msxmidi.exe


4 replies to this topic

#1 amnesiak


Posted 27 June 2004 - 05:46 AM

Hello,
After I've used CWShredder my WinXP (just after start) reports that Windows cannot find F:\system 32\services\msxmidi.exe. It also suggests that I can remove the registry entry, but I can't find that entry anyway. Is there any way I can fix that? I have deleted the msxmidi.exe file but the report is still coming after I start Windows.
And one more thing: CWShredder also found this file smcfg.exe and asks me if I should delete it.
Please reply.

#2 cnm


Posted 27 June 2004 - 09:46 AM

Please do this.
Download 'Hijack This!'. http://www.spywarein.../HijackThis.exe
Save it in a convenient permanent folder such as C:\HJT\, double click HijackThis.exe, and hit "Scan".

When the scan is finished, the "Scan" button will change into a "Save Log" button.
Press that, save the log, Ctrl-A to Select All, and copy its contents here. Most of what it lists will be harmless or even essential; don't fix anything yet.

smcfg.exe is probably a modem file and should not be deleted if you have an SMC modem.

Microsoft MVP Windows Security 2005-2006
How camest thou in this pickle? -- William Shakespeare:(1564-1616)
The various helper groups here
UNITE


#3 amnesiak


Posted 27 June 2004 - 11:05 AM

Logfile of HijackThis v1.97.7
Scan saved at 18:02:21, on 27.6.2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
F:\WINDOWS\System32\smss.exe
F:\WINDOWS\system32\winlogon.exe
F:\WINDOWS\system32\services.exe
F:\WINDOWS\system32\lsass.exe
F:\WINDOWS\System32\Ati2evxx.exe
F:\WINDOWS\system32\svchost.exe
F:\WINDOWS\System32\svchost.exe
F:\WINDOWS\system32\Ati2evxx.exe
F:\WINDOWS\system32\LEXBCES.EXE
F:\WINDOWS\Explorer.EXE
F:\WINDOWS\system32\spoolsv.exe
F:\WINDOWS\system32\LEXPPS.EXE
F:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
F:\Program Files\Alwil Software\Avast4\ashServ.exe
F:\WINDOWS\system32\slserv.exe
F:\WINDOWS\System32\LXSUPMON.EXE
F:\Program Files\Winamp\winampa.exe
F:\Program Files\Alwil Software\Avast4\ashDisp.exe
F:\PROGRA~1\ALWILS~1\Avast4\ashmaisv.exe
F:\Program Files\Elaborate Bytes\CloneCD\CloneCDTray.exe
F:\WINDOWS\System32\ctfmon.exe
F:\Program Files\Messenger\msmsgs.exe
F:\WINDOWS\System32\wtssvsu.exe
F:\Program Files\SysShield Tools\Internet Eraser\cseraser.exe
F:\Program Files\SpywareGuard\sgmain.exe
F:\Program Files\SpywareGuard\sgbhp.exe
F:\WINDOWS\System32\wuauclt.exe
F:\ZIP\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://213.159.117.134/index.php
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://213.159.117.134/index.php
F1 - win.ini: run=F:\WINDOWS\System32\services\msxmidi.exe
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - F:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: SysShield IE Popup Blocker - {9A23B8A4-C6C9-4A68-8FA6-5F905DC8FF80} - F:\Program Files\SysShield Tools\Internet Eraser\pkext.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - F:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: AbsoluteShield - {EE9DD090-902D-4623-9360-FB7D8666202B} - F:\Program Files\SysShield Tools\Internet Eraser\AbsoluteBar.dll
O4 - HKLM\..\Run: [LXSUPMON] F:\WINDOWS\System32\LXSUPMON.EXE RUN
O4 - HKLM\..\Run: [NeroCheck] F:\WINDOWS\System32\\NeroCheck.exe
O4 - HKLM\..\Run: [WinampAgent] F:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [avast!] F:\Program Files\Alwil Software\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [ashMaiSv] F:\PROGRA~1\ALWILS~1\Avast4\ashmaisv.exe
O4 - HKLM\..\Run: [CloneCDElbyCDFL] "F:\Program Files\Elaborate Bytes\CloneCD\ElbyCheck.exe" /L ElbyCDFL
O4 - HKLM\..\Run: [CloneCDTray] "F:\Program Files\Elaborate Bytes\CloneCD\CloneCDTray.exe"
O4 - HKLM\..\Run: [WinInit] Win86.exe
O4 - HKLM\..\Run: [WinLogin] win32x.exe
O4 - HKCU\..\Run: [CTFMON.EXE] F:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "F:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [WAPI] F:\WINDOWS\System32\wtssvsu.exe
O4 - Startup: AbsoluteShield Internet Eraser.lnk = F:\Program Files\SysShield Tools\Internet Eraser\cseraser.exe
O4 - Startup: SpywareGuard.lnk = F:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: Microsoft Office.lnk = F:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O12 - Plugin for .spop: F:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {11111111-1111-1111-1111-111111113456} - file://c:\info6_s.cab
O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} - http://www.mt-downlo...tsInstaller.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{7E08E8B6-D06B-4234-9E3D-CC768AEAD827}: NameServer = 217.72.64.10 217.72.64.11
O17 - HKLM\System\CS1\Services\Tcpip\..\{7E08E8B6-D06B-4234-9E3D-CC768AEAD827}: NameServer = 217.72.64.10 217.72.64.11

#4 cnm


Posted 27 June 2004 - 11:45 AM

Tick the boxes next to all these, then close all browser and explorer windows, and tell HijackThis to "Fix checked". Then Reboot.

O4 - HKLM\..\Run: [WinInit] Win86.exe
O4 - HKLM\..\Run: [WinLogin] win32x.exe
O4 - HKCU\..\Run: [WAPI] F:\WINDOWS\System32\wtssvsu.exe

O16 - DPF: {11111111-1111-1111-1111-111111113456} - file://c:\info6_s.cab
O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} - http://www.mt-downlo...tsInstaller.cab

It would be a good idea to run an online virus scan. Win86.exe may be viral.
http://www.pandasoft...n_principal.htm
and/or http://housecall.trendmicro.com/

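As an added example (not part of the original thread and not HijackThis's own code), this sketch parses the autostart lines (F1 and O4) of a HijackThis log like the one posted above and flags commands that name a program without any directory. That heuristic is an assumption made here for triage, not the helper's stated reasoning; the function names are hypothetical and the sample lines are copied from the log in this thread.

```python
import ntpath
import re

# Lines copied from the HijackThis log posted in this thread.
SAMPLE_LOG = r"""
F1 - win.ini: run=F:\WINDOWS\System32\services\msxmidi.exe
O4 - HKLM\..\Run: [NeroCheck] F:\WINDOWS\System32\\NeroCheck.exe
O4 - HKLM\..\Run: [CloneCDTray] "F:\Program Files\Elaborate Bytes\CloneCD\CloneCDTray.exe"
O4 - HKLM\..\Run: [WinInit] Win86.exe
O4 - HKLM\..\Run: [WinLogin] win32x.exe
O4 - HKCU\..\Run: [WAPI] F:\WINDOWS\System32\wtssvsu.exe
O4 - Startup: SpywareGuard.lnk = F:\Program Files\SpywareGuard\sgmain.exe
O16 - DPF: {11111111-1111-1111-1111-111111113456} - file://c:\info6_s.cab
"""

# One pattern per autostart line shape: ini run/load keys, registry Run keys, Startup folders.
PATTERNS = [
    re.compile(r"^(?P<sec>F1) - (?P<src>[^:]+): (?P<name>run|load)=(?P<cmd>.+)$"),
    re.compile(r"^(?P<sec>O4) - (?P<src>HK\w+\\\.\.\\Run\w*): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$"),
    re.compile(r"^(?P<sec>O4) - (?P<src>(?:Global )?Startup): (?P<name>.+?) = (?P<cmd>.+)$"),
]
EXE = re.compile(r"^(.+?\.(?:exe|com|bat|cmd|scr|pif))(?=\s|$)", re.I)

def executable(cmd):
    """Return the program part of a command line, dropping any arguments."""
    cmd = cmd.strip()
    if cmd.startswith('"'):            # quoted path: take up to the closing quote
        return cmd[1:].split('"', 1)[0]
    m = EXE.match(cmd)                 # unquoted paths may contain spaces
    return m.group(1) if m else cmd.split()[0]

def parse_autostarts(log):
    """Collect F1/O4 entries as dicts; other sections (O2, O16, ...) are skipped."""
    entries = []
    for line in log.splitlines():
        for pat in PATTERNS:
            m = pat.match(line.strip())
            if m:
                entries.append({**m.groupdict(), "exe": executable(m["cmd"])})
                break
    return entries

def pathless(entries):
    """Entries whose program has no directory component (assumed triage heuristic)."""
    return [e for e in entries if not ntpath.dirname(e["exe"])]

if __name__ == "__main__":
    for e in pathless(parse_autostarts(SAMPLE_LOG)):
        print(f'{e["sec"]} {e["src"]} [{e["name"]}] -> {e["exe"]}')
```

A flagged entry is a prompt to locate and inspect the file, not a verdict on it.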


#5 DCSIntegratorTG


Posted 05 July 2004 - 11:34 AM

After 2 days of messing with this..
I too was getting this home page, also an "XXX" Start Menu shortcut, and overwrites to my hosts file. It was worse when it started. My dial-up connection was being redirected, a TIB Browser was installed, and probably a few more I don't remember anymore. AdAware would seemingly clean up some of this, but it would return on a reboot. XoftSpy found even more but could not permanently remove them. After downloading HijackThis and using it to search this and other forums, I've managed a clean sweep.

It involved deleting system32.dll, mstasks1.exe, mstasks2.exe, etc. I wish now I had written it all down, but I don't have that kind of patience.

I've always kept up with my latest XP Critical Updates, InoculateIT signatures, and AdAware updates, but all of this infection installed very quickly. I LOVE HijackThis and this forum. I will be subscribing to the newsletter as soon as I get the site white listed on Tuesday. I found the site by googling the 213.159.117.134 IP address. Amazing! :mellow:



