0

When I got to change my desktop with a pic I do it then click on apply but it wont change so from what i have read on forums I must have some sort of virus I just dont know type and what it is called I have done a hijack this and just looked at it but dont know what I can delete and what I cant is there a list of things you delete and things you keep
Many
thanks
Justlookin

5
Contributors
30
Replies
31
Views
10 Years
Discussion Span
Last Post by Chaky
0

You should copy-paste hijackthis log here and let me (and others) take a look.

It doesn't need to be a virus. Maybe your account on that PC doesn't have permission to change it. Maybe that pic you are trying to set is corrupted.... but first, hijackthis log would do.

0

Try this first - it may give a hint:
Reg keys/batch file text
==Please copy the text between the lines to a notepad [format/wordwrap unchecked] and save as showkey.bat, as type "all files", to your desktop; dclick it to run, then post the file C:\showkey.txt
__________________________________________________________
reg query HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies >C:\showkey.txt
reg query HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop >>C:\showkey.txt
__________________________________________________________

0

You should copy-paste hijackthis log here and let me (and others) take a look.

It doesn't need to be a virus. Maybe your account on that PC doesn't have permission to change it. Maybe that pic you are trying to set is corrupted.... but first, hijackthis log would do.

Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 2:59:56 PM, on 9/12/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe
C:\Program Files\Lexmark X1100 Series\lxbkbmon.exe
C:\Program Files\D-Link\AirPlus G\AirGCFG.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\MSN Toolbar Suite\DS\02.05.0001.1119\en-us\bin\WindowsSearch.exe
C:\Program Files\MSN Toolbar Suite\DS\02.05.0001.1119\en-us\bin\WindowsSearchIndexer.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\Program Files\IncrediMail\bin\IncMail.exe
C:\PROGRA~1\INCRED~1\bin\IMApp.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Program Files\HJT\Analyse.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\pchealth\helpctr\System\panels\blank.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [Lexmark X1100 Series] "C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe"
O4 - HKLM\..\Run: [nwiz] "nwiz.exe" /install
O4 - HKLM\..\Run: [D-Link AirPlus G] "C:\Program Files\D-Link\AirPlus G\AirGCFG.exe"
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKUS\S-1-5-21-329068152-1645522239-1801674531-1003\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background (User '?')
O4 - Global Startup: AutorunsDisabled
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Windows Desktop Search.lnk = C:\Program Files\MSN Toolbar Suite\DS\02.05.0001.1119\en-us\bin\WindowsSearch.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{BF96D66C-BF1B-48ED-BAC2-C03A73F50D1E}: NameServer = 203.134.64.66,203.134.65.66
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 5491 bytes
I hope I did this in the right place
Thanks Karen and Connie

0

No viruses.


Lots of softwares can set some pic as desktop wallpaper. Even Internet Explorer, when you rightclick on some pic and click on "set as background".

0

It also always goes back to the blue desktop even if I change the colour it will change but when I do a restart it goes straight back to the blue screen and Connie and I dont like it LOL
Karen and Connie( the computer)

0

Ok I have been playing around and I have discovered that when I go into desktop I try to change my theme just to xp or something it always goes back to modified theme so I dont know why that is
Many thanks
Karen and Connie

0

Here's a fix for your trouble.
It is a self-extracting .reg file that will delete "wallpaper" value in
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System
registry key.

All you need to do is unpack that small exe file and doubleclick it. Click "yes" if prompted. It will either help or do nothing.

Attachments
0

if it wont work try taking a look if ur background inteligence service is on!

0

if it wont work try taking a look if ur background inteligence service is on!

That has nothing to do with backgrounds. Its for windows update

0

Here's the description for Background Intelligent Transfer Service:

Transfers files in the background using idle network bandwidth. If the service is stopped, features such as Windows Update, and MSN Explorer will be unable to automatically download programs and other information. If this service is disabled, any services that explicitly depend on it may fail to transfer files if they do not have a fail safe mechanism to transfer files directly through IE in case BITS has been disabled.

