Windows "My Computer" is... "broken"

Hey guys.
Now this is going to sound like an obvious problem. I play WoW (please don't flame me for it, it's boring and I've heard it all before). Recently my account was "hacked" - a phrase that until now I have hated & not believed. However I came back from not using my WoW account for a few days and found it had been permanently closed because of dodgy activity, etc.
Basically, somehow a keylogger / trojan has ended up on my PC. I found it with an AVG scan and I'm 99% sure it's gone and I'm clean again. It seemed to find (and remove) "kvosoft.exe" in the system32 folder. Nothing comes up on a full scan any more and I've always been fairly intimate with the processes I have running, the services I have enabled / disabled, and my startup routine. In fact, the most shocking thing for me about the whole thing is how I got infected in the first place - I literally have no idea having not installed anything new recently or opened any dodgy email attachments, etc, etc.

Anyway - time to cut to the point.

Since I "fixed" this problem, "My Computer" is kinda broken. Basically when I click on a hard disk in there it comes up with the "Open with..." window rather than actually browsing the drive. You can select "Windows Explorer" to open it with and it will open the drive in a new window. All the files appear to be there and are fine. Trendmicro Housecall found something dodgy in the "autorun.ini" of my three partitions but was unable to specify the problem or fix it. Could this be related?

I just wondered if anyone had ever had anything like this before or if anyone had any idea how to fix it? I really want to avoid a format if possible.

Also, possibly related, possibly not - I can't get explorer to display hidden files or system files. I go to the "Tools" -> "Folder options" as per usual and select the two options to display hidden files & to display "protected system files", then hit OK but nothing shows up.

See below for a paste of my Hijackthis log just in case it helps. The rainlendar, KHALMNPR.EXE and SetPoint.exe are all normal and have been used for years. They aren't new basically. Am I missing anything obvious in it?

Thanks in advance!


Logfile of HijackThis v1.99.1
Scan saved at 21:35:28, on 15/12/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Rainlendar\Rainlendar.exe
C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
C:\WINDOWS\system32\LVComsX.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/ig?hl=en
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: IEHlprObj Class - {CE7C3CF0-4B15-11D1-ABED-709549C10000} - C:\WINDOWS\system32\hgkjghg0.dll (file missing)
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - Startup: Rainlendar.lnk = C:\Program Files\Rainlendar\Rainlendar.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/win...ls/en/x86/client/wuweb_site.cab?1229330651671
O16 - DPF: {784797A8-342D-4072-9486-03C8D0F2F0A1} (Battlefield Heroes Installer) - http://t1.battlefield-heroes.com/patcher/westpatcher.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: avgrsstx.dll
O20 - Winlogon Notify: LBTWlgn - c:\program files\common files\logitech\bluetooth\LBTWlgn.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Logitech Bluetooth Service (LBTServ) - Logitech, Inc. - C:\Program Files\Common Files\Logitech\Bluetooth\LBTServ.exe
O23 - Service: TVersityMediaServer - Unknown owner - C:\Program Files\TVersity\Media Server\MediaServer.exe
 
I've found pretty much all of the free virus scanners to be crap tbh.
The fact it found something was impressive as it is. Perhaps I'll try some of those you suggested as well to be sure.

But you're missing the point a little.... I am fairly sure the infection is dealt with - it's the residual problem with My Computer that I am posting about. Any ideas?
 
Okay. Thank you & point taken.
I will try all of the above.

But I still have the problem of the disk drives not opening properly (and being unable to view any hidden files), which is the main reason for this thread.
 
Try typing "sfc /scannow" from a command prompt. That will scan your Windows files and see if any are invalid.

<off-topic> I also live in Leighton Buzzard! When I saw your location, I went to your website, only to find that you went to Oxford and so do I! Also saw that you went to Cedars - I'm a Vandyke kid :p Where roughly in Leighton do you live, and which college did you go to? </off-topic>
 
Hi Mattus :)
Yeah I lived in Linslade technically but have since moved to Brisbane, Australia to do my PhD. I was at Univ doing Chemistry from 2003 - 2007 :) Nice to meet you.

Thanks for your idea as well. I'm at work at the moment but I will try it when I get home. Just a question though - it needs the XP CD to run that command apparently, does it replace files that have been updated by windows update with ones from the CD? If so, is it going to cause problems?

Thanks for the help so far people. I have done some googling as well and will be trying a few registry changes to try and allow myself to view hidden files when I get in.
 
The best way to get rid of infections is a fresh install of windows after formatting your drive. Invariably, silly problems in windows that aren't fixed with the system file checker and often caused by infections, are not worth messing around with, it's just a waste of your time imo.
 
ditch avg, it's crap

:p Couldn't have put it better myself.

Use Avast & make sure you switch off System Restore prior to scanning & switch it back on after you have cleaned/scanned.

Also use Super antispyware Free edition, Ad-Aware & Ccleaner.
 
Hey guys.
Since I "fixed" this problem, "My Computer" is kinda broken. Basically when I click on a hard disk in there it comes up with the "Open with..." window rather than actually browsing the drive. You can select "Windows Explorer" to open it with and it will open the drive in a new window. All the files appear to be there and are fine.

I recall a problem I faced before like this on a friends machine quite some time ago, the particular virus altered the registry so that rather than the windows shell being called to open such things it ran the virus exe first, that way the virus itself never had to appear anywhere in startup entries as the user would trigger it themselves almost right away.

Unfortunately I don't recall the exact registry entry but you should be able to locate it yourself, you say the virus found was called "kvosoft.exe", confirm this with the antivirus scan logs and then search for this filename using the registry editor. If you find this entry do not delete it, post details of the entry location and details as you will need to edit it back to what it was before, we should be able to check this against our own machines and give you the correct details.

Good luck :)
 
Hi Guys.
Thanks again for all the help so far.

I have had some progress.

The first thing I did was leave an AVG full scan overnight. This happened to find an infected .com file in the root directory on my external hard disk. It removed this file and found it nowhere else on the PC.

Next I got into the registry and manually set the key that shows all hidden files. This worked perfectly and also allowed me to "show hidden system files" too.

Now I had a feeling (from a Trend Micro HouseCall scan a couple of days ago) that there was something dodgy in the autorun.inf of each of my partitions, so (with my new ability to see this file) I opened them up and saw that each one was trying to point Windows at the infected .com file mentioned above. As I said before, the file itself wasn't there any more, but the bad autorun.inf files still were. So I simply removed them and voila.... the problem with the drives not opening properly went away.

I have also now uninstalled AVG and installed Avast and am proceeding to perform a full scan with that. It did find some files in my Application Data/TEMP directory that looked like they were infected with the same trojan keylogger I was originally infected with but it removed them with no issues. Does this point to an infection via IE? It found nothing else on the Windows partition and is now searching the other two partitions to be sure I've caught it all.

I'm changing all my passwords for websites etc just in case, but I think (from reading the virus definitions descriptions) that this trojan specifically targets WOW accounts for hacking so hopefully I'm okay on that front.


The final problem (assuming that I am now clean, which this scan should hopefully tell me) is an odd one that isn't terrible in itself but annoying all the same. When I now click to open a drive (or partition) in My Computer, it opens it in a new window rather than in the same one. I've made sure that I don't have the option in the folder settings for "open in a new window" activated but it still does it..... Any ideas? I'm wondering if it's broken because I set the file type "Drive" to "Open" using explorer.exe to try and fix the previous problem - unfortunately that isn't a change I am able to undo (the option to remove it is grayed out). So any ideas??

Also, just to confirm - this problem only happens with hard disks (and optical disk drives) in My Computer, not for the "[User]'s Documents" or "Shared Folder". These open in the same window as per usual.

I will also be sure to run a multitude of anti-spyware type scans over the next few days just to be safe but I think I'm over the worst of it.


EDIT:
For completeness here is the autorun.inf I have been finding on all my disks & USB sticks, etc.

Code:
;k4wkoALLLlD20Z5Kww5q531S7irLka3Aal5L9S3aik0k3qD7A3ijslk02qj7aow2oaam2Ca7fww8oL11sJjwal2a0KHrdKAasUdksO9rJd08ke
[AutoRun]
;kwO7oALS4lswsa0A72adklJ4DSsH13wUq3859LpKd455wimki49q3Xok
open=cvcmpxm.com
;7kraKdiaC4kqAiK4s
shell\open\Command=cvcmpxm.com
;44iaD2Uksj29D4eqie30kaa3l2aZXlaa33sialK1rak3SdLFKw7i3LLi55ssmKC1LLJSwwr7r05eKqKksDLkiJKwaiLeDo
shell\open\Default=1
;qwLA3w2K2742K3JOiDr03ra3wjw0r4KU
shell\explore\Command=cvcmpxm.com
;oDk0krjd3solA3DlaSrsrwsq2

I have also just found that in the following registry keys:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\*DRIVELETTER*\Shell\AutoRun\command
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\*DRIVELETTER*\Shell\explore\Command
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\*DRIVELETTER*\Shell\open\Command

There is a key with the value "*DRIVELETTER*\cvcmpxm.com"

A quick google suggests I can just remove this whole key (from "MountPoints2" down) and it will be auto regenerated by windows next time I log on.
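The autorun.inf pasted above is the whole mechanism behind the "Open with..." symptom: Explorer honours `open=` and `shell\<verb>\command=` from a drive root, and the random `;` comment lines are padding so that each copy of the file hashes differently. The script below is an added example (not code from this thread) that parses such a file the way the shell does, ignoring the comments, and reports which verbs have been redirected to a bare executable sitting next to autorun.inf. The first sample is the file posted above; the second, benign one is constructed for comparison. `scan_roots()` runs the same triage over any drive roots or USB sticks you pass it.

```python
"""Triage autorun.inf files of the kind posted above.

Added example, not code from the thread. SAMPLE_AUTORUN is the file as posted;
SAMPLE_BENIGN is a constructed, ordinary software-CD autorun.inf.
"""
import os

# Extensions Explorer will run from an autorun launch directive.
EXECUTABLE_EXTS = {".com", ".exe", ".bat", ".cmd", ".pif", ".scr", ".vbs", ".js"}

SAMPLE_AUTORUN = r""";k4wkoALLLlD20Z5Kww5q531S7irLka3Aal5L9S3aik0k3qD7A3ijslk02qj7aow2oaam2Ca7fww8oL11sJjwal2a0KHrdKAasUdksO9rJd08ke
[AutoRun]
;kwO7oALS4lswsa0A72adklJ4DSsH13wUq3859LpKd455wimki49q3Xok
open=cvcmpxm.com
;7kraKdiaC4kqAiK4s
shell\open\Command=cvcmpxm.com
;44iaD2Uksj29D4eqie30kaa3l2aZXlaa33sialK1rak3SdLFKw7i3LLi55ssmKC1LLJSwwr7r05eKqKksDLkiJKwaiLeDo
shell\open\Default=1
;qwLA3w2K2742K3JOiDr03ra3wjw0r4KU
shell\explore\Command=cvcmpxm.com
;oDk0krjd3solA3DlaSrsrwsq2
"""

# Constructed: what a harmless install CD typically ships.
SAMPLE_BENIGN = """[autorun]
icon=setup.exe,0
label=Product CD
"""


def parse_autorun(text):
    """Return {directive_lower: value} from the [AutoRun] section.

    Comment lines (';' ...) are dropped, exactly as the shell drops them, so
    the junk padding in the sample never reaches the directive table.
    """
    directives = {}
    in_section = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_section = line[1:-1].lower() == "autorun"
            continue
        if in_section and "=" in line:
            key, value = line.split("=", 1)
            directives[key.strip().lower()] = value.strip()
    return directives


def launch_directives(directives):
    """Directives that make Explorer run something: open=, shellexecute=,
    and any shell\\<verb>\\command= (open and explore are what the sample hijacks)."""
    return {k: v for k, v in directives.items()
            if k in ("open", "shellexecute")
            or (k.startswith("shell\\") and k.endswith("\\command"))}


def is_root_executable(command):
    """True if the command is a bare executable name with no path, i.e. a file
    sitting in the drive root beside autorun.inf, as cvcmpxm.com was."""
    parts = command.split()
    target = parts[0].strip('"') if parts else ""
    return ("\\" not in target and "/" not in target
            and os.path.splitext(target)[1].lower() in EXECUTABLE_EXTS)


def triage(text):
    """Summarise one autorun.inf: launch targets and whether it shows the
    drive-hijack pattern (open/explore verbs redirected to a root executable)."""
    hits = launch_directives(parse_autorun(text))
    hijacked = [k for k, v in hits.items() if is_root_executable(v)]
    return {
        "launch_directives": hits,
        "targets": sorted(set(hits.values())),
        "hijacks_explore": any("explore" in k for k in hijacked),
        "suspicious": bool(hijacked),
    }


def scan_roots(roots):
    """Triage autorun.inf in each given directory (drive root, USB stick).
    Returns {root: triage result} for the roots that have the file."""
    results = {}
    for root in roots:
        path = os.path.join(root, "autorun.inf")
        if os.path.isfile(path):
            with open(path, "r", errors="replace") as fh:
                results[root] = triage(fh.read())
    return results


if __name__ == "__main__":
    for name, text in (("posted sample", SAMPLE_AUTORUN), ("benign CD", SAMPLE_BENIGN)):
        print(name, "->", triage(text))
```

Note that the file only names the payload; once the .com file is gone the hijack is inert but the error persists, which is why deleting the stale autorun.inf (and, on the same drive, the MountPoints2 copies Explorer cached from it) was what fixed the symptom.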
 
/headsmash on desk

Sigh. Chill out mate? I ran it because when you posted your original "helpful" post it was midnight and I had to go to bed anyway - why not leave it on overnight? It could hardly hurt and it turned out that it found something I've managed to use to clean most of the mess up with.

If you would care to read the rest of that post you'd see I then moved on & did "ditch" avg as you suggest.
 
Sigh. Chill out mate? I ran it because when you posted your original "helpful" post it was midnight and I had to go to bed anyway - why not leave it on overnight? It could hardly hurt and it turned out that it found something I've managed to use to clean most of the mess up with.

If you would care to read the rest of that post you'd see I then moved on & did "ditch" avg as you suggest.

Be careful, bledd. is on his period for this month.
 
:) Yes, it does seem he's going for the "copypasta" option in his responses. I am not ignoring his original post though, I will be running those programs to make sure I have removed the infection entirely.

As for the problem with "My Computer" opening a new window for drives though - I've managed to fix it :) I think it must have been related to the "open with explorer.exe" I spoke about in a previous post above. I managed to find where this reg key is ("HKEY_CLASSES_ROOT\Drive\shell\Open") and after deleting that key it works like normal again.

So I *think* that's all of the main problems I was facing fixed. Apart from, obviously, making sure 100% that the infected files are all gone and not coming back.......

So thank you very much to those who have helped! Hopefully if anyone else has any similar problems they'll see this thread and it'll help them back too.
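The three registry locations this thread touched (the per-drive MountPoints2 verbs, the HKEY_CLASSES_ROOT\Drive\shell\open verb added via "Open with...", and the hidden-files view settings) are worth checking before deleting anything, as the earlier reply suggests. The script below is an added example, not code from the thread: it reports only, so you can compare against a clean machine first. Key paths are the ones posted above. The SHOWALL\CheckedValue check is the usual reason the Folder Options toggle refuses to stick (the malware sets the option's "checked" value to 0, so the radio button cannot hold), which this thread mentions only as "the hidden files registry key is altered". The collectors need Windows (the winreg module); the classifiers are pure Python and run on the constructed sample values when winreg is absent.

```python
"""Report-only audit of the Explorer persistence points named in this thread.

Added example, not code from the thread. Nothing is deleted: review the
findings against a clean machine first, as the thread advises.
"""
import os
import re

EXECUTABLE_EXTS = {".com", ".exe", ".bat", ".cmd", ".pif", ".scr"}
ADVANCED = r"Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced"
MOUNTPOINTS2 = r"Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2"

# Constructed sample: the values the thread found on drive D, plus one
# normal-looking Drive\shell\open entry for comparison.
SAMPLE_COMMANDS = {
    r"MountPoints2\D\Shell\AutoRun\command": r"D:\cvcmpxm.com",
    r"MountPoints2\D\Shell\explore\Command": r"D:\cvcmpxm.com",
    r"MountPoints2\D\Shell\open\Command": r"D:\cvcmpxm.com",
    r"Drive\shell\open\command": r"C:\WINDOWS\explorer.exe",
}
# Constructed sample: the tampered hidden-files state (1 = show, for all three).
SAMPLE_SETTINGS = {"Hidden": 2, "ShowSuperHidden": 0, "CheckedValue": 0}


def root_executable(command):
    """True when the command launches a bare executable from a drive root
    (D:\\cvcmpxm.com) rather than a program under a proper install path."""
    parts = command.strip().split()
    if not parts:
        return False
    target = parts[0].strip('"')
    return (re.fullmatch(r"[A-Za-z]:\\[^\\/]+", target) is not None
            and os.path.splitext(target)[1].lower() in EXECUTABLE_EXTS)


def audit_commands(commands):
    """commands: {key path: default value}. Returns [(key, reason), ...]."""
    findings = []
    for key, value in commands.items():
        if root_executable(value):
            findings.append((key, "runs %s from the drive root" % value))
        if key.lower().startswith("drive\\shell\\open"):
            # Not present by default; the thread's fix was to delete this verb.
            findings.append((key, "Drive\\shell\\open verb present"))
    return findings


def hidden_issues(settings):
    """settings: as returned by read_hidden_settings(). Returns the reasons
    the Folder Options hidden-files toggle does not take effect."""
    issues = []
    if settings.get("CheckedValue") != 1:
        issues.append("SHOWALL\\CheckedValue is not 1: the option cannot stick")
    if settings.get("Hidden") != 1:
        issues.append("Hidden is not 1: hidden files are not displayed")
    if settings.get("ShowSuperHidden") != 1:
        issues.append("ShowSuperHidden is not 1: protected system files hidden")
    return issues


def read_commands():
    """Windows only: default values of the MountPoints2 verbs and Drive\\shell\\open."""
    import winreg
    out = {}
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER, MOUNTPOINTS2) as mp:
        for i in range(winreg.QueryInfoKey(mp)[0]):
            sub = winreg.EnumKey(mp, i)
            for verb in ("AutoRun", "open", "explore"):
                path = "\\".join((MOUNTPOINTS2, sub, "Shell", verb, "command"))
                try:
                    with winreg.OpenKey(winreg.HKEY_CURRENT_USER, path) as k:
                        label = "\\".join(("MountPoints2", sub, "Shell", verb, "command"))
                        out[label] = winreg.QueryValueEx(k, "")[0]
                except OSError:
                    pass
    try:
        with winreg.OpenKey(winreg.HKEY_CLASSES_ROOT, r"Drive\shell\open\command") as k:
            out[r"Drive\shell\open\command"] = winreg.QueryValueEx(k, "")[0]
    except OSError:
        pass
    return out


def read_hidden_settings():
    """Windows only: the three values hidden_issues() evaluates."""
    import winreg
    out = {}
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER, ADVANCED) as k:
        for name in ("Hidden", "ShowSuperHidden"):
            try:
                out[name] = winreg.QueryValueEx(k, name)[0]
            except OSError:
                out[name] = None
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, ADVANCED + r"\Folder\Hidden\SHOWALL") as k:
        out["CheckedValue"] = winreg.QueryValueEx(k, "CheckedValue")[0]
    return out


if __name__ == "__main__":
    try:
        commands, settings = read_commands(), read_hidden_settings()
    except ImportError:  # not on Windows: show the constructed sample instead
        commands, settings = SAMPLE_COMMANDS, SAMPLE_SETTINGS
    for key, reason in audit_commands(commands):
        print(key, "->", reason)
    for issue in hidden_issues(settings):
        print(issue)
```

Run it as the affected user, since MountPoints2 and the Hidden/ShowSuperHidden values live under HKEY_CURRENT_USER; the SHOWALL policy value is per machine.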
 
Usually I do quote my old posts, but I wrote that one out freshly, with links in it.

I did read the rest of your thread, it just seems pointless to stab about in the dark when running the proper tools for the job will sort it out quickly.

-don't install viruses in the first place and you won't get these problems

It's software, it goes on an opinion if it's crap. However yes, the op did ignore you.

everyone's opinion = it's crap

Be careful, bledd. is on his period for this month.

I'm always on my period.
 
Well as I said before Bledd, I do thank you for your original post. I did not ignore it, I was just taking some time to act upon it.

For anyone who's interested, the following link (which I wish I had found earlier) describes exactly what I appear to have been infected with:

http://www.threatexpert.com/report.aspx?md5=9e2e7ca538680d2e1dd50c1bbe759446

It lists all the autorun.inf, .com file & kvosoft.exe, and the DLL files that popped up in one of the anti-virus scans. It also shows that the "hidden files" registry key is altered so that hidden files don't show up. I've manually been through all of the registry keys that it created and deleted them too.
 