Visitor
lost87
Posts: 4
Registered: ‎07-08-2009

globalroot\systemroot\system32\MSIVX

I am having a major problem with my computer. I have Windows Vista Home Premium Service Pack 1. When I click on Firefox or Internet Explorer, I get the error message globalroot\systemroot\system32\MSIVXstgkdxnmyccuibqqrtejjxyotauwwj.dll. However, when I click okay, the internet will open up. Also, occasionally when I am on the internet or restart my computer, I hear an ad of some type and music. After I click out of the browser, it continues to speak to me. Whatever I have causes Internet Explorer to open on its own and I have to close out of 10 or so windows. I have tried the following things: Windows Defender stopped scanning after 45 minutes, but it scanned in safe mode and found nothing. My Symantec antivirus version 10.20.276 has been disabled and will not scan in either safe or normal mode. I have installed Malwarebytes and Spybot Search and Destroy, which will not even open or give me the option of scanning. I have tried System Restore and it had a disc failure causing it not to complete the restore.
dbrisendine
Posts: 5,562
Kudos: 1,282
Solutions: 263
Registered: ‎10-06-2008

Re: globalroot\systemroot\system32\MSIVX

Before doing the GMER scan, please uninstall Spybot S&D and reboot your machine.  Then follow the steps below.

 

Please download GMER from http://www.gmer.net  and run the program. Select "Scan" and then "Save" the log.  Do nothing else with the GMER program as it can harm your system if used incorrectly. Then attach the log file as a text file to a post here. The Add Attachments link is below the orange Post button.  It will be reviewed for possible malware and we will get back to you.  Again, thanks for your help in this.

Visitor
lost87
Posts: 4
Registered: ‎07-08-2009

Re: globalroot\systemroot\system32\MSIVX

[ Edited ]

I tried running the program you suggested and it didn't work.  I've uploaded a screenshot of the error I received.  What do you think I should do?

 

lost87.jpg

 

 

[edit: Resized image to fit screen.]

 

 

Message Edited by shannons on 07-08-2009 08:29 PM
delphinium
Posts: 9,680
Kudos: 2,855
Solutions: 282
Registered: ‎11-21-2008

Re: globalroot\systemroot\system32\MSIVX

lost87:

 

Don't worry about it.  A lot of programs are prevented from working by rootkits.  It was worth a try to pick out some of the stuff ahead of time.  We do need the GMER log as also suggested by Dbrisendine.  The link is in his post.

See if it will run.  If not at first, try it in safe mode as well.

 

We have a lot of success with the MSIVX rootkits.  It will just take some time as we only have one guru capable of this kind of work.

Under certain circumstances profanity provides relief denied even to prayer.
Mark Twain
Visitor
lost87
Posts: 4
Registered: ‎07-08-2009

Re: globalroot\systemroot\system32\MSIVX

Okay, I tried again in normal mode and it was able to scan.  Here is my log.  Thanks for the help.
Bot Obliterator
Quads
Posts: 13,244
Registered: ‎07-21-2008

Re: globalroot\systemroot\system32\MSIVX

Hi

 

Now (read carefully): if you have Spybot S&D, uninstall it.

Also, during the restarts with Avenger, if your PC has a Startup Repair center (like with HP and Toshiba), tell it to start normally if it kicks in.

 

1. Download Avenger to your desktop,

 

Unzipped version http://homepages.slingshot.co.nz/~crutches/Avenger/

Creator's website http://swandog46.geekstogo.com/avenger2/avenger2.html with zipped version to then unzip to desktop

 

2. Click to run "Avenger.exe"  (right click "Run as Administrator" if using Vista)

 

3. In the "Input script here:" box, copy and paste the script between the lines

 


Drivers to disable:

MSIVXserv.sys

 

Drivers to delete:

MSIVXserv.sys

 

Files to delete:

C:\Autorun.inf

D:\Autorun.inf

C:\Windows\System32\drivers\MSIVXdtkiqpiunjyvpxwoqpbgbuterfiwepgb.sys  

C:\Windows\System32\MSIVXstgkdxnmyxccpuibqqrtejjxyotauwwj.dll

C:\Windows\System32\MSIVXxafircvfpyqnrxeitvcmjbopvxteupex.dll

C:\WINDOWS\System32\MSIVXcount

C:\Users\Christine\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\LSQUMVUK\bCA6RC2RQ.js

C:\Users\Christine\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\LSQUMVUK\langCAWJTHA7.js

C:\Users\Christine\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\LSQUMVUK\bCAKGHXLN.js

C:\Users\Christine\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\RV7MC4KV\iframe3[7].htm

C:\Users\Christine\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\RV7MC4KV\bCAPTFFVU.js

C:\Users\Christine\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\YDDQUZ0L\error[1]

C:\Users\Christine\AppData\Roaming\Microsoft\Windows\Cookies\christine@d1.openx[1].txt 

 

Registry keys to delete:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MSIVXserv.sys

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\MSIVXserv.sys

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\MSIVXserv.sys

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\MSIVXserv.sys

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\MSIVXserv.sys

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet005\Services\MSIVXserv.sys

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet006\Services\MSIVXserv.sys

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet007\Services\MSIVXserv.sys

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet008\Services\MSIVXserv.sys

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet009\Services\MSIVXserv.sys

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet010\Services\MSIVXserv.sys

HKEY_LOCAL_MACHINE\SOFTWARE\MSIVX 


 

Here is a screenshot (script updated since shot)

 

Avenger.jpg

 

Make sure the "Automatically disable any rootkits found" is NOT selected

 

4. Click "Execute"

 

You will be asked to restart the PC; click "Yes". When the PC restarts, the load screen will take slightly longer, then when it looks as though Windows is loading the PC will restart again.

Then when Windows fully loads, the Avenger log will be loaded, showing files it could or could not find.

5. Restart the PC again, then see if you can install, update and run Malwarebytes.

 

Quads 

Visitor
lost87
Posts: 4
Registered: ‎07-08-2009

Re: globalroot\systemroot\system32\MSIVX

I entered all that information into Avenger and quite a few errors occurred, most of which were in the registry keys. I was able to scan my computer with Malwarebytes and it found 4 things, two of which it was unable to delete and just put in quarantine. I have scanned my computer with Symantec antivirus, Windows Defender, Spyware Doctor, and Malwarebytes.

I no longer get an error message on my computer nor does it talk to me. Thanks for all of your help. I was wondering if my computer is safe to use again. I have changed all of my passwords to everything I have logged into. Do you have any suggestions on preventing anything like this happening again?

Thanks for all the help.  It is nice to know that you take the time to help people with these problems.
Bot Obliterator
Quads
Posts: 13,244
Registered: ‎07-21-2008

Re: globalroot\systemroot\system32\MSIVX

The errors for the registry keys are because you don't or won't have all the control sets, silly.

 

Avenger would have got the rootkit to then allow the other programs to run.

 

Quads 
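
Added example, not part of the original thread or written by any of its posters: a read-only PowerShell check that lists which control sets actually exist on the machine (the Avenger script's entries for absent ControlSetNNN keys are the ones that report errors) and whether the MSIVX service key, software key or MSIVX-prefixed files named in the script are still present. The variable names are this example's own; run it from an elevated 64-bit PowerShell prompt.

```powershell
# Read-only post-cleanup check. Nothing is deleted or modified.
# Names below come from the Avenger script in this thread.
$serviceName = 'MSIVXserv.sys'
$prefix      = 'MSIVX'

# HKLM\SYSTEM\Select\Current says which numbered set CurrentControlSet maps to.
$current = (Get-ItemProperty -Path 'HKLM:\SYSTEM\Select').Current
'CurrentControlSet maps to ControlSet{0:D3}' -f $current

# Only some ControlSetNNN keys exist on a given machine, so enumerate the
# ones that are really there instead of assuming 001 through 010.
$controlSets = Get-ChildItem -Path 'HKLM:\SYSTEM' |
    Where-Object { $_.PSChildName -match '^(CurrentControlSet|ControlSet\d{3})$' } |
    Select-Object -ExpandProperty PSChildName

$registryReport = foreach ($set in $controlSets) {
    $keyPath = "HKLM:\SYSTEM\$set\Services\$serviceName"
    [pscustomobject]@{
        Key     = $keyPath
        Present = Test-Path -LiteralPath $keyPath
    }
}
$registryReport += [pscustomobject]@{
    Key     = 'HKLM:\SOFTWARE\MSIVX'
    Present = Test-Path -LiteralPath 'HKLM:\SOFTWARE\MSIVX'
}
$registryReport | Format-Table -AutoSize

# -Force includes hidden and system files in the listing.
$dirs = "$env:SystemRoot\System32", "$env:SystemRoot\System32\drivers"
$leftovers = Get-ChildItem -Path $dirs -Filter "$prefix*" -Force -ErrorAction SilentlyContinue |
    Select-Object FullName, Length, LastWriteTime

if ($leftovers) {
    $leftovers | Format-Table -AutoSize
} else {
    "No $prefix* files found in System32 or System32\drivers."
}

# Caveat: a rootkit driver that is still loaded can hide its keys and files
# from these user-mode queries, so an empty result is only meaningful after
# the driver has been removed and the machine rebooted.
if (($registryReport | Where-Object Present) -or $leftovers) {
    'Remnants found: cleanup is incomplete.'
} else {
    'No remnants visible from user mode.'
}
```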

delphinium
Posts: 9,680
Kudos: 2,855
Solutions: 282
Registered: ‎11-21-2008

Re: globalroot\systemroot\system32\MSIVX

Lost87:

 

What happened to you can happen to any of us at any time.  A few things will help.  If you are running Norton Antivirus, you need a good compatible two-way firewall.  Windows firewall is not good enough.  Comodo is often recommended.

 

Running two real-time antivirus engines at the same time increases, rather than decreases, vulnerabilities.

 

Make sure your Windows is fully patched and updated and all program vulnerabilities are patched.

 

Nothing is foolproof.