... nothing to do with wallpapers, though.

0

I am unsure of what to do I might need some guidance how do I check these things
Karen and Connie

0

Disregard the Background Intelligent Transfer Service part of this thread. It has nothing to do with your problem. Did the fix I posted here work?

0

justlookin, if you run that batchfile I posted way earlier we will be able to see the settings which most likely are blocking you; the script only reads, it does not change or damage anything...
Or instead, you can run this line which will give a more complete listing...
Go Start, run, type cmd -press Enter, and paste this line into the black cmd window that opens and press Enter; close the window:

reg query HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies /s > C:\showkey.txt

...and post that file, C:\showkey.txt

0

I dont know how to post that page I have done that but not sure how to post the page sorry
Karen and Connie

0

You can either attach the file here (go advanced, manage attachments) or open that text file, press ctrl+a (select all) and copy-paste it here

0

finallyI got it it took some reading and re reading to understand sorry Connie can be so daft sometimes
Karen and Connie ( the computer)

Attachments
! REG.EXE VERSION 3.0

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System
0

Came clean....

Try this:

In Start/Run type

GPUPDATE

Then, again in Start/Run type

GPEDIT.MSC

Group Policy window should come up now.

Under "User Configuration" locate this branch
"Administrative Templates/Control Panel/Display"

There is "Prevent changing wallpaper" setting that should be "Not configured". If it is "Enabled" then it is preventing you from changing wallpaper.

Hmmm... That is, if you are using XP Proffesional... Home edition has no Group Policy.

0

ok I looked it says not configured so that is ok I had a virus and some online computer guy run this kaspersky thing and it got rid of all my contacts changed my desktop and since then nothing runs as it use to
Thanks again
Karen and Connie

0

ok done that no infection
maybe this is just going to be my fate
LOL
Karen and connie

0

It is obvious that kaspersky didn't remove all of the damage from Vundo. Your desktop being locked is part of that damage... there is a manual way to fix this.

Hold on... I'm making the fix.

0

justlookin, while Chaky is working on that, run this line as you did the other and post the new C:\showkey.txt ...:
reg query HKLM\Software\Microsoft\Windows\CurrentVersion\Policies /s > C:\showkey.txt

0

...and this one [its result will add to the showkey file produced by the command in the above post..]:
reg query "HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop" /s >> C:\showkey.txt

Actually, I'm not sure why I am following this path, because it is possible that you also had a Smitfraud infection of some sort which changed settings, and there is a superb detection/fix tool for that:
==Download SmitfraudFix (by S!Ri) from http://siri.urz.free.fr/Fix/SmitfraudFix.zip
Extract the content (a folder named SmitfraudFix) to your Desktop.
- Open the SmitfraudFix folder and double-click smitfraudfix.cmd, select option #1 - Search [type 1 and Enter]; a text file will appear which lists infected files (if present). It will also create a log named rapport.txt in the root of your drive, eg: Local Disk C:\ .. Please paste the report in your next reply. DO NOT RUN OPTION 2 YET!!!

0

... grrrr ...

Can't make the fix. The guy that posted the procedure for manual removal, failed to put the backslashes between the registry keys and subkeys... impossible to guess from MACHINESOFTWAREClassesATLEvents.ATLEventsCLSID is it MACHINESOFTWARE\Classes\ATLEvents.ATL\Events\CLSID
or MACHINESOFTWARE\Classes\ATL\Events.ATL\EventsCLSID without being at Connie myself.

You will have to see your registry yourself. The whole procedure, minus \'s is there.

Point of all this is to find a leftover from that trojan that is keeping you from changing the wallpaper. Just go step by step as shown, and skip missing parts until you find something that kaspersky left behind.

0

ok I have read and think I understand now do I run my hijack this or no not sure what to run or do I run that vundo thing
sorry
Karen and Connie

This topic has been dead for over six months. Start a new discussion instead.
Have something to contribute to this discussion? Please be thoughtful, detailed and courteous, and be sure to adhere to our posting rules.