From: russg on
I'm trying to help my grandson with his highly infected laptop.
It ran extremely slowly, so I started in safe mode and ran a quick
scan with Malwarebytes.
Malwarebytes found 19 malware items: backdoor.bot, stolen.data, trojan
fakealert,
rogue.multiple and hijack.userinit, and rootkit.agent. It said it
deleted all of them.
I reboot into safe mode and run a complete scan with AVG (hasn't been
updated).
It found nothing. I did a normal boot and it took forever, so I reboot into
safe and run Malwarebytes again and the rootkit is still there.
c:\windows\system32\drivers\str.sys.
I researched rootkits briefly and one said rootkits may not be
removable,
they install too much to be detected.
I'm presently running a GMER scan and it hasn't found anything yet.
I guess I'll try to get GMER to remove the rootkit, and if I can't,
I'll have
to tell him that we need to format and install with the original
installation
disks.
Advice would be appreciated.
From: David H. Lipman on
From: "russg" <russgilb(a)sbcglobal.net>

| I'm trying to help my grandson with his highly infected laptop.
| It ran extremely slowly, so I started in safe mode and ran a quick
| scan with Malwarebytes.
| Malwarebytes found 19 malware items: backdoor.bot, stolen.data, trojan
| fakealert,
| rogue.multiple and hijack.userinit, and rootkit.agent. It said it
| deleted all of them.
| I reboot into safe mode and run a complete scan with AVG (hasn't been
| updated).
| It found nothing. I did a normal boot and it took forever, so I reboot into
| safe and run Malwarebytes again and the rootkit is still there.
| c:\windows\system32\drivers\str.sys.
| I researched rootkits briefly and one said rootkits may not be
| removable,
| they install too much to be detected.
| I'm presently running a GMER scan and it hasn't found anything yet.
| I guess I'll try to get GMER to remove the rootkit, and if I can't,
| I'll have
| to tell him that we need to format and install with the original
| installation
| disks.
| Advice would be appreciated.

Are you saying MBAM is detecting

c:\windows\system32\drivers\str.sys.

as a rootkit ?


--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp


From: FromTheRafters on
"russg" <russgilb(a)sbcglobal.net> wrote in message
news:31b2b890-bd31-49cf-8cfb-0728ee24ab65(a)g26g2000yqe.googlegroups.com...
> I'm trying to help my grandson with his highly infected laptop.
> It ran extremely slowly, so I started in safe mode and ran a quick
> scan with Malwarebytes.
> Malwarebytes found 19 malware items: backdoor.bot, stolen.data, trojan
> fakealert,
> rogue.multiple and hijack.userinit, and rootkit.agent. It said it
> deleted all of them.
> I reboot into safe mode and run a complete scan with AVG (hasn't been
> updated).
> It found nothing. I did a normal boot and it took forever, so I reboot into
> safe and run Malwarebytes again and the rootkit is still there.
> c:\windows\system32\drivers\str.sys.
> I researched rootkits briefly and one said rootkits may not be
> removable,
> they install too much to be detected.
> I'm presently running a GMER scan and it hasn't found anything yet.
> I guess I'll try to get GMER to remove the rootkit, and if I can't,
> I'll have
> to tell him that we need to format and install with the original
> installation
> disks.
> Advice would be appreciated.

GMER is good (has nice features too). Many regular AVs are adopting
anti-rootkit technology - and unless I miss my guess, it is another 'the
more the merrier' situation with regard to more comprehensive coverage.

I suggest after running MBAM in safe mode - run it again in normal mode.

Update your AVG (hasn't been updated?) and scan with it as well.

Better yet, use David's Multi AV (better scanners than AVG IMO).

...but here's the bottom line - flatten and rebuild gives you more
confidence in the results.


From: russg on
On Dec 9, 7:37 pm, "David H. Lipman" <DLipman~nosp...(a)Verizon.Net>
wrote:
> From: "russg" <russg...(a)sbcglobal.net>
>
> | I'm trying to help my grandson with his highly infected laptop.
> | It ran extremely slowly, so I started in safe mode and ran a quick
> | scan with Malwarebytes.
> | Malwarebytes found 19 malware items: backdoor.bot, stolen.data, trojan
> | fakealert,
snip
> Are you saying MBAM is detecting
>
> c:\windows\system32\drivers\str.sys.
>
> as a rootkit ?
>
Yes, here's from the 1st run of MBAM log:
Files Infected:
C:\WINDOWS\System32\lowsec\local.ds (Stolen.data) -> No action taken.
C:\WINDOWS\System32\lowsec\user.ds (Stolen.data) -> No action taken.
C:\WINDOWS\System32\lowsec\user.ds.lll (Stolen.data) -> No action
taken.
C:\WINDOWS\System32\drivers\str.sys (Rootkit.Agent) -> No action
taken.
C:\WINDOWS\System32\sdra64.exe (Trojan.FakeAlert) -> No action taken.
C:\Users\Ben\AppData\Roaming\sdra64.exe (Trojan.Agent) -> No action
taken.

I'm not sure where the log file is from after deletion.

I'm running AVG Anti-Rootkit Free right now. It refused to run in safe
mode
and the quick scan finds the C:\Win..\sys..32\drivers\str.sys and another
hidden file in the same path called .. awwufouer.sys.
I'm going to see if AVG Anti-Rootkit works.
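Added example, not code from any poster in this thread: a small Python parser for the `Files Infected:` section of the MBAM log quoted above, plus a comparison of two runs that lists detections which came back after an earlier run claimed to delete them, flagging entries under `system32\drivers` because a reappearing kernel driver is the pattern that points to an active rootkit. The log text embedded below is constructed from the excerpt above, and the second run is hypothetical.

```python
import re
from typing import List, Tuple

# Constructed sample logs in MBAM's "path (Detection) -> action" line format,
# modelled on the excerpt in the post above; not the poster's actual log files.
FIRST_RUN_LOG = r"""Files Infected:
C:\WINDOWS\System32\lowsec\local.ds (Stolen.data) -> No action taken.
C:\WINDOWS\System32\lowsec\user.ds (Stolen.data) -> No action taken.
C:\WINDOWS\System32\lowsec\user.ds.lll (Stolen.data) -> No action taken.
C:\WINDOWS\System32\drivers\str.sys (Rootkit.Agent) -> No action taken.
C:\WINDOWS\System32\sdra64.exe (Trojan.FakeAlert) -> No action taken.
C:\Users\Ben\AppData\Roaming\sdra64.exe (Trojan.Agent) -> No action taken.
"""
# Hypothetical follow-up scan: after the "deleted" run only the driver is back.
SECOND_RUN_LOG = r"""Files Infected:
C:\WINDOWS\System32\drivers\str.sys (Rootkit.Agent) -> Quarantined and deleted successfully.
"""

# One detection line: <drive path> (<detection name>) -> <action>
LINE_RE = re.compile(r"^(?P<path>[A-Za-z]:\\.+?) \((?P<name>[^()]+)\) -> (?P<action>.+)$")


def parse_files_infected(log: str) -> List[Tuple[str, str, str]]:
    """Return (path, detection, action) from the 'Files Infected:' section only."""
    found: List[Tuple[str, str, str]] = []
    in_section = False
    for raw in log.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.endswith(":"):  # section header such as "Files Infected:"
            in_section = line.lower() == "files infected:"
            continue
        m = LINE_RE.match(line) if in_section else None
        if m:
            found.append((m["path"].lower(), m["name"], m["action"]))
    return found


def is_kernel_driver(path: str) -> bool:
    """Files under system32\\drivers\\*.sys are loaded by the kernel: the classic
    hiding place for a rootkit, and the first thing to triage when one reappears."""
    p = path.lower()
    return "\\system32\\drivers\\" in p and p.endswith(".sys")


def persistent_detections(first: str, second: str) -> List[Tuple[str, str, bool]]:
    """Paths reported in both scans: the earlier run claimed removal, yet they are
    back, which points to something actively restoring them rather than leftovers."""
    again = {p for p, _, _ in parse_files_infected(second)}
    return [(p, n, is_kernel_driver(p)) for p, n, _ in parse_files_infected(first)
            if p in again]
```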
From: russg on
On Dec 9, 8:22 pm, "FromTheRafters" <erra...(a)nomail.afraid.org> wrote:
> "russg" <russg...(a)sbcglobal.net> wrote in message
> news:31b2b890-bd31-49cf-8cfb-0728ee24ab65(a)g26g2000yqe.googlegroups.com...
>
> > I'm trying to help my grandson with his highly infected laptop.
> > It ran extremely slowly, so I started in safe mode and ran a quick
> > scan with Malwarebytes.
> > Malwarebytes found 19 malware items: backdoor.bot, stolen.data, trojan
> > fakealert,
snip

> > Advice would be appreciated.
>
> GMER is good (has nice features too). Many regular AVs are adopting
> anti-rootkit technology - and unless I miss my guess, it is another 'the
> more the merrier' situation with regard to more comprehensive coverage.
>
> I suggest after running MBAM in safe mode - run it again in normal mode.
>
> Update your AVG (hasn't been updated?) and scan with it as well.
>
> Better yet, use David's Multi AV (better scanners than AVG IMO).
>
> ...but here's the bottom line - flatten and rebuild gives you more
> confidence in the results.

I don't know how to download the AVG update and install it. I can't
update from the infected computer as it has no internet right now;
he busted the old wireless adapter and the built-in one
doesn't work (Compaq laptop, running Vista).
I haven't used Multi-AV lately; the problem isn't
that I can't find infected files.
Thanks