?
Solved

IDE driver changes name at every boot.  Virus ?

Posted on 2010-11-18
7
Medium Priority
?
609 Views
Last Modified: 2012-06-22
Hello,

Having some problems with my XP SP3 system, I have started investigating in depth the boot process.
I have the /BOOTLOG enabled for years on my system.
This logs some boot details in the %windir%/ntbtlog.txt file.
I therefore started to look if I couldnt find any weird driver name in that file.
I actually found one :
            Loaded driver \SystemRoot\System32\Drivers\ausdht7g.SYS
I looked in my system32/drivers directory for the file but didn't find it.
I therefore looked more deeply and found that this driver changes name at every reboot, since December 2006, date at which it started appearing.
Running DriverView from Nirsoft shows that the driver is loaded and is listed as IDE/ATAPI Port Driver, 5.1.2600.5512 (xpsp.080413-2108), Microsoft Corporation, Microsoft® Windows® Operating System.

Here are the relevant lines from the ntbtlog.txt file, showing the names used for this driver :

+ egrep 'Service Pack|\\a.......\.SYS' ntbtlog3.txt
 Service Pack 1 9 21 2004 23:37:59.375
 Service Pack 1 9 21 2004 23:43:03.375
 Service Pack 1 9 21 2004 23:55:11.375
 Service Pack 1 9 22 2004 10:37:54.375
 Service Pack 1 9 22 2004 12:12:25.359
 Service Pack 1 9 22 2004 14:16:00.375
 Service Pack 1 9 22 2004 14:50:32.375
 Service Pack 1 9 22 2004 14:55:32.359
 Service Pack 1 9 22 2004 15:07:57.375
 Service Pack 1 9 22 2004 15:14:52.375
 Service Pack 1 9 22 2004 15:19:52.375
 Service Pack 1 9 22 2004 15:37:17.375
 Service Pack 1 9 22 2004 15:48:45.375
 Service Pack 1 9 23 2004 00:54:29.375
 Service Pack 1 9 23 2004 22:38:07.375
 Service Pack 1 9 27 2004 19:47:06.375
 Service Pack 1 9 30 2004 23:20:12.359
 Service Pack 110  4 2004 19:50:22.375
......... removed lines ...................
 Service Pack 111 30 2006 11:28:20.375
 Service Pack 112  2 2006 13:38:25.375
 Service Pack 112  2 2006 19:57:22.375
Loaded driver \SystemRoot\System32\Drivers\av8k5o1x.SYS
 Service Pack 112  5 2006 09:04:56.375
Loaded driver \SystemRoot\System32\Drivers\abn1c3w1.SYS
 Service Pack 112  8 2006 01:44:51.375
Loaded driver \SystemRoot\System32\Drivers\a3i8gtoc.SYS
 Service Pack 112  8 2006 09:56:31.375
Loaded driver \SystemRoot\System32\Drivers\ai2p9vf3.SYS
 Service Pack 112 10 2006 17:49:37.375
Loaded driver \SystemRoot\System32\Drivers\alk546a6.SYS
 Service Pack 112 11 2006 07:48:15.375
Loaded driver \SystemRoot\System32\Drivers\ad7z7kj2.SYS
 Service Pack 112 16 2006 14:19:10.375
Loaded driver \SystemRoot\System32\Drivers\appa9qnt.SYS
 Service Pack 112 16 2006 14:22:06.375
Loaded driver \SystemRoot\System32\Drivers\akrh9cbk.SYS
 Service Pack 112 16 2006 14:32:09.375
Loaded driver \SystemRoot\System32\Drivers\as4z7wv3.SYS
 Service Pack 112 16 2006 15:53:29.375
Loaded driver \SystemRoot\System32\Drivers\a4kd3tp5.SYS
 Service Pack 112 16 2006 16:19:45.375
Loaded driver \SystemRoot\System32\Drivers\aa093efi.SYS
 Service Pack 112 18 2006 00:35:58.375
Loaded driver \SystemRoot\System32\Drivers\ayr26ro8.SYS
..........  removed lines ...................
Loaded driver \SystemRoot\System32\Drivers\awbvgwq8.SYS
 Service Pack 311 16 2010 19:34:43.375
Loaded driver \SystemRoot\System32\Drivers\akuf1rvi.SYS
 Service Pack 311 16 2010 20:35:10.375
Loaded driver \SystemRoot\System32\Drivers\axkel46g.SYS
 Service Pack 311 18 2010 14:54:04.375
Loaded driver \SystemRoot\System32\Drivers\a6z2qu01.SYS
 Service Pack 311 19 2010 01:03:38.359
Loaded driver \SystemRoot\System32\Drivers\ausdht7g.SYS

