Guest Thufir
Posted August 23, 2007

"Interestingly, the trojan disables a number of security utilities, such as F-Secure's Blacklight rootkit detector and the ZoneAlarm firewall.

Manual removal procedure:

1. Reboot Windows into Safe Mode (not Safe Mode with Networking!)
2. Delete the following files: C:\Windows\spooldr.exe and C:\Windows\system32\drivers\spooldr.sys
3. Reboot Windows into normal mode
4. Go to Start -> Run..., type sfc.exe /scannow and click OK
5. When prompted, insert your Windows CD to restore the corrupted tcpip.sys"

<http://blog.misec.net/tag/rootkits/>

How is this file hidden? The registry is corrupted so that files are invisible? It can only be removed from safe mode (no networking) or the recovery console?

thanks,

Thufir
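The quoted removal procedure names two files and a system driver that ends up corrupted. Before rebooting into Safe Mode, an administrator will usually want a read-only check of whether those artifacts are actually present on the machine. The script below is an added example for this thread, not code from the quoted blog or from anyone posting here. It assumes an elevated PowerShell prompt and that the driver, like any kernel driver, is started through a service entry under HKLM\SYSTEM\CurrentControlSet\Services; the service name is unknown, so it searches every service's ImagePath for "spooldr" rather than guessing a name. The dllcache comparison applies to the XP/2003-era Windows the thread is about (sfc restores from that directory there); on later Windows the directory is absent and only the signature check runs.

```powershell
# Added example (not from the thread): read-only check for the artifacts named in
# the removal procedure. It deletes nothing and changes nothing.

$systemRoot = $env:SystemRoot

# Files named in step 2 of the quoted procedure.
$suspectFiles = @(
    (Join-Path $systemRoot 'spooldr.exe'),
    (Join-Path $systemRoot 'system32\drivers\spooldr.sys')
)

foreach ($path in $suspectFiles) {
    if (Test-Path -LiteralPath $path) {
        # -Force makes Get-Item return hidden/system files as well.
        $item = Get-Item -LiteralPath $path -Force
        Write-Output ("FOUND   {0}  size={1}  attrs={2}" -f $path, $item.Length, $item.Attributes)
    } else {
        Write-Output ("absent  {0}" -f $path)
    }
}

# A kernel driver needs a service entry to be loaded at boot. Listing services whose
# ImagePath mentions spooldr shows the driver even if the file itself is hidden from
# directory listings (the thread does not say how the file is hidden; this is just a
# second, independent place to look).
Get-ChildItem 'HKLM:\SYSTEM\CurrentControlSet\Services' -ErrorAction SilentlyContinue |
    ForEach-Object {
        $props = Get-ItemProperty -LiteralPath $_.PSPath -ErrorAction SilentlyContinue
        if ($props.ImagePath -and $props.ImagePath -match 'spooldr') {
            Write-Output ("SERVICE {0}  ImagePath={1}  Start={2}" -f $_.PSChildName, $props.ImagePath, $props.Start)
        }
    }

# Step 5 of the procedure restores tcpip.sys. Two quick integrity checks on the copy
# currently on disk: compare it to the dllcache copy (XP/2003 only) and look at its
# Authenticode signature.
function Get-Sha256Hex([string]$filePath) {
    $sha = [System.Security.Cryptography.SHA256]::Create()
    $stream = [System.IO.File]::OpenRead($filePath)
    try {
        ($sha.ComputeHash($stream) | ForEach-Object { $_.ToString('x2') }) -join ''
    } finally {
        $stream.Dispose()
        $sha.Dispose()
    }
}

$tcpip    = Join-Path $systemRoot 'system32\drivers\tcpip.sys'
$dllcache = Join-Path $systemRoot 'system32\dllcache\tcpip.sys'

if ((Test-Path -LiteralPath $tcpip) -and (Test-Path -LiteralPath $dllcache)) {
    $live  = Get-Sha256Hex $tcpip
    $cache = Get-Sha256Hex $dllcache
    if ($live -eq $cache) {
        Write-Output "tcpip.sys matches the dllcache copy ($live)"
    } else {
        Write-Output "tcpip.sys DIFFERS from the dllcache copy: live=$live cache=$cache"
    }
} else {
    Write-Output "dllcache copy of tcpip.sys not available; skipping hash comparison"
}

if (Test-Path -LiteralPath $tcpip) {
    # Caveat: Microsoft drivers are often catalog-signed, and older PowerShell versions
    # report those as NotSigned. Treat anything other than Valid as a reason to run sfc,
    # not as proof of tampering.
    $sig = Get-AuthenticodeSignature -FilePath $tcpip
    Write-Output ("tcpip.sys signature: {0}" -f $sig.Status)
}
```

The hash comparison deliberately uses the same reference sfc uses on that platform, so a mismatch is exactly the condition step 5 of the procedure is meant to repair; the service scan is the part that still works when the file is invisible to Explorer.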
Guest sgopus
Posted August 23, 2007

RE: rename or remove spooldr.sys et al.

I assume you are either posting this in response to a question, or you're posting it for FYI; in either case you need to specify what TROJAN you're talking about and refer to the original question you're responding to.

"Thufir" wrote:

> "Interestingly, the trojan disables a number of security utilities,
> such as F-Secure's Blacklight rootkit detector and the ZoneAlarm
> firewall.
>
> Manual removal procedure:
>
> 1. Reboot Windows into Safe Mode (not Safe Mode with Networking!)
> 2. Delete the following files: C:\Windows\spooldr.exe and C:\Windows
> \system32\drivers\spooldr.sys
> 3. Reboot Windows into normal mode
> 4. Go to Start -> Run..., type sfc.exe /scannow and click OK
> 5. When prompted, insert your Windows CD to restore the corrupted
> tcpip.sys"
>
> <http://blog.misec.net/tag/rootkits/>
>
> How is this file hidden? The registry is corrupted so that files are
> invisible? It can only be removed from safe mode (no networking) or
> the recovery console?
>
> thanks,
>
> Thufir