
I guess I have a W32/Sdbot-ADD worm on my computer. There's other stuff too, though, so it took a while to pinpoint it. At first, I thought it was just Hacktool.rootkit, which Norton kept finding but was unable to delete. Then I noticed a lockx.exe in my Processes, did a search on that, and found it was this worm. Anyway, it seems to be letting other stuff onto my computer, because Adaware and Spybot scans keep finding stuff they just fixed earlier in the day.

I initially started having problems when I clicked on a link I got in an IM message. I'm usually careful about stuff like that, but I guess I wasn't thinking (and I didn't notice until later that the person was idle at the time I received the IM from them). Let this be a lesson to everyone!

The only thing I really know is that this worm is living in c:\msdirectx.sys, and I can't delete this file. Here's my huge HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 12:47:31 AM, on 9/19/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\csrss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\S24EvMon.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\ZCfgSvc.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINNT\system32\NWTRAY.EXE
C:\Program Files\Dcdjcmu\Wipbhx.exe
C:\WINNT\system32\lockx.exe
C:\WINNT\etb\pokapoka69.exe
C:\Program Files\AWS\WeatherBug\Weather.exe
C:\WINNT\system32\ctfmon.exe
c:\winnt\system32\win\palsp.exe
C:\Program Files\Cisco Systems\Clean Access Agent\CCAAgent.exe
C:\WINNT\System32\Ati2evxx.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\system32\drivers\KodakCCS.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINNT\System32\RegSrvc.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\WINNT\System32\RoamMgr.exe
C:\WINNT\System32\ScsiAccess.EXE
C:\WINNT\System32\wdfmgr.exe
C:\Program Files\Intel\Switching\User\RoamSvc.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINNT\system32\win\palsp.exe
C:\Program Files\Messenger\msmsgs.exe
C:\PROGRA~1\MI1933~1\Office10\OUTLOOK.EXE
C:\Program Files\Microsoft Office\Office10\WINWORD.EXE
C:\Program Files\Microsoft Works\MSWorks.exe
C:\Program Files\AIM\aim.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\taskmgr.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.yoursearchspace.com/sp2.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.yoursearchspace.com/sp2.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.yoursearchspace.com/sp2.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.yoursearchspace.com/sp2.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = https://customer.symantec.com/NASApp/web/PlsqlServlet/su_substatus.picklang?p_contact_id=481044005&p_checksum=4F4830C0&p_vendor_id=&p_vendor_tag=
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 127.0.0.1:20001
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [NWTRAY] NWTRAY.EXE
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [Zzjicy] C:\Program Files\Dcdjcmu\Wipbhx.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [stratas] lockx.exe
O4 - HKLM\..\Run: [System service68] C:\WINNT\\etb\pokapoka68.exe
O4 - HKLM\..\Run: [System service69] C:\WINNT\etb\pokapoka69.exe
O4 - HKLM\..\Run: [Boarddata] c:\winnt\system32\win\repcale.exe c:\winnt\system32\win\palsp.exe
O4 - HKLM\..\Run: [MSConfig] C:\WINNT\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\RunServices: [stratas] lockx.exe
O4 - HKLM\..\RunOnce: [MicrosoftAntiSpywareCleaner] C:\Program Files\Microsoft AntiSpyware\gcASCleaner.exe
O4 - HKCU\..\Run: [Weather] C:\Program Files\AWS\WeatherBug\Weather.exe 1
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINNT\system32\ctfmon.exe
O4 - HKCU\..\Run: [stratas] lockx.exe
O4 - Startup: Clean Access Agent.lnk = C:\Program Files\Cisco Systems\Clean Access Agent\CCAAgent.exe
O4 - Startup: PictureShare.net Startup.lnk = C:\Program Files\PictureShare\PSClient.exe
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\System32\msjava.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\PROGRA~1\AWS\WEATHE~1\Weather.exe (HKCU)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: Yahoo! Euchre - http://download.games.yahoo.com/games/clients/y/et1_x.cab
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {0F04992B-E661-4DB9-B223-903AB628225D} (DoMoreRunExe.DoMoreRun) - file://C:\Program Files\Gateway\Do More\DoMoreRunExe.CAB
O16 - DPF: {511073AD-BE56-4D43-AE68-93390514385E} (TechToolsActivex.TechTools) - file://C:\Program Files\gateway\helpspot\TechTools.CAB
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://207.188.7.150/06ae547b9962e977b716/netzip/RdxIE601.cab
O16 - DPF: {739E8D90-2F4C-43AD-A1B8-66C356FCEA35} (RunExeActiveX.RunExe) - file://C:\Program Files\gateway\helpspot\RunExeActiveX.CAB
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5free/asinst.cab
O20 - Winlogon Notify: Sebring - C:\WINNT\System32\LgNotify.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINNT\System32\Ati2evxx.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: crvlwexhauyg (fuczesyj6) - Unknown owner - C:\WINNT\system32\nrryyxlz6.exe (file missing)
O23 - Service: Adapter Switching (IntelRoam) - Intel Corporation - C:\Program Files\Intel\Switching\User\RoamSvc.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINNT\system32\drivers\KodakCCS.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: RegSrvc - Intel Corporation - C:\WINNT\System32\RegSrvc.exe
O23 - Service: RoamMgr - Intel Corporation - C:\WINNT\System32\RoamMgr.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\WINNT\System32\S24EvMon.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: ScsiAccess - Unknown owner - C:\WINNT\System32\ScsiAccess.EXE
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

Any help or advice would be appreciated. Thanks.
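As an added example that is not part of this thread: a small Python triage script that scores HijackThis lines on the indicators visible in the log above and singled out in the replies below (an autorun value with a bare file name and no path, a RunServices entry, the same executable registered in several autorun keys, a service whose binary is missing, a browser proxy set to the local machine, and random-looking folder or file names). The sample lines are copied from the log; the point weights and the flag threshold of 2 are my own choices, not anything HijackThis itself computes.

```python
"""Triage a HijackThis log: score each line on indicators a reviewer looks for."""
import re
from collections import Counter
from dataclasses import dataclass, field

# Constructed sample: lines copied from the HijackThis log in the post above,
# with two clean vendor entries (Synaptics, Norton) included as controls.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 127.0.0.1:20001
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [Zzjicy] C:\Program Files\Dcdjcmu\Wipbhx.exe
O4 - HKLM\..\Run: [stratas] lockx.exe
O4 - HKLM\..\Run: [System service69] C:\WINNT\etb\pokapoka69.exe
O4 - HKLM\..\RunServices: [stratas] lockx.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINNT\system32\ctfmon.exe
O4 - HKCU\..\Run: [stratas] lockx.exe
O23 - Service: crvlwexhauyg (fuczesyj6) - Unknown owner - C:\WINNT\system32\nrryyxlz6.exe (file missing)
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
"""

O4_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O23_RE = re.compile(r"^O23 - Service: (?P<display>.+?)(?: \((?P<short>[^)]*)\))? - (?P<owner>.+?) - "
                    r"(?P<path>.+?)(?P<missing> \(file missing\))?$")
R_RE = re.compile(r"^R[01] - (?P<key>.+?),(?P<value>[^,=]+?) = (?P<data>.*)$")
EXE_RE = re.compile(r'^"?(?P<path>[^"]+?\.exe)"?', re.IGNORECASE)
FLAG_THRESHOLD = 2  # my choice: two points or more gets reported


@dataclass
class Finding:
    line: str
    score: int = 0
    reasons: list = field(default_factory=list)

    def add(self, points, reason):
        self.score += points
        self.reasons.append(reason)


def looks_random(name):
    """Crude gibberish test: six or more letters with under 20% vowels (y counted).
    Noisy on vendor abbreviations, so it is only ever worth one point."""
    letters = re.sub(r"[^A-Za-z]", "", name).lower()
    if len(letters) < 6:
        return False
    return sum(c in "aeiouy" for c in letters) / len(letters) < 0.2


def first_executable(cmd):
    """The (possibly quoted) program path at the start of an autorun command."""
    m = EXE_RE.match(cmd.strip())
    return m.group("path") if m else cmd.strip()


def name_parts(path):
    """(parent folder name, file stem) of a Windows path; folder is '' for a bare name."""
    parts = path.split("\\")
    stem = re.sub(r"\.exe$", "", parts[-1], flags=re.IGNORECASE)
    return (parts[-2] if len(parts) > 1 else ""), stem


def triage(log_text):
    lines = [l.strip() for l in log_text.strip().splitlines() if l.strip()]
    # How many autorun locations launch the same executable (redundant persistence).
    hits = Counter(first_executable(m.group("cmd")).lower()
                   for m in map(O4_RE.match, lines) if m)
    findings = []
    for line in lines:
        f = Finding(line)
        if m := O4_RE.match(line):
            exe = first_executable(m.group("cmd"))
            folder, stem = name_parts(exe)
            if "\\" not in exe:
                f.add(2, "bare executable name, resolved via the search path, not a fixed location")
            if m.group("key").lower() == "runservices":
                f.add(2, "RunServices key (legacy autorun that modern software almost never uses)")
            if hits[exe.lower()] > 1:
                f.add(1, f"same executable registered in {hits[exe.lower()]} autorun locations")
            if looks_random(folder):
                f.add(1, f"random-looking folder name '{folder}'")
            if looks_random(stem):
                f.add(1, f"random-looking file name '{stem}'")
        elif m := O23_RE.match(line):
            if m.group("missing"):
                f.add(2, "service binary is missing (leftover or self-deleting component)")
            if m.group("owner").lower() == "unknown owner":
                f.add(1, "no publisher recorded for the service")
            if looks_random(name_parts(m.group("path"))[1]):
                f.add(1, "random-looking service binary name")
            if m.group("short") and looks_random(m.group("short")):
                f.add(1, f"random-looking service name '{m.group('short')}'")
        elif m := R_RE.match(line):
            if (m.group("value").lower() == "proxyserver"
                    and re.match(r"^(127\.|localhost)", m.group("data").strip(), re.IGNORECASE)):
                f.add(2, "browser proxy points at the local machine: a local process relays all web traffic")
        if f.score >= FLAG_THRESHOLD:
            findings.append(f)
    findings.sort(key=lambda x: -x.score)  # stable, so ties keep log order
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.score}] {f.line}")
        for r in f.reasons:
            print(f"      - {r}")
```

The top-scoring lines are the ones the third reply singles out (lockx.exe in three autorun keys, the Wipbhx.exe entry under a gibberish folder, the crvlwexhauyg service with a missing binary) plus the 127.0.0.1:20001 proxy, which the thread does not comment on but which means something on the machine is sitting between the browser and the network. Note that pokapoka69.exe passes every structural check (a plain path, a pronounceable name), which is why reading the whole log by hand still matters; the name heuristic is deliberately worth a single point because it also fires on legitimate vendor abbreviations such as SynTPLpr and ctfmon.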

2 contributors, 3 replies, 4 views; discussion span 12 years; last post by hjsqueiroz.

First of all, knowing MS-DOS will be helpful; otherwise you have to deal with Windows in Safe Mode to kill this bug. I spent all my morning with the same problem and it was successfully removed.

In MS-DOS mode, you have to delete the file c:\msdirectx.sys and try to find lockx.exe and ps2.exe, located in the Windows folder; they may be hidden, so delete them also, but you have to use the attrib command to show them again in order to delete them. Also there is a folder under Windows called ETB that has several files in it, like pokapoka69.exe and other *.ini and *.dll files, but these files don't show up even using the attrib command, because they have a clever DLL that hides these files from any OS; in DOS mode, though, you can see them and you can also delete them.

In Safe Mode you need to use the MSCONFIG command to remove the running programs pokapoka69.exe, lockx.exe and ps2.exe from startup.

Also, you can use Trend Micro Scan Online (always in Safe Mode) or Stinger (McAfee), and make sure that System Restore is off; otherwise you are going to invite this bug to come back again and again.
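An added example, not the poster's: the file and startup cleanup from the reply above as a cmd.exe batch file. It assumes "Safe Mode with Command Prompt" on this Windows XP machine (so %SystemRoot% is C:\WINNT), not a real DOS boot disk, where command.com would not accept the multi-line for/if blocks. The file and value names are the ones named in this thread, and the reg delete lines replace the MSCONFIG step with the registry values from the log; a file that is still loaded (the rootkit driver) will survive the del and needs the DOS-boot route the reply describes.

```batch
@echo off
rem Added example (not the poster's): cleanup from the reply above, for cmd.exe in
rem "Safe Mode with Command Prompt". Names come from this thread; adjust to your log.
setlocal

echo == Contents of %SystemRoot%\etb, including hidden and system files ==
dir /a "%SystemRoot%\etb"

echo == Clearing attributes and deleting the files named in the thread ==
for %%F in ("C:\msdirectx.sys" "%SystemRoot%\system32\lockx.exe" "%SystemRoot%\system32\ps2.exe" "%SystemRoot%\etb\pokapoka69.exe") do (
    if exist %%F (
        attrib -s -h -r %%F
        del /f %%F
        if exist %%F (echo STILL PRESENT: %%F - in use or protected; delete it from a DOS boot disk as the reply says) else (echo removed: %%F)
    ) else (
        echo not found: %%F
    )
)

echo == Removing the autorun values that relaunch them; this is the MSCONFIG step ==
for %%K in ("HKLM\Software\Microsoft\Windows\CurrentVersion\Run" "HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices" "HKCU\Software\Microsoft\Windows\CurrentVersion\Run") do (
    reg delete %%K /v stratas /f
)
reg delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "System service68" /f
reg delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "System service69" /f

echo Done. Reboot into Safe Mode, rescan, and re-run HijackThis to confirm the O4 entries are gone.
endlocal
```

Run the registry part before rebooting, because the reply's own finding was that the files could not be deleted until the startup entries had been unchecked; reg.exe reports an error for a value that is already gone, which is harmless.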


Thank you so much! It seems to be fixed now. I went into DOS and deleted msdirectx.sys, and I couldn't delete the other files (even in DOS) until I unchecked those programs in the Startup menu in Safe Mode. I never found a ps2.exe, so I guess that was already gone...

The only problem now is that when I start my computer, once Windows loads, a message pops up titled "System Error" that says "Unable to open dialog." I'm not sure what this is referring to or how to fix it... (This was popping up before I followed your instructions, so it's not a result of anything you said I should do.)

Thank you again for your help!


I forgot to mention some *.bat files in the root "C:\" that disable the firewall and other important services that would prevent the spread of viruses and other spyware. It is not autoexec.bat (do not delete that one, even if it is clean), but others that you don't usually see on the PC. Just edit them (do not execute them! Always preview or edit first.)
On www.sysinternals.com there are lots of programs that you can download for free, and you will be able to do some analysis of your computer and see exactly what is running in real time. Good luck!

Also, based on your HijackThis log, I can see some other problems that you might want to take a closer look at after a while.

C:\Program Files\Dcdjcmu\Wipbhx.exe (it is suspicious to me, unless you know something about it.)

O4 - HKLM\..\Run: [Zzjicy] C:\Program Files\Dcdjcmu\Wipbhx.exe

O23 - Service: crvlwexhauyg (fuczesyj6) - Unknown owner - C:\WINNT\system32\nrryyxlz6.exe (file missing)

See if you can find any info about it by searching in C:\ /S (subdirectories) and also in the Registry using REGEDIT (be careful: any mistake could cause a tragedy!!!)
