rename or remove spooldr.sys et. al.

[Guest Thufir]

"Interestingly, the trojan disables a number of security utilities,

such as F-Secure's Blacklight rootkit detector and the ZoneAlarm

firewall.

 

Manual removal procedure:

 

1. Reboot Windows into Safe Mode (not Safe Mode with Networking!)

2. Delete the following files: C:\Windows\spooldr.exe and C:\Windows

\system32\drivers\spooldr.sys

3. Reboot Windows into normal mode

4. Go to Start -> Run..., type sfc.exe /scannow and click OK

5. When prompted, insert your Windows CD to restore the corrupted

tcpip.sys"

 

<http://blog.misec.net/tag/rootkits/>

 

 

How is this file hidden? The registry is corrupted so that files are

invisible? It can only be removed from safemode (no networking) or

the recovery console?

 

 

 

thanks,

 

Thufir

[Guest sgopus]

RE: rename or remove spooldr.sys et. al.

 

I assume you are either posting this in response to a question, or your

posting for FYI, either case you need to specify what TROJAN your talking

about and refer to the original question your responding to.

 

"Thufir" wrote:

>

> "Interestingly, the trojan disables a number of security utilities,

> such as F-Secure's Blacklight rootkit detector and the ZoneAlarm

> firewall.

>

> Manual removal procedure:

>

> 1. Reboot Windows into Safe Mode (not Safe Mode with Networking!)

> 2. Delete the following files: C:\Windows\spooldr.exe and C:\Windows

> \system32\drivers\spooldr.sys

> 3. Reboot Windows into normal mode

> 4. Go to Start -> Run..., type sfc.exe /scannow and click OK

> 5. When prompted, insert your Windows CD to restore the corrupted

> tcpip.sys"

>

> <http://blog.misec.net/tag/rootkits/>

>

>

> How is this file hidden? The registry is corrupted so that files are

> invisible? It can only be removed from safemode (no networking) or

> the recovery console?

>

>

>

> thanks,

>

> Thufir

>

>