Rare issues with windows explorer


DrLuger

Can anyone help me to solve the issue described on next issue? I posted it on
04/30/2008 and it seemed no one saw it (only my post)

I am trying to avoid reinstalling the Win XP.
Professional OS?
Was this post helpful to you?


I wonder if you have encountered something similar:

The real-time analyzer detected and deleted eight occurrences of a virus
identified as W32/Autorun.worm.bx, affecting the following in the registry (I
think).
The log file mentioned the elimination of the W32/Autorun.worm.bx virus from
NT AUTHORITY\SYSTEM C:\WINDOWS\System32\svchost.exe
HKEY_USERS\S-1-5-21-4119159155-3476068661-3289729497-1154\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
(Hidden, SuperHidden and ShowSuperHidden D-WORD values)

After that, I cannot open the contents of a disk when I double-click its
icon directly,
showing a panel instead, with a list of available applications to associate
with. Of course I can look for explore.exe and open the icon with it, but it
cannot retain the association because the square to select always to open
the disk with the chosen program is disabled.
 

JF

*Bonjour DrLuger* !

See http://www.google.fr/search?num=100&q=W32/Autorun.worm.bx

and look for amvo.exe

This infection makes an autorun.inf on your disks and USB keys.
And it also makes it impossible to see all the folders...

To access your disk, a workaround is WIN+E (to open Explorer),
then click the disk in the left panel of Explorer; the default action is
Develop (I guess) instead of Open (check with a right click).

Check
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL
DefaultValue=0 bad
DefaultValue=2 good

Make all the folders visible (hidden and system).
Rename the autorun.inf you can now see on the disks.

I wrote explanations of the mechanism, but, sorry, they are in French;
I hope they are not difficult to understand:
http://fspsa.free.fr/contamination-lecteurs-amovibles.htm
 

nass



http://blogs.technet.com/askperf/ar...started-with-svchost-exe-troubleshooting.aspx

This worm injects itself into Explorer.exe, gains control of your system,
and disables the ability to have some security control on your system.
From McAfee:

C:\Windows\system32\amvo0.dll < remove this dll if found.

It modifies the following registry keys:

* HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL\CheckedValue: 0x00000000
* HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden: 0x00000000

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run = Remove
this entry if found amva: "C:\WINDOWS\system32\amvo.exe"


Go through these cleaning steps:
1... Click start >> Control Panel >> Double Click Network and Internet
Connections >> Double click Internet Options, on the IE Properties window
you will see these Options:
General | Security | Privacy | Content | Connections | Programs
| Advanced .

Click on General Tab (1st Tab on the left) and you will see a Button called
[ Clear History ..] click on it to clear your History caches, then click on
[Delete Files..] to delete Internet Files created over the time, click on [
Delete Cookies...] to delete your cookies left by visiting websites.
Then click on Advanced tab and scroll down to under the Browsing Option:
[&] Browsing
[ ] Enable Third-Party browser extensions (Req Rest) uncheck this box.

Then try to disable the add-ons that were somehow installed on your
browser. To disable the add-ons, follow this:
Click on the Programs tab and then click the Manage Add-Ons button; there, disable
the None/Not Verified plug-ins/add-ons (you need to re-enable them one by one
later and see which is the culprit).
How to manage Add-Ons:
http://support.microsoft.com/kb/883256

Scan for malware from here:
SuperAntispyware - Free
http://www.superantispyware.com/superantispywarefreevspro.html
http://onecare.live.com/site/en-gb/default.htm?s_cid=sah
http://onecare.live.com/standard/en-gb/default.htm

Can you please send me your Hijackthis log to look at or you can send it to
one of many forums specialised in hijackthis analysis.
(http://www.trendsecure.com/portal/en-US/threat_analytics/hijackthis.php)
Can you please send me a copy at (e-mail address removed) , remove
the obvious to email me.
HTH.
nass
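
A read-only check for the indicators the replies above name (the SHOWALL and ShowSuperHidden values, the amvo Run entry and files, autorun.inf in drive roots), written as an added PowerShell example that is not part of any post in this thread. The function names are this example's own, and a hit is a prompt for review, not a verdict.

```powershell
# Added example: read-only audit of the indicators named in this thread.
# Function names are this example's own; nothing on the system is changed.
function New-Finding($Kind, $Location, $Detail) {
    New-Object PSObject -Property @{ Kind = $Kind; Location = $Location; Detail = $Detail } |
        Select-Object Kind, Location, Detail
}

function Test-RegValue($Path, $Name, $Flagged, $Source) {
    $key = Get-Item -Path $Path -ErrorAction SilentlyContinue
    if ($null -eq $key) { return }
    $value = $key.GetValue($Name)          # $null when the value is absent
    if ($null -ne $value -and $value -eq $Flagged) {
        New-Finding 'Registry' "$Path\$Name" "value $value, flagged in $Source"
    }
}

function Get-AutorunWormIndicator {
    $adv = 'Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'
    Test-RegValue "HKLM:\$adv\Folder\Hidden\SHOWALL" 'CheckedValue' 0 "nass's post"
    Test-RegValue "HKLM:\$adv\Folder\Hidden\SHOWALL" 'DefaultValue' 0 "JF's post"
    Test-RegValue "HKCU:\$adv" 'ShowSuperHidden' 0 "nass's post"

    # Run entries whose command line mentions amvo (amvo.exe in the thread)
    $runPath = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
    $run = Get-Item -Path $runPath -ErrorAction SilentlyContinue
    if ($run) {
        foreach ($name in $run.GetValueNames()) {
            $cmd = [string]$run.GetValue($name)
            if ($cmd -match 'amvo') { New-Finding 'Run entry' "$runPath\$name" $cmd }
        }
    }

    # Files named in the thread; File.Exists also sees hidden/system files
    foreach ($file in 'amvo.exe', 'amvo0.dll') {
        $full = Join-Path $env:SystemRoot "system32\$file"
        if ([System.IO.File]::Exists($full)) { New-Finding 'File' $full 'present' }
    }

    # autorun.inf in a drive root: list for review, legitimate media ship one too
    foreach ($drive in Get-PSDrive -PSProvider FileSystem) {
        $inf = Join-Path $drive.Root 'autorun.inf'
        if ([System.IO.File]::Exists($inf)) { New-Finding 'autorun.inf' $inf 'review contents' }
    }
}

Get-AutorunWormIndicator | Format-Table -AutoSize -Wrap
```

An empty table means none of the listed indicators were found for the current user; the HKCU checks need to be run in the affected user's session.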
 
