wjo
asked on
Adware, Spyware? Red Desktop with Ad
Hi Techs,
I must have picked up some adware or who knows what. The system seems to be running, but my desktop is not my desktop. It has been taken over with a red background with a black box in the center. In big red letters it says DANGER SPYWARE and they want me to buy their solution for $59...I don't think so. The link is to smart-security.com
I have run Ad-Aware several times, Norton Antivirus with updated definitions several times. I found a "UCMore" and followed the instructions on Symantec's site, but that was of no help. Even removed entries in registry as instructed and under program files etc.
I cannot right click on the desktop. It ALMOST appears that this is covering my desktop. If I go into DISPLAY thru the way of the control panel, it will not allow me to change the image. So it seems to be attacking that too.
Any idea how to get rid of this and get me back to normal?
Thanks,
Wayne
Try this:
Right click at the very top of the screen, click on properties....go to desktop, click on customize desktop. Find the web tab... it should have something checked that says security. Press delete and remove it then press ok and apply.
Microsoft Antispyware is probably best:
http://www.microsoft.com/downloads/details.aspx?FamilyID=321cd7a2-6a57-4c57-a8bd-dbf62eda9671&displaylang=en
You kinda got a funny spyware.... I never saw those using a desktop before ^^. Oh well...
Also download a Firewall www.Zonealarm.com (Zone Labs is one of the best free ones). They help in blocking various irritating program tactics.
On the desktop part, what exactly do you see? Are there still pictograms on it, and do they work? Or is it just a red screen with spyware? In the last case, it might as well be a normal window, which has the right mouse disabled, and is just over your normal desktop.
I guess this is just a fake, they have managed to activate "active desktop" to show you some web content.
Any spywarekiller like spybot search & destroy should find nothing, at least nothing it can remove.
Delete all html files in the folder: C:\WINDOWS\Web
Now: Start -> Settings-> System configuration -> Display properties
Desktop: "Change Desktop" - Select Tab WEB -> Delete all entries.
Download Firefox from Mozilla and stop messing with IE ;-)
Tolomir
oh well
expert -dev-
found the right solution already.
Tolomir
ASKER
Tolomir,
I deleted the files under C:\windows\web
But, when I go to START, there is no SETTINGS. What I have tried was to go to CONTROL PANEL->DISPLAY ->DESKTOP Tab -> CUSTOMIZE DESKTOP ->WEB The only thing left is MY CURRENT HOME PAGE and it cannot be checked for removal.
Am I on the right track ???
What next ???
Thanks,
Wayne
Yep you are on the right track.
After a reboot, does the "Danger spyware" appear again?
It should be gone.
Do you maybe have hidden files in your c:\windows\web directory?
ASKER
It is still there after reboot. I have hidden files showing. So that shouldn't be the issue.
I am not at that system now, but I guess I need to d/l Firefox. Think that will help?
Is this something to do with Active Desktop?
The first time I ran the MS Antispyware it found a ton of stuff. I ran it again this morning and it did not find anything.
What version of windows do you use btw?
This is for windows 98:
http://support.microsoft.com/?scid=kb%3Ben-us%3B190228&x=15&y=9
And this is for all versions...
http://www.computerhope.com/issues/ch000593.htm
You can get firefox right here:
http://www.mozilla.org/products/firefox/
Useful extensions are right here:
https://addons.update.mozilla.org/extensions/?os=Windows&application=firefox
Nice themes like noia are here:
https://addons.update.mozilla.org/themes/?os=Windows&application=firefox
And here is some kind of afterburner:
What does FireTune do?
According to your specific computer speed and internet connection speed, FireTune will optimize several internal settings of Firefox for better performance. FireTune does NOT modify the Firefox executable, or any other Firefox binary file. Everything can be undone easily provided you saved your original profile configuration file with FireTune's profile backup feature.
http://www.totalidea.com/freestuff4.htm
Tolomir
Hi!
Check these places where background images are loaded from:
Look for "unusual" files - "desktop.html", for instance.
%Systemroot%\Web\Wallpaper
%USERPROFILE%\My Documents\My Pictures (& sub-folders)
%AppData%\Microsoft\Internet Explorer
%ProgramFiles%\Plus!\Themes (& sub-folders)
Your OS may ignore a folder with a lot of images in it.
Yes, it might have to do with Active Desktop.
RF
ASKER
I stumbled onto a bunch of image files that were the red desktop with the ad. I trashed a bunch of those.
I ran hijack and created a log. A buddy of mine looked it over and advised me what to remove. I also ran CW Shredder, MS Antispyware, Adware. Norton Antivirus etc etc etc
So the red screen is now gone, but the system still isn't the norm. I cannot right click. If I go to RUN and type DESKTOP, I can see the files and folders that reside on my desktop. BUT, in reality I cannot see them. So I still say something is hiding my actual desktop. I am getting close to a format, but really don't feel like going thru that.
I am going to bump up another 50 points. Come on techs, I know you can do it!
Wayne
P.S. I did most of what you have all suggested. BTW, I am running Win XP Pro.
You could create a new account, and check if this might help.
Taken from http://support.hubris.net/knowledge_base/018.html
Adding User Accounts in Windows XP
1. Open the “User Accounts” Control Panel:
   1. Click the “Start” menu.
   2. Click “Control Panel.”
   3. Double-click the icon labeled “User Accounts.”
2. An account called “Administrator” should already exist. It is generally recommended that you do not use the Administrator account for general daily computing. Therefore, you should create a new “Standard User” account for each person:
   1. Click the button labeled “Add.”
   2. Type in the person’s username and full name. Entering a description is optional. You can create whatever username you desire.
   3. Click “Next.”
   4. Set the account type to “Limited.”
   5. Click the button labeled “Create Account.”
   6. Repeat these steps to create all the user accounts you need.
   7. In the toolbar, click the button labeled “Home.” You should see all the accounts you created listed in this window. For each account:
      1. Click the account name.
      2. In the window that appears, click the button labeled “Create a password.”
      3. Enter your desired password. You must not lose this password! The only record is stored on your computer. If you lose it, there will be no way to recover it.
      4. You can also enter a sentence or phrase as a password hint which will help you remember your password in case you forget.
      5. Click the button labeled “Create Password.”
3. When you are finished, log off of Windows XP.
--
Now you can log on as administrator and move all files from your old account to the newly created account, since the new one doesn't have access to your old account since he is not in the administrator group.
Or you could temporarily give the new account administrator rights to access all old files; you should find them in c:\documents and settings\old username
If you are not using windows with an administrator account, most spyware and stuff isn't able to install itself and mess with your system. So it's best to have an administrator account for software installation and a normal user account for surfing the internet etc.
E.g. c:\windows\web can only be written to if you are using an administrator account. And if you use a web browser like Internet Explorer, there are so many bugs (check http://secunia.com/product/11/); one of them allows websites to write to any directory on your hard disk. With simple user rights even the most nasty spyware has no write access to c:\windows and its subfolders.
Tolomir
ASKER
Tolomir,
Tried what you mentioned above, I created the new user account. I still cannot modify desktop. When I run all of the above spyware checkers, Norton antivirus etc, I still get a ton of stuff. I went thru the hijack log and removed files as someone instructed me. Norton finds a ton of spyware, but even in safe mode it cannot remove everything.
Still puzzled,
Getting close to a format. (but still trying to avoid)
Wayne
Can you give me the link to the HijackThis log (you should get that after pasting the result of the scan on that website) so I get an idea what you are dealing with, please.
I'm using spybot search & destroy - seems quite reliable.
http://www.safer-networking.org/en/index.html
The problem is, after a format you will be back here real soon, as long as you or we don't find out what happened to your computer.
Tolomir
Hi!
Yes, please do as Tolomir suggests - one of the things that this "Desktop Hijacker"
does; it writes a lot of changes to the Registry (among other things).
Give us a LINK to your HijackThis log.
We may be able to help you deal with it through HijackThis.
Also, check to see if "Active Desktop" is enabled - if it is - uncheck it.
RF
ASKER
http://www.hijackthis.de/logfiles/9331b19935184136fc93c9650ef9d06c.html
I have tried search and destroy, still no luck!
C:\Program Files\Internet Explorer\IEXPLORE.EXE
Internet Explorer - Wir empfehlen einen sichereren alternativen Browser zu verwenden. (z.B. Firefox)
What could that mean <biggrin>
checkout ---> www.getfirefox.com
alright:
There are some not so nice programs in your c:\windows and c:\windows\system32 folder.
Use this http://www.sysinternals.com/files/autoruns.zip (use autoruns.exe)
...to prevent them from starting. Don't remove all entries; some of them, like userinit.exe and explorer, are needed to start Windows, so be careful.
But disabling all files below autostart and run should be no problem.
Reboot, now use spybot again (have you updated it, btw?)
Tolomir
To start with -
Move HijackThis into a folder of its own - something like C:\HJT\hijackthis.exe or C:\Program Files\HJT\hijackthis.exe
You're running it from a "temp" folder - not a good idea!!
Search your computer for all of the following "exe's"
Make sure you check the dllcache, Prefetch, and "temp" folders
Delete all that you find.
O4 - HKCU\..\Run: [Dee] C:\WINDOWS\System32\Fma.exe Unknown
Unknown
Hit rate: 13 % (result) Unknown application.
O4 - HKCU\..\Run: [Hve] C:\WINDOWS\Gbe.exe Unknown
Unknown
Hit rate: 13 % (result) Unknown application.
O4 - HKCU\..\Run: [Cfg] C:\WINDOWS\Cph.exe Unknown
Unknown
Hit rate: -1 % (result) Unknown application.
O4 - HKCU\..\Run: [Faj] C:\WINDOWS\System32\Ecl.exe Unknown
Unknown
Hit rate: -1 % (result) Unknown application.
O4 - HKCU\..\Run: [Gbd] C:\WINDOWS\System32\Psj.exe Unknown
Unknown
Hit rate: -1 % (result) Unknown application.
O4 - HKCU\..\Run: [Rjb] C:\WINDOWS\System32\Goo.exe Unknown
Unknown
Hit rate: -1 % (result) Unknown application.
O4 - HKCU\..\Run: [Nik] C:\WINDOWS\System32\Ddq.exe Unknown
Unknown
Hit rate: 13 % (result) Unknown application.
O4 - HKCU\..\Run: [Ldh] C:\WINDOWS\System32\Kcg.exe Unknown
Unknown
Hit rate: -1 % (result) Unknown application.
O4 - HKCU\..\Run: [Vjb] C:\WINDOWS\Gff.exe Unknown
Unknown
Hit rate: -1 % (result) Unknown application.
O4 - HKCU\..\Run: [Nrr] C:\WINDOWS\Egq.exe Unknown
Unknown
Hit rate: 13 % (result) Unknown application.
O4 - HKCU\..\Run: [Len] C:\WINDOWS\Rou.exe Unknown
Unknown
Hit rate: 13 % (result) Unknown application.
O4 - HKCU\..\Run: [Qns] C:\WINDOWS\Had.exe Unknown
Unknown
Hit rate: 13 % (result) Unknown application.
O4 - HKCU\..\Run: [Rdr] C:\WINDOWS\Aeo.exe Unknown
Unknown
Hit rate: -1 % (result) Unknown application.
O4 - HKCU\..\Run: [Dgq] C:\WINDOWS\System32\Ich.exe Unknown
Unknown
Hit rate: -1 % (result) Unknown application.
O4 - HKCU\..\Run: [Bqc] C:\WINDOWS\System32\Aam.exe Unknown
Unknown
Hit rate: -1 % (result) Unknown application.
O4 - HKCU\..\Run: [Htj] C:\WINDOWS\System32\Mnn.exe Unknown
Unknown
Hit rate: -1 % (result) Unknown application.
O4 - HKCU\..\Run: [Kbl] C:\WINDOWS\System32\Lae.exe Unknown
Unknown
Hit rate: -1 % (result) Unknown application.
O4 - HKCU\..\Run: [Cnu] C:\WINDOWS\Pja.exe Unknown
Unknown
Hit rate: 13 % (result) Unknown application.
O4 - HKCU\..\Run: [Joa] C:\WINDOWS\Cts.exe Unknown
Unknown
Hit rate: 13 % (result) Unknown application.
O4 - HKCU\..\Run: [Lja] C:\WINDOWS\Ole.exe
Here's some interesting info on the last entry -"ole.exe" -
http://vil.nai.com/vil/content/v_10537.htm
Check the O16 entries - do you know what all of them are - did you add all of them?
RF
@ rossfingal:
these programs look like malware to me. These are random filenames to cover traces.
The "autoruns" program I mentioned above, is a first start to stop them from autorunning after startup.
A program not in use can easily be deleted; a program in use only with tricks...
Tolomir
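Added example, not part of the original thread or any poster's code: a triage sketch for the pattern discussed above, where many HKCU Run values with three-letter names point at unrelated three-letter executables sitting directly in C:\WINDOWS or C:\WINDOWS\System32. The O4 line layout is taken from the entries posted here; the two benign-looking sample lines, the function names and the cluster threshold are assumptions.

```python
import ntpath
import re

# Constructed sample: three O4 lines as posted in this thread, plus two
# made-up entries (ExampleTray, ctfmon.exe) added for contrast.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [ExampleTray] "C:\Program Files\ExampleVendor\tray.exe" /min
O4 - HKCU\..\Run: [Dee] C:\WINDOWS\System32\Fma.exe
O4 - HKCU\..\Run: [Hve] C:\WINDOWS\Gbe.exe
O4 - HKCU\..\Run: [Lja] C:\WINDOWS\Ole.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
"""

# "O4 - <hive>\..\<key>: [<value name>] <command line>"
O4_LINE = re.compile(
    r"^O4 - (?P<hive>HK[A-Z]+)\\\.\.\\(?P<key>[^:]+): "
    r"\[(?P<name>[^\]]*)\] (?P<cmd>.+)$"
)
# Executable path: either a quoted path or everything up to the extension.
EXE_PATH = re.compile(
    r'^"([^"]+)"|^(.+?\.(?:exe|com|scr|pif|bat))(?=\s|$)', re.IGNORECASE
)
SYSTEM_DIRS = {r"c:\windows", r"c:\windows\system32"}
THREE_LETTERS = re.compile(r"^[A-Za-z]{3}$")


def parse_o4(log_text):
    """Return one dict per O4 (autostart) line found in a HijackThis log."""
    entries = []
    for line in log_text.splitlines():
        m = O4_LINE.match(line.strip())
        if not m:
            continue
        cmd = m.group("cmd").strip()
        pm = EXE_PATH.match(cmd)
        path = (pm.group(1) or pm.group(2)) if pm else cmd
        entries.append({
            "hive": m.group("hive"),
            "key": m.group("key"),
            "name": m.group("name"),
            "path": path,
        })
    return entries


def triage(entries):
    """Flag entries matching the naming pattern seen in this thread.

    This is a heuristic for deciding what to look at first, not a verdict:
    a flagged file still needs to be checked (signature, vendor, scanner).
    """
    flagged = []
    for e in entries:
        folder = ntpath.dirname(e["path"]).lower()
        stem = ntpath.splitext(ntpath.basename(e["path"]))[0]
        in_system_dir = folder in SYSTEM_DIRS
        random_looking = (
            THREE_LETTERS.match(stem) is not None
            and THREE_LETTERS.match(e["name"]) is not None
            and stem.lower() != e["name"].lower()
        )
        if in_system_dir and random_looking:
            flagged.append({**e, "per_user": e["hive"] == "HKCU"})
    return flagged


def is_cluster(flagged, threshold=3):
    """Several such entries at once is a much stronger signal than one.

    threshold=3 is an assumed cut-off for this example.
    """
    return len(flagged) >= threshold


if __name__ == "__main__":
    hits = triage(parse_o4(SAMPLE_LOG))
    for h in hits:
        print(f"[{h['name']}] -> {h['path']} (per-user: {h['per_user']})")
    print("cluster of look-alike autostarts:", is_cluster(hits))
```

Re-running it on a fresh log after cleanup and a reboot shows whether entries of the same shape have come back under new names.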
>Tolomir
"these programs look like malware to me. These are random filenames to cover traces."
I agree! :)
I only listed them out so that wjo could see exactly what to look for.
No problem with "Autoruns" - I use it!
Also, I would like to see that; if after removing these and a reboot -
do they "regenerate" with or without different names.
I Like "tricks"! :)
Regards!
RF
ASKER
Y I K E S !!!!!!!
Looks like I have my work cut out for me.
Just curious, if I was to zero out my hard drive how would these come back. Again, I prefer not to format at this time. So I will work on this tomorrow (Monday). I am on my laptop, so hopefully tomorrow I can try your updated suggestions.
Thanks,
Wayne
Hi!
If by "zero out" you mean a "low-level" format using the utility specific to the make of your hard drive -
No - they probably wouldn't come back (fingers crossed :)
If you do attempt to remove them -
Make sure "Show all Files and Folders", including hidden and system is enabled.
Disable "System Restore" - some of this "stuff" likes to hide in there
Check in Task Manager to see if they (or anything else suspicious) are running -
stop them, then disable them.
Remember to check dllcache, Prefetch, temp folders
After you have removed them clean out all your "temp" files ( Hope you've moved HijackThis !!!) :)
# C:\Windows\Temp - delete ALL of the CONTENTS of the folder - Not the "temp" folder itself!
# C:\Documents and Settings\<Your Profile>\Local Settings\Temporary Internet Files (all contents)
<=This will delete all your cached internet content including cookies.
This is recommended and strongly suggested!
However, if you delete all your cookies - this can affect your stored Internet passwords
and your ability to logon automatically to various sites.
So, consider deleting all your cookies - optional
# C:\Documents and Settings\<Your Profile>\Local Settings\Temp (all contents)
# C:\Documents and Settings\<Any other users Profile>\Local Settings\Temporary Internet Files (all contents)
# C:\Documents and Settings\<Any other users Profile>\Local Settings\Temp (all contents)
Empty your "Recycle Bin".
You may want to do this in "safe" mode, as well as "normal" mode.
Good luck!
RF
ASKER
I have tried removing files from folders as instructed, running all the spyware programs recommended, etc.
I ran Norton antivirus in safe mode and it showed these files. I can not find my recycle bin except Norton Protected Bin. That shows to be emptied.
It says DELETE FAIL for these files listed below.
The file C:\RECYCLER\NPROTECT\00007294 is a Adware threat.
The file C:\RECYCLER\NPROTECT\00007295 is a Adware threat
The file C:\RECYCLER\NPROTECT\00007296 is a Adware threat.
The file C:\RECYCLER\NPROTECT\00007297 is a Adware threat.
The file C:\RECYCLER\NPROTECT\00007306 is a Adware threat.
The file C:\RECYCLER\NPROTECT\00007307 is a Adware threat.
The compressed file C:/WINDOWS/System32/exdl.exe within C:\RECYCLER\NPROTECT\00005725 is a Adware threat.
The compressed file C:/WINDOWS/System32/exul.exe within C:\RECYCLER\NPROTECT\00005725 is a Adware threat.
The compressed file C:/WINDOWS/System32/javexulm.vxd within C:\RECYCLER\NPROTECT\00005725 is a Adware threat.
The compressed file C:/WINDOWS/System32/mqexdlm.srg within C:\RECYCLER\NPROTECT\00005725 is a Adware threat.
The compressed file C:/WINDOWS/System32/msexreg.exe within C:\RECYCLER\NPROTECT\00005725 is a Adware threat.
What now ? ? ?
ASKER
Also, I assume Firefox is a browser that would replace IE.
The browser doesn't seem to be the issue.....or is it?
ASKER
another question: What is MSOCache ?
Is it supposed to be loaded with CAB files?
Firefox is a decent browser, a good replacement for IE:
just check http://secunia.com/product/11/
There are a lot of ways spyware can install itself even without user interaction, just by surfing the net with IE.
---
The norton protected bin replaces the normal recycle bin, so this is no problem.
Please Use this http://www.sysinternals.com/files/autoruns.zip (use autoruns.exe)
...to prevent them from starting. Don't remove all entries; some of them, like userinit.exe and explorer, are needed to start Windows, so be careful.
But disabling all files below autostart and run should be no problem.
Reboot, now use spybot again, if possible in Windows safe mode (have you updated it, btw?)
ASKER
I did update spybot.
I did do the autoruns and disabled all but IE & userinit. I left those running.
My system is running. Seems to be running fairly normal, but I still can't get rid of everything. If I run Spybot it says there are files in memory and asks if it can run again after reboot. I say yes. I reboot, it runs and does the same loop.
The main thing I still notice is, not my normal desktop, and the mouse will still not work on the right click.
(so sad) :(
What about spybot in safe mode?
Can you locate those files in memory, are they named?
You should prepare a backup to save all important files (no exe of course ;-)
Well, I'm running a bit out of options. You could give us an update on HijackThis, what files are still detected.
Tolomir
ASKER
Search & Destroy keeps finding these two entries. It cannot delete them even if I OK it to run on next startup and also in safe mode.
Can I delete the WinTools folder in the registry (or even the files listed under it?)
HuntBar: Settings (Registry key, fixing failed)
HKEY_USERS\S-1-5-18\Software\WinTools
HuntBar: Settings (Registry key, fixing failed)
HKEY_USERS\.DEFAULT\Software\WinTools
--- Spybot - Search && Destroy version: 1.3 ---
2005-03-03 Includes\Cookies.sbi
2005-04-07 Includes\Dialer.sbi
2005-04-07 Includes\Hijackers.sbi
2005-03-22 Includes\Keyloggers.sbi
2004-11-29 Includes\LSP.sbi
2005-04-07 Includes\Malware.sbi
2005-03-17 Includes\PUPS.sbi
2005-03-17 Includes\Revision.sbi
2005-02-09 Includes\Security.sbi
2005-04-07 Includes\Spybots.sbi
2005-02-17 Includes\Tracks.uti
2005-04-07 Includes\Trojans.sbi
You could start regedit
go to these key entries.
Select the 1st, click on the right mouse button
Below "Export" there should be "Permissions"; remove all permissions (for any users).
Same procedure with 2nd key.
This way those keys are blocked, windows is not able to get access by itself. You could delete them later or simply forget them.
Tolomir
When it says those permissions cannot be deleted because they're taken from the parent (something like that),
go to Advanced and UNCHECK the mark in the box: Inherit from parent the permission entries that apply to child objects. Include these with entries explicitly defined here.
It will ask you if it should copy or remove the inherited permissions.
Select remove.
Do this for both keys.
Tolomir
ASKER
Tolomir,
Sorry, I do not understand your last comment. I DO see the Parent and the child listings. I tried to remove each one separately, but it will not allow me to remove. I might be doing something incorrectly here ???????????????????
let me add this.....
If I go to RUN and type DESKTOP I can see the original icons on my desktop
If I go thru Windows Explorer I can only see new icons that have been added.
Wayne
Please check this page:
http://support.microsoft.com/default.aspx?scid=kb;en-us;308418&sd=tech
How inheritance affects file and folder permissions
After you set permissions on a parent folder, new files and subfolders that are created in the folder inherit these permissions. If you do not want the files and folders to inherit permissions, click This folder only in the Apply onto box when you set up special permissions for the parent folder. If you want to prevent only certain files or subfolders from inheriting permissions, follow these steps:
1. Right-click the file or subfolder.
2. Click Properties.
3. Click the Security tab.
4. Click Advanced.
5. Clear the Inherit from parent the permission entries that apply to child objects. Include these with entries explicitly defined here check box.
ASKER
I removed the two entries that Search & Destroy showed.
After I removed the files, I ran the following.
Search & Destroy
CWShredder
MS Antispyware
They all come up clean. I could leave things as is, but it is difficult sometimes when I need to use the RIGHT-CLICK and it will not allow me. I know my old desktop exists somewhere. As I mentioned, if I go RUN -> DESKTOP all my desktop items appear. But I cannot see these items on my actual desktop. (Sorry...I keep repeating myself)
Any advice to that?
Thanks,
Wayne
Sorry I had no idea how to enable your desktop items, but now I found something:
Please check if this is set in the registry:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDesktop REG_DWORD:1
If possible set it to 0
---
You might also try this:
If you want to unhide desktop items in XP, right click on the desktop and select Arrange Icons By | Show Items on desktop.
---
Tolomir
ASKER
I had these strings:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\
with these listings: ForceActiveDesktopOn and NoActiveDesktop. I changed them to zero. But no help.
The second comment you suggested I cannot do...no right click .....<so sad> :(
Seems we have reached a dead end. It appears the spyware has been cleaned up, but have not resolved the desktop issue. I will give you the points Tolomir for sticking with me thru this. Do you suggest I try the OS or Windows area of EE to see if I can resolve the desktop issue?
Wayne
I never had an idea how annoying that spyware was.
Here I have found a solution for your mouse problem:
http://www.geekstogo.com/forum/Desktop_Spyware_Danger_Warning-t15165-s15.html
(don't have much time right now, sorry)
You should download Microsoft AntiSpyware, it stays resident in memory and protects you.
http://www.microsoft.com/athome/security/spyware/software/default.mspx
Tolomir
ASKER
Tolomir,
I downloaded the file you suggested. But it would not merge.
Another thing is, when I d/l to my desktop, duplicate icons get created.
Wayne
There are 2 files.
1. is background.zip, it must be unpacked before use and contains this file: background.reg
here is the content:
----(you could copy & paste it to a textfile,save it, rename it to yourchoice.reg, double click on it, see no reason why it should not merge.)
You can open regedit.exe, can't you?----
REGEDIT4
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Desktop]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Desktop\General]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ActiveDesktop]
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"ClassicShell"=-
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"ForceActiveDesktopOn"=-
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoViewContextMenu"=-
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"Wallpaper"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer]
"NoViewContextMenu"=-
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoActiveDesktop"=-
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop"="%USERPROFILE%\\Desktop"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders]
"Custom Desktop"=-
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders]
"Desktop"=hex(2):25,55,53,45,52,50,52,4f,46,49,4c,45,25,5c,44,65,73,6b,74,6f,\
70,00
[HKEY_CURRENT_USER\Control Panel\desktop]
"ConvertedWallpaper"="C:\\WINDOWS\\Web\\Wallpaper\\Windows XP.jpg"
"ConvertedWallpaper Last WriteTime"=hex:00,88,40,84,d3,2b,c1,01
"OriginalWallpaper"="%USERPROFILE%\\Application Data\\Microsoft\\Wallpaper1.bmp"
"Wallpaper"="%USERPROFILE%\\Application Data\\Microsoft\\Wallpaper1.bmp"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders]
"Common Desktop"=hex(2):25,00,41,00,4c,00,4c,00,55,00,53,00,45,00,52,00,53,00,\
50,00,52,00,4f,00,46,00,49,00,4c,00,45,00,25,00,5c,00,44,00,65,00,73,00,6b,\
00,74,00,6f,00,70,00,00,00
[HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders]
"Desktop"=hex(2):25,55,53,45,52,50,52,4f,46,49,4c,45,25,5c,44,65,73,6b,74,6f,\
70,00
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders]
"Desktop"=hex(2):25,00,55,00,53,00,45,00,52,00,50,00,52,00,4f,00,46,00,49,00,\
4c,00,45,00,25,00,5c,00,44,00,65,00,73,00,6b,00,74,00,6f,00,70,00,00,00
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\General]
"ComponentsPositioned"=dword:00000001
"TileWallpaper"="0"
"WallpaperStyle"="2"
"Wallpaper"=hex(2):25,41,50,50,44,41,54,41,25,5c,4d,69,63,72,6f,73,6f,66,74,5c,\
57,61,6c,6c,70,61,70,65,72,31,2e,62,6d,70,00
"BackupWallpaper"=hex(2):25,41,50,50,44,41,54,41,25,5c,4d,69,63,72,6f,73,6f,66,\
74,5c,57,61,6c,6c,70,61,70,65,72,31,2e,62,6d,70,00
"WallpaperFileTime"=hex:00,77,28,0a,07,2e,c5,01
"WallpaperLocalFileTime"=hex:00,37,05,fc,c3,2d,c5,01
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\SafeMode\General]
"Wallpaper"="C:\\WINDOWS\\Web\\SafeMode.htt"
"VisitGallery"=dword:00000000
----
Here is the right mouse button problem: same procedure, copy& paste it to an empty textfile, save it, rename it to your2ndchoice.reg, double click on it voila:---
---
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer]
"NoViewContextMenu"=dword:00000000
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoViewContextMenu"=dword:00000000
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoSetTaskbar"=dword:00000000
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoSaveSettings"=dword:00000000
---
You could monitor with http://www.sysinternals.com/ntw2k/source/regmon.shtml
...Regmon is a Registry monitoring utility that will show you which applications are accessing your Registry, which keys they are accessing, and the Registry data that they are reading and writing - all in real-time. ...
http://www.sysinternals.com/files/ntregmon.zip
what happens to your registry while merging the settings.
Hope that helps.
Tolomir
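An added example, not part of the original thread: before merging a .reg file copied from a forum post, this Python parser lists what the file would delete and what it would write, decoding hex(2) values into readable strings. SAMPLE_REG is a constructed excerpt assembled from lines of the two files posted above, and the function names are this example's own.

```python
import re

# Constructed sample assembled from lines of the two .reg files quoted above.
SAMPLE_REG = r'''REGEDIT4
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ActiveDesktop]
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"ForceActiveDesktopOn"=-
"NoViewContextMenu"=dword:00000000
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders]
"Desktop"=hex(2):25,55,53,45,52,50,52,4f,46,49,4c,45,25,5c,44,65,73,6b,74,6f,\
  70,00
[HKEY_CURRENT_USER\Control Panel\desktop]
"Wallpaper"="%USERPROFILE%\\Application Data\\Microsoft\\Wallpaper1.bmp"
'''

KEY_RE = re.compile(r'^\[(-?)(.+)\]$')                  # [key] or [-key]
VAL_RE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')    # "name"=data or @=data
HEX_RE = re.compile(r'^hex(?:\(([0-9a-fA-F]+)\))?:(.*)$')


def join_continuations(text):
    """Yield logical lines, merging hex data that was split with a trailing ',\\'."""
    buf = ""
    for line in text.splitlines():
        line = line.strip()
        if line.endswith(",\\"):
            buf += line[:-1]
            continue
        yield buf + line
        buf = ""


def unquote(s):
    """Strip the surrounding quotes and undo backslash escapes."""
    return re.sub(r'\\(.)', r'\1', s[1:-1])


def decode_hex(kind, data):
    """Decode hex data: string types (1, 2, 7) become text, others stay hex."""
    raw = bytes(int(b, 16) for b in data.split(",") if b.strip())
    if kind not in ("1", "2", "7"):
        return raw.hex()
    # Heuristic (assumption of this example): REGEDIT4 files normally carry ANSI
    # bytes and 5.00 files UTF-16LE, but the file above mixes both, so UTF-16LE
    # is detected by its zero high bytes.
    wide = len(raw) >= 2 and len(raw) % 2 == 0 and not any(raw[1::2])
    return raw.decode("utf-16-le" if wide else "latin-1").rstrip("\x00")


def parse_reg(text):
    """Return (action, key, value_name, data) for every operation in the file."""
    ops, key = [], None
    for line in join_continuations(text):
        m = KEY_RE.match(line)
        if m:
            deleting, key = bool(m.group(1)), m.group(2)
            if deleting:
                ops.append(("delete-key", key, None, None))
                key = None              # nothing can be set under a deleted key
            continue
        m = VAL_RE.match(line)
        if not m or key is None:
            continue                    # header line, blank line or comment
        name = "(Default)" if m.group(1) == "@" else unquote(m.group(1))
        rhs = m.group(2).strip()
        hx = HEX_RE.match(rhs)
        if rhs == "-":
            ops.append(("delete-value", key, name, None))
        elif rhs.lower().startswith("dword:"):
            ops.append(("set", key, name, int(rhs[6:], 16)))
        elif hx:
            ops.append(("set", key, name, decode_hex(hx.group(1), hx.group(2))))
        elif rhs.startswith('"'):
            ops.append(("set", key, name, unquote(rhs)))
    return ops


def review(text):
    """Split operations into those that remove data and those that write it."""
    ops = parse_reg(text)
    removes = [op for op in ops if op[0].startswith("delete")]
    writes = [op for op in ops if op[0] == "set"]
    return removes, writes


if __name__ == "__main__":
    removes, writes = review(SAMPLE_REG)
    for action, key, name, _ in removes:
        print(f"{action:12} {key}" + (f" -> {name}" if name else ""))
    for _, key, name, data in writes:
        print(f"{'set':12} {key} -> {name} = {data!r}")
```

Only the keys and values listed as removals are touched by a merge; everything else in the registry is left alone.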
ASKER
I did as you suggested, I saved into notepad, saved as regtest.reg and saved to desktop. The icon is a registry icon on desktop. When I double click I get an error, something to this effect ..........The file does not have a program associated with it for performing the action. Create an association in the Folders Option control panel
So I checked the folder options and the reg extension is associated with registration files
Yes I can open regedit. If I were to open REGEDIT and IMPORT this file would that delete my registry?
Wayne
No, it will not delete your "Registry" -
Tolomir is just trying to give you a registry fix to use -
and it might work.
Right-click on it and choose "Merge" -
don't think it will hurt anything -
Back up your "Registry" if you're concerned.
RfF
ASKER
PLEEEEEASE note. Right-click does not work. That is one of the issues
Thanks,
Wayne
A simple doubleclick should be ok, since Merge is the default action.
Tolomir
ASKER
Double-click gives this error msg:
The file does not have a program associated with it for performing the action. Create an association in the Folders Option control panel
So I checked the folder options and the reg extension is associated with registration files
Can you start regedit?
Maybe here is the problem...
ah, ok:
Do exactly this, with regtest.reg:
Yes I can open regedit. If I were to open REGEDIT and IMPORT this file ....
Tolomir
Hi!
Sorry about the right-click confusion above! (my computer default is edit) :)
If Regedit is not working - try this:
http://www.dougknox.com/xp/utils/xp_emerutils.htm
RF
ASKER
Tolomir,
Can you repeat your last comment I do not understand
Ross,
My regedit seems to be working. I can access regedit
ASKER CERTIFIED SOLUTION
ASKER
Tolomir,
Guess what.....that seemed to do the trick. Looks like my desktop is back, I CAN again right click. I have to run now...off to work, but I will check in with you tomorrow. Let me see if all else is working properly.
Thank you,
Wayne
ASKER
Tolomir,
I haven't spent too much time on my system since your last submission. But it appears to be working fine(maybe I shouldn't say that so loud). Anyway, you have spent a lot of time on this with me and I am going to give you 225 points. I also want to say "Thank You Very Much". It looks like that last comment from you did the trick and brought my desktop back to normal and my right click is now again in working order.
It saved me a format, probably a low level one, and all the hassle of reinstalling software.
Again, Thank you,
Wayne
P.S. Thanks to all the other Experts who tried to assist.
ASKER
Tolomir,
Please let me know if you got the 225 points. If not, let me know how I can add the additional points.
Thanks,
Wayne
Thank you,
Actually I got 700 points, since a mark of A quadruples the given points.
I suggest you install this microsoft antispyware tool : http://www.microsoft.com/athome/security/spyware/software/default.mspx
and might consider using a different web browser like firefox.
www.getfirefox.com
This helps a lot to keep your system clean.
Tolomir
ASKER
Tolomir,
Actually I had installed MS Anti Spyware when we first started with this issue.
I will d/l firefox now that the system seems to be in order.
As I mentioned, I was trying to increase the points, but it seems like you got 175 instead of 225. If you can tell me how to transfer the other 50 points, I guess that will give you 200 more (50 quadrupled)
Let me know,
Thanks, Wayne
P.S. Off to d/l firefox!
Alright, here are some useful extensions:
https://addons.update.mozilla.org/extensions/?application=firefox
You can try a lot, but don't expect Firefox to run fast after that...
Great ones are:
Adblock (right mouse click on image, choose "Adblock Image", you won't see it again...)
Flashblock (play flash on demand, it's no complete block)
FlashGot (An extension to use up to 20 different download managers even in Firefox, I use net transport from http://www.xi-soft.com/default.htm )
Linkification: double-click on any text URL, https://addons.update.mozilla.org/extensions/moreinfo.php?id=190
Googlebar (Special Firefox version) https://addons.update.mozilla.org/extensions/moreinfo.php?id=190
For help (especially after using IE -> click on the Help menu entry in Firefox)
To speedup firefox a bit use firetune: http://www.totalidea.com/freestuff4.htm
According to your specific computer speed and internet connection speed, FireTune will optimize several internal settings of Firefox for better performance. FireTune does NOT modify the Firefox executable, or any other Firefox binary file. Everything can be undone easily provided you saved your original profile configuration file with FireTune's profile backup feature before.
Tolomir
Firstly, turn off your System Restore.
Try running HouseCall to detect viruses and spyware first:
http://housecall.trendmicro.com
Then run the following:
AdAware ==> http://www.spychecker.com/program/adaware.html
SpyBot ==> http://www.spychecker.com/program/spybot.html
SpywareBlaster ==> http://www.spychecker.com/program/spywareblaster.html
CoolWebShredder ==> http://www.spychecker.com/program/coolwebshredder.html
Use HijackThis and their analyser as well:
http://www.hijackthis.de
Hope this will help
Cheers,
Luis