I found a related topic on the What the Tech forums.
http://forums.whatthetech.com/Someonething…ml&hl=srosa
It may be the same as my problem. The tool mentioned in the article, Blacklight, is no longer available, but the company has a dozen or so FREE special-purpose disinfecting tools. Time to make the donuts… errrr…. bagels.[/i]
Update 12/3/2007:
Got it! With a couple of utilities and a brief foray into the frightening forest of “safe mode.” Why do they call it safe mode when you can do so much damage from there?
Please, folks, I’m just messing around here. DON’T DO WHAT I DID TO FIX YOUR PROBLEM!!! I’m an old lady who does regular backups and I often screw things up bad enough that I have to reformat. One thing about having two hard drives is that your data is (usually) safe from your tender ministrations.
So.
This thing seems to have been a Bagel variant. The gist of it is that it runs as a driver. An “intercept directory listings and delete anti-virus files” sort of a driver. Regular spyware cleaners don’t even look at drivers. So [i]that’s[/i] what a rootkit is! Now things are starting to make sense. HJT didn’t list this bug.
Bagel hid its files well. Once I ran something to detect rootkits, I had something to work with – filenames and registry entries. I couldn’t find anything to clean it automatically, but as I said, I’m not afraid to reformat. In a DOS command shell “dir sr*” listed the file srosa.sys. No other way of listing the directory could see it. Not “dir,” not “dir s*.” I couldn’t list hidr.wtfever it was called, but when I tried to delete it the error message indicated that the file was indeed there but couldn’t be deleted. Safe mode it is. I deleted the files, modified the registry, and sacrificed a small animal to the ‘Net God in hopes that my laptop would reboot after what I did. Hey, stuff happens.
So after all that garbage, my laptop is no longer going out to sites in Eastern Bloc countries looking for… trouble. My hope is that I didn’t delete some driver that, say, enables me to play movies or burn mp3 CDs for the car. That remains to be seen.
However, there is an entry left in the registry called LEGACY_SROSA. Since it doesn’t expressly list the path of “srosa” I’m not sure whether to delete it.
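The behaviour described above (a driver service whose file can be opened by name but does not appear in a directory listing) is the classic signature a cross-view check looks for: compare what the registry says should exist with what the filesystem enumeration shows. The PowerShell script below is an added example written for this page, not a tool from the original post or from any vendor. It assumes the standard Windows layout, the usual HKLM\SYSTEM\CurrentControlSet\Services key, service Type values 1 (kernel driver) and 2 (file system driver), and the LEGACY_<NAME> naming convention under Enum\Root. Run it from an elevated prompt; the function names and the hypothetical output columns are my own.

```powershell
# Added example (not from the original post): cross-view check of driver
# services against the filesystem. A rootkit that filters directory listings
# leaves a registry service entry whose driver file can be opened by name
# but is missing from Get-ChildItem's listing of its own directory.
# Assumptions: standard Windows paths; Type 1/2 = kernel / file-system driver.

$ServicesKey = 'HKLM:\SYSTEM\CurrentControlSet\Services'
$LegacyRoot  = 'HKLM:\SYSTEM\CurrentControlSet\Enum\Root'
$WinDir      = $env:SystemRoot
$DirCache    = @{}   # directory -> array of names returned by enumeration

function Resolve-ImagePath {
    # Normalise the NT-style prefixes ImagePath values commonly carry.
    param([string]$Raw)
    $p = $Raw.Trim('"')
    if ($p -like '\??\*')         { $p = $p.Substring(4) }
    if ($p -like '\SystemRoot\*') { $p = Join-Path $WinDir $p.Substring(12) }
    elseif ($p -notmatch '^[A-Za-z]:\\') { $p = Join-Path $WinDir $p }  # e.g. system32\drivers\x.sys
    return $p
}

function Test-InListing {
    # True if the file's name shows up when its parent directory is enumerated
    # (the view a filtering rootkit tampers with). -Force includes hidden/system.
    param([string]$Path)
    $dir  = Split-Path -Path $Path -Parent
    $name = Split-Path -Path $Path -Leaf
    if (-not $DirCache.ContainsKey($dir)) {
        $DirCache[$dir] = @(Get-ChildItem -LiteralPath $dir -Force -ErrorAction SilentlyContinue |
                            Select-Object -ExpandProperty Name)
    }
    return ($DirCache[$dir] -contains $name)
}

function Get-DriverCrossView {
    foreach ($key in Get-ChildItem -Path $ServicesKey) {
        $props = Get-ItemProperty -Path $key.PSPath
        if ($props.Type -notin 1, 2 -or -not $props.ImagePath) { continue }
        $path = Resolve-ImagePath $props.ImagePath
        $openable = Test-Path -LiteralPath $path      # open-by-name view
        $listed   = Test-InListing $path              # directory-enumeration view
        $verdict  = if ($openable -and -not $listed) { 'HIDDEN FROM LISTING' }
                    elseif (-not $openable)          { 'file missing (stale entry?)' }
                    else                             { 'ok' }
        [pscustomobject]@{
            Service   = $key.PSChildName
            Start     = $props.Start                  # 0 boot,1 system,2 auto,3 manual,4 disabled
            ImagePath = $path
            Openable  = $openable
            Listed    = $listed
            # Leftover Enum\Root\LEGACY_* key for this service name, like the
            # LEGACY_SROSA entry mentioned in the post.
            LegacyKey = Test-Path -Path (Join-Path $LegacyRoot ('LEGACY_' + $key.PSChildName.ToUpper()))
            Verdict   = $verdict
        }
    }
}

# Show anything that is not plain 'ok'; the HIDDEN FROM LISTING rows are the
# ones worth investigating before touching the registry.
Get-DriverCrossView | Where-Object { $_.Verdict -ne 'ok' } | Format-Table -AutoSize
```

Two caveats on reading the output: a "file missing" row is usually just a stale service entry from an uninstalled product, not malware, and a kernel-resident rootkit can in principle also lie to `Test-Path`, so a clean result here is not proof of a clean machine; booting from known-good media and comparing listings is the stronger version of the same cross-view idea.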