Skip to main content
Skip to main content
Microsoft Security Intelligence
Cart 0 items in shopping cart
Sign in
Published Jun 15, 2005 | Updated Sep 15, 2017

VirTool:WinNT/Macpro.A

Detected by Microsoft Defender Antivirus

Aliases: BackDoor-CST (McAfee)

Summary

VirTool:WinNT/Macpro.A is a kernel-mode rootkit that targets Windows NT, Windows 2000, and Windows XP. It can hide processes, files, folders, and registry values on the infected computer. It is dropped by Backdoor:Win32/Samsteal.A.dr.
To recover manually from VirTool:WinNT/Macpro.A:
  1. Disconnect from the Internet.
  2. Remove the Trojan service.
  3. Delete the Trojan file.
  4. Take steps to prevent re-infection.

Disconnect from the Internet

To help ensure that your computer is not actively infecting other computers, disconnect it from the Internet before proceeding. Print this Web page or save a copy on your computer; then unplug your network cable and disable your wireless connection. You can reconnect to the Internet after completing these steps.

Remove the Trojan service

To remove the Trojan service
  1. On the Start menu, click Settings, then click Control Panel.
  2. Double-click Administrative Tools.
  3. Double-click Services.
  4. If a service called mac128 is in the list, right-click it.
  5. If the service is running, click Stop.
  6. Right-click the service again and click Properties.
  7. Under Startup Type, change the type to Disabled.

Delete the Trojan file

To delete the Trojan file
  1. Click Start, and click Run.
  2. In the Open field, type %windir%\VirtualMGR, for example, C:\Windows\VirtualMGR
  3. Click OK.
  4. Click Name to sort files by name.
  5. If the file mac128.sys is in the list, delete it.
  6. On the Desktop, right-click the Recycle Bin and click Empty Recycle Bin.
  7. Click Yes to confirm the deletion.

Restart your computer

To restart your computer
  1. On the Start menu, click Shut Down.
  2. Select Restart from the drop-down list and click OK.

Take steps to prevent re-infection

Do not reconnect your computer to the Internet until the computer is protected from re-infection. See the "Preventing Infection" section for more information.
Follow us