directx.exe - Dangerous

directx.exe

Manual removal instructions:

Antivirus Report of directx.exe:
directx.exe: Malware
directx.exe: Dangerous
directx.exe: High Risk
directx.exe
Added as a result of the BLAXE VIRUS!

W32.HLLW.Blaxe is a worm that attempts to copy itself through the Grokster, KaZaA, and iMesh file-sharing networks.
This virus is written in the Microsoft Visual Basic programming language and is compressed with UPX.

When W32.HLLW.Blaxe runs, it does the following:

1. Copies itself as:
%Windir%\WinBat.exe
%Windir%\DirectX.exe
%Temp%\Messenger Plus! - Setup.exe
C:\Windll32.dll

%Windir% = C:\Windows or C:\Winnt
%Temp% = C:\Windows\Temp

2. Adds the value:
"DirectX"="%Windir%\DirectX.exe" to the registry keys:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices

3. Searches for Winzip.exe and, if found, copies itself to the same location as WZExtract.exe.

4. Sets the value:
"[Default]"=""
in the registry key:
HKEY_LOCAL_MACHINE\Software\CLASSES\WinZip\shell\open\command

5. Creates a hidden folder, %Windir%\Kernell, and then copies itself into this folder using random names from a list.
Some examples:
Adobe Photoshop crack.exe
Adult(hardcore sex movie xxx)movie.exe
Age of Empires 2 crack.exe
anastasia anal.jpg.exe
AOL password stealer.exe
Christina Aguilera movie.exe
Crack XBOX live.exe
Fifa 2004 crack.exe
Hotmail account hacker in 30 minutes.exe
Lord of the rings VCD.exe
MSN banner remover.exe
Windows XP Home to Professional Upgrade.exe
ZoneAlarm Firewall Pro.exe

6. Adds the values:
"dir0"="012345:%Windir%\kernell"
"dir1"="012345:%Windir%\kernell"
"dir2"="012345:%Windir%\kernell"
to the registry keys:
HKEY_CURRENT_USER\Software\Grokster\LocalContent
HKEY_CURRENT_USER\Software\iMesh\Client\LocalContent
HKEY_CURRENT_USER\Software\KaZaA\LocalContent

7. Searches for .exe files on the A drive. If a floppy disk is loaded in the A drive, the worm may copy itself as A:\*.exe.exe.

8. Creates the file C:\FTP.bat and uses this batch file to connect to a predefined FTP server and download the file Update.exe to the root folder.
(Antivirus products detect the downloaded Update.exe as W32.Spybot.Worm.)

Removal instructions:
1. Disable System Restore (Windows Me/XP).
2. Run a full system scan with your antivirus program and delete all the files detected as W32.HLLW.Blaxe.
3. Delete the values that were added to the registry.

Navigate to the keys:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
and delete the value:
"DirectX"="%Windir%\DirectX.exe"

Then navigate to the key:
HKEY_LOCAL_MACHINE\Software\CLASSES\WinZip\shell\open\command
and modify the value to refer to the location of the Winzip32.exe file. (This is usually C:\Program Files\Winzip\Winzip32.exe.)

Navigate to each of the following keys:
HKEY_CURRENT_USER\Software\Grokster\LocalContent
HKEY_CURRENT_USER\Software\iMesh\Client\LocalContent
HKEY_CURRENT_USER\Software\KaZaA\LocalContent
and delete the values:
"dir0"="012345:%Windir%\kernell"
"dir1"="012345:%Windir%\kernell"
"dir2"="012345:%Windir%\kernell"
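
A read-only check for the registry changes listed above, as an added example that is not part of the original write-up or of any vendor tool: it parses the text of a `.reg` export and reports each Blaxe value together with the removal step given for it. The sample export is constructed, and the function names are this example's own.

```python
import re

# Key suffixes (lower-cased) for the registry locations listed in the write-up.
RUN_KEYS = (r"\microsoft\windows\currentversion\run",
            r"\microsoft\windows\currentversion\runservices")
P2P_KEYS = (r"\grokster\localcontent", r"\imesh\client\localcontent",
            r"\kazaa\localcontent")
WINZIP_KEY = r"\classes\winzip\shell\open\command"
# One string-value line: "name"="data", or @="data" for the key's default value.
VALUE_RE = re.compile(r'^(@|"(?P<name>(?:[^"\\]|\\.)*)")="(?P<data>(?:[^"\\]|\\.)*)"$')

def unescape(s):
    return re.sub(r"\\(.)", r"\1", s)  # .reg escapes \ and " with a backslash

def parse_reg(text):
    """Yield (key, value_name, data) for each string value in a .reg export."""
    key = None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
        elif key and (m := VALUE_RE.match(line)):
            name = "@" if m.group(1) == "@" else unescape(m.group("name"))
            yield key, name, unescape(m.group("data"))

def find_blaxe_traces(text):
    """Return (key, value_name, action) for every Blaxe registry change found."""
    hits = []
    for key, name, data in parse_reg(text):
        k, n, d = key.lower(), name.lower(), data.lower()
        if k.endswith(RUN_KEYS) and n == "directx" and d.endswith(r"\directx.exe"):
            hits.append((key, name, "delete value"))
        elif (k.endswith(P2P_KEYS) and re.fullmatch(r"dir[0-2]", n)
              and d.startswith("012345:") and d.endswith(r"\kernell")):
            hits.append((key, name, "delete value"))
        elif k.endswith(WINZIP_KEY) and name == "@" and data == "":
            hits.append((key, name, "restore Winzip32.exe path"))
    return hits

# Constructed sample export for illustration, not taken from a real host.
SAMPLE = r'''Windows Registry Editor Version 5.00
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DirectX"="C:\\Windows\\DirectX.exe"
"ctfmon"="C:\\Windows\\system32\\ctfmon.exe"
[HKEY_CURRENT_USER\Software\KaZaA\LocalContent]
"dir0"="012345:C:\\Windows\\kernell"
"dir3"="012345:C:\\My Shared Folder"
[HKEY_LOCAL_MACHINE\Software\CLASSES\WinZip\shell\open\command]
@=""
'''
```

Exports saved by regedit in the "Version 5.00" format are UTF-16, so read the file with `encoding="utf-16"` before passing its text to `find_blaxe_traces`.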


Dmitry Sokolov:

I created UnHackMe in 2006 to fix the problem that antiviruses did not fix: detecting rootkits.

Since that time I have worked every day to fix the issues that antiviruses cannot.

If your antivirus has not helped you solve the problem, you should try UnHackMe.

We are a small company and you can ask me directly, if you have any questions.
