bongobill
Guest IP: 80.41.*.*
Posted: Sat Aug 25, 2007 4:21 pm Post subject: kdaiz.exe - rootkit?
A buddy has used AVG rootkit remover and found the file:
C:\WINDOWS\system32\kdaiz.exe
It's classed as a 'Hidden File' - Google doesn't find an explanation of this file anywhere.
Anyone got any ideas?
bb
PCBruiser
SRT Team Lead, Forums Admin
Joined: May 11, 2005 Posts: 11723
swatkat
Security Expert
Joined: Mar 04, 2005 Posts: 2039
Posted: Mon Aug 27, 2007 4:07 am Post subject:
Hi,
It could be related to the Zlob fake codec rootkit. To verify this, go to Start Menu > Run. Here, type regedit and press the Enter key. In the Registry Editor, navigate to the following key (by clicking the "+" symbols):
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Click on the above-mentioned Winlogon key to select it. Now, in the right-side pane of Registry Editor, there should be a value called System under the "Name" column. Please check what is in the "Data" column corresponding to this System value.
If you see kdaiz.exe in front of the System value, then it's the Zlob rootkit. Then, it's better to remove it using AVG Anti-Rootkit or any other anti-rootkit tools.
_________________
Only two things are infinite, the universe and human stupidity, and I'm not sure about the former.
- Albert Einstein
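An added example, not code from the thread or from any of the posters: a read-only PowerShell check that reads the Winlogon System value swatkat describes, and goes one step further by also checking the neighbouring Shell and Userinit values, which are hijacked in the same way. The expected stock values are assumptions noted in the code; run it from an elevated prompt on the machine being inspected.

```powershell
# Added example (not from the thread): read the Winlogon "System" value and flag
# anything that is not the stock default. Also checks Shell and Userinit, two
# neighbouring Winlogon values commonly hijacked. Read-only; changes nothing.

$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'

# Expected stock values (assumption: typical XP/Vista-era defaults).
$expected = @{
    'System'   = ''                                    # empty on a clean system
    'Shell'    = 'explorer.exe'
    'Userinit' = "$env:SystemRoot\system32\userinit.exe,"
}

function Test-WinlogonValue {
    param([string]$Name)
    $props = Get-ItemProperty -Path $winlogon -ErrorAction Stop
    $data  = [string]$props.$Name   # absent value -> $null -> ''

    $result = [ordered]@{ Name = $Name; Data = $data; Suspicious = $false; Note = '' }

    if ($data -ine $expected[$Name]) {
        $result.Suspicious = $true
        $result.Note = "differs from expected '$($expected[$Name])'"

        # Resolve the referenced file so the reader can see whether it exists on
        # disk and what attributes it carries (a hidden loader would show up here).
        $exe = ($data -split ',')[0].Trim()
        if ($exe -and -not [IO.Path]::IsPathRooted($exe)) {
            $exe = Join-Path "$env:SystemRoot\system32" $exe
        }
        if ($exe -and (Test-Path -LiteralPath $exe)) {
            $item = Get-Item -LiteralPath $exe -Force   # -Force lists hidden files
            $result.Note += "; file present, attributes=$($item.Attributes), size=$($item.Length)"
        } elseif ($exe) {
            $result.Note += "; referenced file not found (may be hidden from this view)"
        }
    }
    [pscustomobject]$result
}

foreach ($name in 'System', 'Shell', 'Userinit') {
    Test-WinlogonValue -Name $name
}
```

A row with Suspicious set to True and a bare executable name in Data is the condition swatkat describes; a file that the registry references but that the script cannot find is itself worth noting, since a rootkit hiding its own file produces exactly that gap.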
bongobill
Guest IP: 86.129.*.*
Posted: Mon Aug 27, 2007 4:21 pm Post subject: Kdaiz.exe upload to Unknown Files forum - extension error
Hi,
Sorry, but can't upload the suspect file because AVG Anti-Rootkit won't allow the saving of the file in a form the Unknown Files forum will accept.
Thanks to swatkat for your advice - appreciated - the file is as you describe. Will attempt removal.
Regards,
BB
bongobill
Guest IP: 86.129.*.*
Posted: Mon Aug 27, 2007 4:54 pm Post subject: AVG Anti-Rootkit removal failed
Hi,
AVG Anti-Rootkit reports that the rootkit has been deleted, but on re-scanning, it still finds the file kdaiz.exe exactly where it was before. I have performed this operation on the infected computer a couple of times and a scan still finds the file.
Any help appreciated,
BB
bongobill
Guest IP: 86.129.*.*
Posted: Mon Aug 27, 2007 5:31 pm Post subject: McAfee Rootkit remover renamed file
Hi again,
I've downloaded McAfee Rootkit Remover and it detected kdaiz.exe. I've sent a copy to McAfee and have renamed the file. Both McAfee and AVG rootkit removers now do not detect the file. Hopefully the problem is solved. It's been a persistent little devil!
Regards,
BB
swatkat
Security Expert
Joined: Mar 04, 2005 Posts: 2039
Posted: Tue Aug 28, 2007 5:17 pm Post subject:
Hi,
Glad to hear that you were able to remove the rootkit. To prevent such infections in future, you can take a look at the CastleCops Malware Re-Infection Prevention page here:
http://wiki.castlecops.com/Malware_Prevention:_Prevent_Re-infection
_________________
Only two things are infinite, the universe and human stupidity, and I'm not sure about the former.
- Albert Einstein