From: russg on 9 Dec 2009 20:36

On Dec 9, 8:23 pm, russg <russg...(a)sbcglobal.net> wrote:
> On Dec 9, 7:37 pm, "David H. Lipman" <DLipman~nosp...(a)Verizon.Net> wrote:
> > From: "russg" <russg...(a)sbcglobal.net>
> >
> > | I'm trying to help my grandson with his highly infected laptop.
> > | It ran extremely slowly, so I started in safe mode and ran a quick
> > | scan with Malwarebytes.
> > | Malwarebytes found 19 malwares, backdoor.bot, stolen.data, trojan
> > | fakealert,
> snip
> > Are you saying MBAM is detecting
> >
> > c:\windows\system32\drivers\str.sys.
> >
> > as a rootkit ?
>
> Yes, here's from the 1st run of the MBAM log:
> Files Infected:
> C:\WINDOWS\System32\lowsec\local.ds (Stolen.data) -> No action taken.
> C:\WINDOWS\System32\lowsec\user.ds (Stolen.data) -> No action taken.
> C:\WINDOWS\System32\lowsec\user.ds.lll (Stolen.data) -> No action taken.
> C:\WINDOWS\System32\drivers\str.sys (Rootkit.Agent) -> No action taken.
> C:\WINDOWS\System32\sdra64.exe (Trojan.FakeAlert) -> No action taken.
> C:\Users\Ben\AppData\Roaming\sdra64.exe (Trojan.Agent) -> No action taken.
>
> I'm not sure where the log file is from after deletion.
>
> I'm running AVG Anti-Rootkit Free right now. It refused to run in safe mode,
> and quick scan finds the C:\Win..\sys..32\drivers\str.sys and another
> hidden file in the same path called .. awwufouer.sys.
> I'm going to see if AVG Antirootkit works.

It looks like AVG AntiRootkit does the same thing as GMER: it reaches a certain point, then hangs and refuses to continue its search. AVG ARK isn't exactly hung, the traveling progress bar keeps rotating, but the path/file doesn't change at 95% in 'quick' mode.
From: David H. Lipman on 9 Dec 2009 21:38

From: "russg" <russgilb(a)sbcglobal.net>

| On Dec 9, 7:37 pm, "David H. Lipman" <DLipman~nosp...(a)Verizon.Net>
| wrote:
>> From: "russg" <russg...(a)sbcglobal.net>
>> | I'm trying to help my grandson with his highly infected laptop.
>> | It ran extremely slowly, so I started in safe mode and ran a quick
>> | scan with Malwarebytes.
>> | Malwarebytes found 19 malwares, backdoor.bot, stolen.data, trojan
>> | fakealert,
| snip
>> Are you saying MBAM is detecting
>> c:\windows\system32\drivers\str.sys.
>> as a rootkit ?

| Yes, here's from the 1st run of the MBAM log:
| Files Infected:
| C:\WINDOWS\System32\lowsec\local.ds (Stolen.data) -> No action taken.
| C:\WINDOWS\System32\lowsec\user.ds (Stolen.data) -> No action taken.
| C:\WINDOWS\System32\lowsec\user.ds.lll (Stolen.data) -> No action taken.
| C:\WINDOWS\System32\drivers\str.sys (Rootkit.Agent) -> No action taken.
| C:\WINDOWS\System32\sdra64.exe (Trojan.FakeAlert) -> No action taken.
| C:\Users\Ben\AppData\Roaming\sdra64.exe (Trojan.Agent) -> No action taken.

| I'm not sure where the log file is from after deletion.

| I'm running AVG Anti-Rootkit Free right now. It refused to run in safe mode,
| and quick scan finds the C:\Win..\sys..32\drivers\str.sys and another
| hidden file in the same path called .. awwufouer.sys.
| I'm going to see if AVG Antirootkit works.

Classic Zbot infection.

Can you boot into the Recovery Console ?
If yes, delete the SYS file from the RC.

--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp
From: russg on 9 Dec 2009 21:48

snip
>
> Classic Zbot infection.
>
> Can you boot into the Recovery Console ?
> If yes, delete the SYS file from the RC.
>
> --
> Dave
> http://www.claymania.com/removal-trojan-adware.html
> Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp

I removed the three files using AVG AntiRK and rebooted, after which AVG ARK congratulated me on removing the rootkit. I ran a complete scan with the 12/3/09 MBAM and it found an infection; I can't tell which, as it is still scanning. I will try to remove the str.sys from the recovery console after MBAM finishes. I begin to suspect 'flatten and restore from scratch' may be in order. If the rootkit involves the MBR, will a format remove it?
From: FromTheRafters on 9 Dec 2009 21:59

"russg" <russgilb(a)sbcglobal.net> wrote in message
news:57d0a793-34f8-410c-bd77-acacdef47b98(a)g12g2000yqa.googlegroups.com...

> I don't know how to download AVG update and install it. I can't update
> from the infected computer as it has no internet right now, the old
> wireless adapter he busted and the built in one doesn't work (Compaq
> laptop, running Vista). I haven't used Multi-AV lately, the problem
> isn't that I can't find infected files.

*** Oh, I see.

Of course there *is* a difference between 'can't find infected files' and 'infected files are hidden' when rootkits are involved (no need to hide code within a file if the file itself can be hidden from the scanners). In many cases the rootkit must be gone before any file scanner can be effective.

Good luck with the anti-rootkits you use.
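The MBAM "Files Infected:" lines posted earlier in this thread have a regular shape (path, detection name in parentheses, "-> action"), and the point just made about removing the rootkit before trusting any file scanner suggests an ordering for the cleanup. The following is an added example, not code from any poster or from Malwarebytes: a small parser for that log format plus a triage that puts kernel drivers flagged as rootkits first, executables second, and data files last. The sample log is constructed by copying the six lines from the thread; the regex, the `triage` priorities and the function names are my own assumptions about a useful shape, not anything MBAM itself provides.

```python
import re
from collections import defaultdict

# Constructed sample: the "Files Infected:" section as posted in this thread.
SAMPLE_LOG = r"""
Files Infected:
C:\WINDOWS\System32\lowsec\local.ds (Stolen.data) -> No action taken.
C:\WINDOWS\System32\lowsec\user.ds (Stolen.data) -> No action taken.
C:\WINDOWS\System32\lowsec\user.ds.lll (Stolen.data) -> No action taken.
C:\WINDOWS\System32\drivers\str.sys (Rootkit.Agent) -> No action taken.
C:\WINDOWS\System32\sdra64.exe (Trojan.FakeAlert) -> No action taken.
C:\Users\Ben\AppData\Roaming\sdra64.exe (Trojan.Agent) -> No action taken.
"""

# One MBAM file entry: "<path> (<Detection.Name>) -> <action>."
# The regex is an assumption fitted to the lines above, not MBAM's documented grammar.
ENTRY_RE = re.compile(r"^(?P<path>.+?) \((?P<detection>[^)]+)\) -> (?P<action>.+?)\.?$")


def parse_mbam_files(log_text):
    """Return one dict (path, detection, action) per file-entry line; skip headers/blank lines."""
    entries = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line or line.endswith(":"):  # blank or a section header like "Files Infected:"
            continue
        m = ENTRY_RE.match(line)
        if m:
            entries.append(m.groupdict())
    return entries


def summarize(entries):
    """Group paths by detection name, e.g. to see how many Stolen.data hits there are."""
    by_detection = defaultdict(list)
    for e in entries:
        by_detection[e["detection"]].append(e["path"])
    return dict(by_detection)


def triage(entries):
    """Order entries for removal.

    Priority 0: drivers under \\drivers\\ or anything named Rootkit.*, because a live
    rootkit can hide the remaining files from every file-level scanner (the point made
    in the thread), so it has to go first, e.g. deleted from offline.
    Priority 1: executables (the droppers / loaders).
    Priority 2: data files such as the lowsec\\*.ds files the log calls Stolen.data.
    """
    def priority(e):
        path = e["path"].lower()
        det = e["detection"].lower()
        if det.startswith("rootkit") or (path.endswith(".sys") and "\\drivers\\" in path):
            return 0
        if path.endswith(".exe"):
            return 1
        return 2
    return sorted(entries, key=lambda e: (priority(e), e["path"].lower()))


if __name__ == "__main__":
    found = parse_mbam_files(SAMPLE_LOG)
    for det, paths in summarize(found).items():
        print(f"{det}: {len(paths)} file(s)")
    print("Removal order:")
    for e in triage(found):
        print(f"  {e['path']}  [{e['detection']}]")
```

Run it against a real `mbam-log-*.txt` by reading the file into `parse_mbam_files` instead of `SAMPLE_LOG`; the triage is only a suggested order, and an entry that sorts last is not therefore harmless.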
From: David H. Lipman on 9 Dec 2009 22:01

From: "russg" <russgilb(a)sbcglobal.net>

| snip
>> Classic Zbot infection.
>> Can you boot into the Recovery Console ?
>> If yes, delete the SYS file from the RC.
>> --
>> Dave
>> http://www.claymania.com/removal-trojan-adware.html
>> Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp

| I removed the three files using AVG AntiRK, and rebooted, which AVG
| ARK congratulated me on removing the rootkit. I ran a complete scan
| of 12/3/09 MBAM and it found an infection, I can't tell which
| as it is still scanning.
| I will try to remove the str.sys from the recovery console after
| MBAM finishes. I begin to suspect 'flatten and restore from
| scratch' may be in order. If the rootkit involves the MBR,
| will a format remove it?

What was "awwufouer.sys" identified as ?

See:
http://www.threatexpert.com/report.aspx?md5=03c8db77f600c5473cb90c650fc4bd4e
http://www.threatexpert.com/report.aspx?md5=39a01ca6d77a4a9f1d3380cb6a8bed0b

Both are relative to a Rustock, which is a Rootkit, and str.sys.

A wipe and re-install *may* be in order if you feel comfortable with it.

--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp