Desktop display problem, but solutions not working

Guest

I have what seems to be a common problem where my desktop display was
hijacked (noticed after severe virus attack). The display wallpaper cannot
be changed (though the color can be changed and the change takes place after
reboot). The problem is only with one user account; others are fine. A
desktop wallpaper that said I had an infected computer was traced to a file
desktop.html and this file was deleted (it also shows on the end of the
wallpaper list). I have tried to follow suggestions (e.g. by Dave Lipman)
and have used Multi_AV as well as current Symantec scans. Current McAfee
and Symantec reports show no viruses. Still the problem exists. I am
stumped. Any suggestions?
 
bathgate

Use this tool

AntiPuper v1.1 by secured2k
http://secured2k.home.comcast.net/tools/AntiPuper.exe

This tool unlocks the ability to change or disable the desktop background
image or active web desktop background. You will need to manually change
your desktop background.

Go to Control Panel > Display > Desktop Tab > Customize Desktop > Web Tab.
If you see any entries that are checked, uncheck them. Click OK.
 
David H. Lipman

From: "Atlas" <[email protected]>

| I have what seems to be a common problem where my desktop display was
| hijacked (noticed after severe virus attack). The display wallpaper cannot
| be changed (though the color can be changed and the change takes place after
| reboot). The problem is only with one user account; others are fine. A
| desktop wallpaper that said I had an infected computer was traced to a file
| desktop.html and this file was deleted (it also shows on the end of the
| wallpaper list). I have tried to follow suggestions (e.g. by Dave Lipman)
| and have used Multi_AV as well as current Symantec scans. Current McAfee
| and Symantec reports show no viruses. Still the problem exists. I am
| stumped. Any suggestions?

The Multi AV Scanning Tool may find some associated Trojans, but it won't fix the changes
made to the DeskTop...


Two part reply..

Perform Part 1 then perform Part 2.

If the first two parts don't work, perform the alternate utility.

It is suggested that you execute each tool in Normal Mode then in Safe Mode.

If you are using any version of Sun Java that is prior to JRE Version 5.0,
then you are strongly urged to remove any/all versions that are prior to JRE
Version 5.0. There are vulnerabilities in them and they are actively being exploited.
It is possible that is how you got infected with malware.

Therefore, it is highly suggested that if there are any prior versions of Sun Java
to Version 5 on the PC that they be removed and Sun Java JRE Version 5.0 Update 6
be installed ASAP.

http://www.java.com/en/download/manual.jsp



Part 1
-----------

Use noahdfear's SmitFraud and SpyAxe removal tool -- SmitRem.exe
http://noahdfear.geekstogo.com/click counter/click.php?id=1

http://www.bleepingcomputer.com/forums/topic36868.html


Part 2
-----------

Download SmitFraud.exe from the URL --
http://www.ik-cs.com/programs/virtools/SmitFraud.exe

Execute; SmitFraud.exe { Note: You must accept the default of C:\McAfee }
Choose; Unzip
Choose; Close

NOTE: You may have to disable your software FireWall or allow WGET.EXE to go through your
FireWall to enable WGET.EXE to download the needed McAfee related files.

Execute; c:\mcafee\clean.bat
{ or Double-click on 'Clean Link' in c:\mcafee }

A final report in HTML format called C:\mcafee\ScanReport.HTML will be generated. At the
end of the scan, it will be displayed in your browser (Opera, FireFox or Internet Explorer).
It is suggested that you move the report out of c:\mcafee before performing another scan.

ALTERNATE:

Part 1
-----------

Secured2K's SpyAxe, PSGuard, Smitfraud, Sinnaka and Alemod removal tool.

http://secured2k.home.comcast.net/tools/AntiPuper.exe

http://forums.mcafeehelp.com/viewtopic.php?t=65072


Please Copy and Paste the contents of the HTML Log file; C:\mcafee\ScanReport.HTML in your
reply.

* * * Please report back your results * * *
 
WTC

Atlas said:
I have what seems to be a common problem where my desktop display was
hijacked (noticed after severe virus attack). The display wallpaper cannot
be changed (though the color can be changed and the change takes place after
reboot). The problem is only with one user account; others are fine. A
desktop wallpaper that said I had an infected computer was traced to a file
desktop.html and this file was deleted (it also shows on the end of the
wallpaper list). I have tried to follow suggestions (e.g. by Dave Lipman)
and have used Multi_AV as well as current Symantec scans. Current McAfee
and Symantec reports show no viruses. Still the problem exists. I am
stumped. Any suggestions?

Edit the Registry.

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop]
Value Name: NoChangingWallPaper
Data type: REG_DWORD
Value Data: (0 = Unrestricted, 1 = Restricted)

Or delete "NoChangingWallpaper"
 
David H. Lipman

From: "WTC" <bcrawfordjr(remove)@hotmail.com>


|
| Edit the Registry.
|
| [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop]
| Value Name: NoChangingWallPaper
| Data type: REG_DWORD
| Value Data: (0 = Unrestricted, 1 = Restricted)
|
| Or delete "NoChangingWallpaper"
|

That's built into the Multi AV Scanning Tool already so that's not it.
That is unless malware is active and it protects that key.
 
WTC

David H. Lipman said:
From: "WTC" <bcrawfordjr(remove)@hotmail.com>


|
| Edit the Registry.
|
| [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop]
| Value Name: NoChangingWallPaper
| Data type: REG_DWORD
| Value Data: (0 = Unrestricted, 1 = Restricted)
|
| Or delete "NoChangingWallpaper"
|

That's built into the Multi AV Scanning Tool already so that's not it.

OK thanks Dave.
Does the Multi AV Tools look for this value?

[HKCU\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{576BA32B-A346-443E-9ECA-C232398B416E}User\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop]

Value Name: NoChangingWallPaper

If there is a Group Policy Refresh rate, then the reg entry in my first post
would recreate itself after the set time in this key.

[HKCU\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{576BA32B-A346-443E-9ECA-C232398B416E}User\Software\Policies\Microsoft\Windows\System]

Name: GroupPolicyRefreshTime
 
Guest

I tried Part 1, 2 and alternate. No luck with solving the problem. Tried
AntiPuper.exe also, but it couldn't find a backup WININT.dll or a McAfee
file, so this file needs to be cleaned manually, but I have no idea how
to do that! Ditto with editing the registry. Any more suggestions would be
appreciated.

As requested, a copy of McAfee report follows:
Virus Scan Report File
Virus Scan Information

McAfee VirusScan for Win32 v4.40.0
Copyright (c) 1992-2004 Networks Associates Technology Inc. All rights
reserved.
(408) 988-3832 LICENSED COPY - Sep 23 2004

Scan engine v4.4.00 for Win32.
Virus data file v4669 created Jan 06 2006
Scanning for 169582 viruses, trojans and variants.

Virus Scan Results



01/06/2006 22:09:45


Options:
/ADL /UNZIP /WINMEM /SUB /ANALYZE /PANALYZE /STREAMS /CLEAN /ALL /DEL
/PROGRAM /EXCLUDE C:\MCAFEE\EXCLIST.TXT /HTML "C:\MCAFEE\SCANREPORT.HTML"

Scanning C: []
Scanning C:\*.*

Summary report on C:\*.*
File(s)
Total files: ........... 297572
Clean: ................. 297257
Possibly Infected: ..... 0
Cleaned: ............... 0
Non-critical Error(s): 2
Master Boot Record(s): ......... 1
Possibly Infected: ..... 0
Boot Sector(s): ................ 1
Possibly Infected: ..... 0


Time: 02:16.48
 
David H. Lipman

From: "WTC" <bcrawfordjr(remove)@hotmail.com>

|>> Edit the Registry.
|>>
|>> [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop]
|>> Value Name: NoChangingWallPaper
|>> Data type: REG_DWORD
|>> Value Data: (0 = Unrestricted, 1 = Restricted)
|>>
|>> Or delete "NoChangingWallpaper"
|>>
|
| OK thanks Dave.
| Does the Multi AV Tools look for this value?
|
| [HKCU\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{576BA32B-A346-443E-9ECA-C232398B416E}User\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop]
|
| Value Name: NoChangingWallPaper
|
| If there is a Group Policy Refresh rate, then the reg entry in my first post
| would recreate itself after the set time in this key.
|
| [HKCU\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{576BA32B-A346-443E-9ECA-C232398B416E}User\Software\Policies\Microsoft\Windows\System]
|
| Name: GroupPolicyRefreshTime
|

Yes. It removes all Group Policy Objects by default...

And removes all of the following in ...\Policies\ActiveDesktop

"NoChangingWallPaper"
"NoHTMLWallPaper"
"NoEditingComponents"
"NoDeletingComponents"
"NoAddingComponents"
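
An added example, not part of the original posts and not code from the Multi AV Scanning Tool: a read-only audit of a `.reg` export of HKCU that reports which of the five values listed above are still set, both in the live `Policies\ActiveDesktop` key and in any `Group Policy Objects\{...}User` mirror of it. The function names and the sample export are constructed for illustration; a real regedit export is UTF-16 and must be decoded before being passed in.

```python
import re

# The five ActiveDesktop restriction values named in the thread.
RESTRICTIONS = ("NoChangingWallPaper", "NoHTMLWallPaper", "NoEditingComponents",
                "NoDeletingComponents", "NoAddingComponents")
HKCU = "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion"
LIVE_KEY = HKCU + "\\Policies\\ActiveDesktop"
GPO_ROOT = HKCU + "\\Group Policy Objects\\"
GPO_TAIL = "\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\ActiveDesktop"
VALUE_RE = re.compile(r'^"([^"]+)"=dword:([0-9a-fA-F]{8})$')

def parse_reg(text):
    """Parse .reg export text into {key_path: {value_name: dword}}."""
    keys, current = {}, None
    for line in (raw.strip() for raw in text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1], {})
        elif current is not None:
            m = VALUE_RE.match(line)
            if m:  # only REG_DWORD values matter for these policies
                current[m.group(1)] = int(m.group(2), 16)
    return keys

def audit(text):
    """Return sorted (source, value_name, data) for every active restriction."""
    wanted = {name.lower() for name in RESTRICTIONS}
    findings = []
    for key, values in parse_reg(text).items():
        k = key.lower()
        if k == LIVE_KEY.lower():
            source = "live"
        elif k.startswith(GPO_ROOT.lower()) and k.endswith(GPO_TAIL.lower()):
            source = "gpo"
        else:
            continue
        for name, data in values.items():
            # Registry names are case-insensitive: the thread itself spells
            # the value both "NoChangingWallPaper" and "NoChangingWallpaper".
            if name.lower() in wanted and data != 0:
                findings.append((source, name, data))
    return sorted(findings)

def reapplied(findings):
    """Names set in the live key AND mirrored under a Group Policy Objects key,
    i.e. the ones the thread says may come back after the live value is deleted."""
    live = {n.lower() for s, n, _ in findings if s == "live"}
    gpo = {n.lower() for s, n, _ in findings if s == "gpo"}
    return live & gpo

# Constructed sample export (the GUID is the one quoted in the thread).
SAMPLE = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop]
"NoChangingWallpaper"=dword:00000001
"NoHTMLWallPaper"=dword:00000000

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{576BA32B-A346-443E-9ECA-C232398B416E}User\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop]
"NoChangingWallPaper"=dword:00000001
'''

if __name__ == "__main__":
    found = audit(SAMPLE)
    for source, name, data in found:
        print(f"{source:4} {name} = {data}")
    print("also present in a Group Policy Objects key:", sorted(reapplied(found)))
```

A value that shows up under both `live` and `gpo` is the case WTC asks about: clearing only the live key leaves the copy under Group Policy Objects in place.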
 
Guest

David, I am having the same problem with my desktop as Atlas. I think I was
able to remove the viruses, but I am not positive. I am not really computer
savvy. Should I still run those anti-virus programs you suggested?
--
R. Rivera


 
David H. Lipman

From: "rosy" <[email protected]>

| David, I am having the same problem with my desktop as Atlas. I think I was
| able to remove the viruses, but I am not positive. I am not really computer
| savvy. Should I still run those anti-virus programs you suggested?

Yes... I would suggest running those utilities.
 
WTC

David H. Lipman said:
From: "WTC" <bcrawfordjr(remove)@hotmail.com>

|>> Edit the Registry.
|>>
|>> [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop]
|>> Value Name: NoChangingWallPaper
|>> Data type: REG_DWORD
|>> Value Data: (0 = Unrestricted, 1 = Restricted)
|>>
|>> Or delete "NoChangingWallpaper"
|>>
|
| OK thanks Dave.
| Does the Multi AV Tools look for this value?
|
| [HKCU\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{576BA32B-A346-443E-9ECA-C232398B416E}User\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop]
|
| Value Name: NoChangingWallPaper
|
| If there is a Group Policy Refresh rate, then the reg entry in my first post
| would recreate itself after the set time in this key.
|
| [HKCU\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{576BA32B-A346-443E-9ECA-C232398B416E}User\Software\Policies\Microsoft\Windows\System]
|
| Name: GroupPolicyRefreshTime
|

Yes. It removes all Group Policy Objects by default...

And removes all of the following in ...\Policies\ActiveDesktop

"NoChangingWallPaper"
"NoHTMLWallPaper"
"NoEditingComponents"
"NoDeletingComponents"
"NoAddingComponents"

Thanks Dave.
 
David H. Lipman

| Thanks Dave.
|

YW

I have tried to include Registry fixes in the Multi AV Scanning Tool for Local and group
policies known to be used by malware to limit a user's functionality. Often done by
malware as a "self preservation" act.

If you know any, I'd be happy to entertain them if they are not already included in the
tool. I am always looking for good feedback to improve the tool.
 
Guest

Hey I'm having the same problem with my wallpaper- I came home from running
errands one afternoon and found my computer blinking a blue screen saying i
was infected. That I needed to buy spy sheriff software. I tried to clear
out of it by turning off the computer it would not let me have access to my
computer unless I purchased the software after 2 hrs of trying to get this
screen off my computer I was able to regain use of my computer and was stuck
with a program I did not want. I tried a couple of days ago to change the
wall paper and the computer won't let me do it I've tried to restore but it
won't let me go back to the point before the blue screen, I tried to delete
the spy sheriff and it still didn't work. I am not a programmer nor a tech
but I need someone to tell me what the heck to do to fix this problem I read
the post from David H Lipm but it's all too complicated for someone who
doesn't understand all the computer terms. I'm just a person who has a
freaky problem. can you guys help me

 
David H. Lipman

From: "breezie" <[email protected]>

| Hey I'm having the same problem with my wallpaper- I came home from running
| errands one afternoon and found my computer blinking a blue screen saying i
| was infected. That I needed to buy spy sheriff software. I tried to clear
| out of it by turning off the computer it would not let me have access to my
| computer unless I purchased the software after 2 hrs of trying to get this
| screen off my computer I was able to regain use of my computer and was stuck
| with a program I did not want. I tried a couple of days ago to change the
| wall paper and the computer won't let me do it I've tried to restore but it
| won't let me go back to the point before the blue screen, I tried to delete
| the spy sheriff and it still didn't work. I am not a programmer nor a tech
| but I need someone to tell me what the heck to do to fix this problem I read
| the post from David H Lipm but it's all too complicated for someone who
| doesn't understand all the computer terms. I'm just a person who has a
| freaky problem. can you guys help me
|

You are going to just have to learn. Otherwise you'll be up against problems all the time
like this one.


Two part reply..

Perform Part 1 then perform Part 2.

If the first two parts don't work, perform the alternate utility.

It is suggested that you execute each tool in Normal Mode then in Safe Mode.


Part 1
-----------

Use noahdfear's SmitFraud and SpyAxe removal tool -- SmitRem.exe
http://noahdfear.geekstogo.com/click counter/click.php?id=1

http://www.bleepingcomputer.com/forums/topic36868.html


Part 2
-----------

Download SmitFraud.exe from the URL --
http://www.ik-cs.com/programs/virtools/SmitFraud.exe

Execute; SmitFraud.exe { Note: You must accept the default of C:\McAfee }
Choose; Unzip
Choose; Close

NOTE: You may have to disable your software FireWall or allow WGET.EXE to go through your
FireWall to enable WGET.EXE to download the needed McAfee related files.

Execute; c:\mcafee\clean.bat
{ or Double-click on 'Clean Link' in c:\mcafee }

A final report in HTML format called C:\mcafee\ScanReport.HTML will be generated. At the
end of the scan, it will be displayed in your browser (Opera, FireFox or Internet Explorer).
It is suggested that you move the report out of c:\mcafee before performing another scan.

ALTERNATE:

Secured2K's SpyAxe, PSGuard, Smitfraud, Sinnaka and Alemod removal tool.

http://secured2k.home.comcast.net/tools/AntiPuper.exe

http://forums.mcafeehelp.com/viewtopic.php?t=65072


* * * Please report back your results * * *
 
Robert Jordan

Simple easy and quick, takes less than 5 minutes not 2 hours. Use this tool

AntiPuper v1.1 by secured2k
http://secured2k.home.comcast.net/tools/AntiPuper.exe

This tool unlocks the ability to change or disable the desktop background
image or active web desktop background. You will need to manually change
your desktop background.

Go to Control Panel > Display > Desktop Tab > Customize Desktop > Web Tab.
If you see any entries that are checked, uncheck them. Click OK.





 
