
Thread: rootkit: srosa.sys, hldrrr.exe & bluescreen !

#1 (Junior Member, Join Date Jan 2008, Posts 5)

    rootkit: srosa.sys, hldrrr.exe & bluescreen !

    Dear All,

    I am having the same annoying rootkit as some others and already looked through the other two topics posted here. But my problem is a little bit more complicated: I am running Windows 2003 Server at home for some testing for work and started to have some problems with afd.sys crashing.
    After renaming this file to .old, the following file came up: srosa.sys, ALSO crashing my server with a bluescreen....

    I can't boot into safe mode either: blue screen.
    SafeBootKeyRepair.exe won't work either.

    I booted with a BartPE CD and deleted srosa.sys & hldrrr.exe and the folder C:\windows\system32\drivers\download. After another reboot the files were there again.
    I checked for SpyBot and SpybotSD.exe was gone from C:\program files\Spybot - Search & Destroy.

    The problem is probably that I can't get into the registry with BartPE either to check for more files....

    I am now running a check with avz4 (after updating it first on a running computer).
    Any ideas how to solve this problem???

    regards,
    Mark

#2 (Junior Member, Join Date Jan 2008, Posts 5)

    Removed srosa.sys & hldrrr.exe again from within BartPE.
    And let the updated avz4 scan: it found nothing special!

    I also downloaded mwav.exe on another PC, updated it, burned it onto a CD and tried to start it from BartPE: mwavscam.com can't be started there.

    Reboot, and after logging in there was my srosa.sys bluescreen again....

#3 (Junior Member, Join Date Jan 2008, Posts 5)

    Ok, after removing some profiles and adding a new user I could log in again and proceed without a bluescreen.
    Then I removed the virus manually and ran the following:
    - mwav.exe, which detected nothing, but nothing related to the 2 above.
    - combofix incl. a reboot, which detected some wrong keys.
    So it seems the virus is gone.
    BUUUUT my network connection is not working: I can give it an IP address but no traffic to/from the router is possible.... any ideas???

#4 (Junior Member, Join Date Jan 2008, Posts 5)

    SpybotSD found some cookies and bre32.dll related to Smitfraud-C -> all removed! System seems OK now.
    But still some services are not starting and I don't have any network access.

#5 (Junior Member, Join Date Jan 2008, Posts 5)

    Ok, after fiddling with netsh int ip reset & netsh winsock reset my IP stuff is working again....
    But loads of services won't start:
    DHCP Client
    DHCP Server
    NETLOGON

    All come with around the same error:
    a socket operation encountered a dead network

    grmpf.... any ideas??
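Added example (not part of the thread, not the poster's own steps): a post-cleanup check for the situation described above. It assumes it is run as Administrator in PowerShell on the affected machine, and looks for the files named in the thread, verifies the Winsock catalog points only at DLLs that still exist (a registered provider whose DLL was deleted is the classic cause of "dead network" errors that netsh winsock reset clears), and reports the services the poster listed.

```powershell
# Added example, not the thread author's code. Assumes: Administrator shell,
# PowerShell 2.0+, netsh available. Service names used are the real short
# names for the three services the poster listed.

# 1. Files and folder named in the thread; any hit means cleanup is incomplete.
$hits = Get-ChildItem -Path $env:SystemRoot -Recurse -Force -ErrorAction SilentlyContinue `
            -Include 'srosa.sys', 'hldrrr.exe' | Select-Object -ExpandProperty FullName
$downloadDir = Join-Path $env:SystemRoot 'system32\drivers\download'
if (Test-Path -LiteralPath $downloadDir) { $hits += $downloadDir }
if ($hits) {
    Write-Host "Indicators still present:"
    $hits | ForEach-Object { Write-Host "  $_" }
} else {
    Write-Host "No srosa.sys / hldrrr.exe / drivers\download found under $env:SystemRoot."
}

# 2. The poster renamed afd.sys to .old; networking needs the real driver back.
$afd = Join-Path $env:SystemRoot 'system32\drivers\afd.sys'
if (-not (Test-Path -LiteralPath $afd)) { Write-Host "WARNING: $afd is missing." }

# 3. Winsock catalog: flag providers whose DLL no longer exists on disk.
$missing = @()
foreach ($line in (netsh winsock show catalog)) {
    if ($line -match '^\s*Provider Path:\s*(.+?)\s*$') {
        $dll = [Environment]::ExpandEnvironmentVariables($matches[1])
        if (-not (Test-Path -LiteralPath $dll)) { $missing += $dll }
    }
}
if ($missing.Count -gt 0) {
    Write-Host "Winsock providers pointing at missing DLLs (run 'netsh winsock reset'):"
    $missing | Sort-Object -Unique | ForEach-Object { Write-Host "  $_" }
} else {
    Write-Host "Winsock catalog: every provider DLL is present."
}

# 4. Services the poster saw failing with 'a socket operation encountered a dead network'.
foreach ($name in 'Dhcp', 'DHCPServer', 'Netlogon') {
    $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
    if ($svc) { "{0,-12} {1}" -f $name, $svc.Status } else { "{0,-12} not installed" -f $name }
}
```

If step 3 reports missing DLLs, the catalog entry is what keeps sockets from opening, which is why the poster's netsh winsock reset restored IP traffic before the services came back.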
