Hi all,

I just did a rootkit scan and it found an "IRP hook". I am unsure of whether to remove it because it is from the system 32 file. Could this be a false positive because last months scans from AVG, Spybot and Malwarebytes did not show up anything?

*I have just run a scan with Malwarebytes and it found nothing and have also run a scan with Hitman pro and it found nothing)

Thanks

Please provide us more information about your system so that we may have it to base our suggestions on, see What information should I include?.

---

AVG Free Volunteer ModeratorAVG Free Forum member since - Nov. 27, 2004My total posts on the Old AVG Free Forum - 27,063
Alan

---

How-To articles | FAQ | Knowledge Base

System information:

Windows XP Service pack 3
AVG 10.0.1120
Database 422/3164

Other protection software installed:
Malwarebytes Anti-Malware
Spybot Search & Destroy

File name of rootkit infection: Please see attached photo in first post

I hope this is everything

Assume that you are using the AVG Free version?...


Did you by any chance edit your posting?. If so, Your attached files would have been deleted. Presently if a user (not a moderator) edits their post with an attached file it's deleted. This situ is in the process of being investigated.

---

AVG Free Volunteer ModeratorAVG Free Forum member since - Nov. 27, 2004My total posts on the Old AVG Free Forum - 27,063
Alan

---

How-To articles | FAQ | Knowledge Base

Yes I am using AVG free. Yes I did edit my post and was unaware of the picture disappearing after edit. Please find attached in this post the photo

Have you tested the file at Jotti Virusscan or alternatively at VirusTotal to check for detection ratio between several AntiVirus vendors?....

Reporting suspected false positives to virus@avg.com.... Only option available as an AVG Free user.... Please follow these instructions What to do if you suspect a detection is a false positive.

---

AVG Free Volunteer ModeratorAVG Free Forum member since - Nov. 27, 2004My total posts on the Old AVG Free Forum - 27,063
Alan

---

How-To articles | FAQ | Knowledge Base

Thanks, Big AL 43. I have reported it to the email address and believe it is a false positive

Hello jonny109,

the newly introduced AVG Anti-Rootkit detects rootkit like behavior (e.g. IRP hooks). Some of legitimate applications use rootkit techniques for various reasons. It seems that the detected file belongs to Drive Letter access. Could you please uninstall the related software and check whether the AVG detects nothing then? You may ignore the detection in such case (after installing the software back).

Also, I was not able to find any e-mail sent from your e-mail address (used when registering on this forum) to virus@avg.com. If you will send the sample, please mention that it is detected by AVG AntiRootkit 2011 and its exact detection name and path.

Thank you.

___________________AVG TeamHow-To articles | FAQ | Knowledge Base

Hi,

I'm having the exact same experience - same file, same location, etc.. http://forums.avg.com/ww-en/avg-free-forum?sec=thread&act=show&id=121857. I submitted a post about it, but I think it got buried in the stacks of other posts...

I think it's probably a false positive, but I'm very curious as to what you discover...

Thanks,
David

Hello dhsmusic,

your mentioned post was already answered the same day.

As mentioned in the pointed thread:


Thank you
___________________AVG TeamHow-To articles | FAQ