I was scanning with AVG Anti-Rootkit Free and it found akhqsz8o.sys in C:\windows\system32\drivers (hidden driver file). Should I delete this, or is it legitimate? Nothing in Google.
It would probably be worthwhile taking a moment to inspect the file itself (i.e. is there an associated description/vendor, last modified date, etc., that type of info), focus on precisely what AVG is stating (exactly what message is provided), get a second opinion, and so on before pulling the trigger on an action. Blue
Thanks for answering. Panda Anti-Rootkit 1.08 did not find anything. Also, there is no more information I can see about this file in AVG. I heard that some security software sometimes hides some files to deceive malware; could this be a file from some security software? Currently I am using Avira Free AV, Webroot DF, AVG Anti-Spyware 7.5, A2, SUPERAntiSpyware and AVG Anti-Rootkit, but also many others in the past, like OA, ZA, NOD and Outpost.
As with any pair (or collection) of products, when there is a disagreement on status, it can be due to either a false positive, a missed sample, or a disagreement on classification. In any event, it's useful to probe deeper by, for example, explicitly forwarding the sample to AVG with a question of whether or not it is a false positive.

By "more information" I was referring to navigating to the file in question and explicitly examining it (select > right click > Properties; what do you see?). Well, depending upon how you've configured your system, system files may be hidden.

That's a lot of stuff. The other thing that can happen is that files get left behind during previous cleaning or from past removals (AV, purposeful uninstalls, etc.), so stuff can be floating around on your system not being used and get flagged sometime in the future for a variety of reasons. Blue
Hi. But the problem is I do not see the file in Explorer or Total Commander (I checked "show all hidden and system files"). However, it changes its name after a reboot (now it is: C:\WINDOWS\System32\Drivers\ab6qlyk8.SYS, hidden driver file), so it seems to be alive, not a leftover. And it behaves exactly the way a security application would to mislead malware. Maybe you know if Avira does so? (The names of the files start with "a", so...)
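As an added example (not from the thread, and not a Daemon Tools, AVG or RKU tool), here is how Blue's advice to check a driver's vendor, description and last-modified date can be done for the whole drivers directory at once from PowerShell, with the Authenticode signature status added and the on-disk list cross-checked against the drivers the Service Control Manager has registered. The final section prints the situation described in the follow-up post: a driver the system knows about whose image file cannot be seen from user mode. One caveat a practitioner should keep in mind: a helper driver loaded by another driver rather than through its own service entry shows up in neither view, which is why the kernel-level comparisons done by dedicated anti-rootkit tools are still needed.

```powershell
# Added example, not code from the original thread.
# Lists every .sys under System32\drivers with vendor, description,
# last write time and Authenticode status, then cross-checks that list
# against the drivers the Service Control Manager (SCM) has registered.
$driverDir = Join-Path $env:SystemRoot 'System32\drivers'

# Service image paths are stored in kernel form (\??\C:\..., \SystemRoot\...,
# or relative to the Windows directory); normalise them to Win32 paths.
function Resolve-DriverPath([string]$p) {
    $p = $p -replace '^\\\?\?\\', ''
    $p = $p -replace '^\\SystemRoot\\', "$env:SystemRoot\"
    if ($p -notmatch '^[A-Za-z]:\\') { $p = Join-Path $env:SystemRoot $p }
    return $p
}

# SCM view: every kernel / file-system driver service, keyed by image file name.
$registered = @{}
foreach ($d in Get-CimInstance Win32_SystemDriver) {
    if ($d.PathName) {
        $full = Resolve-DriverPath $d.PathName
        $registered[[IO.Path]::GetFileName($full).ToLower()] = @{ Service = $d; Path = $full }
    }
}

# Disk view: what user mode can actually enumerate in the drivers directory.
# -Force includes hidden/system files; a rootkit-hidden file still will not appear.
$onDisk = Get-ChildItem -Path $driverDir -Filter *.sys -Force -File
$report = foreach ($f in $onDisk) {
    $sig = Get-AuthenticodeSignature -FilePath $f.FullName
    $reg = $registered[$f.Name.ToLower()]
    [PSCustomObject]@{
        Name        = $f.Name
        Company     = $f.VersionInfo.CompanyName
        Description = $f.VersionInfo.FileDescription
        LastWrite   = $f.LastWriteTime
        Signature   = $sig.Status
        Signer      = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
        Service     = if ($reg) { $reg.Service.Name } else { '(not registered)' }
        State       = if ($reg) { $reg.Service.State } else { '' }
    }
}

# Unsigned or vendor-less files with the newest write times deserve the closest look.
$report |
    Sort-Object Signature, @{ Expression = 'LastWrite'; Descending = $true } |
    Format-Table -AutoSize

# Hidden-driver check: the SCM says a driver exists (and may be running) but the
# image it points at is not visible to Test-Path. That mismatch between two views
# of the same object is the kind of discrepancy anti-rootkit scanners report.
Write-Host "`nRegistered drivers whose image file is not visible from user mode:"
foreach ($k in $registered.Keys) {
    $entry = $registered[$k]
    if (-not (Test-Path -LiteralPath $entry.Path)) {
        '{0,-20} {1,-8} {2}' -f $entry.Service.Name, $entry.Service.State, $entry.Path
    }
}
```

Run it from an elevated PowerShell prompt so that every service entry and file is readable. A legitimate vendor's driver normally shows a company name, a description and a valid signature; a file with none of those, a write time that matches the day the alert started, and a name that changes on every reboot is worth submitting to the vendor for a verdict, as suggested earlier in the thread, rather than deleting outright.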
Mhh, sounds like a suspicious rootkit. Please send us a copy of this renamed file: http://www.ewido.net/en/malware/
Can you tell me how to do it? I cannot see this file in Explorer (I checked "show all hidden and system files"). Also, in Safe Mode, nothing. And AVG Anti-Rootkit Free seems not to work in Safe Mode, so I do not know if the hidden file is there.
The hidden file scan did not show anything. However, the file is listed in the "Hidden drivers" section. RU cannot copy this file, though. The file is in the pictures. Is the file OK? I uploaded two pictures because I have two versions of RU and I want to ask some questions, because the original program site does not work. Is the program safe? The 501 version I downloaded from the Chip site and 509 from here: Rootkit Unhooker 3.7.300.509. Version 509 has a different menu, but is it the same program? Which version should I use? Is 509 the newest version?
Hi Feniks. Do you have Alcohol/Daemon Tools installed? Spdt.sys usually belongs to that software. Just noticed that your last post looks like you have found your culprit! LOL, Aigle, the OP beat me to it.
Yes, I have Daemon Tools 4.10. So that name-changing hidden driver belongs to Daemon Tools? It is legit then, correct?
Thank you all for your help. And I learned something new. It is definitely Daemon Tools related. Somebody had the same dilemma on another forum: AnandTech. And there is a discussion here at the Daemon Tools forum: "Daemon Tools rootkit?" Once again, thank you.
Hi aigle. So fcukdat was the person you asked for help. Thank you both. As you introduced me to RU, can you please answer the questions I had at the end of post 12? About the versions, which one to use, and whether the program is safe?
Yep, you need to visit the Sysinternals forums. See post no. 2 here: http://forum.sysinternals.com/forum_posts.asp?TID=12644 RKU is the best anti-rootkit tool available.