Question
May 22, 2008, 09:54 AM
New Member
Join Date: May 2008
Posts: 4
Hidden driver, rootkit? C:\WINDOWS\System32\Drivers\adojzhcu.SYS
This was missed with Kaspersky Anti-Virus 7.0 (version 7.0.1.321) and Trojanhunter 5.0. I found it, if it is a rootkit, running AVG Anti-Rootkit Free. After it was found and erased the first time, when the computer was restarted it was there again, only with a different ending to the file. It did the same the third time it was erased. My guess is there is something in there re-installing it on startup every time, and it changes itself to be missed? Here is the starting name of the file with the change at the end every time I erased it. It would also change the ending if the computer is just restarted. It's called a Hidden Driver File by AVG Anti-Rootkit Free. All of the capitals and lower cases are how it was listed.
C:\WINDOWS\System32\Drivers\adojzhcu.SYS
C:\WINDOWS\System32\Drivers\amujjg5a.SYS
C:\WINDOWS\System32\Drivers\aianq1zc.SYS
If I check it again, I am guessing it will still be there just with a different ending. I can send you a Hijackthis scan file or anything else that you need. You build a great AV system and I hope this helps you make it better as well as helping me get rid of it, if it is bad.
Thanks for your time
Matt
Answers
May 23, 2008, 10:46 AM
#2
Junior Member
Join Date: Jul 2006
Posts: 196
Please run all the 5 steps listed here, especially a complete scan with Dr. Web.
May 23, 2008, 08:47 PM
#3
New Member
Join Date: May 2008
Posts: 4
I did the scans with all 5. There were a few spy and ad files found and deleted that I have seen before. A complete scan of Dr. Web came up with these. They were unable to be cured and were put in quarantine. I did not put the quarantine file in a certain place, so I will have to find it if need be.
A0075695.exe;C:\System Volume Information\_restore{80DED19E-4EB2-4BBA-94DE-BE7FE31173DD}\RP435;Probably DLOADER.Trojan;;
A0077578.exe;C:\System Volume Information\_restore{80DED19E-4EB2-4BBA-94DE-BE7FE31173DD}\RP455;Probably DLOADER.Trojan;;
A0100831.exe;C:\System Volume Information\_restore{80DED19E-4EB2-4BBA-94DE-BE7FE31173DD}\RP571;Probably BACKDOOR.Trojan;;
A0100832.exe;C:\System Volume Information\_restore{80DED19E-4EB2-4BBA-94DE-BE7FE31173DD}\RP571;Probably BACKDOOR.Trojan;;
A0100905.exe;C:\System Volume Information\_restore{80DED19E-4EB2-4BBA-94DE-BE7FE31173DD}\RP572;Probably DLOADER.Trojan;;
A0102255.bat;C:\System Volume Information\_restore{80DED19E-4EB2-4BBA-94DE-BE7FE31173DD}\RP573;Probably SCRIPT.Virus;;
A0102470.bat;C:\System Volume Information\_restore{80DED19E-4EB2-4BBA-94DE-BE7FE31173DD}\RP575;Probably SCRIPT.Virus;;
One more scan with AVG Anti-Rootkit found this again, but changed:
C:\WINDOWS\System32\Drivers\aj2g55og.SYS
I will be reading the links on how to prevent this stuff in the future while I await your reply on what to do next.
Thanks for your help
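A defender-side check for the behaviour described in the original question and in post #3 above (a random 8-character driver name that comes back under a new name after each reboot), added here as an example and not code from the thread or from any of the tools named. It flags driver names matching the pattern of the four names posted and pairs a vanished file with a same-size newcomer across two directory snapshots. The snapshots, the file sizes and the name pattern are constructed assumptions for illustration, not a general rootkit signature.

```python
import re

# Naming pattern observed in the thread: an 8-character stem of lowercase
# letters and digits with an upper-case .SYS extension (e.g. adojzhcu.SYS).
# Heuristic derived from the four posted names; assumption, not a signature.
RANDOM_DRIVER = re.compile(r"^[a-z0-9]{8}\.SYS$")

# Constructed snapshots of C:\WINDOWS\System32\Drivers taken before and after
# a reboot, as {file name: size in bytes}. Names other than the posted ones
# and all sizes are made up for the example.
BEFORE = {
    "ntfs.sys": 574976, "atapi.sys": 96512, "kbdclass.sys": 24576,
    "adojzhcu.SYS": 71296,
}
AFTER = {
    "ntfs.sys": 574976, "atapi.sys": 96512, "kbdclass.sys": 24576,
    "amujjg5a.SYS": 71296,
}


def suspicious_drivers(snapshot):
    """Driver names in one snapshot that match the random-name pattern."""
    return sorted(name for name in snapshot if RANDOM_DRIVER.match(name))


def respawned_drivers(before, after):
    """Pair each pattern-matching driver that vanished across the reboot with
    a pattern-matching driver of identical size that appeared in its place.
    A same-size file under a fresh random name is the respawn the thread
    describes; a legitimate driver keeps its name."""
    gone = [n for n in suspicious_drivers(before) if n not in after]
    fresh = [n for n in suspicious_drivers(after) if n not in before]
    return [(old, new) for old in gone for new in fresh
            if before[old] == after[new]]


def stable_drivers(before, after):
    """Sanity check: files whose name and size survived the reboot unchanged."""
    return sorted(n for n in before if n in after and before[n] == after[n])


if __name__ == "__main__":
    for old, new in respawned_drivers(BEFORE, AFTER):
        print(f"{old} vanished; {new} of the same size appeared after reboot")
```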
May 25, 2008, 06:07 AM
#4
Junior Member
Join Date: Jul 2006
Posts: 196
The incurable ones are stored in your System Restore folder: C:\System Volume Information\_restore
To remove them you need to turn off System Restore and then turn it back on.
As you have run all 5 steps, you need to visit the HijackThis Logs and Analysis forum (SWI Forums -> Malware Removal) and let the HijackThis experts take a look at what's happening on your computer.
May 25, 2008, 01:26 PM
#5
New Member
Join Date: May 2008
Posts: 4
Yes, I did that after reading the link you had for prevention and AV scans. I will be contacting the HijackThis forum now. Thanks for the help.
May 25, 2008, 02:18 PM
#6
New Member
Join Date: May 2008
Posts: 16
Quote (originally posted by Hartlieb):
This was missed with Kaspersky Anti-Virus 7.0 (version 7.0.1.321) and Trojanhunter 5.0. I found it, if it is a rootkit, running AVG Anti-Rootkit Free. After it was found and erased the first time, when the computer was restarted it was there again, only with a different ending to the file. It did the same the third time it was erased. My guess is there is something in there re-installing it on startup every time, and it changes itself to be missed? Here is the starting name of the file with the change at the end every time I erased it. It would also change the ending if the computer is just restarted. It's called a Hidden Driver File by AVG Anti-Rootkit Free. All of the capitals and lower cases are how it was listed.
C:\WINDOWS\System32\Drivers\adojzhcu.SYS
C:\WINDOWS\System32\Drivers\amujjg5a.SYS
C:\WINDOWS\System32\Drivers\aianq1zc.SYS
If I check it again, I am guessing it will still be there just with a different ending. I can send you a Hijackthis scan file or anything else that you need. You build a great AV system and I hope this helps you make it better as well as helping me get rid of it, if it is bad.
Thanks for your time
Matt
(end of quote)
I would just go in and reformat your whole hard drive, if you have the operating system to install onto it. That would be your best bet, without killing too much time.
May 25, 2008, 10:26 PM
#7
New Member
Join Date: May 2008
Posts: 4
He, he... that was one of the things I was thinking of doing. Do you have any idea what this stuff could be? Because that is probably what is going to happen...