Jump to content

Welcome to Geeks to Go - Register now for FREE

Geeks To Go is a helpful hub, where thousands of volunteer geeks quickly serve friendly answers and support. Check out the forums and get free advice from the experts. Register now to gain access to all of our features, it's FREE and only takes one minute. Once registered and logged in, you will be able to create topics, post replies to existing threads, give reputation to your fellow members, get your own private messenger, post status updates, manage your profile and so much more.

Create Account How it Works
Photo

Weird login screen behavior from Windows 10

windows 10 password login fake login screen

  • Please log in to reply

#46
daba

daba

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 260 posts

I should add that the menu thing was nowhere to be seen this morning. Gone. (That was before the fixlog). Thank you.


  • 0

Advertisements


#47
RKinner

RKinner

    Malware Expert

  • Expert
  • 22,473 posts
  • MVP

That's good to hear.  What I think happened is when it saw the path to Opera Browser Assistant

 

HKU\S-1-5-21-2490165305-1638453623-257508744-1001\...\Run: [Opera Browser Assistant] => C:\Users\David Jackson\AppData\Local\Programs\Opera\assistant\browser_assistant.exe [3024920 2020-03-12] (Opera Software AS -> Opera Software)

 

 

 

it got as far as C:\Users\David  and then thought it was at the end of the line so looked for a file named David.   I'm not sure where it found the data that it showed you - possibly some temp cache.  Did this start happening after installing Oracle?

Best practice when writing a path to the registry is to put quotes around the whole path just in case there are spaces (like in your user name) and it is possible they forgot to do it.  I checked the equivalent section in my registry and some of them have quotes and some don't.  But my user name is Ron so there aren't any gaps so it doesn't matter.  This used to be a big problem back in Win 2000 days but somewhere along the line Windows got a bit smarter and stopped interpreting a space as a new line most of the time but there are still some instances where it reverts back to its old behavior.

 

I don't know what happened to your f.lux entry but the following fixlist should put it back so that it will show up next time you reboot.  This fixlist will just make one change then read it back to make sure it took.  No reboot required.  Just post the fixlog.

 

Attached File  fixlist.txt   678bytes   11 downloads

 

 


  • 0

#48
daba

daba

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 260 posts

Hello again. Thank you very much. To the best of my knowledge, I haven't installed Oracle unless I did so unwittingly at some point (not impossible, hehe). Thank you for sharing the bit of revision history: I guess you've been involved with computers since their inception, right? Seen a lot of changes and breakthroughs. I appreciate your expertise and help. Thank you very much. Here's the fixlog:

 

Fix result of Farbar Recovery Scan Tool (x64) Version: 22-03-2020
Ran by David Jackson (24-03-2020 22:43:26) Run:5
Running from C:\Users\David Jackson\Desktop
Loaded Profiles: David Jackson (Available Profiles: defaultuser0 & David Jackson)
Boot Mode: Normal
==============================================
 
fixlist content:
*****************
REG: reg add "HKEY_USERS\S-1-5-21-2490165305-1638453623-257508744-1001\Software\Microsoft\Windows\CurrentVersion\Run" /v "f.lux" /t REG_DWORD /d "C:\Users\David Jackson\AppData\Local\FluxSoftware\Flux\flux.exe"
REG: reg query "HKEY_USERS\S-1-5-21-2490165305-1638453623-257508744-1001\Software\Microsoft\Windows\CurrentVersion\Run" /s
 
 
*****************
 
 
========= reg add "HKEY_USERS\S-1-5-21-2490165305-1638453623-257508744-1001\Software\Microsoft\Windows\CurrentVersion\Run" /v "f.lux" /t REG_DWORD /d "C:\Users\David Jackson\AppData\Local\FluxSoftware\Flux\flux.exe" =========
 
ERROR: Invalid syntax. Specify valid numeric value for '/d'.
Type "REG ADD /?" for usage.
 
