# Runtime Error 21 at 00DC49D2 (ncsjapi43.exe)



## !cweb5! (Aug 7, 2008)

I think I acquired a virus from facebook. I clicked on a link posted on my wall and it redirected me to a Web site with an animation. I left the site and two dialogue boxes popped up, both reading "Runtime Error 21 at 00DC49D2." The 00...... changes. When I click "ok," another dialogue box flashes in the top left corner. It reads, PERSONAL SETTINGS - C:\ Windows\system32\splm\ncsjapi32.exe. All of the icons temporarily disappear and the runtime error dialogue boxes reappear. I appreciate any help. Thanks.


----------



## Blue Zee (May 18, 2007)

Start in Safe Mode and try System Restore.

You can also try running your anti-virus and anti-malware scanners in Safe Mode.


----------



## mabuza (Aug 7, 2008)

Not that I am any help, still trying to deal with it myself because I just got the exact same error this morning. It's driving me crazy. Well let me play with it for a little while


----------



## dancoppock (Aug 7, 2008)

Hi,

I also noticed this problem this morning. The virus installs several startup entries, pretending to be 'IntelliMouse' etc; you can check this by using a tool like Autoruns. I couldn't find a way of uninstalling it with Windows running - it even runs in Safe mode; it isn't picked up by virus scanners; and it disables you from being able to view hidden files and folders. 
It seems to install several programs to the C:\WINDOWS\system32\splm folder: ncsjapi32.exe, kbdsapi.dll, lmfunit32.dll

I managed to get rid of it by booting windows into "Safe Mode + Command Prompt" - and then when you've got a command prompt running type:
CD "C:\WINDOWS\system32"
RMDIR splm /S


----------



## Took the Elder (Aug 7, 2008)

Just quickly wanted to say cheers to Mr. dancoppock, your solution appears to have worked  

hope no-one minds, but i made a group on facebook about this whole thing and put a link to this page.......someone'll tell me if'n i done wrong, right?


----------



## JJJ999 (Aug 7, 2008)

I have the exact same virus, I've tried going to the safe mode + command prompt and got it to the C:\WINDOWS\system32 but when I type in the RMDIR splm /S it asks if I want to make the change and I said Y and then it says that the file can't be found. Am I doing something wrong?


----------



## TAliyev (Aug 7, 2008)

I have the same problem. RMDIR splm cannot find directory.... Also it seems that computer no longer can browse anti virus related web sites like McAfee, Norton, TrendMicro.. All those sites seem to be inaccesible.... My McAfee did not detect it, and when I tried to update it, system cannot find their web server....


----------



## JJJ999 (Aug 7, 2008)

I can access the virus servers, but the virus also hasn't done any apparent damage yet as spybot has been blocking it all day!


----------



## TAliyev (Aug 7, 2008)

Well, I cannot find this damn thing. In safe mode it is invisible..... Windows registry no longer shows this 'Intelli mouse' entry, before I could not get rid of it... now it is gone by itself... Still cannot see antivirus web sites. By the way, I did do system restore and now I do not have those error 21 pop-ups, but this virus is still here...... I wonder what is going to happen next....


----------



## !cweb5! (Aug 7, 2008)

In Safe Mode + command Prompt I typed in C:\WINDOWS\system.....
It asks me if I'm sure and I type "Y"... then 

splm,\kbdsapi.dll - Access is denied.
splm\lmfunit32.dll - Access is denied ... shows up.

Also, when I try system restore, it won't let me hit the next button to confirm. The error 21 at .... pops up again.

Any suggestions? Thanks.


----------



## kittyfluff (Aug 8, 2008)

I picked this up yesterday and have been trying to get rid of it since. I've tried scanning in Safe Mode with my antivirus and malware software. It picked up some of the components installed (imfunit32.dll, kbdsapi.dll) and removed them, but couldn't remove ncsjapi32.exe

I tried System Restore and this failed to work.

I tried going into Safe Mode + Command Prompt and typing in
C:\WINDOWS\system32
RMDIR splm /S 

but it won't recognise the command or locate the file.

I would love to just reformat and reinstall, but my XP disk is stupidly back in the UK and I am currently in Ireland.

Anything else I can try?


