer.exe,0

; My Documents
[CLSID\{450D8FBA-AD25-11D0-98A8-0800361B1103}\DefaultIcon]
DefaultValue=C:\WINDOWS\SYSTEM32\mydocs.dll,0

; My Network Places
[CLSID\{208D2C60-3AEA-1069-A2D7-08002B30309D}\DefaultIcon]
DefaultValue=C:\WINDOWS\system32\SHELL32.dll,17

; Recycle Bin
[CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\DefaultIcon]
full=C:\WINDOWS\System32\shell32.dll,32
empty=C:\WINDOWS\System32\shell32.dll,31



[Control Panel\Colors]
ActiveTitle=128 0 0
Background=0 0 0
Hilight=128 0 0
HilightText=255 255 255
TitleText=255 255 255
Window=255 255 255
WindowText=0 0 0
Scrollbar=192 192 192
InactiveTitle=128 128 128
Menu=192 192 192
WindowFrame=0 0 0
MenuText=0 0 0
ActiveBorder=192 192 192
InactiveBorder=192 192 192
AppWorkspace=255 255 255
ButtonFace=192 192 192
ButtonShadow=128 128 128
GrayText=128 128 128
ButtonText=0 0 0
InactiveTitleText=192 192 192
ButtonHilight=255 255 255
ButtonDkShadow=0 0 0
ButtonLight=192 192 192
InfoText=0 0 128
InfoWindow=255 255 255
GradientActiveTitle=0 16 168
GradientInactiveTitle=186 190 201
ButtonAlternateFace=192 192 192
HotTrackingColor=128 0 0
MenuHilight=128 0 0
MenuBar=192 192 192


[Control Panel\Cursors]
Arrow=
Help=
AppStarting=
Wait=
NWPen=
No=
SizeNS=
SizeWE=
Crosshair=
IBeam=
SizeNWSE=
SizeNESW=
SizeAll=
UpArrow=
DefaultValue=Windows default
Link=

[Control Panel\Desktop]
Wallpaper=C:\WINDOWS\desktop.html
TileWallpaper=0
WallpaperStyle=0
Pattern=
ScreenSaveActive=0

[Control Panel\Desktop\WindowMetrics]

[Metrics]
IconMetrics=76 0 0 0 75 0 0 0 75 0 0 0 1 0 0 0 245 255 255 255 0 0 0 0 0 0 0 0 0 0 0 0 144 1 0 0 0 0 0 1 0 0 0 0 77 105 99 114 111 115 111 102 116 32 83 97 110 115 32 83 101 114 105 102 0 0 0 0 0 0 0 0 0 0 0 0
NonclientMetrics=84 1 0 0 1 0 0 0 13 0 0 0 13 0 0 0 19 0 0 0 19 0 0 0 241 255 255 255 0 0 0 0 0 0 0 0 0 0 0 0 188 2 0 0 0 0 0 1 0 0 0 0 84 105 109 101 115 32 78 101 119 32 82 111 109 97 110 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 17 0 0 0 17 0 0 0 243 255 255 255 0 0 0 0 0 0 0 0 0 0 0 0 188 2 0 0 0 0 0 1 0 0 0 0 84 105 109 101 115 32 78 101 119 32 82 111 109 97 110 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 18 0 0 0 18 0 0 0 243 255 255 255 0 0 0 0 0 0 0 0 0 0 0 0 144 1 0 0 0 0 0 1 0 0 0 0 84 105 109 101 115 32 78 101 119 32 82 111 109 97 110 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 243 255 255 255 0 0 0 0 0 0 0 0 0 0 0 0 144 1 0 0 0 0 0 1 0 0 0 0 84 105 109 101 115 32 78 101 119 32 82 111 109 97 110 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 243 255 255 255 0 0 0 0 0 0 0 0 0 0 0 0 144 1 0 0 0 0 0 1 0 0 0 0 84 105 109 101 115 32 78 101 119 32 82 111 109 97 110 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0

