i'm having a prob now..ermz..msdiretx.sys keeps popping up on my avg nti virus software.what should i do about it?i deleted it,n it comes back.i've tried to search for the .exe file(msnt.exe,sdkcore.exe)..but i can find nothing!!this is driving me nuts..n i cant clear the viruses from my com.they keep comin back!!n sometimes,i will be disconnected from the internet automatically!!is there any way to slove my prob?i use lavasoft ad-aware n spybot S&D.but they cud search nothing.n yes,i update them everytime but they still can solve the prob.is msdirectx.sys the cause of all this probs?i found other malware/adwares(50cent.exe,unvise32qt.exe,mmwho.exe) in com n deleted it manually.and can anyone tell me what is xpjava.exe?

Logfile of HijackThis v1.99.1
Scan saved at 9:59:01 PM, on 6/26/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\System32\xpjava.exe
D:\WINDOWS\Explorer.EXE
D:\WINDOWS\system32\spoolsv.exe
D:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
D:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\System32\rune.pif
D:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
D:\Documents and Settings\yik yang.ITWISE\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = https://login.passport.com/resetpw.srf?lc=1033
F2 - REG:system.ini: UserInit=userinit.exe,xpjava.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - D:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [Regmgr] scvhost.exe
O4 - HKLM\..\Run: [Microsoftf DDEs ContDLL] rune.pif
O4 - HKLM\..\Run: [AVG7_EMC] D:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\RunServices: [Regmgr] scvhost.exe
O4 - HKLM\..\RunServices: [Microsoftf DDEs ContrDL] runm.pif
O4 - HKLM\..\RunServices: [Microsoftf DDEs ContDLL] rune.pif
O12 - Plugin for .spop: D:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - D:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - D:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe



anything wrong with this??

Hi yikyang, welcome to DaniWeb

Is that a complete log scanned while in 'normal' mode (not Safe Mode)? It looks very short.

Right-click in an empty area of your desktop and select New, Folder; give the folder a name (like HJT or HijackThis), and then drag the hijackthis.exe icon that is on your desktop into the new folder.

Xpjava.exe is part of a worm, scan with hijackthis and have it fix this entry:

F2 - REG:system.ini: UserInit=userinit.exe,xpjava.exe

Close any open windows, other then hijackthis, and hit Fix checked.

Do a search for xpjava.exe and delete any entries found.

Msdiretx.sys is probably a malacious driver, but I don't see it in your log.

Download and run Silent Runners.vbs -- http://www.silentrunners.org/. Post the information from the log it generates in your next reply.

Empty your Recycle Bin, reboot, close any open browser windows, scan with hijackthis, and post the entire log along with the Silent Runners log.

what's this??


Moderator's edit: yikyang, you posted the actual Silent Runners program code instead of the log file. :o

I've deleted the code from this post for readability; it made the post about 4 pages long. :cheesy:

1. dlh6213 is right- your log does look a bit short. If you did run the HijackThis scan in Safe Mode, please run HJT while booted into Windows normally and give us that log.


2. In terms of the Silent Runners program, you need to right-click on the download link and then choose the "Save target as..." menu option to save the file into a folder on your computer.

Once you've done that, double-click on the Silent Runners.vbs file to run it. The script will take a little while to run, and you won't see anything happening while it does. When it finishes running, it will display a message telling you where it saved the log file. You need to then open that log file in Windows Notepad and copy-n-paste the full text of the log file into a post here.


3. Your log shows signs of at least three worm infections:

- A W32/Sdbot variant, which is responsible for msdirectx.sys and friends.

- A W32/Agobot variant, indicated by the O4 - HKLM\..\RunServices: [Regmgr] scvhost.exe log entry.

- A W32/Rbot variant, indicated by the runm.pif and rune.pif log entries.


Since AVG isn't able to remove those infections, I suggest you run these free online anti-virus/anti-spyware scans and see if they can clean things up a bit:

http://www.kaspersky.com/scanforvirus.html
http://housecall.trendmicro.com/
http://us.mcafee.com/root/mfs/default.asp?cid=9914
http://www.pandasoftware.com/active...n_principal.htm
http://www.ravantivirus.com/scan/
http://www.bitdefender.com/scan/licence.php


For the msdirectx.sys infection, you can also try Microsoft's removal instructions here:

http://support.microsoft.com/?scid=kb;en-us;897079


4. Once you do the above, give us a new HijackThis log, the Silent Runners log, and any report logs that the online scanners might have generated.

Thanks DMR, a lot of good info there

But unless yikyang mistyped, he doesn't have msdirectx.sys, he has msdiretx.sys; do you know if it's related or if the MS fix will work for it?

haha..i mistype it really..its msdirectx.sys not msdiretx.sys!!sorry..haha..ok..thanks guys..i'll try..but the microsoft removal doesn't fix my prob.

