Author Topic: msdirectx.sys please help?  (Read 8702 times)

Guest_matt_*

  • Guest
msdirectx.sys please help?
« on: May 30, 2005, 09:19:40 AM »
Hello,

I somehow stumbled upon getting a trojan that I can't get rid of - I'm usually alright at getting rid of viruses and stuff, but this one I can't get rid of.

msdirectx.sys is being created in C:\; however, I do believe it is just a copy of another file I cannot find.

I have the AVG Free Edition scanner, which picks up the msdirectx.sys file but nothing else.

It does not let me open regedit; however, I made a copy and renamed it, so I can now use regedit. I don't really know how regedit works though and don't want to screw it all up.

Lavasoft Ad-Aware only picks up a browser hijack in the registry that I have removed.

Please help me - this is driving me nuts, my internet sending/receiving all the time, not to mention the spyware and junk that is coming across too.

I have tried creating the batch file and running pskill found on this page - http://www.antisource.com/article.php/spyb...ebc08-msdirectx

My email is freestylemxer55 [Email Removed] if you want it. Thank you for any help, Matt Dean

Guest_matt_*

  • Guest
msdirectx.sys please help?
« Reply #1 on: May 30, 2005, 07:20:58 PM »
Please, somebody?

Guest_matt_*

  • Guest
msdirectx.sys please help?
« Reply #2 on: May 31, 2005, 10:05:12 PM »
Please - why won't anybody help me... I'm desperate... I have work I needed done three days ago and a computer that's not working properly... PLEASE help, please!

Catz

  • Guest
msdirectx.sys please help?
« Reply #3 on: June 03, 2005, 04:28:59 AM »
Hey,

I was just wondering if you have Service Pack 2 installed? I had the msdirectx file appearing in my user file and System32, and it would keep reappearing on bootup. Questolo gave me a fix which deleted it temporarily, but on the second reboot it had come back. I decided to try the fix again, and I had to download SP2 manually because my automatic updates wouldn't work; I also had to download it through the Mozilla Firefox browser and not standard Internet Explorer. It took ages to install, maybe a few hours, because my computer was running very slow, but now that I have it the virus hasn't returned. You'll probably need a way to delete all the files this virus seems to create before you install it.

Hope this helps

RickW

  • Guest
msdirectx.sys please help?
« Reply #4 on: June 08, 2005, 08:18:09 AM »
The batch routine I created specifically removes the "hpsebc08.exe" version of this virus; it won't help with any other variant. It also does not remove msdirectx.sys because antivirus software already detects it.

If you run HiJackThis and post the logs to Forum - HiJackThis Log Analysis we might be able to get your virus removed...

PILSEN

  • Guest
msdirectx.sys please help?
« Reply #5 on: June 10, 2005, 01:08:14 PM »
I actually found the SAME virus on my XP Pro system, same pop-up (C:\Msdirect.sys - Hacktool Rootkit), but found it spawning from a file in C:\Windows\System32 called 'setup32.exe'.
Try and delete that file. That fixed the problem for me.

It is likely that the file that spawns the msdirectx.sys file changes, so a good way to find out which file is the culprit is by going into the Control Panel's logs and checking for system events and errors. Find out the date when the msdirectx.sys errors started popping up, then look for files created on that same day in the system32 folder. Then delete the .exe files created on the day the pop-ups started.

Guest

  • Guest
msdirectx.sys please help?
« Reply #6 on: June 15, 2005, 10:16:07 PM »
My computer was infected by this virus yesterday. Every time I deleted msdirectx.sys, it came back very soon. I ran regedit and found the key HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON\SHELL was changed to "Explorer green.exe". So I changed this key back to "Explorer" in safe mode, and deleted msdirectx.sys under c:\windows\system32. No problem has been found till now.
My email: [email protected]

Guest too

  • Guest
msdirectx.sys please help?
« Reply #7 on: June 18, 2005, 09:17:40 AM »
I had the same problem as above ("found the key HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\WINLOGON\SHELL was changed to "Explorer green.exe""), except mine was gr33n.exe and not green.exe.

I removed the gr33n.exe and left just explorer.exe, and then found and deleted the file gr33n.exe-xxxxxxxx.pf in the C:\WINDOWS\PREFETCH directory, and things seem OK now.

My computer was infected while updating a new install of Windows XP Pro from the Microsoft Update site on June 17, 2006 in the afternoon and I'm assuming this is yet another variant of the virus.

I picked up MANY viruses while JUST running all the updates to Win XP Pro - That was the ONLY site I visited after a fresh Windows install on a new hard drive!  I had even disabled MS Messenger from running.

I'm assuming these hackers are attacking the Windows installs BEFORE the updates can be run, so they can get to non-security updated machines.

Hope this helps someone else.

Guest

  • Guest
msdirectx.sys please help?
« Reply #8 on: June 20, 2005, 04:08:33 PM »
Hello everyone,

I spent the last 2 days hunting this worm down on my mum's computer and got to the bottom of this... I thought I would post my solution here so as to add to the scarce info available on the net about this one.

I got my lead from the green.exe reg key change. I downloaded and ran HijackThis (just do a search on Google to find the free download), where I noticed this strange Explorer.exe green.exe reg key value. Several boots in safe mode did not get rid of the msdirectx.sys file; it kept cropping back within a few seconds, even in safe mode.

Hence in safe mode I tried to change the winlogon shell reg key back to simply Explorer.exe.... You see, in safe mode you still execute explorer.exe at logon, hence this green app gets launched at startup. Even renaming the reg key would change it back to its corrupted value after I closed regedit. So I launched the Task Manager and killed the green.exe app. This did it! I changed the reg key again, deleted the msdirectx.sys, and needed to delete the green.exe file as well using an Explorer window where I unchecked the "hide system files" option in the Tools > Options section.

Anyhow, hope the above helps someone.

best of luck

Vrata

Robert Griffiths

  • Guest
msdirectx.sys please help?
« Reply #9 on: June 28, 2005, 02:57:09 AM »
Thanks for your contributions on this topic. However, I came across a file called mcafee32.exe, rather than green.exe, that caused all of the problems. This was a little odd, as the notebook had AVG installed!

Colster

  • Guest
msdirectx.sys please help?
« Reply #10 on: June 30, 2005, 06:37:20 AM »
.........and MSGMSNGS.EXE.

Fj

  • Guest
msdirectx.sys please help?
« Reply #11 on: July 01, 2005, 07:12:35 AM »
I had the same problem. I found the answer at www.ewido.net/en/download/; refer to the posting on this site, No. 18677.

Andris

  • Guest
msdirectx.sys please help?
« Reply #12 on: July 12, 2005, 07:11:33 AM »
http://securityresponse.symantec.com/[email protected]

The most interesting is the description: Executes the file C:\winsystem.exe which drops the file msdirectx.sys, currently detected as Hacktool.Rootkit. The rootkit will be started as a service (msdirectx), in an attempt to hide both the rootkit itself and to hide the running W32.Mytob.AR@mm process

The removal tool is also available there.

Worked out for me.
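The replies above describe four manual indicators of this infection: the Winlogon Shell value with a second launcher appended after Explorer (replies #6 to #8), executables created in System32 on the day the errors began (reply #5), the launcher's leftover .pf entry in the Prefetch folder (reply #7), and the driver registered as a service named msdirectx (reply #12). The following is an added example, not code from any post in this thread, that turns those checks into a read-only PowerShell triage script. It assumes a Windows host with PowerShell 5.1 or later (the thread itself concerns Windows XP, which had no PowerShell); all function names are my own, the process and file names it looks for are the ones named in the thread, and the date passed at the bottom is a placeholder.

```powershell
# Added example (not from the thread). Read-only checks for the indicators the
# replies describe; nothing here deletes or modifies anything. Run as an
# administrator on a PowerShell 5.1+ host and review the output before acting.

$WinlogonKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'

# Launcher names reported in the thread (replies #5 through #12).
$KnownLaunchers = @('green.exe', 'gr33n.exe', 'setup32.exe', 'mcafee32.exe', 'MSGMSNGS.EXE', 'winsystem.exe')

function Test-WinlogonShell {
    # Replies #6-#8: the Shell value read "Explorer green.exe" / "Explorer gr33n.exe".
    # Only "explorer.exe" is expected; anything appended is a persistence hook.
    $shell = (Get-ItemProperty -Path $WinlogonKey -Name Shell -ErrorAction SilentlyContinue).Shell
    if ($null -eq $shell) {
        return [pscustomobject]@{ Status = 'OK'; Shell = '(value absent, default explorer.exe applies)' }
    }
    $status = if ($shell.Trim() -ieq 'explorer.exe') { 'OK' } else { 'SUSPICIOUS' }
    [pscustomobject]@{ Status = $status; Shell = $shell }
}

function Get-System32FilesCreatedOn {
    param([Parameter(Mandatory)][datetime]$Day)
    # Reply #5: list executables and drivers in System32 created on the day the
    # pop-ups started, with Authenticode status so signed OS files stand out.
    Get-ChildItem -Path "$env:SystemRoot\System32\*" -Include *.exe, *.sys, *.dll -File -ErrorAction SilentlyContinue |
        Where-Object { $_.CreationTime.Date -eq $Day.Date } |
        ForEach-Object {
            [pscustomobject]@{
                Name         = $_.Name
                CreationTime = $_.CreationTime
                Signature    = (Get-AuthenticodeSignature -FilePath $_.FullName).Status
            }
        }
}

function Get-PrefetchTraces {
    param([Parameter(Mandatory)][string]$ImageName)
    # Reply #7: a binary that has run leaves <NAME>-<hash>.pf in the Prefetch
    # folder, which survives even after the binary itself is removed.
    Get-ChildItem -Path "$env:SystemRoot\Prefetch" -Filter "$ImageName-*.pf" -File -ErrorAction SilentlyContinue |
        Select-Object Name, LastWriteTime
}

function Get-KnownLauncherProcesses {
    # Reply #8: the launcher had to be killed before the registry value would stay
    # fixed. Report any running process whose image name matches the thread's list.
    Get-Process -ErrorAction SilentlyContinue |
        Where-Object { $KnownLaunchers -contains ($_.Name + '.exe') } |
        Select-Object Id, Name, Path
}

function Get-RootkitServiceInfo {
    # Reply #12 (Symantec write-up): the driver is started as a service named
    # "msdirectx". Check the service, its SCM registry entry, and the file on disk.
    $svc = Get-Service -Name 'msdirectx' -ErrorAction SilentlyContinue
    $key = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\msdirectx' -ErrorAction SilentlyContinue
    $svcStatus = if ($svc) { $svc.Status } else { 'n/a' }
    $imagePath = if ($key) { $key.ImagePath } else { 'n/a' }
    [pscustomobject]@{
        ServicePresent = [bool]$svc
        ServiceStatus  = $svcStatus
        ImagePath      = $imagePath
        DriverOnDisk   = Test-Path "$env:SystemRoot\System32\msdirectx.sys"
    }
}

# Usage: pass the day the pop-ups began (placeholder date below) and review each result.
Test-WinlogonShell
Get-System32FilesCreatedOn -Day (Get-Date '2005-06-10')
Get-PrefetchTraces -ImageName 'GREEN.EXE'
Get-KnownLauncherProcesses
Get-RootkitServiceInfo
```

The ordering mirrors the posters' experience: the Shell value and running launcher are checked first, because reply #8 found that fixing the registry value alone was undone as long as the launcher process was alive, and the service check comes last because a driver registered as a service is the component that re-creates msdirectx.sys after each manual deletion.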