I have Windows 7 and AVG Anti-Virus 2011 installed.
I have just run an anti-rootkit scan and the following rootkits were identified:
"";"<unknown>";"Inline hook ntdll.dll ZwAccessCheckByType -> 0x20C78791";"Object is hidden"
"";"<unknown>";"Inline hook ntdll.dll ZwAlpcImpersonateClientOfPort -> 0x20C78DD9";"Object is hidden"
"";"<unknown>";"Inline hook ntdll.dll ZwImpersonateClientOfPort -> 0x20C78D58";"Object is hidden"
"";"<unknown>";"Inline hook ntdll.dll ZwSetInformationProcess -> 0x20C789AB";"Object is hidden"
Following the scan I selected the 'remove all unhealed infections' option and was then informed that a computer restart was required. Following the restart I ran the rootkit scan again and the same information was displayed. I have carried out this operation several times, all with the same end result.
I have run Spybot and Windows Defender (usually disabled) but they do not identify any problems.
Can you tell me the following:
1. Are these rootkits dangerous / should I be concerned?
2. What are they / what do they do?
3. How do i remove them?
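As an added illustration (not code from the thread, from AVG, or from any AVG product), the following Python models how an anti-rootkit scanner arrives at a line of the shape quoted above. An inline hook overwrites the first bytes of a function in memory with a jump to the hook. A scanner reads the clean prologue from the on-disk ntdll.dll, compares it with the same bytes in the running process, decodes the jump when they differ, and tries to attribute the jump target to a loaded module. A target that lies in no loaded module is what ends up in the "<unknown>" column. Everything here is constructed for the example: the module map, the load addresses, the stub bytes and the export address are not real Windows 7 values, and the code models a 32-bit process only. Note that at this level a hook installed by a legitimate product (sandboxing, self-protection, compatibility shims) looks exactly like a malicious one; the owning module of the target and whether the finding reproduces on a known-clean system are what separate them.

```python
import struct
from typing import NamedTuple, Optional

# Constructed loaded-module map for a 32-bit process: (name, base, size).
# Illustrative only; not real Windows 7 load addresses. "hookmod.dll" is hypothetical.
LOADED_MODULES = [
    ("ntdll.dll",    0x77B00000, 0x00180000),
    ("kernel32.dll", 0x76F00000, 0x000D0000),
    ("hookmod.dll",  0x10000000, 0x00040000),
]


def module_for(addr: int) -> str:
    """Name of the loaded module containing addr, or "<unknown>" if no module covers it."""
    for name, base, size in LOADED_MODULES:
        if base <= addr < base + size:
            return name
    return "<unknown>"


def u32(b: bytes) -> int:
    return struct.unpack("<I", b)[0]


def s32(b: bytes) -> int:
    return struct.unpack("<i", b)[0]


def decode_hook_target(entry_va: int, code: bytes) -> Optional[int]:
    """Decode the common x86 trampolines found at a hooked function entry.
    Returns the absolute target, or None if the bytes are not a recognised trampoline."""
    if len(code) >= 5 and code[0] == 0xE9:                              # jmp rel32
        return (entry_va + 5 + s32(code[1:5])) & 0xFFFFFFFF
    if len(code) >= 6 and code[0] == 0x68 and code[5] == 0xC3:          # push imm32; ret
        return u32(code[1:5])
    if len(code) >= 7 and code[0] == 0xB8 and code[5:7] == b"\xFF\xE0":  # mov eax, imm32; jmp eax
        return u32(code[1:5])
    return None


class Finding(NamedTuple):
    export: str
    hooked: bool
    target: Optional[int]
    module: Optional[str]


def check_export(name: str, entry_va: int, disk_prologue: bytes, mem_prologue: bytes) -> Finding:
    """Compare an export's first bytes in memory with the clean copy from the on-disk PE.
    A difference that decodes to a jump is reported as an inline hook with its target;
    any other difference is reported as modified with no target."""
    if disk_prologue == mem_prologue:
        return Finding(name, False, None, None)
    target = decode_hook_target(entry_va, mem_prologue)
    return Finding(name, True, target, module_for(target) if target is not None else None)


def format_avg_line(f: Finding) -> str:
    """Render a finding in the CSV-like shape quoted in the thread."""
    if not f.hooked:
        return f"{f.export}: clean"
    tgt = f"0x{f.target:08X}" if f.target is not None else "?"
    return f'"";"{f.module}";"Inline hook ntdll.dll {f.export} -> {tgt}";"Object is hidden"'


def install_jmp_hook(entry_va: int, target: int, clean: bytes) -> bytes:
    """Build the in-memory bytes that an x86 jmp-rel32 hook leaves at the entry (demo helper)."""
    rel = (target - (entry_va + 5)) & 0xFFFFFFFF
    return b"\xE9" + struct.pack("<I", rel) + clean[5:]


# Constructed 32-bit Zw* stub: mov eax, <syscall#>; mov edx, 7FFE0300h; call [edx]; ret 10h
CLEAN_STUB = bytes.fromhex("B8AB000000BA0003FE7FFF12C21000")
ENTRY_VA = 0x77B1F2A0   # constructed address of ZwAccessCheckByType in the map above


def demo() -> list:
    """One hooked export whose target is in no loaded module, and one clean export."""
    hooked = install_jmp_hook(ENTRY_VA, 0x20C78791, CLEAN_STUB)
    f1 = check_export("ZwAccessCheckByType", ENTRY_VA, CLEAN_STUB, hooked)
    f2 = check_export("ZwSetInformationProcess", ENTRY_VA + 0x40, CLEAN_STUB, CLEAN_STUB)
    return [format_avg_line(f1), format_avg_line(f2)]


if __name__ == "__main__":
    for line in demo():
        print(line)
```

Run it and the first line reproduces the report format from the post exactly, with "<unknown>" because 0x20C78791 falls in none of the constructed modules. Replacing the map with a real list of loaded modules (and the constructed bytes with a real disk-versus-memory read) is what turns this into an actual check; a target that resolves to a signed, known module is a different situation from one that resolves to nothing.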
It's always nice to see the AVG staff replying to worried users in a timely manner.
I'm using Windows 7 and AVG Free 2011.
Anyway, I had exactly the same issue yesterday. I had 4 <unknown> rootkit inline hook ntdll.dll entries with the same names, but the hex addresses were a little different. AVG couldn't (or wouldn't) remove them even in power user mode, and no other scanners reported any problems. So I was left high and dry. I was asking myself, is it a rootkit or is it not? WTF is going on. I spent the first hour in panic mode changing my passwords and checking my PayPal and bank accounts. Then I spent the next 4 HOURS formatting, reinstalling and updating.
I think reformatting the hard drive may be a bit of an over-reaction. The AVG reporting looks like a heuristic to me – that is, it's reporting something that is common to viruses, rather than explicitly identifying an actual infection. This is an important feature of any anti-virus software, so that fast-spreading viruses can be caught before an explicit definition update is produced, but it can lead to "false positives" – i.e. the incorrect identification of a safe file as a possible infection.
ntdll.dll is a core Windows system file. Windows 7 is much better than earlier versions of Windows at preventing these files from being replaced or corrupted. That is probably why AVG can’t remove it – which is also probably a good thing as successfully deleting this file would probably cause serious damage to Windows.
There was a set of updates to Windows 7 through Windows Update on Tuesday, so I guessed that these may have updated ntdll.dll in a way that has caused AVG to report a false positive. I confirmed this by rolling Windows back to before the Windows Update was applied using System Restore. AVG then reported my PC as clean. Simply re-applying the Windows Update caused AVG to report the possible rootkit again. For me, this pretty much confirms a false positive.
So, I think there is actually no infection. My guess would be that AVG will produce an update soon that removes the false positive.
For the guy that already seems to have reformatted his hard drive, the confirmation of my conclusion would be that after completely re-installing Windows and AVG and then applying all of the Windows Update patches, the rootkit report from AVG comes back. This would clearly show that AVG is reporting a rootkit on a clean system.
Well, I ran an AVG Recovery CD scan and it came up with zero infections. But I noticed it was using a database dated today, so after that I updated AVG in the normal way and re-ran a normal rootkit scan. This also came up with zero infections.
So in conclusion: it was a false positive that AVG have now addressed. Case closed.