    Hartlieb Posts: 4, Reputation: 1
    New Member
    #1

    May 22, 2008, 10:54 AM
    Hidden driver, rootkit? C:\WINDOWS\System32\Drivers\adojzhcu.SYS
    This was missed with Kaspersky Anti-Virus 7.0 (version 7.0.1.321) and Trojanhunter 5.0. I found it, if it is a rootkit, running AVG Anti-Rootkit Free. After it was found and erased the first time, when the computer was restarted it was there again, only with a different ending to the file. It did the same the third time it was erased. My guess is there is something in there re-installing it on startup every time, and it changes itself to be missed? Here is the starting name of the file, with the change at the end every time I erased it. It would also change the ending if the computer is just restarted. It's called a Hidden Driver File by AVG Anti-Rootkit Free. All of the capitals and lower cases are how it was listed.

    C:\WINDOWS\System32\Drivers\adojzhcu.SYS
    C:\WINDOWS\System32\Drivers\amujjg5a.SYS
    C:\WINDOWS\System32\Drivers\aianq1zc.SYS

    If I check it again, I am guessing it will still be there just with a different ending. I can send you a Hijackthis scan file or anything else that you need. You build a great AV system and I hope this helps you make it better as well as helping me get rid of it, if it is bad.

    Thanks for your time

    Matt
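An added triage example (not code from any poster or from AVG, Kaspersky or Dr.Web): the symptom described above is a driver in System32\Drivers that comes back after every reboot under a fresh eight-character name. The script below takes the four paths reported in this thread, flags names that fit that pattern and are not on a known-good list, and checks across successive scans whether the same directory keeps producing a new random name. The BASELINE allowlist is an assumption for illustration; a real one would come from a clean install of the same Windows version or a signed-driver inventory. A hit means "inspect this file", not "this is malware".

```python
import re
from collections import defaultdict

# Hidden-driver paths reported in this thread by AVG Anti-Rootkit (post #1 and post #3).
OBSERVED = [
    r"C:\WINDOWS\System32\Drivers\adojzhcu.SYS",
    r"C:\WINDOWS\System32\Drivers\amujjg5a.SYS",
    r"C:\WINDOWS\System32\Drivers\aianq1zc.SYS",
    r"C:\WINDOWS\System32\Drivers\aj2g55og.SYS",
]

# Illustrative allowlist (assumption): a real baseline would be built from a clean
# install of the same Windows version or from a signed-driver inventory.
BASELINE = {"ntfs.sys", "tcpip.sys", "disk.sys", "atapi.sys", "afd.sys"}

# Splits "...\system32\drivers\<name>" into directory and file name (case-insensitive).
DRIVER_DIR_RE = re.compile(r"^(?P<dir>.*\\system32\\drivers)\\(?P<name>[^\\]+)$", re.IGNORECASE)
# Eight lowercase alphanumerics plus .sys, like the names observed in the thread.
RANDOM_NAME_RE = re.compile(r"^[a-z0-9]{8}\.sys$")


def split_driver_path(path):
    """Return (directory, filename) lower-cased if path is inside System32\\Drivers, else None."""
    m = DRIVER_DIR_RE.match(path)
    if not m:
        return None
    return m.group("dir").lower(), m.group("name").lower()


def looks_like_random_driver(path, baseline=BASELINE):
    """Triage heuristic: an 8-character alphanumeric .sys name in the driver directory
    that is not on the baseline. A hit means 'inspect', not 'malicious'."""
    parts = split_driver_path(path)
    if parts is None:
        return False
    _, name = parts
    return name not in baseline and RANDOM_NAME_RE.match(name) is not None


def regenerating_drivers(scans, baseline=BASELINE):
    """scans: one list of reported paths per reboot. Returns {directory: [names]} for
    directories where every scan shows a random-looking driver and the name never
    repeats, i.e. the reinstall-on-startup-with-a-new-name behaviour described above."""
    if len(scans) < 2:
        return {}
    per_dir = defaultdict(list)
    for idx, paths in enumerate(scans):
        for path in paths:
            if looks_like_random_driver(path, baseline):
                directory, name = split_driver_path(path)
                per_dir[directory].append((idx, name))
    result = {}
    for directory, hits in per_dir.items():
        scans_seen = {idx for idx, _ in hits}
        names = [name for _, name in hits]
        if len(scans_seen) == len(scans) and len(set(names)) == len(names):
            result[directory] = names
    return result


if __name__ == "__main__":
    for p in OBSERVED:
        print(p, "->", looks_like_random_driver(p))
    # Treat each observed path as the result of one reboot/scan cycle.
    print(regenerating_drivers([[p] for p in OBSERVED]))
```

The name pattern alone will also match some legitimate eight-letter drivers, which is why the baseline check and the across-reboot check matter more than the regex: a file that is present after every restart but never under the same name is the behaviour worth escalating, and the final verdict should come from the file's signature and a clean-boot inspection rather than from its name.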
    invisibleman_productions Posts: 207, Reputation: 12
    Full Member
    #2

    May 23, 2008, 11:46 AM
    Please run all the 5 steps listed here, especially a complete scan with Dr.Web.
    Hartlieb Posts: 4, Reputation: 1
    New Member
    #3

    May 23, 2008, 09:47 PM
    I did the scans with all 5. There were a few spy and ad files found and deleted that I have seen before. A complete scan of Dr.Web came up with these. They were unable to be cured and were put in quarantine. I did not put the quarantine file in a certain place, so I will have to find it if need be.

    A0075695.exe;C:\System Volume Information\_restore{80DED19E-4EB2-4BBA-94DE-BE7FE31173DD}\RP435;Probably DLOADER.Trojan;;
    A0077578.exe;C:\System Volume Information\_restore{80DED19E-4EB2-4BBA-94DE-BE7FE31173DD}\RP455;Probably DLOADER.Trojan;;
    A0100831.exe;C:\System Volume Information\_restore{80DED19E-4EB2-4BBA-94DE-BE7FE31173DD}\RP571;Probably BACKDOOR.Trojan;;
    A0100832.exe;C:\System Volume Information\_restore{80DED19E-4EB2-4BBA-94DE-BE7FE31173DD}\RP571;Probably BACKDOOR.Trojan;;
    A0100905.exe;C:\System Volume Information\_restore{80DED19E-4EB2-4BBA-94DE-BE7FE31173DD}\RP572;Probably DLOADER.Trojan;;
    A0102255.bat;C:\System Volume Information\_restore{80DED19E-4EB2-4BBA-94DE-BE7FE31173DD}\RP573;Probably SCRIPT.Virus;;
    A0102470.bat;C:\System Volume Information\_restore{80DED19E-4EB2-4BBA-94DE-BE7FE31173DD}\RP575;Probably SCRIPT.Virus;;

    One more scan of AVG Anti-Rootkit found this again, but changed:

    C:\WINDOWS\System32\Drivers\aj2g55og.SYS

    I will be reading the links on how to prevent this stuff in the future while I await your reply on what to do next.

    Thanks for your help
    invisibleman_productions Posts: 207, Reputation: 12
    Full Member
    #4

    May 25, 2008, 07:07 AM
    The incurable ones are stored in your System Restore folder: C:\System Volume Information\_restore

    To remove them you need to turn off your System Restore and then turn it back on.

    As you have run all 5 steps, you need to visit the HijackThis Logs and Analysis forum (SWI Forums -> Malware Removal) and let the HijackThis experts take a look at what's happening on your computer.
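An added example (not code from any poster or from Dr.Web) that puts the two posts above together: Dr.Web's report lines in post #3 are semicolon-separated (file;location;detection;;), and every location sits under C:\System Volume Information\_restore{GUID}\RPnnn, which is where Windows keeps restore-point copies of files. The parser below reads those lines, tells restore-point copies apart from files in live locations, and summarises by restore point and detection name, so you can see at a glance whether the "incurable" findings are all handled by the turn-System-Restore-off-and-on advice or whether any live file still needs attention. The report text is the thread's own; the one live-file line in the usage check is constructed.

```python
import re
from collections import Counter

# Dr.Web report lines exactly as pasted in post #3 (format: file;location;detection;;).
REPORT = r"""A0075695.exe;C:\System Volume Information\_restore{80DED19E-4EB2-4BBA-94DE-BE7FE31173DD}\RP435;Probably DLOADER.Trojan;;
A0077578.exe;C:\System Volume Information\_restore{80DED19E-4EB2-4BBA-94DE-BE7FE31173DD}\RP455;Probably DLOADER.Trojan;;
A0100831.exe;C:\System Volume Information\_restore{80DED19E-4EB2-4BBA-94DE-BE7FE31173DD}\RP571;Probably BACKDOOR.Trojan;;
A0100832.exe;C:\System Volume Information\_restore{80DED19E-4EB2-4BBA-94DE-BE7FE31173DD}\RP571;Probably BACKDOOR.Trojan;;
A0100905.exe;C:\System Volume Information\_restore{80DED19E-4EB2-4BBA-94DE-BE7FE31173DD}\RP572;Probably DLOADER.Trojan;;
A0102255.bat;C:\System Volume Information\_restore{80DED19E-4EB2-4BBA-94DE-BE7FE31173DD}\RP573;Probably SCRIPT.Virus;;
A0102470.bat;C:\System Volume Information\_restore{80DED19E-4EB2-4BBA-94DE-BE7FE31173DD}\RP575;Probably SCRIPT.Virus;;
"""

# Matches the System Restore layout: _restore{<volume GUID>}\RP<restore point number>.
RESTORE_RE = re.compile(
    r"\\System Volume Information\\_restore\{(?P<guid>[0-9A-Fa-f-]+)\}\\RP(?P<rp>\d+)",
    re.IGNORECASE,
)


def parse_report(text):
    """Parse Dr.Web-style 'file;location;detection;;' lines into dicts."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        fields = line.split(";")
        if len(fields) < 3:
            continue  # not a report line
        name, location, detection = fields[0], fields[1], fields[2]
        m = RESTORE_RE.search(location)
        entries.append({
            "file": name,
            "location": location,
            "detection": detection,
            "restore_guid": m.group("guid") if m else None,
            "restore_point": int(m.group("rp")) if m else None,
        })
    return entries


def classify(entry):
    """Restore-point copies go away with System Restore; live files need real cleanup."""
    return "restore_point_copy" if entry["restore_point"] is not None else "live_file"


def live_entries(entries):
    return [e for e in entries if classify(e) == "live_file"]


def summarize(entries):
    kinds = Counter(classify(e) for e in entries)
    rps = sorted({e["restore_point"] for e in entries if e["restore_point"] is not None})
    return {
        "total": len(entries),
        "in_restore_points": kinds["restore_point_copy"],
        "live": kinds["live_file"],
        "restore_points": rps,
        "by_detection": Counter(e["detection"] for e in entries),
    }


if __name__ == "__main__":
    entries = parse_report(REPORT)
    print(summarize(entries))
    # Constructed extra line (not from the thread) showing how a live file is reported.
    extra = REPORT + r"sample.exe;C:\WINDOWS\system32\sample.exe;Probably BACKDOOR.Trojan;;"
    print([e["file"] for e in live_entries(parse_report(extra))])
```

On the thread's own report every entry is a restore-point copy spanning RP435 through RP575 and nothing is in a live location, which is exactly the case the "turn System Restore off and on" advice covers; if live_entries returned anything, that file would be the one to hand to the HijackThis forum.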
    Hartlieb Posts: 4, Reputation: 1
    New Member
    #5

    May 25, 2008, 02:26 PM
    Yes, I did that after reading the link you had for prevention and AV scans. I will be contacting the HijackThis forum now. Thanks for the help.
    junglenutz123 Posts: 16, Reputation: 1
    New Member
    #6

    May 25, 2008, 03:18 PM
    Quote Originally Posted by Hartlieb
    This was missed with Kaspersky Anti-Virus 7.0 (version 7.0.1.321) and Trojanhunter 5.0. I found it, if it is a rootkit, running AVG Anti-Rootkit Free. After it was found and erased the first time, when the computer was restarted it was there again, only with a different ending to the file. It did the same the third time it was erased. My guess is there is something in there re-installing it on startup every time, and it changes itself to be missed? Here is the starting name of the file, with the change at the end every time I erased it. It would also change the ending if the computer is just restarted. It's called a Hidden Driver File by AVG Anti-Rootkit Free. All of the capitals and lower cases are how it was listed.

    C:\WINDOWS\System32\Drivers\adojzhcu.SYS
    C:\WINDOWS\System32\Drivers\amujjg5a.SYS
    C:\WINDOWS\System32\Drivers\aianq1zc.SYS

    If I check it again, I am guessing it will still be there just with a different ending. I can send you a Hijackthis scan file or anything else that you need. You build a great AV system and I hope this helps you make it better as well as helping me get rid of it, if it is bad.

    Thanks for your time

    Matt
    I would just go in and reformat your whole hard drive, if you have the operating system to install onto it. That would be your best bet, without killing too much time.
    Hartlieb Posts: 4, Reputation: 1
    New Member
    #7

    May 25, 2008, 11:26 PM
    Heh, heh... that was one of the things I was thinking of doing. Do you have any idea what this stuff could be? Because that is probably what is going to happen...
