• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 5583
  • Last Modified:

Adware, Spyware? Red Desktop with Ad

Hi Techs,

I must have picked up some adware or who knows what. The system seems to be running, but my desktop is not my desktop. It has been taken over with a red background with a black box in the center. In big red letters it says DANGER SPYWARE and they want me to buy their solution for $59...I don't think so. The link is to smart-security.com

I have run Adaware several times, Norton Antivirus with updated definitions several times. I found a "UCMore" and followed the instructions on Symantecs site, but that was of no help. Even removed entries in registry as instructed and under program files etc.

I cannot right click on the desktop. It ALMOST appears that this is covering my desktop. If I go into DISPLAY thru the way of the control panel, it will not allow me to change the image. So it seems to be attacking that too.

Any idea how to get rid of this and get me back to normal?

Thanks,

Wayne

0
wjo
Asked:
wjo
  • 23
  • 23
  • 7
  • +3
1 Solution
 
gemchestCommented:
Hi wjo,

firstly, turn off your system restore.

try running housecall to detect virus and spyware first:
http://housecall.trendmicro.com

then run the folowing:
AdAware ==> http://www.spychecker.com/program/adaware.html
SpyBot  ==> http://www.spychecker.com/program/spybot.html
SpywareBlaster ==> http://www.spychecker.com/program/spywareblaster.html
CoolWebShredder ==> http://www.spychecker.com/program/coolwebshredder.html 

use hijack this and their analyser as well:
http://www.hijackthis.de

hope this will help

Cheers,
Luis
0
 
-dev-Commented:
Try this:
Right click at the very top of the screen, click on properties....go to desktop, click on customize desktop. Find the web tab... it should have something checked that says security. Press delete and remove it then press ok and apply.
0
 
FalconHawkCommented:
Microsoft Antispyware is probally best:
http://www.microsoft.com/downloads/details.aspx?FamilyID=321cd7a2-6a57-4c57-a8bd-dbf62eda9671&displaylang=en

You kinda got a funny spyware.... i never saw those using a desktop before ^^. O well...
Also download a Firewall www.Zonealarm.com (zonelanbs is one of the best free ones). They help in blocking various irritating program tactics.

On the desktop part, what exactly do you see? are there still pictograms on it, and do they work? or is it just a red screen with spyware? In the last case, it might be as well a normal windows, wich has the right mouse disabled, and is just over your normal desktop
0
The Lifecycle Approach to Managing Security Policy

Managing application connectivity and security policies can be achieved more effectively when following a framework that automates repeatable processes and ensures that the right activities are performed in the right order.

 
TolomirAdministratorCommented:
I guess this is just a fake, they have managed to activate "active desktop" to show you some web content.

Any spywarekiller like spybot search & destroy should find nothing, at least nothing it can remove.

Delete all html files in the folder: C:\WINDOWS\Web

Now: Start -> Settings-> System configuration -> Display properties

Desktop: "Change Desktop" - Select Tab WEB -> Delete all entries.

Download Firefox from Mozilla and stop messing with IE ;-)

Tolomir
0
 
TolomirAdministratorCommented:
oh well

expert -dev-

found the right solution already.

Tolomir
0
 
wjoAuthor Commented:
Tokomir,

I deleted the files under C:\windows\web

But, when I go to START, there is no SETTINGS. What I have tried was to go to CONTROL PANEL->DISPLAY ->DESKTOP Tab -> CUSTOMIZE DESKTOP ->WEB   The only thing left is MY CURRENT HOME PAGE and it cannot be checked for removal.

Am I on the right track ???

What next ???

Thanks,

Wayne
0
 
TolomirAdministratorCommented:
Yep you are on the right track.

After a reboot, does the "Danger spyware" appear again?

It should be gone.


Do you maybe have hidden files in your c:\windows\web directory?
0
 
wjoAuthor Commented:

It is still there after reboot. I have hidden files showing. So that shouldn't be the issue.

I am not at that system now, but I guess I need to d/l Firefox. Think that will help?

Is this something to do with Active Desktop?

The first time I ran the MS Antispyware it found a ton of stuff. I ran it again this morning and it did not find anything.
0
 
TolomirAdministratorCommented:
What version of windows do you use btw?

