system
March 25, 2005, 4:19pm
1
I've got lots of problems going off … and every time I reboot avast says I'm infected with
msdirectx.sys; it just keeps coming back … when I try HijackThis or Task Manager they just instantly shut down, so I can't use them … I presume whatever has infected me is doing this …
I've tried Ad-Aware, Spybot and the Microsoft spyware program and none of them can get rid of it …
I found this about it on Google …
"W32/Sdbot-PK is a member of the W32/Sdbot family of internet worms that spread by scanning for and exploiting known vulnerabilities and weakly protected accounts.
The worm connects to a remote IRC server and enables a malicious user to remotely control an infected machine.
W32/Sdbot-PK drops Troj/NtRootK-F as the file msdirectx.sys, which it employs to hide its process."
system
March 25, 2005, 4:59pm
2
If you're using XP, schedule a boot-time scan set to scan within archives (open avast > Menu (top left-hand corner) > Boot time scan).
–lee
system
March 25, 2005, 5:26pm
3
Did the boot scan; it found nothing … the file was there again though, about 5 seconds after the desktop loaded.
Did a scan with another spyware program and it said I was infected with “mugly”.
system
March 25, 2005, 7:43pm
4
Hi,
Have you tried a scan with avast in Safe Mode (F8 at boot)? Results?
Or does HijackThis work in Safe Mode? If so, please post the log here.
You can also try removing according to these instructions:
http://www.virusbtn.com/perlbin/vgrep/vgrep.cgi?terms=NtRootK-F&product=0
http://www.virusbtn.com/perlbin/vgrep/vgrep.cgi?terms=Sdbot-PK&product=0
(follow the red links, e.g. to Trend Micro, Symantec)
or try a rootkit scanner:
http://forum.avast.com/index.php?topic=12142.0
or the KAV tool:
eScan: http://www.mwti.net/antivirus/free_utilities.asp
Set the options as shown in this ->Screenshot<-
All the above tools should work better in Safe Mode.
system
March 25, 2005, 7:52pm
5
"HijackThis work in Safe Mode? If so, please post the log here:"
Actually, running HijackThis in Safe Mode is not such a good idea, as the malware most likely won't have started up yet; HijackThis is best in a normal boot.
However, all the other tools you suggested should work in Safe Mode.
–lee
system
March 25, 2005, 7:54pm
6
Hi lee,
Of course, but usually this only concerns the processes, not the startup entries, right?
system
March 25, 2005, 7:58pm
7
"Of course, but usually this only concerns the processes, not the startup entries, right?"
Hmm, good point, OK, you're right, 'Whocares'.
–lee
system
March 26, 2005, 11:58am
8
HijackThis worked in Safe Mode … this is the log …
Logfile of HijackThis v1.97.7
Scan saved at 11:56:13, on 26/03/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Documents and Settings\Dave\Desktop\HijackThis.exe
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O4 - HKLM..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM..\Run: [Easy-PrintToolBox] C:\Program Files\Canon\Easy-PrintToolBox\BJPSMAIN.EXE /logon
O4 - HKLM..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM..\Run: [Microsoft Windows Update] scvvhost.exe
O4 - HKLM..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM..\Run: [TkBellExe] “C:\Program Files\Common Files\Real\Update_OB\realsched.exe” -osboot
O4 - HKLM..\Run: [Motive SmartBridge] C:\PROGRA~1\ntl\BROADB~1\SMARTB~1\MotiveSB.exe
O4 - HKLM..\Run: [Norton Updater] navupdtr.exe
O4 - HKLM..\Run: [gcasServ] “C:\Program Files\Microsoft AntiSpyware\gcasServ.exe”
O4 - HKLM..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
O4 - HKLM..\RunServices: [Microsoft Windows Update] scvvhost.exe
O4 - HKLM..\RunServices: [Norton Updater] navupdtr.exe
O4 - HKCU..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU..\Run: [Microsoft Windows Update] scvvhost.exe
O4 - HKCU..\Run: [MsnMsgr] “C:\Program Files\MSN Messenger\MsnMsgr.Exe” /background
O4 - HKCU..\Run: [Norton Updater] navupdtr.exe
O4 - HKCU..\RunServices: [Norton Updater] navupdtr.exe
O4 - HKLM..\RunOnce: [Microsoft Windows Update] scvvhost.exe
O4 - HKCU..\RunOnce: [Microsoft Windows Update] scvvhost.exe
O4 - Global Startup: broadband medic.lnk = C:\Program Files\ntl\broadband medic\bin\matcli.exe
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O16 - DPF: {19E28AFC-EAE3-4CE5-AC83-2407B42F57C9} (MSSecurityAdvisor Class) - http://protect.microsoft.com/security/protect/wsa/shared/CAB/x86/msSecAdv.cab?1111615260608
