Unwanted software installed that display silly jokes on the desktop

[cdestefani]

Hi,

I was about to send you the pics I mentioned before and found further opinions and suggestions from you on getting into the registry.

I should not have problems with editing the registry if required. I will read you answer and implemented it. I will send my reply after with findings/problems and solutions too!!

In the meantime, I send on this message the pics I just saved FYI only I think. These will give you a clear picture of what I see when I try to change the background.

Thanks,

Carlos
=

[cdestefani]

Hi,

I implemented your suggestions, downloaded the ERUNT, installed it and backed up the registry. Then I went to the regedit, opened all the keys down to policies, but not all of them are present, key1 ("Policies\System") is missing.

I saved a JPG for both present and exported the registry branches. Please, find attached all these files.

Looking at the txt files, the last lines on both should be delete it in my opinion, but I do not know what the previous two really mean. I look forward to your next one. Thanks.

Carlos
=

[oldman]

Hi Carlos

One thing I forgot to ask. On the the themes tab, is a theme selected? I  believe the xp default is "Luna".

Check that, post back.

You may as well check this key also

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ActiveDesktop

The screenshots are fine, no need for the notepads.

[cdestefani]

HI,

Thanks for your answer. Here follows the pics attached:

- Desktop Themes
- Active Desktop (sent also on my previous one)
- Registry Editor.

The last one is attached because you asked in your previous for an HKLM key that it does not exit in my PC. I searched the registry with the option "Find" but found nothing with HKLM.

The Entry HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ActiveDesktop is found in HKEY_Current_User\.....\ActiveDesktop (picture attached)

I hope this will hep you anyway.

Looking forward to yours.

Thanks,

Carlos
=

[oldman]

Hi Carlos.

I didn't see this entry in any of the keys you have posted. I think there is at least one key pointed at it.

Use the find function in the registry editor and look for this
desktop.html

If found it will probably look like this
[/b]Wallpaper=C:\WINDOWS\desktop.html[/b]

Let me know where you find it/them. If present, is in likelyhood the cause of the problem.

Thanks

[cdestefani]

HI,

I searched in every section of the registry and also highlihted "My Computer" and searched the whole registry and the entry "Desktop.html" was not found.

It seems like this may not be the probelm according to your last sentence. I do not have any idea where the problem may be, so I can't suggest/ask anything. Can you?

Thanks,

Carlos
=

[oldman]

Hi Carlos

I'm sure this is the remnants of a desktop hiacking. It's just a matter of finding the offending entry.

That was the common filename I had you search for.
A couple of others are Wallpaper.htm and Wallpaper.html

Look at this key, anything wallpaper or desktop related?
Post a screenshot.
HKEY_CURRENT_USER\Control Panel\Desktop

[cdestefani]

HI,

Thanks for your suggestions.

I searched for both Wallpaper htm and html, but found nothing as such.

Then, I opened the HKEY entry and has a "ConvertedWallpaper Last WriteTime" and "PaintDesktopVersion" entries related to Wallpaper and Desktop. However, there are two entries with "Foreground....FlasCount and TimeOut". Are these two related to the problem?

I attach the JPG of this section. Please, have a look at this one.

I look forward to your next one.

Thanks,

Carlos
=

[oldman]

Well, don't see anyhting there.

Try this

1. Click Start - Run - type GPEDIT.MSC and press Enter
2. Expand to User Configuration - Administrative Templates - Control Panel -
Display
3. On the right-side pane double-click the entry "Prevent Changing Wallpaper"
4. If the value is set to "Not Configured" or "Enable" then set it to
"Disable

About all I have left is creating a new user account with admin rights and see if the problem still exists. I'm not sure if a scan tool will show the offending reg key.

[cdestefani]

HI,

I tried the GPEDIT option but there was no changes.

Then I kept on searching the web and found what it follows, which is a section (relevant) to my problem. I also attach a JPG for your information.
 This is part of the message

________________________________________
Windows XP: cannot change desktop background [title of the message]

http://forums.cnet.com/5208-6142_102-0.html?forumID=5&threadID=254404&messageID=2527520

The person with the problem posted the following

Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop]
"NoChangingWallpaper"=dword:00000000
"NoComponents"=dword:00000000
"NoAddingComponents"=dword:00000000
"NoDeletingComponents"=dword:00000000
"NoEditingComponents"=dword:00000000
"NoHTMLWallPaper"=dword:00000000
"NoCloseDragDropBands"=dword:00000000
"NoMovingBands"=dword:00000000

The other person recommended

All those entries with "No" would be removed.

Good work!! Great sleuthing.

Bob
____________________________________________________________________________

If I look at my registry I find the JPG attached.

Do I delete those two entries below Default? What do you think? Do I try?

Thanking you in advance.

Regards,

Carlos
=

[oldman]

Hi Carlos

I found many similar ones. Anything with a data of 0 is off. It's the same thing as that value not being there. It won't hurt.

"NoChangingWallpaper"=dword:00000000 means off
"NoChangingWallpaper"=dword:00000001 means on

Every key you posted the values where set to off or missing, which as I mentioned are the same.

Here are some of the links I just came across

http://www.softwaretipsandtricks.com/forum/windows-xp/13341-cant-change-desktop-background.html

More at the bottom of that one

Read this one carefully before trying it since you did mention a problem with bootini It's possible that wininet.dll was damaged. Use ERUNT before you try anything though.

http://noahdfear.geekstogo.com/

The search words I used where can't change background and can't change desktop

[cdestefani]

Hi,

Well, I have to come back to you requesting further assistance. The problem is that whatever I fix with HijackThis last only for a very short time.

Yesterday I run it and found all the entries again, so I rebooted the PC in Safe Mode this time, disable TeaTimer and followed all your instructions. At the end I run again HJT and saved the log [in save mode].

This morning run again HJT and everything is there again, saved the log as user. Both logs are attached.

Last night also was looking at the registry and found in
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\NonEnum

In this location there are three entries with similar writing than those O2 - BHO.... that HJT finds. Besides these entries have a set value different than "0", so I presume they are active. Are those entries a problem?

Then, searching further for cleaning malware entries I came across with SAV32CLI. May this software be more reliable than HJT and remove those entries in the registry once and for all? How familiar are you with this software?

When do I reset TeaTimer? Because since I disabled it you never told me to enable it again.

Thanks for all your comments on this. Honestly this trouble is giving me more headache than I expected!!

Regards,

Carlos
=

[oldman]

Hi Carlos

Windows uses names like that in many places. I don't know if they are default or not.

What I do see is some other entries that lead me to suspect there is still some malware activity.

The BHOs with the missing files range from legitimate entries to bad ones to unidentified.

I think we should look deeper. This scanner will show us what HJT shows us and more.

Please download Deckard's System Scanner (DSS) and save it to your Desktop.

• Close all other windows before proceeding.
• Double-click on dss.exe and follow the prompts.
  
• When it has finished, dss will open two Notepads main.txt and extra.txt  -- please copy (CTRL+A and then CTRL+C) and paste (CTRL+V) the contents of main.txt into your nxt reply.
  
  Please note: some firewalls may warn that sigcheck.exe is trying to access the internet - please ensure that you allow sigcheck.exe permission to do so.
  

ps: please leave teatimer off, it can interfere with any fixes you may have to do. I'll give you instructions on starting it when we are done.

[cdestefani]

This is the main.txt content: I've got problems in sending it as part of the message, it gives me the following message:

"The message exceeds the maximum allowed length (10000 characters)."

So, I decided to attach the txt file instead.

Thanks,

Carlos
=

[oldman]

Hi Carlos. There's a bit showing in the log. Please attach the extra.txt. It should be at C:\DEckard.

Do you know what this folder is?
C:\Antivirus

Thanks