----------



## Took the Elder (Aug 7, 2008)

Sorry that dancoppock's solution doesn't seem to be working for everyone else!:down:

However, if it has worked for anyone, but the show hidden files and folders option is still not working, i have found a possible solution at:

http://www.technize.com/2007/05/13/show-hidden-files-and-folders-not-working/

the second option appears to have worked for me.....


----------



## dancoppock (Aug 7, 2008)

Sorry to hear that this has been causing people so many problems.

Before I booted into Safe Mode + Command Prompt, while I was logged into Windows normally I ran Autoruns [http://technet.microsoft.com/en-us/sysinternals/bb963902.aspx] from a USB drive, clicked on the 'Everything' tab, and searched for and disabled all entries called 'ncsjapi32.exe'.

I didn't think this would be a necessary step but if you can download and run Autoruns it will allow you to edit the registry items which start ncsjapi32.exe.

You should then be able to boot into Safe Mode + Command Prompt and remove the offending items.

Hope that helps.


----------



## Shark01 (Aug 8, 2008)

*Long post, important stuff in bold.

Got infected yesterday when my bro clicked a link posted on his Facebook wall.*

A friend of ours account apparently got hacked, or someone got their password, and was being used to post on a lot of the walls of people on their friends list, again using their account and making people more willing to click. A bunch of their friends got infected.

*We got the "Error 21" messages popping up (we got two. Learned if we leave them, we can't do anything, close both and computer freaks out and we can't do anything, close only ONE and leave ONE open and we could still do everything normally.) They are gone now!* But those messages were the only prob we were seeing except for the also new crashing of a WMP300N.exe (used for our wireless net card) when logging off (which I got fixed).

My bro looked for "Error 21" help and found it is "Something with the registry" and DLed a few "Guarinteed" fixing programs that did not help.

*I searched and searched for "Error 21" with no help, then I looked at currecntly running things with task manager and startup entreis with CCleaner and Windows Defender. Found a "ncsjapi32.exe" (saying it was "Intelli Mouse 2.08" or something) and searched google, this page was the ONE result.*

*I read about not being able to see hidden files, update antivirus, or view antivirus sites. I checked these. I could use and view hidden files, update my antivirs, and view mentioned antivirus sites (I use Firefox). I then thought "Maybe they meant Internet Explorere", and sure enough said sites wouldn't work there.*

I didn't want to jump right into using safe mode and command promt before looking at some other stuff.

I removed and deleted the startup entries using multiple programs, but they always made new ones. I then updated Spybot and scanned, it found the program and some of the changes it made, fixed them! Stoped the virus from running and the startup entry for only a short time (then it made new ones) but did fix the antivirus sites in IE.

*Eventually I did what dancoppock said with safe mode and command promt. Typed exactly what he said, only took a few seconds, confirmed the action, rebooted, no more Error 21 messages! No more ncsjapi32.exe or the other dlls and crap! Everything runs perfect! Just removed the startup entries to clean the registry and everything is perfect again!

Thanks for helping me fix the "Facebook Virus" **dancoppock! You Rock!*

I am now sending infected friends this way and will be telling me friend who's account was sending links to this virus to send her friends this way.

Also, I want to point out that I think Facebook might be catching onto this, at least with my friend's account. All the posts that her account made (that she didn't delte after finding out it was a link to a virus) Facebook apparently came through and deleted themselves. So maybe Facebook will help their users by stoping further spreading of this.


----------



## JJJ999 (Aug 7, 2008)

I ran the autoruns and got rid of the ncsjapi43's and then went back and tried to do the Safe Mode + command prompt again. When I bring it up it says C:\mycomputer/mydocuments and then I type in the C:\system 32 then on the next line the C: stays at my computer and I type in the RMDIR splm /S and do the Y and it says the file can't be found. Should it be changing to C:\system 32 before I type in the RMDIR... ? Could this be the problem, and if so, how do I change this? Thanks, sorry don't know much!


----------



## Shark01 (Aug 8, 2008)

JJJ999, you said you typed in: C:\system 32

You need to type in: CD "C:\WINDOWS\system32"

You left out the "CD" the "WINDOWS\" the "quotes ("")" and added a uneeded "Space" in between "system" and "32" if you really typed what you said you typed. 


Typed it EXACTLY as dancoppock typed it.

It worked for me.