This is for windows 98:
http://support.microsoft.com/?scid=kb%3Ben-us%3B190228&x=15&y=9

0
 
TolomirAdministratorCommented:
And this is for all versions...

http://www.computerhope.com/issues/ch000593.htm

You can get firefox right here:

http://www.mozilla.org/products/firefox/

Usefull extentions are right here:
https://addons.update.mozilla.org/extensions/?os=Windows&application=firefox

Nice themes like noia are here:
https://addons.update.mozilla.org/themes/?os=Windows&application=firefox


And here is some kind of afterburner:
What does FireTune do?
According to your specific computer speed and internet connection speed, FireTune will optimize several internal settings of Firefox for better performance. FireTune does NOT modify the Firefox executable, or any other Firefox binary file. Everything can be undone easily provided you saved your original profile configuration file with FireTune's profile backup feature.
http://www.totalidea.com/freestuff4.htm

Tolomir
0
 
rossfingalCommented:
Hi!

Check these places where background images are loaded from:
Look for "unusual" files - "desktop.html", for instance.
%Systemroot%\Web\Wallpaper
%USERPROFILE%\My Documents\My Pictures (& sub-folders)
%AppData%\Microsoft\Internet Explorer
%ProgramFiles%\Plus!\Themes (& sub-folders)

Your OS may ignore a folder with a lot of images in it.

Yes, it might have to do with Active Desktop.

RF
0
 
wjoAuthor Commented:
I stumbled onto a bunch of image files that were the red desktop with the ad. I trashed a bunch of those.

I ran hijack and created a log. A buddy of mine looked it over and advised me what to remove. I also ran CW Shredder, MS Antispyware, Adware. Norton Antivirus etc etc etc

So the red screen is now gone, but the system still isn't the norm. I cannot right click. If I go to RUN and type DESKTOP, I can see the files and folders that reside on my desktop. BUT, in reality I cannot see them. So I still say something is hiding my actual desktop. I am getting close to a format, but really don't feel like going thru that.

I am going to bump up another 50 points.  Come on techs, I know you can do it!

Wayne

P.S. I did most of what you have all suggested. BTW, I am running Win XP Pro.
0
 
TolomirAdministratorCommented:
You could create a new account, and check if this might help.

Taken from http://support.hubris.net/knowledge_base/018.html

Adding User Accounts in Windows XP

   1. Open the “User Accounts” Control Panel:
         1. Click the “Start” menu.
         2. Click “Control Panel.”
         3. Double-click the icon labeled “User Accounts.”
   2. An account called “Administrator” should already exist. It is generally recommended that you do not use the Administrator account for general daily computing. Therefore, you should create a new “Standard User” account for each person:
         1. Click the button labeled “Add.”
         2. Type in the person’s username and full name. Entering a description is optional. You can create whatever username you desire.
         3. Click “Next.”
         4. Set the account type to “Limited.”
         5. Click the button labeled “Create Account.”
         6. Repeat these steps to create all the user accounts you need.
         7. In the toolbar, click the button labled “Home.” You should see all the accounts you created listed in this window. For each account:
               1. Click the account name.
               2. In the window that appears, click the button labeled “Create a password.“
               3. Enter your desired password. You must not lose this password! The only record is stored on your computer. If you lose it, there will be no way to recover it.
               4. You can also enter a sentence or phrase as a password hint which will help you remember your password in case you forget.
               5. Click the button labeled “Create Password.”
   3. When you are finished, log off of Windows XP.
   
--
Now you can log on as administrator and move all files from your old account to the new created account, since the new one doesn't have access to your old account since he is not in the administrator group.

Or you could temporarly give the new account administrator rights to access all old files you should find them in c:\documents and settings\old username  

If you are not using windows with an administrator account, most spyware and stuff isn't able to install itself and mess with your system. So it's best to have an administrator account for software installation and a normal user account for surfing the internet etc.

E.g. c:\windows\web can only be written to, if you are using an administrator account and use a web browser like internet explorer there are so many bugs check http://secunia.com/product/11/ one of them allows websites to write to any directory on your hard disk. With simple user rights even the most nasty spyware has no write access to c:\windows and it's subfolders.

Tolomir




Tolomir
0
 
wjoAuthor Commented:
Tolomir,

Tried what you mentioned above, I created the new user account. I still cannot modify desktop. When I run all of the above spyware checkers, Norton antivirus etc, I still get a ton of stuff. I went thru the hijack log and removed files as someone instructed me. Norton finds a ton of spyware, but even in safe mode it cannot remove everything.

