
Possible Duplicate:
How do I get rid of malicious spyware, malware, viruses or rootkits from my PC?

I was looking for root kits following these instructions http://computersight.com/software/how-to-manually-remove-rootkit/ and saw this in my boot log:

Loaded driver \SystemRoot\System32\Drivers\awhk9fmc.SYS

I tried to search for that filename in Google but there was absolutely nothing found. I tried to look at the file on the disk but could not find it. Nearly every other file is there. I even tried to boot in Windows 98 and mount the NTFS and see the file, but it still wasn't there. I ran a full scan with Microsoft Security Essentials but it found nothing. When I rebooted, I saw this line instead:

Loaded driver \SystemRoot\System32\Drivers\a6n163gl.SYS

  1. How can I remove this?
  2. How can I find out what it does?
  3. How can I find out when it was put in?
  4. How can I find out who wrote it?

Here is my full boot log:

Service Pack 3 10 31 2012 17:35:36.500
Loaded driver \WINDOWS\system32\ntoskrnl.exe
Loaded driver \WINDOWS\system32\hal.dll
Loaded driver \WINDOWS\system32\KDCOM.DLL
Loaded driver \WINDOWS\system32\BOOTVID.dll
Loaded driver sptd.sys
Loaded driver ACPI.sys
Loaded driver \WINDOWS\system32\DRIVERS\WMILIB.SYS
Loaded driver pci.sys
Loaded driver isapnp.sys
Loaded driver pciide.sys
Loaded driver \WINDOWS\system32\DRIVERS\PCIIDEX.SYS
Loaded driver MountMgr.sys
Loaded driver ftdisk.sys
Loaded driver PartMgr.sys
Loaded driver VolSnap.sys
Loaded driver atapi.sys
Loaded driver disk.sys
Loaded driver \WINDOWS\system32\DRIVERS\CLASSPNP.SYS
Loaded driver fltmgr.sys
Loaded driver sr.sys
Loaded driver MpFilter.sys
Loaded driver KSecDD.sys
Loaded driver WudfPf.sys
Loaded driver Ntfs.sys
Loaded driver NDIS.sys
Loaded driver uagp35.sys
Loaded driver Mup.sys
Loaded driver \SystemRoot\system32\DRIVERS\amdk7.sys
Loaded driver \SystemRoot\system32\DRIVERS\sisgrp.sys
Loaded driver \SystemRoot\system32\DRIVERS\i8042prt.sys
Loaded driver \SystemRoot\system32\DRIVERS\mouclass.sys
Loaded driver \SystemRoot\system32\DRIVERS\kbdclass.sys
Loaded driver \SystemRoot\system32\DRIVERS\imapi.sys
Loaded driver \SystemRoot\system32\DRIVERS\cdrom.sys
Loaded driver \SystemRoot\system32\DRIVERS\redbook.sys
Loaded driver \SystemRoot\system32\DRIVERS\GEARAspiWDM.sys
Loaded driver \SystemRoot\system32\drivers\cmuda.sys
Loaded driver \SystemRoot\system32\DRIVERS\usbohci.sys
Loaded driver \SystemRoot\system32\DRIVERS\usbehci.sys
Loaded driver \SystemRoot\system32\DRIVERS\sisnicxp.sys
Loaded driver \SystemRoot\System32\Drivers\avzk9sf5.SYS
Loaded driver \SystemRoot\system32\DRIVERS\fdc.sys
Loaded driver \SystemRoot\system32\DRIVERS\serial.sys
Loaded driver \SystemRoot\system32\DRIVERS\serenum.sys
Loaded driver \SystemRoot\system32\DRIVERS\parport.sys
Loaded driver \SystemRoot\system32\DRIVERS\gameenum.sys
Loaded driver \SystemRoot\system32\DRIVERS\serscan.sys
Loaded driver \SystemRoot\system32\drivers\DrmCAudio.sys
Loaded driver \SystemRoot\system32\DRIVERS\audstub.sys
Loaded driver \SystemRoot\system32\DRIVERS\rasl2tp.sys
Loaded driver \SystemRoot\system32\DRIVERS\ndistapi.sys
Loaded driver \SystemRoot\system32\DRIVERS\ndiswan.sys
Loaded driver \SystemRoot\system32\DRIVERS\raspppoe.sys
Loaded driver \SystemRoot\system32\DRIVERS\raspptp.sys
Loaded driver \SystemRoot\system32\DRIVERS\msgpc.sys
Loaded driver \SystemRoot\system32\DRIVERS\psched.sys
Loaded driver \SystemRoot\system32\DRIVERS\ptilink.sys
Loaded driver \SystemRoot\system32\DRIVERS\raspti.sys
Loaded driver \SystemRoot\system32\DRIVERS\tap0901.sys
Loaded driver \SystemRoot\system32\DRIVERS\termdd.sys
Loaded driver \SystemRoot\system32\DRIVERS\swenum.sys
Loaded driver \SystemRoot\system32\DRIVERS\update.sys
Loaded driver \SystemRoot\system32\DRIVERS\mssmbios.sys
Loaded driver \SystemRoot\system32\DRIVERS\dtsoftbus01.sys
Loaded driver \SystemRoot\System32\Drivers\NDProxy.SYS
Did not load driver \SystemRoot\System32\Drivers\NDProxy.SYS
Loaded driver \SystemRoot\system32\DRIVERS\usbhub.sys
Loaded driver \SystemRoot\system32\DRIVERS\flpydisk.sys
Did not load driver \SystemRoot\System32\Drivers\lbrtfdc.SYS
Did not load driver \SystemRoot\System32\Drivers\Sfloppy.SYS
Did not load driver \SystemRoot\System32\Drivers\i2omgmt.SYS
Did not load driver \SystemRoot\System32\Drivers\Changer.SYS
Did not load driver \SystemRoot\System32\Drivers\Cdaudio.SYS
Loaded driver \SystemRoot\System32\Drivers\Fs_Rec.SYS
Loaded driver \SystemRoot\System32\Drivers\Null.SYS
Loaded driver \SystemRoot\System32\Drivers\Beep.SYS
Loaded driver \SystemRoot\System32\drivers\vga.sys
Loaded driver \SystemRoot\System32\Drivers\mnmdd.SYS
Loaded driver \SystemRoot\System32\DRIVERS\RDPCDD.sys
Loaded driver \SystemRoot\System32\Drivers\Msfs.SYS
Loaded driver \SystemRoot\System32\Drivers\Npfs.SYS
Loaded driver \SystemRoot\system32\DRIVERS\rasacd.sys
Loaded driver \SystemRoot\system32\DRIVERS\ipsec.sys
Loaded driver \SystemRoot\system32\DRIVERS\tcpip.sys
Loaded driver \SystemRoot\system32\DRIVERS\netbt.sys
Loaded driver \SystemRoot\System32\drivers\afd.sys
Loaded driver \SystemRoot\system32\DRIVERS\netbios.sys
Did not load driver \SystemRoot\System32\Drivers\PCIDump.SYS
Loaded driver \SystemRoot\system32\DRIVERS\srvkp.sys
Loaded driver \SystemRoot\system32\DRIVERS\rdbss.sys
Loaded driver \SystemRoot\system32\DRIVERS\mrxsmb.sys
Loaded driver 
Loaded driver \SystemRoot\system32\DRIVERS\ipnat.sys
Loaded driver \SystemRoot\system32\DRIVERS\wanarp.sys
Loaded driver \SystemRoot\System32\Drivers\Fips.SYS
Loaded driver \SystemRoot\system32\DRIVERS\ctxusbm.sys
Loaded driver \??\C:\WINDOWS\system32\drivers\cbfs3.sys
Loaded driver \SystemRoot\System32\Drivers\Fastfat.SYS
Loaded driver \SystemRoot\System32\Drivers\Cdfs.SYS
Did not load driver \SystemRoot\system32\DRIVERS\rdbss.sys
Did not load driver \SystemRoot\system32\DRIVERS\mrxsmb.sys
Loaded driver \SystemRoot\system32\drivers\wdmaud.sys
Loaded driver \SystemRoot\system32\drivers\sysaudio.sys
Loaded driver \SystemRoot\system32\drivers\splitter.sys
Loaded driver \SystemRoot\system32\drivers\aec.sys
Loaded driver \SystemRoot\system32\drivers\swmidi.sys
Loaded driver \SystemRoot\system32\drivers\DMusic.sys
Loaded driver \SystemRoot\system32\drivers\kmixer.sys
Loaded driver \SystemRoot\system32\drivers\drmkaud.sys
Loaded driver \SystemRoot\system32\DRIVERS\mrxdav.sys
Loaded driver \SystemRoot\System32\Drivers\ParVdm.SYS
Did not load driver \SystemRoot\System32\Drivers\StarOpen.SYS
Loaded driver \SystemRoot\system32\DRIVERS\srv.sys
Did not load driver \SystemRoot\system32\DRIVERS\ipnat.sys
Loaded driver \SystemRoot\System32\Drivers\HTTP.sys
  • The general answer to the question in your title would be: superuser.com/questions/100360/…
    – Hennes
    Commented Oct 31, 2012 at 23:06
  • Nuke it from orbit. It is the only way to be sure.
    – Zoredache
    Commented Oct 31, 2012 at 23:39
  • @Hennes That didn't work. Step 1, Windows Defender, wouldn't download. It kept giving me an error during download install step 1. I tried it on two different computers.
    – Chloe
    Commented Nov 1, 2012 at 1:30
  • What is your goal? You stated 4 points in the question. 1) Removal is easy. 2) Finding out what it does is hard. 3) When it was put in may require backups to compare between. 4) If it is a virus: probably never. If you indicate what your main answer is you might get an answer to that. As it stands the question is rather broad.
    – Hennes
    Commented Nov 1, 2012 at 1:37
  • @Hennes First goal #1. Then we can discuss the others.
    – Chloe
    Commented Nov 1, 2012 at 1:44

2 Answers


It's a serious pain in the rear to do. There are tools specifically designed to detect rootkits; GMER and RootkitRevealer come to mind. The files you're seeing are obviously not the rootkit themselves; they might be generated by another, actually hidden file. These tools would detect the rootkit, used properly. Removing it, though, is difficult, and these tools need some expertise to use.

First of all, your system is compromised. There's probably no real reason not to nuke and pave it. However, let's assume hypothetically you wanted to investigate what this is. Rootkits hook into the OS itself to hide themselves. In addition to the previously mentioned tools, you could use a virus rescue live CD to scan the system; Microsoft System Sweeper comes to mind, but there are others.

I'd then suggest going in with a Linux live CD and copying out any files you would mind losing, then booting back into Windows. Do an AV scan again just to see what that turns up.

Then of course reinstallation is the smart choice here.

  • That link didn't work: connect.microsoft.com/systemsweeper "Page Not Found The content that you requested cannot be found or you do not have permission to view it. If you believe you have reached this page in error, click the Help link at the top of the page to report the issue and include this ID in your e-mail: d59c6166-c614-40ef-9a03-d9df1424b155 "
    – Chloe
    Commented Nov 1, 2012 at 21:55
  • I don't consider nuking to be a practical solution. How do I remove it manually? Where does Windows keep the list of drivers to load?
    – Chloe
    Commented Nov 1, 2012 at 21:59
  • Rootkit Revealer stopped development in 2006. It is not recommended. forum.sysinternals.com/…
    – Chloe
    Commented Nov 2, 2012 at 4:34
  • Ran Autoruns in Safemode and turned off anything odd. Problem was sptd.sys which is signed and comes with Daemon Tools which spawns a random .sys later.
    – Chloe
    Commented Nov 2, 2012 at 7:17

OK, primary goal:

How can I remove this?

The only guaranteed way is to Nuke it from orbit. Reformat and reinstall.

There might be more subtle ways to remove it, but unless you know precisely what you are dealing with you cannot be sure. Which means you never should use that PC for banking. No more online shopping with credit card numbers etc.

Unless you have a known good backup this is a bloody annoying thing to do. But it is the only way to be safe.

I suggest making a copy of the HDD first. You can do that in a lot of ways. E.g. an image tool such as Acronis, Ghost, Clonezilla. Which will allow you to return to the state you are in now. A plain copy to an external drive is easier, but do not assume that copying everything back will restore the old windows install (esp. not if the external disk is FAT32 formatted). A nice third option is to make a VMDK (vmware disk) or a VHD from the disk (Tools for that here on technet and here for Vmware).

Then wipe completely. Reinstall from a clean image. Do not try to restore any files yet. Install network drivers if needed. Then update windows completely.

Now would be a good time to make another system image. Hopefully you will never have to do this again, but if you do it will save you a lot of time.

Install drivers. Download them from a known safe source. Install and update antivirus.

Now we have a safe system and you can start to analyse the backups you took in the beginning. Run a virus scan of them. If it gets identified it might just give you the answer you are looking for.

If not, setup a virtual machine (without network). Restore the system image to that. Then install debug tools such as process explorer, Rootkitrevealer and GMER.

Now you are ready to answer your second question.

How can I find out when it was put in?

If it is spyware, trojan, virus or otherwise 'evil': you can not rely on the infected system. You will need to check the infected system with a previous backup. Unless you have a lot of regular backups this will probably not succeed.

If it is just 'normal' software, then there might be dates in the log files and on the files themselves.

How can I find out who wrote it?

If it is a virus or similar: you cannot. If it is legally written software it belongs to a program or driver. Those should come with information. Sadly, often a driver is written by "fill in your name here".

  • How can I do it the subtle way? Where does Windows keep a list of drivers that it loads? I could not run Windows Defender; It gave an error #0D when trying to boot off CD, and would not boot off USB. I ran Kaspersky 10 and it only found Trojan-Dropper.Win32.injector in a file in C:\System Volume Information. However when I boot normally, the random .sys file is still in the boot log. I do have a backup of \Documents and Settings only.
    – Chloe
    Commented Nov 1, 2012 at 21:48
  • Reread superuser.com/questions/100360/… Then, on a PC that is not infected, create a boot disk or connect the infected drive. Scan the drive and remove all the malware you find. Use several programs to do this. Then boot safe mode (which causes minimal drivers to be loaded) and use msconfig to set 'bootlog' (2nd tab from left). Reboot. Examine the log in c:/windows/nbtlog.txt. That is just the first part, but start with that.
    – Hennes
    Commented Nov 1, 2012 at 21:59
  • I already read that. I did create the CD on a laptop and it boots there. Windows Defender just sucks. I ran RootkitRevealer and GMER, but they were little help. I ran Autoruns in safe mode and turned on the Verified option and turned off the Hide Windows option and deselected everything that was odd. The problem was caused by sptd.sys (SCSI Pass Through Device), which comes with Daemon Tools. With it off, it doesn't create a random .sys. With it enabled, it does create a random .sys. GMER classified the .sys as a SCSI device, so that gave a clue. BTW RootkitRevealer died in 2006.
    – Chloe
    Commented Nov 2, 2012 at 7:15
  • FYI: The line after Loaded driver \SystemRoot\system32\DRIVERS\mrxsmb.sys is the one which worried me. A hidden name? Not good.
    – Hennes
    Commented Nov 2, 2012 at 9:49
  • The properties of that driver are: Windows NT SMB Minirdr, version: 5.1.2600.6133 (xpsp_sp3_gdr.110715-1625).
    – Chloe
    Commented Nov 4, 2012 at 4:15
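Two things in the thread above did the real work: Hennes's advice to turn on boot logging and read the log, and the observation that the odd driver's name was different on every boot (awhk9fmc, a6n163gl, avzk9sf5) until sptd.sys was disabled. The following Python script is an added example, not code from the original thread, that turns those two observations into a repeatable check: it parses "Loaded driver" / "Did not load driver" lines from ntbtlog.txt, flags random-looking names, a nameless "Loaded driver" entry and drivers loaded from a \??\C:\ path, and diffs two boot logs so that whatever was renamed between them stands out. The sample logs are constructed from lines quoted on this page, and the eight-character pattern is an assumption fitted to the names seen here, not a general malware signature. For the unanswered question of where Windows keeps the list of drivers to load: kernel drivers are registered as services under HKLM\SYSTEM\CurrentControlSet\Services, with the file named in each key's ImagePath value, which is what Autoruns' Drivers tab enumerates.

```python
"""Triage a Windows XP boot log (ntbtlog.txt) for suspicious driver entries.

Added example, not from the original thread. The sample logs below are
constructed from lines quoted on this page; the 8-character random-name
heuristic is an assumption fitted to the names seen there (awhk9fmc.SYS,
a6n163gl.SYS, avzk9sf5.SYS), not a general malware signature.
"""
import re

LINE_RE = re.compile(r"^(Loaded driver|Did not load driver)\s*(.*)$")
# Eight lower-case alphanumerics with at least one digit and one letter,
# plus the upper-case .SYS extension the odd entries on this page share.
# Legitimate names such as i8042prt.sys are excluded by the case check.
RANDOM_NAME_RE = re.compile(r"^(?=.*\d)(?=.*[a-z])[a-z0-9]{8}\.SYS$")

# Constructed sample logs: one boot with awhk9fmc.SYS, the next with a6n163gl.SYS.
_COMMON_HEAD = [
    r"Loaded driver \WINDOWS\system32\ntoskrnl.exe",
    r"Loaded driver sptd.sys",
    r"Loaded driver \SystemRoot\system32\DRIVERS\sisnicxp.sys",
]
_COMMON_TAIL = [
    r"Loaded driver \SystemRoot\system32\DRIVERS\mrxsmb.sys",
    "Loaded driver ",  # the nameless entry from the posted log
    r"Loaded driver \??\C:\WINDOWS\system32\drivers\cbfs3.sys",
    r"Did not load driver \SystemRoot\System32\Drivers\Sfloppy.SYS",
]
BOOT_1 = "\n".join(_COMMON_HEAD
                   + [r"Loaded driver \SystemRoot\System32\Drivers\awhk9fmc.SYS"]
                   + _COMMON_TAIL)
BOOT_2 = "\n".join(_COMMON_HEAD
                   + [r"Loaded driver \SystemRoot\System32\Drivers\a6n163gl.SYS"]
                   + _COMMON_TAIL)


def parse_bootlog(text):
    """Return (status, path) tuples for every driver line in a boot log."""
    entries = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            entries.append((m.group(1), m.group(2).strip()))
    return entries


def basename(path):
    """Last component of an NT path such as \\SystemRoot\\System32\\Drivers\\x.sys."""
    return path.rsplit("\\", 1)[-1]


def flag_entries(entries):
    """Apply the three heuristics to parsed entries; returns (reason, path) pairs."""
    findings = []
    for status, path in entries:
        if status != "Loaded driver":
            continue  # 'Did not load' lines are noise for this purpose
        if not path:
            findings.append(("empty-name", path))
            continue
        if RANDOM_NAME_RE.match(basename(path)):
            findings.append(("random-name", path))
        if path.startswith("\\??\\"):
            # Loaded by absolute DOS path rather than relative to \SystemRoot
            findings.append(("absolute-path", path))
    return findings


def diff_boots(text_a, text_b):
    """Driver names present in only one of two boot logs (case-insensitive).

    A driver whose name changes every boot shows up here even if no single
    name looks suspicious on its own.
    """
    def loaded_names(text):
        return {basename(p).lower() for s, p in parse_bootlog(text)
                if s == "Loaded driver" and p}
    names_a, names_b = loaded_names(text_a), loaded_names(text_b)
    return sorted(names_a - names_b), sorted(names_b - names_a)


if __name__ == "__main__":
    for reason, path in flag_entries(parse_bootlog(BOOT_1)):
        print(f"{reason:14s} {path!r}")
    only_first, only_second = diff_boots(BOOT_1, BOOT_2)
    print("only in first boot: ", only_first)
    print("only in second boot:", only_second)
```

Run it against two saved copies of ntbtlog.txt taken on consecutive boots; a name that appears in only one of them is the first thing to look up under HKLM\SYSTEM\CurrentControlSet\Services and in Autoruns with signature verification turned on.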
