I'm having a problem now. msdiretx.sys keeps popping up in my AVG anti-virus software. What should I do about it? I deleted it, and it comes back. I've tried to search for the .exe files (msnt.exe, sdkcore.exe), but I can find nothing! This is driving me nuts, and I can't clear the viruses from my computer; they keep coming back! Sometimes I will be disconnected from the internet automatically! Is there any way to solve my problem? I use Lavasoft Ad-Aware and Spybot S&D, but they could find nothing. And yes, I update them every time, but they still can't solve the problem. Is msdirectx.sys the cause of all these problems? I found other malware/adware (50cent.exe, unvise32qt.exe, mmwho.exe) on my computer and deleted it manually. And can anyone tell me what xpjava.exe is?
yikyang 0 Light Poster
Logfile of HijackThis v1.99.1
Scan saved at 9:59:01 PM, on 6/26/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\System32\xpjava.exe
D:\WINDOWS\Explorer.EXE
D:\WINDOWS\system32\spoolsv.exe
D:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
D:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\System32\rune.pif
D:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
D:\Documents and Settings\yik yang.ITWISE\Desktop\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = https://login.passport.com/resetpw.srf?lc=1033
F2 - REG:system.ini: UserInit=userinit.exe,xpjava.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - D:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [Regmgr] scvhost.exe
O4 - HKLM\..\Run: [Microsoftf DDEs ContDLL] rune.pif
O4 - HKLM\..\Run: [AVG7_EMC] D:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\RunServices: [Regmgr] scvhost.exe
O4 - HKLM\..\RunServices: [Microsoftf DDEs ContrDL] runm.pif
O4 - HKLM\..\RunServices: [Microsoftf DDEs ContDLL] rune.pif
O12 - Plugin for .spop: D:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - D:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - D:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
Anything wrong with this?
dlh6213 27 Posting Maven Team Colleague
Hi yikyang, welcome to DaniWeb :D
Is that a complete log scanned while in 'normal' mode (not Safe Mode)? It looks very short.
Right-click in an empty area of your desktop and select New, Folder; give the folder a name (like HJT or HijackThis), and then drag the hijackthis.exe icon that is on your desktop into the new folder.
Xpjava.exe is part of a worm, scan with hijackthis and have it fix this entry:
F2 - REG:system.ini: UserInit=userinit.exe,xpjava.exe
Close any open windows, other than HijackThis, and hit Fix checked.
Do a search for xpjava.exe and delete any entries found.
Msdiretx.sys is probably a malicious driver, but I don't see it in your log.
Download and run Silent Runners.vbs -- http://www.silentrunners.org/. Post the information from the log it generates in your next reply.
Empty your Recycle Bin, reboot, close any open browser windows, scan with hijackthis, and post the entire log along with the Silent Runners log.
yikyang 0 Light Poster
What's this?
Moderator's edit: yikyang, you posted the actual Silent Runners program code instead of the log file. :o
I've deleted the code from this post for readability; it made the post about 4 pages long. :cheesy:
DMR 152 Wombat At Large Team Colleague
1. dlh6213 is right- your log does look a bit short. If you did run the HijackThis scan in Safe Mode, please run HJT while booted into Windows normally and give us that log.
2. In terms of the Silent Runners program, you need to right-click on the download link and then choose the "Save target as..." menu option to save the file into a folder on your computer.
Once you've done that, double-click on the Silent Runners.vbs file to run it. The script will take a little while to run, and you won't see anything happening while it does. When it finishes running, it will display a message telling you where it saved the log file. You need to then open that log file in Windows Notepad and copy-n-paste the full text of the log file into a post here.
3. Your log shows signs of at least three worm infections:
- A W32/Sdbot variant, which is responsible for msdirectx.sys and friends.
- A W32/Agobot variant, indicated by the O4 - HKLM\..\RunServices: [Regmgr] scvhost.exe log entry.
- A W32/Rbot variant, indicated by the runm.pif and rune.pif log entries.
Since AVG isn't able to remove those infections, I suggest you run these free online anti-virus/anti-spyware scans and see if they can clean things up a bit:
http://www.kaspersky.com/scanforvirus.html
http://housecall.trendmicro.com/
http://us.mcafee.com/root/mfs/default.asp?cid=9914
http://www.pandasoftware.com/active...n_principal.htm
http://www.ravantivirus.com/scan/
http://www.bitdefender.com/scan/licence.php
For the msdirectx.sys infection, you can also try Microsoft's removal instructions here:
http://support.microsoft.com/?scid=kb;en-us;897079
4. Once you do the above, give us a new HijackThis log, the Silent Runners log, and any report logs that the online scanners might have generated.
dlh6213 27 Posting Maven Team Colleague
Thanks DMR, a lot of good info there :)
But unless yikyang mistyped, he doesn't have msdirectx.sys, he has msdiretx.sys; do you know if it's related or if the MS fix will work for it?
yikyang 0 Light Poster
Thanks DMR, a lot of good info there :)
But unless yikyang mistyped, he doesn't have msdirectx.sys, he has msdiretx.sys; do you know if it's related or if the MS fix will work for it?
Haha, I really did mistype it; it's msdirectx.sys, not msdiretx.sys! Sorry. OK, thanks guys, I'll try, but the Microsoft removal doesn't fix my problem.
yikyang 0 Light Poster
"Silent Runners.vbs", revision 39, [url]http://www.silentrunners.org/[/url]
Operating System: Windows XP
Output limited to non-default values, except where indicated by "{++}"
Startup items buried in registry:
---------------------------------
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"Spyware Doctor" = ""D:\Program Files\Spyware Doctor\swdoctor.exe" /Q" ["PCTools"]
"Yahoo! Pager" = "D:\Program Files\Yahoo!\Messenger\ypager.exe -quiet" ["Yahoo! Inc."]
"Windows Media Player" = "mcafe32.exe" [file not found]
"Regmgr" = "scvhost.exe" [file not found]
"Norton Personal Firewall" = "lah.exe" [file not found]
"NAV Auto Protect" = "navprotect.exe" [file not found]
"MsnMsgr" = ""D:\Program Files\MSN Messenger\MsnMsgr.Exe" /background" [MS]
"MSMSGS" = ""D:\Program Files\Messenger\msmsgs.exe" /background" [MS]
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"Regmgr" = "scvhost.exe" [file not found]
"Microsoftf DDEs ContDLL" = "rune.pif" [null data]
"AVG7_EMC" = "D:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe" ["GRISOFT, s.r.o."]
"Yahoo Messenger" = "YPager.EXE" [null data]
"PPPOEOE" = "winlite.exe" [file not found]
"NeroCheck" = "D:\WINDOWS\system32\NeroCheck.exe" ["Ahead Software Gmbh"]
"Microsoftf DDEs ContrDL" = "runm.pif" [null data]
"McAfee Windows Protection" = "mcafee32.exe" [null data]
"InCD" = "D:\Program Files\Ahead\InCD\InCD.exe" [null data]
"HPDJ Taskbar Utility" = "D:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe" ["HP"]
"Compaq32 Service Drivers" = "msconfig32.exe" [null data]
"AVG7_CC" = "D:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP" ["GRISOFT, s.r.o."]
"msci" = "D:\DOCUME~1\YIKYAN~1.ITW\LOCALS~1\Temp\200562817262_mcinfo.exe /insfin" ["McAfee, Inc"]
HKLM\Software\Microsoft\Active Setup\Installed Components\
{306D6C21-C1B6-4629-986C-E59E1875B8AF}\(Default) = (no title provided)
\StubPath = ""D:\WINDOWS\System32\rundll32.exe" "D:\Program Files\Messenger\msgsc.dll",ShowIconsUser" [MS]
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = "AcroIEHlprObj Class" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "D:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx" [empty string]
{53707962-6F74-2D53-2644-206D7942484F}\(Default) = (no title provided)
-> {CLSID}\InProcServer32\(Default) = "D:\PROGRA~1\SPYBOT~1\SDHelper.dll" ["Safer Networking Limited"]
{5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB}\(Default) = "PCTools Site Guard" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "D:\PROGRA~1\SPYWAR~2\tools\iesdsg.dll" ["PC Tools"]
{B56A7D7D-6927-48C8-A975-17DF180C71AC}\(Default) = "PCTools Browser Monitor" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "D:\PROGRA~1\SPYWAR~2\tools\iesdpb.dll" ["GuideWorks Pty. Ltd."]
HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Display Panning CPL Extension"
-> {CLSID}\InProcServer32\(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "HyperTerminal Icon Ext"
-> {CLSID}\InProcServer32\(Default) = "D:\WINDOWS\System32\hticons.dll" ["Hilgraeve, Inc."]
"{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}" = "AVG7 Shell Extension"
-> {CLSID}\InProcServer32\(Default) = "D:\Program Files\Grisoft\AVG Free\avgse.dll" ["GRISOFT, s.r.o."]
"{9F97547E-460A-42C5-AE0C-81C61FFAEBC3}" = "AVG7 Find Extension"
-> {CLSID}\InProcServer32\(Default) = "D:\Program Files\Grisoft\AVG Free\avgse.dll" ["GRISOFT, s.r.o."]
"{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"
-> {CLSID}\InProcServer32\(Default) = "D:\Program Files\WinRAR\rarext.dll" [null data]
"{771A9DA0-731A-11CE-993C-00AA004ADB6C}" = "VBPropSheet"
-> {CLSID}\InProcServer32\(Default) = "D:\Program Files\Trend Micro\PC-cillin 2002\VBProp.dll" ["Trend Micro Inc."]
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\
INFECTION WARNING! "Shell" = "Explorer.exe mcafee32.exe" [MS], [null data]
INFECTION WARNING! "Userinit" = "userinit.exe,xpjava.exe" [MS], [null data]
HKLM\Software\Classes\*\shellex\ContextMenuHandlers\
AVG7 Shell Extension\(Default) = "{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}"
-> {CLSID}\InProcServer32\(Default) = "D:\Program Files\Grisoft\AVG Free\avgse.dll" ["GRISOFT, s.r.o."]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {CLSID}\InProcServer32\(Default) = "D:\Program Files\WinRAR\rarext.dll" [null data]
HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {CLSID}\InProcServer32\(Default) = "D:\Program Files\WinRAR\rarext.dll" [null data]
HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\
AVG7 Shell Extension\(Default) = "{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}"
-> {CLSID}\InProcServer32\(Default) = "D:\Program Files\Grisoft\AVG Free\avgse.dll" ["GRISOFT, s.r.o."]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {CLSID}\InProcServer32\(Default) = "D:\Program Files\WinRAR\rarext.dll" [null data]
Active Desktop and Wallpaper:
-----------------------------
Active Desktop is disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState
HKCU\Control Panel\Desktop\
"Wallpaper" = "D:\Documents and Settings\yik yang.ITWISE\Local Settings\Application Data\Microsoft\Wallpaper1.bmp"
Winsock2 Service Provider DLLs:
-------------------------------
Namespace Service Providers
HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
Transport Service Providers
HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 13
%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05
Toolbars, Explorer Bars, Extensions:
------------------------------------
Extensions (Tools menu items, main toolbar menu buttons)
HKLM\Software\Microsoft\Internet Explorer\Extensions\
{2D663D1A-8670-49D9-A1A5-4C56B4E14E84}\
"ButtonText" = "Spyware Doctor"
"CLSIDExtension" = "{A1EDC4A1-940F-48E0-8DFD-E38F1D501021}"
-> {CLSID}\InProcServer32\(Default) = "D:\PROGRA~1\SPYWAR~2\tools\iesdpb.dll" ["GuideWorks Pty. Ltd."]
Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------
AVG7 Alert Manager Server, Avg7Alrt, "D:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe" ["GRISOFT, s.r.o."]
AVG7 Update Service, Avg7UpdSvc, "D:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe" ["GRISOFT, s.r.o."]
----------
+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
+ The search for DESKTOP.INI DLL launch points on all local fixed drives
took 100 seconds.
+ The search for all Registry CLSIDs containing dormant Explorer Bars
took 31 seconds.
---------- (total run time: 219 seconds)
yikyang 0 Light Poster
Logfile of HijackThis v1.99.1
Scan saved at 5:37:28 PM, on 6/28/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\csrss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\System32\xpjava.exe
D:\WINDOWS\Explorer.EXE
D:\WINDOWS\system32\spoolsv.exe
D:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
D:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\System32\rune.pif
D:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
D:\WINDOWS\System32\YPager.EXE
D:\WINDOWS\System32\runm.pif
D:\WINDOWS\System32\mcafee32.exe
D:\Program Files\Ahead\InCD\InCD.exe
D:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
D:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
D:\DOCUME~1\YIKYAN~1.ITW\LOCALS~1\Temp\200562817262_mcinfo.exe
D:\Program Files\Spyware Doctor\swdoctor.exe
D:\Program Files\MSN Messenger\MsnMsgr.Exe
D:\Program Files\Messenger\msmsgs.exe
D:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
D:\Documents and Settings\yik yang.ITWISE\Desktop\hijackthis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = https://login.passport.com/resetpw.srf?lc=1033
F2 - REG:system.ini: Shell=Explorer.exe mcafee32.exe
F2 - REG:system.ini: UserInit=userinit.exe,xpjava.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - D:\PROGRA~1\SPYWAR~2\tools\iesdsg.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - D:\PROGRA~1\SPYWAR~2\tools\iesdpb.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - D:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [Regmgr] scvhost.exe
O4 - HKLM\..\Run: [Microsoftf DDEs ContDLL] rune.pif
O4 - HKLM\..\Run: [AVG7_EMC] D:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [Yahoo Messenger] YPager.EXE
O4 - HKLM\..\Run: [PPPOEOE] winlite.exe
O4 - HKLM\..\Run: [NeroCheck] D:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Microsoftf DDEs ContrDL] runm.pif
O4 - HKLM\..\Run: [McAfee Windows Protection] mcafee32.exe
O4 - HKLM\..\Run: [InCD] D:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] D:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [Compaq32 Service Drivers] msconfig32.exe
O4 - HKLM\..\Run: [AVG7_CC] D:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [msci] D:\DOCUME~1\YIKYAN~1.ITW\LOCALS~1\Temp\200562817262_mcinfo.exe /insfin
O4 - HKLM\..\RunServices: [Microsoftf DDEs ContrDL] runm.pif
O4 - HKLM\..\RunServices: [Microsoftf DDEs ContDLL] rune.pif
O4 - HKLM\..\RunServices: [Yahoo Messenger] YPager.EXE
O4 - HKCU\..\Run: [Spyware Doctor] "D:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - HKCU\..\Run: [Yahoo! Pager] D:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [Windows Media Player] mcafe32.exe
O4 - HKCU\..\Run: [Regmgr] scvhost.exe
O4 - HKCU\..\Run: [Norton Personal Firewall] lah.exe
O4 - HKCU\..\Run: [NAV Auto Protect] navprotect.exe
O4 - HKCU\..\Run: [MsnMsgr] "D:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [MSMSGS] "D:\Program Files\Messenger\msmsgs.exe" /background
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - D:\PROGRA~1\SPYWAR~2\tools\iesdpb.dll
O12 - Plugin for .spop: D:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - D:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - D:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: PC-cillin PersonalFirewall (PCCPFW) - Trend Micro Inc. - D:\Program Files\Trend Micro\PC-cillin 2002\PCCPFW.exe
O23 - Service: Trend NT Realtime Service (Tmntsrv) - Trend Micro Inc. - D:\Program Files\Trend Micro\PC-cillin 2002\Tmntsrv.exe
yikyang 0 Light Poster
I enabled all startup processes and scanned with HJT again; that's the result. I don't know how to get rid of most of the wares there. Help me please! The online scanners didn't fix my problem. HELP! Thanks in advance!
yikyang 0 Light Poster
Oh yeah, another problem: when I enable all the processes, I can't go online. My computer will restart whenever it detects any connection. Is it the work of those trojans/worms/wares? This really freaks me out! And I need to disable them before I can go online now. Thanks.
DMR 152 Wombat At Large Team Colleague
The Internet connection problems could definitely be the work of the infections.
You will need to disconnect from the Internet for the following fixes (I'd suggest physically unplugging the cable), so you should either print out these instructions or save them into a text file using Notepad.
1. Run HijackThis again, put a check in the boxes next to the following entries, and click the "Fix checked" button:
F2 - REG:system.ini: Shell=Explorer.exe mcafee32.exe
F2 - REG:system.ini: UserInit=userinit.exe,xpjava.exe
O4 - HKLM\..\Run: [Regmgr] scvhost.exe
O4 - HKLM\..\Run: [Microsoftf DDEs ContDLL] rune.pif
O4 - HKLM\..\Run: [PPPOEOE] winlite.exe
O4 - HKLM\..\Run: [Microsoftf DDEs ContrDL] runm.pif
O4 - HKLM\..\Run: [McAfee Windows Protection] mcafee32.exe
O4 - HKLM\..\Run: [Compaq32 Service Drivers] msconfig32.exe
O4 - HKLM\..\Run: [msci] D:\DOCUME~1\YIKYAN~1.ITW\LOCALS~1\Temp\200562817262_mcinfo.exe /insfin
O4 - HKLM\..\RunServices: [Microsoftf DDEs ContrDL] runm.pif
O4 - HKLM\..\RunServices: [Microsoftf DDEs ContDLL] rune.pif
O4 - HKCU\..\Run: [Windows Media Player] mcafe32.exe
O4 - HKCU\..\Run: [Regmgr] scvhost.exe
O4 - HKCU\..\Run: [Norton Personal Firewall] lah.exe
O4 - HKCU\..\Run: [NAV Auto Protect] navprotect.exe
2. Reboot into safe mode (you get to the safe mode boot option by hitting the F8 key as your computer is starting up)
- Open Windows Explorer, and in the Folder Options->View settings under the Tools menu, select "show hidden files and folders", and uncheck "Hide protected operating system files" and "Hide extensions for known file types".
- Locate and delete the following files:
mcafee32.exe
xpjava.exe
scvhost.exe <-There is a valid Windows file named svchost.exe; only delete the file named scvhost.exe!
rune.pif
runm.pif
winlite.exe
mcafee32.exe
msconfig32.exe
lah.exe
navprotect.exe
- For every user account listed under C:\Documents and Settings\, delete the entire contents of the following folders (but not the folders themselves):
(Important: One of the normal steps in eliminating malicious programs is to entirely delete the contents of all Temp folders. Given that, if any data that you care about is living in those Temp folders, you need to move it to a safe location now, or it will be erased along with everything else!)
1. Cookies
2. Local Settings\Temp
3. Local Settings\History
4. Local Settings\Temporary Internet Files
- Delete the entire content of your C:\Windows\Temp folder.
- Delete the entire content of your C:\Windows\Prefetch folder.
Note- If you get any messages concerning the deletion of system files such as desktop.ini or index.dat, just choose to delete those files; they'll be automatically regenerated by Windows if needed. Windows will allow you to delete the versions of those files which exist in sub-folders within the main Temp/Temporary folders, but might not let you delete the versions of those files that exist in the main Temp folders themselves; this is normal and OK.
- Empty your Recycle Bin.
3. Reboot normally, run HJT again, and post the new log.
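As an added example (not code from any post in this thread), the following Python script applies the signs DMR uses above to HijackThis lines: a Winlogon Shell or UserInit value that launches extra programs, O4 items given as a bare filename, .pif startup items, RunServices entries, and names that imitate a Windows binary such as scvhost.exe for svchost.exe. The sample lines are copied from the logs posted in this thread; the list of system names and the 0.85 similarity threshold are my own choices.

```python
import re
from difflib import SequenceMatcher

# Constructed sample: HijackThis lines copied from the logs posted in this thread.
SAMPLE_LOG = r"""
F2 - REG:system.ini: Shell=Explorer.exe mcafee32.exe
F2 - REG:system.ini: UserInit=userinit.exe,xpjava.exe
O4 - HKLM\..\Run: [Regmgr] scvhost.exe
O4 - HKLM\..\Run: [Microsoftf DDEs ContDLL] rune.pif
O4 - HKLM\..\Run: [Compaq32 Service Drivers] msconfig32.exe
O4 - HKLM\..\Run: [AVG7_EMC] D:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\RunServices: [Microsoftf DDEs ContrDL] runm.pif
O4 - HKCU\..\Run: [Norton Personal Firewall] lah.exe
O4 - HKCU\..\Run: [MSMSGS] "D:\Program Files\Messenger\msmsgs.exe" /background
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - D:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
"""

# Windows binaries that the worms in this thread imitate (scvhost.exe for
# svchost.exe, msconfig32.exe for msconfig.exe, xpjava.exe riding on userinit).
# The list is my own choice, not something HijackThis ships.
SYSTEM_NAMES = ("svchost.exe", "userinit.exe", "explorer.exe", "services.exe",
                "lsass.exe", "winlogon.exe", "csrss.exe", "msconfig.exe")

O4_RE = re.compile(r"^O4 - (HKLM|HKCU)\\\.\.\\(Run\w*): \[(.*?)\] (.*)$")
F2_RE = re.compile(r"^F2 - REG:system\.ini: (Shell|UserInit)=(.*)$", re.IGNORECASE)


def command_image(command):
    """Return the program part of an O4 command, without quotes or arguments."""
    command = command.strip()
    if command.startswith('"'):
        return command[1:command.find('"', 1)]
    return command.split()[0]


def lookalike(filename):
    """Return the system binary that `filename` resembles but is not, else None."""
    low = filename.lower()
    for sysname in SYSTEM_NAMES:
        if low != sysname and SequenceMatcher(None, low, sysname).ratio() >= 0.85:
            return sysname
    return None


def triage(log_text):
    """Return (line, reason) pairs for HijackThis lines that show the traits
    DMR points out: extra Winlogon programs, path-less startup items, .pif
    startup items, RunServices entries and look-alike system names."""
    findings = []
    for line in (l.strip() for l in log_text.splitlines()):
        f2 = F2_RE.match(line)
        if f2:
            key, value = f2.groups()
            expected = "explorer.exe" if key.lower() == "shell" else "userinit.exe"
            programs = [p for p in re.split(r"[,\s]+", value) if p]
            # A default XP UserInit is "C:\WINDOWS\system32\userinit.exe," so
            # compare on the file name only; anything else is an extra program.
            extras = [p for p in programs if p.lower().rsplit("\\", 1)[-1] != expected]
            if extras:
                findings.append((line, "Winlogon %s also launches %s" % (key, ", ".join(extras))))
            continue
        o4 = O4_RE.match(line)
        if not o4:
            continue  # other HJT sections are not examined here
        _hive, key, _name, command = o4.groups()
        image = command_image(command)
        base = image.rsplit("\\", 1)[-1]
        if "\\" not in image:
            findings.append((line, "bare filename with no path; found through the search path"))
        if key.lower() == "runservices":
            findings.append((line, "RunServices is a Windows 9x key; unusual on XP"))
        if base.lower().endswith(".pif"):
            findings.append((line, "a .pif program shortcut used as a startup item"))
        target = lookalike(base)
        if target:
            findings.append((line, "name imitates %s" % target))
    return findings


def suspicious_lines(log_text):
    """Distinct lines that triage() flagged, in log order."""
    seen = []
    for line, _reason in triage(log_text):
        if line not in seen:
            seen.append(line)
    return seen


if __name__ == "__main__":
    for line, reason in triage(SAMPLE_LOG):
        print("%-70s  %s" % (line[:70], reason))
```

The heuristics are a triage aid, not a verdict: a legitimate entry written without a path is flagged too, and a flagged line still has to be checked by name and location as DMR does above.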
yikyang 0 Light Poster
Thanks! I'll try and post my reply ASAP, OK? I'll be away for a few days. Thanks, man!
DMR 152 Wombat At Large Team Colleague
Go through the instructions I posted fully and carefully, and respond when you can. It doesn't matter if it takes a few days; we won't lose track of you (this forum will automatically notify me when you make your next post).
yikyang 0 Light Poster
Logfile of HijackThis v1.99.1
Scan saved at 12:14:08 AM, on 6/30/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\csrss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\Explorer.EXE
D:\WINDOWS\system32\spoolsv.exe
D:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
D:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
D:\WINDOWS\System32\svchost.exe
D:\Program Files\Trend Micro\PC-cillin 2002\Tmntsrv.exe
D:\WINDOWS\System32\YPager.EXE
D:\Program Files\Ahead\InCD\InCD.exe
D:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
D:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
D:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
D:\Program Files\Trend Micro\PC-cillin 2002\PCCPFW.exe
D:\Program Files\Spyware Doctor\swdoctor.exe
D:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
D:\WINDOWS\System32\WScript.exe
D:\WINDOWS\System32\wbem\wmiprvse.exe
D:\WINDOWS\System32\wbem\wmiprvse.exe
D:\Documents and Settings\yik yang.ITWISE\Desktop\hijackthis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = https://login.passport.com/resetpw.srf?lc=1033
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - D:\PROGRA~1\SPYWAR~2\tools\iesdsg.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - D:\PROGRA~1\SPYWAR~2\tools\iesdpb.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - D:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [Yahoo Messenger] YPager.EXE
O4 - HKLM\..\Run: [NeroCheck] D:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] D:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] D:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [AVG7_EMC] D:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [AVG7_CC] D:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\RunServices: [Yahoo Messenger] YPager.EXE
O4 - HKCU\..\Run: [Spyware Doctor] "D:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - HKCU\..\Run: [Yahoo! Pager] D:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [MsnMsgr] "D:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [MSMSGS] "D:\Program Files\Messenger\msmsgs.exe" /background
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - D:\PROGRA~1\SPYWAR~2\tools\iesdpb.dll
O12 - Plugin for .spop: D:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - D:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - D:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: PC-cillin PersonalFirewall (PCCPFW) - Trend Micro Inc. - D:\Program Files\Trend Micro\PC-cillin 2002\PCCPFW.exe
O23 - Service: Trend NT Realtime Service (Tmntsrv) - Trend Micro Inc. - D:\Program Files\Trend Micro\PC-cillin 2002\Tmntsrv.exe
yikyang 0 Light Poster
Thanks DMR! It worked! msdirectx.sys didn't return anymore! During the process, I found another suspicious file, userinit32.exe. Is it one of the infections? What can I do to prevent myself from getting infected again? Any advice?
And there's a problem with my Windows Media Player, and I'm not sure if it is the work of those infections. My media player can't play audio files on its first start-up. It'll shut down and display an error message. What can I do about it?
DMR 152 Wombat At Large Team Colleague
Sorry for the late response.
A) userinit32.exe is a component of a malicious infection. You can find more info and removal instructions in some of the links here:
http://www.google.com/search?hl=en&q=userinit32.exe&btnG=Google+Search
B) Media Player can get corrupted by viruses/spyware, but it can also break for other reasons. Uninstall and reinstall it and see if that clears thing up.
C) Some general things you can/should do to minimize your chances of future virus/malware infections:
1. Enable Windows Automatic Update function to keep your system as up-to-date as possible with the most current Microsoft security and bug fixes.
2. Stop using Internet Explorer as your web browser. Because IE is so closely tied into the Windows operating system itself and contains so many security flaws, switching to another browser such as Netscape, Firefox, or Opera will reduce the avenues through which spyware/adware/hijackers/etc. can infect your computer.
3. Install preventative utilities such as SpywareBlaster and SpywareGuard (links are in my sig below), especially if you absolutely have to continue using Internet Exploder. These utilities protect areas of your system known to be vulnerable to malicious attacks. IE-SPYAD is another helpful tool; it can be downloaded here:
https://netfiles.uiuc.edu/ehowes/www/resource.htm
4. Tighten up some of Internet Explorer's existing, default settings to make it more secure. Some info on that can be found here: http://tomcoyote.org/ieoe.php
5. Obviously, install a good anti-virus program and enable its "auto-protect" and email-scanning features.
6. Install a stand-alone firewall program such as Zone Alarm or Kerio Personal Firewall, or purchase the "Internet Security" packages offered by Symantec and McAfee.
7. None of your utilities are of much good if you don't check for updates frequently; updates for anti-spyware/anti-virus programs can be released as often as every two or three days.
yikyang 0 Light Poster
Thanks a lot! A lot of info there! I reinstalled my media player before, but it's still the same. And I don't use IE, I use Firefox. Thanks a lot!
DMR 152 Wombat At Large Team Colleague
You're welcome. :)
For the Media Player problem:
- What is the exact error that it gives you?
- Open the Event Viewer utility in your Administrative Tools control panel and look through the System and Application logs to see if there are any error messages there which might contain more information on the problem.
yikyang 0 Light Poster
OK, thanks again. Anyway, this is the description:
faulting application wmplayer.exe,version 9.0.0.2980,faulting module unknown,version 0.0.0.0,fault address 0x45c7c033.
0000: 41 70 70 6c 69 63 61 74 Applicat
0008: 69 6f 6e 20 46 61 69 6c ion Fail
0010: 75 72 65 20 20 77 6d 70 ure wmp
0018: 6c 61 79 65 72 2e 65 78 layer.ex
0020: 65 20 39 2e 30 2e 30 2e e 9.0.0.
0028: 32 39 38 30 20 69 6e 20 2980 in
0030: 75 6e 6b 6e 6f 77 6e 20 unknown
0038: 30 2e 30 2e 30 2e 30 20 0.0.0.0
0040: 61 74 20 6f 66 66 73 65 at offse
0048: 74 20 34 35 63 37 63 30 t 45c7c0
0050: 33 33 0d 0a 33..
Another problem I'm facing is:
1. My PC sometimes restarts by itself for no reason. Any way to find out why?
Thanks in advance.
dlh6213 27 Posting Maven Team Colleague
I can't help with this, just giving it a 'bump' so DMR doesn't overlook it :)
(I know how much he needs more to do)
yikyang 0 Light Poster
Looks like my computer is attacked by worms again! I might need help again. Sorry, guys!
I will post a HJT log again soon. Thanks.
dlh6213 27 Posting Maven Team Colleague
Before posting a new log, please follow the suggestions in these threads:
DMR 152 Wombat At Large Team Colleague
I can't help with this, just giving it a 'bump' so DMR doesn't overlook it :)
(I know how much he needs more to do)
Uh, yeah...thanks. I'll just ignore those 14 auto-notifications that piled up in my mailbox after only 6 hours offline and wait for you to throw me more fresh fish... :mrgreen:
yikyang,
Unfortunately, I was hoping that the Media Player error message might tell us exactly which module/file was causing the problem, but it only gives "faulting module unknown", which doesn't give us anything specific to go on. The cause of the problem could be in a number of places, and since Media Player still crashes after you reinstalled it, I really don't have any suggestions right now. :(
For the possible reinfections, post a new log as dlh6213 suggested.
yikyang 0 Light Poster
Logfile of HijackThis v1.99.1
Scan saved at 12:33:36 PM, on 7/10/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\csrss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\Explorer.EXE
D:\WINDOWS\system32\spoolsv.exe
D:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
D:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
D:\WINDOWS\System32\svchost.exe
D:\Program Files\Trend Micro\PC-cillin 2002\Tmntsrv.exe
D:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
D:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
D:\WINDOWS\System32\YPager.EXE
D:\Program Files\Trend Micro\PC-cillin 2002\PCCPFW.exe
D:\Program Files\Ahead\InCD\InCD.exe
D:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
D:\Program Files\Spyware Doctor\swdoctor.exe
D:\Program Files\MSN Messenger\MsnMsgr.Exe
D:\Program Files\Windows Media Player\wmplayer.exe
D:\DOCUME~1\YIKYAN~1.ITW\LOCALS~1\Temp\Rar$EX01.387\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = https://login.passport.com/resetpw.srf?lc=1033
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - D:\PROGRA~1\SPYWAR~2\tools\iesdsg.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - D:\PROGRA~1\SPYWAR~2\tools\iesdpb.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - D:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [NeroCheck] D:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [AVG7_EMC] D:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [AVG7_CC] D:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Yahoo Messenger] YPager.EXE
O4 - HKLM\..\Run: [InCD] D:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] D:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\RunServices: [Yahoo Messenger] YPager.EXE
O4 - HKCU\..\Run: [Spyware Doctor] "D:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - HKCU\..\Run: [Yahoo! Pager] D:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [MsnMsgr] "D:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [MSMSGS] "D:\Program Files\Messenger\msmsgs.exe" /background
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - D:\PROGRA~1\SPYWAR~2\tools\iesdpb.dll
O12 - Plugin for .spop: D:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - D:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - D:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: PC-cillin PersonalFirewall (PCCPFW) - Trend Micro Inc. - D:\Program Files\Trend Micro\PC-cillin 2002\PCCPFW.exe
O23 - Service: Trend NT Realtime Service (Tmntsrv) - Trend Micro Inc. - D:\Program Files\Trend Micro\PC-cillin 2002\Tmntsrv.exe
yikyang 0 Light Poster
Any problem with the log?
DMR 152 Wombat At Large Team Colleague
No, the log is very clean.
What specific signs or messages did you get that make you think that you've been reinfected?
yikyang 0 Light Poster
My Explorer will close suddenly and will not give any error messages. My computer will restart itself sometimes without warning.
Every time I run Lavasoft Ad-Aware, my AVG will show virus detected messages in the D:/System Volume Information folder.
The names of the viruses are A0039652.sys, A0059575.sys, and a lot more with different numbers. I must disable AVG at that moment because it won't stop giving me the warning messages. There is also an .exe file called A0059569.exe in the same folder. Is this an infection?
dlh6213 27 Posting Maven Team Colleague
The recommendations here should resolve the problem with System Volume Information:
http://www.daniweb.com/techtalkforums/thread13362.html
You should have A0059569.exe scanned here:
yikyang 0 Light Poster
Thanks so much! But I still can't get rid of A0059569.exe. It doesn't matter, right? What does this virus do? It will appear during the Ad-Aware scan. Only the exe file. Thanks a lot!