
srosa worm

Old 25th Oct 2009, 15:18
#21
Per Ardua ad Astraeus
Thread Starter
Thanks for the memory jog - I have emailed, but I'm not sure how much support they offer for the 'freebie' gang.
BOAC is offline  
Old 27th Oct 2009, 09:29
#22
Per Ardua ad Astraeus
Thread Starter
After severe 'attacking' yesterday I am pleased to report that Malwarebytes shows 'no infection' although the 'drivers' folder is still reappearing on reboot, so at last some more progress.

MWB have responded to my emailing (thanks GG) and are looking at the logs.

One (extra!) lesson I have noted is that if you run Combofix (having turned off sys restore) it 'restores' sys restore as part of its process. Worth watching.
BOAC is offline  
Old 27th Oct 2009, 15:13
#23
I am always amazed to see people "fixing" a machine over 10..20 hours, but not really getting rid of an infection, whereas to format the machine cleanly and reinstall takes a known and finite piece of time and results in a machine that is KNOWN to be clean.

The steps are:
LOW LEVEL FORMAT THE DRIVE (to remove any boot sector Rootkits) - good time to think about putting in a brand new upgrade drive

Install the new OS (get your Windows 7 if you like)

Install your applications.

Selectively copy your data files, word docs, etc.


In the future, maintain a low privilege level account and do most of your activities as that user. Login as admin when you have to install or change some settings (or use the RUN AS function to run a program as administrator)

Use High security settings for your browser (IE), Noscript (for Firefox) and No Javascript/Plugins for Opera (use site specific settings to allow javascript and plugs for sites you particularly trust.)
cessnapuppy is offline  
Old 27th Oct 2009, 15:58
#24
More bang for your buck
I am always amazed to see people "fixing" a machine over 10..20 hours,
It's the challenge of it.
green granite is offline  
Old 27th Oct 2009, 16:51
#25
C-N
SOURCE: wwwDOTmalwarecityDOTc0m/blog/removal-win32wormbagle-124.html


Removal Win32.Worm.Bagle

Date: 07/17/2008

Author: Andrei Bereczki


The Bagle worm is a piece of malware that spreads by itself over email, disk drives and network shares. It has rootkit capabilities that enable it to hide from the user. It disables the windows firewall and several antivirus products. It also drops a hosts file which disables access to certain anti-virus websites. Anti-virus software might be unable to perform any definition updates because of this.
In order to remove Win32.Worm.Bagle we first have to know that we are infected with it.
  • Go to Start->Run and type cmd.exe
  • Browse to %windir%\system32\drivers by typing “cd %windir%\system32\drivers”
  • Type “dir srosa*” and “dir *.exe”. If you have some of the following files displayed you have a bagle infection:
srosa.sys (Bagle rootkit, almost in all versions)
pci32.sys (old versions)
hldrrr.exe or
hidr.exe
mdelk.exe
  • You may also check “sc query srosa” and “sc query pci32” but this may or may not return results.
Now if you successfully identified a Win32.Worm.Bagle infection it's time for neutralization and removal. Please follow these steps:
  • Type “copy null.sys srosa.sys” (replace srosa.sys with pci32.sys if you have the older version) in your command prompt.
Note: it's supposed that you are still in %windir%\system32\drivers
Explanation: we are replacing srosa.sys with the dummy null driver that does nothing, so this is what will be loaded on system startup upon reboot
  • type “attrib +r +h srosa.sys” in your command prompt
Explanation: the Trojan component of bagle will try to rewrite srosa.sys on every system boot. If it's hidden and read only it will not be able to do so (in the versions seen so far).
  • Reboot
  • Open a command shell again (see step 1 from the detection process)
  • Go to %windir%\system32\drivers (see step 2 from the detection process)
  • Unhide the hidden srosa file: “attrib -h srosa.sys”
  • Delete the files you detected earlier by typing: “del /f filename”. For example: “del /f srosa.sys”, “del /f hldrrr.exe”, “del /f mdelk.exe” etc.
  • Delete the registry keys it created by typing:
reg delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /V "drvsyskit" /F
reg delete "HKLM\SYSTEM\CurrentControlSet\Services\srosa" /F
  • Start regedit (Start -> Run then type: regedit.exe)
Browse to the following registry key: HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_SROSA and right click it.
Select Permissions, select Everyone then check Allow "Full Control".
After this delete the key.


At this point your system should be clean of the Bagle infection. If any of the steps above fails, please send us a copy of the file at virus-submission(AT)bitdefender.com in order to assist you with a specific removal guide.
Additional notes: this guide is intended for any type of user as long as they follow the exact steps described above. Any damage done to your system as a result of following this guide is your responsibility. Malwarecity.com cannot guarantee a successful removal for any threat version described above.


or better yet, call some techie friends or technicians. Then pay them, it's worth your data
C-N is offline  
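The detection half of the quoted guide (look for the dropped driver and helper files, query the services, and check the hosts file for blocked anti-virus update sites) is easy to turn into a read-only check. The script below is an added example written for this page; it is not code from the malwarecity guide, from BitDefender or from anyone in this thread. The file, service and Run-value names are the ones the guide lists; the hosts-file heuristic (flag any loopback mapping other than localhost), the constructed sample inputs, the `.invalid` host names and all function names are this example's own assumptions. It only reads; it deletes nothing.

```python
"""Read-only indicator check for the Bagle/srosa infection described above.

Added example, not part of the quoted guide. Indicator names come from the
guide; the hosts heuristic, sample data and function names are assumptions.
"""
from __future__ import annotations

import os
import platform
import subprocess
from typing import Iterable

# File names the guide lists under %windir%\system32\drivers.
BAGLE_FILES = {"srosa.sys", "pci32.sys", "hldrrr.exe", "hidr.exe", "mdelk.exe"}
# Service names the guide probes with "sc query".
BAGLE_SERVICES = ("srosa", "pci32")
# Run-key value name the guide deletes under HKCU\...\CurrentVersion\Run.
BAGLE_RUN_VALUE = "drvsyskit"

# Constructed sample inputs (not captured from a real machine).
SAMPLE_LISTING = ["null.sys", "SROSA.SYS", "hldrrr.exe", "ntfs.sys"]
SAMPLE_HOSTS = """# constructed hosts file for the example
127.0.0.1 localhost
127.0.0.1 www.example-av-update.invalid
127.0.0.1 liveupdate.example.invalid  # pins an update site to loopback
"""


def match_driver_files(names: Iterable[str]) -> list[str]:
    """Return the Bagle file names present in a directory listing (case-insensitive)."""
    return sorted(n for n in names if n.lower() in BAGLE_FILES)


def suspicious_hosts_entries(hosts_text: str) -> list[tuple[str, str]]:
    """Return (ip, hostname) pairs that map a non-local name into 127.0.0.0/8.

    The worm's dropped hosts file sends anti-virus sites to loopback, so any
    loopback mapping other than localhost deserves a look (heuristic, our own).
    """
    found: list[tuple[str, str]] = []
    for raw in hosts_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        ip, *hostnames = line.split()
        for host in hostnames:
            if ip.startswith("127.") and host.lower() not in ("localhost", "localhost.localdomain"):
                found.append((ip, host))
    return found


def live_check() -> dict:
    """Collect the same indicators from a running Windows box; empty dict elsewhere."""
    if platform.system() != "Windows":
        return {}
    drivers = os.path.join(os.environ["WINDIR"], "system32", "drivers")
    result: dict = {"files": match_driver_files(os.listdir(drivers))}
    with open(os.path.join(drivers, "etc", "hosts"), encoding="utf-8", errors="replace") as fh:
        result["hosts"] = suspicious_hosts_entries(fh.read())
    # "sc query <name>" returns a non-zero exit code when the service does not exist.
    result["services"] = [
        s for s in BAGLE_SERVICES
        if subprocess.run(["sc", "query", s], capture_output=True).returncode == 0
    ]
    import winreg  # Windows-only module, imported lazily
    run_key = r"Software\Microsoft\Windows\CurrentVersion\Run"
    try:
        with winreg.OpenKey(winreg.HKEY_CURRENT_USER, run_key) as key:
            value, _ = winreg.QueryValueEx(key, BAGLE_RUN_VALUE)
            result["run_value"] = value
    except OSError:
        result["run_value"] = None
    return result


if __name__ == "__main__":
    # Offline demonstration on the constructed samples, then a live pass if on Windows.
    print("files:", match_driver_files(SAMPLE_LISTING))
    print("hosts:", suspicious_hosts_entries(SAMPLE_HOSTS))
    print("live:", live_check() or "not Windows, skipped")
```

Run it as an administrator on the suspect machine; a non-empty `files`, `services` or `run_value` entry matches the guide's detection steps, and any `hosts` hit explains why the anti-virus cannot update. Removal is left to the manual steps in the guide (or to a clean reinstall, as suggested earlier in the thread).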
Old 27th Oct 2009, 17:20
#26
Per Ardua ad Astraeus
Thread Starter
Hmm! Quite a postal backlog there.

Firstly I would prefer NOT to have to re-install all my programmes if I can avoid it. Obviously it is a last option.

aquamon - I didn't get a fair bit of that post and I don't recognise "Weren't you the same person earlier this year ..........". If you look back you will see there is nothing 'visible' in startup. Services are possibly next on the list after MWB come back again. They have asked for the combofix scan log

C-N thanks - checked all that a while ago and nothing there. Either a different variant or I got rid of those bits myself.

The other 'advantage' to sticking with it is, of course, it improves the virus knowledge base (and I'm with GG)
BOAC is offline  
Old 27th Oct 2009, 18:27
#27
C-N
BOAC, the best option, IMO, is to just disconnect your HD and scan it in a clean system with updated AV. Then reconnect to your machine again. edit: Check also your windows firewall settings, in control panel. I'm sure it's also modified to allow the worm to propagate.
C-N is offline  
Old 27th Oct 2009, 22:03
#28
Per Ardua ad Astraeus
Thread Starter
Thought I would pop my head out of the trench and dodge the muck and bullets..................

So far MWB have been most attentive. They called for a combofix log and I have just run Combofix again with a script they sent, and have returned the log at their request. Very impressive for a 'free' software supplier.

Last edited by BOAC; 27th Oct 2009 at 22:38.
BOAC is offline  
Old 27th Oct 2009, 22:06
#29
More bang for your buck
They are offering an upgrade to the pro version for about $10 which is very reasonable.
green granite is offline  
Old 31st Oct 2009, 08:56
#30
Per Ardua ad Astraeus
Thread Starter
Gone!

MBAM cleared most of it but the rogue folders kept returning on boot. A mate sent me a link to 2 'new' av progs, Panda 'Cloud', an AV prog and Norman 2009 Malware cleaner (sits nicely on a USB stick!). Norman does not need to be installed.

Panda required uninstallation of my (Avast) AV which I did and ran Panda Cloud. It found and cleaned a few entries. I also ran Norman which found more.

This am I have NO return of the folders. A MBAM scan shows me uninfected. I do not know which of the 2 'new' ones fixed it, of course, but I prefer Norman as it sits with the AV running. I'll add links to my forthcoming links in the sticky for both.
BOAC is offline  
Old 31st Oct 2009, 11:39
#31
Spoon PPRuNerist & Mad Inistrator
Result!

I admire your perseverance.

May I re-iterate my advice to run as a standard user account as much as possible?

SD
Saab Dastard is offline  
Old 31st Oct 2009, 13:13
#32
Per Ardua ad Astraeus
Thread Starter
Advice taken!!! Yes- I knew I should, but, you know................. Lesson learnt.
BOAC is offline  