Solved Unwanted picture at Startup and Shutdown

Discussion in 'Malware and Virus Removal Archive' started by mrshine, 2008/02/19.

  1. 2008/02/19
    mrshine

    mrshine Inactive Thread Starter

    Joined:
    2008/02/19
    Messages:
    16
    Likes Received:
    0
    [Resolved] Unwanted picture at Startup and Shutdown

    Hi - This is my 1st post here. I'm hoping someone can help with
    the problem I'm having.

    There is a picture that comes up on my screen during Bootup,
    just before the desktop wallpaper and icons are loaded,
    and again just before the shut down process is complete.
    This is a picture of a Black Mercury Marauder (Grand Marquis),
    and appears to be one that I remember looking at briefly on e-Bay,
    about 6 weeks ago. I think it initially showed up as my wallpaper.
    I didn't think much about it - just changed it back to what it was.
    (I didn't think to see what the name of it was, and I cannot find any
    new unknown jpg or bmp files).
    I have Norton - keep up to date, and run full scans at least once/week.
    Yesterday I downloaded, installed, and ran SpyBot Search & Destroy,
    which found (and I deleted) about 55 occurrences of ad/tracking cookies.
    Rebooted - picture still there.
    Then downloaded, installed, ran Adaware - it found 3 things,
    I deleted them - rebooted - still there.
    Someone suggested Hijackthis, which I did download,
    but documentation cautions about not using without
    first having someone very knowledgeable examine the log file,
    and make recommendations.

    Anyone experience this before, and/or have solution ?

    Thanks very much Rich W. - mrshine
     
  2. 2008/02/23
    PeteC

    PeteC SuperGeek Staff

    Joined:
    2002/05/10
    Messages:
    28,896
    Likes Received:
    389
    The advisory is to emphasise that you should not fix anything in HJT without guidance from a trained analyst - we have such hardworking people on the Board.

    Run HJT and post the log.
     

  4. 2008/02/24
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Hi Rich,

    I have seen this before, and we just need to identify the entry related to the picture. Let's get an export of a couple of registry keys. Highlight and copy the contents of the code box below.

    Code:
    reg query "HKEY_CURRENT_USER\Control Panel\Desktop" > "%userprofile%\desktop\wallp.txt"
    reg query "HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components" /s >> "%userprofile%\desktop\wallp.txt"
    exit
    cls
    Now click Start>Run and type cmd then hit enter to open a command window. Right click in the command window and select paste. The command window should close on its own and a log file named wallp.txt will be created on the desktop. Please post the contents of that log here.
     
  5. 2008/02/24
    mrshine

    mrshine Inactive Thread Starter

    Unwanted picture at startup and shutdown

    The logfile from HJT follows.

    Thank you - Rich


    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 12:18:02 AM, on 2/25/2008
    Platform: Windows 2000 SP4 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
    Boot mode: Normal

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\system32\spoolsv.exe
    C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
    C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\WINNT\system32\svchost.exe
    C:\Program Files\Ahead\InCD\InCDsrv.exe
    C:\Program Files\Norton Internet Security\ISSVC.exe
    C:\WINNT\system32\lxctcoms.exe
    C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
    C:\WINNT\system32\regsvc.exe
    C:\WINNT\system32\MSTask.exe
    C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    C:\WINNT\system32\stisvc.exe
    C:\WINNT\Explorer.EXE
    C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    C:\WINNT\system32\WFXSVC.EXE
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\WINNT\system32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\Program Files\VIAudioi\SBADeck\ADeck.exe
    C:\Program Files\Ahead\InCD\InCD.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\PROGRA~1\M270NT\RMTSTOCK.EXE
    C:\PROGRA~1\LEXMAR~1\ACMonitor_X83.exe
    C:\PROGRA~1\M270NT\KBOSDCTL.EXE
    C:\PROGRA~1\LEXMAR~1\AcBtnMgr_X83.exe
    C:\PROGRA~1\M270NT\CDMng32.EXE
    C:\WINNT\system32\wfxsnt40.exe
    C:\PROGRA~1\M270NT\RmtConvt.EXE
    C:\Program Files\Lexmark 5400 Series\lxctmon.exe
    C:\PROGRA~1\M270NT\BKGRD32.EXE
    C:\Program Files\Lexmark 5400 Series\ezprint.exe
    C:\PROGRA~1\M270NT\RMTSPECL.EXE
    C:\PROGRA~1\M270NT\KBRmt32.Exe
    C:\PROGRA~1\M270NT\CALCMNG.EXE
    C:\Program Files\QuickTime\qttask.exe
    C:\PROGRA~1\M270NT\DKeyBEx.EXE
    C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
    C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    C:\Program Files\Picasa2\PicasaMediaDetector.exe
    C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    C:\PROGRA~1\M270NT\MxrCtl32.EXE
    C:\Program Files\FinePixViewer\QuickDCF.exe
    C:\Program Files\Day-Timer Organizer SHARP Edition\xserv2k.exe
    C:\Program Files\Network Associates\PGPNT\PGPTray.exe
    C:\Program Files\Intuit\QuickBooks Pro\Components\QBAgent\qbdagent2001.exe
    C:\Program Files\Common Files\Symantec Shared\AdBlocking\NSMdtr.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Outlook Express\MSIMN.EXE
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.mr-shine.com/
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: Lexmark Toolbar - {1017A80C-6F09-4548-A84D-EDD6AC9525F0} - C:\Program Files\Lexmark Toolbar\toolband.dll
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O2 - BHO: Norton Internet Security - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll
    O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
    O3 - Toolbar: Norton Internet Security - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: Lexmark Toolbar - {1017A80C-6F09-4548-A84D-EDD6AC9525F0} - C:\Program Files\Lexmark Toolbar\toolband.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
    O4 - HKLM\..\Run: [AudioDeck] C:\Program Files\VIAudioi\SBADeck\ADeck.exe 1
    O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\system32\\NeroCheck.exe
    O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
    O4 - HKLM\..\Run: [MultimediaKey] C:\PROGRA~1\M270NT\DriBat32.EXE DKBoot.INI
    O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
    O4 - HKLM\..\Run: [Lexmark X83 Button Monitor] C:\PROGRA~1\LEXMAR~1\ACMonitor_X83.exe
    O4 - HKLM\..\Run: [Lexmark X83 Button Manager] C:\PROGRA~1\LEXMAR~1\AcBtnMgr_X83.exe
    O4 - HKLM\..\Run: [PrinTray] C:\WINNT\system32\spool\DRIVERS\W32X86\3\printray.exe
    O4 - HKLM\..\Run: [WinFaxAppPortStarter] wfxsnt40.exe
    O4 - HKLM\..\Run: [lxctmon.exe] "C:\Program Files\Lexmark 5400 Series\lxctmon.exe"
    O4 - HKLM\..\Run: [Lexmark 5400 Series Fax Server] "C:\Program Files\Lexmark 5400 Series\fm3032.exe" /s
    O4 - HKLM\..\Run: [EzPrint] "C:\Program Files\Lexmark 5400 Series\ezprint.exe"
    O4 - HKLM\..\Run: [LXCTCATS] rundll32 C:\WINNT\system32\spool\DRIVERS\W32X86\3\LXCTtime.dll,_RunDLLEntry@16
    O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
    O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    O4 - HKCU\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
    O4 - Startup: WinFax PRO Message Manager.lnk = C:\Program Files\Symantec\WinFax\FAXMNG32.EXE
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: Exif Launcher.lnk = C:\Program Files\FinePixViewer\QuickDCF.exe
    O4 - Global Startup: ExpressServices 2000.lnk = C:\Program Files\Day-Timer Organizer SHARP Edition\xserv2k.exe
    O4 - Global Startup: PGPtray.lnk = C:\Program Files\Network Associates\PGPNT\PGPTray.exe
    O4 - Global Startup: QuickBooks 2001 Delivery Agent.lnk = C:\Program Files\Intuit\QuickBooks Pro\Components\QBAgent\qbdagent2001.exe
    O4 - Global Startup: UPS Online PLD Reminder Utility.lnk = C:\UPS\UOWS\PldReminder.exe
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
    O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O10 - Unknown file in Winsock LSP: c:\winnt\system32\nwprovau.dll
    O15 - Trusted Zone: www.tollbrothers.com
    O15 - Trusted Zone: http://www.tollbrothers.com
    O16 - DPF: {3C648A72-C49A-48EF-9F90-68EF13293F97} (Cacher Class) - http://www.midhudsonmls.com/XMLSearch/XMLCache.CAB
    O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
    O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: InCD File System Service (InCDsrv) - AHEAD Software - C:\Program Files\Ahead\InCD\InCDsrv.exe
    O23 - Service: ISSvc (ISSVC) - Symantec Corporation - C:\Program Files\Norton Internet Security\ISSVC.exe
    O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
    O23 - Service: lxct_device - - C:\WINNT\system32\lxctcoms.exe
    O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
    O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
    O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    O23 - Service: WinFax PRO (wfxsvc) - Symantec Corporation - C:\WINNT\system32\WFXSVC.EXE

    --
    End of file - 10635 bytes
     
  6. 2008/02/24
    mrshine

    mrshine Inactive Thread Starter

    Seen before - identify picture

    Dave,

    I copied/pasted per your directions, ended up with what appears to
    be an empty txt file. I opened it with Notepad, and nothing there.

    The window that opened, had at the top:

    C:\WINTT\system32\cmd.exe

    As soon as I right clicked, the window closed - I did not have
    the ability to "paste" the strings you specified.

    Did I do something wrong, or is that a possible result ?

    Thanks - Rich
     
    Last edited: 2008/02/24
  7. 2008/02/25
    noahdfear

    noahdfear Inactive

    Ahh .... you have Windows 2000, not XP. The reg export won't work the same way. Are you familiar with the registry? Can you open the registry editor, navigate to the following 2 keys and export them to a text file, then post the contents of each?

    HKEY_CURRENT_USER\Control Panel\Desktop
    HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components

    If not, I'll put together a batch for you to run that will get the export(s). It won't be till tomorrow evening though ........ I need sleep now.
     
  8. 2008/02/25
    mrshine

    mrshine Inactive Thread Starter

    registry entries

    Dave,

    Sorry - I don't know how to do that.
    I tried but was unable to save as a txt file.

    Rich
     
  9. 2008/02/25
    PeteC

    PeteC SuperGeek Staff

    Navigate in Regedit to the strings Dave posted.

    Highlight string in the left hand pane.

    File > Export and in the Export Registry File dialogue select .txt from the Save as type drop down box, select a destination > OK

    Above for XP, no doubt 2k is similar.
     
  10. 2008/02/25
    mrshine

    mrshine Inactive Thread Starter

    Registry entries

    Pete,

    I tried that - no "txt" option on my Win2000 systems.
    Only "Registration Files" - unless I'm missing something...

    Rich
     
  11. 2008/02/25
    PeteC

    PeteC SuperGeek Staff

    Afraid that I can't help you with that then as I have never run W2k.

    However, if you export as a .reg file you can open that in Notepad or any text editor and copy/paste into your post here.
     
  12. 2008/02/25
    mrshine

    mrshine Inactive Thread Starter

    RegFile entries

    Pete,

    Thanks - I was thinking in that same direction, but I guess I wasn't
    thinking clearly this morning (too many other things on my mind...).

    Thanks - Rich

    Here's the info:

    Windows Registry Editor Version 5.00

    [HKEY_CURRENT_USER\Control Panel\Desktop]
    "ActiveWndTrkTimeout"=dword:00000000
    "AutoEndTasks"="0"
    "CaretWidth"=dword:00000001
    "CoolSwitch"="1"
    "CoolSwitchColumns"="7"
    "CoolSwitchRows"="3"
    "CursorBlinkRate"="530"
    "DragFullWindows"="0"
    "DragHeight"="4"
    "DragWidth"="4"
    "FontSmoothing"="0"
    "ForegroundFlashCount"=dword:00000003
    "ForegroundLockTimeout"=dword:00030d40
    "GridGranularity"="0"
    "HungAppTimeout"="5000"
    "LowPowerActive"="0"
    "LowPowerTimeOut"="0"
    "MenuShowDelay"="400"
    "PaintDesktopVersion"=dword:00000000
    "Pattern"="(None)"
    "PowerOffActive"="0"
    "PowerOffTimeOut"="0"
    "ScreenSaveActive"="1"
    "ScreenSaverIsSecure"="0"
    "ScreenSaveTimeOut"="900"
    "SCRNSAVE.EXE"="C:\\WINNT\\CLASSI~1.SCR"
    "TileWallpaper"="1"
    "UserPreferencesMask"=hex:9c,3e,00,80
    "WaitToKillAppTimeout"="20000"
    "Wallpaper"="C:\\Documents and Settings\\Administrator\\Application Data\\Microsoft\\Internet Explorer\\Internet Explorer Wallpaper.bmp"
    "WheelScrollLines"="3"
    "WallpaperStyle"="0"

    Windows Registry Editor Version 5.00

    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components]
    "DeskHtmlVersion"=dword:00000110
    "DeskHtmlMinorVersion"=dword:00000003
    "Settings"=dword:00000001
    "GeneralFlags"=dword:00000000

    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
    "Source"="About:Home"
    "SubscribedURL"="About:Home"
    "FriendlyName"="My Current Home Page"
    "Flags"=dword:00000002
    "Position"=hex:2c,00,00,00,a0,00,00,00,00,00,00,00,80,02,00,00,3c,02,00,00,00,\
    00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
    "CurrentState"=dword:40000004
    "OriginalStateInfo"=hex:18,00,00,00,ff,ff,00,00,ff,ff,00,00,ff,ff,ff,ff,ff,ff,\
    ff,ff,04,00,00,00
    "RestoredStateInfo"=hex:18,00,00,00,f0,01,00,00,1f,00,00,00,80,00,00,00,76,00,\
    00,00,01,00,00,00
     
  13. 2008/02/25
    noahdfear

    noahdfear Inactive

    Thanks Pete!

    Rich, open the registry editor and navigate to the following location.

    HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0

    Right click on the 0 key (the one located below the Components key) and select Delete. Close the registry editor and restart. Let me know if there's any change.
     
  14. 2008/02/25
    mrshine

    mrshine Inactive Thread Starter

    Deleted entry

    Dave,

    I deleted the entry per your directions.
    Upon Restart computer hung up in process of building Desktop.
    I then did a Ctrl/Alt/Del to see what was running.
    Instead of Taskmanager coming up, the unwanted picture
    filled the screen, and computer hung solid.
    To free it up, I had to power down with Power button.
    When I powered it up, it was slow coming up,
    and the unwanted picture still came up just before the
    desired Desktop wallpaper & icons were displayed.

    I don't know if this means anything, but I notice that when I
    do a ShutDown, I get a "pgm ending" msg for "ccApp"
    I don't remember always seeing this - normal ?

    Thanks - Rich
     
  15. 2008/02/25
    noahdfear

    noahdfear Inactive

    ccApp is a Norton component, and it's not unusual for it to be a bit slow about closing at shutdown.

    See if the deleted 0 registry key was recreated please.

    Normally applies to XP, but I think it may be the same for 2000 (can't remember) ......... right click the desktop and select Properties. On the Desktop tab, click Customize Desktop. Select the Web tab. Remove any entries listed. If there is a check box titled Lock desktop items, make sure it is cleared.

    What is the current wallpaper set to? Click Start>Run and paste the following bolded line (including quotes) then hit enter.

    "C:\Documents and Settings\Administrator\Application Data\Microsoft\Internet Explorer\Internet Explorer Wallpaper.bmp"

    Does it open the same picture as your current wallpaper?
     
  16. 2008/02/25
    mrshine

    mrshine Inactive Thread Starter

    Deleted Entry

    Dave,

    See if the deleted 0 registry key was recreated please.
    No - not recreated.

    "C:\Documents and Settings\Administrator\Application Data\Microsoft\Internet Explorer\Internet Explorer Wallpaper.bmp"

    Does it open the same picture as your current wallpaper?


    No - My current (desired) desktop wallpaper is a picture
    of my 1955 Chevy. This command brings up the "unknown picture"
    that is causing me all the grief, and the name shown is:

    Internet Explorer Wallpaper.bmp

    Interesting...

    So why is this displaying as it is ?
    Where did it come from ?
    What is it doing to my computer (is it Spyware) ?
    How do we get rid of it ?

    It's very late - I have to sign off for tonight.

    I appreciate all your help.

    Thanks - Rich
     
  17. 2008/02/26
    noahdfear

    noahdfear Inactive

    It's just a wallpaper hijack, and likely not infected.

    What is the user name on the account you use? I.e., I need the name of your user account folder located in C:\Documents and Settings

    If you insert that name in place of Administrator in the following command, then paste it into the run line, is there a file named Internet Explorer Wallpaper.bmp located there? If so, open it and see what it is.

    "C:\Documents and Settings\Administrator\Application Data\Microsoft\Internet Explorer"
     
  18. 2008/02/26
    mrshine

    mrshine Inactive Thread Starter

    Wallpaper Hijack

    Dave,

    I don't use a particular user name - I guess by default it's Administrator.

    Should I have a unique user name ?

    I'm the only one using the computer (in my home, for home based
    business).

    If I enter the command just as you have it,
    there is a file named: Internet Explorer Wallpaper,
    with a file type of PhotoSuite Image,
    modified Jan. 21, 2008. Probably when I picked this up ?

    Should I delete this file ?
    Or do you think I need to do something else ?

    Thanks - Rich
     
    Last edited: 2008/02/26
  19. 2008/02/26
    noahdfear

    noahdfear Inactive

    Highlight and copy the contents of the code box below to a blank notepad. Save it to the desktop as;

    Filename: fix.reg
    Save as type: All Files (*.*)

    Code:
    REGEDIT4
    
    [HKEY_CURRENT_USER\Control Panel\Desktop]
    "Wallpaper"=""
    
    Double click fix.reg and allow it to merge with the registry.

    Highlight and copy the bolded command below.

    del /q "C:\Documents and Settings\Administrator\Application Data\Microsoft\Internet Explorer\Internet Explorer Wallpaper.bmp"

    Open a command window and right click then paste the command. Hit Enter and close the command window.
    Reboot.


    In general, it's not recommended to use the Administrator account for general computing, though it's probably moot to change things at this point if you've been using the computer for any length of time. Creating a new user account would mean transferring your documents, pictures, etc. to the new account for ease of access.
     
  20. 2008/02/26
    mrshine

    mrshine Inactive Thread Starter

    Getting rid of the bogus wallpaper

    Dave,

    First step executed fine.

    Second step returned a "could not find" with the specified filename.

    Could the 1st step have already deleted the file ?

    I'm going to reboot and see if problem is corrected.

    Thanks - Rich
     
  21. 2008/02/26
    noahdfear

    noahdfear Inactive

    First step would remove only the registry's path to the file, not the file itself. Just paste this into the Run dialog and hit enter, then delete the file manually.

    "C:\Documents and Settings\Administrator\Application Data\Microsoft\Internet Explorer"
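
Added example, not part of the thread: a small Python parser for the regedit text export format posted above, which pulls out the two things the helpers inspected by hand, the `Wallpaper` value under `Control Panel\Desktop` and the `Source` of each Active Desktop component. The names `parse_reg`, `triage` and `SAMPLE_EXPORT` are hypothetical, and the sample export is constructed to mirror the one in the thread.

```python
import ntpath
import re

# Constructed sample in regedit's text export format, modelled on the thread's export.
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Control Panel\Desktop]
"TileWallpaper"="1"
"UserPreferencesMask"=hex:9c,3e,\
  00,80
"Wallpaper"="C:\\Documents and Settings\\Administrator\\Application Data\\Microsoft\\Internet Explorer\\Internet Explorer Wallpaper.bmp"

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components]
"Settings"=dword:00000001

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"FriendlyName"="My Current Home Page"
"Flags"=dword:00000002
'''

DESKTOP_KEY = r"HKEY_CURRENT_USER\Control Panel\Desktop"
COMPONENTS_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components"
# File name of the unwanted picture as reported in the thread.
THREAD_FILE = "internet explorer wallpaper.bmp"

_VALUE_RE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|(@))=(.*)$')


def _unescape(s):
    # .reg strings escape backslash and double quote with a leading backslash.
    return re.sub(r'\\(.)', r'\1', s)


def _decode(data):
    """Turn the right-hand side of a .reg value line into str, int or bytes."""
    if len(data) >= 2 and data.startswith('"') and data.endswith('"'):
        return _unescape(data[1:-1])
    if data.startswith("dword:"):
        return int(data[6:], 16)
    if data.startswith("hex"):  # hex: and typed forms such as hex(2):
        payload = data.split(":", 1)[1]
        return bytes(int(b, 16) for b in payload.split(",") if b.strip())
    return data


def parse_reg(text):
    """Parse export text (REGEDIT4 or 5.00) into {key_path: {value_name: value}}."""
    logical, buf = [], ""
    for raw in text.splitlines():
        line = buf + raw.strip()
        buf = ""
        if line.endswith(",\\"):  # hex data continued on the next line
            buf = line[:-1]
            continue
        logical.append(line)
    keys, current = {}, None
    for line in logical:
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1], {})
            continue
        m = _VALUE_RE.match(line)
        if m is None or current is None:
            continue  # blank line, comment, or the file header
        name = _unescape(m.group(1)) if m.group(1) is not None else "@"
        current[name] = _decode(m.group(3))
    return keys


def triage(keys):
    """Report the configured wallpaper and every Active Desktop component source."""
    lowered = {path.lower(): values for path, values in keys.items()}
    wallpaper = lowered.get(DESKTOP_KEY.lower(), {}).get("Wallpaper", "")
    prefix = COMPONENTS_KEY.lower() + "\\"
    components = [
        (path[len(prefix):], values.get("Source", ""))
        for path, values in keys.items()
        if path.lower().startswith(prefix)
    ]
    return {
        "wallpaper": wallpaper,
        "matches_thread_file": ntpath.basename(wallpaper).lower() == THREAD_FILE,
        "components": components,
    }


if __name__ == "__main__":
    print(triage(parse_reg(SAMPLE_EXPORT)))
```

Running the same functions on an export taken after merging fix.reg should show an empty `wallpaper` and `matches_thread_file` as `False`.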
     
