C:\Windows\system32\%programfiles% directory gets recreated on reboot

By ChaosMom ยท 7 replies
Jan 4, 2008
  1. Hi,

    My son clicked on something vicious, and we have been inundated with trojans, spyware, you name it. I've followed the basic removal instructions, plus ran scans with super anti-spyware, drweb-cureit and a couple of other tools. Most of the tools found and cured several issues, but I am left with two problems:

    1. Despite deleting it in safe mode, c:\windows\system32\%programfiles% directory regenerates when I reboot into normal mode, and I can't delete it. The error message says that "connection wizard is being used by another program or user" - connection wizard is a subdirectory under %programfiles%\Internet explorer. By the way, there are no files in any of the folders in the %programfiles% directory.

    2. Internet Explorer was moved from the default directory to c:\windows\Internet Explorer. I tried uninstalling and reinstalling IE, but it stays in the same custom directory. This is a huge problem because we can't get Quick Books up and need to do billing for the month asap.

    If anyone has suggestions, I'd be grateful!

    Attached are HJT, AVG and Combofix logs.

    Thanks in advance,

  2. wii-ste

    wii-ste TS Rookie Posts: 163

    %PROGRAMFILES% should point to your default 'Program Files' directory. i.e. C:\Program Files usually.

    I'm not sure if this will help, but you can try:
    * Open 'Registry Editor' (you can select run and enter 'regedit').
    * Navigate to 'Computer\HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion' on the left-hand side.
    * On the right hand side, there should be some items. These should be things like 'CommonFilesDir', 'DevicePath' etc
    * One of these items should be 'ProgramFilesDir'. Make sure that this points to your REAL program files folder - i.e. usually C:\Program Files
    * If it does not exist, right-click on the left hand side, select New > String Value. Call it ProgramFilesDir and enter the path to your Program Files folder.

    Not guaranteeing this will work but it's the first thing I'd check.
  3. kimsland

    kimsland Ex-TechSpotter Posts: 14,523

    Actually wii-ste your post makes sense. But also prompted me to think that this may be in "Enviroment Variables" in System (in Control Panel) selecting "Advanced" tab too.

    Please look at that area as well, you can edit directly from there as well
    I'm thinking it might say set %ProgramFiles%=%System%\ or something like that.
  4. wii-ste

    wii-ste TS Rookie Posts: 163

    hi kimsland, that was the first place I looked (I thought I remembered it there) but I can't find it now. I am however using Vista now, so perhaps it was there on XP.
  5. kimsland

    kimsland Ex-TechSpotter Posts: 14,523


    Ok system variables in vista can be found by going to the control panel, hitting "system and maintenance" then clicking "system" and "advanced system settings" then on the system properties click the advanced tab and then the big button "environment variables" bottom left....

    Now why didn't I think of that ! (in Vista everything is big)
  6. wii-ste

    wii-ste TS Rookie Posts: 163

    lol I know where to find them. But Vista has no ProgramFilesDir.

    Sytem Variables:

    User Variables:

    EDIT: Have just looked on my Server 2003 machine - not in there either
  7. kimsland

    kimsland Ex-TechSpotter Posts: 14,523

  8. wii-ste

    wii-ste TS Rookie Posts: 163

    Whatever its called lol. It's not there - that is the full list on my Vista machine.

    Anyway, it might have changed in Vista. I haven't got an XP machine to look on at the moment. If it is in there on XP, then that is one way to change it.
Topic Status:
Not open for further replies.

Similar Topics

Add your comment to this article

You need to be a member to leave a comment. Join thousands of tech enthusiasts and participate.
TechSpot Account You may also...