View Full Version : Hidden Driver???
john ranger
11-01-2008, 02:56 PM
I get this hidden driver thing on my AVG scan. Have you ever encountered this before??
C:\WINDOWS\System32\Drivers\ar0o2at9.SYS;"Hidden driver";"Object is hidden"
I have the folders open to see all, but I can't see it at all where it says it should be.
Negeva
11-01-2008, 03:01 PM
Probably a rootkit. Try using RootkitRevealer (http://technet.microsoft.com/en-gb/sysinternals/bb897445.aspx) to see if there is one. Also, have you installed and/or used any programs of late, maybe even an illegal one?
john ranger
11-01-2008, 10:57 PM
Yes I got the RootkitRevealer and this is what showed up. My question is how do I delete that file??
AVG deletes it but it comes back on the next scan.
______________________________________________________
HKU\.DEFAULT\Control Panel\International 21/03/2008 3:13 PM 0 bytes Security mismatch.
HKU\.DEFAULT\Control Panel\International\Geo 21/03/2008 3:13 PM 0 bytes Security mismatch.
HKU\.DEFAULT\Control Panel\international_combofixbackup 21/03/2008 3:03 PM 0 bytes Security mismatch.
HKU\.DEFAULT\Control Panel\international_combofixbackup\Geo 21/03/2008 3:03 PM 0 bytes Security mismatch.
HKU\S-1-5-21-796845957-884357618-1417001333-1003\Control Panel\International 09/05/2008 11:10 AM 0 bytes Security mismatch.
HKU\S-1-5-21-796845957-884357618-1417001333-1003\Control Panel\International\Geo 09/05/2008 11:10 AM 0 bytes Security mismatch.
HKU\S-1-5-21-796845957-884357618-1417001333-1003\Control Panel\international_combofixbackup 09/05/2008 11:10 AM 0 bytes Security mismatch.
HKU\S-1-5-21-796845957-884357618-1417001333-1003\Control Panel\international_combofixbackup\Geo 09/05/2008 11:10 AM 0 bytes Security mismatch.
HKU\S-1-5-21-796845957-884357618-1417001333-1003\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{4B14B88B-A963-0647-F6EF-6592C15D2691}* 21/12/2007 1:17 PM 0 bytes Key name contains embedded nulls (*)
HKU\S-1-5-21-796845957-884357618-1417001333-1003\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{B1175A90-6C7E-C6D9-A69C-712045073990}* 20/07/2008 6:00 PM 0 bytes Key name contains embedded nulls (*)
HKU\S-1-5-21-796845957-884357618-1417001333-1003\Software\SecuROM\!CAUTION! NEVER DELETE OR CHANGE ANY KEY* 03/10/2008 8:08 AM 0 bytes Key name contains embedded nulls (*)
HKU\S-1-5-21-796845957-884357618-1417001333-1003\Software\SecuROM\License information* 11/10/2008 4:56 PM 0 bytes Key name contains embedded nulls (*)
HKU\S-1-5-18\Control Panel\International 21/03/2008 3:13 PM 0 bytes Security mismatch.
HKU\S-1-5-18\Control Panel\International\Geo 21/03/2008 3:13 PM 0 bytes Security mismatch.
HKU\S-1-5-18\Control Panel\international_combofixbackup 21/03/2008 3:03 PM 0 bytes Security mismatch.
HKU\S-1-5-18\Control Panel\international_combofixbackup\Geo 21/03/2008 3:03 PM 0 bytes Security mismatch.
HKLM\SECURITY\Policy\Secrets\SAC* 12/02/2007 11:19 AM 0 bytes Key name contains embedded nulls (*)
HKLM\SECURITY\Policy\Secrets\SAI* 12/02/2007 11:19 AM 0 bytes Key name contains embedded nulls (*)
HKLM\SOFTWARE\Classes\CLSID\{5645C8C2-E277-11CF-8FDA-00AA00A14F93}\InprocServer32\ThreadingModel 09/05/2008 11:11 AM 5 bytes Data mismatch between Windows API and raw hive data.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\System* 18/08/2007 5:50 PM 0 bytes Key name contains embedded nulls (*)
HKLM\SYSTEM\ControlSet027\Services\sptd\Cfg 09/05/2008 11:10 AM 0 bytes Access is denied.
C:\Documents and Settings\johnr\Local Settings\Application Data\Microsoft\Messenger\john@johnranger.com\SharingMetadata\bustedsticks@hotmail.com\DFSR\Staging\C S{B164B4A5-CF32-00C2-7200-EB9A71D8A83B}\01\13-{B164B4A5-CF32-00C2-7200-EB9A71D8A83B}-v1-{551FE40 26/10/2008 3:55 AM 8 bytes Hidden from Windows API.
C:\Documents and Settings\johnr\Local Settings\Temp\~DF754A.tmp 01/11/2008 10:52 PM 16.00 KB Hidden from Windows API.
C:\Documents and Settings\johnr\Local Settings\Temp\~DF7555.tmp 01/11/2008 10:52 PM 512 bytes Hidden from Windows API.
C:\Documents and Settings\johnr\Local Settings\Temporary Internet Files\Content.IE5\5R17FI63\CA9F06I9.HTM 01/11/2008 10:52 PM 893 bytes Visible in directory index, but not Windows API or MFT.
C:\Documents and Settings\johnr\Local Settings\Temporary Internet Files\Content.IE5\5R17FI63\CAS65N9C.HTM 01/11/2008 10:52 PM 893 bytes Hidden from Windows API.
C:\Documents and Settings\johnr\Local Settings\Temporary Internet Files\Content.IE5\5R17FI63\CAYEQ56X.HTM 01/11/2008 10:47 PM 788 bytes Visible in Windows API, but not in MFT or directory index.
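An added example, not from this thread or from any of the tools mentioned in it: a PowerShell script that does the kind of cross-view comparison RootkitRevealer relies on, limited to kernel drivers. It reads every driver registered under the Services hive and reports any whose .sys file is not visible to the Win32 path API or to a directory listing, which is how a "hidden driver" finding like the AVG one above would surface. The function names and output fields are my own; run it from an elevated PowerShell.

```powershell
# Added example: cross-check registered kernel drivers against the file system.
# A driver the registry says should load, but the file system views cannot see,
# is worth a closer look. Not part of the original thread.
$sysRoot = $env:SystemRoot

function Resolve-DriverPath {
    # Normalise the ImagePath forms seen in the Services hive into a plain Win32 path.
    param([string]$ImagePath)
    $p = $ImagePath.Trim('"')
    $p = $p -replace '^\\\?\?\\', ''                 # \??\C:\...        -> C:\...
    $p = $p -replace '^\\SystemRoot\\', "$sysRoot\"  # \SystemRoot\...   -> C:\WINDOWS\...
    $p = $p -replace '^%SystemRoot%\\', "$sysRoot\"  # %SystemRoot%\...  -> C:\WINDOWS\...
    if ($p -notmatch '^[A-Za-z]:\\') { $p = Join-Path $sysRoot $p }  # bare "system32\drivers\x.sys"
    return $p
}

function Get-DriverDiscrepancies {
    # Type 1 = SERVICE_KERNEL_DRIVER, Type 2 = SERVICE_FILE_SYSTEM_DRIVER
    foreach ($svc in Get-ChildItem 'HKLM:\SYSTEM\CurrentControlSet\Services') {
        $props = Get-ItemProperty -Path $svc.PSPath
        if ($props.Type -ne 1 -and $props.Type -ne 2) { continue }
        if (-not $props.ImagePath) { continue }

        $path = Resolve-DriverPath $props.ImagePath
        $dir  = Split-Path -Path $path -Parent
        $name = Split-Path -Path $path -Leaf

        # View 1: the Win32 path API. View 2: an explicit directory listing.
        $apiSees     = Test-Path -LiteralPath $path
        $listingSees = [bool](Get-ChildItem -LiteralPath $dir -Force -ErrorAction SilentlyContinue |
                              Where-Object { $_.Name -ieq $name })

        if (-not $apiSees -or -not $listingSees) {
            [pscustomobject]@{
                Service     = $svc.PSChildName
                ImagePath   = $path
                Start       = $props.Start      # 0 = boot, 1 = system, 2 = auto, 3 = demand, 4 = disabled
                ApiSees     = $apiSees
                ListingSees = $listingSees
            }
        }
    }
}

Get-DriverDiscrepancies | Sort-Object Service | Format-Table -AutoSize
```

A leftover service key whose driver file was legitimately removed (for example by an uninstaller or an AV clean-up) shows up in exactly the same way, so a hit means "inspect this entry", not "this is a rootkit"; a driver set to Start 0-2 with a missing file is the combination that deserves the most attention.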
usnavyretired
11-01-2008, 11:05 PM
Turn system restore off, boot to safe mode, run AVG and let it delete the files again, post back if that didn't work.
john ranger
11-02-2008, 08:02 AM
Turn system restore off, boot to safe mode, run AVG and let it delete the files again, post back if that didn't work.
---------------------------------------------------------------------
I did that and it seemed to delete the other hidden driver, but it picked up another driver.
Rootkits
File;"Infection";"Result"
C:\WINDOWS\System32\Drivers\as2985bl.SYS;"Hidden driver";"Object is hidden"
usnavyretired
11-02-2008, 10:01 AM
I've never used RootkitRevealer before; I like F-Secure's "BlackLight" which you can download free. It's a simple but effective tool that finds and fixes rootkits. You can download it here if you want to give it a try.
ftp://ftp.f-secure.com/anti-virus/tools/fsbl.exe
TwoRails
11-02-2008, 10:34 AM
As you already know, doing a Google search doesn't reveal anything but this thread -- I'm just wondering if it's part of some DRM for a game or the like? Load any games recently?
john ranger
11-02-2008, 01:20 PM
I've never used RootkitRevealer before; I like F-Secure's "BlackLight" which you can download free. It's a simple but effective tool that finds and fixes rootkits. You can download it here if you want to give it a try.
ftp://ftp.f-secure.com/anti-virus/tools/fsbl.exe
That is a nice little program and thank you for it. Unfortunately it found nothing, but the AVG still finds hidden folders.
john ranger
11-02-2008, 01:21 PM
As you already know, doing a Google search doesn't reveal anything but this thread -- I'm just wondering if it's part of some DRM for a game or the like? Load any games recently?
Yes I did, I was trying out FAR CRY 2 but the game kept telling me that I needed better drivers. I tried to download new drivers and got an error. I gave up on it and deleted the game.
TwoRails
11-02-2008, 02:59 PM
I Googled for about a 1/2 on SecuROM, FC 2's DRM, and didn't find any reference to those files. I did read that there is a "special" uninstall procedure / utility to get rid of all the "special" DRM crap. You might want to check it out: it may not fix this exact problem but it would be a good idea if the game's not installed...
john ranger
11-02-2008, 06:51 PM
Thanks for taking the time
usnavyretired
11-02-2008, 09:14 PM
Here's another good rootkit tool I've used and it's free also. The downside is you have to register to get the download but they've never sent me any junk emails or such. Here is the link:
http://www.sophos.com/products/free-tools/sophos-anti-rootkit.html
john ranger
11-03-2008, 09:26 AM
Here's another good rootkit tool I've used and it's free also. The downside is you have to register to get the download but they've never sent me any junk emails or such. Here is the link:
http://www.sophos.com/products/free-tools/sophos-anti-rootkit.html
Thanks for that.
I just tried it and it did not pick up anything. I also have all these checks attached. They do not pick up anything either. BUT AVG always picks up different ones. Take a look at the attachment.
john ranger
11-03-2008, 10:10 AM
I found the ANSWER :)
http://www.techspot.com/vb/topic103349-2.html
Thanks guys for all your help!!
usnavyretired
11-03-2008, 05:03 PM
Glad you got it sorted out.
TwoRails
11-03-2008, 09:22 PM
Nice find!!