From: russg on 9 Dec 2009 19:17

I'm trying to help my grandson with his highly infected laptop. It ran extremely slowly, so I started in safe mode and ran a quick scan with Malwarebytes. Malwarebytes found 19 malwares: backdoor.bot, stolen.data, trojan fakealert, rogue.multiple and hijack.userinit, and rootkit.agent. It said it deleted all of them. I rebooted into safe mode and ran a complete scan with AVG (hasn't been updated). It found nothing. I did a normal boot and it took forever, so I rebooted into safe mode and ran Malwarebytes again, and the rootkit is still there: c:\windows\system32\drivers\str.sys. I researched rootkits briefly and one said rootkits may not be removable; they install too much to be detected. I'm presently running a GMER scan and it hasn't found anything yet. I guess I'll try to get GMER to remove the rootkit, and if I can't, I'll have to tell him that we need to format and install with the original installation disks. Advice would be appreciated.
From: David H. Lipman on 9 Dec 2009 19:37

From: "russg" <russgilb(a)sbcglobal.net>

| I'm trying to help my grandson with his highly infected laptop.
| It ran extremely slowly, so I started in safe mode and ran a quick
| scan with Malwarebytes.
| Malwarebytes found 19 malwares: backdoor.bot, stolen.data, trojan
| fakealert,
| rogue.multiple and hijack.userinit, and rootkit.agent. It said it
| deleted all of them.
| I rebooted into safe mode and ran a complete scan with AVG (hasn't been
| updated).
| It found nothing. I did a normal boot and it took forever, so I rebooted into
| safe mode and ran Malwarebytes again, and the rootkit is still there:
| c:\windows\system32\drivers\str.sys.
| I researched rootkits briefly and one said rootkits may not be
| removable;
| they install too much to be detected.
| I'm presently running a GMER scan and it hasn't found anything yet.
| I guess I'll try to get GMER to remove the rootkit, and if I can't,
| I'll have
| to tell him that we need to format and install with the original
| installation
| disks.
| Advice would be appreciated.

Are you saying MBAM is detecting

c:\windows\system32\drivers\str.sys

as a rootkit ?

--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp
From: FromTheRafters on 9 Dec 2009 20:22

"russg" <russgilb(a)sbcglobal.net> wrote in message
news:31b2b890-bd31-49cf-8cfb-0728ee24ab65(a)g26g2000yqe.googlegroups.com...
> I'm trying to help my grandson with his highly infected laptop.
> It ran extremely slowly, so I started in safe mode and ran a quick
> scan with Malwarebytes.
> Malwarebytes found 19 malwares: backdoor.bot, stolen.data, trojan
> fakealert,
> rogue.multiple and hijack.userinit, and rootkit.agent. It said it
> deleted all of them.
> I rebooted into safe mode and ran a complete scan with AVG (hasn't been
> updated).
> It found nothing. I did a normal boot and it took forever, so I rebooted into
> safe mode and ran Malwarebytes again, and the rootkit is still there:
> c:\windows\system32\drivers\str.sys.
> I researched rootkits briefly and one said rootkits may not be
> removable;
> they install too much to be detected.
> I'm presently running a GMER scan and it hasn't found anything yet.
> I guess I'll try to get GMER to remove the rootkit, and if I can't,
> I'll have
> to tell him that we need to format and install with the original
> installation
> disks.
> Advice would be appreciated.

GMER is good (has nice features too). Many regular AVs are adopting
anti-rootkit technology - and unless I miss my guess, it is another 'the
more the merrier' situation with regard to more comprehensive coverage.

I suggest after running MBAM in safe mode - run it again in normal mode.

Update your AVG (hasn't been updated?) and scan with it as well.

Better yet, use David's Multi AV (better scanners than AVG IMO).

...but here's the bottom line - flatten and rebuild gives you more
confidence in the results.
From: russg on 9 Dec 2009 20:23

On Dec 9, 7:37 pm, "David H. Lipman" <DLipman~nosp...(a)Verizon.Net> wrote:
> From: "russg" <russg...(a)sbcglobal.net>
>
> | I'm trying to help my grandson with his highly infected laptop.
> | It ran extremely slowly, so I started in safe mode and ran a quick
> | scan with Malwarebytes.
> | Malwarebytes found 19 malwares: backdoor.bot, stolen.data, trojan
> | fakealert,
snip
> Are you saying MBAM is detecting
>
> c:\windows\system32\drivers\str.sys.
>
> as a rootkit ?
>

Yes, here's from the 1st run of the MBAM log:

Files Infected:
C:\WINDOWS\System32\lowsec\local.ds (Stolen.data) -> No action taken.
C:\WINDOWS\System32\lowsec\user.ds (Stolen.data) -> No action taken.
C:\WINDOWS\System32\lowsec\user.ds.lll (Stolen.data) -> No action taken.
C:\WINDOWS\System32\drivers\str.sys (Rootkit.Agent) -> No action taken.
C:\WINDOWS\System32\sdra64.exe (Trojan.FakeAlert) -> No action taken.
C:\Users\Ben\AppData\Roaming\sdra64.exe (Trojan.Agent) -> No action taken.

I'm not sure where the log file is from after deletion.

I'm running AVG Anti-Rootkit Free right now. It refused to run in safe mode, and a quick scan finds the C:\Win..\sys..32\drivers\str.sys and another hidden file in the same path called .. awwufouer.sys. I'm going to see if AVG Anti-Rootkit works.
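The MBAM log excerpt above lists one entry per file in the form `path (detection family) -> action`. As an added example that is not part of the thread and not Malwarebytes' own tooling, the following Python script parses such "Files Infected:" lines and pulls out the two things worth acting on when triaging a log like this: entries that are kernel drivers (a `.sys` under `System32\drivers`, which a user-mode scanner on the live system cannot reliably remove while the driver is loaded, consistent with str.sys reappearing after MBAM reported deleting it) and entries still marked "No action taken". The sample log is the excerpt posted above, embedded as a fixture; the function and class names (`parse_mbam_files`, `triage`, `Finding`) are this example's own.

```python
"""Triage helper for a Malwarebytes (MBAM) scan-log excerpt.

Fixture: the "Files Infected:" lines posted in the thread above.
Names below are this example's own, not part of MBAM.
"""
import re
from dataclasses import dataclass

# Constructed fixture: the log lines exactly as posted in the thread.
SAMPLE_LOG = """\
Files Infected:
C:\\WINDOWS\\System32\\lowsec\\local.ds (Stolen.data) -> No action taken.
C:\\WINDOWS\\System32\\lowsec\\user.ds (Stolen.data) -> No action taken.
C:\\WINDOWS\\System32\\lowsec\\user.ds.lll (Stolen.data) -> No action taken.
C:\\WINDOWS\\System32\\drivers\\str.sys (Rootkit.Agent) -> No action taken.
C:\\WINDOWS\\System32\\sdra64.exe (Trojan.FakeAlert) -> No action taken.
C:\\Users\\Ben\\AppData\\Roaming\\sdra64.exe (Trojan.Agent) -> No action taken.
"""

# One log entry: "<drive>:\path (Family.Name) -> Action text."
LINE_RE = re.compile(
    r"^(?P<path>[A-Za-z]:\\.+?) \((?P<family>[^)]+)\) -> (?P<action>.+?)\.?$"
)


@dataclass(frozen=True)
class Finding:
    path: str
    family: str
    action: str

    @property
    def is_kernel_driver(self) -> bool:
        # A .sys living under System32\drivers is loaded into the kernel;
        # deleting the file from a live system does not unload it.
        p = self.path.lower()
        return p.endswith(".sys") and "\\drivers\\" in p

    @property
    def unresolved(self) -> bool:
        return self.action.lower().startswith("no action taken")


def parse_mbam_files(text: str) -> list:
    """Return Finding records from the 'Files Infected:' section only."""
    findings = []
    in_files = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.endswith(":"):  # section header such as "Files Infected:"
            in_files = line.lower().startswith("files infected")
            continue
        if not in_files:
            continue
        m = LINE_RE.match(line)
        if m:
            findings.append(Finding(m["path"], m["family"], m["action"]))
    return findings


def triage(findings) -> dict:
    """Group findings by family and flag what a user-mode scan can't settle."""
    by_family = {}
    for f in findings:
        by_family.setdefault(f.family, []).append(f.path)
    return {
        "by_family": by_family,
        "kernel_drivers": [f for f in findings if f.is_kernel_driver],
        "unresolved": [f for f in findings if f.unresolved],
    }


if __name__ == "__main__":
    report = triage(parse_mbam_files(SAMPLE_LOG))
    for family, paths in sorted(report["by_family"].items()):
        print(f"{family}: {len(paths)} file(s)")
    for f in report["kernel_drivers"]:
        print(f"KERNEL DRIVER (needs offline/anti-rootkit handling): {f.path}")
    print(f"{len(report['unresolved'])} entries still marked 'No action taken'")
```

Run on the posted excerpt, the script reports str.sys as the one kernel-driver hit and all six entries as unresolved; the driver line is the one that justifies reaching for GMER or an offline scan rather than re-running the same user-mode scanner.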
From: russg on 9 Dec 2009 20:32
On Dec 9, 8:22 pm, "FromTheRafters" <erra...(a)nomail.afraid.org> wrote:
> "russg" <russg...(a)sbcglobal.net> wrote in message
>
> news:31b2b890-bd31-49cf-8cfb-0728ee24ab65(a)g26g2000yqe.googlegroups.com...
>
> > I'm trying to help my grandson with his highly infected laptop.
> > It ran extremely slowly, so I started in safe mode and ran a quick
> > scan with Malwarebytes.
> > Malwarebytes found 19 malwares: backdoor.bot, stolen.data, trojan
> > fakealert,
snip
> > Advice would be appreciated.
>
> GMER is good (has nice features too). Many regular AVs are adopting
> anti-rootkit technology - and unless I miss my guess, it is another 'the
> more the merrier' situation with regard to more comprehensive coverage.
>
> I suggest after running MBAM in safe mode - run it again in normal mode.
>
> Update your AVG (hasn't been updated?) and scan with it as well.
>
> Better yet, use David's Multi AV (better scanners than AVG IMO).
>
> ...but here's the bottom line - flatten and rebuild gives you more
> confidence in the results.

I don't know how to download the AVG update and install it. I can't update from the infected computer as it has no internet right now; the old wireless adapter he busted and the built-in one doesn't work (Compaq laptop, running Vista). I haven't used Multi-AV lately; the problem isn't that I can't find infected files.

Thanks