4 Replies Latest reply on Nov 5, 2009 1:54 PM by secured2k


      Anyone see this?  Actual product from VirusScan.


      Actual threat names: W32/Cutwail.a!rootkit

      Affected Object: C:\WINDOWS\System32\drivers\ndis.sys

        • 1. Re: W32/Cutwail.a!rootkit
          Peter M

          Moved to Malware Discussion.


          What makes you think it's a McAfee product? It's well documented on the web as an infection.


          Are you seeking help with removal or just pointing it out?

          • 2. Re: W32/Cutwail.a!rootkit

            My McAfee AV detected this and it has been removed.


            ePolicy Orchestrator Notification

            Rule: Virus Detected and Removed

            Rule Defined At: Directory

            Description: Notifications sends an e-mail message when "Virus Detected and Removed" events are received.


            Number of events: 1

            Actual threat names: W32/Cutwail.a!rootkit


            Actual products: VirusScan


            Affected Computer IP:


            Affected Computer Name:


            Affected Object: C:\WINDOWS\System32\drivers\ndis.sys


            Source computer IP addresses: Not Available



            For additional information, see the Notification Log in the ePolicy Orchestrator console.

            • 3. Re: W32/Cutwail.a!rootkit
              Peter M

              We deal only with home products here and the home/home office type of setup. You'll have to post in Business I think, but let me check.

              • 4. Re: W32/Cutwail.a!rootkit

                This is an old rootkit virus that requires the NDIS.SYS file to be replaced from a known clean backup while not running Windows. This means using a Boot CD or "Scheduling a delayed file operation."