February 11, 2011 17:06 Anti-Rootkit Scan- Inline Hook #148894
at3456 (Novice; Join Date: 11.2.2011; Posts: 1)
Hi,

I have Windows 7 and AVG Anti-Virus 2011 installed.

I have just run an anti-rootkit scan and the following rootkits were identified:

"";"<unknown>";"Inline hook ntdll.dll ZwAccessCheckByType -> 0x20C78791";"Object is hidden"
"";"<unknown>";"Inline hook ntdll.dll ZwAlpcImpersonateClientOfPort -> 0x20C78DD9";"Object is hidden"
"";"<unknown>";"Inline hook ntdll.dll ZwImpersonateClientOfPort -> 0x20C78D58";"Object is hidden"
"";"<unknown>";"Inline hook ntdll.dll ZwSetInformationProcess -> 0x20C789AB";"Object is hidden"

Following the scan I selected the 'remove all unhealed infections' option and was then informed that a computer restart was required. Following the restart I ran the rootkit scan again and the same information is displayed. I have carried out this operation several times, all with the same end result.

I have run Spybot and Windows Defender (usually disabled) but they do not identify any problems.

Can you tell me the following:

1. Are these rootkits dangerous/ should i be concerned?
2. What are they/what do they do?
3. How do i remove them?

Thanks in advance
February 12, 2011 06:47 Re: Anti-Rootkit Scan- Inline Hook #148944
MarkOfNottingham (Novice; Join Date: 12.2.2011; Posts: 3)
Same same..

It's always nice to see the AVG staff replying to worried users in a timely manner :disappointed:

I'm using Windows 7 and AVG Free 2011.

Anyway, I had exactly the same issue yesterday: I had 4 <unknown> rootkit inline hook ntdll.dll with the same names, but the hex addresses were a little different. AVG couldn't (or wouldn't) remove them even in power user mode and no other scanners reported any problems. So I was left high and dry. I was asking myself, is it a rootkit or is it not? WTF is going on. I spent the first hour in panic mode changing my passwords and checking my paypal and bank accounts. Then I spent the next 4 HOURS formatting, reinstalling and updating.

Thanks for erm....nothing.
February 12, 2011 13:49 Re: Anti-Rootkit Scan- Inline Hook #148972
BGBrereton (Novice; Join Date: 12.2.2011; Posts: 3)
I have also had AVG report the same thing.

I think reformatting the hard drive may be a bit of an over-reaction. The AVG reporting looks like a heuristic to me – that is, it's reporting something that is common to viruses, rather than explicitly identifying an actual infection. This is an important feature of any anti-virus software, so that fast-spreading viruses can be caught before an explicit definition update is produced, but it can lead to "false positives", i.e. the incorrect identification of a safe file as a possible infection.

ntdll.dll is a core Windows system file. Windows 7 is much better than earlier versions of Windows at preventing these files from being replaced or corrupted. That is probably why AVG can’t remove it – which is also probably a good thing as successfully deleting this file would probably cause serious damage to Windows.

There was a set of updates to Windows 7 through Windows Update on Tuesday, so I guessed that these may have updated ntdll.dll in a way that has caused AVG to report a false positive. I confirmed this by rolling Windows back to before the Windows Update was applied using System Restore. AVG then reported my PC as clean. Simply re-applying the Windows Update caused AVG to report the possible rootkit again. For me, this pretty much confirms a false positive.

So, I think there is actually no infection. My guess would be that AVG will produce an update soon that removes the false positive.

For the guy that already seems to have reformatted his hard drive, the confirmation of my conclusion would be that after completely re-installing Windows and AVG and then applying all of the Windows Update patches, the rootkit report from AVG comes back. This would clearly show that AVG is reporting a rootkit on a clean system.
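To make concrete what an "Inline hook ntdll.dll ZwXxx -> 0xADDRESS" line is describing, here is the core of the check such an anti-rootkit heuristic performs. This is an added example written for this page; it is not code from the thread, from AVG, or from any scanner. It compares the first bytes of an exported function as mapped in a process with the same bytes from the on-disk image, and when they differ it decodes the patched instruction to recover the redirection target, which is the address printed after the arrow. The load address 0x77A4F000, the stub bytes and the zeroed syscall index are constructed for illustration; only the target value 0x20C789AB is taken from the report above. A 32-bit (x86) process is assumed.

```c
/*
 * Added example, not from the thread or from AVG's own code: the core of
 * an "inline hook" check of the kind an anti-rootkit heuristic applies to
 * exported ntdll functions.  It compares the first bytes of a function as
 * mapped in a process with the same bytes from the on-disk image; if they
 * differ, it decodes the patched instruction to recover where execution is
 * redirected, which is what the "-> 0x20C789AB" part of the AVG report is.
 * All byte strings and addresses below are constructed for illustration.
 * Assumes a 32-bit (x86) process; x64 trampolines need extra patterns.
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PROLOGUE_LEN 16 /* bytes compared per exported function */

enum hook_kind {
    HOOK_NONE = 0,      /* memory matches disk: no inline hook    */
    HOOK_JMP_REL32,     /* E9 rel32 : jmp target                  */
    HOOK_PUSH_RET,      /* 68 imm32 C3 : push target; ret         */
    HOOK_JMP_IND,       /* FF 25 disp32 : jmp [pointer slot]      */
    HOOK_MODIFIED_OTHER /* bytes differ, no recognised trampoline */
};

static uint32_t rd32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* mem/disk: n bytes of the function from memory and from the file image.
 * func_va: virtual address the function is mapped at.
 * On return *target holds the decoded destination (0 if none). */
enum hook_kind classify_inline_hook(const uint8_t *mem, const uint8_t *disk,
                                    size_t n, uint32_t func_va, uint32_t *target)
{
    *target = 0;
    if (memcmp(mem, disk, n) == 0)
        return HOOK_NONE;
    if (n >= 5 && mem[0] == 0xE9) {
        /* rel32 is relative to the end of the 5-byte jmp; uint32_t wraps */
        *target = func_va + 5 + rd32(mem + 1);
        return HOOK_JMP_REL32;
    }
    if (n >= 6 && mem[0] == 0x68 && mem[5] == 0xC3) {
        *target = rd32(mem + 1);
        return HOOK_PUSH_RET;
    }
    if (n >= 6 && mem[0] == 0xFF && mem[1] == 0x25) {
        *target = rd32(mem + 2); /* address of the pointer, not the final hop */
        return HOOK_JMP_IND;
    }
    return HOOK_MODIFIED_OTHER;
}

const char *hook_kind_name(enum hook_kind k)
{
    static const char *names[] = {"clean", "jmp rel32", "push/ret",
                                  "jmp [mem]", "modified"};
    return names[k];
}

/* Constructed stand-in for a 32-bit Windows 7 ntdll Zw* stub as it would read
 * on disk: mov eax,N / xor ecx,ecx / lea edx,[esp+4] / call fs:[0C0h] ...
 * The syscall index N is zeroed; it is not a real Windows value. */
const uint32_t SAMPLE_FUNC_VA = 0x77A4F000u; /* illustrative load address */
const uint8_t SAMPLE_DISK[PROLOGUE_LEN] = {
    0xB8, 0x00, 0x00, 0x00, 0x00, 0x33, 0xC9, 0x8D,
    0x54, 0x24, 0x04, 0x64, 0xFF, 0x15, 0xC0, 0x00};

/* Same stub with its first 5 bytes overwritten by "jmp 0x20C789AB":
 * rel32 = 0x20C789AB - (0x77A4F000 + 5) = 0xA92299A6, stored little-endian. */
const uint8_t SAMPLE_MEM_HOOKED[PROLOGUE_LEN] = {
    0xE9, 0xA6, 0x99, 0x22, 0xA9, 0x33, 0xC9, 0x8D,
    0x54, 0x24, 0x04, 0x64, 0xFF, 0x15, 0xC0, 0x00};

int main(void)
{
    uint32_t target;
    enum hook_kind k;

    k = classify_inline_hook(SAMPLE_DISK, SAMPLE_DISK, PROLOGUE_LEN,
                             SAMPLE_FUNC_VA, &target);
    printf("ZwSetInformationProcess: %s\n", hook_kind_name(k));

    k = classify_inline_hook(SAMPLE_MEM_HOOKED, SAMPLE_DISK, PROLOGUE_LEN,
                             SAMPLE_FUNC_VA, &target);
    /* same shape as the AVG report line */
    printf("Inline hook ntdll.dll ZwSetInformationProcess -> 0x%08X (%s)\n",
           target, hook_kind_name(k));
    return 0;
}
```

Note what this check can and cannot tell you: it reports any divergence between the mapped code and the reference bytes, so a hook placed by another legitimately loaded component produces exactly the same line as one placed by malware. The practical follow-up when you see such a report is to find out which loaded module, if any, owns the target address; a target inside a known, signed DLL points to a benign hook, while a target that no loaded module accounts for is the case that deserves the Rescue CD scan suggested later in this thread.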
February 12, 2011 13:55 Re: Anti-Rootkit Scan- Inline Hook #148974
BIG AL 43 (Moderator; Join Date: 19.6.2014; Posts: 0)
All Users

Reporting suspected false positives to virus@avg.com is the only option available as an AVG Free user. Please follow these instructions: What to do if you suspect a detection is a false positive.

Also if you think that a file is being detected in error, you can submit it here http://samplesubmit.avg.com/ww-en/sample-scanning on this new webpage.


AVG Free Volunteer Moderator | AVG Free Forum member since Nov. 27, 2004 | My total posts on the Old AVG Free Forum: 27,063
Alan
February 12, 2011 19:41 Re: Anti-Rootkit Scan- Inline Hook #149036
dusano123 (Moderator; Join Date: 30.9.2009; Posts: 3566)
Hello all,

Please proceed as per this post by Jirka. Scan your computer with the Rescue CD and provide us with the requested outputs so we can analyze this issue further.

Thank you
AVG Team
February 12, 2011 20:25 Re: Anti-Rootkit Scan- Inline Hook #149052
BGBrereton (Novice; Join Date: 12.2.2011; Posts: 3)
I have sent an e-mail to virus@avg.com to report the suspected false positive as suggested. As this seems to be getting attention here, I'm attaching the result overview export file here as well.

I'll try the AVG Rescue CD tomorrow.
February 13, 2011 22:37 Re: Anti-Rootkit Scan- Inline Hook #149236
BGBrereton (Novice; Join Date: 12.2.2011; Posts: 3)
Well, I ran an AVG Recovery CD scan and it came up with zero infections. But I noticed it was using a database dated today, so after that I updated AVG in the normal way and re-ran a normal rootkit scan. This also came up with zero infections.

So in conclusion: it was a false positive that AVG have now addressed. Case closed.