Author Topic: Virus keeps coming back...  (Read 27260 times)


Offline FreewheelinFrank

  • Avast Evangelist
  • Ultra Poster
  • ***
  • Posts: 4872
  • I'm a GNU
    • Don't Surf in the Nude!
Virus keeps coming back...
« on: June 27, 2005, 07:46:05 PM »
msdirectx.sys is responsible for hiding viruses and Trojans so that anti-virus programs can delete the files but 'they keep coming back.'

I believe it is responsible for several such messages over the past few weeks. avast! is detecting but not removing it.

It is not detected by Blacklight.

See:

http://forum.avast.com/index.php?topic=14613.0
http://forum.avast.com/index.php?topic=13238.0

This one needs some attention avast! team.




     Bambleweeny 57 sub-meson brain     Don't Surf in the Nude Blog

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33900
  • malware fighter
Re: Virus keeps coming back...
« Reply #1 on: June 27, 2005, 08:15:28 PM »
Hi FreewheelinFrank,

Yes, I have read that msdirectx.sys is created in C:\ or in C:\Windows\System32\ with a file called setup32.exe. Sometimes there is a change in the registry in HKEY-LOCAL-MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENT VERSION\WINLOGON\SHELL where "Explorer" has been set to "Explorer green.exe" or "Explorer gr33n.exe". This must be reset in safe mode, and the msdirectx.sys deleted.
It must be a hacktool rootkit, because looking for it goes with regedit.exe renamed to regedit.com. There are also good regedit programs that can edit root. And some tools: go here and get flister: http://www.invisiblethings.org/tools.html
This sum-up is my two cents,

polonus
« Last Edit: June 27, 2005, 08:21:12 PM by polonus »
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!
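The two indicators polonus lists above (a rewritten Winlogon Shell value and the dropped driver/installer files) can be turned into a simple defensive check. The script below is an added illustration written for this page; it is not code from the thread, from avast or from polonus. It parses a Shell value the way Winlogon treats it (a comma-separated list of programs), flags any entry that is not plain explorer.exe, and scans a directory listing for the file names reported in the thread (msdirectx.sys, setup32.exe, and rdriv.sys, which comes up later). The sample Shell value and directory listing are constructed so the script runs offline; reading the real registry key is left to the reader.

```python
import os
from typing import Iterable, List

# Indicators taken from the thread: the Winlogon Shell value should be
# explorer.exe, the installer reportedly rewrote it to "Explorer gr33n.exe",
# and msdirectx.sys / setup32.exe were dropped in C:\ or C:\Windows\System32.
# rdriv.sys is the second driver name raised later in the thread.
EXPECTED_SHELLS = {"explorer.exe", "explorer"}
SUSPECT_FILENAMES = {"msdirectx.sys", "setup32.exe", "rdriv.sys"}

# Constructed sample data so the script runs offline; in real use the Shell
# value comes from the Winlogon key and the listing from the two directories.
SAMPLE_SHELL_VALUE = "Explorer gr33n.exe"
SAMPLE_LISTING = [
    r"C:\Windows\System32\explorer.exe",
    r"C:\Windows\System32\ntoskrnl.exe",
    r"C:\Windows\System32\msdirectx.sys",
    r"C:\setup32.exe",
]


def basename_lower(path: str) -> str:
    """Last path component, lower-cased, accepting either slash style."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def shell_entries(shell_value: str) -> List[str]:
    """Winlogon's Shell value is a comma-separated list of programs to start."""
    return [e.strip() for e in shell_value.split(",") if e.strip()]


def shell_anomalies(shell_value: str) -> List[str]:
    """Entries of the Shell value that are not plain explorer.exe.

    'Explorer gr33n.exe' is returned whole: the trailing token turns the
    expected shell name into something else, which is the tampering the
    thread describes.
    """
    return [e for e in shell_entries(shell_value)
            if basename_lower(e) not in EXPECTED_SHELLS]


def suspect_files(paths: Iterable[str]) -> List[str]:
    """Paths whose file name matches one reported in the thread."""
    return [p for p in paths if basename_lower(p) in SUSPECT_FILENAMES]


def listing(dirs: Iterable[str]) -> List[str]:
    """Full paths of the files in the given directories (missing dirs skipped)."""
    out = []
    for d in dirs:
        if os.path.isdir(d):
            out.extend(os.path.join(d, n) for n in os.listdir(d))
    return out


def report(shell_value: str, paths: Iterable[str]) -> List[str]:
    """Human-readable findings; an empty list means neither indicator matched."""
    findings = [f"Winlogon Shell entry is not explorer.exe: {e!r}"
                for e in shell_anomalies(shell_value)]
    findings += [f"file name reported in the thread: {p}"
                 for p in suspect_files(paths)]
    return findings


if __name__ == "__main__":
    # With the constructed sample data this prints three findings.
    for line in report(SAMPLE_SHELL_VALUE, SAMPLE_LISTING):
        print(line)
```

On a live machine you would feed `report()` the actual Shell value and `listing([r"C:\", r"C:\Windows\System32"])`; a match is a reason to look further, not proof of infection, since a file name alone is a weak indicator.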

Offline FreewheelinFrank

Re: Virus keeps coming back...
« Reply #2 on: June 27, 2005, 08:24:36 PM »
Thanks Polonus. Can you elaborate a bit on
Quote
looking for it goes with regedit.exe renamed to regedit.com.
???

And
Quote
There are also good regedit programs that can edit root.

Offline polonus

Re: Virus keeps coming back...
« Reply #3 on: June 27, 2005, 08:39:21 PM »
Hi FreewheelinFrank,

The first one is a trick really, because the restrictions on all that runs as .exe do not exist for .com. You could also rename regedit.exe as _root_regedit.exe and taskmanager to _root_taskmngr.exe to be able to look at rootkit configuration files, because root = root, and what is root cannot hide from root, easy peasy. The second or other tool that can see more here is Reglite. You can get it from: http://www.resplendence.com/download/reglite.exe to be used instead of regedit.exe. Also look at this thread:
http://forum.avast.com/index.php?topic=14363.0
I hope this helps your questions,

polonus
« Last Edit: June 27, 2005, 08:44:15 PM by polonus »

Offline FreewheelinFrank

Re: Virus keeps coming back...
« Reply #4 on: June 28, 2005, 06:16:21 AM »
See also:

http://forum.avast.com/index.php?topic=14587.0

(The name of the rootkit is mistyped.)

No response from Alwil team?

Offline FreewheelinFrank

Re: Virus keeps coming back...
« Reply #5 on: June 28, 2005, 07:33:35 AM »
From research on the Web, I believe msdirectx.sys is spawned by a worm to make itself invisible.

avast! will detect msdirectx.sys and throw up a warning, but if the worm that spawns it is not in the virus definitions, even after a boot scan,  the worm will remain and immediately spawn msdirectx.sys again.

The user will complain that the virus came back or keeps coming back.

I think msdirectx.sys may be responsible for a lot of these postings. Advice given is often to disable System Restore, when in fact this rootkit could be the culprit.

Edit: It may be possible to find the file which spawns msdirectx.sys:
http://www.computing.net/security/wwwboard/forum/15882.html
(Enable view system and hidden files.)

Perhaps somebody with better technical knowledge could explain why msdirectx.sys could hide the running process and registry entries but not the file in C:\Windows\System32?

« Last Edit: June 28, 2005, 07:41:33 AM by FreewheelinFrank »

Offline polonus

Re: Virus keeps coming back...
« Reply #6 on: June 29, 2005, 08:12:44 AM »
Hi FreewheelinFrank,

In most cases simply tapping F8 when the computer is booting up will allow you the option of starting into safe mode, where you should be able to get into msconfig and remove any suspicious-looking programs from startup and services.

Also you may be able to turn off System Restore for the infected drive in safe mode; this will prevent the virus from restoring itself.

Lastly, a good thing to do is to empty all Temp dirs, for instance:

C:\Documents And Settings\[USERNAME]\Local Settings\Temp

The dir "Local Settings" is a hidden dir, so you will need to view hidden files and folders.

A disk cleanup might be a good idea, to empty any cached internet files or anything; also downloading and running stinger.exe might be a good idea, and some spyware programs: Spyware Blaster, Ad-Aware and Spybot. I run all three, never have any problems.

Spyware programs can sometimes detect trojans and are extremely good at removing them.

If you can't succeed in using F8 to enter XP safe mode, you might want to read up on "recovery console"; also a remote virus scan from a networked machine might work, or in extreme cases run a Knoppix CD, burn the data you want recovered, and do the inevitable.

greets,

polonus

Offline FreewheelinFrank

Re: Virus keeps coming back...
« Reply #7 on: June 29, 2005, 09:18:07 AM »
This is fine as long as the malware doesn't run in safe mode and spawn the rootkit even that early. If it does, is it fair to say that one is truly buggered?

Offline polonus

Re: Virus keeps coming back...
« Reply #8 on: June 29, 2005, 11:35:21 AM »
Hi FreewheelinFrank,

Yes, my dear malware buster, that is why we have to be protected, to avoid it coming to this. We know an ounce of protection is better than a pound of cleaning afterwards. That's why we download onto a clean system regprot from: http://www.diamondcs.com.au/index.php?page=regprot It is free.

greetings

polonus

Offline FreewheelinFrank

Re: Virus keeps coming back...
« Reply #9 on: July 07, 2005, 09:22:14 AM »

Offline polonus

Re: Virus keeps coming back...
« Reply #10 on: July 07, 2005, 11:10:46 AM »
Hi FreewheelinFrank,

What is the solution then, in your opinion?

greets,

polonus

Offline FreewheelinFrank

Re: Virus keeps coming back...
« Reply #11 on: July 07, 2005, 11:30:04 AM »
Hi Polonus,

The problem seems to be common to other anti-virus programs, e.g. Symantec. They recognise msdirectx.sys because it's the FU rootkit which was written as a proof of concept and doesn't try to hide itself like a fully fledged rootkit, but if they don't have the definition for the Trojan or worm itself, msdirectx.sys will keep coming back. Apparently it was just cut and pasted to these worms by a script kiddy. All this you can learn from a Google search for msdirectx.sys.

If you can spot a suspicious file in safe mode, the file which is actually spawning the rootkit, it seems to be possible to remove it:

http://www.antisource.com/article.php/rootkit-msnt-msdirectx

I think avast! should flag this as a rootkit so users will know why it keeps coming back if they have it.

Apart from that, the solution would seem to be prevention: a good virus/spam filter on email accounts. BT (my ISP) is very good here: I've never had a malicious attachment get past their filter. If only other ISPs were as good...

Offline FreewheelinFrank

Re: Virus keeps coming back...
« Reply #12 on: July 07, 2005, 05:43:05 PM »
rdriv.sys seems to be another rootkit causing the same problem, perhaps a new name for the same thing?

http://forum.avast.com/index.php?topic=14830.0

http://www.dslreports.com/forum/remark,13287635

Fast

  • Guest
Re: Virus keeps coming back...
« Reply #13 on: July 07, 2005, 06:29:26 PM »
Hello gentlemen,
From what I've heard there's a fair chance that Ewido can handle this, but maybe you want to have a look at this one:
http://www.sysinternals.com/utilities/rootkitrevealer.html

Fast
« Last Edit: July 07, 2005, 06:32:00 PM by Fast »

Offline FreewheelinFrank

Re: Virus keeps coming back...
« Reply #14 on: July 07, 2005, 07:21:09 PM »
These seem to be the FU rootkit, and as such, will not be revealed by RootkitRevealer. In the link above, rdriv.sys is called a "pseudorootkit".


If this was a real rootkit, the rootkit would presumably hide itself as well and anti-virus programs wouldn't set off any alarms...