I cannot change desktop background

Johnny Chimpo

Recently my laptop became infected with Aurora / Nail.exe. During this infection it would download and install a wide variety of adware/spyware and various dialers and apps. Also during infection my background changed to a red box in the center stating that Windows had dedected spyware and I should clean my pc. I'm not sure exactly what it said, but i was something like that. I finally got rid of the infection using Kaspersky personal AV Demo. I have since run Adaware, Spybot S&D and Microsoft anti spyware to clean up any remains. Also I ran CleanUP!

Problem is, now I cannot change my background. It is stuck solid blue, no red box. When I try to change it through display properties>desktop the buttons are all grayed out. If I select an image on line and set as background it still does nothing. Now when I first log in, before the the icons appear I can see my background. As soon as the icons appear my background changes to blue.

I have tried searching various forums but have not found any tips that help.
Can anyone help me get my backgrounds back?

Also, now when windows first loads, after logging in I get a message... svhost file is not found. I dont know if that is related to my background problem.

Compaq Presario 700 (900 MHZ AMD, 256 MB RAM)
WinXP Home SP2 I am current with all updates.

PangingJr

a few questions first...
you said "the buttons are all grayed out",
now, in this pic what button that grayed out? does the Browse.. is also grayed out?
if not, then try to use it to browse for a new B/G image, and then use Save As under the Themes tab to create/save a new xxxx.theme file and see.

also, click on the tab "Themes"... what is the name of theme that you are now using?
now, if the Theme name is for example "Luna", search your local drives for a file called "Luna.theme",
normally, this file will be in :\WINDOWS\Resources\... or :\WINDOWS\Resources\Themes or in your Documents folder if you used Save As to save the theme file and have not moved it to any where yet.
once you find the Luna.theme file open it with your text editor and copy the contain info of the file and post here. later.

also, open up Registry Editor and go to these two following registry keys...
"HKLM\SOFTWARE\M icrosoft\Windows\CurrentVersion\policies\ActiveDes ktop"
and
"HKCU\Software\Mi crosoft\Windows\CurrentVersion \Policies\ActiveDesktop"
and see if the registry value name "NoChangingWallpaper" is there.
if so, make sure that the dword value is set to 0 (zero).
or, backup and delete this registry value from your registry and reboot your PC. some viruses may create this registry value or change the value data to 1.

Johnny Chimpo

That is my display properties, I cannot even scroll the backgrounds. I can change the color but it will not stick.

as far themes go, I cannot change it from "modified theme".
It does not list Luna. But I found Luna in C:Windows>Resources>Themes

Below is Luna opened with notepad

; Copyright © Microsoft Corp. 1995-2001
[Theme]
DisplayName=@themeui.dll,-2017
; My Computer
[CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\DefaultIcon]
DefaultValue=%WinDir%explorer.exe,0
; My Documents
[CLSID\{450D8FBA-AD25-11D0-98A8-0800361B1103}\DefaultIcon]
DefaultValue=%WinDir%SYSTEM32\mydocs.dll,0
; My Network Places
[CLSID\{208D2C60-3AEA-1069-A2D7-08002B30309D}\DefaultIcon]
DefaultValue=%WinDir%SYSTEM32\shell32.dll,17
; Recycle Bin
[CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\DefaultIcon]
full=%WinDir%SYSTEM32\shell32.dll,32
empty=%WinDir%SYSTEM32\shell32.dll,31


[Control Panel\Cursors]
Arrow=
Help=
AppStarting=
Wait=
NWPen=
No=
SizeNS=
SizeWE=
Crosshair=
IBeam=
SizeNWSE=
SizeNESW=
SizeAll=
UpArrow=
DefaultValue=Windows default
DefaultValue.MUI=@themeui.dll,-2043
[Control Panel\Desktop]
Wallpaper=%WinDir%web\wallpaper\Bliss.bmp
Wallpaper.MUI=@themeui.dll,-2036
TileWallpaper=0
WallpaperStyle=2
Pattern=
ScreenSaveActive=1


Only the HKLM key has "nochangingwallpaper" Dword = 0

HKLM\SOFTWARE\M icrosoft\Windows\CurrentVersion\policies\ActiveDes ktop"
and
"HKCU\Software\Mi crosoft\Windows\CurrentVersion \Policies\ActiveDesktop"


If you need any more info from me just ask.