Of course I ran a full scan of my C drive and no virus was found.
I tried to find any weird program which would have been installed at that date, but didn't see anything weird.

Any idea where this strange behaviour is coming from ?

Thanks in advance.

Michel
0
Comment
Question by:michelhans
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 3
  • 3
7 Comments
 
LVL 49

Expert Comment

by:dbrunton
ID: 34169804
0
 

Author Comment

by:michelhans
ID: 34169955
Ran TDSSKiller, which only pointed to sptd.sys, which is the Alcohol 120% Virtual CD driver.  I removed it temporarily.
Note that in the report, TDSS did not list the questionnable driver, although it is listed in the registry.

Running Malware.
0
 

Author Comment

by:michelhans
ID: 34170053
Hitman pro and MalwareBytes done, with no significant discovery.  Will reboot anyway for the small changes.  Note that Combofix requires Antivirus to be uninstalled, which I do not want to do.  
Will keep posted.
0
WatchGuard's M Series Appliances - Miecom Approved

WatchGuard's newest M series appliances were put to the test by Miercom.  We had great results and outperformed all of our competitors in both stateless and stateful traffic throghput scenarios! Ready to see how your UTM appliance stacked up? Download the Miercom Report!

 
LVL 49

Expert Comment

by:dbrunton
ID: 34170081
What anti-virus are you running?

I'm just wondering if this is an anti-virus file.
0
 
LVL 49

Accepted Solution

by:
dbrunton earned 1600 total points
ID: 34170101
You've actually fixed the problem.  

It is sptd.sys

Full details here http://www.bleepingcomputer.com/forums/topic203985.html

Looks like Daemon Tools or Alcohol.
0
 
LVL 27

Assisted Solution

by:Tolomir
Tolomir earned 400 total points
ID: 34170925
I guess this random name is used to fool some games music CDs that the "copyright breaker" is installed.
If it were sptd.sys all the time one could easily identify such a tool.
0
 

Author Comment

by:michelhans
ID: 34172305
Ok.  So, this is explained.  No threat there.    I downloaded the latest version of Alcohol and reinstalled.


@tolomir : I actually contacted Alcohol Soft and they confirmed it is to fool the copyright protections.

@dbrunton : The antivirus I'm running is McAfee Enterprise 8.5i.

I'm surprised that none of the 3 malware detectors noticed the 'hidden' driver.

Thanks all for your help.
0

Featured Post

Get 15 Days FREE Full-Featured Trial

Benefit from a mission critical IT monitoring with Monitis Premium or get it FREE for your entry level monitoring needs.
-Over 200,000 users
-More than 300,000 websites monitored
-Used in 197 countries
-Recommended by 98% of users

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Provide an easy one stop to quickly get the relevant information on common asked question on Ransomware in Expert Exchange.
Envision that you are chipping away at another e-business site with a team of pundit developers and designers. Everything seems, by all accounts, to be going easily.
Two types of users will appreciate AOMEI Backupper Pro: 1 - Those with PCIe drives (and haven't found cloning software that works on them). 2 - Those who want a fast clone of their boot drive (no re-boots needed) and it can clone your drive wh…
Monitoring a network: how to monitor network services and why? Michael Kulchisky, MCSE, MCSA, MCP, VTSP, VSP, CCSP outlines the philosophy behind service monitoring and why a handshake validation is critical in network monitoring. Software utilized …
Suggested Courses
Course of the Month10 days, 6 hours left to enroll

765 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question