Still puzzled,

Getting close to a format. (but still trying to avoid)

Wayne
0
 
TolomirAdministratorCommented:
Can you give me the link of the highjack log (you should get that after pasting the result of the scan on that website) so I get an idea what you are dealing with, please.

I'm using spybot search & destroy - seems quite reliable.

http://www.safer-networking.org/en/index.html

The problem is, after a format you will be back here real soon , as long as you or we don't find out, what happend to your computer.

Tolomir
0
 
rossfingalCommented:
Hi!

Yes, please do as Tolomir suggests - one of the things that this "Desktop Hijacker"
does; it writes a lot of changes to the Registry (among other things).
Give us a LINK to your HijackThis log.
We may be able to help you deal with it through HiajckThis.
Also, check to see if "Active Desktop" is enabled - if it is - uncheck it.

RF
0
 
wjoAuthor Commented:
http://www.hijackthis.de/logfiles/9331b19935184136fc93c9650ef9d06c.html

I have tried search and destroy, still no luck!
0
 
TolomirAdministratorCommented:
C:\Program Files\Internet Explorer\IEXPLORE.EXE

Internet Explorer - Wir empfehlen einen sichereren alternativen Browser zu verwenden. (z.B. Firefox)

What could that mean <biggrin>

checkout ---> www.getfirefox.com

alright:

There are some not so nice programs in your c:\windows and c:\windows\system32 folder.

Use this http://www.sysinternals.com/files/autoruns.zip (use autoruns.exe)

...to prevent them from starting, don't remove all entries some of them are needed like userinit.exe and explorer are need to start windows, so be carefull.

But disabling all files below autostart and run should be no problem.

Reboot, now use spybot again (have you updated it, btw?)

Tolomir
0
 
rossfingalCommented:
To start with -
Move HijackThis into a folder of it's own - something like C:\HJT\hijackthis.exe or C:\Program Files\HJT\hijackthis.exe
You're running it from a "temp" folder - not a good idea!!

Search your computer for all off the following "exe's"
Make sure you check the dllcache, Prefetch, and "temp" folders
Delete all that you find.

        O4 - HKCU\..\Run: [Dee] C:\WINDOWS\System32\Fma.exe                 Unknown
Unknown               
Hit rate: 13 % (result)               Unknown application.
        O4 - HKCU\..\Run: [Hve] C:\WINDOWS\Gbe.exe               Unknown
Unknown               
Hit rate: 13 % (result)               Unknown application.
        O4 - HKCU\..\Run: [Cfg] C:\WINDOWS\Cph.exe               Unknown
Unknown               
Hit rate: -1 % (result)               Unknown application.
        O4 - HKCU\..\Run: [Faj] C:\WINDOWS\System32\Ecl.exe               Unknown
Unknown               
Hit rate: -1 % (result)               Unknown application.
        O4 - HKCU\..\Run: [Gbd] C:\WINDOWS\System32\Psj.exe               Unknown
Unknown               
Hit rate: -1 % (result)               Unknown application.
        O4 - HKCU\..\Run: [Rjb] C:\WINDOWS\System32\Goo.exe               Unknown
Unknown               
Hit rate: -1 % (result)               Unknown application.
        O4 - HKCU\..\Run: [Nik] C:\WINDOWS\System32\Ddq.exe               Unknown
Unknown               
Hit rate: 13 % (result)               Unknown application.
        O4 - HKCU\..\Run: [Ldh] C:\WINDOWS\System32\Kcg.exe               Unknown
Unknown               
Hit rate: -1 % (result)               Unknown application.
        O4 - HKCU\..\Run: [Vjb] C:\WINDOWS\Gff.exe               Unknown
Unknown               
Hit rate: -1 % (result)               Unknown application.
        O4 - HKCU\..\Run: [Nrr] C:\WINDOWS\Egq.exe               Unknown
Unknown               
Hit rate: 13 % (result)               Unknown application.
        O4 - HKCU\..\Run: [Len] C:\WINDOWS\Rou.exe               Unknown
Unknown               
Hit rate: 13 % (result)               Unknown application.
        O4 - HKCU\..\Run: [Qns] C:\WINDOWS\Had.exe               Unknown
Unknown               
Hit rate: 13 % (result)               Unknown application.
        O4 - HKCU\..\Run: [Rdr] C:\WINDOWS\Aeo.exe               Unknown
Unknown               
Hit rate: -1 % (result)               Unknown application.
        O4 - HKCU\..\Run: [Dgq] C:\WINDOWS\System32\Ich.exe               Unknown
Unknown               
Hit rate: -1 % (result)               Unknown application.
        O4 - HKCU\..\Run: [Bqc] C:\WINDOWS\System32\Aam.exe               Unknown
Unknown               
Hit rate: -1 % (result)               Unknown application.
        O4 - HKCU\..\Run: [Htj] C:\WINDOWS\System32\Mnn.exe               Unknown
Unknown               
Hit rate: -1 % (result)               Unknown application.
        O4 - HKCU\..\Run: [Kbl] C:\WINDOWS\System32\Lae.exe               Unknown
Unknown               
Hit rate: -1 % (result)               Unknown application.
        O4 - HKCU\..\Run: [Cnu] C:\WINDOWS\Pja.exe               Unknown
Unknown               
Hit rate: 13 % (result)               Unknown application.
        O4 - HKCU\..\Run: [Joa] C:\WINDOWS\Cts.exe               Unknown
Unknown               
Hit rate: 13 % (result)               Unknown application.
        O4 - HKCU\..\Run: [Lja] C:\WINDOWS\Ole.exe

Here's some interesting info on the last entry -"ole.exe" -
http://vil.nai.com/vil/content/v_10537.htm

Check the 016 entries - do you know what all of them are - did you add all of them?

RF
0
 
TolomirAdministratorCommented:
@ rossfingal:

these programs look like malware to me. These are random filenames to cover traces.

The "autoruns" program I mentioned above, is a first start to stop them from autorunning after startup.

A programm not in use can easily be deleted a program in use only with tricks...

Tolomir
0
 
rossfingalCommented:
>Tolomir
"these programs look like malware to me. These are random filenames to cover traces."
I agree!  :)
I only listed them out so that wjo could see exactly what to look for.
No problem with "Autoruns" - I use it!
Also, I would like to see that; if after removing these and a reboot -
do they "regenerate" with or without different names.
I Like "tricks"!  :)

Regards!

RF
0
 
wjoAuthor Commented:


      Y   I   K   E   S   !!!!!!!

Looks like I have my work cut out for me.

Just curious, if I was to zero out my hard drive how would these come back. Again, I prefer not to format at this time. So I will work on this tomorrow (Monday). I am on my laptop, so hopefully tomorrow I can try your updated suggestions.

Thanks,

Wayne
0
 
rossfingalCommented:
Hi1

If by "zero out" you mean a "low-level" format using the utility specific to the make of your hard drive -
No - they probably wouldn't come back (fingers crossed :)

If you do attempt to remove them -
Make sure "Show all Files and Folders", including hidden and system is enabled.
Disable "System Restore" - some of this "stuff" likes to hide in there
Check in Task Manager to see if they (or anything else suspicious) are running -
stop them, then disable them.
Remember to check dllcache, Prefetch, temp folders

After you have removed them clean out all your "temp" files ( Hope you've moved HijackThis !!!)  :)

# C:\Windows\Temp - delete ALL of the CONTENTS of the folder - Not the "temp" folder itself!
# C:\Documents and Settings\<Your Profile>\Local Settings\Temporary Internet Files (all contents)
  <=This will delete all your cached internet content including cookies.
  This is recommended and strongly suggested!
    However, if you delete all your cookies - this can affect your stored Internet passwords
    and your ability to logon automatically to various sites.
    So, consider deleting all your cookies - optional
# C:\Documents and Settings\<Your Profile>\Local Settings\Temp (all contents)
# C:\Documents and Settings\<Any other users Profile>\Local Settings\Temporary Internet Files (all contents)
# C:\Documents and Settings\<Any other users Profile>\Local Settings\Temp (all contents)

Empty your "Recycle Bin".

You may want to do this in "safe" mode, as well as "normal" mode.

Good luck!
RF
0
 
wjoAuthor Commented:
I have tried removing files from folders as instructed, running all the spyware programs reccommended, etc.

