Unexpected Error Message - Please Help!

Posted on 2007-03-21
Last Modified: 2012-06-27
Within 5 minutes of booting up my PC, I get a very unexpected error message that I do not understand:
"windWWAA: readmeWMA.EXE. Unknown Software Exception."
[1] What is this and why is it occurring?
[2] Can this "annoyance" be fixed?
THANKS!

GadgetDude
0
Question by:GadgetDude
 
LVL 22

Expert Comment

by:orangutang
ID: 18768868
Send us your HijackThis (http://www.merijn.org/files/HiJackThis_v2.exe) log.
0
 

Author Comment

by:GadgetDude
ID: 18770283
I apologize for my lack of expertise; but, how do I "send" a log to a member?

GadgetDude
0
 
LVL 22

Expert Comment

by:orangutang
ID: 18772250
Well, download and open HijackThis (http://www.merijn.org/files/HiJackThis_v2.exe), click "Scan", click "Save Log", and copy the log's contents into a post here.
0

 

Author Comment

by:GadgetDude
ID: 18825867
I apologize for my long absence; but, I have been sick with the flu for the past week, plus.
Anyway, this is going to sound strange; but, I think it may have something to do with a virus. Why? Because I ran a virus scan, it found and deleted a trojan and some spyware. After that, this "annoyance" just disappeared and is no longer there.
Am I making an assumption? Yes. But I am sending the log anyway.

