
Possible Duplicate:
How do I get rid of malicious spyware, malware, viruses or rootkits from my PC?

I was looking for rootkits following these instructions http://computersight.com/software/how-to-manually-remove-rootkit/ and saw this in my boot log:

Loaded driver \SystemRoot\System32\Drivers\awhk9fmc.SYS

I tried to search for that filename in Google but there was absolutely nothing found. I tried to look at the file on the disk but could not find it. Nearly every other file is there. I even tried to boot in Windows 98 and mount the NTFS and see the file, but it still wasn't there. I ran a full scan with Microsoft Security Essentials but it found nothing. When I rebooted, I saw this line instead:

Loaded driver \SystemRoot\System32\Drivers\a6n163gl.SYS

  1. How can I remove this?
  2. How can I find out what it does?
  3. How can I find out when it was put in?
  4. How can I find out who wrote it?

Here is my full boot log:

Service Pack 3 10 31 2012 17:35:36.500
Loaded driver \WINDOWS\system32\ntoskrnl.exe
Loaded driver \WINDOWS\system32\hal.dll
Loaded driver \WINDOWS\system32\KDCOM.DLL
Loaded driver \WINDOWS\system32\BOOTVID.dll
Loaded driver sptd.sys
Loaded driver ACPI.sys
Loaded driver \WINDOWS\system32\DRIVERS\WMILIB.SYS
Loaded driver pci.sys
Loaded driver isapnp.sys
Loaded driver pciide.sys
Loaded driver \WINDOWS\system32\DRIVERS\PCIIDEX.SYS
Loaded driver MountMgr.sys
Loaded driver ftdisk.sys
Loaded driver PartMgr.sys
Loaded driver VolSnap.sys
Loaded driver atapi.sys
Loaded driver disk.sys
Loaded driver \WINDOWS\system32\DRIVERS\CLASSPNP.SYS
Loaded driver fltmgr.sys
Loaded driver sr.sys
Loaded driver MpFilter.sys
Loaded driver KSecDD.sys
Loaded driver WudfPf.sys
Loaded driver Ntfs.sys
Loaded driver NDIS.sys
Loaded driver uagp35.sys
Loaded driver Mup.sys
Loaded driver \SystemRoot\system32\DRIVERS\amdk7.sys
Loaded driver \SystemRoot\system32\DRIVERS\sisgrp.sys
Loaded driver \SystemRoot\system32\DRIVERS\i8042prt.sys
Loaded driver \SystemRoot\system32\DRIVERS\mouclass.sys
Loaded driver \SystemRoot\system32\DRIVERS\kbdclass.sys
Loaded driver \SystemRoot\system32\DRIVERS\imapi.sys
Loaded driver \SystemRoot\system32\DRIVERS\cdrom.sys
Loaded driver \SystemRoot\system32\DRIVERS\redbook.sys
Loaded driver \SystemRoot\system32\DRIVERS\GEARAspiWDM.sys
Loaded driver \SystemRoot\system32\drivers\cmuda.sys
Loaded driver \SystemRoot\system32\DRIVERS\usbohci.sys
Loaded driver \SystemRoot\system32\DRIVERS\usbehci.sys
Loaded driver \SystemRoot\system32\DRIVERS\sisnicxp.sys
Loaded driver \SystemRoot\System32\Drivers\avzk9sf5.SYS
Loaded driver \SystemRoot\system32\DRIVERS\fdc.sys
Loaded driver \SystemRoot\system32\DRIVERS\serial.sys
Loaded driver \SystemRoot\system32\DRIVERS\serenum.sys
Loaded driver \SystemRoot\system32\DRIVERS\parport.sys
Loaded driver \SystemRoot\system32\DRIVERS\gameenum.sys
Loaded driver \SystemRoot\system32\DRIVERS\serscan.sys
Loaded driver \SystemRoot\system32\drivers\DrmCAudio.sys
Loaded driver \SystemRoot\system32\DRIVERS\audstub.sys
Loaded driver \SystemRoot\system32\DRIVERS\rasl2tp.sys
Loaded driver \SystemRoot\system32\DRIVERS\ndistapi.sys
Loaded driver \SystemRoot\system32\DRIVERS\ndiswan.sys
Loaded driver \SystemRoot\system32\DRIVERS\raspppoe.sys
Loaded driver \SystemRoot\system32\DRIVERS\raspptp.sys
