Reoccuring trouble with msdirectx.sys file on boot up and disabling firewall

On about Monday of this week, my son was on AOL IM and hit a link he should not have. Ever since I have been having trouble every time I boot up the computer.

Here are some of the startup symptoms:

• The firewall is disabled each time I log on and I have to turn on again
• I get a message from Avast! Antivirus that the following file exists: c:\Documents and Settings\[by name]\msdirectx.sys (BTW I have four users on my XP Home OS and no matter who I log in as, I get the same message execpt the folder corresponds to the person logging on)
• Sometime I get an error message that says something about 'strtas'
• Sometimes I have been having problems just tuning the computer off when I hit 'Shutdown' or 'Restart' and I have to do a warm shutdown by holding the on/off button in for a few seconds.

I have read the 'READ & RUN ME FIRST Before Asking for Support' thread and have followed as closely as possible. Here are some comments for each of the steps:

Step 0: Went thru that list. None of the items were listed in Control Panel / Add Remove Software so I did nothing.
1: I haven't messed with the Disable System Restore at all
2: Done
3: The only Antivirus Software I am running is the free version of Avast! v4.6Home
4: Downloaded, installed and updated all software except CounterSpy since I am running Windows XP and CAN run MS AntiSpyware.
5: Rebooted into Safe Mode. Did a bunch of cleaning on this. I had to log onto each user to use CCleaner but all other applications I ran from the Administrator user in Safe Mode. Ad-Aware caught a few items. Spybot caught a few. MS Antispyware didn't find anything. I didn't run CWShredder or Kill2Me because they did not seem to apply.
6: Ran Bitdefender and that log is attached.
6 cont: Ran Panda ActiveScan and had an interesting problem. About half way thru the scan, a window popped up and it asked me to "Choose a Profile". My choices were PstLoadTmp000 and PstLoadTmp001. I chose the first one and the entire application shut down. The log file from this first running of Panda ActiveScan is attached. I went ahead and ran this scan again. Same thing happened but this time, under my choices for profiles, there were two additional choices PstLoadTmp002 and PstLoadTmp003. I hit the cancel button and got out completely. I did not attach the second log to this posting. I then rebooted into Normal Mode
6 cont: I looked thru the Special Removal Procedures but none of them seemed to apply to me so I didn't run.
7: I ran HiJackThis and the log is attached.
8: I have not tried any of the Alternate Scans

Thank you for this service.

BTW - I think I attached the files correctly but I'm not sure. My have to do a second post if they are not attached.

 

Sure enough, I didn't get the attachments quite right. Here they are. Thanks for you patience.

 

Yes, I ran the program and then created the html file on my desktop. I then went to my desktop, opened the file and then saved as a text file. Thought it was pretty straight forward but I could have messed up.

Yes, I'm running CYBERsitter. Having a filter is not an option. Which one I use is.



I do have a couple of questions. You said:

I thought the tutorial told me not to do this.

I'll disable as you have instructed but that is a little confusing.

Another question - you said ...

I noticed that when I ran CCleaner in Safe Mode, I had to run for each individual user (i.e. I could not run CCleaner just logged in as Administrator and clean up all users.) If you're telling me to run CCleaner again, should I run for all four users and the Administrator before I delete all the files in the Prefetch folder? Or, should I just run from Administrator? just from Garland Tackett user? Is there any way to have CCleaner clean up all users at one time instead of individually?

Thanks for the prompt reply. I'll get cracking on it today and will get back with you. Again, thank you for this service.

 

done

done

done

no problems here

I booted into Safe mode as the Administrator. I deleted all the files but the last (mpW1oa.exe) because I couldn't find. I double checked that all hidden files and folders were viewable. Even did a 'search' and couldn't find. When I couldn't find under Administrator, I switched to Garland Tackett user and still couldn not find. I did delete all the .tmp files in this folder as directed.

Additional comments: I found a C:WINDOWS\INF\biU.PNF file but did not delete since it was not on your list.

I found the C:\WINDOWS\SYSTEM32\l071.exe file under the Garland Tackett user but not the Administrator (just an interesting note).

I ended running CCleaner for both the Admin and the GT user since I knew I had put deleted files to the recycle bin in each. I deleted the files in the Prefetch folder but I did not delete the folder itself since you didn't mention.

Question: I'm curious why I deleted files after I had run CCleaner. Why weren't Prefetch files deleted before I ran CCleaner?

I did this for the Admin and all four of my users.

File is attached and everything seems to be working fine. I booted up in normal mode under my user name.

 

Should I now enable the System Restore? (probably not - you probably need to look at my most recent HJT log.)

If I understand you correctly, I need to now use the cleaning proceedure on each account and and not just the Admin (in Safe mode) or just my user. Interesting. This will take longer than I thought. Those pesky teenagers. Messing up my Christmas. I really need to make them fix this mess.

 

Taking your advice, I did check out one more of my XP users (my son - his initials are MGT). When I logged into his user name, I got an error message from MS AntiSpyware indicating that there was a Comet Adware (not quite sure of the name but it was "Comet" something). MS AS asked me if I wanted to remove and I said yes. This is only coming up under my son's user login. So ...

I went thru the cleaning procedure again as outlined in your READ ME FIRST post and had these comments:

Adaware SE didn't find anything
Spybot indicated that the Security Center.Firewall needed to be fixed. I didn't fix this since I had (Per the "How to prevent malware" thread) installed a second firewall (Kerio) and turned off the MS firewall.

The Bitdefender log is attached.
I had trouble with the Panda ActiveScan. I tried to run three times and each time it failed. I couldn't ever get a log file from this scan.
The HJT file for MGT is attached.

One note - when I logged back onto the MGT user, the Comet Spyware message from MS AS did not pop up. Maybe it's gone?

Thanks for your help.