[s'mores]

Environment paths?

Most of them only have a General, Version, and Summary tab. General pretty much says the same thing on all of them, Version has a bunch of information like file version, and Summary is blank on all of them. A few have a Compatibility tab. None have a Shortcut tab, so I'm inclined to believe they aren't shortcuts.

I wanted you to fix the O4: Gobal Startup entries, this should get rid of the popups everytime you boot.

Are you saying you want me to?

Edited by s'mores, 11 August 2008 - 09:32 AM.

[Advertisements]

Hold on with that, I'm inclined to say yes but then again I can't be sure if it would cause even more damage to your PC. I want to look into this a bit first.
in the meanwhile maybe someone with some more knowledge on can share some advice.

[Mike]

Hold on with that, I'm inclined to say yes but then again I can't be sure if it would cause even more damage to your PC. I want to look into this a bit first.
in the meanwhile maybe someone with some more knowledge on can share some advice.

[Artellos]

Let me ask you a quick question for my (possible) next post.
What is the name of your user account?

Then can you please follow the instructions below.

Open your start menu and select "Run..."
In the runbox type notepad
then in the notepad, copy and paste the below codebox.

dir "C:\Documents and Settings\All Users\Menu Start\All Programs\Startup" >> C:\result.txt
notepad C:\result.txt
del dirstartup.bat

Go to File then save as "All files"
Please name the file dirstartup.bat
Please save the program to C:\
When you run it, a notepad should appear. Please copy and paste the content of that notepad into your next reply.

Regards,
Olrik

Edited by Artellos, 11 August 2008 - 10:46 AM.

[s'mores]

The name of my user account is "user". My friend had a guy at work set this computer up with Windows for me and that was the username he put on it.

I did exactly what you said, saved it to C:\ and ran it. It opened a file in Notepad called "result.txt" and it was blank.

[Mike]

I've managed to re-create your problem thanks to the help of my mentor Metallica.

I want to get some information first though so please do this for me..

Open notepad by going to START > RUN and type notepad.exe in the box that appears. In the window that pops up please copy and paste the following

@echo off
reg query "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /v "Common Startup"> looksee.txt
reg query "HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders" /v "Startup">> looksee.txt
start notepad looksee.txt
del %0

In Notepad click on the "File" menu > Save As... Under "File name" type fix.bat and Change "Save as type" to All Files, save it to a place you will remember.



Double click on fix.bat. Looksee.txt will appear, please post the contents of that.

Edited by Mike, 11 August 2008 - 12:40 PM.

[s'mores]

Okay, here is what was in the text file:


! REG.EXE VERSION 3.0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
Common Startup REG_EXPAND_SZ %windir%\system32


! REG.EXE VERSION 3.0

HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
Startup REG_EXPAND_SZ %USERPROFILE%\Start Menu\Programs\Startup

[Mike]

At least we have the culprit.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
Common Startup REG_EXPAND_SZ %windir%\system32

You see that the global startup is pointing to the system32 folder, it should be pointing to %USERPROFILE%\Start Menu\Programs\Startup

Please do this for me...

We are going to make some changes to your registry. To make sure that if something happened while doing this fix we have a backup of your registry available, I will need you to follow these instructions::Please go to Start > Run
Paste in the following line:regedit /e c:\registrybackup.reg
Click OK.
It won't appear to be doing anything, that's normal.
Your mouse pointer may turn to an hour glass for a minute.
Please continue when it no longer has the hour glass.
[/list]Please open Notepad by going to Start > Run and typing Notepad.exe in the window that pops up. Press enter and in the notepad window that appears Copy (Ctrl+C) and Paste (Ctrl+P) the following:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders]
"Common Startup"=hex(2):25,00,55,00,53,00,45,00,52,00,50,00,52,00,4f,00,46,00,49,00,\
  4c,00,45,00,25,00,5c,00,53,00,74,00,61,00,72,00,74,00,20,00,4d,00,65,00,6e,\
  00,75,00,5c,00,50,00,72,00,6f,00,67,00,72,00,61,00,6d,00,73,00,5c,00,53,00,\
  74,00,61,00,72,00,74,00,75,00,70,00,00,00

Note: it is important to copy this with the spacing left as it is, also make sure "Windows Registry Editor Version 5.00" is the first thing in Notepad (No spaces ahead or anything).

In Notepad click on the "File" menu > Save As... Under "File name" type Fix.reg and Change "Save as type" to All Files

Now double click Fix.reg. A pop-up will appear asking you if you want to import this to your registry click yes.

Reboot your PC, then re-scan with Hijack This - attach the log here please. (take a note if the O4s are gone)

Also could you take a screenshot of your desktop so I can see what is going on there? If you have things you don't want to show either hide them or PM me the screenshot please

Edited by Mike, 11 August 2008 - 01:28 PM.

[s'mores]

Okay, I did that. When Windows came up, none of those windows came up! The icons area all still there, but now at least I can reboot without having to close out of hundreds of windows everytime!

Attached Files

•  desktop.zip   146.05KB   78 downloads
•  hijackthis.zip   1.52KB   70 downloads

Edited by s'mores, 11 August 2008 - 02:51 PM.

[Mike]

lol... never saw the desktop masquerade as the system32 folder

Do you remember anything you did? Run a registry cleaner or do something that mucked around with your registry?

Do this for me please... Make a batch file as previously instructed but use the following:

@echo off
del looksee.txt
reg query "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders"> looksee.txt
reg query "HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders">> looksee.txt
start notepad looksee.txt
del %0

Post the content of looksee.txt please.

Edited by Mike, 11 August 2008 - 02:52 PM.

[s'mores]

Yes, all the ones on my desktop are in that folder.

[Mike]

I edited my post, so if you could re-read and follow the above instructions please - glad to hear that they are though, one less headache

Edited by Mike, 11 August 2008 - 03:09 PM.

[s'mores]

Okay here it is:


! REG.EXE VERSION 3.0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
Common Desktop REG_EXPAND_SZ %windir%\system32
Common Start Menu REG_EXPAND_SZ %ALLUSERSPROFILE%\Start Menu
Common Programs REG_EXPAND_SZ %ALLUSERSPROFILE%\Start Menu\Programs
Common Startup REG_EXPAND_SZ %USERPROFILE%\Start Menu\Programs\Startup
Common AppData REG_EXPAND_SZ %ALLUSERSPROFILE%\Application Data
Common Templates REG_EXPAND_SZ %ALLUSERSPROFILE%\Templates
Common Favorites REG_EXPAND_SZ %ALLUSERSPROFILE%\Favorites
Common Documents REG_EXPAND_SZ %ALLUSERSPROFILE%\Documents

! REG.EXE VERSION 3.0

HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
AppData REG_EXPAND_SZ %USERPROFILE%\Application Data
Desktop REG_EXPAND_SZ %USERPROFILE%\Desktop
Favorites REG_EXPAND_SZ %USERPROFILE%\Favorites
NetHood REG_EXPAND_SZ %USERPROFILE%\NetHood
Personal REG_EXPAND_SZ %USERPROFILE%\My Documents
PrintHood REG_EXPAND_SZ %USERPROFILE%\PrintHood
Programs REG_EXPAND_SZ %USERPROFILE%\Start Menu\Programs
Recent REG_EXPAND_SZ %USERPROFILE%\Recent
SendTo REG_EXPAND_SZ %USERPROFILE%\SendTo
Start Menu REG_EXPAND_SZ %USERPROFILE%\Start Menu
Startup REG_EXPAND_SZ %USERPROFILE%\Start Menu\Programs\Startup
Templates REG_EXPAND_SZ %USERPROFILE%\Templates
Cookies REG_EXPAND_SZ %USERPROFILE%\Cookies
My Pictures REG_EXPAND_SZ %USERPROFILE%\My Documents\My Pictures
Local Settings REG_EXPAND_SZ %USERPROFILE%\Local Settings
Local AppData REG_EXPAND_SZ %USERPROFILE%\Local Settings\Application Data
Cache REG_EXPAND_SZ %USERPROFILE%\Local Settings\Temporary Internet Files
History REG_EXPAND_SZ %USERPROFILE%\Local Settings\History

[Mike]

Same deal.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
Common Desktop REG_EXPAND_SZ %windir%\system32

Common desktop is pointing to the system32 folder.

As before please back up your registry.


Now please open Notepad by going to Start > Run and typing Notepad.exe in the window that pops up. Press enter and in the notepad window that appears Copy (Ctrl+C) and Paste (Ctrl+P) the following:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders]
"Common Desktop"=hex(2):25,00,41,00,4c,00,4c,00,55,00,53,00,45,00,52,00,53,00,\
  50,00,52,00,4f,00,46,00,49,00,4c,00,45,00,25,00,5c,00,44,00,65,00,73,00,6b,\
  00,74,00,6f,00,70,00,00,00

Note: it is important to copy this with the spacing left as it is, also make sure "Windows Registry Editor Version 5.00" is the first thing in Notepad (No spaces ahead or anything).

In Notepad click on the "File" menu > Save As... Under "File name" type Fix.reg and Change "Save as type" to All Files

Now double click Fix.reg. A pop-up will appear asking you if you want to import this to your registry click yes.

Reboot your PC.

[The Skeptic]

Hi Mike,

I am deeply impressed by the way you lead this thread. Chapeau.

Any idea what caused these registry changes?


Regards

The Skeptic

[Mike]

Thanks for the kind words The Skeptic, though it's too much for me

Here is my beautiful desktop, s'mores I think you will find it familiar lol..



The previous regfix http://www.geekstogo...48#entry1305448
Will remove all 'random icons'. You should be good to go after this

Edit. @The Skeptic, I'm not sure - I've never seen Malware touch this part of the registry and I'm not sure what programs would want to, but that's another mystery that we don't have to solve here lol.

Edited by Mike, 12 August 2008 - 08:03 AM.