krdpdre.sys Rootkit Keeps Returning (AVG Forums » Virus Removal, Tools for Removing)
March 3, 2011 21:59 Re: krdpdre.sys Rootkit Keeps Returning #151183
Judian (Novice, Join Date: 24.2.2011, Posts: 9)
GMER scan..

I put both the quick scan and the GMER scan in the same post, one on top of the other. I did save the file from GMER. I will attach as requested, but it is the same as the bottom half of the posted message.

If these are not correct, I will try again when the rootkit reappears.
March 4, 2011 08:33 Re: krdpdre.sys Rootkit Keeps Returning #151217
Pokornyz (Administrator, Join Date: 29.11.2010, Posts: 8245)
Hello Judian,

It looks like you skipped step 5.

5. In the bottom right corner, click Scan.

Please click on the Scan button and wait until the scan finishes (the button caption changes from Stop back to Scan).

Thank you
___________________
AVG Team | How-To articles | FAQ
March 23, 2011 09:52 Re: krdpdre.sys Rootkit Keeps Returning #154025
Judian (Novice, Join Date: 24.2.2011, Posts: 9)
krdpdre.sys returns..

Sorry about not replying sooner, but I have gotten in the habit of turning off my computer when I don't use it. So, the virus appears to return on a timed basis (by hours of usage), not by date.

At any rate, here is the result of the quick scan and the GMER scan. First, the rootkit scan:

"Object name";"C:\DOCUME~1\Owner\LOCALS~1\Temp\krdpdre.sys"
"Detection name";"IRP hook, \Driver\atapi IRP_MJ_INTERNAL_DEVICE_CONTROL -> krdpdre.sys +0x21B0"
"Object type";"file"
"SDK Type";"Rootkit"
"Result";"Object is hidden"
"Action history";""

NOW THE GMER SCAN:

GMER 1.0.15.15530 - http://www.gmer.net
Rootkit quick scan 2011-03-23 05:40:05
Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3 HTS421280H9AT00 rev.HA3OA70S
Running: tool.exe.exe; Driver: C:\DOCUME~1\Owner\LOCALS~1\Temp\kgroqkow.sys


---- Devices - GMER 1.0.15 ----

Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3 krdpdre.sys
Device \Driver\atapi \Device\Ide\IdePort0 krdpdre.sys
Device \Driver\atapi \Device\Ide\IdePort1 krdpdre.sys
Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-e krdpdre.sys

AttachedDevice \FileSystem\Ntfs \Ntfs AVGIDSFilter.Sys (IDS Application Activity Monitor Filter Driver./AVG Technologies CZ, s.r.o. )
AttachedDevice \FileSystem\Fastfat \Fat fltMgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
AttachedDevice \FileSystem\Fastfat \Fat fltMgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
AttachedDevice \FileSystem\Fastfat \Fat AVGIDSFilter.Sys (IDS Application Activity Monitor Filter Driver./AVG Technologies CZ, s.r.o. )
AttachedDevice \Driver\Tcpip \Device\Ip avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\Udp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)

---- EOF - GMER 1.0.15 ----


I am also adding this file and the GMER tool scan (log) as attachments as well. PLEASE help me if I have not done it properly this time.

Bob
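A defender-side check built on the two scan outputs in the post above (and on the same AVG record format repeated in the later posts), as an added example that is not part of the thread and not AVG's or GMER's own code: it parses the AVG anti-rootkit "key";"value" record, decodes the IRP-hook detection string into driver object, IRP major function, module and offset, and then looks in GMER's Devices section for the same module sitting on that driver's device objects, which is the independent corroboration a second tool gives. The sample input is constructed from the values posted above; the function names are mine.

```python
import re

# Constructed input: the AVG anti-rootkit record and the GMER "Devices"
# section as posted in the thread above (values copied from the post).
AVG_REPORT = '''"Object name";"C:\\DOCUME~1\\Owner\\LOCALS~1\\Temp\\krdpdre.sys"
"Detection name";"IRP hook, \\Driver\\atapi IRP_MJ_INTERNAL_DEVICE_CONTROL -> krdpdre.sys +0x21B0"
"Object type";"file"
"SDK Type";"Rootkit"
"Result";"Object is hidden"
"Action history";""'''
GMER_DEVICES = '''---- Devices - GMER 1.0.15 ----

Device \\Driver\\atapi \\Device\\Ide\\IdeDeviceP0T0L0-3 krdpdre.sys
Device \\Driver\\atapi \\Device\\Ide\\IdePort0 krdpdre.sys
AttachedDevice \\FileSystem\\Ntfs \\Ntfs AVGIDSFilter.Sys (IDS Application Activity Monitor Filter Driver./AVG Technologies CZ, s.r.o. )

---- EOF - GMER 1.0.15 ----'''

# AVG's string: "IRP hook, <driver object> <IRP major function> -> <module> +<offset>"
IRP_HOOK_RE = re.compile(
    r'^IRP hook, (?P<driver>\\\S+) (?P<irp>IRP_MJ_\w+) -> (?P<module>\S+) \+(?P<offset>0x[0-9A-Fa-f]+)$')

def parse_avg_report(text):
    """Turn the AVG "key";"value" lines into a dict (quotes stripped)."""
    rec = {}
    for line in text.splitlines():
        m = re.match(r'^"([^"]*)";"([^"]*)"$', line.strip())
        if m:
            rec[m.group(1)] = m.group(2)
    return rec

def parse_irp_hook(detection):
    """Split an AVG IRP-hook detection string into its four fields, or None."""
    m = IRP_HOOK_RE.match(detection)
    return m.groupdict() if m else None

def gmer_device_owners(text):
    """Map (driver object, device object) -> module for GMER 'Device' lines only."""
    owners = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 4 and parts[0] == 'Device':
            owners[(parts[1], parts[2])] = parts[3]
    return owners

def corroborate(avg_text, gmer_text):
    """Does GMER independently show the hooking module on the same driver's devices?"""
    rec = parse_avg_report(avg_text)
    hook = parse_irp_hook(rec.get('Detection name', ''))
    if hook is None:
        return {'hook': None, 'hidden': False, 'gmer_devices': []}
    devs = sorted(dev for (drv, dev), mod in gmer_device_owners(gmer_text).items()
                  if drv == hook['driver'] and mod.lower() == hook['module'].lower())
    return {'hook': hook, 'hidden': rec.get('Result') == 'Object is hidden',
            'gmer_devices': devs}
```

With the posted output, corroborate() returns the atapi hook with module krdpdre.sys and the two GMER device objects it owns; an empty gmer_devices list would mean the second tool gave no support for the detection.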
March 24, 2011 11:53 Re: krdpdre.sys Rootkit Keeps Returning #154209
jirka82 (Administrator, Join Date: 19.6.2009, Posts: 3892)
Hello Judian,

Please note that you have provided us with the anti-rootkit quick scan result again:

Judian wrote:
GMER 1.0.15.15530 - http://www.gmer.net
Rootkit quick scan 2011-03-23 05:40:05
Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3 HTS421280H9AT00 rev.HA3OA70S
Running: tool.exe.exe; Driver: C:\DOCUME~1\Owner\LOCALS~1\Temp\kgroqkow.sys

Have you definitely clicked on the Scan button and waited for the scan to finish (the Scan button caption changed back from Stop to Scan) before saving the scan result?

I'm afraid we cannot help you further without the full anti-rootkit GMER scan result, unless you describe in detail what exactly you have done and which of the previously described steps cannot be performed (e.g. "nothing happens after clicking the Scan button during step 5 - the button caption does not change to Stop").

Also, please use the GMER File Manager to locate the detected file C:\DOCUME~1\Owner\LOCALS~1\Temp\krdpdre.sys and refer to the following article: How To Handle Suspicious False Positive Detection?

Thank you.
April 19, 2011 13:46 Re: krdpdre.sys Rootkit Keeps Returning #158179
Judian (Novice, Join Date: 24.2.2011, Posts: 9)
All right, I think I finally understand what you are asking. When I first run GMER, it loads certain info. I was thinking that was the scan. So, according to your instructions, I asked it to do a complete scan. It took much longer than I thought it would. So, here is the GMER file, attached.

As far as the normal rootkit info:

"Object name";"C:\DOCUME~1\Owner\LOCALS~1\Temp\krdpdre.sys"
"Detection name";"IRP hook, \Driver\atapi IRP_MJ_INTERNAL_DEVICE_CONTROL -> krdpdre.sys +0x21B0"
"Object type";"file"
"SDK Type";"Rootkit"
"Result";"Moved to Virus Vault"
"Action history";"Moved to Virus Vault"
April 20, 2011 08:48 Re: krdpdre.sys Rootkit Keeps Returning #158291
Pokornyz (Administrator, Join Date: 29.11.2010, Posts: 8245)
Hello Judian,

The provided GMER scan result is clean.

Please use the GMER File Manager to locate the detected file C:\DOCUME~1\Owner\LOCALS~1\Temp\krdpdre.sys and refer to the following article: How To Handle Suspicious False Positive Detection?

Also please provide us with Msinfo Output.

Thank you
April 22, 2011 15:17 Re: krdpdre.sys Rootkit Keeps Returning #158561
Judian (Novice, Join Date: 24.2.2011, Posts: 9)
more details..

The file reappeared in the rootkit scan. So I followed the steps again and it is different than the file I sent earlier on the 18th. So, I am resending it and it clearly shows the krdpdre.sys 4 times. So I am confirming if this might still be a false positive.

My assumption is it is not as it never was on my computer until I encountered that screen advertising itself as AVG.

Here is the quick scan, the GMER is attached.

"Object name";"C:\DOCUME~1\Owner\LOCALS~1\Temp\krdpdre.sys"
"Detection name";"IRP hook, \Driver\atapi IRP_MJ_INTERNAL_DEVICE_CONTROL -> krdpdre.sys +0x21B0"
"Object type";"file"
"SDK Type";"Rootkit"
"Result";"Object is hidden"
"Action history";""


Thanks in advance,

Bob
April 26, 2011 10:52 Re: krdpdre.sys Rootkit Keeps Returning #158885
jirka82 (Administrator, Join Date: 19.6.2009, Posts: 3892)
Hello Judian,

I was not able to find any e-mail sent from your e-mail address to virus@avg.com in our system. Have you located the krdpdre.sys file using GMER file manager? If so, please copy it and send it to virus@avg.com as described in the "How To Handle Suspicious False Positive Detection?" post for analysis.

From the provided output, it seems that the file may belong to some optical drive emulation software. It is also detected by GMER, so it is more than likely that it is not a false alarm but a file using rootkit techniques (such a detection would be correct, as I have already mentioned in post #150815). Please provide us with an msinfo output as asked by PokornyZ.

Thank you.
