help msdirectx.sys

I've got lots of problems going off … and every time I reboot, avast says I'm infected with
msdirectx.sys. It just keeps coming back … when I try HijackThis or Task Manager they just instantly shut down, so I can't use them … I presume whatever has infected me is doing this …
I've tried Ad-Aware, Spybot and the Microsoft spyware program and none of them can get rid of it …

I found this about it on Google …

"W32/Sdbot-PK is a member of the W32/Sdbot family of internet worms that spread by scanning for and exploiting known vulnerabilities and weakly protected accounts.
The worm connects to a remote IRC server and enables a malicious user to remotely control an infected machine.
W32/Sdbot-PK drops Troj/NtRootK-F as the file msdirectx.sys which it employs to hide its process. "

If you're using XP, schedule a boot-time scan set to scan within archives (Open avast > Menu (top left hand corner) > Boot time scan).

–lee

Did the boot scan; it found nothing … the file was there again though, about 5 seconds after the desktop loaded.
Did a scan with another spy prog and it said I was infected with "mugly".

Hi,

Have you tried a scan with avast in Safe Mode (F8 at boot)? Results?
Or does HijackThis work in Safe Mode? If so, please post the log here.

You can also try removing it according to these instructions:
http://www.virusbtn.com/perlbin/vgrep/vgrep.cgi?terms=NtRootK-F&product=0
http://www.virusbtn.com/perlbin/vgrep/vgrep.cgi?terms=Sdbot-PK&product=0
(follow the red links, e.g. to Trend Micro, Symantec)

Or try a rootkit scanner:
http://forum.avast.com/index.php?topic=12142.0

Or the KAV tool:
eScan: http://www.mwti.net/antivirus/free_utilities.asp
Set the options as shown in this ->Screenshot<-

All the above tools should work better in Safe Mode.

:wink:

Or does HijackThis work in Safe Mode? If so, please post the log here.

Actually, running HijackThis in Safe Mode is not such a good idea, as the malware most likely won't have started up yet; HijackThis is best run from a normal boot.

However, all the other tools you suggested should work in Safe Mode.

–lee

Hi lee,

Of course, but usually this only concerns the processes, not the startup entries, right?

:wink:

Of course, but usually this only concerns the processes, not the startup entries, right?

Hmm, good point, OK, you're right 'Whocares' :wink:

–lee

HijackThis worked in Safe Mode … this is the log …

Logfile of HijackThis v1.97.7
Scan saved at 11:56:13, on 26/03/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Documents and Settings\Dave\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O4 - HKLM..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM..\Run: [Easy-PrintToolBox] C:\Program Files\Canon\Easy-PrintToolBox\BJPSMAIN.EXE /logon
O4 - HKLM..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM..\Run: [Microsoft Windows Update] scvvhost.exe
O4 - HKLM..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM..\Run: [Motive SmartBridge] C:\PROGRA~1\ntl\BROADB~1\SMARTB~1\MotiveSB.exe
O4 - HKLM..\Run: [Norton Updater] navupdtr.exe
O4 - HKLM..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
O4 - HKLM..\RunServices: [Microsoft Windows Update] scvvhost.exe
O4 - HKLM..\RunServices: [Norton Updater] navupdtr.exe
O4 - HKCU..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU..\Run: [Microsoft Windows Update] scvvhost.exe
O4 - HKCU..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU..\Run: [Norton Updater] navupdtr.exe
O4 - HKCU..\RunServices: [Norton Updater] navupdtr.exe
O4 - HKLM..\RunOnce: [Microsoft Windows Update] scvvhost.exe
O4 - HKCU..\RunOnce: [Microsoft Windows Update] scvvhost.exe
O4 - Global Startup: broadband medic.lnk = C:\Program Files\ntl\broadband medic\bin\matcli.exe
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O16 - DPF: {19E28AFC-EAE3-4CE5-AC83-2407B42F57C9} (MSSecurityAdvisor Class) - http://protect.microsoft.com/security/protect/wsa/shared/CAB/x86/msSecAdv.cab?1111615260608
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1111614934515
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

Hi lightboy,

You're using a very out-of-date HijackThis, therefore it's most likely missing stuff; please use the most up-to-date one (1.99.9): http://members.home.nl/edeijl/download/hijackthis.exe

–lee

Logfile of HijackThis v1.99.1
Scan saved at 12:37:56, on 26/03/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\userinit.exe
C:\WINDOWS\Explorer.EXE
C:\Documents and Settings\Dave\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O4 - HKLM..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM..\Run: [Easy-PrintToolBox] C:\Program Files\Canon\Easy-PrintToolBox\BJPSMAIN.EXE /logon
O4 - HKLM..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM..\Run: [Microsoft Windows Update] scvvhost.exe
O4 - HKLM..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM..\Run: [Motive SmartBridge] C:\PROGRA~1\ntl\BROADB~1\SMARTB~1\MotiveSB.exe
O4 - HKLM..\Run: [Norton Updater] navupdtr.exe
O4 - HKLM..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
O4 - HKLM..\RunServices: [Microsoft Windows Update] scvvhost.exe
O4 - HKLM..\RunServices: [Norton Updater] navupdtr.exe
O4 - HKLM..\RunOnce: [Microsoft Windows Update] scvvhost.exe
O4 - HKCU..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU..\Run: [Microsoft Windows Update] scvvhost.exe
O4 - HKCU..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU..\Run: [Norton Updater] navupdtr.exe
O4 - HKCU..\RunServices: [Norton Updater] navupdtr.exe
O4 - HKCU..\RunOnce: [Microsoft Windows Update] scvvhost.exe
O4 - Global Startup: broadband medic.lnk = C:\Program Files\ntl\broadband medic\bin\matcli.exe
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1111614934515
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: Hardware Clock Driver (hwclock) - Unknown owner - C:\WINDOWS\System32\hwclock.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

This malware may use rootkit techniques to hide itself. You can
use F-Secure BlackLight Beta to scan, and if it finds something like these:

msdirectx.sys
mssl32.exe
Mqsq132.exe
SSL32Dr.exe

then rename them and reboot the system, so the hidden files should become visible.

http://www.f-secure.com/blacklight/try.shtml

I just installed and ran Kaspersky AV and it seems to have sorted it …

Hi

About your log, remove these:

O4 - HKLM..\Run: [Microsoft Windows Update] scvvhost.exe
O4 - HKLM..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM..\RunServices: [Microsoft Windows Update] scvvhost.exe
O4 - HKLM..\RunOnce: [Microsoft Windows Update] scvvhost.exe
O4 - HKCU..\Run: [Microsoft Windows Update] scvvhost.exe
O4 - HKCU..\RunOnce: [Microsoft Windows Update] scvvhost.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1111614934515

Also, I see more than one anti-virus on your system; this is a bad idea as they will conflict.

Also, I see no firewall on that system; ZoneAlarm (free) is a good start: http://download.zonelabs.com/bin/free/1012_zl/zlsSetup_55_062_011.exe

–lee

Hi Lee & lightboy,

these:
O4 - HKLM..\Run: [Norton Updater] navupdtr.exe
O4 - HKLM..\RunServices: [Norton Updater] navupdtr.exe
O4 - HKCU..\Run: [Norton Updater] navupdtr.exe
O4 - HKCU..\RunServices: [Norton Updater] navupdtr.exe

are most probably not from Norton, but rather from the Sdbot worm, which dropped the rootkit:
http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_SDBOT.AXV&VSect=T

I'd advise flattening the system and setting it up from scratch, as it's compromised and not secure anymore:

  • data backup

  • format C:

  • reinstall Windows WITHOUT going online

  • Apply XP Service Pack 2 before EVER going online, or go online only behind a properly configured firewall (which needs to be installed OFFline, too)

  • take some more care to secure your system

  • change all your passwords, PINs, Online-banking/-shopping data

read the 2nd part in link “VirusRemoval” below for more info :wink:
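The two posts above pick the bad O4 entries out of the log by eye: a value named "Microsoft Windows Update" or "Norton Updater" that points at a bare filename (no path), a name that is a near-miss of svchost.exe, and the same command sprayed across HKLM and HKCU Run, RunServices and RunOnce. Those entries are registry data, so they appear in a HijackThis log whether or not the malware process is running, which is why the Safe Mode log still showed them. The script below, an added example that is not part of the thread or of HijackThis, applies those three heuristics to O4 lines automatically. The sample log is constructed from the thread's second log; the list of imitated system binaries, the edit-distance threshold of 2 and the "three or more autorun keys" threshold are assumptions chosen for this example.

```python
"""Triage HijackThis O4 (registry autorun) entries.

Flags three traits seen in the thread's log: a bare filename with no path,
an image name that is a near-miss of a Windows system binary, and the same
image registered under several autorun keys.  Added example, not part of
the forum thread or of HijackThis.
"""
import re
from collections import defaultdict

# Constructed sample, modelled on the O4 section of the thread's second log.
SAMPLE_LOG = r"""
O4 - HKLM..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM..\Run: [Microsoft Windows Update] scvvhost.exe
O4 - HKLM..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM..\Run: [Norton Updater] navupdtr.exe
O4 - HKLM..\RunServices: [Microsoft Windows Update] scvvhost.exe
O4 - HKLM..\RunServices: [Norton Updater] navupdtr.exe
O4 - HKLM..\RunOnce: [Microsoft Windows Update] scvvhost.exe
O4 - HKCU..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU..\Run: [Microsoft Windows Update] scvvhost.exe
O4 - HKCU..\Run: [Norton Updater] navupdtr.exe
O4 - HKCU..\RunServices: [Norton Updater] navupdtr.exe
O4 - HKCU..\RunOnce: [Microsoft Windows Update] scvvhost.exe
O4 - Global Startup: broadband medic.lnk = C:\Program Files\ntl\broadband medic\bin\matcli.exe
"""

# Binaries that droppers commonly imitate (assumed list; extend as needed).
SYSTEM_BINARIES = {"svchost.exe", "services.exe", "lsass.exe", "csrss.exe",
                   "winlogon.exe", "smss.exe", "explorer.exe", "ctfmon.exe"}

# Windows 9x-only keys: NT/XP never reads them, so a legitimate XP installer
# has no reason to write there; malware spraying every known location does.
LEGACY_KEYS = {"RunServices", "RunServicesOnce"}

# Accepts both "HKLM..\Run" (as pasted in the thread) and "HKLM\..\Run".
O4_RE = re.compile(
    r"^O4 - (?P<hive>HKLM|HKCU)\\?\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")


def levenshtein(a: str, b: str) -> int:
    """Edit distance with unit cost for insert, delete and substitute."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def image_path(cmd: str) -> str:
    """Path token of a Run value: the quoted string, or the first word."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:].split('"', 1)[0]
    return cmd.split(" ", 1)[0]


def parse_o4(log_text: str):
    """Yield (hive, key, value_name, command) for registry O4 lines.
    Global Startup folder lines have a different shape and are skipped."""
    for line in log_text.splitlines():
        m = O4_RE.match(line.strip())
        if m:
            yield m["hive"], m["key"], m["name"], m["cmd"]


def triage(log_text: str) -> dict:
    """Return {image basename: sorted findings}; images with no findings are omitted."""
    locations = defaultdict(set)
    findings = defaultdict(set)
    for hive, key, _name, cmd in parse_o4(log_text):
        path = image_path(cmd)
        image = path.rsplit("\\", 1)[-1].lower()
        locations[image].add(f"{hive}\\{key}")
        if "\\" not in path:
            findings[image].add("bare filename, resolved via PATH search at logon")
        if key in LEGACY_KEYS:
            findings[image].add(f"written to Win9x-only key {key}")
        if image not in SYSTEM_BINARIES:
            for legit in sorted(SYSTEM_BINARIES):
                d = levenshtein(image, legit)
                if d <= 2:
                    findings[image].add(f"lookalike of {legit} (edit distance {d})")
    for image, locs in locations.items():
        if len(locs) >= 3:
            findings[image].add(f"registered in {len(locs)} autorun keys")
    return {image: sorted(f) for image, f in findings.items()}


if __name__ == "__main__":
    for image, notes in triage(SAMPLE_LOG).items():
        print(image)
        for note in notes:
            print("   -", note)
```

Run against the sample, scvvhost.exe collects all four findings (bare filename, Win9x-only key, svchost.exe lookalike at distance 2, five autorun keys) and navupdtr.exe three of them, while the ATI, Real and ctfmon entries, which carry full paths and appear once, are not reported. Mixer.exe is reported for its bare filename only; that is the intended behaviour, since a pathless entry needs a human to confirm which Mixer.exe the PATH search will find.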