----------



## JJJ999 (Aug 7, 2008)

Sorry about the errors in my fast typing shark, I did type exactly what dan typed, spaces, quotes, and all. After the C: it says it doesn't match internally or externally, and after the RMDIR it says that the file can't be found.


----------



## JMG777 (Aug 8, 2008)

The system restore worked for me and I'm not much of a technical person. You can follow the instructions at the following link: http://support.microsoft.com/kb/304449 to restore your system to a date before the runtime error 21 issue occurred.

I was also able to do this by booting up in the "safe mode" (meant to boot up in safe mode - command prompt) and then was given the option to restore the system so I just tried it and it seems to have worked. The annoying windows are gone. Good luck.


----------



## djmellowfellow (Aug 9, 2008)

Hey, I've tried using HijackThis as suggested by some peops. In normal mode it shows up some files which end with the virus (ncsjapi32.exe). However, I've no idea how to use HJT in Safe/Command Prompt mode.

I've also tried Dancoppock's method but in fact I'm stumped when it gets to Safe/Command Prompt mode. I have no idea how to locate the file I want. I tried typing in many varieties of the following: CD"C:\WINDOWS\system32"
RMDIR splm /s

but every time I get a reply saying that ...is not recognized as an internal or external command... OR a reply saying that the system cannot find the path specified.

Can anyone help please?


----------



## momneedshelp (Aug 10, 2008)

Just a quick thanks to dancoppock - My son picked up this runtime error 21 on facebook, I thought the error was related to McAfee since it wasn't working. Spent way too long working with them without results. Thanks for sharing you knowledge and skill.


----------



## kongkong (Aug 11, 2008)

JJJ999, djmellowfellow

You can try doing this...
Make sure you are on safemode with command prompt
type *cd/* 
then *cd %systemroot%\system32*
then type *RMDIR splm /S*


----------



## danjo11 (Aug 11, 2008)

Thanks everyone for the help. The command and safe mode worked for the error boxes. But I still cannot access certain antivirus sites like symantec. what should i do?

Thanks,

Danny


----------



## Shark01 (Aug 8, 2008)

danjo11

The virus changed some settings in the host files stored on your computer for Internet Explorer and just removing the virus does not fix that and therefore you still can not access those sites until the problem caused by the virus is fixed.

A few things to help you.

First, why the hell are you still using Internet Explorer? It is stupid, slow, and the least safe browser there is (well, actually, there are many with worse protection, but MOST viruses, malware, and other attacks specifically go for IE if any internet browser, so overall, it is the worst). Use Firefox. Better, faster, safer.

(BTW, When I saw people saying this virus was stopping them from accessing said antivirus sites, I tried them and they all loaded for me, but again, I use Firefox. I then thought "Maybe these are some stupid IE users", so I tried IE, and sure enough, those sites didn't work.)

Secondly, use Spybot Search & Destroy. It will fix things so IE can access those sites again. If you don't have Spybot, it is freeware, go get it. Update and check for errors, it will fix things. Also use the Immunization feature to better protect your computer from malware and other problems.


----------



## djmellowfellow (Aug 9, 2008)

Thank you Kongkong. I tried it as you suggested. When I typed in the RMDIR bit I was asked to confirm with a Y or N. I typed Y and nothing seemed to happen except a new line came up saying C:\WINDOWS\system32>

I tried it again and this time it said "The system cannot find the file specified". However, when I restarted the computer in normal mode the error boxes are no longer coming up so I think this may have fixed it! Yippee!

There are still some files on the computer according to Hijackthis - d'yu think I can safely delete these? I'll be keeping a close eye on this over the next few days. Thanks again - How did you work out how to do it?


----------



## NACW (Aug 11, 2008)

In my case the folder and files were Attrib +H and +S. This will hide the files and set them to SYSTEM FILE status. System files can not be deleted. cd c:\windows\system32\splm then type attrib -h -s *.*
this will allow you to see the files and delete them. My problem is that 
the trojan blocked virus websites in IE and Firefox. I can not get to bitdefender.com for example ... Any Ideas????


----------



## Shark01 (Aug 8, 2008)

NACW

At one point this was blocking sites in IE for me. Before I completely removed the virus, I was able to (temporarily (then I did this again after removing the virus)) fix this and get the sites back in IE by using Spybot Search & Destroy. Just do a Check for Problems scan and let it fix things. (This never affected Firefox and blocked sites in Firefox for me, but Spybot also checks for Firefox problems and stuff as well as IE).

