0

Hey, I've looked through this forum and haven't found any thread about my situation, so i decided to post a new one.
One day last week I opened up Internet explorer, and wanted to goto one of my favorite links. When I clicked on favorites though, instead of having my favorite links come up, it was replaced with my C:/Windows file! I've tried everything to try to get it back to normal.. I went to regedit even to look through my files and see, but I've found nothing. I dont know how it got like this, and i need help to try and get it back to normal. My regular favorites are still saved in my C:/documents and settings/me/favorites though. just the folder on IE is replaced.

I was trying to think of things that might have caused this, and the only things I could think of was either maybe a virus, or by a spyware remover. I've found loads of spyware on my computer lately, so I've been scanning my computer with many programs and removing all that it finds. Maybe it removed the file that sends my favorties to IE? Im not sure!

I've included my Hijackthis log, maybe it could help?:

Logfile of HijackThis v1.99.1
Scan saved at 12:57:57 PM, on 4/30/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.exe
C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
C:\WINDOWS\System32\LXSUPMON.EXE
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Google\Gmail Notifier\gnotify.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\AIM+\AIM+.exe
C:\PROGRA~1\THEWEA~1\THEWEA~1.EXE
C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\ewido\security suite\securitysuite.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\Documents and Settings\Katie\My Documents\zip downloads\HijackThis.exe

F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O2 - BHO: BolgerObj Class - {302A3240-4805-4a34-97D7-1645A0B08410} - C:\WINDOWS\Bolger.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
O4 - HKLM\..\Run: [PrinTray] C:\WINDOWS\System32\spool\DRIVERS\W32X86\2\printray.exe
O4 - HKLM\..\Run: [LXSUPMON] C:\WINDOWS\System32\LXSUPMON.EXE RUN
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] C:\Program Files\Google\Gmail Notifier\gnotify.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [AIM] "C:\Program Files\AIM+\AIM+.exe" -cnetwait.odl
O4 - HKCU\..\Run: [Desktop Weather 3] C:\PROGRA~1\THEWEA~1\THEWEA~1.EXE
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe"
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe

3
Contributors
5
Replies
6
Views
12 Years
Discussion Span
Last Post by DMR
0

Hello beauchicox3, welcome to the site. :)

1.
Your log does still indicate at least one infection, but you need to take care of one thing before we proceed:

C:\Program Files\Internet Explorer\iexplore.exe

The log entry above indicates that you had at least 1 instance of Internet Explorer running when you ran HijackThis.
Before fixing problems with HijackThis, you must make sure to close/quit ALL instances of your web browser. HijackThis cannot fully perform its fixes while browsers are running.


2. Once you've taken care of the above, reboot into Safe Mode (you get to the safe mode boot option by hitting the F8 key as your computer is starting up) and:

a) In your Start menu, click the "Run..." option, type the following command in the "Open:" box, and click OK:
services.msc

When the Services console opens, locate "System Startup Service",
right-click on it, and choose "Properties". On the "General" tab under "Service Status" click the "Stop" button to stop the service. Beside "Startup Type" in the dropdown menu select "Disabled". Click Apply then OK. Exit the Services console.

b) Run HJT and have it fix the following (don't close HJT after the fixes are done though):

F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O2 - BHO: BolgerObj Class - {302A3240-4805-4a34-97D7-1645A0B08410} - C:\WINDOWS\Bolger.dll (file missing)

O23 - Service: System Startup Service - Unknown - C:\WINDOWS\svcproc.exe

Once HJT completes the fixes:

- Click on the "Config" button in the lower right corner. In the next window click on the "Misc Tools" button at the top then click the "Delete an NT service" button. Type the following in the box and click OK:

svcproc


- Again in the "Misc Tools" window, click on "Delete a file on reboot". In the Explorer windows that opens, navigate to C:\WINDOWS\Nail.exe and double-click on it. Click "Yes" in the resulting reboot confirmation dialog box and allow the system to reboot normally.


3. Run HJT and post a fresh log.


4. Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

The above log entries indicate that your system is somewhat out-of-date. You need to use the Windows Update feature to download and install all of the most current critical fixes and program updates from Microsoft's website.

0

you could try reinstalling ie, i think it will save your favorites
or try mozilla and import your favorites

0

you could try reinstalling ie, i think it will save your favorites
or try mozilla and import your favorites

Yes perhaps, but we need to get rid of the existing infections first, as "reinstalling" IE over a currently-infected version isn't advised.

0

Hey, thanks for the welcome :cheesy:

Did all that you said to, had no problems. Here is my new log file:
Logfile of HijackThis v1.99.1
Scan saved at 1:01:15 PM, on 5/1/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Google\Gmail Notifier\gnotify.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\AIM+\AIM+.exe
C:\Program Files\AIM\aim.exe
C:\PROGRA~1\THEWEA~1\THEWEA~1.EXE
C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe
C:\Program Files\Spyware Doctor\swdoctor.exe
C:\Documents and Settings\Katie\My Documents\zip downloads\HijackThis.exe

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O4 - HKLM\..\Run: [PrinTray] C:\WINDOWS\System32\spool\DRIVERS\W32X86\2\printray.exe
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] C:\Program Files\Google\Gmail Notifier\gnotify.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [AIM] "C:\Program Files\AIM+\AIM+.exe" -cnetwait.odl
O4 - HKCU\..\Run: [Desktop Weather 3] C:\PROGRA~1\THEWEA~1\THEWEA~1.EXE
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe"
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE


My favorites are not switched back to normal, yet. I was thinking about some other stuff that could have caused this, and I was thinking that lately i've been having "aurora" popups and "xxxeye.com" and "xclusivexxoffers.info" porno popups. Never being to a porn website, i've tried to get rid of it, but have failed. So, i just keep X-ing these out. Do you think this might have caused it?

