TechSpot

Srosa.sys removal (linked with usbport.sys?)

By magic_mat
Feb 22, 2008
  1. jobeard

    jobeard TS Ambassador Posts: 9,315   +618

  2. Blind Dragon

    Blind Dragon TS Evangelist Posts: 3,908

    Combofix
    • Download Combofix to your desktop.
    • Double click combofix.exe & follow the prompts.
    • A window will open with a warning.
    • Type "1" (and Enter) to start the fix.
    • When the scan completes it will open a text window. Please attach that log back here together with a fresh HJT log.
    Caution - do not touch your mouse/keyboard until the scan has completed. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop. ComboFix is a very powerful tool, so please do NOT do anything without instruction.

    Combofix will automatically save the log file to C:\combofix.txt

    HijackThis Instructions
    • Make sure you have the LATEST version of HJT (currently v2.0.0.2); it can be downloaded from HERE.
    • Run the HijackThis installer and it will automatically place HJT in C:\Program Files\TrendMicro\HijackThis\HijackThis.exe. Please don't change the directory.
    • After installing, the program launches automatically; select "Scan now and save a log".
    • After the scan is complete, please attach your log to the forums using the paper clip icon above your reply.
      ***Under no circumstances should you add any items to the HJT ignore list. Under no circumstances should you change the directory that HijackThis downloads to. Under no circumstances should you Fix anything without specific instruction to do so. Under no circumstances should you click any buttons other than those specified in the directions, including AnalyzeThis!***
     
  3. magic_mat

    magic_mat TS Rookie Topic Starter Posts: 30

    Right
    I've done the scan

    It's saying it's removed srosa.sys, ntdlrrr.exe and wintems.exe

    Tried to run RootkitRevealer......... again, after a bit, BSOD usbport.sys!!!


    And still, I have to go into the registry, enable Wireless Zero Config, and restart to get the internet working

    About to try what you have said Blind Dragon
     
  4. Blind Dragon

    Blind Dragon TS Evangelist Posts: 3,908

    Ok, your next reply should include

    1) ComboFix log
    2) HijackThis log
     
  5. magic_mat

    magic_mat TS Rookie Topic Starter Posts: 30

    I opened ComboFix, and it started fixing/scanning without me needing to type "1"

    It was going through a list of exes in the drivers folder... when it blue screened.

    0x0000008E (0x00000005, 0x8054A95B, 0xED20EB4C, 0x00000000)

    But when Windows came on... the internet was automatically working :)
     
  6. magic_mat

    magic_mat TS Rookie Topic Starter Posts: 30

    Just tried to open ComboFix again, but it now says

    "C:\Documents and settings blah bla bal\combofix.exe is not a valid win32 application"
     
  7. Blind Dragon

    Blind Dragon TS Evangelist Posts: 3,908

    OK, see if there is a log file located at C:\combofix.txt

    If so, attach it here; if not, try running it again.
     
  8. magic_mat

    magic_mat TS Rookie Topic Starter Posts: 30

    There's no log in C:\

    and when I try opening it again I get

    "C:\Documents and settings blah bla bal\combofix.exe is not a valid win32 application"
     
  9. Blind Dragon

    Blind Dragon TS Evangelist Posts: 3,908

    OK, go to Start -> Run -> type exactly -> combofix /u

    Notice the space between.

    Please download Deckard's System Scanner (DSS) and save it to your Desktop.
    DISCONNECT FROM THE INTERNET...REMOVE THE PLUG FROM THE BACK OF THE COMPUTER

    Close all other windows before proceeding.

    This means TURN OFF ALL other security programmes.
    Norton Anti-virus, AVG Anti-spyware or any other security programmes you're running.

    Double-click on dss.exe and follow the prompts.
    When it has finished, DSS will open two Notepads, main.txt and extra.txt -- please attach the main.txt and extra.txt in your next reply.

    Re-enable your security programmes and reconnect to the net.
     
  10. magic_mat

    magic_mat TS Rookie Topic Starter Posts: 30

    again

    "combofix is not a valid win32 application"
     
  11. Blind Dragon

    Blind Dragon TS Evangelist Posts: 3,908

    OK, go ahead and drag and drop it to the Recycle Bin.

    If a box pops up saying that this will only remove the shortcut, you will need to remove it through Add/Remove Programs in the Control Panel; if no box, then proceed with the Deckard System Scan from my previous post.

    Make sure you are downloading these to your desktop
     
  12. magic_mat

    magic_mat TS Rookie Topic Starter Posts: 30

    Finally, something that works

    I didn't have HijackThis installed though... so it said it's running its own HijackThis clone.... Is that OK?

    Here's the files--

    Also, about to delete ComboFix and retry it.
     
  13. magic_mat

    magic_mat TS Rookie Topic Starter Posts: 30

    Deleted ComboFix and downloaded and re-scanned.

    Got a lot further,

    It finished deleting files and got up to stage_8? Then it blue screened.

    But now, whenever my PC turns on, after loading the desktop and waiting 5 or so seconds

    BLUE SCREEN..... usbport.sys

    I've restarted about 6 times now; every time this is happening
     
  14. Blind Dragon

    Blind Dragon TS Evangelist Posts: 3,908

    We removed ComboFix. You are not supposed to be running it. We are using Deckard in its place. Please reboot into safe mode by tapping F8 before Windows loads, then select Safe Mode. Remove ComboFix first by trying RUN -> combofix /u, then manually if that doesn't work.

    While in safe mode, please navigate to and delete C:\windows\svchost.exe, not to be confused with C:\WINDOWS\system32\svchost.exe

    Then try booting into normal mode and see if you crash


    ***I just noticed you will not be able to boot into safe mode as the infection has corrupted your ability there to use Safe Mode
     
  15. magic_mat

    magic_mat TS Rookie Topic Starter Posts: 30

    After a few more restarts, it's working again.

    Ran ComboFix again, and it went all the way through and rebooted my PC at the end. Still no log file; the only file called combofix.txt has this in it:

    =======

    ComboFix 08-02-22.3 - Administrator 2008-02-22 21:12:12.2 - NTFSx86
    Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.234 [GMT 1:00]
    Running from: C:\Documents and Settings\Administrator\Desktop\ComboFix.exe

    WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
    .
    ======

    But that's in the ComboFix folder.

    Just removed ComboFix as you said to do.

    Also, svchost.exe had already been removed by RegRun, if I remember correctly.

    OK

    So what's next........
     
  16. Blind Dragon

    Blind Dragon TS Evangelist Posts: 3,908

    Can you follow my HijackThis instructions above and attach a log using the paperclip icon above your reply?

    According to your last scan, C:\windows\svchost.exe is still running.
     
  17. magic_mat

    magic_mat TS Rookie Topic Starter Posts: 30

    I'm not too sure what you mean by

    "attach a log using the paperclip icon above your reply"

    But I've attached it to this message


    Those other 2 files I attached earlier, were they any good?
     
  18. Blind Dragon

    Blind Dragon TS Evangelist Posts: 3,908

    I am going to look through the logs a little more carefully and will post back shortly, but just wanted to show you this:

    If you look in your log of running processes, the next-to-last process before HijackThis -> C:\WINDOWS\svchost.exe
     
  19. magic_mat

    magic_mat TS Rookie Topic Starter Posts: 30

    Can't get into safe mode.

    Blue screen

    0x0000007b (0xF894D528, 0xc0000034, 0x00000000, 0x00000000)

    Never had any problem like this ever before! mad!
     
  20. Blind Dragon

    Blind Dragon TS Evangelist Posts: 3,908

    OK, let's give this a try, as part of the fix is going to require running in safe mode.

    Download avz4en.zip here - it may be a slow download so be patient.

    Unzip it to a folder on your desktop.

    Double click on AVZ.exe.

    Click on File - System Recovery.

    Put a checkmark next to "10. Restore SafeBoot registry keys"

    Click on Execute selected operations (if you get a warning asking you to continue, click the "ok" button to the left in the display; the software source is written in Russian so may not translate correctly). Once completed, click OK, then Close, and close AVZ Antiviral Toolkit (do not use this for any other purposes, to avoid damaging your system).

    Then reboot, allow a full startup and next reboot into Safe Mode.
    -------------------------------------------------------------------------------------------------------

    You may want to add the following instructions to a Notepad file on your desktop.
    1)Reboot the computer in Safe Mode (at the start of the boot sequence, press and hold F8, then choose Safe Mode from the Windows boot menu).

    2)Use Task Manager to terminate the worm process (it may be called "hidr.exe" or "srosa.sys").

    3) Delete the following files if there:

    • C:\Windows\System32\drivers\srosa.sys
    • C:\Windows\System32\drivers\hidr.exe
    • C:\Windows\svchost.exe

    4)Select Start - Search -> search for both srosa.sys and hidr.exe
    if either are found delete all instances of them

    5)Select Start - Run - Type regedit
    *Delete the following parameter only if there:

    • [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
      "drvsyskit" = "%System%\drivers\hidr.exe"

    6)Delete the following registry key:

    • [HKCU\Software\FirstRRRun]

    7)Delete the following folder and its contents:

    • C:\Windows\exefqd

    Run a scan only with HijackThis and fix:
    O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
    O23 - Service: BVWIFOLT - Unknown owner - C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\BVWIFOLT.exe (file missing)
    O23 - Service: FNQT - Unknown owner - C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\FNQT.exe (file missing)
    O23 - Service: FXTISOL - Unknown owner - C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\FXTISOL.exe (file missing)
    O23 - Service: Office Source Engine (ose) - Unknown owner - C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE (file missing)
    O23 - Service: ZAXHQLNL - Unknown owner - C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\ZAXHQLNL.exe (file missing)

    -------------------------------------------------------------------------------------------------------------------------------------------------

    Reboot to Normal Mode and post a fresh Hijackthis log and Deckard Scan log
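    As an added illustration of the checks in the post above (not code from the thread, TechSpot, or any of the tools named in it): the script below parses HijackThis-style O2/O23 lines in the exact shape quoted above, flags services whose binary sits in a Temp folder or whose binary is missing, and reports, without deleting anything, whether the file and HKCU registry indicators from the post are present. The line formats, the Temp-folder heuristic and the scratch demo tree are assumptions made for this example; the registry lookup only runs on Windows.

```python
"""Added example, not part of the TechSpot thread or any tool it names:
flag the HijackThis O2/O23 entries listed in the post and check the file and
registry indicators from the same post from a defender's side (report only;
nothing is deleted)."""
import re
import sys
import tempfile
from pathlib import Path

# Constructed sample: the six HijackThis lines quoted in the thread, verbatim.
SAMPLE_HJT_LINES = [
    r"O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)",
    r"O23 - Service: BVWIFOLT - Unknown owner - C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\BVWIFOLT.exe (file missing)",
    r"O23 - Service: FNQT - Unknown owner - C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\FNQT.exe (file missing)",
    r"O23 - Service: FXTISOL - Unknown owner - C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\FXTISOL.exe (file missing)",
    r"O23 - Service: Office Source Engine (ose) - Unknown owner - C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE (file missing)",
    r"O23 - Service: ZAXHQLNL - Unknown owner - C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\ZAXHQLNL.exe (file missing)",
]

# Line shapes assumed from the HJT output quoted in the thread.
O2_RE = re.compile(r"^O2 - BHO: (?P<name>.+?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<path>.+)$")
O23_RE = re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+?)(?P<missing> \(file missing\))?$")
TEMP_DIR_RE = re.compile(r"\\temp\\", re.IGNORECASE)  # service binary under any Temp folder


def triage_hjt_lines(lines):
    """Return findings for O23 services and O2 BHOs that merit review."""
    findings = []
    for line in lines:
        line = line.strip()
        m = O23_RE.match(line)
        if m:
            path = m.group("path")
            if TEMP_DIR_RE.search(path):
                reason = "service binary registered from a Temp directory"
            elif m.group("missing"):
                reason = "orphaned service entry (binary missing)"
            else:
                continue  # normal-looking service; leave it alone
            findings.append({"kind": "O23", "name": m.group("name"), "path": path, "reason": reason})
            continue
        m = O2_RE.match(line)
        if m and m.group("path").lower() == "(no file)":
            findings.append({"kind": "O2", "name": m.group("clsid"),
                             "path": m.group("path"), "reason": "orphaned BHO entry (no file)"})
    return findings


# File indicators from the post, as path components relative to the system drive.
FILE_INDICATORS = [
    ("Windows", "System32", "drivers", "srosa.sys"),
    ("Windows", "System32", "drivers", "hidr.exe"),
    ("Windows", "svchost.exe"),   # not Windows\System32\svchost.exe, which is legitimate
    ("Windows", "exefqd"),        # dropped folder
]


def check_file_indicators(root):
    """Return the indicators (Windows-style relative paths) present under root."""
    base = Path(root)
    return ["\\".join(parts) for parts in FILE_INDICATORS if base.joinpath(*parts).exists()]


def build_demo_root():
    """Constructed sample tree with srosa.sys present, so the check runs anywhere."""
    root = Path(tempfile.mkdtemp(prefix="srosa_demo_"))
    target = root.joinpath(*FILE_INDICATORS[0])
    target.parent.mkdir(parents=True)
    target.write_bytes(b"")
    return root


# Registry indicators from the post (HKCU).
REG_RUN_KEY, REG_RUN_VALUE = r"Software\Microsoft\Windows\CurrentVersion\Run", "drvsyskit"
REG_MARKER_KEY = r"Software\FirstRRRun"


def check_registry_indicators():
    """Windows only: report the Run value and marker key if present; [] elsewhere."""
    if sys.platform != "win32":
        return []
    import winreg
    hits = []
    try:
        with winreg.OpenKey(winreg.HKEY_CURRENT_USER, REG_RUN_KEY) as key:
            value, _ = winreg.QueryValueEx(key, REG_RUN_VALUE)
            hits.append(f"HKCU\\{REG_RUN_KEY}\\{REG_RUN_VALUE} = {value}")
    except OSError:
        pass
    try:
        with winreg.OpenKey(winreg.HKEY_CURRENT_USER, REG_MARKER_KEY):
            hits.append(f"HKCU\\{REG_MARKER_KEY}")
    except OSError:
        pass
    return hits


if __name__ == "__main__":
    for f in triage_hjt_lines(SAMPLE_HJT_LINES):
        print(f"{f['kind']:<4}{f['name']:<40}{f['reason']}")
    root = sys.argv[1] if len(sys.argv) > 1 else build_demo_root()
    for p in check_file_indicators(root):
        print("present under", root, ":", p)
    for h in check_registry_indicators():
        print("registry:", h)
```

    Run as-is it triages the six quoted lines and checks the scratch tree; passing a drive root such as `C:\` as the first argument checks a real system instead. Note that the "Office Source Engine (ose)" entry is reported as orphaned rather than as Temp-based, which is the distinction a reviewer would want before deciding what to fix.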
     
  21. magic_mat

    magic_mat TS Rookie Topic Starter Posts: 30

    I try to download it

    404 - HTTP not found

    any other links to download it from?
     
  22. Blind Dragon

    Blind Dragon TS Evangelist Posts: 3,908

    Try this:

    Download the ZIP file, extract the SafeBoot-for-Windows-XP-SP2.reg file and merge it into the registry by double-clicking it:
    SafeBoot.zip

    Click YES on the following screen
     
  23. magic_mat

    magic_mat TS Rookie Topic Starter Posts: 30

    Managed to get it in the end, and it worked :D

    I deleted svchost in safe mode, but when I did a new scan once I restarted, I saw it was still there, so I managed to terminate it and delete it, then I rescanned :)


    Here's the 2 new logs
     
  24. magic_mat

    magic_mat TS Rookie Topic Starter Posts: 30

    Bump for Blind Dragon :]
     