Author Topic: Trojan Collected.5.L msdirectx.sys (Read 1950 times)

KritaKILL · « **on:** April 29, 2005, 09:39:45 PM »

I got a trojan on my other Computer called Collected.5.L found in C:\Documentsandsettings\"UserName"\msdirectx.sys
This Cuts me off from Internet and doesn't let me open heaps of applications such as hijack this so i cant find anyway of scanning to remove this bastardo

http://images.thetechguide.com/forum/public/style_emoticons/<#EMO_DIR#>/sad.gif\' class=\'bbc_emoticon\' alt=\'

\' /> if anyone could please help me I will luv u for long time hahaha.

Thanks

Guest · « **Reply #1 on:** May 01, 2005, 12:21:48 AM »

So...... does that mean no1 has ne idea of how i can get this problem sorted then....?

Edward · « **Reply #2 on:** May 01, 2005, 12:22:48 AM »

maybe delete the file???

Manually

Guest · « **Reply #3 on:** May 01, 2005, 05:32:37 PM »

yeh i did that but it just comes back again, same as it does when deleting using avg anti virus....

http://images.thetechguide.com/forum/public/style_emoticons/<#EMO_DIR#>/sad.gif\' class=\'bbc_emoticon\' alt=\'

\' />
fully lost on this gay trojan

guestolo · « **Reply #4 on:** May 01, 2005, 07:41:13 PM »

Hi Krista
I'll need to see a Hijackthis log
Please, Read This

KritaKILL · « **Reply #5 on:** May 02, 2005, 08:00:45 PM »

Logfile of HijackThis v1.99.1
Scan saved at 12:58:32 p.m., on 3/05/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
H:\Setup\rsrc\demo32.exe
F:\Setups\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.nz/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O4 - HKLM\..\Run: [Win32 USB2] sevhost.exe
O4 - HKLM\..\Run: [Microsoft Explorer] iexplorer.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [Configuration] msmmsgr.exe
O4 - HKLM\..\Run: [WISConfiguration] win.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\\NVCpl.dll,NvStartup
O4 - HKLM\..\Run: [WinFast Schedule] C:\Program Files\WinFast\WFTVFM\WFWIZ.exe
O4 - HKLM\..\Run: [WinFast2KLoadDefault] rundll32.exe wf2kcpl.dll,DllLoadDefaultSettings
O4 - HKLM\..\Run: [Coloreal Hint] C:\Program Files\WayTech\Coloreal\Coloreal Bright\Coloreal Hint.exe
O4 - HKLM\..\Run: [WCOLOREAL] "C:\Program Files\WayTech\Coloreal\coloreal.exe"
O4 - HKLM\..\Run: [WinFoxV2] C:\WINDOWS\System32\WF2K.EXE
O4 - HKLM\..\Run: [IntelliType] "C:\Program Files\Microsoft Hardware\Keyboard\type32.exe"
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [iTunesHelper] D:\Appz\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [NVMixerTray] "C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe"
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] D:\Appz\InCD\InCD.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\system32\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Microsoft Host Protocol] svhost.exe
O4 - HKLM\..\Run: [Required Service Drivers] micront.exe
O4 - HKLM\..\Run: [IPOT Service Drivers] compaq.exe
O4 - HKLM\..\RunServices: [Zone Alarm] vsmon.exe
O4 - HKLM\..\RunServices: [Win32 USB2] sevhost.exe
O4 - HKLM\..\RunServices: [Microsoft Explorer] iexplorer.exe
O4 - HKLM\..\RunServices: [Configuration] msmmsgr.exe
O4 - HKLM\..\RunServices: [WISConfiguration] win.exe
O4 - HKLM\..\RunServices: [Required Service Drivers] micront.exe
O4 - HKLM\..\RunServices: [Microsoft Host Protocol] svhost.exe
O4 - HKLM\..\RunServices: [IPOT Service Drivers] compaq.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Coloreal Bright.lnk = ?
O4 - Global Startup: Coloreal Hint.lnk = ?
O4 - Global Startup: Coloreal Visual.lnk = C:\Program Files\WayTech\Coloreal\Coloreal Visual\ColorealVisual.exe
O4 - Global Startup: E-Color.lnk = C:\Program Files\E-Color\Common\IconMgr.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O17 - HKLM\System\CCS\Services\Tcpip\..\{9DE84EFA-D238-41E6-83D6-DE877A39EA40}: NameServer = 203.96.152.4,203.96.152.12
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: GEARSecurity - GEAR Software - C:\WINDOWS\System32\GEARSEC.EXE
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

