Author Topic: Problem in opening C and D drives after removing antirootkits  (Read 9267 times)


yourdoktor

  • Guest
Hi,

I'm a new member here, and I'm facing a problem. 

I work on Win XP SP3 and recently got infected with Win32 Vanti CB and Kavos from a flash disc (even though I had an updated Avast Home), which I removed with Avast, SUPERAntiSpyware and Dr.Web CureIt.

Unfortunately, after doing this I found that on double-clicking the C or D drive in My Computer I get a window asking me to select from a list of programs to open these drives.

Dr.Web CureIt has quarantined the autorun.inf files of the C and D drives, and on opening the quarantined files (autorun and autorun0) I get the same information in both of these notepad files:

[AutoRun]
open=6phx.com
shell\open\Command=6phx.com

So I would really appreciate some help in solving this problem.

Thanks.
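As an added example (not from the original post or from any of the tools named in this thread), a small Python checker that parses an autorun.inf like the quarantined one above and reports which keys rebind what happens when the drive is opened; the list of files passed to dangling_targets is a constructed assumption.

```python
from dataclasses import dataclass

# Constructed sample: the quarantined autorun.inf content quoted in the post above.
SAMPLE_AUTORUN = """[AutoRun]
open=6phx.com
shell\\open\\Command=6phx.com
"""

# [AutoRun] keys that make Explorer launch a file when the drive is inserted or
# opened; shell\<verb>\command entries rebind the context-menu verbs, and the
# default verb is what a double-click on the drive in My Computer runs.
LAUNCH_KEYS = ("open", "shellexecute")


@dataclass
class Finding:
    key: str
    target: str
    reason: str


def parse_autorun(text: str) -> dict:
    """Return the key=value pairs of the [AutoRun] section with lower-cased keys."""
    section, entries = None, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith((";", "#")):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section == "autorun" and "=" in line:
            key, _, value = line.partition("=")
            entries[key.strip().lower()] = value.strip()
    return entries


def audit_autorun(text: str) -> list:
    """Flag every entry that can cause a file to run when the drive is opened."""
    findings = []
    for key, value in parse_autorun(text).items():
        if key in LAUNCH_KEYS:
            findings.append(Finding(key, value, "launched on AutoPlay or drive open"))
        elif key == "shell":
            findings.append(Finding(key, value, "changes which verb a double-click runs"))
        elif key.startswith("shell\\") and key.endswith("\\command"):
            verb = key.split("\\")[1]
            findings.append(Finding(key, value, f"rebinds the '{verb}' verb to a file on the drive"))
    return findings


def dangling_targets(text: str, files_on_drive: set) -> list:
    """Targets the autorun.inf points at that no longer exist on the drive.

    This is the state after an AV removes the dropped executable but leaves the
    binding in place: Explorer tries to run a missing file, so Windows falls back
    to the 'Open With' program chooser instead of opening the drive.
    """
    present = {f.lower() for f in files_on_drive}
    return sorted({f.target for f in audit_autorun(text) if f.target.lower() not in present})
```

Explorer also caches a volume's autorun verbs under HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2, which is why the 'Open With' prompt can outlive both the deleted file and the quarantined autorun.inf.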

micky77

  • Guest
Re: Problem in opening C and D drives after removing antirootkits
« Reply #1 on: June 18, 2009, 04:53:27 PM »
Try running Autorun Eater first, to see if there are any bad autorun.inf files. You can insert your flash drive too, once the program is running: http://download.cnet.com/Autorun-Eater/3000-2239_4-10752777.html

Why are you opening the quarantined files?

[AutoRun]
open=6phx.com
shell\open\Command=6phx.com

http://www.prevx.com/filenames/X1457085484952379262-X1/6PHX.COM.html
« Last Edit: June 18, 2009, 04:57:02 PM by micky77 »

yourdoktor

  • Guest
Re: Problem in opening C and D drives after removing with antirootkits
« Reply #2 on: June 18, 2009, 05:46:09 PM »
Thanks for the prompt reply.

There were no bad autorun.inf files and prevx scan did not show any error.

I forgot to tell that when scanning archives with Avast boot sector scan there were 3 or 4 corrupted archive files - cab and some other files.

Anything else I can do?

micky77

  • Guest
Re: Problem in opening C and D drives after removing antirootkits
« Reply #3 on: June 18, 2009, 06:07:05 PM »
Sorry, I did not mean you to run Prevx.

Post a HijackThis log: choose 'scan and save a log file', then copy/paste the txt log here. You may have to split your log into several posts.
Also run a quick scan with MBAM (update first) and post the log here.

http://filehippo.com/download_hijackthis/

http://filehippo.com/download_malwarebytes_anti_malware/

Also, I have just been reading about a program called Disc Heal. I know nothing about it, but it's worth a look. Post the above logs first.

http://www.raymond.cc/blog/archives/2008/01/28/double-click-c-drive-at-my-computer-and-not-opening-fix/
« Last Edit: June 18, 2009, 06:33:06 PM by micky77 »

Spiritsongs

  • Guest
"Flash Disinfector"
« Reply #4 on: June 18, 2009, 09:14:47 PM »
:) Hi:

I recommend you look into using the FREE "Flash Disinfector", with very good info available at:

http://experi3nc3.wordpress.com/2007/05/10/flash-disinfector-by-subs

yourdoktor

  • Guest
Re: Problem in opening C and D drives after removing with antirootkits
« Reply #5 on: June 19, 2009, 03:03:29 PM »
Hi,
Thanks.
Here's the log from HijackThis, Part 1:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:08:18 PM, on 6/19/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16827)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Documents and Settings\Rajiv\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
C:\Program Files\DNA\btdna.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
C:\Program Files\Palm\HOTSYNC.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\Nokia\MPAPI\MPAPI3s.exe
C:\Program Files\Google\Update\GoogleUpdate.exe
C:\PROGRA~1\COMMON~1\PCSuite\Services\SERVIC~1.EXE
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\snmp.exe
C:\Program Files\Airtel\NetXpert\bin\sprtsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\mqsvc.exe
C:\WINDOWS\system32\mqtgsvc.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe


yourdoktor

  • Guest
Re: Problem in opening C and D drives after removing antirootkits
« Reply #6 on: June 19, 2009, 03:04:28 PM »
This is Part 2 of the HijackThis log:

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://rnd009.googlepages.com/google.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://rnd009.googlepages.com/google.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://rnd009.googlepages.com/google.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://rnd009.googlepages.com/google.html
R3 - URLSearchHook: Yahoo! ¤u¨ã¦C - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
F2 - REG:system.ini: Shell=Explorer.exe gphone.exe
O2 - BHO: btorbit.com - {000123B4-9B42-4900-B3F7-F4B073EFC214} - C:\Program Files\Orbitdownloader\orbitcth.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (file missing)
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - (no file)
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.1.807.1746\swg.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Yahoo! ¤u¨ã¦C - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [nxpclient] C:\Program Files\Airtel\NetXpert\bin\sprtcmd.exe /P nxpclient
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [PcSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [LightScribe Control Panel] C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe -hidden
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Rajiv\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - HKCU\..\Run: [BitTorrent DNA] "C:\Program Files\DNA\btdna.exe"
O4 - Startup: HotSync Manager.lnk = C:\Program Files\Palm\HOTSYNC.EXE
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O8 - Extra context menu item: &Download by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/201
O8 - Extra context menu item: &Grab video by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/204
O8 - Extra context menu item: Do&wnload selected by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/203
O8 - Extra context menu item: Down&load all by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/202
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {53F6FCCD-9E22-4d71-86EA-6E43136192AB} - (no file)
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: (no name) - {925DAB62-F9AC-4221-806A-057BFB1014AA} - (no file)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {106E49CF-797A-11D2-81A2-00E02C015623} (AlternaTIFF ActiveX) - http://alternatiff.com/install/00/alttiff.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1232026925579
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{66D6CB6D-230D-4A3A-B4A1-F50F48653996}: NameServer = 202.56.215.55,202.56.215.54
O17 - HKLM\System\CCS\Services\Tcpip\..\{C85C40D4-D8B7-4403-991E-A0536CCE338F}: NameServer = 202.56.215.41 202.56.215.54
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll (file missing)
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Google Update Service (gupdate1c9baa3ac5f35a0) (gupdate1c9baa3ac5f35a0) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: SupportSoft Sprocket Service (nxpclient) (sprtsvc_nxpclient) - SupportSoft, Inc. - C:\Program Files\Airtel\NetXpert\bin\sprtsvc.exe
O23 - Service: SupportSoft RemoteAssist - SupportSoft, Inc. - C:\Program Files\Common Files\SupportSoft\bin\ssrc.exe

--
End of file - 9590 bytes

yourdoktor

  • Guest
Re: Problem in opening C and D drives after removing antirootkits
« Reply #7 on: June 19, 2009, 03:06:48 PM »
Hi,

This is the log from Malwarebytes:

Malwarebytes' Anti-Malware 1.38
Database version: 2307
Windows 5.1.2600 Service Pack 3

6/19/2009 6:28:10 PM
mbam-log-2009-06-19 (18-27-56).txt

Scan type: Quick Scan
Objects scanned: 87489
Time elapsed: 7 minute(s), 32 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 5
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{6fd31ed6-7c94-4bbc-8e95-f927f4d3a949} (Adware.180Solutions) -> No action taken.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL\CheckedValue (Hijack.System.Hidden) -> Bad: (0) Good: (1) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell (Hijack.Shell) -> Bad: (Explorer.exe gphone.exe) Good: (Explorer.exe) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)
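As an added example (not from the original post or from Malwarebytes), a Python parser for the "Registry Keys Infected" and "Registry Data Items Infected" sections of a log like the one above: it lists what the scan reported but left untouched ("No action taken") and, for the Hijack.Shell item, which executables were appended to the Winlogon Shell value. The sample log is constructed from the lines quoted above.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample: registry sections of the Malwarebytes log quoted above, trimmed.
SAMPLE_MBAM_LOG = """Registry Keys Infected:
HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Ext\\Stats\\{6fd31ed6-7c94-4bbc-8e95-f927f4d3a949} (Adware.180Solutions) -> No action taken.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\Folder\\Hidden\\SHOWALL\\CheckedValue (Hijack.System.Hidden) -> Bad: (0) Good: (1) -> No action taken.
HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Shell (Hijack.Shell) -> Bad: (Explorer.exe gphone.exe) Good: (Explorer.exe) -> No action taken.
HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Security Center\\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.

Files Infected:
(No malicious items detected)
"""

# "Data item" lines carry the bad/good value pair; plain "key" lines do not.
# The path may contain spaces (e.g. "Windows NT"), so it is matched lazily up to
# the " (Detection.Name) ->" part rather than as a run of non-space characters.
DATA_ITEM = re.compile(
    r"^(?P<path>HK.+?) \((?P<detection>[^()]+)\) -> "
    r"Bad: \((?P<bad>[^()]*)\) Good: \((?P<good>[^()]*)\) -> (?P<action>.+?)\.?$")
KEY_ITEM = re.compile(r"^(?P<path>HK.+?) \((?P<detection>[^()]+)\) -> (?P<action>.+?)\.?$")


@dataclass
class MbamItem:
    path: str
    detection: str
    action: str
    bad: Optional[str] = None
    good: Optional[str] = None


def parse_mbam_log(text: str) -> list:
    """Extract every registry key / data item finding from a Malwarebytes log."""
    items = []
    for line in text.splitlines():
        m = DATA_ITEM.match(line.strip()) or KEY_ITEM.match(line.strip())
        if m:
            items.append(MbamItem(**m.groupdict()))
    return items


def pending_fixes(items: list) -> list:
    """Findings the scan did not change (the log was saved before 'Remove Selected')."""
    return [i for i in items if i.action.lower().startswith("no action")]


def injected_shells(items: list) -> list:
    """Executables appended to the Winlogon Shell value beside the expected Explorer.exe.

    Winlogon starts every program listed in Shell at logon, so an extra entry
    here is the persistence mechanism behind the F2 line in the HijackThis log.
    """
    extra = []
    for i in items:
        if i.path.lower().endswith("\\winlogon\\shell") and i.bad:
            expected = {t.lower() for t in (i.good or "").split()}
            extra += [t for t in i.bad.split() if t.lower() not in expected]
    return extra
```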



yourdoktor

  • Guest
Re: Problem in opening C and D drives after removing antirootkits
« Reply #8 on: June 19, 2009, 03:13:16 PM »
Hi,

What shall I do about these 6 infections found in the Malwarebytes scan?


Offline .: L' arc :.

  • Avast Evangelist
  • Super Poster
  • ***
  • Posts: 1780
  • Thinking with Portals
Re: Problem in opening C and D drives after removing antirootkits
« Reply #9 on: June 19, 2009, 03:46:29 PM »
-= I found these on your HJT Log:

(1) Firewall
      You are using Windows XP Firewall which lacks Outbound protection.. You may enhance your protection by downloading a firewall with outbound protection features.. Examples are:

         Agnitum Outpost, PCTools, Online Armor

(2) Deactivated Entries

       Unnecessary since already deactivated & can be a remnant of uninstalled programs.. These entries can be fixed [by HJT or can be automated by CCleaner]..

       O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (file missing)
       O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - (no file)
       O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
       O9 - Extra button: (no name) - {53F6FCCD-9E22-4d71-86EA-6E43136192AB} - (no file)
       O9 - Extra button: (no name) - {925DAB62-F9AC-4221-806A-057BFB1014AA} - (no file)

(3) Suspicious Entries
       I recommend that you submit these files to VirusTotal for better analysis..

      F2 - REG:system.ini: Shell=Explorer.exe gphone.exe
                -= Please submit gphone.exe to VT for a better analysis, majority of findings report this as a worm..
Windows 7 (64-bit) Home Premium SP1
avast! 9 RC1

yourdoktor

  • Guest
Re: Problem in opening C and D drives after removing antirootkits
« Reply #10 on: June 19, 2009, 04:12:44 PM »
Thanks for a swift analysis of HJT log

You're right about gphone being a worm as it had infected my system earlier and now with the help of Malwarebytes I've removed this from the registry.

yourdoktor

  • Guest
Re: Problem in opening C and D drives after removing antirootkits
« Reply #11 on: June 19, 2009, 04:22:14 PM »
Well, something wonderful has happened: both the C and D drives now open on double-clicking. This happened after I formatted my flash disc, and now the big question is this (not for me, as I have very little computer knowledge): how did this happen??

There is only one problem left: the My Computer window shows all the drives and folders such as My Documents, the C and D drives, the DVD drive, etc. together; earlier there were demarcations, with the top row showing My Documents, etc., then the middle row showing local drives and then the bottom row showing the DVD drive, etc. Now how do I solve this?

Thanks for your help.   

micky77

  • Guest
Re: Problem in opening C and D drives after removing antirootkits
« Reply #12 on: June 19, 2009, 05:01:40 PM »
That's good. I advise you still to run SAS: http://filehippo.com/download_superantispyware/
Also, can you navigate to C:\WINDOWS\system32 and copy and paste these two files to your desktop (so they are easy to find). Then go to VirusTotal, click browse, go to the desktop and upload one file at a time, and post back the results if they are found to be malicious (I doubt very much they are).

http://www.virustotal.com/

C:\WINDOWS\system32\mqtgsvc.exe

C:\WINDOWS\system32\mqsvc.exe

If you cannot find them, you may need to enable 'show hidden files'.
« Last Edit: June 19, 2009, 05:09:07 PM by micky77 »

yourdoktor

  • Guest
Re: Problem in opening C and D drives after removing antirootkits
« Reply #13 on: June 19, 2009, 06:10:11 PM »

Ran SAS - no threats detected

Sent files to virustotal - no problems there (0%)

I had already scanned with SAS before writing in this forum and it could not detect anything at that time either, but Malwarebytes did. Maybe Malwarebytes is a better program.

micky77

  • Guest
Re: Problem in opening C and D drives after removing antirootkits
« Reply #14 on: June 19, 2009, 06:16:04 PM »
Maybe Malwarebytes is a better program.

They complement each other. One finds things the other misses, and vice versa.

Regarding the 'My Computer' issue, you could try the Disc Heal program I suggested earlier.
« Last Edit: June 19, 2009, 06:21:18 PM by micky77 »