"Silent Runners.vbs", revision 39, http://www.silentrunners.org/
Operating System: Windows XP
Output limited to non-default values, except where indicated by "{++}"


Startup items buried in registry:
---------------------------------

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"Spyware Doctor" = ""D:\Program Files\Spyware Doctor\swdoctor.exe" /Q" ["PCTools"]
"Yahoo! Pager" = "D:\Program Files\Yahoo!\Messenger\ypager.exe -quiet" ["Yahoo! Inc."]
"Windows Media Player" = "mcafe32.exe" [file not found]
"Regmgr" = "scvhost.exe" [file not found]
"Norton Personal Firewall" = "lah.exe" [file not found]
"NAV Auto Protect" = "navprotect.exe" [file not found]
"MsnMsgr" = ""D:\Program Files\MSN Messenger\MsnMsgr.Exe" /background" [MS]
"MSMSGS" = ""D:\Program Files\Messenger\msmsgs.exe" /background" [MS]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"Regmgr" = "scvhost.exe" [file not found]
"Microsoftf DDEs ContDLL" = "rune.pif" [null data]
"AVG7_EMC" = "D:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe" ["GRISOFT, s.r.o."]
"Yahoo Messenger" = "YPager.EXE" [null data]
"PPPOEOE" = "winlite.exe" [file not found]
"NeroCheck" = "D:\WINDOWS\system32\NeroCheck.exe" ["Ahead Software Gmbh"]
"Microsoftf DDEs ContrDL" = "runm.pif" [null data]
"McAfee Windows Protection" = "mcafee32.exe" [null data]
"InCD" = "D:\Program Files\Ahead\InCD\InCD.exe" [null data]
"HPDJ Taskbar Utility" = "D:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe" ["HP"]
"Compaq32 Service Drivers" = "msconfig32.exe" [null data]
"AVG7_CC" = "D:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP" ["GRISOFT, s.r.o."]
"msci" = "D:\DOCUME~1\YIKYAN~1.ITW\LOCALS~1\Temp\200562817262_mcinfo.exe /insfin" ["McAfee, Inc"]

HKLM\Software\Microsoft\Active Setup\Installed Components\
{306D6C21-C1B6-4629-986C-E59E1875B8AF}\(Default) = (no title provided)
\StubPath = ""D:\WINDOWS\System32\rundll32.exe" "D:\Program Files\Messenger\msgsc.dll",ShowIconsUser" [MS]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = "AcroIEHlprObj Class" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "D:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx" [empty string]
{53707962-6F74-2D53-2644-206D7942484F}\(Default) = (no title provided)
-> {CLSID}\InProcServer32\(Default) = "D:\PROGRA~1\SPYBOT~1\SDHelper.dll" ["Safer Networking Limited"]
{5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB}\(Default) = "PCTools Site Guard" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "D:\PROGRA~1\SPYWAR~2\tools\iesdsg.dll" ["PC Tools"]
{B56A7D7D-6927-48C8-A975-17DF180C71AC}\(Default) = "PCTools Browser Monitor" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "D:\PROGRA~1\SPYWAR~2\tools\iesdpb.dll" ["GuideWorks Pty. Ltd."]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Display Panning CPL Extension"
-> {CLSID}\InProcServer32\(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "HyperTerminal Icon Ext"
-> {CLSID}\InProcServer32\(Default) = "D:\WINDOWS\System32\hticons.dll" ["Hilgraeve, Inc."]
"{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}" = "AVG7 Shell Extension"
-> {CLSID}\InProcServer32\(Default) = "D:\Program Files\Grisoft\AVG Free\avgse.dll" ["GRISOFT, s.r.o."]
"{9F97547E-460A-42C5-AE0C-81C61FFAEBC3}" = "AVG7 Find Extension"
-> {CLSID}\InProcServer32\(Default) = "D:\Program Files\Grisoft\AVG Free\avgse.dll" ["GRISOFT, s.r.o."]
"{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"
-> {CLSID}\InProcServer32\(Default) = "D:\Program Files\WinRAR\rarext.dll" [null data]
"{771A9DA0-731A-11CE-993C-00AA004ADB6C}" = "VBPropSheet"
-> {CLSID}\InProcServer32\(Default) = "D:\Program Files\Trend Micro\PC-cillin 2002\VBProp.dll" ["Trend Micro Inc."]

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\
INFECTION WARNING! "Shell" = "Explorer.exe mcafee32.exe" [MS], [null data]
INFECTION WARNING! "Userinit" = "userinit.exe,xpjava.exe" [MS], [null data]

HKLM\Software\Classes\*\shellex\ContextMenuHandlers\
AVG7 Shell Extension\(Default) = "{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}"
-> {CLSID}\InProcServer32\(Default) = "D:\Program Files\Grisoft\AVG Free\avgse.dll" ["GRISOFT, s.r.o."]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {CLSID}\InProcServer32\(Default) = "D:\Program Files\WinRAR\rarext.dll" [null data]

HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {CLSID}\InProcServer32\(Default) = "D:\Program Files\WinRAR\rarext.dll" [null data]

HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\
AVG7 Shell Extension\(Default) = "{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}"
-> {CLSID}\InProcServer32\(Default) = "D:\Program Files\Grisoft\AVG Free\avgse.dll" ["GRISOFT, s.r.o."]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {CLSID}\InProcServer32\(Default) = "D:\Program Files\WinRAR\rarext.dll" [null data]