Loaded driver \SystemRoot\system32\DRIVERS\msgpc.sys
Loaded driver \SystemRoot\system32\DRIVERS\psched.sys
Loaded driver \SystemRoot\system32\DRIVERS\ptilink.sys
Loaded driver \SystemRoot\system32\DRIVERS\raspti.sys
Loaded driver \SystemRoot\system32\DRIVERS\tap0901.sys
Loaded driver \SystemRoot\system32\DRIVERS\termdd.sys
Loaded driver \SystemRoot\system32\DRIVERS\swenum.sys
Loaded driver \SystemRoot\system32\DRIVERS\update.sys
Loaded driver \SystemRoot\system32\DRIVERS\mssmbios.sys
Loaded driver \SystemRoot\system32\DRIVERS\dtsoftbus01.sys
Loaded driver \SystemRoot\System32\Drivers\NDProxy.SYS
Did not load driver \SystemRoot\System32\Drivers\NDProxy.SYS
Loaded driver \SystemRoot\system32\DRIVERS\usbhub.sys
Loaded driver \SystemRoot\system32\DRIVERS\flpydisk.sys
Did not load driver \SystemRoot\System32\Drivers\lbrtfdc.SYS
Did not load driver \SystemRoot\System32\Drivers\Sfloppy.SYS
Did not load driver \SystemRoot\System32\Drivers\i2omgmt.SYS
Did not load driver \SystemRoot\System32\Drivers\Changer.SYS
Did not load driver \SystemRoot\System32\Drivers\Cdaudio.SYS
Loaded driver \SystemRoot\System32\Drivers\Fs_Rec.SYS
Loaded driver \SystemRoot\System32\Drivers\Null.SYS
Loaded driver \SystemRoot\System32\Drivers\Beep.SYS
Loaded driver \SystemRoot\System32\drivers\vga.sys
Loaded driver \SystemRoot\System32\Drivers\mnmdd.SYS
Loaded driver \SystemRoot\System32\DRIVERS\RDPCDD.sys
Loaded driver \SystemRoot\System32\Drivers\Msfs.SYS
Loaded driver \SystemRoot\System32\Drivers\Npfs.SYS
Loaded driver \SystemRoot\system32\DRIVERS\rasacd.sys
Loaded driver \SystemRoot\system32\DRIVERS\ipsec.sys
Loaded driver \SystemRoot\system32\DRIVERS\tcpip.sys
Loaded driver \SystemRoot\system32\DRIVERS\netbt.sys
Loaded driver \SystemRoot\System32\drivers\afd.sys
Loaded driver \SystemRoot\system32\DRIVERS\netbios.sys
Did not load driver \SystemRoot\System32\Drivers\PCIDump.SYS
Loaded driver \SystemRoot\system32\DRIVERS\srvkp.sys
Loaded driver \SystemRoot\system32\DRIVERS\rdbss.sys
Loaded driver \SystemRoot\system32\DRIVERS\mrxsmb.sys
Loaded driver 
Loaded driver \SystemRoot\system32\DRIVERS\ipnat.sys
Loaded driver \SystemRoot\system32\DRIVERS\wanarp.sys
Loaded driver \SystemRoot\System32\Drivers\Fips.SYS
Loaded driver \SystemRoot\system32\DRIVERS\ctxusbm.sys
Loaded driver \??\C:\WINDOWS\system32\drivers\cbfs3.sys
Loaded driver \SystemRoot\System32\Drivers\Fastfat.SYS
Loaded driver \SystemRoot\System32\Drivers\Cdfs.SYS
Did not load driver \SystemRoot\system32\DRIVERS\rdbss.sys
Did not load driver \SystemRoot\system32\DRIVERS\mrxsmb.sys
Loaded driver \SystemRoot\system32\drivers\wdmaud.sys
Loaded driver \SystemRoot\system32\drivers\sysaudio.sys
Loaded driver \SystemRoot\system32\drivers\splitter.sys
Loaded driver \SystemRoot\system32\drivers\aec.sys
Loaded driver \SystemRoot\system32\drivers\swmidi.sys
Loaded driver \SystemRoot\system32\drivers\DMusic.sys
Loaded driver \SystemRoot\system32\drivers\kmixer.sys
Loaded driver \SystemRoot\system32\drivers\drmkaud.sys
Loaded driver \SystemRoot\system32\DRIVERS\mrxdav.sys
Loaded driver \SystemRoot\System32\Drivers\ParVdm.SYS
Did not load driver \SystemRoot\System32\Drivers\StarOpen.SYS
Loaded driver \SystemRoot\system32\DRIVERS\srv.sys
Did not load driver \SystemRoot\system32\DRIVERS\ipnat.sys
Loaded driver \SystemRoot\System32\Drivers\HTTP.sys
Chloe