Thanks for the assisst dude... this virus sux

KritaKILL · « **Reply #6 on:** May 02, 2005, 08:01:58 PM »

oh yeah this is done from Safe mode as it is the only way i can get it to open.... cheers

guestolo · « **Reply #7 on:** May 02, 2005, 08:31:31 PM »

Sorry, as that link I posted you too on how to post a hijackthis log also
Requires you too register to the forum when including a log
Please take the time to do so then post back a fresh hijackthis log

KritaKILL · « **Reply #8 on:** May 02, 2005, 08:38:09 PM »

ummm... ok here ya go!!!

Logfile of HijackThis v1.99.1
Scan saved at 12:58:32 p.m., on 3/05/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
H:\Setup\rsrc\demo32.exe
F:\Setups\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.nz/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O4 - HKLM\..\Run: [Win32 USB2] sevhost.exe
O4 - HKLM\..\Run: [Microsoft Explorer] iexplorer.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [Configuration] msmmsgr.exe
O4 - HKLM\..\Run: [WISConfiguration] win.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\\NVCpl.dll,NvStartup
O4 - HKLM\..\Run: [WinFast Schedule] C:\Program Files\WinFast\WFTVFM\WFWIZ.exe
O4 - HKLM\..\Run: [WinFast2KLoadDefault] rundll32.exe wf2kcpl.dll,DllLoadDefaultSettings
O4 - HKLM\..\Run: [Coloreal Hint] C:\Program Files\WayTech\Coloreal\Coloreal Bright\Coloreal Hint.exe
O4 - HKLM\..\Run: [WCOLOREAL] "C:\Program Files\WayTech\Coloreal\coloreal.exe"
O4 - HKLM\..\Run: [WinFoxV2] C:\WINDOWS\System32\WF2K.EXE
O4 - HKLM\..\Run: [IntelliType] "C:\Program Files\Microsoft Hardware\Keyboard\type32.exe"
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [iTunesHelper] D:\Appz\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [NVMixerTray] "C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe"
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] D:\Appz\InCD\InCD.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\system32\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Microsoft Host Protocol] svhost.exe
O4 - HKLM\..\Run: [Required Service Drivers] micront.exe
O4 - HKLM\..\Run: [IPOT Service Drivers] compaq.exe
O4 - HKLM\..\RunServices: [Zone Alarm] vsmon.exe
O4 - HKLM\..\RunServices: [Win32 USB2] sevhost.exe
O4 - HKLM\..\RunServices: [Microsoft Explorer] iexplorer.exe
O4 - HKLM\..\RunServices: [Configuration] msmmsgr.exe
O4 - HKLM\..\RunServices: [WISConfiguration] win.exe
O4 - HKLM\..\RunServices: [Required Service Drivers] micront.exe
O4 - HKLM\..\RunServices: [Microsoft Host Protocol] svhost.exe
O4 - HKLM\..\RunServices: [IPOT Service Drivers] compaq.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Coloreal Bright.lnk = ?
O4 - Global Startup: Coloreal Hint.lnk = ?
O4 - Global Startup: Coloreal Visual.lnk = C:\Program Files\WayTech\Coloreal\Coloreal Visual\ColorealVisual.exe
O4 - Global Startup: E-Color.lnk = C:\Program Files\E-Color\Common\IconMgr.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O17 - HKLM\System\CCS\Services\Tcpip\..\{9DE84EFA-D238-41E6-83D6-DE877A39EA40}: NameServer = 203.96.152.4,203.96.152.12
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: GEARSecurity - GEAR Software - C:\WINDOWS\System32\GEARSEC.EXE
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

guestolo · « **Reply #9 on:** May 02, 2005, 08:50:48 PM »

Let's see if we can get you to run a log in Normal mode

Do this for now in safe mode
First download Dcombobulator
and Disable DCOM
http://grc.com/files/DCOMbob.exe

==Download and Unzip to a folder Hoster.zip
Open Hoster>>Click on "Restore Original Hosts"
OK it

Next:==Download and Install this small program
to help clean your temp folders,cookies, etc...
Windows Cleanup
Give the link time to load or try it twice, it may be busy
==Open Windows CleanUp!>>START>>programs>>Cleanup!
Click on the CleanUp button, let it finish scanning for files, when it's done
Decline to Log off

