Rootkit - msnt.exe and msdirectx.sys

Monday, April 25, 2005
Author: cotswold

Just cleaned another variant that Symantec can't detect. Neither AVG nor PC-Cillin detected it either.

Generic: Rootkit
Infects through: MSN

The file is msnt.exe in windows/system32 (search for it from a command prompt in safe mode). This file generates msdirectx.sys (also in windows/prefetch). No matter what you rename msnt.exe to, it amends its registry entries to match the new name, so renaming it does nothing. Do the file and registry searches from safe mode: a loaded rootkit driver can hide its own files and registry entries from tools run on the live system.

Solution:
- Boot into safe mode (press F8 during startup)
- Start, Run, msconfig
- remove msnt.exe from the startup list
- reboot into safe mode again
- from a command prompt, go to c:\ and check for msdirectx.sys; delete it if present
- go to windows/system32, check for msdirectx.sys and delete it
- go to windows/prefetch, search for a file with msnt in its name and delete it

Search the registry for msdirectx and find the corresponding entry. Note the name of the file it corresponds to (in my case this was msnt.exe). Delete all entries for msdirectx.sys. Now search the registry for that file name (msnt.exe) and delete all of those entries as well.

My infection had multiple registry entries of this form:

Compaq system drivers = msnt.exe

Delete all of these, then search the registry for msdirectx once more to make sure nothing was left behind.
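The registry part of the procedure above, worked as an added example (this is not code from the original post or from its author). The script parses a regedit .reg export offline, so it can be run on an export taken from the infected machine in safe mode rather than on the live registry. Only the value name "Compaq system drivers" and the two file names come from the post; the sample export, the key locations (Run, RunServices, Services\msdirectx) and the "bare file name in an autostart value" heuristic are my own assumptions for illustration. One point the script shows that a plain text search of an export misses: a driver's ImagePath is usually exported as hex(2) (UTF-16LE bytes), so "msdirectx.sys" never appears literally in the file until the value is decoded.

```python
"""Registry pivot from the post (driver name -> dropper name -> all entries), done
offline on a regedit .reg export. Added example; key layout and sample are assumed."""
import re
from typing import Dict, List, Tuple

Entry = Tuple[str, str, str]  # (key path, value name, decoded value data)


def hex2(s: str) -> str:
    """Encode a string the way regedit exports REG_EXPAND_SZ: 'hex(2):' followed by
    NUL-terminated UTF-16LE bytes, wrapped onto continuation lines ending in '\\'."""
    byte_hex = [f"{b:02x}" for b in (s + "\0").encode("utf-16-le")]
    rows = [",".join(byte_hex[i:i + 25]) for i in range(0, len(byte_hex), 25)]
    return "hex(2):" + ",\\\n  ".join(rows)


IMAGE_PATH_HEX = hex2("\\??\\C:\\WINDOWS\\system32\\msdirectx.sys")

# Constructed sample export (assumed key locations; not captured from a real infection).
SAMPLE_REG = rf"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Compaq system drivers"="msnt.exe"
"Legit Updater"="C:\\Program Files\\Legit\\updater.exe /quiet"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"Compaq system drivers"="msnt.exe"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\msdirectx]
"Type"=dword:00000001
"Start"=dword:00000002
"ImagePath"={IMAGE_PATH_HEX}

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\msdirectx\Enum]
"0"="Root\\LEGACY_MSDIRECTX\\0000"
"Count"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\DirectX]
"Version"="4.09.00.0904"
"""

_KEY_RE = re.compile(r"^\[(.+)\]\s*$")
_VALUE_RE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|(@))=(.*)$')


def _unescape(s: str) -> str:
    return re.sub(r"\\(.)", r"\1", s)  # \\ -> \  and  \" -> "


def _decode(data: str) -> str:
    """Turn exported value data into searchable text."""
    if data.startswith('"') and data.endswith('"'):
        return _unescape(data[1:-1])
    m = re.match(r"hex\((2|7)\):(.*)$", data)  # REG_EXPAND_SZ / REG_MULTI_SZ
    if m:
        raw = bytes(int(h, 16) for h in m.group(2).split(",") if h)
        return raw.decode("utf-16-le", "replace").rstrip("\0").replace("\0", "\n")
    return data  # dword: and binary hex: are left as exported


def parse_reg(text: str) -> List[Entry]:
    logical, carry = [], ""
    for line in text.splitlines():
        line = carry + line.lstrip() if carry else line
        if line.endswith("\\"):  # hex data continues on the next line
            carry = line[:-1]
            continue
        logical.append(line)
        carry = ""
    entries, key = [], None
    for line in logical:
        k = _KEY_RE.match(line)
        if k:
            key = k.group(1)
            continue
        v = _VALUE_RE.match(line)
        if key and v:
            name = "@" if v.group(2) else _unescape(v.group(1))
            entries.append((key, name, _decode(v.group(3))))
    return entries


def find_references(entries: List[Entry], needle: str) -> List[Entry]:
    """Every entry whose key path, value name or data mentions needle (case-insensitive):
    what 'search the registry for msdirectx' means on an export."""
    n = needle.lower()
    return [e for e in entries if any(n in part.lower() for part in e)]


def cleanup_plan(entries: List[Entry], driver: str = "msdirectx",
                 dropper: str = "msnt.exe") -> Dict[str, list]:
    """Keys under Services\\<driver> are deleted whole (service plus its Enum subkey);
    every other reference to the driver or the dropper is a single value to delete."""
    service_keys = sorted({k for k, _, _ in entries
                           if f"\\services\\{driver.lower()}" in k.lower()})
    values = []
    for key, name, _ in find_references(entries, driver) + find_references(entries, dropper):
        if any(key.lower().startswith(s.lower()) for s in service_keys):
            continue
        if (key, name) not in values:
            values.append((key, name))
    return {"delete_keys": service_keys, "delete_values": values}


AUTOSTART_KEYS = ("\\CurrentVersion\\Run", "\\CurrentVersion\\RunOnce",
                  "\\CurrentVersion\\RunServices")


def bare_filename_autostarts(entries: List[Entry]) -> List[Tuple[str, str, str]]:
    """Heuristic (mine, not the post's): autostart values naming a bare file with no
    directory, as 'Compaq system drivers = msnt.exe' does; such a file is found via the
    system path, which is how a dropper sitting in system32 hides behind a plausible name."""
    hits = []
    for key, name, data in entries:
        if not key.endswith(AUTOSTART_KEYS) or not data.strip():
            continue
        target = data.strip().strip('"').split()[0]
        if "\\" not in target and "/" not in target and target.lower().endswith(".exe"):
            hits.append((key, name, target))
    return hits


if __name__ == "__main__":
    ents = parse_reg(SAMPLE_REG)
    for key, name, target in bare_filename_autostarts(ents):
        print(f"autostart with bare file name: [{key}] {name} = {target}")
    plan = cleanup_plan(ents)
    for k in plan["delete_keys"]:
        print("delete key:  ", k)
    for k, n in plan["delete_values"]:
        print("delete value:", k, "->", n)
```

On a real export, replace SAMPLE_REG with the file contents (regedit writes exports as UTF-16LE with a BOM, so open it with encoding "utf-16") and, if the dropper turns out to have a name other than msnt.exe, pass that name as `dropper` after reading it off the entries `find_references(entries, "msdirectx")` returns, which is the manual pivot the post describes.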

Reboot and have a nice day :-)


http://www.antisource.com/article.php/rootkit-msnt-msdirectx