Hidden driver files by AVG anti-rootkit

[spra]

Hello,

when I run AVG anti-rootkit it finds a file which is characterized as hidden driver file. I clean it, then restart and then run AVG again, but now it finds another file. Some names are:

azrojng8.SYS
axzw47m3.SYS
etc.

I guess that this is something that changes names but I have no idea what it can be and how dangerous it is.

I think you recommend using Panda anti-rootkit for XP users like me and AVG for Vista users. However Panda did not detect anything and my problem is with what AVG finds.

Before posting this message here I tried following your instructions step by step except when for some reason I could not find the way to do so. For example with AVG anti-spyware I could not find how I could quarantine the entry found instead of deleting it. Also the log file says "No action taken" while the program says that all actions have been applied and the action applied I saw was 'delete'.
Anyway, the logs you need are attached as you require.

Thank you in advance for any help you might be able to provide.

 

[spra]

Is there any chance that someone helps me with this please?

 

[kritius]

I recommend you uninstall Zone alarm spyblocker,
Since recently, Zonealarm decided to include a "ZoneAlarm Spy Blocker toolbar" as well which is an optional during install.

However, this Toolbar now uses the AskJeeves/Ask.com searchengine.

More info: here.

This Toolbar is not recommened. See here: here.

Source: SpywareInfo/minkiemoes

Apart from that the logs are clean.

Update your Java Runtime Environment

• First try going to Start -> Control Panel -> double click Java
• Select the Update TAb at the top
• Click the Check for Updates button at the bottom
• If it finds the newer version (Java 6 Update 5) Follow the on screen instructions
• After it installs the newest version Go back to Control Panel -> Add/remove programs
• Uninstall any older versions of Java

If for some reason you couldn't update through the above instructions.

• Click the following link
  Java Runtime Environment 6 Update 5
• The 4th option down is the one you want (click Download)
• Check the box to agree to terms of service
• Check the box for your operating system and click 'Download selected'at the bottom
• After the install Go to Start-> Control Panel-> add/remove programs (Programs and features), and uninstall any old versions
• Navigate to C:\programfiles\Java -> delete any subfolders except the jre1.6.0_05 folder

 

[spra]

Thank you kritius,

I did what you suggested with ZoneAlarm Spy Blocker toolbar and with Java update. But please note that before I decide to post the problem here I had never used ZoneAlarm at all. I installed Zone Alarm following the instructions I found on your pages. Anyway now there must be no problem with that toolbar since I uninstalled it.

However, AVG anti-rootkit which I ran a few moments ago, keeps finding hidden driver files. This time it found "C:\WINDOWS\System32\Drivers\ajdwujw8.SYS".
So the problem is still here. Is it something I should ignore?

 

[kritius]

There is a(re) file(s) I do not recognize, please carry out the following:

• Please visit Jotti Online Malware Scan
• Copy the following line into the white text box:

C:\WINDOWS\System32\Drivers\ajdwujw8.SYS

• Click Submit.
• Please post the results of this scan to this thread.

Note: If the server is busy at the above site, try this alternative site:

• Go to Virus Total-Upload A File.
• Copy the following line into the white text box:

C:\WINDOWS\System32\Drivers\ajdwujw8.SYS

• Click Send.
• Please post the results of this scan to this thread.

 

[spra]

It returns the following line:

The file you uploaded is 0 bytes. It is very likely a firewall or a piece of malware is prohibiting you from uploading this file

I stopped ZoneAlarm and tried again but the result is the same.

 

[kritius]

From both sites?

Please download the OTMoveIt2 by OldTimer.

• Save it to your desktop.
• Please double-click OTMoveIt2.exe to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator).
• Copy the lines in the codebox below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):
  
  

  C:\WINDOWS\System32\Drivers\ajdwujw8.SYS

• Return to OTMoveIt2, right click in the "Paste Standard List of Files/Folders to Move" window (under the light blue bar) and choose Paste.
  
• Click the red Moveit! button.
• Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
• Close OTMoveIt2

Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes. In this case, after the reboot, open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTMoveIt\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.

 

[spra]

Results from OTMoveIt2:

File/Folder C:\WINDOWS\System32\Drivers\ajdwujw8.SYS not found.

OTMoveIt2 by OldTimer - Version 1.0.4.1 log created on 04232008_120733

 

[kritius]

AVG antirootkit must have been throwing up a false positive, are you able to physically navigate to that file and see it?

Try GMER and see what it says.

 

[spra]

I downloaded GMER and performed a scan. Please have a look at the results in the attached file.

