Rootkit ?

Discussion in 'ewido anti-spyware forum' started by feniks, Nov 17, 2007.

Thread Status:
Not open for further replies.
  1. feniks

    feniks Registered Member

    Joined:
    Sep 30, 2007
    Posts:
    130
    I was scanning with AVG Anti-Rootkit Free and it found akhqsz8o.sys in C:\windows\system32\drivers - hidden driver file.

    Should I delete this, or is it legal?

    Nothing in Google.
     
  2. BlueZannetti

    BlueZannetti Administrator

    Joined:
    Oct 19, 2003
    Posts:
    6,590
    It would probably be worthwhile taking a moment to inspect the file itself (i.e. is there an associated description/vendor, last modified date, etc., that type of info), focus on precisely what AVG is stating (exactly what message is provided), get a second opinion, and so on before pulling the trigger on an action.

    Blue
     
  3. feniks

    feniks Registered Member

    Joined:
    Sep 30, 2007
    Posts:
    130
    Thanks for answering.

    Panda Anti-Rootkit 1.08 did not find anything. Also there is no more information I can see about this file in AVG.

    I heard that some security software sometimes hides some files to deceive malware; could this be a file of some security software?

    Currently I am using Avira free AV, WebrootDF, AVG Antispyware 7.5, A2, Superantispyware, AVG Anti-Rootkit, but also many in the past. :) Like OA, ZA, NOD, Outpost.
     
  4. BlueZannetti

    BlueZannetti Administrator

    Joined:
    Oct 19, 2003
    Posts:
    6,590
    As with any pair (or collection) of products, when there is a disagreement on status, it can be due to a false positive, a missed sample, or a disagreement on classification. In any event, it's useful to probe deeper by, for example, explicitly forwarding the sample to AVG with a question of whether or not it is a false positive. By more information I was referring to navigating to the file in question and explicitly examining it (select > right click > Properties; what do you see?).

    Well, depending upon how you've configured your system, system files may be hidden.

    That's a lot of stuff. The other thing that can happen is that files get left behind during previous cleaning or from past removals (AV, purposeful uninstalls, etc.), so stuff can be floating around on your system not being used and get flagged sometime in the future for a variety of reasons.

    Blue
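    Added example, not from any post in this thread: a PowerShell triage script that does the inspection Blue describes (vendor, description, version, last modified date, signature, hash) and cross-checks the reported driver name against the registered driver services, so a leftover file can be told apart from a driver that is loaded but hidden from the normal file API. It assumes Windows PowerShell 5.1 run as Administrator, and that the name passed in is the one from the scanner report.

```powershell
# Added triage helper (not from any post in this thread). Assumes Windows PowerShell 5.1
# running as Administrator, and that $DriverName is the file name from the scanner report.
param(
    [Parameter(Mandatory = $true)]
    [string]$DriverName   # e.g. 'akhqsz8o.sys'
)

$base = [IO.Path]::GetFileNameWithoutExtension($DriverName)
$path = Join-Path "$env:SystemRoot\System32\drivers" $DriverName

# 1. Control-plane view: which registered driver services reference this file?
$services = @(Get-CimInstance Win32_SystemDriver |
    Where-Object { $_.PathName -like "*\$DriverName" -or $_.Name -eq $base })

if ($services.Count -eq 0) {
    Write-Output "No driver service references $DriverName (possible leftover or transient name)."
} else {
    $services | Select-Object Name, State, StartMode, PathName | Format-List
}

# 2. File-API view: the facts worth reading off the file before acting on it.
if (Test-Path -LiteralPath $path) {
    $item   = Get-Item -LiteralPath $path -Force      # -Force: include hidden/system files
    $sig    = Get-AuthenticodeSignature -FilePath $path
    $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '(unsigned)' }
    [PSCustomObject]@{
        Company     = $item.VersionInfo.CompanyName
        Description = $item.VersionInfo.FileDescription
        Version     = $item.VersionInfo.FileVersion
        LastWrite   = $item.LastWriteTime
        Signature   = $sig.Status
        Signer      = $signer
        SHA256      = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
    } | Format-List
} else {
    # A service that is Running while its file is invisible to the normal file API is the
    # pattern described in this thread: the file is hidden, not missing.
    Write-Output "$path is not visible through the file API."
    $running = @($services | Where-Object { $_.State -eq 'Running' })
    if ($running.Count -gt 0) {
        Write-Output "A driver service using it is Running ($($running.Name -join ', ')): hidden, not gone."
    }
}
```

    Run it once per name the scanner reports; if the name changes across reboots, as it did in this thread, the service list is the stable handle to compare between runs.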
     
  5. feniks

    feniks Registered Member

    Joined:
    Sep 30, 2007
    Posts:
    130
    Hi.

    But the problem is I do not see the file in Explorer or Total Commander (I checked the option to show all hidden and system files). o_O

    However, it changes its name after a reboot (now it is: C:\WINDOWS\System32\Drivers\ab6qlyk8.SYS, hidden driver file), so it seems to be alive, not a leftover. And it behaves exactly the way a security application should to mislead malware. Maybe you know if Avira is doing so? (The file names start with "a", so... :) )
     
  6. karl.ewido

    karl.ewido former ewido team

    Joined:
    Dec 9, 2005
    Posts:
    236
    Location:
    Germany
  7. feniks

    feniks Registered Member

    Joined:
    Sep 30, 2007
    Posts:
    130
    Can you tell me how to do it? :doubt:

    I cannot see this file in Explorer (I checked the option to show all hidden and system files).

    Also in safe mode nothing. And AVG Anti-Rootkit Free seems not to work in safe mode, so I do not know if the hidden file is there.
     
  8. karl.ewido

    karl.ewido former ewido team

    Joined:
    Dec 9, 2005
    Posts:
    236
    Location:
    Germany
    If you cannot locate this file, then please remove it by using the AVG Anti-Rootkit Scanner.
     
  9. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    Use IceSword's file explorer to copy the file via right click.
     


  10. feniks

    feniks Registered Member

    Joined:
    Sep 30, 2007
    Posts:
    130
    I checked; it is not there. o_O
     
  11. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    Run a hidden files scan by RootKit unhooker please.
     
  12. feniks

    feniks Registered Member

    Joined:
    Sep 30, 2007
    Posts:
    130
    The hidden file scan did not show anything. However, the file is listed in the Hidden Drivers section. However, RU cannot copy this file.

    The file is in the pictures. Is the file OK?

    I uploaded two pictures because I have two versions of RU, and I want to ask questions because the original program site does not work.

    Is the program safe? Version 501 I downloaded from the Chip site and 509 from here:

    Rootkit Unhooker 3.7.300.509

    Version 509 has a different menu, but is it the same program?

    Which version should I use?

    Is 509 the newest version?
     


  13. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    I PMed someone to have a look at this thread. If he is not busy, u will get good help soon.
     
  14. feniks

    feniks Registered Member

    Joined:
    Sep 30, 2007
    Posts:
    130
    By the way there is some reference to spdt.exe which is from Daemon Tools (virtual dvd drive).
     
  15. fcukdat

    fcukdat Registered Member

    Joined:
    Feb 20, 2005
    Posts:
    569
    Location:
    England,UK
    Hi Feniks

    Do you have Alcohol/Daemon tools installed ?

    Spdt.sys belongs to that software usually :)

    Just noticed that the last post looks like you have found your culprit!
    LOL, Aigle, the OP beat me to it :D
     
  16. feniks

    feniks Registered Member

    Joined:
    Sep 30, 2007
    Posts:
    130
    Yes, I have Daemon Tools 4.10. So that name-changing hidden driver belongs to Daemon Tools? It is legit then, correct?
     
  17. fcukdat

    fcukdat Registered Member

    Joined:
    Feb 20, 2005
    Posts:
    569
    Location:
    England,UK
    It is a legitimate driver.

    [/panic off now:thumb: ]
     
  18. feniks

    feniks Registered Member

    Joined:
    Sep 30, 2007
    Posts:
    130
    Thank you all for your help. And I learned something new.

    It is definitively Daemon Tools related. Somebody had the same dilemma on another forum:

    AnandTech

    And discussion here at Daemon Tools forum:

    Daemon Tools rootkit?

    Once again thank you. :) :thumb:
     
  19. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    Thanks fcukdat for ur prompt attention.
     
  20. feniks

    feniks Registered Member

    Joined:
    Sep 30, 2007
    Posts:
    130
    Hi aigle.

    So fcukdat was the person you asked for help. Thank you both.

    As you introduced me to RU, can you please answer the questions I had at the end of post 12? About the versions, which one, and if the program is safe?
     
  21. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    yep
    U need to visit sysinternals forums. See post no.2 here.

    http://forum.sysinternals.com/forum_posts.asp?TID=12644

    RKU is the best antirootkit tool available.
     
  22. feniks

    feniks Registered Member

    Joined:
    Sep 30, 2007
    Posts:
    130
    Another thanks to you aigle. :thumb: :)

    All clear and solved.
     
  23. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    U are welcome.
     