System 32 folder opens on start up

Mary

I deleted the trojan, but the file still opens up. The
curious files (see below) have the same save date
8/18/01, right before we bought the machine from Best
Buy. This is a relatively new problem. Any ideas how to
stop this start up folder from popping up?

----- Rick "Nutcase" Rogers wrote: -----

Hi,

First, get rid of this trojan:
"rtfkijhp"="C:\\WINDOWS\\idbmmmnw.exe"

Boot to Safe mode, delete the idbmmmnw.exe file from the C:\Windows folder,
and delete that string in the registry before restarting normally. Then see
if the problem still exists. I am most curious about these lines however:
"} el"="c:\\WINDOWS\\System32\\} else {"
"window.onload = SymOnL"="c:\\WINDOWS\\System32\\window.onload = SymOnLoad;"
"var SymRealOnUnl"="c:\\WINDOWS\\System32\\var SymRealOnUnload;"
"var SymRealOnL"="c:\\WINDOWS\\System32\\var SymRealOnLoad;"
"SymRealOnLoad = window.onl"="c:\\WINDOWS\\System32\\SymRealOnLoad = window.onload;"

this:
"if (screen.widt"="c:\\WINDOWS\\System32\\if (screen.width) {"
"if (location.hos"="c:\\WINDOWS\\System32\\if (location.host) {"

this:
"function SymWinOpen(url, name, attribu"="c:\\WINDOWS\\System32\\function SymWinOpen(url, name, attributes)"

and these:
" window.open = SymWinO"="c:\\WINDOWS\\System32\\window.open = SymWinOpen;"
" window.onunload = SymOnUnl"="c:\\WINDOWS\\System32\\window.onunload = SymOnUnload;"
" return t"="c:\\WINDOWS\\System32\\ return true;"
" return (new Object"="c:\\WINDOWS\\System32\\ return (new Object());"
" if(SymRealOnUnload != n"="c:\\WINDOWS\\System32\\ if (SymRealOnUnload != null)"
" SymRealOnUnloa"="c:\\WINDOWS\\System32\\SymRealOnUnload();"

That's a lot of JS, and this is an unusual place for it. Do you have any
idea where any of it comes from?

--
Best of Luck,

Rick Rogers aka "Nutcase" MS-MVP - Windows
Windows isn't rocket science! That's my other hobby!

Associate Expert - WinXP - Expert Zone



message
The first option did not work. Here are the registry keys:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"URLLSTCK.exe"="C:\\Program Files\\Norton Internet Security Professional\\UrlLstCk.exe"
"SymRealOnLoad = window.onl"="c:\\WINDOWS\\System32\\SymRealOnLoad = window.onload;"
"rtfkijhp"="C:\\WINDOWS\\idbmmmnw.exe"
"Recguard"="C:\\WINDOWS\\SMINST\\RECGUARD.EXE"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"PS2"="C:\\WINDOWS\\system32\\ps2.exe"
"nwiz"="nwiz.exe /install"
"NvCplDaemon"="RUNDLL32.EXE C:\\WINDOWS\\System32\\NvCpl.dll,NvStartup"
"IgfxTray"="C:\\WINDOWS\\System32\\igfxtray.exe"
"hpsysdrv"="c:\\windows\\system\\hpsysdrv.exe"
"HotKeysCmds"="C:\\WINDOWS\\System32\\hkcmd.exe"
"ccApp"="\"C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe\""
"Advanced Tools Check"="C:\\PROGRA~1\\NORTON~2 \\NORTON~1\\AdvTools\\ADVCHK.EXE"


And the Current user registry keys:
Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Symantec NetDriver Monitor"="C:\\PROGRA~1\\Symantec\\LIVEUP~1\\SNDMon.EXE"
"NvMediaCenter"="RUNDLL32.EXE C:\\WINDOWS\\System32\\NVMCTRAY.DLL,NvTaskbarInit"
"ctfmon.exe"="C:\\WINDOWS\\System32\\ctfmon.exe"
"Acme.PCHButton"="C:\\PROGRA~1\\HPINST~1\\plugin\\bin\\PCHButton.exe"

Thanks for any help.
-----Original Message-----
Hi Mary,

This can be caused by leftovers from cleaning up spyware as well. Try this:

Control Panel/Folder Options/View tab, uncheck the line "restore previous
folder windows at logon". Click apply/ok, do not reboot yet.

Start/run msconfig, on the general tab select the diagnostic mode. Click
apply/ok and reboot as prompted.

The folder should not show up now. Rerun msconfig, put the system back in
normal mode. Click apply/ok and reboot once more. Does this help?

For most users, this will resolve the issue. For some that still have
registry damage it will not. If this is the case, could you please export
and post the contents of these keys in the registry:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

To do this, start/run regedit, expand the branches to each key (do this one
at a time). Click on the key, then on file/export. Give it any name, then
save to the desktop. Once you have saved both keys, close the registry
editor. Right-click one of the saved files on the desktop, choose edit, it
should open in notepad. Click edit/select all/edit/copy. Open a response to
this post and click in the message text area. Hit ctrl+v to paste the
contents. Repeat for the other saved key, then send the post for
examination.

--
Best of Luck,

Rick Rogers aka "Nutcase" MS-MVP - Windows
Windows isn't rocket science! That's my other hobby!

Associate Expert - WinXP - Expert Zone



"Mary" <[email protected]>
wrote in
message any
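
An added example, not part of the original thread: a Python sketch that parses a regedit export of the Run keys like the one posted above and lists the values whose data does not begin with a program file, such as the JavaScript fragments Rick points out. The function names, the extension list and the character set are assumptions of this example.

```python
import re

# Constructed sample: a few values from the HKLM Run export posted above,
# with the wrapped lines rejoined.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"URLLSTCK.exe"="C:\\Program Files\\Norton Internet Security Professional\\UrlLstCk.exe"
"SymRealOnLoad = window.onl"="c:\\WINDOWS\\System32\\SymRealOnLoad = window.onload;"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"nwiz"="nwiz.exe /install"
"NvCplDaemon"="RUNDLL32.EXE C:\\WINDOWS\\System32\\NvCpl.dll,NvStartup"
'''

VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"\s*$')
PROGRAM_EXT = re.compile(r'\.(exe|com|bat|cmd|scr|pif)\b', re.I)  # assumed list
SCRIPT_CHARS = set(';{}=')  # characters seen in the JavaScript-like entries

def unescape(s):
    # .reg string data escapes backslash and double quote with a backslash
    return re.sub(r'\\(.)', r'\1', s)

def parse_run_values(text):
    """Yield (key, name, data) for every string value in a .reg export."""
    key = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith('[') and line.endswith(']'):
            key = line[1:-1]
            continue
        m = VALUE_RE.match(line)
        if m and key:
            yield key, unescape(m.group(1)), unescape(m.group(2))

def program_of(data):
    """Program part of a command line: the quoted path, or text up to the extension."""
    data = data.strip()
    if data.startswith('"'):
        return data[1:].split('"', 1)[0]
    m = PROGRAM_EXT.search(data)
    return data[:m.end()] if m else ''

def suspicious(text):
    """Names of values whose data does not start with a plausible program path."""
    hits = []
    for _key, name, data in parse_run_values(text):
        prog = program_of(data)
        if (not PROGRAM_EXT.search(prog) or SCRIPT_CHARS & set(prog)
                or SCRIPT_CHARS & set(name)):
            hits.append(name)
    return hits
```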
 
Jupiter Jones [MVP]

Mary;
Follow this:
http://www.kellys-korner-xp.com/xp_tweaks.htm
Line 260 Right column "System 32..."

--
Jupiter Jones [MVP]
http://www3.telus.net/dandemar/


"Mary" <[email protected]>
wrote in
message
When I start Windows XP the system folder pops up. I
downloaded Kelly's Korner #260 but I get the message "the
script cannot repair your issue, the expected registery
value was not found." I also tried 170086 from Microsoft
and followed the instructions, but can't find any values
with single quotes. I have Norton Internet Security
2004/NAV, Ad-Aware and run Spybot Search and Destroy
daily. HELP!!!
 
Guest

I downloaded Kelly's Korner #260 but I get the
message "the script cannot repair your issue, the expected
registery value was not found." I also tried 170086 from
Microsoft and followed the instructions, but can't find
any values with single quotes. I have Norton Internet
Security 2004/NAV, Ad-Aware and run Spybot Search and
Destroy daily. See messages below for additional
information. Please help!!!

