Rootkit str.sys
russg
It ran extreemly slowly, so I started in safe mode and ran a quick
scan Malwarebytes.
Malwarebytes found 19 malwares, backdoor.bot, stolen.data, trojan
fakealert,
rogue.multiple and hijack.userinit, and rootkit.agent. It said it
deleted all of them.
I reboot into safe mode and run a complete scan with AVG (hasn't been
updated).
It found nothing. I did a normal boot and it took forever, so I re-
boot into
safe and run malwarebytes again and rootkit is still there.
c:\windows\system32\drivers\str.sys.
I researched rootkits briefly and one said rootkits may not be
removable,
they install too much to be detected.
I'm presently running GMER scan and it hasn't found anything yet.
I guess I'll try to get GMER to remove the rootkit, and if I can't,
I'll have
to tell him that we need to format and install with the original
installation
disks.
Advise would be appreciated.
David H. Lipman
Are you saying MBAM is detecting
c:\windows\system32\drivers\str.sys.
as a rootkit ?
--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp
FromTheRafters
news:31b2b890-bd31-49cf...@g26g2000yqe.googlegroups.com...
GMER is good (has nice features too). Many regular AVs are adopting
anti-rootkit technology - and unless I miss my guess, it is another 'the
more the merrier' situation with regard to more comprehensive coverage.
I suggest after running MBAM in safe mode - run it again in normal mode.
Update your AVG (hasn't been updated?) and scan with it as well.
Better yet, use David's Multi AV (better scanners than AVG IMO).
...but here's the bottom line - flatten and rebuild gives you more
confidence in the results.
russg
wrote:
> From: "russg" <russg...@sbcglobal.net>
>
> | I'm trying to help my grandson with his highly infected laptop.
> | It ran extreemly slowly, so I started in safe mode and ran a quick
> | scan Malwarebytes.
> | Malwarebytes found 19 malwares, backdoor.bot, stolen.data, trojan
> | fakealert,
> Are you saying MBAM is detecting
>
> c:\windows\system32\drivers\str.sys.
>
> as a rootkit ?
>
Files Infected:
C:\WINDOWS\System32\lowsec\local.ds (Stolen.data) -> No action taken.
C:\WINDOWS\System32\lowsec\user.ds (Stolen.data) -> No action taken.
C:\WINDOWS\System32\lowsec\user.ds.lll (Stolen.data) -> No action
taken.
C:\WINDOWS\System32\drivers\str.sys (Rootkit.Agent) -> No action
taken.
C:\WINDOWS\System32\sdra64.exe (Trojan.FakeAlert) -> No action taken.
C:\Users\Ben\AppData\Roaming\sdra64.exe (Trojan.Agent) -> No action
taken.
I'm not sure where the log file is from after deletion.
I'm running AVG Anti-Rookit Free right now. It refused to run in safe
mode
and quick scan finds the C:\Win..\sys..32\drivers\str.sys and another
hidden file in the same path called .. awwufouer.sys.
I'm going to see if AVG Antirootkit works.
russg
> "russg" <russg...@sbcglobal.net> wrote in message
>
> news:31b2b890-bd31-49cf...@g26g2000yqe.googlegroups.com...
>
>
>
> > I'm trying to help my grandson with his highly infected laptop.
> > It ran extreemly slowly, so I started in safe mode and ran a quick
> > scan Malwarebytes.
> > Malwarebytes found 19 malwares, backdoor.bot, stolen.data, trojan
> > fakealert,
> > Advise would be appreciated.
>
> GMER is good (has nice features too). Many regular AVs are adopting
> anti-rootkit technology - and unless I miss my guess, it is another 'the
> more the merrier' situation with regard to more comprehensive coverage.
>
> I suggest after running MBAM in safe mode - run it again in normal mode.
>
> Update your AVG (hasn't been updated?) and scan with it as well.
>
> Better yet, use David's Multi AV (better scanners than AVG IMO).
>
> ...but here's the bottom line - flatten and rebuild gives you more
> confidence in the results.
I don't know how to download AVG update and install it. I can't
update from the infected computer as it has no internet right now,
the old wireless adapter he busted and the built in one
doesn't work (Compaq laptop, running Vista).
I haven't used Multi-AV lately, the problem isn't
that I can't find infected files.
Thanks
russg
It looks like AVG AntiRootkit does the same thing as GMER,
it reaches a certain point then hangs, refuses to continue
its search. AVG ARK isn't exactly hung, the traveling
progress bar keeps rotating, but the path/file doesn't
change at 95% in 'quick' mode.
David H. Lipman
>> as a rootkit ?
Classic Zbot infection.
Can you boot into the Recovery Console ?
If yes, delte the SYS file from the RC.
russg
>
> Classic Zbot infection.
>
> Can you boot into the Recovery Console ?