I ran Norton antivirus in safe mode and it showed these files. I can not find my recycle bin except Norton Protected Bin. That shows to be emptied.

It says DELETE FAIL for these files listed below.

The file C:\RECYCLER\NPROTECT\00007294 is a Adware threat.
The file C:\RECYCLER\NPROTECT\00007295 is a Adware threat
The file C:\RECYCLER\NPROTECT\00007296 is a Adware threat.
The file C:\RECYCLER\NPROTECT\00007297 is a Adware threat.
The file C:\RECYCLER\NPROTECT\00007306 is a Adware threat.
The file C:\RECYCLER\NPROTECT\00007307 is a Adware threat.
The compressed file C:/WINDOWS/System32/exdl.exe within C:\RECYCLER\NPROTECT\00005725 is a Adware threat.
The compressed file C:/WINDOWS/System32/exul.exe within C:\RECYCLER\NPROTECT\00005725 is a Adware threat.
The compressed file C:/WINDOWS/System32/javexulm.vxd within C:\RECYCLER\NPROTECT\00005725 is a Adware threat.
The compressed file C:/WINDOWS/System32/mqexdlm.srg within C:\RECYCLER\NPROTECT\00005725 is a Adware threat.
The compressed file C:/WINDOWS/System32/msexreg.exe within C:\RECYCLER\NPROTECT\00005725 is a Adware threat.

What now ? ? ?

0
 
wjoAuthor Commented:
Also, I assume Firefox is a browser that would replace IE.

The browser doesn't seem to be the issue.....or is it?

0
 
wjoAuthor Commented:
another question:   What is MSOCache ?

Is it supposed to be loaded with CAB files?
0
 
TolomirAdministratorCommented:
Firefox is a decend browser a good replacement for IE:

just check http://secunia.com/product/11/

There a a lot of ways, how spyware can install itself even without user interaction, but just by surfing the net with IE.

---
The norton protected bin replaces the normal recycle bin, so this is no problem.

Please Use this http://www.sysinternals.com/files/autoruns.zip (use autoruns.exe)

...to prevent them from starting, don't remove all entries some of them are needed like userinit.exe and explorer are need to start windows, so be carefull.

But disabling all files below autostart and run should be no problem.

Reboot, now use spybot if possible in windows save mode again (have you updated it, btw?)
0
 
wjoAuthor Commented:
I did update spybot.

I did do the autoruns  and disabled all but IE & userinit. I left those running.

My system is running. Seems to be running fairly normal, but I still can't get rid of everything. If I run spybot it says there is files in memory and can it run again after reboot. I say yes. I reboot it runs and does the same loop.

The main thing I still notice is, not my normal desktop, and the mouse will still not work on the right click.

(so sad)   :(

0
 
TolomirAdministratorCommented:
What about spybot in safe mode?

Can you locate those files in memory, are they named?

You should prepare a backup to safe all important files (no exe of cause;-)

Well I'm a bit running out of options, you could give us an update on highjackthis, what files are still detected.

Tolomir
0
 
wjoAuthor Commented:
Search & Destroy keeps finding these two entries. It cannot delete them even if I OK it to run on next startup and also in safe mode.
Can I delete the WinTools folder in the registry (or even the files listed under it?)


HuntBar: Settings (Registry key, fixing failed)
  HKEY_USERS\S-1-5-18\Software\WinTools

HuntBar: Settings (Registry key, fixing failed)
  HKEY_USERS\.DEFAULT\Software\WinTools




--- Spybot - Search && Destroy version: 1.3  ---
2005-03-03 Includes\Cookies.sbi
2005-04-07 Includes\Dialer.sbi
2005-04-07 Includes\Hijackers.sbi
2005-03-22 Includes\Keyloggers.sbi
2004-11-29 Includes\LSP.sbi
2005-04-07 Includes\Malware.sbi
2005-03-17 Includes\PUPS.sbi
2005-03-17 Includes\Revision.sbi
2005-02-09 Includes\Security.sbi
2005-04-07 Includes\Spybots.sbi
2005-02-17 Includes\Tracks.uti
2005-04-07 Includes\Trojans.sbi
0
 
TolomirAdministratorCommented:
You could start regedit

go to these key entries.

Select the 1st, click on the right mouse button

Below "Export" there should be "Permissions" remove all permissions (for any users)

Same procedure with 2nd key.

