Drivers are critical in Windows because they run in kernel mode: a badly coded driver makes Windows unstable and causes crashes with the blue screen of death. Most of the time a driver file has a .sys extension. When someone uses the words "low-level", "kernel" or "ring0" in a Windows context, they are usually talking about a driver. For example, a low-level keylogger such as Elite Keylogger by Widestep uses a signed driver to capture keystrokes. Royal Hack, a well-known cheating tool for CounterStrike, uses a ring0 driver to avoid Valve Anti-Cheat (VAC) detection. Rootkits are a type of malware that use a driver to hide their presence and make detection difficult. A lot of security software, such as antivirus products, Zemana Anti-Logger and KeyScrambler Premium, also relies on drivers. As you can see, drivers are very powerful. Fortunately, writing a stable driver takes considerably more skill than ordinary application programming, and 64-bit editions of Windows since Vista refuse to load a driver that is not digitally signed, which raises the bar further.
There are quite a few powerful tools such as GMER that can be used to check for rootkits, but they can be confusing for normal or inexperienced computer users. One tool I can suggest you try is DriverView, created by Nir Sofer of NirSoft, who is well known for releasing useful tools that are free and portable.
Basically DriverView is a very small tool at only 33KB in size that lists all the drivers currently loaded in your Windows operating system. It shows a lot of useful information about the drivers such as the file name, company, product name, description, version, created and modified date, path, file type, service and display name.
The highlighted lines are driver files by Elite Keylogger and Invisible Keylogger Stealth
Most of the loaded drivers are from Microsoft and are generally stable and safe. You can shorten the list by clicking View on the menu bar and selecting Hide Microsoft Drivers, after which only third-party drivers are displayed. You can then investigate the non-Microsoft drivers for anything suspicious by searching for the file name in Google and uploading the file to VirusTotal, which scans it with dozens of antivirus engines. Do take note that DriverView cannot stop, remove or delete a driver; it only lists what is loaded.
On Windows 7 you will also notice three unknown drivers listed in DriverView: dump_dumpata.sys, dump_dumpfve.sys and dump_msahci.sys. If you right-click any of the three and select File Properties, you get an error popup saying "Windows cannot find C:\Windows\System32\Drivers\dump_msahci.sys. Make sure you typed the name correctly, and then try again".
These three entries are not rootkits or anything dangerous. They are in-memory copies of the storage stack (the ATA and AHCI drivers and the BitLocker full-volume-encryption filter) that Windows loads under the dump_ prefix so it can still write a memory dump to disk after a crash, which is why there is no matching file on disk. If you want them gone from the list, you can stop Windows from loading them by going to Control Panel > System > Advanced system settings > the Settings button under Startup and Recovery > the Write debugging information drop-down menu, and selecting (none). Click OK to close all the windows and restart your computer; the three drivers will no longer appear in DriverView. Bear in mind that this also means Windows will no longer save a memory dump when it crashes, so you lose the information that is most useful for diagnosing the crash.
As useful as DriverView is, after further testing I discovered that DriverView reads only the VERSIONINFO resource, the same information you see on the Details tab when you right-click a file and select Properties. It cannot read the name of the signer of the file's digital signature. VERSIONINFO is just a resource embedded in the file and is not protected by anything, so anyone can edit the company and product name of a malicious rootkit driver with a resource editor or a crypter, and DriverView will then believe it belongs to Microsoft and may even hide it when the "Hide Microsoft Drivers" option is enabled. The digital signature, by contrast, is tied to a certificate and breaks if the file is modified, which is why the signer rather than the company name is what you should trust. Obtaining a code signing certificate is not easy, and 64-bit Windows will not load an unsigned driver in its normal configuration, but 32-bit Windows still loads unsigned drivers without complaint. The animated screenshot below is proof that DriverView reads the VERSIONINFO but not the digital signature. Please refer back to the first screenshot to see the information displayed by DriverView for the RDPCDD2k.sys file.
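To do the check DriverView skips, the following PowerShell script lists the loaded kernel drivers and compares the VERSIONINFO company name (what DriverView shows) with the Authenticode signer. It is an added example written for this article, not code from DriverView or NirSoft. It assumes a Windows system with PowerShell 3 or later and uses only standard cmdlets (Get-CimInstance, Get-Item, Get-AuthenticodeSignature); the column names and the Suspicious rule are this example's own choices. A driver whose resource claims Microsoft but whose signature is missing, invalid or from someone else is flagged, and entries with no file on disk (such as the dump_*.sys copies above) are reported separately instead of causing errors. It can also serve as the "investigate the non-Microsoft drivers" step, since every non-flagged row still shows who actually signed the file.

```powershell
# Added example (not part of DriverView/NirSoft): cross-check the VERSIONINFO
# company name of every loaded driver against its Authenticode signer.
function Get-DriverSignerReport {
    $drivers = Get-CimInstance -ClassName Win32_SystemDriver |
        Where-Object { $_.State -eq 'Running' -and $_.PathName }

    foreach ($d in $drivers) {
        # PathName may be "C:\Windows\system32\drivers\x.sys", "\??\C:\..." or
        # "\SystemRoot\system32\drivers\x.sys"; normalise it to a plain path.
        $path = $d.PathName -replace '^\\\?\?\\', '' -replace '^\\SystemRoot', $env:SystemRoot

        if (-not (Test-Path -LiteralPath $path)) {
            # In-memory copies such as dump_msahci.sys have no file to inspect.
            [pscustomobject]@{
                Name = $d.Name; Path = $path; VersionCompany = '(no file on disk)'
                SigStatus = 'NoFile'; Signer = ''; Suspicious = $false
            }
            continue
        }

        # VERSIONINFO: unauthenticated, trivially editable with a resource editor.
        $vi  = (Get-Item -LiteralPath $path).VersionInfo
        # Authenticode: cryptographically tied to the file contents.
        $sig = Get-AuthenticodeSignature -FilePath $path
        $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '(unsigned)' }

        $claimsMicrosoft = $vi.CompanyName -like '*Microsoft*'
        $signedByMicrosoft = ($sig.Status -eq 'Valid') -and ($signer -like '*O=Microsoft Corporation*')

        [pscustomobject]@{
            Name           = $d.Name
            Path           = $path
            VersionCompany = $vi.CompanyName
            SigStatus      = $sig.Status
            Signer         = $signer
            # Claims to be Microsoft in VERSIONINFO but is not signed by Microsoft:
            # exactly the case DriverView would misreport or hide.
            Suspicious     = ($claimsMicrosoft -and -not $signedByMicrosoft)
        }
    }
}

# Show the flagged drivers first, then everything else for manual review.
$report = Get-DriverSignerReport
$report | Where-Object Suspicious | Format-Table Name, VersionCompany, SigStatus, Signer -AutoSize
$report | Sort-Object Suspicious -Descending | Format-Table Name, Path, SigStatus, Signer -AutoSize
```

One caveat: many inbox Microsoft drivers carry their signature in a catalog (.cat) file rather than embedded in the .sys, and on older systems Get-AuthenticodeSignature reports those as NotSigned. Treat a NotSigned result as "check further" rather than "malicious", and confirm with a catalog-aware tool such as Sysinternals Sigcheck before drawing conclusions.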
DriverView is free, portable and works on Windows 2000, Windows NT, Windows XP, Windows Vista, Windows 7, and Windows Server 2003/2008, both 32-bit and 64-bit.