Another Win32:Trojan-gen.{Other} problem...

Found this on my computer (WinXP Home Ed.) yesterday. My 10-year-old daughter has discovered AIM :frowning: (another problem, another time), and recently, when I closed AIM, it kept trying to reload every 5 min.

So I ran Avast, and it gave me the Win32:Trojan-gen.{other} warning and an infected file “msdirectx.sys” dated 8//05 in the c:/documents and settings/[my username]/ folder and some z*.exe file in its own folder (can’t remember the name now, sorry). So I proceeded to delete that. Then I performed the following steps in the following order…

  1. Did a thorough scan with Avast. (nothing)
  2. Rebooted. On reboot, file “msdirectx.sys” was found on startup in memory. Sent to chest. Something is still in memory though, that Avast is not picking up. Task Manager is disabled. (Ctl-Alt-Del brings it up and then immediately closes) All administrative tools are disabled.
  3. Disabled Restore and cleaned again. Didn’t work.
  4. Performed a system boot scan. Found nothing. Virus found again after Windows starts.
    Apparently, this virus generates the file “msdirectx.sys” in the “documents and settings” folder of anyone who logs on at startup. Avast cannot keep part of it from loading into memory even though it reports “msdirectx.sys” is found and prevented from loading.

Looking around the computer, I find an icon for “Spythunder” on the desktop I don’t recognize. It points to a nonexistent program in the Spythunder folder. The only program in the folder is “setup.exe”. Deleted that and the folder. Still no effect. A check of the website www.spythunder.com at work (non-infected) gives a message saying “forbidden access to this server”.

Now every computer on the net is treating me like I have the plague. :slight_smile: (This is from work, again, non-infected) I think they sense something and won’t let me connect. But I had no problem until I actually discovered this thing.

Any ideas??

Having deleted the file with avast you are unlikely to find the same file again; there may however be a registry entry that is regenerating this. The best tool to find this is HijackThis, and the best place for info and tools is below.

Visit Eddy’s Website click the “HiJackThis Section” and also the “Malware removal instructions and applications” section, and follow the directions there and get back to us if you need more help…

I’m back…

Tried running Avast in Safe Mode. It found absolutely nothing. Ad-Aware 6 (free version) found nothing as well. In Safe Mode, the virus apparently does not load. The msdirectx.sys file is not created and I have control over Task Manager again.

However, a reboot back to normal mode leaves me back in the same situation I was in and msdirectx.sys is there again. (Avast still can’t find it in memory.)

Below is a hijack log of my computer in safe mode.

The next reply is one in normal mode. Anything jump out as being strange? (I thought it was strange that the AOL Client was loading even though I hadn’t started it.)

Safe Mode:

Logfile of HijackThis v1.99.1
Scan saved at 1:20:32 PM, on 2/21/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\hijak\hijackthis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/ycomp_wave/defaults/sb/*http://www.yahoo.com/search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/ycomp_wave/defaults/sp/*http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://pollypocket.everythinggirl.com/house/kitchen/kitchen.aspx
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.emachines.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.emachines.com/redirect.html?redirectID=99104
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O4 - HKLM..\Run: [PrinTray] C:\WINDOWS\System32\spool\DRIVERS\W32X86\2\printray.exe
O4 - HKLM..\Run: [ADUserMon] C:\Program Files\Iomega\AutoDisk\ADUserMon.exe
O4 - HKLM..\Run: [Iomega Drive Icons] c:\utilities\Iomega\DriveIcons\ImgIcon.exe
O4 - HKLM..\Run: [Deskup] c:\utilities\Iomega\DriveIcons\deskup.exe /IMGSTART
O4 - HKLM..\Run: [Lydia] C:\Internet\Lydia\lydia.exe
O4 - HKLM..\Run: [avast!] C:\Utilities\Avast\ashDisp.exe
O4 - HKLM..\Run: [S3TRAY2] S3tray2.exe
O4 - HKLM..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] C:\Program Files\Google\Gmail Notifier\gnotify.exe
O4 - HKLM..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM..\Run: [AOL 9.0 Optimized] AOLCLIENT.EXE
O4 - HKLM..\Run: [Windows IPv6 Drivers] wipv6.exe
O4 - HKLM..\RunServices: [Windows IPv6 Drivers] wipv6.exe
O4 - HKCU..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKCU..\Run: [tinySpell] C:\Utilities\tinySpell\tinyspell.exe
O4 - HKCU..\Run: [Windows IPv6 Drivers] wipv6.exe
O4 - HKCU..\RunServices: [Windows IPv6 Drivers] wipv6.exe
O4 - HKCU..\RunOnce: [AOL 9.0 Optimized] AOLCLIENT.EXE
O4 - Startup: Stickies.lnk = C:\Utilities\stickies\stickies.exe
O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\BigFix.exe
O4 - Global Startup: ButtonBar.lnk = C:\Utilities\BBar\bBar.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra ‘Tools’ menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra ‘Tools’ menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.emachines.com
O16 - DPF: {205FF73B-CA67-11D5-99DD-444553540000} (CInstall Class) - http://www.spywarestormer.com/files2/Install.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1101566613156
O16 - DPF: {FA3662C3-B8E8-11D6-A667-0010B556D978} (IWinAmpActiveX Class) - http://cdn.digitalcity.com/_media/dalaillama/ampx.cab
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Utilities\Avast\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Utilities\Avast\ashserv.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Utilities\Avast\ashMaiSv.exe" /service (file missing)
O23 - Service: Iomega App Services - Iomega Corporation - C:\PROGRA~1\Iomega\System32\AppServices.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: Iomega Active Disk (IOMEGA_ACTIVE_DISK_SERVICE) - Iomega Corporation - C:\Program Files\Iomega\AutoDisk\ADService.exe

Here’s the report in Normal Mode.

Normal Mode

Logfile of HijackThis v1.99.1
Scan saved at 1:29:50 PM, on 2/21/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Utilities\Avast\aswUpdSv.exe
C:\Utilities\Avast\ashserv.exe
C:\PROGRA~1\Iomega\System32\AppServices.exe
C:\WINDOWS\system32\slserv.exe
C:\Program Files\Iomega\AutoDisk\ADService.exe
C:\Utilities\Avast\ashMaiSv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Iomega\AutoDisk\ADUserMon.exe
C:\utilities\Iomega\DriveIcons\ImgIcon.exe
C:\Internet\Lydia\lydia.exe
C:\Utilities\Avast\ashDisp.exe
C:\WINDOWS\system32\S3tray2.exe
C:\Program Files\Google\Gmail Notifier\gnotify.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINDOWS\system32\AOLCLIENT.EXE
C:\Utilities\tinySpell\tinyspell.exe
C:\Internet\Lydia\lydia.exe
C:\Program Files\BigFix\BigFix.exe
C:\Utilities\BBar\bBar.exe
C:\Utilities\stickies\stickies.exe
C:\hijak\hijackthis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/ycomp_wave/defaults/sb/*http://www.yahoo.com/search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/ycomp_wave/defaults/sp/*http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://pollypocket.everythinggirl.com/house/kitchen/kitchen.aspx
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.emachines.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.emachines.com/redirect.html?redirectID=99104
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O4 - HKLM..\Run: [PrinTray] C:\WINDOWS\System32\spool\DRIVERS\W32X86\2\printray.exe
O4 - HKLM..\Run: [ADUserMon] C:\Program Files\Iomega\AutoDisk\ADUserMon.exe
O4 - HKLM..\Run: [Iomega Drive Icons] c:\utilities\Iomega\DriveIcons\ImgIcon.exe
O4 - HKLM..\Run: [Deskup] c:\utilities\Iomega\DriveIcons\deskup.exe /IMGSTART
O4 - HKLM..\Run: [Lydia] C:\Internet\Lydia\lydia.exe
O4 - HKLM..\Run: [avast!] C:\Utilities\Avast\ashDisp.exe
O4 - HKLM..\Run: [S3TRAY2] S3tray2.exe
O4 - HKLM..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] C:\Program Files\Google\Gmail Notifier\gnotify.exe
O4 - HKLM..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM..\Run: [AOL 9.0 Optimized] AOLCLIENT.EXE
O4 - HKLM..\Run: [Windows IPv6 Drivers] wipv6.exe
O4 - HKLM..\RunServices: [Windows IPv6 Drivers] wipv6.exe
O4 - HKCU..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKCU..\Run: [tinySpell] C:\Utilities\tinySpell\tinyspell.exe
O4 - HKCU..\Run: [Windows IPv6 Drivers] wipv6.exe
O4 - HKCU..\RunServices: [Windows IPv6 Drivers] wipv6.exe
O4 - HKCU..\RunOnce: [AOL 9.0 Optimized] AOLCLIENT.EXE
O4 - Startup: Stickies.lnk = C:\Utilities\stickies\stickies.exe
O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\BigFix.exe
O4 - Global Startup: ButtonBar.lnk = C:\Utilities\BBar\bBar.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra ‘Tools’ menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra ‘Tools’ menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.emachines.com
O16 - DPF: {205FF73B-CA67-11D5-99DD-444553540000} (CInstall Class) - http://www.spywarestormer.com/files2/Install.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1101566613156
O16 - DPF: {FA3662C3-B8E8-11D6-A667-0010B556D978} (IWinAmpActiveX Class) - http://cdn.digitalcity.com/_media/dalaillama/ampx.cab
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Utilities\Avast\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Utilities\Avast\ashserv.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Utilities\Avast\ashMaiSv.exe" /service (file missing)
O23 - Service: Iomega App Services - Iomega Corporation - C:\PROGRA~1\Iomega\System32\AppServices.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: Iomega Active Disk (IOMEGA_ACTIVE_DISK_SERVICE) - Iomega Corporation - C:\Program Files\Iomega\AutoDisk\ADService.exe

Safe mode log of hijackthis is pointless as what we are likely to be looking for may not be running.

Check out this page with an analysis of your log:
http://hijackthis.de/logfiles/deb1918784bb22d109fa57fd56c0fc98.html

You can also run Eddy’s HJT log file analyser when off-line (download it from his web site).

Just for future reference, in case someone runs a search and finds this thread…

The parts in bold in the log file in the previous post are the problem. (IF I got it all…) Neither Avast nor HijackThis will flag them as a potential problem.

As far as I can tell, this is how it works. AOLCLIENT.EXE loads into memory and is responsible for disabling the task manager and probably “component services” in the “administrative tools” folder. The best way to kill it is to use the HijackThis task manager to close it. Then your task manager will operate normally.

wipv6.exe in the windows/system folder seems to be responsible for sending information out from your computer. One of these MAY be responsible for dropping msdirectx.sys (which Avast will find) into your “documents and settings” folder. One of these, maybe this one, turns off your Windows firewall, so the others can do their work.

I scanned with “another program” and it found 2 more little pieces in the “documents and settings” folder and a “d & s /*/temp” folder, some little .pif file, and another, and it reported the pieces, anyway, as IRC/BackDoor.SdBot.138.BN.

That’s all I know. Hopefully someone else can fill in the blanks from there. I would truly love to fully eradicate the filthy worm (the author, as well as the program). Gone are the days when you could just delete a little .com file or format c: /MBR. I’m changing all my passwords from a different computer and hunkering down for the next 2 weeks.

I’m now as paranoid as the rest of you guys… :wink: Let me know if I missed anything.
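A defender-side triage of the log entries this thread turned on (Run values that name a bare file with no directory, the same value name registered under several autostart keys, and BHO/service entries whose file is gone), as an added Python example that is not from the thread or from HijackThis. The sample lines are copied from the logs above; the heuristics and the function names are mine, and a hit means “look closer”, not “malware” (the S3 graphics tray applet trips the bare-path rule as well).

```python
import re
from collections import defaultdict

# Constructed sample: lines copied from the HijackThis logs posted in this thread.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O4 - HKLM..\Run: [avast!] C:\Utilities\Avast\ashDisp.exe
O4 - HKLM..\Run: [S3TRAY2] S3tray2.exe
O4 - HKLM..\Run: [AOL 9.0 Optimized] AOLCLIENT.EXE
O4 - HKLM..\Run: [Windows IPv6 Drivers] wipv6.exe
O4 - HKLM..\RunServices: [Windows IPv6 Drivers] wipv6.exe
O4 - HKCU..\Run: [Windows IPv6 Drivers] wipv6.exe
O4 - HKCU..\RunServices: [Windows IPv6 Drivers] wipv6.exe
O4 - HKCU..\RunOnce: [AOL 9.0 Optimized] AOLCLIENT.EXE
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Utilities\Avast\ashMaiSv.exe" /service (file missing)
"""

# O4 line layout: "O4 - <hive>..\<key>: [<value name>] <command line>"
O4_RE = re.compile(r'^O4 - (HKLM|HKCU)\.\.\\(\w+): \[([^\]]*)\] (.+)$')

def triage(log_text):
    """Return {log line: [reasons]} for autostart entries worth a closer look (heuristic)."""
    findings = defaultdict(list)
    locations = defaultdict(set)     # value name -> {(hive, key)} it was seen under
    lines_by_name = defaultdict(list)
    for line in log_text.splitlines():
        m = O4_RE.match(line)
        if m:
            hive, key, name, cmd = m.groups()
            exe = cmd.split()[0]
            locations[name].add((hive, key))
            lines_by_name[name].append(line)
            # No drive letter: the file is resolved via the search path, so the log
            # does not tell you which copy actually runs (wipv6.exe, AOLCLIENT.EXE).
            if not re.match(r'^[A-Za-z]:\\', exe):
                findings[line].append(f"bare path '{exe}': not pinned to a directory")
            if key == "RunServices":
                findings[line].append("RunServices is a Win9x-era key; XP software rarely writes it")
        elif "(no file)" in line or "(file missing)" in line:
            findings[line].append("orphaned entry: referenced file is not on disk")
    # One value name planted under several Run keys is persistence redundancy.
    for name, locs in locations.items():
        if len(locs) > 1:
            for line in lines_by_name[name]:
                findings[line].append(f"'{name}' registered in {len(locs)} autostart keys")
    return dict(findings)

if __name__ == "__main__":
    for line, reasons in triage(SAMPLE_LOG).items():
        print(line, "->", "; ".join(reasons))
```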

The parts in bold in the log file in the previous post are the problem. (IF I got it all...) Neither Avast nor Hijak will flag them as a potential problem.

Not correct: the link to the hijackthis analysis page I gave flags up the AOLCLIENT.EXE as an Unknown process, which to me means you should investigate further.

True, but with a green check, same as my email checker. It was a very useful program though, it sure helped track everything down and allowed me to get rid of AOLCLIENT.EXE. Thanks for the help.

Just returned from my travels with my trusty laptop. Whilst away Avast reported msdirectx as infected and deleted it. But it kept appearing again on boot up, and every time I went online my laptop uploaded about 3 Mb of ‘stuff’. Luckily the machine is a bare machine with no personal/financial info on it, just lots of photos. Task Manager wouldn’t run, nor msconfig, and I couldn’t install ZoneAlarm.

I assume I have a Trojan but Avast couldn’t find anything wrong (nor could McAfee’s Stinger!)

Eventually downloaded Kaspersky AV which identified a set of about 5 Trojans and got rid of them.

Will a future version of Avast be able to sort this if it should reoccur?

cheers