[boot]
SCRNSAVE.EXE=%WinDir%system32\logon.scr


[MasterThemeSelector]
MTSM=DABJDKT
ThemeColorBPP=4


[AppEvents\Schemes\Apps\.Default\.Default\.Current]
DefaultValue=%WinDir%media\Windows XP Ding.wav
[AppEvents\Schemes\Apps\.Default\AppGPFault\.Curren t]
DefaultValue=
[AppEvents\Schemes\Apps\.Default\Close\.Current]
DefaultValue=
[AppEvents\Schemes\Apps\.Default\DeviceConnect\.Cur rent]
DefaultValue=%WinDir%media\Windows XP Hardware Insert.wav
[AppEvents\Schemes\Apps\.Default\DeviceDisconnect\. Current]
DefaultValue=%WinDir%media\Windows XP Hardware Remove.wav
[AppEvents\Schemes\Apps\.Default\DeviceFail\.Curren t]
DefaultValue=%WinDir%media\Windows XP Hardware Fail.wav
[AppEvents\Schemes\Apps\.Default\LowBatteryAlarm\.C urrent]
DefaultValue=%WinDir%media\Windows XP Battery Low.wav
[AppEvents\Schemes\Apps\.Default\MailBeep\.Current]
DefaultValue=%WinDir%media\Windows XP Notify.wav
[AppEvents\Schemes\Apps\.Default\Maximize\.Current]
DefaultValue=
[AppEvents\Schemes\Apps\.Default\MenuCommand\.Curre nt]
DefaultValue=
[AppEvents\Schemes\Apps\.Default\MenuPopup\.Current]
DefaultValue=
[AppEvents\Schemes\Apps\.Default\Minimize\.Current]
DefaultValue=
[AppEvents\Schemes\Apps\.Default\Open\.Current]
DefaultValue=
[AppEvents\Schemes\Apps\.Default\PrintComplete\.Cur rent]
DefaultValue=
[AppEvents\Schemes\Apps\.Default\RestoreDown\.Curre nt]
DefaultValue=
[AppEvents\Schemes\Apps\.Default\RestoreUp\.Current]
DefaultValue=
[AppEvents\Schemes\Apps\.Default\RingIn\.Current]
DefaultValue=
[AppEvents\Schemes\Apps\.Default\Ringout\.Current]
DefaultValue=
[AppEvents\Schemes\Apps\.Default\SystemAsterisk\.Cu rrent]
DefaultValue=%WinDir%media\Windows XP Error.wav
[AppEvents\Schemes\Apps\.Default\SystemExclamation\ .Current]
DefaultValue=%WinDir%media\Windows XP Exclamation.wav
[AppEvents\Schemes\Apps\.Default\SystemExit\.Curren t]
DefaultValue=%WinDir%media\Windows XP Shutdown.wav
[AppEvents\Schemes\Apps\.Default\SystemHand\.Curren t]
DefaultValue=%WinDir%media\Windows XP Critical Stop.wav
[AppEvents\Schemes\Apps\.Default\SystemNotification \.Current]
DefaultValue=%WinDir%media\Windows XP Balloon.wav
[AppEvents\Schemes\Apps\.Default\SystemQuestion\.Cu rrent]
DefaultValue=
[AppEvents\Schemes\Apps\.Default\SystemStart\.Curre nt]
DefaultValue=%WinDir%media\Windows XP Startup.wav
[AppEvents\Schemes\Apps\.Default\SystemStartMenu\.C urrent]
DefaultValue=
[AppEvents\Schemes\Apps\.Default\WindowsLogoff\.Cur rent]
DefaultValue=%WinDir%media\Windows XP Logoff Sound.wav
[AppEvents\Schemes\Apps\.Default\WindowsLogon\.Curr ent]
DefaultValue=%WinDir%media\Windows XP Logon Sound.wav
[AppEvents\Schemes\Apps\Explorer\EmptyRecycleBin\.C urrent]
DefaultValue=%WinDir%media\Windows XP Recycle.wav
[AppEvents\Schemes\Apps\Explorer\Navigating\.Curren t]
DefaultValue=%WinDir%media\Windows XP Start.wav



ctrl-alt-del, I have started reading through the info from the PM you sent. Much of that I have already tried, and not helped yet. I also did thorough AV and spyware scans again, all clean. I will continue to read through what you sent me. Let me know if you need anything.

Thank you.
__________________
XP3000+
Soyo Kt400 Dragon Ultra Black
2 x 80gig maxtor RAID 0
1gig Corsair ddr333 2-2-2-6-1t
BFG 6800 Ultra OC
19in Sony trinitron A440
Johnny Chimpo is offline   Reply With Quote
Old May 29, 2005, 02:20 PM   #9
Member
 
Join Date: Mar 2003
Posts: 5,989
Rep Power: 82
PangingJr is just really nicePangingJr is just really nicePangingJr is just really nicePangingJr is just really nice

check again that the "Themes" service is set to Automatic or Manual and is Started,
then you should be able to see the theme named "Windows XP" (Luna theme) in themes tab of the Display Properties. No?
PangingJr is offline   Reply With Quote
Old May 29, 2005, 02:56 PM Threadstarter Thread Starter   #10
DriverHeaven Junior Member
 
Join Date: Mar 2003
Location: Mass
Posts: 22
Rep Power: 0
Johnny Chimpo is on a distinguished road

Themes service is set to automatic and running. I can see "Windows XP" theme, but if I select and apply, nothing changes. Still classic.
__________________
XP3000+
Soyo Kt400 Dragon Ultra Black
2 x 80gig maxtor RAID 0
1gig Corsair ddr333 2-2-2-6-1t
BFG 6800 Ultra OC
19in Sony trinitron A440
Johnny Chimpo is offline   Reply With Quote
Old May 29, 2005, 03:02 PM   #11
Member
 
Join Date: Mar 2003
Posts: 5,989
Rep Power: 82
PangingJr is just really nicePangingJr is just really nicePangingJr is just really nicePangingJr is just really nice

so, at this point there is no other problem with Windows but this desktop B/G problem ?
i'll look around in other newsgroups and let you know when i find anything.

-------

Make a registry edit (backup each registry key before deleting each value)

Delete the value named "NoChangingWallPaper" from these two registry keys
HKCU\Software\Microsoft\Windows\CurrentVersion\Pol icies\ActiveDesktop
and/or
HKLM\Software\Microsoft\Windows\CurrentVersion\Pol icies\ActiveDesktop

Delete any default wallpaper value set in this key (if it does already exist)
HKCU\Software\Policies\Microsoft\Windows\System

HKCU\Software\Microsoft\Windows\CurrentVersion\Pol icies\System
Delete these two values named "Wallpaper" and "WallpaperStyle" (if it does exist)

HKEY_USERS\.DEFAULT\Control Panel\Desktop
Modify the value data of the value named "Wallpaper"
from whatever value you're now having to "(None)"
(if it does exist)

i'll continue to add more info when i can find more...

Last edited by Ctrl-Alt-Del; May 29, 2005 at 05:30 PM.
PangingJr is offline   Reply With Quote
Old Jun 2, 2005, 04:56 PM   #12
Member
 
Join Date: Mar 2003
Posts: 5,989
Rep Power: 82
PangingJr is just really nicePangingJr is just really nicePangingJr is just really nicePangingJr is just really nice

Quote:
Originally Posted by Johnny Chimpo
; Copyright Microsoft Corp. 1995-2001

[Theme]
[Control Panel\Desktop]
Wallpaper=C:\WINDOWS\desktop.html
this is what i've found for now about the "desktop.html"
it may not be same virus but check all the keys and values...
if they do exists, let me know which ones because some of them will need to be removed (mostly). but some of them will need to be replaced with/using atleast Windows default values.


Quote:
http://www3.ca.com/securityadvisor/v....aspx?id=42422

The trojan sets the following registry values in order to change the Desktop wallpaper. The wallpaper is set to display the dropped web page "desktop.html", which is similar to "popup.html", except that the links to Anti spyware products are to a different domain.

