Avast WEBforum

Other => Viruses and worms => Topic started by: FreewheelinFrank on June 27, 2005, 07:46:05 PM

Title: Virus keeps coming back...
Post by: FreewheelinFrank on June 27, 2005, 07:46:05 PM
msdirectx.sys is responsible for hiding viruses and Trojans so that anti-virus programs can delete the files but 'they keep coming back.'

I believe it is responsible for several such messages over the past few weeks. avast! is detecting but not removing it.

It is not detected by Blacklight.

See:

http://forum.avast.com/index.php?topic=14613.0
http://forum.avast.com/index.php?topic=13238.0

This one needs some attention avast! team.




Title: Re: Virus keeps coming back...
Post by: polonus on June 27, 2005, 08:15:28 PM
Hi FreewheelinFrank,

Yes, I have read that msdirectx.sys is created in c:\ or in C:\Windows\System32\ with a file called setup32.exe. Sometimes there is a change in the registry in HKEY-LOCAL-MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENT VERSION\WINLOGON\SHELL where "Explorer" has been set to "Expolorer green.exe" or "Explorer gr33n.exe". This must be reset in safe mode, and the msdirectx.sys deleted.
It must be a hacktool rootkit, because looking for it goes with regedit.exe renamed to regedit.com. There are also good regedit programs that can edit root. And some tools: go here and get flister: http://www.invisiblethings.org/tools.html
This sum-up is my two cents,

polonus
Title: Re: Virus keeps coming back...
Post by: FreewheelinFrank on June 27, 2005, 08:24:36 PM
Thanks Polonus. Can you elaborate a bit on
Quote
looking for it goes with regedit.exe renamed to regedit.com.
???

And
Quote
There are also good regedit programs that can edit root.
Title: Re: Virus keeps coming back...
Post by: polonus on June 27, 2005, 08:39:21 PM
Hi FreewheelinFrank,

The first one is a trick really, because the restrictions on everything that runs as .exe do not exist for .com. You could also rename regedit.exe to _root_regedit.exe and Task Manager to _root_taskmngr.exe to be able to look at rootkit configuration files, because root = root, and what is root cannot hide from root, easy peasy. The second or other tool that can see more here is Reglite. You can get it from: http://www.resplendence.com/download/reglite.exe to be used instead of regedit.exe. Also look at this thread:
http://forum.avast.com/index.php?topic=14363.0
I hope this helps your questions,

polonus
Title: Re: Virus keeps coming back...
Post by: FreewheelinFrank on June 28, 2005, 06:16:21 AM
See also:

http://forum.avast.com/index.php?topic=14587.0

(The name of the rootkit is mistyped.)

No response from Alwil team?
Title: Re: Virus keeps coming back...
Post by: FreewheelinFrank on June 28, 2005, 07:33:35 AM
From research on the Web, I believe msdirectx.sys is spawned by a worm to make itself invisible.

avast! will detect msdirectx.sys and throw up a warning, but if the worm that spawns it is not in the virus definitions, even after a boot scan,  the worm will remain and immediately spawn msdirectx.sys again.

The user will complain that the virus came back or keeps coming back.

I think msdirectx.sys may be responsible for a lot of these postings. Advice given is often to disable System Restore, when in fact this rootkit could be the culprit.

Edit: It may be possible to find the file which spawns msdirectx.sys:
http://www.computing.net/security/wwwboard/forum/15882.html
(Enable view system and hidden files.)

Perhaps somebody with better technical knowledge could explain why msdirectx.sys could hide the running process and registry entries but not the file in C:\Windows\System32?

Title: Re: Virus keeps coming back...
Post by: polonus on June 29, 2005, 08:12:44 AM
Hi FreewheelinFrank,

In most cases simply tapping F8 when the computer is booting up will allow you the option of starting into safe mode, where you should be able to get into msconfig and remove any suspicious-looking programs from startup and services.

Also you may be able to turn off System Restore for the infected drive in safe mode; this will prevent the virus from restoring itself.

Lastly a good thing to do is to empty all Temp dirs, for instance

C:\Documents And Settings\[USERNAME]\Local Settings\Temp

The dir "Local Settings" is a hidden dir, so you will need to view hidden files and folders.

A disk cleanup might be a good idea, to empty any cached internet files or anything; also downloading and running stinger.exe might be a good idea, and some spyware programs: SpywareBlaster, Ad-Aware and Spybot. I run all three and never have any problems.

Spyware programs can sometimes detect Trojans and are extremely good at removing them.

If you can't succeed in using F8 to enter XP safe mode, you might want to read up on "recovery console"; also a remote virus scan from a networked machine might work, or in extreme cases run a Knoppix CD, burn the data you want recovered, and do the inevitable.

greets,

polonus
Title: Re: Virus keeps coming back...
Post by: FreewheelinFrank on June 29, 2005, 09:18:07 AM
This is fine as long as the malware doesn't run in safe mode and spawn the rootkit even that early. If it does, is it fair to say that one is truly buggered?
Title: Re: Virus keeps coming back...
Post by: polonus on June 29, 2005, 11:35:21 AM
Hi FreewheelinFrank,

Yes, my dear malware buster, that is why we have to be protected to avoid it coming to this. We know an ounce of protection is better than a pound of cleaning afterwards. That's why we download onto a clean system regprot from: http://www.diamondcs.com.au/index.php?page=regprot It is free.

greetings

polonus
Title: Re: Virus keeps coming back...
Post by: FreewheelinFrank on July 07, 2005, 09:22:14 AM
This one does keep coming back:

http://forum.avast.com/index.php?topic=14837.msg125264#msg125264
Title: Re: Virus keeps coming back...
Post by: polonus on July 07, 2005, 11:10:46 AM
Hi FreewheelinFrank,

What is the solution then, in your opinion?

greets,

polonus
Title: Re: Virus keeps coming back...
Post by: FreewheelinFrank on July 07, 2005, 11:30:04 AM
Hi Polonus,

The problem seems to be common to other anti-virus programs, e.g. Symantec. They recognise msdirectx.sys because it's the FU rootkit which was written as a proof of concept and doesn't try to hide itself like a fully fledged rootkit, but if they don't have the definition for the Trojan or worm itself, msdirectx.sys will keep coming back. Apparently it was just cut and pasted to these worms by a script kiddy. All this you can learn from a Google search for msdirectx.sys.

If you can spot a suspicious file in safe mode, the file which is actually spawning the rootkit, it seems to be possible to remove it:

http://www.antisource.com/article.php/rootkit-msnt-msdirectx

I think avast! should flag this as a rootkit so users will know why it keeps coming back if they have it.

Apart from that, the solution would seem to be prevention: a good virus/spam filter on email accounts. BT (my ISP) is very good here: I've never had a malicious attachment get past their filter. If only other ISPs were as good...
Title: Re: Virus keeps coming back...
Post by: FreewheelinFrank on July 07, 2005, 05:43:05 PM
rdriv.sys seems to be another rootkit causing the same problem, perhaps a new name for the same thing?

http://forum.avast.com/index.php?topic=14830.0

http://www.dslreports.com/forum/remark,13287635
Title: Re: Virus keeps coming back...
Post by: Fast on July 07, 2005, 06:29:26 PM
Hello gentlemen,
From what I've heard there's a fair chance that Ewido can handle this, but maybe you want to have a look at this one:
http://www.sysinternals.com/utilities/rootkitrevealer.html

Fast
Title: Re: Virus keeps coming back...
Post by: FreewheelinFrank on July 07, 2005, 07:21:09 PM
These seem to be the FU rootkit, and as such, will not be revealed by RootkitRevealer. In the link above, rdriv.sys is called a "pseudorootkit".


If this was a real rootkit, the rootkit would presumably hide itself as well and anti-virus programs wouldn't set off any alarms...
Title: Re: Virus keeps coming back...
Post by: polonus on July 07, 2005, 07:56:46 PM
Here is a way of finding the thing; see:

http://forum.avast.com/index.php?topic=14363.0

MD5: with the use of MD5 we can easily create a 128-bit "fingerprint" (or "message digest") of a string or a file.
By comparing this computed value with a "known good" MD5 hash value, we can be 99.9% sure the compared file is a legit file.


polonus
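A worked version of the check polonus describes, added here as an example and not code from the thread: compute a file's digest, compare it with a known-good value, and report which files in a directory match, differ, are unknown or are missing. The manifest and the sample files are constructed inline so the script runs offline; real known-good digests would come from the software vendor. It defaults to MD5 as in the post but accepts any hashlib algorithm name, which matters because MD5 collisions have been practical for years and a modern manifest should carry SHA-256.

```python
"""Compare computed file fingerprints against known-good digests.

Added example, not from the forum post. The manifest (KNOWN_GOOD) and
the sample files written by demo() are constructed so this runs offline.
"""
import hashlib
import os
import tempfile
from typing import Dict


def bytes_digest(data: bytes, algo: str = "md5") -> str:
    """Hex digest of an in-memory byte string (e.g. a file you just downloaded)."""
    return hashlib.new(algo, data).hexdigest()


def file_digest(path: str, algo: str = "md5", chunk_size: int = 65536) -> str:
    """Hex digest of a file, streamed in chunks so a large driver is never fully in memory."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_against_manifest(directory: str, manifest: Dict[str, str],
                            algo: str = "md5") -> Dict[str, str]:
    """Classify each file in `directory` as 'ok', 'MISMATCH' or 'unknown'.

    `manifest` maps file name -> known-good hex digest. Names listed in the
    manifest but absent from disk are reported as 'missing', which is itself
    worth a look (a legitimate component that has been removed or renamed).
    """
    results: Dict[str, str] = {}
    for name in sorted(os.listdir(directory)):
        path = os.path.join(directory, name)
        if not os.path.isfile(path):
            continue
        expected = manifest.get(name)
        if expected is None:
            results[name] = "unknown"           # no known-good value to compare against
        elif file_digest(path, algo) == expected.lower():
            results[name] = "ok"
        else:
            results[name] = "MISMATCH"          # same name, different bytes
    for name in manifest:
        if name not in results:
            results[name] = "missing"
    return results


# Constructed manifest: both .sys entries carry md5("abc"), so a file whose
# bytes differ will show up as a mismatch. absent.sys is never written to disk.
KNOWN_GOOD = {
    "good.sys": "900150983cd24fb0d6963f7d28e17f72",
    "tampered.sys": "900150983cd24fb0d6963f7d28e17f72",
    "absent.sys": "d41d8cd98f00b204e9800998ecf8427e",
}


def demo() -> Dict[str, str]:
    """Write a constructed sample directory and check it against KNOWN_GOOD."""
    with tempfile.TemporaryDirectory() as d:
        with open(os.path.join(d, "good.sys"), "wb") as f:
            f.write(b"abc")                     # matches the manifest
        with open(os.path.join(d, "tampered.sys"), "wb") as f:
            f.write(b"abd")                     # one byte differs from the known-good file
        with open(os.path.join(d, "stray.sys"), "wb") as f:
            f.write(b"")                        # present on disk, not in the manifest
        return verify_against_manifest(d, KNOWN_GOOD)


if __name__ == "__main__":
    for name, status in demo().items():
        print(f"{status:8s} {name}")
```

Running it prints one status per file; in practice the manifest is the vendor's published list and the directory is the one you suspect, and any 'MISMATCH' or 'unknown' .sys file is what you send for analysis rather than something to judge by its name.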
Title: Re: Virus keeps coming back...
Post by: FreewheelinFrank on July 10, 2005, 10:09:43 AM
Back again:

http://forum.avast.com/index.php?topic=14907.0
Title: Re: Virus keeps coming back...
Post by: polonus on July 10, 2005, 01:48:37 PM
Hi FreewheelinFrank,

I think you should post here something substantial about this FU rootkit vermin, because we are going to see more and more of this nastiness. Will you? Anxious to read it.

polonus

Title: Re: Virus keeps coming back...
Post by: FreewheelinFrank on July 11, 2005, 02:07:46 PM
I'm not really an expert, Polonus, but I have noticed that this rootkit seems to be responsible for a number of postings which say 'I have a virus and it keeps coming back'. In fact avast! is identifying the FU rootkit but is unable to remove it. More information here:

http://www3.ca.com/securityadvisor/pest/pest.aspx?id=453093441

http://www.eweek.com/article2/0,1759,1816972,00.asp

http://www.pcworld.com/news/article/0,aid,120067,00.asp

http://chaseandsam.com/virusalert.htm

Title: Re: Virus keeps coming back...
Post by: polonus on July 11, 2005, 09:56:34 PM
Hi FreewheelinFrank,

You are not an expert per se, but with some more of these postings I would not know for sure.
How good is UnHackMe (free trial)? It was specially designed to find rootkits like the FU rootkit etc., wasn't it? Link: http://www.greatis.com/unhackme/
Please comment?

polonus
Title: Re: Virus keeps coming back...
Post by: MFB on July 11, 2005, 09:58:32 PM
I think if you google around, you'll find a lot of information about UnHackMe. :)
Title: Re: Virus keeps coming back...
Post by: FreewheelinFrank on July 11, 2005, 10:07:17 PM
Quote
How good is UnHackMe (free trial)? It was specially designed to find rootkits like the FU rootkit etc., wasn't it? Link: http://www.greatis.com/unhackme/
Please comment?

polonus

I wish somebody would: :'(

http://forum.avast.com/index.php?topic=14816.0

I tested it on my computer, but I can only say it didn't find anything. A google search brings up a lot of download sites but no tests or reviews.
Title: Re: Virus keeps coming back...
Post by: FreewheelinFrank on September 12, 2005, 09:39:37 AM
And back again!

Has nobody found an answer to FU yet?

Is the only solution to flatten and reinstall?

Is it possible to disable the rootkit driver somehow?

http://forum.avast.com/index.php?topic=16356.0
Title: Re: Virus keeps coming back...
Post by: internetworld7 on September 13, 2005, 08:10:04 AM
I have some great technical advice: STAY OFF PORN SITES!  ;D
I mean my God, where else on earth could you possibly pick up such a malicious virus? ??? Oh, and one more thing, always surf the net with Firefox or Opera and never IE. Now tell me that ain't great technical advice? ;)
Title: Re: Virus keeps coming back...
Post by: FreewheelinFrank on September 13, 2005, 01:48:56 PM
Porn sites are not the only source of infection.

They often seem to be the source because once any spyware gets its foot in your door, it tends to invite in all its friends, and sooner or later you end up with porn links on your desktop.

There's a lot of money in advertising: an adware program may be intended to show you adverts for decent products, but then the creators of that program can bundle more spyware along with it and make money by doing so, and then these programs make money bundling other products, and all the time the spyware and adverts get more evil and sleazy.

Porn links and pop-ups are sometimes the symptom of a venal enterprise, the lowest common denominator, the last link in a chain of infection that may start with something entirely innocent.

Where else could you pick up such an infection?

1) opening email attachments
2) clicking on links in spam emails
3) instant messaging file transfers
4) downloading from peer-to-peer networks
5) downloading program cracks
6) downloading phoney anti-spyware or internet cleanup products
7) even connecting to the net without a firewall or up-to-date OS and browser

Actually even malicious web sites are not particularly dangerous if your OS and browser are up to date: most rely on ancient exploits like the MS Virtual Machine ByteVerify, which was patched years ago, or security weaknesses in older versions of IE. Just don't fall for the social engineering of notices which say 'you have spyware, download this program' or 'download this program to clean your internet tracks', or 'you need this plug-in to proceed'.

The really big dangers today are:

1) having no firewall
2) not updating your OS
3) no virus and spam filtering by ISPs

Anybody with no firewall and an OS which is out of date is going to get infected just by connecting to the internet.

Anybody who doesn't have good spam and virus filtering provided by their ISP is going to have to be very careful about attachments arriving in their inbox, because these are likely to contain a new worm or virus, and if it's one that uses a rootkit, you're very likely not even to see it, and if you do see it, it may be impossible to remove, as it has been for so many people who've had a FU rootkit infection.

And don't rely on an anti-virus program to catch viruses in email attachments, because even the best will not catch a new one for a few hours or even days.

A good rule is: only open email attachments if you know what they are, who sent them, and you have confirmation from the sender that they really did send them.

Don't be one of the people starting a thread here saying 'I have a virus and it keeps coming back' because you have been warned. If you get a FU rootkit infection then you are FU**ED. Avoid it in the first place!
Title: Re: Virus keeps coming back...
Post by: polonus on September 13, 2005, 03:38:01 PM
Hi FreewheelinFrank,

Interesting background information can be found here:
http://www.f-secure.com/weblog/archives/archive-052005.html#00000559. The FU rootkit can be prevented, though: using a program like ProcessGuard prevents it.

greets,

polonus
Title: Re: Virus keeps coming back...
Post by: kakapo on September 13, 2005, 09:59:17 PM
I don't know whether this is of any help to you Freewheeling Frank, ( and welcome back friend!) but these FU rootkits are being discussed at DSL reports or Broadband reports.

From their search I found 4 pages of hits. Here's the link to the search:

http://www.dslreports.com/nsearch?q=FU+rootkit+&cat=remark

Hope this might help. Good luck..................
Title: Re: Virus keeps coming back...
Post by: internetworld7 on September 14, 2005, 04:13:43 AM
Hi FreewheelinFrank,

Hope I didn't offend you. I was joking about the porn site thing but if all else fails in removing the rootkit, will a fresh install of Windows help? This usually wipes out the C: Drive and a fresh install starts you off new again. Perhaps you have already thought of this and I assume you don't want to do this or maybe this might not work but I can't see how. ???
Title: Re: Virus keeps coming back...
Post by: FreewheelinFrank on September 14, 2005, 04:31:02 PM
No, I'm not offended. I just wanted to make clear that porn links and pop-ups appearing on a computer may actually arrive via an innocent looking site or download.

Ben Edelman has an interesting video on his site showing how they can arrive after downloading a music video clip, something your kids might do innocently.

So it may seem that porn sites are the source of all infection, if every infected computer is infested with porn pop-ups and links, but it's important to point out what the real dangers are.

I'm happy to say I don't have a problem with this rootkit myself. Following the advice in my previous posting, I have never had a virus, worm or Trojan infection.

I started this thread to comment on all the people who were coming to the forum saying 'I have a virus and it keeps coming back.' In many cases this seems to be because they have a rootkit on their system which anti-virus programs will detect but not clean.

Yes, a reinstall will remove it, but it's far better to prevent infection in the first place, especially as other more sophisticated rootkit infections may not be detected at all. Anybody not aware of the risks and preventative measures may end up with a malware infection which anti-virus programs cannot even detect, let alone remove.

Malware writers seem to be one step ahead in the arms race with anti-virus developers at the moment, and this thread is intended as a warning.

Have a look at the problems people have had with a rootkit infection and follow the advice in this thread and others in the forum to avoid infection in the first place.

PS, thanks for the interesting link, Kakapo!
Title: Re: Virus keeps coming back...
Post by: FreewheelinFrank on September 15, 2005, 08:43:21 AM
Good news! Microsoft are tackling this problem!

Quote
Rootkit Detection Coming to Windows AntiSpyware

http://www.eweek.com/article2/0,1895,1838294,00.asp
Title: Re: Virus keeps coming back...
Post by: DukeNukem on September 15, 2005, 10:58:51 AM
Maybe avast should develop some sort of rootkit detector.

Rootkit shield  :)
Title: Re: Virus keeps coming back...
Post by: polonus on September 15, 2005, 12:01:50 PM
Hi DukeNukem,

A very interesting read can be found here:
http://www.phrack.org/phrack/63/p63-0x08_Raising_The_Bar_For_Windows_Rootkit_Detection.txt Read it; you will find function hooking used for logon password sniffing, e.g. redirecting msgina.dll!WlxLoggedOutSAS() to a hidden rootkit function that logs the passwords to be sent to the intruder (using CC). The goals of these rootkits are: to hide the intruder's processes, to hide the registry keys that start up the intruder's tools after a system reboot, and to hide some files of the intruding tools. It can be helpful to debug the MS kernel with the MS Kernel Debugger, to be downloaded from www.microsoft.com, so one can debug user-mode processes; starting the system in debug mode requires a reboot, while the livekd tool from sysinternals.com does not need a reboot.
Classic API hooking with rootkit code is hooking NtReadVirtualMem to cheat the debugger reading process memory; some of this happens with the pmdump.exe tool too. Kernel memory in read-only mode seems a safe choice. Source of info: P. Rutkowska-Warszawa. From these lines one thing can be observed: rootkits versus AV detection is ongoing warfare, and we are out in the trenches. Adding debugging functionality to AV start-up scanning and memory signature scans is to be advised IMHO. Only slowly now are AV products showing a reaction.

greets,

polonus
Title: Re: Virus keeps coming back...
Post by: FreewheelinFrank on October 06, 2005, 11:39:43 AM
Back again!

http://forum.avast.com/index.php?topic=16788.from1128590890;topicseen#msg142490
Title: Re: Virus keeps coming back...
Post by: noahdfear on October 07, 2005, 10:19:09 PM
msdirectx.sys has been tackled with a manual fix. Signs of infection in a HJT log are below; they may or may not be present, as well as detection of msdirectx.sys by AV.


F2 - REG:system.ini: Shell=Explorer.exe *randomnamed.exe*


The fix:

*Click here (http://www.geekstogo.com/modules.php?modid=5&action=download&id=4) to download Killbox by Option^Explicit.
*Double-click on Killbox.exe to start the program.
*In the killbox program, select the Delete on Reboot option.
*Copy the file names below to the clipboard by highlighting them and pressing Control-C:

C:\WINDOWS\System32\randomnamed.exe  << get the filename from the HJT log
C:\WINDOWS\System32\msdirectx.sys


*Return to Killbox, go to the File menu, and choose "Paste from Clipboard".
*Click the red-and-white "Delete File" button. Click "Yes" at the Delete on Reboot prompt. Click "No" at the Pending Operations prompt.

While your computer is restarting, tap the F8 key continually until a menu appears.  Use your up arrow key to highlight Safe Mode, then hit enter.

Run HijackThis and put checkmarks in front of the following items.
Close all windows except HijackThis and click Fix checked:

F2 - REG:system.ini: Shell=Explorer.exe random.exe

Boot back to normal and copy the part in bold below into notepad. Save it as unlegacy.reg (set filetype to "All Files")

REGEDIT4

[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MSDIRECTX]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_MSDIRECTX]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\msdirectx]

Doubleclick the file you made and confirm you want to merge it with the registry.
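The F2 line in this fix and polonus's earlier observation of "Explorer gr33n.exe" describe the same indicator: a second program appended to the Winlogon Shell value, which on a clean XP machine reads only Explorer.exe. The script below is an added example, not code from either post: it parses HijackThis-style F2 lines out of a saved log, reports every token that is not the stock Explorer entry, and builds the System32 file list that the fix above pastes into Killbox (the appended program plus msdirectx.sys). The log lines and the name gr33n.exe are constructed; reading the live value would need the winreg module on Windows, which this offline version deliberately avoids.

```python
"""Find an appended program in the Winlogon Shell value via HijackThis F2 lines.

Added example, not from the forum thread. SAMPLE_LOG is constructed; the
regex follows the F2 line format quoted in the thread:
    F2 - REG:system.ini: Shell=Explorer.exe randomnamed.exe
"""
import re
from typing import List, Optional

# HijackThis reports the Shell value as an F2 entry; capture everything after "Shell=".
F2_PATTERN = re.compile(r"^F2\s*-\s*REG:system\.ini:\s*Shell=(?P<shell>.+?)\s*$")

# The only legitimate content of the value, with and without the extension.
STOCK_SHELL = {"explorer", "explorer.exe"}


def extra_shell_entries(shell_value: str) -> List[str]:
    """Return every whitespace-separated token that is not the stock Explorer shell.

    "Explorer.exe" -> []            (clean)
    "Explorer gr33n.exe" -> ["gr33n.exe"]   (something is being started alongside Explorer)
    """
    return [tok for tok in shell_value.split() if tok.lower() not in STOCK_SHELL]


def parse_hjt_f2(line: str) -> Optional[str]:
    """Extract the Shell value from an F2 log line, or None if the line is not an F2 entry."""
    m = F2_PATTERN.match(line.strip())
    return m.group("shell") if m else None


def scan_hjt_log(lines: List[str]) -> List[str]:
    """Collect unexpected Shell tokens across all F2 lines of a HijackThis log."""
    findings: List[str] = []
    for line in lines:
        shell = parse_hjt_f2(line)
        if shell is not None:
            findings.extend(extra_shell_entries(shell))
    return findings


def cleanup_targets(extras: List[str], system32: str = r"C:\WINDOWS\System32") -> List[str]:
    """Full paths of the files the manual fix removes: each appended program, then msdirectx.sys.

    The fix in the thread assumes the appended program lives in System32; if a
    finding carries its own path that path should be used instead.
    """
    return [system32 + "\\" + name for name in extras] + [system32 + r"\msdirectx.sys"]


# Constructed sample log: one clean entry, one F2 line with an appended program,
# one unrelated startup entry. Only the F2 line matters to this check.
SAMPLE_LOG = [
    r"R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank",
    "F2 - REG:system.ini: Shell=Explorer.exe gr33n.exe",
    r"O4 - HKLM\..\Run: [SomeApp] C:\Program Files\SomeApp\app.exe",
]


if __name__ == "__main__":
    found = scan_hjt_log(SAMPLE_LOG)
    if found:
        print("Shell value has extra entries:", found)
        for path in cleanup_targets(found):
            print("  candidate for Killbox:", path)
    else:
        print("Shell value is clean.")
```

The check is intentionally conservative: anything other than Explorer (in either spelling) is reported, so a legitimately customised shell would also be listed and needs a human look. That is the right failure mode for a triage script; deciding what to delete stays with the person reading the log, as the fix above also expects.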
Title: Re: Virus keeps coming back...
Post by: FreewheelinFrank on October 19, 2005, 10:21:30 AM
Back again:

http://forum.avast.com/index.php?topic=16965.0
Title: Re: Virus keeps coming back...
Post by: FreewheelinFrank on November 10, 2005, 07:16:03 PM
Back again!

http://forum.avast.com/index.php?topic=17334.0
Title: Re: Virus keeps coming back...
Post by: FreewheelinFrank on November 12, 2005, 04:22:04 PM
Back again:

http://forum.avast.com/index.php?topic=17364.0
Title: Re: Virus keeps coming back...
Post by: FreewheelinFrank on November 12, 2005, 04:35:12 PM
If Killbox can delete this fellow at reboot, why can't avast? ??? :-\ :'(

http://forum.avast.com/index.php?topic=14618.msg142666#msg142666
Title: Re: Virus keeps coming back...
Post by: FreewheelinFrank on December 01, 2005, 12:17:08 AM
Back again!

http://forum.avast.com/index.php?topic=17747.from1133389209;topicseen#msg151226

These so-called pseudo-rootkits don't seem impossible to deal with by cleaning out the registry entries that run them:

http://forum.avast.com/index.php?topic=16788.msg142663#msg142663

Why can't avast! scan the registry for rootkit entries before a boot time scan?
Title: Re: Virus keeps coming back...
Post by: polonus on December 03, 2005, 01:56:14 PM
Hello FwF,

I have asked for info about such a tool in the general forum: a tool that alerts to every change in files and application attributes, and all changes in the registry. A bit like ISpy etc., but this tool I did not trust, because you could create an application like User to All Users etc., kill threads, but also double program start-ups, and when that can be done remotely, you have the same double-edged sword situation. What do you have in mind? The truth is that monitoring programs like SSM etc. can keep you out of a lot of trouble here. For the moment prevention is the best policy IMO. We have seen for instance recently a lot of installations of ad- & spyware via Firefox pop-ups that users mistake for genuine MS ones. I think the precaution of not having the possibility to contact the malware sources, through block-list programs, is good. The recent Israeli thought about an AV-immunization network is as yet impracticable and vulnerable, but we will see other solutions than running behind the facts in the foreseeable future.

greets,

polonus
Title: Re: Virus keeps coming back...
Post by: polonus on December 07, 2005, 11:08:43 AM
Hello folks,

This is a tool that you should try:
http://www.resplendence.com/hookanalyzer Hookanalyzer is free.
Also you can use rkdetector from: http://rkdetector.com/

greets,

polonus
Title: Re: Virus keeps coming back...
Post by: FreewheelinFrank on December 14, 2005, 12:34:01 PM
Back again:

http://forum.avast.com/index.php?topic=18055.0
Title: Re: Virus keeps coming back...
Post by: polonus on December 16, 2005, 08:49:56 PM
Hello FwF,

How to check yourself if you have the F4! rootkit:

Click Start, and click Run.
In the Open text box, type: cmd
Click OK. A command-line shell appears.
At the command prompt, type: dir %windir%\system32\$sys$filesystem/aries.sys
Press: Enter
The system displays the name aries.sys if the file is present.
Otherwise the system displays: "File Not Found".

That's all,

polonus