
Possible Virus damage, HJT log included.

Discussion in 'Malware and Virus Removal Archive' started by Vortigern Wolf, 2005/07/04.

Thread Status:
Not open for further replies.
  1. 2005/07/04
    Vortigern Wolf

    Vortigern Wolf Inactive Thread Starter

    Joined:
    2002/11/11
    Messages:
    57
    Likes Received:
    0
    Have a computer running Windows XP Professional. It was Service Pack 1 and spywared up to the hilt.

    Have cleaned off a lot of spyware and viruses. Have installed Service Pack 2. But am having problems with the SP2 Firewall in that it starts up but then after about a minute switches off and will not turn back on. Also when you run Task Manager you do not get the menu bar or tab bar along the top.

    Have run a number of antivirus programs and used HijackThis to clean out a lot of nasties. But have a line in the registry that HJT cannot seem to remove: O20 - Winlogon Notify: drct16 - C:\WINDOWS\SYSTEM32\drct16.dll. I have selected this but it just comes straight back. Have tried it in safe mode as well.

    Is this what is causing my problems with the Windows Firewall and Task Manager, or am I missing something else?

    Logfile of HijackThis v1.99.1
    Scan saved at 3:15:26 PM, on 7/4/2005
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\csrss.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\Program Files\BroadJump\Client Foundation\CFD.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Connect 4\hijackthis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ntlworld.com/
    O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\System32\PSDrvCheck.exe
    O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O14 - IERESET.INF: START_PAGE_URL=http://www.ntlworld.com
    O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://www.bitdefender.com/scan8/oscan8.cab
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
    O20 - Winlogon Notify: drct16 - C:\WINDOWS\SYSTEM32\drct16.dll

    Thank you in advance for all help.

    Vortigern
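As an added illustration (not part of the original thread or of HijackThis itself), here is a small Python triage helper for logs in the format posted above. It parses the `Oxx - ...` entry lines into sections, pulls the `O20 - Winlogon Notify:` entries apart into subkey name and DLL path, and reports whether the subkey name is one of the stock XP Winlogon Notify handlers and whether the DLL is still on disk. The known-good list, the extra `cscdll` line in the sample, and the `present_files` set (used instead of `os.path.exists` so the code runs offline) are assumptions made for this example.

```python
import re
from collections import defaultdict

# Constructed sample: the O20 and two other lines are copied from the log in the post
# above; the cscdll line is an added, constructed example of a stock XP handler.
SAMPLE_LOG = r"""Logfile of HijackThis v1.99.1
Running processes:
C:\WINDOWS\System32\smss.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ntlworld.com/
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O20 - Winlogon Notify: cscdll - C:\WINDOWS\SYSTEM32\cscdll.dll
O20 - Winlogon Notify: drct16 - C:\WINDOWS\SYSTEM32\drct16.dll
"""

# Assumption: subkey names under Winlogon\Notify that ship with a stock Windows XP install.
# Treat this as a starting point, not an authoritative whitelist.
KNOWN_GOOD_NOTIFY = frozenset({
    "crypt32chain", "cryptnet", "cscdll", "sccertprop", "schedule",
    "sclgntfy", "senslogn", "termsrv", "wlballoon",
})

# An HJT entry line: a section tag such as R0, O4, O20 followed by " - " and the body.
ENTRY_RE = re.compile(r"^(?P<section>[A-Z]\d{1,2}) - (?P<body>.+)$")
# Body of an O20 Winlogon Notify entry: "<subkey name> - <dll path>".
WINLOGON_RE = re.compile(r"^Winlogon Notify: (?P<name>\S+) - (?P<path>.+)$")


def parse_hjt_log(text):
    """Group HJT entry lines by section tag; process-list and header lines are skipped."""
    entries = defaultdict(list)
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries[m.group("section")].append(m.group("body"))
    return dict(entries)


def winlogon_notify_entries(entries):
    """Return (subkey name, dll path) pairs for every O20 Winlogon Notify entry."""
    found = []
    for body in entries.get("O20", []):
        m = WINLOGON_RE.match(body)
        if m:
            found.append((m.group("name"), m.group("path")))
    return found


def triage(entries, present_files):
    """Classify each Winlogon Notify entry.

    present_files stands in for the file system (constructed set of paths) so the
    example runs anywhere; on the affected machine use os.path.exists(path) instead.
    A Notify DLL is loaded by winlogon.exe, so it is in use even in safe mode, which
    is why the thread's "file in use" error appears; once the file is gone or renamed
    HJT reports the entry as "file missing" and the registry value can be fixed.
    """
    on_disk = {p.lower() for p in present_files}
    findings = []
    for name, path in winlogon_notify_entries(entries):
        status = "known-good" if name.lower() in KNOWN_GOOD_NOTIFY else "unrecognised"
        findings.append({
            "name": name,
            "path": path,
            "status": status,
            "file_present": path.lower() in on_disk,
        })
    return findings


if __name__ == "__main__":
    parsed = parse_hjt_log(SAMPLE_LOG)
    for f in triage(parsed, {r"C:\WINDOWS\SYSTEM32\cscdll.dll", r"C:\WINDOWS\SYSTEM32\drct16.dll"}):
        print(f"{f['name']:12} {f['status']:13} file_present={f['file_present']}  {f['path']}")
```

An "unrecognised" entry whose DLL is present is the case this thread is about: the name tells you nothing, so the next step is to check the file's publisher, hash and scan results before touching it. An "unrecognised" entry whose DLL is absent is the orphaned state the original poster reached after renaming the file, where HJT offers to remove the registry value.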
     
  2. 2005/07/05
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Reboot to safe mode, run HijackThis and fix the O20 entry. Then click Start > Run and type cmd to open a command window. Type the following commands, hitting Enter after each.

    attrib -r -s -h C:\WINDOWS\SYSTEM32\drct16.dll
    del C:\WINDOWS\SYSTEM32\drct16.dll


    DO NOT do this if the winlogon entry wasn't present in safe mode! If the file is successfully deleted without the entry being fixed, your computer will not start up on reboot!

    If the entry is not there in safe mode, try this. Open C:\WINDOWS\SYSTEM32, right click and choose New > Text Document. Name it drct16.old and click OK to the warning. Leave the document blank! Now do the above commands followed by this.

    ren C:\WINDOWS\SYSTEM32\drct16.old drct16.dll

    Reboot and fix the winlogon entry in HJT. Reboot again and delete the dummy drct16.dll file.

    Important! All spaces in those commands must be done properly. You can also save them to text and copy/paste them in.
     


  4. 2005/07/06
    Vortigern Wolf

    Vortigern Wolf Inactive Thread Starter

    Joined:
    2002/11/11
    Messages:
    57
    Likes Received:
    0
    Thanks for the reply.

    I followed the instructions: I selected fix in HijackThis and changed the attributes, but I was unable to run the del command because the file was in use by another process.

    Any ideas?

    Thanks

    Vortigern
     
  5. 2005/07/07
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Did you try the dummy file/rename bit? If so, and that didn't work, let's try another method before using the Recovery Console, which is the only other way I've found to kill one of those stubborn guys.

    Start with downloading "Registry Search Tool" (RegSrch.vbs) from here
    http://www.billsway.com/vbspage/
    Start it and paste in drct16.dll, wait for it to complete the search and click OK at the prompt. Then when WordPad opens, copy that back here please.
     
  6. 2005/07/08
    Vortigern Wolf

    Vortigern Wolf Inactive Thread Starter

    Joined:
    2002/11/11
    Messages:
    57
    Likes Received:
    0
    Thanks for your help, here's what I ended up doing.

    Windows in safe mode would not allow me to do anything to the file drct16.dll. I ended up going into safe mode with command prompt; this still didn't allow me to delete the file, but it did allow me to copy and rename it.

    I copied it first, just in case. Then I renamed it, started up the computer in normal mode and ran HJT. It still had the O20 item, but this time it reported it as file missing and allowed me to remove the entry.

    But this did not stop the problem with the task bar. I then created another user and found that the new user had no problems. Renaming the original user's profile and re-creating it fixed the problems.

    As for the two drct16 files: when I installed new antivirus software on the machine it identified both the copy and the renamed file and blew them out of existence. Identified them as Haxdoor something or other.

    Machine now successfully working. Thanks for your help.

    Vortigern
     