Rootkit?


11 replies to this topic

#1 zakisbak

Posted 13 September 2009 - 05:51 AM

Hi!

AVG AntiRootkit finds the following :

"C:\WINDOWS\System32\Drivers\amsddwdi.SYS, Hidden driver file"

Every time I remove it (AVG AntiRootkit, then reboot), it reappears, except the letters change (amsddwdi will be something different).

(I replaced AVG 8 with Avast as Avast apparently terminates rootkits on startup, but this Hidden driver file still appears.)

My PC seems to be running fine, except:

1 - Firefox seems sluggish, though IE8 and Chrome seem fine.

2 - CPU usage is about 5-15% while just browsing, seems rather high?

3 - Uh, that's it!

There is no unusual received/sent networking activity on Task Manager.

Is the Hidden driver file malicious and should it be removed?

I plan to use combofix and malwarebytes unless advised otherwise.

Thanks in advance for any advice!!

Further info: XP, Athlon 2.8, SP2, Avast Free, ZoneAlarm Firewall

- quick start-up and shut down

Thanks again
Zak
:thumbsup:

#2 Budapest

Posted 13 September 2009 - 10:21 PM

Does anything show up in the RootRepeal Files scan?
The power of accurate observation is commonly called cynicism by those who haven't got it.

—George Bernard Shaw

#3 zakisbak

Posted 14 September 2009 - 02:42 PM

Thanks for your reply.
Here is the report:

ROOTREPEAL © AD, 2007-2009
==================================================
Scan Start Time: 2009/09/14 20:41
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP2
==================================================

Hidden/Locked Files
-------------------
Path: C:\WINDOWS\system32\pghash.dat
Status: Locked to the Windows API!

Path: C:\WINDOWS\system32\pguard.dat
Status: Locked to the Windows API!

Path: c:\windows\internet logs\zalog.txt
Status: Size mismatch (API: 283754, Raw: 278577)

Path: C:\WINDOWS\system32\drivers\procguard.sys
Status: Locked to the Windows API!

Path: c:\documents and settings\xxxx\local settings\temp\etilqs_binrbg2o9za5kwjz1qkw
Status: Allocation size mismatch (API: 32768, Raw: 0)

Path: c:\documents and settings\xxxx\local settings\temp\etilqs_oob6h06oniqvuqhwyw3f
Status: Allocation size mismatch (API: 8192, Raw: 0)

Path: c:\documents and settings\xxxx\local settings\application data\google\chrome\user data\default\current session
Status: Size mismatch (API: 112149, Raw: 112122)

Any further advice greatly appreciated.
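The RootRepeal output above mixes three different kinds of finding (files locked against the Windows API, files with a size mismatch between the API and the raw disk read, and temp files whose allocation has not been committed yet), and the thread's resolution turns on telling them apart and matching the one kernel driver against installed software. The following Python script is an added example, not code from the thread, from RootRepeal or from AVG: it parses the "Hidden/Locked Files" section and assigns each entry a triage verdict. The sample report is constructed from the one posted above; the final entry (the AVG-reported driver with status "Invisible to the Windows API!") and the trailing "Stealth Objects" heading are assumed to follow RootRepeal's wording and are not in the posted output. The verdict rules are heuristics of my own, not RootRepeal's.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample input, modelled on the RootRepeal 1.3.5.0 report posted in
# the thread (user name replaced by xxxx, as in the original). The last entry is
# constructed to stand in for the driver AVG AntiRootkit reported; it was not in
# the posted RootRepeal output. The status wording is assumed.
SAMPLE_REPORT = r"""ROOTREPEAL (c) AD, 2007-2009
==================================================
Scan Start Time: 2009/09/14 20:41
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP2
==================================================

Hidden/Locked Files
-------------------
Path: C:\WINDOWS\system32\pghash.dat
Status: Locked to the Windows API!

Path: C:\WINDOWS\system32\drivers\procguard.sys
Status: Locked to the Windows API!

Path: c:\windows\internet logs\zalog.txt
Status: Size mismatch (API: 283754, Raw: 278577)

Path: c:\documents and settings\xxxx\local settings\temp\etilqs_binrbg2o9za5kwjz1qkw
Status: Allocation size mismatch (API: 32768, Raw: 0)

Path: C:\WINDOWS\System32\Drivers\amsddwdi.SYS
Status: Invisible to the Windows API!

Stealth Objects
---------------
"""

SIZE_RE = re.compile(r"\(API:\s*(\d+),\s*Raw:\s*(\d+)\)")
DRIVER_RE = re.compile(r"\\system32\\drivers\\[^\\]+\.sys$", re.IGNORECASE)
TEMP_RE = re.compile(r"\\local settings\\temp\\", re.IGNORECASE)


@dataclass
class Entry:
    path: str
    status: str
    api: Optional[int]  # size reported through the Windows API, if present
    raw: Optional[int]  # size read from the raw disk structures, if present


def parse_hidden_files(report: str) -> list[Entry]:
    """Return the Path/Status pairs listed under 'Hidden/Locked Files'."""
    entries: list[Entry] = []
    in_section = False
    path: Optional[str] = None
    for line in report.splitlines():
        line = line.strip()
        if line == "Hidden/Locked Files":
            in_section = True
            continue
        if not in_section:
            continue
        if line.startswith("Path:"):
            path = line[len("Path:"):].strip()
        elif line.startswith("Status:") and path is not None:
            status = line[len("Status:"):].strip()
            m = SIZE_RE.search(status)
            api, raw = (int(m.group(1)), int(m.group(2))) if m else (None, None)
            entries.append(Entry(path, status, api, raw))
            path = None
        elif not line or set(line) == {"-"}:
            continue  # blank line or the dashed underline below the heading
        else:
            break  # any other text is the heading of the next section
    return entries


def triage(entry: Entry) -> tuple[str, str]:
    """Assign a verdict and a one-line reason to a single report entry (heuristic)."""
    s = entry.status.lower()
    if DRIVER_RE.search(entry.path) and ("invisible" in s or "locked" in s):
        return ("review", "kernel driver hidden or locked from the Windows API; "
                          "match it against installed kernel-mode software "
                          "(in this thread: ProcessGuard and Daemon Tools) before removal")
    if "allocation size mismatch" in s:
        if entry.raw == 0 and TEMP_RE.search(entry.path):
            return ("likely benign", "temp file open for writing, no disk allocation committed yet")
        return ("unknown", "allocation mismatch outside a temp directory")
    if "size mismatch" in s:
        return ("likely benign", "file grew between API and raw read (log or session file being written)")
    if "locked" in s:
        return ("info", "file held open or locked by a running product")
    if "invisible" in s:
        return ("review", "file hidden from the Windows API")
    return ("unknown", "status not recognised; inspect manually")


def summarize(report: str) -> dict[str, list[str]]:
    """Group entry paths by verdict so the 'review' bucket stands out."""
    buckets: dict[str, list[str]] = {}
    for e in parse_hidden_files(report):
        verdict, _ = triage(e)
        buckets.setdefault(verdict, []).append(e.path)
    return buckets


if __name__ == "__main__":
    for e in parse_hidden_files(SAMPLE_REPORT):
        verdict, why = triage(e)
        print(f"[{verdict:13}] {e.path}\n{'':16}{why}")
```

Run on the sample, only the two drivers land in the "review" bucket, which is exactly where the thread's answer came from: a driver that is hidden or locked from the API is a finding to correlate with installed products (ProcessGuard locking procguard.sys, Daemon Tools hiding its driver), not proof of malware, and the decisive test was uninstalling the candidate product and rescanning rather than deleting the file, which in this case only made it reappear under a different name.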

#4 Budapest

Posted 14 September 2009 - 04:41 PM

Do you have ProcessGuard installed on your computer?

#5 zakisbak

Posted 14 September 2009 - 05:21 PM

Yes I do.

#6 zakisbak

Posted 14 September 2009 - 05:25 PM

Free version only.

#7 Budapest

Posted 14 September 2009 - 05:28 PM

You could try uninstalling ProcessGuard to see if it is responsible for the hidden driver.

Do you use Daemon Tools? Because Daemon Tools uses rootkit-like technology to hide itself.

#8 zakisbak

Posted 14 September 2009 - 05:41 PM

OK.
But I've had Process Guard for ages and no AVG Rootkit finds.

Yes I have Daemon Tools.
(Can't actually find it to uninstall.)

#9 Budapest

Posted 14 September 2009 - 05:48 PM

Daemon Tools is almost certainly the cause of the hidden driver then.

#10 zakisbak

Posted 14 September 2009 - 06:00 PM

Uninstalled Process Guard and Daemon Tools, and AVG scan showing no hidden drivers.

Is Daemon Tools OK to reinstall, and are hidden drivers associated with it normal?

#11 Budapest

Posted 14 September 2009 - 06:05 PM

Yes, Daemon Tools is okay to reinstall. The hidden driver is normal for Daemon Tools.

#12 zakisbak

Posted 14 September 2009 - 06:07 PM

Many thanks for your help
:thumbsup: