Hi,
I have taken some of the initial steps to remove this Hacktool.Rootkit infection on my machine. I have posted below the log from the run of HijackThis. While I did reboot and did not have IE open just before running HijackThis, I did have NAV running and wanted to confirm that this is not a problem. I really appreciate the help of the experts on this forum.

The resulting log is pasted below:


Logfile of HijackThis v1.99.1
Scan saved at 12:59:20 PM, on 7/4/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\System32\atiptaxx.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Dell\AccessDirect\dadapp.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Dell\AccessDirect\DadTray.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\CASIO\PC Connect for CASSIOPEIA\pclstart.exe
C:\Program Files\UltimateZip 2.7\uzqkst.exe
C:\Program Files\LocalNet Express 2.0\PropelAC.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dellnet.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dellnet.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.earthlink.net/partner/more/msie/button/search.html
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dellnet.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=localhost:8080
F2 - REG:system.ini: Shell=Explorer.exe sysmon32.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: IE_PopupBlocker Class - {656EC4B7-072B-4698-B504-2A414C1F0037} - C:\Program Files\LocalNet Express 2.0\prpl_IePopupBlocker.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [DadApp] C:\Program Files\Dell\AccessDirect\dadapp.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [MoneyStartUp10.0] "C:\Program Files\Microsoft Money\System\Activation.exe"
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [ConMgr.exe] "C:\Program Files\EarthLink 5.0\ConMgr.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [Propel Accelerator] "C:\Program Files\LocalNet Express 2.0\trayctl.exe" /STARTUPLAUNCH
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Startup: PowerReg Scheduler V3.exe
O4 - Startup: UltimateZip Quick Start.lnk = C:\Program Files\UltimateZip 2.7\uzqkst.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: PC Connect for CASSIOPEIA starter.lnk = ?
O8 - Extra context menu item: Allow pop-ups from this site - C:\Program Files\LocalNet Express 2.0\pac-addwl.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Refresh Pa&ge with Full Quality - C:\Program Files\LocalNet Express 2.0\pac-page.html
O8 - Extra context menu item: Refresh Pi&cture with Full Quality - C:\Program Files\LocalNet Express 2.0\pac-image.html
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
O23 - Service: WLTRYSVC - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE


Thanks!!
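As an added example, not part of the original thread and not a tool the forum helpers used, here is a small Python triage script for the kinds of HijackThis entries that matter in the log above: the F2 Shell= line that starts a second program alongside Explorer.exe at every logon, the R1 proxy setting that points the browser at the local machine, O4 autostarts whose executable does not appear in the running-process list, and O23 services with no publisher. The sample log is a constructed excerpt modelled on the one posted above; the severity scale and the section layout the parser expects (a "Running processes:" block ended by a blank line, then "Kind - body" entries) are assumptions of this script, not anything HijackThis documents.

```python
"""Triage helper for HijackThis v1.99 logs.

Added example, not part of the original thread. It only understands the
entry kinds it checks (F2, R1 proxy, O4, O23); everything else is ignored.
"""
import re
from typing import List, NamedTuple, Set, Tuple


class Finding(NamedTuple):
    severity: str  # "high", "medium" or "low" (this script's own scale)
    line: str      # the log line that produced the finding
    reason: str


# "R1 - ...", "F2 - ...", "O23 - ..." and so on.
ENTRY_RE = re.compile(r"^(?P<kind>[RFO]\d+) - (?P<body>.*)$")
# Bare file names ending in .exe; quotes, brackets, path separators and
# "key=" prefixes are excluded so only the basename is captured.
EXE_RE = re.compile(r'([^"\[\\\s=]+\.exe)\b', re.IGNORECASE)


def parse_log(text: str) -> Tuple[Set[str], List[Tuple[str, str, str]]]:
    """Return (running-process basenames, [(kind, body, full line), ...])."""
    running: Set[str] = set()
    entries: List[Tuple[str, str, str]] = []
    in_procs = False
    for raw in text.splitlines():
        line = raw.strip()
        if line.lower() == "running processes:":
            in_procs = True
            continue
        if in_procs:
            if line:
                running.add(line.rsplit("\\", 1)[-1].lower())
            else:
                in_procs = False  # blank line closes the process list
            continue
        m = ENTRY_RE.match(line)
        if m:
            entries.append((m.group("kind"), m.group("body"), line))
    return running, entries


def exe_names(body: str) -> List[str]:
    """Lower-cased basenames of every *.exe mentioned in an entry body."""
    return [n.lower() for n in EXE_RE.findall(body)]


def triage(text: str) -> List[Finding]:
    running, entries = parse_log(text)
    findings: List[Finding] = []
    for kind, body, line in entries:
        low = body.lower()
        if kind == "F2" and low.startswith("reg:system.ini: shell="):
            # Winlogon's Shell value should be exactly Explorer.exe; anything
            # appended to it is launched at every interactive logon.
            extra = [n for n in exe_names(body) if n != "explorer.exe"]
            if extra:
                findings.append(Finding(
                    "high", line,
                    "Winlogon Shell also launches: " + ", ".join(extra)))
        elif kind == "R1" and "proxyserver" in low:
            # A proxy on the local machine may be a legitimate accelerator,
            # but it is also how malware interposes on browser traffic, so
            # it is flagged for review rather than called malicious.
            if re.search(r"localhost|127\.0\.0\.1", body, re.IGNORECASE):
                findings.append(Finding(
                    "medium", line, "IE proxy points at the local machine"))
        elif kind == "O4":
            names = exe_names(body)
            if names and names[-1] not in running:
                # Either the program ran and exited, or it is hidden from the
                # user-mode process enumeration HijackThis relies on.
                findings.append(Finding(
                    "low", line,
                    "autostart %s is not in the running-process list" % names[-1]))
        elif kind == "O23" and "unknown owner" in low:
            findings.append(Finding(
                "low", line, "service binary carries no publisher information"))
    return findings


# Constructed excerpt modelled on the first log posted above.
SAMPLE_LOG = r"""
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\Explorer.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\System32\WLTRYSVC.EXE

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=localhost:8080
F2 - REG:system.ini: Shell=Explorer.exe sysmon32.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ConMgr.exe] "C:\Program Files\EarthLink 5.0\ConMgr.exe"
O23 - Service: WLTRYSVC - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print("[%-6s] %s\n         %s" % (f.severity, f.reason, f.line))
```

The "not in the running-process list" check is deliberately weak evidence: the process list HijackThis prints comes from the same user-mode APIs a kernel rootkit can filter, so an absent autostart is a prompt to look with a tool that compares API results against raw on-disk and registry data, not a verdict on its own.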


Having Norton running won't have caused any problems. :)

Please follow the instructions given by "29wood" in the second post of this thread. Post your results here when you have completed those steps.

Thank you for the guidance. I did as was suggested in the linked posting. The Trend Micro scan in safe mode returned 23 infections (21 files with a troj. pattern and 2 additional with a worm. pattern). I then ran NAV in safe mode (without rebooting) and it did not find anything. The third step was to get the Rootkit Revealer. To do so, I rebooted normally to restore network access. When I did so, the computer blue screened (memory dump) twice, and then NAV started sending the notices about the msdirectx.sys file again. I was trying to get a good run of the Rootkit Revealer this morning and would then send the files, but the blue screen errors kept me from being successful before I had to leave for work. I'll post the logs tonight (including the new HijackThis log), but would welcome any recommendations between now and then if you have them. Shall I go through the entire process in safe mode?

Thanks!
Todd

Shall I go through the entire process in safe mode?

Yes, try it that way once you get the Rootkit Revealer program downloaded.

Also, what are the full and exact errors you get when the computer blue screens?

I got two blue screens on the second round of scanning. The scan details and HijackThis logs will be included in a subsequent post. Below are the two blue screen text messages: (The first I got while hitting "OK" in the NAV Auto-Protect window that identified the Hacktool.Rootkit virus in c:\windows\system32\msdirectx.sys, the second happened after a reboot while running HijackThis)

A problem has been detected and Windows has been shut down to prevent damage to your computer.

PAGE_FAULT_IN_NONPAGED_AREA

If this is the first time you've seen this stop error screen, restart your computer. If this screen appears again, follow these steps:

Check to make sure any new hardware or software is properly installed.
If this is a new installation, ask your hardware or software manufacturer for any Windows updates you might need.

If problems continue, disable or remove any newly installed hardware or software. Disable BIOS memory options such as caching or shadowing. If you need to use safe mode to remove or disable components, restart your computer, press F8 to select Advanced Startup Options, and then select Safe Mode.

Technical Information:

*** STOP: 0x00000050 (0xFFFFFF71,0x00000000,0x80515F86,0x00000000)

Beginning dump of physical memory
Physical memory dump complete.
Contact your system administrator or technical support group for further assistance.

_________________________________________________________________

A problem has been detected and Windows has been shut down to prevent damage to your computer.

IRQL_NOT_LESS_OR_EQUAL

If this is the first time you've seen this stop error screen, restart your computer. If this screen appears again, follow these steps:

Check to make sure any new hardware or software is properly installed.
If this is a new installation, ask your hardware or software manufacturer for any Windows updates you might need.

If problems continue, disable or remove any newly installed hardware or software. Disable BIOS memory options such as caching or shadowing. If you need to use safe mode to remove or disable components, restart your computer, press F8 to select Advanced Startup Options, and then select Safe Mode.

Technical Information:

*** STOP: 0x0000000A (0x01010100,0x00000002,0x00000000,0x805252D2)

Beginning dump of physical memory
Physical memory dump complete.
Contact your system administrator or technical support group for further assistance.

Below are the results from the second run of scanning and the HijackThis log.

<Begin TrendMicro Sysclean log>


/--------------------------------------------------------------\
| Trend Micro Sysclean Package |
| Copyright 2002, Trend Micro, Inc. |
| http://www.trendmicro.com |
\--------------------------------------------------------------/


2005-07-06, 22:52:20, Auto-clean mode specified.
2005-07-06, 22:52:20, Running scanner "C:\Documents and Settings\Todd\Desktop\TrendMicro\TSC.BIN"...
2005-07-06, 22:53:14, Scanner "C:\Documents and Settings\Todd\Desktop\TrendMicro\TSC.BIN" has finished running.
2005-07-06, 22:53:14, TSC Log:

2005-07-06, 22:53:31, Could not set file for reading on "C:\Documents and Settings\All Users\Application Data\Microsoft\Dr Watson\user.dmp": Access is denied.
2005-07-06, 23:07:12, An error occurred while scanning file "C:\Documents and Settings\Todd\NTUSER.DAT": Access is denied.
2005-07-06, 23:07:12, An error occurred while scanning file "C:\Documents and Settings\Todd\ntuser.dat.LOG": Access is denied.
2005-07-06, 23:07:36, An error occurred while scanning file "C:\Documents and Settings\Todd\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat": Access is denied.
2005-07-06, 23:07:36, An error occurred while scanning file "C:\Documents and Settings\Todd\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG": Access is denied.
2005-07-06, 23:44:53, Could not set file for reading on "C:\WINDOWS\MEMORY.DMP": Access is denied.
2005-07-06, 23:45:19, Could not set file for reading on "C:\WINDOWS\$NtUninstallKB824141$\user32.dll": Access is denied.
2005-07-06, 23:45:19, Could not set file for reading on "C:\WINDOWS\$NtUninstallKB824141$\win32k.sys": Access is denied.
2005-07-06, 23:45:19, Could not set file for reading on "C:\WINDOWS\$NtUninstallKB826939$\cryptsvc.dll": Access is denied.
2005-07-06, 23:45:19, Could not set file for reading on "C:\WINDOWS\$NtUninstallKB826939$\html32.cnv": Access is denied.
2005-07-06, 23:45:19, Could not set file for reading on "C:\WINDOWS\$NtUninstallKB826939$\msconv97.dll": Access is denied.
2005-07-06, 23:45:19, Could not set file for reading on "C:\WINDOWS\$NtUninstallKB826939$\ntdll.dll": Access is denied.
2005-07-06, 23:45:19, Could not set file for reading on "C:\WINDOWS\$NtUninstallKB826939$\ntkrnlpa.exe": Access is denied.
2005-07-06, 23:45:19, Could not set file for reading on "C:\WINDOWS\$NtUninstallKB826939$\ntoskrnl.exe": Access is denied.
2005-07-06, 23:45:19, Could not set file for reading on "C:\WINDOWS\$NtUninstallKB826939$\ole32.dll": Access is denied.
2005-07-06, 23:45:20, Could not set file for reading on "C:\WINDOWS\$NtUninstallKB826939$\rpcrt4.dll": Access is denied.
2005-07-06, 23:45:20, Could not set file for reading on "C:\WINDOWS\$NtUninstallKB826939$\rpcss.dll": Access is denied.
2005-07-06, 23:45:20, Could not set file for reading on "C:\WINDOWS\$NtUninstallKB826939$\shell32.dll": Access is denied.
2005-07-06, 23:45:20, Could not set file for reading on "C:\WINDOWS\$NtUninstallKB826939$\srv.sys": Access is denied.
2005-07-06, 23:45:20, Could not set file for reading on "C:\WINDOWS\$NtUninstallKB828035$\msgsvc.dll": Access is denied.
2005-07-06, 23:45:20, Could not set file for reading on "C:\WINDOWS\$NtUninstallKB828035$\wkssvc.dll": Access is denied.
2005-07-06, 23:45:31, Could not set file for reading on "C:\WINDOWS\$NtUninstallQ828026$\msdxm.ocx": Access is denied.
2005-07-06, 23:45:31, Could not set file for reading on "C:\WINDOWS\$NtUninstallQ828026$\wmp.dll": Access is denied.
2005-07-06, 23:50:56, Could not set file for reading on "C:\WINDOWS\Prefetch\ACTIVATION.EXE-1E1C168C.pf": Access is denied.
2005-07-06, 23:50:56, Could not set file for reading on "C:\WINDOWS\Prefetch\ATI2MDXX.EXE-2A5FBD2A.pf": Access is denied.
2005-07-06, 23:50:56, Could not set file for reading on "C:\WINDOWS\Prefetch\ATIPTAXX.EXE-362CCF09.pf": Access is denied.
2005-07-06, 23:50:56, Could not set file for reading on "C:\WINDOWS\Prefetch\AUPATCH.DAT-16438FFC.pf": Access is denied.
2005-07-06, 23:50:56, Could not set file for reading on "C:\WINDOWS\Prefetch\AUPDATE.EXE-223E3682.pf": Access is denied.
2005-07-06, 23:50:56, Could not set file for reading on "C:\WINDOWS\Prefetch\AUTORUN.EXE-055703AF.pf": Access is denied.
2005-07-06, 23:50:56, Could not set file for reading on "C:\WINDOWS\Prefetch\AUUNZIP.DAT-2DB1FDF1.pf": Access is denied.
2005-07-06, 23:50:56, Could not set file for reading on "C:\WINDOWS\Prefetch\AUUPDATE.DAT-25C4984F.pf": Access is denied.
2005-07-06, 23:50:56, Could not set file for reading on "C:\WINDOWS\Prefetch\CCAPP.EXE-10E11A7C.pf": Access is denied.
2005-07-06, 23:50:56, Could not set file for reading on "C:\WINDOWS\Prefetch\CCPWDSVC.EXE-27405C8C.pf": Access is denied.
2005-07-06, 23:50:56, Could not set file for reading on "C:\WINDOWS\Prefetch\CCREGVFY.EXE-32D048B2.pf": Access is denied.
2005-07-06, 23:50:56, Could not set file for reading on "C:\WINDOWS\Prefetch\CHCP.COM-17EDBDC9.pf": Access is denied.
2005-07-06, 23:50:56, Could not set file for reading on "C:\WINDOWS\Prefetch\CMD.EXE-034B0549.pf": Access is denied.
2005-07-06, 23:50:56, Could not set file for reading on "C:\WINDOWS\Prefetch\DADAPP.EXE-3517EEA8.pf": Access is denied.
2005-07-06, 23:50:56, Could not set file for reading on "C:\WINDOWS\Prefetch\DADTRAY.EXE-1C249507.pf": Access is denied.
2005-07-06, 23:50:56, Could not set file for reading on "C:\WINDOWS\Prefetch\DEFRAG.EXE-2858C7E2.pf": Access is denied.
2005-07-06, 23:50:56, Could not set file for reading on "C:\WINDOWS\Prefetch\DFRGNTFS.EXE-38C3807C.pf": Access is denied.
2005-07-06, 23:50:56, Could not set file for reading on "C:\WINDOWS\Prefetch\DIRECTCD.EXE-0582AB76.pf": Access is denied.
2005-07-06, 23:50:56, Could not set file for reading on "C:\WINDOWS\Prefetch\DLG.EXE-332F77D1.pf": Access is denied.
2005-07-06, 23:50:56, Could not set file for reading on "C:\WINDOWS\Prefetch\DSENTRY.EXE-28A3C4CF.pf": Access is denied.
2005-07-06, 23:50:56, Could not set file for reading on "C:\WINDOWS\Prefetch\DUMPREP.EXE-0AF2BF67.pf": Access is denied.
2005-07-06, 23:50:56, Could not set file for reading on "C:\WINDOWS\Prefetch\DWWIN.EXE-2C373FB7.pf": Access is denied.
2005-07-06, 23:50:56, Could not set file for reading on "C:\WINDOWS\Prefetch\EXPLORER.EXE-02121B1A.pf": Access is denied.
2005-07-06, 23:50:56, Could not set file for reading on "C:\WINDOWS\Prefetch\FTP.EXE-06C55CF9.pf": Access is denied.
2005-07-06, 23:50:56, Could not set file for reading on "C:\WINDOWS\Prefetch\HELPSVC.EXE-1C192440.pf": Access is denied.
2005-07-06, 23:50:56, Could not set file for reading on "C:\WINDOWS\Prefetch\HIJACKTHIS.EXE-37930709.pf": Access is denied.
2005-07-06, 23:50:56, Could not set file for reading on "C:\WINDOWS\Prefetch\IES.EXE-2114FB03.pf": Access is denied.
2005-07-06, 23:50:56, Could not set file for reading on "C:\WINDOWS\Prefetch\IEXPLORE.EXE-2D97EBE6.pf": Access is denied.
2005-07-06, 23:50:56, Could not set file for reading on "C:\WINDOWS\Prefetch\IMAPI.EXE-201490BB.pf": Access is denied.
2005-07-06, 23:50:56, Could not set file for reading on "C:\WINDOWS\Prefetch\INSUTILS.EXE-1679A95C.pf": Access is denied.
2005-07-06, 23:50:56, Could not set file for reading on "C:\WINDOWS\Prefetch\Layout.ini": Access is denied.
2005-07-06, 23:50:56, Could not set file for reading on "C:\WINDOWS\Prefetch\LOGON.SCR-24ADF392.pf": Access is denied.
2005-07-06, 23:50:56, Could not set file for reading on "C:\WINDOWS\Prefetch\LOGONUI.EXE-312BE1BF.pf": Access is denied.
2005-07-06, 23:50:56, Could not set file for reading on "C:\WINDOWS\Prefetch\LUALL.EXE-288D30C1.pf": Access is denied.
2005-07-06, 23:50:56, Could not set file for reading on "C:\WINDOWS\Prefetch\LUCOMS~1.EXE-1DF6F3E9.pf": Access is denied.
2005-07-06, 23:50:57, Could not set file for reading on "C:\WINDOWS\Prefetch\MSIEXEC.EXE-330626DC.pf": Access is denied.
2005-07-06, 23:50:57, Could not set file for reading on "C:\WINDOWS\Prefetch\MSMSGS.EXE-0620E8B3.pf": Access is denied.
2005-07-06, 23:50:57, Could not set file for reading on "C:\WINDOWS\Prefetch\NAVSTUB.EXE-0146EB7A.pf": Access is denied.
2005-07-06, 23:50:57, Could not set file for reading on "C:\WINDOWS\Prefetch\NAVW32.EXE-21393D56.pf": Access is denied.
2005-07-06, 23:50:57, Could not set file for reading on "C:\WINDOWS\Prefetch\NAVW32.EXE-21E86A90.pf": Access is denied.
2005-07-06, 23:50:57, Could not set file for reading on "C:\WINDOWS\Prefetch\NDETECT.EXE-2DABC14D.pf": Access is denied.
2005-07-06, 23:50:57, Could not set file for reading on "C:\WINDOWS\Prefetch\NMAIN.EXE-3A3D97F1.pf": Access is denied.
2005-07-06, 23:50:57, Could not set file for reading on "C:\WINDOWS\Prefetch\NOTEPAD.EXE-2F2D61E1.pf": Access is denied.
2005-07-06, 23:50:57, Could not set file for reading on "C:\WINDOWS\Prefetch\NTOSBOOT-B00DFAAD.pf": Access is denied.
2005-07-06, 23:50:57, Could not set file for reading on "C:\WINDOWS\Prefetch\OSA.EXE-28494AD2.pf": Access is denied.
2005-07-06, 23:50:57, Could not set file for reading on "C:\WINDOWS\Prefetch\OUTLOOK.EXE-2D46ED9D.pf": Access is denied.
2005-07-06, 23:50:57, Could not set file for reading on "C:\WINDOWS\Prefetch\PATCH.EXE-1F0BC711.pf": Access is denied.
2005-07-06, 23:50:57, Could not set file for reading on "C:\WINDOWS\Prefetch\PDMJV.EXE-05B90F9E.pf": Access is denied.
2005-07-06, 23:50:57, Could not set file for reading on "C:\WINDOWS\Prefetch\PROPELAC.EXE-1A4A8696.pf": Access is denied.
2005-07-06, 23:50:57, Could not set file for reading on "C:\WINDOWS\Prefetch\PSPA.EXE-0610C6DF.pf": Access is denied.
2005-07-06, 23:50:57, Could not set file for reading on "C:\WINDOWS\Prefetch\QCONSOLE.EXE-1BC342DB.pf": Access is denied.
2005-07-06, 23:50:57, Could not set file for reading on "C:\WINDOWS\Prefetch\RASAUTOU.EXE-10B4F92F.pf": Access is denied.
2005-07-06, 23:50:57, Could not set file for reading on "C:\WINDOWS\Prefetch\REGEDIT.EXE-2AE3423E.pf": Access is denied.
2005-07-06, 23:50:57, Could not set file for reading on "C:\WINDOWS\Prefetch\ROOTKITREVEALER.EXE-320D9762.pf": Access is denied.
2005-07-06, 23:50:57, Could not set file for reading on "C:\WINDOWS\Prefetch\RUNDLL32.EXE-3DA75B89.pf": Access is denied.
2005-07-06, 23:50:57, Could not set file for reading on "C:\WINDOWS\Prefetch\RUNDLL32.EXE-4FF9832D.pf": Access is denied.
2005-07-06, 23:50:57, Could not set file for reading on "C:\WINDOWS\Prefetch\RUNDLL32.EXE-614D7FD5.pf": Access is denied.
2005-07-06, 23:50:57, Could not set file for reading on "C:\WINDOWS\Prefetch\RUNDLL32.EXE-67E85A51.pf": Access is denied.
2005-07-06, 23:50:57, Could not set file for reading on "C:\WINDOWS\Prefetch\RUNDLL32.EXE-6E8D4657.pf": Access is denied.
2005-07-06, 23:50:57, Could not set file for reading on "C:\WINDOWS\Prefetch\SNDMON.EXE-1C89C7E1.pf": Access is denied.
2005-07-06, 23:50:57, Could not set file for reading on "C:\WINDOWS\Prefetch\SSPIPES.SCR-111D20AE.pf": Access is denied.
2005-07-06, 23:50:57, Could not set file for reading on "C:\WINDOWS\Prefetch\SYNTPENH.EXE-2B70B91C.pf": Access is denied.
2005-07-06, 23:50:57, Could not set file for reading on "C:\WINDOWS\Prefetch\SYNTPLPR.EXE-0340D8DF.pf": Access is denied.
2005-07-06, 23:50:57, Could not set file for reading on "C:\WINDOWS\Prefetch\SYSMON32.EXE-1040E1AD.pf": Access is denied.
2005-07-06, 23:50:57, Could not set file for reading on "C:\WINDOWS\Prefetch\TASKMGR.EXE-06144C13.pf": Access is denied.
2005-07-06, 23:50:57, Could not set file for reading on "C:\WINDOWS\Prefetch\TRAYCTL.EXE-30A5783A.pf": Access is denied.
2005-07-06, 23:50:57, Could not set file for reading on "C:\WINDOWS\Prefetch\TSC.EXE-009ED701.pf": Access is denied.
2005-07-06, 23:50:57, Could not set file for reading on "C:\WINDOWS\Prefetch\UPD.EXE-1912787E.pf": Access is denied.
2005-07-06, 23:50:57, Could not set file for reading on "C:\WINDOWS\Prefetch\URLMAP.EXE-2A71A1E4.pf": Access is denied.
2005-07-06, 23:50:57, Could not set file for reading on "C:\WINDOWS\Prefetch\USERINIT.EXE-0743FDA9.pf": Access is denied.
2005-07-06, 23:50:57, Could not set file for reading on "C:\WINDOWS\Prefetch\USRPRMPT.EXE-3B41CCA8.pf": Access is denied.
2005-07-06, 23:50:57, Could not set file for reading on "C:\WINDOWS\Prefetch\UZSHL.EXE-32580D30.pf": Access is denied.
2005-07-06, 23:50:57, Could not set file for reading on "C:\WINDOWS\Prefetch\WINWORD.EXE-0614BEA2.pf": Access is denied.
2005-07-06, 23:50:57, Could not set file for reading on "C:\WINDOWS\Prefetch\WMIPRVSE.EXE-0D449B4F.pf": Access is denied.
2005-07-06, 23:54:35, An error occurred while scanning file "C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT": Access is denied.
2005-07-06, 23:54:35, An error occurred while scanning file "C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT.LOG": Access is denied.
2005-07-06, 23:54:35, An error occurred while scanning file "C:\WINDOWS\SYSTEM32\CONFIG\SAM": Access is denied.
2005-07-06, 23:54:35, An error occurred while scanning file "C:\WINDOWS\SYSTEM32\CONFIG\SAM.LOG": Access is denied.
2005-07-06, 23:54:35, An error occurred while scanning file "C:\WINDOWS\SYSTEM32\CONFIG\SECURITY": Access is denied.
2005-07-06, 23:54:35, An error occurred while scanning file "C:\WINDOWS\SYSTEM32\CONFIG\SECURITY.LOG": Access is denied.
2005-07-06, 23:54:35, An error occurred while scanning file "C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE": Access is denied.
2005-07-06, 23:54:35, An error occurred while scanning file "C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE.LOG": Access is denied.
2005-07-06, 23:54:35, An error occurred while scanning file "C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM": Access is denied.
2005-07-06, 23:54:35, An error occurred while scanning file "C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM.LOG": Access is denied.
2005-07-06, 23:57:27, Running scanner "C:\Documents and Settings\Todd\Desktop\TrendMicro\VSCANTM.BIN"...
2005-07-07, 00:34:53, Files Detected:
Copyright (c) 1990 - 2004 Trend Micro Inc.
Report Date : 7/6/2005 23:57:28
VSAPI Engine Version : 7.510-1002
VSCANTM Version : 1.1-1001
Virus Pattern Version : 715 (104247 Patterns) (2005/07/04) (271500)
Command Line: C:\Documents and Settings\Todd\Desktop\TrendMicro\VSCANTM.BIN /NBPM /S /CLEANALL /LAPPEND /LD /LC /LCF /NM /NB /C /ACTIVEACTION=5 C:\*.* /P=C:\Documents and Settings\Todd\Desktop\TrendMicro

C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP124\A0034268.sys [TROJ_ROOTKIT.H]
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP124\A0035267.sys [TROJ_ROOTKIT.H]
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP124\A0036260.sys [TROJ_ROOTKIT.H]
C:\WINDOWS\SYSTEM32\msdirectx.sys [TROJ_ROOTKIT.H]
C:\WINDOWS\SYSTEM32\sysmon32.exe [WORM_RBOT.BPU]
48461 files have been read.
48461 files have been checked.
34400 files have been scanned.
46452 files have been scanned. (including files in archived)
5 files containing viruses.
Found 5 viruses totally.
Maybe 0 viruses totally.
Stop At : 7/7/2005 00:34:53
---------*---------*---------*---------*---------*---------*---------*---------*
2005-07-07, 00:34:53, Files Clean:
Copyright (c) 1990 - 2004 Trend Micro Inc.
Report Date : 7/6/2005 23:57:28
VSAPI Engine Version : 7.510-1002
VSCANTM Version : 1.1-1001
Virus Pattern Version : 715 (104247 Patterns) (2005/07/04) (271500)
Command Line: C:\Documents and Settings\Todd\Desktop\TrendMicro\VSCANTM.BIN /NBPM /S /CLEANALL /LAPPEND /LD /LC /LCF /NM /NB /C /ACTIVEACTION=5 C:\*.* /P=C:\Documents and Settings\Todd\Desktop\TrendMicro

Success Clean [ TROJ_ROOTKIT.H]( 1) from C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP124\A0034268.sys
Success Clean [ TROJ_ROOTKIT.H]( 1) from C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP124\A0035267.sys
Success Clean [ TROJ_ROOTKIT.H]( 1) from C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP124\A0036260.sys
Success Clean [ TROJ_ROOTKIT.H]( 1) from C:\WINDOWS\SYSTEM32\msdirectx.sys
48461 files have been read.
48461 files have been checked.
34400 files have been scanned.
46452 files have been scanned. (including files in archived)
5 files containing viruses.
Found 5 viruses totally.
Maybe 0 viruses totally.
Stop At : 7/7/2005 00:34:53 37 minutes 18 seconds (2238.25 seconds) has elapsed.

---------*---------*---------*---------*---------*---------*---------*---------*
2005-07-07, 00:34:53, Clean Fail:
Copyright (c) 1990 - 2004 Trend Micro Inc.
Report Date : 7/6/2005 23:57:28
VSAPI Engine Version : 7.510-1002
VSCANTM Version : 1.1-1001
Virus Pattern Version : 715 (104247 Patterns) (2005/07/04) (271500)
Command Line: C:\Documents and Settings\Todd\Desktop\TrendMicro\VSCANTM.BIN /NBPM /S /CLEANALL /LAPPEND /LD /LC /LCF /NM /NB /C /ACTIVEACTION=5 C:\*.* /P=C:\Documents and Settings\Todd\Desktop\TrendMicro

48461 files have been read.
48461 files have been checked.
34400 files have been scanned.
46452 files have been scanned. (including files in archived)
5 files containing viruses.
Found 5 viruses totally.
Maybe 0 viruses totally.
Stop At : 7/7/2005 00:34:53 37 minutes 18 seconds (2238.25 seconds) has elapsed.

---------*---------*---------*---------*---------*---------*---------*---------*
2005-07-07, 00:34:53, Scanner "C:\Documents and Settings\Todd\Desktop\TrendMicro\VSCANTM.BIN" has finished running.
<End TrendMicro sysclean log>

<Begin result of Norton Antivirus system scan>
One Virus found: Hacktool.Rootkit
Source: C:\WINDOWS\System32\msdirectx.sys
Repair failed, access to file denied. Note that I still get this warning from Norton AV autoprotect.
<End result of Norton Antivirus system scan>

<Begin result of RootkitRevealer>
No discrepancies were found
<End result of RootkitRevealer>

<Begin result of HijackThis post-run log>
Logfile of HijackThis v1.99.1
Scan saved at 7:28:12 AM, on 7/7/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\savedump.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\System32\atiptaxx.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Dell\AccessDirect\dadapp.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\LocalNet Express 2.0\PropelAC.exe
C:\Program Files\CASIO\PC Connect for CASSIOPEIA\pclstart.exe
C:\Program Files\UltimateZip 2.7\uzqkst.exe
C:\Program Files\Messenger\msmsgs.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dellnet.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dellnet.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.earthlink.net/partner/more/msie/button/search.html
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dellnet.com/
F2 - REG:system.ini: Shell=Explorer.exe sysmon32.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: IE_PopupBlocker Class - {656EC4B7-072B-4698-B504-2A414C1F0037} - C:\Program Files\LocalNet Express 2.0\prpl_IePopupBlocker.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [DadApp] C:\Program Files\Dell\AccessDirect\dadapp.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [MoneyStartUp10.0] "C:\Program Files\Microsoft Money\System\Activation.exe"
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [ConMgr.exe] "C:\Program Files\EarthLink 5.0\ConMgr.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [Propel Accelerator] "C:\Program Files\LocalNet Express 2.0\trayctl.exe" /STARTUPLAUNCH
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Startup: PowerReg Scheduler V3.exe
O4 - Startup: UltimateZip Quick Start.lnk = C:\Program Files\UltimateZip 2.7\uzqkst.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: PC Connect for CASSIOPEIA starter.lnk = ?
O8 - Extra context menu item: Allow pop-ups from this site - C:\Program Files\LocalNet Express 2.0\pac-addwl.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Refresh Pa&ge with Full Quality - C:\Program Files\LocalNet Express 2.0\pac-page.html
O8 - Extra context menu item: Refresh Pi&cture with Full Quality - C:\Program Files\LocalNet Express 2.0\pac-image.html
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: CWQJWON - Sysinternals - www.sysinternals.com - C:\DOCUME~1\Todd\LOCALS~1\Temp\CWQJWON.exe
O23 - Service: EWXUXYXFY - Sysinternals - www.sysinternals.com - C:\DOCUME~1\Todd\LOCALS~1\Temp\EWXUXYXFY.exe
O23 - Service: IAFP - Sysinternals - www.sysinternals.com - C:\DOCUME~1\Todd\LOCALS~1\Temp\IAFP.exe
O23 - Service: IES - Sysinternals - www.sysinternals.com - C:\DOCUME~1\Todd\LOCALS~1\Temp\IES.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: LGVUPEI - Sysinternals - www.sysinternals.com - C:\DOCUME~1\Todd\LOCALS~1\Temp\LGVUPEI.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
O23 - Service: PCM - Sysinternals - www.sysinternals.com - C:\DOCUME~1\Todd\LOCALS~1\Temp\PCM.exe
O23 - Service: PDMJV - Sysinternals - www.sysinternals.com - C:\DOCUME~1\Todd\LOCALS~1\Temp\PDMJV.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
O23 - Service: WLTRYSVC - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE
O23 - Service: XXXEQZVOW - Sysinternals - www.sysinternals.com - C:\DOCUME~1\Todd\LOCALS~1\Temp\XXXEQZVOW.exe
<End result of hijackthis post-run log>

Thanks again for your help! I'm going to bring this computer into work today so that I can work through this issue more quickly.
Todd

I found it odd that the rootkitrevealer did not return any discrepancies when I ran it last, so I decided to run it again. When I did, I was met with additional blue screen errors. At one time, the error included a specific reference to the msdirectx.sys file as the probable culprit. The others were as I have posted above. I did get a discrepancy before it blue screened the last time and wrote it down. This run did not complete, but here is the result that I do have:

HKLM\Software\Microsoft\cryptography\RNG\Seed - Data Mismatch between windows API and raw data hive data

Hope this helps some.

Thanks!
Todd

1. Both of the original Blue Screen errors pretty much point to a problem with a corrupt/conflicting Windows driver or service in your case, which could be the result of damage caused by the infections.

Check your hardware in Device Manager and see if any of your devices are reported to be having problems. If so, try uninstalling and reinstalling the problematic device and its drivers. You can also try a Repair installation of Windows to fix corrupted or missing files. More info on the Stop errors and instructions for doing the Repair install can be found here:

STOP: 0x00000050
STOP: 0x0000000A


2. The sysmon32.exe file is malicious, and may be related to the msdirectx.sys problem. Please do the following:

You will need to disconnect from the Internet for most of the cleaning procedures, so you should print out the following instructions or save them into a text file using Notepad.


- Run HJT again and have it fix:
F2 - REG:system.ini: Shell=Explorer.exe sysmon32.exe

- Reboot into Safe Mode.

- Disable System Restore. Instructions and explanation are here.

- Open Windows Explorer, and in the Folder Options->View settings under the Tools menu, select "show hidden files and folders", and uncheck "Hide protected operating system files" and "Hide extensions for known file types".

- Search your entire drive for all instances of files named sysmon32.exe and delete them. Repeat this for files named msdirectx.sys.

- For every user account listed under C:\Documents and Settings, delete the entire contents of these folders (but not the folders themselves):

Important: One of the normal steps in eliminating malicious programs is to entirely delete the contents of all Temp folders. Given that, if any data that you care about is living in those Temp folders, you need to move it to a safe location now, or it will be erased along with everything else!

1. Cookies
2. Local Settings\Temp
3. Local Settings\History
4. Local Settings\Temporary Internet Files

- Delete the entire content of your C:\Windows\Temp folder.

- Delete the entire content of your C:\Windows\Prefetch folder. (<- Important!)

Note- If you get any messages concerning the deletion of system files such as desktop.ini or index.dat, just choose to delete those files; they'll be automatically regenerated by Windows if needed. Windows will allow you to delete the versions of those files which exist in sub-folders within the main Temp/Temporary folders, but might not let you delete the versions of those files that exist in the main Temp folders themselves; this is normal and OK.

- Empty your Recycle Bin.

- Run another full system scan with Norton.


3. Reboot normally and post a new HJT log.

After following the steps exactly as you suggested, I went through all steps and ran the full NAV system scan in safe mode. NAV found the msdirectx.sys file and I deleted it through the NAV interface. I then rebooted normally and logged in. Shortly after login, NAV popped a window indicating that it found an infected file (msdirectx.sys at c:\windows\system32\). I ran the HJT which again found the line:
F2 - REG:system.ini: Shell=Explorer.exe sysmon32.exe

I checked and fixed the item again and rebooted. Same thing - still with NAV popping virus warnings on the msdirectx.sys and HJT log showing sysmon32.exe.

I look forward to your next recommendations! :eek:

Thanks again for your help!

Todd

There's another infectious file hiding somewhere that's bringing those infections back to life. :(

The latest version of Microsoft's Malicious Software Removal Tool is supposed to be able to deal with at least some variants of the "msdirectx.sys" infection.

Information, instructions, and the download link for the tool are here:

http://www.microsoft.com/downloads/details.aspx?amp;displaylang=en&familyid=AD724AE0-E72D-4F54-9AB3-75B8EB148356&displaylang=en

Run it and see if it does the job. Let us know the results.

No luck. I ran it once and it did not find anything. I ran it a second time and it found the FURootkit, cleaned it and prompted for a restart. Upon restart, the msdirectx.sys notice from NAV and the sysmon32.exe registry entry were back. Any other suggestions? (Please) Below is the latest HJT log:

Logfile of HijackThis v1.99.1
Scan saved at 9:54:07 PM, on 7/7/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\System32\sysmon32.exe
C:\Documents and Settings\Todd\Desktop\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dellnet.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dellnet.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.earthlink.net/partner/more/msie/button/search.html
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dellnet.com/
F2 - REG:system.ini: Shell=Explorer.exe sysmon32.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: IE_PopupBlocker Class - {656EC4B7-072B-4698-B504-2A414C1F0037} - C:\Program Files\LocalNet Express 2.0\prpl_IePopupBlocker.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [DadApp] C:\Program Files\Dell\AccessDirect\dadapp.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [MoneyStartUp10.0] "C:\Program Files\Microsoft Money\System\Activation.exe"
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [ConMgr.exe] "C:\Program Files\EarthLink 5.0\ConMgr.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [Propel Accelerator] "C:\Program Files\LocalNet Express 2.0\trayctl.exe" /STARTUPLAUNCH
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Startup: PowerReg Scheduler V3.exe
O4 - Startup: UltimateZip Quick Start.lnk = C:\Program Files\UltimateZip 2.7\uzqkst.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: PC Connect for CASSIOPEIA starter.lnk = ?
O8 - Extra context menu item: Allow pop-ups from this site - C:\Program Files\LocalNet Express 2.0\pac-addwl.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Refresh Pa&ge with Full Quality - C:\Program Files\LocalNet Express 2.0\pac-page.html
O8 - Extra context menu item: Refresh Pi&cture with Full Quality - C:\Program Files\LocalNet Express 2.0\pac-image.html
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: CWQJWON - Unknown owner - C:\DOCUME~1\Todd\LOCALS~1\Temp\CWQJWON.exe (file missing)
O23 - Service: EWXUXYXFY - Unknown owner - C:\DOCUME~1\Todd\LOCALS~1\Temp\EWXUXYXFY.exe (file missing)
O23 - Service: IAFP - Unknown owner - C:\DOCUME~1\Todd\LOCALS~1\Temp\IAFP.exe (file missing)
O23 - Service: IES - Unknown owner - C:\DOCUME~1\Todd\LOCALS~1\Temp\IES.exe (file missing)
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: LGVUPEI - Unknown owner - C:\DOCUME~1\Todd\LOCALS~1\Temp\LGVUPEI.exe (file missing)
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
O23 - Service: NZS - Unknown owner - C:\DOCUME~1\Todd\LOCALS~1\Temp\NZS.exe (file missing)
O23 - Service: PCM - Unknown owner - C:\DOCUME~1\Todd\LOCALS~1\Temp\PCM.exe (file missing)
O23 - Service: PDMJV - Unknown owner - C:\DOCUME~1\Todd\LOCALS~1\Temp\PDMJV.exe (file missing)
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SXYPL - Unknown owner - C:\DOCUME~1\Todd\LOCALS~1\Temp\SXYPL.exe (file missing)
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
O23 - Service: WLTRYSVC - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE
O23 - Service: XXXEQZVOW - Unknown owner - C:\DOCUME~1\Todd\LOCALS~1\Temp\XXXEQZVOW.exe (file missing)


Thanks!!
Todd

BTW - when I run the rootkit revealer, I get the following:

HKLM\SOFTWARE\Microsoft\Cryptography\RNG\Seed 7/7/2005 4:30 PM 80 bytes Data mismatch between Windows API and raw hive data.

Is there something specific to do for this condition?

... Is there something specific to do for this condition?

I'll have to check for more info on whatever version of this beast that you have, but I won't be able to do that until tomorrow.

NP - I spent much of last night going through everything on the TweakXP forum here (http://forum.tweakxp.com/forum/Topic4303-29-1.aspx) to no avail. Some of those steps were already in place. I did find a few references to an Alisa virus that should have been cleaned. However, the sysmon32.exe and the msdirectx.sys continue to persist. I look forward to your further guidance and appreciate the time you have taken with this most frustrating issue.

...Still waiting for the wombat of happiness... ;)

BTW - when I run the rootkit revealer, I get the following:

HKLM\SOFTWARE\Microsoft\Cryptography\RNG\Seed 7/7/2005 4:30 PM 80 bytes Data mismatch between Windows API and raw hive data.

Is there something specific to do for this condition?

No- that message would be expected in this case.

The message itself means that the data in a Registry entry was updated during the time that RootKit Revealer was scanning the Registry. In the case of that particular Registry key (the Random Number Generator seed), the system automatically changes the seed value many times a minute to maintain the "randomness" (and therefore the security) of the cryptographic keys it generates.

Any other thoughts?

Any other thoughts?

Yes, and hopefully they work.

One of our other members (thanks crunchie!) sent me these specific removal instructions early today:


* Download Killbox by Option^Explicit:
http://www.geekstogo.com/modules.php?modid=5&action=download&id=4

*Extract the program to your desktop and double-click on its folder, then double-click on Killbox.exe to start the program.

*In the killbox program, select the Delete on Reboot option.

*Copy the file names below to the clipboard by highlighting them and pressing Control-C:

C:\WINDOWS\System32\sysmon32.exe
C:\WINDOWS\System32\msdirectx.sys


*Return to Killbox, go to the File menu, and choose "Paste from Clipboard".

*Click the red-and-white "Delete File" button. Click "Yes" at the Delete on Reboot prompt. Click "Yes" at the Pending Operations prompt.

* While your computer is restarting, tap the F8 key continually until a menu appears. Use your up arrow key to highlight Safe Mode, then hit enter.

Run HijackThis and put checkmarks in front of the following items. Close all windows except HijackThis and click Fix checked:

F2 - REG:system.ini: Shell=Explorer.exe sysmon32.exe
C:\WINDOWS\System32\msdirectx.sys


* Boot back to normal and copy the part in bold below into notepad. Save it as unlegacy.reg (set filetype to "All Files")

REGEDIT4

[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MSDIRECTX]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_MSDIRECTX]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\msdirectx]

* Double-click the file you made and confirm you want to merge it with the registry.


* Reboot once more and post a new log.

Thanks!! So glad you were able to find some additional information. It *appears* to have worked. The HijackThis log pasted below. I'm going to start a series of system scans to confirm, but Norton is no longer popping messages about the msdirectx.sys file. :mrgreen:

Please let me know if you see anything else!

Regards,
Todd


Logfile of HijackThis v1.99.1
Scan saved at 11:53:09 PM, on 7/12/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\atiptaxx.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Dell\AccessDirect\dadapp.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\CASIO\PC Connect for CASSIOPEIA\pclstart.exe
C:\Program Files\LocalNet Express 2.0\PropelAC.exe
C:\Program Files\UltimateZip 2.7\uzqkst.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Microsoft Money\System\urlmap.exe
C:\Documents and Settings\Todd\Desktop\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dellnet.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dellnet.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.earthlink.net/partner/more/msie/button/search.html
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dellnet.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: IE_PopupBlocker Class - {656EC4B7-072B-4698-B504-2A414C1F0037} - C:\Program Files\LocalNet Express 2.0\prpl_IePopupBlocker.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [DadApp] C:\Program Files\Dell\AccessDirect\dadapp.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [MoneyStartUp10.0] "C:\Program Files\Microsoft Money\System\Activation.exe"
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [ConMgr.exe] "C:\Program Files\EarthLink 5.0\ConMgr.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [Propel Accelerator] "C:\Program Files\LocalNet Express 2.0\trayctl.exe" /STARTUPLAUNCH
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Startup: PowerReg Scheduler V3.exe
O4 - Startup: UltimateZip Quick Start.lnk = C:\Program Files\UltimateZip 2.7\uzqkst.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: PC Connect for CASSIOPEIA starter.lnk = ?
O8 - Extra context menu item: Allow pop-ups from this site - C:\Program Files\LocalNet Express 2.0\pac-addwl.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Refresh Pa&ge with Full Quality - C:\Program Files\LocalNet Express 2.0\pac-page.html
O8 - Extra context menu item: Refresh Pi&cture with Full Quality - C:\Program Files\LocalNet Express 2.0\pac-image.html
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/downloads/kws/kavwebscan_unicode.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1121223509813
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: CWQJWON - Unknown owner - C:\DOCUME~1\Todd\LOCALS~1\Temp\CWQJWON.exe (file missing)
O23 - Service: EPHNOCWBAC - Sysinternals - www.sysinternals.com - C:\DOCUME~1\Todd\LOCALS~1\Temp\EPHNOCWBAC.exe
O23 - Service: EWXUXYXFY - Unknown owner - C:\DOCUME~1\Todd\LOCALS~1\Temp\EWXUXYXFY.exe (file missing)
O23 - Service: IAFP - Unknown owner - C:\DOCUME~1\Todd\LOCALS~1\Temp\IAFP.exe (file missing)
O23 - Service: IES - Unknown owner - C:\DOCUME~1\Todd\LOCALS~1\Temp\IES.exe (file missing)
O23 - Service: KBQUYQENPSMPBO - Sysinternals - www.sysinternals.com - C:\DOCUME~1\Todd\LOCALS~1\Temp\KBQUYQENPSMPBO.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: LGVUPEI - Unknown owner - C:\DOCUME~1\Todd\LOCALS~1\Temp\LGVUPEI.exe (file missing)
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
O23 - Service: NZS - Unknown owner - C:\DOCUME~1\Todd\LOCALS~1\Temp\NZS.exe (file missing)
O23 - Service: PCM - Unknown owner - C:\DOCUME~1\Todd\LOCALS~1\Temp\PCM.exe (file missing)
O23 - Service: PDMJV - Unknown owner - C:\DOCUME~1\Todd\LOCALS~1\Temp\PDMJV.exe (file missing)
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SXYPL - Unknown owner - C:\DOCUME~1\Todd\LOCALS~1\Temp\SXYPL.exe (file missing)
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
O23 - Service: WLTRYSVC - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE
O23 - Service: XXXEQZVOW - Unknown owner - C:\DOCUME~1\Todd\LOCALS~1\Temp\XXXEQZVOW.exe (file missing)
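As an added triage example (not code from this thread, from HijackThis or from any of the tools named in it), the script below parses the log line types the helpers acted on: it flags the F2 Shell= override, reports when that extra binary is also in the "Running processes" list, lists O23 services registered from a user's Temp folder (still present vs. "(file missing)"), and diffs two logs so a cleanup is confirmed rather than assumed. The sample logs are constructed excerpts of the logs posted in the thread; the finding names are my own.

```python
"""HijackThis v1.99 log triage: an added example, not code from the thread or from HijackThis.
Flags an F2 Shell= override, its binary in "Running processes", and O23 services registered
from a user's Temp folder (present vs. "(file missing)"), then diffs two logs to confirm a cleanup."""
import re

F2_RE = re.compile(r"^F2 - REG:system\.ini: Shell=(?P<shell>.+)$")
TEMP_RE = re.compile(r"\\LOCALS~1\\Temp\\|\\Local Settings\\Temp\\", re.IGNORECASE)
O23_PREFIX, MISSING = "O23 - Service: ", " (file missing)"


def parse_hjt(log_text):
    """Return the processes, F2 Shell= values and O23 services of a log."""
    entries = {"processes": [], "f2_shell": [], "o23": []}
    in_procs = False
    for raw in log_text.splitlines():
        line = raw.strip()
        if line == "Running processes:":
            in_procs = True
            continue
        if in_procs:  # the process list ends at the first blank line
            in_procs = bool(line)
            if line:
                entries["processes"].append(line)
            continue
        m = F2_RE.match(line)
        if m:
            entries["f2_shell"].append(m.group("shell"))
        elif line.startswith(O23_PREFIX):
            body = line[len(O23_PREFIX):]
            missing = body.endswith(MISSING)
            if missing:
                body = body[: -len(MISSING)]
            # Owners can contain " - " ("Sysinternals - www.sysinternals.com"): take the path from the right, the name from the left.
            head, _, path = body.rpartition(" - ")
            name, _, owner = head.partition(" - ")
            entries["o23"].append({"name": name, "owner": owner, "path": path, "missing": missing})
    return entries


def triage(entries):
    """Return (kind, detail) findings: shell overrides first, then Temp-folder services."""
    findings, extra_bins = [], set()
    for shell in entries["f2_shell"]:
        extra = [t for t in shell.split() if t.lower() != "explorer.exe"]
        if extra:  # a clean Shell= value is exactly Explorer.exe
            extra_bins.update(t.lower() for t in extra)
            findings.append(("shell-override", "Shell= also launches " + " ".join(extra)))
    for proc in entries["processes"]:
        if proc.rsplit("\\", 1)[-1].lower() in extra_bins:
            findings.append(("shell-override-running", proc))
    # Services registered from a user's Temp folder deserve review either way; in this
    # thread the later logs show most of them as orphaned "(file missing)" entries.
    for svc in entries["o23"]:
        if TEMP_RE.search(svc["path"]):
            kind = "orphan-temp-service" if svc["missing"] else "temp-service"
            findings.append((kind, f"{svc['name']} -> {svc['path']}"))
    return findings


def persistence_diff(before, after):
    """(removed, added) entry keys between two parsed logs, e.g. pre- and post-cleanup."""
    def keys(e):
        k = {("F2", s) for s in e["f2_shell"]}
        k |= {("O23", s["name"], s["path"], s["missing"]) for s in e["o23"]}
        return k | {("PROC", p.lower()) for p in e["processes"]}
    b, a = keys(before), keys(after)
    return sorted(b - a), sorted(a - b)


# Constructed excerpts drawn from the logs posted in the thread (before and after the cleanup).
LOG_BEFORE = r"""Running processes:
C:\WINDOWS\Explorer.exe
C:\WINDOWS\System32\sysmon32.exe

F2 - REG:system.ini: Shell=Explorer.exe sysmon32.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: CWQJWON - Unknown owner - C:\DOCUME~1\Todd\LOCALS~1\Temp\CWQJWON.exe (file missing)
O23 - Service: IAFP - Sysinternals - www.sysinternals.com - C:\DOCUME~1\Todd\LOCALS~1\Temp\IAFP.exe
"""
LOG_AFTER = r"""Running processes:
C:\WINDOWS\Explorer.EXE

O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: CWQJWON - Unknown owner - C:\DOCUME~1\Todd\LOCALS~1\Temp\CWQJWON.exe (file missing)
O23 - Service: IAFP - Unknown owner - C:\DOCUME~1\Todd\LOCALS~1\Temp\IAFP.exe (file missing)
"""

if __name__ == "__main__":
    for log in (LOG_BEFORE, LOG_AFTER):
        print(*triage(parse_hjt(log)), sep="\n")
```

Run against the full 7/7 and 7/12 logs, `persistence_diff` shows the F2 line and the sysmon32.exe process gone after the Killbox/registry steps, which is the check the "It *appears* to have worked" post was looking for.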