Also, you can use Spybot to Immunize your system from many things to better protect yourself from more malware (but update and immunize often).


----------



## djmellowfellow (Aug 9, 2008)

Some people say that if you disable system restore it removes one of the dodgey files. Then you can get the rest in safe mode with Hijackthis, MSCONFIG and REGEDIT. (see the forum at http://www.fixya.com/support/t886930-runtime_error_21_xp_sp2)

I'm worried about disabling System Restore in case I do something wrong. But has system resore failed to work for most people anyway?

Does anyone know if this virus is dangerous?


----------



## NACW (Aug 11, 2008)

Thought about it for a while ..... HOSTS file could be redirected to 127.0.0.1 or even 0.0.0.0 ... that is exactly what it does. It redirects any request for most antivirus web sites including bitdefender and trend micro. 
THe two most needed for because of the ability to remove the virus after scan (FREE) 
Search for "Host"
Edit in notepad to remove any entries like these below
( if you have spybot installed pay attention to the 127.0.0.1 they list 
sites that have been found to have viruses hosted)

0.0.0.0 trendmicro.com
0.0.0.0 www.trendmicro.com
#
0.0.0.0 norton.com
0.0.0.0 www.norton.com
#


----------



## Shark01 (Aug 8, 2008)

NACW, again, Spybot does all of that for you.

So, for people that don't want to do everything by hand, use Spybot.


----------



## NACW (Aug 11, 2008)

I tried spybot to see what it would find. It did see and list the entry for 
the web site redirect. The only problem was it only saw and removed the 
first line which was the IE. www.bitdefender.com the next line was bitdefender.com. spybot decided to ignore the second entry in the host file.

I never used spybot untill today so I might have missed a setting. It asked me if I wanted to fix all checkmarked items I said yes...

>>> Try to Learn somthing new everyday <<<


----------



## Shark01 (Aug 8, 2008)

Well, guess I am just really lucky, or really smart.

A lot of people say dancoppock's stuff didn't work, just it did for me. And Spybot fixed all the host file stuff for me, no probs. I personally went through with the help of CCleaner and Windows Defender afterwords to make sure that there were no left over startup registry entries, and then I cleaned everything else up.

I don't know why this stuff isn't working for others. This was a real easy fix for me after seeing what dancoppock said.


----------



## NACW (Aug 11, 2008)

I am now a fan of spybot..... it is a great tool. I like the fact it lets u see what it has found and lets u select what you want to remove or keep. I just posted the manual info because SOME people were not as lucky as others including me.

PS. I had another machine with the same virus this morning and dancoppock's instruction worked without a porblem 

Thanks all!

<< ignorance is just laziness>>


----------



## Joshanks (Aug 14, 2008)

Ok, I have managed to get rid of the virus without booting into safe mode, here is how to do it.

1. Turn off system restore
2. Kill the process ncsjapi32.exe
3. Reboot the machine, but DONT log on

4. From another pc/server browse to


----------



## Joshanks (Aug 14, 2008)

Ok, I have managed to get rid of the virus without booting into safe mode, here is how to do it.

1. Turn off system restore
2. Kill the process ncsjapi32.exe
3. Reboot the machine, but DONT log on
4. From another pc/server browse to "\\computername\c$\windows\system32\" this will show the folder splm, right click and properties, the security tab, then advanced, remove the tick box at the bottom of the page and then select 'remove' from the pop up box. 
5. Click 'Add' and type in "everyone" then select check name. In the tick boxes select the full control DENY. A warning will come up click ok and then reboot.
6. Browse to location again and delete the entire folder. 
7. Log on to the PC and delete the following registry keys:

The following registry keys are added:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\Intelli Mouse Pro Version 2.0B\StubPath: "%WinDir% \System32\splm\ncsjapi32.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\*Intelli Mouse Pro Version 2.0B*: "%WinDir% \System32\splm\ncsjapi32.exe"
HKEY_USERS\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden: "2"
HKEY_USERS\Software\Microsoft\Windows\CurrentVersion\Run\Intelli Mouse Pro Version 2.0B: "%WinDir% \System32\splm\ncsjapi32.exe"
HKEY_USERS\Software\Microsoft\Windows\CurrentVersion\RunOnce\*Intelli Mouse Pro Version 2.0B*: "%WinDir% \System32\splm\ncsjapi32.exe"
HKEY_USERS\Software\Microsoft\Windows\nScan32\ExecuteDate: "14\8\2008
8. Edit the host file in c:\windows\system32\drivers\etc\hosts (open with notepad) and delete everything below the local host entry. If you have sybot installed that will be alot. (You want to do this otherwise your AV may not update) 
9. Run Regedit, Navigate to:
HKCU\Software\Microsoft\Internet Explorer\Desktop\SafeMode\Components
Change the DeskHTMLVersion key from 272 to 0 

