
MSCONFIG questions 2

Status
Not open for further replies.

RobertT687

Programmer
Apr 2, 2001
425
US
On a multi-user laptop running Windows XP Home Edition.
Are the settings selected for Startup using Start -> Run -> MSCONFIG specific to a user or are they set for all users? If they are specific to a user, where are the settings/selections stored? On a laptop heavily infected with spyware, after a cleanup attempt, during which MSCONFIG was used to stop a lot of suspicious items from starting, the desktop icons are gone and Windows Explorer does not start. When trying to boot in Safe Mode the affected user does not appear in the list of users but does show up when trying to boot normally.
Any advice will be most welcome.
 
Hi there,



1- as far as I know, 'MSCONFIG' is partly for the current user, and for all users. These settings are all stored in the registry (start -> run -> msconfig)

Global selected items are here:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Global unselected items are here:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder
&
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg

User specific selected items are here (IF you are logged on with the infected account): HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

User specific unselected items are here (IF you are logged on with the infected account):
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder
&
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg


LOOK OUT: If you DELETE the keys from the unselected items, you won't be able to see them anymore in MSCONFIG



2- If you are unable to see the account when you boot into safe mode, but it is visible in normal mode, then your account is a 'limited account'. If you change it to 'computer administrator' in 'control panel\users accounts', you will be able to see the account at your login screen when you boot into safe mode.



3- If your explorer does not start when you log in with the infected user, you should check your registry. The specific key you should check is: "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\". On the right side you will find "shell" and its value should be "Explorer.exe". If not, change it.



Hope this helped you. If not or unclear, don't be afraid to ask further.
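
As an added example (not part of the thread and not any poster's code), this read-only PowerShell script lists the entries in the registry locations named in the post above and checks the Winlogon Shell value. It assumes PowerShell 2.0 or later is installed and that each unselected entry is a subkey holding its command line in a value named `command`; the function and variable names are made up for this example.

```powershell
# Added example: read-only listing of the startup locations named in the thread.
# HKCU is the hive of whichever account runs this script.
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
)
$disabledKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder',
    'HKLM:\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg',
    'HKCU:\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder',
    'HKCU:\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg'
)
$winlogonKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'

# Hypothetical helper: one uniform record per startup entry.
function New-StartupRecord($State, $Key, $Name, $Command) {
    New-Object PSObject -Property @{ State = $State; Key = $Key; Name = $Name; Command = $Command }
}

function Get-StartupItem {
    # Selected items: each registry value under a Run key is one entry.
    foreach ($path in $runKeys) {
        if (-not (Test-Path $path)) { continue }
        $key = Get-Item $path
        foreach ($name in $key.GetValueNames()) {
            New-StartupRecord 'selected' $path $name $key.GetValue($name)
        }
    }
    # Unselected items: each subkey under the MSConfig keys is one entry.
    foreach ($path in $disabledKeys) {
        if (-not (Test-Path $path)) { continue }
        foreach ($sub in Get-ChildItem $path) {
            New-StartupRecord 'unselected' $path $sub.PSChildName $sub.GetValue('command')
        }
    }
}

function Test-WinlogonShell {
    # Compare case-insensitively against the value the post says to expect.
    $shell = (Get-ItemProperty -Path $winlogonKey).Shell
    if ($shell -ine 'Explorer.exe') {
        Write-Warning "Winlogon Shell is '$shell', expected 'Explorer.exe'"
        return $false
    }
    return $true
}

Get-StartupItem | Sort-Object State, Key, Name | Format-Table State, Name, Command, Key -AutoSize -Wrap
Test-WinlogonShell | Out-Null
```

Saving the output before and after a cleanup pass gives a record of what was switched off, which helps when a disabled entry turns out to be something the desktop needs.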
 
310353 - How to Perform a Clean Boot in Windows XP

316434 - HOW TO: Perform Advanced Clean-Boot Troubleshooting in Windows XP

310560 - How to Troubleshoot By Using the Msconfig Utility in Windows XP

When in Safe Mode access to a Limited User account is not possible via the Welcome Screen. At the first Welcome Screen press Ctrl+Alt+Del twice to bring up the Classic Logon Box and manually type in the user's name and password.

Removing adware & spyware
faq608-4650

Try the free version of "Ewido" now called "AVG Anti-Spyware 7.5"

Windows Defender

Run the System File Checker program from the Run Box by typing Sfc /Scannow in it, and have your XP CD handy.

You may be able to run Explorer by typing Explorer in the Start Run box, on the Start Menu or from Task Manager or from a Command Prompt.
 
My thanks to skaajie and linney. Both tips were very useful. Hopefully I can get this thing cleaned and updated now.
Again Thanks Very Much!!!
 