Cookies, History and TIFs moved ......

Hello all!

Suddenly there was some disc activity when the computer was idling. I thought nothing of it but when I continued using it I noticed this:

I had to log in to all sites where I usually stay logged in. This has happened before on one site at a time but not all sites at the same time.

The history had been cleared. On certain boards a thread that has been read changes colour but now all had the unread colour.

I opened Windows Explorer to check the folders in my account and found out that things had happened:

C:\Documents and Settings\My Name\Local Settings\Temp all of a sudden had Cookies, History and TIF subfolders.

The "original" folders were still there but with a contents that doesn´t seem normal.

In Internet Explorer > Tools > Internet Options > TIF-settings the location of the TIF folder and its maximum size had been altered and I think it is possible/probable that the Cookies and History also have been redirected.



Has anyone else had the same experience?



The only "new" site I visited was *www*.*stupidvideos*.*com* and it is possible that there is a connection. (remove the *s if You want to go there ...... ......)

I have scanned for malware using DO YOU HAVE PARASITES? but it found nothing.

I have yet to install spybot and ad-aware and run them.

Thanks for Your time,
Christer

 

So far I´ve done this:

Restart #1

In Internet Explorer > Tools > Internet Options > TIF-settings were back to normal.

The TIF folder had been cleared but was back to normal.

I once again had to log in to all sites which means that all cookies had been cleared.

History was back to normal with contents as prior to the event.

C:\Documents and Settings\My Name\Local Settings\Temp could be cleared of its contents except one file in use (no connection to this issue).

Restart #2

Everything back to normal except this:

A history folder with a subfolder being created in C:\Documents and Settings\Christer Engdahl\Lokala inställningar\Temp\Tidigare\History.IE5\MSHist012003092520030926

There is a reference to this path in the registry but it´s the "short" version, e.g. Docume~1 instead of Documents and Settings:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012003092520030926

and

HKEY_USERS\S-1-5-21-1757981266-1078145449-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012003092520030926

There are six similar subfolders in "Extensible Cache" but they all have the %USERPROFILE% type of path.

That history folder is similar to the one in C:\WINDOWS\system32\config\systemprofile\Lokala inställningar\Tidigare\History.IE5\MSHist012003060420030605.

There is a reference to this path in the registry:

HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012003060420030605

and

HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012003060420030605

This is the only subfolder in "Extensible Cache" and it has the %USERPROFILE% type of path.

I believe that something edited the registry which makes that folder appear and if deleted to be recreated in C:\Documents and Settings\Christer Engdahl\Lokala inställningar\Temp.

Now it´s 3 o´clock in the morning and I´ve got to get some sleep.

Christer

 

The Cookies, History and TIF folders that are supposed to be there had not been removed. They had been copied (?) to the temp folder and the contents tossed around between the repective folders.

E.g. the TIF folder that is supposed to be there, its properties said 2 folders and 50 files but it actually contained hundreds or thousands of files.

Christer

 

I have taken these actions:

Norton Anti Virus scan = clean

Trend Micro HouseCall = clean

SpyBot (easy mode) found 7 red problems, 1 Alexa related *.htm, 4 DSO Exploit registry changes and 2 Windows Media Player registry changes.
All problems fixed and rescan = clean.

Ad-aware found 2 problems, 1 Alexa regkey and one tracking cookie (bravenet).
All problems fixed and rescan = clean.



It seems to me like *www*.*stupidvideos*.*com* isn´t the culprit.

The only application on my system, that I know of, which use the "short" version of folder and file names is Norton Ghost.
In TaskManager an instance "GHOSTS~2.EXE" is running.

From "Answers that work - Task list programs ":

I will find out what this is about.

Christer

 

Nope, the only purging utility I have is Norton File Protection which is set to protect deleted files that didn´t go to the recycle Bin.
After 7 days they are automatically purged but if I wish I can do it manually. I did that a month ago when I created my latest Ghost Image.

I don´t even know what it is ...... ......



Two days ago we had a power failure which lasted for 5 hours. It was a "clean" power cut and the computer started without problem when the power came back.
I don´t think there´s a connection since this issue appeared 36 hours later.

Christer

 

brett,
thanks for the link "Custom XML "!

I have come to the same conclusion and will report back if it happens again.

I have removed the two regkeys with the abnormal path and the offending folder is no longer recreated in the temp folder.

However, can I be sure that no other registry key(s) have been added/altered?

I will wait a week or so to see if it reoccurs but then I will restore my system with my latest Ghost Image.

I have sent a question to Symantec Support regarding the GhostStartService.exe and it normally takes a day to get a reply.

Christer

 

Thanks brett!

I believe that I would be up to my chin in trouble using that application ...... ...... I would have to learn much more to know what to allow and what not to.

Some other useful applications too, on that site.

Christer

 

Thanks for the informative confidence booster ...... ......
I think that I´ll try it ...... ......

Christer

 

Lonny,

You probably hit the nail on the head. I´m not sure about flash or macromedia but there were a lot of stupidvideos that were too stupid to watch. I interrupted quite a few of them.

Your comment made me remember a thread about unfinished streaming media which went to a super hidden part of the TIF folder. I even took part in that discussion, see Temporary Internet Files

Wow, is my memory short or what ...... ...... but I didn´t realize that the cash could be completely messed up!

Thanks,
Christer

 

In an earlier post I told that I was going to find out what GhostStartService, a Service running in the background on Windows XP, is about.
I asked Symantec Support and for any interested user of Norton Ghost 2003, this is their answer:

Regards,
Christer