This way those keys are blocked, windows is not able to get access by itself. You could delete them later or simply forget them.

Tolomir





0
 
TolomirAdministratorCommented:
when it says, those permission cannot be deleted because there taken from parent (something like that)

go to Advanced and UNCHECK the mark in the box: Inherit from parent the permission entries that apply to child objects. Include these with entries explicitly defined here.

It will ask you if it should copy or remove the inhertited permissions.

Select remove.

Do this for both keys.

Tolomir
0
 
wjoAuthor Commented:
Tolomir,

Sorry, I do not understand your last comment. I DO see the Parent and the child listings. I tried to remove each one seperatly, but it will not allow me to remove. I might be doing something incorrectly here ???????????????????



let me add this.....

If I go to RUN and type DESKTOP I can see the original icons on my desktop


If I go thru Windows Explorer I can only see new icons that have been added.

Wayne
0
 
TolomirAdministratorCommented:
Please check this page:

http://support.microsoft.com/default.aspx?scid=kb;en-us;308418&sd=tech

How inheritance affects file and folder permissions
After you set permissions on a parent folder, new files and subfolders that are created in the folder inherit these permissions. If you do not want the files and folders to inherit permissions, click This folder only in the Apply onto box when you set up special permissions for the parent folder. If you want to prevent only certain files or subfolders from inheriting permissions, follow these steps:
1.      Right-click the file or subfolder.
2.      Click Properties.
3.      Click the Security tab.
4.      Click Advanced.
5.      Clear the Inherit from parent the permission entries that apply to child objects. Include these with entries explicitly defined here check box.
0
 
wjoAuthor Commented:
I removed the two entries that Search & Destroy showed.

After I removed the files, I ran the following.
Search & Destroy
CWShredder
MS Antispyware

They all come up clean. I could leave things as is, but it is difficult sometimes when I need to use the RIGHT-CLICK and it will not allow me. I know my old desktop exists somewhere. As I mentioned, if I go RUN -> DESKTOP all my desktop items appear. But I cannot see these items on my actual desktop. (Sorry...I keep repeating myself)

Any advice to that?

Thanks,

Wayne
0
 
TolomirAdministratorCommented:
Sorry I had no idea how to enable your desktop items, but now I found something:

Please check if this is set in the registry:

 HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDesktop REG_DWORD:1

If possible set it to 0

---
You might also try this:

If you want to unhide desktop items in XP, right click on the desktop and select Arrange Icons By | Show Items on desktop.

---
Tolomir
0
 
wjoAuthor Commented:
I had these srtrings:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\

with these listings:   ForceActiveDesktopOn   and NoActiveDesktop    I changed them to zero. But no help.

The second comment you suggested I cannot due...no right click  .....<so sad>   :(


Seems we have reached a dead end. It appears the spyware has been cleaned up, but have not resolved the desktop issue. I will give you the points Tolomir for sticking with me thru this. Do you suggest I try the OS or Windows area of EE to see if I can resolve the desktop issue?

Wayne
0
 
TolomirAdministratorCommented:
I never had an idea how anoying that spyware was.

Here I have found a solution for you mouse problem:

http://www.geekstogo.com/forum/Desktop_Spyware_Danger_Warning-t15165-s15.html

(don't have much time right now, sorry)

You should download microsoft antispyware, it stays resistent in memory and protects you.

http://www.microsoft.com/athome/security/spyware/software/default.mspx

Tolomir
0
 
wjoAuthor Commented:
Tolomir,

I downloaded the file you suggested. But it would not merge.
Another thing is, when I d/l to my desktop, duplicate icons get created.

Wayne
0
 
TolomirAdministratorCommented:
That There are 2 files.