10. Reboot the last time and it should be gone.


----------



## jonyboy (Aug 15, 2008)

hey so i get the virus through face book that you are all talking about and i followed the instructions to turn it of and back in safe mood onl wheni did the it never started it just keeps circling between startup screen and that menue

pleas help


----------



## el_nacho (Aug 16, 2008)

Hey guys, stupidest issue of them all, but I'm using an HP PC with Windows XP and when it starts up, i can't find the option for Safe mode. All I see are Boot menu, Setup, and System Recovery, none of which offer a safe mode option. Is there any other way to possibly get to it? It's the only tihng stopping me from following dancoppock's method.


EDIT: I've found safe mode, but using the command prompt, i was unable to put the CD in front of dancoppock's command. Spybot is suppressing it right now. Can someone help me get rid of it for good?


----------



## Canucksfan01 (Aug 16, 2008)

Ok, I thank you all for getting rid of the virus. When the virus was in place it hid almost all of my files, when the virus was removed, the files are still hidden. How can I get them unhidden? I tried in file options in the control panel but the "show hidden files" radio button resets itself to "dont show hidden files" everytime I exit out of the screen.


----------



## NACW (Aug 11, 2008)

*Method 1:*

Go to registry editor by running regedit in the run box.
Go to this key:
HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Explorer\Advanced

In the right hand area, double click hidden and change the value to 1.
Now you're all set to go. Check it in your tools menu if the changes have taken effect.
*Method 2: (By Random Hajile)*

1. Click "Start" -> "Run…" (or press Windows key + R)
2. Type "regedit" and click "Ok".
3. Find the key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\
Advanced\Folder\Hidden\SHOWALL
4. Look at the "CheckedValue" key… This should be a DWORD key. If it isn't, delete the key.
5. Create a new key called "CheckedValue" as a DWORD (hexadecimal) with a value of 1.
6. The "Show hidden files & folders" check box should now work normally.


----------



## ScottTD (Aug 23, 2008)

My brother's computer has contracted this virus, and we've been working on trying to fix it since last night.

We tried deleting the startup entries using Autoruns on a USB drive, and then (running in safe mode) pulling up the command prompt and trying to delete the files in the splm directory. It gave us "access is denied" on each file. We then tried typing "attrib -h -s *.*" as recommended by NACW. Then we tried deleting again, and still access denied. Then we tried to gain ownership of the files as shown here (howtogeek.com article) ("takeown /f *" and then "cacls * /G username:F"). This appeared to work until we tried deleting again, and it still gave us access denied. At this point, we tried a system restore from over a week ago, and it changed nothing.

We can see the files listed in the folder when in the command prompt in safe mode, however we can't seem to delete them. Any other ideas?
EDIT: The problem seems to be resolved. We tried a few things: downloading SpyBot and letting it stop registry changes, and also deleting any Itellimouse related registry entries. After that, we were able to delete splm using the command prompt in safe mode. Thanks to everyone for their help!


----------



## Canucksfan01 (Aug 16, 2008)

NACW said:


> *Method 1:*
> 
> Go to registry editor by running regedit in the run box.
> Go to this key:
> ...


I did both and it still doesn't work, any other ideas? I wouldn't mind if it was useless files but it is hiding all the windows related stuff.
I can get the values to stay at 1 now, where I couldn't before, but it still wont save the show hidden files and folders option, it just resets itself.


----------



## curryjg44 (Aug 31, 2008)

I have a solution...I don't claim to know anything about any of this stuff. I typed RMDIR splm/s. Notice there's no space? Well that worked just fine!! Maybe that'll work for you.


