Post by lanshark on Feb 6, 2022 1:36:54 GMT
On my desktop running W10 up-to-date, TDSS Killer today flagged sivx64.sys as "Suspicious" and "Forged" (see my attachment). The log did give me the "real" and "fake" MD5 and SHA256 checksums. I'd appreciate a kindly soul out there sending me the true versions of the checksums or maybe even checking 'em against my attachment and sending me the results.
Much obliged...
Post by siv on Feb 6, 2022 9:04:42 GMT
Post by lanshark on Feb 6, 2022 15:40:04 GMT
Thanks for your prompt and courteous reply.
I can't figure out how to get the version number of my current sivx64.sys, so I asked VirusTotal to scan it. The attached result says that the file is OK. Maybe you can figure out the version number from the date.
I also did a rootkit scan with MalwareBytes, which found nothing. And, for good measure, I ran DISM and SFC--with no issues found.
So, while my current version is apparently OK, is there a good reason for me to update to v5.62? If so, then it sticks in the back of my mind that replacing a system file isn't straightforward; isn't there a special procedure needed?
Post by siv on Feb 6, 2022 17:35:34 GMT
> I asked VirusTotal to scan it
> I can't figure out how to get the version number of my current sivx64.sys
> is there a good reason for me to update to v5.62?
> it sticks in the back of my mind that replacing a system file isn't straightforward; isn't there a special procedure needed?

A link to the VirusTotal scan information would be way more useful than a screen shot, especially so as VirusTotal will report the version, just press the details tab and you should see such as https://www.virustotal.com/gui/file/7e9079c4621ad492199eb542b9c7597b34f933e3245581e4fbc6330c83bf0ece/details
Another option is to from Windows Explorer Right/Click on SIVX64.sys and select Properties. A third option is to look at the SIV Menu->Help->SIV Lookup panel which will report all the SIV versions.
In general it's sensible to use the latest SIV release, but as I have no idea what release you currently have or what the system is there is no way I can make a compelling case. Post the initial SIV screen shot from your system.
Why do you think that a "system file" needs to be replaced? To update SIV get the latest release, exit the old SIV64X.exe, replace the old SIV files with the new ones and finally run the new SIV64X.exe
Post by lanshark on Feb 6, 2022 23:42:00 GMT
Thanks for the guidance.
I downloaded, then uploaded to VirusTotal a fresh copy of sivx64.sys, which said that the file was indeed v5.62 of sivx64.sys.
https://www.virustotal.com/gui/file/7e9079c4621ad492199eb542b9c7597b34f933e3245581e4fbc6330c83bf0ece
I then uploaded to VirusTotal a copy of what is on my pc, pretending to be sivx64.sys at C:/Windows/System32/drivers.
https://www.virustotal.com/gui/file/53a5f19dfd63f8980784bab9634bf547145a5bab660288bdcfd3c446ceaa9c04
The file name shown by VirusTotal in the second link is vbc7ui.dll, which I think has something to do with Visual Basic, which I don't use and has never been on my machine.
Hmmmmm...
Post by siv on Feb 7, 2022 9:07:17 GMT
> I then uploaded to VirusTotal a copy of what is on my pc, pretending to be sivx64.sys at C:/Windows/System32/drivers.
> https://www.virustotal.com/gui/file/53a5f19dfd63f8980784bab9634bf547145a5bab660288bdcfd3c446ceaa9c04
> The file name shown by VirusTotal in the second link is vbc7ui.dll, which I think has something to do with Visual Basic, which I don't use and has never been on my machine.

Looking at https://www.virustotal.com/gui/file/53a5f19dfd63f8980784bab9634bf547145a5bab660288bdcfd3c446ceaa9c04/details then clearly this is not an authentic Digitally Signed copy of SIVX64.sys and I have no idea where it came from. As it's not Digitally Signed then the SIV service should not be able to start, what do sc qc sivdriver + sc queryex sivdriver report? It should be similar to:

D:\SIV\DEV>sc queryex sivdriver

SERVICE_NAME: sivdriver
        TYPE               : 1  KERNEL_DRIVER
        STATE              : 4  RUNNING
                                (STOPPABLE, NOT_PAUSABLE, IGNORES_SHUTDOWN)
        WIN32_EXIT_CODE    : 0  (0x0)
        SERVICE_EXIT_CODE  : 0  (0x0)
        CHECKPOINT         : 0x0
        WAIT_HINT          : 0x0
        PID                : 0
        FLAGS              :

D:\SIV\DEV>sc qc sivdriver
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: sivdriver
        TYPE               : 1   KERNEL_DRIVER
        START_TYPE         : 3   DEMAND_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : \??\C:\WINDOWS\system32\Drivers\SIVX64.sys
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : SIV Kernel Driver
        DEPENDENCIES       :
        SERVICE_START_NAME :

D:\SIV\DEV>

Given the date of 2016-01-30 08:03:26 UTC then I did not even release a SIV on that date and the nearest is SIV Version 5.07 released on 14-Feb-2016, though it's possible there was a SIV V5.07 Beta. Either way when looking at the properties they should be similar to as below. I am starting to wonder if the only file you had was the fake SIVX64.sys, did you also have such as SIV64X.exe + SIVRES.dll and if so what their versions are? For me to sensibly comment further you need to post screen shots of the SIV initial screen and Menu->Help->SIV Lookup.
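The checks siv walks through above (what the sivdriver service actually points at, the file's version resource, its hash, and whether it carries a valid Authenticode signature) can be run from one PowerShell session. This is an added example, not code from the thread or from SIV's author; the service name sivdriver comes from the sc output above, and the expected SHA256 is a placeholder to be filled in from the genuine 5.62 release.

```powershell
# Added example: verify the installed SIV kernel driver from a defender's view.
# Assumes the service name 'sivdriver' (from the sc qc output in the thread).
# Placeholder: paste the SHA256 of the genuine SIVX64.sys from the release/VirusTotal.
$ExpectedSha256 = 'PUT-GENUINE-SIVX64-SHA256-HERE'

# 1. Ask the service database which image it loads, instead of guessing the path.
$svc = Get-CimInstance -ClassName Win32_SystemDriver -Filter "Name='sivdriver'" -ErrorAction SilentlyContinue
if (-not $svc) { Write-Warning "Service 'sivdriver' is not registered on this system"; return }

# Driver image paths are stored as \??\C:\... or \SystemRoot\...; normalise to a Win32 path.
$path = $svc.PathName -replace '^\\\?\?\\', '' -replace '^\\SystemRoot', $env:SystemRoot
"Service state : $($svc.State) (start mode $($svc.StartMode))"
"Image path    : $path"
if (-not (Test-Path -LiteralPath $path)) { Write-Warning "Driver file is missing"; return }

# 2. Version resource: a genuine driver reports its own name, not e.g. vbc7ui.dll.
$vi = (Get-Item -LiteralPath $path).VersionInfo
"File version  : $($vi.FileVersion)"
"Original name : $($vi.OriginalFilename)   company: $($vi.CompanyName)"
if ($vi.OriginalFilename -and $vi.OriginalFilename -notlike 'SIVX64*') {
    Write-Warning "OriginalFilename '$($vi.OriginalFilename)' does not look like the SIV driver"
}

# 3. Hash the file on disk and compare with the genuine release.
$hash = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
"SHA256        : $hash"
if ($hash -ne $ExpectedSha256.ToUpperInvariant()) {
    Write-Warning "SHA256 does not match the expected genuine file"
}

# 4. Authenticode: a legitimate kernel driver must carry a valid signature.
$sig = Get-AuthenticodeSignature -LiteralPath $path
"Signature     : $($sig.Status)"
if ($sig.Status -eq 'Valid') {
    "Signer        : $($sig.SignerCertificate.Subject)"
} else {
    Write-Warning "Driver is not validly signed: $($sig.StatusMessage)"
}
```

Running this from an elevated prompt avoids access-denied errors when hashing files under C:\Windows\System32\drivers.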
Post by lanshark on Feb 8, 2022 2:33:32 GMT
Thanks for hanging in with me on this.
In "C:\Users\John\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\siv", all of the system files, including sivx64.sys and siv64x.sys, have tags saying in part "...version 5.36.0.0, installed Mon, Jan 14, 2019...".
I'm ready to uninstall (through my Start Menu--SIV doesn't show on "Control Panel > All Control Panel Items > Programs and Features" or on my list of services)--what is apparently v.5.36 SIV and install v5.62. Do you foresee any issues with that?
BTW, why doesn't SIV show up in "Programs and Features"?
Post by siv on Feb 8, 2022 8:08:08 GMT
> For me to sensibly comment further you need to post screen shots of the SIV initial screen and Menu->Help->SIV Lookup.
> In "C:\Users\John\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\siv", all of the system files, including sivx64.sys and siv64x.sys, have tags saying in part "...version 5.36.0.0, installed Mon, Jan 14, 2019...".
> I'm ready to uninstall (through my Start Menu--SIV doesn't show on "Control Panel > All Control Panel Items > Programs and Features" or on my list of services)--what is apparently v.5.36 SIV and install v5.62. Do you foresee any issues with that? BTW, why doesn't SIV show up in "Programs and Features"?

- This location means the SIV files are all in the Windows Start menu which seems very strange as it's usual to put the SIV files in C:\Program Files\SIV\. I guess siv64x.sys is a typo and you mean siv64x.exe.
- SIV is not installed so you can't uninstall it and it's not listed in Programs and Features.
- Are the properties of "C:\Users\John\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\siv\sivx64.sys" similar to the ones in the screen shot I posted?
- Where is the screen shot I asked for?
- When you run the V5.36 siv64x.exe then what happens? Does the SIVX64.sys in C:\Windows\System32\drivers\ get replaced with the correct SIV driver and does the service start?

All in all your system seems a mess. Were it my system I would do as follows:
- Move all the files from C:\Users\John\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\siv\ to C:\Program Files\SIV\
- Use regedit to delete any SIV related subkeys in HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Windows Error Reporting\LocalDumps. By doing this when SIV64X is run a new entry will get created and DumpFolder will be C:\Program Files\SIV\.
- Create the shortcut C:\Users\John\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\siv\SIV64X that points to C:\Program Files\SIV\SIV64X.exe
- Confirm the SIV64X shortcut works.
- Generate and post the screen shots I asked for.
- Replace all the files in C:\Program Files\SIV\ with the ones from the SIV 5.62 release.
In general it's better to post screen shots rather than telling me what you see as I may notice things you have overlooked.