I believe that a user at my company has gotten a RootKit installed on her laptop.
Research on the Internet, particularly at http://sandbox.norman.no/live_2.html?logfile=810935, leads me to think that the malware is an updated version of the FU_RootKit. I say updated because the registry keys and file names don't quite match.
This appears to be a three-step chain where the step-one executable looks for (and creates, if needed) a file called winstk32.exe, then runs it. Winstk32 then tries to create msdirectx.sys and SMonitor.sys. It also tries to create a tftp connection to somewhere. The AV on the laptop sees and kills the two files in the last step, and the firewall software is blocking the tftp. I managed to prevent winstk32.exe from being recreated and run on every boot by creating an empty Notepad doc with the same name in the System32 directory.
I have exported and deleted various relevant registry entries per the URL above. The user will have to e-mail those to me, if they are desired.
The user has XP SP2 with all current MS updates. MS updates were not current when she got the problem. She also has McAfee VirusScan Enterprise 8.0i with all current patches and virus definitions, McAfee Desktop Firewall 8.5 Patch 4, Ad-Aware 1.06 SE, Spybot S&D 1.4, and Windows Defender.
I will post again when I have more, but will welcome any suggestions in the meantime, such as how best to clean off the offending malware and what the executable in step one might be. It isn't MSNMEssenger.exe as in the Norman URL.
ASKED: August 9, 2006 5:36 PM
UPDATED: June 26, 2008 2:28 PM
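As an added example, not part of the original post, the following Python triage helper checks a directory (System32 in the post's case) for the three file names named above and distinguishes a zero-byte placeholder, like the empty Notepad document the poster created, from a real binary, which it hashes for later lookup. The indicator list and the sample directory it builds are constructed for this example.

```python
import hashlib
import tempfile
from pathlib import Path

# File names taken from the post (constructed list; a real variant may use others).
INDICATORS = ["winstk32.exe", "msdirectx.sys", "SMonitor.sys"]


def sha256_of(path: Path) -> str:
    """Hash a file in chunks so large binaries do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def triage_directory(directory, indicators=INDICATORS):
    """Return {indicator: status} for each name in `indicators` found under `directory`.

    Status is 'absent', 'placeholder' (a zero-byte file, i.e. the empty-document
    trick from the post), or 'present:<size>:<sha256>' for a non-empty file.
    """
    d = Path(directory)
    files = {p.name.lower(): p for p in d.iterdir() if p.is_file()}
    results = {}
    for name in indicators:
        # Match case-insensitively, since NTFS file names are case-insensitive.
        match = files.get(name.lower())
        if match is None:
            results[name] = "absent"
        elif match.stat().st_size == 0:
            results[name] = "placeholder"
        else:
            results[name] = f"present:{match.stat().st_size}:{sha256_of(match)}"
    return results


def build_sample_dir():
    """Constructed sample directory: one zero-byte placeholder and one fake driver."""
    d = Path(tempfile.mkdtemp())
    (d / "winstk32.exe").write_bytes(b"")
    (d / "smonitor.sys").write_bytes(b"MZ fake driver body for demo")  # 28 bytes
    return d


def demo():
    """Run the triage over the constructed sample and return its findings."""
    return triage_directory(build_sample_dir())


if __name__ == "__main__":
    for name, status in demo().items():
        print(f"{name}: {status}")
```

Point `triage_directory` at the real System32 directory to confirm the placeholder is still zero bytes and the two driver names remain absent after each reboot.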