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1111614934515
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
system
March 26, 2005, 12:26pm
9
Hi lightboy,
You're using a very out-of-date HijackThis, therefore it's most likely missing stuff; please use the most up-to-date one (1.99.9): http://members.home.nl/edeijl/download/hijackthis.exe
–lee
system
March 26, 2005, 12:39pm
10
Logfile of HijackThis v1.99.1
Scan saved at 12:37:56, on 26/03/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\userinit.exe
C:\WINDOWS\Explorer.EXE
C:\Documents and Settings\Dave\Desktop\HijackThis.exe
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O4 - HKLM..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM..\Run: [Easy-PrintToolBox] C:\Program Files\Canon\Easy-PrintToolBox\BJPSMAIN.EXE /logon
O4 - HKLM..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM..\Run: [Microsoft Windows Update] scvvhost.exe
O4 - HKLM..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM..\Run: [TkBellExe] “C:\Program Files\Common Files\Real\Update_OB\realsched.exe” -osboot
O4 - HKLM..\Run: [Motive SmartBridge] C:\PROGRA~1\ntl\BROADB~1\SMARTB~1\MotiveSB.exe
O4 - HKLM..\Run: [Norton Updater] navupdtr.exe
O4 - HKLM..\Run: [gcasServ] “C:\Program Files\Microsoft AntiSpyware\gcasServ.exe”
O4 - HKLM..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
O4 - HKLM..\RunServices: [Microsoft Windows Update] scvvhost.exe
O4 - HKLM..\RunServices: [Norton Updater] navupdtr.exe
O4 - HKLM..\RunOnce: [Microsoft Windows Update] scvvhost.exe
O4 - HKCU..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU..\Run: [Microsoft Windows Update] scvvhost.exe
O4 - HKCU..\Run: [MsnMsgr] “C:\Program Files\MSN Messenger\MsnMsgr.Exe” /background
O4 - HKCU..\Run: [Norton Updater] navupdtr.exe
O4 - HKCU..\RunServices: [Norton Updater] navupdtr.exe
O4 - HKCU..\RunOnce: [Microsoft Windows Update] scvvhost.exe
O4 - Global Startup: broadband medic.lnk = C:\Program Files\ntl\broadband medic\bin\matcli.exe
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1111614934515
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: Hardware Clock Driver (hwclock) - Unknown owner - C:\WINDOWS\System32\hwclock.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
system
March 26, 2005, 1:00pm
11
This malware may use rootkit techniques to hide itself. You can
use F-Secure BlackLight Beta to scan, and if it finds something like these:
msdirectx.sys
mssl32.exe
Mqsq132.exe
SSL32Dr.exe
then rename them and reboot the system, so the hidden files should become visible.
http://www.f-secure.com/blacklight/try.shtml
system
March 26, 2005, 1:36pm
12
I just installed and ran Kaspersky AV and it seems to have sorted it …
system
March 26, 2005, 2:02pm
13
Hi
About your log, remove these:
O4 - HKLM..\Run: [Microsoft Windows Update] scvvhost.exe
O4 - HKLM..\Run: [TkBellExe] “C:\Program Files\Common Files\Real\Update_OB\realsched.exe” -osboot
O4 - HKLM..\RunServices: [Microsoft Windows Update] scvvhost.exe
O4 - HKLM..\RunOnce: [Microsoft Windows Update] scvvhost.exe
O4 - HKCU..\Run: [Microsoft Windows Update] scvvhost.exe
O4 - HKCU..\RunOnce: [Microsoft Windows Update] scvvhost.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1111614934515
Also, I see more than one anti-virus on your system; this is a bad idea, as they will conflict.
Also, I see no firewall on that system; ZoneAlarm (free) is a good start: http://download.zonelabs.com/bin/free/1012_zl/zlsSetup_55_062_011.exe
–lee
system
March 26, 2005, 6:49pm
14
Hi Lee & lightboy,
these:
O4 - HKLM..\Run: [Norton Updater] navupdtr.exe
O4 - HKLM..\RunServices: [Norton Updater] navupdtr.exe
O4 - HKCU..\Run: [Norton Updater] navupdtr.exe
O4 - HKCU..\RunServices: [Norton Updater] navupdtr.exe
are most probably not from Norton, but rather from the Sdbot worm, which dropped the rootkit:
http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_SDBOT.AXV&VSect=T
I'd advise flattening the system and setting it up from scratch, as it's compromised and not secure anymore:
data backup
format C:
reinstall Windows WITHOUT going online
apply XP Service Pack 2 before EVER going online, or only go online behind a properly configured firewall (which needs to be installed OFFline, too)
take some more care to secure your system
change all your passwords, PINs, Online-banking/-shopping data
read the 2nd part in link “VirusRemoval” below for more info