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Pol icies\ActiveDesktop\NoAddingComponents = '0'

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Pol icies\ActiveDesktop\NoAddingComponents = '0'

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Pol icies\ActiveDesktop\NoChangingWallpaper = '0'

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Pol icies\ActiveDesktop\NoChangingWallpaper = '0'

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Pol icies\ActiveDesktop\NoComponents = '0'

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Pol icies\ActiveDesktop\NoComponents = '0'

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Pol icies\ActiveDesktop\NoDeletingComponents = '0'

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Pol icies\ActiveDesktop\NoDeletingComponents = '0'

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Pol icies\ActiveDesktop\NoEditingComponents = '0'

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Pol icies\ActiveDesktop\NoEditingComponents = '0'

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Pol icies\ActiveDesktop\NoHTMLWallPaper = '0'

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Pol icies\ActiveDesktop\NoHTMLWallPaper = '0'

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Pol icies\Explorer\NoActiveDesktop = '0'

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Pol icies\Explorer\ClassicShell = '0'

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Pol icies\Explorer\ForceActiveDesktopOn = '1'

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Pol icies\Explorer\NoViewContextMenu = '2'

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Pol icies\Explorer\NoViewContextMenu = '2'

HKCU\SOFTWARE\Microsoft\Internet Explorer\Desktop\General\WallpaperStyle = '2'

HKCU\SOFTWARE\Microsoft\Internet Explorer\Desktop\General\TileWallpaper = '2'

HKCU\SOFTWARE\Microsoft\Internet Explorer\Desktop\General\ComponentsPositioned = '2'

HKCU\SOFTWARE\Microsoft\Internet Explorer\Desktop\General\WallpaperFileTime = <value>

HKCU\SOFTWARE\Microsoft\Internet Explorer\Desktop\General\WallpaperLocalFileTime = <value>

HKLM\SOFTWARE\Microsoft\Internet Explorer\Desktop\General\WallpaperFileTime = <value>

HKLM\SOFTWARE\Microsoft\Internet Explorer\Desktop\General\WallpaperLocalFileTime = <value>

HKCU\SOFTWARE\Microsoft\Internet Explorer\Desktop\General\Wallpaper = "%Windows%\desktop.html"

HKCU\SOFTWARE\Microsoft\Internet Explorer\Desktop\General\BackupWallpaper = "%Windows%\desktop.html"

HKCU\SOFTWARE\Microsoft\Internet Explorer\Desktop\SafeMode\General\Wallpaper = "%Windows%\desktop.html"

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Pol icies\System\Wallpaper = "%Windows%\desktop.html"

HKCU\Control Panel\Desktop\Wallpaper = "%Windows%\desktop.html"

HKCU\Control Panel\Desktop\OriginalWallpaper = "%Windows%\desktop.html"

HKCU\Control Panel\Desktop\ConvertedWallpaper = "%Windows%\desktop.html"

HKCU\Control Panel\Desktop\ConvertedWallpaperLastWriteTime = <value>

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Exp lorer\User shell folders\Common Desktop = "C:\Desktop"

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Exp lorer\User shell folders\Common Desktop = "C:\Desktop"

HKU\SOFTWARE\Microsoft\Windows\CurrentVersion\Expl orer\Shell folders\Desktop = "C:\Desktop"

HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVer sion\Explorer\Shell folders\Desktop = "C:\Desktop"

HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVer sion\Explorer\User shell folders\Desktop = "C:\Desktop"

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Exp lorer\User shell folders\Desktop = "C:\Desktop"
PangingJr is offline   Reply With Quote
Old Jun 26, 2005, 08:23 AM   #13
DriverHeaven Newbie
 
Join Date: Jun 2005
Posts: 1
Rep Power: 0
Beg4Mercy is on a distinguished road

Hi I am new to this forum and I believe I found the answer to your question since I had the same problem. A key in your registry is probably pointing to a deleted file refered to as desktop.html

If you go into your regedit and follow this path: HKEY_CURRENT USER/SOFTWARE/MICROSOFT/WINDOWS/CURRENTVERSION/POLICIES/SYSTEM

In there you may see a key that points to the C:\Windows\Web\desktop.html

If you see that key DELETE IT. Your virus software probably found this hijack desktop viruz and deleted the infected file already.

This took me 2 days to figure out and it was this forum that helped me figure it out. THANKS and I hope this helps!

