Solved

Unexpected Error Message - Please Help!

Posted on 2007-03-21
Last Modified: 2012-06-27
Within 5 minutes of booting up my PC, I get a very unexpected error message that I do not understand:
"windWWAA: readmeWMA.EXE. Unknown Software Exception."
[1] What is this and why is it occurring?
[2] Can this "annoyance" be fixed?
THANKS!

GadgetDude
Question by:GadgetDude
11 Comments
 
LVL 22

Expert Comment

by:orangutang
Send us your HijackThis (http://www.merijn.org/files/HiJackThis_v2.exe) log.
0
 

Author Comment

by:GadgetDude
I apologize for my lack of expertise; but, how do I "send" a log to a member?

GadgetDude
0
 
LVL 22

Expert Comment

by:orangutang
Well, download and open HijackThis (http://www.merijn.org/files/HiJackThis_v2.exe), click "Scan", click "Save Log", and copy the log's contents into a post here.
0
 

Author Comment

by:GadgetDude
I apologize for my long absence; but, I have been sick with the flu for the past week, plus.
Anyway, this is going to sound strange; but, I think it may have something to do with a virus. Why? Because I ran a virus scan, it found and deleted a trojan and some spyware. After that, this "annoyance" just disappeared and is no longer there.
Am I making an assumption? Yes. But I am sending the log anyway.

Here's the log:
Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 2:20:14 PM, on 3/30/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
c:\program files\common files\logishrd\lvmvfm\LVPrcSrv.exe
D:\PROGRA~1\APC\POWERC~1\APC\POWERC~1\agent\pbeagent.exe
D:\PROGRA~1\APC\POWERC~1\APC\POWERC~1\server\PBESER~1.EXE
C:\WINDOWS\system32\CTsvcCDA.exe
C:\WINDOWS\System32\GEARSec.exe
C:\PROGRA~1\TRENDM~1\INTERN~2\PcCtlCom.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\PROGRA~1\TRENDM~1\INTERN~2\Tmntsrv.exe
C:\PROGRA~1\TRENDM~1\INTERN~2\TmPfw.exe
C:\WINDOWS\system32\MsPMSPSv.exe
D:\Program Files\Networking\Pure Networks\Network Magic\nmsrvc.exe
C:\PROGRA~1\TRENDM~1\INTERN~2\pccguide.exe
D:\PROGRAM FILES\Say the Time\SayTime.exe
C:\Program Files\Common Files\LogiShrd\LComMgr\LVComSX.exe
D:\Program Files\Networking\Pure Networks\Network Magic\nmapp.exe
D:\PROGRAM FILES\Say the Time\SayTime.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAJA.EXE
C:\Program Files\Creative\Surround Mixer\CTSysVol.exe
C:\Program Files\Creative\DVDAudio\CTDVDDET.EXE
C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe
C:\WINDOWS\CTHELPER.EXE
C:\Program Files\Trend Micro\Internet Security 2007\TMAS_OE\TMAS_OEMon.exe
C:\Program Files\ATI Multimedia\main\ATIDtct.EXE
C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe
C:\Program Files\Brother\Brmfcmon\BrMfimon.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
D:\PROGRAM FILES\DeskFlag\deskflag.exe
C:\PROGRA~1\MI3AA1~1\rapimgr.exe
D:\Program Files\Networking\Pure Networks\Network Magic\WebServer\bin\nmraapache.exe
D:\Program Files\Networking\Pure Networks\Network Magic\WebServer\bin\rotatelogs.exe
D:\Program Files\Networking\Pure Networks\Network Magic\WebServer\bin\rotatelogs.exe
C:\PROGRA~1\TRENDM~1\INTERN~2\PcScnSrv.exe
D:\Program Files\Networking\Pure Networks\Network Magic\WebServer\bin\nmraapache.exe
D:\Program Files\Networking\Pure Networks\Network Magic\WebServer\bin\rotatelogs.exe
D:\Program Files\Networking\Pure Networks\Network Magic\WebServer\bin\rotatelogs.exe
C:\WINDOWS\System32\svchost.exe
D:\PROGRAM FILES\Multimedia\Musicmatch\Musicmatch Jukebox\MMDiag.exe
D:\PROGRAM FILES\Multimedia\Musicmatch\Musicmatch Jukebox\mim.exe
C:\PROGRA~1\TRENDM~1\INTERN~2\tmproxy.exe
F:\File Sharing\eMule\eMule.exe
C:\Program Files\Internet Explorer\iexplore.exe
D:\PROGRAM FILES\SYSTEM UTILITIES\Hijack This!\HiJackThis_v2.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.foxnews.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - D:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - D:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe irprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [pccguide.exe] C:\PROGRA~1\TRENDM~1\INTERN~2\pccguide.exe
O4 - HKLM\..\Run: [Say The Time] D:\PROGRAM FILES\Say the Time\SayTime.exe
O4 - HKLM\..\Run: [LVCOMSX] "C:\Program Files\Common Files\LogiShrd\LComMgr\LVComSX.exe"
O4 - HKLM\..\Run: [nmapp] "D:\Program Files\Networking\Pure Networks\Network Magic\nmapp.exe" -autorun
O4 - HKLM\..\Run: [\\PCS-2\EPSON Stylus Photo R340 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAJA.EXE /P38 "\\PCS-2\EPSON Stylus Photo R340 Series" /O6 "USB001" /M "Stylus Photo R340"
O4 - HKLM\..\Run: [SBDrvDet] C:\Program Files\Creative\SB Drive Det\SBDrvDet.exe /r
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [CTDVDDET] "C:\Program Files\Creative\DVDAudio\CTDVDDET.EXE"
O4 - HKLM\..\Run: [BrMfcWnd] C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe /AUTORUN
O4 - HKLM\..\Run: [ControlCenter3] C:\Program Files\Brother\ControlCenter3\brctrcen.exe /autorun
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE
O4 - HKCU\..\Run: [OE] "C:\Program Files\Trend Micro\Internet Security 2007\TMAS_OE\TMAS_OEMon.exe"
O4 - HKCU\..\Run: [ATI DeviceDetect] C:\Program Files\ATI Multimedia\main\ATIDtct.EXE
O4 - HKCU\..\Run: [Creative Detector] "C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe" /R
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O4 - HKUS\S-1-5-19\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Policies\Explorer\Run: [{CC41362B-0BB0-1033-0423-030306160001}] "C:\Program Files\Common Files\{CC41362B-0BB0-1033-0423-030306160001}\Update.exe" mc-110-12-0002239 (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit (User 'Default user')
O4 - HKUS\.DEFAULT\..\Policies\Explorer\Run: [{CC41362B-0BB0-1033-0423-030306160001}] "C:\Program Files\Common Files\{CC41362B-0BB0-1033-0423-030306160001}\Update.exe" mc-110-12-0002239 (User 'Default user')
O4 - Startup: DeskFlag.lnk = D:\PROGRAM FILES\DeskFlag\deskflag.exe
O8 - Extra context menu item: Append to existing PDF - res://D:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://D:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://D:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://D:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://D:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://D:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://D:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://D:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~1\Office12\EXCEL.EXE/3000
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: ATI TV - {44226DFF-747E-4edc-B30C-78752E50CD0C} - C:\Program Files\ATI Multimedia\dtv\EXPLBAR.DLL
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\PROGRA~1\MICROS~1\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/su/ocx/15026/CTSUEng.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1172290408012
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1172290534075
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/su/ocx/15028/CTPID.cab
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\System32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\System32\browseui.dll
O23 - Service: APC PBE Agent (APCPBEAgent) - APC - D:\PROGRA~1\APC\POWERC~1\APC\POWERC~1\agent\pbeagent.exe
O23 - Service: APC PBE Server (APCPBEServer) - APC - D:\PROGRA~1\APC\POWERC~1\APC\POWERC~1\server\PBESER~1.EXE
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Client IP-IPX - Unknown owner - C:\WINDOWS\system32\svchosts.exe (file missing)
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: GEARSecurity - GEAR Software - C:\WINDOWS\System32\GEARSec.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - c:\program files\common files\logishrd\lvmvfm\LVPrcSrv.exe
O23 - Service: LVSrvLauncher - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\SrvLnch\SrvLnch.exe
O23 - Service: Pure Networks Net2Go Service (nmraapache) - Pure Networks, Inc. - D:\Program Files\Networking\Pure Networks\Network Magic\WebServer\bin\nmraapache.exe
O23 - Service: Pure Networks Network Magic Service (nmservice) - Pure Networks, Inc. - D:\Program Files\Networking\Pure Networks\Network Magic\nmsrvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~2\PcCtlCom.exe
O23 - Service: Trend Micro Protection Against Spyware  (PcScnSrv) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~2\PcScnSrv.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~2\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~2\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~2\tmproxy.exe
End of file - 13195 bytes

Thanks!

GadgetDude


0
 
LVL 22

Expert Comment

by:orangutang
Yeah, your computer seems clean but I'm not sure what:
O4 - HKUS\.DEFAULT\..\Policies\Explorer\Run: [{CC41362B-0BB0-1033-0423-030306160001}] "C:\Program Files\Common Files\{CC41362B-0BB0-1033-0423-030306160001}\Update.exe" mc-110-12-0002239 (User 'Default user')
is. Anyway, I was thinking that windWWAA thing sounded suspicious.
0

 
LVL 47

Expert Comment

by:rpggamergirl
It would have been the SDBot variant that is showing in your logfile now with the file missing:
O23 - Service: Client IP-IPX - Unknown owner - C:\WINDOWS\system32\svchosts.exe (file missing)


You also need to stop and delete this service --> Client IP-IPX
At the command prompt, execute these commands pressing Enter after each:

sc stop "Client IP-IPX"
sc delete "Client IP-IPX"


Is everything now okay then?


@orangutang,
I wouldn't recommend the BETA version of HijackThis just yet because it has more bugs than the older version.
Entries we want to see don't show up and the entries we don't want to see show up, so the log can be confusing at times.
It also has a new feature "AnalyzeThis" which can be fatal if the user uses it and follows everything that the report says, :)
0
 

Author Comment

by:GadgetDude
I would like to make/ask 2 points:
[1] rpggamergirl: Found Client IP-IPX in "Services". You claim it should be deleted. Not knowing what it does or where it came from, I would be reluctant to delete any "Service" since I don't know its source or purpose. Further info might help.
[2] One extremely curious thing occurred ("curious" because I can't explain it): Ran Trend Micro's PC-cillin for Internet Security 2007. It found and deleted some spyware and 2 trojans. SINCE THEN: not only has the "Unexpected Error" completely disappeared; but, more importantly, it has not recurred since then.
So the conclusion begs itself: did the system scan actually remove the cause of the "error" and, if so, do I still need to delete "Client IP-IPX"?

As always, I look forward to the help and concern of my fellow members.
THANKS!!!
GadgetDude :)

0
 
LVL 47

Expert Comment

by:rpggamergirl
O23 - Service: Client IP-IPX - Unknown owner - C:\WINDOWS\system32\svchosts.exe (file missing)

Based on the above entry that is showing in your logfile, there is no doubt that that entry belongs to an SDBot variant --> "C:\WINDOWS\system32\svchosts.exe", for which the file is now missing, probably because of the scanners that you've used.
And it created this service --> Client IP-IPX

SDBot or any other nasties can create errors; some nasties can create other, different symptoms.
The error you'd experienced was just a symptom.
That service created by the SDBot is not needed, though it is now harmless because the file it is pointing to is gone. You can leave it or delete it.
My advice would have been to use SDFix to remove all the relevant reg entries.


Here's what that variant may have created:

Trojan.Svchosts
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CLIENT_IP-IPX
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CLIENT_IP-IPX#NextInstance
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CLIENT_IP-IPX00
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CLIENT_IP-IPX00#Service
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CLIENT_IP-IPX00#Legacy
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CLIENT_IP-IPX00#ConfigFlags
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CLIENT_IP-IPX00#Class
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CLIENT_IP-IPX00#ClassGUID
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_CLIENT_IP-IPX00#DeviceDesc
HKLM\SYSTEM\CurrentControlSet\Services\Client IP-IPX
HKLM\SYSTEM\CurrentControlSet\Services\Client IP-IPX#Type
HKLM\SYSTEM\CurrentControlSet\Services\Client IP-IPX#Start
HKLM\SYSTEM\CurrentControlSet\Services\Client IP-IPX#ErrorControl
HKLM\SYSTEM\CurrentControlSet\Services\Client IP-IPX#ImagePath
HKLM\SYSTEM\CurrentControlSet\Services\Client IP-IPX#DisplayName
HKLM\SYSTEM\CurrentControlSet\Services\Client IP-IPX#ObjectName
HKLM\SYSTEM\CurrentControlSet\Services\Client IP-IPX\Security
HKLM\SYSTEM\CurrentControlSet\Services\Client IP-IPX\Security#Security
HKLM\SYSTEM\CurrentControlSet\Services\Client IP-IPX\Enum
HKLM\SYSTEM\CurrentControlSet\Services\Client IP-IPX\Enum#0
HKLM\SYSTEM\CurrentControlSet\Services\Client IP-IPX\Enum#Count
HKLM\SYSTEM\CurrentControlSet\Services\Client IP-IPX\Enum#NextInstance



0
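The O23 entry singled out above combines three properties that can be checked mechanically: no owner, a missing file, and an image name one letter off svchost.exe. The following is an added example, not part of the original thread and not HijackThis code; the sample lines are copied from the log posted above, while the list of system binary names and the edit-distance threshold of 1 are assumptions.

```python
import re
from ntpath import basename  # parses Windows paths on any OS

# Assumption: a short list of core Windows binaries whose names get imitated.
SYSTEM_BINARIES = {"svchost.exe", "lsass.exe", "services.exe", "winlogon.exe",
                   "smss.exe", "csrss.exe", "spoolsv.exe", "explorer.exe"}

# O23 - Service: <display name> - <owner> - <image path>[ (file missing)]
O23 = re.compile(
    r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - "
    r"(?P<path>[A-Za-z]:\\.+?)(?P<missing> \(file missing\))?$"
)

# Lines copied from the log posted in this thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Client IP-IPX - Unknown owner - C:\WINDOWS\system32\svchosts.exe (file missing)
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~2\Tmntsrv.exe
"""

def edit_distance(a, b):
    """Levenshtein distance, computed one row at a time."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def lookalike_of(image):
    """Return the system binary that `image` nearly matches, or None."""
    image = image.lower()
    if image in SYSTEM_BINARIES:
        return None  # exact name: not a near-miss spelling
    for real in sorted(SYSTEM_BINARIES):
        if edit_distance(image, real) <= 1:
            return real
    return None

def triage(log_text):
    """Return (service name, image path, reasons) for each O23 line worth a look."""
    findings = []
    for line in log_text.splitlines():
        m = O23.match(line.strip())
        if not m:
            continue  # not a service entry
        reasons = []
        if m["owner"] == "Unknown owner":
            reasons.append("unknown owner")
        if m["missing"]:
            reasons.append("file missing")
        real = lookalike_of(basename(m["path"]))
        if real:
            reasons.append(f"name imitates {real}")
        if reasons:
            findings.append((m["name"], m["path"], reasons))
    return findings

if __name__ == "__main__":
    # More reasons first: one reason alone is a prompt to look closer, not a verdict.
    for name, path, reasons in sorted(triage(SAMPLE_LOG), key=lambda f: -len(f[2])):
        print(f"{name}: {path} -> {', '.join(reasons)}")
```

On the sample lines, "Client IP-IPX" is the only entry that matches all three checks, while "ATI Smart" matches only the owner check.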
 

Author Comment

by:GadgetDude
rpggamergirl:
Thank you so very much for the explanation. I admit I am a little envious because you obviously know a lot more about this stuff than I. I wish I did.
Anyway, I am going to remove that service. You mentioned a program "SDFix?" Is that something I can get and learn how it's used?

GadgetDude
0
 

Author Comment

by:GadgetDude
In Services, I can only disable Client IP-IPX. Unless "SD Fix" or some other method can be used to delete it?
GadgetDude
0
 
LVL 47

Accepted Solution

by:
rpggamergirl earned 250 total points
No problem, been reading hijackthis logs and malware hunting for 2 years that's all. You would know a lot more than me in a shorter time, :)

If you disabled it in Services, then you can also use HijackThis to delete the service so it's gone (HijackThis Misc. Tools > Delete an NT Service > type in -> Client IP-IPX).

That's why I always use the "sc.exe" at command prompt to stop and delete a bad service, kinda easier.

SDFix would have taken care of the file and the service, but since the file is gone (SDBot is no longer active) SDFix might not remove the service; you can try.
It's good to run SDFix because it also restores any registry settings changed by SDBot, as in disabled utilities etc.


>>You mentioned a program "SDFix?" Is that something I can get and learn how its used?<<
Sure, this tool is for most SDBot variants.
Download SDFix and save it to your desktop.
http://downloads.andymanchesta.com/RemovalTools/SDFix.zip

Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

Please then reboot your computer in Safe Mode by doing the following:

* Restart your computer.
* After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually.
* Instead of Windows loading as normal, a menu with options should appear.
* Select the first option, to run Windows in Safe Mode, then press "Enter".
* Choose your usual account.

* Open the extracted folder and double click "RunThis.bat" to start the script.
* Type "Y" to begin the script.
* It will remove the Trojan Services then make some repairs to the registry and prompt you to press any key to Reboot.
* Press any Key and it will restart the PC.
* Your system will take longer than normal to restart as the fixtool will be running and removing files.
* When the desktop loads the Fixtool will complete the removal and display "Finished", then press any key to end the script and load your desktop icons.
*  Finally open the SDFix folder on your desktop and copy and paste the contents of the results file "Report.txt" back

0
