August 15, 2011 06:19 IRP Hook Rootkit - Are These Malware? #170714
JimJG
Novice
Join Date: 15.8.2011
Posts: 2
Hello,

I recently removed a TDSS rootkit (using the Kaspersky Lab TDSSKiller utility). Between SuperAntiSpyware and AVG, other trojans were found and removed. Afterwards, I upgraded my AVG to 10.0.1392 (virus DB 1520/3834), noting that it included an anti-rootkit feature. A full scan by AVG yields no infections, but the rootkit scan yields the following 10 rootkits (all categorized as white-listed):

"";"C:\WINDOWS\system32\DRIVERS\PCIIDEX.SYS";"IRP hook, \Driver\IntelIde IRP_MJ_PNP -> PCIIDEX.SYS PciIdeXDebugPrint+0x2D80";"Object is white-listed (critical/system file that should not be removed)"
"";"C:\WINDOWS\system32\DRIVERS\PCIIDEX.SYS";"IRP hook, \Driver\PCIIde IRP_MJ_SYSTEM_CONTROL -> PCIIDEX.SYS PciIdeXDebugPrint+0x2DB4";"Object is white-listed (critical/system file that should not be removed)"
"";"C:\WINDOWS\system32\DRIVERS\PCIIDEX.SYS";"IRP hook, \Driver\IntelIde IRP_MJ_INTERNAL_DEVICE_CONTROL -> PCIIDEX.SYS PciIdeXDebugPrint+0x2E38";"Object is white-listed (critical/system file that should not be removed)"
"";"C:\WINDOWS\system32\DRIVERS\PCIIDEX.SYS";"IRP hook, \Driver\IntelIde IRP_MJ_POWER -> PCIIDEX.SYS +0x692";"Object is white-listed (critical/system file that should not be removed)"
"";"C:\WINDOWS\system32\DRIVERS\PCIIDEX.SYS";"IRP hook, \Driver\IntelIde IRP_MJ_SYSTEM_CONTROL -> PCIIDEX.SYS PciIdeXDebugPrint+0x2DB4";"Object is white-listed (critical/system file that should not be removed)"
"";"C:\WINDOWS\system32\DRIVERS\PCIIDEX.SYS";"IRP hook, \Driver\PCIIde IRP_MJ_PNP -> PCIIDEX.SYS PciIdeXDebugPrint+0x2D80";"Object is white-listed (critical/system file that should not be removed)"
"";"C:\WINDOWS\system32\DRIVERS\PCIIDEX.SYS";"IRP hook, \Driver\PCIIde IRP_MJ_INTERNAL_DEVICE_CONTROL -> PCIIDEX.SYS PciIdeXDebugPrint+0x2E38";"Object is white-listed (critical/system file that should not be removed)"
"";"C:\WINDOWS\system32\DRIVERS\PCIIDEX.SYS";"IRP hook, \Driver\PCIIde IRP_MJ_POWER -> PCIIDEX.SYS +0x692";"Object is white-listed (critical/system file that should not be removed)"
"";"C:\WINDOWS\system32\DRIVERS\CLASSPNP.SYS";"IRP hook, \Driver\Disk IRP_MJ_PNP -> CLASSPNP.SYS ClassDebugPrint+0x6FB";"Object is white-listed (critical/system file that should not be removed)"
"";"C:\WINDOWS\system32\DRIVERS\CLASSPNP.SYS";"IRP hook, \Driver\Disk IRP_MJ_SYSTEM_CONTROL -> CLASSPNP.SYS ClassInitialize+0x666";"Object is white-listed (critical/system file that should not be removed)"

Are these detections something I should worry about? I don't seem to have any symptoms after removal of the known malware as described above, but I want to be sure I have a clean system.

Here are details on my system:

OS Name Microsoft Windows XP Professional
Version 5.1.2600 Service Pack 3 Build 2600
OS Manufacturer Microsoft Corporation
System Manufacturer Sony Corporation
System Model VGN-BX563B
System Type X86-based PC
Processor x86 Family 6 Model 13 Stepping 8 GenuineIntel ~1729 Mhz
BIOS Version/Date Phoenix Technologies LTD R0160X5, 11/25/2005
SMBIOS Version 2.31
Windows Directory C:\WINDOWS
System Directory C:\WINDOWS\system32
Boot Device \Device\HarddiskVolume1
Hardware Abstraction Layer Version = "5.1.2600.5512 (xpsp.080413-2111)"
Page File C:\pagefile.sys

I am attaching the following files

AVG whole computer scan results (CSV file)
AVG rootkit scan results (CSV file)

I'll attach the following in a subsequent post

GMER rootkit and malware scan log (txt file)
GMER autostart scan log (txt file)

Thank you



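The ten rows above all describe a driver's IRP dispatch entry pointing into PCIIDEX.SYS (the PCI IDE bus driver extension library) or CLASSPNP.SYS (the SCSI/disk class driver library), which is the normal shape of a port or class driver dispatching through its helper library rather than a rootkit. As an added triage example (not code from this thread or from AVG), the following Python script parses an export in the semicolon-separated format shown above, extracts the hooked driver, major function and target module from each "IRP hook" description, and separates hooks whose target matches an analyst allow-list from hooks that deserve a closer look. The EXPECTED_TARGET table is an assumption of this example built from the rows in the thread, not a rule AVG ships; the two PLACEHOLDER rows in the sample are constructed to exercise the review path and are not real detections. A "review" verdict only means a human should check the file (publisher signature, hash, vendor), not that it is malicious.

```python
"""Triage IRP-hook rows from an AVG Anti-Rootkit CSV export (added example, not AVG code).

Assumptions: rows are semicolon-separated, double-quoted fields
  "";"<file path>";"<description>";"<status>"
and a description reads
  IRP hook, \Driver\<name> IRP_MJ_<func> -> <MODULE> [<symbol>]+0x<offset>
EXPECTED_TARGET is the analyst's own allow-list built from the thread; it is
not a rule shipped by AVG.
"""
import csv
import io
import re

HOOK_RE = re.compile(
    r"^IRP hook,\s*(?P<driver>\\Driver\\\S+)\s+(?P<mj>IRP_MJ_\w+)\s*->\s*"
    r"(?P<module>\S+)\s*(?P<symbol>\S*)$"
)

# Analyst allow-list (assumption): hooked driver -> helper library it normally
# dispatches into. A hook elsewhere lands in "review", not "malicious".
EXPECTED_TARGET = {
    r"\Driver\IntelIde": {"PCIIDEX.SYS"},
    r"\Driver\PCIIde": {"PCIIDEX.SYS"},
    r"\Driver\Disk": {"CLASSPNP.SYS"},
}

WHITELISTED = "Object is white-listed (critical/system file that should not be removed)"
DRV = r"C:\WINDOWS\system32\DRIVERS"


def _row(path, description, status=WHITELISTED):
    """Build one export row in the format AVG wrote in the thread."""
    return '"";"%s";"%s";"%s"\n' % (path, description, status)


# Constructed sample: the ten rows from the thread plus two made-up rows
# (PLACEHOLDER*.SYS) that exercise the review path. Not real detections.
SAMPLE_EXPORT = "".join([
    _row(DRV + r"\PCIIDEX.SYS", r"IRP hook, \Driver\IntelIde IRP_MJ_PNP -> PCIIDEX.SYS PciIdeXDebugPrint+0x2D80"),
    _row(DRV + r"\PCIIDEX.SYS", r"IRP hook, \Driver\PCIIde IRP_MJ_SYSTEM_CONTROL -> PCIIDEX.SYS PciIdeXDebugPrint+0x2DB4"),
    _row(DRV + r"\PCIIDEX.SYS", r"IRP hook, \Driver\IntelIde IRP_MJ_INTERNAL_DEVICE_CONTROL -> PCIIDEX.SYS PciIdeXDebugPrint+0x2E38"),
    _row(DRV + r"\PCIIDEX.SYS", r"IRP hook, \Driver\IntelIde IRP_MJ_POWER -> PCIIDEX.SYS +0x692"),
    _row(DRV + r"\PCIIDEX.SYS", r"IRP hook, \Driver\IntelIde IRP_MJ_SYSTEM_CONTROL -> PCIIDEX.SYS PciIdeXDebugPrint+0x2DB4"),
    _row(DRV + r"\PCIIDEX.SYS", r"IRP hook, \Driver\PCIIde IRP_MJ_PNP -> PCIIDEX.SYS PciIdeXDebugPrint+0x2D80"),
    _row(DRV + r"\PCIIDEX.SYS", r"IRP hook, \Driver\PCIIde IRP_MJ_INTERNAL_DEVICE_CONTROL -> PCIIDEX.SYS PciIdeXDebugPrint+0x2E38"),
    _row(DRV + r"\PCIIDEX.SYS", r"IRP hook, \Driver\PCIIde IRP_MJ_POWER -> PCIIDEX.SYS +0x692"),
    _row(DRV + r"\CLASSPNP.SYS", r"IRP hook, \Driver\Disk IRP_MJ_PNP -> CLASSPNP.SYS ClassDebugPrint+0x6FB"),
    _row(DRV + r"\CLASSPNP.SYS", r"IRP hook, \Driver\Disk IRP_MJ_SYSTEM_CONTROL -> CLASSPNP.SYS ClassInitialize+0x666"),
    _row(DRV + r"\PLACEHOLDER.SYS", r"IRP hook, \Driver\Disk IRP_MJ_READ -> PLACEHOLDER.SYS +0x10"),
    _row(DRV + r"\PLACEHOLDER2.SYS", r"IRP hook, \Driver\Disk IRP_MJ_PNP -> CLASSPNP.SYS ClassDebugPrint+0x6FB"),
])


def parse_export(text):
    """Return one record per IRP-hook row; rows that are not IRP hooks are skipped."""
    records = []
    for row in csv.reader(io.StringIO(text), delimiter=";", quotechar='"'):
        if len(row) < 4:
            continue
        _, path, description, status = row[:4]
        m = HOOK_RE.match(description.strip())
        if m is None:
            continue
        records.append({
            "path": path,
            "driver": m.group("driver"),
            "major_function": m.group("mj"),
            "module": m.group("module").upper(),
            "symbol": m.group("symbol"),
            "status": status,
        })
    return records


def triage(records):
    """Split records into 'expected' (target is the allow-listed helper for the
    hooked driver and the reported file is that module) and 'review' (with reasons)."""
    result = {"expected": [], "review": []}
    for r in records:
        reasons = []
        allowed = EXPECTED_TARGET.get(r["driver"], set())
        if r["module"] not in allowed:
            reasons.append("%s hooks into %s, not an expected helper for that driver"
                           % (r["driver"], r["module"]))
        reported = r["path"].rsplit("\\", 1)[-1].upper()
        if reported != r["module"]:
            reasons.append("reported file %s differs from hook target %s"
                           % (reported, r["module"]))
        if reasons:
            result["review"].append((r, reasons))
        else:
            result["expected"].append(r)
    return result


if __name__ == "__main__":
    verdict = triage(parse_export(SAMPLE_EXPORT))
    print("expected:", len(verdict["expected"]), "review:", len(verdict["review"]))
    for rec, why in verdict["review"]:
        print(rec["driver"], rec["major_function"], "->", rec["module"], "|", "; ".join(why))
```

Run against the sample, the ten rows from the thread come out as expected and only the two constructed rows are queued for review, each with the reason attached: one because its target module is not the helper library for \Driver\Disk, the other because the file AVG reported does not match the module the hook resolves to. Extending the allow-list is a judgement call per machine; a hook into a module you cannot account for should be checked by file signature and hash before anything is removed, which is exactly why the whitelist status in the export says not to remove it automatically.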
August 15, 2011 06:22 Re: IRP Hook Rootkit - Are These Malware? #170715
JimJG
Novice
Join Date: 15.8.2011
Posts: 2
Additional files..

Here are the GMER scans

GMER rootkit and malware scan log (txt file)
GMER autostart scan log (txt file)
August 15, 2011 06:33 Re: IRP Hook Rootkit - Are These Malware? #170716
fahadhasin96
Hacker
Join Date: 22.5.2011
Posts: 445
Hello JimJG,

In order to analyse this better, please also provide the Msinfo Output.

Please note that rootkits can be either correct or malicious. Correct rootkits may be installed as a part of a legitimate application. AVG detects all the rootkits (not only infected ones). In case the AVG program finds some rootkits, it does not necessarily mean that the rootkit is infected. Sometimes, rootkits are used as drivers or they are a part of correct applications. The list of some well-known rootkits can be found in the FAQ #2346.

Your thread is quite similar to this thread: "IRP Hook" Rootkits Found - Are They Harmful?.

Also, I would like to inform you that using AVG together with other security products is not recommended. Please see FAQ #4247.

Thank you.
August 15, 2011 09:08 Re: IRP Hook Rootkit - Are These Malware? #170723
BIG AL 43
Moderator
Join Date: 18.6.2009
Posts: 23803
Please note that not all rootkit detections are a threat. You can read more here: Anti-Rootkit False Positives part.

Also, just for your future reference, this is what "Object is white-listed (critical/system file that should not be removed)" can signify: you have a critical Windows system file that got infected, and removing it without taking the proper steps would make your system unbootable. In short, you need to do it manually. This is why that file is whitelisted. Have a look @ this 'How-To' link: How To Replace A System File.


AVG Free Volunteer Moderator
AVG Free Forum member since - Nov. 27, 2004
My total posts on the Old AVG Free Forum - 27,063
Alan
How-To articles | FAQ
August 15, 2011 10:30 Re: IRP Hook Rootkit - Are These Malware? #170728
dusano123
Moderator
Join Date: 30.9.2009
Posts: 3566
Hello JimJG,

Detection of these particular rootkits should be removed in one of the following AVG program updates.

For now you can ignore the detection.

Thank you
___________________
AVG Team
How-To articles | FAQ
KW: 67254
August 15, 2011 10:54 Re: IRP Hook Rootkit - Are These Malware? #170733
fahadhasin96
Hacker
Join Date: 22.5.2011
Posts: 445
Wow.... It's a great response. This is the reason I love AVG...!!! It's the best Anti-Virus in the world...
November 6, 2011 00:32 Re: IRP Hook Rootkit - Are These Malware? #179893
ldcraig
Novice
Join Date: 6.11.2011
Posts: 1
IRP hooks..

My computer also has a rootkit called IRP hook in (I believe) the Driver folder. But I can't find it to remove it, and successive scans with AVG failed to remove it as well. I'm not a tech, I'm a user, and my computer was running very slowly. I found a few other viruses with AVG and managed to get rid of those, but the IRP hook is still there.

I've read on these forums that some rootkits are benign and needed. Is this one of them? How can I tell when I can't even find its whole name? The AVG window only shows "IRP hook \Driver\atapiDriverStartIO..." and then I can't see anymore. I have Windows XP. If you need more info to tell me if I need to worry, you'll have to walk me through the steps to find it for you. Thanks for any help you can give.
~~Laura
November 6, 2011 04:46 Re: IRP Hook Rootkit - Are These Malware? #179905
fahadhasin96
Hacker
Join Date: 22.5.2011
Posts: 445
Please provide the GMER output and Msinfo Output. Please also provide the Anti-Rootkit Scan result export.


Best Regards,
Fahad Hasin, Hacker, AVG Forums
AVG Forums' member since - 22 May, 2011

How-To articles | FAQ | Free Support