Srosa.sys removal (linked with usbport.sys?)

Status
Not open for further replies.
Combofix
  • Download Combofix to your desktop.
  • Double click combofix.exe & follow the prompts.
  • A window will open with a warning.
  • Type "1" (and Enter) to start the fix.
  • When the scan completes it will open a text window. Please attach that log back here together with a fresh HJT log.
Caution - do not touch your mouse/keyboard until the scan has completed. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop. Combofix is a very powerful tool so please do NOT do anything without instruction

Combofix will automatically save the log file to C:\combofix.txt

HijackThis Instructions
  • Make sure you have the LATEST version of HJT (currently v2.0.0.2); it can be downloaded from HERE
  • Run the HijackThis Installer and it will automatically place HJT in C:\Program Files\TrendMicro\HijackThis\HijackThis.exe. Please don't change the directory.
  • After installing, the program launches automatically; select Scan now and save a log
  • After the scan is complete please attach your log onto the forums using the paper clip icon above your reply.
    ***Under no circumstances should you add any items to the HJT ignore list. Under no circumstances should you change the directory that HijackThis downloads to. Under no circumstances should you Fix anything without specific instruction to do so. Under no circumstances should you click any buttons other than those specified in the directions, including AnalyzeThis!***
 
Right
I've done the scan

It's saying it's removed srosa.sys, ntdlrrr.exe and wintems.exe

Tried to run Rootkit Revealer......... again, after a bit, BSOD usbport.sys!!!


And still, I have to go into the registry, enable Wireless Zero Config, and restart to get the internet working

About to try what you have said Blind Dragon
 
I opened Combofix, and it started fixing/scanning without me needing to type "1"

It was going through a list of exe's in the drivers folder...when it blue screened.

0x0000008E (0x00000005, 0x8054A95B, 0xED20EB4C, 0x00000000)

But when windows came on...the internet was automatically working :)
 
Just tried to open combofix again, but it now says

"C:\Documents and settings blah bla bal\combofix.exe is not a valid win32 application"
 
There's no log in C:\

and when I try opening it again I get

"C:\Documents and settings blah bla bal\combofix.exe is not a valid win32 application"
 
Ok, go to start -> run -> type exactly -> combofix /u

notice the space between

Please download Deckard's System Scanner (DSS) and save it to your Desktop.
DISCONNECT FROM THE INTERNET...REMOVE THE PLUG FROM THE BACK OF THE COMPUTER

Close all other windows before proceeding.

This means TURN OFF ALL other security programmes.
Norton Anti-virus, AVG Anti-spyware or any other security programmes you`re running.

Double-click on dss.exe and follow the prompts.
When it has finished, dss will open two Notepads main.txt and extra.txt -- please attach the main.txt and extra.txt in your next reply.

Re-enable your security programmes and reconnect to the net.
 
Ok, go ahead and drag and drop to the recycle bin,

if a box pops up saying that this will only remove the shortcut you will need to remove through add/remove programs in the control panel, if no box then proceed with the Deckard System Scan from my previous post

Make sure you are downloading these to your desktop
 
Finally something that works

I didn't have HijackThis installed though... so it said it's running its own HijackThis clone.... Is that ok?

Here are the files--

Also, about to delete combofix and retry it.
 
Deleted combofix and downloaded and rescanned.

Got a lot further,

It finished deleting files and got up to stage_8? then it blue screened

But now, whenever my pc turns on, after loading the desktop and waiting 5 or so seconds

BLUE SCREEN..... usbport.sys

I've restarted about 6 times now, every time this is happening
 
We removed combofix. You are not supposed to be running it. We are using Deckard in its place. Please reboot into safe mode by tapping F8 before Windows loads, then select Safe Mode. Remove combofix first by trying RUN -> combofix /u, then manually if that doesn't work.

While in safe mode Please navigate to and delete C:\windows\svchost.exe not to be confused with C:\WINDOWS\system32\svchost.exe

Then try booting into normal mode and see if you crash


***I just noticed you will not be able to boot into safe mode as the infection has corrupted your ability there to use Safe Mode
 
After a few more restarts, it's working again.

Ran ComboFix again, and it went all the way through and rebooted my pc at the end. Still no log file; the only file called combofix.txt has this in it

=======

ComboFix 08-02-22.3 - Administrator 2008-02-22 21:12:12.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.234 [GMT 1:00]
Running from: C:\Documents and Settings\Administrator\Desktop\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
======

But that's in the combofix folder.

Just removed combofix as you said to do.

Also, svchost.exe had already been removed by RegRun, if I remember correctly.

Ok

So whats next........
 
Can you follow my HijackThis instructions above and attach a log using the paperclip icon above your reply?

According to your last scan, C:\windows\svchost.exe is still running
 
I'm not too sure what you mean by

"attach a log using the paperclip icon above your reply"

But I've attached it to this message


Those other 2 files I attached earlier, were they any good?
 
I am going to look through the logs a little more carefully and will post back shortly but just wanted to show you this

If you look in your log of running processes, the next to last process before HijackThis is -> C:\WINDOWS\svchost.exe
 
Can't get into safe mode.

blue screen

0x0000007b (0xF894D528, 0xc0000034, 0x00000000x 0x00000000)

Never had any problem like this ever before! mad!
 
Ok, let's give this a try, as part of the fix is going to require running in safe mode

Download avz4en.zip here - it may be a slow download so be patient.

Unzip it to a folder on your desktop.

Double click on AVZ.exe.

Click on File - System Recovery.

Put a checkmark next to "10. Restore SafeBoot registry keys"

Click on Execute selected operations (if you get a warning asking you to continue, click the "ok" button to the left in the display - the software source is written in Russian so may not translate correctly). Once completed click OK- Close and close AVZ Antiviral Toolkit (do not use this for any other purposes there to avoid damaging your system).

Then reboot, allow a full startup and next reboot into Safe Mode.
-------------------------------------------------------------------------------------------------------

You May Want To Add the following instructions to a Notepad file On your Desktop
1) Reboot the computer in Safe Mode (at the start of the boot sequence, press and hold F8, then choose Safe Mode from the Windows boot menu).

2) Use Task Manager to terminate the worm process (it may be called "hidr.exe" or "srosa.sys").

3) Delete the following files if there:

  • C:\Windows\System32\drivers\srosa.sys
  • C:\Windows\System32\drivers\hidr.exe
  • C:\Windows\svchost.exe

4) Select Start - Search -> search for both srosa.sys and hidr.exe
if either are found delete all instances of them

5) Select Start - Run - Type regedit
*Delete the following parameter only if there:

  • [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
    "drvsyskit" = "%System%\drivers\hidr.exe"

6) Delete the following registry key:

  • [HKCU\Software\FirstRRRun]

7) Delete the following folder and its contents:

  • C:\Windows\exefqd

Run a scan only with HijackThis and fix
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O23 - Service: BVWIFOLT - Unknown owner - C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\BVWIFOLT.exe (file missing)
O23 - Service: FNQT - Unknown owner - C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\FNQT.exe (file missing)
O23 - Service: FXTISOL - Unknown owner - C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\FXTISOL.exe (file missing)
O23 - Service: Office Source Engine (ose) - Unknown owner - C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE (file missing)
O23 - Service: ZAXHQLNL - Unknown owner - C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\ZAXHQLNL.exe (file missing)

-------------------------------------------------------------------------------------------------------------------------------------------------

Reboot to Normal Mode and post a fresh HijackThis log and Deckard Scan log
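Added here as an illustration, not code from this thread or from any tool it names: a small Python checker that applies the criteria the post above uses to the lines of a HijackThis log, flagging O23 services whose image is "(file missing)" or lives under a Temp folder, O2 BHOs with "(no file)", and any O4/O23 entry whose file is one named in the removal steps (srosa.sys, hidr.exe, C:\Windows\svchost.exe, the drvsyskit Run value). The sample log is constructed from the lines quoted above plus an O4 and an O23 line invented here so the filter has ordinary entries to leave alone.

```python
import re

# Constructed sample: the O2/O23 lines quoted in the post, a hypothetical O4 line
# built from the drvsyskit Run value in step 5, and two benign-looking entries.
SAMPLE_LOG = """\
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKCU\\..\\Run: [drvsyskit] C:\\WINDOWS\\system32\\drivers\\hidr.exe
O4 - HKLM\\..\\Run: [ctfmon.exe] C:\\WINDOWS\\system32\\ctfmon.exe
O23 - Service: BVWIFOLT - Unknown owner - C:\\DOCUME~1\\ADMINI~1\\LOCALS~1\\Temp\\BVWIFOLT.exe (file missing)
O23 - Service: Office Source Engine (ose) - Unknown owner - C:\\Program Files\\Common Files\\Microsoft Shared\\Source Engine\\OSE.EXE (file missing)
O23 - Service: Windows Audio (AudioSrv) - Unknown owner - C:\\WINDOWS\\System32\\svchost.exe
"""

# Names and paths taken from the removal steps in the thread.
KNOWN_BAD_NAMES = {"srosa.sys", "hidr.exe"}
KNOWN_BAD_PATHS = {r"c:\windows\svchost.exe"}   # not system32\svchost.exe
KNOWN_BAD_RUN_VALUES = {"drvsyskit"}

O23_RE = re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+?)(?P<missing> \(file missing\))?$")
O4_RE = re.compile(r"^O4 - (?P<hive>\S+): \[(?P<value>[^\]]+)\] (?P<path>.+)$")
O2_RE = re.compile(r"^O2 - BHO: (?P<name>.+?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.+)$")

def basename(path):
    """Last path component, lower-cased, for Windows-style paths."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def check_line(line):
    """Return the reasons one HJT line deserves a look (empty list if none)."""
    reasons, path = [], None
    line = line.rstrip()
    if m := O23_RE.match(line):
        path = m.group("path")
        if m.group("missing"):
            reasons.append("service image file missing")
        if "\\temp\\" in path.lower():
            reasons.append("service runs from a Temp directory")
    elif m := O4_RE.match(line):
        path = m.group("path")
        if m.group("value").lower() in KNOWN_BAD_RUN_VALUES:
            reasons.append("Run value named in removal steps")
    elif m := O2_RE.match(line):
        path = m.group("path")
        if path == "(no file)":
            reasons.append("BHO with no backing file")
    if path and (basename(path) in KNOWN_BAD_NAMES or path.lower() in KNOWN_BAD_PATHS):
        reasons.append("file named in removal steps")
    return reasons

def scan_log(text):
    """Map each flagged log line to its list of reasons."""
    return {ln: r for ln in text.splitlines() if (r := check_line(ln))}

if __name__ == "__main__":
    for ln, why in scan_log(SAMPLE_LOG).items():
        print(ln, "=>", "; ".join(why))
```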
 
Try this

Download the ZIP file, extract the SafeBoot-for-Windows-XP-SP2.reg file and merge it into the registry by double-clicking it:
SafeBoot.zip

Click YES on the following screen
safebootmerge.PNG
 
Managed to get it in the end, and it worked :D

I deleted svchost in safe mode but when I did a new scan once I restarted, I saw it was still there, so I managed to terminate it and delete it, then I rescanned :)


Here's the 2 new logs
 