Virus keeps coming back...

msdirectx.sys is responsible for hiding viruses and Trojans so that anti-virus programs can delete the files but ‘they keep coming back.’

I believe it is responsible for several such messages over the past few weeks. avast! is detecting but not removing it.

It is not detected by Blacklight.

See:

http://forum.avast.com/index.php?topic=14613.0
http://forum.avast.com/index.php?topic=13238.0

This one needs some attention avast! team.

Hi FreewheelinFrank,

Yes, I have read that msdirectx.sys is created in C:\ or in C:\Windows\System32\ with a file called setup32.exe. Sometimes there is a change in the registry in HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell where “Explorer” has been set to “Expolorer green.exe” or “Explorer gr33n.exe”. This must be reset in safe mode, and the msdirectx.sys deleted.
It must be a hacktool rootkit, because looking for it goes with regedit.exe renamed to regedit.com. There are also good regedit programs that can edit root. And some tools: go here and get flister: http://www.invisiblethings.org/tools.html
This sum-up is my two cents,

polonus
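The Winlogon\Shell change described above can be checked from an exported .reg file without running anything on the suspect machine. This is an added example, not code from the thread or from any tool it mentions; the .reg text below is constructed, and the key path and the expected value "Explorer.exe" are assumptions about a default Windows XP install.

```python
import re

# Default Winlogon "Shell" value on Windows XP (assumption); a bare "Explorer"
# is accepted too, since the thread quotes the value in that short form.
EXPECTED_SHELL = {"explorer.exe", "explorer"}

WINLOGON_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"

# Constructed .reg export (not a real capture) mirroring the "Explorer gr33n.exe"
# modification the thread describes. .reg files double every backslash.
SAMPLE_REG_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="Explorer.exe gr33n.exe"
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,"
'''


def reg_string_values(export_text, key_path):
    """Return {name: value} for the REG_SZ values under key_path in a .reg export."""
    values = {}
    current_key = None
    for line in export_text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current_key = line[1:-1]
            continue
        if current_key is not None and current_key.lower() == key_path.lower():
            m = re.match(r'^"([^"]+)"="(.*)"$', line)
            if m:
                # undo the .reg escaping of backslashes and quotes
                raw = m.group(2).replace('\\\\', '\\').replace('\\"', '"')
                values[m.group(1)] = raw
    return values


def unexpected_shell_entries(export_text):
    """List every program in Winlogon\\Shell other than the expected Explorer.

    Shell may hold several programs separated by commas or spaces; each one is
    started at every logon, which is how "Explorer.exe gr33n.exe" persists.
    """
    shell = reg_string_values(export_text, WINLOGON_KEY).get("Shell", "")
    tokens = [t for t in re.split(r"[,\s]+", shell) if t]
    return [t for t in tokens if t.lower() not in EXPECTED_SHELL]


if __name__ == "__main__":
    print(unexpected_shell_entries(SAMPLE_REG_EXPORT))
```

Any name the function returns is a program that Winlogon starts alongside Explorer and that the thread's advice says to remove from the value in safe mode.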

Thanks Polonus. Can you elaborate a bit on

looking for it goes with regedit.exe renamed to regedit.com.
???

And

There are also good regedit programs that can edit root.

Hi FreewheelinFrank,

The first one is a trick really, because the restrictions on everything that runs as .exe do not exist for .com. You could also rename regedit.exe as _root_regedit.exe and Task Manager to _root_taskmngr.exe to be able to look at rootkit configuration files, because root = root, and what is root cannot hide from root, easy peasy. The second or other tool that can see more here is Reglite. You can get it from: http://www.resplendence.com/download/reglite.exe to be used instead of regedit.exe. Also look at this thread:
http://forum.avast.com/index.php?topic=14363.0
I hope this helps with your questions,

polonus

See also:

http://forum.avast.com/index.php?topic=14587.0

(The name of the rootkit is mistyped.)

No response from Alwil team?

From research on the Web, I believe msdirectx.sys is spawned by a worm to make itself invisible.

avast! will detect msdirectx.sys and throw up a warning, but if the worm that spawns it is not in the virus definitions, even after a boot scan, the worm will remain and immediately spawn msdirectx.sys again.

The user will complain that the virus came back or keeps coming back.

I think msdirectx.sys may be responsible for a lot of these postings. Advice given is often to disable system restore, when in fact this rootkit could be the culprit.

Edit: It may be possible to find the file which spawns msdirectx.sys:
http://www.computing.net/security/wwwboard/forum/15882.html
(Enable view system and hidden files.)

Perhaps somebody with better technical knowledge could explain why msdirectx.sys could hide the running process and registry entries but not the file in C:\Windows\System32?

Hi FreewheelinFrank,

In most cases simply tapping F8 when the computer is booting up will allow you the option of starting into safe mode, where you should be able to get into msconfig and remove any suspicious looking programs from startup and services.

Also you may be able to turn off System Restore for the infected drive in safe mode; this will prevent the virus from restoring itself.

Lastly a good thing to do is to empty all Temp dirs, for instance:

C:\Documents and Settings\[USERNAME]\Local Settings\Temp

The dir “Local Settings” is a hidden dir, so you will need to view hidden files and folders.

A disk cleanup might be a good idea, to empty any cached internet files or anything; also downloading and running stinger.exe might be a good idea, and some spyware programs: SpywareBlaster, Ad-Aware and Spybot. I run all three and never have any problems.

Spyware programs can sometimes detect trojans and are extremely good at removing them.

If you can't succeed in using F8 to enter XP safe mode, you might want to read up on “recovery console”. Also a remote virus scan from a networked machine might work, or in extreme cases run a Knoppix CD, burn the data you want recovered, and do the inevitable.

greets,

polonus

This is fine as long as the malware doesn’t run in safe mode and spawn the rootkit even that early. If it does, is it fair to say that one is truly buggered?

Hi FreewheelinFrank,

Yes, my dear malware buster, that is why we have to be protected to avoid it coming to this. We know an ounce of protection is better than a pound of cleaning afterwards. That’s why we download onto a clean system regprot from: http://www.diamondcs.com.au/index.php?page=regprot It is free.

greetings

polonus

This one does keep coming back:

http://forum.avast.com/index.php?topic=14837.msg125264#msg125264

Hi FreewheelinFrank,

What is the solution then, in your opinion?

greets,

polonus

Hi Polonus,

The problem seems to be common to other anti-virus programs, e.g. Symantec. They recognise msdirectx.sys because it’s the FU rootkit which was written as a proof of concept and doesn’t try to hide itself like a fully fledged rootkit, but if they don’t have the definition for the Trojan or worm itself, msdirectx.sys will keep coming back. Apparently it was just cut and pasted to these worms by a script kiddy. All this you can learn from a Google search for msdirectx.sys.

If you can spot a suspicious file in safe mode, the file which is actually spawning the rootkit, it seems to be possible to remove it:

http://www.antisource.com/article.php/rootkit-msnt-msdirectx

I think avast! should flag this as a rootkit so users will know why it keeps coming back if they have it.

Apart from that, the solution would seem to be prevention: a good virus/spam filter on email accounts. BT (my ISP) is very good here: I’ve never had a malicious attachment get past their filter. If only other ISPs were as good…

rdriv.sys seems to be another rootkit causing the same problem, perhaps a new name for the same thing?

http://forum.avast.com/index.php?topic=14830.0

http://www.dslreports.com/forum/remark,13287635

Hello gentlemen,
from what I’ve heard there’s a fair chance that Ewido can handle this, but maybe you want to have a look at this one:
http://www.sysinternals.com/utilities/rootkitrevealer.html

Fast

These seem to be the FU rootkit, and as such, will not be revealed by RootkitRevealer. In the link above, rdriv.sys is called a “pseudorootkit”.

If this was a real rootkit, the rootkit would presumably hide itself as well and anti-virus programs wouldn’t set off any alarms…

Here is a way of finding the thing, see:

http://forum.avast.com/index.php?topic=14363.0

MD5: With the use of MD5 we can easily create a 128-bit “fingerprint” (or “message digest”) of a string or a file.
By comparing this computed value with a “known good” MD5 hash value, we can be 99.9% sure that the compared file is a legitimate file.

polonus
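The known-good comparison described above, as an added example that is not code from the thread or from any tool it names: every file in a directory is hashed and checked against a manifest of trusted digests, so an altered system file and a dropped file the manifest has never seen (like msdirectx.sys) are reported separately. The file names and contents are constructed for the demonstration, and the manifest is built from those constructed bytes rather than from real Windows files.

```python
import hashlib
import os
import tempfile


def md5_of_file(path, chunk_size=65536):
    """MD5 digest of a file, read in chunks so large files need little memory.

    MD5 is what the thread uses; it is no longer collision-resistant, so a
    manifest built today would use hashlib.sha256 in exactly the same way.
    """
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_against_manifest(directory, known_good):
    """Compare each file in directory with a {filename: md5} manifest.

    Returns {"ok": [...], "modified": [...], "unknown": [...]}: digests that
    match, digests that differ, and files the manifest does not list at all.
    """
    report = {"ok": [], "modified": [], "unknown": []}
    for name in sorted(os.listdir(directory)):
        path = os.path.join(directory, name)
        if not os.path.isfile(path):
            continue
        digest = md5_of_file(path)
        if name not in known_good:
            report["unknown"].append(name)
        elif known_good[name] == digest:
            report["ok"].append(name)
        else:
            report["modified"].append(name)
    return report


def demo():
    """Constructed scenario: one untouched file, one tampered, one dropped in."""
    good_bytes = {"regedit.exe": b"constructed stand-in for a legit file",
                  "taskmgr.exe": b"constructed stand-in for another legit file"}
    manifest = {n: hashlib.md5(b).hexdigest() for n, b in good_bytes.items()}
    with tempfile.TemporaryDirectory() as d:
        for n, b in good_bytes.items():
            with open(os.path.join(d, n), "wb") as f:
                f.write(b)
        with open(os.path.join(d, "taskmgr.exe"), "ab") as f:
            f.write(b" patched")            # simulate a modified system file
        with open(os.path.join(d, "msdirectx.sys"), "wb") as f:
            f.write(b"constructed placeholder")  # file the manifest never saw
        return verify_against_manifest(d, manifest)


if __name__ == "__main__":
    print(demo())
```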

Back again:

http://forum.avast.com/index.php?topic=14907.0

Hi FreewheelinFrank,

I think you should post here something substantial about this FU
rootkit vermin, because we are going to see more and more of this nastiness. Will you? Anxious to read it?

polonus

I’m not really an expert, Polonus, but I have noticed that this rootkit seems to be responsible for a number of postings which say ‘I have a virus and it keeps coming back’. In fact avast! is identifying the FU rootkit but is unable to remove it. More information here:

http://www3.ca.com/securityadvisor/pest/pest.aspx?id=453093441

http://www.eweek.com/article2/0,1759,1816972,00.asp

http://www.pcworld.com/news/article/0,aid,120067,00.asp

http://chaseandsam.com/virusalert.htm

Hi FreewheelinFrank,

You are not an expert per se, but with some more of these postings I would not know for sure.
How good is UnHackMe (free trial)? It was specially designed to find rootkits like the FU rootkit etc., wasn’t it? Link: http://www.greatis.com/unhackme/
Please comment?

polonus