Last edited by Beg4Mercy; Aug 4, 2005 at 07:40 AM.
Beg4Mercy is offline   Reply With Quote
Old Jul 3, 2005, 03:40 PM   #14
DriverHeaven Newbie
 
Join Date: Jul 2005
Posts: 1
Rep Power: 0
bunk is on a distinguished road

Free at last

Excellent this worked I use regcool and search desktop.html and deleted all keys ( after backing up) and presto I'm FREEEEEEEEEEEEEE. Spy sheriff is the culprit for me. That company should be tarred and feathered for that POS hijack!!!!

thanks Beg4!!!

Bunk





Quote:
Originally Posted by Beg4Mercy
Hi I am new to this forum and I believe I found the answer to your question since I had the same problem. A key in your registry is probably pointing to a deleted file refered to as desktop.html

If you go into your regedit and follow this path: HKEY_CURRENT USER/SOFTWARE/MICROSOFT/WINDOWS/CURRENTVERSION/POLICIES/SYSTEM

In there you may see a key that points to the C:\Windows\Web\desktop.html

If you see that key DELETE IT. Your virus software probably found this hijack desktop viruz and deleted the infected file already.

This took me 2 days to figure out and it was this forum that helped me figure it out. THANKS and I heop this helps!
bunk is offline   Reply With Quote
Old Jul 3, 2005, 04:39 PM   #15
HardwareHeaven Extreme Member
 
The_Neon_Cowboy's Avatar
 
Join Date: Dec 2002
Location: Bloomington, Indiana, United States
Posts: 16,054
Rep Power: 138
The_Neon_Cowboy has a divinity and aura the likes we have never seenThe_Neon_Cowboy has a divinity and aura the likes we have never seenThe_Neon_Cowboy has a divinity and aura the likes we have never seenThe_Neon_Cowboy has a divinity and aura the likes we have never seenThe_Neon_Cowboy has a divinity and aura the likes we have never seenThe_Neon_Cowboy has a divinity and aura the likes we have never seenThe_Neon_Cowboy has a divinity and aura the likes we have never seenThe_Neon_Cowboy has a divinity and aura the likes we have never seenThe_Neon_Cowboy has a divinity and aura the likes we have never seenThe_Neon_Cowboy has a divinity and aura the likes we have never seenThe_Neon_Cowboy has a divinity and aura the likes we have never seen
System Specs

Always use spybot, ad-aware and spyware blaster!

But I to be safe format and reinstall becouse after the system is seriouly compramised you
will never be able to 100% reverse the damage done. Alot of them adjust security settings
replace windows os files etc...
__________________
The_Neon_Cowboy is offline   Reply With Quote
Old Jul 3, 2005, 05:04 PM   #16
HardwareHeaven Senior Member
 
Join Date: Dec 2004
Posts: 1,037
Rep Power: 0
e v o will become famous soon enoughe v o will become famous soon enough
System Specs

Donator
i 2nd those three. Those are the only ones that i use. More and i feel like im over doing it. I've also found that those three have the least problems working with each other...

Ben
__________________

e v o is offline   Reply With Quote
Old Jul 8, 2005, 04:38 PM   #17
DriverHeaven Newbie
 
Join Date: Jul 2005
Posts: 1
Rep Power: 0
theavenger is on a distinguished road

hey i am not sure if i should back up the C:\WINDOWS\desktop.html then delete it.. or should i just delete right away. Also if i have to back up then delete.. how do i back up..? thank you
theavenger is offline   Reply With Quote
Old Jul 10, 2005, 10:06 PM   #18
Member
 
Join Date: Mar 2003
Posts: 5,989
Rep Power: 82
PangingJr is just really nicePangingJr is just really nicePangingJr is just really nicePangingJr is just really nice

that file (desktop.html) itself might not be an virus infection file or a malicious file but it is belong to a computer virus. no reason to keep it. but if you're not sure you can just zip/rar it.

but for registry... there is always a good idea for you to make a backup of your registry info before modifying it in case the original of the good values in the same registry keys/subkeys was accidentally damaged or erased during the modification process.
PangingJr is offline   Reply With Quote
Old Aug 12, 2005, 02:37 AM   #19
DriverHeaven Newbie
 
Join Date: Aug 2005
Posts: 1
Rep Power: 0
slashpine is on a distinguished road

Thumbs Up!

