The original version of this page can be found at : http://forum.bullguard.com/forum/12/Cant-change-wallpaper-after-sp_22825.html
Posted By : lenc - 11-9-2005 10:41
Hello, recently my computer got infected with SpySheriff. The usual blue screen with the "INFECTED COMPUTER" wallpaper was on my screen and there was no way to change the wallpaper. I used Spy Sweeper to get rid of SpySheriff but I still can't change my wallpaper. When I go to Display Properties -> Desktop, the background window is grey.
 
I ran a HijackThis scan and here are the results:
 
Logfile of HijackThis v1.99.1
Scan saved at 22:49:06, on 9.11.2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\QUICKT~1\qttask.exe
C:\Program Files\Messenger Plus! 3\MsgPlus.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Common Files\InterVideo\SchSvr\SchSvr.exe
C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
C:\Program Files\HighCriteria\TotalRecorder\TotRecSched.exe
C:\Program Files\D-Tools\daemon.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Apache Group\Apache2\bin\ApacheMonitor.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\mysql\bin\winmysqladmin.exe
C:\Program Files\Apache Group\Apache2\bin\Apache.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\Program Files\Apache Group\Apache2\bin\Apache.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\mysql\bin\mysqld.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\Program Files\GetRight\GETRIGHT.EXE
C:\Program Files\GetRight\GETRIGHT.EXE
C:\hijackthis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.neti.ee/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 217.180.83.133:8000
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local
O1 - Hosts: 127.0.0.5 topcash.biz
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\PROGRA~1\QUICKT~1\qttask.exe" -atboottime
O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\Messenger Plus! 3\MsgPlus.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [EstEID AIP switch] C:\Program Files\IT Arendus\ID-kaart\\aipswitch 1
O4 - HKLM\..\Run: [Home Theater SchSvr] "C:\Program Files\Common Files\InterVideo\SchSvr\SchSvr.exe"
O4 - HKLM\..\Run: [WINCINEMAMGR] "C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe"
O4 - HKLM\..\Run: [TotalRecorderScheduler] "C:\Program Files\HighCriteria\TotalRecorder\TotRecSched.exe"
O4 - HKLM\..\Run: [ntsysl] C:\WINDOWS\System32\ntsysl.exe
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe"  -lang 1033
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MessengerPlus3] "C:\Program Files\Messenger Plus! 3\MsgPlus.exe" /WinStart
O4 - HKCU\..\Run: [CrashNetCluster] C:\Program Files\Crash.Net Desktop Race Babe\skinkers.exe
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\MSMSGS.EXE" /background
O4 - HKCU\..\Run: [ProxyWay] C:\Program Files\ProxyWay\proxyway.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - Startup: SharpReader.lnk = C:\Program Files\SharpReader\SharpReader.exe
O4 - Startup: WinMySQLadmin.lnk = C:\mysql\bin\winmysqladmin.exe
O4 - Global Startup: GetRight - Tray Icon.lnk = C:\Program Files\GetRight\getright.exe
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O4 - Global Startup: Monitor Apache Servers.lnk = C:\Program Files\Apache Group\Apache2\bin\ApacheMonitor.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Google AdSense Preview Tool - http://pagead2.googlesyndication.com/pagead/preview/en/preview.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Subscribe in default RSS reader - C:\Documents and Settings\Kasutaja\Application Data\RssBandit\iecontext_subscribefeed.htm
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {0C8DD11D-D1E5-409F-A021-D66065F412A5} (QCapsule Class) - https://www.valimised.ee/evotein.cab
O16 - DPF: {20CA0570-6E5D-4A0F-A9FF-A2227F2C4543} (algorithm Class) - https://www.hanza.net/scripts/dsigLite2.cab
O16 - DPF: {27DE8550-C471-4378-87E3-EFE4CDA22174} (Installer Class) - http://www.id.ee/installer/InstallerExec.cab
O16 - DPF: {2BD3E3A2-8D92-4438-B335-C1F3F75F83D6} (diskFile Class) - http://www.id.ee/installer/fileInfoUtil.cab
O16 - DPF: {33288993-5664-11D4-8B5B-00D0B73B3518} (ell Class) - http://www.easports.com/downloads/games/common/ieell.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_1_0_0_44.cab
O16 - DPF: {6CB5E471-C305-11D3-99A8-000086395495} - http://toolbar.google.com/data/xx-elmer/big/1.1.62-big/GoogleNav.cab
O16 - DPF: {7C360B4D-3C03-44CA-9C05-A5AB6E029887} (Detect Class) - http://www.id.ee/installer/IDInstaller.cab
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://gw.tallinnlv.ee:11082/activex/AxisCamControl.cab
O16 - DPF: {9FD4887A-0B1A-41FF-9816-4F27ABADCB9E} (UpdateCerts Class) - http://www.sk.ee/id-kontroll/certupdated.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {C5E28B9D-0A68-4B50-94E9-E8F6B4697514} (NsvPlayX Control) - http://www.nullsoft.com/nsv/embed/nsvplayx_vp3_mp3.cab
O16 - DPF: {C5E28B9D-0A68-4B50-94E9-E8F6B4697516} (NsvPlayX Control) - http://www.nullsoft.com/nsv/embed/nsvplayx_vp6_mp3.cab
O16 - DPF: {C5E28B9D-0A68-4B50-94E9-E8F6B4697517} (NsvPlayX Control) - http://www.nullsoft.com/nsv/embed/nsvplayx_vp3_aac.cab
O16 - DPF: {C5E28B9D-0A68-4B50-94E9-E8F6B4697519} (NsvPlayX Control) - http://www.nullsoft.com/nsv/embed/nsvplayx_vp6_aac.cab
O16 - DPF: {E7DBFB6C-113A-47CF-B278-F5C6AF4DE1BD} - http://download.abacast.com/download/files/abasetup152.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{27248B80-2150-4EF8-8506-AA934A956F64}: NameServer = 194.126.115.18,194.126.101.34
O20 - Winlogon Notify: msctl32.dll - C:\WINDOWS\System32\msctl32.dll
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: Apache2 - Unknown owner - C:\Program Files\Apache Group\Apache2\bin\Apache.exe" -k runservice (file missing)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: MySql - Unknown owner - C:/mysql/bin/mysqld.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
 

Posted By : dhonam - 11-19-2005 8:37
then tell me how you know the problem inbe is that to remove tell me

Posted By : silentmute - 11-19-2005 6:08
I had the same problem. I ran spysweeper and still couldn't change the wallpaper. Then I opened up redit and navigated to the following entry:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System
"Wallpaper"=SZ:C:\WINDOWS\desktop.html

I deleted this key (I suggest backing it up first); everything seems fine now.


Hope that helps.
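
The backup-then-delete step from the post above, written out as an added PowerShell example (it is not part of the original thread). It removes individual policy values rather than the whole key; the value names `WallpaperStyle` and `NoChangingWallPaper` and the backup file name are assumptions of this example, only `Wallpaper` under `Policies\System` comes from the post.

```powershell
# Added example: back up the per-user Policies key, list the wallpaper-related
# policy values, and remove only those values (never the whole key).
# Run as the affected user. Values under Policies may not be writable from a
# limited account; in that case the removal step reports the error and moves on.

$regPath    = 'HKCU\Software\Microsoft\Windows\CurrentVersion\Policies'
$policyRoot = "HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies"

# 'Wallpaper' under System is the value named in the thread.
# The other two entries are assumptions added for this example.
$targets = @(
    @{ SubKey = 'System';        Name = 'Wallpaper' },
    @{ SubKey = 'System';        Name = 'WallpaperStyle' },
    @{ SubKey = 'ActiveDesktop'; Name = 'NoChangingWallPaper' }
)

# 1. Back up first, as the poster suggests. The .reg file can be re-imported
#    with "reg.exe import <file>" if removing a value makes things worse.
$stamp  = '{0:yyyyMMdd-HHmmss}' -f (Get-Date)
$backup = Join-Path $env:USERPROFILE "policies-backup-$stamp.reg"   # hypothetical file name
& reg.exe export $regPath $backup /y | Out-Null
if ($LASTEXITCODE -ne 0) {
    throw "Backup of $regPath failed; nothing was changed."
}
Write-Host "Backup written to $backup"

# 2. Inspect each candidate value and 3. remove it after confirmation.
foreach ($t in $targets) {
    $path = "$policyRoot\$($t.SubKey)"
    if (-not (Test-Path $path)) {
        Write-Host "Key not present: $path"
        continue
    }

    $prop = Get-ItemProperty -Path $path -Name $t.Name -ErrorAction SilentlyContinue
    if ($null -eq $prop) {
        Write-Host "Value not present: $path\$($t.Name)"
        continue
    }

    Write-Host ("Found {0}\{1} = '{2}'" -f $path, $t.Name, $prop.($t.Name))

    try {
        # -Confirm prompts before each deletion so nothing is removed blindly.
        Remove-ItemProperty -Path $path -Name $t.Name -Confirm -ErrorAction Stop
    }
    catch {
        Write-Warning ("Could not remove {0}\{1}: {2}" -f $path, $t.Name, $_.Exception.Message)
    }
}

Write-Host "Done. Log off and back on (or reboot) before changing the wallpaper."
```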

Posted By : Shadow1100 - 12-3-2005 6:23
I went here: http://www.hijackthis.de/index.php?langselect=english
I did a scan with Hijack, had it analyzed, and had my desktop back in just a couple of minutes.
Hope it helps,
Shadow

Posted By : loen - 12-8-2005 7:57
Someone mentioned getting rid of SpySheriff's spell using a program called redit, I'm having this problem also and I was wondering where I could download this redit program.

Posted By : ZippoLag - 12-15-2005 7:56
loen said...
Someone mentioned getting rid of SpySheriff's spell using a program called redit, I'm having this problem also and I was wondering where I could download this redit program.
I believe you mean "smitrem", you can get it from
Once you've downloaded it, you must extract it (onto your desktop to make it easier to find), then reboot in safe mode, and among the extracted files execute "RunThis.bat". That should clean most of the stuff, but you should still scan your computer with some software such as ewido or others; just take a look at the other SpySheriff posts, some of them should work for your case.


_-*Zippo*-_

Post edited by (ZippoLag) : 12/15/2005 7:02:17 PM GMT


Posted By : liam1 - 12-19-2005 7:18
loen said...
Someone mentioned getting rid of SpySheriff's spell using a program called redit, I'm having this problem also and I was wondering where I could download this redit program.

He means REGEDIT, a Windows program which can be run by typing "regedit" in the Start > Run box.
SpySheriff is spyware itself and creates its own key in the registry, disabling any access to the wallpaper, etc. The only way to fix the problem is deleting the key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System.

Posted By : CarlisleMark - 12-19-2005 8:01
Silentmute's solution for the gray wallpaper works great! Note the key that I deleted just said "wallpaper Reg_Sz (data not set)". I got my wallpaper back after the next reboot. My system's running great!!! One annoying "Advertisement" window still pops up, but infrequently. One of the things that it keeps advertising is a registry cleaner, but I will NEVER buy anything from an ad-ware hustler.
 

Posted By : arachnidae - 12-27-2005 6:06
Thanks silentmute, I had been having the same problem as you and spent many hours trying to get rid of the locked desktop wallpaper problem.  Following your advice, I got the wallpaper activity back...
:-)
 

Posted By : JA$H Vs. SPYSHERIFF - 12-27-2005 11:14
silentmute said:
I had the same problem. I ran spysweeper and still couldn't change the wallpaper. Then I opened up redit and navigated to the following entry:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System
"Wallpaper"=SZ:C:\WINDOWS\desktop.html
I deleted this key (I suggest backing it up first); everything seems fine now.

Sry, but that only restores your original desktop settings but you might still have SpySheriff which you HAVE TO get rid of (it's difficult and I don't know how to do it) because it uses all your information (email, passwords and credit card information). SpySheriff is your main problem, not the desktop. Anyone know how to get rid of SpySheriff?

Posted By : dungorg - 12-27-2005 12:26
I had the same problem and fixed it

Look at this thread:
http://www.bullguard.com/forum/5/Cannot-change-desktop-settings_25247.html

You also have to remove the registry key using regedit (Start -> Run and type 'Regedit')
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System
"Wallpaper"=SZ:C:\WINDOWS\desktop.html

.. be careful how to use regedit if you are still a novice in computer .. ASK FOR DIRECT HELP!

.. download and run windows µsoft antispy software from:
http://www.microsoft.com/athome/security/downloads/default.mspx


hope this helps

Posted By : nevermindthat - 12-29-2005 9:55
Hey guys, I am a network admin and I just thought I would chime in with my 2 cents. I had a user get this nasty little scumbag and all I did to get rid of the SpySheriff was to go into the control panel and remove the program using add/remove programs .. however, the bigger problem is that this SpySheriff thing is used in conjunction with a new strain of CoolWebSearch (aka Home Search Assistant, aka: Shopping Buddy, aka: Shopping Assistant .... and the list goes on). What I ended up doing was using the program "about:buster" to get rid of it, then going to that reg. key and deleting it to get rid of the wallpaper problem. Hope that helps ... feel free to email me if you have any Q's

Posted By : julzpogi - 4-12-2006 5:25
:p hi all!

I've encountered the same problem, and I panicked.
I thought the way to get rid of it was to reformat my PC.....
but instead I tried so many ways to get rid of it...
and it was a failure, so if you can't defeat them... join them!

I've downloaded a serial number for that SpySheriff then I used it....
it's a good software, I'm telling you...
but they must not attack users like that to sell their thing

julz

Posted By : PhreddyPfander - 6-20-2006 2:37
Go to the following key...

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies

If this key contains anything OTHER THAN "Explorer", back them up and delete them. Had a laptop brought to me that had picked up "Spy Sheriff". You couldn't change the desktop background on it either and doing the above fixed it.

Also see the following web page: http://spywarewarrior.com/rogue_anti-spyware.htm which provides a comprehensive list of phoney, crappy, fraudulent antispyware products which are not worth the powder to blow them to h*ll, much less even two cents of your hard-earned cash. This list includes Spy Sheriff and says nothing good about the paid version. The entry for Spy Sheriff also has links to Lavasoft's and Sysinternals' excellent discussion of the fraudulent practices of some antispyware authors. Well worth your time to read this. Especially unnerving is the link to another page on spywarewarrior's site detailing the similarities between Spy Sheriff and Brave Sentry, PestTrap, PestWiper, SpyDemolisher, SpyTrooper, SpywareNo, & Spyware-Stop. A look at the screens that each of these apps display as they do their magic will leave you convinced as to the real value of these applications. Lying to your potential customers and trashing their desktops is not a good way to win them over. Also changing the name of your product every once in a while in an attempt to prevent your reputation from preceding you does not strike me as a model for building a successful software business. Hmmm?

Do your homework, make an informed choice. These days anything that volunteers itself while you're surfing the web is best automatically ignored. PERIOD.

Have a pleasantly productive day...

Posted By : twitchy - 7-9-2006 8:07
I had the same problem with a different spyware. I deleted the registry key and it fixed my desktop image, however now all my desktop icons have a shadow like they are highlighted. I go to display properties, desktop tab, and where it says color on the bottom right, when I change that it also changes the color of the shadow around my icons. Is there a way to fix that without pulling wires out and throwing things around?

Posted By : Krait - 7-16-2006 1:20
Hello Guys,

I don't seem to have the "wallpaper" reg file, but I still can't change my background and modify my desktop icons

Posted By : Krait - 7-16-2006 2:04
Oh wait, I fixed it. Thanks guys. But I got another problem: I can't seem to select any options from "arrange icon by"; it's like being disabled like the browse icon.

Posted By : RT-58 - 7-21-2006 4:40
Hi, I'm new and I had that problem too. I followed the instructions to delete the wallpaper file and that works, but I have one before that: I found some files on my C: hard drive named nj.exe, wintall.exe and adj.exe. I scanned my PC with the Symantec antivirus and with Ad-Aware SE, and some files were found. I deleted them twice and I hope they don't appear again, but when the files were on my PC the antivirus and the adware scan didn't detect the files. I need to say that one message appeared on my task bar that said Windows detected spyware on your computer (the icon was a red circle with a white x in the center), and an Internet Explorer pop-up window is still appearing on my screen that says warning, spyware and bla bla bla, so I don't know how to fix my PC?

Posted By : iiaziinxboi - 8-6-2006 11:14
I just deleted the virus but then my desktop settings were grayed out and I deleted the reg key

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System

Then now there is a black box around my icons and I need help to get it back to be transparent... so if someone knows how to do this please help me... or if someone still has the registry key that they can export and then send to me, that'll be very helpful!

email: xvietstyle@gmail.com
AIM sn: iiaziinxboi

thank you!

Posted By : ndall - 8-10-2006 7:29
I've had this problem. Located the wallpaper key in the registry mentioned above, but get a "Error deleting values, unable to delete all specified values" message when I attempt to delete it. It's not an admin account, is that why? Do I have to do it via the admin account, and where will I find the Key?

Thanks in advance for any help.

Posted By : Cosmo - 8-18-2006 6:07
To get rid of the black box around icons, try deleting all items under HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer except "NoDriveTypeAutoRun". Windows is a black box to me. I have no idea why it worked for me. Wish you luck.

Posted By : silentmute - 8-20-2006 6:59
silentmute said...
I had the same problem. I ran spysweeper and still couldn't change the wallpaper. Then I opened up regedit and navigated to the following entry:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System
"Wallpaper"=SZ:C:\WINDOWS\desktop.html

I deleted this key (I suggest backing it up first); everything seems fine now.


Hope that helps.

Posted By : Southpaul - 9-30-2006 5:49
I just battled with the same problem all morning. I was infected with Brave Sentry and Spy Sheriff. It took away my desktop and erased all my restore dates. I had to run Adaware twice, and this helped a lot. But this annoying little popup from my system tray every 40 seconds telling me I was infected kept popping up. I used ctrl+alt+del, then clicked on process and found 'xupdate.exe'. I ended this process and all is fine now. I just rebooted and my desktop returned back to normal, although all my restore dates are still erased.

Posted By : sbpruitt - 12-7-2006 11:26
Hey guys, here's a new twist. I took care of the registry entry a couple of weeks ago, but had the problem with the blue background in my icon text. After going into system properties today and trying to deselect and then reselect the "drop shadow for icon", I went to my desktop and found all my icons GONE, and when I went to try to redo it, the title of the windows box had changed to (approximately) "desktop icons have been taken by Pest Trap". I went back and checked the registry, but it does not have the bad entry in it. Any ideas?
Thanks

Posted By : bigdave1 - 12-29-2006 7:36
I can't delete the registry HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System
"Wallpaper"=SZ:C:\WINDOWS\desktop.html

Every time I try I get a message saying "Unable to delete all specified values." I would really like some help with this. I'm also a complete noob so please make it as easy to follow as possible.

Thanks!

Posted By : Jintan - 12-30-2006 7:48
Looking back through the many entries here, I see some posts indicating infection that is not SmitFraud (SpySheriff etc.), and often a big reason you cannot change the active desktop component is that there are still active parts of the infection itself remaining. I do not recommend going into regedit and deleting the necessary desktop key, as this will leave you without the ability to set an active desktop.

I would recommend each of you consider posting a new request of your own, either in this forum, or due to some set forum time constraints on responses that limit the amount of work those assisting can provide, choose one of these forums listed on the site of HijackThis' creator Merijn. Although it is a good thing to be able to fix our own issues, those who create scumware like SmitFraud put every barrier they can in the path of successfully completing that.

Posted By : BluEuro - 1-8-2007 3:24
I am having the same problem with my laptop except when I got to
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System
I only have Wallpaper REG_SZ show up, is that the one I should erase?

Posted By : JustinJustinGates - 3-4-2007 8:50
I had the same problem. I went to HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System and didn't see the wallpaper registry key, all I saw was REG_SZ. I looked around and deleted HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop\NoChangingWallPaper. Also another file that was at the bottom. Restarted and everything was fine.

I'm a noob at this stuff. I was wondering if the NoDeletingComponents and all the other "No" reg keys are supposed to be in HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop. Or is the ActiveDesktop supposed to be there?

Posted By : NiTeCr4Lr - 3-8-2007 9:04
For the irritating color in an icon's name, I solved it by doing the following:
In the Windows Display Properties > Appearance tab I chose Advanced then chose Icons.. and resized them from 32 to 31.. applied, changed it back to size 32 and gone, hope this works well for you guys :)

Posted By : 56 ace - 11-18-2007 2:21
I'm having the same problem but I don't want to delete something I might need cuz I don't really know that much about computers, so if someone can please help me it would be great....

Posted By : CSIfanatic5875 - 7-21-2008 4:48
Okay, I deleted the files and nothing happened! HELP!

Posted By : Jovin - 9-1-2008 1:21
liam1 said...
loen said...
Someone mentioned getting rid of SpySheriff's spell using a program called redit, I'm having this problem also and I was wondering where I could download this redit program.

He means REGEDIT, a Windows program which can be run by typing "regedit" in the Start > Run box.
SpySheriff is spyware itself and creates its own key in the registry, disabling any access to the wallpaper, etc. The only way to fix the problem is deleting the key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System.
What do you do when you get down to the last item "System" and there's nothing more there?  I'm trying to get this same problem solved for a friend of mine, and I've been following these help solutions and can't find anything similar to what others have.
 
She has Win XP Professional.  Any ideas?

Posted By : Jovin - 9-3-2008 6:06
I solved it by googling the problem. After three days of trying things, I got it fixed by just disabling the active desktop:
 
Is Active Desktop Turned Off?
The inability to change your desktop wallpaper or background, can many times be traced to Active Desktop. Follow the steps below to remove any web objects from displaying on your background.
1) Click on Start, Control Panel
2) Double-click on Display
3) Click on the Desktop tab
4) Click on the Customize Desktop button
5) Click on the Web tab
6) Uncheck any items listed under Web pages
7) Click Ok and then click Ok one more time to close the window.
Your Active Desktop wallpaper should be removed, now try to change your background wallpaper. If you still can't change your wallpaper background, proceed to the next section.
 