Here's the log:
Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 2:20:14 PM, on 3/30/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
c:\program files\common files\logishrd\lvmvfm\LVPrcSrv.exe
D:\PROGRA~1\APC\POWERC~1\APC\POWERC~1\agent\pbeagent.exe
D:\PROGRA~1\APC\POWERC~1\APC\POWERC~1\server\PBESER~1.EXE
C:\WINDOWS\system32\CTsvcCDA.exe
C:\WINDOWS\System32\GEARSec.exe
C:\PROGRA~1\TRENDM~1\INTERN~2\PcCtlCom.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\PROGRA~1\TRENDM~1\INTERN~2\Tmntsrv.exe
C:\PROGRA~1\TRENDM~1\INTERN~2\TmPfw.exe
C:\WINDOWS\system32\MsPMSPSv.exe
D:\Program Files\Networking\Pure Networks\Network Magic\nmsrvc.exe
C:\PROGRA~1\TRENDM~1\INTERN~2\pccguide.exe
D:\PROGRAM FILES\Say the Time\SayTime.exe
C:\Program Files\Common Files\LogiShrd\LComMgr\LVComSX.exe
D:\Program Files\Networking\Pure Networks\Network Magic\nmapp.exe
D:\PROGRAM FILES\Say the Time\SayTime.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAJA.EXE
C:\Program Files\Creative\Surround Mixer\CTSysVol.exe
C:\Program Files\Creative\DVDAudio\CTDVDDET.EXE
C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe
C:\WINDOWS\CTHELPER.EXE
C:\Program Files\Trend Micro\Internet Security 2007\TMAS_OE\TMAS_OEMon.exe
C:\Program Files\ATI Multimedia\main\ATIDtct.EXE
C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe
C:\Program Files\Brother\Brmfcmon\BrMfimon.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
D:\PROGRAM FILES\DeskFlag\deskflag.exe
C:\PROGRA~1\MI3AA1~1\rapimgr.exe
D:\Program Files\Networking\Pure Networks\Network Magic\WebServer\bin\nmraapache.exe
D:\Program Files\Networking\Pure Networks\Network Magic\WebServer\bin\rotatelogs.exe
D:\Program Files\Networking\Pure Networks\Network Magic\WebServer\bin\rotatelogs.exe
C:\PROGRA~1\TRENDM~1\INTERN~2\PcScnSrv.exe
D:\Program Files\Networking\Pure Networks\Network Magic\WebServer\bin\nmraapache.exe
D:\Program Files\Networking\Pure Networks\Network Magic\WebServer\bin\rotatelogs.exe
D:\Program Files\Networking\Pure Networks\Network Magic\WebServer\bin\rotatelogs.exe
C:\WINDOWS\System32\svchost.exe
D:\PROGRAM FILES\Multimedia\Musicmatch\Musicmatch Jukebox\MMDiag.exe
D:\PROGRAM FILES\Multimedia\Musicmatch\Musicmatch Jukebox\mim.exe
C:\PROGRA~1\TRENDM~1\INTERN~2\tmproxy.exe
F:\File Sharing\eMule\eMule.exe
C:\Program Files\Internet Explorer\iexplore.exe
D:\PROGRAM FILES\SYSTEM UTILITIES\Hijack This!\HiJackThis_v2.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.foxnews.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - D:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - D:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe irprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [pccguide.exe] C:\PROGRA~1\TRENDM~1\INTERN~2\pccguide.exe
O4 - HKLM\..\Run: [Say The Time] D:\PROGRAM FILES\Say the Time\SayTime.exe
O4 - HKLM\..\Run: [LVCOMSX] "C:\Program Files\Common Files\LogiShrd\LComMgr\LVComSX.exe"
O4 - HKLM\..\Run: [nmapp] "D:\Program Files\Networking\Pure Networks\Network Magic\nmapp.exe" -autorun
O4 - HKLM\..\Run: [\\PCS-2\EPSON Stylus Photo R340 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAJA.EXE /P38 "\\PCS-2\EPSON Stylus Photo R340 Series" /O6 "USB001" /M "Stylus Photo R340"
O4 - HKLM\..\Run: [SBDrvDet] C:\Program Files\Creative\SB Drive Det\SBDrvDet.exe /r
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [CTDVDDET] "C:\Program Files\Creative\DVDAudio\CTDVDDET.EXE"
O4 - HKLM\..\Run: [BrMfcWnd] C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe /AUTORUN
O4 - HKLM\..\Run: [ControlCenter3] C:\Program Files\Brother\ControlCenter3\brctrcen.exe /autorun
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE
O4 - HKCU\..\Run: [OE] "C:\Program Files\Trend Micro\Internet Security 2007\TMAS_OE\TMAS_OEMon.exe"
O4 - HKCU\..\Run: [ATI DeviceDetect] C:\Program Files\ATI Multimedia\main\ATIDtct.EXE
O4 - HKCU\..\Run: [Creative Detector] "C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe" /R
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O4 - HKUS\S-1-5-19\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Policies\Explorer\Run: [{CC41362B-0BB0-1033-0423-030306160001}] "C:\Program Files\Common Files\{CC41362B-0BB0-1033-0423-030306160001}\Update.exe" mc-110-12-0002239 (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit (User 'Default user')
O4 - HKUS\.DEFAULT\..\Policies\Explorer\Run: [{CC41362B-0BB0-1033-0423-030306160001}] "C:\Program Files\Common Files\{CC41362B-0BB0-1033-0423-030306160001}\Update.exe" mc-110-12-0002239 (User 'Default user')
O4 - Startup: DeskFlag.lnk = D:\PROGRAM FILES\DeskFlag\deskflag.exe
O8 - Extra context menu item: Append to existing PDF - res://D:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://D:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://D:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://D:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://D:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://D:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://D:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://D:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~1\Office12\EXCEL.EXE/3000
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: ATI TV - {44226DFF-747E-4edc-B30C-78752E50CD0C} - C:\Program Files\ATI Multimedia\dtv\EXPLBAR.DLL
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\PROGRA~1\MICROS~1\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/su/ocx/15026/CTSUEng.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1172290408012
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1172290534075
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/su/ocx/15028/CTPID.cab
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\System32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\System32\browseui.dll
O23 - Service: APC PBE Agent (APCPBEAgent) - APC - D:\PROGRA~1\APC\POWERC~1\APC\POWERC~1\agent\pbeagent.exe
O23 - Service: APC PBE Server (APCPBEServer) - APC - D:\PROGRA~1\APC\POWERC~1\APC\POWERC~1\server\PBESER~1.EXE
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Client IP-IPX - Unknown owner - C:\WINDOWS\system32\svchosts.exe (file missing)
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: GEARSecurity - GEAR Software - C:\WINDOWS\System32\GEARSec.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - c:\program files\common files\logishrd\lvmvfm\LVPrcSrv.exe
O23 - Service: LVSrvLauncher - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\SrvLnch\SrvLnch.exe
O23 - Service: Pure Networks Net2Go Service (nmraapache) - Pure Networks, Inc. - D:\Program Files\Networking\Pure Networks\Network Magic\WebServer\bin\nmraapache.exe
O23 - Service: Pure Networks Network Magic Service (nmservice) - Pure Networks, Inc. - D:\Program Files\Networking\Pure Networks\Network Magic\nmsrvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~2\PcCtlCom.exe
O23 - Service: Trend Micro Protection Against Spyware  (PcScnSrv) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~2\PcScnSrv.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~2\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~2\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~2\tmproxy.exe
End of file - 13195 bytes

