I have recently updated my NVIDIA display and some MB drivers (as well as some other drivers).
I now notice that my device manager shows a weird description (afsvbqxn) and its driver is a non-existent sys file of that name under SCSI and RAID Controllers. Autoruns shows it to load under HKLM\System\CCS\Services with the description of an IDE/ATAPI port driver. I searched the location of the driver files but cannot find it (C:\WINDOWS\SYSTEM32\DRIVERS\afsvbqxn.sys). Autoruns does not show the file as not found! - smelling rootkit here.
I can uninstall it without apparent consequences as my other SCSI driver is fine (SiS 3114 Soft Raid Controller). However, if I run a search for new hardware, it comes back again but with a weird name of just 8 random letters.
Relevant Everest reports attached along with the reg key containing it.
Do you think it might have something to do with Daemon Tools or ASPI? Doesn't that install some SCSI driver? Or perhaps NVIDIA trying to install a RAID driver in competition with the SiS one?
Anyway, how to fix? And should I be worried?
EDIT - Additional Info: After uninstall and reboot, Windows automatically finds a device and installs a CD-ROM (leads me to suspect DTools). It also brings back this device and the name always seems to start with A (it's now called anp3ww6f). Weird, huh? (Every reboot, it seems to change its name but always starting with an A). According to Autoruns, the driver is 94k, version 5.01.2600.5512 (M$ driver, right?), is verified by M$, and dated 14 April 2008. However, the icon in Autoruns is the same as the drivers which are reported as File Not Found (e.g. Changer.sys). It also reports that Process Explorer says the process is not running (which is awful strange for an IDE driver). I reckon this is actually atapi.sys (and it is now showing in IDE ATA/ATAPI controllers but on reboot it is back in SATA RAID Controllers).
BTW: Rootkit Revealer revealed nothing abnormal. SPTD (Daemon Tools) was inaccessible but that is normal.
Regards
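The manual check described in the post above (a driver registered under HKLM\System\CurrentControlSet\Services whose .sys file cannot be found on disk), written as an added PowerShell example that is not part of the original post. The function name Resolve-DriverImagePath is hypothetical, and the script only reads the registry and the file system.

```powershell
# Added example: list kernel/file-system driver services whose image file is missing.
$servicesKey = 'HKLM:\SYSTEM\CurrentControlSet\Services'
$driverTypes = 1, 2   # Type 1 = kernel driver, Type 2 = file system driver

# Hypothetical helper: turn a service ImagePath value into a path Test-Path can check.
function Resolve-DriverImagePath {
    param([string]$Name, [string]$ImagePath)
    # No ImagePath value: drivers default to System32\drivers\<service name>.sys
    if ([string]::IsNullOrEmpty($ImagePath)) {
        return Join-Path $env:SystemRoot "System32\drivers\$Name.sys"
    }
    $p = [Environment]::ExpandEnvironmentVariables($ImagePath.Trim('"'))
    $ci = [StringComparison]::OrdinalIgnoreCase
    if ($p.StartsWith('\??\')) {                      # NT object-namespace prefix
        return $p.Substring(4)
    }
    if ($p.StartsWith('\SystemRoot\', $ci)) {         # \SystemRoot\System32\drivers\x.sys
        return Join-Path $env:SystemRoot $p.Substring(12)
    }
    if ($p -match '^[A-Za-z]:\\') {                   # already an absolute DOS path
        return $p
    }
    # Relative form such as system32\DRIVERS\x.sys is relative to %SystemRoot%
    return Join-Path $env:SystemRoot $p.TrimStart('\')
}

Get-ChildItem $servicesKey | ForEach-Object {
    $props = Get-ItemProperty -LiteralPath $_.PSPath -ErrorAction SilentlyContinue
    if ($props -and ($driverTypes -contains $props.Type)) {
        $file = Resolve-DriverImagePath -Name $_.PSChildName -ImagePath $props.ImagePath
        if (-not (Test-Path -LiteralPath $file)) {
            # Start: 0 = boot, 1 = system, 2 = auto, 3 = on demand, 4 = disabled
            New-Object PSObject -Property @{
                Service      = $_.PSChildName
                Start        = $props.Start
                ImagePath    = $props.ImagePath
                ResolvedFile = $file
            }
        }
    }
} | Format-Table Service, Start, ImagePath, ResolvedFile -AutoSize
```

On 64-bit Windows, run it from a 64-bit PowerShell session; a 32-bit session sees a redirected System32 and will report drivers as missing that are present.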