Strange results from AVG

Associate · Joined 15 Feb 2010 · Posts: 474
I did a fresh install for dual-boot purposes and AVG's rootkit scan found 21 strange readings; are these false positives or what? And what do these things mean; is it a sign of some backdoor/hack? They were found in "c drive / software distribution / microsoft-windows-netfix3-oc-package"

"Rootkits"
"";"File";"Infection";"Result"
"";"<unknown>";"IRP hook, \Driver\tdx IRP_MJ_CREATE_NAMED_PIPE -> 0xFFFFF80001091670";"Object is hidden"
"";"<unknown>";"IRP hook, \Driver\tdx IRP_MJ_SET_VOLUME_INFORMATION -> 0xFFFFF80001091670";"Object is hidden"
"";"<unknown>";"IRP hook, \Driver\tdx IRP_MJ_DIRECTORY_CONTROL -> 0xFFFFF80001091670";"Object is hidden"
"";"<unknown>";"IRP hook, \Driver\tdx IRP_MJ_FILE_SYSTEM_CONTROL -> 0xFFFFF80001091670";"Object is hidden"

These are a few of the entries.
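The entries above are AVG's anti-rootkit export: each row names a driver object (`\Driver\tdx`), the I/O request packet major function whose dispatch slot was found redirected, and the kernel address it now points to. Nobody in the thread answers what the `IRP_MJ_*` names are, so here is an added triage helper (my own example, not AVG's code or anything from the thread) that parses this export format, explains the four major function codes seen here using their standard WDM values, and checks whether every redirected slot of a driver points at the same address. The sample report is constructed from the four rows quoted in the post; the function names are my own.

```python
"""Triage helper for AVG anti-rootkit 'IRP hook' rows (added example)."""
import csv
import io
import re
from collections import defaultdict

# Constructed input: the four rows quoted in the post, in AVG's
# semicolon-separated, double-quoted export format (header row first).
SAMPLE_REPORT = r'''"";"File";"Infection";"Result"
"";"<unknown>";"IRP hook, \Driver\tdx IRP_MJ_CREATE_NAMED_PIPE -> 0xFFFFF80001091670";"Object is hidden"
"";"<unknown>";"IRP hook, \Driver\tdx IRP_MJ_SET_VOLUME_INFORMATION -> 0xFFFFF80001091670";"Object is hidden"
"";"<unknown>";"IRP hook, \Driver\tdx IRP_MJ_DIRECTORY_CONTROL -> 0xFFFFF80001091670";"Object is hidden"
"";"<unknown>";"IRP hook, \Driver\tdx IRP_MJ_FILE_SYSTEM_CONTROL -> 0xFFFFF80001091670";"Object is hidden"
'''

# Standard WDM major function codes (indices into DRIVER_OBJECT.MajorFunction)
# for the entries in the post, with the kind of request each slot handles.
IRP_MAJOR = {
    "IRP_MJ_CREATE_NAMED_PIPE": (0x01, "create a named pipe"),
    "IRP_MJ_SET_VOLUME_INFORMATION": (0x0B, "set volume information"),
    "IRP_MJ_DIRECTORY_CONTROL": (0x0C, "directory enumeration / change notification"),
    "IRP_MJ_FILE_SYSTEM_CONTROL": (0x0D, "file-system control (FSCTL)"),
}

# Matches the 'Infection' column of an IRP-hook row.
HOOK_RE = re.compile(
    r"IRP hook, (?P<driver>\\Driver\\\S+) (?P<major>IRP_MJ_\w+) -> (?P<target>0x[0-9A-Fa-f]+)"
)


def parse_irp_hooks(report_text):
    """Return a list of (driver, major, target) tuples, one per IRP-hook row."""
    hooks = []
    rows = csv.reader(io.StringIO(report_text), delimiter=";", quotechar='"')
    for row in rows:
        if len(row) < 3:
            continue
        m = HOOK_RE.search(row[2])
        if m:
            target = "0x" + m.group("target")[2:].upper()  # normalise hex case
            hooks.append((m.group("driver"), m.group("major"), target))
    return hooks


def summarize_hooks(hooks):
    """Group by driver: which majors point at which target, and whether one target covers them all."""
    by_driver = defaultdict(lambda: defaultdict(set))
    for driver, major, target in hooks:
        by_driver[driver][target].add(major)
    summary = {}
    for driver, targets in by_driver.items():
        summary[driver] = {
            "targets": {t: sorted(ms) for t, ms in targets.items()},
            "single_hooker": len(targets) == 1,
        }
    return summary


def describe(summary):
    """Human-readable triage text for the summary produced by summarize_hooks()."""
    lines = []
    for driver, info in summary.items():
        for target, majors in info["targets"].items():
            lines.append(f"{driver}: {len(majors)} major function slot(s) redirected to {target}")
            for major in majors:
                code, meaning = IRP_MAJOR.get(major, (None, "not in the lookup table"))
                code_txt = f"0x{code:02X}" if code is not None else "??"
                lines.append(f"  {major} ({code_txt}): {meaning}")
        if info["single_hooker"]:
            lines.append(
                "  -> all redirected slots share one target: consistent with a single filter "
                "component (such as a firewall driver) replacing the whole dispatch table; "
                "identify the module that owns that address before treating it as a rootkit"
            )
        else:
            lines.append("  -> several distinct targets: more than one component is hooking this driver")
    return "\n".join(lines)


if __name__ == "__main__":
    print(describe(summarize_hooks(parse_irp_hooks(SAMPLE_REPORT))))
```

On the four rows from the post the helper reports one target for every slot of `\Driver\tdx`, which is the pattern a single filter driver produces when it overwrites all of a driver object's MajorFunction entries, including ones the driver never services. The thread later attributes these entries to the Online Armor firewall, which fits that pattern; the decisive check is always which loaded module contains the target address.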
 
Firstly I'd suggest ditching AVG and installing Microsoft Security Essentials.

Second, download:

ComboFix (from Bleeping Computer, Google it)
Malwarebytes
Emsisoft a-squared Portable
Spybot

That should get rid of anything you have.
 
Hi, firstly I have Malwarebytes and IObit 360 Security, which found nothing, and neither did the AVG normal scan; so would these seem to be false positives?

Also, does anyone know what these "codes" mean, like "MJ_DIRECTORY_CONTROL -"?

I would probably use Avast instead of Security Essentials; is that just as good if not better?

Thanks
 
Secondly I'd suggest you don't bother with anything from IObit since they have very little morals (they got caught out when they stole Malwarebytes' definition database to use in their own products).
 
It's quite possibly a false positive, but to find those on a clean install would be very unusual. Perhaps best not to answer these questions out loud, but rather to give you food for thought...

Is the Windows install genuine? Or did you use a patch/crack/loader?

Did you install anything immediately after install (before the virus scan/warnings) even if it's so "innocent" you didn't think to suspect it?

If this is a legit install, with no extra installed software bar Windows + AVG then it's probably a FP. But as I said, FPs on the operating system itself are unusual to say the least.

The source of the 'rootkit' seems to be an MS update for .NET, so on the one hand this indicates FP. However, a quick Google of some of the results you posted (the infected keys) brings up results for people with some confirmed hidden rootkits.

Personally I'd speak to AVG about it on their forum, or better yet if the install isn't as genuine as it could be... reinstall from trusted media, scan again to get a clean result (hopefully) and take it from there.
 
Yes, the install was with a 100% clean and genuine product. I found out that the issue was caused by the Online Armor firewall; I find it strange that no one else has had compatibility issues, since I did not find any via Google. Anyway, thanks for the help.
 