Re: System 32 folder opens at Start up

Tech-Archive recommends: Repair Windows Errors & Optimize Windows Performance

From: Mary (Mary_at_discussions.microsoft.com)
Date: 06/10/04 

Date: Thu, 10 Jun 2004 08:14:03 -0700

Thank you for responding. I tried that from your original response of 6/4/04. Unfortunately, it didn't work either. I don't know what to do. What could it be?

"Rick "Nutcase" Rogers" wrote:

> Hi Mary,
>
> Ok, do this now:
>
> Control Panel/Folder Options/View tab, uncheck the line "restore previous
> folder windows at logon". Click apply/ok, do not reboot yet.
>
> Start/run msconfig, on the general tab select the diagnostic mode. Click
> apply/ok and reboot at prompted.
>
> The folder should not show up now. Rerun msconfig, put the system back in
> normal mode. Click apply/ok and reboot once more. Does this help?
>
> For most users, this will resolve the issue. The other stuff may be a
> leftover from perhaps a locked down store display model? Really odd - I'd
> probably remove it to see what happens, but that's just me. If the system is
> working fine otherwise, and unless you are adventurous (and I mean really
> adventurous, 'cause messing with the system in this manner can really be
> dangerous) I would suggest leaving it alone at this point. I do see some
> references to parts of that code and Norton's Internet Security, perhaps you
> are using that?
> --
> Best of Luck,
>
> Rick Rogers aka "Nutcase" MS-MVP - Windows
> Windows isn't rocket science! That's my other hobby!
> http://mvp.support.microsoft.com/
> Associate Expert - WinXP - Expert Zone
> www.microsoft.com/windowsxp/expertzone
> Win98 Help - www.rickrogers.org
>
> "Mary" <Mary@discussions.microsoft.com> wrote in message
> news:7F2EB3EC-6561-4045-9DD8-EC40221321D4@microsoft.com...
> > I deleted the trojan, but the folder still appears. The curious files
> below have the same save date 8/18/01 which is right before I bought the
> machine from Best Buy. Any ideas?
> >
> > "Rick "Nutcase" Rogers" wrote:
> >
> > > Hi,
> > >
> > > First, get rid of this trojan:
> > >
> > > > "rtfkijhp"="C:\\WINDOWS\\idbmmmnw.exe"
> > >
> > > Boot to Safe mode, delete the idbmmmnw.exe file from the C:\Windows
> folder,
> > > and delete that string in the registry before restarting normally. Then
> see
> > > if the problem still exists. I am most curious about these lines
> however:
> > >
> > > > "} el"="c:\\WINDOWS\\System32\\} else {""window.onload =
> > > SymOnL"="c:\\WINDOWS\\System32\\window.onload = SymOnLoad;"
> > > > "var SymRealOnUnl"="c:\\WINDOWS\\System32\\var SymRealOnUnload;"
> > > > "var SymRealOnL"="c:\\WINDOWS\\System32\\var SymRealOnLoad;"
> > > > "SymRealOnLoad = window.onl"="c:\\WINDOWS\\System32\\SymRealOnLoad =
> > > window.onload;"
> > >
> > > this:
> > >
> > > > "if (screen.widt"="c:\\WINDOWS\\System32\\if (screen.width) {"
> > > > "if (location.hos"="c:\\WINDOWS\\System32\\if (location.host) {"
> > >
> > > this:
> > >
> > > > "function SymWinOpen(url, name,
> attribu"="c:\\WINDOWS\\System32\\function
> > > SymWinOpen(url, name, attributes)"
> > >
> > > and these:
> > >
> > > > " window.open = SymWinO"="c:\\WINDOWS\\System32\\window.open =
> > > SymWinOpen;"
> > > > " window.onunload = SymOnUnl"="c:\\WINDOWS\\System32\\window.onunload
> =
> > > SymOnUnload;" " return t"="c:\\WINDOWS\\System32\\ return true;"
> > > > " return (new Object"="c:\\WINDOWS\\System32\\ return (new
> Object());" "
> > > if(SymRealOnUnload != n"="c:\\WINDOWS\\System32\\ if (SymRealOnUnload
> !=
> > > null)"
> > > > " SymRealOnUnloa"="c:\\WINDOWS\\System32\\SymRealOnUnload();"
> > >
> > > That's a lot of JS, and this is an unusual place for it. Do you have any
> > > idea where any of it comes from?
> > >
> > > --
> > > Best of Luck,
> > >
> > > Rick Rogers aka "Nutcase" MS-MVP - Windows
> > > Windows isn't rocket science! That's my other hobby!
> > > http://mvp.support.microsoft.com/
> > > Associate Expert - WinXP - Expert Zone
> > > www.microsoft.com/windowsxp/expertzone
> > > Win98 Help - www.rickrogers.org
> > >
> > > <anonymous@discussions.microsoft.com> wrote in message
> > > news:17b4c01c449df$320fafc0$a601280a@phx.gbl...
> > > > The first option did not work. Here are the registry
> > > > keys:
> > > >
> > > > Windows Registry Editor Version 5.00
> > > >
> > > > [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVers
> > > > ion\Run]
> > > > "URLLSTCK.exe"="C:\\Program Files\\Norton Internet
> > > > Security Professional\\UrlLstCk.exe"
> > > > "SymRealOnLoad = window.onl"="c:\\WINDOWS\\System32
> > > > \\SymRealOnLoad = window.onload;"
> > > > "rtfkijhp"="C:\\WINDOWS\\idbmmmnw.exe"
> > > > "Recguard"="C:\\WINDOWS\\SMINST\\RECGUARD.EXE"
> > > > "QuickTime Task"="\"C:\\Program
> > > > Files\\QuickTime\\qttask.exe\" -atboottime"
> > > > "PS2"="C:\\WINDOWS\\system32\\ps2.exe"
> > > > "nwiz"="nwiz.exe /install"
> > > > "NvCplDaemon"="RUNDLL32.EXE C:\\WINDOWS\\System32
> > > > \\NvCpl.dll,NvStartup"
> > > > "IgfxTray"="C:\\WINDOWS\\System32\\igfxtray.exe"
> > > > "hpsysdrv"="c:\\windows\\system\\hpsysdrv.exe"
> > > > "HotKeysCmds"="C:\\WINDOWS\\System32\\hkcmd.exe"
> > > > "ccApp"="\"C:\\Program Files\\Common Files\\Symantec
> > > > Shared\\ccApp.exe\""
> > > > "Advanced Tools Check"="C:\\PROGRA~1\\NORTON~2\\NORTON~1
> > > > \\AdvTools\\ADVCHK.EXE"
> > >
> > > >
> > > > And the Current user registry keys:
> > > > Windows Registry Editor Version 5.00
> > > >
> > > > [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersi
> > > > on\Run]
> > > > "Symantec NetDriver Monitor"="C:\\PROGRA~1
> > > > \\Symantec\\LIVEUP~1\\SNDMon.EXE"
> > > > "NvMediaCenter"="RUNDLL32.EXE C:\\WINDOWS\\System32
> > > > \\NVMCTRAY.DLL,NvTaskbarInit"
> > > > "ctfmon.exe"="C:\\WINDOWS\\System32\\ctfmon.exe"
> > > > "Acme.PCHButton"="C:\\PROGRA~1\\HPINST~1
> > > > \\plugin\\bin\\PCHButton.exe"
> > > >
> > > > Thanks for any help.
> > > >
> > > > >-----Original Message-----
> > > > >Hi Mary,
> > > > >
> > > > >This can be caused by leftovers from cleaning up spyware
> > > > as well. Try this:
> > > > >
> > > > >Control Panel/Folder Options/View tab, uncheck the
> > > > line "restore previous
> > > > >folder windows at logon". Click apply/ok, do not reboot
> > > > yet.
> > > > >
> > > > >Start/run msconfig, on the general tab select the
> > > > diagnostic mode. Click
> > > > >apply/ok and reboot at prompted.
> > > > >
> > > > >The folder should not show up now. Rerun msconfig, put
> > > > the system back in
> > > > >normal mode. Click apply/ok and reboot once more. Does
> > > > this help?
> > > > >
> > > > >For most users, this will resolve the issue. For some
> > > > that still have
> > > > >registry damage it will not. If this is the case, could
> > > > you please export
> > > > >and post the contents of these keys in the registry:
> > > > >
> > > > >HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVers
> > > > ion\Run
> > > > >HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersi
> > > > on\Run
> > > > >
> > > > >To do this, start/run regedit, expand the branches to
> > > > each key (do this one
> > > > >at a time). Click on the key, then on file/export. Give
> > > > it any name, then
> > > > >save to the desktop. Once you have saved both keys,
> > > > close the registry
> > > > >editor. Right-click one of the saved files on the
> > > > desktop, choose edit, it
> > > > >should open in notepad. Click edit/select all/edit/copy.
> > > > Open a response to
> > > > >this post and click in the message text area. Hit ctrl+v
> > > > to paste the
> > > > >contents. Repeat for the other saved key, then send the
> > > > post for
> > > > >examination.
> > > > >
> > > > >--
> > > > >Best of Luck,
> > > > >
> > > > >Rick Rogers aka "Nutcase" MS-MVP - Windows
> > > > >Windows isn't rocket science! That's my other hobby!
> > > > >http://mvp.support.microsoft.com/
> > > > >Associate Expert - WinXP - Expert Zone
> > > > >www.microsoft.com/windowsxp/expertzone
> > > > >Win98 Help - www.rickrogers.org
> > > > >
> > > > >"Mary" <anonymous@discussions.microsoft.com> wrote in
> > > > message
> > > > >news:17f6b01c449d8$6e481d80$a401280a@phx.gbl...
> > > > >> When I start Windows XP the system folder pops up. I
> > > > >> downloaded Kelly's Korner #260 but I get the
> > > > message "the
> > > > >> script cannot repair your issue, the expected registery
> > > > >> value was not found." I also tried 170086 from
> > > > Microsoft
> > > > >> and followed the instructions, but can't find any
> > > > values
> > > > >> with single quotes. I have Norton Internet Security
> > > > >> 2004/NAV, Ad-Aware and run Spybot Search and Destroy
> > > > >> daily. HELP!!!
> > > > >
> > > > >
> > > > >.
> > > > >
> > >
> > >
> > >
>
>
>

Relevant Pages