Solved

rootkit?

Posted on 2013-12-28
152 Views
Last Modified: 2014-01-08
I'm not sure if it is a problem, AVG suggests it might be but might not.
How can I tell?

WindowsXP (ok I know, but I can't afford a new one)
First mention is IRP hook...sys...drivers...pciidex.sys


AVG says it can't remove it, but looking on the AVG site it also says it might be reported in error.
How can I tell?
How can I remove it if it needs removing?
What does it do that I should look out for?
8 Comments
 
LVL 17
ID: 39743807
That line should say 'might be reported in error'
 
LVL 63

Assisted Solution

by:☠ MASQ ☠
☠ MASQ ☠ earned 1000 total points
ID: 39743842
Likely false positive - see this link

You might want to create an offline scanner to check.  Burn the downloaded .iso to a CD and then change the boot order on your PC so the CD drive boots first.  Then just follow the on-screen instructions.
 
LVL 38

Accepted Solution

by: BillDL
BillDL earned 1000 total points
ID: 39744552
Robin, what a lot of people aren't aware of, or forget, is that often it's the process as it exists while loaded into memory that is infected rather than the actual file(s) on your hard drive.  In these instances you can subject the actual file to a scan by multiple AV applications (e.g. via the VirusTotal online scanner) and it will come back clean for all, but your installed application will keep on detecting the named file - in memory.

It's important to read the detection log to see whether it is referring to an infection in the memory area or in the file it names.

If this is an infection, then something is injecting it into this low-level driver process each time the system boots.  Often it is a rootkit in the MBR (Master Boot Record), but it can easily also be something as simple as an entry in one of your "Run" registry keys.

Start with the obvious.

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx

Ensure all of the entries in these keys are legitimate ones that can be identified.  Of course, the MSCONFIG "startup" tab can be used to temporarily disable a startup.
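As an added example (not code from the thread or from BillDL), the script below does the "start with the obvious" check in a repeatable way: it runs Windows' built-in `reg query` against the five autostart keys listed above, parses the output, and flags entries that commonly deserve a manual look (an executable living in a Temp or per-user data folder, a DLL loaded through rundll32/regsvr32, or a bare executable name that resolves through PATH). The entry names, paths and `reg query` text in `SAMPLE_OUTPUT` are constructed for the example, so on a non-Windows machine the script runs against that sample instead of the live registry. It assumes `reg.exe` prints one indented `name  REG_type  data` line per value, as XP and later versions do.

```python
"""List the Run/RunOnce autostart entries and flag the ones worth a closer look."""
import re
import subprocess
import sys

# The autostart keys from the answer, in reg.exe's abbreviated hive form.
RUN_KEYS = [
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce",
    r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
    r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce",
    r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx",
]

# Constructed sample of `reg query` output (not taken from any real machine);
# entry names and paths are made up for the example.
SAMPLE_OUTPUT = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    AVG_UI    REG_SZ    "C:\Program Files\AVG\AVG2014\avgui.exe" /TRAYONLY
    ctfmon.exe    REG_SZ    C:\WINDOWS\system32\ctfmon.exe
    Updater    REG_SZ    "C:\Documents and Settings\Robin\Local Settings\Temp\updater.exe" -s
    Loader    REG_SZ    rundll32.exe C:\WINDOWS\Temp\helper.dll,Entry
"""

# One value line: indentation, name, whitespace, REG_type, whitespace, data.
# XP's reg.exe separates the fields with tabs, later versions with spaces; \s+ takes both.
VALUE_RE = re.compile(r"^\s+(.+?)\s+(REG_[A-Z_]+)\s+(.*)$")

# Folders a legitimate autostart rarely runs from, but that droppers commonly use.
WRITABLE_DIRS = ("\\temp\\", "\\local settings\\", "\\application data\\", "\\appdata\\")


def parse_reg_query(text):
    """Turn `reg query` output into a list of {key, name, type, data} dicts."""
    entries, current_key = [], None
    for line in text.splitlines():
        if line.startswith("HKEY_"):          # key header line, never indented
            current_key = line.strip()
            continue
        m = VALUE_RE.match(line)
        if m:
            entries.append({"key": current_key, "name": m.group(1),
                            "type": m.group(2), "data": m.group(3).strip()})
    return entries


def image_path(data):
    """Extract the executable from a Run value, whether quoted or not."""
    data = data.strip()
    if data.startswith('"'):
        end = data.find('"', 1)
        return data[1:] if end == -1 else data[1:end]
    m = re.match(r"(.*?\.exe)", data, re.IGNORECASE)   # up to the first .exe
    return m.group(1) if m else data.split()[0]


def assess(entry):
    """Return the reasons this entry deserves a manual look (empty list = nothing odd)."""
    reasons = []
    exe = image_path(entry["data"]).lower()
    whole = entry["data"].lower()
    if any(d in whole for d in WRITABLE_DIRS):
        reasons.append("runs from a user-writable or temp directory")
    if "rundll32" in exe or "regsvr32" in exe:
        reasons.append("loads a DLL via a system host process; check the DLL argument")
    if "\\" not in exe:
        reasons.append("bare executable name resolves through PATH; confirm which file runs")
    return reasons


def query_run_keys(keys=RUN_KEYS):
    """Windows only: run reg.exe for each key and collect the parsed entries.
    A key that does not exist makes reg.exe return non-zero with empty output,
    which simply contributes no entries."""
    found = []
    for key in keys:
        proc = subprocess.run(["reg", "query", key], capture_output=True, text=True)
        found.extend(parse_reg_query(proc.stdout))
    return found


def report(entries):
    """Print every entry with its flags and return the flagged ones."""
    flagged = []
    for e in entries:
        reasons = assess(e)
        print(f"{'!!' if reasons else '  '} {e['key']}\\{e['name']} = {e['data']}")
        for r in reasons:
            print(f"      - {r}")
        if reasons:
            flagged.append(e)
    return flagged


if __name__ == "__main__":
    live = sys.platform == "win32"
    report(query_run_keys() if live else parse_reg_query(SAMPLE_OUTPUT))
```

A flag is a prompt to identify the file, not a verdict: the next step for anything marked `!!` is to locate the executable or DLL, check its publisher and hash (VirusTotal, as the answer suggests), and only then disable it through MSCONFIG or the registry.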

Nothing suspicious in there?

RKill (terminates known malware processes):
http://www.bleepingcomputer.com/download/rkill/
(use download links further down the page)

Rogue Killer (same as RKill but more):
http://tigzy.geekstogo.com/roguekiller.php

TDSSKiller by Kaspersky:
http://support.kaspersky.co.uk/viruses/disinfection/5350
http://media.kaspersky.com/utilities/VirusUtilities/EN/tdsskiller.exe

Avast MBR Scanner:
http://public.avast.com/~gmerek/aswMBR.htm
 
LVL 17
ID: 39752233
Just had a reminder about this. Sorry I haven't been back.
I am slowly working through the suggested solutions in the links supplied so far, but at the moment everything is saying it's clean except avg.
I'll take another look at the weekend, but won't be able to until then.
 
LVL 21

Expert Comment

by:viki2000
ID: 39761353
I would suggest a clean uninstall and reinstall of AVG.
That means you should use monitoring software for the install/uninstall process.
You need something like Total Uninstall or similar.
Just consider that AVG itself might be the problem, if all the other antiviruses do not find the problem reported by AVG.

In addition to the antivirus I always use antispyware and antiadware programs.
First I clean the temporary files with CCleaner.
Then I scan with some programs such as: Spybot - Search & Destroy, SpyHunter, Malwarebytes.
As antivirus I use the free Avast edition.
Over the years I found, at least in the past, that Avast consumes fewer resources than AVG. I do not know how it is now, because for many years I used AVG, then I switched to Avast and I stayed with it.
For special situations I use Kaspersky Rescue Disk http://support.kaspersky.com/viruses/rescuedisk#downloads or other similar ones from different companies such as Avira, AVG..., but Kaspersky is good.
 
LVL 17
ID: 39765346
It ate my comment; briefly, I'm closing this so it doesn't become a collection of helpful hints that I haven't tried yet.
I don't think removing the tool that reports the problem and replacing it with one that gives a clean report is a very ideal solution. I would like to remove the problem, not the tool that can see it.
 
LVL 21

Expert Comment

by:viki2000
ID: 39765502
But you could try to reinstall your AVG with a clean install/uninstall using monitoring software.
 
LVL 38

Expert Comment

by:BillDL
ID: 39765766
Thank you Robin.

It's most likely to be an AVG-centric "heuristics" detection, but you can never be too sure if it's a "red herring" or not, just like the Engine Warning light in my car.  I suspect it's the Lambda (O2) sensor at my cat, but could equally just be a leftover from when the exhaust blew ages ago and simply needs to be reset.  I cut the wires to the dashboard lights to make it go away, but now I can't see how fast I'm going, and when I blinded traffic cops while driving on full beam at 95mph on the M74 with my hazard lights blinking, I was pulled over and done ;-)