cannot create folder named "sys"

I'm having the same problem. I want to install Adobe Acrobat 7.0
Professional and it wants to create a folder named SYS but it can't, so the
installation is cancelled.
I'm running WinXP Pro with all updates. Norton antivirus (and Norton
Protected Recycle Bin).
I searched Google and it appears to be a rare problem, although I roughly
recall an e-mail from a friend a long time ago that was about some
"interesting facts about windows" that included something about not being
able to create a folder named SYS. But don't the people at Adobe know this?!
 
I have the same problem, though I still haven't tried, but I found on
another forum something that you may try:

Yes mate. It turned out I had an active rootkit operating on my system
- not sure if you know about rootkits but they're some kind of driver
level hacker tool that can access your system and do pretty much
anything it wants.



Anyway, what it was doing was hiding itself by making its filename
invisible but a side effect was that whenever anything tried to create
a folder called "sys" the rootkit also hid that - so its own stealth
actually gave it away in the end. For example, the rootkit was called
driver32.sys (or something) and it was hiding the "sys" part which also
made the sys folder I was trying to create invisible and thus
inaccessible.



In the end I sought help on the SpyBot forums and with their help and
the help of HiJackThis and BlackLight Beta found and eliminated it.



I'll give you the link here so you can read thru my progress and
hopefully apply it yourself. I would strongly recommend joining this
forum and posting a thread like I did too so some of the experts there
can check it out for you :-)



Read the thread carefully and see if any of it applies - there's some
generic steps in that thread that would work for anyone. And the Ewido
anti-malware program caught literally hundreds of items that SpyBot and
AdAware missed.

The main program that stopped the rootkit tho was BlackLight beta (link
http://www.f-secure.com/blacklight/try.shtml) but that's also explained
in the thread.



Here's the main forum index link

http://forums.spybot.info/index.php

and here's the thread that dealt with my problem specifically.

http://forums.spybot.info/showthread.php?t=2554


Hope it proves useful - as I said, sign up and post a HiJackThis log
there with a little explanation. May take a day or two but you'll get
some great advice.



Hope that helps.

Phil.
 
I've worked it out! It's not that profound at all!

Since I have 2 operating systems, & one of them works well,
I simply boot with the good one, & kill all the suspects found in the bad OS.
The only suspect I have is "sysbus32.sys"; after I kill it, the system runs back
to normal.

I suggest that:
Run RootkitRevealer first, write down all the suspects;
Boot in safe mode & try to kill all the suspects.
In case safe mode was also affected, then try to boot from floppy/CD.

If there is an invisible key in the Registry, it's probably a rootkit!
Then you can safely kill all the processes related to that BAD key!

Hope this could help some of you!
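
The cross-view comparison behind the advice above (what the running system shows versus what a clean boot of the same disk shows), as an added example that is not part of the original posts. Both listings are constructed sample data, the Adobe folder path is a placeholder, and `hidden_entries` and `shared_token` are hypothetical helper names.

```python
import ntpath
from difflib import SequenceMatcher

# Constructed sample data: the same volume listed twice.
# OFFLINE = listing taken after booting the clean OS (or a CD).
# LIVE    = listing taken from inside the suspect installation.
OFFLINE = [
    r"C:\WINDOWS\system32\kernel32.dll",
    r"C:\WINDOWS\system32\notepad.exe",
    r"C:\WINDOWS\system32\drivers\sysbus32.sys",
    r"C:\Program Files\Adobe\sys",          # placeholder path
]
LIVE = [
    r"c:\windows\system32\kernel32.dll",    # same file, different case
    r"C:\WINDOWS\system32\notepad.exe",
]


def hidden_entries(live, offline):
    """Paths present in the offline view but missing from the live view.

    Windows paths are case-insensitive, so compare on a lower-cased key.
    """
    seen_live = {p.lower() for p in live}
    return sorted(p for p in offline if p.lower() not in seen_live)


def shared_token(paths, min_len=3):
    """A name fragment common to every hidden leaf name.

    Only a hint at what the hiding filter matches on, not proof.
    """
    names = [ntpath.basename(p).lower() for p in paths]
    if not names:
        return ""
    common = names[0]
    for name in names[1:]:
        sm = SequenceMatcher(None, common, name, autojunk=False)
        m = sm.find_longest_match(0, len(common), 0, len(name))
        common = common[m.a:m.a + m.size]
    return common if len(common) >= min_len else ""


if __name__ == "__main__":
    found = hidden_entries(LIVE, OFFLINE)
    for path in found:
        print("hidden from live view:", path)
    print("common name fragment:", shared_token(found) or "(none)")
```

Anything reported here exists on disk but is not shown by the running system, which is the same discrepancy RootkitRevealer and BlackLight look for.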
 
Hi Phil,

Thank you very much for the info, it helped!
So this is the IBM0003 trojan. I've deleted
system32\drivers\sysbus32.sys, and now it's okay.

Thanks again,
Zoltan Schavel
 
