For MVP: Trojan-horse associated with C:\WINDOWS\system32\wdmaud.s


Pat S.

Hi. My AntiVirus Grisoft (AVG) Free Edition 8.0, build 176 detected a Trojan
horse associated with the file C:\WINDOWS\system32\wdmaud.sys and I suppose
probably a restore-point file containing that file. Currently I have
Windows XP Home Edition Service Pack 3 and later Windows updates installed on
my computer. The "heal" option of AVG put those two files into the virus
vault of AVG, one by me and one automatically after I started an AVG scan of
my computer for "threats," as the AVG Free Edition calls computer malware.
Then I emptied the virus vault of AVG. According to the AVG instructions I
read and remember, after the heal option is selected to deal with the malware
either a) the infection is removed from the file or b), in the case that the
file itself is a virus, or perhaps malware, the file is moved to the virus
vault. So since that file was moved to the virus vault, one might conclude
that the file is a malware file. However, from the Internet I get the
impression that wdmaud.sys is likely in Windows XP and later service packs to
it, which contradicts what I wrote in the previous sentence! So I consider
two possible explanations: 1) The real Windows XP file wdmaud.sys became
infected with a Trojan horse. But the AVG Free Edition was unable to remove
that Trojan horse from the file and therefore moved the file to the virus
vault. 2) Someone made his or her own, "pure," Trojan-horse file and
purposely named it wdmaud.sys, the same name as a Microsoft Corporation file.

The next thing is how to obtain an uninfected copy of the real, Windows XP
file C:\WINDOWS\system32\wdmaud.sys. I attempted to obtain it by "Run sfc
/scannow". But after doing that I looked in Windows Explorer with hidden
files set to be shown and could not find C:\WINDOWS\system32\wdmaud.sys. I
wonder if the problem could be as simple as requiring a restart of my
computer in order to see C:\WINDOWS\system32\wdmaud.sys in Windows Explorer,
something I think I will try. But assuming that fails, what took place? I
assume I should obtain a good copy of C:\WINDOWS\system32\wdmaud.sys. How
should I obtain it?

Although my final question is now specific, the solution could help me with
a general solution on how to replace a single Windows-XP system file with an
uninfected and up-to-date version of it. Thanks in advance for your help.



PA Bear [MS MVP]

You'll find support for AVG Free-related issues here, Pat:


• C:\WINDOWS\system32\Drivers\wdmaud.sys <=this one is legit

• C:\WINDOWS\system32\wdmaud.sys <=this one is not!

If (1) AVG moved the file to the Vault, (2) you emptied the Vault, and (3)
your computer (including IE, Windows Update, and AVG's automatic or manual
updater) is working OK, you needn't do anything further.
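The distinction PA Bear draws is a location check: the same file name is legitimate in one folder and suspect in another. As an added example (not code from the thread or from AVG), here is a small triage script that walks a system32 tree, flags any file whose name matches a known driver but which sits outside that driver's expected subfolder, and records its SHA-256 so the flagged copy can be compared against a known-good reference. The only expected location it knows is the one stated in the reply above (wdmaud.sys belongs under system32\Drivers); everything else, including the directory tree it builds in a temporary folder, is constructed so the script runs on any OS.

```python
"""
Added example: flag files that carry a known driver name but sit outside
that driver's expected directory. The EXPECTED_DIRS mapping holds only the
entry from the thread; the demo tree is constructed, not a real system.
"""
import hashlib
import tempfile
from pathlib import Path

# Expected subdirectory of system32 for each driver name (lower-case).
# Only the thread's entry is included; add others only once verified.
EXPECTED_DIRS = {
    "wdmaud.sys": "drivers",
}


def sha256_of(path: Path) -> str:
    """Hash a file in chunks so large binaries do not get read into memory at once."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def find_misplaced(system32: Path) -> list[dict]:
    """Return one record per file whose name is in EXPECTED_DIRS but whose
    parent directory is not the expected one (relative to system32)."""
    findings = []
    for p in system32.rglob("*"):
        if not p.is_file():
            continue
        expected = EXPECTED_DIRS.get(p.name.lower())
        if expected is None:
            continue
        # "." means the file sits directly in system32 itself.
        actual_dir = p.parent.relative_to(system32).as_posix().lower()
        if actual_dir != expected:
            findings.append({
                "path": str(p),
                "expected": str(system32 / expected / p.name),
                "sha256": sha256_of(p),
            })
    return findings


def build_demo_tree() -> Path:
    """Constructed sample tree: one copy in Drivers (where the thread says the
    legit file lives) and one directly in system32, with different contents
    so the two hashes differ."""
    root = Path(tempfile.mkdtemp()) / "WINDOWS" / "system32"
    (root / "Drivers").mkdir(parents=True)
    (root / "Drivers" / "wdmaud.sys").write_bytes(b"constructed: expected-location copy")
    (root / "wdmaud.sys").write_bytes(b"constructed: misplaced copy")
    return root


if __name__ == "__main__":
    sys32 = build_demo_tree()
    for f in find_misplaced(sys32):
        print(f"SUSPECT  {f['path']}")
        print(f"  expected location: {f['expected']}")
        print(f"  sha256: {f['sha256']}")
```

A name-and-location check is only the first filter. On a live machine the next step for a flagged file is to verify its publisher signature (PowerShell's Get-AuthenticodeSignature does this) and to compare the recorded hash with the hash of a copy from trusted installation media, which is also how one confirms that the copy in the expected folder is itself intact.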
