Solved

rootkit?

Posted on 2013-12-28
8
133 Views
Last Modified: 2014-01-08
I'm not sure if it is a problem, avg suggests it might be but might not.
Jow can I tell?

WindowsXP (ok I know, but I can't afford a new one)
First mention is IRP hook...sys...drivers...pciidex.sys


Avg says it can't remove it, but looking on tbe avg site it also says it mihht be repotted in error.
How can I tell?
How can I remove it if it needs removing?
What does it do that I should look out for?
0
Comment
  • 3
  • 2
  • 2
  • +1
8 Comments
 
LVL 17
ID: 39743807
That line should say 'might be reported in error'
0
 
LVL 62

Assisted Solution

by:☠ MASQ ☠
☠ MASQ ☠ earned 250 total points
ID: 39743842
Likely false positive - see this link

You might want to create an offline scanner to check.  Burn the downloaded .iso to a CD and then change the boot order on your PC so the CD drive boots first.  Then just follow the on-screen instructions.
0
 
LVL 38

Accepted Solution

by:
BillDL earned 250 total points
ID: 39744552
Robin, what a lot of people aren't aware of, or forget, is that often it's the process as it exists while loaded into memory that is infected rather than the actual file(s) on your hard drive.  In these instances you can subject the actual file to a scan by multiple AV applications (eg. via VirusTotal online scanner) and it will come back clean for all, but your installed application will keep on detecting the named file - in memory.

It's important to read the detection log to see whether it is referring to an infection in the memory area or in the file it names.

If this is an infection, then something is injecting it into this low-level driver process each time the system boots.  Often it is a rootkit in the MBR (Master Boot Record), but it can easily also be something as simple as an entry in one of your "Run" registry keys.

Start with the obvious.

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx

Ensure all of the entries in these keys are legitimate ones that can be identified.  Of course, the MSCONFIG "startup" tab can be used to temporarily disable a startup.

Nothing suspicious in there?

RKill (terminates known malware processes):
http://www.bleepingcomputer.com/download/rkill/
(use download links further down the page)

Rogue Killer (same as RKill but more):
http://tigzy.geekstogo.com/roguekiller.php

TDSSKiller by Kaspersky:
http://support.kaspersky.co.uk/viruses/disinfection/5350
http://media.kaspersky.com/utilities/VirusUtilities/EN/tdsskiller.exe

Avast MBR Scanner:
http://public.avast.com/~gmerek/aswMBR.htm
0
 
LVL 17
ID: 39752233
Just had a reminder about this. Sorry I haven't been back.
I am slowly working through the suggested solutions in the links supplied so far, but at the moment everything is saying it's clean except avg.
I'll take another look at the weekend, but won't be able to until then.
0
Threat Intelligence Starter Resources

Integrating threat intelligence can be challenging, and not all companies are ready. These resources can help you build awareness and prepare for defense.

 
LVL 20

Expert Comment

by:viki2000
ID: 39761353
I would suggest to clean uninstall and reinstall AVG.
That means you should use a monitoring software for install/uninstall process.
You need something like Total Uninstall or similar.
Just consider that might be AVG itself a  problem, if all the other anti viruses do not find the problem reported by AVG.

Additional to the anti-virus I always use antispyware and antiadware programs.
First I clean the temporary files with CClean.
Then I scan with some programs as: Spybot - Search & Destroy, SyHunter, Malwarebytes.
As antivirus I use the free Avast edition.
During years I found, at least in the past, that Avast consumes less resources than AVG. I do not know how is it now, because many years I used AVG, then I switched to Avast and I remained with it.
For special situations I use Kaspersky Rescue Disk http://support.kaspersky.com/viruses/rescuedisk#downloads or other similar form different companies as Avira, AVG..., but Kaspersky is good.
0
 
LVL 17
ID: 39765346
it ate my comment, briefly I'm closing this so it doesn't become a collection of helpful hints that I haven't tried yet.
I don't think removing the tool that reports the problem and replacing it with one that gives a clean report is a very ideal solution. I would like to remove the problem, not the tool that can see it.
0
 
LVL 20

Expert Comment

by:viki2000
ID: 39765502
but you could try to reinstall your AVG with clean install/uninstall using monitoring software
0
 
LVL 38

Expert Comment

by:BillDL
ID: 39765766
Thank you Robin.

It's most likely to be an AVG-centric "heuristics" detection, but you can never be too sure if it's a "red herring" or not, just like the Engine Warning light in my car.  I suspect it's the Lambda (O2) sensor at my cat, but could equally just be a leftover from when the exhaust blew ages ago and simply needs to be reset.  I cut the wires to the dashboard lights to make it go away, but now I can't see how fast I'm going, and when I blinded traffic cops while driving on full beam at 95mph on the M74 with my hazard lights blinking, I was pulled over and done ;-)
0

Featured Post

Threat Intelligence Starter Resources

Integrating threat intelligence can be challenging, and not all companies are ready. These resources can help you build awareness and prepare for defense.

Join & Write a Comment

Suggested Solutions

Title # Comments Views Activity
VTP LOG RUNTTIME ERROR 31 125
Logarithms 2 51
Will This Course prepare me to get the SAP Business One cert? 1 62
Need more details 5 82
Phishing is at the top of most security top 10 efforts you should be pursuing in 2016 and beyond. If you don't have phishing incorporated into your Security Awareness Program yet, now is the time. Phishers, and the scams they use, are only going to …
If you want to move up through the ranks in your technology career, talent and hard work are the bare necessities. But they aren’t enough to make you stand out. Expanding your skills, actively promoting your accomplishments and using promotion st…
Notifications on Experts Exchange help you keep track of your activity and updates in one place. Watch this video to learn how to use them on the site to quickly access the content that matters to you.
Saved searches can save you time by quickly referencing commonly searched terms on any topic. Whether you are looking for questions you can answer or hoping to learn about a specific issue, a saved search can help you get the most out of your time o…

708 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

18 Experts available now in Live!

Get 1:1 Help Now