1. is background.zip, it must be unpacked before use and contains this file: background.reg

here is the content:

----(you could copy & paste it to a textfile,save it, rename it  to yourchoice.reg, double click on it, see no reason why it should not merge.)
You can open regedit.exe, can't you?----



REGEDIT4

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Desktop]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Desktop\General]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ActiveDesktop]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"ClassicShell"=-

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"ForceActiveDesktopOn"=-

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoViewContextMenu"=-

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"Wallpaper"=-

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer]
"NoViewContextMenu"=-

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoActiveDesktop"=-

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop"="%USERPROFILE%\\Desktop"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders]
"Custom Desktop"=-

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders]
"Desktop"=hex(2):25,55,53,45,52,50,52,4f,46,49,4c,45,25,5c,44,65,73,6b,74,6f,\
  70,00

[HKEY_CURRENT_USER\Control Panel\desktop]
"ConvertedWallpaper"="C:\\WINDOWS\\Web\\Wallpaper\\Windows XP.jpg"
"ConvertedWallpaper Last WriteTime"=hex:00,88,40,84,d3,2b,c1,01
"OriginalWallpaper"="%USERPROFILE%\\Application Data\\Microsoft\\Wallpaper1.bmp"
"Wallpaper"="%USERPROFILE%\\Application Data\\Microsoft\\Wallpaper1.bmp"  
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders]
"Common Desktop"=hex(2):25,00,41,00,4c,00,4c,00,55,00,53,00,45,00,52,00,53,00,\
  50,00,52,00,4f,00,46,00,49,00,4c,00,45,00,25,00,5c,00,44,00,65,00,73,00,6b,\
  00,74,00,6f,00,70,00,00,00

[HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders]
"Desktop"=hex(2):25,55,53,45,52,50,52,4f,46,49,4c,45,25,5c,44,65,73,6b,74,6f,\
  70,00

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders]
"Desktop"=hex(2):25,00,55,00,53,00,45,00,52,00,50,00,52,00,4f,00,46,00,49,00,\
  4c,00,45,00,25,00,5c,00,44,00,65,00,73,00,6b,00,74,00,6f,00,70,00,00,00

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\General]
"ComponentsPositioned"=dword:00000001
"TileWallpaper"="0"
"WallpaperStyle"="2"
"Wallpaper"=hex(2):25,41,50,50,44,41,54,41,25,5c,4d,69,63,72,6f,73,6f,66,74,5c,\
  57,61,6c,6c,70,61,70,65,72,31,2e,62,6d,70,00
"BackupWallpaper"=hex(2):25,41,50,50,44,41,54,41,25,5c,4d,69,63,72,6f,73,6f,66,\
  74,5c,57,61,6c,6c,70,61,70,65,72,31,2e,62,6d,70,00
"WallpaperFileTime"=hex:00,77,28,0a,07,2e,c5,01
"WallpaperLocalFileTime"=hex:00,37,05,fc,c3,2d,c5,01

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\SafeMode\General]
"Wallpaper"="C:\\WINDOWS\\Web\\SafeMode.htt"
"VisitGallery"=dword:00000000

----
Here is the right mouse button problem: same procedure, copy& paste it to an empty textfile, save it, rename it to your2ndchoice.reg, double click on it voila:---
---

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer]
"NoViewContextMenu"=dword:00000000

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoViewContextMenu"=dword:00000000

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoSetTaskbar"=dword:00000000

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoSaveSettings"=dword:00000000

---

You could monitor with http://www.sysinternals.com/ntw2k/source/regmon.shtml

...Regmon is a Registry monitoring utility that will show you which applications are accessing your Registry, which keys they are accessing, and the Registry data that they are reading and writing - all in real-time. ...

http://www.sysinternals.com/files/ntregmon.zip

what happens to your registry while merging the settings.

Hope that helps.

Tolomir
0
 
wjoAuthor Commented:
I did as you suggested, I saved into notepad, saved as regtest.reg and saved to desktop. The icon is a registry icon on desktop. When I double click I get error  something to this effect ..........The file does not have program associtaed with it for performing the action. Create an association in the Folders Option control panel

So I checked the folder options and the reg extension is associated with registration files

Yes I can open regedit. If I were to open REGEDIT and IMPORT this file would that delete my registry?

Wayne
0
 
rossfingalCommented:
No, it will not delete your "Registry" -
Tolomir is just trying to give you a registry fix to use -
and it might work.
Right-click on it and choose "Merge" -
don't think it will hurt anything -
Back up your "Registry" if you're concerned.
RfF
0
 
wjoAuthor Commented:
PLEEEEEASE note. Right-click does not work. That is one of the issues

Thanks,

Wayne
0
 
TolomirAdministratorCommented:
A simple doubleclick should be ok, since Merge is the default action.

