Rootkit ?

I was scanning with AVG Anti-Rootkit Free an it found - akhqsz8o.sys in C:\windows\system32\drivers - hidden driver file

Should I delete this or it is legal?

Nothing in Google.

 

It would probably be worthwhile taking a moment to inspect the file itself (i.e. is there an associated description/vendor, last modified date, etc., that type of info), focus on precisely what AVG is stating (exactly what message is provided), get a second opinion, and so on before pulling the trigger on an action.

Blue

 

Thanks for answering.

Panda Anti-Rootkit 1.08 did not find anything. Also there is no more information I can see about this file in AVG.

I heard that some security software sometimes hidden some files to deceive malware, could be that some file of some security software?

Currently I am using Avira free AV, WebrootDF, AVG Antispyware 7.5, A2, Superantispyware, AVG antirootkit but also many in past. like OA, ZA, NOD, Outpost.

 

As with any pair (or collection) of products, when there is a disagreement on status, it can be due to either a false positive, missed sample, or disagreement on classification. In any event, it's useful to probe deeper by, for example, explicitly forwarding the sample to AVG with a question of whether or not it is a false positive. By more information I was referring to navigating to the file in question and explicitly examining it (select>right click>Properties, what do you see)

Well, depending upon how you've configured your system, system files may be hidden

That's a lot of stuff. The other thing that can happen is that files get left behind during previous cleaning or from past removals (AV, purposeful uninstalls, etc.), so stuff can be floating around on your system not being used and get flagged sometime in the future for a variety of reasons.

Blue

 

Hi.

But the problem is I do not see the file in explorer or Total Commander (I check to show all hidden and system files).

However it change its name after reboot (now is: C:\WINDOWS\System32\Drivers\ab6qlyk8.SYS,Hidden driver file) so seem is alive not leftover. And behave exactly the way security application should to mislead malware. Maybe you know if avira is doing so? (names of file started from a so... )

 

Mhh sounds like a suspicious Rootkit, please send us a copy of this renamed file:
http://www.ewido.net/en/malware/

 

Can you tell me how to do it?

I can not see this file in explorer (I check to show all hidden and system files).

Also in safe mode nothing. And AVG Anti-Rootkit Free seems to not working in safe mode so I do not know if the hidden file is there.

 

If you cannot locate this file, then please remove it by using the AVG Anti-Rootkit Scanner.

 

Use IceSword,s file explorer to copy the file via right click.

 

I checked is not there.

 

Run a hidden files scan by RootKit unhooker please.

 

Hidden file scan did not show anything. However the file is listed in Hidden drivers section. However RU can not copy this file.

The file is on pictures. Is the file OK?

I upload two pictures because I have two versions of RU and I want to ask questions becuse the original program site do not work.

Is the program safe? The 501 version I downloaded fro Chip site and 509 from here:

Rootkit Unhooker 3.7.300.509

The version 509 have different menu but it is the same program?

Which version should I use?

Is 509 the newest version?

 

I PMed someone to have a look on this thread. If he is not busy, u will get a good help soon.

 

By the way there is some reference to spdt.exe which is from Daemon Tools (virtual dvd drive).

 

Hi Feniks

Do you have Alcohol/Daemon tools installed ?

Spdt.sys belongs to that software usually

Just noticed that last post looks like you have found your culprit!
LOL, Aigle the OP beat me to it

 

Yes I have Daemon Tools 4.10. So that changing name hidden driver belongs to Daemon Tools? Is legit then correct?

 

It is a legitimate driver.

[/panic off now ]

 

Thank you all people for your help. And I learn something new.

It is definitively Daemon Tools related. Somebody had same dilemma on other forum:

AnandTech

And discussion here at Daemon Tools forum:

Daemon Tools rootkit?

Once again thank you.

 

Thanks fcukdat for ur prompt attention.

 

Hi aigle.

So fcukdat was this person you ask for help. Thank you both.

AS you introduce me to RU can you please answer these questions I had in end of post 12? About the versions which one and if the program is safe?

 

yep

U need to visit sysinternals forums. See post no.2 here.

http://forum.sysinternals.com/forum_posts.asp?TID=12644

RKU is the best antirootkit tool available.

 

Another thanks to you aigle.

All clear and solved.

 

U are welcome.