> If yes, delte the SYS file from the RC.
>
> --
> Davehttp://www.claymania.com/removal-trojan-adware.html
> Multi-AV -http://www.pctipp.ch/downloads/dl/35905.asp
I removed the three files using AVG AntiRK, and rebooted, which AVG
ARK
congratulated me on removing the rootkit. I ran a complete scan
of 12/3/09 MBAM and it found an infection, I can't tell which
as it is still scanning.
I will try to remove the str.sys from the recovery consol after
MBAM finishes. I begin to suspect 'flaten and restore from
scratch' may be in order. If the rootkit involves the MBR,
will a format remove it?
FromTheRafters
I don't know how to download AVG update and install it. I can't
update from the infected computer as it has no internet right now,
the old wireless adapter he busted and the built in one
doesn't work (Compaq laptop, running Vista).
I haven't used Multi-AV lately, the problem isn't
that I can't find infected files.
***
Oh, I see. Of course there *is* a difference between 'can't find
infected files' and 'infected files are hidden' when rootkits are
involved (no need to hide code within a file if the file itself can be
hidden from the scanners).
In many cases the rootkit must be gone before any file scanner can be
effective.
Good luck with the anti-rootkits you use.
David H. Lipman
| snip
>> Classic Zbot infection.
What was "awwufouer.sys" identified as ?
See:
http://www.threatexpert.com/report.aspx?md5=03c8db77f600c5473cb90c650fc4bd4e
http://www.threatexpert.com/report.aspx?md5=39a01ca6d77a4a9f1d3380cb6a8bed0b
Both are relative to a Rustock which is a Rootkit and str.sys
A wipe and re-install *may* be in order if you feel comfortable with it.
russg
>
> What was "awwufouer.sys" identified as ?
>
>
> http://www.threatexpert.com/report.aspx?md5=39a01ca6d77a4a9f1d3380cb6...
>
> Both are relative to a Rustock which is a Rootkit and str.sys
>
> A wipe and re-install *may* be in order if you feel comfortable with it.
>
AntiRK.
It was identified as a hidden file in the C:\windows\system32\drivers
directory.
I don't have a log of that, but it had two entries, one may have been
as
a 'driver'.
I may be making progress. The full scan MBAM identifies no rootkits
now.
Identifies file rogue.installer and infected registry key
spyware.passwords.
MBAM says it removed them. Now I'll see if F11 can enter the recovery
consol, but won't try that just yet. I'll reboot a few times and re-
run
MBAM.
russg
downloading MP3s at www.jamglue.com.
He wants a clean computer, so, if we get his 4 gigs of music off the
laptop, he's willing to
recover it.
I believe we may have it cleaned, however. Several reboots and re-
scans and maybe.
The Central Scrutinizer
--
"russg" <russ...@sbcglobal.net> wrote in message
news:ff626291-caf5-4d98...@j24g2000yqa.googlegroups.com...
russg
> "russg" <russg...@sbcglobal.net> wrote in message
I believe it is done. The AVG Anti-Rootkit worked, along with MBAM in
getting rid of other stuff.
I've rebooted and re-scanned with MBAM, both full scan and quick scan,
safe and normal mode
scans, reports clean.
Thanks for the help, it was almost as quick as being on the phone.
FromTheRafters
***
Glad to hear you've gotten it cleaned. "Flatten and Rebuild" is not
always necessary, but everyone should (IMO) have it planned out so that
it is the easiest route - certainly having a recent known good disk
image handy makes recovery by this drastic method much less daunting.
A little planning ahead and this type of recovery becomes easier than a,
perhaps, cleaning with all of these good tools.
Something to consider anyways - and it works for harddrive malfunctions
too (let's see a 'cleaner' do that!).
***
David H. Lipman
| I believe it is done. The AVG Anti-Rootkit worked, along with MBAM in
| getting rid of other stuff.
| I've rebooted and re-scanned with MBAM, both full scan and quick scan,
| safe and normal mode
| scans, reports clean.
| Thanks for the help, it was almost as quick as being on the phone.
Fantastic Russ!
russg
I used to use Ghost. That was before it trashed my computer, I had to
re-build from scratch. It happened during a backup. It completed and
then refused to re-boot, it just kept cycling thru the black pre-
windows
screen. I could boot with ubuntu and was able to back up some of
my most important stuff. Ubuntu was neat, but kept refusing to
copy more stuff to usb memory sticks.
I don't like Norton/Symantec much, but thought Ghost 2003 was
good. Not any more. I don't know of a good replacement.
I've used Ghost before and this didn't happen. I may buy
Nero backit up, which I've used without problems.
russg
Grandson says computer isn't working right, wants to restore from
original backup discs.
I haven't scanned it with MBAM, but I'll take his word that it isn't
right.