
Rootkit Scan


12 replies to this topic

#1 yabbadoo

  • Banned
  • 510 posts
  • Gender:Male

Posted 10 July 2013 - 07:23 AM

I have had AVG for many years and now use AVG 2013 Free version 2013.0.3349.

On previous AVG Rootkit scans there have never been any infections detected. On a Rootkit scan 9 July 13, there were 80 detections listed. I cannot believe this is true. It looks a most dangerous and deceptive output.

Separate scans with MBAM, Emsisoft AM, Rootkit Revealer and Kaspersky TDSSKiller showed up nothing - a clean sheet. This situation wrecks my confidence in AVG and I really would like to know what this incredible result means.

As I am a very experienced user, I dismissed the result simply because 80 infections made no sense in view of the other checks being negative. If it had been just a few, I may have taken some action and been in big trouble, glad I never. Inexperienced users would have had the lot deleted and probably wrecked their computer completely.

 

I have posted this matter on the AVG Forum, but nobody has cared to answer it yet. I hope that BC may give me a clue. The AVG Forum segregates the "Free" version enthusiasts into a separate section, giving the impression of being channeled into a poor man's residual charity dumping ground. I can see no means on their Freebie to submit suspicious output data to them for examination. How tremendously helpful.

Can anybody please explain this extraordinary fascination of AVG's for listing Rootkit infections that are not there? A screenshot of the first few "infections" is shown below. There are 80 of these!

[screenshot: the first few "infections" listed by the AVG rootkit scan]


Edited by yabbadoo, 10 July 2013 - 08:27 AM.



#2 quietman7 (Bleepin' Janitor)

  • Global Moderator
  • 51,613 posts
  • Gender:Male
  • Location:Virginia, USA

Posted 10 July 2013 - 09:23 AM

ntkrnlpa.exe is a core system component of Windows located in the system32 folder. This is not the first time AVG has detected a problem with ntkrnlpa.exe. The other displayed detections are also for files within that folder.

Based on the limited information in the screenshot, we cannot answer why these files have been detected as a threat. I would ignore them for now and wait on a reply in the topic you posted at the AVG forum or contact AVG Free Support directly.

Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click here
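One way to triage a batch of detections like the ones in the screenshot, as an added example that is not part of this thread and is not AVG's own tooling: for each flagged path, check whether the file still exists, whether it carries a valid Authenticode or catalog signature and who signed it, and record a SHA-256 hash as evidence. A System32 binary that is validly signed by Microsoft while several other engines report clean is the usual shape of a signature-database false positive; a missing file, a hash mismatch, or an unexpected signer is what actually deserves follow-up. The list of paths is constructed to mirror the thread (ntkrnlpa.exe plus other System32 files); it assumes Windows PowerShell 4.0 or later (for Get-FileHash).

```powershell
# Added example (not from the thread or from AVG): triage files that an AV rootkit
# scan flagged inside %SystemRoot%\System32 and classify each one as a likely false
# positive or as something worth a closer look.
# Assumptions: Windows PowerShell 4.0+; $Flagged is a constructed list that mirrors
# the thread's screenshot and is not real AVG output.

$Flagged = @(
    "$env:SystemRoot\System32\ntkrnlpa.exe",
    "$env:SystemRoot\System32\ntoskrnl.exe",
    "$env:SystemRoot\System32\hal.dll"
)

function Test-FlaggedSystemFile {
    param([Parameter(Mandatory)][string]$Path)

    # A detection on a file that no longer exists may mean the scanner (or the user)
    # removed it; report that explicitly instead of erroring out.
    if (-not (Test-Path -LiteralPath $Path -PathType Leaf)) {
        return [pscustomobject]@{
            Path = $Path; Exists = $false; Signature = 'n/a'; Signer = 'n/a'
            SHA256 = 'n/a'; Verdict = 'MISSING - run sfc /verifyonly and check the AV quarantine'
        }
    }

    # Get-AuthenticodeSignature resolves catalog-signed files (most System32 binaries
    # are catalog-signed rather than carrying an embedded signature) on Windows 8 /
    # Server 2012 and later. On Windows 7 a catalog-signed file can show as NotSigned,
    # so treat that status as "verify another way", not as "malicious".
    $sig    = Get-AuthenticodeSignature -FilePath $Path
    $hash   = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
    $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { 'none' }

    $verdict = switch ($sig.Status) {
        'Valid' {
            if ($signer -like '*Microsoft*') { 'Signed by Microsoft - likely false positive' }
            else { 'Valid signature but not Microsoft - review the signer' }
        }
        'HashMismatch' { 'File content does not match its signature - investigate' }
        'NotSigned'    { 'No embedded or catalog signature found - verify with sfc /verifyonly' }
        default        { "Signature status $($sig.Status) - investigate" }
    }

    [pscustomobject]@{
        Path = $Path; Exists = $true; Signature = $sig.Status; Signer = $signer
        SHA256 = $hash; Verdict = $verdict
    }
}

$results = foreach ($f in $Flagged) { Test-FlaggedSystemFile -Path $f }
$results | Format-Table -AutoSize Path, Signature, Verdict

# Keep the evidence: a CSV of paths and hashes is something a vendor can act on,
# where a screenshot is not.
$results | Export-Csv -NoTypeInformation -Path "$env:USERPROFILE\Desktop\flagged-triage.csv"
```

The script only reads files and never deletes or moves anything, which is the point: the decision the thread worries about (delete 80 kernel files on the word of one engine) should wait until the signature and hash evidence is in hand. On a 64-bit system ntkrnlpa.exe normally does not exist at all, so the MISSING verdict there is expected rather than alarming; `sfc /verifyonly` is the built-in way to confirm that the protected system files still match Windows' own component store.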

#3 yabbadoo (Topic Starter)

  • Banned
  • 510 posts
  • Gender:Male

Posted 10 July 2013 - 11:40 AM

> ntkrnlpa.exe is a core system component of Windows located in the system32 folder. This is not the first time AVG has detected a problem with ntkrnlpa.exe. The other displayed detections are also for files within that folder.
>
> Based on the limited information in the screenshot, we cannot answer why these files have been detected as a threat. I would ignore them for now and wait on a reply in the topic you posted at the AVG forum or contact AVG Free Support directly.

Thanks for the constructive reply.

 

The list of 80 items is all this kind of thing. I intended to save the data for reference, not to delete any of it, and hit "Archive results". They all went somewhere, but I cannot find them.

Browsing this on the AVG Forum, somebody made a comment that Archive = Delete. Well, in simple English it sure does not to me, but I am concerned that these files have been deleted or tucked away somewhere in a non-operative box. If Windows needs these files and they have been lost or restricted in some way, what happens then?

What do you think has happened to these files? I would really appreciate your comments.

Thanks 

Yabba



#4 quietman7 (Bleepin' Janitor)

  • Global Moderator
  • 51,613 posts
  • Gender:Male
  • Location:Virginia, USA

Posted 10 July 2013 - 12:34 PM

In computing, archives are generally considered .zip, .rar, .cab files and some anti-virus engines have trouble scanning them.

In dictionary terms, an archive is a repository containing historical records and documents...in other words a way of storing data. I have never heard the term used in conjunction with delete.

I just looked through the current AVG Antivirus 2013 User Guide which confirms that's how they view the term. There is no mention of "Archive results".

When AVG removes detected threats they are sent to the Virus Vault and safely held there. The section of the manual explaining the Virus Vault indicates "Messages": in rare situations, some notes may occur in this column providing detailed comments on the respective detected threat. I'm not familiar with what messages they are referring to since I don't use AVG.

In any case if all those system files had been removed, I doubt you would be able to use/boot your computer. I suspect the "Archive results" means to store them somewhere...where I don't know because their documentation does not say.

#5 yabbadoo (Topic Starter)

  • Banned
  • 510 posts
  • Gender:Male

Posted 10 July 2013 - 01:38 PM

> In computing, archives are generally considered .zip, .rar, .cab files and some anti-virus engines have trouble scanning them.
>
> In dictionary terms, an archive is a repository containing historical records and documents...in other words a way of storing data. I have never heard the term used in conjunction with delete.
>
> I just looked through the current AVG Antivirus 2013 User Guide which confirms that's how they view the term. There is no mention of "Archive results".
>
> When AVG removes detected threats they are sent to the Virus Vault and safely held there. The section of the manual explaining the Virus Vault indicates "Messages": in rare situations, some notes may occur in this column providing detailed comments on the respective detected threat. I'm not familiar with what messages they are referring to since I don't use AVG.
>
> In any case if all those system files had been removed, I doubt you would be able to use/boot your computer. I suspect the "Archive results" means to store them somewhere...where I don't know because their documentation does not say.

That was a wonderful reply and explained quite a bit.

 

It made me feel better knowing that "Archive" in my language conforming to the definition of "Store" means the same as in the Czech Republic and not "Delete".

 

I don't know where they have tucked these files, I have searched all over with no luck, but my system is working perfectly, so whatever needs them has found them. They are not in the Virus Vault.

 

My confidence in AVG has been severely dented and I am considering changing to another AV program, but apart from this matter, AVG works superbly with no trouble at all. It seems to do a good general job. The point is that if AVG picks up erroneous Rootkit files, it may well behave the same with normal scan threat searches.

 

I reckon you have most likely done as much as can be done for me, but perhaps somebody else may come in with an opinion.

 

My need to post this thread using the Free AVG version is bad enough, but had I paid $45-60 for their upgraded version, I reckon my cork would have popped.

 

You have been extremely helpful and I am very grateful. Thank you.

 

Yabba

 

PS - A new scan by AVG comes up clean - no "Rootkits" listed. So it looks as if AVG does not scan archived files, otherwise the 80 "offending" files would be picked up again by the new scan.


Edited by yabbadoo, 10 July 2013 - 02:06 PM.


#6 quietman7 (Bleepin' Janitor)

  • Global Moderator
  • 51,613 posts
  • Gender:Male
  • Location:Virginia, USA

Posted 10 July 2013 - 05:12 PM

AVG should scan archive files. I think you may have misunderstood me. When I said AVG must store them somewhere I meant it was storing the results not the actual files.

Since the scan came up clean this time, I suspect they updated their database to correct whatever was causing the detections.

In any event, let us know what AVG has to say.

#7 yabbadoo (Topic Starter)

  • Banned
  • 510 posts
  • Gender:Male

Posted 10 July 2013 - 07:06 PM

> AVG should scan archive files. I think you may have misunderstood me. When I said AVG must store them somewhere I meant it was storing the results not the actual files.
>
> Since the scan came up clean this time, I suspect they updated their database to correct whatever was causing the detections.
>
> In any event, let us know what AVG has to say.

I posted the same example as here on the AVG Forum, but no reply yet. As expected, quite a few views but no replies.

Yes, AVG does scan archive files. I have just scanned again for Rootkits and made sure archive files were checked. The scan came up clean - none of those 80 files/results were listed.

The 80 results for that particular scan are still shown on the scan history records, but all you can do is look at them; there is no means of doing anything like reinstating them.

I do not know where they have gone. Maybe the guy was right that Archive = Delete (I never deleted anything, only archived the results), or the AVG program disinfected them before archiving them. Either way, they are gone from being threats on the new scan. They were listed as being infected on the initial scan. There was no Delete or Disinfect facility given, just Archive.

Everything seems to be working OK, so if they are gone and they were vital Windows files, how come Windows is not paralysed by these missing files?

It is a puzzling and worrying mystery to me. You have helped enormously, but I now feel as helpless as a one-legged brainless spider.


Edited by yabbadoo, 10 July 2013 - 07:09 PM.


#8 quietman7 (Bleepin' Janitor)

  • Global Moderator
  • 51,613 posts
  • Gender:Male
  • Location:Virginia, USA

Posted 10 July 2013 - 07:16 PM

According to the AVG user manual there are ways to check the status of detections and what action was taken with them. If moved to quarantine, if disinfected, if deleted...there should be a record. I still suspect the action you chose was to archive (save) the results of the scan, not remove the actual files.

Since no one is answering at the AVG forum you probably should contact AVG Free Support directly.

#9 yabbadoo (Topic Starter)

  • Banned
  • 510 posts
  • Gender:Male

Posted 11 July 2013 - 03:57 AM

> According to the AVG user manual there are ways to check the status of detections and what action was taken with them. If moved to quarantine, if disinfected, if deleted...there should be a record. I still suspect the action you chose was to archive (save) the results of the scan, not remove the actual files.
>
> Since no one is answering at the AVG forum you probably should contact AVG Free Support directly.

I can only stress how helpful you have been on this matter. Without your informative comments, I would have had nothing from anybody.

Contact AVG? You must be joking. Even if I could get past their restrictive online message form, I would get more help from the local Salvation Army. I tried to contact them with the details, but they wanted a URL. I have no URL, I am just a little old user.



#10 quietman7 (Bleepin' Janitor)

  • Global Moderator
  • 51,613 posts
  • Gender:Male
  • Location:Virginia, USA

Posted 11 July 2013 - 06:56 AM

Looks like I will have to add lack of adequate Customer support to my list of reasons for no longer recommending AVG Anti-virus.

#11 blueicetwice

  • Members
  • 52 posts
  • Gender:Male
  • Location:St Paul & Mpls - Maoisota

Posted 14 July 2013 - 09:24 AM

Yabbadoo, love that user name! I used to have AVG installed on my rig and in general when I ran a scan, it never found anything...

Recently, I ran a series of other scanners and found badware but again a scan by AVG found the machine free and clear...

We no longer have AVG installed, because we strongly feel that there are many other better scanners available in the marketplace...



#12 yabbadoo (Topic Starter)

  • Banned
  • 510 posts
  • Gender:Male

Posted 14 July 2013 - 01:07 PM

> Yabbadoo, love that user name! I used to have AVG installed on my rig and in general when I ran a scan, it never found anything...
>
> Recently, I ran a series of other scanners and found badware but again a scan by AVG found the machine free and clear...
>
> We no longer have AVG installed, because we strongly feel that there are many other better scanners available in the marketplace...

Fantastic reply, I am so confused now that I reckon I'll go and poke that bad-tempered T-Rex living just at the back of my cave just to calm the adrenaline down.

AVG comes up with 80 Windows Driver files that are supposed to be infected and scares the crap out of me. Delete that lot and I'll have a blank screen.

Then, AVG comes up clean on your scans whilst other programs come up with infections.

What have I ever said or done against the Czech Republic?

At this mentally contortional stage, I reckon I'll go get Wilma to whack me on the head with my club. Maybe that'll ring a few bells.

YABBA-DABBA-DOO!

PS - But old Yabbadoo ain't all that senile, he's got MBAM, Emsisoft AM and Kaspersky TDSSKiller tucked away under his Mammoth skin underwear, just for kicks and self survival.


Edited by yabbadoo, 14 July 2013 - 01:09 PM.


#13 blueicetwice

  • Members
  • 52 posts
  • Gender:Male
  • Location:St Paul & Mpls - Maoisota

Posted 15 July 2013 - 08:56 AM

Fred, oh I mean, Yabbadoo, a funny and delightful reply! Feed your AVG to your personal T-Rex...I heard they love human malware...

Thanks for the picture of your findings...If you were to have found several reported alerts that would be one thing, but 80!

If I had any scanner, paid or free, do this it would find itself in a deep dumpster...





