Display Properties: Themes & Desktop have been disabled by antivirus 2009

Recently, I visited a website that tried to load the AntiVirus 2009 on my laptop.  While I did not install anything, Kaspersky failed to block it from getting to the computer.  I ran Malwarebytes immediately and it removed several threats but I had to run it a few times to get them all.  I also deleted some .exe files that were in either C: or C:/windows that didn't belong.

However, when going to display properties from the desktop (or CP), the first two tabs are disabled to the point I can't click any background image nor browse the folders.  The browse button and slide bar are greyed out and so are the images in the Background field under the Desktop tab.  I can click the "Customize Desktop" bar but not change or view other images.

I have gone to start - run - regedit and HKEY_CURRENT_USER\Software\Microsoft\Windows\ CurrentVersion\Policies\ActiveDesktop and added NoChangingWallPaper w/value of (0) zero.

I've run SDFix, Malwarebytes Full Scan, in normal and safe modes, and I can't figure out where else to go to change whatever settings were changed on me.

The computer is a Dell Laptop with XP Pro SP3.  

Thank you for your help.

Who is Participating?

[Product update] Infrastructure Analysis Tool is now available with Business Accounts.Learn More

I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

Smitfraudfix gets rid of the desktop images associated with Antivirus 2009 and resets your desktop background to the default Windows blue screen. Maybe that can help:


Run option 2 in safe mode. Say Yes to Registry Cleaning.

Good luck!!!
Malwarebytes is very good against the 2009 AV malware as well.
I recommend downloading and updating it.
You can get it free from www.malwarebytes.org
Once updated, reboot into Safe Mode (F8 at startup) and run a scan.
You should do this with your current antivirus product as well.
You may also need to download and run HiJackThis from
Once you run the utility save the log file.
You can post it for free analysis here or at
You are primarily looking for items marked with red X's.
You can get a brief overview of Hijackthis here:
btanExec ConsultantCommented:
You may want to check out this site as well for total removal

See below for extracted ways tried successfully by others:

Make sure you shut down the antivirus 2009 before you try to delete the file from you system.
I was able to remote it by doing:
- Killed the av2009.exe process using Task Manager
- Took a look at where the Antivirus 2009 shortcut pointed (they put one in the desktop)
- Took a note on the date and time of the av2009.exe file
- Searched the Registry to see if they were any references to av2009.exe. Did not find any.
- Removed the C:\Program Files\Antivirus 2009 directory and all files
- Removed the desktop shortcut
- Removed the shortcut in the Start Menu (be aware they put it in the upper area, where Windows Update is located)
- Rebooted, but then discovered that IE was still infected, in particular when I tried to navigate to Sysinternals. Also discovered that the Security Center applet in Control Panel was not working
- Went to Windows\System32 and found 3 files from about the same time of the infection:
- Again before removing the files I searched the registry and deleted references to ieupdates.exe (register to start automatically) and winsrc.dll (registered as a COM file)
- Reboot again and tried IE and Security Center, both are working now
Cloud as a Security Delivery Platform for MSSPs

Every Managed Security Service Provider (MSSP) needs a platform to deliver effective and efficient security-as-a-service to their customers. Scale, elasticity and profitability are a few of the many features that a Cloud platform offers. View our on-demand webinar to learn more!

wgrogersAuthor Commented:

Thank you, I ran the smitfraudfix and it removed the remaining background.  When I go to the Desktop Display Properties now though, I cannot select a new background or Browse the options for a background.  Is there a way to restore that function?


Thank you, I ran Malwarebytes right after seeing it.  This was the 3rd time I'd gotten it, the other two times were the 2008 version which was no problem to remove.  I believe I made a mistake though when I started running Malwarebytes by running the full scan rather than the quick scan.  It never did finish and I had to shut down and start over with the quick scan.  I think that could have been part of the problem.  HJT is clean, the problem with the background did not show anywhere.  I ran Malwarebytes, SDFix, spybot, AVG as well as kaspersky which is on all the time.  (I d/l the free AVG, disabled kaspersky, ran AVG and it removed a few threats, then I uninstalled it).  But this time, Malwarebytes took 3 passes before it showed clean and the desktop was still infected.


Thanks for the input, I too manually scanned the registry for any reference to av2009 I could find.  I also went to the registry and added to ActiveDesktop the DWord entry: NoChangingWallPaper with a value of 0.  It made no difference with the background.
wgrogersAuthor Commented:
By the way, as I have been searching for a fix on the greyed out display properties for the background, I have tried the following:

1)  Find an image on the web and save as background.  (Does not work, that option is also greyed out)
2)  Go to HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System and remove item called Wallpaper.htm.  No such item as Wallpaper.htm exists in registry.

Thank you
wgrogersAuthor Commented:
Okay, I kept looking and found it.  Here is what I did after using phototropic's SFfix.  I had been in the registry under HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop and had added the DWORD, NoChangingWallpaper with a value of 0.  It was not in there when I first looked.  But, adding the DWORD had no effect on the problem.  After searching the web I found an entry where someone was telling the user how to go to the registry and remove the Wallpaper.htm file but he said to check two HKEY's.  I thought I would see if there was a similar value for the DWORD in HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop and there was.

In the Local Machine, the DWORD NoChangingWallpaper was set to 1 (0x00000001).  I changed the value to 0 and bingo!  All is right and as it should be in the world!

Thank you for the input and assistance.  I will award phototropic for his smitfraud fix suggestion.  

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
Glad to hear you got it sorted.

Good job.

It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Anti-Virus Apps

From novice to tech pro — start learning today.