Strange rootkit totally stealth!

Hello,
Some time ago I was performing a scan with some antirootkit utilities and all reported my PC as clean. Later I tried AVG Anti-Rootkit Free Edition and it found a sys file in my harddisk. Unfortunately I cannot search this driver using Explorer or standard utilities. So I tried to delete this with AVG Anti-Rootkit. The program successfully deleted the sys file. The problem is that upon Windows restart the driver loaded itself but with other name.
So I'm combating a rootkit that when is deleted is created again using random names. No AV/AntiRootkit is able to delete the garbage.
The PC behaviour is OK. I think it can be a "legal" rootkit like the Sony's one.
I read BioShock (one of the best game I ever played) install a rootkit. Can be this the problem?
I need to at least copy the driver to send it to my AV company but it's stealth.
Here's a screenshot taked from AVG Anti-Rootkit.

Thanks guys!

Specs:
- Windows XP SP2 with all updates.
- ESS
- MSI K9N4 SLI with nForce 500 SLI as chipset
- Seagate 160 SATAII
- ATI X1550 DDR2 512
- 2GB RAM Kingston DDR2 667 Mhz
- AMD Athlon 64 x2 3600+ overclooked at 4000+ (2100 Mhz)

 

Go for the Gusto!

USEC Radix Anti-Rootkit

Scroll down to RADIX Anti-RootKit. I believe theres a fresh url to this In-Depth Prober!!! Should give you LOTS of useful info, some in living color too! Claims to "fixes on the fly patched things...and confirms Vm presence see..."

 

And you say this is a "totally stealth" rootkit?

What makes you think you'll be able to spot anything untoward that this driver is doing? Just because your PC seems okay means only that - your PC seems okay. It doesn't mean this driver isn't doing anything malicious behind the scenes.

My guess is that something else is constantly re-creating this driver file whenever you delete it. Your best bet would be to obtain a HijackThis! or SREng scan log and post it at specialized malware removal forums for experts to assist you.

Jot down the path/file name and reboot into Safe Mode. The file should then be visible. If that fails, use GMER's file copy function to obtain an isolated copy of that file.

 

Thanks for confirming what my gut feeling told me. And some of these games want you to install the C++ Libraries - AARGH!!!

Acronis keeps saving my Arse....

 

Hi sir_carew! Please to copy the file, use following tools as I posted here. Or u can use a linux live CD or bartPE boot CD. Let us know about the results. I assmue u can,t see the file via explorer. Am I right?
https://www.wilderssecurity.com/showpost.php?p=1159605&postcount=18

 

BIOSHOCK'S old new's. That driver file may be related to something else.

http://www.engadget.com/2007/08/25/sonys-back-for-more-running-bioshock-drm-with-a-rootkit/

http://arstechnica.com/news.ars/pos...-air-bioshock-does-not-contain-a-rootkit.html

Long debate on gamingbob.com.


GF

 

Ah the propaganda man from sysinternals has already told about and spread the news like hungry fire.

Either confirms Subvirt or Buggy Buffer OVerflow.

 

Hello!
Finally I was able to take a copy of this file. Only Rootkit Unhooker was able to take a copy of the file. with Gmer nothing was found, even with the explorer option it had.
See the screenshot.
Thanks!!!

 

Do you have Alcohol/Daemon tools installed ?

https://www.wilderssecurity.com/showthread.php?t=187641
https://www.wilderssecurity.com/showthread.php?t=191806&highlight=daemon tools

HTH

 

Hi,
Yes, I've Daemon Tools. I think also that DT is the suspicious here.
So We can say DT install a rootkit?

 

Well, I've read the links you gave me and now I understand all!
Thanks to everyone who help me!