Johnny Chimpo

Also, I get this everytime I log on to windows. It appears right before my icons load.

Any idea what that is from, or if it is my problem?

Thanks.

pr0digal jenius

svchost should be there, yes...that's wierd.

PangingJr

in this case, the actual Windows system file is "svchost.exe", the svhost.exe is not and it's just a part of a virus attack.
your virus or spyware scanner may not properly remove it...

Johnny C.,

to stop the "Could not load or run..." dialog from popping up at everytime you start Windows you need to remove the regisrtry value "svhost.exe" from your Run registry keys...
to do this open your Registry Editor and go to these below registry keys...

HKCU\Software\Microsoft\Windows\CurrentVersion\Run (and RunOnce if present)
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run (and RunOnce if present)

look in the right pane for value name svhost.exe or for value data "X:\WINDOWS\system32\Svhost.exe"
and delete this value form your registry. and then, search your local drive for a file named "svhost.exe" (not svchost.exe) and remove it and reboot the PC.

as for the problem about the wallpaper...
i'm sure that this can also be fixed, it's just take time since there are/can be many registries associated with the problem... and i need to look at your registry for more info before i can give you the right solution, but i can't, you cannot sent it to me because it'll be a big file and i will not be able to recieve it since, i'm on a very slow net connection. i'll get on one of a newsgroups and PM you some links in a few mins.

in the mean time, i like to see the contain info of the xxxx.theme file that you're using now (not the Luna ones),
and i like you to D/L this .reg file --- http://www.kellys-korner-xp.com/regs...aperenable.reg
once you have the file import/merge it into your registry and reboot the PC and see if this helps,
if it does not then pls wait for my PM.

PangingJr

my surprise. there are a lot of cases that people will not be able to change their wallpaper or desktop background after some viruses or virus-like attacked.

anyway, i just posted some links on your private message,
read them and check them out. one of those fixing registry is the solution for your case.
and please, feel free to post any question you may have in this thread.

after read a few of cases and if i understand correctly this is a small registry problem, some small and not so important parts of your registry are missing, or, some value that exists in your registry are not supposed to be there. this causes the problem that you've already found in/about the desktop background only.
this's unlike some other registry problems, sometimes just a small or one missing registry key can do a lot of damages to Windows. but anyway, do a complete virus/trojan/spyware scan again.
as i said, check the links that i give you for a solution first. you could think about repair Windows install later. and if you want to do a repair install i'd suggest you to backup your files and go for a re-format and a clean Windows install instend.
i hope it won't come to this.

Johnny Chimpo

OK I tried the reg entry from Kelly's and that did not help.

Here is the theme that I am using. I cannot change away from this theme either. I tried to browse to luna and activate, but it reverts back to "modified theme", which looks the same as windows classic.

; Copyright © Microsoft Corp. 1995-2001

[Theme]

; My Computer
[CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\DefaultIcon]
DefaultValue=C:\WINDOWS\Explorer.exe,0

; My Documents
[CLSID\{450D8FBA-AD25-11D0-98A8-0800361B1103}\DefaultIcon]
DefaultValue=C:\WINDOWS\SYSTEM32\mydocs.dll,0

; My Network Places
[CLSID\{208D2C60-3AEA-1069-A2D7-08002B30309D}\DefaultIcon]
DefaultValue=C:\WINDOWS\system32\SHELL32.dll,17

; Recycle Bin
[CLSID\{645FF040-5081-101B-9F08-00AA002F954E}\DefaultIcon]
full=C:\WINDOWS\System32\shell32.dll,32
empty=C:\WINDOWS\System32\shell32.dll,31



