[Dorian-Blue]

After rebooting my laptop yesterday my IE browser went crazy, spawning multiple windows and attempting to go to www.idolsonline.com (I'm greatful my home page was persistent). There was an executable called idolonline.exe that was maxing out my processor. I rebooted in safe mode and deleted idolonline.exe allowing myself to regain control of my computer when booting normally, but the browser would still launch itself for a single session (although I would not go online). I found and deleted the following files and their parent directories:

Directory C:\Documents and Setting\%USERNAME%\Application Data\EncArmySite
File: C:\Documents and Setting\%USERNAME%\Application Data\EncArmySite\wdnssnhj.exe
File: C:\Documents and Setting\%USERNAME%\Application Data\EncArmySite\PopBashFlap.exe
File: C:\Documents and Setting\%USERNAME%\Application Data\EncArmySite\idiogiqf.exe
File: C:\Documents and Setting\%USERNAME%\Application Data\EncArmySite\RdrListRef.exe

Directory C:\Program Files\EncArmySite
No files in this directory.

After deleting these files the browswer no longer came up without being prompted. I tried to reinstall my TrendMicro AntiVirus software but got the error "Cannot create directory system32" (or something close to that). I looked in the Windows directory using Windows Explorer as well as a DOS Shell and indeed could not see the system32 directory. However, in the DOS Shell I can cd into the system32 directory and see that all of the files are in there. Notepad and Word cannot navigate into the system32 directory by clicking since they cannot see the directory, but if I move a file into the system32 directory (using the copy command in the DOS Shell) and enter the explicit path to the file along with the file name I can read it in Notepad and Word.

Can anyone help me make the system32 directory visible again? I'm reluctant to go online again until I've reloaded TrendMicro with its latest definitions. Once I have things going semi-normal again where I can go online I will then go through the process of identifying and eliminating malware as described at the top of this site.

Dorian

Edited by Dorian-Blue, 04 January 2006 - 05:26 PM.

[Advertisements]

Click start then run, type sfc /scannow then press enter to replace the system files, you need the XP CD.

System File Check will show an on screen blue progress bar, reboot when the bar goes

[Retired Tech]

Click start then run, type sfc /scannow then press enter to replace the system files, you need the XP CD.

System File Check will show an on screen blue progress bar, reboot when the bar goes

[Dorian-Blue]

Thanks for the tip, Keith. Before I start this procedure.... I use the computer for a server and have several applications installed. Will this force me to have to reload all of the applications so that their drivers in the system32 directory will be recognized or does this procedure only affect Windows files (leaving the registry alone and existing files in place)?

[Retired Tech]

Here's the details, it is only concerned with checking the system files and replacing any which it needs to. You could visit Microsoft Update afterwards as it could overwrite hotfixes, but I haven't seen that yet

System File Checker gives an administrator the ability to scan all protected files to verify their versions. If System File Checker discovers that a protected file has been overwritten, it retrieves the correct version of the file from the cache folder (%Systemroot%\System32\Dllcache) or the Windows installation source files, and then replaces the incorrect file. System File Checker also checks and repopulates the cache folder. You must be logged on as an administrator or as a member of the Administrators group to run System File Checker. If the cache folder becomes damaged or unusable, you can use the sfc /scannow, the sfc /scanonce, or the sfc /scanboot commands to repair its contents.

http://support.micro...kb/310747/en-us