September 28, 2010 16:30 Rootkit Scan- IRP Hook #109985
jonny109

Senior
Join Date: 7.7.2009
Posts: 38
Hi all,

I just did a rootkit scan and it found an "IRP hook". I am unsure whether to remove it because it is a system32 file. Could this be a false positive, because last month's scans from AVG, Spybot and Malwarebytes did not show up anything?

(I have just run a scan with Malwarebytes and it found nothing, and have also run a scan with Hitman Pro and it found nothing.)

Thanks
September 28, 2010 16:52 Re: Rootkit Scan- IRP Hook #109987
BIG AL 43

Moderator
Join Date: 19.6.2014
Posts: 0
Please provide us with more information about your system so that we have something to base our suggestions on; see "What information should I include?".


AVG Free Volunteer Moderator | AVG Free Forum member since Nov. 27, 2004 | My total posts on the Old AVG Free Forum: 27,063
Alan
How-To articles | FAQ | Knowledge Base
September 28, 2010 17:02 Re: Rootkit Scan- IRP Hook #109989
jonny109

Senior
Join Date: 7.7.2009
Posts: 38
System information:

Windows XP Service pack 3
AVG 10.0.1120
Database 422/3164

Other protection software installed:
Malwarebytes Anti-Malware
Spybot Search & Destroy

File name of rootkit infection: Please see attached photo in first post

I hope this is everything.
September 28, 2010 17:10 Re: Rootkit Scan- IRP Hook #109991
BIG AL 43

Moderator
Join Date: 19.6.2014
Posts: 0
I assume that you are using the AVG Free version?

"File name of rootkit infection: Please see attached photo in first post"

Did you by any chance edit your posting? If so, your attached files would have been deleted. Presently, if a user (not a moderator) edits their post with an attached file, it's deleted. This situation is in the process of being investigated.


September 28, 2010 17:24 Re: Rootkit Scan- IRP Hook #109993
jonny109

Senior
Join Date: 7.7.2009
Posts: 38
Yes, I am using AVG Free. Yes, I did edit my post and was unaware of the picture disappearing after the edit. Please find the photo attached to this post.
[Attachment: Rootkit scan.JPG]
September 28, 2010 17:38 Re: Rootkit Scan- IRP Hook #109997
BIG AL 43

Moderator
Join Date: 19.6.2014
Posts: 0
"Could this be a false positive"

Have you tested the file at Jotti Virusscan or, alternatively, at VirusTotal to check the detection ratio across several antivirus vendors?

Reporting suspected false positives to virus@avg.com is the only option available to you as an AVG Free user. Please follow these instructions: "What to do if you suspect a detection is a false positive".


September 28, 2010 18:07 Re: Rootkit Scan- IRP Hook #110003
jonny109

Senior
Join Date: 7.7.2009
Posts: 38
Thanks, BIG AL 43. I have reported it to the email address and believe it is a false positive.
September 29, 2010 13:46 Re: Rootkit Scan- IRP Hook #110129
jirka82

Administrator
Join Date: 19.6.2009
Posts: 3892
Hello jonny109,

The newly introduced AVG Anti-Rootkit detects rootkit-like behavior (e.g. IRP hooks). Some legitimate applications use rootkit techniques for various reasons. It seems that the detected file belongs to Drive Letter Access. Could you please uninstall the related software and check whether AVG then detects nothing? You may ignore the detection in that case (after installing the software back).

Also, I was not able to find any e-mail sent from your e-mail address (the one used when registering on this forum) to virus@avg.com. If you send the sample, please mention that it is detected by AVG Anti-Rootkit 2011, and give its exact detection name and path.

Thank you.

AVG Team | How-To articles | FAQ | Knowledge Base
November 7, 2010 18:04 Re: Rootkit Scan- IRP Hook #125169
dhsmusic

Novice
Join Date: 26.10.2010
Posts: 2
Hi,

I'm having the exact same experience: same file, same location, etc. http://forums.avg.com/ww-en/avg-free-forum?sec=thread&act=show&id=121857. I submitted a post about it, but I think it got buried in the stacks of other posts.

I think it's probably a false positive, but I'm very curious as to what you discover...

Thanks,
David
November 8, 2010 13:28 Re: Rootkit Scan- IRP Hook #125363
ondraploteny

Administrator
Join Date: 27.3.2009
Posts: 6996
Hello dhsmusic,

The post you mentioned was already answered the same day.

As mentioned in the pointed thread:
Anti-Rootkit False Positives
Please be informed that AVG Anti-Rootkit detects all processes (not digitally certified by a trusted authority) which are using rootkit techniques to hide their actions. The detected rootkit can be a virus, as well as part of a commercial application (more information).

In case of suspicion about a falsely detected rootkit, please locate it and send to virus@avg.com for closer analysis.


Thank you
AVG Team | How-To articles | FAQ
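The two AVG replies above describe one decision: an "IRP hook" is a slot in a driver's dispatch table that no longer points at the driver's own code, and whether that is malware or a legitimate product such as Drive Letter Access depends on which module the hooked pointer resolves to and whether that module carries a trusted signature. The C program below is an added example written for this page; it is not AVG's scanner code and was not posted in the thread. It models a Windows XP DRIVER_OBJECT.MajorFunction table and the classification an anti-rootkit scanner performs on each slot, including the kernel's default "invalid request" stub that a naive check would wrongly flag. Every module name, base address, size and the "dla_demo.sys" stand-in for the Drive Letter Access driver are constructed for the demo and are not real system values.

```c
/* Added example for this thread, not AVG's code. It models the check behind an
 * "IRP hook" report: each IRP_MJ_* slot in DRIVER_OBJECT.MajorFunction normally
 * points into the driver's own image or at the kernel's default stub
 * (nt!IopInvalidDeviceRequest); anything else is a hook, and the module the
 * pointer resolves to decides how suspicious it is. All addresses, sizes and
 * file names below are constructed for the demo, not real Windows XP values. */
#include <stdint.h>
#include <stdio.h>

#define IRP_MJ_MAXIMUM_FUNCTION 0x1b          /* 28 dispatch slots on Windows XP */
#define NUM_MJ (IRP_MJ_MAXIMUM_FUNCTION + 1)
#define IRP_MJ_CREATE         0x00
#define IRP_MJ_CLOSE          0x02
#define IRP_MJ_READ           0x03
#define IRP_MJ_WRITE          0x04
#define IRP_MJ_DEVICE_CONTROL 0x0e
#define IRP_MJ_PNP            0x1b

typedef struct {
    const char *path;              /* constructed file name */
    uintptr_t   base;
    size_t      size;
    int         trusted_signature; /* assumption: filled in by an Authenticode check */
} module_t;

typedef struct {
    const char     *name;
    const module_t *image;         /* module that owns this driver object */
    uintptr_t       major_function[NUM_MJ];
} driver_object_t;

enum verdict {
    NOT_HOOKED = 0,        /* own image or kernel stub */
    HOOK_TRUSTED_SIGNED,   /* hooked by a module carrying a trusted signature */
    HOOK_UNSIGNED,         /* hooked by an unsigned loaded module */
    HOOK_UNKNOWN_MODULE    /* hooked by code in no listed module: hidden or injected */
};

static int in_module(const module_t *m, uintptr_t a) { return a >= m->base && a < m->base + m->size; }

static const module_t *find_module(const module_t *mods, size_t n, uintptr_t a)
{
    for (size_t i = 0; i < n; i++)
        if (in_module(&mods[i], a)) return &mods[i];
    return NULL;
}

/* Slots pointing into `kernel` (ntoskrnl) are the default stub for IRPs the driver
 * does not handle; treating them as hooks is the classic scanner false positive. */
enum verdict classify_slot(const driver_object_t *drv, const module_t *mods, size_t n,
                           const module_t *kernel, int mj)
{
    uintptr_t p = drv->major_function[mj];
    if (in_module(drv->image, p) || in_module(kernel, p)) return NOT_HOOKED;
    const module_t *owner = find_module(mods, n, p);
    if (!owner) return HOOK_UNKNOWN_MODULE;
    return owner->trusted_signature ? HOOK_TRUSTED_SIGNED : HOOK_UNSIGNED;
}

/* Constructed scenario in the spirit of the thread: a CD-ROM class driver whose IOCTL
 * path is hooked by a signed packet-writing filter (stand-in for Drive Letter Access),
 * plus an unsigned hook and one pointing at code that no loaded module owns. */
static const module_t g_mods[] = {
    { "ntoskrnl.exe",          0x804D7000u, 0x20F000u, 1 },
    { "drivers\\cdrom.sys",    0xF8400000u, 0x010000u, 1 },
    { "drivers\\dla_demo.sys", 0xF8500000u, 0x020000u, 1 },
    { "drivers\\noname.sys",   0xF8600000u, 0x008000u, 0 },
};
#define NMODS (sizeof g_mods / sizeof g_mods[0])

static driver_object_t demo_driver(void)
{
    driver_object_t d = { "\\Driver\\Cdrom", &g_mods[1], {0} };
    for (int mj = 0; mj < NUM_MJ; mj++)
        d.major_function[mj] = g_mods[0].base + 0x1000;       /* IopInvalidDeviceRequest stand-in */
    d.major_function[IRP_MJ_CREATE]         = g_mods[1].base + 0x1800;  /* driver's own handler */
    d.major_function[IRP_MJ_READ]           = g_mods[1].base + 0x2000;  /* driver's own handler */
    d.major_function[IRP_MJ_DEVICE_CONTROL] = g_mods[2].base + 0x3100;  /* signed filter's hook */
    d.major_function[IRP_MJ_PNP]            = g_mods[3].base + 0x0400;  /* unsigned module's hook */
    d.major_function[IRP_MJ_WRITE]          = 0xF7A01234u;              /* no module owns this */
    return d;
}

enum verdict demo_verdict(int mj)
{
    driver_object_t d = demo_driver();
    return classify_slot(&d, g_mods, NMODS, &g_mods[0], mj);
}

int demo_hook_count(void)
{
    int n = 0;
    for (int mj = 0; mj < NUM_MJ; mj++) n += demo_verdict(mj) != NOT_HOOKED;
    return n;
}

int main(void)
{
    driver_object_t d = demo_driver();
    for (int mj = 0; mj < NUM_MJ; mj++) {
        enum verdict v = demo_verdict(mj);
        if (v != NOT_HOOKED)
            printf("%s IRP_MJ 0x%02x -> 0x%08lx verdict=%d\n", d.name, mj,
                   (unsigned long)d.major_function[mj], (int)v);
    }
    return 0;
}
```

Build with any C99 compiler (for example `gcc -std=c99 irp_hook_demo.c`). The report lists three hooked slots: IRP_MJ_DEVICE_CONTROL resolving to the signed filter (the Drive Letter Access situation the thread describes), IRP_MJ_PNP resolving to an unsigned module, and IRP_MJ_WRITE pointing at an address no loaded module owns, which is the case that most deserves a sample sent to the vendor. A real scanner has to walk the kernel's loaded-module list and driver objects itself, and a hook from a trusted-signed module is still worth recording rather than silently dropped, since a signature says who built the code, not that it is benign.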