Active Desktop and Wallpaper:
-----------------------------

Active Desktop is disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

HKCU\Control Panel\Desktop\
"Wallpaper" = "D:\Documents and Settings\yik yang.ITWISE\Local Settings\Application Data\Microsoft\Wallpaper1.bmp"


Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

Transport Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 13
%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05


Toolbars, Explorer Bars, Extensions:
------------------------------------

Extensions (Tools menu items, main toolbar menu buttons)

HKLM\Software\Microsoft\Internet Explorer\Extensions\
{2D663D1A-8670-49D9-A1A5-4C56B4E14E84}\
"ButtonText" = "Spyware Doctor"
"CLSIDExtension" = "{A1EDC4A1-940F-48E0-8DFD-E38F1D501021}"
-> {CLSID}\InProcServer32\(Default) = "D:\PROGRA~1\SPYWAR~2\tools\iesdpb.dll" ["GuideWorks Pty. Ltd."]


Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------

AVG7 Alert Manager Server, Avg7Alrt, "D:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe" ["GRISOFT, s.r.o."]
AVG7 Update Service, Avg7UpdSvc, "D:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe" ["GRISOFT, s.r.o."]


----------
+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
+ The search for DESKTOP.INI DLL launch points on all local fixed drives
took 100 seconds.
+ The search for all Registry CLSIDs containing dormant Explorer Bars
took 31 seconds.
---------- (total run time: 219 seconds)

Logfile of HijackThis v1.99.1
Scan saved at 5:37:28 PM, on 6/28/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\csrss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\System32\xpjava.exe
D:\WINDOWS\Explorer.EXE
D:\WINDOWS\system32\spoolsv.exe
D:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
D:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\System32\rune.pif
D:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
D:\WINDOWS\System32\YPager.EXE
D:\WINDOWS\System32\runm.pif
D:\WINDOWS\System32\mcafee32.exe
D:\Program Files\Ahead\InCD\InCD.exe
D:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
D:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
D:\DOCUME~1\YIKYAN~1.ITW\LOCALS~1\Temp\200562817262_mcinfo.exe
D:\Program Files\Spyware Doctor\swdoctor.exe
D:\Program Files\MSN Messenger\MsnMsgr.Exe
D:\Program Files\Messenger\msmsgs.exe
D:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
D:\Documents and Settings\yik yang.ITWISE\Desktop\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = https://login.passport.com/resetpw.srf?lc=1033
F2 - REG:system.ini: Shell=Explorer.exe mcafee32.exe
F2 - REG:system.ini: UserInit=userinit.exe,xpjava.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - D:\PROGRA~1\SPYWAR~2\tools\iesdsg.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - D:\PROGRA~1\SPYWAR~2\tools\iesdpb.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - D:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [Regmgr] scvhost.exe
O4 - HKLM\..\Run: [Microsoftf DDEs ContDLL] rune.pif
O4 - HKLM\..\Run: [AVG7_EMC] D:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [Yahoo Messenger] YPager.EXE
O4 - HKLM\..\Run: [PPPOEOE] winlite.exe
O4 - HKLM\..\Run: [NeroCheck] D:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Microsoftf DDEs ContrDL] runm.pif
O4 - HKLM\..\Run: [McAfee Windows Protection] mcafee32.exe
O4 - HKLM\..\Run: [InCD] D:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] D:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [Compaq32 Service Drivers] msconfig32.exe
O4 - HKLM\..\Run: [AVG7_CC] D:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [msci] D:\DOCUME~1\YIKYAN~1.ITW\LOCALS~1\Temp\200562817262_mcinfo.exe /insfin
O4 - HKLM\..\RunServices: [Microsoftf DDEs ContrDL] runm.pif
O4 - HKLM\..\RunServices: [Microsoftf DDEs ContDLL] rune.pif
O4 - HKLM\..\RunServices: [Yahoo Messenger] YPager.EXE
O4 - HKCU\..\Run: [Spyware Doctor] "D:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - HKCU\..\Run: [Yahoo! Pager] D:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [Windows Media Player] mcafe32.exe
O4 - HKCU\..\Run: [Regmgr] scvhost.exe
O4 - HKCU\..\Run: [Norton Personal Firewall] lah.exe
O4 - HKCU\..\Run: [NAV Auto Protect] navprotect.exe
O4 - HKCU\..\Run: [MsnMsgr] "D:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [MSMSGS] "D:\Program Files\Messenger\msmsgs.exe" /background
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - D:\PROGRA~1\SPYWAR~2\tools\iesdpb.dll
O12 - Plugin for .spop: D:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - D:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - D:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: PC-cillin PersonalFirewall (PCCPFW) - Trend Micro Inc. - D:\Program Files\Trend Micro\PC-cillin 2002\PCCPFW.exe
O23 - Service: Trend NT Realtime Service (Tmntsrv) - Trend Micro Inc. - D:\Program Files\Trend Micro\PC-cillin 2002\Tmntsrv.exe

i enable all startup process n scanned wit HJT again...thats the result..i dunno how to get rid of most of the WARES there..help me pls!!online scanner din fix my prob.HELP!!thanks in advance!