AVG Forums » Other topics » Virus Removal, Tools for Removing » Brand New Windows 7 Sysenter Hook -> Reports
September 12, 2013 22:23 Brand New Windows 7 Sysenter Hook -> Reports #233676
martxw
Novice
Join Date: 4.11.2010
Posts: 5
I've just done a completely fresh installation of Windows 7 Home Premium off DVD, and installed only device drivers off the ASUS DVDs, then installed AVG Free Anti Virus and only connected the network cable to download the AVG updates. And already AVG is reporting 8 rootkit threats.

I deleted all partitions off the disk before starting to install Windows 7.

* AVG AntiVirus Free 2014 build 4117
* avgreport.csv included below
* Software installed from MS Windows 7 64-bit Home Premium OEM DVD, ASUS M5A97 LE 2.0 motherboard support DVD, ASUS GeForce GT 610 support DVD, + downloaded AVG AntiVirus Free 2014.
* No optical drive emulation
* Zipped msinfo.nfo attached
* gmer1.log is default report when GMER is started.
* gmer2.log is created when manually start a scan.
* GMER reports that C:\Windows\system32\config\system and C:\Users\Mollie\ntuser.dat can't be accessed because they're in use by another process.

I've run Kaspersky TDSSKiller, and it gives a clean bill of health.
Also created an AVG Rescue CD, done update & full scan, and nothing is found.

I just tried uninstalling 2014 and re-installing from a 2013 executable, but I've ended up with 2014 again - does it automatically only give you the latest?

So, is this a false positive, or do I really have a rootkit from somewhere?

cheers...
Martin...

avgreport.csv:
------------------------
"Whole Computer Scan"
"Medium priority";"8";"0";"8"
"Folders selected for scanning:";"Scan whole computer"
"Started:";"12/09/2013, 22:34:50"
"Finished:";"12/09/2013, 22:35:57"
"Total object scanned:";"48222"
"User who launched the scan:";"Mollie"

"Status";"Priority";"Name";"Description";"Result"
"Infected";"Medium";"SYSENTER hook -> 0xFFFFF80003080640";"<unknown>";"Infected"
"Infected";"Medium";"SYSENTER hook -> 0xFFFFF80003080380";"<unknown>";"Infected"
"Infected";"Medium";"SYSENTER hook -> 0xFFFFF80003080640";"<unknown>";"Infected"
"Infected";"Medium";"SYSENTER hook -> 0xFFFFF80003080380";"<unknown>";"Infected"
"Infected";"Medium";"SYSENTER hook -> 0xFFFFF80003080640";"<unknown>";"Infected"
"Infected";"Medium";"SYSENTER hook -> 0xFFFFF80003080380";"<unknown>";"Infected"
"Infected";"Medium";"SYSENTER hook -> 0xFFFFF80003080380";"<unknown>";"Infected"
"Infected";"Medium";"SYSENTER hook -> 0xFFFFF80003080640";"<unknown>";"Infected"
September 13, 2013 19:45 Re: Brand New Windows 7 Sysenter Hook -> Reports #233737
BIG AL 43
Moderator
Join Date: 18.6.2009
Posts: 23803
@ martxw

OK, just to keep you fully in the picture regarding AVG Team forum support: for your further guidance/info please refer to the availability Announcement post at the top of the Information forum area. Please bear in mind that it's also now the weekend [9:45pm Friday evening] in Brno, Czech Rep.


AVG Forums Volunteer Moderator | AVG Forum member since Nov. 27, 2004 | My total posts on the Old AVG Free Forum: 27,063
Alan
How-To Articles | FAQ | Free Support
September 16, 2013 20:02 Re: Brand New Windows 7 Sysenter Hook -> Reports #233827
WCT123
Novice
Join Date: 16.9.2013
Posts: 6
SYSENTER hook - Virus??..

I had the exact same problem immediately after installing AVG2014 (free). Could not get back to AVG2013 and other virus programs don't find these. AVG please instruct. There are 16 of them (all in the same location and the "remove selected" and "remove all" rectangles are grayed out), as follows:

Infection NOT DELETED in AVG2014

"";"SYSENTER hook -> 0xFFFFF80002EC4B80, <unknown>";"Infected"
"";"SYSENTER hook -> 0xFFFFF80002EC4B80, <unknown>";"Infected"
"";"SYSENTER hook -> 0xFFFFF80002EC4B80, <unknown>";"Infected"
"";"SYSENTER hook -> 0xFFFFF80002EC4B80, <unknown>";"Infected"
"";"SYSENTER hook -> 0xFFFFF80002EC4B80, <unknown>";"Infected"
"";"SYSENTER hook -> 0xFFFFF80002EC4B80, <unknown>";"Infected"
"";"SYSENTER hook -> 0xFFFFF80002EC4B80, <unknown>";"Infected"
"";"SYSENTER hook -> 0xFFFFF80002EC4B80, <unknown>";"Infected"
"";"SYSENTER hook -> 0xFFFFF80002EC48C0, <unknown>";"Infected"
"";"SYSENTER hook -> 0xFFFFF80002EC48C0, <unknown>";"Infected"
"";"SYSENTER hook -> 0xFFFFF80002EC48C0, <unknown>";"Infected"
"";"SYSENTER hook -> 0xFFFFF80002EC48C0, <unknown>";"Infected"
"";"SYSENTER hook -> 0xFFFFF80002EC48C0, <unknown>";"Infected"
"";"SYSENTER hook -> 0xFFFFF80002EC48C0, <unknown>";"Infected"
"";"SYSENTER hook -> 0xFFFFF80002EC48C0, <unknown>";"Infected"
"";"SYSENTER hook -> 0xFFFFF80002EC48C0, <unknown>";"Infected"

THANKS!!
September 16, 2013 20:36 Re: Brand New Windows 7 Sysenter Hook -> Reports #233829
BIG AL 43
Moderator
Join Date: 18.6.2009
Posts: 23803
WCT123 wrote
Could not get back to AVG2013

Searched but this link was all I could find http://www.avg.com/ww-en/download-2013. Scroll right down to the bottom & click on 'More options'.


September 17, 2013 00:23 Re: Brand New Windows 7 Sysenter Hook -> Reports #233833
WCT123
Novice
Join Date: 16.9.2013
Posts: 6
SYSENTER hook -"virus"?..

Thank you BigAl for the lead to AVG2013 (Free). On reflection, installing that would only give me "false security" for the offending files would still be there only I would not know of it.

Could you get AVG to make up its mind if these files are real or only false positives? My research (way out of my depth, btw) suggests that the "sysenter hook" is part of processor architecture and has been around since XP. Tripping over them, however, seems to be new with AVG2014. THANKS!!
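The question running through the first post's avgreport.csv and the post above (is a "SYSENTER hook -> 0xFFFFF800..." entry the kernel's own system-call entry point, or something that has redirected it?) comes down to one check: does the reported target address fall inside the loaded image of ntoskrnl.exe, or inside some other driver or unbacked memory? The script below is an added example, not AVG's or GMER's code. It parses the report format quoted in this thread (both the five-column and the three-column variants), deduplicates the target addresses, and resolves each against a list of loaded kernel modules. The module list here is a constructed stand-in with hypothetical base addresses and sizes; on a live host it would come from psapi's EnumDeviceDrivers/GetDeviceDriverBaseNameW or from `lm` in WinDbg. The last report row carries a constructed address outside every module so that the suspicious path is exercised too.

```python
import csv
import io
import re

# Constructed sample in the AVG 2014 report format quoted in this thread.
# The first four addresses mirror the kind of values posted here; the last
# row is a made-up address outside any module. Not a real scan result.
SAMPLE_REPORT = '''"Whole Computer Scan"
"Medium priority";"4";"0";"4"
"Status";"Priority";"Name";"Description";"Result"
"Infected";"Medium";"SYSENTER hook -> 0xFFFFF80003080640";"<unknown>";"Infected"
"Infected";"Medium";"SYSENTER hook -> 0xFFFFF80003080380";"<unknown>";"Infected"
"Infected";"Medium";"SYSENTER hook -> 0xFFFFF80003080640";"<unknown>";"Infected"
"";"SYSENTER hook -> 0xFFFFF80002EC4B80, <unknown>";"Infected"
"";"SYSENTER hook -> 0xFFFFAA0012345678, <unknown>";"Infected"
'''

# Constructed stand-in for the loaded kernel module list. On a real host
# obtain this with EnumDeviceDrivers/GetDeviceDriverBaseNameW (psapi) or
# `lm` in WinDbg; every base address and size below is hypothetical.
SAMPLE_MODULES = [
    ("ntoskrnl.exe", 0xFFFFF80002E0C000, 0x5E7000),
    ("hal.dll",      0xFFFFF800033F3000, 0x49000),
    ("ataport.sys",  0xFFFFF88000E1D000, 0x2A000),
]

# Matches the Name column in both report layouts seen in this thread.
HOOK_RE = re.compile(r"SYSENTER hook -> (0x[0-9A-Fa-f]+)")


def parse_hook_targets(report_text):
    """Return the distinct hook target addresses found in an AVG report.

    Header and summary rows contain no matching field and are skipped;
    repeated rows for the same address collapse to one entry.
    """
    targets = []
    for row in csv.reader(io.StringIO(report_text), delimiter=";"):
        for field in row:
            m = HOOK_RE.search(field)
            if m:
                addr = int(m.group(1), 16)
                if addr not in targets:
                    targets.append(addr)
    return targets


def locate(addr, modules):
    """Map a kernel address to (module_name, offset), or None if no module backs it."""
    for name, base, size in modules:
        if base <= addr < base + size:
            return name, addr - base
    return None


def classify(addr, modules):
    """A target inside ntoskrnl.exe is what a clean system looks like;
    anything else (another driver, or no module at all) deserves a look."""
    hit = locate(addr, modules)
    if hit is None:
        return "suspicious: not inside any loaded module"
    name, off = hit
    if name.lower() == "ntoskrnl.exe":
        return f"expected: ntoskrnl.exe+0x{off:X}"
    return f"suspicious: {name}+0x{off:X}"


def triage(report_text, modules):
    """Verdict per distinct target address, keyed by its canonical hex form."""
    return {f"0x{a:016X}": classify(a, modules)
            for a in parse_hook_targets(report_text)}


if __name__ == "__main__":
    for addr, verdict in triage(SAMPLE_REPORT, SAMPLE_MODULES).items():
        print(addr, verdict)
```

With a real module list, the three 0xFFFFF800... addresses quoted in this thread would be checked the same way: if each resolves to an offset inside ntoskrnl.exe, the report is naming the kernel's own entry code, which is the false-positive case. The verdict flips only when a target resolves into a third-party driver or into memory no module claims.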
September 17, 2013 00:47 Re: Brand New Windows 7 Sysenter Hook -> Reports #233835
cloudace
Novice
Join Date: 17.9.2013
Posts: 1
Source of infection SYSENTER hook..

http://download.cnet.com/Facebook-Friend-Alert/3000-12941_4-75824132.html
This is indeed a virus. Here is one of the sources of infection listed above. I've tried removing it several times but cannot obtain all the locations in which it is hiding.
AVG 2014 is unable to determine its locations; the only thing it can determine is as follows:
"";"SYSENTER hook -> 0xFFFFF800032D5B80, <unknown>";"Infected"
"";"SYSENTER hook -> 0xFFFFF800032D5B80, <unknown>";"Infected"
"";"SYSENTER hook -> 0xFFFFF800032D5B80, <unknown>";"Infected"
"";"SYSENTER hook -> 0xFFFFF800032D5B80, <unknown>";"Infected"
"";"SYSENTER hook -> 0xFFFFF800032D5B80, <unknown>";"Infected"
"";"SYSENTER hook -> 0xFFFFF800032D5B80, <unknown>";"Infected"
etc., 16 entries.
Two orange infection ratings, unknown location.
I attempted to download the software to send information back to AVG but the email I was sent leads to a link which is no longer active. I then searched out the program but it would freeze when generating the report and was absolutely no help. System restore points were corrupted with this data as well. It is very malicious even on the 30 day free trial of the 2014 antivirus. The program was useless so was Avast. To this date I've only seen one program claiming to remove it but it contained viruses as well.
I called AVG customer service. They were absolutely no help on this matter. If anybody can please tell me how these viruses are masquerading as an operations file I would like to know.
September 18, 2013 22:39 Re: Brand New Windows 7 Sysenter Hook -> Reports #233908
Jsing
Novice
Join Date: 18.9.2013
Posts: 2
Fluke?..

I have the same 16 threats just after updating to AVG 2014. It seems from the story the original poster is telling us that this could very well be a false positive, considering how a rootkit would infect a computer (it would have to go through a trojan or website, and the OP said he only went to AVG from start-up). I would like to know for sure, though, if this is an actual threat, and if so, how would we remove it? (Considering AVG doesn't allow it.)
September 19, 2013 21:33 Re: Brand New Windows 7 Sysenter Hook -> Reports #233949
Jsing
Novice
Join Date: 18.9.2013
Posts: 2
Update..

Since the moderators do not seem very active in solving any thread, I'd just like to give you guys an update on this issue: apparently this infection IS A FALSE POSITIVE. This is after talking to an AVG representative and having him look at my records.
September 22, 2013 17:14 Re: Brand New Windows 7 Sysenter Hook -> Reports #234040
Have Some Die
Novice
Join Date: 27.9.2011
Posts: 5
Jsing wrote
Update..

Since the moderators do not seem very active in solving any thread, I'd just like to give you guys an update on this issue: apparently this infection IS A FALSE POSITIVE. This is after talking to an AVG representative and having him look at my records.

Thanks for putting my mind at ease (sort of). I've been using this system for about 3 months with AVG Free 2013 finding nothing but the occasional tracking cookies. I'm pretty vigilant with my web browsing behavior and file downloads. However, yesterday I upgraded to 2014 and I woke up this morning to find 16 of these "SYSENTER hook" rootkits, all with the same message and only 2 different hex locations. However, if I read this thread correctly, it seems there might actually be some people with a real infection. Could you please direct me to the best route to get in touch with an AVG representative to verify that mine is indeed a false positive? I've never needed to do so before. Thanks.

http://forums.avg.com/ww-en/avg-forums?sec=thread&act=show&id=234184
September 22, 2013 20:28 Re: Brand New Windows 7 Sysenter Hook -> Reports #234048
BIG AL 43
Moderator
Join Date: 18.6.2009
Posts: 23803
Have Some Die wrote
Could you please direct me to the best route to get in touch with an AVG representative to verify mine is indeed a false positive?

Have a look at this Announcement post link: How To Handle Suspicious False Positive Detection? and please follow the appropriate instructions.
