Need assistance with undetected virus (directx.exe)

Discussion in 'other anti-virus software' started by DaveD, Oct 3, 2006.

Thread Status:
Not open for further replies.
  1. DaveD

    DaveD Guest

    Files:

    - directx.exe

    Symptoms:

    - AntiVir shutting down immediately upon logging in to Windows XP
    - AntiVir not able to update
    - SpywareBlaster not able to update
    - Multiple ssh.exe in Task Manager (ssh not installed on PC)
    - IEXPLORE.EXE also in Task Manager, yet not run by me
    - Installer for Java 5.0 Update 9 would not run

    Scans:

    (all scans done with latest updates and the most thorough of options)

    - McAfee detected nothing
    - AntiVir detected nothing (Heuristics was on Medium)
    - Online File Scans from avast!, Norman, Kaspersky detected nothing
    - Ad-Aware SE Personal detected nothing
    - AVG Anti-spyware (AKA Ewido) detected nothing
    - Spybot detected directx.exe as CoolWWWSearch.SmartSearch

    Solutions:

    - Removed directx.exe with Spybot in Safe Mode
    - All "appears" to be well now

    Thoughts:

    - It is funny how pretty much everything failed except for good old Spybot
    - Spybot's detection name was kind of generic and provided no information
    - Google searches suggest possible BLAXE and LOGPOLE viruses
    - Nod32 suggests possibly a variant of Win32/Rukap.BS

    Conclusions:

    - I am uncertain as to which virus this actually is
    - I am uncertain as to what damage has been done to my system
    - None of the information searches provided me with detailed information

    Jotti's:

    http://img154.imagevenue.com/loc417/th_85794_jotti_122_417lo.jpg

    VirusTotal:

    http://img133.imagevenue.com/loc400/th_88605_virustotal_122_400lo.jpg

    ******************************************************

    I have kept this virus in a password protected archive. I am hoping that somebody can help provide me with more detailed information as to what this virus did to my system so that I can decide if I should use a backup from a few days ago if necessary. None of these scans or my own searches for information on this has determined exactly which virus this is or exactly what it does. I am willing to send this virus in a password protected archive to anybody willing to examine it further.

    Thanks,
    Dave
     
    Last edited by a moderator: Oct 3, 2006
  2. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,456
    It's a variant of the Rukap trojan; we've received dozens of such samples via ThreatSense. If you experience a problem removing it, boot to safe mode and delete it manually.
     
  3. DaveD

    DaveD Guest

    Thank you for your quick reply.
    I searched the Nod32 site for Rukap and came up with no information or details.

    - Is there any data loss or file corruption for me to worry about here?

    - Seeing how this appears to open up some type of backdoor, since I do have a well-configured NAT router, is that something for me to worry about? Could somebody still have gotten in?

    Thanks,
    Dave
     
  4. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,456
    I haven't analysed it thoroughly yet, but basically trojans do not infect other files. The sample I've tested briefly didn't open any TCP/UDP port.
     
  5. DaveD

    DaveD Guest

    I should also point out that there were two other processes that were not on my system prior to this.

    - ctfmon.exe (I have never had MS Office on this PC before)
    - MDM.EXE (installed as a Windows Service, never on PC before)

    From what I have read, these processes could be legitimate from MS or could be used by Trojans. However, neither of these has been running on my PC before, and I have never had MS Office previously. I always pay close attention to which processes are running on my PC and any other changes made.
     
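The process changes DaveD describes (several ssh.exe instances, an IEXPLORE.EXE he did not start, ctfmon.exe and MDM.EXE appearing for the first time) are exactly what a diff against a known-good process baseline surfaces. The script below is an added example and not code from the thread; the baseline, the snapshot and every path in it are constructed, and the process lister that would feed it on a real machine is left out.

```python
# Added example: compare a process snapshot against a baseline taken while the
# machine was known-good. A name that is not in the baseline is "new since
# baseline", not proof of malware (ctfmon.exe and MDM.EXE are legitimate MS
# binaries), so the output is a list to investigate, not a verdict.
from collections import Counter

# Constructed baseline: lower-case process name -> expected image directory.
BASELINE = {
    "system": r"\systemroot",
    "smss.exe": r"c:\windows\system32",
    "csrss.exe": r"c:\windows\system32",
    "winlogon.exe": r"c:\windows\system32",
    "services.exe": r"c:\windows\system32",
    "lsass.exe": r"c:\windows\system32",
    "svchost.exe": r"c:\windows\system32",
    "explorer.exe": r"c:\windows",
}
# Names that legitimately run as several instances (svchost hosts many services).
MULTI_OK = {"svchost.exe"}

# Constructed snapshot: (process name, image directory) as a lister would report.
SNAPSHOT = [
    ("System", r"\SystemRoot"),
    ("smss.exe", r"C:\WINDOWS\system32"),
    ("csrss.exe", r"C:\WINDOWS\system32"),
    ("winlogon.exe", r"C:\WINDOWS\system32"),
    ("services.exe", r"C:\WINDOWS\system32"),
    ("lsass.exe", r"C:\WINDOWS\system32"),
    ("svchost.exe", r"C:\WINDOWS\system32"),
    ("svchost.exe", r"C:\WINDOWS\system32"),
    ("svchost.exe", r"C:\Documents and Settings\dave\Local Settings\Temp"),
    ("explorer.exe", r"C:\WINDOWS"),
    ("ssh.exe", r"C:\WINDOWS\system32"),
    ("ssh.exe", r"C:\WINDOWS\system32"),
    ("ssh.exe", r"C:\WINDOWS\system32"),
    ("IEXPLORE.EXE", r"C:\Program Files\Internet Explorer"),
    ("ctfmon.exe", r"C:\WINDOWS\system32"),
    ("MDM.EXE", r"C:\Program Files\Common Files\Microsoft Shared\VS7Debug"),
]

def analyse(snapshot, baseline=BASELINE, multi_ok=MULTI_OK):
    """Return names absent from the baseline, known names running from an
    unexpected directory, and names with more instances than expected."""
    unknown, misplaced = set(), []
    counts = Counter(name.lower() for name, _ in snapshot)
    for name, path in snapshot:
        key = name.lower()
        if key not in baseline:
            unknown.add(key)
        elif path.lower() != baseline[key]:   # e.g. a second svchost.exe in Temp
            misplaced.append((key, path))
    duplicates = {k: n for k, n in counts.items() if n > 1 and k not in multi_ok}
    return {"unknown": sorted(unknown), "misplaced": misplaced, "duplicates": duplicates}
```

Run against the constructed snapshot it reports ssh.exe, IEXPLORE.EXE, ctfmon.exe and MDM.EXE as new, ssh.exe as running three times, and the svchost.exe copy in a Temp directory as misplaced; the real work is then checking each flagged binary's path, signature and parent rather than trusting its name.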