Recent bad juju - please help...


36 replies to this topic

#31 Metallica

Metallica

    Spyware Veteran

  • Retired Classroom Teacher
  • 2,145 posts

Posted 12 June 2008 - 10:12 PM

Hi Mig,

Here is one that might work.

Download this file and doubleclick it.
If it says Active Desktop is now Disabled then check if all works properly.
If it says Enabled, check as well, but don't get your hopes up. :)

Should an antivirus give you a warning, because of the vbs extension, you can ignore that.

Regards,


#32 Mig

Mig

    New Member

  • Authentic Member
  • Pip
  • 18 posts

Posted 13 June 2008 - 06:56 AM

That didn't work. Still, thanks for working with me on this so far. I'd like to compare desktop reg keys from my guest acct to mine. If somebody could only give me directions to where the actual desktop settings\keys are in the registry for me (hkey current user?) and for my guest acct (hkey users?). Maybe I can print them out and compare side by side. :blush: Sounds like a plan to me. Or do I seriously sound like I don't know what I'm talking about? What do you guys think? :thumbup: or :smack: ?

#33 Metallica

Metallica

    Spyware Veteran

  • Retired Classroom Teacher
  • 2,145 posts

Posted 13 June 2008 - 12:29 PM

First, I'd like you to back up your registry:
Please go to Start > Run
Paste in the following line: regedit /e c:\registrybackup.reg
Click OK.
It won't appear to be doing anything, that's normal.
Your mouse pointer may turn to an hour glass for a minute.
Please continue when it no longer has the hour glass.

First key you will want to look at:
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\General\Wallpaper
and
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop
Then the value "NoActiveDesktop" under the key
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer

The account you are logged in as will have its settings in HKCU

The guest account under HKEY_USERS S-1-5-21-<number>-<number>-<number>-501

#34 Mig

Mig

    New Member

  • Authentic Member
  • Pip
  • 18 posts

Posted 13 June 2008 - 02:50 PM

Thanks Metallica! I'll need the weekend to snoop around the registry. Thank you for your time, help and patience so far. I'll be back (for sure) to ask questions when I get stumped. Reg backups are in place. Wish me luck! :thumbup:

#35 Metallica

Metallica

    Spyware Veteran

  • Retired Classroom Teacher
  • 2,145 posts

Posted 14 June 2008 - 03:13 AM

Wish me luck! :thumbup:


Good luck and be careful. :)

#36 Mig

Mig

    New Member

  • Authentic Member
  • Pip
  • 18 posts

Posted 17 June 2008 - 04:29 AM

Howdy! How was the weekend for you guys?
Ok, so here's where I'm at - the key to this mystery seems to lie here >> HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop
This is where I noticed a great deal of difference between registries plus some suspiciously named entries. I cleaned it out but it didn't do the trick. There is one thing that keeps getting re-written back in after I delete it though.
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\System >> "System" seems to keep popping back in. It has entries like: DisableRegistryTools, NoDispBackgroundPage, NoDispSettingsPage, RunLogonScriptSync, etc... There are 14 things that either start with "Disable", "Hide" or "No". But only RunLogonScriptSync has a (1) value. Something keeps re-writing these back in. Just wondering if this is normal or something more.

The problem with my desktop not showing the wallpaper when icons are hidden is somewhat solved. I tried re-starting with icons hidden and active desktop enabled and as soon as I logged in the wallpaper alone was visible with no icons in sight! :woot: - this was purely by accident but it got me what I've been wanting. This will do for now. :thumbup: Check out the pic attached.

If either of you have any comments about what I described above about the registry, please do so before we wrap things up. Again, I'm very grateful for the time and help you have given me.

Attached Thumbnails

  • CDT.png


#37 Metallica

Metallica

    Spyware Veteran

  • Retired Classroom Teacher
  • 2,145 posts

Posted 17 June 2008 - 08:15 AM

Thinking out loud:

http://www.microsoft...ntry/93823.mspx
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | RunLogonScriptSync
The policy is enabled. Windows Explorer does not start until the logon scripts have finished running. This setting assures that logon scripts finish processing before the user starts working, but it can delay the appearance of the desktop.

This entry appears in both the HKEY_LOCAL_MACHINE and HKEY_CURRENT_USER subtrees. The entry in the HKEY_LOCAL_MACHINE subtree takes precedence over the entry in the HKEY_CURRENT_USER subtree.

So option 1 could be to set the HKLM value to zero and it will override HKCU

http://support.microsoft.com/kb/315245

The default location for local logon scripts is the %SystemRoot%\System32\Repl\Import\Scripts folder.
This folder will probably not exist on a standalone XP Home computer, but see what shows up if you Search for netlogon
Do NOT delete any of the files you find. Most of them are very important.
But do tell me if you find any with the .bat or .cmd extension.
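
Added example, not part of any post in this thread: a Python sketch of the side-by-side comparison discussed in posts #32 and #33, plus the HKLM-over-HKCU precedence quoted in post #37, run against the text of a Regedit export. The sample export and the guest SID are constructed placeholders, and the helper names (parse_reg, policies, diff, effective) are hypothetical.

```python
import re

POLICIES = r"Software\Microsoft\Windows\CurrentVersion\Policies"

def parse_reg(text):
    """Parse regedit export text into {key path: {value name: data}}."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1], {})
        elif current is not None:
            m = re.match(r'"((?:[^"\\]|\\.)*)"=(.*)', line)
            if m:  # dword data becomes an int, other types stay as raw text
                name, data = m.groups()
                current[name] = int(data[6:], 16) if data.startswith("dword:") else data
    return keys

def policies(keys, root):
    """Flatten the Policies subtree under root to {subkey\\value: data}."""
    prefix = (root + "\\" + POLICIES).lower()
    flat = {}
    for path, values in keys.items():
        if path.lower() == prefix or path.lower().startswith(prefix + "\\"):
            sub = path[len(prefix):].lstrip("\\")
            for name, data in values.items():
                flat[(sub + "\\" + name).lower()] = data
    return flat

def diff(a, b):
    """Entries whose data differs or that exist on one side only."""
    return {k: (a.get(k), b.get(k)) for k in sorted(set(a) | set(b)) if a.get(k) != b.get(k)}

def effective(hklm, hkcu, entry):
    """HKLM wins when the entry is in both subtrees (precedence quoted in the thread)."""
    return hklm[entry] if entry in hklm else hkcu.get(entry)

# Constructed sample export; the SID is a made-up placeholder, not from the thread.
GUEST = r"HKEY_USERS\S-1-5-21-1111111111-2222222222-3333333333-501"
SAMPLE = r"""Windows Registry Editor Version 5.00
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"RunLogonScriptSync"=dword:00000001
"DisableRegistryTools"=dword:00000000
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoActiveDesktop"=dword:00000001
[HKEY_USERS\S-1-5-21-1111111111-2222222222-3333333333-501\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoActiveDesktop"=dword:00000000
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System]
"RunLogonScriptSync"=dword:00000000
"""
```

To run it on a real backup, read the file with `encoding="utf-16"` (the encoding Regedit uses for Version 5.00 exports) and pass the text to `parse_reg`; `diff(policies(keys, "HKEY_CURRENT_USER"), policies(keys, GUEST))` then lists every policy value that differs between the two accounts.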
