Posted By: androidi | Oct 28th, 2005 @ 11:23 PM
page 1 of 1
Comments: 1 | Views: 4533

My laptop had not shut down properly last night, so I decided to do some investigation into what suspicious services and drivers I have installed.

Ever encountered messages where Windows is waiting for "Sample" or "Proxy desktop" to shut down? (Ending program - Sample, Ending program - Proxy Desktop)

AFAIK I have no such things installed. The proxy desktop is apparently Microsoft's own undocumented thing, with only a single mention in the API docs. Very annoying that the ending program dialog doesn't bother to tell you anything about the source of the error (like the company name of "sample" or "proxy desktop") without a kernel mode debugger (since everything has shut down, only a kernel debugger can help here). (Obviously these do not appear in services, drivers or Process Explorer when the system is running.. Doh!)

I still have no idea what causes them to randomly appear; however, looking at the drivers installed, I found in WINDOWS\system32\drivers the following files with no company or any other information on them:

U3sHlpDr.sys -- No clue about this
tandpl.sys, enodpl.sys -- read on

While searching info on these "mystery drivers", I came across this interesting post.


Safedisc, Securom, Tages, VOB ProtectCD and most other commercial copy protections do install 'hidden' drivers:
- Secdrv is a driver installed by Safedisc
- UAService7.exe is a service installed by Securom 7 (I do not know if this protection installs a driver)
- Enodpl/Tandpl/Lemsgt/Hwpsgt are drivers installed by Tages
- SshDrvXX (where XX is a number) is a driver installed by ProtectCD
As you can see, almost all protections install "something" without your knowledge. But there is one big difference: the drivers installed by the protections apart from Starforce seem to be totally harmless. For example, I have never ever heard problems that were directly related to the Safedisc driver.

The Starforce drivers are getting worse each time they are being updated: the latest versions even prevent you from properly reading DPM info from CD/DVD media

Disappointing to find that games and licensed software are installing all sorts of suspiciously named drivers and services without information on who made them and what they are for. If you encountered a service named "LaMeNaMe", wouldn't you suspect spyware? I would, but there is some protection software using this kind of silly name.

What is it with some companies that they can't have their name on the driver/services? Must be afraid of getting sued.

It'll be interesting to see how many games fail to install due to lack of properly signed hidden drivers in Vista. Though I think MS will play along and make the hidden auto-installed drivers work as usual.

Karim
Trapped in a world he never made!
androidi wrote:
(Obviously these do not appear in services, drivers or process explorer when system is running.. Doh!)


Couple of suggestions - apologies if you know this stuff already:

Sometimes these nasty things are revealed when you go into Device Manager and select Show Hidden Devices from the View menu.  This will add a node to your device list called "Non Plug-and-Play Adapters."  Expand that and, if you have bogus drivers, you'll often see them there.

If you aren't sure what a specific driver does, you can right-click it, select Properties, click the Driver tab, then click the "Driver Details..." button.  That will show you the name & location of the file(s) associated with that driver.

Also, Security Task Manager is a great tool for finding hidden processes:

http://www.neuber.com/taskmanager/

It has saved the day more than once for me when helping someone dig malware out of their system.  Highly recommended.
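The same check can be scripted instead of clicking through Device Manager's hidden-device list and the Driver Details dialog. The following is an added example, not code from either poster or from any tool mentioned in the thread. It assumes Windows PowerShell 5.1 or later on Windows 8 or newer (where Get-AuthenticodeSignature also recognises catalog-signed Microsoft drivers) and an elevated prompt so every driver image is readable. It enumerates the driver services registered with the system (the same population Device Manager shows as non-Plug-and-Play drivers, whether or not they are currently loaded), resolves each image path, and flags exactly what the original post complains about: a driver file with no CompanyName in its version resource, or one whose image is unsigned or missing from disk.

```powershell
# Added example (not from the thread): list kernel-mode driver services and flag
# those whose image carries no CompanyName or no valid Authenticode signature.
# Assumed environment: Windows PowerShell 5.1+, elevated prompt, Windows 8 or newer.

$systemRoot = $env:SystemRoot

function Resolve-DriverPath {
    param([string]$PathName)
    if ([string]::IsNullOrWhiteSpace($PathName)) { return $null }
    $p = $PathName.Trim('"')
    # Driver service entries use several path forms; normalise the common ones
    # (\SystemRoot\..., \??\C:\..., system32\drivers\..., or a bare relative path).
    $p = $p -replace '^\\SystemRoot\\', "$systemRoot\"
    $p = $p -replace '^\\\?\?\\', ''
    $p = $p -replace '^system32\\', "$systemRoot\System32\"
    if (-not [System.IO.Path]::IsPathRooted($p)) { $p = Join-Path $systemRoot $p }
    return $p
}

function Get-DriverReport {
    # Win32_SystemDriver covers kernel and file-system driver services, including
    # stopped ones, so it also catches drivers that are not loaded right now.
    Get-CimInstance -ClassName Win32_SystemDriver | ForEach-Object {
        $file = Resolve-DriverPath $_.PathName
        $company = $null; $description = $null; $sigStatus = 'FileMissing'
        if ($file -and (Test-Path -LiteralPath $file)) {
            $vi = (Get-Item -LiteralPath $file).VersionInfo
            $company = $vi.CompanyName
            $description = $vi.FileDescription
            # SignatureStatus enum: Valid, NotSigned, HashMismatch, UnknownError, ...
            $sigStatus = (Get-AuthenticodeSignature -FilePath $file).Status.ToString()
        }
        [pscustomobject]@{
            Name        = $_.Name
            State       = $_.State
            StartMode   = $_.StartMode
            Path        = $file
            Company     = $company
            Description = $description
            Signature   = $sigStatus
            # Worth a closer look: no vendor name in the version resource, or an
            # image that is unsigned, tampered, or not where the service says it is.
            Suspicious  = ([string]::IsNullOrWhiteSpace($company) -or $sigStatus -ne 'Valid')
        }
    }
}

# Usage: show only the flagged drivers, sorted by service name.
Get-DriverReport | Where-Object Suspicious | Sort-Object Name |
    Format-Table Name, State, StartMode, Company, Signature, Path -AutoSize
```

A hit on this list is a lead, not a verdict: some legitimate vendors do ship drivers with empty version resources, as the thread's copy-protection examples show, so the Path column is there so you can check the file's origin (installer, timestamp, hash against the vendor's download) before deciding anything. Drop the Where-Object filter to see the full inventory, which is useful as a baseline to diff against after installing new software.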
Microsoft Communities