2 Answers


OK, primary goal:

How can I remove this?

The only guaranteed way is to Nuke it from orbit. Reformat and reinstall.

There might be more subtle ways to remove it, but unless you know precisely what you are dealing with you cannot be sure. Which means you never should use that PC for banking. No more online shopping with credit card numbers etc.

Unless you have a known good backup this is a bloody annoying thing to do. But it is the only way to be safe.

I suggest making a copy of the HDD first. You can do that in a lot of ways, e.g. an image tool such as Acronis, Ghost or Clonezilla, which will allow you to return to the state you are in now. A plain copy to an external drive is easier, but do not assume that copying everything back will restore the old Windows install (esp. not if the external disk is FAT32 formatted). A nice third option is to make a VMDK (VMware disk) or a VHD from the disk (tools for that here on TechNet and here for VMware).

Then wipe completely. Reinstall from a clean image. Do not try to restore any files yet. Install network drivers if needed. Then update Windows completely.

Now would be a good time to make another system image. Hopefully you will never have to do this again, but if you do it will save you a lot of time.

Install drivers. Download them from a known safe source. Install and update antivirus.

Now we have a safe system and you can start to analyse the backups you took in the beginning. Run a virus scan of them. If it gets identified it might just give you the answer you are looking for.

If not, set up a virtual machine (without network). Restore the system image to that. Then install debug tools such as Process Explorer, RootkitRevealer and GMER.

Now you are ready to answer your second question.

How can I find out when it was put in?

If it is spyware, trojan, virus or otherwise 'evil': you cannot rely on the infected system. You will need to check the infected system against a previous backup. Unless you have a lot of regular backups this will probably not succeed.

If it is just 'normal' software, then there might be dates in the log files and on the files themselves.

How can I find out who wrote it?

If it is a virus or similar: you cannot. If it is legally written software it belongs to a program or driver. Those should come with information. Sadly, often a driver is written by 'fill in your name here'.

Hennes

It's a serious pain in the rear to do. There are tools specifically designed to detect rootkits; GMER and RootkitRevealer come to mind. The files you're seeing are obviously not the rootkit themselves; they might be generated by another, actually hidden file. These tools would detect the rootkit, used properly. Removing it, though, is difficult, and these tools need some expertise to use.

First of all, your system is compromised. There's probably no real reason not to nuke and pave it. However, let's assume hypothetically you wanted to investigate what this is. Rootkits hook into the OS itself to hide themselves. In addition to the previously mentioned tools, you could use a virus rescue live CD to scan the system; Microsoft System Sweeper comes to mind, but there are others.

I'd then suggest going in with a Linux live CD and copying out any files you'd mind losing, then booting back into Windows. Do an AV scan again just to see what that turns up.

Then of course reinstallation is the smart choice here.

Journeyman Geek