One of my machines got hit with a nasty bit of spyware (NTOS.EXE / wnspoem.)
The box is now running clean, but there is one annoying symptom of the infection that I can’t figure out how to get rid of - the desktop background was changed to one of those brilliant “OMFG, YOU’VE GOT SPYWARE! GET OUT YOUR CREDIT CARD NOW OR ELSE” messages, and after removing all the spyware, this wallpaper is still displayed at log-off, until someone logs in again. Benign, but annoying – and I can’t figure out where this setting is stored, to save my life. (The OS is XP Pro, SP2.)
I remember having a similar thing back with Windows Me - that was related to Active Desktop. (Not here.)
I thought it might be in the Default User Profile - but no, I copied another profile over to it and still have the same thing.
Any ideas?
Thanks.
I think this article might be what you’re looking for. On my XP Pro SP2 machine, the reg value referenced here is “(None)”. Do you have something different there?
There’s some curious behavior with the Windows NT line starting with (I think) Windows 2000, when they added JPEG support for background images. The path to a BMP background is stored here:
HKEY_CURRENT_USER\Control Panel\Desktop\Wallpaper
The path to a JPEG background is stored here instead:
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\General\Wallpaper
It’s possible for both registry keys to have a value. If so, the JPEG background is actually layered (in a sense) on top of the BMP image. The most common way for this to happen is to select a BMP background image, and then replace it with a JPEG background image. When you log on or off (or shut down/start up the system), you will usually see the most recent BMP background you used briefly displayed before it is replaced with your current JPEG background.
For the more technically inclined, JPEG backgrounds are handled by “Active Desktop”, which is still implicitly present in Windows XP, even though it no longer shows up as a discrete option as it did in Windows 95/98. During logoff, the Active Desktop feature of explorer shuts down just before explorer.exe itself is terminated. The result is that your old non-Active Desktop BMP background is momentarily displayed until explorer is terminated. At logon, the inverse occurs.
The solution is probably as simple as setting your background to (None) in the display control panel and then setting it to your desired background. Setting it to (None) should clear both the BMP background and the JPEG background. If it persists after this, you probably still have some aspect of the spyware still running and monitoring that registry change.
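A read-only check of the two registry values described in the post above, useful for confirming what is left behind after a cleanup. This is an added example, not part of the original thread; it assumes PowerShell is available on the machine and treats an empty value or "(None)" as unset.

```powershell
# Added example: read-only audit of the two per-user wallpaper values
# named in the post above. Nothing is modified.
$locations = @(
    @{ Kind = 'BMP';  Key = 'HKCU:\Control Panel\Desktop' },
    @{ Kind = 'JPEG'; Key = 'HKCU:\Software\Microsoft\Internet Explorer\Desktop\General' }
)

$report = foreach ($loc in $locations) {
    $raw = $null
    if (Test-Path -LiteralPath $loc.Key) {
        $item = Get-ItemProperty -LiteralPath $loc.Key -Name 'Wallpaper' -ErrorAction SilentlyContinue
        if ($item) { $raw = $item.Wallpaper }
    }

    # Assumption: an empty string and the literal "(None)" both mean no image.
    $isSet = [bool]$raw -and ($raw -ne '(None)')

    $file = $null
    if ($isSet) {
        # The stored path may contain %SystemRoot%-style variables.
        $expanded = [Environment]::ExpandEnvironmentVariables($raw)
        if (Test-Path -LiteralPath $expanded -PathType Leaf) {
            $file = Get-Item -LiteralPath $expanded
        }
    }

    # A recent write time on the image file can help date when it was dropped.
    $lastWrite = $null
    if ($file) { $lastWrite = $file.LastWriteTime }

    New-Object PSObject -Property @{
        Kind       = $loc.Kind
        Value      = $raw
        IsSet      = $isSet
        FileExists = [bool]$file
        LastWrite  = $lastWrite
    }
}

$report | Format-Table Kind, IsSet, FileExists, LastWrite, Value -AutoSize

# Both set is the layering case from the post: BMP shows briefly under the JPEG.
if (@($report | Where-Object { $_.IsSet }).Count -eq 2) {
    Write-Warning 'Both wallpaper values are set; the BMP image will flash at logon/logoff.'
}
```

Run it as the affected user, since both values live under HKEY_CURRENT_USER.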
Bayard, that’s the spot - thanks very much.
That’s actually a handy registry value. I think I will park the company logo there for the XP workstations at work. Okay, that’s not exactly “handy” for anything, but it’ll look kind of cool.
…and thanks, Stathol - that’s what I was remembering from ages ago.