

Choose A Program To Open With The Following File: C:\


6 replies to this topic

#1 Juha (Members, 512 posts; Location: England)

Posted 25 February 2008 - 11:11 AM

Hi,

Last night when I double-clicked on my C drive it asked me to "Choose a program to open with the following file: C:\"! First time I've seen this here. It was the same for the D drive as well. I tried googling for this problem and found that a few people were also complaining about it, and blaming it on viruses/a corrupt system.

Anyway, I scanned with my anti-virus, Avast Home Edition, on boot and found a few viruses and deleted:

C:\Windows\System32\SocksA.exe infected by Win 32:VB-BBA [Trj]
C:\Windows\System32\abgsvc.exe with Win32:Trojan-gen {other}
C:\Windows\System32\wykmjhic.dll with Win32:Trojan-gen {other}
C:\Windows\System32\akgfsdvv.dll
C:\Windows\System32\Kan.exe

C:\Windows\svchost.exe
C:\Windows\session.exe

C:\Program file\VideoAddon\isfmm.exe with Win32:Zlob-AIK [Trj]
C:\Program file\VideoAddon\ctmdl.dll with Win32:Trojan-gen {other}

C:\System Volume Information...

I also scanned with the BitDefender and Kaspersky online scanners. Kaspersky Online said 'Object is locked... skipped'. I don't know what that means, but I uninstalled Avast and downloaded and installed the Kaspersky trial version. I scanned with it and it detected and deleted:

Status Object
------ ------
deleted: virus Worm.Win32.AutoRun.sb File: C:\System Volume Information\_restore{3B5EBD63-0BA3-4CB6-8D46-0666EE4E44F9}\RP92\A0036053.inf
deleted: virus Worm.Win32.AutoRun.sb File: D:\System Volume Information\_restore{3B5EBD63-0BA3-4CB6-8D46-0666EE4E44F9}\RP92\A0036055.INF
deleted: virus Worm.Win32.AutoRun.sb File: C:\WINDOWS\BACKINF.TAB
deleted: Trojan program Trojan-Downloader.Win32.Zlob.eeh File: C:\Program Files\Video Add-on\isfmdl.dll//PE_Patch
deleted: Trojan program Backdoor.Win32.Rbot.hvj File: C:\Program Files\BitTorrent\bittorrent.exe
deleted: Trojan program Trojan-Downloader.Win32.Zlob.eeh File: C:\System Volume Information\_restore{3B5EBD63-0BA3-4CB6-8D46-0666EE4E44F9}\RP93\A0036481.dll//PE_Patch
deleted: Trojan program Backdoor.Win32.Rbot.hvj File: C:\System Volume Information\_restore{3B5EBD63-0BA3-4CB6-8D46-0666EE4E44F9}\RP93\A0036482.exe
deleted: Trojan program Backdoor.Win32.Rbot.hvj File: C:\My Downloads\BitTorrent-6.0.exe//data0007


My problem seems solved. I can now access both C and D drives... but should I be satisfied? I want to be completely sure nothing is left on the system.

Thanks,
Juha

Edited by Juha, 25 February 2008 - 11:13 AM.



#2 boopme (Global Moderator, 73,040 posts; Location: NJ USA)

Posted 25 February 2008 - 02:59 PM

Having had an IRC bot infection, Backdoor.Win32.Rbot, here is something you must consider. Possibly the safest thing you can do is a full format and reinstall of the OS.

Win32.Rbot is an IRC controlled backdoor (or "bot") that can be used to gain unauthorized access to a victim's machine. It can also exhibit worm-like functionality by exploiting weak passwords on administrative shares and by exploiting many different software vulnerabilities, as well as backdoors created by other malware. There are many variants of Rbot, and more are discovered regularly. Rbot is highly configurable, and is being very actively developed, however the core functionality is quite consistent between variants.

Rbot's main function is to act as an IRC controlled backdoor. It attempts to connect to a predefined IRC server and join a specific channel so that the victim's computer can be controlled. The IRC server, port number, channel and password differ with each variant.

Rbot also listens on TCP port 113 to provide ident services, which are required by some IRC servers.

Once the victim's computer is under control, the overseer is able to instruct Win32.Rbot to attempt to perform malicious operations such as spreading via administrative shares with weak passwords or the DCOM RPC exploit. The backdoor can also be instructed to:

  • download and execute files from the Internet
  • retrieve system information such as Operating System details
  • retrieve CD keys for certain computer games, if present
  • start a SOCKS proxy
  • perform denial of service (DoS) attacks
  • start several other servers: rlogin, http, tftp. The ports used for these are configurable.
  • log keystrokes
  • capture video from a webcam, if present
  • send e-mail

CA antivirus

From: Reformatting the computer or troubleshooting; determining which is best

If your scans detect the presence of a rootkit on your computer, then you should seriously consider reformatting the hard drive and installing the operating system fresh. A rootkit on your personal computer means you are no longer in control of what information or processes are actually on your computer. You may no longer be able to trust the displays of system information or of active processes running. A rootkit by definition hides programs and files from your view. Only if you install the rootkit yourself ( and know what it is really doing ) should you trust your computer, and then only so far. If a malicious rootkit is discovered on the computer, then it may be too late to repair the problem. Microsoft computer experts have advised that reformatting the drive and reinstalling the operating system may be the best response in these cases.


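The description above gives two host-observable behaviours: the bot serves ident on TCP 113 and holds an outbound connection to an IRC server. The script below is an added example for this thread (not a BleepingComputer or CA tool) that triages `netstat -ano` output for both and flags a process that shows them together; a browser or an ordinary IRC client does not serve ident itself. The IRC port list is an assumption, and the post itself notes that the server and port differ per variant, so a clean result is not proof of absence. The netstat rows are constructed, not captured from the poster's machine.

```python
"""Triage `netstat -ano` output for Rbot-style network behaviour:
an ident listener on TCP 113 plus an outbound IRC connection from the
same process. Added example; not part of any tool named in the thread."""

IDENT_PORT = 113
# Assumption (not from the post): ports commonly used by IRC servers.
IRC_PORTS = set(range(6660, 6670)) | {6697, 7000}

# Constructed `netstat -ano` output in Windows XP layout; PID 1432 is a
# hypothetical process that shows both indicators at once.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       900
  TCP    0.0.0.0:113            0.0.0.0:0              LISTENING       1432
  TCP    192.168.1.5:1045       203.0.113.7:6667       ESTABLISHED     1432
  TCP    192.168.1.5:1050       198.51.100.2:80        ESTABLISHED     2210
  UDP    0.0.0.0:445            *:*                                    4
"""


def _split_endpoint(endpoint):
    """'192.168.1.5:1045' -> ('192.168.1.5', 1045); '*:*' -> ('*', None)."""
    host, _, port = endpoint.rpartition(":")
    return host, (int(port) if port.isdigit() else None)


def parse_netstat(text):
    """Return one dict per TCP/UDP row. UDP rows have no State column, so
    the PID is always taken from the last field."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0] not in ("TCP", "UDP"):
            continue
        proto, local, remote = parts[0], parts[1], parts[2]
        state = parts[3] if len(parts) == 5 else ""
        lhost, lport = _split_endpoint(local)
        rhost, rport = _split_endpoint(remote)
        rows.append({"proto": proto, "lhost": lhost, "lport": lport,
                     "rhost": rhost, "rport": rport, "state": state,
                     "pid": int(parts[-1])})
    return rows


def find_indicators(rows):
    """Return {pid: {"ident": True, "irc": [remote endpoints]}} for every
    process matching at least one of the two behaviours."""
    hits = {}
    for r in rows:
        if r["proto"] != "TCP":
            continue
        if r["state"] == "LISTENING" and r["lport"] == IDENT_PORT:
            hits.setdefault(r["pid"], {})["ident"] = True
        elif r["state"] == "ESTABLISHED" and r["rport"] in IRC_PORTS:
            hits.setdefault(r["pid"], {}).setdefault("irc", []).append(
                f"{r['rhost']}:{r['rport']}")
    return hits


def suspect_pids(rows):
    """PIDs showing both behaviours: the strong signal. An IRC connection
    alone may simply be a legitimate IRC client."""
    return {pid for pid, h in find_indicators(rows).items()
            if h.get("ident") and h.get("irc")}


if __name__ == "__main__":
    rows = parse_netstat(SAMPLE_NETSTAT)
    for pid, h in find_indicators(rows).items():
        print(pid, h)
    print("suspect PIDs:", suspect_pids(rows))
```

On a live system, feed it the saved output of `netstat -ano` and map the suspect PID to its image path with Task Manager or `tasklist`; a PID whose image lives in System32 under a name you do not recognise is the thing to hand to the helpers along with the HJT log.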

#3 Juha (Topic Starter)

Posted 25 February 2008 - 03:58 PM

Hi,

Thanks for the response.

I am a bit reluctant to do a complete re-installation. How dangerous is this infection, and can it not be done solely through anti-spyware/anti-virus tools etc., and using programs to check all running files/processes? The reason I don't want to re-install the OS completely is because my laptop came pre-installed and I don't have a CD. If the only way to be completely sure is to format and re-install, I guess I have to get a CD then...

I also have a few files on the hard drive. I will have to move them somewhere, but how can I be sure they haven't got the infection as well?

Also, I am not sure how I got the infection in the first place. I suspect through my mp3/USB... Is there a way of identifying if it is the cause/removing it? I have tried scanning with anti-virus (Kaspersky). Nothing detected. I have also used 'Flash Disinfector'; I don't know if it worked.

Edited by Juha, 25 February 2008 - 04:09 PM.
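The Kaspersky report in the first post names Worm.Win32.AutoRun.sb in .inf files, and the opening symptom matches what a leftover autorun.inf does: Explorer honours the `open=`, `shellexecute=` and `shell\<verb>\command=` entries of the `[autorun]` section, and once the scanner has deleted the file they point at, double-clicking the drive gives exactly the "Choose a program to open with the following file: C:\" prompt. The following added example (not part of Flash Disinfector or any scanner named in the thread) parses an autorun.inf, reports whether each executable directive still points at a file on the drive, and checks for the directory-named-autorun.inf placeholder that Flash Disinfector leaves behind to stop a worm rewriting the file. The sample autorun.inf and the RECYCLER path in it are constructed placeholders, not the poster's files.

```python
r"""Inspect an autorun.inf for the directives that change what happens when
a drive is double-clicked. Added example for this thread."""
import os
import re
import tempfile

# Constructed autorun.inf in the style of USB worms. The RECYCLER path and
# file name are hypothetical, not taken from the poster's scan logs.
SAMPLE_AUTORUN = r"""
[AutoRun]
open=RECYCLER\hidden\placeholder.exe
shell=Open
shell\Open=&Open
shell\Open\Command=RECYCLER\hidden\placeholder.exe
shell\explore\command="RECYCLER\hidden\placeholder.exe" /e
icon=%SystemRoot%\system32\SHELL32.dll,4
"""

_EXEC_KEYS = {"open", "shellexecute"}
_SHELL_CMD = re.compile(r"^shell\\[^\\]+\\command$")   # keys are lower-cased first


def parse_autorun(text):
    """Return {key: value} (keys lower-cased) for the [autorun] section,
    skipping comments, blank lines and stray NUL bytes worms often add."""
    entries = {}
    in_autorun = False
    for raw in text.splitlines():
        line = raw.replace("\x00", "").strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_autorun = line[1:-1].strip().lower() == "autorun"
            continue
        if in_autorun and "=" in line:
            key, _, value = line.partition("=")
            entries[key.strip().lower()] = value.strip()
    return entries


def _program_of(value):
    """First token of a command line, honouring a quoted path."""
    if value.startswith('"'):
        end = value.find('"', 1)
        return value[1:end] if end > 0 else value[1:]
    return value.split()[0] if value else ""


def assess(entries, drive_root):
    """List every directive that runs a program and whether its target
    still exists, resolved relative to the drive root."""
    findings = []
    for key, value in entries.items():
        if key in _EXEC_KEYS or _SHELL_CMD.match(key):
            target = _program_of(value)
            path = os.path.join(drive_root, *target.split("\\"))
            findings.append({"key": key, "target": target,
                             "present": os.path.isfile(path)})
    return findings


def verdict(findings):
    if not findings:
        return "clean"
    if any(f["present"] for f in findings):
        return "live"     # payload still on disk: do not double-click the drive
    return "stale"        # target deleted: the cause of the Open With prompt


def placeholder_present(drive_root):
    """True when autorun.inf exists as a directory rather than a file; a
    directory of that name blocks a worm's plain file write. This is the
    technique Flash Disinfector is known for."""
    return os.path.isdir(os.path.join(drive_root, "autorun.inf"))


def demo():
    """Replay the thread's sequence in a temp dir: payload present, then
    deleted by the scanner with autorun.inf left behind, then blocked."""
    entries = parse_autorun(SAMPLE_AUTORUN)
    with tempfile.TemporaryDirectory() as root:
        payload = os.path.join(root, "RECYCLER", "hidden", "placeholder.exe")
        os.makedirs(os.path.dirname(payload))
        open(payload, "wb").close()
        before = verdict(assess(entries, root))
        os.remove(payload)                              # what the antivirus did
        after = verdict(assess(entries, root))
        os.mkdir(os.path.join(root, "autorun.inf"))     # the placeholder fix
        blocked = placeholder_present(root)
    return before, after, blocked


if __name__ == "__main__":
    print(demo())   # ('live', 'stale', True)
```

To use it on the real drives, read `X:\autorun.inf` (it is usually hidden and system-attributed, so open it by path rather than browsing) and pass `X:\` as the drive root; a "stale" verdict means deleting the autorun.inf file itself restores the normal double-click behaviour, while "live" means the payload the scanners missed is still there.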


#4 boopme (Global Moderator)

Posted 25 February 2008 - 04:25 PM

I would then say to post an HJT log and tell them you would like all traces that can possibly be removed after an IRC bot infection to be removed.
Here is the Log Prep Guide link:
http://www.bleepingcomputer.com/forums/t/34773/preparation-guide-for-use-before-using-malware-removal-tools-and-requesting-help/

#5 quietman7 (Global Moderator, 51,277 posts; Location: Virginia, USA)

Posted 02 March 2008 - 08:59 AM

In regard to your RKR log posted in your duplicate topic, which I closed:

RKR scans the HKLM\Security\Policy hive, which contains SAC* and SAI* hidden keys with embedded (trailing) nulls. This is normal and not a cause for alarm. The presence of some keys with nulls may be pertinent to the correct operation of related applications. See "RKR 1.71 and HKLM\Security\Policy\Secrets". Also see "Info on common log entries", such as:

  • SoftwareDistribution\DataStore
  • WinGenerics
  • ODBCINST Entries
  • Data Mismatches
  • InprocServer32/embedded nulls
  • Zero Bytes
  • Daemon Tools and Alcohol software entries
  • Cryptography\RNG\Seed\
  • System Volume Information\_restore
  • Prefetch

Not all hidden components detected by ARKs are malicious. It is normal for a firewall, some anti-virus and anti-malware software (ProcessGuard, Prevx1, AVG AS), sandboxes, virtual machines and Host-based Intrusion Prevention Systems (HIPS) to hook into the OS kernel/SSDT in order to protect your system. You should not be alarmed if you see any hidden entries created by these software programs after performing a scan.

If you're unsure how to use RKR or read its logs, use AVG Anti-Rootkit or Panda AntiRootkit instead.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators
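The post above is, in effect, a triage rule set for RootkitRevealer output: a handful of entry types are expected on every XP machine and the rest deserve a look. The script below is an added example for this thread (not a Sysinternals tool) that applies those rules to a log. RKR writes one tab-separated line per discrepancy (path, timestamp, size, description), and the sample lines here are constructed in that layout, including a hypothetical `example.sys` driver to show the "review" path. The regex whitelist is my reading of the post's list of common entries, not an exhaustive one, and, as the post says, a hidden entry left by security software is still a "review" here until you match it to something you installed.

```python
"""Classify RootkitRevealer (RKR) log lines into the benign entry types
named in the post above and everything else. Added example for this
thread; the rule list is an assumption derived from the post."""
import re

# (path regex, description regex, reason). Case-insensitive matching.
BENIGN_RULES = [
    (r"^HKLM\\SECURITY\\Policy\\Secrets\\SA[CI]\*", r"embedded nulls",
     "LSA Secrets keys carry trailing nulls by design"),
    (r"\\Cryptography\\RNG\\Seed$", r"Data mismatch",
     "RNG seed is rewritten constantly; a mismatch during the scan is expected"),
    (r"^[A-Z]:\\WINDOWS\\Prefetch\\", r"Hidden",
     "Prefetch files created while the scan itself ran"),
    (r"^[A-Z]:\\System Volume Information\\_restore", r"Hidden",
     "System Restore store is hidden from the Windows API by design"),
    (r"\\SoftwareDistribution\\DataStore\\", r".",
     "Windows Update datastore, locked while in use"),
]

# Constructed RKR-style log. The GUID, timestamps and example.sys are
# placeholders, not the poster's log.
SAMPLE_RKR_LOG = "\n".join([
    "HKLM\\SECURITY\\Policy\\Secrets\\SAC*\t2/28/2008 9:00 AM\t0 bytes\tKey name contains embedded nulls (*)",
    "HKLM\\SECURITY\\Policy\\Secrets\\SAI*\t2/28/2008 9:00 AM\t0 bytes\tKey name contains embedded nulls (*)",
    "HKLM\\SOFTWARE\\Microsoft\\Cryptography\\RNG\\Seed\t3/1/2008 8:40 AM\t80 bytes\tData mismatch between Windows API and raw hive data.",
    "C:\\WINDOWS\\Prefetch\\ROOTKITREVEALER.EXE-00000000.pf\t3/1/2008 8:41 AM\t12.50 KB\tHidden from Windows API.",
    "C:\\System Volume Information\\_restore{00000000-0000-0000-0000-000000000000}\\RP94\\A0000001.exe\t3/1/2008 8:41 AM\t24.00 KB\tHidden from Windows API.",
    "C:\\WINDOWS\\system32\\drivers\\example.sys\t2/20/2008 3:12 AM\t24.00 KB\tHidden from Windows API.",
])


def parse_rkr(text):
    """One dict per tab-separated RKR line; other lines are ignored."""
    rows = []
    for line in text.splitlines():
        parts = line.split("\t")
        if len(parts) < 4:
            continue
        rows.append({"path": parts[0], "timestamp": parts[1],
                     "size": parts[2], "description": "\t".join(parts[3:])})
    return rows


def classify(row):
    """('benign', reason) if a rule matches both path and description,
    otherwise ('review', advice)."""
    for path_re, desc_re, reason in BENIGN_RULES:
        if (re.search(path_re, row["path"], re.I)
                and re.search(desc_re, row["description"], re.I)):
            return "benign", reason
    return "review", ("not a known common entry; match it to installed "
                      "security software before assuming it is malware")


def triage(text):
    return [(r["path"],) + classify(r) for r in parse_rkr(text)]


def needs_review(text):
    """Paths to hand to a helper, in log order."""
    return [path for path, verdict, _ in triage(text) if verdict == "review"]


if __name__ == "__main__":
    for path, verdict, reason in triage(SAMPLE_RKR_LOG):
        print(f"{verdict:6} {path}\n       {reason}")
```

Run it over a saved RKR log and post only the "review" lines with the HJT log; that is the part a helper actually needs to see, and it avoids the duplicate-topic problem this thread ran into.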

#6 Juha (Topic Starter)

Posted 02 March 2008 - 06:50 PM

Sorry for the duplicate posting - I thought because of the RootkitRevealer log, I might need to start a new thread. Thanks for all the information. I'll check up on those links. It is my first time using this tool, and I had no idea what the logs meant.

Anyway many thanks again.

#7 quietman7 (Global Moderator)

Posted 03 March 2008 - 09:14 AM

Not a problem, Juha. That's how we learn. RKR logs are not always easy to understand for those not familiar with them. That's why the folks at Sysinternals created topics relating to common log entries and FAQs.