chrispm replied to svasutin's topic "Fixed New FystemRoot Rootkit Virus ( Worm? ) Trojan" in Malware Prevention and Security:

I don't know if this is going to help anyone, but I have actually fixed a machine with this running on it, although it was NOT easy and I needed to use a fair few tools to get it going.

My first point of call was to run RootAlyzer (from the Spybot website). This highlighted some files that were hidden from Windows (use the deep scan option for best results). You could not unhide them in any way, shape or form, so I booted from a Linux Live CD and, sure enough, I was able to find and remove the offending files.

Another package I used was Process Master 1.1 (trial). It highlighted a hidden process that was running and told me where the file was located. Again, I could not delete this, even in Safe Mode, so another boot into Linux Live sorted that out.

I was then able to run the normal spyware tools (ComboFix, Malwarebytes, SUPERAntiSpyware etc.). All of the tools found something, but they are all clear now. I found an extra entry for 127.0.0.1 in the hosts file, and checking the Internet Options found a proxy apparently running locally on IP 127.0.0.1 on port 7171.

From there on in, I used Regedit to find all instances of %fystemroot%. I re-enabled Windows Update and Background Intelligent Transfer Service and can download updates. Finally, Kaspersky is now finding nothing on the PC.
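The post-cleanup checks chrispm describes doing by hand (extra hosts-file entries, a local WinINet proxy, Windows Update and BITS disabled, registry values still containing %fystemroot%) can be scripted so they are repeatable on the next machine. The PowerShell below is an added example, not code from the thread or from any of the tools it names; it is report-only, and the registry roots it walks, the list of "stock" hosts names and the service names are assumptions chosen for this example. It must run in an elevated Windows PowerShell session, and only after the offline (Linux Live CD) file removal the post relies on, because a rootkit that is still active can hide files, processes and registry keys from the very APIs this script uses.

```powershell
# Added example, not from the original thread. Run elevated, AFTER the offline
# cleanup: a live rootkit can hide keys and files from the APIs used here.
# The only malware-specific string is "%fystemroot%" from the thread title.

function Test-HostsFile {
    # Stock hosts files map only localhost names; anything else is worth a look
    # (the post found an extra 127.0.0.1 line). The name list is an assumption.
    $path  = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
    $stock = @('localhost', 'localhost.localdomain', 'broadcasthost')
    foreach ($raw in (Get-Content -Path $path -ErrorAction Stop)) {
        $line = ($raw -split '#')[0].Trim()          # drop comments and blanks
        if (-not $line) { continue }
        $fields = $line -split '\s+'
        if ($fields.Count -lt 2) { continue }         # IP with no names
        foreach ($name in $fields[1..($fields.Count - 1)]) {
            if ($stock -notcontains $name.ToLower()) {
                [pscustomobject]@{ Check = 'hosts'; Detail = "$($fields[0]) $name" }
            }
        }
    }
}

function Test-WinInetProxy {
    # Per-user proxy shown under Internet Options > Connections > LAN settings;
    # the post saw it pointed at 127.0.0.1:7171. Also flags a PAC URL.
    $key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
    $p = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    if ($p.ProxyEnable -eq 1 -and $p.ProxyServer) {
        [pscustomobject]@{ Check = 'proxy'; Detail = "ProxyServer=$($p.ProxyServer)" }
    }
    if ($p.AutoConfigURL) {
        [pscustomobject]@{ Check = 'proxy'; Detail = "AutoConfigURL=$($p.AutoConfigURL)" }
    }
}

function Test-UpdateServices {
    # Windows Update (wuauserv) and BITS both had to be re-enabled in the post.
    # Win32_Service.StartMode works on old Windows PowerShell too.
    foreach ($name in 'wuauserv', 'BITS') {
        $svc = Get-WmiObject -Class Win32_Service -Filter "Name='$name'"
        if (-not $svc) {
            [pscustomobject]@{ Check = 'service'; Detail = "$name not installed" }
        } elseif ($svc.StartMode -eq 'Disabled') {
            [pscustomobject]@{ Check = 'service'; Detail = "$name StartMode=Disabled State=$($svc.State)" }
        }
    }
}

function Find-RegistryString {
    # Walks the hives for REG_SZ / REG_EXPAND_SZ / REG_MULTI_SZ values that contain
    # $Needle. Environment names are NOT expanded so the raw "%fystemroot%" text
    # is matched. The root list is an assumption; widen it if needed.
    param(
        [string]   $Needle = '%fystemroot%',
        [string[]] $Roots  = @('HKLM:\SOFTWARE', 'HKLM:\SYSTEM\CurrentControlSet', 'HKCU:\Software')
    )
    $noExpand = [Microsoft.Win32.RegistryValueOptions]::DoNotExpandEnvironmentNames
    foreach ($root in $Roots) {
        Get-ChildItem -Path $root -Recurse -ErrorAction SilentlyContinue | ForEach-Object {
            $key = $_
            try { $names = $key.GetValueNames() } catch { return }   # access denied etc.
            foreach ($valueName in $names) {
                $value = $key.GetValue($valueName, $null, $noExpand)
                foreach ($s in @($value)) {                           # handles REG_MULTI_SZ
                    if ($s -is [string] -and $s.IndexOf($Needle, 'OrdinalIgnoreCase') -ge 0) {
                        [pscustomobject]@{ Check = 'registry'; Detail = "$($key.Name)\$valueName = $s" }
                    }
                }
            }
        }
    }
}

$findings = @(Test-HostsFile) + @(Test-WinInetProxy) + @(Test-UpdateServices) + @(Find-RegistryString)
if ($findings.Count -eq 0) { 'No leftovers found.' }
else { $findings | Format-Table -AutoSize -Wrap }
```

The script deliberately reports rather than repairs: hosts entries and registry hits need a human to decide what is malware and what is a legitimate application setting, and a user with a real corporate proxy will trip the proxy check. Once the report is reviewed, the fixes are the ones in the post: delete the offending hosts line, untick the proxy in Internet Options (or set ProxyEnable to 0 under the same key), set wuauserv and BITS back to Automatic or Manual, and remove or correct each registry value that still points through %fystemroot%.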