Hi Mary,
Ok, do this now:
Control Panel/Folder Options/View tab, uncheck the line "restore previous
folder windows at logon". Click apply/ok, do not reboot yet.
Start/run msconfig, on the general tab select the diagnostic mode. Click
apply/ok and reboot as prompted.
The folder should not show up now. Rerun msconfig, put the system back in
normal mode. Click apply/ok and reboot once more. Does this help?
For most users, this will resolve the issue. The other stuff may be a
leftover from perhaps a locked down store display model? Really odd - I'd
probably remove it to see what happens, but that's just me. If the system is
working fine otherwise, and unless you are adventurous (and I mean really
adventurous, 'cause messing with the system in this manner can really be
dangerous) I would suggest leaving it alone at this point. I do see some
references to parts of that code and Norton's Internet Security, perhaps you
are using that?
--
Best of Luck,
Rick Rogers aka "Nutcase" MS-MVP - Windows
Windows isn't rocket science! That's my other hobby!
Associate Expert - WinXP - Expert Zone
Mary said:
I deleted the trojan, but the folder still appears. The curious files
below have the same save date 8/18/01 which is right before I bought the
machine from Best Buy. Any ideas?
Hi,
First, get rid of this trojan:
"rtfkijhp"="C:\\WINDOWS\\idbmmmnw.exe"
Boot to Safe mode, delete the idbmmmnw.exe file from the C:\Windows folder,
and delete that string in the registry before restarting normally.
Then see if the problem still exists. I am most curious about these lines
however:
"} el"="c:\\WINDOWS\\System32\\} else {"
"window.onload = SymOnL"="c:\\WINDOWS\\System32\\window.onload = SymOnLoad;"
"var SymRealOnUnl"="c:\\WINDOWS\\System32\\var SymRealOnUnload;"
"var SymRealOnL"="c:\\WINDOWS\\System32\\var SymRealOnLoad;"
"SymRealOnLoad = window.onl"="c:\\WINDOWS\\System32\\SymRealOnLoad = window.onload;"
this:
"if (screen.widt"="c:\\WINDOWS\\System32\\if (screen.width) {"
"if (location.hos"="c:\\WINDOWS\\System32\\if (location.host) {"
this:
"function SymWinOpen(url, name, attribu"="c:\\WINDOWS\\System32\\function SymWinOpen(url, name, attributes)"
and these:
" window.open = SymWinO"="c:\\WINDOWS\\System32\\window.open = SymWinOpen;"
" window.onunload = SymOnUnl"="c:\\WINDOWS\\System32\\window.onunload = SymOnUnload;"
" return t"="c:\\WINDOWS\\System32\\ return true;"
" return (new Object"="c:\\WINDOWS\\System32\\ return (new Object());"
" if(SymRealOnUnload != n"="c:\\WINDOWS\\System32\\ if (SymRealOnUnload != null)"
" SymRealOnUnloa"="c:\\WINDOWS\\System32\\SymRealOnUnload();"
That's a lot of JS, and this is an unusual place for it. Do you have any
idea where any of it comes from?
--
Best of Luck,
Rick Rogers aka "Nutcase" MS-MVP - Windows
Windows isn't rocket science! That's my other hobby!
Associate Expert - WinXP - Expert Zone
The first option did not work. Here are the registry keys:
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"URLLSTCK.exe"="C:\\Program Files\\Norton Internet Security Professional\\UrlLstCk.exe"
"SymRealOnLoad = window.onl"="c:\\WINDOWS\\System32\\SymRealOnLoad = window.onload;"
"rtfkijhp"="C:\\WINDOWS\\idbmmmnw.exe"
"Recguard"="C:\\WINDOWS\\SMINST\\RECGUARD.EXE"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"PS2"="C:\\WINDOWS\\system32\\ps2.exe"
"nwiz"="nwiz.exe /install"
"NvCplDaemon"="RUNDLL32.EXE C:\\WINDOWS\\System32\\NvCpl.dll,NvStartup"
"IgfxTray"="C:\\WINDOWS\\System32\\igfxtray.exe"
"hpsysdrv"="c:\\windows\\system\\hpsysdrv.exe"
"HotKeysCmds"="C:\\WINDOWS\\System32\\hkcmd.exe"
"ccApp"="\"C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe\""
"Advanced Tools Check"="C:\\PROGRA~1\\NORTON~2\\NORTON~1\\AdvTools\\ADVCHK.EXE"
And the Current user registry keys:
Windows Registry Editor Version 5.00
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Symantec NetDriver Monitor"="C:\\PROGRA~1\\Symantec\\LIVEUP~1\\SNDMon.EXE"
"NvMediaCenter"="RUNDLL32.EXE C:\\WINDOWS\\System32\\NVMCTRAY.DLL,NvTaskbarInit"
"ctfmon.exe"="C:\\WINDOWS\\System32\\ctfmon.exe"
"Acme.PCHButton"="C:\\PROGRA~1\\HPINST~1\\plugin\\bin\\PCHButton.exe"
Thanks for any help.
-----Original Message-----
Hi Mary,
This can be caused by leftovers from cleaning up spyware as well. Try this:
Control Panel/Folder Options/View tab, uncheck the line "restore previous
folder windows at logon". Click apply/ok, do not reboot yet.
Start/run msconfig, on the general tab select the diagnostic mode. Click
apply/ok and reboot as prompted.
The folder should not show up now. Rerun msconfig, put the system back in
normal mode. Click apply/ok and reboot once more. Does this help?
For most users, this will resolve the issue. For some that still have
registry damage it will not. If this is the case, could you please export
and post the contents of these keys in the registry:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
To do this, start/run regedit, expand the branches to each key (do this one
at a time). Click on the key, then on file/export. Give it any name, then
save to the desktop. Once you have saved both keys, close the registry
editor. Right-click one of the saved files on the desktop, choose edit, it
should open in notepad. Click edit/select all/edit/copy. Open a response to
this post and click in the message text area. Hit ctrl+v to paste the
contents. Repeat for the other saved key, then send the post for
examination.
--
Best of Luck,
Rick Rogers aka "Nutcase" MS-MVP - Windows
Windows isn't rocket science! That's my other hobby!
Associate Expert - WinXP - Expert Zone
When I start Windows XP the system folder pops up. I downloaded Kelly's
Korner #260 but I get the message "the script cannot repair your issue, the
expected registery value was not found." I also tried 170086 from Microsoft
and followed the instructions, but can't find any values with single quotes.
I have Norton Internet Security 2004/NAV, Ad-Aware and run Spybot Search and
Destroy daily. HELP!!!
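
An added example, not part of the original thread: a Python triage pass over a .reg export of a Run key like the one posted above. It flags values whose data names no executable image (the JavaScript fragments) and executables placed directly in the Windows directory (the entry identified above as a trojan). Both heuristics, the function names and the trimmed sample are assumptions made here; a flag means "review this entry", not a verdict.

```python
import re

# Constructed sample: a subset of the Run-key export posted in the thread,
# with the mail client's line wraps rejoined.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"URLLSTCK.exe"="C:\\Program Files\\Norton Internet Security Professional\\UrlLstCk.exe"
"SymRealOnLoad = window.onl"="c:\\WINDOWS\\System32\\SymRealOnLoad = window.onload;"
"rtfkijhp"="C:\\WINDOWS\\idbmmmnw.exe"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"nwiz"="nwiz.exe /install"
"NvCplDaemon"="RUNDLL32.EXE C:\\WINDOWS\\System32\\NvCpl.dll,NvStartup"
'''

# "name"="data" string values; backslash escapes are allowed on both sides.
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"\s*$')
# Shortest prefix of an unquoted command that ends in a launchable extension.
IMAGE_RE = re.compile(r'^(.*?\.(?:exe|com|bat|cmd|scr|pif))(?=\s|$)', re.I)
# An image placed directly in the Windows directory, not in a subfolder.
WINROOT_RE = re.compile(r'[a-z]:\\windows\\[^\\]+', re.I)

def unescape(s):
    """Undo .reg escaping: \\\\ becomes \\ and \\" becomes "."""
    return re.sub(r'\\(.)', r'\1', s)

def image_path(command):
    """Return the program a Run command would start, or None if there is none."""
    cmd = command.strip()
    if cmd.startswith('"'):
        return cmd[1:].split('"', 1)[0]
    m = IMAGE_RE.match(cmd)
    return m.group(1) if m else None

def triage(reg_text):
    """Return (value name, reason) pairs for entries that deserve a closer look."""
    findings = []
    for line in reg_text.splitlines():
        m = VALUE_RE.match(line.strip())
        if not m:
            continue  # header, key path or blank line
        name, command = unescape(m.group(1)), unescape(m.group(2))
        image = image_path(command)
        if image is None:
            findings.append((name, "no executable image in command"))
        elif WINROOT_RE.fullmatch(image):
            findings.append((name, "executable directly in Windows root"))
    return findings

if __name__ == "__main__":
    for name, reason in triage(SAMPLE_REG):
        print(f"REVIEW {name!r}: {reason}")
```
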