hidden drivers



#1 namsilat (Members, 82 posts)

Posted 22 July 2009 - 03:13 PM

I have been trying to deal with malware on my machine, and after attempts at detecting and cleaning, I still have something that looks very questionable. Rather than posting the entire log right off the bat, here is a partial list of entries marked red by RootRepeal:


Name: KSecDD
Image Path: \Driver\KSecDD
Address: 0xF370F000 Size: 19712 File Visible: No Signed: -
Status: Hidden from the Windows API!

Name: KSecDD.sys
Image Path: KSecDD.sys
Address: 0xF7870000 Size: 92288 File Visible: - Signed: -
Status: -

Name: PCI_HAL
Image Path: \Driver\PCI_HAL
Address: 0x00000000 Size: 0 File Visible: No Signed: -
Status: -

Name: srescan.sys
Image Path: srescan.sys
Address: 0xF782F000 Size: 81920 File Visible: No Signed: -
Status: -


My concern with srescan.sys is that it should be a part of Zone Alarm, yet it says the file is not visible. As for KSecDD.sys, on previous scans I have seen variations of its name. Prior to this reboot, it was kkpnbgp.sys.
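As an added example (not from the original post, and not RootRepeal's own code), here is a small Python parser for driver entries in the format quoted above, with a triage that judges each entry by its shape (hidden status, invisible file, zero-size object) rather than by name; the sample text is constructed from the four entries in the post.

```python
import re
# Constructed sample: the four RootRepeal driver entries quoted in the post.
SAMPLE = """Name: KSecDD
Image Path: \\Driver\\KSecDD
Address: 0xF370F000 Size: 19712 File Visible: No Signed: -
Status: Hidden from the Windows API!

Name: KSecDD.sys
Image Path: KSecDD.sys
Address: 0xF7870000 Size: 92288 File Visible: - Signed: -
Status: -

Name: PCI_HAL
Image Path: \\Driver\\PCI_HAL
Address: 0x00000000 Size: 0 File Visible: No Signed: -
Status: -

Name: srescan.sys
Image Path: srescan.sys
Address: 0xF782F000 Size: 81920 File Visible: No Signed: -
Status: -
"""

_ADDR_RE = re.compile(r"Address:\s*(0x[0-9A-Fa-f]+)\s+Size:\s+(\d+)\s+"
                      r"File Visible:\s+(\S+)\s+Signed:\s+(\S+)")

def parse_entries(text):
    """Return one dict per blank-line separated record in a RootRepeal drivers dump."""
    entries = []
    for block in re.split(r"\n\s*\n", text.strip()):
        e = {}
        for line in block.splitlines():
            m = _ADDR_RE.match(line)
            if m:  # the Address line packs four fields onto one line
                e.update(address=int(m[1], 16), size=int(m[2]),
                         file_visible=m[3], signed=m[4])
            else:  # every other line is a plain "Key: value" pair
                key, _, value = line.partition(":")
                e[key.strip().lower().replace(" ", "_")] = value.strip()
        entries.append(e)
    return entries

def triage(e):
    """Reasons an entry deserves a closer look; an empty list means unremarkable by shape."""
    checks = [
        ("hidden" in e["status"].lower(), "hidden from the Windows API"),
        (e["file_visible"] == "No" and e["size"] > 0, "loaded image whose file is not visible"),
        (e["address"] == 0 and e["size"] == 0, "driver object with no loaded image (address 0, size 0)"),
    ]
    return [msg for hit, msg in checks if hit]
```

A name-based allowlist would be a poor substitute for these checks, since the post itself describes the same entry appearing under different names across reboots.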

#2 namsilat (Topic Starter, Members, 82 posts)

Posted 23 July 2009 - 05:23 PM

Just an update to the situation with these questionable files. I have so far confirmed that srescan.sys is indeed part of Zone Alarm, KSecDD.sys is a legitimate Windows file, and I have not seen kkpnbgp.sys again. The only thing left is PCI_HAL, size 0 and hidden.

#3 garmanma (Computer Masochist, Staff Emeritus, 27,809 posts, Location: Cleveland, Ohio)

Posted 24 July 2009 - 09:42 PM

PCI_HAL: I believe it is nothing to worry about.

A hardware abstraction layer (HAL) is an abstraction layer, implemented in software, between the physical hardware of a computer and the software that runs on that computer. Its function is to hide differences in hardware from most of the operating system kernel, so that most of the kernel-mode code does not need to be changed to run on systems with different hardware. On a PC, HAL can basically be considered to be the driver for the motherboard and allows instructions from higher level computer languages to communicate with lower level components, such as directly with hardware.

The Windows NT operating system has a HAL in the kernel space, between hardware and kernel, drivers, executive services.[1][2] This allows portability of the Windows NT kernel-mode code to a variety of processors, with different memory management unit architectures, and a variety of systems with different I/O bus architectures; most of that code runs without change on those systems, when compiled for the instruction set for those systems. For example, the SGI Intel x86-based workstations were not IBM PC compatible workstations, but due to the HAL, Windows NT was able to run on them.

BSD, Mac OS X, Linux, CP/M, DOS, Solaris, and some other portable operating systems also have a HAL, even if it's not explicitly designated as such. Some operating systems, such as Linux, have the ability to insert one while running, like Adeos. The NetBSD operating system is widely known as having a clean hardware abstraction layer which allows it to be highly portable. As part of this system are uvm(9)/pmap(9), bus_space(9), bus_dma(9) and other subsystems. Popular buses which are used on more than one architecture are also abstracted, such as ISA, EISA, PCI, PCI-E, etc., allowing drivers to also be highly portable with a minimum of code modification.


Mark