The 2015 free edition of AVG is reporting 11 rootkit violations on my Vaio laptop running Windows 7 Home Premium Edition. However, AVG is not allowing me to remove the violations: "Remove Selected" and "Remove All" are not clickable. Neither TDSSKiller nor GMER is complaining. Could this just be a false positive by AVG? Please help.
Thanks,
Debasish
Below is the AVG Report:
Name;"Description";"Status";"Status";"Priority"
<unknown>;"Service function NtReadVirtualMemory hook -> 0xFFFFFFFF8646BCD8";"Unresolved";"Unresolved";"Medium"
<unknown>;"Service function NtSetContextThread hook -> 0xFFFFFFFF8646BF30";"Unresolved";"Unresolved";"Medium"
<unknown>;"Service function NtAllocateVirtualMemory hook -> 0xFFFFFFFF8646BDC8";"Unresolved";"Unresolved";"Medium"
<unknown>;"Service function NtSetInformationThread hook -> 0xFFFFFFFF8646BFA8";"Unresolved";"Unresolved";"Medium"
<unknown>;"Service function NtSetInformationProcess hook -> 0xFFFFFFFF864962C0";"Unresolved";"Unresolved";"Medium"
<unknown>;"Service function NtCreateThreadEx hook -> 0xFFFFFFFF8646BBE8";"Unresolved";"Unresolved";"Medium"
<unknown>;"Service function NtCreateUserProcess hook -> 0xFFFFFFFF8646BC60";"Unresolved";"Unresolved";"Medium"
<unknown>;"Service function NtCreateThread hook -> 0xFFFFFFFF864961D0";"Unresolved";"Unresolved";"Medium"
<unknown>;"Service function NtCreateProcessEx hook -> 0xFFFFFFFF864963B0";"Unresolved";"Unresolved";"Medium"
<unknown>;"Service function NtQueueApcThread hook -> 0xFFFFFFFF8646BE40";"Unresolved";"Unresolved";"Medium"
<unknown>;"Service function NtCreateProcess hook -> 0xFFFFFFFF864965B8";"Unresolved";"Unresolved";"Medium"
Below is the GMER report:
GMER 2.1.19357 - http://www.gmer.net
Rootkit scan 2015-01-06 23:34:54
Windows 6.1.7601 Service Pack 1 \Device\Harddisk0\DR0 -> \Device\00000073 WDC_WD50 rev.01.0 465.76GB
Running: x9dezurx.exe; Driver: C:\Users\Sasmal\AppData\Local\Temp\uwdirpoc.sys
---- System - GMER 2.1 ----
SSDT 86474B70 ZwAllocateVirtualMemory
SSDT 86497338 ZwCreateProcess
SSDT 86474020 ZwCreateProcessEx
SSDT 86474E40 ZwCreateThread
SSDT 86474990 ZwCreateThreadEx
SSDT 86474A08 ZwCreateUserProcess
SSDT \SystemRoot\system32\DRIVERS\avgidsshimx.sys ZwNotifyChangeKey [0x936DE6E0]
SSDT \SystemRoot\system32\DRIVERS\avgidsshimx.sys ZwNotifyChangeMultipleKeys [0x936DE800]
SSDT \SystemRoot\system32\DRIVERS\avgidsshimx.sys ZwOpenProcess [0x936DE010]
SSDT \SystemRoot\system32\DRIVERS\avgidsshimx.sys ZwOpenThread [0x936DE4D0]
SSDT 86474BE8 ZwQueueApcThread
SSDT 86474A80 ZwReadVirtualMemory
SSDT 86474CD8 ZwSetContextThread
SSDT 86474F30 ZwSetInformationProcess
SSDT 86474D50 ZwSetInformationThread
SSDT \SystemRoot\system32\DRIVERS\avgidsshimx.sys ZwSuspendProcess [0x936DE300]
SSDT \SystemRoot\system32\DRIVERS\avgidsshimx.sys ZwSuspendThread [0x936DE3E0]
SSDT \SystemRoot\system32\DRIVERS\avgidsshimx.sys ZwTerminateProcess [0x936DE120]
SSDT \SystemRoot\system32\DRIVERS\avgidsshimx.sys ZwTerminateThread [0x936DE210]
SSDT \SystemRoot\system32\DRIVERS\avgidsshimx.sys ZwWriteVirtualMemory [0x936DE5E0]
---- Kernel code sections - GMER 2.1 ----
.text ntkrnlpa.exe!ZwRollbackEnlistment + 140D 83089A35 1 Byte [06]
.text ntkrnlpa.exe!KiDispatchInterrupt + 5A2 830C3392 19 Bytes [E0, 0F, BA, F0, 07, 73, 09, …] {LOOPNZ 0x11; MOV EDX, 0x97307f0; MOV CR4, EAX; OR AL, 0x80; MOV CR4, EAX; RET ; MOV ECX, CR3}
.text ntkrnlpa.exe!KeRemoveQueueEx + 10F3 830CA5D8 4 Bytes [70, 4B, 47, 86]
.text ntkrnlpa.exe!KeRemoveQueueEx + 11E3 830CA6C8 8 Bytes [38, 73, 49, 86, 20, 40, 47, …]
.text ntkrnlpa.exe!KeRemoveQueueEx + 1203 830CA6E8 8 Bytes [40, 4E, 47, 86, 90, 49, 47, …]
.text ntkrnlpa.exe!KeRemoveQueueEx + 121B 830CA700 4 Bytes [08, 4A, 47, 86]
.text ntkrnlpa.exe!KeRemoveQueueEx + 1357 830CA83C 8 Bytes [E0, E6, 6D, 93, 00, E8, 6D, …] {LOOPNZ 0xffffffe8; INS DWORD [ES:EDI], DX; XCHG EBX, EAX; ADD AL, CH; INS DWORD [ES:EDI], DX; XCHG EBX, EAX}
.text …
.text C:\Windows\system32\DRIVERS\atikmdag.sys section is writeable [0x9480E000, 0x353030, 0xE8000020]
---- Devices - GMER 2.1 ----
AttachedDevice \FileSystem\Ntfs \Ntfs ssfs0bbd.sys
AttachedDevice \Driver\kbdclass \Device\KeyboardClass0 Wdf01000.sys
AttachedDevice \Driver\kbdclass \Device\KeyboardClass1 Wdf01000.sys
AttachedDevice \Driver\tdx \Device\Tcp NEOFLTR_700_19821.SYS
AttachedDevice \Driver\tdx \Device\Udp NEOFLTR_700_19821.SYS
AttachedDevice \Driver\tdx \Device\RawIp avgtdix.sys
---- Threads - GMER 2.1 ----
Thread System [4:4772] B4847F2E
---- Registry - GMER 2.1 ----
Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\90004ef797e3
Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\90004ef797e3 (not active ControlSet)
Reg HKLM\SOFTWARE\Microsoft\Windows Search\UsnNotifier\Windows\Catalogs\SystemIndex@{D12CCB9F-2711-11E0-B695-806E6F6E6963} 3973734960
---- EOF - GMER 2.1 ----
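As an added triage aid, not part of this thread or of either tool, the script below parses rows in the shape of the two reports quoted above, maps GMER's Zw* names onto AVG's Nt* names, and lists the service functions that both tools see hooked but neither attributes to a loaded driver (the entries GMER prints as a bare address, unlike the ones it ties to avgidsshimx.sys). The sample rows are constructed from the post's report formats; the only assumption is that the two formats are as shown.

```python
import re

# Constructed sample rows, in the shape of the AVG and GMER reports quoted in the post
AVG_REPORT = """\
<unknown>;"Service function NtReadVirtualMemory hook -> 0xFFFFFFFF8646BCD8";"Unresolved";"Unresolved";"Medium"
<unknown>;"Service function NtCreateThreadEx hook -> 0xFFFFFFFF8646BBE8";"Unresolved";"Unresolved";"Medium"
"""
GMER_REPORT = r"""
SSDT 86474A80 ZwReadVirtualMemory
SSDT 86474990 ZwCreateThreadEx
SSDT \SystemRoot\system32\DRIVERS\avgidsshimx.sys ZwOpenProcess [0x936DE010]
SSDT 86474B70 ZwAllocateVirtualMemory
"""
AVG_RE = re.compile(r'Service function (Nt\w+) hook -> 0x([0-9A-Fa-f]+)')
GMER_RE = re.compile(r'^SSDT (\S+) (Zw\w+)(?: \[0x([0-9A-Fa-f]+)\])?$')

def parse_avg(text):
    """{service: hook target} from AVG 'Service function ... hook' rows."""
    hooks = {}
    for line in text.splitlines():
        m = AVG_RE.search(line)
        if m:  # the report shows 0xFFFFFFFF8646BCD8-style values; keep the low 32 bits
            hooks[m.group(1)] = int(m.group(2), 16) & 0xFFFFFFFF
    return hooks

def parse_gmer(text):
    """{service: (owning module or None, hook target)} from GMER SSDT rows."""
    entries = {}
    for line in text.splitlines():
        m = GMER_RE.match(line.strip())
        if not m:
            continue
        first, name, addr = m.groups()
        nt_name = 'Nt' + name[2:]  # ZwFoo and NtFoo name the same SSDT slot
        if addr is None:  # bare address: GMER named no loaded driver as the owner
            entries[nt_name] = (None, int(first, 16))
        else:
            entries[nt_name] = (first, int(addr, 16))
    return entries

def correlate(avg, gmer):
    """Per service: which tool reported it and whether GMER attributed it to a driver."""
    rows = {}
    for svc in sorted(set(avg) | set(gmer)):
        module = gmer.get(svc, (None, None))[0]
        rows[svc] = {'avg': svc in avg, 'gmer': svc in gmer, 'module': module}
    return rows

def needs_follow_up(rows):
    """Hooks both tools see but neither ties to a loaded driver: the ones to investigate."""
    return sorted(s for s, r in rows.items() if r['avg'] and r['gmer'] and r['module'] is None)
```

Hooks that GMER attributes to the installed AV's own driver are expected self-protection; the unattributed set is what to raise with the vendor when reporting a suspected false detection.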
D Sas, suspecting a false detection? Have a look at this article (https://support.avg.com/SupportArticleView?urlname=How-to-report-a-false-incorrect-detection).
AVG Guru