Afterwards
Do another scan with Hijackthis and put a check next to these entries:

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O4 - HKLM\..\Run: [Win32 USB2] sevhost.exe
O4 - HKLM\..\Run: [Microsoft Explorer] iexplorer.exe

O4 - HKLM\..\Run: [Configuration] msmmsgr.exe
O4 - HKLM\..\Run: [WISConfiguration] win.exe

O4 - HKLM\..\Run: [Microsoft Host Protocol] svhost.exe
O4 - HKLM\..\Run: [Required Service Drivers] micront.exe
O4 - HKLM\..\Run: [IPOT Service Drivers] compaq.exe
O4 - HKLM\..\RunServices: [Zone Alarm] vsmon.exe
O4 - HKLM\..\RunServices: [Win32 USB2] sevhost.exe
O4 - HKLM\..\RunServices: [Microsoft Explorer] iexplorer.exe
O4 - HKLM\..\RunServices: [Configuration] msmmsgr.exe
O4 - HKLM\..\RunServices: [WISConfiguration] win.exe
O4 - HKLM\..\RunServices: [Required Service Drivers] micront.exe
O4 - HKLM\..\RunServices: [Microsoft Host Protocol] svhost.exe
O4 - HKLM\..\RunServices: [IPOT Service Drivers] compaq.exe

After you have ticked the above entries, close All other open windows, including this one
Leave Hijackthis open and click FIX CHECKED
OK the prompt and exit Hijackthis

Restart into Normal mode and try running a scan with Hijackthis and posting the log

KritaKILL · « **Reply #10 on:** May 02, 2005, 09:32:33 PM »

Virus popd up so i clickd delete... then hijackthis wouldnt stay open for more than a second so i had to keep double-clicking for a while but it popd up with the result an here they are...

Logfile of HijackThis v1.99.1
Scan saved at 2:28:00 p.m., on 3/05/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\D-Tools\daemon.exe
C:\Program Files\WinFast\WFTVFM\WFWIZ.exe
C:\WINDOWS\System32\WF2K.EXE
C:\Program Files\Microsoft Hardware\Keyboard\type32.exe
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
D:\Appz\iTunes\iTunesHelper.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
D:\Appz\InCD\InCD.exe
C:\WINDOWS\system32\qttask.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\WINDOWS\System32\micront.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\WINDOWS\System32\svhost.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\System32\GEARSEC.EXE
C:\WINDOWS\System32\compaq.exe
C:\Program Files\WayTech\Coloreal\Coloreal Bright\Coloreal Bright.exe
C:\Program Files\E-Color\Common\IconMgr.exe
C:\Program Files\E-Color\Colorific\hgcctl95.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\E-Color\E-Color Indicator\TICIcon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Documents and Settings\Owner\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.nz/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.nz/
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\\NVCpl.dll,NvStartup
O4 - HKLM\..\Run: [WinFast Schedule] C:\Program Files\WinFast\WFTVFM\WFWIZ.exe
O4 - HKLM\..\Run: [WinFast2KLoadDefault] rundll32.exe wf2kcpl.dll,DllLoadDefaultSettings
O4 - HKLM\..\Run: [Coloreal Hint] C:\Program Files\WayTech\Coloreal\Coloreal Bright\Coloreal Hint.exe
O4 - HKLM\..\Run: [WCOLOREAL] "C:\Program Files\WayTech\Coloreal\coloreal.exe"
O4 - HKLM\..\Run: [WinFoxV2] C:\WINDOWS\System32\WF2K.EXE
O4 - HKLM\..\Run: [IntelliType] "C:\Program Files\Microsoft Hardware\Keyboard\type32.exe"
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [iTunesHelper] D:\Appz\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [NVMixerTray] "C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe"
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] D:\Appz\InCD\InCD.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\system32\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Microsoft Host Protocol] svhost.exe
O4 - HKLM\..\Run: [Required Service Drivers] micront.exe
O4 - HKLM\..\Run: [IPOT Service Drivers] compaq.exe
O4 - HKLM\..\RunServices: [Microsoft Host Protocol] svhost.exe
O4 - HKLM\..\RunServices: [Required Service Drivers] micront.exe
O4 - HKLM\..\RunServices: [IPOT Service Drivers] compaq.exe
O4 - HKCU\..\Run: [Win32 USB2] sevhost.exe
O4 - HKCU\..\Run: [Zone Alarm] vsmon.exe
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [Required Service Drivers] micront.exe
O4 - HKCU\..\Run: [Microsoft Host Protocol] svhost.exe
O4 - HKCU\..\Run: [Windows Update Manager Client] C:\WINDOWS\system32\msservcnnct.exe
O4 - HKCU\..\Run: [IPOT Service Drivers] compaq.exe
O4 - HKCU\..\RunServices: [Required Service Drivers] micront.exe
O4 - HKCU\..\RunServices: [Microsoft Host Protocol] svhost.exe
O4 - HKCU\..\RunServices: [IPOT Service Drivers] compaq.exe
O4 - Global Startup: Coloreal Bright.lnk = ?
O4 - Global Startup: Coloreal Hint.lnk = ?
O4 - Global Startup: Coloreal Visual.lnk = C:\Program Files\WayTech\Coloreal\Coloreal Visual\ColorealVisual.exe
O4 - Global Startup: E-Color.lnk = C:\Program Files\E-Color\Common\IconMgr.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O17 - HKLM\System\CCS\Services\Tcpip\..\{9DE84EFA-D238-41E6-83D6-DE877A39EA40}: NameServer = 203.96.152.4,203.96.152.12
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: GEARSecurity - GEAR Software - C:\WINDOWS\System32\GEARSEC.EXE
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

