AVG | AVG Support and Discussion Forums

English
- Česky
- English
- Español
- Français
- Português

Can’t find the answer you are looking for?

Get free phone support.

Folder

AVG Forums » Other topics » Virus Removal, Tools for Removing » IRP Hook Rootkit - Are These Malware?

New thread Reply

August 15, 2011 06:19	IRP Hook Rootkit - Are These Malware? #170714
	Reply with Quote \| Quick Reply \| Top
JimJG Novice Join Date: 15.8.2011 Posts: 2	Hello, I recently removed a TDSS rootkit (using the Kaspersky lab TDSSKiller utility). Between SuperAntiSpyware and AVG, other trojans were found and removed. Afterwards, I upgrade my AVG to 10.0.1392 (virus DB 1520/3834) noting that it included anti-rootkit feature. A full scan by AVG yields no infections, but the rootkit scan yields the following 10 rootkits (all categorized as white-listed) "";"C:\WINDOWS\system32\DRIVERS\PCIIDEX.SYS";"IRP hook, \Driver\IntelIde IRP_MJ_PNP -> PCIIDEX.SYS PciIdeXDebugPrint+0x2D80";"Object is white-listed (critical/system file that should not be removed)" "";"C:\WINDOWS\system32\DRIVERS\PCIIDEX.SYS";"IRP hook, \Driver\PCIIde IRP_MJ_SYSTEM_CONTROL -> PCIIDEX.SYS PciIdeXDebugPrint+0x2DB4";"Object is white-listed (critical/system file that should not be removed)" "";"C:\WINDOWS\system32\DRIVERS\PCIIDEX.SYS";"IRP hook, \Driver\IntelIde IRP_MJ_INTERNAL_DEVICE_CONTROL -> PCIIDEX.SYS PciIdeXDebugPrint+0x2E38";"Object is white-listed (critical/system file that should not be removed)" "";"C:\WINDOWS\system32\DRIVERS\PCIIDEX.SYS";"IRP hook, \Driver\IntelIde IRP_MJ_POWER -> PCIIDEX.SYS +0x692";"Object is white-listed (critical/system file that should not be removed)" "";"C:\WINDOWS\system32\DRIVERS\PCIIDEX.SYS";"IRP hook, \Driver\IntelIde IRP_MJ_SYSTEM_CONTROL -> PCIIDEX.SYS PciIdeXDebugPrint+0x2DB4";"Object is white-listed (critical/system file that should not be removed)" "";"C:\WINDOWS\system32\DRIVERS\PCIIDEX.SYS";"IRP hook, \Driver\PCIIde IRP_MJ_PNP -> PCIIDEX.SYS PciIdeXDebugPrint+0x2D80";"Object is white-listed (critical/system file that should not be removed)" "";"C:\WINDOWS\system32\DRIVERS\PCIIDEX.SYS";"IRP hook, \Driver\PCIIde IRP_MJ_INTERNAL_DEVICE_CONTROL -> PCIIDEX.SYS PciIdeXDebugPrint+0x2E38";"Object is white-listed (critical/system file that should not be removed)" "";"C:\WINDOWS\system32\DRIVERS\PCIIDEX.SYS";"IRP hook, \Driver\PCIIde IRP_MJ_POWER -> PCIIDEX.SYS +0x692";"Object is white-listed (critical/system file that should not be removed)" "";"C:\WINDOWS\system32\DRIVERS\CLASSPNP.SYS";"IRP hook, \Driver\Disk IRP_MJ_PNP -> CLASSPNP.SYS ClassDebugPrint+0x6FB";"Object is white-listed (critical/system file that should not be removed)" "";"C:\WINDOWS\system32\DRIVERS\CLASSPNP.SYS";"IRP hook, \Driver\Disk IRP_MJ_SYSTEM_CONTROL -> CLASSPNP.SYS ClassInitialize+0x666";"Object is white-listed (critical/system file that should not be removed)" Are these detections something I should worry about? I don't seem to have any symtoms after removal of known malware as described above, but I want to be sure I have a clean system. Here are details on my system: OS Name Microsoft Windows XP Professional Version 5.1.2600 Service Pack 3 Build 2600 OS Manufacturer Microsoft Corporation System Manufacturer Sony Corporation System Model VGN-BX563B System Type X86-based PC Processor x86 Family 6 Model 13 Stepping 8 GenuineIntel ~1729 Mhz BIOS Version/Date Phoenix Technologies LTD R0160X5, 11/25/2005 SMBIOS Version 2.31 Windows Directory C:\WINDOWS System Directory C:\WINDOWS\system32 Boot Device \Device\HarddiskVolume1 Hardware Abstraction Layer Version = "5.1.2600.5512 (xpsp.080413-2111)" Page File C:\pagefile.sys I am attaching the following files AVG whole computer scan results (CSV file) AVG rootkit scan results (CSV file) I'll attach the following in a subsequent post GMER rootkit and malware scan log (txt file) GMER autostart scan log (txt file) Thank you AVG rootkit scan results.csv AVG whole computer scan results.csv

