system.drv gets deleted & system32 is invisible

G

Guest

Was 2000 Pro, I upgraded to XP Pro, hoping it would fix this. When starting
an old 'voice-mail' program, I got a system.drv file
is missing or corrupt, please reinstall. In my search for the system.drv
file, I discovered that my system32 folder is hidden and unsearchable from
explorer. Even at a command prompt, the dir command won't reveal the
directory. I can, however, 'cd' to the directory and 'dir' its contents.
Sure enough, no system.drv file exists. When I try to copy or expand
system.drv from a cab file, it is immediately deleted from my system. I
suspect a virus, but with the latest signatures, nothing shows. I've ran the
new versions of spybot and adaware with their respective, new signatures and
cleaned off all items that show. Throughout this, I am unable to make my
system32 folder visable and searchable again. I have tried the attrib -h on
the folder at the commanc prompt. I have ran sfc /scan now, but nothing was
fixed. Where else should I be looking and what else could I do? (Now, I
can't connect to my server, after this upgrade) Thank you for any help, I
know
you've helped me before, in this group.
PATOPP
 
G

Guest

It turns out, this was Malware utilizing a rootkit. According to
http://www.kpmginsiders.com/display_analysis.asp?action=vote&cs_id=135509
"The term "rootkit" stems from the Unix operating system, in which the
highest level of administrative permissions is called "root access." A
rootkit is software that grants a user advanced privileges, such as the
ability to hide files or applications from the rest of the operating system.
In the Windows operating environment, rootkits can conceal spyware,
viruses, keystroke loggers, and other malicious software. In the worst
instances, the malware can promote identity theft by capturing user
identities and passwords."
This particular instance was hiding my system32 folder and system.drv
(along with other 'system' files. I discovered this while trying to rename a
file with DOS to system.drv and it stated that the file already existed. I
could not (as administrator) even grant myself permissions or ownership of
certain areas of my drive.
THE FIX! I had new virus signatures, but an older engine. I had to
remove my drive and put it in to another computer as a secondary drive. The
other computer had a new virus scan engine and new signatures. It was able
to remove the rootkit and once installed back into its original box, the
anti-spyware programs were able to clean the malware. I hope this post helps
someone.
 

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments. After that, you can post your question and our members will help you out.

Ask a Question

Similar Threads

system32 "invisible" system.drv deleted 1
System.Drv 1
C:\windows\system32\system missing or corrupt. 3
How do I re-install COMM.DRV 1
I want to run a batch file. Is there an easier way 2
Can't run apps in %SystemRoot%\system32 2
File not visible in explorer window...but it's there. 4
What are these ~100M files in my windows\system32? Anyone else got them? 7

Top