Windows Vista Tips > Newsgroups > Windows Vista General Discussion
Oh-Oh! AVG says I have a rootkit!

 
 
SwampYankee
07-19-2008
Hi,
During my weekly scan AVG is reporting a hidden driver that is probably a
rootkit. Name and location is C:\Windows\System32\Drivers\ahsybpwc.sys.
ahsybpwc.sys turns up nothing on Google. I tried to have AVG remove it
but it says that it is protected. Let's assume that this is a bad thing.
How do I manually remove this thing? The only thing that comes to mind is
booting an Ubuntu CD to memory and then deleting it manually. Any chance
that this is something I need, or any suggestions on how to kill it?
Thanks
 
 
 
 
 
Dave-UK
07-19-2008


"SwampYankee" <> wrote in message news:MPG.22ec3005b7e6aba79896b1@localhost...
> Hi,
> During my weekly scan AVG is reporting a hidden driver that is probably a
> rootkit. Name and location is C:\Windows\System32\Drivers\ahsybpwc.sys.
> ahsybpwc.sys turns up nothing on Google. I tried to have AVG remove it
> but it says that it is protected. Let's assume that this is a bad thing.
> How do I manually remove this thing? The only thing that comes to mind is
> booting an Ubuntu CD to memory and then deleting it manually. Any chance
> that this is something I need, or any suggestions on how to kill it?
> Thanks


Download Autoruns:
http://technet.microsoft.com/en-us/s.../bb963902.aspx

Run it, agree to the license, select Options > Hide Microsoft entries, click the refresh button,
find the driver, then right-click it and delete.



 
 
Censored Syndrome
07-19-2008
"SwampYankee" <> wrote in message
news:MPG.22ec3005b7e6aba79896b1@localhost...
> Hi,
> During my weekly scan AVG is reporting a hidden driver that is probably a
> rootkit. Name and location is C:\Windows\System32\Drivers\ahsybpwc.sys.
> ahsybpwc.sys turns up nothing on Google. I tried to have AVG remove it
> but it says that it is protected. Let's assume that this is a bad thing.
> How do I manually remove this thing? The only thing that comes to mind is
> booting an Ubuntu CD to memory and then deleting it manually. Any chance
> that this is something I need, or any suggestions on how to kill it?
> Thanks



Try deleting it in Safe Mode.

ss.


 
 
SwampYankee
07-19-2008
In article <X7ydnVUEM->,
says...
> http://technet.microsoft.com/en-us/s.../bb963902.aspx
>

Thanks, but it did not help. The driver is hidden, so I don't think it
shows in the tool, even though I told Explorer to show hidden system
files.
 
 
DrTeeth
07-19-2008
On Sat, 19 Jul 2008 18:08:56 -0400, SwampYankee <> wrote:

>Hi,
>During my weekly scan AVG is reporting a hidden driver that is probably a
>rootkit. Name and location is C:\Windows\System32\Drivers\ahsybpwc.sys.
>ahsybpwc.sys turns up nothing on Google. I tried to have AVG remove it
>but it says that it is protected. Let's assume that this is a bad thing.
>How do I manually remove this thing? The only thing that comes to mind is
>booting an Ubuntu CD to memory and then deleting it manually. Any chance
>that this is something I need, or any suggestions on how to kill it?
>Thanks


It is not a rootkit, and the file name is very suspicious. Try
starting in Safe Mode and deleting it from there. I bet that you
will find another .sys file recreated with another random filename.
Deleting the file will not help; you will need to find the registry
keys and the hidden program that creates the .sys file.

You need Spybot (latest version 1.6) to get rid of it and I found
Super Anti-Spyware also helpful when similarly infected. You may have
to run these and AVG in safe mode.

Even if the programs that I have recommended do not remove the
malware, they should at least give you a name with which to Google.

Good luck!
--

Cheers,

DrT

** Stress - the condition brought about by having to
** resist the temptation to beat the living daylights
** out of someone who richly deserves it.
 
 
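What Autoruns shows in its Drivers tab can also be pulled out by hand, which helps in the two situations raised above: the driver is hidden from Explorer (SwampYankee's follow-up), and deleting the file alone does nothing because the service key that loads it is still there (DrTeeth's point). The script below is an added example, not code from the thread, from AVG or from Sysinternals. It assumes Windows PowerShell 2.0 or later running from an elevated prompt, and the registry layout under HKLM\SYSTEM\CurrentControlSet\Services that Vista uses; the function names are this example's own, not any tool's API.

```powershell
# Added example (not from the thread). Windows PowerShell 2.0+, elevated.
# Enumerates every kernel/file-system driver service the way Autoruns'
# Drivers tab does, resolves the file it loads, checks its Authenticode
# signature, flags random-looking names such as ahsybpwc.sys, and finally
# compares two views of the drivers directory. Caveat: a kernel-mode rootkit
# that hooks file enumeration can lie to this script as well, so confirm any
# "clean" result from Safe Mode or an offline boot.

# Driver ImagePath values come in several forms; normalise them to C:\... .
function Resolve-DriverImagePath {
    param([string]$ImagePath, [string]$ServiceName)
    if (-not $ImagePath) {
        # No ImagePath at all: the loader falls back to System32\drivers\<name>.sys
        return "$env:SystemRoot\System32\drivers\$ServiceName.sys"
    }
    $p = $ImagePath.Trim('"')
    $p = $p -replace '^\\\?\?\\', ''                         # \??\C:\x.sys  -> C:\x.sys
    $p = $p -replace '^\\SystemRoot\\', "$env:SystemRoot\"   # \SystemRoot\x -> C:\Windows\x
    if ($p -notmatch '^[A-Za-z]:\\') { $p = "$env:SystemRoot\$p" }  # system32\drivers\x.sys
    return $p
}

# Eight random lowercase letters is a weak signal on its own (legitimate
# drivers normally carry a vendor or function name); treat a hit as a reason
# to look, not as proof. -cmatch keeps the test case-sensitive.
function Test-RandomLookingName {
    param([string]$FileName)
    return [bool]($FileName -cmatch '^[a-z]{8}\.sys$')
}

function Get-DriverInventory {
    foreach ($key in Get-ChildItem 'HKLM:\SYSTEM\CurrentControlSet\Services') {
        $svc = Get-ItemProperty -LiteralPath $key.PSPath -ErrorAction SilentlyContinue
        # Type 1 = kernel driver, 2 = file-system driver; other values are user-mode services
        if (-not $svc -or ($svc.Type -ne 1 -and $svc.Type -ne 2)) { continue }
        $path   = Resolve-DriverImagePath -ImagePath $svc.ImagePath -ServiceName $key.PSChildName
        $onDisk = Test-Path -LiteralPath $path
        $status = 'NoFile'; $signer = ''
        if ($onDisk) {
            $sig = Get-AuthenticodeSignature -FilePath $path
            $status = $sig.Status.ToString()
            if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }
        }
        New-Object PSObject -Property @{
            Service    = $key.PSChildName
            Start      = $svc.Start          # 0 boot, 1 system, 2 auto, 3 manual, 4 disabled
            Path       = $path
            OnDisk     = $onDisk
            SigStatus  = $status
            Microsoft  = [bool]($signer -match 'O=Microsoft Corporation')
            RandomName = (Test-RandomLookingName (Split-Path -Leaf $path))
        }
    }
}

# Cross-view check. Directory enumeration (Get-ChildItem, i.e. FindFirstFile)
# and a direct attribute query (Test-Path, i.e. GetFileAttributes) reach the
# kernel by different calls; a rootkit that hooks only one of them produces a
# file that one view sees and the other does not. A service that is not
# disabled but whose file neither view can see is the other thing to explain.
function Get-HiddenDriverCandidates {
    param($Inventory)
    $drvDir = "$env:SystemRoot\System32\drivers"
    $listed = @{}
    Get-ChildItem -LiteralPath $drvDir -Filter *.sys -Force |
        ForEach-Object { $listed[$_.Name.ToLower()] = $true }
    foreach ($d in $Inventory) {
        if ($d.Start -eq 4) { continue }
        $inDrvDir = $d.Path -like "$drvDir\*"
        $leaf = (Split-Path -Leaf $d.Path).ToLower()
        if (-not $d.OnDisk -or ($inDrvDir -and -not $listed.ContainsKey($leaf))) { $d }
    }
}

$inv = Get-DriverInventory
'=== Not signed by Microsoft (see note on catalog signing) ==='
$inv | Where-Object { -not $_.Microsoft } | Sort-Object Service |
    Format-Table Service, Start, SigStatus, Path -AutoSize
'=== Random-looking file names ==='
$inv | Where-Object { $_.RandomName } | Format-Table Service, Start, Path -AutoSize
'=== Enabled driver whose file is missing from at least one view ==='
Get-HiddenDriverCandidates $inv | Format-Table Service, Start, OnDisk, Path -AutoSize
```

Two caveats when reading the output. Most of Windows' own inbox drivers are catalog-signed (the signature lives in a .cat file rather than in the .sys), and older PowerShell versions do not consult catalogs, so the first table will list many legitimate Microsoft drivers as NotSigned; sigverif.exe does honour catalogs and is the better confirmation for any single file. Second, once the script has given you a service name rather than just a file name, disable the service first (sc config <name> start= disabled), reboot into Safe Mode, and only then delete the file and the key (sc delete <name>); removing the file while its service is still set to load is exactly the case where a loader can put it back.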
Kayman
07-19-2008
On Sat, 19 Jul 2008 18:08:56 -0400, SwampYankee wrote:

> Hi,
> During my weekly scan AVG is reporting a hidden driver that is probably a
> rootkit. Name and location is C:\Windows\System32\Drivers\ahsybpwc.sys.
> ahsybpwc.sys turns up nothing on Google. I tried to have AVG remove it
> but it says that it is protected. Let's assume that this is a bad thing.
> How do I manually remove this thing? The only thing that comes to mind is
> booting an Ubuntu CD to memory and then deleting it manually. Any chance
> that this is something I need, or any suggestions on how to kill it?
> Thanks


Rootkit removal applications.
The effectiveness of individual rootkit removal applications varies widely,
and it is recommended to use a collection of detection/removal tools. You
are encouraged to try all of them (join relevant fora for additional support,
i.e. interpretation of scan results):

DarkSpy
http://www.antirootkit.com/software/DarkSpy.htm
http://www.antirootkit.com/forums/viewforum.php?f=18

F-Secure BlackLight (Download Trial)
http://www.f-secure.com/blacklight/
http://www.antirootkit.com/forums/viewforum.php?f=13

GMER - is an application that detects and removes rootkits.
http://www.gmer.net/index.php
http://antirootkit.com/forums/index....81ffe4361c3a17

IceSword
http://www.antirootkit.com/software/IceSword.htm
http://www.antirootkit.com/forums/index.php

RAIDE
http://www.rootkit.com/project.php?id=33
download:
http://www.rootkit.com/vault/petersi...IDE_BETA_1.zip
http://www.rootkit.com/boardm.php

Rootkit Revealer
http://www.microsoft.com/technet/sys...tRevealer.mspx
http://forum.sysinternals.com/forum_topics.asp?FID=15

RootKit Hook Analyzer
http://www.softpedia.com/get/Securit...Analyzer.shtml
http://www.resplendence.com/hookanalyzer
http://www.antirootkit.com/forums/viewforum.php?f=17

RootAlyzer
http://forums.spybot.info/showthread.php?t=24185
http://www.spybotupdates.com/files/rootalyz.zip

Sophos Anti-Rootkit - Free tool for rootkit detection and removal
http://www.sophos.com/products/free-...i-rootkit.html
Direct link:
http://www.sophos.com/support/cleaners/sarsfx.exe
http://www.techsupportforum.com/netw...i-rootkit.html

System Virginity Verifier
http://www.softpedia.com/get/System/...Verifier.shtml
http://www.antirootkit.com/software/...y-Verifier.htm
http://www.antirootkit.com/forums/viewforum.php?f=25

VICE
http://www.rootkit.com/project.php?id=20
download:
http://www.rootkit.com/vault/fuzen_op/vice.zip
http://www.rootkit.com/boardm.php

"Make sure you always read the current user instructions for your scanning
tools to see what special steps you need to take before, during and after
the clean-up process. Then, after you've found and cleaned a rootkit,
rescan the system once you reboot to double-check that it was fully cleaned
and the malware hasn't returned."

Avoiding Rootkit Infection.
"The rules to avoid rootkit infection are for the most part the same as
avoiding any malware infection however there are some special
considerations:
Because rootkits meddle with the operating system itself they *require*
full Administrator rights to install. Hence infection can be avoided by
running Windows from an account with *lesser* privileges" (LUA in XP and
UAC in Vista).

AntiHook
http://www.infoprocess.com.au/AntiHook.php

DiamondCS ProcessGuard
http://www.diamondcs.com.au/processguard/
http://www.diamondcs.com.au/processguard/download.php

Educational viewing!
Mark Russinovich - Advanced Malware Cleaning
http://www.microsoft.com/emea/spotli...px?videoid=359

Good luck
 
 
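DrTeeth expects the file to come back under another random name after it is deleted, and the advice Kayman quotes is to rescan after the reboot. A snapshot of the drivers directory taken before the cleanup and diffed after the reboot turns that rescan into a precise question: what appeared, what disappeared, and whether any new file is byte-for-byte the old driver under a new name. This is an added example, not code from the thread or from any of the tools listed above. It assumes Windows PowerShell 2.0 or later running elevated, and hashes with .NET's SHA-256 class directly so that it works without Get-FileHash, which only arrived in a later PowerShell; the path C:\drivers-before.csv in the usage comments is a placeholder.

```powershell
# Added example (not from the thread). Windows PowerShell 2.0+, elevated.
# Records a SHA-256 catalogue of every .sys file in the drivers directory and
# diffs it against a later catalogue, so a driver recreated under a new random
# name shows up as "added" (or as "renamed" when its bytes are unchanged).

function Get-DriverHashTable {
    param([string]$Dir = "$env:SystemRoot\System32\drivers")
    $sha = [System.Security.Cryptography.SHA256]::Create()
    $table = @{}
    foreach ($f in Get-ChildItem -LiteralPath $Dir -Filter *.sys -Force) {
        try {
            $stream = $f.OpenRead()
            try { $hex = ($sha.ComputeHash($stream) | ForEach-Object { $_.ToString('x2') }) -join '' }
            finally { $stream.Close() }
        } catch {
            $hex = 'UNREADABLE'   # a driver that denies even read access is itself worth a look
        }
        $table[$f.Name.ToLower()] = $hex
    }
    return $table
}

# Pure comparison of two catalogues, kept separate so it can also be run on
# two saved files without touching the live directory.
function Compare-DriverHashTable {
    param([hashtable]$Old, [hashtable]$New)
    $added = @(); $removed = @(); $changed = @(); $renamed = @()
    foreach ($k in $New.Keys) {
        if (-not $Old.ContainsKey($k))  { $added   += $k }
        elseif ($Old[$k] -ne $New[$k])  { $changed += $k }
    }
    foreach ($k in $Old.Keys) { if (-not $New.ContainsKey($k)) { $removed += $k } }
    # Same hash, different name: the regeneration behaviour DrTeeth describes.
    foreach ($r in $removed) {
        foreach ($a in $added) {
            if ($Old[$r] -ne 'UNREADABLE' -and $Old[$r] -eq $New[$a]) { $renamed += "$r -> $a" }
        }
    }
    New-Object PSObject -Property @{
        Added = $added; Removed = $removed; Changed = $changed; Renamed = $renamed
    }
}

function Save-DriverBaseline {
    param([string]$Path)
    $t = Get-DriverHashTable
    $t.GetEnumerator() | ForEach-Object { "$($_.Key),$($_.Value)" } | Set-Content -LiteralPath $Path
}

function Import-DriverBaseline {
    param([string]$Path)
    $t = @{}
    foreach ($line in Get-Content -LiteralPath $Path) {
        $name, $hash = $line -split ',', 2
        $t[$name] = $hash
    }
    return $t
}

# Usage (placeholder path). Before the cleanup and reboot:
#   Save-DriverBaseline 'C:\drivers-before.csv'
# After the reboot:
#   Compare-DriverHashTable -Old (Import-DriverBaseline 'C:\drivers-before.csv') `
#                           -New (Get-DriverHashTable) | Format-List
```

Keep the baseline file on removable media or another machine rather than on the suspect disk, since anything that can hide a driver can also edit a CSV. If the loader re-packs the driver on each run the Renamed list stays empty and the new file only appears under Added; combine that with the random-name check and the list of driver services to find which key is still pointing at it.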
Dave-UK
07-20-2008


"Kayman" <> wrote in message news:...
> On Sat, 19 Jul 2008 18:08:56 -0400, SwampYankee wrote:
>


> Rootkit Revealer
> http://www.microsoft.com/technet/sys...tRevealer.mspx
> http://forum.sysinternals.com/forum_topics.asp?FID=15
>


Rootkit Revealer does not work correctly on Vista.


 
 
Sinner
07-20-2008
You mean Vista isn't so secure that it doesn't need 3rd party security software?


"Dave-UK" <> wrote in message
news: ...
>
>
> "Kayman" <> wrote in message
> news:...
>> On Sat, 19 Jul 2008 18:08:56 -0400, SwampYankee wrote:
>>

>
>> Rootkit Revealer
>> http://www.microsoft.com/technet/sys...tRevealer.mspx
>> http://forum.sysinternals.com/forum_topics.asp?FID=15
>>

>
> Rootkit Revealer does not work correctly on Vista.
>
>



 
 
Dave-UK
07-20-2008


"Sinner" <> wrote in message news:loDgk.4317$...
> You mean Vista isn't so secure that it doesn't 3rd party security software?
>
>


You lost me there, Sinner man!

Rootkit Revealer works fine on XP, but Mark Russinovich has not updated
it to run on Vista yet. When it's run it sort of blanks out to its own hidden screen.
Also there are lots of false positive results.
I guess he's too busy with more important stuff at Microsoft!



 
 
SwampYankee
07-20-2008
In article <MPG.22ec3005b7e6aba79896b1@localhost>, says...
> Hi,
> During my weekly scan AVG is reporting a hidden driver that is probably a
> rootkit. Name and location is C:\Windows\System32\Drivers\ahsybpwc.sys.
> ahsybpwc.sys turns up nothing on Google. I tried to have AVG remove it
> but it says that it is protected. Let's assume that this is a bad thing.
> How do I manually remove this thing? The only thing that comes to mind is
> booting an Ubuntu CD to memory and then deleting it manually. Any chance
> that this is something I need, or any suggestions on how to kill it?
> Thanks
>

Looks like a false alarm. During the virus scan I was running an update
of Nero, which requires a number of restarts and then Nero auto-resumes.
Once that completed, the report disappeared.

Thanks though
 
 
 
 