Unfortunately I also got this virus which disables the background setting. I was able to undo the changes thanks to the information made public on this forum! Thank you again!

I also found out that SVCHOST.EXE in WINDOWS\SYSTEM32 was part of the virus itself.
Also, a file named KERNEL32.EXE ABC.EXE and several others are all part of the same package!!! Also, you may find a file called SYS35*.* -- these are also parts of the virus.
And another which is called VR_SYS.DLL - I think this is also part of the virus. And there was another called USER32M.EXE or something like that.

These files must be essential part of the virus, because I checked the file creation date and time. These files were created exactly at the moment when I clicked on a bad link and my computer was infected. When I discovered this, I restarted my computer from a Win98 boot disk, and I manually deleted these files. After I deleted them, the virus was gone! Actually, SpySheriff is a spyware itself. It says that your computer is infected, and you need to purchase it in order to get rid of it.


SpySheriff also adds a bunch of bad websites to your list of trusted sites! Make sure that you remove all of them! Go to Internet Options >> Security >> Trusted Sites. And click on the Sites button. You will see what I'm talking about...

Last edited by slashpine; Aug 12, 2005 at 02:58 AM.
slashpine is offline   Reply With Quote
Old Sep 10, 2005, 09:35 PM   #20
HardwareHeaven Extreme Member
 
swimtech's Avatar
 
Join Date: May 2002
Location: North Carolina
Posts: 3,993
Rep Power: 148
swimtech has a reputation beyond refuteswimtech has a reputation beyond refuteswimtech has a reputation beyond refuteswimtech has a reputation beyond refuteswimtech has a reputation beyond refuteswimtech has a reputation beyond refuteswimtech has a reputation beyond refuteswimtech has a reputation beyond refuteswimtech has a reputation beyond refuteswimtech has a reputation beyond refuteswimtech has a reputation beyond refute
System Specs

Quote:
Originally Posted by The_Neon_Cowboy
Always use spybot, ad-aware and spyware blaster!

But I to be safe format and reinstall becouse after the system is seriouly compramised you
will never be able to 100% reverse the damage done. Alot of them adjust security settings
replace windows os files etc...
Agreed, but I can get away with using spybot manually, the others in the backround...
swimtech is offline   Reply With Quote
Old Sep 12, 2005, 12:37 PM   #21
DriverHeaven Newbie
 
Join Date: Sep 2005
Posts: 1
Rep Power: 0
Honey is on a distinguished road

Thumbs Up!

I found this thread doing a search on google and thanks to Beg4Mercy, my problem is also fixed! This site is great. Thanks everyone!
Honey is offline   Reply With Quote
Old Feb 21, 2006, 05:07 AM   #22
DriverHeaven Newbie
 
Join Date: Feb 2006
Posts: 1
Rep Power: 0
marsh_mucker is on a distinguished road

post #13 got me out of my bind. thank you very much. it was right on the money.
marsh_mucker is offline   Reply With Quote
Old Feb 21, 2006, 01:06 PM   #23
HardwareHeaven Senior Member
 
EcPercy's Avatar
 
Join Date: Jul 2002
Location: Iraq
Posts: 1,534
Rep Power: 0
EcPercy has a spectacular aura aboutEcPercy has a spectacular aura aboutEcPercy has a spectacular aura about

Quote:
Originally Posted by The_Neon_Cowboy
But I to be safe format and reinstall becouse after the system is seriouly compramised you
will never be able to 100% reverse the damage done. Alot of them adjust security settings
replace windows os files etc...
My thoughts exactly.

