AVG rootkit detection


#1 Ellinas

Posted 29 October 2010 - 02:23 PM

I'm running Windows 7 Home Premium, and have just completed a rootkit scan with AVG 2011 free edition. It's thrown up the following:

Object name: C:\WINDOWS\assembly\ngenlock.dat
Detection name: Hidden file
Object type: file
SDK type: Rootkit
Result: Object is hidden

Anyone got any idea what this is? I gather that AVG does detect non malicious stuff as well as malicious, so hopefully this is in that category.

By the way, I've just done a Malwarebytes scan, which found no infection.


Thanks.

Edited by Ellinas, 29 October 2010 - 02:38 PM.


#2 quietman7
Posted 29 October 2010 - 03:28 PM

It looks to be a data file. Some types of malware use data files as part of the infection and they may contain all autocomplete login names and passwords for web sites visited, including e-mail accounts. However, not all hidden components detected by ARKs are malicious.

The only thing I can find on ngenlock.dat is here.

What did AVG do with the file?

Anytime you come across a suspicious file or suspect a detection may be a false positive, submit it to AVG for further analysis.
If the file has been placed in the Virus Vault, then follow these directions. Even though the instructions say if you suspect the file is clean but you still have doubts, submit them anyway using this method.

Chapter 10.8 of the AVG Anti-Virus 2011 User Manual and Chapter 9.5 of the AVG Internet Security 2011 User Manual explain more detail about the virus vault. These manuals are also a good resource for explaining components, settings, and other information.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

#3 Ellinas

Posted 30 October 2010 - 03:32 PM

Thanks. AVG detected but did not do anything else with the file. I'll try to get my head around the submission directions!

Edited by Ellinas, 30 October 2010 - 03:33 PM.


#4 Ellinas

Posted 30 October 2010 - 04:38 PM

I've failed to find the offending file via Windows Explorer (having altered the settings to reveal hidden files), and the GMER tool, after a full scan, indicates that it cannot find any system modification and lists no files.

Does that allow me to take it that AVG has identified some sort of legitimate file?
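One way to reproduce the check described in this post from the command line, added here as an example and not posted by either participant: the script below lists the reported path first through the normal Win32 directory view (what Explorer shows by default) and then with PowerShell's -Force switch (the equivalent of enabling "show hidden files" and "show protected operating system files"), prints the file's attributes and timestamps, and computes a SHA256 hash that can be used for a vendor submission or reputation lookup. The path is the one AVG reported in the first post; the output format and hash algorithm are my choices, and the script assumes an elevated PowerShell session on the affected machine. Anti-rootkit scanners generally flag a file as hidden when a low-level view of the disk shows it but the ordinary directory-listing API does not, so a file that -Force still cannot see is one this script cannot inspect, and a second scanner, as the poster did with GMER, is the right cross-check.

```powershell
# Added example, not from the thread: triage a "hidden file" detection at the path a scanner reported.
# Assumption: run in an elevated PowerShell session on the machine that produced the detection.
$Path = 'C:\WINDOWS\assembly\ngenlock.dat'   # path reported by AVG in the first post
$Dir  = Split-Path -Path $Path
$Name = Split-Path -Path $Path -Leaf

# 1. Default Win32 directory view: files with the Hidden or System attribute are omitted,
#    which is why Explorer with default settings does not show them.
$normal = Get-ChildItem -LiteralPath $Dir -File -ErrorAction SilentlyContinue |
          Where-Object { $_.Name -ieq $Name }

# 2. Same view with -Force, which includes Hidden and System entries.
$forced = Get-ChildItem -LiteralPath $Dir -File -Force -ErrorAction SilentlyContinue |
          Where-Object { $_.Name -ieq $Name }

if (-not $forced) {
    Write-Output "Not visible through the Win32 directory API even with -Force: $Path"
    Write-Output "A scanner that still reports it is using a lower-level view; confirm with a second anti-rootkit tool."
    return
}

$item = $forced[0]
Write-Output ("Attributes                : {0}" -f $item.Attributes)        # e.g. Hidden, System, Archive
Write-Output ("Size                      : {0} bytes" -f $item.Length)
Write-Output ("Last write (UTC)          : {0:u}" -f $item.LastWriteTimeUtc)
Write-Output ("Created (UTC)             : {0:u}" -f $item.CreationTimeUtc)
Write-Output ("Visible in default listing: {0}" -f [bool]$normal)

# 3. Hash for a vendor submission or reputation lookup. Only the hash value is produced;
#    nothing is uploaded by running this.
$hash = Get-FileHash -LiteralPath $Path -Algorithm SHA256
Write-Output ("SHA256                    : {0}" -f $hash.Hash)
```

If the file shows up only with -Force, the detection is consistent with an ordinary Hidden or System attribute rather than anything that tampers with the directory API; if it shows up in neither listing while a scanner still reports it, that disagreement is what the scanner means by "hidden", and the hash and attributes above are the details a vendor will want when the file is submitted for analysis.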

#5 quietman7
Posted 31 October 2010 - 06:57 AM

I have no way of knowing exactly what AVG found. Did you rescan to see if AVG found it again?

Are you having any specific issues, symptoms of infection or was this just the result of a routine scan you performed?

#6 Ellinas
Posted 31 October 2010 - 09:19 AM

I've just done a re-scan. No, it did not find the item again.

I had no "symptoms" - I performed the first scan because I had updated to AVG 2011 Free, which for the first time has a rootkit detection facility. The machine is a secondary computer which I use for limited purposes (specific websites and e-mails) and I'm pretty fastidious over not taking risks, so I was surprised when the offending file was found. I've always used F-Secure Blacklight for rootkit scans on my main computer (an XP machine), which has never found anything save on one occasion when there was a genuine problem - which, incidentally, was successfully sorted via this forum about a year ago. I understand Blacklight to be better at ignoring false positives, but I don't think it's ever been made Windows 7 compatible.

Anyhow, the problem seems to be practically unidentifiable, so I suppose there's not a lot more to be done at this stage. Thanks for your time and help - I'll post again if anything more comes to light.

Edited by Ellinas, 31 October 2010 - 09:20 AM.


#7 quietman7
Posted 31 October 2010 - 09:21 AM

You're welcome. Safe surfing and have a malware free day.