Page 2 of 2 ‹‹12
September 10, 2013 13:51 Re: IDT Entry #03 Hook #233572
Alcom Computing
Novice
Join Date: 10.9.2013
Posts: 1
False positive?

We think this may be a false positive as I have renamed the ntkrnlpa.exe to ntkrnlpa.old and copied a replacement from a different computer (same service pack). The computer it is affecting is a Windows XP Service Pack 3 Professional.

Given the forum replies here I am more convinced that it is a false positive.
September 10, 2013 15:31 Re: IDT Entry #03 Hook #233583
BIG AL 43
Moderator
Join Date: 19.6.2014
Posts: 0
Alcom Computing wrote: "I am more convinced that it is a false positive"

Have a look at this Announcement post link: How To Handle Suspicious False Positive Detection? and please follow all the instructions. To keep everything together, there's no need to start a new thread.


AVG Forums Volunteer Moderator
AVG Forum member since - Nov. 27, 2004
My total posts on the Old AVG Free Forum - 27,063
Alan
How-To Articles | FAQ | Free Support
September 11, 2013 11:06 Re: IDT Entry #03 Hook #233613
isaacdavid
Novice
Join Date: 9.9.2013
Posts: 3
I thought it might be a false positive before I came here. A scan of ntkrnlpa.exe with AVG showed no infection, and I got the same result with VirusTotal and Jotti's. However, I'm not technically savvy enough to be confident, especially when the AVG message was hard to interpret. After all, is the suspected 'infection' in ntkrnlpa.exe or in the IDT? There does seem to be something going on with the MBR, even if it's benign. I ran Avast's rootkit scan because of the problems I was having with GMER 2.1 and have attached the results (MBR.dat has been zipped because the editing window didn't seem to like something in the .dat file).

Isaac David
September 11, 2013 14:34 Re: IDT Entry #03 Hook #233630
Pokornyz
Administrator
Join Date: 29.11.2010
Posts: 8245
Hello all,

@chinapig and isaacdavid
According to the results, the MBR still needs to be rewritten. If you are not able to do it according to the provided information, I suggest you visit a computer repair shop.

@Alcom Computing
Unfortunately, the provided outputs showed "unknown MBR code", which usually indicates an infection in the MBR.

Thank you



AVG Team
How-To articles | FAQ | Free Support
September 11, 2013 19:28 Re: IDT Entry #03 Hook #233633
chinapig
Novice
Join Date: 29.8.2013
Posts: 3
Hi

Thanks to all for the reassurance of the false positive; I thought/hoped it was!

As to the MBR rewrite, I'll work again on that - it's not healthy to have such things lurking!

Thanks for help & support guys.

Dave
September 12, 2013 13:00 Re: IDT Entry #03 Hook #233652
isaacdavid
Novice
Join Date: 9.9.2013
Posts: 3
Correct me if I'm wrong, but the only logfile showing an unknown MBR code message was the output from AVAST's aswMBR scanner. I realised yesterday that this was being reported for Disk 1, not Disk 0. I installed a second drive a couple of weeks ago and installed Linux (Kubuntu 12.04) on it. To confirm that this was the source of the message, I disconnected the new drive and did another scan: no more 'unknown MBR code'! Since aswMBR is intended to scan a Windows environment, I assume the code relates to the Linux environment and is entirely normal. My apologies if I have caused any confusion. :(

Also, before I made this discovery, I did some research on the blue screens that I had been getting during the GMER scan, and found that some people had been experiencing these BSODs a couple of years ago in connection with ntkrnlpa.exe. Following up a suggestion I found here, I used Microsoft's verifier.exe to verify all non-Microsoft drivers and found two drivers flagged as 'never loaded': aksfridge.sys and hardlock.sys. This rang bells, as these two drivers had come up in connection with ntkrnlpa.exe in my GMER scan.

Again, following advice I found here, I downloaded autoruns.exe and disabled these two drivers to see what would happen. After rebooting, I ran the AVG scan and found that the two IDT entry #03 hook warnings no longer came up.

Could these two drivers be the cause of the false positive?

Isaac David
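The "unknown MBR code" verdict on Disk 1 above comes from a scanner that only recognises Windows boot code and so has no label for GRUB. The following is an added example, not code from this thread or from AVG or avast tooling, showing how such a classifier reads a 512-byte MBR: it validates the 0x55AA signature, parses the four partition entries, and labels the 440-byte code area by the fixed strings the Windows XP MBR and GRUB's boot sector embed. The two disk images are constructed inline to mirror the poster's setup (Disk 0 Windows XP, Disk 1 Kubuntu/GRUB); the marker strings and the "Windows-only" recogniser are assumptions about how aswMBR behaves, not its documented heuristics. A hash allowlist of known-good boot sectors is the stricter check a practitioner would use in production.

```python
"""Classify MBR boot code the way a Windows-only scanner would.

Added example; not code from the thread or from AVG/avast tooling.
Two 512-byte MBR images are constructed inline: one carrying the fixed
strings the Windows XP MBR embeds, one carrying the strings GRUB's boot
sector embeds. A recogniser that only knows the Windows family reports the
GRUB disk as "unknown MBR code", the verdict the poster saw for the Linux
drive. Marker strings are an assumption about real boot sectors.
"""
import struct

MBR_SIZE = 512
BOOT_CODE_LEN = 440            # code area; 440..443 NT disk signature, 444..445 reserved
PARTITION_TABLE_OFFSET = 446   # four 16-byte entries
SIGNATURE_OFFSET = 510         # 0x55 0xAA
ENTRY_FMT = "<B3sB3sII"        # status, CHS start, type, CHS end, LBA start, sector count

WINDOWS_MARKERS = (b"Invalid partition table",
                   b"Error loading operating system",
                   b"Missing operating system")
GRUB_MARKERS = (b"GRUB", b"Geom", b"Hard Disk", b"Read", b" Error")


def parse_partition_table(mbr):
    """Return the non-empty partition entries as dicts."""
    entries = []
    for i in range(4):
        status, _, ptype, _, lba, count = struct.unpack_from(
            ENTRY_FMT, mbr, PARTITION_TABLE_OFFSET + 16 * i)
        if ptype == 0:
            continue
        entries.append({"index": i, "bootable": status == 0x80,
                        "type": ptype, "lba_start": lba, "sectors": count})
    return entries


def classify_boot_code(mbr):
    """Label the 440-byte code area: windows, grub, empty, unknown or invalid."""
    if len(mbr) != MBR_SIZE or mbr[SIGNATURE_OFFSET:] != b"\x55\xaa":
        return "invalid"
    code = mbr[:BOOT_CODE_LEN]
    if all(m in code for m in WINDOWS_MARKERS):
        return "windows"
    if all(m in code for m in GRUB_MARKERS):
        return "grub"
    if not any(code):
        return "empty"
    return "unknown"


def scanner_verdict(mbr, recognised=("windows",)):
    """Verdict of a scanner that trusts only the boot-code families in `recognised`."""
    family = classify_boot_code(mbr)
    if family in ("invalid", "empty"):
        return family
    return family if family in recognised else "unknown MBR code"


def build_mbr(markers, partitions, bootable_index=0):
    """Construct a test MBR: placeholder code bytes, marker strings, table, 0x55AA."""
    img = bytearray(MBR_SIZE)
    img[0:3] = b"\xeb\x00\x90"                  # stand-in for real boot code (jmp/nop)
    pos = 0x80
    for m in markers:                           # NUL-separated strings, as in the real loaders
        img[pos:pos + len(m)] = m
        pos += len(m) + 1
    struct.pack_into("<I", img, BOOT_CODE_LEN, 0xDEADBEEF)   # constructed NT disk signature
    for i, (ptype, lba, count) in enumerate(partitions):
        status = 0x80 if i == bootable_index else 0x00
        struct.pack_into(ENTRY_FMT, img, PARTITION_TABLE_OFFSET + 16 * i,
                         status, b"\xff\xff\xff", ptype, b"\xff\xff\xff", lba, count)
    img[SIGNATURE_OFFSET:] = b"\x55\xaa"
    return bytes(img)


# Constructed disks modelled on the thread: Disk 0 = Windows XP (NTFS), Disk 1 = Kubuntu/GRUB.
DISK0 = build_mbr(WINDOWS_MARKERS, [(0x07, 63, 156296322)])
DISK1 = build_mbr(GRUB_MARKERS, [(0x83, 2048, 480000000), (0x82, 480002048, 8000000)])


def report(disks, recognised=("windows",)):
    """Map disk name -> (family, scanner verdict, partition entries)."""
    return {name: (classify_boot_code(mbr), scanner_verdict(mbr, recognised),
                   parse_partition_table(mbr)) for name, mbr in disks.items()}


if __name__ == "__main__":
    for name, (family, verdict, parts) in report({"Disk 0": DISK0, "Disk 1": DISK1}).items():
        print(f"{name}: family={family} verdict={verdict!r} partitions={parts}")
```

Running it reports Disk 0 as windows and Disk 1 as "unknown MBR code"; passing recognised=("windows", "grub") to report() turns the Disk 1 verdict into grub, which is the difference between a Windows-only scanner and one that knows the Linux loader. Disconnecting the second drive, as the poster did, is the hardware equivalent of removing Disk 1 from the dict.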
October 10, 2013 12:33 Re: IDT Entry #03 Hook #234980
sailor281
Novice
Join Date: 10.10.2013
Posts: 1
I have the same issue. A scan with AVG rescue disk finds nothing. I have fixed the MBR but a rootkit scan still finds this. How do I get rid of it? Attached is a zip containing the avg output, msinfo output and gmer output.
October 21, 2013 12:02 Re: IDT Entry #03 Hook #235552
Pokornyz
Administrator
Join Date: 29.11.2010
Posts: 8245
Hello sailor281,

Please use AVG Rescue CD and restore your MBR as described here (refer to Offline mode using AVG Rescue CD). Then, scan the system using AVG Rescue CD and remove detected threats.

Should the infection be still present after restart, please provide us with new GMER anti-rootkit scan result and new AVG full computer scan result export. Also, please provide us with a screenshot of your partition table listing as follows:
1. Run the AVG Rescue CD.
2. Switch to the linux terminal by the left ALT + F2 key combination.
3. Login as the root user.
4. Execute the fdisk -l command.
5. Take a picture of your screen and attach it to your reply.
6. Use the left ALT + F1 key combination to switch back to the AVG Rescue CD menu.

Thank you.



AVG Team
How-To articles | FAQ | Free Support