[Control Panel\Colors]
ActiveTitle=128 0 0
Background=0 0 0
Hilight=128 0 0
HilightText=255 255 255
TitleText=255 255 255
Window=255 255 255
WindowText=0 0 0
Scrollbar=192 192 192
InactiveTitle=128 128 128
Menu=192 192 192
WindowFrame=0 0 0
MenuText=0 0 0
ActiveBorder=192 192 192
InactiveBorder=192 192 192
AppWorkspace=255 255 255
ButtonFace=192 192 192
ButtonShadow=128 128 128
GrayText=128 128 128
ButtonText=0 0 0
InactiveTitleText=192 192 192
ButtonHilight=255 255 255
ButtonDkShadow=0 0 0
ButtonLight=192 192 192
InfoText=0 0 128
InfoWindow=255 255 255
GradientActiveTitle=0 16 168
GradientInactiveTitle=186 190 201
ButtonAlternateFace=192 192 192
HotTrackingColor=128 0 0
MenuHilight=128 0 0
MenuBar=192 192 192


[Control Panel\Cursors]
Arrow=
Help=
AppStarting=
Wait=
NWPen=
No=
SizeNS=
SizeWE=
Crosshair=
IBeam=
SizeNWSE=
SizeNESW=
SizeAll=
UpArrow=
DefaultValue=Windows default
Link=

[Control Panel\Desktop]
Wallpaper=C:\WINDOWS\desktop.html
TileWallpaper=0
WallpaperStyle=0
Pattern=
ScreenSaveActive=0

[Control Panel\Desktop\WindowMetrics]

[Metrics]
IconMetrics=76 0 0 0 75 0 0 0 75 0 0 0 1 0 0 0 245 255 255 255 0 0 0 0 0 0 0 0 0 0 0 0 144 1 0 0 0 0 0 1 0 0 0 0 77 105 99 114 111 115 111 102 116 32 83 97 110 115 32 83 101 114 105 102 0 0 0 0 0 0 0 0 0 0 0 0
NonclientMetrics=84 1 0 0 1 0 0 0 13 0 0 0 13 0 0 0 19 0 0 0 19 0 0 0 241 255 255 255 0 0 0 0 0 0 0 0 0 0 0 0 188 2 0 0 0 0 0 1 0 0 0 0 84 105 109 101 115 32 78 101 119 32 82 111 109 97 110 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 17 0 0 0 17 0 0 0 243 255 255 255 0 0 0 0 0 0 0 0 0 0 0 0 188 2 0 0 0 0 0 1 0 0 0 0 84 105 109 101 115 32 78 101 119 32 82 111 109 97 110 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 18 0 0 0 18 0 0 0 243 255 255 255 0 0 0 0 0 0 0 0 0 0 0 0 144 1 0 0 0 0 0 1 0 0 0 0 84 105 109 101 115 32 78 101 119 32 82 111 109 97 110 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 243 255 255 255 0 0 0 0 0 0 0 0 0 0 0 0 144 1 0 0 0 0 0 1 0 0 0 0 84 105 109 101 115 32 78 101 119 32 82 111 109 97 110 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 243 255 255 255 0 0 0 0 0 0 0 0 0 0 0 0 144 1 0 0 0 0 0 1 0 0 0 0 84 105 109 101 115 32 78 101 119 32 82 111 109 97 110 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0