guestolo · « **Reply #11 on:** May 02, 2005, 10:14:10 PM »

We're going to have to throw a few scanners on your computer
You have some nasties in there

Could you do the following please
=Download the RKFiles.zip
http://skads.org/special/rkfiles.zip
UNZIP the contents to it's own folder

==Download the Pocket Killbox
UNZIP it to a folder of your choice

Download and then Install
Ewido Trojan Scanner

When installing, under "Additional Options" UNCHECK "Install background guard" and "Install scan via context menu".
When you run ewido for the first time, you will get a warning "Database could not be found!". Click OK. We'll fix that later
From the main ewido screen, click on UPDATE in the left menu, then click the Start update button.
After the update finishes (the status bar at the bottom will display "Update successful")
Close out Ewido
We'll need it later

Please save these instructions to a Notepad file and save it to your Desktop>>Close all browser windows, disconnect from the Internet

Open Hijackthis>>Open Misc tools section>>Open Process Manager
Kill these processes if found or if you can
C:\WINDOWS\System32\micront.exe
C:\WINDOWS\System32\compaq.exe
C:\WINDOWS\System32\svhost.exe <-notice the spelling, DON'T try and end svchost.exe

Do another scan with Hijackthis and put a check next to these entries:

O4 - HKLM\..\Run: [Microsoft Host Protocol] svhost.exe
O4 - HKLM\..\Run: [Required Service Drivers] micront.exe
O4 - HKLM\..\Run: [IPOT Service Drivers] compaq.exe
O4 - HKLM\..\RunServices: [Microsoft Host Protocol] svhost.exe
O4 - HKLM\..\RunServices: [Required Service Drivers] micront.exe
O4 - HKLM\..\RunServices: [IPOT Service Drivers] compaq.exe
O4 - HKCU\..\Run: [Win32 USB2] sevhost.exe
O4 - HKCU\..\Run: [Zone Alarm] vsmon.exe

O4 - HKCU\..\Run: [Required Service Drivers] micront.exe
O4 - HKCU\..\Run: [Microsoft Host Protocol] svhost.exe
O4 - HKCU\..\Run: [Windows Update Manager Client] C:\WINDOWS\system32\msservcnnct.exe
O4 - HKCU\..\Run: [IPOT Service Drivers] compaq.exe
O4 - HKCU\..\RunServices: [Required Service Drivers] micront.exe
O4 - HKCU\..\RunServices: [Microsoft Host Protocol] svhost.exe
O4 - HKCU\..\RunServices: [IPOT Service Drivers] compaq.exe

After you have ticked the above entries, close All other open windows, including this one
Leave Hijackthis open and click FIX CHECKED
OK the prompt and exit Hijackthis

==Run Pocket KillBox>>Now killbox and this notepad file is open
Click on Tools>>Delete Temp files

In the Full Path of File to Delete box, copy and paste the entire line directly below in bold, do not type this in

C:\WINDOWS\System32\micront.exe

Select the radio button to
Delete on Reboot
Click The Red circle and a white X
When prompted to Delete on Reboot, click YES
If prompted to Reboot Now, Click NO

