Author Topic: oprghdlr.sys  (Read 2909 times)

jarwulf

  • Guest
oprghdlr.sys
« on: July 13, 2011, 01:09:22 AM »
Out of the blue I received a notification from Avast that it has detected a rootkit at C:\Windows\system32\drivers\oprghdlr.sys, and Avast wants to delete it. A search yielded nothing suspicious associated with this file, and it seems like it's necessary for the system. What should I do? I'm using XP, btw.

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89023
  • No support PMs thanks
Re: oprghdlr.sys
« Reply #1 on: July 13, 2011, 01:17:48 AM »
My first response would be do no harm (until positively confirmed), so select Ignore, the only other option.

Click the Advanced option and I believe there should be an option to submit the file to the avast virus lab for further analysis (or words to that effect).

Don't check the 'Do not tell me about this rootkit in the future' option, as I don't know if there is a way to reverse that and you want to know when avast no longer alerts on it (which you won't if you selected that option).
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.3.6108 (build 24.3.8975.762) UI 1.0.801/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

jarwulf

  • Guest
Re: oprghdlr.sys
« Reply #2 on: July 13, 2011, 01:23:13 AM »
Hi, doing so lights up the privacy policy icon, but when I click it nothing seems to happen. This is the free version of avast.

Offline DavidR

Re: oprghdlr.sys
« Reply #3 on: July 13, 2011, 01:31:36 AM »
Doing what lights up the privacy policy?

If you mean by checking Advanced option followed by the Submit option, then that is only there if you wish to check the privacy policy. See old image example from avast5 (I don't have any current image from avast6).

If you click the OK button that should close the alert window and the actual submission process happens in the background during the next avast update check.

Interestingly, after your post I ran a full rootkit scan, as I have XP Pro SP3 (what XP version and SP do you have?), and no alert.
« Last Edit: July 13, 2011, 01:34:48 AM by DavidR »

jarwulf

  • Guest
Re: oprghdlr.sys
« Reply #4 on: July 13, 2011, 01:43:56 AM »
Checking the box to submit lights up the privacy policy as if you can read it, but nothing happens when you click it. I have the same version of XP you have. I virtually always keep it on a limited account, and I haven't seen anybody on the net having a problem like I'm having, so I don't know if it's a false positive or not. I accidentally clicked through with the option presumably set on Delete Now, but the file still seems to be present when I search for it.
« Last Edit: July 13, 2011, 01:46:01 AM by jarwulf »

Offline DavidR

Re: oprghdlr.sys
« Reply #5 on: July 13, 2011, 02:53:36 AM »
OK, thought you meant nothing happened when you clicked the OK button. From what I can recall the privacy policy basically states that the data sent is anonymous.

If this happened on the standard anti-rootkit scan, 8 minutes after boot ?
Then expect to see it again after your next boot, etc.

Do your file properties match those in my image attachment (click to expand)?
The MD5 of my file is 4BB30DDC53EBC76895E38694580CDFE9

jarwulf

  • Guest
Re: oprghdlr.sys
« Reply #6 on: July 13, 2011, 07:36:53 AM »
I restarted the comp after arriving elsewhere and I haven't got a message yet. The properties are the same afaik except for date created. Don't know about the MD5 though.

Offline DavidR

Re: oprghdlr.sys
« Reply #7 on: July 13, 2011, 02:35:17 PM »
The date of creation may be different. There are tools that can check the MD5; the one that I use is called Hash Calculator Flyingbit, but there are bound to be more. Try a Google search on MD5 hash calculator.
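Added example, not part of the thread: one way to do the hash comparison discussed above without a separate GUI tool, by computing a file's MD5 and SHA-256 and checking them against a reference value pasted from a post such as Reply #5. The function names are illustrative, and the sample file in the demo is constructed.

```python
import hashlib
import hmac
import os
import re
import tempfile

# Reference value quoted in the thread (Reply #5) for one copy of oprghdlr.sys.
REFERENCE_MD5 = "4BB30DDC53EBC76895E38694580CDFE9"


def normalize_digest(text):
    """Drop a leading 'MD5:'/'SHA256:' label and separators; return lowercase hex."""
    text = re.sub(r"^\s*(md5|sha-?256)\s*:", "", text.strip(), flags=re.I)
    digest = re.sub(r"[\s:\-]", "", text).lower()
    if not re.fullmatch(r"[0-9a-f]{32}|[0-9a-f]{64}", digest):
        raise ValueError("not an MD5 or SHA-256 hex digest: %r" % text)
    return digest


def file_digests(path, chunk_size=1 << 20):
    """Hash the file in chunks so large files are never loaded into memory whole."""
    md5 = hashlib.md5()
    sha256 = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            md5.update(chunk)
            sha256.update(chunk)
    return {"md5": md5.hexdigest(), "sha256": sha256.hexdigest()}


def matches_reference(path, reference):
    """True if the file's digest equals the reference (algorithm chosen by length)."""
    ref = normalize_digest(reference)
    algo = "md5" if len(ref) == 32 else "sha256"
    return hmac.compare_digest(file_digests(path)[algo], ref)


if __name__ == "__main__":
    # Constructed sample file standing in for the driver; on the affected machine
    # the path would be C:\Windows\system32\drivers\oprghdlr.sys.
    with tempfile.NamedTemporaryFile(delete=False) as tmp:
        tmp.write(b"abc")
    try:
        print(file_digests(tmp.name))
        print("matches thread reference:", matches_reference(tmp.name, REFERENCE_MD5))
    finally:
        os.remove(tmp.name)
```

A match shows only that the file has the same bytes as the copy the reference hash was taken from.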