TechSpot

Problem with rofl.sys

By booyahgz
Feb 15, 2006
  1. I have been getting nonstop McAfee notices that rofl.sys has been infected by the NTRootKit-P virus, and that it's been cleaned. I've tried pretty much everything, and I can't get rid of it. Could someone please help me?
     
  2. PanicX

    PanicX TechSpot Ambassador Posts: 830

  3. Nukey

    Nukey TS Rookie Posts: 114

    Kaspersky is one of the best anti-virus tools out there. Go for it.
     
  4. Tedster

    Tedster Techspot old timer..... Posts: 10,074   +13

    Trend Micro solution:

    Solution:

    Identifying the Malware Program

    To remove this malware, first identify the malware program.

    1. Scan your system with your Trend Micro antivirus product.
    2. NOTE the path and file name of all files detected as TROJ_ROOTKIT.AE.

    Trend Micro customers need to download the latest virus pattern file before scanning their system. Other users can use Housecall, the Trend Micro online virus scanner.

    Restarting in Safe Mode

    • On Windows 2000

    1. Restart your computer.
    2. Press the F8 key when you see the Starting Windows bar at the bottom of the screen.
    3. Choose the Safe Mode option from the Windows Advanced Options Menu then press Enter.

    • On Windows XP

    1. Restart your computer.
    2. Press F8 after the Power-On Self Test (POST) is done. If the Windows Advanced Options Menu does not appear, try restarting and then pressing F8 several times after the POST screen.
    3. Choose the Safe Mode option from the Windows Advanced Options Menu then press Enter.

    • On Windows Server 2003

    1. Restart your computer.
    2. When you are prompted to select the operating system to start, press F8.
    3. On the Windows Advanced Option menu, use the arrow keys to select Safe Mode, and then press Enter.

    Deleting the Malware File(s)

    1. Right-click Start then click Search... or Find..., depending on the version of Windows you are running.
    2. In the Named input box, type the name of the file(s) detected earlier.
    3. In the Look In drop-down list, select the drive that contains Windows, then press Enter.
    4. Once located, select the file then press Delete.

    Editing the Registry

    This malware modifies the system's registry. Users affected by this malware may need to modify or delete specific registry keys or entries. For detailed information regarding registry editing, please refer to the following articles from Microsoft:

    1. HOW TO: Backup, Edit, and Restore the Registry in Windows 2000
    2. HOW TO: Back Up, Edit, and Restore the Registry in Windows XP and Server 2003

    Removing Autostart Entries from the Registry

    Removing autostart entries from the registry prevents the malware from executing at startup. In this procedure, you will need the name(s) of the file(s) detected earlier.

    If the registry entries below are not found, the malware may not have executed as of detection. If so, proceed to the succeeding solution set.

    1. Open Registry Editor. Click Start>Run, type REGEDIT, then press Enter.
    2. In the left panel, double-click the following:
    HKEY_LOCAL_MACHINE>SYSTEM>CurrentControlSet>Services
    3. In the right panel, locate and delete the entry or entries whose data value is the malware path and file name of the file(s) detected earlier.
    4. Close Registry Editor.

    Important Windows XP Cleaning Instructions

    Users running Windows XP must disable System Restore to allow full scanning of infected systems.

    Users running other Windows versions can proceed with the succeeding procedure set(s).

    Running Trend Micro Antivirus

    If you are currently running in safe mode, please restart your system normally before performing the following solution.

    Scan your system with Trend Micro antivirus and delete files detected as TROJ_ROOTKIT.AE. To do this, Trend Micro customers must download the latest virus pattern file and scan their system. Other Internet users can use HouseCall, the Trend Micro online virus scanner.
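
Added example (not part of the post above and not Trend Micro's code): a read-only check for the "Removing Autostart Entries from the Registry" step, which parses a regedit export of the Services key and lists the subkeys whose ImagePath names a file detected by the scan. The sample export, its service names and its paths are constructed for illustration; a real Version 5.00 export is a UTF-16 file and would be read with `encoding="utf-16"`.

```python
import re

def decode_value(raw):
    """Decode the value syntaxes regedit uses in a Version 5.00 export."""
    if raw.startswith('"'):                    # REG_SZ: quoted, backslashes doubled
        return raw[1:-1].replace("\\\\", "\\")
    if raw.startswith("dword:"):               # REG_DWORD
        return int(raw[6:], 16)
    if raw.startswith("hex(2):"):              # REG_EXPAND_SZ: UTF-16LE bytes
        data = bytes(int(b, 16) for b in raw[7:].split(",") if b.strip())
        return data.decode("utf-16-le").rstrip("\0")
    return raw

def find_service_entries(reg_text, detected_names):
    """Return (key, ImagePath, Start) for each key whose ImagePath names a detected file."""
    wanted = re.compile(r'(?:^|[\\/])(?:%s)(?=$|[\s"])'
                        % "|".join(map(re.escape, detected_names)), re.I)
    text = re.sub(r"\\\r?\n[ \t]*", "", reg_text)   # join "\"-continued hex lines
    hits, key, values = [], None, {}
    for line in text.splitlines() + ["[end]"]:       # sentinel flushes the last key
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            path = values.get("imagepath")
            if key and isinstance(path, str) and wanted.search(path):
                hits.append((key, path, values.get("start")))
            key, values = line[1:-1], {}
        else:
            m = re.match(r'"([^"]+)"=(.*)$', line)
            if m:
                values[m.group(1).lower()] = decode_value(m.group(2))
    return hits

def _expand_sz(s, width=8):
    """Write s as regedit exports REG_EXPAND_SZ: hex(2) bytes wrapped with a trailing backslash."""
    b = ["%02x" % x for x in (s + "\0").encode("utf-16-le")]
    return "hex(2):" + ",\\\n  ".join(",".join(b[i:i + width]) for i in range(0, len(b), width))

# Constructed sample export (service names and paths are made up for the example).
SERVICES = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services"
SAMPLE = "\n".join([
    "Windows Registry Editor Version 5.00", "",
    "[%s\\Beep]" % SERVICES,
    '"ImagePath"=' + _expand_sz(r"system32\drivers\beep.sys"),
    '"Start"=dword:00000001', "",
    "[%s\\rofl]" % SERVICES,
    '"ImagePath"=' + _expand_sz(r"\??\C:\WINDOWS\system32\drivers\rofl.sys"),
    '"Start"=dword:00000001', "",
])

if __name__ == "__main__":
    for key, path, start in find_service_entries(SAMPLE, ["rofl.sys"]):
        print(key, path, "Start=%s" % start)
```

The Start value is reported because it shows how the entry is loaded (0 boot, 1 system, 2 automatic, 3 manual, 4 disabled).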
     
  5. booyahgz

    booyahgz TS Rookie Topic Starter

    I did that, and it worked fine for like a week, but now I'm having the exact same problem again.
     
Topic Status:
Not open for further replies.

