BigTex71

About BigTex71

svasutin - thank you for the info in this thread. I came across this same rootkit yesterday on an XP computer and found this thread when searching for fsystemroot. Before finding this thread, I had noticed that the .SYS file in the drivers folder was visible but couldn't be removed while in Windows. Right-click > Properties on the file didn't show all of the normal NTFS tabs. Once I found that it was a rootkit-hidden service, I was able to get it stopped and removed. Thank you. I'm working on this remotely, so I didn't have Recovery Console access to it. BUT . . . upon inspecting the system with some rootkit tools, I found a second one with the name "SKYNET <random chars>.sys" running on the system as well. I wasn't able to get this one stopped and removed through remote tools. Looks like I'm going to need hands-on Recovery Console access for this one. I do know that the person opened an .EXE email attachment last week, which started the infection. Symantec called the attachment W32.SillyFDC. ThreatExpert gave it this report: http://www.threatexpert.com/report.aspx?md...074dfdaa7a53f3b