Continue to copy and paste the next paths to the files below into killbox
Selecting Delete on Reboot after each

C:\WINDOWS\System32\compaq.exe
C:\WINDOWS\System32\svhost.exe
C:\WINDOWS\System32\sevhost.exe
C:\WINDOWS\system32\msservcnnct.exe
C:\WINDOWS\system32\vsmon.exe

When you've entered the last path to the file
Allow the computer to Reboot
or Restart the computer anyways
Please Restart into Safe mode

In Safe mode
Set Windows To Show Hidden Files and Folders
* Click Start.
* Open My Computer.
* Select the Tools menu and click Folder Options.
* Select the View Tab.
* Under the Hidden files and folders heading select Show hidden files and folders.
* Uncheck the Hide protected operating system files (recommended) option.
* Uncheck the Hide Extensions for known file types
* Click Yes to confirm.
* Click OK.

Run Windows CleanUp! again
Decline to Log off

==Open Ewido trojan scanner
Click on the Scanner button in the left menu, then click on the Start button. This scan can take a while, so give it time to run
If ewido finds anything, it will pop up a notification. You can select "clean" and check the boxes "Perform action with all infections" and "Create encrypted backup" before clicking on OK.
When the scan finishes, click on "Save Report". This will create a text file.
Save the report

Open the folder you unzipped rkfiles.zip too
Double click to run Rkfiles.bat
Wait for the scan to finish, give this time
When it's done a log will be produced, save this log
By default, it is saved to C:\Log.txt

Restart back to Normal mode
Post the log produced by rkfiles.bat and the Ewido report
Also post back a fresh Hijackthis log

EDIT>>Sorry, I added a couple entries to be killed with Killbox and the fixes with Hijackthis, I didn't expect you to get back so fast
If you missed them, we'll get them next time

KritaKILL · « **Reply #12 on:** May 02, 2005, 10:21:44 PM »

I cant run hijackthis in normal mode.... it just closes as soon as it opens.... can the forst step be done in safe mode or can i only work through normal mode?

guestolo · « **Reply #13 on:** May 02, 2005, 10:23:28 PM »

You can do all steps in Safe mode if you have too
But make sure you get Ewido installed and updated

P.s>>I hope you seen my Edit above

KritaKILL · « **Reply #14 on:** May 02, 2005, 11:56:40 PM »

Duuuuuuuuuuuuuuuuude!!!
i rekon u may have cleared it off, there was no virus pop up and i can run hijack this! from normal mode!!!

heres the stuff u wanted to see:

---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on:         4:31:30 p.m., 3/05/2005
+ Report-Checksum:      19E27B80

+ Date of database:      3/05/2005
+ Version of scan engine:   v3.0

+ Duration:            19 min
+ Scanned Files:         55178
+ Speed:            46.12 Files/Second
+ Infected files:         1
+ Removed files:         1
+ Files put in quarantine:      1
+ Files that could not be opened:   0
+ Files that could not be cleaned:   0

+ Binder:      Yes
+ Crypter:      Yes
+ Archives:      Yes

+ Scanned items:
   C:\
   D:\
   E:\
   F:\

+ Scan result:
   C:\WINDOWS\system32\drivers\drv\firedaemon.exe -> Backdoor.SdBot.nj -> Cleaned with backup

::Report End

-----------------------------------------------------------

F:\New Folder

PLEASE NOTE THAT ALL FILES FOUND BY THIS METHOD ARE NOT BAD FILES, THERE MIGHT BE LEGIT FILES LISTED AND PLEASE BE CAREFUL WHILE FIXING. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.
Files Found in system Folder............
-----------
C:\WINDOWS\system32\dfrg.msc: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAQAAAAAwGpEc213

Files Found in all users startup Folder............
------------------------
Files Found in all users windows Folder............
------------------------
C:\WINDOWS\daemon.dll: UPX!
C:\WINDOWS\tsc.exe: UPX!
C:\WINDOWS\vsapi32.dll: UPX!t4
Finished
bye