Also yesterday I had an online scan by PANDA which found many infections. So in case you are interested I attach an ActiveScan.txt as well.

 

[LookinAround]

Very odd results. Curious to see how this ends up myself. As attempts to move or do much else with this thing have failed, i'd like to see if we can't learn more of its file properties. Before we begin, please download SysExporter. This tool allows you to grab various text data types from application Windows you can't otherwise simply copy to your clipboard

• Double check you've enabled "Show Hidden Files and Folders". From a File Explorer window Tools -> Folder Options-> View, then check Show Hidden Files
• Use Windows Explorer to locate the .sys file in question.
• We'll get it's file security / permission info
  • Right click Properties -> Security, click Advanced button
  • Run Sysexporter. Scroll thru the upper pane looking for the window name starting Avanced Security. You'll probably see 3 or 4.
  • Click on each one. When you click the window name, look at the data grabbed and displayed in the lower pane. We're looking the permission entries.
  • When you see the text we want, click in the lower pane to change window focus.
  • Right click Select All
  • Right click Copy Selected (Tab Delimited). Then Paste the information into a text file
• Now let's get more about its File Details
  • In Windows Explorer menu bar, click View -> Choose Details, check EVERY box, then click OK.
  • In SysExporter, click Options -> Refresh
  • Now look thru SysExporter for the window named drivers (we'll be looking for the .sys file detail listed in that window) Hint: when looking for the correct "drivers" entry in the upper pane look at the Items column. This is the total number of files displayed in that window so should be a large number.
  • Use Sysexporter again to copy the info about the .sys file in question into the text file also then post that file back here

 

[kritius]

It only really found tracking cookis and the tools that we have used so far nothing malicious in there.

c:\Documents and Settings\Spyros\Desktop\VirtumundoBeGone.exe[²ƒÇ]
C:\Documents and Settings\Spyros\Desktop\SmitfraudFix\Process.exe
C:\WINDOWS\system32\Process.exe<===this belongs to SmitFraudFix and is not the malicious file that resides in C:\Windows\process.exe
C:\Documents and Settings\Spyros\Desktop\SmitfraudFix\restart.exe
C:\Documents and Settings\Spyros\Desktop\VirtumundoBeGone.exe
C:\Documents and Settings\Spyros\Desktop\ComboFix.exe[327882R2FWJFW\NirCmdC.cfexe]
D:\Downloaded files 3\free_kgb_keylogger_402.exe<===keyloggers also show up as bad however if you downloaded it then its ok.
C:\Documents and Settings\Spyros\Desktop\SmitfraudFix\Reboot.exe


Follow the good advice by LookinAround and see what SysExporter says, but im nearly sure that its a false positive.

 

[LookinAround]

of course, i don't know if they might be false positives nor not but the two things that trouble "my instinct"
1. A rather random spelling to each of these file names
2. Try to google any of these files and nothing shows up (except this thread!) boy, the search engine web crawlers are fast!

 

[kritius]

C:\Documents and Settings\Spyros\Desktop\SmitfraudFix\Reboot.exe
C:\Documents and Settings\Spyros\Desktop\SmitfraudFix\restart.exe
C:\WINDOWS\system32\Process.exe
C:\Documents and Settings\Spyros\Desktop\SmitfraudFix\Process.exe
All these are to do with SmitfraudFix and are quite legit.

C:\Documents and Settings\Spyros\Desktop\VirtumundoBeGone.exe[²ƒÇ]
C:\Documents and Settings\Spyros\Desktop\VirtumundoBeGone.exe
VirtmundoBeGone

C:\Documents and Settings\Spyros\Desktop\ComboFix.exe[327882R2FWJFW\NirCmdC.cfexe]
ComboFix

The only one that should be of any worry is this one,
D:\Downloaded files 3\free_kgb_keylogger_402.exe

and if it was downloaded on purpose for a specific reason then theres no problem.

 

[LookinAround]

spra:

Actually, I'm going to expand on the Folder Options i had listed. You need to do the following. From a File Explorer window Tools -> Folder Options-> View. Then place or remove checkmarks as follows

• Place checkmark "Display the contents of system folders"
• Place checkmkark "Show hidden files and folders"
• Remove checkmark "Hide file extensions for known file types"
• Remove checkmark "Hide protected operating system files"
• Click OK

 

[spra]

Thank you both.

If you mean that I should search for " ajdwujw8.SYS " using Windows Explorer I did after changing the folder options as you suggested.
It didn't find it. To tell you the truth I never really expected it would.

