TechSpot

spywares in my laptop

By garg.divya
Jun 26, 2007
  1. Hi,
    I am not able to start safe mode... my system starts in safe mode... but then it just stops and I have to restart it.
    Also I am not able to perform a rootkit scan... when I click on the scan option in AVG Anti-Rootkit, a blue screen appears on my system saying that a fatal error has occurred. It shows something like "sr.sys"...
    I am also not able to run HijackThis... it started scanning but again I got a blue screen saying fatal error and I had to shut down my system.

    I have attached the other reports...
    Please help...

    View attachment 19475

    View attachment 19476

    View attachment 19477

    View attachment 19478
     
  2. raybay

    raybay TS Evangelist Posts: 7,241   +9

    sr.sys is part of the Windows XP process System Restore File. System Restore system Filter Driver belongs to the software Microsoft® Windows® Operating System. sr.sys is located in the folder C:\Windows\System32\drivers.
    Known file sizes on Windows XP are 73472 bytes (93% of all occurrences), 70400 bytes.
    The driver can be started or stopped from Services in the Control Panel or by other programs. The program has no visible window. The service has no detailed description. The file is a trustworthy file from Microsoft. sr.sys seems to be a compressed file. Therefore the technical security rating is 2% dangerous.

    It is possible for some malware to camouflage themselves as sr.sys, particularly if they are located in c:\windows or c:\windows\system32 folder. However, your scans and reports included with your message make that unlikely.

    You can check whether the sr.sys process on your PC is a pest using Windows Defender or the Security Task Manager of the Washington Post and PC World.

    However, I suspect you have done damage to your system by the registry editors you use. If you have a computer that uses a recovery disc set such as HP, Dell, Sony, eMachines, Gateway or others, you may have to do a complete reformat and reinstall to make a fix.

    Otherwise, if you have a full version of Windows XP Home or Windows XP Professional, you can boot to the Windows disc and run it in the R or Repair mode when given the choice.

    If the problem is not there, you likely have a defective driver, a defective hard drive, defective memory, or other operational hardware problem that will need some detailed detecting work.

    I do not think it is a spyware problem, but you may also have a spyware problem. You may want to run your spyware scans by booting to safe mode first which you cannot do because of the other damage you have caused.
     
  3. garg.divya

    garg.divya TS Rookie Topic Starter Posts: 17

    Is there any way except formatting?

    I don't want to format my laptop.
    Is there any other way?
    How can I boot in safe mode?
    Will doing a system restore help me???
     
  4. garg.divya

    garg.divya TS Rookie Topic Starter Posts: 17

    I have spywares for sure because I did the anti-spyware scan and got some spywares of high risk.
    They were...

    downloader.agent.ad
    hijacker.small.cf
    trojan.agent.soy
    rootkit.ntrootkit
    trojan.dialer.qn
    rootkit.agent.ey
    adware.virumonde
    and a few more
     
  5. almcneil

    almcneil TS Guru Posts: 1,277

    If you cannot run your anti-spy/anti-rootkit scans, then try a chkdsk scan first. If that doesn't work, then try an XP repair installation.
     
  6. raybay

    raybay TS Evangelist Posts: 7,241   +9

    Based on your rootkit reports, it would be smart to do a full reformat and reinstall.
     
  7. garg.divya

    garg.divya TS Rookie Topic Starter Posts: 17

    Hey almcneil,
    I am able to run anti-spyware; I have attached the report also, but not anti-rootkit. I will perform the chkdsk and let you know.
     
  8. raybay

    raybay TS Evangelist Posts: 7,241   +9

    System restore will possibly be helpful if you have been religious about setting Restore points... but if not, it will wipe out some recent installs... but will usually not damage data.
     
  9. momok

    momok TS Rookie Posts: 2,265

    Hi,

    I noticed that your AVG log displays 'No Action Taken' for all the files detected.
    I require you to run AVG again and quarantine the files. Pictorial instructions HERE.

    Important: Please read this thread HERE before you decide whether to clean or reformat your system.

    Should you decide to clean your computer, please go ahead to Viruses/Spyware/Malware, preliminary removal instructions and follow the steps given. Do follow all the instructions exactly. They will provide logs for analysis of your system so I will know how to instruct you to proceed.

    Thereafter, please post fresh HijackThis, AVG Antispyware and Combofix logs as attachments into this thread. Do not copy and paste your logs; if you do, they will be ignored and/or removed.

    Also, please let me know the results of the AVG Antirootkit scan.


    Regards,
    Your friendly momok =)

    This thread is for the use of garg.divya only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
     
  10. garg.divya

    garg.divya TS Rookie Topic Starter Posts: 17

    Hey momok,
    Yesterday, I was able to run my laptop in safe mode.
    I will post the fresh AVG antispyware and combofix logs.
    But I am not able to make a HijackThis scan. HijackThis starts scanning but then in a few seconds my laptop gives an error blue screen, and I have to restart the system.
     
  11. almcneil

    almcneil TS Guru Posts: 1,277

    I don't quite follow your advice about turning off System Restore. Do you mean you want to wipe out the restore points that point to the virus or are you saying that there is a problem with System Restore and you need to deactivate it before removing the virus?

    As I understand, System Restore simply takes snapshots of important Windows files (settings). Whether or not you wipe out the current restore points should have no effect on the utility. I do agree that if there is a virus, the previous restore points are, therefore, useless.
     
  12. garg.divya

    garg.divya TS Rookie Topic Starter Posts: 17

    Hi,
    I'm attaching my fresh combofix, HijackThis and AVG anti-spyware logs.
    Please check and help me...

    no installed rootkits were found on scanning my system.
     
  13. momok

    momok TS Rookie Posts: 2,265

    Hi,

    Please do not disable system restore yet. I will provide you the appropriate instructions at the end of the cleaning process.

    Download the attached "Combofix-Do.txt" (from my attachment) and save it to the same folder as Combofix.

    You may wish to copy and paste these instructions on notepad for easier reference later.

    Boot into safe mode under your normal user name. See how HERE

    Next turn on "Show all files and folders, including hidden and system". See how HERE

    Run HijackThis and fix the following entries, if found (do this by placing a tick in the check boxes beside these entries and clicking "Fix checked"):

    R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
    O3 - Toolbar: (no name) - {ACB1E670-3217-45C4-A021-6B829A8A27CB} - (no file)
    O4 - Global Startup: Digital Line Detect.lnk = ?
    O17 - HKLM\System\CCS\Services\Tcpip\..\{E9383A03-173B-4062-96C5-EDE3EAB1EF37}: NameServer = 202.56.215.54,202.56.215.55,202.56.215.6,202.56.230.6
    O20 - Winlogon Notify: ssqpqrq - ssqpqrq.dll (file missing)
    O20 - Winlogon Notify: winhoq32 - winhoq32.dll (file missing)

    Close HJT.

    Drag the Combofix-Do.txt that you downloaded earlier over on to Combofix.exe and release.

    This will ask Combofix to execute the instructions within my file. Let Combofix run normally and do its job. Attach the resultant log in your reply.

    Reboot into normal mode and rehide your protected OS files.

    Thereafter, please post fresh HJT, ComboFix and AVG Antispyware logs from normal mode as attachments into this thread.


    Regards,
    Your friendly momok =)

    This thread is for the use of garg.divya only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
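    The entries momok lists above follow the fixed HijackThis line format (a section code such as R3, O4, O17 or O20, then a description and its target), and the two things the fix list targets are entries whose target file no longer exists and an O17 entry that rewrites the adapter's DNS servers. As an added example (not part of the thread and not a TechSpot or HijackThis tool), the Python below parses that format and flags exactly those patterns so a log can be triaged before anything is ticked. The sample input is the six entries quoted in the post plus one constructed benign Run entry; the known-good resolver list is an assumption left empty, so every public NameServer address is reported.

```python
"""Triage HijackThis-style log entries (added example, not a HijackThis tool).

It parses the 'Oxx - Description: detail' line format quoted in the post above
and flags the two things the helper's fix list targets: entries whose target
file no longer exists (leftovers of a removed or partly removed infection) and
O17 entries that override the adapter's DNS servers with addresses the owner
did not configure.
"""
import ipaddress
import re
from dataclasses import dataclass, field
from typing import List

# Constructed sample: the six entries quoted in the post above plus one
# hypothetical benign Run entry, so the triage has something to leave alone.
SAMPLE_LOG = r"""
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O3 - Toolbar: (no name) - {ACB1E670-3217-45C4-A021-6B829A8A27CB} - (no file)
O4 - Global Startup: Digital Line Detect.lnk = ?
O17 - HKLM\System\CCS\Services\Tcpip\..\{E9383A03-173B-4062-96C5-EDE3EAB1EF37}: NameServer = 202.56.215.54,202.56.215.55,202.56.215.6,202.56.230.6
O20 - Winlogon Notify: ssqpqrq - ssqpqrq.dll (file missing)
O20 - Winlogon Notify: winhoq32 - winhoq32.dll (file missing)
O4 - HKLM\..\Run: [ExampleUpdater] C:\Program Files\Example\updater.exe
"""

# Resolvers the owner knows to be legitimate (assumption: filled in by the
# operator; empty here, so every public NameServer value is reported).
KNOWN_GOOD_RESOLVERS: set = set()

ENTRY_RE = re.compile(r"^(?P<section>[A-Z]\d{1,2}) - (?P<body>.+)$")
ORPHAN_MARKERS = ("(no file)", "(file missing)")
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


@dataclass
class Entry:
    section: str
    body: str
    reasons: List[str] = field(default_factory=list)

    @property
    def flagged(self) -> bool:
        return bool(self.reasons)


def parse_entries(text: str) -> List[Entry]:
    """Turn raw log text into Entry objects; lines that do not match are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append(Entry(m.group("section"), m.group("body")))
    return entries


def nameservers(entry: Entry) -> List[str]:
    """Return the IPv4 addresses listed in an O17 NameServer entry (empty otherwise)."""
    if entry.section != "O17" or "NameServer" not in entry.body:
        return []
    _, _, value = entry.body.partition("NameServer =")
    return IPV4_RE.findall(value)


def triage(entries: List[Entry], known_good=KNOWN_GOOD_RESOLVERS) -> List[Entry]:
    """Attach a reason to every entry worth a second look and return the flagged ones."""
    for e in entries:
        # A hook, toolbar or Winlogon Notify entry pointing at a file that is
        # gone does nothing useful and is a leftover worth removing.
        if e.body.endswith(ORPHAN_MARKERS):
            e.reasons.append("target file does not exist: orphaned entry")
        # HijackThis prints '= ?' when it cannot resolve a startup shortcut.
        if e.section == "O4" and e.body.endswith("= ?"):
            e.reasons.append("startup shortcut whose target could not be resolved")
        # O17 NameServer values redirect all name resolution; only the owner
        # or their ISP should have put addresses there.
        for ip in nameservers(e):
            addr = ipaddress.ip_address(ip)
            if addr.is_global and ip not in known_good:
                e.reasons.append(f"DNS server {ip} not in the owner's known-good list")
    return [e for e in entries if e.flagged]


if __name__ == "__main__":
    for e in triage(parse_entries(SAMPLE_LOG)):
        print(f"{e.section}: {e.body}")
        for r in e.reasons:
            print(f"    -> {r}")
```

    Run against the sample, the six quoted entries come back flagged and the constructed Run entry does not; an O17 address that the owner has added to KNOWN_GOOD_RESOLVERS is left alone, which is the check to make before fixing a NameServer entry on a machine whose ISP assigns resolvers statically.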
     
  14. garg.divya

    garg.divya TS Rookie Topic Starter Posts: 17

    Fresh HJT, combofix and anti-spyware logs

    Hey momok,
    I did whatever you had instructed.
    My fresh HJT, combofix and anti-spyware logs are attached.
     
  15. Tedster

    Tedster Techspot old timer..... Posts: 6,000   +15

    Rootkits are very difficult to remove and elude many anti-virus and anti-trojan programs. It would be best to do a clean install.
     
  16. momok

    momok TS Rookie Posts: 2,265

    Hi,

    Your logs look clean now.

    Delete all files in AVG Antispyware Quarantine folder. (located in C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\Quarantine)

    Turn off system restore (XP/ME only). Learn how to do that HERE.
    This will remove all the remaining nasties from your old restore points.

    After that turn system restore back on.
    This would have created a new safe and clean restore point for your system.

    Often times, an infection can occur again not due to the incompetence of programs, but because of user habits.
    May I recommend you to read this article.
    This can help to prevent future infections.

    Should you have any further problems, please post in this thread.


    Regards,
    Your friendly momok =)

    This thread is for the use of garg.divya only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
     
  17. garg.divya

    garg.divya TS Rookie Topic Starter Posts: 17

    Thanks a lot momok... :)
     
Topic Status:
Not open for further replies.
