Mary
I deleted the trojan, but the file still opens up. The
curious files (see below) have the same save date
8/18/01, right before we bought the machine from Best
Buy. This is a relatively new problem. Any ideas how to
stop this start up folder from popping up?
----- Rick "Nutcase" Rogers wrote: -----
Hi,
First, get rid of this trojan:
"rtfkijhp"="C:\\WINDOWS\\idbmmmnw.exe"
Boot to Safe mode, delete the idbmmmnw.exe file from
the C:\Windows folder,
and delete that string in the registry before
restarting normally. Then see
if the problem still exists. I am most curious about
these lines however:
"} el"="c:\\WINDOWS\\System32\\} else {"
"window.onload = SymOnL"="c:\\WINDOWS\\System32\\window.onload = SymOnLoad;"
"var SymRealOnUnl"="c:\\WINDOWS\\System32\\var SymRealOnUnload;"
"var SymRealOnL"="c:\\WINDOWS\\System32\\var SymRealOnLoad;"
"SymRealOnLoad = window.onl"="c:\\WINDOWS\\System32\\SymRealOnLoad = window.onload;"
this:
"if (screen.widt"="c:\\WINDOWS\\System32\\if (screen.width) {"
"if (location.hos"="c:\\WINDOWS\\System32\\if (location.host) {"
this:
"function SymWinOpen(url, name, attribu"="c:\\WINDOWS\\System32\\function SymWinOpen(url, name, attributes)"
and these:
" window.open = SymWinO"="c:\\WINDOWS\\System32\\window.open = SymWinOpen;"
" window.onunload = SymOnUnl"="c:\\WINDOWS\\System32\\window.onunload = SymOnUnload;"
" return t"="c:\\WINDOWS\\System32\\return true;"
" return (new Object"="c:\\WINDOWS\\System32\\return (new Object());"
"if(SymRealOnUnload != n"="c:\\WINDOWS\\System32\\if (SymRealOnUnload != null)"
" SymRealOnUnloa"="c:\\WINDOWS\\System32\\SymRealOnUnload();"
That's a lot of JS, and this is an unusual place for
it. Do you have any
idea where any of it comes from?
--
Best of Luck,
Rick Rogers aka "Nutcase" MS-MVP - Windows
Windows isn't rocket science! That's my other hobby!
Associate Expert - WinXP - Expert Zone
The first option did not work. Here are the registry
keys:
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"URLLSTCK.exe"="C:\\Program Files\\Norton Internet Security Professional\\UrlLstCk.exe"
"SymRealOnLoad = window.onl"="c:\\WINDOWS\\System32\\SymRealOnLoad = window.onload;"
"rtfkijhp"="C:\\WINDOWS\\idbmmmnw.exe"
"Recguard"="C:\\WINDOWS\\SMINST\\RECGUARD.EXE"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"PS2"="C:\\WINDOWS\\system32\\ps2.exe"
"nwiz"="nwiz.exe /install"
"NvCplDaemon"="RUNDLL32.EXE C:\\WINDOWS\\System32\\NvCpl.dll,NvStartup"
"IgfxTray"="C:\\WINDOWS\\System32\\igfxtray.exe"
"hpsysdrv"="c:\\windows\\system\\hpsysdrv.exe"
"HotKeysCmds"="C:\\WINDOWS\\System32\\hkcmd.exe"
"ccApp"="\"C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe\""
"Advanced Tools Check"="C:\\PROGRA~1\\NORTON~2\\NORTON~1\\AdvTools\\ADVCHK.EXE"
And the Current user registry keys:
Windows Registry Editor Version 5.00
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Symantec NetDriver Monitor"="C:\\PROGRA~1\\Symantec\\LIVEUP~1\\SNDMon.EXE"
"NvMediaCenter"="RUNDLL32.EXE C:\\WINDOWS\\System32\\NVMCTRAY.DLL,NvTaskbarInit"
"ctfmon.exe"="C:\\WINDOWS\\System32\\ctfmon.exe"
"Acme.PCHButton"="C:\\PROGRA~1\\HPINST~1\\plugin\\bin\\PCHButton.exe"
Thanks for any help.
-----Original Message-----
Hi Mary,
This can be caused by leftovers from cleaning up spyware
as well. Try this:
Control Panel/Folder Options/View tab, uncheck the line "restore previous
folder windows at logon". Click apply/ok, do not reboot yet.
Start/run msconfig, on the general tab select the diagnostic mode. Click
apply/ok and reboot as prompted.
The folder should not show up now. Rerun msconfig, put
the system back in normal mode. Click apply/ok and reboot once more. Does
this help?
For most users, this will resolve the issue. For some
that still have registry damage it will not. If this is the case, could
you please export and post the contents of these keys in the registry:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
To do this, start/run regedit, expand the branches to
each key (do this one at a time). Click on the key, then on file/export. Give
it any name, then save to the desktop. Once you have saved both keys,
close the registry editor. Right-click one of the saved files on the desktop, choose edit, it
should open in notepad. Click edit/select all/edit/copy.
Open a response to this post and click in the message text area. Hit ctrl+v
to paste the contents. Repeat for the other saved key, then send the
post for examination.
--
Best of Luck,
Rick Rogers aka "Nutcase" MS-MVP - Windows
Windows isn't rocket science! That's my other hobby!
Associate Expert - WinXP - Expert Zone
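A triage pass over a Run-key export like the one posted in this thread, as an added example that is not part of the original posts. The two heuristics (value data that names no executable, and an executable sitting directly in the Windows root) and all function names are assumptions made for illustration; the sample lines are copied from the export in the thread.

```python
import re
from ntpath import dirname, normcase

# Sample input: a subset of the Run-key export posted in this thread.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SymRealOnLoad = window.onl"="c:\\WINDOWS\\System32\\SymRealOnLoad = window.onload;"
"rtfkijhp"="C:\\WINDOWS\\idbmmmnw.exe"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"NvCplDaemon"="RUNDLL32.EXE C:\\WINDOWS\\System32\\NvCpl.dll,NvStartup"
"nwiz"="nwiz.exe /install"
"IgfxTray"="C:\\WINDOWS\\System32\\igfxtray.exe"
'''

# "name"="data" string values, allowing \\ and \" escapes inside the quotes.
ENTRY = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"\s*$')
# Leading command token that ends in an executable extension.
TARGET = re.compile(r'^"?(.*?\.(?:exe|com|bat|cmd|scr|pif))(?=["\s,]|$)', re.I)

def unescape(s):
    """Undo .reg escaping: \\\\ becomes \\ and \\" becomes "."""
    return re.sub(r'\\(.)', r'\1', s)

def parse_run_entries(reg_text):
    """Return (key, value name, value data) for every string value."""
    key, entries = None, []
    for line in reg_text.splitlines():
        line = line.strip()
        if line.startswith('[') and line.endswith(']'):
            key = line[1:-1]
        elif (m := ENTRY.match(line)) and key:
            entries.append((key, unescape(m.group(1)), unescape(m.group(2))))
    return entries

def triage(entries, windir=r'c:\windows'):
    """Flag entries for manual review; a flag is a lead, not a verdict."""
    findings = []
    for _key, name, data in entries:
        m = TARGET.match(data)
        if not m:
            # e.g. the JavaScript fragments stored as autostart commands
            findings.append((name, 'no executable target in value data'))
        elif normcase(dirname(m.group(1))) == normcase(windir):
            findings.append((name, 'executable directly in Windows root'))
    return findings

if __name__ == '__main__':
    for name, reason in triage(parse_run_entries(SAMPLE_REG)):
        print(f'{name!r}: {reason}')
```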