Windows Vista Tips


unhiding a file, maybe a rootkit

 
 
SwampYankee

 
      08-09-2008
Hi,
My AVG antivirus is finding a file and suggesting it is a rootkit. When
I try and remove it via AVG it says it can't. The file's name is
a362urwu.sys and it resides in c:/windows/system32/drivers. I have
unhidden all files including system files and I am unable to see it from
a command prompt. Is there some other attribute that could be unset that
would allow me to see this file? How could I delete it?
thanks
 
Mick Murphy

 
      08-09-2008
To be on the safe side, run Spybot Search & Destroy in Safe Mode on your
System.
All info below.

http://www.spybot.info/en/index.html

Spybot Search & Destroy 1.6 is a very good, FREE Anti-Spyware Program.
Download, install, update, and immunize your System with it.
Then SCAN with it.
Update it, and scan your System once a fortnight.

Important re: Safe Mode
If you happen to find a problem that you can’t uninstall / delete, reboot
the computer, and go into Safe Mode.
To get into Safe mode, tap F8 right at Power On / Startup, and use UP arrow
key to get to Safe Mode from list of options, then hit ENTER.
RESCAN your computer with Avast (or your AV) and Spybot S & D while in Safe
Mode.

--
Mick Murphy - Qld - Australia


"SwampYankee" wrote:

> Hi,
> My AVG antivirus is finding a file and suggesting it is a rootkit. When
> I try and remove it via AVG it says it can't. The file's name is
> a362urwu.sys and it resides in c:/windows/system32/drivers. I have
> unhidden all files including system files and I am unable to see it from
> a command prompt. Is there some other attribute that could be unset that
> would allow me to see this file? How could I delete it?
> thanks
>

Richard G. Harper

 
      08-09-2008
If you truly have a rootkit on your PC, the best thing to do now is back up
essential files and settings while you can, then wipe and restore the PC to
factory-new condition or reinstall Windows, whichever applies. By design
rootkits cannot be removed from the PC while it's running - they take over
the operating system and prevent you from getting to them or
eradicating/cleaning them.

--
Richard G. Harper [MVP Shell/User]
* NEW! Catch my blog ... http://msmvps.com/blogs/rgharper/
* PLEASE post all messages and replies in the newsgroups
* The Website - http://rgharper.mvps.org/


"SwampYankee" <> wrote in message
news:MPG.2307c6bf7e6843969896b6@localhost...
> Hi,
> My AVG antivirus is finding a file and suggesting it is a rootkit. When
> I try and remove it via AVG it says it can't. The file's name is
> a362urwu.sys and it resides in c:/windows/system32/drivers. I have
> unhidden all files including system files and I am unable to see it from
> a command prompt. Is there some other attribute that could be unset that
> would allow me to see this file? How could I delete it?
> thanks


Dave-UK

 
      08-09-2008


"SwampYankee" <> wrote in message news:MPG.2307c6bf7e6843969896b6@localhost...
> Hi,
> My AVG antivirus is finding a file and suggesting it is a rootkit. When
> I try and remove it via AVG it says it can't. The file's name is
> a362urwu.sys and it resides in c:/windows/system32/drivers. I have
> unhidden all files including system files and I am unable to see it from
> a command prompt. Is there some other attribute that could be unset that
> would allow me to see this file? How could I delete it?
> thanks


Well, if AVG found it the AVG rootkit remover should be able to remove it.
http://www.brothersoft.com/avg-anti-...ree-60621.html


Wingwong Woo

 
      08-09-2008
"Richard G. Harper" <> wrote in
news:uZ4ZUem#:

> If you truly have a rootkit on your PC, the best thing to do now is
> back up essential files and settings while you can, then wipe and
> restore the PC to factory-new condition or reinstall Windows,
> whichever applies. By design rootkits cannot be removed from the PC
> while it's running - they take over the operating system and prevent
> you from getting to them or eradicating/cleaning them.
>


I would run another rootkit detector first though, because it could be a
false positive. I've had AVG do that before. F-Prot has a free rootkit
detector and so does Panda Software. Avast has a boot-time scanner that
should detect it too. If this is a known rootkit file then why does a
Google search for "a362urwu.sys" come up empty?
Kayman

 
      08-10-2008
On Sat, 9 Aug 2008 16:23:19 -0400, SwampYankee wrote:

> Hi,
> My AVG antivirus is finding a file and suggesting it is a rootkit. When
> I try and remove it via AVG it says it can't. The file's name is
> a362urwu.sys and it resides in c:/windows/system32/drivers. I have
> unhidden all files including system files and I am unable to see it from
> a command prompt. Is there some other attribute that could be unset that
> would allow me to see this file? How could I delete it?
> thanks


Rootkit Removal applications.
The effectiveness of individual rootkit removal applications varies
widely, and it is recommended to utilize a collection of
detection/removal tools; you are encouraged to try all of them (join
relevant fora for additional support, i.e. interpretation of scan results):

DarkSpy
http://www.antirootkit.com/software/DarkSpy.htm
http://www.antirootkit.com/forums/viewforum.php?f=18

F-Secure BlackLight (Download Trial)
http://www.f-secure.com/blacklight/
http://www.antirootkit.com/forums/viewforum.php?f=13

GMER - an application that detects and removes rootkits.
http://www.gmer.net/index.php
http://antirootkit.com/forums/index....81ffe4361c3a17

IceSword
http://www.antirootkit.com/software/IceSword.htm
http://www.antirootkit.com/forums/index.php

RAIDE
http://www.rootkit.com/project.php?id=33
download:
http://www.rootkit.com/vault/petersi...IDE_BETA_1.zip
http://www.rootkit.com/boardm.php

Rootkit Revealer
http://www.microsoft.com/technet/sys...tRevealer.mspx
http://forum.sysinternals.com/forum_topics.asp?FID=15

RootKit Hook Analyzer
http://www.softpedia.com/get/Securit...Analyzer.shtml
http://www.antirootkit.com/forums/viewforum.php?f=17

RootKit Hook Analyzer
http://www.resplendence.com/hookanalyzer
http://www.antirootkit.com/forums/viewforum.php?f=17

RootAlyzer
http://forums.spybot.info/showthread.php?t=24185
http://www.spybotupdates.com/files/rootalyz.zip

Sophos Anti-Rootkit - Free tool for rootkit detection and removal
http://www.sophos.com/products/free-...i-rootkit.html
Direct link:
http://www.sophos.com/support/cleaners/sarsfx.exe
http://www.techsupportforum.com/netw...i-rootkit.html

System Virginity Verifier
http://www.softpedia.com/get/System/...Verifier.shtml
http://www.antirootkit.com/forums/viewforum.php?f=25

System Virginity Verifier
http://www.antirootkit.com/software/...y-Verifier.htm
http://www.antirootkit.com/forums/viewforum.php?f=25

VICE
http://www.rootkit.com/project.php?id=20
download:
http://www.rootkit.com/vault/fuzen_op/vice.zip
http://www.rootkit.com/boardm.php

"Make sure you always read the current user instructions for your scanning
tools to see what special steps you need to take before, during and after
the clean-up process. Then, after you've found and cleaned a rootkit,
rescan the system once you reboot to double-check that it was fully cleaned
and the malware hasn't returned."

Avoiding Rootkit Infection.
"The rules to avoid rootkit infection are for the most part the same as
avoiding any malware infection; however, there are some special
considerations:
Because rootkits meddle with the operating system itself they *require*
full Administrator rights to install. Hence infection can be avoided by
running Windows from an account with *lesser* privileges" (LUA in XP and
UAC in Vista).

AntiHook
http://www.infoprocess.com.au/AntiHook.php

DiamondCS ProcessGuard
http://www.diamondcs.com.au/processguard/
http://www.diamondcs.com.au/processguard/download.php

Educational viewing!
Mark Russinovich - Advanced Malware Cleaning
http://www.microsoft.com/emea/spotli...px?videoid=359
Dave-UK

 
      08-10-2008


"SwampYankee" <> wrote in message news:MPG.2307c6bf7e6843969896b6@localhost...
> Hi,
> My AVG antivirus is finding a file and suggesting it is a rootkit. When
> I try and remove it via AVG it says it can't. The file's name is
> a362urwu.sys and it resides in c:/windows/system32/drivers. I have
> unhidden all files including system files and I am unable to see it from
> a command prompt. Is there some other attribute that could be unset that
> would allow me to see this file? How could I delete it?
> thanks


I thought I'd have a look at the free AVG rootkit tool I quoted
http://www.brothersoft.com/avg-anti-...ree-60621.html

I downloaded it and ran it. It found a hidden driver, awonbkrx.sys
This file was not shown by Explorer, Autoruns or cmd.exe.
So I decided to let the program remove it which it did.
It says you have to reboot to complete the process so after rebooting
a message appears telling me that the rootkit has been removed and would I like
to have permanent protection by going to the AVG website and installing AVG software.
I selected no and ran the program again to check that the "rootkit" had been removed.
Guess what, another rootkit found, avnrd3e1.sys.
Every time you get rid of one the program finds another! Amazing.

Screen shots:
http://www.admin1.myzen.co.uk/


So I wouldn't worry too much about what AVG antivirus tells you. You would be better off uninstalling it.


Not Me

 
      08-10-2008
"Dave-UK" <> wrote in message
news:cp-...
>
>
> "SwampYankee" <> wrote in message
> news:MPG.2307c6bf7e6843969896b6@localhost...
>> Hi,
>> My AVG antivirus is finding a file and suggesting it is a rootkit. When
>> I try and remove it via AVG it says it can't. The file's name is
>> a362urwu.sys and it resides in c:/windows/system32/drivers. I have
>> unhidden all files including system files and I am unable to see it from
>> a command prompt. Is there some other attribute that could be unset that
>> would allow me to see this file? How could I delete it?
>> thanks

>
> I thought I'd have a look at the free AVG rootkit tool I quoted
> http://www.brothersoft.com/avg-anti-...ree-60621.html
>
> I downloaded it and ran it. It found a hidden driver, awonbkrx.sys
> This file was not shown by Explorer, Autoruns or cmd.exe.
> So I decided to let the program remove it which it did.
> It says you have to reboot to complete the process so after rebooting
> a message appears telling me that the rootkit has been removed and would I
> like
> to have permanent protection by going to the AVG website and installing
> AVG software.
> I selected no and ran the program again to check that the "rootkit" had
> been removed.
> Guess what, another rootkit found, avnrd3e1.sys.
> Every time you get rid of one the program finds another! Amazing.
>
> Screen shots:
> http://www.admin1.myzen.co.uk/
>
>
> So I wouldn't worry too much about what AVG antivirus tells you. You would
> be better off uninstalling it.


It's also possible that it is reinstalling when you reboot or it wasn't
completely removed.
Rootkits are notoriously difficult to remove.

--
A Professional Amateur...If anyone knew it all, none of us would be here!

Change Alpha to Numeric to reply


Kayman

 
      08-10-2008
On Sat, 9 Aug 2008 19:05:14 -0600, Not Me wrote:

> "Dave-UK" <> wrote in message
> news:cp-...
>>
>>
>> "SwampYankee" <> wrote in message
>> news:MPG.2307c6bf7e6843969896b6@localhost...
>>> Hi,
>>> My AVG antivirus is finding a file and suggesting it is a rootkit. When
>>> I try and remove it via AVG it says it can't. The file's name is
>>> a362urwu.sys and it resides in c:/windows/system32/drivers. I have
>>> unhidden all files including system files and I am unable to see it from
>>> a command prompt. Is there some other attribute that could be unset that
>>> would allow me to see this file? How could I delete it?
>>> thanks

>>
>> I thought I'd have a look at the free AVG rootkit tool I quoted
>> http://www.brothersoft.com/avg-anti-...ree-60621.html
>>
>> I downloaded it and ran it. It found a hidden driver, awonbkrx.sys
>> This file was not shown by Explorer, Autoruns or cmd.exe.
>> So I decided to let the program remove it which it did.
>> It says you have to reboot to complete the process so after rebooting
>> a message appears telling me that the rootkit has been removed and would I
>> like
>> to have permanent protection by going to the AVG website and installing
>> AVG software.
>> I selected no and ran the program again to check that the "rootkit" had
>> been removed.
>> Guess what, another rootkit found, avnrd3e1.sys.
>> Every time you get rid of one the program finds another! Amazing.
>>
>> Screen shots:
>> http://www.admin1.myzen.co.uk/
>>
>>
>> So I wouldn't worry too much about what AVG antivirus tells you. You would
>> be better off uninstalling it.

>
> it's also possible that it is reinstalling when you reboot or it wasn't
> completely removed..
> rootkits are notoriously difficult to remove.


Precisely! If the scan results after a few runs with *different* scanners
are ambiguous I'd resort to:
http://michaelstevenstech.com/cleanxpinstall.html - Clean Install How-To
http://www.elephantboycomputers.com/...alling_Windows - What
you will need on-hand
Dave-UK

 
      08-10-2008


"Kayman" <> wrote in message news:OduP8po#...
> On Sat, 9 Aug 2008 19:05:14 -0600, Not Me wrote:
>
>> "Dave-UK" <> wrote in message
>> news:cp-...
>>>
>>>
>>> "SwampYankee" <> wrote in message
>>> news:MPG.2307c6bf7e6843969896b6@localhost...
>>>> Hi,
>>>> My AVG antivirus is finding a file and suggesting it is a rootkit. When
>>>> I try and remove it via AVG it says it can't. The file's name is
>>>> a362urwu.sys and it resides in c:/windows/system32/drivers. I have
>>>> unhidden all files including system files and I am unable to see it from
>>>> a command prompt. Is there some other attribute that could be unset that
>>>> would allow me to see this file? How could I delete it?
>>>> thanks
>>>
>>> I thought I'd have a look at the free AVG rootkit tool I quoted
>>> http://www.brothersoft.com/avg-anti-...ree-60621.html
>>>
>>> I downloaded it and ran it. It found a hidden driver, awonbkrx.sys
>>> This file was not shown by Explorer, Autoruns or cmd.exe.
>>> So I decided to let the program remove it which it did.
>>> It says you have to reboot to complete the process so after rebooting
>>> a message appears telling me that the rootkit has been removed and would I
>>> like
>>> to have permanent protection by going to the AVG website and installing
>>> AVG software.
>>> I selected no and ran the program again to check that the "rootkit" had
>>> been removed.
>>> Guess what, another rootkit found, avnrd3e1.sys.
>>> Every time you get rid of one the program finds another! Amazing.
>>>
>>> Screen shots:
>>> http://www.admin1.myzen.co.uk/
>>>
>>>
>>> So I wouldn't worry too much about what AVG antivirus tells you. You would
>>> be better off uninstalling it.

>>
>> it's also possible that it is reinstalling when you reboot or it wasn't
>> completely removed..
>> rootkits are notoriously difficult to remove.

>
> Precisely! If the scan results after a few runs with *different* scanners
> are ambiguous I'd resort to:
> http://michaelstevenstech.com/cleanxpinstall.html - Clean Install How-To
> http://www.elephantboycomputers.com/...alling_Windows - What
> you will need on-hand


Perhaps I didn't make it clear the first time. Grisoft's free rootkit tool is nothing more than
a con trick.
The tool writes a couple of entries onto the hard disk and then proclaims to have found
a rootkit. There is no "hidden file", that's why you can't see it.
If you delete the file and registry entries that this tool has written it finds another rootkit
on the next run.
It is a total con trick. Screen shots here:
http://www.admin1.myzen.co.uk/
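As an added example (not code from any post in this thread), here is the kind of cross-view check a defender would run before trusting a single scanner's verdict: it compares what the file system, the registry service list and the kernel's loaded-driver list each say about the flagged name, which speaks both to SwampYankee's question of how to see the file and to Dave-UK's point that a tool's claim needs independent confirmation. It assumes an elevated PowerShell prompt on Windows; the default driver name is the one given in the original post.

```powershell
# Added example, not from the thread: cross-check a driver name that a scanner
# has flagged by comparing three views that a hiding driver would have to
# falsify consistently: the file system (with Hidden/System shown), the
# registry service list, and the kernel's list of loaded drivers.
# Assumes an elevated PowerShell prompt; the default name is the one in the thread.
param([string]$DriverName = 'a362urwu.sys')

$driversDir = Join-Path $env:SystemRoot 'System32\drivers'
$path       = Join-Path $driversDir $DriverName
$baseName   = [IO.Path]::GetFileNameWithoutExtension($DriverName)

# View 1: the file system. -Force includes files with Hidden and System set.
$onDisk = Get-Item -LiteralPath $path -Force -ErrorAction SilentlyContinue
if ($onDisk) {
    "File visible: $($onDisk.FullName) attributes=$($onDisk.Attributes)"
    # A valid signature from a known publisher points towards a false positive.
    $sig = Get-AuthenticodeSignature -FilePath $path
    "Signature: $($sig.Status) $($sig.SignerCertificate.Subject)"
} else {
    "File NOT visible in $driversDir"
}

# View 2: the registry. A boot-time kernel driver needs a Services key whose
# name or ImagePath refers to the file.
$services = @(Get-ChildItem 'HKLM:\SYSTEM\CurrentControlSet\Services' -ErrorAction SilentlyContinue |
    Where-Object {
        $img = (Get-ItemProperty $_.PSPath -ErrorAction SilentlyContinue).ImagePath
        $_.PSChildName -eq $baseName -or ($img -and $img -like "*\$DriverName")
    })
if ($services.Count -eq 0) { "No service key references $DriverName" }
foreach ($s in $services) {
    $prop = Get-ItemProperty $s.PSPath
    "Service key: $($s.PSChildName) Start=$($prop.Start) ImagePath=$($prop.ImagePath)"
}

# View 3: drivers the kernel reports as loaded.
$loaded = @(Get-WmiObject Win32_SystemDriver |
    Where-Object { $_.Name -eq $baseName -or $_.PathName -like "*\$DriverName" })
if ($loaded.Count -eq 0) { "Kernel reports no loaded driver named $baseName" }
foreach ($d in $loaded) { "Loaded driver: $($d.Name) State=$($d.State) Path=$($d.PathName)" }

# Interpretation: the views disagree only when something hides the file, or
# when the detection was never about a real file in the first place.
if (-not $onDisk -and ($services.Count -gt 0 -or $loaded.Count -gt 0)) {
    "DISCREPANCY: referenced by registry or kernel but not visible on disk"
} elseif (-not $onDisk) {
    "No trace in any view: confirm the detection with a second, independent scanner"
}
```

A name that shows up only in the scanner's report and in none of the three views matches the behaviour Dave-UK describes, while a name the registry or kernel knows but the file listing does not is the discrepancy that tools such as Rootkit Revealer are built to surface.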