[boot]
SCRNSAVE.EXE=%WinDir%system32\logon.scr


[MasterThemeSelector]
MTSM=DABJDKT
ThemeColorBPP=4


[AppEvents\Schemes\Apps\.Default\.Default\.Current]
DefaultValue=%WinDir%media\Windows XP Ding.wav
[AppEvents\Schemes\Apps\.Default\AppGPFault\.Curren t]
DefaultValue=
[AppEvents\Schemes\Apps\.Default\Close\.Current]
DefaultValue=
[AppEvents\Schemes\Apps\.Default\DeviceConnect\.Cur rent]
DefaultValue=%WinDir%media\Windows XP Hardware Insert.wav
[AppEvents\Schemes\Apps\.Default\DeviceDisconnect\. Current]
DefaultValue=%WinDir%media\Windows XP Hardware Remove.wav
[AppEvents\Schemes\Apps\.Default\DeviceFail\.Curren t]
DefaultValue=%WinDir%media\Windows XP Hardware Fail.wav
[AppEvents\Schemes\Apps\.Default\LowBatteryAlarm\.C urrent]
DefaultValue=%WinDir%media\Windows XP Battery Low.wav
[AppEvents\Schemes\Apps\.Default\MailBeep\.Current]
DefaultValue=%WinDir%media\Windows XP Notify.wav
[AppEvents\Schemes\Apps\.Default\Maximize\.Current]
DefaultValue=
[AppEvents\Schemes\Apps\.Default\MenuCommand\.Curre nt]
DefaultValue=
[AppEvents\Schemes\Apps\.Default\MenuPopup\.Current]
DefaultValue=
[AppEvents\Schemes\Apps\.Default\Minimize\.Current]
DefaultValue=
[AppEvents\Schemes\Apps\.Default\Open\.Current]
DefaultValue=
[AppEvents\Schemes\Apps\.Default\PrintComplete\.Cur rent]
DefaultValue=
[AppEvents\Schemes\Apps\.Default\RestoreDown\.Curre nt]
DefaultValue=
[AppEvents\Schemes\Apps\.Default\RestoreUp\.Current]
DefaultValue=
[AppEvents\Schemes\Apps\.Default\RingIn\.Current]
DefaultValue=
[AppEvents\Schemes\Apps\.Default\Ringout\.Current]
DefaultValue=
[AppEvents\Schemes\Apps\.Default\SystemAsterisk\.Cu rrent]
DefaultValue=%WinDir%media\Windows XP Error.wav
[AppEvents\Schemes\Apps\.Default\SystemExclamation\ .Current]
DefaultValue=%WinDir%media\Windows XP Exclamation.wav
[AppEvents\Schemes\Apps\.Default\SystemExit\.Curren t]
DefaultValue=%WinDir%media\Windows XP Shutdown.wav
[AppEvents\Schemes\Apps\.Default\SystemHand\.Curren t]
DefaultValue=%WinDir%media\Windows XP Critical Stop.wav
[AppEvents\Schemes\Apps\.Default\SystemNotification \.Current]
DefaultValue=%WinDir%media\Windows XP Balloon.wav
[AppEvents\Schemes\Apps\.Default\SystemQuestion\.Cu rrent]
DefaultValue=
[AppEvents\Schemes\Apps\.Default\SystemStart\.Curre nt]
DefaultValue=%WinDir%media\Windows XP Startup.wav
[AppEvents\Schemes\Apps\.Default\SystemStartMenu\.C urrent]
DefaultValue=
[AppEvents\Schemes\Apps\.Default\WindowsLogoff\.Cur rent]
DefaultValue=%WinDir%media\Windows XP Logoff Sound.wav
[AppEvents\Schemes\Apps\.Default\WindowsLogon\.Curr ent]
DefaultValue=%WinDir%media\Windows XP Logon Sound.wav
[AppEvents\Schemes\Apps\Explorer\EmptyRecycleBin\.C urrent]
DefaultValue=%WinDir%media\Windows XP Recycle.wav
[AppEvents\Schemes\Apps\Explorer\Navigating\.Curren t]
DefaultValue=%WinDir%media\Windows XP Start.wav



ctrl-alt-del, I have started reading through the info from the PM you sent. Much of that I have already tried, and not helped yet. I also did thorough AV and spyware scans again, all clean. I will continue to read through what you sent me. Let me know if you need anything.

Thank you.

PangingJr

check again that the "Themes" service is set to Automatic or Manual and is Started,
then you should be able to see the theme named "Windows XP" (Luna theme) in themes tab of the Display Properties. No?

Johnny Chimpo

Themes service is set to automatic and running. I can see "Windows XP" theme, but if I select and apply, nothing changes. Still classic.

PangingJr

so, at this point there is no other problem with Windows but this desktop B/G problem ?
i'll look around in other newsgroups and let you know when i find anything.

