We think this may be a false positive as I have renamed the ntkrnlpa.exe to ntkrnlpa.old and copied a replacement from a different computer (same service pack). The computer it is affecting is a Windows XP Service Pack 3 Professional.
Given the forum replies here I am more convinced that it is a false positive.
I thought it might be a false positive before I came here. A scan of ntkrnlpa.exe with AVG showed no infection, and I got the same result with VirusTotal and Jotti's. However, I'm not technically savvy enough to be confident, especially when the AVG message was hard to interpret. After all, is the suspected 'infection' in ntkrnlpa.exe or in the IDT? There does seem to be something going on with the MBR, even if it's benign. I ran Avast's rootkit scan because of the problems I was having with GMER 2.1 and have attached the results (MBR.dat has been zipped because the editing window didn't seem to like something in the .dat file).
Correct me if I'm wrong, but the only logfile showing an unknown MBR code message was the output from AVAST's aswMBR scanner. I realised yesterday that this was being reported for Disk 1, not Disk 0. I installed a second drive a couple of weeks ago and installed Linux (Kubuntu 12.04) on it. To confirm that this was the source of the message, I disconnected the new drive and did another scan - no more 'unknown MBR code'! Since aswMBR is intended to scan a Windows environment, I assume the code relates to the Linux environment and is entirely normal. My apologies if I have caused any confusion. :frowning:
Also, before I made this discovery, I did some research on the blue screens that I had been getting during the GMER scan, and found that some people had been experiencing these BSODs a couple of years ago in connection with ntkrnlpa.exe. Following up a suggestion I found here, I used Microsoft's verifier.exe to verify all non-Microsoft drivers and found two drivers flagged as 'never loaded': aksfridge.sys and hardlock.sys. This rang bells, as these two drivers had come up in connection with ntkrnlpa.exe in my GMER scan.
Again, following advice I found here, I downloaded autoruns.exe and disabled these two drivers to see what would happen. After rebooting, I ran the AVG scan and found that the two IDT entry #03 hook warnings no longer came up.
Could these two drivers be the cause of the false positive?
I have the same issue. A scan with AVG rescue disk finds nothing. I have fixed the MBR but a rootkit scan still finds this. How do I get rid of it? Attached is a zip containing the avg output, msinfo output and gmer output.
Please use AVG Rescue CD and restore your MBR as described here (refer to Offline mode using AVG Rescue CD). Then, scan the system using AVG Rescue CD and remove detected threats.
Should the infection be still present after restart, please provide us with new GMER anti-rootkit scan result and new AVG full computer scan result export. Also, please provide us with a screenshot of your partition table listing as follows:
1. Run the AVG Rescue CD.
2. Switch to the Linux terminal by the left ALT + F2 key combination.
3. Login as the root user.
4. Execute the fdisk -l command.
5. Take a picture of your screen and attach it to your reply.
6. Use the left ALT + F1 key combination to switch back to the AVG Rescue CD menu.
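When a poster attaches a raw MBR dump (such as the MBR.dat above) or is asked for a partition table listing as in the steps just given, it helps to know what is actually inside those 512 bytes: 446 bytes of boot code, four 16-byte partition entries, and the 0x55AA signature. The following is an added example, not code from AVG, aswMBR or any poster in this thread. It parses a 512-byte MBR the way a responder would cross-check an `fdisk -l` listing, and applies a simple string heuristic to label the boot code as Windows-style or GRUB-style, which is why a disk that boots Linux shows up as "unknown MBR code" to a Windows-oriented scanner. The sample MBRs are constructed inline and are not real disk dumps; the partition type table is a deliberately small subset.

```python
import hashlib
import struct

MBR_SIZE = 512
PARTITION_TABLE_OFFSET = 446   # boot code occupies bytes 0..445
PARTITION_ENTRY_SIZE = 16
SIGNATURE_OFFSET = 510         # bytes 510..511 must be 55 AA

# Small subset of partition type ids (enough for the Windows + Linux case above).
PARTITION_TYPES = {
    0x00: "empty",
    0x05: "extended",
    0x07: "NTFS/HPFS",
    0x0F: "extended (LBA)",
    0x82: "Linux swap",
    0x83: "Linux",
}


def parse_partition_entry(entry: bytes) -> dict:
    """Decode one 16-byte entry: boot flag, 3 CHS bytes, type, 3 CHS bytes, LBA start, sector count."""
    boot_flag, ptype, lba_start, sectors = struct.unpack_from("<B3xB3xII", entry, 0)
    return {
        "bootable": boot_flag == 0x80,
        "type": ptype,
        "type_name": PARTITION_TYPES.get(ptype, "unknown 0x%02X" % ptype),
        "lba_start": lba_start,
        "sectors": sectors,
    }


def parse_mbr(mbr: bytes) -> dict:
    """Return signature validity, a hash of the boot code area and the four partition entries."""
    if len(mbr) < MBR_SIZE:
        raise ValueError("MBR dump must be at least 512 bytes")
    entries = []
    for i in range(4):
        off = PARTITION_TABLE_OFFSET + i * PARTITION_ENTRY_SIZE
        entries.append(parse_partition_entry(mbr[off:off + PARTITION_ENTRY_SIZE]))
    return {
        "valid_signature": mbr[SIGNATURE_OFFSET:SIGNATURE_OFFSET + 2] == b"\x55\xAA",
        # Hashing only the boot code lets you compare against a dump from a known-good
        # machine with the same OS, ignoring the partition table that legitimately differs.
        "boot_code_sha256": hashlib.sha256(mbr[:PARTITION_TABLE_OFFSET]).hexdigest(),
        "partitions": entries,
    }


def identify_boot_code(mbr: bytes) -> str:
    """Heuristic label based on strings the standard Windows and GRUB boot sectors embed."""
    code = mbr[:PARTITION_TABLE_OFFSET]
    if b"Invalid partition table" in code and b"Missing operating system" in code:
        return "windows-style"
    if b"GRUB " in code:
        return "grub-style"
    if not any(code):
        return "empty"
    return "unrecognized"


def build_sample_mbr(boot_marker: bytes, partitions) -> bytes:
    """Constructed sample (not a real disk dump): marker bytes in the boot code area,
    the given (bootable, type, lba_start, sectors) entries, and the 55 AA signature."""
    code = bytearray(PARTITION_TABLE_OFFSET)
    code[0:len(boot_marker)] = boot_marker
    table = bytearray()
    for bootable, ptype, lba_start, sectors in partitions:
        table += struct.pack("<B3xB3xII", 0x80 if bootable else 0x00, ptype, lba_start, sectors)
    table += bytes(PARTITION_ENTRY_SIZE) * (4 - len(partitions))
    return bytes(code) + bytes(table) + b"\x55\xAA"


# Constructed markers that mimic the strings found in the real boot sectors.
WINDOWS_MARKER = b"\xfa\x33\xc0Invalid partition table\x00Error loading operating system\x00Missing operating system\x00"
GRUB_MARKER = b"\xeb\x63\x90GRUB \x00Geom\x00Hard Disk\x00Read\x00 Error\x00"

# Disk 0: one bootable NTFS partition. Disk 1: Linux root + swap, booted via GRUB.
SAMPLE_WINDOWS_MBR = build_sample_mbr(WINDOWS_MARKER, [(True, 0x07, 63, 100000)])
SAMPLE_LINUX_MBR = build_sample_mbr(GRUB_MARKER, [(False, 0x83, 2048, 40000000),
                                                  (False, 0x82, 40002048, 2000000)])


def report(mbr: bytes) -> dict:
    """Combine the structural parse with the boot code label."""
    info = parse_mbr(mbr)
    info["boot_code"] = identify_boot_code(mbr)
    return info


def load_mbr(path: str) -> bytes:
    """Read the first sector from a saved dump such as MBR.dat."""
    with open(path, "rb") as fh:
        return fh.read(MBR_SIZE)


if __name__ == "__main__":
    for name, sample in (("disk0", SAMPLE_WINDOWS_MBR), ("disk1", SAMPLE_LINUX_MBR)):
        info = report(sample)
        print(name, "signature ok:", info["valid_signature"], "boot code:", info["boot_code"])
        for idx, part in enumerate(info["partitions"]):
            if part["type"] != 0x00:
                print("  part%d %s start=%d sectors=%d bootable=%s" % (
                    idx + 1, part["type_name"], part["lba_start"], part["sectors"], part["bootable"]))
```

Run it against a real dump with `report(load_mbr("MBR.dat"))`; a valid signature plus a GRUB-style label on the second disk is exactly the benign situation described earlier in the thread, while an unrecognized boot code on the Windows system disk, or a boot code hash that differs from a clean machine at the same service pack, is what would justify the MBR restore step the AVG reply asks for.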