nairos
2009-06-10, 21:54
This is strange - I'll try to be concise about what I'm encountering.
1) I CANNOT launch Spybot, HijackThis, Malwarebytes, etc normally.
2) I CAN run all of the above if I rename their EXEs to something random.
3) I was infected with viruses / spyware, but I think I've removed it all.
4) My computer now comes up clean in scans by: Spybot, Malwarebytes, F-Secure Easy Clean, and Symantec Anti Virus.
5) When I run the normal Spybot exe, it actually appears in the task manager list, but doesn't show up on screen. In other words SpybotSD.exe appears to start running, and stay running, but nothing ever shows up on screen.
So I'm puzzled. Is it possible that the disabling of these security programs is caused by a lingering registry key, or something else other than a running process?
I've attached a HJT log below. You'll see spybot in the running processes, but it is NOT running visibly on screen. Additionally, you'll see "Renamed-HJT.exe" - this is simply the renamed HijackThis executable (I had to rename it to get it to run).
Logfile of HijackThis v1.99.1
Scan saved at 2:38:06 PM, on 6/10/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
C:\Documents and Settings\User\Desktop\Renamed-HJT.exe
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\RunOnce: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\blah.exe" /runcleanupscript
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [RocketDock] "C:\Program Files\RocketDock\RocketDock.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
Just a quick note - when I said "I was infected by viruses / spyware" - that gives the impression that I was using a majorly compromised PC.
In reality, I had just recently reinstalled, so it's a fairly clean machine. I made the mistake of running one EXE that I shouldn't have. I recognized the mistake immediately, and tried to clean everything ASAP.
Not sure if that has any impact on anything though.
Follow-up.
I used Regmon to see what was going on once I closed most of what was running. The following registry access is occurring constantly. Over and over and over again, without pause.
1 1.37612486 System:4 CreateKey HKLM\system\currentcontrolset\services\MSIVXserv.sys SUCCESS Access: 0x40000000
2 1.37613988 System:4 CloseKey HKLM\system\currentcontrolset\services\MSIVXserv.sys SUCCESS
3 1.37617743 System:4 CreateKey HKLM\system\currentcontrolset\services\MSIVXserv.sys\modules SUCCESS Access: 0x40000000
4 1.37618923 System:4 CloseKey HKLM\system\currentcontrolset\services\MSIVXserv.sys\modules SUCCESS
5 1.37622643 System:4 OpenKey HKLM\system\currentcontrolset\services\MSIVXserv.sys\modules SUCCESS Access: 0x1
6 1.37624216 System:4 QueryValue HKLM\system\currentcontrolset\services\MSIVXserv.sys\modules\MSIVXserv SUCCESS "\\?\globalroot\systemroot\system32\drivers\MSIVXqnayckekcbqewuhbsoqodsrjuxjtarmr.sys"
7 1.37625325 System:4 CloseKey HKLM\system\currentcontrolset\services\MSIVXserv.sys\modules SUCCESS
8 1.37629282 System:4 CreateKey HKLM\system\currentcontrolset\services\MSIVXserv.sys SUCCESS Access: 0x40000000
9 1.37630367 System:4 CloseKey HKLM\system\currentcontrolset\services\MSIVXserv.sys SUCCESS
10 1.37633777 System:4 CreateKey HKLM\system\currentcontrolset\services\MSIVXserv.sys\modules SUCCESS Access: 0x40000000
11 1.37636125 System:4 CloseKey HKLM\system\currentcontrolset\services\MSIVXserv.sys\modules SUCCESS
12 1.37639630 System:4 OpenKey HKLM\system\currentcontrolset\services\MSIVXserv.sys\modules SUCCESS Access: 0x1
13 1.37641037 System:4 QueryValue HKLM\system\currentcontrolset\services\MSIVXserv.sys\modules\MSIVXl SUCCESS "\\?\globalroot\systemroot\system32\MSIVXmfifoukdubtckhmwxtakdrkrvqqaohbq.dll"
14 1.37642121 System:4 CloseKey HKLM\system\currentcontrolset\services\MSIVXserv.sys\modules SUCCESS
15 1.37645745 System:4 OpenKey HKLM\system\currentcontrolset\services\MSIVXserv.sys SUCCESS Access: 0x1
16 1.37646902 System:4 QueryValue HKLM\system\currentcontrolset\services\MSIVXserv.sys\start SUCCESS 0x1
17 1.37647951 System:4 CloseKey HKLM\system\currentcontrolset\services\MSIVXserv.sys SUCCESS
18 1.37651169 System:4 OpenKey HKLM\system\currentcontrolset\services\MSIVXserv.sys SUCCESS Access: 0x1
19 1.37652326 System:4 QueryValue HKLM\system\currentcontrolset\services\MSIVXserv.sys\type SUCCESS 0x1
20 1.37653351 System:4 CloseKey HKLM\system\currentcontrolset\services\MSIVXserv.sys SUCCESS
21 1.37656593 System:4 OpenKey HKLM\system\currentcontrolset\services\MSIVXserv.sys SUCCESS Access: 0x1
22 1.37657928 System:4 QueryValue HKLM\system\currentcontrolset\services\MSIVXserv.sys\imagepath SUCCESS "\systemroot\system32\drivers\MSIVXqnayckekcbqewuhbsoqodsrjuxjtarmr.sys"
23 1.37658954 System:4 CloseKey HKLM\system\currentcontrolset\services\MSIVXserv.sys SUCCESS
24 2.32949328 System:4 OpenKey HKLM\System\CurrentControlSet\Services\SymEvent\Parameters SUCCESS Access: 0x20019
25 2.32950807 System:4 QueryValue HKLM\System\CurrentControlSet\Services\SymEvent\Parameters\LPNtoSPN SUCCESS 0x1
26 2.32952118 System:4 CloseKey HKLM\System\CurrentControlSet\Services\SymEvent\Parameters SUCCESS
27 2.37616611 System:4 CreateKey HKLM\system\currentcontrolset\services\MSIVXserv.sys SUCCESS Access: 0x40000000
28 2.37617850 System:4 CloseKey HKLM\system\currentcontrolset\services\MSIVXserv.sys SUCCESS
29 2.37621474 System:4 CreateKey HKLM\system\currentcontrolset\services\MSIVXserv.sys\modules SUCCESS Access: 0x40000000
30 2.37622619 System:4 CloseKey HKLM\system\currentcontrolset\services\MSIVXserv.sys\modules SUCCESS
31 2.37627554 System:4 OpenKey HKLM\system\currentcontrolset\services\MSIVXserv.sys\modules SUCCESS Access: 0x1
32 2.37628961 System:4 QueryValue HKLM\system\currentcontrolset\services\MSIVXserv.sys\modules\MSIVXserv SUCCESS "\\?\globalroot\systemroot\system32\drivers\MSIVXqnayckekcbqewuhbsoqodsrjuxjtarmr.sys"
33 2.37630057 System:4 CloseKey HKLM\system\currentcontrolset\services\MSIVXserv.sys\modules SUCCESS
34 2.37633991 System:4 CreateKey HKLM\system\currentcontrolset\services\MSIVXserv.sys SUCCESS Access: 0x40000000
35 2.37635088 System:4 CloseKey HKLM\system\currentcontrolset\services\MSIVXserv.sys SUCCESS
36 2.37638474 System:4 CreateKey HKLM\system\currentcontrolset\services\MSIVXserv.sys\modules SUCCESS Access: 0x40000000
37 2.37639570 System:4 CloseKey HKLM\system\currentcontrolset\services\MSIVXserv.sys\modules SUCCESS
38 2.37642956 System:4 OpenKey HKLM\system\currentcontrolset\services\MSIVXserv.sys\modules SUCCESS Access: 0x1
39 2.37644339 System:4 QueryValue HKLM\system\currentcontrolset\services\MSIVXserv.sys\modules\MSIVXl SUCCESS "\\?\globalroot\systemroot\system32\MSIVXmfifoukdubtckhmwxtakdrkrvqqaohbq.dll"
40 2.37645411 System:4 CloseKey HKLM\system\currentcontrolset\services\MSIVXserv.sys\modules SUCCESS
41 2.37649035 System:4 OpenKey HKLM\system\currentcontrolset\services\MSIVXserv.sys SUCCESS Access: 0x1
42 2.37650204 System:4 QueryValue HKLM\system\currentcontrolset\services\MSIVXserv.sys\start SUCCESS 0x1
43 2.37651229 System:4 CloseKey HKLM\system\currentcontrolset\services\MSIVXserv.sys SUCCESS
44 2.37654448 System:4 OpenKey HKLM\system\currentcontrolset\services\MSIVXserv.sys SUCCESS Access: 0x1
45 2.37655592 System:4 QueryValue HKLM\system\currentcontrolset\services\MSIVXserv.sys\type SUCCESS 0x1
46 2.37656617 System:4 CloseKey HKLM\system\currentcontrolset\services\MSIVXserv.sys SUCCESS
47 2.37659788 System:4 OpenKey HKLM\system\currentcontrolset\services\MSIVXserv.sys SUCCESS Access: 0x1
48 2.37661099 System:4 QueryValue HKLM\system\currentcontrolset\services\MSIVXserv.sys\imagepath SUCCESS "\systemroot\system32\drivers\MSIVXqnayckekcbqewuhbsoqodsrjuxjtarmr.sys"
And RootkitRevealer revealed this:
HKLM\SECURITY\Policy\Secrets\SAC* 6/8/2009 1:40 PM 0 bytes Key name contains embedded nulls (*)
HKLM\SECURITY\Policy\Secrets\SAI* 6/8/2009 1:40 PM 0 bytes Key name contains embedded nulls (*)
HKLM\SOFTWARE\MSIVX 6/10/2009 3:20 AM 0 bytes Hidden from Windows API.
HKLM\SYSTEM\ControlSet001\Services\MSIVXserv.sys 6/10/2009 2:42 PM 0 bytes Hidden from Windows API.
HKLM\SYSTEM\ControlSet002\Services\MSIVXserv.sys 6/10/2009 2:42 PM 0 bytes Hidden from Windows API.
It looks like "MSIVX" is a rootkit, because it seems to be what is causing the rapid-fire registry activity.
Does anyone know how to remove it?
"BEFORE you POST"(READ this Procedure BEFORE Requesting Assistance) (http://forums.spybot.info/showthread.php?t=288)
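The Regmon and RootkitRevealer output quoted in the post above is the kind of evidence a responder would want to triage mechanically rather than by eye: a service key that the kernel (PID 4) re-reads in a tight loop, module paths registered through the \\?\globalroot alias, long random-looking driver and DLL names, and the same service key reported as hidden from the Windows API. The script below is an added example, not part of the original post or of any Sysinternals tool: it parses a constructed sample of Regmon and RootkitRevealer lines shaped like the ones quoted, correlates them per service, and reports which services carry several of those indicators. The thresholds (poll count, filename length) are assumptions chosen for illustration, and the line parser assumes registry paths without embedded spaces, which holds for the quoted lines.

```python
import re
from collections import defaultdict

# Constructed sample in the shape of the Regmon lines quoted in the post
# (sequence, timestamp, process:pid, operation, key path, result, detail).
REGMON_SAMPLE = r"""
5 1.37622643 System:4 OpenKey HKLM\system\currentcontrolset\services\MSIVXserv.sys\modules SUCCESS Access: 0x1
6 1.37624216 System:4 QueryValue HKLM\system\currentcontrolset\services\MSIVXserv.sys\modules\MSIVXserv SUCCESS "\\?\globalroot\systemroot\system32\drivers\MSIVXqnayckekcbqewuhbsoqodsrjuxjtarmr.sys"
13 1.37641037 System:4 QueryValue HKLM\system\currentcontrolset\services\MSIVXserv.sys\modules\MSIVXl SUCCESS "\\?\globalroot\systemroot\system32\MSIVXmfifoukdubtckhmwxtakdrkrvqqaohbq.dll"
16 1.37646902 System:4 QueryValue HKLM\system\currentcontrolset\services\MSIVXserv.sys\start SUCCESS 0x1
22 1.37657928 System:4 QueryValue HKLM\system\currentcontrolset\services\MSIVXserv.sys\imagepath SUCCESS "\systemroot\system32\drivers\MSIVXqnayckekcbqewuhbsoqodsrjuxjtarmr.sys"
25 2.32950807 System:4 QueryValue HKLM\System\CurrentControlSet\Services\SymEvent\Parameters\LPNtoSPN SUCCESS 0x1
32 2.37628961 System:4 QueryValue HKLM\system\currentcontrolset\services\MSIVXserv.sys\modules\MSIVXserv SUCCESS "\\?\globalroot\systemroot\system32\drivers\MSIVXqnayckekcbqewuhbsoqodsrjuxjtarmr.sys"
42 2.37650204 System:4 QueryValue HKLM\system\currentcontrolset\services\MSIVXserv.sys\start SUCCESS 0x1
"""

# Constructed sample in the shape of the RootkitRevealer lines quoted in the post.
ROOTKITREVEALER_SAMPLE = r"""
HKLM\SECURITY\Policy\Secrets\SAC* 6/8/2009 1:40 PM 0 bytes Key name contains embedded nulls (*)
HKLM\SOFTWARE\MSIVX 6/10/2009 3:20 AM 0 bytes Hidden from Windows API.
HKLM\SYSTEM\ControlSet001\Services\MSIVXserv.sys 6/10/2009 2:42 PM 0 bytes Hidden from Windows API.
"""

REGMON_LINE = re.compile(
    r'^(?P<seq>\d+)\s+(?P<time>[\d.]+)\s+(?P<proc>\S+):(?P<pid>\d+)\s+'
    r'(?P<op>\w+)\s+(?P<path>\S+)\s+(?P<result>\w+)(?:\s+(?P<detail>.*))?$')
RR_LINE = re.compile(
    r'^(?P<key>\S+)\s+\d+/\d+/\d+\s+\d+:\d+ [AP]M\s+\d+ bytes\s+(?P<reason>.*)$')
SERVICE_RE = re.compile(r'\\services\\([^\\]+)', re.IGNORECASE)  # service name after ...\services\
QUOTED = re.compile(r'"([^"]*)"')                                 # quoted file paths in the detail column

GLOBALROOT_PREFIX = r'\\?\globalroot'   # NT object-namespace alias seen in the quoted module values
RANDOM_STEM_MIN = 24                    # assumed heuristic: stems this long with no separators look generated
POLL_THRESHOLD = 3                      # assumed heuristic: this many kernel (PID 4) touches counts as polling


def parse_regmon(text):
    """Turn Regmon text lines into dicts; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = REGMON_LINE.match(line.strip())
        if m:
            ev = m.groupdict()
            ev['pid'] = int(ev['pid'])
            events.append(ev)
    return events


def parse_rootkitrevealer(text):
    """Return (key, reason) pairs from RootkitRevealer's discrepancy report."""
    entries = []
    for line in text.splitlines():
        m = RR_LINE.match(line.strip())
        if m:
            entries.append((m.group('key'), m.group('reason')))
    return entries


def looks_random(path):
    """Heuristic: long alphanumeric file stem with no separators (assumption, not a rule)."""
    stem = path.rsplit('\\', 1)[-1].rsplit('.', 1)[0]
    return len(stem) >= RANDOM_STEM_MIN and stem.isalnum()


def triage(regmon_text, rr_text):
    """Correlate both logs per service and attach the indicators each service shows."""
    hidden_keys = {key.lower() for key, reason in parse_rootkitrevealer(rr_text)
                   if 'hidden from windows api' in reason.lower()}
    report = defaultdict(lambda: {'name': None, 'kernel_events': 0, 'paths': set(), 'indicators': set()})
    for ev in parse_regmon(regmon_text):
        m = SERVICE_RE.search(ev['path'])
        if not m:
            continue
        rec = report[m.group(1).lower()]
        rec['name'] = rec['name'] or m.group(1)
        if ev['pid'] == 4:                       # registry access performed from kernel context
            rec['kernel_events'] += 1
        rec['paths'].update(QUOTED.findall(ev['detail'] or ''))
    for svc, rec in report.items():
        ind = rec['indicators']
        if rec['kernel_events'] >= POLL_THRESHOLD:
            ind.add('repeated kernel-mode access to service key')
        for p in rec['paths']:
            if p.lower().startswith(GLOBALROOT_PREFIX.lower()):
                ind.add('module path via \\\\?\\globalroot')
            if looks_random(p):
                ind.add('random-looking module filename')
        if any(k.endswith('\\services\\' + svc) for k in hidden_keys):
            ind.add('service key hidden from Windows API')
    return dict(report)


def suspicious(report, min_indicators=2):
    """Names of services carrying at least min_indicators indicators, sorted."""
    return sorted(rec['name'] for rec in report.values() if len(rec['indicators']) >= min_indicators)


if __name__ == '__main__':
    for svc, rec in triage(REGMON_SAMPLE, ROOTKITREVEALER_SAMPLE).items():
        print(rec['name'], rec['kernel_events'], sorted(rec['indicators']))
    print('suspicious:', suspicious(triage(REGMON_SAMPLE, ROOTKITREVEALER_SAMPLE)))
```

On the sample, SymEvent (a Symantec driver the same log also touches) is queried once and gets no indicators, while MSIVXserv.sys collects all four: the kernel-context polling and the globalroot-registered, randomly named driver and DLL are what the post's Regmon capture shows, and the RootkitRevealer line ties the same key to an API-level hiding discrepancy. The cross-correlation is the useful part: any one of these heuristics alone produces false positives on legitimate drivers, so a responder should treat the combination, not a single hit, as the signal.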