I would recommend putting some sort of external harddrive on the laptop. Just put all of the important data on the external drive. (e.g. pictures, mp3, documents) That way the next time something bad happens you can just format and reload.
EcPercy is offline   Reply With Quote
Old Mar 12, 2006, 10:02 PM   #24
DriverHeaven Junior Member
 
Join Date: Mar 2006
Posts: 33
Rep Power: 0
cyclops4 is on a distinguished road

I am a veteran of the anti-spyware war and while running Spybot, SpywareBlaster and Norton Anti-Virus 2006, all completely up-to-date, I somehow managed to get infected with Spy Sheriff. I am insane about protecting myself and to this day I still do not know how it got past all three of those programs. I remember visiting Annoyances.org and then doing some other stuff and all of a sudden my desktop was locked up and Spy Sheriff was doing its whole song and dance. I download quite a bit of material from Usenet and I have never had any problems, but now everything gets scanned by Norton after that experience. That's the only other way I can think of that something crept onto my machine. I'm a Help Desk guy and have been working with computers for years, so for me to get Spy Sheriff was the ultimate embarrassment and humiliation. I hadn't gotten infected by anything before this in probably close to a year and DEFINITELY not by anything that affected my system in such an obvious way. Occasionally Spybot would pick up something and I would investigate it and delete it and that would be the end of it (for the reason I state below regarding SpywareBlaster inexplicably turning off my protection for Firefox), but this was like one of those horror stories you hear about from a few years back when CoolWebSearch or some other parasite would start changing homepages and installing dialers etc.

One thing I HAVE noticed:

When using SpywareBlaster and Mozilla Firefox, sometimes after updating or after a restart, for some reason the Mozilla Firefox protection will become disabled and must be re-enabled in SpywareBlaster. Has anyone else noticed this ?

I also wholeheartedly agree regarding the reformat and fresh installation of Windows XP Pro. If you're smart and run backups to an external source every night like you should, it's only a few hours to get your machine back to its original state if system restore fails. A reformat and reinstallation is the only way I can sleep soundly again knowing that there's not some rogue DLL lying dormant in the system32 directory somewhere. It's kind of like in Aliens, when they're talking about nuking the planet from orbit....."it's the only way to be sure".
__________________
Intel Pentium D processor 830 Dual Core @ 3.0Ghz - Intel Desktop Board D975XBX - 4GB DDR2 533 4200 Kingston Memory - nVidia GeForce 7900 GT 450MHz Core Clock 256MB DDR3 - Western Digital 320GB SATA WDCaviarSE - Gateway 21 Inch Flat Screen FPD2185W - Maxtor One Touch 120GB USB External
cyclops4 is offline   Reply With Quote
Old Mar 16, 2006, 03:06 PM   #25
DriverHeaven Newbie
 
Join Date: Mar 2006
Posts: 1
Rep Power: 0
fron261 is on a distinguished road

I also had this problem, but I have an even bigger problem along with it. Not only could I not change my background but I also cannot access the internet now. Has anyone had this porblem as well and know a fix for it? Thanks.
fron261 is offline   Reply With Quote
Old Mar 16, 2006, 07:45 PM   #26
DriverHeaven Junior Member
 
Join Date: Mar 2006
Posts: 33
Rep Power: 0
cyclops4 is on a distinguished road

I actually was uncomfortable with all the possible registry changes and potential hidden .dll files that "spy sheriff" may have left behind, so rather than manually fix it with spybot, ad aware, registryfix, norton anti-virus and a million other tools, I just reinstalled Windows XP and used my backup of the C drive from the night before to get back in business (and have no worries of future issues or an unstable OS).

This is a lesson that teaches you to backup everything overnight to an external source, so you can start fresh in a relatively short period of time without having anything lost. I do this stuff for a living and the results of "spy sheriff" frightened me enough to reinstall my OS if that tells you anything. Yeah, you can fix it manually, but I like things to remain pristine. So, now that I've lectured you, here is the solution that supposedly works from post #13:

"Hi I am new to this forum and I believe I found the answer to your question since I had the same problem. A key in your registry is probably pointing to a deleted file refered to as desktop.html

If you go into your regedit and follow this path: HKEY_CURRENT USER/SOFTWARE/MICROSOFT/WINDOWS/CURRENTVERSION/POLICIES/SYSTEM

In there you may see a key that points to the C:\Windows\Web\desktop.html

If you see that key DELETE IT. Your virus software probably found this hijack desktop viruz and deleted the infected file already.

This took me 2 days to figure out and it was this forum that helped me figure it out. THANKS and I hope this helps!"