Thanks!

GadgetDude


0
 
LVL 22

Expert Comment

by:orangutang
ID: 18825952
Yeah, your computer seems clean but I'm not sure what:
O4 - HKUS\.DEFAULT\..\Policies\Explorer\Run: [{CC41362B-0BB0-1033-0423-030306160001}] "C:\Program Files\Common Files\{CC41362B-0BB0-1033-0423-030306160001}\Update.exe" mc-110-12-0002239 (User 'Default user')
is. Anyway, I was thinking that windWWAA thing sounded suspicious.
0
 
LVL 47

Expert Comment

by:rpggamergirl
ID: 18833895
It would have been the SDBot variant that is showing in your logfile now with the file missing:
O23 - Service: Client IP-IPX - Unknown owner - C:\WINDOWS\system32\svchosts.exe (file missing)


You also need to stop and delete this service --> Client IP-IPX
At the command prompt, execute these commands pressing Enter after each:

sc stop "Client IP-IPX"
sc delete "Client IP-IPX"


Is everything now okay then?


@orangutang,
I wouldn't recommend the BETA version of Hijackthis just yet because it has more bugs than the older version.
Entries we want to see don't show up and the entries we don't want to see show up, so the log can be confusing at times.
It also has a new feature "AnalyzeThis" which can be fatal if the user used it and followed everything that the report says, :)
0
 

Author Comment

by:GadgetDude
ID: 18834271
I would like to make/ask 2 points:
[1] rpggamergirl: Found Client IP-IPX in "Services". You claim it should be deleted. Not knowing what it does or where it came from, I would be reluctant to delete any "Service" since I don't know its source or purpose. Further info might help.
[2] One extremely curious thing occurred ("curious" because I can't explain it): Ran Trend Micro's PC-cillin for Internet Security 2007. It found and deleted some spyware and 2 trojans. SINCE THEN: not only has the "Unexpected Error" completely disappeared; but, more importantly, it has not recurred since then.
So the conclusion begs itself: did the system scan actually remove the cause of the "error" and, if so, do I still need to delete "Client IP-IPX"?

As always, I look forward to the help and concern of my fellow members.
THANKS!!!
GadgetDude :)

0
 
LVL 47

Expert Comment

by:rpggamergirl
ID: 18834458
O23 - Service: Client IP-IPX - Unknown owner - C:\WINDOWS\system32\svchosts.exe (file missing)

Based on the above entry that is showing in your logfile, there is no doubt that that entry belongs to an SDBot variant --> "C:\WINDOWS\system32\svchosts.exe", whose file is now missing, probably because of the scanners that you've used.
And it created this service --> Client IP-IPX

SDBot or any other nasties can create errors; some nasties can create other different symptoms.
The error you'd experienced was just a symptom.
That service created by the SDBot is not needed, though it is now harmless because the file it is pointing to is gone. You can leave it or delete it.
My advice would have been to use SDFix to remove all the relevant reg entries.