August 15, 2011 06:22	Re: IRP Hook Rootkit - Are These Malware? #170715
	Reply with Quote \| Quick Reply \| Top
JimJG Novice Join Date: 15.8.2011 Posts: 2	Additional files.. Here are the GMER scans GMER rootkit and malware scan log (txt file) GMER autostart scan log (txt file) GMER autostart scan log.txt GMER rootkit and malware scan log.txt

August 15, 2011 06:33	Re: IRP Hook Rootkit - Are These Malware? #170716
	Reply with Quote \| Quick Reply \| Top
fahadhasin96 Hacker Join Date: 22.5.2011 Posts: 445	Hello JimJG, In order to analyse you better, please also provide Msinfo Output. Please note that rootkits can be either correct or malicious. Correct rootkits may be installed as a part of legitimate application. AVG detects all the rootkits (not only infected).In case the AVG program finds some rootkits it does not necessarily mean, that the rootkit is infected. Sometimes, rootkits are used as drivers or they are a part of correct applications. The list of some well-known rootkits can be found in the FAQ #2346. Your thread is quite similar to this thread : "IRP Hook" Rootkits Found - Are They Harmful?. Also I would like to inform you using AVG together with other security products is not recommended. Please see FAQ #4247. Thank you.

August 15, 2011 09:08	Re: IRP Hook Rootkit - Are These Malware? #170723
	Reply with Quote \| Quick Reply \| Top
BIG AL 43 Moderator Join Date: 18.6.2009 Posts: 21667	Please note that not all rootkit detections are a threat. You can read more in here - Anti-Rootkit False Positives part. Also just for your future ref this is what "Object is white-listed (critical/system file that should not be removed)" can signify.... You have a critical Windows system file that got infected... removing it without taking the proper steps would make your system unbootable. In short you need to do it manually. This is why that file is whitelisted. Have a look @ this 'How-To' link How To Replace A System File. AVG Free Volunteer ModeratorAVG Free Forum member since - Nov. 27, 2004My total posts on the Old AVG Free Forum - 27,063 Alan How-To articles \| FAQ

August 15, 2011 10:30	Re: IRP Hook Rootkit - Are These Malware? #170728
	Reply with Quote \| Quick Reply \| Top
dusano123 Moderator Join Date: 30.9.2009 Posts: 3566	Hello JimJG, Detection of these particular rootkits should be removed in one of the following AVG program updates. For now you can ignore the detection. Thank you ___________________AVG TeamHow-To articles \| FAQKW: 67254

August 15, 2011 10:54	Re: IRP Hook Rootkit - Are These Malware? #170733
	Reply with Quote \| Quick Reply \| Top
fahadhasin96 Hacker Join Date: 22.5.2011 Posts: 445	Wow.... It's a great response. This is the reason I love AVG...!!! Its best Anti-Virus in the world...

November 6, 2011 00:32	Re: IRP Hook Rootkit - Are These Malware? #179893
	Reply with Quote \| Quick Reply \| Top
ldcraig Novice Join Date: 6.11.2011 Posts: 1	IRP hooks.. My computer also has a rootkit called IRP hook in (I believe) the Driver folder. But I can't find it to remove it, and successive scans with AVG failed to remove it as well. I'm not a tech, I'm a user, and my computer was running very slowly. I found a few other viruses with AVG and managed to get rid of those, but the IRP hook is still there. I've read on these forums that some rootkits are benign and needed. Is this one of them? How can I tell when I can't even find its whole name? The AVG window only shows "IRP hook \Driver\atapiDriverStartIO..." and then I can't see anymore. I have Windows XP. If you need more info to tell me if I need to worry, you'll have to walk me through the steps to find it for you. Thanks for any help you can give. ~~Laura

November 6, 2011 04:46	Re: IRP Hook Rootkit - Are These Malware? #179905
	Reply with Quote \| Quick Reply \| Top
fahadhasin96 Hacker Join Date: 22.5.2011 Posts: 445	Please provide the GMER output and Msinfo Output. Please also provide the Anti-Rootkit Scan result export. Best Regards, Fahad Hasin,Hacker,AVG Forums AVG Forums' member since - 22 May, 2011 How-To articles \| FAQ \| Free Support

New thread Reply

Go to

Previous thread |

Up to parent | Next thread