Tolomir
0
 
wjoAuthor Commented:
Double-click gives this error msg:

The file does not have program associtaed with it for performing the action. Create an association in the Folders Option control panel

So I checked the folder options and the reg extension is associated with registration files
0
 
TolomirAdministratorCommented:
Can you start regedit?

Maybe here is the problem...

0
 
TolomirAdministratorCommented:
ah, ok:

Do exactly this, with regtest.reg:
Yes I can open regedit. If I were to open REGEDIT and IMPORT this file ....

Tolomir

0
 
rossfingalCommented:
Hi!

Sorry about the right-click confusion above! (my computer default is edit)  :)
If Regedit is not working - try this:
http://www.dougknox.com/xp/utils/xp_emerutils.htm

RF
0
 
wjoAuthor Commented:
Tolomir,

Can you repeat your last comment I do not understand

Ross,

My regedit seems to be working. I can access regedit

0
 
TolomirAdministratorCommented:
I said: open regedit, import the file via:

file -> import -> regtest.reg (the text file containing the suggested modifications)

Tolomir
0
 
wjoAuthor Commented:
Tolomir,

Guess what.....that seemed to do the trick. Looks like my desktop is back, I CAN again right click. I have to run now...off to work, but I will check in with you tomorrow. Let me see if all else is working properly.

Thank you,

Wayne

0
 
wjoAuthor Commented:
Tolomir,

I haven't spent too much time on my system since your last submission. But it appears to be working fine(maybe I shouldn't say that so loud). Anyway, you have spent a lot of time on this with me and I am going to give you 225 points. I also want to say "Thank You Very Much". It looks like that last comment from you did the trick and brought my desktop back to normal and my right click is now again in working order.

It saved me a format, probably a low level one, and all the hassle of reinstalling software.

Again, Thank you,

Wayne

P.S. Thanks to all the other Experts who tried to assist.
0
 
wjoAuthor Commented:
Tolomir,

Please let me know if you got the 225 points. If not, let me know how I can add the addition points.

Thanks,

Wayne
0
 
TolomirAdministratorCommented:
Thank you,

Actually I got 700 points, since a mark of A quadruples the given points.

I suggest you install this microsoft antispyware tool : http://www.microsoft.com/athome/security/spyware/software/default.mspx

and might consider using a different web browser like firefox.

www.getfirefox.com

This helps a lot to keep your system clean.

Tolomir
0
 
wjoAuthor Commented:
TOlomir,

Actually I had installed MS Anti Spyware when we first started with this issue.

I will d/l firefox now that the system seems to be in order.

As I mentioned, I was trying to increase the points, but it seems like you got 175 instead of 225. If you can tell me how to transfer the other 50 points, I guess that will give you 200 more (50 quadtrupled)

Let me know,

Thanks, Wayne

P.S. Off to d/l firefox!
0
 
TolomirAdministratorCommented:
Alright, here are some usefull extentions:

https://addons.update.mozilla.org/extensions/?application=firefox

You can try a lot, but don't expect firefox to run fast after that...

Great is:

Adblock (right mouse click on image, choose "Adblock Image", you won't see it again...)
Flashblock (play flash on demand, it's no complete block)
FlashGot (An extention to use up to 20 different download managers even in firefox, I use net transport from http://www.xi-soft.com/default.htm )
Linkification: doubleclick on any texturl,  https://addons.update.mozilla.org/extensions/moreinfo.php?id=190
Googlebar (Special firefox version) https://addons.update.mozilla.org/extensions/moreinfo.php?id=190

For help (especially after using IE -> click on the Help menuentry in firefox)

To speedup firefox a bit use firetune: http://www.totalidea.com/freestuff4.htm
According to your specific computer speed and internet connection speed, FireTune will optimize several internal settings of Firefox for better performance. FireTune does NOT modify the Firefox executable, or any other Firefox binary file. Everything can be undone easily provided you saved your original profile configuration file with FireTune's profile backup feature before.

Tolomir

0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

Join & Write a Comment

Featured Post

Managing Security Policy in a Changing Environment

The enterprise network environment is evolving rapidly as companies extend their physical data centers to embrace cloud computing and software-defined networking. This new reality means that the challenge of managing the security policy is much more dynamic and complex.

  • 23
  • 23
  • 7
  • +3
Tackle projects and never again get stuck behind a technical roadblock.
Join Now