hijackthis log analysis

[Byteman]

can you please download and run Startup List, it makes a list. Post the list.
http://www.spywareinfo.com/~merijn/downloads.html

Edit: sorry buzz you must have posted same time. Go with buzzes instructions.

 

[sizk]

startup list (i let have a look while i try buzz's solution ):

StartupList report, 20/05/2005, 20:20:38
StartupList version: 1.52
Started from : I:\# PROGRAMS\# PROGRAMS\Setups\StartupList.EXE
Detected: Windows 2000 SP4 (WinNT 5.00.2195)
Detected: Internet Explorer v6.00 SP1 (6.00.2800.1106)
* Using default options
==================================================

Running processes:

E:\WINNT\System32\smss.exe
E:\WINNT\system32\csrss.exe
E:\WINNT\system32\winlogon.exe
E:\WINNT\system32\services.exe
E:\WINNT\system32\lsass.exe
E:\WINNT\system32\svchost.exe
E:\WINNT\system32\spoolsv.exe
E:\WINNT\System32\Ati2evxx.exe
E:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
E:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
E:\WINNT\System32\svchost.exe
E:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal Pro 5\kavmm.exe
E:\WINNT\system32\regsvc.exe
E:\WINNT\system32\MSTask.exe
E:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
E:\WINNT\System32\WBEM\WinMgmt.exe
E:\WINNT\system32\svchost.exe
E:\WINNT\Explorer.EXE
E:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
E:\WINNT\system32\rundll32.exe
E:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
E:\Program Files\Analog Devices\SoundMAX\Smax4.exe
E:\WINNT\System32\hphmon05.exe
E:\WINNT\System32\spool\drivers\w32x86\3\hpztsb09.exe
E:\Program Files\Olitec\USB ADSL\CnxDslTb.exe
E:\Program Files\Common Files\Real\Update_OB\realsched.exe
E:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal Pro 5\kav.exe
E:\PROGRA~1\Grisoft\AVG7\avgcc.exe
E:\PROGRA~1\Grisoft\AVG7\avgemc.exe
I:\# PROGRAMS\# PROGRAMS\Setups\# UTILS\hijackthis\hijackthis_199\HijackThis.exe
E:\WINNT\System32\HPZipm12.exe
E:\Program Files\Internet Explorer\IEXPLORE.EXE
I:\# PROGRAMS\# PROGRAMS\Setups\StartupList.exe

--------------------------------------------------

Listing of startup folders:

Shell folders Common Startup:
[E:\Documents and Settings\All Users.WINNT\Start Menu\Programs\Startup]
Adobe Gamma Loader.lnk = E:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
Microsoft Office.lnk = E:\Program Files\Microsoft Office\Office\OSA9.EXE

--------------------------------------------------

Checking Windows NT UserInit:

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = E:\WINNT\system32\userinit.exe,

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

Synchronization Manager = mobsync.exe /logon
ATIPTA = E:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
AdslTaskBar = rundll32.exe stmctrl.dll,TaskBar
SoundMAXPnP = E:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
SoundMAX = "E:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
NeroFilterCheck = E:\WINNT\system32\NeroCheck.exe
HPHUPD05 = E:\Program Files\Hewlett-Packard\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
HP Software Update = "E:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe"
HPHmon05 = E:\WINNT\System32\hphmon05.exe
HPDJ Taskbar Utility = E:\WINNT\System32\spool\drivers\w32x86\3\hpztsb09.exe
CnxDslTaskBar = E:\Program Files\Olitec\USB ADSL\CnxDslTb.exe
TkBellExe = "E:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
KAV50 = "E:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal Pro 5\kav.exe" -run -n PersonalPro -v 5.0.0.0
AVG7_CC = E:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
AVG7_EMC = E:\PROGRA~1\Grisoft\AVG7\avgemc.exe
THGuard = "E:\Program Files\TrojanHunter 4.2\THGuard.exe"
WindowsUpdate = E:\WINNT\System\svchost.exe /s

--------------------------------------------------

Shell & screensaver key from E:\WINNT\SYSTEM.INI:

Shell=*INI section not found*
SCRNSAVE.EXE=*INI section not found*
drivers=*INI section not found*

Shell & screensaver key from Registry:

Shell=Explorer.exe
SCRNSAVE.EXE=*Registry value not found*
drivers=*Registry value not found*

Policies Shell key:

HKCU\..\Policies: Shell=*Registry value not found*
HKLM\..\Policies: Shell=*Registry value not found*

--------------------------------------------------


Enumerating Browser Helper Objects:

(no name) - E:\PROGRA~1\SPYBOT~1\SDHelper.dll - {53707962-6F74-2D53-2644-206D7942484F}
(no name) - e:\program files\google\googletoolbar1.dll - {AA58ED58-01DD-4d91-8333-CF10577473F7}

--------------------------------------------------

Enumerating Task Scheduler jobs:

HP Usg Daily.job

--------------------------------------------------

Enumerating Download Program Files:

[HouseCall Control]
InProcServer32 = E:\WINNT\DOWNLO~1\xscan53.ocx
CODEBASE = http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab

[Update Class]
InProcServer32 = E:\WINNT\System32\iuctl.dll
CODEBASE = http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38491.9471064815

[Shockwave Flash Object]
InProcServer32 = E:\WINNT\System32\macromed\flash\Flash.ocx
CODEBASE = http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

--------------------------------------------------

Enumerating ShellServiceObjectDelayLoad items:

Network.ConnectionTray: E:\WINNT\system32\NETSHELL.dll
WebCheck: E:\WINNT\System32\webcheck.dll
SysTray: stobject.dll

--------------------------------------------------
End of report, 5*983 bytes
Report generated in 0,047 seconds

Command line options:
/verbose - to add additional info on each section
/complete - to include empty sections and unsuspicious data
/full - to include several rarely-important sections
/force9x - to include Win9x-only startups even if running on WinNT
/forcent - to include WinNT-only startups even if running on Win9x
/forceall - to include all Win9x and WinNT startups, regardless of platform
/history - to list version history only

 

[Byteman]

Not needed, thanks anyway. Buzz hit the nail on the head (svchost.exe not being in System32, [i looked right over it at first...]).

 

[sizk]

ok, kinda weird... i could finally get rid off svchost.exe but 1st, i couldn't see it in e:/winnt/system, only hijackthis found it there, and 2nd it still have that GODDAMN MESSAGE AS A BACKGROUND!!!

here is the log i got with hijackthis. anyway, www.hijackthis.de suggests there's nothing wrong about it but the display properties are still grayed out...

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.fr/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - E:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - e:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - E:\WINNT\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - e:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [ATIPTA] E:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [AdslTaskBar] rundll32.exe stmctrl.dll,TaskBar
O4 - HKLM\..\Run: [SoundMAXPnP] E:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [SoundMAX] "E:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [NeroFilterCheck] E:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [HPHUPD05] E:\Program Files\Hewlett-Packard\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
O4 - HKLM\..\Run: [HP Software Update] "E:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [HPHmon05] E:\WINNT\System32\hphmon05.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] E:\WINNT\System32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [CnxDslTaskBar] E:\Program Files\Olitec\USB ADSL\CnxDslTb.exe
O4 - HKLM\..\Run: [TkBellExe] "E:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [KAV50] "E:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal Pro 5\kav.exe" -run -n PersonalPro -v 5.0.0.0
O4 - HKLM\..\Run: [AVG7_CC] E:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] E:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O4 - HKLM\..\Run: [THGuard] "E:\Program Files\TrojanHunter 4.2\THGuard.exe"
O4 - Global Startup: Adobe Gamma Loader.lnk = E:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = E:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &Google Search - res://e:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://e:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://e:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://e:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://e:\program files\google\GoogleToolbar1.dll/cmtrans.html
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O23 - Service: Adobe LM Service - Unknown owner - E:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - Unknown owner - E:\WINNT\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - E:\WINNT\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - E:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - E:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - E:\WINNT\System32\dmadmin.exe
O23 - Service: KLBLMain - Kaspersky Lab - E:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal Pro 5\kavmm.exe
O23 - Service: Pml Driver HPZ12 - HP - E:\WINNT\System32\HPZipm12.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - E:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

 

[Buzz1927]

I saw the same thing earlier, but i've forgotten how it was fixed. Give me a while and i'll get back to you (unless Byteman comes along and knows).

 

[Byteman]

ok, you still haven't told me what color the background is? And how comfortable are you in editing the registry if i give instructions?

 

[double-dragon]

Can someone analyse my hijack this list. If i need to make a new thread for this then just say.
This is my my mates comp so its just a favour.