Also, here is a link to an automatic removal tool, although I cannot guarantee its safe use, by reading the information on the site it seems legitimate to me. Read it thoroughly before using as it actually may remove a couple of files that you want to replace and you should get the replacements BEFOREHAND.

http://noahdfear.geekstogo.com/

If you're having problems accessing the net, I would first run turn off system restore, run Spybot and Ad Aware and remove anything that they find, restart into safe mode, run them again, remove anything they find, restart into normal Windows, turn system restore back on, restart and attempt to access the web again. This is your first basic step in getting rid of all the problem files that may be blocking your access to the internet. Then you can follow the above steps in making sure you get rid of EVERYTHING that it infects.
__________________
Intel Pentium D processor 830 Dual Core @ 3.0Ghz - Intel Desktop Board D975XBX - 4GB DDR2 533 4200 Kingston Memory - nVidia GeForce 7900 GT 450MHz Core Clock 256MB DDR3 - Western Digital 320GB SATA WDCaviarSE - Gateway 21 Inch Flat Screen FPD2185W - Maxtor One Touch 120GB USB External
cyclops4 is offline   Reply With Quote
Old Apr 8, 2006, 11:04 PM   #27
DriverHeaven Newbie
 
Join Date: Apr 2006
Posts: 1
Rep Power: 0
shanks is on a distinguished road

All of you using Norton and McAfee need to stop and immediately go get Avira AntiVir.

The best virus scanner available, and it's free. I guarantee you, once you use this, you won't go back.
Also, alot of times with spyware, another program that will help your issues is HijackThis. Lists alot of entrys that you normally cant get to and allows you to get rid of them. I can swear by both of these, as well as spybot s&d.
shanks is offline   Reply With Quote
Old May 13, 2006, 02:27 AM   #28
DriverHeaven Newbie
 
Join Date: May 2006
Posts: 1
Rep Power: 0
sweetnsassyntex is on a distinguished road

I'm new, too. I had spyware today. I used software to get rid of it but I cannot change my desktop display. Beg. . I tried what you said but I do not have a key that points to C:\Windows, etc. I did have that sheriff thing that guy was talking about. It's gone, now.
HELP!
My screen was blue and then I got my old wallpaper back and then it went blue, again and now it's back. I had to keep running a spyware check and deleting the trojans.
Quote:
Originally Posted by Beg4Mercy
Hi I am new to this forum and I believe I found the answer to your question since I had the same problem. A key in your registry is probably pointing to a deleted file refered to as desktop.html

If you go into your regedit and follow this path: HKEY_CURRENT USER/SOFTWARE/MICROSOFT/WINDOWS/CURRENTVERSION/POLICIES/SYSTEM

In there you may see a key that points to the C:\Windows\Web\desktop.html

If you see that key DELETE IT. Your virus software probably found this hijack desktop viruz and deleted the infected file already.

This took me 2 days to figure out and it was this forum that helped me figure it out. THANKS and I hope this helps!
sweetnsassyntex is offline   Reply With Quote
Old Dec 31, 2006, 03:41 AM   #29
DriverHeaven Newbie
 
Join Date: Dec 2006
Posts: 1
Rep Power: 0
pingram is on a distinguished road

Dec 30 2006
Thank you so much for your insight.
in June 2005 you posted this solution to a person having a problem with their desktop background

I found your answer through a google search and the other posts in the thread were way to complicated for me. Your post was simple and direct and solved my porblem right away.

It was a small problem but it was driving me crazy for several days, - thank you
Have a great day
pingram is offline   Reply With Quote
Old Jan 14, 2007, 10:30 AM   #30
DriverHeaven Newbie
 
Join Date: Jan 2007
Posts: 1
Rep Power: 0
brdbh is on a distinguished road

[COLOR=green]Dear friends,[/COLOR]
[COLOR=green][/COLOR]
[COLOR=green]I had spyware yesterday and have the desktop background problem too. Unfortunatelly I could not solve my problem. I followed all the advice here. With Avira AntiVir I identified 8 Trojan horses which now are in quarantine. Shall I delete them? What shall I do next in order to to solve the background problem? Please advise me. I am a simple pc user. [/COLOR]
[COLOR=green][/COLOR]
[COLOR=green]Thank you in advance.[/COLOR]
brdbh is offline   Reply With Quote
Reply

Thread Tools