-------------------------------------------------------------

Logfile of HijackThis v1.99.1
Scan saved at 4:51:49 p.m., on 3/05/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\D-Tools\daemon.exe
C:\Program Files\WinFast\WFTVFM\WFWIZ.exe
C:\WINDOWS\System32\WF2K.EXE
C:\Program Files\Microsoft Hardware\Keyboard\type32.exe
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
D:\Appz\iTunes\iTunesHelper.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
D:\Appz\InCD\InCD.exe
C:\WINDOWS\system32\qttask.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\System32\GEARSEC.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\WayTech\Coloreal\Coloreal Bright\Coloreal Bright.exe
C:\Program Files\E-Color\Common\IconMgr.exe
C:\Program Files\E-Color\Colorific\hgcctl95.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\E-Color\E-Color Indicator\TICIcon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Documents and Settings\Owner\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.nz/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.nz/
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\\NVCpl.dll,NvStartup
O4 - HKLM\..\Run: [WinFast Schedule] C:\Program Files\WinFast\WFTVFM\WFWIZ.exe
O4 - HKLM\..\Run: [WinFast2KLoadDefault] rundll32.exe wf2kcpl.dll,DllLoadDefaultSettings
O4 - HKLM\..\Run: [Coloreal Hint] C:\Program Files\WayTech\Coloreal\Coloreal Bright\Coloreal Hint.exe
O4 - HKLM\..\Run: [WCOLOREAL] "C:\Program Files\WayTech\Coloreal\coloreal.exe"
O4 - HKLM\..\Run: [WinFoxV2] C:\WINDOWS\System32\WF2K.EXE
O4 - HKLM\..\Run: [IntelliType] "C:\Program Files\Microsoft Hardware\Keyboard\type32.exe"
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [iTunesHelper] D:\Appz\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [NVMixerTray] "C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe"
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] D:\Appz\InCD\InCD.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\system32\qttask.exe" -atboottime
O4 - HKCU\..\Run: [Win32 USB2] sevhost.exe
O4 - HKCU\..\Run: [Zone Alarm] vsmon.exe
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [Required Service Drivers] micront.exe
O4 - HKCU\..\Run: [Microsoft Host Protocol] svhost.exe
O4 - HKCU\..\Run: [Windows Update Manager Client] C:\WINDOWS\system32\msservcnnct.exe
O4 - HKCU\..\Run: [IPOT Service Drivers] compaq.exe
O4 - HKCU\..\RunServices: [Required Service Drivers] micront.exe
O4 - HKCU\..\RunServices: [Microsoft Host Protocol] svhost.exe
O4 - HKCU\..\RunServices: [IPOT Service Drivers] compaq.exe
O4 - Global Startup: Coloreal Bright.lnk = ?
O4 - Global Startup: Coloreal Hint.lnk = ?
O4 - Global Startup: Coloreal Visual.lnk = C:\Program Files\WayTech\Coloreal\Coloreal Visual\ColorealVisual.exe
O4 - Global Startup: E-Color.lnk = C:\Program Files\E-Color\Common\IconMgr.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O17 - HKLM\System\CCS\Services\Tcpip\..\{9DE84EFA-D238-41E6-83D6-DE877A39EA40}: NameServer = 203.96.152.4,203.96.152.12
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: GEARSecurity - GEAR Software - C:\WINDOWS\System32\GEARSEC.EXE
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

guestolo · « **Reply #15 on:** May 03, 2005, 12:15:01 AM »

Is msdirectx.sys still hanging around??
I'm not sure if your totally clean yet

Do another scan with Hijackthis and put a check next to these entries:

O4 - HKCU\..\Run: [Win32 USB2] sevhost.exe
O4 - HKCU\..\Run: [Zone Alarm] vsmon.exe

O4 - HKCU\..\Run: [Required Service Drivers] micront.exe
O4 - HKCU\..\Run: [Microsoft Host Protocol] svhost.exe
O4 - HKCU\..\Run: [Windows Update Manager Client] C:\WINDOWS\system32\msservcnnct.exe
O4 - HKCU\..\Run: [IPOT Service Drivers] compaq.exe
O4 - HKCU\..\RunServices: [Required Service Drivers] micront.exe
O4 - HKCU\..\RunServices: [Microsoft Host Protocol] svhost.exe
O4 - HKCU\..\RunServices: [IPOT Service Drivers] compaq.exe

After you have ticked the above entries, close All other open windows, including this one
Leave Hijackthis open and click FIX CHECKED
OK the prompt and exit Hijackthis

Restart your computer

Post back a fresh Hijackthis log

Could you also do the following
Download and UNZIP to desktop
Export.zip, so you now have Export.bat on the desktop

