Display Properties: Themes & Desktop have been disabled by antivirus 2009

Posted on 2008-11-17
Last Modified: 2013-11-22
Recently, I visited a website that tried to load the AntiVirus 2009 on my laptop.  While I did not install anything, Kaspersky failed to block it from getting to the computer.  I ran Malwarebytes immediately and it removed several threats but I had to run it a few times to get them all.  I also deleted some .exe files that were in either C: or C:/windows that didn't belong.

However, when going to display properties from the desktop (or CP), the first two tabs are disabled to the point I can't click any background image nor browse the folders.  The browse button and slide bar are greyed out and so are the images in the Background field under the Desktop tab.  I can click the "Customize Desktop" bar but not change or view other images.

I have gone to start - run - regedit and HKEY_CURRENT_USER\Software\Microsoft\Windows\ CurrentVersion\Policies\ActiveDesktop and added NoChangingWallPaper w/value of (0) zero.

I've run SDFix, Malwarebytes Full Scan, in normal and safe modes, and I can't figure out where else to go to change whatever settings were changed on me.

The computer is a Dell Laptop with XP Pro SP3.  

Thank you for your help.

Question by:wgrogers
    LVL 23

    Assisted Solution

    Smitfraudfix gets rid of the desktop images associated with Antivirus 2009 and resets your desktop background to the default Windows blue screen. Maybe that can help:

    Run option 2 in safe mode. Say Yes to Registry Cleaning.

    Good luck!!!
    LVL 27

    Expert Comment

    Malwarebytes is very good against the 2009 AV malware as well.
    I recommend downloading and updating it.
    You can get it free from
    Once updated, reboot into Safe Mode (F8 at startup) and run a scan.
    You should do this with your current antivirus product as well.
    You may also need to download and run HiJackThis from
    Once you run the utility save the log file.
    You can post it for free analysis here or at
    You are primarily looking for items marked with red X's.
    You can get a brief overview of Hijackthis here:
    LVL 60

    Expert Comment

    You may want to check out this site as well for total removal

    See below for extracted ways tried successfully by others:

    Make sure you shut down the antivirus 2009 before you try to delete the file from you system.
    I was able to remote it by doing:
    - Killed the av2009.exe process using Task Manager
    - Took a look at where the Antivirus 2009 shortcut pointed (they put one in the desktop)
    - Took a note on the date and time of the av2009.exe file
    - Searched the Registry to see if they were any references to av2009.exe. Did not find any.
    - Removed the C:\Program Files\Antivirus 2009 directory and all files
    - Removed the desktop shortcut
    - Removed the shortcut in the Start Menu (be aware they put it in the upper area, where Windows Update is located)
    - Rebooted, but then discovered that IE was still infected, in particular when I tried to navigate to Sysinternals. Also discovered that the Security Center applet in Control Panel was not working
    - Went to Windows\System32 and found 3 files from about the same time of the infection:
    - Again before removing the files I searched the registry and deleted references to ieupdates.exe (register to start automatically) and winsrc.dll (registered as a COM file)
    - Reboot again and tried IE and Security Center, both are working now

    Author Comment


    Thank you, I ran the smitfraudfix and it removed the remaining background.  When I go to the Desktop Display Properties now though, I cannot select a new background or Browse the options for a background.  Is there a way to restore that function?


    Thank you, I ran Malwarebytes right after seeing it.  This was the 3rd time I'd gotten it, the other two times were the 2008 version which was no problem to remove.  I believe I made a mistake though when I started running Malwarebytes by running the full scan rather than the quick scan.  It never did finish and I had to shut down and start over with the quick scan.  I think that could have been part of the problem.  HJT is clean, the problem with the background did not show anywhere.  I ran Malwarebytes, SDFix, spybot, AVG as well as kaspersky which is on all the time.  (I d/l the free AVG, disabled kaspersky, ran AVG and it removed a few threats, then I uninstalled it).  But this time, Malwarebytes took 3 passes before it showed clean and the desktop was still infected.


    Thanks for the input, I too manually scanned the registry for any reference to av2009 I could find.  I also went to the registry and added to ActiveDesktop the DWord entry: NoChangingWallPaper with a value of 0.  It made no difference with the background.

    Author Comment

    By the way, as I have been searching for a fix on the greyed out display properties for the background, I have tried the following:

    1)  Find an image on the web and save as background.  (Does not work, that option is also greyed out)
    2)  Go to HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System and remove item called Wallpaper.htm.  No such item as Wallpaper.htm exists in registry.

    Thank you

    Accepted Solution

    Okay, I kept looking and found it.  Here is what I did after using phototropic's SFfix.  I had been in the registry under HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop and had added the DWORD, NoChangingWallpaper with a value of 0.  It was not in there when I first looked.  But, adding the DWORD had no effect on the problem.  After searching the web I found an entry where someone was telling the user how to go to the registry and remove the Wallpaper.htm file but he said to check two HKEY's.  I thought I would see if there was a similar value for the DWORD in HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop and there was.

    In the Local Machine, the DWORD NoChangingWallpaper was set to 1 (0x00000001).  I changed the value to 0 and bingo!  All is right and as it should be in the world!

    Thank you for the input and assistance.  I will award phototropic for his smitfraud fix suggestion.  
    LVL 23

    Expert Comment

    Glad to hear you got it sorted.

    Good job.


    Featured Post

    Better Security Awareness With Threat Intelligence

    See how one of the leading financial services organizations uses Recorded Future as part of a holistic threat intelligence program to promote security awareness and proactively and efficiently identify threats.

    Join & Write a Comment

    UPDATE - 6/15/2011 Added support for Release Update 6 Maintenance Patch 2 Point Patch 1 (RU6 MP2 PP1). Fixed a defect in the username field that was hard-coded to look for a specific domain (left over code from testing). This release will be the …
    Sub-Titled: “My Way” (with apologies to Francis Albert Sinatra) Let me start by stating emphatically that I am one of those Experts who prefer doing things “My Way”. It’s kind of a no-brainer. “The following procedure works for me, so here is …
    Migrating to Microsoft Office 365 is becoming increasingly popular for organizations both large and small. If you have made the leap to Microsoft’s cloud platform, you know that you will need to create a corporate email signature for your Office 365…
    This video gives you a great overview about bandwidth monitoring with SNMP and WMI with our network monitoring solution PRTG Network Monitor ( If you're looking for how to monitor bandwidth using netflow or packet s…

    733 members asked questions and received personalized solutions in the past 7 days.

    Join the community of 500,000 technology professionals and ask your questions.

    Join & Ask a Question

    Need Help in Real-Time?

    Connect with top rated Experts

    25 Experts available now in Live!

    Get 1:1 Help Now