Logfile of HijackThis v1.99.1
Scan saved at 20:19:11, on 20/05/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\System32\keyhook.exe
C:\WINDOWS\system32\bcmwltry.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Ad-Aware.exe
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
C:\Documents and Settings\Christopher\My Documents\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://format.packardbell.com/cgi-bin/redirect/?country=UK&range=AD&phase=6&key=SEARCH
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = file://C:\APPS\IE\offline\uk.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Packard Bell
O2 - BHO: myBar BHO - {0494D0D1-F8E0-41ad-92A3-14154ECE70AC} - C:\Program Files\MyWay\myBar\1.bin\MYBAR.DLL
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: InstaFinderK - {4E7BD74F-2B8D-469E-90F0-F66AB581A933} - C:\PROGRA~1\INSTAF~1\INSTAF~1.DLL
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {ED103D9F-3070-4580-AB1E-E5C179C1AE41} - (no file)
O3 - Toolbar: My &Search Bar - {0494D0D9-F8E0-41ad-92A3-14154ECE70AC} - C:\Program Files\MyWay\myBar\1.bin\MYBAR.DLL
O4 - HKLM\..\Run: [SiS Windows KeyHook] C:\WINDOWS\System32\keyhook.exe
O4 - HKLM\..\Run: [bcmwltry] bcmwltry.exe
O4 - HKLM\..\Run: [removecpl] RemoveCpl.exe
O4 - HKLM\..\Run: [EPSON Stylus C62 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE /P23 "EPSON Stylus C62 Series" /O5 "LPT1:" /M "Stylus C62"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [CTRegRun] C:\WINDOWS\CTRegRun.EXE
O4 - HKLM\..\Run: [checkrun] C:\windows\system32\elitewrx32.exe
O4 - HKLM\..\RunServices: [Anti] C:\WINDOWS\system32\Isass.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=file://C:\APPS\IE\offline\uk.htm
O15 - Trusted Zone: *.od2.com
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by101fd.bay101.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.com/controls/cpcScanner.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{AE784ED7-BBC2-4F2F-8A61-5B9E222761B9}: NameServer = 192.168.2.1
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe

Cheers for any help

 

[Buzz1927]

Best to start a new thread and state what the problems are.

 

[sizk]

I saw the same thing earlier, but i've forgotten how it was fixed. Give me a while and i'll get back to you (unless Byteman comes along and knows).

ok, hope i/we find out before then anyway

ok, you still haven't told me what color the background is? And how comfortable are you in editing the registry if i give instructions?

well, background is blue, the text frame is black, the title "windows error" is red and the text is white.
about editing the registry i hate to do that but... seems we don't have much choice, do we? at the same time, could you remember me how to back it up before crashing it down

anyway, thx muchly both of you guys for giving it so much time

double dragon: what the f*** is that avatar????

 

[sizk]

Best to start a new thread and state what the problems are.

fair enough...
thx again!!

 

[Buzz1927]

Best to start a new thread and state what the problems are.

sizk, this was for double-dragon, not you.

 

[Byteman]

sizk first this:

Click MyComputer,Tools menu, Folder options, view tab, make SURE to put a check so you can see all hidden files and folder, and UNCHECK hide operating system files and also file extensions.

Then tell me if you can see any of the following files:

C:\wp.exe
C:\wp.bmp
C:\bsw.exe
C:\Windows\sites.ini
C:\Windows\popuper.exe
C:\Windows\System32\hhk.dll
C:\Windows\System32\wldr.dll
C:\Windows\System32\helper.exe
C:\Windows\System32\intmon.exe
C:\Windows\System32\shnlog.exe
C:\Windows\System32\intmonp.exe
C:\Windows\System32\msmsgs.exe
C:\Windows\system32\msole32.exe
C:\Windows\System32\ole32vbs.exe

 

[sizk]

hey, good morning!
no i can't see any of them. the only one that's close match is a file named help.exe in system32...

 

[Byteman]

sorry it took so long, you case is puzzzling, the only reference i find for you case indicates a smitfraud trojan/hijack, but you have none of the files or programs accosiated with it. However, there are some registry keys that most of the desktop hijackers use, so along those lines look at the registry values below and verify that they are correct, if not then change them according to the instructions.

Oh, and to backup the registry before you do this... click here for backup instructions

EDIT: your help.exe file is a valid file, it's for your help & support in control panel.

Now for the reg changes:

1. Click Start > Run > type in regedit

Navigate to and modify the registry entries below:

HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders

Select "Desktop" and change the value to %USERPROFILE%\Desktop



HKEY_USERS\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders

Select "Desktop" and change the value to %USERPROFILE%\Desktop



HKEY_USERS\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders

Select "Desktop" and change the value to %USERPROFILE%\Desktop



HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders

Select "Desktop" and change the value to %USERPROFILE%\Desktop



HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders

Select "Desktop" and change the value to %ALLUSERSPROFILE%\Desktop



HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders

Select "Common Desktop" and change the value to C:\Documents and Settings\All Users\Desktop




HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders

Select "Desktop" and change the value to %USERPROFILE%\Desktop



HKEY_USERS\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders

Select "Desktop" and change the value to C:\Documents and Settings\LocalService\Desktop



HKEY_USERS\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders

Select "Desktop" and change the value to C:\Documents and Settings\NetworkService\Desktop


Also under HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
that should be set to:

C:\Documents and Settings\NetworkService\Desktop



Let me know how it goes!

 

[sizk]

finally did it!!!!!!
everything was apparently fine with the registry.
spysweeper simply did the job and after it cleaned all adwares, spywares or whatever else i still had to delete Desktop.html in the registry (HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System) to be able to change background's options in display properties.

anyway, thx a lot for your help!!
maximum respect!!!!!!!!!!

 

[Byteman]

glad to help out... there will be a desktop.html file on your computer, probably in windows or system32 directory. delete it in safemode.