Hidden file in System32 - an34yhrb.sys - anyone hear of this?

Discussion in 'Malware Help (A Specialist Will Reply)' started by louvega, Oct 9, 2007.

  1. louvega

    louvega Private E-2

    Hello all! While using AVG Anti-Rootkit, it came across a file in my system32, drivers folder by the name of "an32yhrb.sys" and I've never heard of this nor is there ANY info Googling it. Anyone ever hear of it and do you think I should delete it?

    Any suggestions would be appreciated. Thanks in advance!
     
  2. abri

    abri MajorGeek

    Hi Louvega!
    Welcome to Major Geeks! The file looks like a virus. It's not usually enough to delete one file. There are generally more associated with you. Please follow the instructions and links in the box.
    Thanks!

     
  3. louvega

    louvega Private E-2

    ok, read all the associated posts and links and d/l'd the requested remedies. I'm in the process of installing and running. Will you be on in a couple of hours or so? I should be done soon and I will post my results. Thanks!
     
  4. louvega

    louvega Private E-2

    Ok, so after doing all the things you suggested and running AVG Anti-Rootkit multiple times after all that, it seems that there might be - pardon me if I don't phrase this correctly - some sort of boot sector virus or similar. All the scans turned up nothing but every time on reboot, there is a different and new file in my system32 folder. These files are always hidden like the first but when I check in the folder with "show all files" etc etc in folders view, it still can't be seen, except in the AVG Anti-Rootkit scan.

    I've attached the GetRunKey file and ShowNew files as you've asked. If you need the others I'll gladly supply those also, but as I've said - none of them turned up anything.

    Thanks
     

    Attached Files:

  5. louvega

    louvega Private E-2

    Oh, here's the Hijack This log -

    and I also have a very informative program , if I could only decipher all the results it gives but here's the link for it -

    http://www.rku.nm.ru/

    if you'd like for me to post any logs from that also, please let me know.

    Thanks again
     

    Attached Files:

  6. abri

    abri MajorGeek

    Hi louvega!

    In the link you posted, you mentioned it having a very informative program. Is the link to a program or to a website? Do you mean they have a good description of the malware which AVG Antirootkit identified?

    The file you mentioned "an32yhrb.sys" is one we want to get rid of using a tool which goes deep into the registry. But please do the following first and post back to me before we continue:

    1) HijackThis run from the desktop won't help us. Please go to the following link and install HijackThis in the correct folder and rename it from hijackthis.exe to analyse.exe as per the instructions. Do not run it until you've done everything else in this post first. Then post the log.
    Downloading, Installing and Running HijackThis

    AVG-Antispyware, BitDefender and Panda all found nothing? (I believe you!)

    2) Then, go to add/remove programs and uninstall
    - Java(TM) 6 Update 2

    3) Now REBOOT your computer!!

    4) After you've rebooted, please install the current version of Java in the link under STEP 6A of the READ & RUN ME FIRST.

    5) If you do not use Windows Messenger (not to be confused with MSN Messenger!!) I would like you to run Disable/Remove Windows Messenger

    6) Please download ATF Cleaner by Atribune. This program does not require an installation. The executable actually runs the program.

    NOTE: This program is for Windows XP and Windows 2000 only. ATF Cleaner will remove all files from the items that are checked so if you have some cookies you'd like to save. Please move them to a different directory first.
    • Double-click ATF-Cleaner.exe to run the program.
    • Under Main choose: Select All
    • Click the Empty Selected button.
    If you use Firefox browser
    • Click Firefox at the top and choose: Select All
    • Click the Empty Selected button.
      • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
    If you use Opera browser
    • Click Opera at the top and choose: Select All
    • Click the Empty Selected button.
      • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
    Click Exit on the Main ATF Cleaner menu to close the program.

    7) Please post the results of the AVG Anti-rootkit scan. If they are in the form of a log, please attach it.

    8) Now run a fresh scan of HijackThis from its correct location and with the right name and attach the new log (hijackthis.log) along with the AVG Antirootkit scan log with your next post. Also, please attach fresh logs for ShowNew and GetRunKeys:

    -AVG-Antirootkit scan log
    -newfiles.txt
    -runkeys.txt
    -hijackthis.log


    Thanks!
    abri
     
  7. louvega

    louvega Private E-2

    Abri,

    Thanks for all the help!

    Not to change the subject but I hope I don't have to do a clean reinstall to solve this. If I have to as a last resort, I will but hopefully we can work this out. If not, I'm not exactly sure how to "wipe" everything because I don't want to carry anything over in the BIOS or boot files and was hoping maybe you might be able to describe that to me.

    Just as a background, that's how I wound up here in the first place and wanted to make sure it doesn't carry over if I have to clean install again. Basically, this is a new install that I have at the moment and while I was looking "where I shouldn't have been" (if you know what I mean) I downloaded one last prog (ironically, a backup prog) and clicked on the "install" and my computer shut down and rebooted. I basically knew I "caught something" at that point and did numerous virus scans etc and turned up little until I checked the AVG Anti-Rootkit and it said there was a change in the MBR and couldn't access it. I did a Repair Console of the MBR from the Windows disk and all went well, but now it seems I obviously still have something hiding by looking at the System32, which is what led me here. This is why I believe there's some "back door" now hibernating but I hope that's not the case and we can find it here.

    Anyhow, here are the files you requested - I ran them all as described and unfortunately, I couldn't save a log for the AVG Anti-Rootkit but I uploaded a screen shot for the results of it and the prog I mentioned in the previous post called Rootkit Unhooker. As I've said, it has a lot of good info, but I don't know how to make use of it all - if there's any of it you can use, let me know. You can see all the tabs it has for info in the screenshot.

    Thanks again,
    Lou
     

    Attached Files:

  8. louvega

    louvega Private E-2

    P.S.

    Here's the screen shot - obviously couldn't fit it in the last post.
     

    Attached Files:

    Last edited: Oct 10, 2007
  9. abri

    abri MajorGeek

    Hi louvega!

    It is normal for some programs to reboot your computer after installation. Normally you get a request about it, but not always. My obvious question to this is, did you try an earlier Restore Point after this unexpected reboot? There are enough software conflicts, etc. to make the easiest solution simply backing up to an earlier restore point. This may even still be possible.

    In your first post you mentioned that AVG Antirootkit found this file: an32yhrb.sys
    You also mentioned that your Win32 folder contains a new hidden file each time you reboot. Does AVG Antirootkit always identify this new hidden file with the name you gave us? Or does it have a different name each time? Does it fix the file it identifies each time?

    If you have not already done so, please uninstall the backup program which caused this unexpected reboot. Then please uninstall UnHackMe and RegRun2 and see if you get the same results. Also, just for my information, was it the installation of the backup program which led you to install the scanning tools you're using, or have you experienced something more concrete which makes you believe your computer is infected? I am attentive to what AVG finds in general, but it's also possible you're pursuing a valid file belonging to another program. Which backup program was it that led to this?

    abri
     
  10. louvega

    louvega Private E-2

    Well, the program I installed was Acronis True Image but I bought it from a friend who no longer had the license and had to use a keygen to get the full use, if you get my meaning. It was this "keygen" that caused the shutdown.

    As far as a system restore, unfortunately I already shut that down once to flush out any possible viruses lingering in there so a chance of a restore before that point is out.

    The file an32yhrb.sys just happened to be found on that particular scan - every time I reboot, it's a different one, the last one is gone and a new one takes its place with a different name that AVG finds each time. It doesn't seem to fix the file, the old one just disappears upon each reboot, replaced by a new hidden file (I'll attach another example). These hidden files can't be seen either when I look in the System32 folder directly, even with "show hidden files" option selected. I also found a reference for this in the AVG forums but no further information. Here's the link:

    http://forum.grisoft.cz/freeforum/read.php?11,106465,sv=

    I've un-installed UnHackMe and RegRun2. Mainly, why I feel I've been hacked is also because I see regular short bursts of disk activity when nothing seems to be going on/computer is not in use. These are micro-seconds of the activity light flashing every 5 minutes or so, like something is accessing the drive. The AVG results combined with the shutdown and disk activity were the main reasons to check this out further though.
     

    Attached Files:

  11. louvega

    louvega Private E-2

    P.S.

    Also, the MBR being inaccessible on the first scan after the shutdown was a warning sign for me too.
     
  12. abri

    abri MajorGeek

    Hi louvega!

    It would be helpful to have more than one program identify what AVG is finding. After you uninstalled the programs I asked you to uninstall, did AVG still find its name-changing driver file?

    Please run the following cleaner first and then follow the instructions for the alternate scans below.
    I would like for you to go to the following link and scroll down until you get to the list of rootkit scans. Please run some of those and see if they give you any additional information. The thing which is disturbing me a little is that the links you posted so far are to Russia and to the Czech Republic. The list of scans you want is about halfway down the page: Alternate Scans

    Please attach the results or if they don't find anything, tell me that tool.

    abri
     
    Last edited: Oct 11, 2007
  13. louvega

    louvega Private E-2

    Abri,

    Went through most of those scans and I'll post the results here and in the following posts, what I can't fit here.

    They basically seemed to turn up little except for the RootkitHookAnalyzer prog which turned up a file called "ar3puar4.SYS" which was in the system32 folder again.

    The other scan results, I can't decipher so please let me know.

    Thanks
     

    Attached Files:

  14. louvega

    louvega Private E-2

    Additional scan results -
     

    Attached Files:

  15. louvega

    louvega Private E-2

    Oh, and yes, AVG is still finding the "hidden driver" file - another "new" one by the name of "ankibo8a.sys" and the old one is gone, as usual.
     
  16. abri

    abri MajorGeek

    Hi louvega

    Can you see this program on your desktop or find it in Windows Explorer under Desktop? Do you know what it is? Both Sophos and Kaspersky identify it as a trojan/backdoor.

    SysProt.exe

    abri
     
  17. louvega

    louvega Private E-2

    That's one of the Anti-Rootkit progs listed on the link that you asked for me to go to and try some of them.
     
  18. abri

    abri MajorGeek

    louvega!
    Thanks. That's what I was wondering. It appears that either you are picking up a false positive, or that you have something we are unable to identify. There are none of the usual signs in your logs for either a keygen or malware. Have you tried uninstalling the Acronis? I will pass this thread on for a second opinion and see if someone else has any other suggestions.
    Thanks for being patient.
    abri
     
  19. louvega

    louvega Private E-2

    Abri,

    No problem at all! Thank you so much for putting in the effort with this one and sticking with me! :D

    Yes, I think a second opinion would be a good thing also - not to demean anything we've done so far but just that a third set of eyes might see something we missed.

    Again, I appreciate all the help and maybe I won't have anything after all.

    Lou
     
  20. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    I think that you are looking for problems that you don't have and you are just installing and running too many specialized tools which are also loading and hooking in possibly hidden files themselves. You should uninstall all of these tools to avoid being confused by all the files and processes they are putting on your PC. The only hidden driver I wonder about is System32\Drivers\av6cmahz.SYS that was seen in a couple of logs including the GMER log. But it may have something to do with a SCSI driver. You could try to locate this file and put it into a ZIP file to attach here (if possible) so we could look at it. We may be able to determine what it is for (that is assuming you can find it).

    A while back you said this:
    This is no more an issue than the other items that it showed. Like the below:
    Code:

    ar3puar4.SYS       0xF6DE4000            421888     ???
    daemon.dll         0x10000000            999424     ???
    dump_atapi.sys     0xF56BD000            98304      ???
    dump_WMILIB.SYS    0xF7DB3000            8192       ???
    RKREVEAL150.SYS    0xF7D4B000            8192       ???
    srescan.sys        0xF78CF000            45056      ???

    Just because they have question marks, it does not mean they are bad or that they are rootkits. None of these are issues.

    Also the fact that you see different .SYS file names appearing (like an34yhrb.sys and then ar3puar4.sys) could just indicate temporary file names being used by all the tools you are loading and using to look for rootkits (which by the way you do not have). SysProt was even able to tell you this SystemRoot\System32\Drivers\ar3puar4.SYS which RootkitHookAnalyzer showed as ???. SysProt also indicated that the file was not hidden and a rootkit would be hidden.


    I would however recommend uninstalling the cracked version of Acronis and any keygens and also uninstalling any other cracked/illegal software which could also contain unwanted malware.
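    The point chaslang makes above (a "???" description is not evidence of a rootkit, and a driver whose random-looking name changes on every reboot while scanners are installed is consistent with the tools' own temporary drivers) can be checked mechanically. The script below is an added example, not something posted in this thread or shipped by any of the tools named here: it parses module listings in the layout quoted above, classifies each entry, and compares two constructed snapshots standing in for two consecutive boots. The dump_ rule reflects how Windows names its crash-dump copies of storage drivers; the eight-character name pattern is an assumption drawn from the names reported in this thread.

    ```python
    """Triage module listings of the kind quoted in this thread (name, base, size, description)."""
    import re
    from dataclasses import dataclass

    # Constructed listings in the thread's table layout. BOOT_2 differs from BOOT_1 only in the
    # randomly named driver, mimicking what the poster saw after each reboot.
    BOOT_1 = """\
    ar3puar4.SYS       0xF6DE4000            421888     ???
    daemon.dll         0x10000000            999424     ???
    dump_atapi.sys     0xF56BD000            98304      ???
    dump_WMILIB.SYS    0xF7DB3000            8192       ???
    RKREVEAL150.SYS    0xF7D4B000            8192       ???
    srescan.sys        0xF78CF000            45056      ???
    """
    BOOT_2 = BOOT_1.replace("ar3puar4.SYS", "ankibo8a.sys")

    LINE_RE = re.compile(r"^(\S+)\s+(0x[0-9A-Fa-f]+)\s+(\d+)\s+(.*)$")
    # Assumed pattern: eight letters/digits before .sys, the shape of the names the scanner
    # reported here (an34yhrb, ar3puar4, ankibo8a). Matching it is a prompt to compare
    # across reboots, not a verdict.
    RANDOM_NAME_RE = re.compile(r"^[a-z0-9]{8}\.sys$", re.IGNORECASE)


    @dataclass(frozen=True)
    class Module:
        name: str
        base: int
        size: int
        description: str


    def parse_listing(text):
        """Turn the whitespace-separated table into Module records, skipping non-matching lines."""
        modules = []
        for line in text.splitlines():
            m = LINE_RE.match(line.strip())
            if m:
                modules.append(Module(m.group(1), int(m.group(2), 16), int(m.group(3)), m.group(4).strip()))
        return modules


    def classify(mod):
        """Explain what a listing entry does and does not tell you."""
        if mod.name.lower().startswith("dump_"):
            return "windows crash-dump copy of a storage driver"
        if RANDOM_NAME_RE.match(mod.name):
            return "random-looking name: compare across reboots before acting"
        if mod.description == "???":
            return "no description from the tool: unknown, not inherently bad"
        return "described"


    def compare_boots(first, second):
        """Names present on both boots are stable; names seen on only one boot are transient."""
        names1 = {m.name.lower() for m in first}
        names2 = {m.name.lower() for m in second}
        return {"stable": sorted(names1 & names2), "transient": sorted(names1 ^ names2)}
    ```

    Run against real listings, a transient name that disappears once the scanners are uninstalled supports the "tool temp driver" explanation; a name that persists or a stable driver with no known owner is what deserves the ZIP-and-attach request made above.
    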
     
  21. louvega

    louvega Private E-2

    Hmm... ok. Sorry to have you repeat yourself but I'm not exactly sure - the repeated hidden .sys files in system32\drivers are nothing to worry about then? Even if I uninstalled all the testing progs?
     
  22. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    That's correct. Just because a file is hidden or is marked as a system file and is also hidden, it does not make it a bad file. As I said in my last message, you could put any of these files you see into a ZIP file and attach them here if you want us to look at them, but right now I don't see anything that is definitely a problem. You do have to realize though that this is not a 100% guarantee. New malware comes out everyday. And old malware constantly evolves to make things more difficult for us to detect and remove them.

    Do you have any symptoms on your PC that make you believe you have malware?
     
  23. louvega

    louvega Private E-2

    Well, mainly the repeated hard drive activity light, microsecond bursts at approx. 5 minute intervals when there is no action on the computer and the shutdown after I used that keygen and the MBR being scanned as "inaccessible" in the first AVG anti-rootkit scan after the shutdown.
     
  24. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Any software that is running at startup can still be accessing the drive. You don't have to be doing anything yourself. I would ask what the below could be doing at any given time:

    • GiganewsAccelerator.exe - see this GIGANEWSACCELERATOR.EXE - Prevx
    • C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
    • C:\Program Files\Acronis\TrueImageHome\TrueImageMonitor.exe
    • C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe
    • C:\Program Files\Acronis\TrueImageHome\TimounterMonitor.exe
    • C:\Program Files\DAEMON Tools\daemon.exe
    That is why I said to uninstall this program since it could potentially still cause you problems.
     
  25. abri

    abri MajorGeek

    Hi louvega,

    TimW found a thread with someone reporting something similar to what you reported with the AVG Antirootkit scan turning up a driver with a new name each time. I read through this carefully and it seems that AVG identifying a file that changes its name with each bootup is related to the installation of Acronis. The poster in that case was asked to remove a driver called sptd.sys which is used by Alcohol and Daemon Tools, to remove Acronis and to remove a file which belonged to Tuneup Utilities, all of which ultimately led to AVG Antirootkit no longer identifying a hidden file. However, ALL of the above were legitimate files, so this led me once again to believe that AVG Antirootkit is identifying something valid. I don't know if you removed Acronis in the meantime, but you might try it.

    The behavior you describe of something blinking reminds me of something which AVG antivirus used to do on my own computer at bootup. It would blink an invisible window and then it would be gone. You might also try uninstalling AVG Antirootkit, simply to see if this takes away the blinking you've been noticing.

    abri
     
  26. louvega

    louvega Private E-2

    Hey, you guys are really helpful! I appreciate all the suggestions - it really alleviates my concern - just one last question - The only thing that concerns me at this point then is the reboot when I clicked that keygen - did I possibly escape infection somehow? Maybe nothing installed then or it didn't "take", so to speak?
     
  27. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    If you are so concerned about this then you should be doing what we suggested and uninstall this and any other illegal/cracked software and keygens. Otherwise you are always at risk.
     
    Last edited: Oct 12, 2007
  28. louvega

    louvega Private E-2

    Yes, thank you. Absolutely! I'm going to remove all that stuff immediately. I appreciate all the help.
     
  29. abri

    abri MajorGeek

    Hi louvega!
    The following are our standard clean-up instructions just to get the tools back out that we used to clean up your computer: All software makes a change to your computer. The best advice I can give is to set a restore point before you install anything, as going back to a previous restore point can save you a lot of trouble! Your thread was interesting. Do take the time to read How to protect yourself from malware, as it's a nice read and has some good tips in it that everyone can use. Also, if you're interested in computers in general, visit our other forums. It's fun just to roam there.

    abri
     
