Published Mar 18, 2005 | Updated Sep 15, 2017

VirTool:WinNT/FURootkit.A

Detected by Microsoft Defender Antivirus

Aliases: Backdoor.Sdbot (Symantec), FURootkit trojan (McAfee)

Summary

Virtool:WinNT/FURootkit.A is a kernel-mode rootkit program that targets computers running certain versions of Microsoft Windows. It is primarily used to hide certain processes from process viewers or to hide certain device drivers. This rootkit is often bundled with other malicious software. For example, it is installed on a computer by some variants of Win32/Rbot.
To manually recover from infection by Virtool:WinNT/FURootkit.A, perform the following steps:
  1. Disconnect from the Internet.
  2. Delete the rootkit file from your computer.
  3. Delete the rootkit registry entry.
  4. Scan with antivirus software.
  5. Restart your computer.
  6. Take steps to prevent re-infection.

Disconnect from the Internet

To help ensure that your computer is not actively infecting other computers, disconnect it from the Internet before proceeding. Print this Web page or save a copy on your computer; then unplug your network cable and disable your wireless connection. You can reconnect to the Internet after completing these steps.

Delete the rootkit file from your computer

To delete the rootkit file from the computer
  1. Click Start, and then click Run.
  2. In the Open field, type %windir%\system32
  3. Press Enter.
  4. Click the Name column to sort files by name.
  5. Delete the file msdirectx.sys.

Delete the rootkit registry entries

Virtool:WinNT/FURootkit.A creates entries in the Windows registry that attempt to run it as a service.
To delete the rootkit registry entries
  1. Click Start, and then click Run.
  2. In the Open field, type regedit
  3. Press Enter.
  4. Navigate to the registry key:
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\msdirectx
  5. Right-click the key and click Delete.
  6. Click Yes to confirm the deletion.
  7. Navigate to the registry key:
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\msdirectx
  8. Right-click the key and click Delete.
  9. Click Yes to confirm the deletion.
  10. Close the Registry Editor.
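The file and registry removal steps above, as an added PowerShell script (not Microsoft's code): it audits the artifacts the advisory names (msdirectx.sys in %windir%\system32 and the msdirectx service key) and removes them only when asked. It goes slightly beyond the advisory by checking every ControlSet* key under HKLM\SYSTEM, since CurrentControlSet is a link to one of them; the -Remove switch is this script's own.

```powershell
# Added example, not part of the Microsoft advisory. Run from an elevated PowerShell.
# Assumed from the advisory: driver file msdirectx.sys and service key "msdirectx".
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [switch]$Remove   # without this switch the script only reports what it finds
)

$driverPath  = Join-Path $env:windir 'system32\msdirectx.sys'
$serviceName = 'msdirectx'

# The advisory lists ControlSet001 and CurrentControlSet; enumerating every
# ControlSet* subkey also covers machines whose current set is ControlSet002+.
$serviceKeys = Get-ChildItem 'HKLM:\SYSTEM' |
    Where-Object { $_.PSChildName -like 'ControlSet*' } |
    ForEach-Object { "HKLM:\SYSTEM\$($_.PSChildName)\Services\$serviceName" } |
    Where-Object { Test-Path $_ }

$findings = @()
if (Test-Path $driverPath) { $findings += "driver file present: $driverPath" }
foreach ($key in $serviceKeys) {
    $imagePath = (Get-ItemProperty $key -ErrorAction SilentlyContinue).ImagePath
    $findings += "service key present: $key (ImagePath: $imagePath)"
}

# A loaded driver is listed by the service control manager. The rootkit hides
# processes and drivers, so an empty result does not prove it is absent, but a
# hit confirms the driver is loaded and the file cannot be deleted until restart.
if (Get-CimInstance Win32_SystemDriver -Filter "Name='$serviceName'" -ErrorAction SilentlyContinue) {
    $findings += "driver '$serviceName' is currently loaded; restart before deleting the file"
}

if (-not $findings) { Write-Output 'No FURootkit.A artifacts found.'; return }
$findings | ForEach-Object { Write-Warning $_ }

if ($Remove) {
    foreach ($key in $serviceKeys) {
        if ($PSCmdlet.ShouldProcess($key, 'Remove registry key')) {
            Remove-Item $key -Recurse -Force
        }
    }
    if ((Test-Path $driverPath) -and $PSCmdlet.ShouldProcess($driverPath, 'Delete file')) {
        # This fails while the driver is loaded; rerun after the restart in that case.
        Remove-Item $driverPath -Force
    }
}
```

Run it once without -Remove to see the report, then with -Remove -WhatIf to preview the deletions before committing to them.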

Scan with antivirus software

Virtool:WinNT/FURootkit.A can infect many files on your computer. To clean these files, you must run a full-system scan with an up-to-date antivirus product. If you don't have antivirus software installed, you can get it from several sources. For more information, see http://www.microsoft.com/athome/security/downloads/default.mspx

Restart your computer

Virtool:WinNT/FURootkit.A is a kernel-mode driver that cannot be removed without restarting your computer.

To restart your computer

  1. On the Start menu, click Shut Down.
  2. Select Restart from the drop-down list and click OK.

Take steps to prevent re-infection

Do not reconnect your computer to the Internet until the computer is protected from re-infection. See the "Preventing Infection" section for more information.