« previous next »
Pages: [1]

Author Topic: Is this malware? "\Driver\vmkbd @ Unknown (\SystemRoot\System32\drivers\watchdog  (Read 5205 times)

0 Members and 1 Guest are viewing this topic.

January 16, 2015, 04:25:12 PM

jayh

  • Newbie
  • Offline
  • *
  • 2
  • Reputation:
    0
    • View Profile
Is this malware? "\Driver\vmkbd @ Unknown (\SystemRoot\System32\drivers\watchdog
« on: January 16, 2015, 04:25:12 PM »
Hi All,

After running Roguekiller on my Vista SP2 64bit Dell Studio 1537 laptop, items were listed in RED under the Antirootkit tab, and listed in the Antirootkit section of the report.

¤¤¤ Antirootkit : 7 (Driver: Loaded) ¤¤¤

[Filter(Root.Keylogger)] \Driver\kbdclass @ \Device\KeyboardClass6 : \Driver\vmkbd @ Unknown (\SystemRoot\System32\drivers\watchdog.sys)
[Filter(Root.Keylogger)] \Driver\kbdclass @ \Device\KeyboardClass5 : \Driver\vmkbd @ Unknown (\SystemRoot\System32\drivers\watchdog.sys)
[Filter(Root.Keylogger)] \Driver\kbdclass @ \Device\KeyboardClass4 : \Driver\vmkbd @ Unknown (\SystemRoot\System32\drivers\watchdog.sys)
[Filter(Root.Keylogger)] \Driver\kbdclass @ \Device\KeyboardClass3 : \Driver\vmkbd @ Unknown (\SystemRoot\System32\drivers\watchdog.sys)
[Filter(Root.Keylogger)] \Driver\kbdclass @ \Device\KeyboardClass2 : \Driver\vmkbd @ Unknown (\SystemRoot\System32\drivers\watchdog.sys)
[Filter(Root.Keylogger)] \Driver\kbdclass @ \Device\KeyboardClass0 : \Driver\vmkbd @ Unknown (\SystemRoot\System32\drivers\watchdog.sys)

These are concerning as they are listed in RED.
When the cursor is hovered over them this message appears: "Critical - the item is malware and should be removed"

Researching on the web I found information that appears to show that Watchdog.sys is a Microsoft OS driver used to monitor thread usage of display drivers.

From http://msdn.microsoft.com/en-us/library/ff553890.aspx :
"In Microsoft Windows XP SP1 and later operating systems, GDI uses a watchdog timer to monitor the time that threads spend executing in the display driver. The watchdog defines a time threshold. If a thread spends more time in a display driver than the threshold specifies, the watchdog tries to recover by switching to VGA graphics mode."

And - the file properties appear to be properties of a legitimate Microsoft file.
See attached screenshot "Watchdog.sys properties.jpg"

Also the listings show "\Driver\vmkbd".
Does this mean virtual machine keyboard?
VMware Workstation is installed on this laptop.
Could these entries be related to the virtual machines created on this laptop, and therefore not harmful?

Should these entries be whitelisted?
Or -
Are these keyloggers? Are these malware? And should they be deleted?
Are there other steps that should be taken?

If they are malware could you please explain:
how you know that, what they are, and what most likely is the name of the malware that caused it.
And any other steps that should be taken.

Your help is greatly appreciated.
Thanks very much!
Logged
Reply #1January 18, 2015, 04:28:21 PM

Curson

  • Global Moderator
  • Hero Member
  • Offline
  • *****
  • 2809
  • Reputation:
    100
    • View Profile
Re: Is this malware? "\Driver\vmkbd @ Unknown (\SystemRoot\System32\drivers\watchdog
« Reply #1 on: January 18, 2015, 04:28:21 PM »
Hi jayh,

vmkbd is linked to VMWare products.
These entries are indeed false positives. This will be fixed in the next release of RogueKiller.

Thank you for bringing this issue to our attention.

Regards.
Logged
Pages: [1]
« previous next »