Drivers are very critical in Windows because a badly coded driver can make Windows unstable and cause crashes with the blue screen of death. Most of the time a driver file has a .sys extension. When someone uses the words “low-level”, “kernel” or “ring0” in Windows, it usually means a driver.
For example, a low-level keylogger such as Elite Keylogger by Widestep uses a signed driver to capture the keystrokes on your keyboard. Royal Hack, a famous cheating tool for CounterStrike, uses a ring0 driver to avoid Valve Anti-Cheat (VAC) detection. A rootkit is a type of malware that uses a driver to hide its existence and prevent it from being easily detected. A lot of security software such as antivirus, Zemana Anti-Logger and KeyScrambler Premium also use drivers. As you can see, drivers are very powerful, and fortunately writing one is not something that any programmer can do.
There are quite a few really powerful tools such as GMER that can be used to check for rootkits, but they can be a bit too confusing for normal or inexperienced computer users. One tool that I can suggest you try out is DriverView, created by Nir Sofer, who is famous for releasing useful tools that are free and portable.
Basically DriverView is a very small tool, only 33KB in size, that lists all the drivers currently loaded in your Windows operating system. It shows a lot of useful information about the drivers such as the file name, company, product name, description, version, created and modified date, path, file type, service and display name.

The highlighted lines are driver files by Elite Keylogger and Invisible Keylogger Stealth.
Most of the loaded drivers are by Microsoft and generally they are stable and safe. You can easily shorten the list by clicking on View in the menubar and selecting Hide Microsoft Drivers, after which only third party drivers will be displayed. Now you can investigate the non-Microsoft drivers to see if you have any possibly malicious drivers by searching for the file name in Google and uploading it to VirusTotal to have it scanned with 42 different antiviruses. Do take note that DriverView doesn’t have the ability to remove or delete the driver.
You should notice that there are 3 unknown drivers, dump_dumpata.sys, dump_dumpfve.sys and dump_msahci.sys, listed in DriverView on Windows 7. If you right click on any of the 3 drivers in DriverView and select File Properties, you will get an error popup saying “Windows cannot find C:\Windows\System32\Drivers\dump_msahci.sys. Make sure you typed the name correctly, and then try again”.
These 3 files are not rootkits or anything dangerous; they are related to creating memory dumps when Windows 7 crashes. You can easily stop the 3 unknown dump_dumpata.sys, dump_dumpfve.sys and dump_msahci.sys drivers from being loaded by going to Control Panel > System > Advanced system settings > clicking the Settings button under Startup and Recovery > clicking the drop down menu under Write debugging information and selecting (none). Click OK to close all the windows, restart your computer and the 3 drivers will no longer appear in DriverView.
As useful as DriverView is, after further testing I discovered that DriverView reads only the VERSIONINFO resource, which is what you see in the Details tab when you right click on a file and select Properties. It lacks the capability to read the name of the signer of the Digital Signature. One can easily edit a malicious rootkit driver’s file properties using a resource editor or a crypter, and DriverView will think that it belongs to Microsoft and possibly even hide it from being displayed when the “Hide Microsoft Drivers” option is enabled. Getting a digital code signing certificate, however, is not easy. The animated screenshot below is proof that DriverView reads the VERSIONINFO but not the digital signature. Please refer back to the first screenshot to see the information displayed by DriverView for the RDPCDD2k.sys file.
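Because DriverView trusts the VERSIONINFO company string rather than the Authenticode signer, a practitioner doing the VirusTotal/“Hide Microsoft Drivers” triage described above would want to see both fields side by side. The script below is an added example, not part of this article or of NirSoft’s tools; it assumes Windows PowerShell 3.0 or later, the built-in Win32_SystemDriver class and the Get-AuthenticodeSignature cmdlet, and it lists running kernel drivers with the VERSIONINFO company, the signature status, the signer subject and a SHA256 hash you can look up on VirusTotal. The hiding filter keys off the signer, never the company string, and a driver whose file is not on disk (the dump_*.sys case) is reported as FileMissing instead of being skipped.

```powershell
# Added example (not from the article or NirSoft): list running kernel drivers with
# VERSIONINFO company vs. Authenticode signer. Assumes Windows PowerShell 3.0+.

function Resolve-DriverPath {
    # Service PathName comes in several forms: "\SystemRoot\system32\drivers\x.sys",
    # "\??\C:\...\x.sys", "system32\DRIVERS\x.sys" or a plain absolute path.
    param([string]$PathName)
    if ([string]::IsNullOrWhiteSpace($PathName)) { return $null }
    $p = $PathName.Trim('"')
    $p = $p -replace '^\\\?\?\\', ''                    # strip NT "\??\" prefix
    $p = $p -replace '^\\SystemRoot', $env:SystemRoot   # expand \SystemRoot
    if ($p -notmatch '^[A-Za-z]:\\') { $p = Join-Path $env:SystemRoot $p }
    return $p
}

function Get-FileSha256 {
    # .NET hashing so the example does not need Get-FileHash (PowerShell 4.0+).
    param([string]$Path)
    $sha = [System.Security.Cryptography.SHA256]::Create()
    $bytes = $sha.ComputeHash([System.IO.File]::ReadAllBytes($Path))
    return ($bytes | ForEach-Object { $_.ToString('x2') }) -join ''
}

function Get-DriverSignerReport {
    param([switch]$HideMicrosoft)   # hide only drivers whose *signer* is Microsoft
    Get-CimInstance Win32_SystemDriver |
      Where-Object { $_.State -eq 'Running' } |
      ForEach-Object {
        $path = Resolve-DriverPath $_.PathName
        if (-not $path -or -not (Test-Path -LiteralPath $path)) {
            # Edge case from the article: dump_*.sys drivers have no file on disk,
            # so there is nothing to hash or verify; report it rather than drop it.
            return [pscustomobject]@{ Name = $_.Name; Path = $path; Company = $null
                                      Status = 'FileMissing'; Signer = $null; Sha256 = $null }
        }
        $sig     = Get-AuthenticodeSignature -FilePath $path
        $signer  = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
        $company = (Get-Item -LiteralPath $path).VersionInfo.CompanyName  # what DriverView shows
        [pscustomobject]@{ Name = $_.Name; Path = $path; Company = $company
                           Status = $sig.Status; Signer = $signer; Sha256 = (Get-FileSha256 $path) }
      } |
      Where-Object { -not $HideMicrosoft -or $_.Signer -notlike '*O=Microsoft Corporation*' }
}

# Usage: everything that is not Microsoft-signed, unsigned entries first.
Get-DriverSignerReport -HideMicrosoft | Sort-Object Status, Name | Format-Table -AutoSize
```

Two caveats when reading the output: many in-box Windows drivers are catalog-signed rather than embedded-signed, so on older systems Get-AuthenticodeSignature can report NotSigned for a legitimate Microsoft file, and a Valid status only says who signed the file, not that it is benign (the article’s own keylogger example ships a signed driver). Treat a Company of “Microsoft Corporation” paired with a non-Microsoft or absent signer as the thing worth investigating.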
DriverView is free, portable and works on Windows 2000, Windows NT, Windows XP, Windows Vista, Windows 7, and Windows Server 2003/2008, both 32-bit and 64-bit.
Download DriverView
Nirsoft has developed a lot of tools, from passview to wincrashreport. You can easily check the cause of a blue screen with bluescreenview, also developed by nirsoft. I don’t believe in using 3rd party tools until and unless they really make things interesting for me, like the realtek creative mod (try it and you’ll know the difference).
Thanks a lot for the info. I visited the nirsoft website and discovered a lot of useful stuff there.
P.S.: Nirsofer also publishes *ServiWin*:
“ServiWin allows you to easily stop, start, restart, pause, and continue service or driver, change the startup type of service or driver (automatic, manual, disabled, boot or system), save the list of services and drivers to file, or view HTML report of installed services/drivers in your default browser.”
nirsoft.net/utils/serviwin.html
Nice article, as usual. I’ve used Nirsofer’s unique utilities for years, including DriverView. I especially like that you can signup to be notified by RSS when an update is available for any of his scores of tools. It would be nice if DriverView included the ability to uninstall unused drivers, too.
I have found six-or-seven Comodo drivers left-over on my system, even though I uninstalled their internet-security software months ago. I’ve tried AppRemover, AV Uninstall Tools Pack with no success. Revo does not detect anything either.
Can you suggest a way to *safely* uninstall/delete these left-overs? Since, besides Email Signing Certificates, I have no other Comodo products installed, will I “break” anything if I simply delete the files?
Thanks.
Thanks Raymond. Using this nifty little program I was able to track down a leftover driver from Comodo Backup Utility (vdbus.sys). I then used Sysinternals’ AutoRuns to double check and consequently disabled it. When I’m satisfied that all is good I’ll delete it from the system and any registry entry found by AutoRuns.