AnimeSuki Forums

Old 2008-05-04, 17:13   Link #1
sezen_atacan
Senior Member
 
Join Date: Feb 2007
I have a Trojan problem.

I don't know, nor do I remember, which file I clicked on, but yesterday I accidentally clicked some random garbage file about 10K in size, got a blue screen, and now my comp is messed up accordingly:

List of symptoms:

- Sound drivers dislodging themselves constantly; every time I do something I must reinstall the sound card over and over again.

- Video capture that worked suddenly doesn't give me video signals anymore. Wonky fps in games when it is usually fine.

- Task Manager doesn't do too good, but some file/trojan/virus is hiding itself so well that it is making it appear that it's explorer/Windows itself that is eating up resources.

- A file that I can't find is eating 100% of computer resources.

- Constant internet traffic as if someone is connected to my computer, even though I turned off torrent and other P2P and restarted.

Actually, I have spent more than 20 hours trying to find a way to get rid of the trojan, but often end up with "file not found" or "some mem error to blue screen".

Can't find a good trojan-extermination program, though. However, I am trying to fix Windows without reinstalling, because I will have to relink everything.

The fact that I am using over 100 video/audio codecs just to get some of the subs here to work is only the surface of the reason for not reinstalling Windows.

I am open to solutions for tough guerrilla-fighting style trojans. Let's use reinstall as the last option, OK?
Old 2008-05-04, 17:28   Link #2
Utter_iMADNESS
Life's better in a harem.
*Graphic Designer
 
 
Join Date: Dec 2007
Location: Oakville, Ontario, Canada
Do you have the System Restore option enabled (assuming you have XP or Vista)? If you do then all you need to do is to do a system restore to a date before you got the trojan. Here's a guide on how to restore using XP, and here's how to use it in Vista.
Old 2008-05-04, 17:30   Link #3
Ledgem
Love Yourself
 
 
Join Date: Mar 2003
Location: Northeast USA
Age: 28
Quote:
I am open to solution for tough gurella-fighting style trojans. Lets use reinstall as last option ok??
Always.

Do you still have the original file that caused the infection? It could be useful in determining what happened.

What security software do you already have installed? (Virus scanner, firewall, anti-spyware). In my opinion, one of the best ways to fight trojans is through the firewall. If you have a firewall already (Windows firewall doesn't count), put it into "advanced" mode if it isn't already ("advanced" being where it'll prompt you for permission over nearly any connection, incoming or outgoing). If you have a firewall in advanced mode and haven't been seeing any weird programs or weird access occurring, reset your rules within the firewall to ensure that you haven't previously allowed something.

If you find weird access through the firewall, it should tell you what file or process was attempting to communicate. Block the communication to prevent the trojan from downloading more malware to your system, and then let us know (and Google for) the name of the process/file. Hopefully there'll be easy instructions for removing it and it won't have dug too deeply into your system.

Be quick about this. The longer you have it on your system and you're connected to the internet, the greater the chances that it's loading your system with even more viruses.

Regarding system restore, if the trojan modified any core system files then those files will be restored. However, if the virus exists outside of those files that will be restored, and if the virus is sophisticated enough, it'll simply reinfect the files. System restore isn't a miracle cure, unfortunately.
Old 2008-05-04, 19:40   Link #4
sezen_atacan
Senior Member
 
Join Date: Feb 2007
OK, from my last Windows XP crash, aka blue screen: it quite often mentions the file "srosa.sys". Now, according to my Googling of it, srosa.sys, if it is a virus, should also have an accompanying exe file that hides any process this trojan is running.

I am more concerned with the high CPU usage than the nuisance traffic, though, as it is lagging videos, audio and games.

Of the many proclaimed "super-anti-spyware" programs I have used, none seem very useful, as I always get either "it is undeletable", "cannot be found", etc., etc.

Not sure of good detectors, though. It is invisible but annoying: even opening a new Notepad file can send CPU usage to 100% for several seconds, longer for bigger programs.

Even scrolling on this board can warrant 99% CPU usage and lag.

Oh, and I can't find srosa.sys, but when the blue screen happens it usually mentions its interference with memory. So it exists. I don't know if "legitimate" programs depend on it.

Some trojans actually "frame" legit files which causes me to reinstall some programs.
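An added illustration, not code posted by anyone in this thread, of the cross-check Ledgem describes in post #3 (let the firewall name the process behind the traffic) combined with the symptom the OP describes in post #4 (a process hidden from Task Manager). It correlates the text output of `netstat -ano`, which on XP prints the owning PID for each connection, with `tasklist /fo csv /nh`, which lists the image name per PID. A connection whose PID has no tasklist entry is exactly what a process-hiding rootkit produces. Both sample outputs below are constructed, not captured from the OP's machine, and the remote addresses are documentation ranges.

```python
"""Cross-view check for unexplained network traffic on Windows XP.

Added illustration for this thread, not code posted in it. It correlates
`netstat -ano` (PID per connection) with `tasklist /fo csv /nh` (image name
per PID). Both samples below are constructed, not captured from the poster's
machine; Python need not run on the infected box, paste the two outputs here.
"""
import csv
import io
from typing import Dict, List, Tuple

# Constructed `netstat -ano` output (XP layout: Proto, Local, Foreign, State, PID).
NETSTAT_SAMPLE = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    192.168.1.10:1057      203.0.113.7:80         ESTABLISHED     1388
  TCP    192.168.1.10:1062      198.51.100.22:6667     ESTABLISHED     2044
  UDP    0.0.0.0:500            *:*                                    760
"""

# Constructed `tasklist /fo csv /nh` output. Note: there is no row for PID 2044.
TASKLIST_SAMPLE = '''"System","4","Console","0","236 K"
"lsass.exe","760","Console","0","1,420 K"
"firefox.exe","1388","Console","0","58,004 K"
"explorer.exe","1604","Console","0","22,112 K"
'''

Connection = Tuple[str, str, str, str, int]  # proto, local, remote, state, pid


def parse_netstat(text: str) -> List[Connection]:
    rows: List[Connection] = []
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0] not in ("TCP", "UDP"):
            continue
        # UDP rows have no State column; the PID is always the last field.
        state = parts[3] if parts[0] == "TCP" else ""
        rows.append((parts[0], parts[1], parts[2], state, int(parts[-1])))
    return rows


def parse_tasklist(text: str) -> Dict[int, str]:
    # csv handles the quoted "1,420 K" memory column correctly.
    procs: Dict[int, str] = {}
    for row in csv.reader(io.StringIO(text)):
        if len(row) >= 2 and row[1].isdigit():
            procs[int(row[1])] = row[0]
    return procs


def cross_view(netstat_text: str, tasklist_text: str):
    """Return (attributed, hidden). `attributed` maps each connection to the
    image name that owns it; `hidden` holds connections whose PID tasklist
    does not report at all, which is what a process-hiding rootkit looks like."""
    procs = parse_tasklist(tasklist_text)
    attributed, hidden = [], []
    for proto, local, remote, state, pid in parse_netstat(netstat_text):
        entry = {"proto": proto, "local": local, "remote": remote,
                 "state": state, "pid": pid, "image": procs.get(pid)}
        (attributed if pid in procs else hidden).append(entry)
    return attributed, hidden


def outbound_established(entries) -> list:
    """Connections actually talking to a remote host (the 'constant traffic'
    the poster describes), as opposed to listening sockets."""
    return [e for e in entries
            if e["state"] == "ESTABLISHED"
            and not e["remote"].startswith(("0.0.0.0", "127.", "*"))]


if __name__ == "__main__":
    known, hidden = cross_view(NETSTAT_SAMPLE, TASKLIST_SAMPLE)
    for e in outbound_established(known):
        print(f"{e['image']:<14} pid {e['pid']:<6} -> {e['remote']}")
    for e in hidden:
        print(f"HIDDEN PID {e['pid']:<6} -> {e['remote']} ({e['proto']} {e['state']})")
```

Two caveats for reading the result. A kernel rootkit that hooks process enumeration can lie to netstat just as it lies to tasklist, so an empty `hidden` list proves nothing; a non-empty one is a strong signal. And a process that exited between the two commands also shows up as hidden, so capture both outputs twice a few seconds apart before drawing conclusions, and save them to a file so they can be pasted into the thread alongside the HijackThis log.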
Old 2008-05-04, 20:15   Link #5
Ledgem
Love Yourself
 
 
Join Date: Mar 2003
Location: Northeast USA
Age: 28
Quote:
Originally Posted by sezen_atacan
I am more concerned with the high CPU usage than the nuisance traffic, though, as it is lagging videos, audio and games.
Pardon me if this sounds harsh, but your priorities are off. Your computer may be sending out spam email and attempting to infect other people's computers for every second that it's connected to the internet. Not dealing with this issue, or leaving your computer connected to the internet when it doesn't need to be, is costing other people and is negligence on your part. For your own interests, you'd better care about what the virus is doing, as it may be stealing your passwords or infecting you with even more viruses.

Quote:
Of the many of the proclaimed "super-anti-spyware" programs I have used, it doesn't seem very useful, as I always get either it is undeletable, cannot be found, etc etc.
Many of these programs are simply malware themselves. It's a scam: many of these programs will claim to be free, and then seem to find spyware or viruses. You'll be requested to pay for their removal. The removal doesn't always work, and some of these programs install the viruses/spyware that they "discover." Do not go installing any random program that claims to be a security program. There's a reason that I asked what you already have on your computer. If you already have something, we'll see how we can work with it. If you have nothing, we're going to give you suggestions for software that we know is legit and has a good chance of working.

One more time: what security software do you have installed, if any? Have you tried using a System Restore? Are you using Windows XP or Vista?
Old 2008-05-04, 20:26   Link #6
sezen_atacan
Senior Member
 
Join Date: Feb 2007
Quote:
Originally Posted by Ledgem

One more time: what security software do you have installed, if any? Have you tried using a System Restore? Are you using Windows XP or Vista?

I don't really have any security software, other than the fact that I am using "Spyware Doctor", and the fact that I am behind a router might also be "security", as some say that it's near impossible to break through reinforced router firewalls that are part of the router. It's Linksys, btw.

I am using Windows XP Professional Edition with SP2.

Also, Spyware Doctor and such always point to legitimate programs and files, claiming that it's spyware too. I had to reinstall my video drivers twice from missing DLL files.

If using "fake" detectors is not the way, then what is the "genuine" detector?

Oh, I had System Restore turned off half a year ago, unfortunately, because I am trying to run resource-heavy programs.
Old 2008-05-04, 20:48   Link #7
Ledgem
Love Yourself
 
 
Join Date: Mar 2003
Location: Northeast USA
Age: 28
Spyware Doctor should be legit, but apparently you'd need the full (paid) version to remove threats. However, what you have is a virus, not spyware. I've looked into srosa.sys and I have some very bad news for you: you're infected with a rootkit (namely, TROJ_ROOTKIT.JS). The rootkit has apparently put the virus Trojan-Downloader.Win32.Bagle.cu on your system (this is the srosa.sys). Even if you remove the trojan, the rootkit will likely continue to regenerate it on your system.

My only advice for you is to back up your personal data, format your hard drive, and reinstall Windows. I hate to recommend this as an option, but rootkits are a bit much to deal with. It's possible to remove them, but the trouble is that while a virus infects some normal files and can be removed for certain, the rootkit infects the core operating system. In other words, you'll never really know for sure whether the rootkit is in your system, or whether you've fully removed it. This represents a horrible security risk. The only way to remove it for certain is to delete the operating system. If you really want to try to fight it, you can try some rootkit removal tools (such as this free one from Sophos). If you remove the rootkit, you'll need to remove the virus that it spawns as well. However, the reason why rootkits represent such a big problem is that they heavily modify the system. In addition to not knowing whether it's fully gone, there's a chance that removing the rootkit and/or the virus will destabilize your system. Your OS may become unbootable, and you'd need to reinstall it anyway.

You remarked that part of the reason you're against reinstalling Windows is because you have dozens of codecs - if you've used CCCP, that should be all you need to play back anime easily. There's unfortunately no way to make reinstalling your programs any easier.

In order to prevent infections in the future, please get some security software. If you're going to reinstall Windows, disconnect it from the internet and have security software ready to install before you connect it to the internet. I'd recommend using AVG for a virus scanner (free) and Comodo as a firewall (also free). Please take security seriously, especially if you're going to be running Windows.
Old 2008-05-04, 21:54   Link #8
sezen_atacan
Senior Member
 
Join Date: Feb 2007
Umm, when I try to run Sophos after the installer, it says that sarcli.exe, sargui.exe and helper.exe are not "valid Win32 apps" and closes down. Is this the trojan's attempt to destroy even the slightest retaliation against it?
Old 2008-05-04, 23:09   Link #9
bayoab
Senior Member
 
Join Date: Nov 2003
Quote:
Originally Posted by Ledgem
Spyware Doctor should be legit, but apparently you'd need the full (paid) version to remove threats. However, what you have is a virus, not spyware. I've looked into srosa.sys and I have some very bad news for you: you're infected with a rootkit (namely, TROJ_ROOTKIT.JS). The rootkit has apparently put the virus Trojan-Downloader.Win32.Bagle.cu on your system (this is the srosa.sys). Even if you remove the trojan, the rootkit will likely continue to regenerate it on your system.
The removal instructions on Kaspersky are simple enough that it is probably worth going after and not all that major a rootkit.

http://www.viruslist.com/en/viruses/...=21780028#doc2

http://www.trendmicro.com/vinfo/viru...%2EQU&VSect=Sn

Quote:
Originally Posted by sezen_atacan
Umm, when I try to run Sophos after the installer, it says that sarcli.exe, sargui.exe and helper.exe are not "valid Win32 apps" and closes down. Is this the trojan's attempt to destroy even the slightest retaliation against it?
Yes. It will typically go after a bunch of fixed file names and/or has changed the way that exes are opened. See the above link.

Norton notes the shell reset tool may be required if regedit autocloses.

Post a HijackThis log if you can, too, so that we can get a better picture of what is going on.

Also, you might want to try using Trend Micro's HouseCall or another online scanner (Symantec, McAfee and a few others also have one), since those tend to use semi-randomized file names to protect themselves.
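bayoab's two remarks in post #9, that the malware "has changed the way that exes are opened" and that regedit may close itself, point at the same place: on Windows XP the default value of HKEY_CLASSES_ROOT\exefile\shell\open\command is what runs whenever any .exe is launched, and its stock content is "%1" %*. Anything prepended there gets control on every launch, including the launch of the removal tool. The following is an added example, not code from this thread or from the Kaspersky, Trend Micro or Norton pages linked above, that parses a regedit export of that area, flags handlers that no longer hold the stock command, and writes the matching repair .reg file. The export in the block is constructed; the loader path in it is a placeholder, not the name of any real file from this infection.

```python
"""Check exported registry text for a hijacked exe handler.

Added illustration for this thread, not code from it or from any vendor
linked above. On Windows XP the command that runs when you open an .exe is
the default value of HKEY_CLASSES_ROOT\\exefile\\shell\\open\\command, and
its stock content is  "%1" %*  . Export the key on the infected machine
(reg export HKCR\\exefile exefile.reg) and run this against the file elsewhere.
The sample export below is constructed; the loader path is a placeholder.
"""
from typing import Dict, List, Optional, Tuple

EXPECTED = '"%1" %*'
HANDLER_CLASSES = ("exefile", "comfile", "batfile", "cmdfile")

# Constructed regedit export. Only the exefile handler has been tampered with.
REG_SAMPLE = r'''Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\exefile]
@="Application"

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="C:\\Constructed\\loader.exe \"%1\" %*"

[HKEY_CLASSES_ROOT\comfile\shell\open\command]
@="\"%1\" %*"

[HKEY_CLASSES_ROOT\batfile\shell\open\command]
@="\"%1\" %*"
'''


def _unescape(s: str) -> str:
    # Undo .reg string escaping: a backslash escapes the following character.
    out, i = [], 0
    while i < len(s):
        if s[i] == "\\" and i + 1 < len(s):
            out.append(s[i + 1])
            i += 2
        else:
            out.append(s[i])
            i += 1
    return "".join(out)


def parse_reg(text: str) -> Dict[str, Dict[str, str]]:
    """Map key path -> {value name -> value}. String values are unescaped;
    hex:/dword: values are kept raw (multi-line hex is not needed here)."""
    keys: Dict[str, Dict[str, str]] = {}
    current: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
            continue
        if current is None or "=" not in line:
            continue
        name, _, value = line.partition("=")
        name = "@" if name == "@" else _unescape(name.strip('"'))
        if len(value) >= 2 and value[0] == '"' and value[-1] == '"':
            value = _unescape(value[1:-1])
        keys[current][name] = value
    return keys


def handler_class(keypath: str) -> Optional[str]:
    """Return 'exefile' etc. if keypath is a ...\\<class>\\shell\\open\\command key."""
    parts = keypath.split("\\")
    if len(parts) >= 4 and [p.lower() for p in parts[-3:]] == ["shell", "open", "command"]:
        return parts[-4].lower()
    return None


def find_hijacked_handlers(reg_text: str) -> List[Tuple[str, str]]:
    """(key path, current command) for every exe/com/bat/cmd open handler
    whose default value is not the stock "%1" %*."""
    findings = []
    for keypath, values in parse_reg(reg_text).items():
        if handler_class(keypath) in HANDLER_CLASSES:
            command = values.get("@", "").strip()
            if command != EXPECTED:
                findings.append((keypath, command))
    return findings


def repair_reg(findings: List[Tuple[str, str]]) -> str:
    """A .reg file restoring the stock command for each flagged key
    (import with `reg import fix.reg` if the regedit window keeps closing)."""
    lines = ["Windows Registry Editor Version 5.00", ""]
    for keypath, _ in findings:
        lines += [f"[{keypath}]", '@="\\"%1\\" %*"', ""]
    return "\r\n".join(lines)


if __name__ == "__main__":
    found = find_hijacked_handlers(REG_SAMPLE)
    for keypath, command in found:
        print(f"HIJACKED {keypath}\n    current:  {command}\n    expected: {EXPECTED}")
    if found:
        print("\n--- fix.reg ---\n" + repair_reg(found))
```

Export with `reg export HKCR\exefile exefile.reg` (reg.exe ships with XP), repeat for comfile, batfile and cmdfile, and also export HKEY_CURRENT_USER\Software\Classes, since per-user classes there take precedence over the machine-wide ones. Run the check on another machine, then import the generated fix with `reg import fix.reg`, which sidesteps the regedit window being killed. If the malware is still running it will simply put its value back, so this belongs after the process has been stopped (or from Safe Mode), as the Kaspersky instructions bayoab linked describe.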
Old 2008-05-05, 00:08   Link #10
sezen_atacan
Senior Member
 
Join Date: Feb 2007
Thanks Ledgem and bayoab, looks like I have managed to suppress the problem... for now, at least. Computer resources are back to normal with no "suspicious" traffic.

However, I am still a bit uncertain as to whether or not to use this current "stable" status to make a "ghost-backup" yet.

Oh, also, there is a "dwnld" aka some download folder in system32/drivers with a whole bunch of numbered exclusive exe files. Currently inactive. Leave it alone? Some people mentioned getting rid of some folders in whole, but I think that is kinda blanket overkill.

Being a bit paranoid... will they come back in my sleep while I get a few subs overnight here?
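The OP's question in post #10 about the numbered .exe files in system32\drivers\dwnld (leave them alone, or delete the folder wholesale?) has a middle path: inventory them first. This added example, not code from the thread, records name, size and SHA-256 for each file, checks whether each one actually carries a PE header, and diffs two inventories so that the same run later answers the "will they come back in my sleep" question by content hash rather than by filename. The sample folder is constructed in a temp directory; nothing here touches the real path.

```python
"""Inventory a suspicious folder without deleting anything.

Added illustration for this thread, not code posted in it. The poster found a
folder of numbered .exe files under system32\\drivers and asked whether to
leave it alone. This records name, size, SHA-256 and whether each file really
is a PE executable, so the list can be submitted to a scanner and compared
later to see whether the files came back. The sample directory is constructed.
"""
import hashlib
import os
import re
import tempfile
from typing import Dict, List


def is_pe(data: bytes) -> bool:
    """True if the bytes start with a DOS 'MZ' header whose e_lfanew field
    (offset 0x3C) points at a 'PE\\0\\0' signature."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = int.from_bytes(data[0x3C:0x40], "little")
    return data[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def inventory(folder: str) -> List[Dict]:
    records = []
    for name in sorted(os.listdir(folder)):
        path = os.path.join(folder, name)
        if not os.path.isfile(path):
            continue
        with open(path, "rb") as fh:
            data = fh.read()
        stem, ext = os.path.splitext(name)
        records.append({
            "name": name,
            "size": len(data),
            "sha256": hashlib.sha256(data).hexdigest(),
            "is_pe": is_pe(data),
            # 1.exe, 2.exe, ...: the numbered-file pattern the poster describes
            "numbered": bool(re.fullmatch(r"\d+", stem)),
            # an .exe that is not a PE, or a PE without the extension, deserves a look
            "ext_mismatch": (ext.lower() == ".exe") != is_pe(data),
        })
    return records


def compare(before: List[Dict], after: List[Dict]) -> Dict[str, List[str]]:
    """Diff two inventories by content hash, so a renamed copy still counts
    as the same file: what is unchanged, what is new, what is gone."""
    old = {r["sha256"]: r["name"] for r in before}
    new = {r["sha256"]: r["name"] for r in after}
    return {
        "unchanged": sorted(new[h] for h in new.keys() & old.keys()),
        "new": sorted(new[h] for h in new.keys() - old.keys()),
        "gone": sorted(old[h] for h in old.keys() - new.keys()),
    }


def build_sample_dir() -> str:
    """Constructed stand-in for the 'dwnld' folder: two tiny PE-shaped stubs
    and one text file that merely carries an .exe name."""
    folder = tempfile.mkdtemp(prefix="dwnld_sample_")
    stub = bytearray(0x48)
    stub[0:2] = b"MZ"
    stub[0x3C:0x40] = (0x40).to_bytes(4, "little")   # e_lfanew -> 0x40
    stub[0x40:0x44] = b"PE\0\0"
    with open(os.path.join(folder, "1.exe"), "wb") as fh:
        fh.write(bytes(stub) + b"\x01")
    with open(os.path.join(folder, "2.exe"), "wb") as fh:
        fh.write(bytes(stub) + b"\x02")
    with open(os.path.join(folder, "readme.exe"), "wb") as fh:
        fh.write(b"this is not a program\r\n")
    return folder


if __name__ == "__main__":
    folder = build_sample_dir()
    for r in inventory(folder):
        flags = " ".join(k for k in ("numbered", "ext_mismatch") if r[k])
        print(f"{r['name']:<12} {r['size']:>6} B  pe={str(r['is_pe']):<5} "
              f"{r['sha256'][:16]}...  {flags}")
```

The hashes are what to hand to the online scanners bayoab mentions, and a saved inventory taken now, compared against one taken after the overnight download session, shows whether anything reappeared even under a different name. Two limits: the PE check only says a file is a Windows executable, not that it is malicious, and a rootkit that hides files from directory listings hides them from `os.listdir` too, so a listing that looks stable from inside the infected system should be confirmed from a boot CD or another machine reading the disk.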
Old 2008-05-05, 00:22   Link #11
Ledgem
Love Yourself
 
 
Join Date: Mar 2003
Location: Northeast USA
Age: 28
Get a firewall to help make sure that it won't happen. Even if you have a virus on your system, if it can't connect to the internet to download other malware or receive instructions for what to do, it's essentially quarantined and out of commission. Still, be extra vigilant and watch over your system to ensure that no weird behavior starts up again.
Tags
computer security, malware