Thanks.

0

1. Did you get all of the Windows updates as I suggested? If you did, I would have expected to see some change in the Windows/IE version information in your log's header.


2. The problem with your Favorites may or may not have been caused by the infections; I can't honestly say, as I've never seen that exact symptom before. I don't know if it will do the trick, but you can try running the IEFix tool.

Just to be clear about it though- you are saying that when you click on the Favorites menu item, it displays the contents of your C:\Windows folder instead of your Favorites folder, right? If that's not exactly what's happening, please give us better description of what is happening.


3. Your latest log shows no signs of infections, but that doesn't mean that your system is clean yet. If you're still getting porn popups, you've obviously still got problems. Let's do some general clean-up to see if we can get rid of anything that's lingering:


A) Run a full anti-virus scan, making sure that your anti-virus program is using the most current virus definition updates. Also do the free online virus scans at these sites:

http://housecall.trendmicro.com/
http://www.kaspersky.com/scanforvirus.html
http://www.ravantivirus.com/scan/
http://www.pandasoftware.com/activescan/com/activescan_principal.htm


B) Download and run Ad Aware (download link are in my sig below).

Follow these directions for configuring Ad Aware (directions courtesy of our member "crunchie"):

1. When you first run Ad Aware, some of the settings will need to be changed before you scan

2.Close ALL windows except Ad-Aware SE

3. Click on the‘world’ icon at the top right of the Ad-Aware SE window and let AdAware SE update the reference list for the adware and malware.

4. Once the update is finished click on the ‘Gear’ icon (second from the left at the top of the window) to access the preferences/settings window

1) In the ‘General’ window make sure the following are selected in green:
*Automatically save log-file
*Automatically quarantine objects prior to removal
*Safe Mode (always request confirmation)

Under Definitions:
*Prompt to udate outdated definitions - set the number of days


2) Click on the ‘Scanning’ button on the left and select in green :

Under Driver, Folders & Files:
*Scan Within Archives

Under Select drives & folders to scan -
*choose all hard drives

Under Memory & Registry: all green
*Scan Active Processes
*Scan Registry
*Deep Scan Registry
*Scan my IE favorites for banned URL’s
*Scan my Hosts file


3) Click on the ‘Advanced’ button on the left and select in green:

Under Shell Integration:
*Move deleted files to recycle bin

Under Logfile Detail Level: (all green)
*include addtional object information
*DESELECT - include negligible objects information
*include environment information

Under Alternate Data Streams:
*Don't log streams smaller than 0 bytes
*Don't log ADS with the following names: CA_INOCULATEIT


4) Click the ‘Tweak’ button and select in green:

Under the ‘Scanning Engine’:
*Unload recognized processes during scanning
*Scan registry for all users instead of current user only


Under the ‘Cleaning Engine’:
*Let Windows remove files in use at next reboot


Under the Log Files:
*Include basic Ad-aware SE settings in logfile
*Include additional Ad-aware SE settings in logfile
*Please do not check or make green: Include Module list in logfile


5. Click on ‘Proceed’ to save the settings.

6. Click ‘Start’

*Choose:'Perform Full System Scan'
*DESELECT "Search for negligible risk entries", as negligible risk entries (MRU's) are not considered to be a threat.

7. Click ‘Next’ and Ad-Aware SE will scan your hard drive(s) with the options you have selected and clean automatically.

8. If Ad-Aware SE finds bad entries, you will receive a list of what it found in the window. Select all of the items in the list.

9. Save the log file when it asks and then click ‘finish’

10. REBOOT to complete the removal of what Ad-Aware SE found


* Run SpyBot.

1. Get the most current updates for the program.
2. Run the program. Once it completes, have it fix everything it finds.
3. Reboot.


C) Boot into Safe Mode (do this by hitting the F8 key as the computer is booting) and:

- Open Windows Explorer, and in the Folder Options->View settings under the Tools menu, select "show hidden files and folders", and uncheck "Hide protected operating system files".

- For every user account listed under C:\Documents and Settings, delete everything inside the following folders (don't delete the folders themselves though):

1. Local Settings\Temp
2. Cookies
3. History
4. Local Settings\Temporary Internet Files\Content.IE5

- Delete the entire content of your C:\Windows\Temp folder.

(If you get any messages concerning the deletion of system files such as desktop.ini or index.dat, just choose to delete those files; they'll be automatically regenerated by Windows if needed.)

- Empty your Recycle Bin.

- Reboot normally.


C) Download and run SpywareBlaster (link in my sig). Download the latest updates for the program and click "Enable all protection". Once it applies the protections you can close the program.


D) Let us know the results of doing the above and tell us if you're still getting the popups.

This topic has been dead for over six months. Start a new discussion instead.
Have something to contribute to this discussion? Please be thoughtful, detailed and courteous, and be sure to adhere to our posting rules.