
AVG Antirootkit keeps finding renamed .sys file after every reboot


9 replies to this topic

#1 Quasi5 (Members, 6 posts)

Posted 16 February 2009 - 04:34 PM

As far as I could tell, nothing was wrong with this computer. I'm having problems with my other computer (have run every program except ComboFix on it and so far it looks good again) and for giggles I ran AVG Antirootkit Free on this "uninfected" computer.

It found a hidden driver file: C:\WINDOWS\System32\Drivers\ay5s0cg8.sys.

I selected it to be removed and rebooted. I ran AVG ARK again and it again found another hidden driver file. This time named something completely different. It removed it and rebooted. I ran it again and another file popped up, named something else (is this the polymorphic I hear about?)

So I ran all the major AV software (CureIt, Kaspersky, Bitdefender) and finally found Win32.Virut.ce. But it was found in a Restore point directory...nothing active.

My computer runs XP Pro SP3, with 4 drives (1 OS / 3 RAID0).

I have current logs from RSIT, GMER, DRWeb, SDFix if you want me to post them.

Thank you!

Edited by Quasi5, 16 February 2009 - 04:35 PM.



#2 Quasi5 (Topic Starter)

Posted 16 February 2009 - 10:38 PM

After doing many, many searches and reading I ran across this regarding my randomly named hidden driver:

I'm working in a company that develops OSAM.

If you have an sptd.sys driver (the driver of a CD/DVD emulator; installed with Alcohol 120%, Daemon Tools and some others), then your randomly named hidden driver ("aa9ak670.sys") is not malicious and is not a rootkit (it just uses rootkit technologies) -- it's a part of sptd.sys. This behavior (hiding a dropped driver and killing the body of the driver) was made by the authors of SPTD to defeat CD-copy protectors, which try to detect CD-emulator software and prevent it from working.


I have Alcohol120 running so I can relax a little with that knowledge. I'm still curious about this SSDT entry from Gmer, though.

SSDT - spxs.sys - ZwEnumerateKey [0xB9EC6CA2]
SSDT - spxs.sys - ZwEnumerateValueKey [0XB9EC7030]

Each time I run GMER, the "spxs.sys" is a different file name (i.e. spis.sys, spys.sys, spie.sys, etc.). Does anyone know if this is also related to Alcohol 120%? I disabled the virtual drives but still get the rootkit activity and the randomly named sp**.sys file.

#3 Quasi5 (Topic Starter)

Posted 16 February 2009 - 11:37 PM

Just to satisfy curiosity, I uninstalled Alcohol 120% and rebooted. I ran GMER again and it still showed the SSDT - sp**.sys (** = random letters) entries. I did a little more searching and found someone else with the same issue on the Malwarebytes forum (topic 9419).

Instead of running through the custom script as advised by his assigned guru, the guy just deleted his "spdt.sys" file and this issue went away.

So...that's what I did as well. I renamed it zzz***.***zzz and it no longer shows up when I run GMER. I checked my other computers and none of them appear to have the "spdt.sys" file installed (717,296 bytes).

Ya got me....pretty much 1 day and 2 nights of doing nothing but running AV and malware scanners just to figure out I still can't figure it out. Ugh. I really should be outside...not locked up with obsessive curiosity about what is going on with my computers...lol.

If any experts see this and can share any info about it I would really be thankful for it. Have fun!

#4 thesexiestguy (Members, 3 posts)

Posted 28 March 2009 - 10:47 PM

Quasi5,
I have been experiencing this phenomenon for quite a time, like in terms of years.
Recently, I had a lot of BSODs and explorer crashes, and my network driver keeps getting uninstalled automatically.
So I ran a lot of antivirus, antispyware, malware removers etc.
As of posting this, I am using ESET Smart Security 4,
Malwarebytes' Anti-Malware,
ZoneAlarm Firewall.
Found a lot of malware and quarantined it.
But explorer still keeps getting killed from time to time.
The problem is, after I run Autoruns from Sysinternals,
I always find 2 randomly named .sys files in the Drivers section of Autoruns.
It seems like the names of both files always start with 'a', followed by 8 random characters.
Like I said, I have been seeing this phenomenon for some years.
I just formatted my HDD and reinstalled Windows whenever I saw this before.
But this time, I thought it must be a real badass rootkit and ran F-Secure BlackLight, IceSword, GMER, RootRepeal, even ComboFix,
after much research and reading through a lot of forum posts all over the net.
GMER showed these randomly named files but didn't give me an alert.
BlackLight didn't show anything.
ComboFix fixed some of my files but not the named files.
Then when I ran IceSword, in the SSDT section, a lot of entries are in red and one of them is the file you mentioned, ssXX.sys.
The XX part keeps changing after each reboot.
There is another fishy entry in the SSDT section: an Unknown entry keeps working in the SSDT section.
The rest of the SSDT entries are OK.
I searched for that ssXX.sys in Autoruns, but can't find it.
Can't find all those mentioned .sys files in system32\drivers even though they are listed as existing in that folder in Autoruns.
RootRepeal also showed the same ssXX.sys file entries.
I also have both Alcohol 120% and Daemon Tools installed on my box.
And whenever I tried to get into safe mode, I was asked 'Press any key to stop loading sptd.sys'.
I don't know if it's relevant or not though.
One last thing is, in Process Explorer from Sysinternals, when I checked the explorer entry, it seems like it was started by imapi.exe. So I killed explorer from Task Manager, and I found that it was restarted by imapi.exe, and
also in IceSword, I found that in the process creation section, there were some entries about imapi.exe.
I am just a user. Not a technician.
So, I can't fully comprehend the significance of my findings.
Like you, I have the logs from different anti-rootkit products.
One real last thing is, whenever I installed SuperAntiSpyware, it installed all right, but then it can't update and, worse,
after the reboot required by the installation, I lost my network drivers somehow.
It seems to be a DNS problem; in the network icon - status - connection status tab, everything is blank,
and when I clicked repair, it showed "TCP/IP settings cannot be retrieved" or something like that.
Strangely, if I uninstall SuperAntiSpyware, everything goes back to normal.
By now, explorer seems more stable than before, rarely crashing, but it still happens.
I hope that it's just a hardware issue rather than any trojan, virus or rootkit, because in the Event Viewer page,
I have a lot of IPNAT errors.
Anyway, I searched all through the internet and found only you have similar problems.
I also found that entry you talked about from a guy at OSAM during my research.
But as I was more afraid of rootkits back then, I didn't take it seriously.
Now, the only seeming problems apparent to me are these driver .sys files,
I will rename that sptd.sys now.
And hopefully, I can come back and post the results.
Please keep your fingers crossed for me.
Thanks for your kind efforts to present your findings.

#5 thesexiestguy

Posted 28 March 2009 - 11:16 PM

I am back reporting the findings.
Well, the randomly named files are gone in Autoruns,
and in IceSword, there are no ssXX.sys activities anymore.
So it seems like the rootkit-like activity is by sptd.sys.
Now the bad news is, I can no longer run Alcohol 120% and Daemon Tools anymore.
Both of them showed "sptd driver cannot be loaded".
So back to square one, and I have to rename that offending sptd.sys back.
My explorer just crashed.
So, there might be some problem that still persists somehow.
And the IceSword SSDT still shows activities by an unknown process.
Might be a rootkit, virus or trojan.
But now the recurring random drivers problem is solved.
In one way, I learnt something out of all this, even though at the price of 3 days doing nothing but running scans...
Well, I hope this can help some sleepless soul out there who keeps wondering where these randomly named files keep coming from.
(I mean only this specific random style conforming to what we both experienced; the rest is most likely malware.)
On my way to solve the remaining problem of unknown process activities in the IceSword SSDT section...
PS: I nearly forgot to mention that the randomly named .sys files in Autoruns have a description of "IDE/ATAPI port driver" with a publisher of Microsoft. So, they really, really seem legit.
Hoping this information might help somebody out there...
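The two observations the posters in #2 and #4/#5 made by hand (GMER listing ZwEnumerateKey/ZwEnumerateValueKey hooks under an sp??.sys name, and Autoruns listing a??????? .sys drivers that a plain directory listing does not show) can be scripted as a triage aid. The following is an added example written for this page, not code from any of the posters or from the OSAM, GMER or AVG projects. It parses GMER-style SSDT lines in the format quoted in post #2, and classifies each hooking module. The "likely-sptd" verdict is an assumption taken from the thread's own output: an sp??.sys module whose only hooks are the two registry enumeration functions, on a box where sptd.sys is installed. Everything else with a random-style name, or an unknown module, is flagged for escalation. The log lines and driver listings are constructed for the demo; the hypothetical helper names (parse_ssdt_hooks, classify_hooks, phantom_drivers) are mine.

```python
import re
from dataclasses import dataclass

# Constructed GMER-style SSDT lines, modelled on the format quoted in post #2
# (not a real capture from any poster's machine).
SAMPLE_GMER_LOG = """\
SSDT - spxs.sys - ZwEnumerateKey [0xB9EC6CA2]
SSDT - spxs.sys - ZwEnumerateValueKey [0XB9EC7030]
SSDT - klif.sys - ZwCreateKey [0xF7A12B10]
SSDT - xyzzy.sys - ZwOpenProcess [0xF7B00000]
"""

# One GMER SSDT line: "SSDT - <module> - <Zw function> [<hex address>]"
SSDT_LINE = re.compile(
    r"^SSDT\s+-\s+(?P<module>\S+)\s+-\s+(?P<func>Zw\w+)\s+\[(?P<addr>0[xX][0-9A-Fa-f]+)\]"
)

# Name shapes reported in the thread: "sp" + two random characters in GMER's
# SSDT column, and "a" + seven random characters for the dropped driver files.
SPTD_SSDT_NAME = re.compile(r"^sp[a-z0-9]{2}\.sys$", re.I)
SPTD_DROPPED_NAME = re.compile(r"^a[a-z0-9]{7}\.sys$", re.I)

# The two hooks the thread's GMER output attributes to the SPTD module
# (an assumption drawn from post #2, not an SPTD specification).
SPTD_HOOKED_FUNCS = {"ZwEnumerateKey", "ZwEnumerateValueKey"}


@dataclass(frozen=True)
class Hook:
    module: str
    func: str
    addr: int


def parse_ssdt_hooks(log_text):
    """Extract (module, function, address) triples from GMER-style SSDT lines."""
    hooks = []
    for line in log_text.splitlines():
        m = SSDT_LINE.match(line.strip())
        if m:
            hooks.append(Hook(m.group("module"), m.group("func"), int(m.group("addr"), 16)))
    return hooks


def classify_hooks(hooks, installed_drivers):
    """Map each hooking module to a triage verdict.

    installed_drivers: file names the analyst collected from system32\\drivers
    (constructed in the usage below). 'likely-sptd' needs all three conditions
    the thread describes: sp??.sys name, only the two registry enumeration
    hooks, and sptd.sys actually present on the box.
    """
    installed = {d.lower() for d in installed_drivers}
    sptd_present = "sptd.sys" in installed
    funcs_by_module = {}
    for h in hooks:
        funcs_by_module.setdefault(h.module, set()).add(h.func)

    verdicts = {}
    for module, funcs in funcs_by_module.items():
        name = module.lower()
        # sptd.sys itself happens to fit the sp??.sys shape; exclude it explicitly.
        random_style = name != "sptd.sys" and (
            SPTD_SSDT_NAME.match(name) or SPTD_DROPPED_NAME.match(name))
        if random_style and sptd_present and funcs <= SPTD_HOOKED_FUNCS:
            verdicts[module] = "likely-sptd"
        elif random_style:
            verdicts[module] = "random-name-without-sptd: escalate"
        elif name in installed:
            verdicts[module] = "known-driver"
        else:
            verdicts[module] = "unknown-module: escalate"
    return verdicts


def phantom_drivers(reported, on_disk):
    """Driver names a tool reports (Autoruns, AVG ARK) that a plain directory
    listing of system32\\drivers does not show: the cross-view discrepancy
    post #4 describes. Returned sorted and lower-cased."""
    disk = {d.lower() for d in on_disk}
    return sorted({r.lower() for r in reported} - disk)


if __name__ == "__main__":
    # Constructed driver listings for the demo; ay5s0cg8.sys is the name from post #1.
    on_disk = ["sptd.sys", "klif.sys", "atapi.sys"]
    reported_by_tool = ["atapi.sys", "ay5s0cg8.sys", "klif.sys"]
    for module, verdict in classify_hooks(parse_ssdt_hooks(SAMPLE_GMER_LOG), on_disk).items():
        print(f"{module:12} {verdict}")
    print("phantom:", phantom_drivers(reported_by_tool, on_disk))
```

Run it as-is to see the constructed case; on a real box, paste GMER's SSDT lines into SAMPLE_GMER_LOG and feed a `dir` of system32\drivers to both functions. The point of the third condition in classify_hooks is the one post #5 makes: the same random-name shape without sptd.sys on the box, or with hooks beyond the two enumeration functions, is exactly the case that should not be written off as the CD emulator.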

#6 DaChew (BC Advisor, 10,317 posts)

Posted 28 March 2009 - 11:31 PM

It's a have-your-cake-and-eat-it-too problem: just like rootkits, the design is to fool Windows. An analogy would be the filter driver problem with CD/DVD apps and the system bus. You keep adding these kernel-hooking low-level drivers and you end up with a game of Chinese whispers.

http://en.wikipedia.org/wiki/Chinese_whispers

Sooner or later all these drivers become corrupted.
Chewy

No. Try not. Do... or do not. There is no try.

#7 thesexiestguy

Posted 28 March 2009 - 11:43 PM

Nicely put.
To err is human, and I'm only human...
Though, I appreciate your kind response.

#8 DaChew (BC Advisor)

Posted 29 March 2009 - 12:05 AM

I tested Daemon Tools 3 years ago for some support work I do in a DVD burning forum I moderate. I am still hunting down the remnants.
Chewy

No. Try not. Do... or do not. There is no try.

#9 gts77 (Members, 3 posts)

Posted 02 August 2009 - 11:02 AM

I am confused by the legitimacy of sptd.sys. I seem to have no application that could be using this file. I do not have Daemon Tools or Alcohol. I am unable to delete the sptd.sys - cannot rename it since it shows as being in use. Cannot edit or delete the registry setting that corresponds to this driver - it says access denied to edit or even view permissions. Tried even running regedit as a SYSTEM process; even that failed.

I think even antivirus would not be able to scan this file since it is locked up - I cannot even copy the file to scan it. I am also looking for any answer to this.

#10 paulg1971 (Members, 1 post)

Posted 23 November 2009 - 04:10 AM

Hi everyone!

I too have wasted a whole weekend throwing every anti-rootkit and 30-day full trial of all the big AV software at this. Only AVG Anti-Rootkit shows a random a***.sys on every boot. In my case both computers (1 media centre and 1 music PC) are 'infected'.

Something interesting - I have a dual boot of W7 beta and my main Vista. In W7 the scan is clear (as it's not really used) - but removing the a***.sys with AVG Anti-Rootkit and then re-booting into W7 and scanning Vista from there shows clear, so this a***.sys seems to 're-install' on boot.

I also have used Daemon Tools Lite recently on both PCs, so I think I'll re-install this and Alcohol 120% and then, using an uninstaller (e.g. Your Uninstaller), I'll remove them and re-scan (I need to sort this before I get divorced!). I can also remove 'spdt.sys' from my W7 side and I'll try that tonight!

I've always been a NOD32 fan as it's lightweight and written in machine code, not in BASIC!

Any views anyone? Please post....

Thanks,
Paul.
