Visited a friend last night and whilst telling him about our problem (another thread), he mentioned how a friend of his sorted a similar problem but now he cannot choose a wallpaper for xp (the background is plain white). Also when right clicking on the desktop and selecting properties it shows the details of a file - not the display box.

Apparantly the problem started with a change of wallpaper which acted as a link to a site selling spyware removal applications. The wallpaper was black with graphics and showed his usual desktop icons - which apparantly worked OK.

I don't think his friend knew what he was doing. I ran about:Buster in safe mode with no problems listed, also ad-aware in normal mode and removed the resultant red entries (they were all red) and ran HJT. I now post the results in the hope you might be able to narrow down the problem for him.

Logfile of HijackThis v1.98.1
Scan saved at 9:39:53 PM, on 8/5/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe
C:\Program Files\Microsoft IntelliType Pro\type32.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\Program Files\Microsoft Money\System\Money Express.exe
C:\WINDOWS\System32\ctfmon.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wuauclt.exe
C:\hijackthis\HijackThis.exe

O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - Global Startup: EPSON Status Monitor 3 Environment Check 2.lnk = C:\WINDOWS\system32\spool\drivers\w32x86\3\E_SRCV0 2.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O14 - IERESET.INF: START_PAGE_URL=http://www.tesco.net
O15 - Trusted Zone: http://register-tesco.qa.business.ntl.com
O15 - Trusted Zone: http://memberservices.tesco.net

Thats a clean log. The cause must be related to something else. Whats the name of the file thats properties appear when you right click the desktop and click properties?

Hi Owen

details as requested:

file://C:\WINDOWS\Web\desktop.html

I received this info by phone and have constructed the above in the case it appears on the PC.

If I'm not mistaken, it sounds like something has set the computer to show an Active Desktop.

The computer has been set to show a certain webpage as the Desktop and when you right click and select properties, you are showing the Properties of that webpage. So we need to delete that webpage. So go to C:\WINDOWS\Web\ and delete desktop.html

Then go to the Control Panel and double click Display. Go to the Desktop tab and at the bottom click Customise Desktop. Then go to the Web tab. There should be a box with a list of Active Desktops. Remove the checkmark from next to all of them and delete each one except My Current Home Page which cannot be removed. Then reset your Desktop Wallpaper.

Hi Owen

That fixed it. Thanks once again for all your help.

Please mark as resolved.

You are very welcome indeed. They may want some protection. I can't see any firewall or spyware protection. All the information is contained in the Hijack This Logs post.

Will mark as resolved now

Tell me about it

He is on a dial up connection, but I have told him to download and install critical updates as a matter of urgency. I am also going to visit him again shortly and install zonealarm.

Then, no doubt, he will need some pointers.

Such is life