 
========= End of Reg: =========
 
 
========= reg query "HKEY_USERS\S-1-5-21-2490165305-1638453623-257508744-1001\Software\Microsoft\Windows\CurrentVersion\Run" /s =========
 
 
HKEY_USERS\S-1-5-21-2490165305-1638453623-257508744-1001\Software\Microsoft\Windows\CurrentVersion\Run\AutorunsDisabled
    Opera Browser Assistant    REG_SZ    C:\Users\David Jackson\AppData\Local\Programs\Opera\assistant\browser_assistant.exe
 
 
 
========= End of Reg: =========
 
 
==== End of Fixlog 22:43:26 ====

  • 0

#49
RKinner

RKinner

    Malware Expert

  • Expert
  • 22,473 posts
  • MVP

That didn't work for some reason.  Thought I had it right but I used REG_DWORD instead of REG_SZ.  My mistake.  Let's try again:

 

Attached File  fixlist.txt   672bytes   11 downloads


  • 0

#50
daba

daba

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 260 posts

Hello and thank you for your help. Log is below:

Fix result of Farbar Recovery Scan Tool (x64) Version: 26-03-2020
Ran by David Jackson (27-03-2020 09:53:48) Run:6
Running from C:\Users\David Jackson\Desktop
Loaded Profiles: David Jackson (Available Profiles: defaultuser0 & David Jackson)
Boot Mode: Normal
==============================================
 
fixlist content:
*****************
REG: reg add "HKEY_USERS\S-1-5-21-2490165305-1638453623-257508744-1001\Software\Microsoft\Windows\CurrentVersion\Run" /v "f.lux" /t REG_SZ /d "C:\Users\David Jackson\AppData\Local\FluxSoftware\Flux\flux.exe"
REG: reg query "HKEY_USERS\S-1-5-21-2490165305-1638453623-257508744-1001\Software\Microsoft\Windows\CurrentVersion\Run" /s
 
 
*****************
 
 
========= reg add "HKEY_USERS\S-1-5-21-2490165305-1638453623-257508744-1001\Software\Microsoft\Windows\CurrentVersion\Run" /v "f.lux" /t REG_SZ /d "C:\Users\David Jackson\AppData\Local\FluxSoftware\Flux\flux.exe" =========
 
The operation completed successfully.
 
 
 
========= End of Reg: =========
 
 
========= reg query "HKEY_USERS\S-1-5-21-2490165305-1638453623-257508744-1001\Software\Microsoft\Windows\CurrentVersion\Run" /s =========
 
 
HKEY_USERS\S-1-5-21-2490165305-1638453623-257508744-1001\Software\Microsoft\Windows\CurrentVersion\Run
    f.lux    REG_SZ    C:\Users\David Jackson\AppData\Local\FluxSoftware\Flux\flux.exe
 
HKEY_USERS\S-1-5-21-2490165305-1638453623-257508744-1001\Software\Microsoft\Windows\CurrentVersion\Run\AutorunsDisabled
    Opera Browser Assistant    REG_SZ    C:\Users\David Jackson\AppData\Local\Programs\Opera\assistant\browser_assistant.exe
 
 
 
========= End of Reg: =========
 
 
==== End of Fixlog 09:53:49 ====

  • 0

#51
RKinner

RKinner

    Malware Expert

  • Expert
  • 22,473 posts
  • MVP

Appears to have worked.  Did your f.lux come back after a reboot?


  • 0

#52
daba

daba

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 260 posts

Hi. Thank you. Some weirdness. Before seeing your message, there was a quick Opera notification which flashed up in the bottom right corner of the screen (I apologise but I don't recall what it said). Anyway, after that happened I noticed that an Opera icon had mysteriously appeared in the hidden icon box and then when I saw your message, I realised that f.lux wasn't automatically running (what I mean is it wasn't dimming the blue light) but I unpinned it from the taskbar and somehow managed to make its icon also appear in the hidden icons area where it always used to live. Then I rebooted, as per your message. What took me by surprise was that the Menu with the question: How do you want to open this file? had reappeared again. I hadn't seen that on reboot for a good few days. Could it be connected to the Opera message? I can start f.lux manually from the Start thing, but it used to auto-start before. Thank you very much.


