Start Menu shortcuts to EXE mysteriously changed to network drive

[benoitm]

Several times in the last weeks/months, I noticed that many/most shortcuts to
EXE programs in All Users / Start Menu have mysteriously changed from
C:\program files\.. to Z:\program files\...(target field of the shortcut's
properties), and that XP (SP3) has automagically created a network mapping of
Z: to \\[my PC IP address]\c$ !!!

One of the side effects is that each time I start one of these programs,
Windows warns me about a possible security issue (Digital signature could not
be verified) etc.

Restarting the system doesn't help; only a manual reset of all the shortcuts
(tedious work !) or a restore from backup fixes the problem...until it
appears again!

I have no clue why this happens.

The system is a relatively recent installation (a full reinstall from
scratch with XP Pro SP3 last year) and carefully protected (up-to-date AV,
regular scan, anti-spam, registry monitor, etc...)

Where should I start looking to t'shoot this ?

 

[benoitm]

BTW, how can I reliable scan all the shortcuts in the start menu (all users
and my account) for a string such as "Z:\program files")

 

[benoitm]

Help, anyone ??

 

[Pegasus]

BTW, how can I reliable scan all the shortcuts in the start menu (all
users
and my account) for a string such as "Z:\program files")

Several times in the last weeks/months, I noticed that many/most
shortcuts to
EXE programs in All Users / Start Menu have mysteriously changed from
C:\program files\.. to Z:\program files\...(target field of the
shortcut's
properties), and that XP (SP3) has automagically created a network
mapping of
Z: to \\[my PC IP address]\c$ !!!

One of the side effects is that each time I start one of these programs,
Windows warns me about a possible security issue (Digital signature could
not
be verified) etc.

Restarting the system doesn't help; only a manual reset of all the
shortcuts
(tedious work !) or a restore from backup fixes the problem...until it
appears again!

I have no clue why this happens.

The system is a relatively recent installation (a full reinstall from
scratch with XP Pro SP3 last year) and carefully protected (up-to-date
AV,
regular scan, anti-spam, registry monitor, etc...)

Where should I start looking to t'shoot this ?

I don't know why this should happen on your machine. In such cases the first
step often consists of finding out WHEN it appens.

Some time ago I wrote some command line tools that can be used to search any
file for any string or change any string in any file. You might be able to
use them to repair the damage (which, of course, dos not solve the
underlying problem). Send a note to pegasus_fnlATyahooDOTcom if you're
interested.

 

[Jim]

Help, anyone ??

Several times in the last weeks/months, I noticed that many/most shortcuts to
EXE programs in All Users / Start Menu have mysteriously changed from
C:\program files\.. to Z:\program files\...(target field of the shortcut's
properties), and that XP (SP3) has automagically created a network mapping of
Z: to \\[my PC IP address]\c$ !!!

One of the side effects is that each time I start one of these programs,
Windows warns me about a possible security issue (Digital signature could not
be verified) etc.

Restarting the system doesn't help; only a manual reset of all the shortcuts
(tedious work !) or a restore from backup fixes the problem...until it
appears again!

I have no clue why this happens.

The system is a relatively recent installation (a full reinstall from
scratch with XP Pro SP3 last year) and carefully protected (up-to-date AV,
regular scan, anti-spam, registry monitor, etc...)

Where should I start looking to t'shoot this ?

Run antivirus ?

 

[benoitm]

Done this several times, with different local and online AV products....

Help, anyone ??

Several times in the last weeks/months, I noticed that many/most shortcuts to
EXE programs in All Users / Start Menu have mysteriously changed from
C:\program files\.. to Z:\program files\...(target field of the shortcut's
properties), and that XP (SP3) has automagically created a network mapping of
Z: to \\[my PC IP address]\c$ !!!

One of the side effects is that each time I start one of these programs,
Windows warns me about a possible security issue (Digital signature could not
be verified) etc.

Restarting the system doesn't help; only a manual reset of all the shortcuts
(tedious work !) or a restore from backup fixes the problem...until it
appears again!

I have no clue why this happens.

The system is a relatively recent installation (a full reinstall from
scratch with XP Pro SP3 last year) and carefully protected (up-to-date AV,
regular scan, anti-spam, registry monitor, etc...)

Where should I start looking to t'shoot this ?

Run antivirus ?

 

[benoitm]

BTW, how can I reliable scan all the shortcuts in the start menu (all
users
and my account) for a string such as "Z:\program files")

Several times in the last weeks/months, I noticed that many/most
shortcuts to
EXE programs in All Users / Start Menu have mysteriously changed from
C:\program files\.. to Z:\program files\...(target field of the
shortcut's
properties), and that XP (SP3) has automagically created a network
mapping of
Z: to \\[my PC IP address]\c$ !!!

One of the side effects is that each time I start one of these programs,
Windows warns me about a possible security issue (Digital signature could
not
be verified) etc.

Restarting the system doesn't help; only a manual reset of all the
shortcuts
(tedious work !) or a restore from backup fixes the problem...until it
appears again!

I have no clue why this happens.

The system is a relatively recent installation (a full reinstall from
scratch with XP Pro SP3 last year) and carefully protected (up-to-date
AV,
regular scan, anti-spam, registry monitor, etc...)

Where should I start looking to t'shoot this ?

I don't know why this should happen on your machine. In such cases the first
step often consists of finding out WHEN it appens.

That's the difficult part, as I notice the change from C:\program files to
Z:\program files and the silent remapping of Z: to c$ only by accident. No
way to monitor this in realtime...

 

[Pegasus]

BTW, how can I reliable scan all the shortcuts in the start menu (all
users
and my account) for a string such as "Z:\program files")

:

Several times in the last weeks/months, I noticed that many/most
shortcuts to
EXE programs in All Users / Start Menu have mysteriously changed from
C:\program files\.. to Z:\program files\...(target field of the
shortcut's
properties), and that XP (SP3) has automagically created a network
mapping of
Z: to \\[my PC IP address]\c$ !!!

One of the side effects is that each time I start one of these
programs,
Windows warns me about a possible security issue (Digital signature
could
not
be verified) etc.

Restarting the system doesn't help; only a manual reset of all the
shortcuts
(tedious work !) or a restore from backup fixes the problem...until it
appears again!

I have no clue why this happens.

The system is a relatively recent installation (a full reinstall from
scratch with XP Pro SP3 last year) and carefully protected (up-to-date
AV,
regular scan, anti-spam, registry monitor, etc...)

Where should I start looking to t'shoot this ?

I don't know why this should happen on your machine. In such cases the
first
step often consists of finding out WHEN it appens.

That's the difficult part, as I notice the change from C:\program files to
Z:\program files and the silent remapping of Z: to c$ only by accident. No
way to monitor this in realtime...

You underestimate the power of scripting. It can monitor just about anything
in realtime. However, this may not be necessary. It may be sufficient to
examine the date stamp of the shortcuts - have a look at the three stamps:
created, last access, last written.

 

[benoitm]

You underestimate the power of scripting. It can monitor just about anything
in realtime. However, this may not be necessary. It may be sufficient to
examine the date stamp of the shortcuts - have a look at the three stamps:
created, last access, last written.

Actually the hard part is to try to remember what (else) exactly happened on
the system at the time of "Date modified"...(nothing in the event log so far)

Interestingly, it seems that the menu shortcuts are changed only for "All
users", not for my own account....
FWIW, among utility programs running with "high" priviledges: Avira Antivir
Personal, Spybot S&D resident (Tea Timer), Norton Ghost 9...

 

[Pegasus]

Actually the hard part is to try to remember what (else) exactly happened
on
the system at the time of "Date modified"...(nothing in the event log so
far)

Interestingly, it seems that the menu shortcuts are changed only for "All
users", not for my own account....
FWIW, among utility programs running with "high" priviledges: Avira
Antivir
Personal, Spybot S&D resident (Tea Timer), Norton Ghost 9...

It seems we're getting off the track. Your original complaint went like so:
- You configured the shortcuts so that they would point to the correct
drive.
- Presumably you remember when you did this.
- Some time later the shortcuts pointed at a different drive.

When did the change happen? The shortcut's date stamp will tell you! You
won't find any entry in the event logger for this sort of thing. All it
takes is for you to keep notes.

 

[benoitm]

- You configured the shortcuts so that they would point to the correct
drive.
- Presumably you remember when you did this.
- Some time later the shortcuts pointed at a different drive.

When did the change happen? The shortcut's date stamp will tell you!
Agree

You won't find any entry in the event logger for this sort of thing.

Well, one could have hoped that the "responsible" for the change is a
"remarkable" event leaving tracks in the Event Log. Just wanted to say that
it is not the case, unfortunately.

All it takes is for you to keep notes.

Agree, but chances are that I won't notice the change immediately and hence,
it may be difficult to correlate the datestamp of a changed shortcut to a
particular event (user action, etc..) having occurred at the same time.

 

[Pegasus]

*** See below.

Well, one could have hoped that the "responsible" for the change is a
"remarkable" event leaving tracks in the Event Log. Just wanted to say
that
it is not the case, unfortunately.

*** The event log collects the following events:
*** - Records sent to it by programs, e.g. Windows updates.
*** - Certain error messages.
*** If the changes you observe are caused by malware, by a virus
*** or by a poorly written program then you certainly won't see
*** a mention in the event log!

Agree, but chances are that I won't notice the change immediately and
hence,
it may be difficult to correlate the datestamp of a changed shortcut to a
particular event (user action, etc..) having occurred at the same time.

*** Let's see a couple of examples:
*** - Name and location of shortcut.
*** - Date/time when you restored a shortcut to its correct setting.
*** - Date/time when you noticed that it had changed back.
*** - Its date stamp.
*** - If the date stamp relates to a boot-up event. Boot-up events
*** are visible as Event No. 6009 in the System log.
***
*** Depending on what you report, I might post a script that
*** tells you instantly when a shortcut is modified.

 

[benoitm]

You won't find any entry in the event logger for this sort of thing.

*** The event log collects the following events:
*** - Records sent to it by programs, e.g. Windows updates.
*** - Certain error messages.
*** If the changes you observe are caused by malware, by a virus
*** or by a poorly written program then you certainly won't see
*** a mention in the event log!

Agree, but another possibility would be an exotic side effect of a
legitimate program (while it's doing something that triggers an event, e.g.
an AV or image backup program); but again, I agree this possibility seems
indeed very remote

***
*** Depending on what you report, I might post a script that
*** tells you instantly when a shortcut is modified.

I will monitor my system and come back when I see a shortcut changed. But it
seems very random, so I can't tell when it will happen again !

 

[benoitm]

Agree, but another possibility would be an exotic side effect of a
legitimate program (while it's doing something that triggers an event, e.g.
an AV or image backup program); but again, I agree this possibility seems
indeed very remote

I will monitor my system and come back when I see a shortcut changed. But it
seems very random, so I can't tell when it will happen again !

From now on, I will keep an explorer window open on "My computer", so I will
quickly notice when mapped drive Z: appears without reason (indicating that I
have used a shortcut that has been changed from C:\prgram files to Z:\program
files)

 

[benoitm]

I found an additional element that might lead us to the root cause:


Steps to repro (on my system, at least)
1) Open a remote desktop connection session to the "problematic" computer
from another XP machine, using the credentials of the usual user (has admin
privileges)
2) On that same computer, map a network drive (e.g. Z to the C$ share (C:
is where WinXP is installed) of the "problematic" machine, using the same
credentials as above
3) as soon as I open the mapped drive from the remote computer (while RDC
still runs in a window), it takes a while before the items appear in this
explorer window, and the HDD of the problematic PC shows heavy activity
during several seconds. THIS IS EXACTLY WHEN MANY SHORTCUTS UNDER ALL
USERS\START MENU\PROGRAMS GET CHANGED FROM C:\program files to Z:\program
files.

I have no idea why some shortcuts get changed and some other no; there are
affected shortcuts in several levels below Start Menu\Programs...

 

[Jon Wallace]

Hi,

Try disabling a feature called 'link tracking' to see if it helps...

See - http://support.microsoft.com/kb/299780 and
http://www.insidetheregistry.com/database/viewvalue.asp?valueid=2020

Hope this helps,
Jon

www.insidetheregistry.com