Alchool 52% and random named services in ms autoruns


4 replies to this topic

#1 Sherpya

    1% Member

  • Members
  • 3 posts

Posted 05 November 2007 - 03:44 AM

First of all, sorry if this post seems off topic, but I've found no other forum where I'm allowed to post.

I reformatted my Win XP 64-bit believing I had a rootkit; on a plain install it seems that it is Alcohol 52% that creates
random-named services with no file found:

CODE
    + acsz8lmz            File not found: C:\WINDOWS\System32\Drivers\acsz8lmz.sys

Since I've noticed that after uninstalling Alcohol the problem disappears,
I would like to be sure that it is Alcohol that does this
and not a malicious rootkit.

Can you confirm this?

#2 Robbo

    Forum Administration

  • Administration
  • 6,740 posts

Posted 05 November 2007 - 06:17 AM

The SPTD driver is able to hide itself from protections, and some programs will class it as a rootkit because of this, which is not the case.

#3 Sherpya

    1% Member

  • Members
  • 3 posts

Posted 05 November 2007 - 07:50 AM

No program detected it as a rootkit, but on 32-bit Windows the kernel hook prevents seeing the service;
on Win64 the service is still visible, but with a random name, and the .sys file is not found
(I'm using Autoruns, but the service is also visible in the registry).
I would just like to be sure that it was Alcohol that did this
(I know Alcohol hides itself from programs).
Btw, I've just tested on another XP 64-bit and it does the same thing.
It would be nice to put in the FAQ that on Win64 you'll see random-named services,
since many worms/trojans do the same thing (scrambled name), and I was scared and reinstalled Win64
(there are no rootkit detectors for 64-bit), then realized that it was Alcohol.

PS: I can see the sptd driver on Win64, it's not cloaked; not really a problem since I don't use
Alcohol with game backups.

#4 Charalambos

    Support Team Member

  • Support Team
  • 5,003 posts

Posted 05 November 2007 - 08:58 AM

If you have Alcohol, then this is Alcohol's hidden driver; there is nothing to worry about.

#5 Sherpya

    1% Member

  • Members
  • 3 posts

Posted 05 November 2007 - 09:57 AM

I have Alcohol, OK, but it's not fully hidden on Win64: I can still see a random-named service in the service list, and every reboot the name is different.
With some tests on my PC and another one I've noticed that it's Alcohol that creates this service.

Many trojans create random-named services. I know that Alcohol uses a kernel hook to hide
itself from the advapi32 registry key functions, but your cloaking driver doesn't work in the same way
on 64-bit Windows: the sptd driver is completely visible in the system services and I can also see the .sys file.

The random-named service acts as a PnP device:
CODE
    ACPI\PNPA000\4&5d18f2df&0

Since I noticed it and suspected something, and the readme and FAQs said nothing,
I strongly suggest adding to the FAQ that Alcohol on Win64 creates random-named fake services
on each reboot, since many trojans follow the same behavior and a user like
me can think it is malware.
I don't object to your techniques, and on 32-bit Windows there are no fake service names (maybe the kernel hook works differently),
but a user should know what it is that creates these fake services, so if I know it's Alcohol then I'm safe.
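The triage the thread describes, as an added example that is not from the thread or from Alcohol/Autoruns: parse two Autoruns CSV snapshots (constructed here, with an assumed column layout; real `autorunsc -c` versions differ, so adjust the header), flag driver services whose image file is missing and whose name looks machine-generated, and diff the flagged names across reboots so a driver that re-registers under a fresh name each boot stands out for a defender to attribute (here to SPTD) rather than assume is an implant.

```python
import csv
import io
import re

# Constructed sample snapshots in the shape of autorunsc CSV output.
# Column names are an assumption for this example, not the tool's exact header.
SNAPSHOT_BOOT1 = r"""Entry Location,Entry,Enabled,Category,Description,Signer,Image Path
HKLM\System\CurrentControlSet\Services,sptd,enabled,Drivers,SCSI Pass Through Direct,Duplex Secure Ltd,c:\windows\system32\drivers\sptd.sys
HKLM\System\CurrentControlSet\Services,acsz8lmz,enabled,Drivers,,,File not found: C:\WINDOWS\System32\Drivers\acsz8lmz.sys
HKLM\System\CurrentControlSet\Services,atapi,enabled,Drivers,IDE/ATAPI Port Driver,Microsoft Windows,c:\windows\system32\drivers\atapi.sys
"""
SNAPSHOT_BOOT2 = r"""Entry Location,Entry,Enabled,Category,Description,Signer,Image Path
HKLM\System\CurrentControlSet\Services,sptd,enabled,Drivers,SCSI Pass Through Direct,Duplex Secure Ltd,c:\windows\system32\drivers\sptd.sys
HKLM\System\CurrentControlSet\Services,xq3pzk9d,enabled,Drivers,,,File not found: C:\WINDOWS\System32\Drivers\xq3pzk9d.sys
HKLM\System\CurrentControlSet\Services,atapi,enabled,Drivers,IDE/ATAPI Port Driver,Microsoft Windows,c:\windows\system32\drivers\atapi.sys
"""

# Heuristic for a generated name: 6-12 lowercase alphanumerics containing at least one digit.
# Real service names such as "sptd" or "atapi" have no digits and do not match.
RANDOM_NAME = re.compile(r"^(?=.*\d)[a-z0-9]{6,12}$")


def parse_snapshot(text):
    """Read one Autoruns CSV snapshot into a list of row dictionaries."""
    return list(csv.DictReader(io.StringIO(text)))


def missing_drivers(text):
    """Driver-category entries whose image path Autoruns reports as missing."""
    return [row for row in parse_snapshot(text)
            if row["Category"] == "Drivers"
            and row["Image Path"].startswith("File not found")]


def suspicious_names(text):
    """Names of missing-file drivers that also look machine-generated."""
    return sorted(row["Entry"] for row in missing_drivers(text)
                  if RANDOM_NAME.match(row["Entry"]))


def changed_across_boots(text_a, text_b):
    """Flagged names present in only one snapshot: a driver that re-registers
    under a fresh random name on every boot shows up here, a stable implant does not."""
    return sorted(set(suspicious_names(text_a)) ^ set(suspicious_names(text_b)))


if __name__ == "__main__":
    print("boot 1:", suspicious_names(SNAPSHOT_BOOT1))
    print("boot 2:", suspicious_names(SNAPSHOT_BOOT2))
    print("changed:", changed_across_boots(SNAPSHOT_BOOT1, SNAPSHOT_BOOT2))
```

Names that survive the diff unchanged deserve the closer look; names that rotate each boot should be matched against known self-hiding drivers on the machine before being treated as malware.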
