Hidden driver files by AVG anti-rootkit

By spra
Apr 16, 2008
Topic Status:
Not open for further replies.
  1. Hello,

    When I run AVG anti-rootkit, it finds a file which is characterized as a hidden driver file. I clean it, then restart and run AVG again, but now it finds another file. Some names are:

    azrojng8.SYS
    axzw47m3.SYS
    etc.

    I guess that this is something that changes names, but I have no idea what it can be or how dangerous it is.

    I think you recommend using Panda anti-rootkit for XP users like me and AVG for Vista users. However, Panda did not detect anything, and my problem is with what AVG finds.

    Before posting this message here I tried following your instructions step by step, except where, for some reason, I could not find a way to do so. For example, with AVG anti-spyware I could not find how to quarantine the entry found instead of deleting it. Also, the log file says "No action taken" while the program says that all actions have been applied, and the action applied I saw was 'delete'.
    Anyway, the logs you need are attached as you require.

    Thank you in advance for any help you might be able to provide.

  2. spra

    spra Newcomer, in training Topic Starter

    Is there any chance that someone helps me with this please?
  3. kritius

    kritius TechSpot Guru Posts: 2,087

    I recommend you uninstall ZoneAlarm Spy Blocker.
    Recently, ZoneAlarm decided to include a "ZoneAlarm Spy Blocker toolbar" as well, which is optional during install.

    However, this toolbar now uses the AskJeeves/Ask.com search engine.

    More info: here.

    This toolbar is not recommended. See here: here.

    Source: SpywareInfo/minkiemoes

    Apart from that the logs are clean.

    Update your Java Runtime Environment
    • First try going to Start -> Control Panel -> double click Java
    • Select the Update tab at the top
    • Click the Check for Updates button at the bottom
    • If it finds the newer version (Java 6 Update 5) Follow the on screen instructions
    • After it installs the newest version Go back to Control Panel -> Add/remove programs
    • Uninstall any older versions of Java

    If for some reason you couldn't update through the above instructions:
    • Click the following link
      Java Runtime Environment 6 Update 5
    • The 4th option down is the one you want (click Download)
    • Check the box to agree to terms of service
    • Check the box for your operating system and click 'Download selected' at the bottom
    • After the install Go to Start-> Control Panel-> add/remove programs (Programs and features), and uninstall any old versions
    • Navigate to C:\programfiles\Java -> delete any subfolders except the jre1.6.0_05 folder
  4. spra

    spra Newcomer, in training Topic Starter

    Thank you kritius,

    I did what you suggested with the ZoneAlarm Spy Blocker toolbar and with the Java update. But please note that before I decided to post the problem here I had never used ZoneAlarm at all. I installed ZoneAlarm following the instructions I found on your pages. Anyway, now there must be no problem with that toolbar since I uninstalled it.

    However, AVG anti-rootkit which I ran a few moments ago, keeps finding hidden driver files. This time it found "C:\WINDOWS\System32\Drivers\ajdwujw8.SYS".
    So the problem is still here. Is it something I should ignore?
  5. kritius

    kritius TechSpot Guru Posts: 2,087

    There is a file I do not recognize; please carry out the following:
    Code:
    C:\WINDOWS\System32\Drivers\ajdwujw8.SYS
    • Click Submit.
    • Please post the results of this scan to this thread.
    Note: If the server is busy at the above site, try this alternative site:
    Code:
    C:\WINDOWS\System32\Drivers\ajdwujw8.SYS
    • Click Send.
    • Please post the results of this scan to this thread.
  6. spra

    spra Newcomer, in training Topic Starter

    It returns the following line:

    The file you uploaded is 0 bytes. It is very likely a firewall or a piece of malware is prohibiting you from uploading this file

    I stopped ZoneAlarm and tried again but the result is the same.
  7. kritius

    kritius TechSpot Guru Posts: 2,087

    From both sites?

    Please download the OTMoveIt2 by OldTimer.
    • Save it to your desktop.
    • Please double-click OTMoveIt2.exe to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator).
    • Copy the lines in the codebox below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

      Code:
      C:\WINDOWS\System32\Drivers\ajdwujw8.SYS
          
    • Return to OTMoveIt2, right click in the "Paste Standard List of Files/Folders to Move" window (under the light blue bar) and choose Paste.
    • Click the red Moveit! button.
    • Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
    • Close OTMoveIt2
    Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes. In this case, after the reboot, open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTMoveIt\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.
  8. spra

    spra Newcomer, in training Topic Starter

    Results from OTMoveIt2:

    File/Folder C:\WINDOWS\System32\Drivers\ajdwujw8.SYS not found.

    OTMoveIt2 by OldTimer - Version 1.0.4.1 log created on 04232008_120733
  9. kritius

    kritius TechSpot Guru Posts: 2,087

    AVG anti-rootkit must have been throwing up a false positive. Are you able to physically navigate to that file and see it?

    Try GMER and see what it says.
  10. spra

    spra Newcomer, in training Topic Starter

    I downloaded GMER and performed a scan. Please have a look at the results in the attached file.

    Also yesterday I had an online scan by PANDA which found many infections. So in case you are interested I attach an ActiveScan.txt as well.

    Attached Files:

  11. LookinAround

    LookinAround TechSpot Chancellor Posts: 8,284   +154

    Very odd results. Curious to see how this ends up myself. As attempts to move or do much else with this thing have failed, I'd like to see if we can't learn more of its file properties. Before we begin, please download SysExporter. This tool allows you to grab various text data from application windows that you can't otherwise simply copy to your clipboard.
    • Double check you've enabled "Show Hidden Files and Folders". From a File Explorer window Tools -> Folder Options-> View, then check Show Hidden Files
    • Use Windows Explorer to locate the .sys file in question.
    • We'll get its file security / permission info
      • Right click Properties -> Security, click Advanced button
      • Run SysExporter. Scroll through the upper pane looking for the window name starting "Advanced Security". You'll probably see 3 or 4.
      • Click on each one. When you click the window name, look at the data grabbed and displayed in the lower pane. We're looking for the permission entries.
      • When you see the text we want, click in the lower pane to change window focus.
      • Right click Select All
      • Right click Copy Selected (Tab Delimited). Then Paste the information into a text file
    • Now let's get more about its File Details
      • In Windows Explorer menu bar, click View -> Choose Details, check EVERY box, then click OK.
      • In SysExporter, click Options -> Refresh
      • Now look thru SysExporter for the window named drivers (we'll be looking for the .sys file detail listed in that window) Hint: when looking for the correct "drivers" entry in the upper pane look at the Items column. This is the total number of files displayed in that window so should be a large number.
      • Use Sysexporter again to copy the info about the .sys file in question into the text file also then post that file back here
  12. kritius

    kritius TechSpot Guru Posts: 2,087

    It only really found tracking cookies and the tools that we have used so far; nothing malicious in there.

    c:\Documents and Settings\Spyros\Desktop\VirtumundoBeGone.exe[²ƒÇ]
    C:\Documents and Settings\Spyros\Desktop\SmitfraudFix\Process.exe
    C:\WINDOWS\system32\Process.exe<===this belongs to SmitFraudFix and is not the malicious file that resides in C:\Windows\process.exe
    C:\Documents and Settings\Spyros\Desktop\SmitfraudFix\restart.exe
    C:\Documents and Settings\Spyros\Desktop\VirtumundoBeGone.exe
    C:\Documents and Settings\Spyros\Desktop\ComboFix.exe[327882R2FWJFW\NirCmdC.cfexe]
    D:\Downloaded files 3\free_kgb_keylogger_402.exe<===keyloggers also show up as bad however if you downloaded it then its ok.
    C:\Documents and Settings\Spyros\Desktop\SmitfraudFix\Reboot.exe


    Follow the good advice by LookinAround and see what SysExporter says, but I'm nearly sure that it's a false positive.
  13. LookinAround

    LookinAround TechSpot Chancellor Posts: 8,284   +154

    Of course, I don't know whether they might be false positives or not, but two things trouble "my instinct":
    1. A rather random spelling to each of these file names
    2. Try to Google any of these files and nothing shows up (except this thread!). Boy, the search engine web crawlers are fast!
  14. kritius

    kritius TechSpot Guru Posts: 2,087

    C:\Documents and Settings\Spyros\Desktop\SmitfraudFix\Reboot.exe
    C:\Documents and Settings\Spyros\Desktop\SmitfraudFix\restart.exe
    C:\WINDOWS\system32\Process.exe
    C:\Documents and Settings\Spyros\Desktop\SmitfraudFix\Process.exe

    All these are to do with SmitfraudFix and are quite legit.

    C:\Documents and Settings\Spyros\Desktop\VirtumundoBeGone.exe[²ƒÇ]
    C:\Documents and Settings\Spyros\Desktop\VirtumundoBeGone.exe

    VirtumundoBeGone

    C:\Documents and Settings\Spyros\Desktop\ComboFix.exe[327882R2FWJFW\NirCmdC.cfexe]
    ComboFix

    The only one that should be of any worry is this one,
    D:\Downloaded files 3\free_kgb_keylogger_402.exe

    and if it was downloaded on purpose for a specific reason then there's no problem.
  15. LookinAround

    LookinAround TechSpot Chancellor Posts: 8,284   +154

    spra:

    Actually, I'm going to expand on the Folder Options I had listed. You need to do the following. From a File Explorer window, Tools -> Folder Options -> View. Then place or remove checkmarks as follows:
    • Place checkmark "Display the contents of system folders"
    • Place checkmark "Show hidden files and folders"
    • Remove checkmark "Hide file extensions for known file types"
    • Remove checkmark "Hide protected operating system files"
    • Click OK
  16. spra

    spra Newcomer, in training Topic Starter

    Thank you both.

    If you mean that I should search for " ajdwujw8.SYS " using Windows Explorer I did after changing the folder options as you suggested.
    It didn't find it. To tell you the truth I never really expected it would.

    But on the other hand, neither can I see why AVG anti-rootkit would repeatedly give false positives, continuously changing the name of the file, if there is nothing there that causes the regeneration of the previously destroyed file. This doesn't sound like a bug to my ... inexperienced ears, but I don't know.
    So do you think there is something else to do?
  17. LookinAround

    LookinAround TechSpot Chancellor Posts: 8,284   +154

    What version of Windows are you running?
  18. QuietLeni

    QuietLeni Newcomer, in training

    That hidden driver file renames itself...

    Hi spra,

    I have been trying to chase down exactly the same problem on my laptop. I do not download dodgy/cracked applications and I would consider myself a "safe surfer" - not installing all and sundry, etc.

    However, I built this laptop just over 7 weeks ago, installed AVG Anti-Rootkit on my machine and ran it, like you did, and got a similar result: a hidden driver that Anti-Rootkit detected and I told it to delete, then rebooted. Anti-Rootkit told me that the driver had been deleted, but when I ran AVG ARK again, it came back with the same result, only with a different 8.3 name, currently ag309e59.sys.

    This is *NOT*, I repeat *NOT*, a false positive, as I have corroborated the existence of this hidden driver with IceSword (an advanced rootkit-finder). However, I cannot get a signature of the file and I have not been able to detect it with either F-Secure's Blacklight or Symantec Endpoint Protection. I think that the driver has a list of root image names that it does not allow to see it, and these will be on that list.

    I have tried:

    1) Looking for DOS-hidden files (in Explorer and in Command Prompt),
    2) Booting the machine in WinPE and examining the file in the DOS there,
    3) Booting the machine into DOS and examining the filesystem within DOS (in case the driver is Windows-specific).
    4) Adding the file to the "PendingFileRenameOperations" registry value to rename it and rebooting but the "PendingFileRenameOperations" value gets reset back to a known state.

    The one last option I am going to try is rebooting and running in Safe Mode, to see if the driver is loaded.

    If I cannot find it that way, I am feeling that this might be a "rebuild job" unless someone can tell me that this "thing" is not malignant.

    Regards,


    QuietLeni
  19. spra

    spra Newcomer, in training Topic Starter

    My Windows is XP Pro SP2.

    QuietLeni that's bad news you're bringing. Thanks anyway.
  20. peterdiva

    peterdiva TechSpot Ambassador Posts: 1,202

    I recently saw on another forum that AVG Anti-Rootkit flags the Daemon Tools driver. This is a random number/letter file which changes on each boot, and is usually dated the same as or close to sptd.sys. Spra does have Daemon Tools installed.

    From a minidump I just looked at:

    b9ea7000 b9fa7000 sptd sptd.sys Thu Mar 06 09:32:57 2008 (47CF3BB9)
    b953b000 b95a0000 awhmu8a6 awhmu8a6.SYS Thu Mar 27 21:24:26 2008 (47EB91FA)

    b953b000 b95a0000 aeaixffm aeaixffm.SYS Thu Mar 27 21:24:26 2008 (47EB91FA) <-- After crash and reboot (same file).
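    As an added example (not code from the thread or from any of the tools it mentions), a small Python script that turns peterdiva's observation into a check: parse two loaded-module lists from successive boots and report any driver whose size and link timestamp are unchanged but whose file name differs, and whether sptd.sys is loaded alongside it. The module lines are constructed samples in the layout quoted above.

```python
import re
from dataclasses import dataclass

# Constructed sample module lists in the "start end module image timestamp" layout
# quoted above; the random-named entry keeps its address, size and link timestamp
# across the two boots but changes its file name, while atapi.sys is filler.
SAMPLE_BOOT1 = """
b9ea7000 b9fa7000 sptd sptd.sys Thu Mar 06 09:32:57 2008 (47CF3BB9)
b953b000 b95a0000 awhmu8a6 awhmu8a6.SYS Thu Mar 27 21:24:26 2008 (47EB91FA)
f7a1c000 f7a2b000 atapi atapi.sys Tue Aug 03 23:59:41 2004 (41107B2D)
"""
SAMPLE_BOOT2 = """
b9ea7000 b9fa7000 sptd sptd.sys Thu Mar 06 09:32:57 2008 (47CF3BB9)
b953b000 b95a0000 aeaixffm aeaixffm.SYS Thu Mar 27 21:24:26 2008 (47EB91FA)
f7a1c000 f7a2b000 atapi atapi.sys Tue Aug 03 23:59:41 2004 (41107B2D)
"""

LINE_RE = re.compile(
    r"^(?P<start>[0-9a-f]{8})\s+(?P<end>[0-9a-f]{8})\s+\S+\s+"
    r"(?P<image>\S+)\s+.+?\s+\((?P<stamp>[0-9A-Fa-f]{8})\)\s*$"
)

@dataclass(frozen=True)
class Module:
    start: int
    end: int
    image: str  # file name as loaded, e.g. "awhmu8a6.SYS"
    stamp: int  # PE link timestamp, the hex value in parentheses

def parse_modules(text: str) -> list:
    """Parse module-list lines; anything not in the expected layout is skipped."""
    mods = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            mods.append(Module(int(m["start"], 16), int(m["end"], 16),
                               m["image"], int(m["stamp"], 16)))
    return mods

def find_renamed_drivers(text_a: str, text_b: str) -> list:
    """Cross-boot check: the same binary (identical size and link timestamp) loaded
    under a different file name in the second list. A name-only heuristic also matches
    legitimate 8-letter drivers such as classpnp.sys, so this is the signal to use."""
    by_key = {(m.end - m.start, m.stamp): m for m in parse_modules(text_b)}
    renamed = []
    for a in parse_modules(text_a):
        b = by_key.get((a.end - a.start, a.stamp))
        if b is not None and a.image.lower() != b.image.lower():
            renamed.append((a.image, b.image))
    return renamed

def sptd_loaded(text: str) -> bool:
    """True when sptd.sys (Daemon Tools / Alcohol) is present, the explanation the
    thread settles on for the renaming driver."""
    return any(m.image.lower() == "sptd.sys" for m in parse_modules(text))
```

    A renamed entry together with sptd.sys loaded points at the Daemon Tools / Alcohol driver rather than at malware; a renamed entry without sptd.sys is the case worth submitting for analysis.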
  21. LookinAround

    LookinAround TechSpot Chancellor Posts: 8,284   +154

    QuietLeni

    I just happened across IceSword this morning! Good to know it at least finds the files as well.

    QuietLeni and Spra
    A question that came to me was: each time you see this thing reappear, do you recall if it's after a reboot? Or do you recall if it sometimes reappears without a reboot? I am wondering if, like some other manifestations of malware, part of it is inside your startups.

    - Install Autoruns
    - Start it. Note its status in lower left corner of window
    - Hit Esc to stop it
    - Click Options and select to Hide Microsoft Entries and Verify Code Signatures
    - Start the scan again (File -> Refresh)
    - When done you can do File->Save to get a text file and post it
  22. LookinAround

    LookinAround TechSpot Chancellor Posts: 8,284   +154

    Interesting post peterdiva!

    Based on that info I found:

    "Some software publishers go to great lengths to try to disable or frustrate Daemon Tools. For example, some games will check to see if the driver for Daemon Tools is loaded, and if so will take some action, such as uninstalling the toolset altogether. New releases of Daemon Tools take various measures to ensure the functionality of the application. For example, revision 4.06 randomizes the name of the virtual driver installed by the software."

    And same is true for Alcohol. They both use rootkits to avoid being detected by DRM or other software apps.

    Still, if you guys want to post the results of Autoruns would be happy to take a look.
  23. spra

    spra Newcomer, in training Topic Starter

    peterdiva,

    I did have Daemon tools for a while. Then it was useless to me, so when I heard that as you say it might cause such kind of alerts I uninstalled it or at least I think I managed to do so, but that was long ago.

    Anyway now I can't see Daemon tools in the Add Remove Programs list. If it has left something that keeps working I don't know how I can get rid of it.
    Is there a way?
  24. spra

    spra Newcomer, in training Topic Starter

    Here is AutoRuns txt
  25. LookinAround

    LookinAround TechSpot Chancellor Posts: 8,284   +154

    Did you remove Daemon Tools and replace it with Alcohol 120? Alcohol 120 does the same thing, and I see several Alcohol-related startups in the file you just posted.

    /**** Edit ****/
    Should say: Alcohol 120 does the same thing, based on what I've read since peterdiva pointed us down that path.