[milehighguy]

Greetings,

Since my computer scans clean of malware, I'm wondering if this is a W2K reconfiguration issue now.

I'm running Windows 2000 on a laptop which I use with a wireless hub at home, then bring to the office to connect to an ISP/LAN which browses via a DSL.

I recently cleaned out some viruses and Trojans, and now find my desktop wallpaper locked up with desktops icons against a black background. (Wallpaper is visible during boot-up, but once the desktop icons appear, the desktop goes black). Certain other changes have taken place as well - such as the removal of my PopUpCop toolbar button, and toolbar lockup - upon reinstall of PopUpCop, I'm not allowed to have it add its toolbar button.

My post clean-up scans are running clean, so I'm wondering if I was a little too zealous in deleting files and screwed up my registry targets.

Recent experience with a disabled Task Manager has taught me malware can lock features. As a result, I've become familiar with registry settings such as NoChangingWallpaper. It seems to be in normal (not disabled) setting:

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop\NoChangingWallpaper = 0

However, when I click Start/Settings/Control Panel/Display/Background, I'm unable to activate any choices, and wallpaper is locked to an IE icon with the word "desktop". Elsewhere in these forums I've read about "desktop.html"
and in fact found the following registry setting:

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System Wallpaper REG_SZ C:\WINDOWS\desktop.html

... although there is no such file "desktop.html" on the machine.

So I'm wondering - if this System Wallpaper setting is the source of the wallpaper lockup, what should this entry actually read? Are there other wallpaper settings elsewhere in the registry I should check? And what about registry settings that have locked the toolbar from adding buttons?

Unfortunately, I have no pre-cleanup backups. Is there a way to reacquire the original W2K install defaults for desktop and toolbar permissions?

Thanks,

Milehighguy

[Advertisements]

hello and welcome to geeks to go,

• Right-click desktop, then Properties
• Under Desktop Tabs, click Customize Desktop
• Under the Web Tab, uncheck all the boxes My Current Home Page box and Lock up

[kool808]

hello and welcome to geeks to go,

• Right-click desktop, then Properties
• Under Desktop Tabs, click Customize Desktop
• Under the Web Tab, uncheck all the boxes My Current Home Page box and Lock up

[milehighguy]

Hi,

I unclicked the jpg chosen under Web ... "Lock Desktop Items" was not selected, so I left it alone.

No change.

[kool808]

Have you tried an online virus scan at this sites: Trend Micro or Panda Scan.

This might help too Win 2000

[milehighguy]

Yes, I've done the full roster of virus scans - all say the machine is clean. I'm finding more and more references in malware forums to locked up wallpapers post-cleanup - seems to be a new phenom.

Anyway, at this point I'm pretty confident its a registry and/or permissions settings issue.

[kool808]

ok, just to be sure that you are malware free download HijackThis 1.99.1, Save it to C:\HJT. Read this short tutorial HERE. Close all windows, disconnect from the internet, open HijackThis then press SCAN. Save a Log, then post it here. If the Log verifies that you have a malware then I need you to post at the HijackThis Forum.

[milehighguy]

Here's the scan I did last night - nothing has changed.

Logfile of HijackThis v1.99.1
Scan saved at 8:51:25 PM, on 6/4/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\system32\gearsec.exe
C:\WINDOWS\system32\gearsec.exe
C:\WINDOWS\system32\regsvc.exe
C:\WINDOWS\system32\MSTask.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\system32\stisvc.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\system32\WFXSVC.EXE
C:\WINDOWS\System32\WBEM\WinMgmt.exe
C:\Program Files\Symantec\WinFax\WFXMOD32.EXE
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\wfxsnt40.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Program Files\11Wave\WaveBuddy WLAN Card & Adapter Utility\WlanMonitor.exe
C:\Program Files\Hijackthis\HijackThis.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program
Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} -
C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: PopUpCop - {DB43E4E6-FF8A-4018-8C8E-F68587A44A73} -
C:\PROGRA~1\PopUpCop\PopUpCop.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [WinFaxAppPortStarter] wfxsnt40.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - Global Startup: Acrobat Assistant.lnk = Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: Microsoft Office.lnk = Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: WLAN Configuration & Monitor Utility.lnk = 11Wave\WaveBuddy WLAN Card & Adapter
Utility\WlanMonitor.exe
O8 - Extra context menu item: Open Image in New Window - res://C:\Program
Files\PopUpCop\popupcop.dll/imagenew
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) -
http://software-dl.r...ip/RdxIE601.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) -
http://a840.g.akamai...all/xscan53.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{742D85CE-90EE-4A2B-B6E6-B62C03C94EB0}: NameServer =
67.97.234.4,151.164.1.8
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. -
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. -
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. -
C:\WINDOWS\System32\dmadmin.exe
O23 - Service: GEARSecurity - GEAR Software - C:\WINDOWS\system32\gearsec.exe
O23 - Service: GEARSecurity_BackUp - GEAR Software - C:\WINDOWS\system32\gearsec.exe
O23 - Service: GoToMyPC - Unknown owner - \\Jesse\jesse\Program Files\Expertcity\GoToMyPC\g2svc.exe"
-service (file missing)
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. -
C:\WINDOWS\wanmpsvc.exe
O23 - Service: WinFax PRO (wfxsvc) - Symantec Corporation - C:\WINDOWS\system32\WFXSVC.EXE

[kool808]

ok, I have found one malware from your download program files(DPF). The PopUpCop is a legitimate program file. We help you on this matter, but on my recent position as a Geek in training I do not have the full priviledge to discuss the fixes with regards to HijackThis. Please post this HJT log in the Malware Forum. If they have declared you be cleaned, please come back to this topic-forum so we can discussed the said situations.

[milehighguy]

OK. In the meantime, what is the file you found in DPF?

[kool808]

I sorry, I cannot give further information on that matter, I am binded within the limits of the guidelines.

[milehighguy]

Okay, then. Did some research at:

http://www.microsoft...entry/93252.asp

and:

http://www.microsoft...entry/93214.asp

And fixed it myself.



What I ended up doing was deleting the registry entries for:

HKCU/Software/Microsoft/Windows/Current Version/Policies/...

Active Desktop/NoChangingWallpaper ("If the value is 0 (or not in the registry) The policy is disabled or not configured. Options on the Background tab are enabled." Since Options in the Background tab were NOT enabled - I opted to delete the entry altogether.

and

System/Wallpaper ("If this entry does not appear in the registry, no wallpaper is displayed by default, but users can select the wallpaper of their choice.")

Voila. Full control restored.