Registry Edit Troubles

Hello, I'm having a bit of a nightmare at the mo'.

When I start my machine, I get a balck desktop background, no icons, now task bar, no start button. I do get my documents opening though!

So, I've managed to identify that I need to change a regsitry entry which has been modded, I guess by some spyware or virus or something. The regsirty entry needing chnaged is HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon and the Shell entry currently reads explorer.exe rundll32.exe gcyc.luo ahagn. I need to chnage this to simpy explorer.exe and this should fix my problem. Trouble is, when I try to do this then click OK, I get a message saying - cannot edit shell: error writing the value's new contents

So, I can't do this on the hard drive in the laptop, is there a way I can get this to work by connecting the hard drive to another fully working computer and edit the regostry on the hard drive that way?

I'm at a loss now and it's really quite frustrating for me, hopefully someone will have an idea of the best way forward

I should also say that I've had the HDD out and completed virus removal and spyware removal already so the drive should be pretty clean. Used NOD32, Malware Bytes and Super Anti SPyware

Thank you to all

Could it be a permissions problem? R click Winlogon key and select Permissions; check you have Full Control for your user.

Also try deleting Shell entry and recreating it.

Hi and thank you for the advice. I've tried these and I do have permission and have tried to delete it, I can't do that either

Thanks again Xray, much appreciated, nayone any other thoughts I can try. I really hope not to have to reformat, my worst nightmare at the moment with exams and stuff, d'oh.....

Have you tried booting into Safe Mode and attempting to edit the registry?? There might be something (the 'thing' that changed the registry in the first place) running in the background preventing this change..

since you know the key that needs to be changed you may want to give this a try: http://pogostick.net/~pnh/ntpasswd/ - it's a boot disk that will give you a basic reg editor, since it runs outside of windows it will avoid any interference from malware / viruses.

a few more suggestions...


Not one i'm familiar with but SAS have it listed on this page:
http://www.superantispyware.com/malwaredailyfiles/20...

Text
1 23 45 67 89 1011 12	filename:  E.TMP    Related Files:  1.TMP283.TMP GCYC.LUO13C5.TMP 8.TMP

worth doing a file search for any of those files (including E.TMP ) and trying to delete them if found,
be sure to set the file search options to look in all hidden files and folders etc


As a temp workaround, you could try re-naming Shell in the registry to something like Shell2
if it allows that, then click on Edit, New, String Value and name it Shell
right click on it to modify and put Explorer.exe in the box
Explorer should then be running, but if not reboot, or you could try opening Windows Task Manager with Ctrl-Alt-Delete keys, click on File, New Task(Run), type Explorer.exe in the window

just modifying the registry may not be the real answer to the problem. You really need to locate the source, if you can, with file searches.


if your file search does find GCYC.LUO but you can't delete, then you could try opening up a command prompt window by going to Start, Run, type in cmd
then Copy and Paste this in
regsvr32 /u gcyc.luo

if it finds it there and says successful, then just delete the file in the normal way, reboot, then try to modify the Shell registry item.

if it doesn't find it then you may need to change the location in the cmd prompt window to the one indicated by your previous file search or easiest to type in the full filepath,
for example, (making sure you have a space before and after /u

regsvr32 /u C:\WINDOWS\system32\gcyc.luo