
Avg Anti-rootkit


6 replies to this topic

#1 swas


Posted 11 February 2008 - 02:51 PM

Hi everyone. Today during a routine scan using AVG Anti-Rootkit, two hidden drivers were found:

C:\Windows\System32\Drivers\ag21pnoy.SYS
C:\Windows\System32\Drivers\a4e2ttwi.SYS

I've been using AVG Anti-Rootkit since it came out, and this is the first thing it has ever detected. I haven't been able to find anything about these with Google. I was wondering if anyone has any idea what these are, and maybe what program they are associated with. I haven't installed any new software lately, but I'm not the only one who uses this computer. Thanks for any help.
How beautiful it is to do nothing, and then rest afterward


#2 quietman7


Posted 11 February 2008 - 03:14 PM

Not all hidden components detected by ARKs are malicious. It is normal for a firewall, some anti-virus and anti-malware software (ProcessGuard, Prevx1, AVG AS), sandboxes, virtual machines and Host-based Intrusion Prevention Systems (HIPS) to hook into the OS kernel/SSDT in order to protect your system.

Are you using Daemon Tools? It uses rootkit-like techniques to hide from other applications and to circumvent copy protection schemes. Some of its files often lead to false reports by antivirus or ARK software. These are some examples I have seen:

\SystemRoot\System32\Drivers\aipoo3sv.sys
\SystemRoot\System32\Drivers\a8gmqt1g.sys
\SystemRoot\System32\Drivers\a17bv1ll.sys
\SystemRoot\System32\Drivers\a6coz31f.sys
\SystemRoot\System32\Drivers\a8w1z6pv.sys
\SystemRoot\System32\Drivers\ajmgz8bs.sys
\SystemRoot\System32\Drivers\avq9mqqi.sys
\SystemRoot\System32\Drivers\a5kvtrfn.sys

It uses semi-random names, but always of the form a*******.sys: 8 characters long (a combination of letters/numbers).
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators
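The naming scheme quietman7 describes can be turned into a first-pass triage filter for an ARK report. This is an added example, not code from the thread or from AVG: it labels each hidden driver path as either fitting the a*******.sys pattern (so a Daemon Tools remnant is the likely explanation, still to be confirmed) or as unexplained and worth a closer look. The sample paths are the ones quoted in this thread plus two constructed non-matching names for contrast.

```python
import re
from typing import Dict, List

# Pattern quietman7 describes for Daemon Tools helper drivers: an 8-character
# name starting with "a" followed by seven letters/digits, then ".sys".
DAEMON_TOOLS_DRIVER = re.compile(r"^a[a-z0-9]{7}\.sys$", re.IGNORECASE)

# Constructed sample input: the two path styles seen in the thread (drive
# letter and \SystemRoot\ form), plus two names that do not fit the pattern.
# "ntfs.sys" is a normal Windows driver; "abcdefghij.sys" is an invented
# name that is too long to match.
ARK_FINDINGS: List[str] = [
    r"C:\Windows\System32\Drivers\ag21pnoy.SYS",
    r"C:\Windows\System32\Drivers\a4e2ttwi.SYS",
    r"\SystemRoot\System32\Drivers\aipoo3sv.sys",
    r"C:\Windows\System32\Drivers\ntfs.sys",
    r"C:\Windows\System32\Drivers\abcdefghij.sys",
]

LIKELY_DAEMON_TOOLS = "likely Daemon Tools remnant - verify before deleting"
UNEXPLAINED = "unexplained hidden driver - investigate"


def driver_name(path: str) -> str:
    """Return the file name component of a Windows path (either separator)."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1]


def matches_daemon_tools_pattern(path: str) -> bool:
    """True when the driver name fits the a*******.sys naming scheme."""
    return DAEMON_TOOLS_DRIVER.match(driver_name(path)) is not None


def triage(paths: List[str]) -> Dict[str, str]:
    """Label each hidden driver an ARK reported.

    The pattern only lowers the priority of a finding; whether the machine
    ever had Daemon Tools installed still has to be confirmed separately.
    """
    return {
        driver_name(p): (LIKELY_DAEMON_TOOLS if matches_daemon_tools_pattern(p)
                         else UNEXPLAINED)
        for p in paths
    }


if __name__ == "__main__":
    for name, verdict in triage(ARK_FINDINGS).items():
        print(f"{name:16} {verdict}")
```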

#3 swas


Posted 11 February 2008 - 03:23 PM

Hi quietman. Thank you for your very quick response. I believe at one time Daemon Tools was installed, but it has since been deleted. I assume these two are just a couple of orphan drivers left over, then. I didn't think I had any kind of malware, but it's always best to ask the pros. Would you think that AVG ARK could delete these, or should I try other steps to clean them off the computer? I did search for the files on the computer, but couldn't find them (because of the rootkit techniques?). Thanks again.

Edited by swas, 11 February 2008 - 03:26 PM.


#4 quietman7


Posted 11 February 2008 - 03:31 PM

I don't know if AVG ARK will be successful but since the program identified those entries, let it try to remove them.

#5 swas


Posted 11 February 2008 - 03:39 PM

I let AVG try to remove them, and rebooted. Scanned again, and nothing showed up. So I guess they're gone now. Thank you again for your help. :thumbsup:

#6 quietman7


Posted 11 February 2008 - 03:41 PM

You're welcome.

#7 swas


Posted 12 February 2008 - 07:24 PM

Hi quietman, sorry to bring this up again, but today these two files showed up again in the ARK scan. Is it okay just to leave them, or should I try something else to remove them?

Thanks
