BigTex71

Member
  • Posts: 1
  • Donations: 0.00 USD
  • Country: United States

Reputation: 0

Posts by BigTex71
  1. svasutin - thank you for the info in this thread. I came across this same rootkit yesterday on an XP computer and found this thread when searching for fsystemroot. Before finding this thread, I had noticed that the .SYS file in the drivers folder was visible, but couldn't be removed while in Windows. Right-click properties on the file didn't have all of the normal NTFS tabs. Once I found that it was a rootkit hidden service, I was able to get it stopped and removed. Thank you.

     I'm working on this remotely, so I didn't have recovery console access to it. BUT . . . Upon inspecting the system with some rootkit tools, I found a second one with the name "SKYNET <random chars>.sys" running on the system as well. I wasn't able to get this one stopped and removed through remote tools. Looks like I'm going to need hands-on recovery console access to this one.

     I do know that the person opened an .EXE email attachment last week to start the infection. Symantec called the attachment W32.SillyFDC. ThreatExpert gave it this report: http://www.threatexpert.com/report.aspx?md...074dfdaa7a53f3b