Suspicious File in Ad-Aware

6 replies to this topic

#1 Katrex (Members, 44 posts)

Posted 12 February 2009 - 02:05 PM

I was doing some scans in safe mode, and Ad-Aware detected a suspicious file:

d3dramp.dll - Here is an image of the detection: Imageshack.

In two different locations.

Ad-aware does not seem to detect these files in normal mode.

I've tried searching Google but I can't find anything conclusive... can anyone help determine if these files are good or not?

I am using Windows Vista Home Premium, 64-bit Edition.


#2 quietman7, Bleepin' Janitor (Global Moderator, 50,964 posts, Virginia, USA)

Posted 12 February 2009 - 02:13 PM

d3dramp.dll

Determining whether a file is malware or a legitimate process sometimes depends on the location (path) it is running from. One of the ways that malware tries to hide is to give itself the same name as a critical system file. However, it then places itself in a different location on your computer.

Any time you come across a suspicious file about which you cannot find any information, a file that has a legitimate name but is not located where it is supposed to be, or you want a second opinion, submit it to Jotti's virusscan or VirusTotal. In the "File to upload & scan" box, browse to the location of the suspicious file and submit (upload) it for scanning/analysis.
-- Post back with the results of the file analysis.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click here.

#3 Katrex, Topic Starter (Members, 44 posts)

Posted 12 February 2009 - 02:36 PM

Both instances of the .dll (SysWoW64 path, and the winsxs path) come up clean on both of the websites you linked.

Edited by Katrex, 12 February 2009 - 02:37 PM.


#4 DaChew, Visiting Alien (BC Advisor, 10,317 posts, millenium falcon and rockytop)

Posted 12 February 2009 - 10:18 PM

Windows on Windows 64 and Windows Side by Side seem to cause a lot of false positives as programs develop to work with Vista 64-bit?

You are running that OS?
Chewy

No. Try not. Do... or do not. There is no try.

#5 Katrex, Topic Starter (Members, 44 posts)

Posted 12 February 2009 - 11:06 PM

Yes, 64-bit Vista Home Premium.

#6 DaChew, Visiting Alien (BC Advisor, 10,317 posts, millenium falcon and rockytop)

Posted 12 February 2009 - 11:30 PM

Files Infected:
C:\Windows\System32\regedit.exe (Trojan.Agent) -> No action taken.


Here's another one to look out for with x64 systems: regedit is not in that location, but when a 32-bit malware scanner looks there it thinks it is.

:thumbsup:

#7 quietman7, Bleepin' Janitor (Global Moderator, 50,964 posts, Virginia, USA)

Posted 13 February 2009 - 09:24 AM

Anti-malware scanners have problems enumerating the drivers and services on 64-bit machines.

WOW64 is the x86 emulator that allows 32-bit Windows-based applications to run on 64-bit Windows, but x86 applications are redirected to the x86 \syswow64 when seeking the x64 \system32.

Any time a 32-bit process attempts to access c:\windows\system32, the WoW64 layer redirects it into c:\windows\syswow64, which contains all of the 32-bit Windows binaries. This prevents a 32-bit process from trying to load a 64-bit binary. Any scripts or tools running in a 32-bit process that reference this directory will be automatically redirected to the syswow64 directory.

Making the Move to x64: File System Redirection

File System Redirection
Running 32-bit Applications
Windows x64 Watch List
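The redirection rules quietman7 describes above, as an added example that is not code from this thread, from Ad-Aware, or from Microsoft: a small Python model of WOW64 file-system redirection that takes the path a 32-bit process (such as a 32-bit scanner) asks for and returns where the file system actually sends it, so a detection like the regedit.exe line DaChew quoted can be translated to the real on-disk file before it is uploaded for a second opinion. It calls no Windows API and runs anywhere. Assumptions: the list of System32 subdirectories exempt from redirection, the Sysnative alias, and the regedit.exe special case are from Microsoft's "File System Redirector" documentation as I recall it and should be checked against the current docs for your Windows version; the sample report lines are constructed in the format quoted in the thread.

```python
"""Model of WOW64 file-system redirection (added example; not code from the thread or Microsoft).

Computes, for a path requested by a 32-bit process on 64-bit Windows, where the
file system actually opens it. No Windows API calls are made, so it runs anywhere.
"""
import ntpath
import re
from dataclasses import dataclass

WINDIR = r"C:\Windows"

# System32 subdirectories that WOW64 leaves alone. Assumption: taken from
# Microsoft's "File System Redirector" docs as recalled; confirm for your OS version.
NOT_REDIRECTED = ("catroot", "catroot2", "driverstore", "logfiles", "spool")

# One scanner report line, e.g. "C:\Windows\System32\regedit.exe (Trojan.Agent) -> No action taken."
DETECTION_RE = re.compile(r"^(?P<path>[A-Za-z]:\\[^()]*?)\s+\((?P<name>[^)]+)\)")


@dataclass(frozen=True)
class Resolution:
    requested: str    # path exactly as the process asked for it
    actual: str       # path the file system actually opens
    redirected: bool
    reason: str


def _under(path_lower: str, prefix_lower: str) -> bool:
    """True if the path is the prefix itself or lies below it (case-insensitive)."""
    return path_lower == prefix_lower or path_lower.startswith(prefix_lower + "\\")


def resolve_wow64_path(path: str, process_is_32bit: bool = True,
                       os_is_64bit: bool = True, windir: str = WINDIR) -> Resolution:
    """Where does `path` land when opened by this kind of process on this kind of OS?"""
    norm = ntpath.normpath(path)          # collapses ".." and turns "/" into "\"
    if not (process_is_32bit and os_is_64bit):
        return Resolution(path, norm, False, "native process: no WOW64 layer involved")

    low, wd = norm.lower(), windir.lower()
    sysnative, system32 = wd + r"\sysnative", wd + r"\system32"

    # Vista and later: the Sysnative alias lets a 32-bit process reach the real System32.
    if _under(low, sysnative):
        return Resolution(path, windir + r"\System32" + norm[len(sysnative):],
                          True, "Sysnative alias maps to the native System32")

    # Documented special case (assumption, see module docstring):
    # %windir%\regedit.exe is redirected to %windir%\SysWOW64\regedit.exe.
    if low == wd + r"\regedit.exe":
        return Resolution(path, windir + r"\SysWOW64\regedit.exe", True,
                          "regedit.exe is redirected to its 32-bit copy")

    if _under(low, system32):
        rest = norm[len(system32):]       # "" or "\sub\file"
        first = rest.lstrip("\\").split("\\", 1)[0].lower()
        if first in NOT_REDIRECTED:
            return Resolution(path, norm, False,
                              f"System32\\{first} is exempt from redirection")
        return Resolution(path, windir + r"\SysWOW64" + rest, True,
                          "32-bit process: System32 is redirected to SysWOW64")

    return Resolution(path, norm, False, "outside the redirected directories")


def translate_detections(report_lines, scanner_is_32bit: bool = True):
    """Map each '<path> (<name>) -> ...' report line to the file the scanner really read."""
    rows = []
    for line in report_lines:
        m = DETECTION_RE.match(line.strip())
        if not m:                         # skips headers such as "Files Infected:"
            continue
        res = resolve_wow64_path(m.group("path"), process_is_32bit=scanner_is_32bit)
        rows.append({"reported": res.requested, "actual": res.actual,
                     "detection": m.group("name"), "redirected": res.redirected})
    return rows


# Constructed sample report in the format quoted in the thread (not a real scan result).
SAMPLE_REPORT = [
    "Files Infected:",
    r"C:\Windows\System32\regedit.exe (Trojan.Agent) -> No action taken.",
    r"C:\Windows\System32\d3dramp.dll (Suspicious.File) -> No action taken.",
    r"C:\Windows\System32\spool\drivers\x64\3\sample.dll (Trojan.Agent) -> No action taken.",
]

if __name__ == "__main__":
    for row in translate_detections(SAMPLE_REPORT):
        flag = "REDIRECTED" if row["redirected"] else "as reported"
        print(f'{row["detection"]:16} {row["reported"]}')
        print(f'{"":16} -> {row["actual"]} ({flag})')
```

Run as a script it prints, for each detection, the path the 32-bit scanner reported beside the file it actually examined; `resolve_wow64_path(..., process_is_32bit=False)` shows the same paths as a native 64-bit tool would see them. The model only covers file-system redirection; the Wow6432Node registry redirection that 32-bit tools also experience is a separate mechanism and is not modelled here.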