Ask Me Help Desk

Ask Me Help Desk (https://www.askmehelpdesk.com/forum.php)
- Spyware, Viruses, etc. (https://www.askmehelpdesk.com/forumdisplay.php?f=477)
- - Hidden driver, rootkit? C:\WINDOWS\System32\Drivers\adojzhcu.SYS (https://www.askmehelpdesk.com/showthread.php?t=218703)

  • May 22, 2008, 10:54 AM
    Hartlieb
    Hidden driver, rootkit? C:\WINDOWS\System32\Drivers\adojzhcu.SYS
    This was missed with Kaspersky Anti-Virus 7.0 (version 7.0.1.321) and TrojanHunter 5.0. I found it, if it is a rootkit, running AVG Anti-Rootkit Free. After it was found and erased the first time, when the computer was restarted it was there again, only with a different ending to the file. It did the same the third time it was erased. My guess is there is something in there re-installing it on startup every time, and it changes itself to be missed? Here is the starting name of the file, with the change at the end every time I erased it. It would also change the ending if the computer is just restarted. It's called a Hidden Driver File by AVG Anti-Rootkit Free. All of the capitals and lower cases are how it was listed.

    C:\WINDOWS\System32\Drivers\adojzhcu.SYS
    C:\WINDOWS\System32\Drivers\amujjg5a.SYS
    C:\WINDOWS\System32\Drivers\aianq1zc.SYS

    If I check it again, I am guessing it will still be there just with a different ending. I can send you a Hijackthis scan file or anything else that you need. You build a great AV system and I hope this helps you make it better as well as helping me get rid of it, if it is bad.

    Thanks for your time

    Matt
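    The behaviour described in this post (a driver the normal directory listing does not show, reported under a fresh random name after every removal or reboot) is what anti-rootkit tools look for with a cross-view comparison. The following is an added example, not code from the thread or from AVG: it assumes two listings per scan run, one from the ordinary directory API and one from a raw read of the volume, and uses the three driver names from the post plus a few constructed filler names as sample input.

```python
import re
from collections import Counter

# Constructed sample data (not real scan output): abbreviated listings of
# C:\WINDOWS\System32\Drivers from three successive runs, with a removal
# and reboot between runs. Filler names are ordinary Windows drivers.
API_LISTINGS = [
    ["ntfs.sys", "tcpip.sys", "kbdclass.sys"],
    ["ntfs.sys", "tcpip.sys", "kbdclass.sys"],
    ["ntfs.sys", "tcpip.sys", "kbdclass.sys"],
]
# Assumption: the tool also reads the directory without going through the
# normal file API. Names present here but absent above are "hidden".
RAW_LISTINGS = [
    ["ntfs.sys", "tcpip.sys", "kbdclass.sys", "adojzhcu.SYS"],
    ["ntfs.sys", "tcpip.sys", "kbdclass.sys", "amujjg5a.SYS"],
    ["ntfs.sys", "tcpip.sys", "kbdclass.sys", "aianq1zc.SYS"],
]

# Eight lower-case letters/digits followed by an upper-case .SYS, the shape of
# every name in the post. Shipped Windows drivers normally use lower-case .sys
# and a readable name, so this is a heuristic, not proof of malice.
RANDOM_NAME = re.compile(r"^[a-z0-9]{8}\.SYS$")


def hidden_entries(api_listing, raw_listing):
    """Cross-view difference: names a raw read shows but the directory API
    does not. This is the check behind a 'hidden driver file' verdict."""
    return sorted(set(raw_listing) - set(api_listing))


def looks_random(name):
    """True when the file name matches the random eight-character pattern."""
    return RANDOM_NAME.match(name) is not None


def regenerating_hidden_drivers(api_listings, raw_listings):
    """Across several runs, collect hidden, random-looking names that never
    repeat. Exactly one such name per run, never the same twice, is the
    pattern of a driver re-dropped under a new name after each removal."""
    per_run = [hidden_entries(a, r) for a, r in zip(api_listings, raw_listings)]
    counts = Counter(name for run in per_run for name in run)
    one_offs = sorted(n for n, c in counts.items() if c == 1 and looks_random(n))
    regenerating = (
        all(len(run) == 1 and looks_random(run[0]) for run in per_run)
        and len(one_offs) == len(per_run)
    )
    return {"per_run": per_run, "one_off_random": one_offs, "regenerating": regenerating}


if __name__ == "__main__":
    result = regenerating_hidden_drivers(API_LISTINGS, RAW_LISTINGS)
    for i, run in enumerate(result["per_run"], 1):
        print(f"run {i}: hidden = {run}")
    print("regenerating random-named hidden driver:", result["regenerating"])
```

Deleting the file alone does not help in this pattern, because whatever re-creates it on boot is still present; the useful evidence is the set of names over time and the cross-view gap, which is what a HijackThis-style log reviewer would want to see.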
  • May 23, 2008, 11:46 AM
    invisibleman_productions
    Please run all the 5 steps listed here
    Especially a complete scan with Dr. Web
  • May 23, 2008, 09:47 PM
    Hartlieb
    I did the scans with all 5. There were a few spy and ad files found and deleted that I have seen before. A complete scan of Dr. Web came up with these. They were unable to be cured and were put in quarantine. I did not put the Q file in a certain place so I will have to find it if need be.

    A0075695.exe;C:\System Volume Information\_restore{80DED19E-4EB2-4BBA-94DE-BE7FE31173DD}\RP435;Probably DLOADER.Trojan;;
    A0077578.exe;C:\System Volume Information\_restore{80DED19E-4EB2-4BBA-94DE-BE7FE31173DD}\RP455;Probably DLOADER.Trojan;;
    A0100831.exe;C:\System Volume Information\_restore{80DED19E-4EB2-4BBA-94DE-BE7FE31173DD}\RP571;Probably BACKDOOR.Trojan;;
    A0100832.exe;C:\System Volume Information\_restore{80DED19E-4EB2-4BBA-94DE-BE7FE31173DD}\RP571;Probably BACKDOOR.Trojan;;
    A0100905.exe;C:\System Volume Information\_restore{80DED19E-4EB2-4BBA-94DE-BE7FE31173DD}\RP572;Probably DLOADER.Trojan;;
    A0102255.bat;C:\System Volume Information\_restore{80DED19E-4EB2-4BBA-94DE-BE7FE31173DD}\RP573;Probably SCRIPT.Virus;;
    A0102470.bat;C:\System Volume Information\_restore{80DED19E-4EB2-4BBA-94DE-BE7FE31173DD}\RP575;Probably SCRIPT.Virus;;

    One more scan of AVG Anti-Rootkit found this again but changed

    C:\WINDOWS\System32\Drivers\aj2g55og.SYS

    I will be reading the links on how to prevent this stuff in the future while I await your reply on what to do next.

    Thanks for your help
  • May 25, 2008, 07:07 AM
    invisibleman_productions
    The incurable are stored in your system restore folder >>C:\System Volume Information\_restore

    To remove them you need to turn off your system restore and then turn it back on

    As you have run all 5 steps, you need to visit the HijackThis Logs and Analysis forum (SWI Forums -> Malware Removal) and let the HijackThis experts take a look at what's happening on your computer
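    The Dr. Web lines posted two messages up are semicolon-separated records of the form `file;folder;verdict;;`, and every folder in them is a System Restore snapshot (`_restore{GUID}\RPnnn`), which is why the reply above says toggling System Restore clears them. The script below is an added example, not Dr. Web's or the forum's own code: it parses that report format, pulls out the restore point number, and separates snapshot copies from any finding that lives outside a restore point and would need separate attention. The report text is the seven lines from the thread, embedded as sample input; the regular expression for the restore-point path is an assumption based on those lines.

```python
import re
from collections import Counter

# Sample input: the seven lines Dr. Web reported in the thread (raw string so
# the backslashes survive as written).
REPORT = r"""A0075695.exe;C:\System Volume Information\_restore{80DED19E-4EB2-4BBA-94DE-BE7FE31173DD}\RP435;Probably DLOADER.Trojan;;
A0077578.exe;C:\System Volume Information\_restore{80DED19E-4EB2-4BBA-94DE-BE7FE31173DD}\RP455;Probably DLOADER.Trojan;;
A0100831.exe;C:\System Volume Information\_restore{80DED19E-4EB2-4BBA-94DE-BE7FE31173DD}\RP571;Probably BACKDOOR.Trojan;;
A0100832.exe;C:\System Volume Information\_restore{80DED19E-4EB2-4BBA-94DE-BE7FE31173DD}\RP571;Probably BACKDOOR.Trojan;;
A0100905.exe;C:\System Volume Information\_restore{80DED19E-4EB2-4BBA-94DE-BE7FE31173DD}\RP572;Probably DLOADER.Trojan;;
A0102255.bat;C:\System Volume Information\_restore{80DED19E-4EB2-4BBA-94DE-BE7FE31173DD}\RP573;Probably SCRIPT.Virus;;
A0102470.bat;C:\System Volume Information\_restore{80DED19E-4EB2-4BBA-94DE-BE7FE31173DD}\RP575;Probably SCRIPT.Virus;;
"""

# Assumed shape of a Windows XP restore-point folder, derived from the lines
# above: <drive>:\System Volume Information\_restore{<GUID>}\RP<number>
RESTORE_POINT = re.compile(
    r"^[A-Za-z]:\\System Volume Information\\_restore\{[0-9A-Fa-f-]+\}\\RP(\d+)$"
)


def parse_report(text):
    """Turn 'file;folder;verdict;;' lines into dicts; blank lines are skipped."""
    records = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        fields = line.split(";")
        if len(fields) < 3:
            raise ValueError(f"unexpected report line: {line!r}")
        name, folder, verdict = fields[0], fields[1], fields[2]
        match = RESTORE_POINT.match(folder)
        records.append({
            "name": name,
            "folder": folder,
            "verdict": verdict,
            "restore_point": int(match.group(1)) if match else None,
        })
    return records


def summarize(records):
    """Separate restore-point copies (cleared by turning System Restore off
    and back on) from live files, and tally the verdicts."""
    in_rp = [r for r in records if r["restore_point"] is not None]
    live = [r for r in records if r["restore_point"] is None]
    return {
        "total": len(records),
        "restore_point_copies": len(in_rp),
        "live_files": [r["name"] for r in live],
        "restore_points": sorted({r["restore_point"] for r in in_rp}),
        "verdicts": dict(Counter(r["verdict"] for r in records)),
    }


if __name__ == "__main__":
    summary = summarize(parse_report(REPORT))
    print(f"{summary['restore_point_copies']} of {summary['total']} findings are "
          f"restore-point copies in RP {summary['restore_points']}")
    print("live files needing separate attention:", summary["live_files"] or "none")
    print("verdicts:", summary["verdicts"])
```

The `A00nnnnn.exe` names are how System Restore renames files it snapshots, so these are copies of something that was once on the live system; an empty `live_files` list says only that the scanner found no current copy, not that the original dropper is gone, which is consistent with the randomly named driver still reappearing.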
  • May 25, 2008, 02:26 PM
    Hartlieb
    Yes, I did that after reading the link you had for prevention and AV scans. I will be contacting the Hijack This forum now. Thanks for the help.
  • May 25, 2008, 03:18 PM
    junglenutz123
    Quote:

    Originally Posted by Hartlieb
    This was missed with Kaspersky Anti-Virus 7.0 (version 7.0.1.321) and TrojanHunter 5.0. I found it, if it is a rootkit, running AVG Anti-Rootkit Free. After it was found and erased the first time, when the computer was restarted it was there again, only with a different ending to the file. It did the same the third time it was erased. My guess is there is something in there re-installing it on startup every time, and it changes itself to be missed? Here is the starting name of the file, with the change at the end every time I erased it. It would also change the ending if the computer is just restarted. It's called a Hidden Driver File by AVG Anti-Rootkit Free. All of the capitals and lower cases are how it was listed.

    C:\WINDOWS\System32\Drivers\adojzhcu.SYS
    C:\WINDOWS\System32\Drivers\amujjg5a.SYS
    C:\WINDOWS\System32\Drivers\aianq1zc.SYS

    If I check it again, I am guessing it will still be there just with a different ending. I can send you a Hijackthis scan file or anything else that you need. You build a great AV system and I hope this helps you make it better as well as helping me get rid of it, if it is bad.

    Thanks for your time

    Matt

    I would just go in and reformat your whole hard drive, if you have the operating system to install onto it. That would be your best bet, without killing too much time
  • May 25, 2008, 11:26 PM
    Hartlieb
    He, he... that was one of the things I was thinking of doing. You have any idea what this stuff could be? Because that is probably what is going to happen...