----------



## Amthea (Feb 19, 2008)

Canucksfan01 said:


> I did both and it still doesn't work, any other ideas? I wouldn't mind if it was useless files but it is hiding all the windows related stuff.
> I can get the values to stay at 1 now, where I couldn't before, but it still wont save the show hidden files and folders option, it just resets itself.


You need to delete the "Folder" key under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced.


----------



## djmellowfellow (Aug 9, 2008)

Help!

My Antivirus has stopped working properly since having this virus. I got rid (so I thought) of the virus by the advice on this forum (using CCleaner/HJT/MsConfig/Regedit)...BUT now the AV won't update. I tried re-installing it but I can't connect to the AV site. I'm now without AV and the one I've got I'm paying a subscription for so I'm not too happy.

JOSHANKS...I tried looking for the reg keys you mention. Most are already gone - can I delete the whole folder:
HKEY_LOCAL_MACHINE\Software\Microsoft\Active Setup\Installed Components\Intelli Mouse Pro Version 2.0B

Also I can't see my hidden folders either. I tried out NACW's advice and AMTHEA's advice...NOW when I open up tools/folder options/view I get an empty box!!!!!!! and it still doesn't work! Please help me out.

Thanks for all your advice.


----------



## djmellowfellow (Aug 9, 2008)

Well my antivirus has managed to reinstall now: the internet seems to work again.

BUT!!!! My Tools>Folder Options>View box is still empty and on my area I can see all the hidden files. Is there anything I can do to solve this???


----------



## baldbiker (Sep 5, 2008)

One other note on this, I think I found how the file was being recreated. in regedit, do a search for "PendingFileRenameOperations". In my system, I found an entry that renamed "c:\windows\temp\015574~1.exe" to "c:\windows\system32\splm\kbdsapi.dll". Once that was removed, (along with the steps above), and the system rebooted, the system began functioning normally again. Hope this helps....


----------



## baldbiker (Sep 5, 2008)

Oh, and I forgot one other thing. The reason your antivirus wasn't getting updated is the virus was adding a whole bunch of entries the the hosts file. It seems that it was trying to cover all of the known antivirus programs, by adding an entry for each of their urls to point to 0.0.0.0.


----------



## manly_man (Sep 15, 2008)

hey all. i safely removed this off my desktop computer thanks to DAN's suggestions... then i had to remove it off my laptop after i transfered files from my USB to my laptop... therefore, it is obvious to me that this virus or whatever is on my USB. How do i clean it off my USB without reformatting it? I cant afford to reformat my USB, it has all my grad school stuff on it. pretty much my whole life is on there... lol


----------



## Louis B (Sep 16, 2008)

I ran autoruns as well, but didn't find the ncsjapi32.exe or any of the other virus programs. This was after trying to run the RMDIR splm /S and the computer not being able to find it. Is the virus completely invisible? Because I know it's still there. One of the symptoms is when I run a google search and click on a search result, a popup opens in a new tab and it's just an search ad.


----------



## EO0830 (Sep 25, 2008)

Thanks dancoppock and Shark 01. I did exactly what you guys said and it eliminated the problem. The spybot rocks!


----------



## Sarah01 (Oct 2, 2008)

We discovered that when we plugged in a flash drive that had antimalware software on it, the virus jumped onto the drive, and then onto the other computer we plugged it into. Could be a coincidence but I don't think it is. 

We were affected by the hosts redirect- but were able to access AVG's website in Internet Explorer even with the redirect. But we did remove the offensive entries, and I think we're all cured. 

It looks like Facebook really is the cause; the computer we got the virus from was a frequent Facebook browser.

Has the flash drive jump affected anyone else?


----------



## Sarah01 (Oct 2, 2008)

OK, having some trouble getting rid of 2 of the Backdoor.Bots that were installed. We found them on Malwarebytes, but on the last computer we tried to remove them on, it totally blew the hard drive. Their file paths are C:\WINDOWS/system32/nScan and C:\WINDOWS/system32/splm . Any suggestions? We're backing up our data right now and then we're going to try and delete them (so we're prepared if our hard drive goes out)... is there anything else we can do to reduce the risk?


----------



## blues_harp28 (Jan 9, 2005)

Hi guys and girls.
Welcome to those who may be new here.

Best policy is to start your own thread and post your separate problems.
Looking through this thread it is impossible to know who is who and who has had their problem solved or not.

Not to mention that some maybe all should be posted in the Xp forum.

Good luck to you all.


----------