But on the other hand, neither can I see why AVG anti-rootkit would give repeatedly false positives changing continuously the name of the file, if there is nothing there that causes the regeneration of the previously destroyed file. This doesn't sound like a bug to my ... inexperienced ears but I don't know.
So do you think there is something else to do?

 

[LookinAround]

what version of windows are you running?

 

[QuietLeni]

That hidden driver file renames itself...

Hi spra,

I have been trying to chase down exactly the same problem on my laptop. I do not download dodgy/cracked applications and I would consider myself a "safe surfer" - not installing all and sundry, etc.

However, I built this laptop just over 7 weeks ago and installed AVG Anti-Rootkit on my machine and ran it, like you did and got a similar result - a hidden driver that Anti-Rootkit detected and I told it to delete, then rebooted. Anti-Rootkit told me that the driver had been deleted, but when i ran AVG ARK again, it came back with the same result, only with a different 8.3 name, currently ag309e59.sys.

This is *NOT*, I repeat *NOT*, a false positive, as I have corroborated the existance of this hidden driver with IceSword (an advanced rootkit-finder). However, I cannot get a signature of the file and I have not been able to detect it with either F-Secure's Blacklight or Symantec Endpoint Protection. I think that the driver has a list of root image names that it does not allow to see it and these will be on that list.

I have tried:

1) Looking for DOS-hidden files (in Explorer and in Command Prompt),
2) Booting the machine in WinPE and examining the file in the DOS there,
3) Booting the machine into DOS and examining the filesystem within DOS (in case the driver is Windows-specific).
4) Adding the file to the "PendingFileRenameOperations" registry value to rename it and rebooting but the "PendingFileRenameOperations" value gets reset back to a known state.

The one last option I am going to try is rebooting and running in Safe Mode, to see if the driver is loaded.

If I cannot find it that way, I am feeling that this might be a "rebuild job" unless someone can tell me that this "thing" is not malignant.

Regards,


QuietLeni

 

[spra]

My windows is XP pro SP2.

QuietLeni that's bad news you're bringing. Thanks anyway.

 

[peterdiva]

I recently saw on another forum that AVG Rootkit flags the Daemon tools driver. This a random number/letter file which changes on each boot, and is usually dated the same or close to sptd.sys. Spra does have Daemon tools installed.

From a minidump I just looked at:

b9ea7000 b9fa7000 sptd sptd.sys Thu Mar 06 09:32:57 2008 (47CF3BB9)
b953b000 b95a0000 awhmu8a6 awhmu8a6.SYS Thu Mar 27 21:24:26 2008 (47EB91FA)

b953b000 b95a0000 aeaixffm aeaixffm.SYS Thu Mar 27 21:24:26 2008 (47EB91FA) <-- After crash and reboot (same file).

 

[LookinAround]

QuietLeni

I just happened across IceSword this morning! Good to know it at least finds the files as well.

QuietLeni and Spra
Question that came to me was: Each time you this thing re-appear do you recall if it's after a re-boot? or recall if it reappears sometimes without a reboot? Am wondering if like some other manifestations of malware, part of it is inside your startups

- Install Autoruns
- Start it. Note its status in lower left corner of window
- Hit Esc to stop it
- Click Options and select to Hide Microsoft Entries and Verify Code Signatures
- Start the scan again (File -> Refresh)
- When done you can do File->Save to get a text file and post it

 

[LookinAround]

Interesting post peterdiva!

Based on that info i found

"Some software publishers go to great lengths to try to disable or frustrate Daemon Tools. For example, some games will check to see if the driver for Daemon Tools is loaded, and if so will take some action, such as uninstalling the toolset altogether. New releases of Daemon Tools take various measures to ensure the functionality of the application. For example, revision 4.06 randomizes the name of the virtual driver installed by the software."

And same is true for Alcohol. They both use rootkits to avoid being detected by DRM or other software apps.

Still, if you guys want to post the results of Autoruns would be happy to take a look.

 

[spra]

pederdiva,

I did have Daemon tools for a while. Then it was useless to me, so when I heard that as you say it might cause such kind of alerts I uninstalled it or at least I think I managed to do so, but that was long ago.

Anyway now I can't see Daemon tools in the Add Remove Programs list. If it has left something that keeps working I don't know how I can get rid of it.
Is there a way?

 

[spra]

Here is AutoRuns txt

 

[LookinAround]

did you remove deamon tools and replace it with alcohol 120? Alcohol 120 does the same thing and I see several alcohol related startups in the file you just posted

/**** Edit ****/
Should say, have alcohol 120 does the same thing based on what i've read since peterdiva pointed us down that path