
Rootkit - msnt.exe and msdirectx.sys

Monday, April 25, 2005
Author: cotswold
Permalink: rootkit-msnt-msdirectx
Virus Alerts


Just cleaned another variant Symantec can't detect. Neither AVG nor PC-Cillin detected it either.

Generic: Rootkit
Infects through: MSN

The file is msnt.exe in windows/system32 (search for it from a cmd prompt in safe mode). This file generates msdirectx.sys (also found in windows/prefetch). No matter what you rename this file to, it will amend its registry entries to match the new name.

Solution:
- Boot in safe mode (F8)
- Start > Run > msconfig
- Remove msnt.exe from the startup list
- Reboot in safe mode
- From a command prompt, go to c:\ and check for msdirectx.sys and delete it
- Go to windows/system32, check for msdirectx.sys and delete it
- Go to windows/prefetch and search for a file with msnt in its name and delete it

Search for msdirectx in the registry and find the corresponding name. Note the name of the file it corresponds to (in my case this was msnt.exe). Delete all entries of msdirectx.sys. Now search for the corresponding file name (msnt.exe) in the registry and delete all of these entries.

My infection had multiple registry entries as follows:

Compaq system drivers = msnt.exe

Delete all of these and also do a search for msdirectx.exe again.

Reboot and have a nice day :-)
Comments on Rootkit - msnt.exe and msdirectx.sys (6 comments)

Rootkit - msnt.exe and msdirectx.sys
Authored by: Webmaster on Tuesday, April 26, 2005

Thanks for the writeup. I'm sure a lot of people that get infected with this are going to find this useful.

Rootkit - msnt.exe and msdirectx.sys
Authored by: Predogz on Wednesday, May 25, 2005

My problem was a worm called 'msdirectx.sys'. I ran Microsoft Antispyware, AVG 7.0, and another anti-worm program called Adware Away. Even after running all 3 of these programs I would still have the bug. It had control of my task manager, would not let me update Windows, and would not let me run McAfee.
Note that some of these programs did in fact find msdirectx.sys and remove it, but it kept reappearing anyway. What it was doing is spawning another file of a similar name called 'mspg.exe' that would recreate the file and put it in my startup programs almost as soon as it was removed.
What I had to do to remove it was boot in safe mode, run the msconfig utility, and remove the secondary file from my startup list. Then I rebooted in safe mode.
I removed all instances of msdirectx from my C: drive. Then I checked windows/prefetch and searched for any instances of the secondary file 'mspg' and deleted them. Then I searched for msdirectx in the registry, as well as the secondary file, and deleted all entries.
Then I rebooted and I was finally clean. I immediately updated Windows, McAfee, and all other security programs.
Note that neither my McAfee nor Windows was up to date, which was completely foolish on my part. Also know that this worm would not even let me on the internet to use the Symantec, McAfee or Windows site with any browser I tried. Internet Explorer was totally hijacked by it, so much so that I'm afraid to use it again. One other thing worth noting is that it was preventing any firewall services from running on my computer by disabling and stopping the service called 'Remote Access Connection Manager'. When you try to restore the service it would just say 'access is denied'.
This bug was very frustrating and took me a week to figure out how to beat it. I'm currently in school for software development, and I am computer savvy, to a point. But I'll tell ya, this worm had me thinking reinstall Windows at the worst points of it. It's very much like a personal attack when I can't do what I want on it in my own home. I hope that this information can help you to help anyone else who may get this worm.

Rootkit - msnt.exe and msdirectx.sys
Authored by: stewmarsden on Sunday, May 29, 2005

Download NOD32 free from http://www.nod32.com/home/home.htm
It works on this virus as I found out after trying every other anti virus going!

Rootkit - msnt.exe and msdirectx.sys
Authored by: tristanm on Sunday, May 29, 2005

I had this, however, it was named "codq.exe" instead of msnt.exe. I followed the instructions, using msconfig in safe mode, regedit, etc. It was necessary to use the command "attrib -r -h -s" in order to delete codq.exe.

Hopefully it is gone now. I have AVG antivirus; it would detect msdirectx.sys but could not detect or fix codq.exe.

Rootkit - msnt.exe and msdirectx.sys
Authored by: xxsnoopxx on Friday, July 01, 2005

I found a solution after 2 weeks of searching to kill msdirectx.sys (it no longer replicates).

If you still have problems with it, try looking at your registry; maybe it helps you:

Open regedit:

Hkey_local_machine -> Software -> Microsoft -> WindowsNT -> CurrentVersion -> Winlogon

On the right side search for "UserInit". If there is only userinit.exe as the value, all is OK, but in my case there was a mysterious setup32.exe too (userinit.exe,setup32.exe). After deleting it (but only the setup32.exe value!!!), all works fine, no more msdirectx.sys!!! Hope this can help!

Rootkit - msnt.exe and msdirectx.sys
Authored by: wicked.wretch on Friday, July 01, 2005

After looking in many sites I finally got rid of it.

What I did is this:
After a week of trying to kill it with AVG, I decided to get some information. I tried every solution, but everything failed. I decided to install UnHackMe.
I don't know if it was the program, or something else, but when Windows started something called 'sysmon32.exe' crashed. The AVG alerts about msdirectx.sys stopped. I went to Hkey_local_machine -> Software -> Microsoft -> WindowsNT -> CurrentVersion -> Winlogon (thanks xxsnoopxx), but in 'Shell' I found the sysmon32.exe after explorer.exe. I deleted it, and went to c:\windows\system32 and deleted both sysmon32.exe and msdirectx.sys.

The problem with this trojan is that the file that creates msdirectx.sys changes, and so does its location on the hard drive and in the registry. I believe that UnHackMe helped to stop sysmon32.exe, but I'm not sure.

I hope this helps.
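As an added example (not code from the original post or from any commenter), the PowerShell script below audits the locations that the article's procedure and the xxsnoopxx and wicked.wretch comments cleaned by hand: the Winlogon Userinit and Shell values, the Run/RunOnce keys, the services key, and the system32, Prefetch and drive-root folders, including hidden/system files. It only reports; the file names it looks for are the ones reported in this thread, and the "Windows NT" registry path is the standard one (the comments write it as "WindowsNT").

```powershell
# Added example, not from the original thread: read-only audit of the places the posts
# above edited by hand. Run in an elevated PowerShell. Suspect names are from this thread.
param(
    [string[]]$SuspectNames = @('msdirectx', 'msnt.exe', 'mspg.exe', 'codq.exe',
                                'setup32.exe', 'sysmon32.exe')
)

# 1. Winlogon: Userinit should be "<system32>\userinit.exe," and Shell "explorer.exe".
$wl = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$expectedUserinit = (Join-Path $env:SystemRoot 'system32\userinit.exe') + ','
if ($wl.Userinit -ne $expectedUserinit) {
    Write-Warning "Winlogon\Userinit = '$($wl.Userinit)' (expected '$expectedUserinit')"
}
if ($wl.Shell -ne 'explorer.exe') {
    Write-Warning "Winlogon\Shell = '$($wl.Shell)' (expected 'explorer.exe')"
}

# 2. Run/RunOnce keys (what msconfig's startup tab shows) that mention a suspect name.
$runKeys = @('HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
             'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
             'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
             'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce')
foreach ($k in $runKeys) {
    if (-not (Test-Path $k)) { continue }
    foreach ($p in (Get-ItemProperty -Path $k).PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }      # skip PowerShell's own metadata properties
        foreach ($s in $SuspectNames) {
            if ("$($p.Value)" -like "*$s*") { Write-Warning "$k\$($p.Name) = $($p.Value)" }
        }
    }
}

# 3. Services/drivers whose ImagePath points at a suspect file ("Compaq system drivers = msnt.exe").
foreach ($svc in Get-ChildItem 'HKLM:\SYSTEM\CurrentControlSet\Services') {
    $ip = (Get-ItemProperty -Path $svc.PSPath -ErrorAction SilentlyContinue).ImagePath
    foreach ($s in $SuspectNames) {
        if ($ip -and $ip -like "*$s*") { Write-Warning "Service $($svc.PSChildName): ImagePath = $ip" }
    }
}

# 4. Files on disk, including hidden/system ones (the thread needed "attrib -r -h -s" to delete them).
foreach ($dir in @("$env:SystemRoot\system32", "$env:SystemRoot\Prefetch", "$env:SystemDrive\")) {
    Get-ChildItem -Path $dir -Force -File -ErrorAction SilentlyContinue | ForEach-Object {
        $name = $_.Name
        foreach ($s in $SuspectNames) {
            if ($name -like "*$s*") { Write-Warning "File: $($_.FullName)" }
        }
    }
}
```

Run it before and after a cleanup; anything it still reports after a reboot is a persistence point the manual steps missed.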