For MVP: Trojan-horse associated with C:\WINDOWS\system32\wdmaud.s

Posted: 01-18-2009, 10:27 PM
Hi. My AntiVirus Grisoft (AVG) Free Edition 8.0, build 176 detected a Trojan
horse associated with the file C:\WINDOWS\system32\wdmaud.sys and I suppose
probably a restore-point file containing that file. Currently I have
Windows XP Home Edition Service Pack 3 and later Windows updates installed on
my computer. The "heal" option of AVG put those two files into the virus
vault of AVG, one by me and one automatically after I started an AVG scan of
my computer for "threats," as the AVG Free Edition calls computer malware.
Then I emptied the virus vault of AVG. According to the AVG instructions I
read and remember, after the heal option is selected to deal with the malware
either a) the infection is removed from the file or b), in the case that the
file itself is a virus, or perhaps malware, the file is moved to the virus
vault. So since that file was moved to the virus vault, one might conclude
that the file is a malware file. However, from the Internet I get the
impression that wdmaud.sys is likely in Windows XP and later service packs to
it, which contradicts what I wrote in the previous sentence! So I consider
two possible explanations: 1) The real Windows XP file wdmaud.sys became
infected with a Trojan horse. But the AVG Free Edition was unable to remove
that Trojan horse from the file and therefore moved the file to the virus
vault. 2) Someone made his or her own, "pure," Trojan-horse file and
purposely named it wdmaud.sys, the same name as a Microsoft Corporation file.

The next thing is how to obtain an uninfected copy of the real, Windows XP
file C:\WINDOWS\system32\wdmaud.sys. I attempted to obtain it by "Run sfc
/scannow". But after doing that I looked in Windows Explorer with hidden
files set to be shown and could not find C:\WINDOWS\system32\wdmaud.sys. I
wonder if the problem could be as simple as requiring a restart of my
computer in order to see C:\WINDOWS\system32\wdmaud.sys in Windows Explorer,
something I think I will try. But assuming that fails, what took place? I
assume I should obtain a good copy of C:\WINDOWS\system32\wdmaud.sys. How
should I obtain it?

Although my final question is now specific, the solution could help me with
a general solution on how to replace a single Windows-XP system file with an
uninfected and up-to-date version of it. Thanks in advance for your help.


Responses to "For MVP: Trojan-horse associated with C:\WINDOWS\system32\wdmaud.s"

PA Bear [MS MVP]
Re: For MVP: Trojan-horse associated with C:\WINDOWS\system32\wdmaud.s
Posted: 01-18-2009, 10:42 PM
You'll find support for AVG Free-related issues here, Pat:
http://freeforum.avg.com/

FWIW:

• C:\WINDOWS\system32\Drivers\wdmaud.sys <=this one is legit

• C:\WINDOWS\system32\wdmaud.sys <=this one is not!

If (1) AVG moved the file to the Vault, (2) you emptied the Vault, and (3)
your computer (including IE, Windows Update, and AVG's automatic or manual
updater) is working OK, you needn't do anything further.
--
~Robear Dyer (PA Bear)
MS MVP-IE, Mail, Security, Windows Desktop Experience - since 2002
AumHa VSOP & Admin http://aumha.net
DTS-L http://dts-l.net/


 
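The check implied by the reply above (a driver name that belongs in system32\Drivers turning up directly in system32), as an added example that is not part of the original thread. It generalizes from wdmaud.sys to every file name in the Drivers folder; the function names and the sample directory tree are constructed for illustration.

```python
import hashlib
import os
import tempfile

def sha256_of(path):
    """Hash a file in chunks so large binaries are not loaded whole."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def find_misplaced_drivers(system32):
    """Return (path, identical_to_driver) for each file directly in `system32`
    whose name (compared case-insensitively) also exists in `system32/Drivers`."""
    drivers_dir = os.path.join(system32, "Drivers")
    drivers = {n.lower(): os.path.join(drivers_dir, n)
               for n in os.listdir(drivers_dir)}
    findings = []
    for name in sorted(os.listdir(system32)):
        full = os.path.join(system32, name)
        twin = drivers.get(name.lower())
        if twin and os.path.isfile(full) and os.path.isfile(twin):
            # Same name in the wrong folder: report it, and note whether it
            # is a byte-for-byte copy of the driver or different content.
            findings.append((full, sha256_of(full) == sha256_of(twin)))
    return findings

def build_sample_tree(root):
    """Constructed sample layout (not real Windows files) for an offline run."""
    system32 = os.path.join(root, "system32")
    os.makedirs(os.path.join(system32, "Drivers"))
    samples = {
        os.path.join("Drivers", "wdmaud.sys"): b"constructed driver bytes",
        os.path.join("Drivers", "kmixer.sys"): b"constructed driver bytes 2",
        "WDMAUD.SYS": b"constructed impostor bytes",  # same name, wrong folder
        "wdmaud.drv": b"constructed other file",      # different name: ignored
    }
    for rel, data in samples.items():
        with open(os.path.join(system32, rel), "wb") as f:
            f.write(data)
    return system32

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for path, identical in find_misplaced_drivers(build_sample_tree(tmp)):
            print(path, "identical copy" if identical else "content differs")
```

On a live system, pass the real system32 path (for example `C:\WINDOWS\system32`) to `find_misplaced_drivers` instead of the constructed tree.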