AVG Forums » Other topics » Virus Removal, Tools for Removing » Rootkit Detection Virtual Machine
June 25, 2012 15:20 Rootkit Detection Virtual Machine #210615
braddesu
Novice
Join Date: 25.6.2012
Posts: 3
Rootkit detection on a Virtual machine

I am running a Microsoft Virtual machine of Windows XP (SP3) Build 2600 Professional 32-bit (fully patched) on a Windows 7 Pro i7 64-bit install.

The VM has AVG Free 2012 loaded (virus database version 2437/5092, version 2012.0.2180), and when I run a full scan I get the following report:

Scan "Anti-Rootkit scan" completed.
Rootkits;"3";"0";"3"

Rootkits
;"File";"Infection";"Result"
;"<unknown>";"Corrupted section hal.dll[.text] HalBeginSystemInterrupt+0x73, size 10 bytes";"Object is hidden"
;"<unknown>";"Corrupted section hal.dll[.text] HalDisableSystemInterrupt+0x21, size 7 bytes";"Object is hidden"
;"<unknown>";"Corrupted section hal.dll[.text] HalEnableSystemInterrupt+0x6C, size 7 bytes";"Object is hidden"

If I run MS Security Essentials it finds no threat, and neither does the MS Safety Scanner (1.0.3001.0). AVG cannot heal or remove them and reports them as potentially dangerous rootkits which it can't remove.

Does anyone know whether these are actually an issue, or just a false positive produced by the OS running as a VM?
June 25, 2012 16:41 Re: Rootkit Detection Virtual Machine #210643
_malchys_
Administrator
Join Date: 2.5.2012
Posts: 1875
Hello braddesu,

Please provide us with more information (AVG scan result export, MSInfo output and GMER scan results) regarding this issue.

Thank you.



AVG Team
How-To articles | FAQ | Free Support

June 26, 2012 00:29 Re: Rootkit Detection Virtual Machine #210745
BIG AL 43
Moderator
Join Date: 18.6.2009
Posts: 23807
@ braddesu

For your info, also have a look through this link: http://forums.avg.com/ww-en/avg-forums?sec=thread&act=show&id=205259.


AVG Forums Volunteer Moderator | AVG Forum member since Nov. 27, 2004 | My total posts on the Old AVG Free Forum: 27,063
Alan
How-To Articles | FAQ | Free Support
June 26, 2012 13:08 Re: Rootkit Detection Virtual Machine #210812
braddesu
Novice
Join Date: 25.6.2012
Posts: 3
Upload result & scan info.

I read your posts for a similar case as suggested (i.e. May 30, 2012 16:45 Object Inaccessible, Running Virtual PC #205259 raye215). This user's situation is almost an exact duplicate, except I'm running a later version of AVG with a later version of the database. Even his errors for his three rootkits were the same results, i.e.:

Rootkits
;"File";"Infection";"Result"
;"<unknown>";"Corrupted section hal.dll[.text] HalBeginSystemInterrupt+0x73, size 10 bytes";"Object is hidden"
;"<unknown>";"Corrupted section hal.dll[.text] HalDisableSystemInterrupt+0x21, size 7 bytes";"Object is hidden"
;"<unknown>";"Corrupted section hal.dll[.text] HalEnableSystemInterrupt+0x6C, size 7 bytes";"Object is hidden"

I have run GMER and MSInfo. As soon as I ran GMER I ended up with seven rootkits found which I can't get rid of. It seems to me these are all false positives: the three from a standard install of the VM, and GMER creating the other four issues. Your posts with regard to Raye conclude "No, it is one bit corruption, it doesn't influence any functionality", which I understand to be "it's not a problem, don't worry about it". What is a one bit corruption, however?

Really I need to know:
1) What is a one bit corruption, and is it even worth addressing as an issue?
2) Are the other 4 rootkits detected the result of GMER, and can I ignore them?
3) Surely if these are a known issue but have no impact on the VM or any negative side effects, you shouldn't be flagging them as a problem?
4) Even if you try to cure the rootkits one by one, it does not work; is there any solution?

Kind Regards

Braddesu
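The Anti-Rootkit report quoted in both posts above is a small semicolon-separated table, and the "Corrupted section" strings follow a fixed shape (module[section] symbol+offset, size N bytes). The following is an added example, not AVG's code and not anything posted in this thread: a parser that pulls those fields out of a saved report and separates the three hal.dll hits this thread is about (only when the scanned host is a virtual machine) from any other detection, which stays flagged for review. The report text is a constructed sample copied from the post; the KNOWN_VM_BENIGN table is an assumption built from this thread, not an AVG-published list.

```python
"""Parse an AVG Anti-Rootkit scan export and triage 'Corrupted section' hits.

Added example for this forum thread; not AVG's own code. The known-benign
table below is an assumption drawn from the three hal.dll detections the
thread discusses on a Virtual PC guest, not an AVG-published whitelist.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample: the report text as quoted in the thread.
SAMPLE_REPORT = """\
Scan "Anti-Rootkit scan" completed.
Rootkits;"3";"0";"3"

Rootkits
;"File";"Infection";"Result"
;"<unknown>";"Corrupted section hal.dll[.text] HalBeginSystemInterrupt+0x73, size 10 bytes";"Object is hidden"
;"<unknown>";"Corrupted section hal.dll[.text] HalDisableSystemInterrupt+0x21, size 7 bytes";"Object is hidden"
;"<unknown>";"Corrupted section hal.dll[.text] HalEnableSystemInterrupt+0x6C, size 7 bytes";"Object is hidden"
"""

# Shape of the infection string: <module>[<section>] <symbol>+0x<offset>, size <n> bytes
_CORRUPT_RE = re.compile(
    r"Corrupted section (?P<module>[\w.]+)\[(?P<section>[\w.]+)\] "
    r"(?P<symbol>\w+)\+0x(?P<offset>[0-9A-Fa-f]+), size (?P<size>\d+) bytes"
)

# Assumption: the three hits reported on the Virtual PC guest in this thread.
# Keyed as (module, section, symbol, offset, size) so a hit at a different
# offset or size in the same function is NOT matched.
KNOWN_VM_BENIGN = {
    ("hal.dll", ".text", "HalBeginSystemInterrupt", 0x73, 10),
    ("hal.dll", ".text", "HalDisableSystemInterrupt", 0x21, 7),
    ("hal.dll", ".text", "HalEnableSystemInterrupt", 0x6C, 7),
}


@dataclass(frozen=True)
class Detection:
    file: str
    infection: str
    result: str
    module: Optional[str] = None
    section: Optional[str] = None
    symbol: Optional[str] = None
    offset: Optional[int] = None
    size: Optional[int] = None

    @property
    def key(self):
        return (self.module, self.section, self.symbol, self.offset, self.size)


def parse_report(text: str) -> list[Detection]:
    """Return one Detection per data row of the 'Rootkits' table."""
    detections: list[Detection] = []
    in_table = False
    for line in text.splitlines():
        if line.strip() == "Rootkits":          # table title, not the summary line
            in_table = True
            continue
        if not in_table or not line.startswith(';"'):
            continue
        # Rows look like ;"File";"Infection";"Result": drop the leading ';'
        # and split on the quoted separator, then strip the outer quotes.
        cells = [c.strip('"') for c in line[1:].split('";"')]
        if len(cells) != 3 or cells[0] == "File":
            continue                            # header row or malformed row
        file, infection, result = cells
        m = _CORRUPT_RE.search(infection)
        if m:
            detections.append(Detection(
                file, infection, result,
                m["module"].lower(), m["section"], m["symbol"],
                int(m["offset"], 16), int(m["size"])))
        else:
            detections.append(Detection(file, infection, result))
    return detections


def triage(detections: list[Detection], on_virtual_machine: bool) -> dict[str, list[Detection]]:
    """Split detections into 'known_vm_benign' and 'needs_review'.

    The whitelist only applies when the scanned host is a VM; the same hits
    on physical hardware are kept for review.
    """
    out: dict[str, list[Detection]] = {"known_vm_benign": [], "needs_review": []}
    for d in detections:
        bucket = "known_vm_benign" if on_virtual_machine and d.key in KNOWN_VM_BENIGN else "needs_review"
        out[bucket].append(d)
    return out


if __name__ == "__main__":
    result = triage(parse_report(SAMPLE_REPORT), on_virtual_machine=True)
    for bucket, items in result.items():
        print(bucket, [f"{d.symbol}+0x{d.offset:X}" for d in items])
```

The match key deliberately includes offset and size: a corruption in the same HAL routine at a different location would not be silently accepted, and on a physical host nothing is whitelisted at all.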
June 28, 2012 15:41 Re: Rootkit Detection Virtual Machine #211057
Pokornyz
Administrator
Join Date: 29.11.2010
Posts: 8235
Hello braddesu,

Your situation is exactly the same: the virtual machine is clean and you don't need to worry about it.

Detection of "one bit corruption" should be removed in future versions of AVG.

2) Are the other 4 rootkits detected the results of GMER and can I ignore them?

The provided GMER output is clean -> 0 rootkits

Thank you



June 29, 2012 19:02 Re: Rootkit Detection Virtual Machine #211154
BIG AL 43
Moderator
Join Date: 18.6.2009
Posts: 23807
All Users

For the latest AVG Team info see Weekly Overview: 27/2012: Anti-Rootkit scan detects a corrupted file. AVG 2013 is currently available in beta testing (Weekly Overview: 26/2012). Subscribe to this RSS feed if you want to be notified about new Weekly Overviews.

