GMER scan..

I put both the quick scan and the GMER scan in the same post, one on top of the other. I did save the file from GMER. I will attach as requested, but it is the same as the bottom half of the posted message.

If these are not correct, I will try again when the rootkit reappears.

Hello Judian,

It looks like you skipped step 5.


Please click on button Scan and wait until scan finish (Stop is changed again to Scan)

Thank you
___________________AVG TeamHow-To articles | FAQ

krdpdre.sys returns..

Sorry about not replying sooner, but I have gotten in the habit of turning off my computer when I don't use it. So, the virus appears to return on a timed (by hour usage) and not date usage.

At any rate, here is the result of the quick scan and the GMER scan. First, the rootscan:

"Object name";"C:\DOCUME~1\Owner\LOCALS~1\Temp\krdpdre.sys"
"Detection name";"IRP hook, \Driver\atapi IRP_MJ_INTERNAL_DEVICE_CONTROL -> krdpdre.sys +0x21B0"
"Object type";"file"
"SDK Type";"Rootkit"
"Result";"Object is hidden"
"Action history";""

NOW THE GMER SCAN:

GMER 1.0.15.15530 - http://www.gmer.net
Rootkit quick scan 2011-03-23 05:40:05
Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3 HTS421280H9AT00 rev.HA3OA70S
Running: tool.exe.exe; Driver: C:\DOCUME~1\Owner\LOCALS~1\Temp\kgroqkow.sys


---- Devices - GMER 1.0.15 ----

Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3 krdpdre.sys
Device \Driver\atapi \Device\Ide\IdePort0 krdpdre.sys
Device \Driver\atapi \Device\Ide\IdePort1 krdpdre.sys
Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-e krdpdre.sys

AttachedDevice \FileSystem\Ntfs \Ntfs AVGIDSFilter.Sys (IDS Application Activity Monitor Filter Driver./AVG Technologies CZ, s.r.o. )
AttachedDevice \FileSystem\Fastfat \Fat fltMgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
AttachedDevice \FileSystem\Fastfat \Fat fltMgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
AttachedDevice \FileSystem\Fastfat \Fat AVGIDSFilter.Sys (IDS Application Activity Monitor Filter Driver./AVG Technologies CZ, s.r.o. )
AttachedDevice \Driver\Tcpip \Device\Ip avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\Udp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)

---- EOF - GMER 1.0.15 ----


I am also adding this file and the GMER tool scan (log) as attachments as well. PLEASE help me if I have not done it properly this time.

Bob

Hello Judian,

please note that you have provided us with anti-rootkit quick scan result again:


Have you definitely clicked on the Scan button and waited for the scan to be finished (the Scan button Caption changed back from Stop to Scan) before saving the scan result?

I'm afraid we cannot help you providing us with full anti-rootkit GMER scan result further unless you describe in details what exactly have you done and which of the previously described steps cannot be performed (e.g. "nothing happens after clicking the Scan button during step 5 - the button description is not changed to Stop").

Also please use GMER File Manager locate detected file C:\DOCUME~1\Owner\LOCALS~1\Temp\krdpdre.sys and refer to the following article: How To Handle Suspicious False Positive Detection?

Thank you.
___________________AVG TeamHow-To articles | FAQ

all right, I think I finally understand what you are asking. When I first run GMER, it loads certain info. I was thinking that was the scan. So, according to your instructions, I asked it to do a complete scan. It took much longer than I thought it would. So, here is the file of the GMER attached.

As far as the normal rootkit info:

"Object name";"C:\DOCUME~1\Owner\LOCALS~1\Temp\krdpdre.sys"
"Detection name";"IRP hook, \Driver\atapi IRP_MJ_INTERNAL_DEVICE_CONTROL -> krdpdre.sys +0x21B0"
"Object type";"file"
"SDK Type";"Rootkit"
"Result";"Moved to Virus Vault"
"Action history";"Moved to Virus Vault"

Hello Judian,

Provided GMER scan result is clean.

Please use GMER File Manager locate detected file C:\DOCUME~1\Owner\LOCALS~1\Temp\krdpdre.sys and refer to the following article: How To Handle Suspicious False Positive Detection?

Also please provide us with Msinfo Output.

Thank you


___________________AVG TeamHow-To articles | FAQ

more details..

The file reappeared in the rootkit scan. So I followed the steps again and it is different than the file I sent earlier on the 18th. So, I am resending it and it clearly shows the krdpdre.sys 4 times. So I am confirming if this might still be a false positive.

My assumption is it is not as it never was on my computer until I encountered that screen advertising itself as AVG.

Here is the quick scan, the GMER is attached.

"Object name";"C:\DOCUME~1\Owner\LOCALS~1\Temp\krdpdre.sys"
"Detection name";"IRP hook, \Driver\atapi IRP_MJ_INTERNAL_DEVICE_CONTROL -> krdpdre.sys +0x21B0"
"Object type";"file"
"SDK Type";"Rootkit"
"Result";"Object is hidden"
"Action history";""


Thanks in advance,

Bob

Hello Judian,

I was not able to find any e-mail sent from your e-mail address to virus@avg.com in our system. Have you located the krdpdre.sys file using GMER file manager? If so, please copy it and send it to virus@avg.com as described in the "How To Handle Suspicious False Positive Detection?" post for analysis.

From the provided output, it seems that the file may belong to some optical drive emulation software. It is also detected by GMER so it more than likely that it is not a false alarm but a file using rootkit techniques (such detection would be correct as I have already mentioned in post #150815). Please provide us with an msinfo output as asked by PokornyZ.

Thank you.

___________________AVG TeamHow-To articles | FAQ