Here's what that variant may have created:

Trojan.Svchosts
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CLIENT_IP-IPX
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CLIENT_IP-IPX#NextInstance
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CLIENT_IP-IPX00
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CLIENT_IP-IPX00#Service
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CLIENT_IP-IPX00#Legacy
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CLIENT_IP-IPX00#ConfigFlags
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CLIENT_IP-IPX00#Class
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CLIENT_IP-IPX00#ClassGUID
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CLIENT_IP-IPX00#DeviceDesc
HKLM\SYSTEM\CurrentControlSet\Services\Client IP-IPX
HKLM\SYSTEM\CurrentControlSet\Services\Client IP-IPX#Type
HKLM\SYSTEM\CurrentControlSet\Services\Client IP-IPX#Start
HKLM\SYSTEM\CurrentControlSet\Services\Client IP-IPX#ErrorControl
HKLM\SYSTEM\CurrentControlSet\Services\Client IP-IPX#ImagePath
HKLM\SYSTEM\CurrentControlSet\Services\Client IP-IPX#DisplayName
HKLM\SYSTEM\CurrentControlSet\Services\Client IP-IPX#ObjectName
HKLM\SYSTEM\CurrentControlSet\Services\Client IP-IPX\Security
HKLM\SYSTEM\CurrentControlSet\Services\Client IP-IPX\Security#Security
HKLM\SYSTEM\CurrentControlSet\Services\Client IP-IPX\Enum
HKLM\SYSTEM\CurrentControlSet\Services\Client IP-IPX\Enum#0
HKLM\SYSTEM\CurrentControlSet\Services\Client IP-IPX\Enum#Count
HKLM\SYSTEM\CurrentControlSet\Services\Client IP-IPX\Enum#NextInstance



0
 

Author Comment

by:GadgetDude
ID: 18836416
rpggamergirl:
Thank you so very much for the explanation. I admit I am a little envious because you obviously know a lot more about this stuff than I. I wish I did.
Anyway, I am going to remove that service. You mentioned a program "SDFix?" Is that something I can get and learn how it's used?

GadgetDude
0
 

Author Comment

by:GadgetDude
ID: 18836429
In Services, I can only disable Client IP-IPX. Unless "SD Fix" or some other method can be used to delete it?
GadgetDude
0
 
LVL 47

Accepted Solution

by:
rpggamergirl earned 1000 total points
ID: 18836855
No problem, been reading hijackthis logs and malware hunting for 2 years that's all. You would know a lot more than me in a shorter time, :)

If you disabled it in Services, then you can also use Hijackthis to delete the service so it's gone. (Hijackthis Misc. Tools > Delete an NT Service > type in -> Client IP-IPX)

that's why I always use the "sc.exe" at command prompt to stop and delete a bad service, kinda easier.

SDFix would have taken care of the file and the service, but since the file is gone (SDBot is no longer active) SDFix might not remove the service, you can try.
It's good to run SDFix because it also restores any registry settings changed by SDBot, as in disabled utilities etc.


>>You mentioned a program "SDFix?" Is that something I can get and learn how its used?<<
Sure, this tool is for most SDBot variants.
Download SDFix and save it to your desktop.
http://downloads.andymanchesta.com/RemovalTools/SDFix.zip

Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

Please then reboot your computer in Safe Mode by doing the following :

* Restart your computer
* After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
*  Instead of Windows loading as normal, a menu with options should appear;
*  Select the first option, to run Windows in Safe Mode, then press "Enter".
*  Choose your usual account.

*  Open the extracted folder and double click "RunThis.bat" to start the script.
*  Type "Y" to begin the script.
*  It will remove the Trojan Services then make some repairs to the registry and prompt you to press any key to Reboot.
*  Press any Key and it will restart the PC.
*  Your system will take longer than normal to restart as the fixtool will be running and removing files.
*  When the desktop loads the Fixtool will complete the removal and display "Finished", then press any key to end the script and load your desktop icons.
*  Finally open the SDFix folder on your desktop and copy and paste the contents of the results file "Report.txt" back

0