-------

Make a registry edit (backup each registry key before deleting each value)

Delete the value named "NoChangingWallPaper" from these two registry keys
HKCU\Software\Microsoft\Windows\CurrentVersion\Pol icies\ActiveDesktop
and/or
HKLM\Software\Microsoft\Windows\CurrentVersion\Pol icies\ActiveDesktop

Delete any default wallpaper value set in this key (if it does already exist)
HKCU\Software\Policies\Microsoft\Windows\System

HKCU\Software\Microsoft\Windows\CurrentVersion\Pol icies\System
Delete these two values named "Wallpaper" and "WallpaperStyle" (if it does exist)

HKEY_USERS\.DEFAULT\Control Panel\Desktop
Modify the value data of the value named "Wallpaper"
from whatever value you're now having to "(None)"
(if it does exist)

i'll continue to add more info when i can find more...

PangingJr

this is what i've found for now about the "desktop.html"
it may not be same virus but check all the keys and values...
if they do exists, let me know which ones because some of them will need to be removed (mostly). but some of them will need to be replaced with/using atleast Windows default values.

Beg4Mercy

Hi I am new to this forum and I believe I found the answer to your question since I had the same problem. A key in your registry is probably pointing to a deleted file refered to as desktop.html

If you go into your regedit and follow this path: HKEY_CURRENT USER/SOFTWARE/MICROSOFT/WINDOWS/CURRENTVERSION/POLICIES/SYSTEM

In there you may see a key that points to the C:\Windows\Web\desktop.html

If you see that key DELETE IT. Your virus software probably found this hijack desktop viruz and deleted the infected file already.

This took me 2 days to figure out and it was this forum that helped me figure it out. THANKS and I hope this helps!

bunk

Excellent this worked I use regcool and search desktop.html and deleted all keys ( after backing up) and presto I'm FREEEEEEEEEEEEEE. Spy sheriff is the culprit for me. That company should be tarred and feathered for that POS hijack!!!!

thanks Beg4!!!

Bunk

The_Neon_Cowboy

Always use spybot, ad-aware and spyware blaster!

But I to be safe format and reinstall becouse after the system is seriouly compramised you
will never be able to 100% reverse the damage done. Alot of them adjust security settings
replace windows os files etc...

e v o

i 2nd those three. Those are the only ones that i use. More and i feel like im over doing it. I've also found that those three have the least problems working with each other...

Ben

theavenger

hey i am not sure if i should back up the C:\WINDOWS\desktop.html then delete it.. or should i just delete right away. Also if i have to back up then delete.. how do i back up..? thank you

PangingJr

that file (desktop.html) itself might not be an virus infection file or a malicious file but it is belong to a computer virus. no reason to keep it. but if you're not sure you can just zip/rar it.

but for registry... there is always a good idea for you to make a backup of your registry info before modifying it in case the original of the good values in the same registry keys/subkeys was accidentally damaged or erased during the modification process.

slashpine

Unfortunately I also got this virus which disables the background setting. I was able to undo the changes thanks to the information made public on this forum! Thank you again!

I also found out that SVCHOST.EXE in WINDOWS\SYSTEM32 was part of the virus itself.
Also, a file named KERNEL32.EXE ABC.EXE and several others are all part of the same package!!! Also, you may find a file called SYS35*.* -- these are also parts of the virus.
And another which is called VR_SYS.DLL - I think this is also part of the virus. And there was another called USER32M.EXE or something like that.

These files must be essential part of the virus, because I checked the file creation date and time. These files were created exactly at the moment when I clicked on a bad link and my computer was infected. When I discovered this, I restarted my computer from a Win98 boot disk, and I manually deleted these files. After I deleted them, the virus was gone! Actually, SpySheriff is a spyware itself. It says that your computer is infected, and you need to purchase it in order to get rid of it.


SpySheriff also adds a bunch of bad websites to your list of trusted sites! Make sure that you remove all of them! Go to Internet Options >> Security >> Trusted Sites. And click on the Sites button. You will see what I'm talking about...

swimtech

Agreed, but I can get away with using spybot manually, the others in the backround...

Honey

I found this thread doing a search on google and thanks to Beg4Mercy, my problem is also fixed! This site is great. Thanks everyone!