Yes, I have read that msdirectx.sys is created in C:\ or in C:\Windows\System32\ together with a file called setup32.exe. Sometimes there is a change in the registry in HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell, where “Explorer” has been set to “Explorer green.exe” or “Explorer gr33n.exe”. This must be reset in safe mode, and msdirectx.sys deleted.
It must be a hacktool rootkit, because looking for it goes with regedit.exe renamed to regedit.com. There are also good regedit programs that can edit root. And some tools: go here and get flister: http://www.invisiblethings.org/tools.html
This sum-up is my two cents,
The first one is really a trick, because the restrictions on everything that runs as .exe do not exist for .com. You could also rename regedit.exe to _root_regedit.exe and Task Manager to _root_taskmngr.exe to be able to look at rootkit configuration files, because root = root, and what is root cannot hide from root, easy peasy. The second tool that can see more here is Reglite. You can get it from: http://www.resplendence.com/download/reglite.exe to be used instead of regedit.exe. Also look at this thread: http://forum.avast.com/index.php?topic=14363.0
I hope this helps your questions,
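The Winlogon Shell check from the post above, written out as an added example in Python (it is not code from the original thread). It splits the Shell value into the programs it launches and flags anything that is not explorer.exe, using the clean XP default and the two tampered values quoted in the post as constructed samples. The optional live read uses Python's winreg module and so only does anything on Windows; the key path and value name are the real ones. Keep in mind that a rootkit which filters registry API results can lie to an in-band read like this, which is why the post suggests inspecting from safe mode or with a different registry viewer.

```python
import ntpath
import re

# Constructed samples: the clean XP default and the two tampered values
# quoted in the thread.
SAMPLES = {
    "clean": "Explorer.exe",
    "tampered_green": "Explorer green.exe",
    "tampered_gr33n": "Explorer gr33n.exe",
}

EXPECTED_SHELL = "explorer.exe"

# Real registry location of the Shell value (under HKEY_LOCAL_MACHINE).
WINLOGON_KEY = r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"


def parse_shell_value(value):
    """Split a Winlogon Shell string into the program tokens it launches.

    Windows accepts a comma-separated list here; the tampered values in the
    thread simply append a second program after a space, so split on both."""
    return [tok for tok in re.split(r"[,\s]+", value.strip()) if tok]


def normalise(token):
    """Reduce a token to a lower-case file name with an .exe suffix so that
    'Explorer', 'explorer.exe' and 'C:\\WINDOWS\\explorer.exe' compare equal."""
    name = ntpath.basename(token.strip('"')).lower()
    if not name.endswith(".exe"):
        name += ".exe"
    return name


def suspicious_shell_entries(value):
    """Return the tokens of a Shell value that are not explorer.exe.

    An empty list means the value launches only the expected shell."""
    return [tok for tok in parse_shell_value(value) if normalise(tok) != EXPECTED_SHELL]


def read_live_shell_value():
    """Read HKLM\\...\\Winlogon\\Shell on the running machine.

    Returns None where winreg is unavailable (any non-Windows host)."""
    try:
        import winreg
    except ImportError:
        return None
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, WINLOGON_KEY) as key:
        value, _ = winreg.QueryValueEx(key, "Shell")
    return value


if __name__ == "__main__":
    for label, value in SAMPLES.items():
        print(f"{label:15s} {value!r:24s} -> {suspicious_shell_entries(value)}")
    live = read_live_shell_value()
    if live is not None:
        print("live Shell value:", repr(live), "->", suspicious_shell_entries(live))
```

Anything the function returns is a program that will start together with, or instead of, the desktop shell at every logon; a non-empty list on a machine that was never customised is the sign this post describes.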
From research on the Web, I believe msdirectx.sys is spawned by a worm to make itself invisible.
avast! will detect msdirectx.sys and throw up a warning, but if the worm that spawns it is not in the virus definitions, even after a boot scan, the worm will remain and immediately spawn msdirectx.sys again.
The user will complain that the virus came back or keeps coming back.
I think msdirectx.sys may be responsible for a lot of these postings. The advice given is often to disable System Restore, when in fact this rootkit could be the culprit.
Perhaps somebody with better technical knowledge could explain why msdirectx.sys could hide the running process and registry entries but not the file in C:\Windows\System32?
In most cases simply tapping F8 when the computer is booting up will allow you the option of starting into safe mode, where you should be able to get into msconfig and remove any suspicious-looking programs from startup and services.

Also you may be able to turn off System Restore for the infected drive in safe mode; this will prevent the viruses from restoring themselves.

Lastly, a good thing to do is to empty all Temp dirs, for instance
C:\Documents And Settings\[USERNAME]\Local Settings\Temp
The dir “Local Settings” is a hidden dir, so you will need to view hidden files and folders.

A disk cleanup might be a good idea, to empty any cached internet files or anything; also downloading and running stinger.exe might be a good idea, and some spyware programs: SpywareBlaster, Ad-Aware and Spybot. I run all three and never have any problems. Spyware programs can sometimes detect trojans and are extremely good at removing them.

If you can’t succeed in using F8 to enter XP safe mode, you might want to read up on the “recovery console”. Also a remote virus scan from a networked machine might work, or in extreme cases run a Knoppix CD, burn the data you want recovered, and do the inevitable.
This is fine as long as the malware doesn’t run in safe mode and spawn the rootkit even that early. If it does, is it fair to say that one is truly buggered?
Yes, my dear malware buster, that is why we have to be protected, to avoid it coming to this. We know an ounce of protection is better than a pound of cleaning afterwards. That’s why we download, onto a clean system, regprot from: http://www.diamondcs.com.au/index.php?page=regprot It is free.
The problem seems to be common to other anti-virus programs, e.g. Symantec. They recognise msdirectx.sys because it’s the FU rootkit which was written as a proof of concept and doesn’t try to hide itself like a fully fledged rootkit, but if they don’t have the definition for the Trojan or worm itself, msdirectx.sys will keep coming back. Apparently it was just cut and pasted to these worms by a script kiddy. All this you can learn from a Google search for msdirectx.sys.
If you can spot a suspicious file in safe mode, the file which is actually spawning the rootkit, it seems to be possible to remove it:
I think avast! should flag this as a rootkit so users will know why it keeps coming back if they have it.
Apart from that, the solution would seem to be prevention: a good virus/spam filter on email accounts. BT (my ISP) is very good here: I’ve never had a malicious attachment get past their filter. If only other ISPs were as good…
MD5: with the use of MD5 we can easily create a 128-bit “fingerprint” (or “message digest”) of a string or a file.
By comparing this computed value with a “known good” MD5 hash value, we can be 99.9% sure the compared file is a legitimate file.
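The known-good comparison described in the post above, as an added example in Python (not code from the original thread). It hashes a file in chunks, looks the digests up in a reference table, and treats a match on MD5 alone as unverified, because MD5 collisions can be manufactured and a reference list a practitioner relies on today should carry SHA-256 as well. The reference table is constructed from the digests of the literal bytes b"abc" and stands in for vendor-published hashes; nothing in it refers to a real file, and no hash of msdirectx.sys is claimed here.

```python
import hashlib
import os
import tempfile

CHUNK_SIZE = 1 << 20  # read files a megabyte at a time


def digest_bytes(data, algo="md5"):
    """Hex digest of an in-memory byte string."""
    return hashlib.new(algo, data).hexdigest()


def digest_file(path, algo="md5"):
    """Hex digest of a file on disk, streamed so large files need not fit in memory."""
    h = hashlib.new(algo)
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(CHUNK_SIZE), b""):
            h.update(chunk)
    return h.hexdigest()


# Constructed reference table. These are the MD5 and SHA-256 of the bytes
# b"abc", used as a stand-in for a vendor-published known-good list; a real
# table would map each published digest to the file it vouches for.
KNOWN_GOOD = {
    "md5": {"900150983cd24fb0d6963f7d28e17f72": "sample-good.bin"},
    "sha256": {
        "ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad": "sample-good.bin"
    },
}


def classify_digests(md5_hex, sha256_hex, table=KNOWN_GOOD):
    """Compare a file's digests with the reference table.

    'known-good'  both MD5 and SHA-256 match the same entry
    'md5-only'    MD5 matches but SHA-256 does not: treat as unverified,
                  since MD5 collisions can be manufactured
    'unknown'     no match; the file still needs a look (a dropped driver
                  such as the one in this thread lands here)
    """
    md5_hit = table["md5"].get(md5_hex)
    sha_hit = table["sha256"].get(sha256_hex)
    if md5_hit is not None and md5_hit == sha_hit:
        return "known-good"
    if md5_hit is not None:
        return "md5-only"
    return "unknown"


def classify_bytes(data, table=KNOWN_GOOD):
    return classify_digests(digest_bytes(data, "md5"), digest_bytes(data, "sha256"), table)


def classify_file(path, table=KNOWN_GOOD):
    return classify_digests(digest_file(path, "md5"), digest_file(path, "sha256"), table)


if __name__ == "__main__":
    # Write a constructed sample file and run it through the check.
    fd, path = tempfile.mkstemp(suffix=".bin")
    try:
        with os.fdopen(fd, "wb") as fh:
            fh.write(b"abc")
        print(path, "->", classify_file(path))        # known-good
        print("b'abd'", "->", classify_bytes(b"abd"))  # unknown
    finally:
        os.remove(path)
```

The three-way result is the point: a file you cannot find in the table is not proven bad, but it is exactly the kind of file worth checking against the vendor's own list before trusting it.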
I think you should post here something substantial about this FU
rootkit vermin, because we are going to see more and more of this nastiness. Will you? Anxious to read it?
I’m not really an expert, Polonus, but I have noticed that this rootkit seems to be responsible for a number of postings which say ‘I have a virus and it keeps coming back’. In fact avast! is identifying the FU rootkit but is unable to remove it. More information here:
You are not an expert per se, but with some more of these postings I would not know for sure.
How good is UnHackMe (free trial)? It was specially designed to find rootkits like the FU rootkit etc., wasn’t it? Link: http://www.greatis.com/unhackme/
Please comment?