  • 0

#53
RKinner

RKinner

    Malware Expert

  • Expert
  • 22,473 posts
  • MVP

Opera has a task that checks for updates.  Expect it wanted to update.  If you don't use Opera I would suggest you uninstall it. 

 

If the file is back we can easily undo the f.lux registry entry or you can just use Autoruns to uncheck it.


  • 0

#54
daba

daba

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 260 posts

Hello. Thank you. I uninstalled Opera. I found f.lux in pink listed as users/david so I unchecked that. I was unsure whether I should uncheck all the yellow stuff in the Autoruns as you suggested to do previously, so I didn't do that. I'm unsure if I have completed the instruction correctly. Thank you.


  • 0

#55
RKinner

RKinner

    Malware Expert

  • Expert
  • 22,473 posts
  • MVP

Yellow items indicate files are not there so it doesn't hurt to uncheck them.

 

Sounds like my attempt at replacing the f.lux didn't work.  Probably needed extra quote marks.  Oh well you say you have a work around so I guess we won't worry about it.

 

Do we have any problems left?


  • 0

Advertisements


#56
daba

daba

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 260 posts

Hi. Menu's gone. I can manually start f.lux. All good, thank you very much. Take care.


  • 0

#57
daba

daba

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 260 posts

Hello - again. I feel a bit bad jumping back on this thread yet again; however, for some reason that I can't fathom my fan is going a bit crazy. I remember the last time it happened you recommended running process explorer and repairing avast so I just ran it but I couldn't see an avast replication - lots of open brave stuff which didn't correlate to the actual open tabs (don't know if they should). Today's a warm day so it's not firing because there's ambient cold (again, don't know if it ever would). So here I am again seeking your help. You've already given me an enormous amount of your time and help and so if you feel I've already reached my limit, then I quite understand. If, on the other hand, there's still a bit of good-will left, I would very much appreciate your expertise in resolving this. As a particularly sound-sensitive soul (unlike my ex-wife who could sleep through anything), it's doing my head in a bit. Hope you're safe and well. Thank you very much. 

 

Attached Thumbnails

  • Screenshot (7).png

  • 0

#58
daba

daba

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 260 posts

Disregard last post. After I posted that, I thought I'd run an Avast scan and so opened it's icon. I was met with an upgrade alert which I ran and it updated some apps (don't know which). Then I remembered that over the past couple of weeks, sporadically, I'd seen not an Avast, but a Dell alert which said there were 3 updates and to click the box to update. Weird thing is that each time I clicked the box to action the update, NOTHING happened so I was left thinking it was a glitch. What the relationship is between the Avast and Dell update, I don't know - maybe totally independent. Anyway, I thought it had fixed the fan noise but it just kicked in again, and now stopped again (normally it's always pretty quiet, like it is now). Don't want to waste your time. Thank you.


  • 0

#59
daba

daba

    Member

  • Topic Starter
  • Member
  • PipPipPip
  • 260 posts

Just to be clear: it's all good now. I don't currently require your help. Thank you. Have a great day.


  • 0

#60
RKinner

RKinner

    Malware Expert

  • Expert
  • 22,473 posts
  • MVP

No problems with coming back.  Glad to have something to do.

 

Next time please make a process Explorer log as we did before.  The Screenshot doesn't tell me anything.

 

View, Select Column, check Verified Signer, OK
Options, Verify Image Signatures


Click twice on the CPU column header  to sort things by CPU usage with the big hitters at the top.  

Wait a full minute then:

File, Save As, Save.  Note the file name.   Open the file  on your desktop and copy and paste the text to a reply.


 


  • 0






Similar Topics


Also tagged with one or more of these keywords: windows 10, password login, fake login screen

2 user(s) are reading this topic

0 members, 2 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP