Hidden Driver Threat.


8 replies to this topic

#1 zyrolasting

zyrolasting

  • Members
  • 45 posts

Posted 14 May 2008 - 10:28 PM

XP Pro SP3

I'm new, please inform me if I'm missing anything.
A Google search had NO results on a driver AVG 8 warned me of. The file is called a91p9ag1.sys
Naturally I'm at a loss of ideas. I would lock it in the Virus Vault but I'm not sure what damage (or help) that could cause.
I'm looking around this site to see if I can submit it, but does anyone have an idea of what it can be?

As for my current status, my PC is suffering internet slowdown (Link scanner and Surf-Shield disabled, but still no gain).
My COMODO firewall is not noting any active connections except firefox, where I am typing this post.
The only odd behavior is a freeze requiring forced system shutdown on a full screen app, (Metal Gear Solid 2) and a "hall of mirrors" in Maya 8.5 Unl.
I doubt the seriousness to these since they are a little specific.

Overall AVG reported 207 Warnings, but 206 are killbits by Spybot and SpywareBlaster, locked file reports of clearly safe files, and a suspected false positive under HKLM\SOFTWARE\Classes\MayaAscii listed as Adware.CommonName. Seems obviously related to my 3D modeler Maya.

My primary concern is again a91p9ag1.sys
Info would be greatly appreciated, especially quick info.

EDIT:

I was about to shut down and do scans in safe mode. A Notification told me to click "Turn off" to install important updates. I am turning off without doing so, but I thought this would be important to mention.

Edited by zyrolasting, 14 May 2008 - 10:42 PM.


#2 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 31,993 posts
  • Gender:Male
  • Location:Virginia, USA

Posted 15 May 2008 - 12:15 PM

Are you using Daemon Tools? It uses rootkit-like techniques to hide from other applications and to circumvent copy protection schemes. Some of its files often lead to false reports by antivirus or ARK software. These are some examples I have seen.

%System%\Drivers\aipoo3sv.sys
%System%\Drivers\a8gmqt1g.sys
%System%\Drivers\a17bv1ll.sys
%System%\Drivers\a6coz31f.sys
%System%\Drivers\a8w1z6pv.sys
%System%\Drivers\ajmgz8bs.sys
%System%\Drivers\avq9mqqi.sys
%System%\Drivers\a5kvtrfn.sys

It uses semi random names but always with a*******.sys and is 8 characters long (combination of letters/numbers). I have read that the name changing routine may be due to the fact that Daemon Tools is sometimes used to circumvent anti-piracy measures in games so the player does not have to keep swapping out CDs. Thus, the name change may be an attempt to stop the anti-piracy systems detecting its presence.
Microsoft MVP - Consumer Security 2007-2014

Member of UNITE, Unified Network of Instructors and Trusted Eliminators

#3 zyrolasting

zyrolasting
  • Topic Starter

  • Members
  • 45 posts

Posted 15 May 2008 - 01:30 PM

Well, yes I am using it. That's a relief then.
I have a new inquiry, I looked in my services tool and I found this entry.

##Id_String2.6844F930_1628_4223_B5CC_5BB94B879762##

The description of the service is identical, no clarity to its purpose.
Would whatever this is linked to be following a similar procedure to function?
...By chance, would it be Daemon Tools again?

Edited by zyrolasting, 15 May 2008 - 01:30 PM.


#4 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 31,993 posts
  • Gender:Male
  • Location:Virginia, USA

Posted 15 May 2008 - 01:39 PM

The string appears to be related to the Bonjour Service used by Adobe Version Cue CS3
C:\Program\bonjour\mdnsresponder.exe

http://www.google.com/search?hl=en&q=I...G=Google+Search
Microsoft MVP - Consumer Security 2007-2014

Member of UNITE, Unified Network of Instructors and Trusted Eliminators
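A triage script for the two questions raised in posts #2 and #3 above: which kernel drivers on the box match the a???????.sys naming pattern quietman7 lists, and which binary sits behind an opaque service display name such as ##Id_String2.6844F930_1628_4223_B5CC_5BB94B879762##. This is an added example, not code from the thread or from Daemon Tools. It assumes a Windows host with PowerShell 4 or later (for Get-FileHash) run from an elevated prompt; the sptd.sys check at the end rests on my own assumption that Daemon Tools' SPTD layer ships under that file name, which the thread does not state. The name pattern is only a lead: a renamed malicious driver can match it just as well, so the signature status, signer and hash are what settle the verdict.

```powershell
# Added triage script; this is not code from the thread. It assumes a Windows host with
# PowerShell 4 or later (Get-FileHash) run from an elevated prompt so that driver files
# and the Services registry hive are readable.

$servicesKey = 'HKLM:\SYSTEM\CurrentControlSet\Services'
$driverDir   = Join-Path $env:SystemRoot 'System32\drivers'

# One snapshot of every service and kernel-driver registration; both lookups search it.
$services = Get-ChildItem -Path $servicesKey |
    ForEach-Object { Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue }

# Turn the forms ImagePath takes (\??\C:\..., \SystemRoot\..., system32\drivers\x.sys,
# "C:\...\x.exe" args) into an absolute file path.
function Resolve-ImagePath {
    param([string]$ImagePath)
    if (-not $ImagePath) { return $null }
    $p = $ImagePath.Trim()
    if ($p -match '^"([^"]+)"') { $p = $Matches[1] }
    elseif ($p -match '^(.+?\.(exe|sys|dll))(\s|$)') { $p = $Matches[1] }
    $p = $p -replace '^\\\?\?\\', ''
    $p = $p -replace '^\\SystemRoot\\', "$env:SystemRoot\"
    if ($p -notmatch '^[A-Za-z]:\\') { $p = Join-Path $env:SystemRoot $p }
    return $p
}

# The facts that decide a verdict: does the file exist, who signed it, and its hash.
# The file name pattern alone proves nothing; a renamed driver can match it too.
function Get-BinaryFacts {
    param([string]$Path)
    if (-not $Path -or -not (Test-Path -LiteralPath $Path)) {
        return [pscustomobject]@{ Path = $Path; Exists = $false; Modified = $null
                                  SigStatus = $null; Signer = $null; SHA256 = $null }
    }
    $item   = Get-Item -LiteralPath $Path
    $sig    = Get-AuthenticodeSignature -LiteralPath $Path
    $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '(unsigned)' }
    [pscustomobject]@{
        Path      = $Path
        Exists    = $true
        Modified  = $item.LastWriteTime
        SigStatus = $sig.Status
        Signer    = $signer
        SHA256    = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
    }
}

# Case 1: driver files shaped like the a???????.sys names in quietman7's list
# (8 characters, leading 'a', letters and digits), plus the service that loads each one.
$pattern = '^a[a-z0-9]{7}\.sys$'
Get-ChildItem -Path $driverDir -Filter 'a*.sys' |
    Where-Object { $_.Name -match $pattern } |
    ForEach-Object {
        $file  = $_
        $svc   = $services | Where-Object {
            $_.ImagePath -and ((Resolve-ImagePath $_.ImagePath) -ieq $file.FullName)
        } | Select-Object -First 1
        $facts   = Get-BinaryFacts -Path $file.FullName
        $svcName = if ($svc) { $svc.PSChildName } else { '(no service references this file)' }
        [pscustomobject]@{
            File      = $file.Name
            Service   = $svcName
            Start     = $svc.Start          # 0 boot, 1 system, 2 auto, 3 manual, 4 disabled
            SigStatus = $facts.SigStatus
            Signer    = $facts.Signer
            SHA256    = $facts.SHA256
            Modified  = $facts.Modified
        }
    }

# Assumption, not stated in the thread: Daemon Tools' SPTD layer normally ships as
# sptd.sys in the same directory, so its absence makes the Daemon Tools explanation less likely.
"sptd.sys present: $(Test-Path -LiteralPath (Join-Path $driverDir 'sptd.sys'))"

# Case 2: a service whose display name is an unresolved resource string such as
# ##Id_String2.6844F930_1628_4223_B5CC_5BB94B879762## from post #3; services.msc shows
# the DisplayName value, the registry holds the ImagePath that names the real binary.
$services |
    Where-Object { $_.DisplayName -like '##Id_String*##' } |
    ForEach-Object {
        $facts = Get-BinaryFacts -Path (Resolve-ImagePath $_.ImagePath)
        [pscustomobject]@{
            Service     = $_.PSChildName
            DisplayName = $_.DisplayName
            Start       = $_.Start
            Binary      = $facts.Path
            Exists      = $facts.Exists
            SigStatus   = $facts.SigStatus
            Signer      = $facts.Signer
            SHA256      = $facts.SHA256
        }
    }
```

Run it as Administrator and pipe either stage into Format-List. A driver that matches the name pattern but has SigStatus NotSigned, no service referencing it, and a SHA256 that no vendor publishes deserves a sample submission rather than the "it's just Daemon Tools" verdict; the hash is also what you hand to the forum or the vendor instead of the file name.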

#5 DaChew

DaChew

    Visiting Alien


  • BC Advisor
  • 10,317 posts
  • Gender:Male
  • Location:millenium falcon and rockytop

Posted 15 May 2008 - 03:07 PM

as a footnote on virtual drives and rootkit like behavior, be ready to reload core files periodically

the different game softwares load rootkits, so it becomes a question of which one is going to corrupt the kernel and shell first

:thumbsup:

Edited by DaChew, 15 May 2008 - 03:07 PM.

Chewy

No. Try not. Do... or do not. There is no try.

#6 zyrolasting

zyrolasting
  • Topic Starter

  • Members
  • 45 posts

Posted 15 May 2008 - 03:45 PM

I'm not sure what you mean, Chew.
And thank you for all the help, quiet!

Edited by zyrolasting, 15 May 2008 - 03:45 PM.


#7 DaChew

DaChew

    Visiting Alien


  • BC Advisor
  • 10,317 posts
  • Gender:Male
  • Location:millenium falcon and rockytop

Posted 15 May 2008 - 04:02 PM

I'm not sure what you mean, Chew


I am a beta tester for a program called Imgburn and troubleshoot a lot of dvd burning problems in several forums

In one case I saw the system bus driver for SPTI corrupted by daemon tools to the point it needed to be reinstalled to get dvd/cd burning working again.

Imgburn is just about the safest bulletproof program out there.

the bottom line:

if you play with fire you get burned with it

Edited by DaChew, 15 May 2008 - 04:06 PM.

Chewy

No. Try not. Do... or do not. There is no try.

#8 zyrolasting

zyrolasting
  • Topic Starter

  • Members
  • 45 posts

Posted 15 May 2008 - 06:45 PM

So let me get this straight, you are mentioning a program I have never heard of before and obviously plan to never use,
or if you are referring to a forum called imgburn I have been there and viewed the topic #4107.

My burns and other hardware CD functions have not been hindered, and are working fine.
Nothing is wrong there, nor has it been wrong. My only issue was trying to figure out what something was.
It was answered, and if I have an issue I know what to get rid of.
I also possess external copies of PowerISO, MagicISO on other discs.
I just enjoy DT for the fact it can emulate more clearly than the programs above.
Thanks for enough info to be cautious, but...
What "fire" am I playing with?

Please be more specific on what gets me "burned" or what can be too much "playing".

Edited by zyrolasting, 15 May 2008 - 06:46 PM.


#9 DaChew

DaChew

    Visiting Alien


  • BC Advisor
  • 10,317 posts
  • Gender:Male
  • Location:millenium falcon and rockytop

Posted 15 May 2008 - 10:43 PM

Imgburn uses SPTI to burn/read with, as do newer versions of Nero; it's the native system bus in Windows since W2k.

SPTI - Scsi Pass-Through Interface


It's replaced ASPI.
Chewy

No. Try not. Do... or do not. There is no try.
