IRP Hook Rootkit, Or No Rootkit - Which Is It?

CDobyns
 
Reply Thu 22 Nov, 2012 11:36 am
I recently reinstalled the OS (Windows XP Professional) on my laptop (Dell Latitude D600) after many years, when it had just become a jumbled and slow-moving mess. It's now working like a spring lamb (a reasonably clear metaphor - I hope).

I reinstalled my anti-virus program (AVG Free) and a few others, and a couple of days later I noticed that AVG was returning a notification that it had identified that an IRP Hook rootkit was present - which is guaranteed to suck the fun out of a room pretty quick, especially after just reinstalling everything.

I've done some research about the IRP Hook rootkit, but have not taken any of the various steps that are suggested for removing it from the Master Boot Record (MBR). However, today when I looked at the virus scan from last night (and a couple of nights prior), AVG is reporting that the rootkit is no longer detected. Now I know that these kinds of programs can demonstrate an almost AI capability to transform themselves - but this doesn't seem like a reasonable explanation, even to me.

Here are a couple of Before and After screenshots of the AVG report summaries (and yes, today's summary shows no viruses or other infections present). Could this just be AVG reflecting a "false positive"?

Before:
http://i195.photobucket.com/albums/z319/CGDobyns/Rootkit.jpg

After:
http://i195.photobucket.com/albums/z319/CGDobyns/NoRootkit.jpg

 
BillRM
Reply Thu 22 Nov, 2012 11:42 am
First look at the AVG log file and see if it is claiming to have removed the virus, but in any case I would strongly suggest you go to Microsoft and download the stand-alone Defender software and, following the directions, burn it onto a boot CD.

Boot from the CD and let it do a scan of your hard drive.

Rootkits are bad as they can use the system to hide from anti-virus software; however, by booting from a CD you take away such viruses' ability to hide, as the OS never comes online.
CDobyns
Reply Sun 25 Nov, 2012 10:12 pm
@BillRM,
Without availing myself of the boot CD suggestion (which seems like an eminently good idea to do in any event . . .) - I believe we can pretty much answer this posting. Well, this is by direct inference, but I think it's pretty solid.

It was a couple of days after de-installing my GoBack application that AVG finally gave the clean bill of health report above. After re-installing GoBack today, AVG replicated the original IRP hook rootkit detection report again. Since many anti-virus applications rely on a heuristics strategy to detect computer viruses, this seems to suggest that something about GoBack must share some characteristics with the IRP hook rootkit. So, I'm about 100% certain that we're dealing with a "false positive" on this detection (although it's still a little unnerving). Unless someone suggests otherwise, I think we'll mark this one Solved - and leave it here for the benefit of others.
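The mechanism the two replies above are talking about, as an added example that is not part of the thread and is not AVG's or GoBack's code: a user-mode C model of an IRP dispatch-table hook and of the heuristic an anti-rootkit scanner uses to find one. A Windows driver's DRIVER_OBJECT holds a MajorFunction[] array of handlers, one per I/O request type; hooking means overwriting one of those pointers. The scanner's check is simply whether each entry still points into the driver's own module. The driver and module names (disk.sys, rootkit.sys, bkfilter.sys), the "hidden path" rootkit behaviour, and the benign backup/snapshot filter are all illustrative assumptions; the thread does not establish what GoBack actually does, only that its presence triggers the detection.

```c
#include <stdio.h>
#include <stddef.h>
#include <string.h>

/* Added illustration (not AVG's or GoBack's code): a user-mode model of an
   IRP dispatch-table hook and of the heuristic used to detect one.
   All driver/module names below are made up. */

#define IRP_MJ_CREATE 0
#define IRP_MJ_READ   3
#define IRP_MJ_WRITE  4
#define IRP_MJ_MAX    27

typedef struct { int major; const char *path; size_t length; } IRP;
typedef int (*dispatch_fn)(IRP *);

/* Stand-in for DRIVER_OBJECT: MajorFunction[] is the table that gets hooked. */
typedef struct { const char *name; dispatch_fn major_function[IRP_MJ_MAX + 1]; } driver_object;

/* Stand-in for a loaded kernel module. A real scanner compares a dispatch
   pointer against each module's image base/size; here a module lists what it owns. */
#define MAX_FUNCS 8
typedef struct { const char *name; dispatch_fn funcs[MAX_FUNCS]; int nfuncs; } kmodule;

/* The "disk" driver being hooked: original handlers return bytes transferred. */
static int disk_create(IRP *irp) { (void)irp; return 0; }
static int disk_read(IRP *irp)   { return (int)irp->length; }
static int disk_write(IRP *irp)  { return (int)irp->length; }

/* Rootkit-style hook: refuse (and so conceal) writes under a protected path. */
static dispatch_fn rk_orig_write;
static int rk_hooked_write(IRP *irp) {
    if (strstr(irp->path, "\\hidden\\")) return -1;
    return rk_orig_write(irp);
}

/* Benign filter (hypothetical backup/snapshot driver) using the very same
   technique: journal the write, then pass it through unchanged. */
static dispatch_fn bk_orig_write;
static size_t bk_journaled_bytes;
static int bk_hooked_write(IRP *irp) {
    bk_journaled_bytes += irp->length;
    return bk_orig_write(irp);
}
size_t journaled_bytes(void) { return bk_journaled_bytes; }

/* Hooking itself is one pointer swap in the driver's table. */
static void install_hook(driver_object *drv, int major, dispatch_fn hook, dispatch_fn *saved) {
    *saved = drv->major_function[major];
    drv->major_function[major] = hook;
}

static const kmodule *owner_of(const kmodule *mods, int nmods, dispatch_fn fn) {
    for (int i = 0; i < nmods; i++)
        for (int j = 0; j < mods[i].nfuncs; j++)
            if (mods[i].funcs[j] == fn) return &mods[i];
    return NULL;
}

/* The heuristic: every MajorFunction entry should point into the driver's own
   module. Returns the number of foreign entries and names the first foreign owner. */
int scan_irp_hooks(const driver_object *drv, const kmodule *mods, int nmods, const char **first_owner) {
    int hits = 0;
    *first_owner = NULL;
    for (int m = 0; m <= IRP_MJ_MAX; m++) {
        dispatch_fn fn = drv->major_function[m];
        if (!fn) continue;
        const kmodule *own = owner_of(mods, nmods, fn);
        const char *owner = own ? own->name : "<unknown>";
        if (strcmp(owner, drv->name) != 0) {
            if (!*first_owner) *first_owner = owner;
            hits++;
        }
    }
    return hits;
}

/* scenario 0: clean table; 1: rootkit hook; 2: benign filter hook.
   Returns the scanner's hit count; *owner and *write_result are outputs. */
int run_scenario(int scenario, const char **owner, int *write_result) {
    driver_object disk = { "disk.sys", { 0 } };
    disk.major_function[IRP_MJ_CREATE] = disk_create;
    disk.major_function[IRP_MJ_READ]   = disk_read;
    disk.major_function[IRP_MJ_WRITE]  = disk_write;
    kmodule mods[3] = {
        { "disk.sys",     { disk_create, disk_read, disk_write }, 3 },
        { "rootkit.sys",  { rk_hooked_write }, 1 },
        { "bkfilter.sys", { bk_hooked_write }, 1 },
    };
    bk_journaled_bytes = 0;
    if (scenario == 1) install_hook(&disk, IRP_MJ_WRITE, rk_hooked_write, &rk_orig_write);
    if (scenario == 2) install_hook(&disk, IRP_MJ_WRITE, bk_hooked_write, &bk_orig_write);

    IRP irp = { IRP_MJ_WRITE, "C:\\hidden\\config.dat", 512 };   /* constructed request */
    *write_result = disk.major_function[IRP_MJ_WRITE](&irp);
    return scan_irp_hooks(&disk, mods, 3, owner);
}

int main(void) {
    for (int s = 0; s < 3; s++) {
        const char *owner; int w;
        int hits = run_scenario(s, &owner, &w);
        printf("scenario %d: write=%d foreign entries=%d%s%s\n", s, w, hits, hits ? " owner=" : "", hits ? owner : "");
    }
    return 0;
}
```

The point the model makes is that the scanner's verdict is identical for the rootkit and for the benign filter: both show one MajorFunction entry pointing outside disk.sys. What separates them is the owning module, which is why the useful triage step is to check which driver the detection points at (and, as the original poster did, whether removing that software clears it) rather than to trust the "rootkit" label on its own. It also shows why the boot-CD advice works: the hook only exists while the hooking driver is loaded, so a scanner run from separate boot media sees the unhooked table and the on-disk files directly.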