Double click on Export.bat
A new file called Export.txt MAY be placed on your desktop, if it is can you copy and paste back the contents
If nothing is produced, let me know that too

KritaKILL · « **Reply #16 on:** May 03, 2005, 12:30:39 AM »

heres the new hijack this:

C:\Program Files\Microsoft Hardware\Mouse\point32.exe
D:\Appz\iTunes\iTunesHelper.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
D:\Appz\InCD\InCD.exe
C:\WINDOWS\system32\qttask.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\WINDOWS\System32\GEARSEC.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\WayTech\Coloreal\Coloreal Bright\Coloreal Bright.exe
C:\Program Files\E-Color\Common\IconMgr.exe
C:\Program Files\E-Color\Colorific\hgcctl95.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\E-Color\E-Color Indicator\TICIcon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Documents and Settings\Owner\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.nz/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.nz/
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\\NVCpl.dll,NvStartup
O4 - HKLM\..\Run: [WinFast Schedule] C:\Program Files\WinFast\WFTVFM\WFWIZ.exe
O4 - HKLM\..\Run: [WinFast2KLoadDefault] rundll32.exe wf2kcpl.dll,DllLoadDefaultSettings
O4 - HKLM\..\Run: [Coloreal Hint] C:\Program Files\WayTech\Coloreal\Coloreal Bright\Coloreal Hint.exe
O4 - HKLM\..\Run: [WCOLOREAL] "C:\Program Files\WayTech\Coloreal\coloreal.exe"
O4 - HKLM\..\Run: [WinFoxV2] C:\WINDOWS\System32\WF2K.EXE
O4 - HKLM\..\Run: [IntelliType] "C:\Program Files\Microsoft Hardware\Keyboard\type32.exe"
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [iTunesHelper] D:\Appz\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [NVMixerTray] "C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe"
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] D:\Appz\InCD\InCD.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\system32\qttask.exe" -atboottime
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\\NVMCTRAY.DLL,NvTaskbarInit
O4 - Global Startup: Coloreal Bright.lnk = ?
O4 - Global Startup: Coloreal Hint.lnk = ?
O4 - Global Startup: Coloreal Visual.lnk = C:\Program Files\WayTech\Coloreal\Coloreal Visual\ColorealVisual.exe
O4 - Global Startup: E-Color.lnk = C:\Program Files\E-Color\Common\IconMgr.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O17 - HKLM\System\CCS\Services\Tcpip\..\{9DE84EFA-D238-41E6-83D6-DE877A39EA40}: NameServer = 203.96.152.4,203.96.152.12
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: GEARSecurity - GEAR Software - C:\WINDOWS\System32\GEARSEC.EXE
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

just gona do the export.zip thing now

KritaKILL · « **Reply #17 on:** May 03, 2005, 12:33:31 AM »

no txt doc's appeared on my desktop

KritaKILL · « **Reply #18 on:** May 03, 2005, 01:03:08 AM »

So is that my PC sussed for now dude?

guestolo · « **Reply #19 on:** May 03, 2005, 10:36:14 PM »

Sounds good

Can you do the following please

If everything is running better

You should disable system restore---restart your computer--enable system restore
This will clear all your restore points and ensure you don't restore any nasties
Once reenabled it will create a fresh restore point
How to Disable and Re-enable System Restore feature

Once back in Windows and System Restore is reenabled

You should set up protection against future attacks

SpywareBlaster 3.3 by JavaCool
*Will block bad ActiveX Controls
*Block Malevolent cookies in Internet Explorer and Firefox
*Restrict actions of potentially dangerous sites in Internet Explorer

IE-Spyad---IE-SPYAD puts over 5000 sites in your restricted zone so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all.
Here is a tutorial and download link
TUTORIAL==Link to Tutorial
Download link

With both, Check for updates every couple of weeks
Keep the link to IE-Spyad bookmarked so you can check for updates
SpywareBlaster, after every update just simply enable all protection

Post back one last hijackthis log and include the Whole log, you cut off the top part

Also, just for a double check
Can you download this file
http://www.sysinternals.com/files/rootkitrevealer.zip
Unzip it to it own folder or to your desktop.
Run RootkitRevealer.exe and scan your system. When the scan is complete click on File, Save, and save the log file. Copy and paste the log file here.

News:

Author Topic: Trojan Collected.5.L msdirectx.sys (Read 1950 times)

KritaKILL

Guest

Guest

KritaKILL

KritaKILL