Hi,my name is vaso. I ' m having the hacktool.rootkit virus, norton found msdirectx.sys in C:\Documents and Settings\pc\msdirectx.sys.

I cannot delete it,i tried to use killbox.exe but it is still there.I haven 't found msditectx.sys in system32 ,i have enabled hidden files.This is my hijackthis.log file:

Logfile of HijackThis v1.99.1
Scan saved at 4:34:02 μμ, on 1/2/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Java\j2re1.4.2_08\bin\jusched.exe
C:\Program Files\MSN Apps\Updater\01.02.3000.1001\el-gr\msnappau.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\PROGRA~1\NORTON~1\navw32.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.com/0SEENUS/SAOS01
F2 - REG:system.ini: UserInit=userinit.exe,xpjava.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\el-gr\msntb.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\el-gr\msntb.dll
O4 - HKLM\..\Run: [PRONoMgr.exe] C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_08\bin\jusched.exe
O4 - HKLM\..\Run: [MicrocomAutorun] E:\autorun.exe 1
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [msnappau] "C:\Program Files\MSN Apps\Updater\01.02.3000.1001\el-gr\msnappau.exe"
O4 - HKLM\..\Run: [Repair Registry Pro] C:\Program Files\Repair Registry Pro\RepairRegistryPro.exe -s
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: Ε&ξαγωγή στο Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Έευνα - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1107106179187
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{F05DE129-C236-40D0-97C5-3CA9ED9ECC0B}: NameServer = 195.170.0.1 195.170.2.2
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: Apache Tomcat (Tomcat5) - Unknown owner - C:\Programs\WebServ\Tomcat 5.5\bin\tomcat5.exe" //RS//Tomcat5 (file missing)

Please help me!!! Any thoughts? I didn't find solution from the other posts.
Thank you

I didn't find solution from the other posts.
Thank you

Hi Vaso, welcome to our site. :)

To avoid having us suggest procedures that you've already tried, could you please give us more inforamtion on what steps you've already taken? Thanks.

Hi!
Norton found only msdirectx.sys in Documents and Settings\pc.Neither Norton or my can delete this file. I downloaded avg program also, and when i scanned my computer with this one ,it found trojan in system32, a file called kimo.exe. Accidentally, it deleted the file and when i restarted my computer it keeps asking me about "activation of windows in microsoft", so now i 'm not sending you for my pc because i'm still trying to fix the problem of windows....Maybe i should reinstall windows, i don't know. When i will make it, i will see if this virus thing is still in there...Anayway, generally i've tried the following things:


Ive tried to delete this file (msdirectx.sys) while being in safe mode but when i restart my pc this file is still there. I downloaded a program called killbox.exe which menages to delete this file yes, but when i restart my computer , msdirectx.sys is always there. It seems like the system creates i t ,i don't know...

I saw a post here in which there some advice about removing my websearch in add/remove selection. I saw that everybody here scanned with Hijack This (i have no idea what this thing is ,but i downloaded it too and i posted my logfile in my previous post.)

After my scanning,I didn't find anything like this:
--------------------------------
R3 - Default URLSearchHook is missing

O4 - HKLM\..\Run: [i25LLPOd] C:\WINDOWS\ptcqqwd.exe

O8 - Extra context menu item: &Search - http://bar.mywebsearch.com/menusear...?p=ZNxdm795YYUS

O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/2742c8dcaeadd3...ip/RdxIE601.cab
-----------------------------------
so i didn'y have anything to fix,neither i found something like C:\WINDOWS\ptcqqwd.exe (although hidden files and their extensions are enabled). Norton always appearing this alert mesage abou hacktool.rootkit, i don't know how dangerous it is.For the time being i cannot see what's happening in there,when i have news i will let you know.

Thank you for replying that fast,too bad i could see it only today
vaso

1. The HijackThis tool scans a computer and reports information about areas of the system which are known to be targeted by infections. The log it generates is useful in helping us determine what exact infections a user has, and HJT itself can (obviously) be used to help remove some of those infections. However, it isn't a good idea to follow instructions for performing fixes with HijackThis that have been posted for someone else's problems. The contents of HJT logs are specific to the system that was scanned, and the configuration of that system will almost always differ from other systems in some ways.

In addition, the names of infected/malicious files will often differ between computers, because many infections create randomly-named files in order to make it harder to detect them. That being the case, the fact that the infected computer in the post you read had a malicious file named "ptcqqwd.exe" in no way means that you'll find a file of that name on your computer, even if you were infected with same general strain of spyware/virus/etc.


2. The infected msdirectx.sys file will return if you try to delete it; there is at least one other hidden piece of the infection which will recreate the msdirectx.sys file if it is removed.

When you get a chance, please download the free RootkitRevealer utility. Run a scan of your system with the utility (the scan will take a fair amount of itme to run), save the report file it creates, and post the contents of that report here.


3. Download and run the free trial version of the ewido Security Suite. Click on the Update button to chack for and install any available updates and then run a full scan of your computer. When the scan finishes, post the contents of the scan report that ewido generates.

Be a part of the DaniWeb community

We're a friendly, industry-focused community of developers, IT pros, digital marketers, and technology enthusiasts meeting, networking, learning, and sharing knowledge.