

AVG Results


4 replies to this topic

#1 daveo00_

daveo00_

  • Members
  • 2 posts
  • OFFLINE
  • Local time:10:00 PM

Posted 09 March 2014 - 12:43 PM

Split from http://www.bleepingcomputer.com/forums/t/265568/ntoskrnlexe-attempting-to-access-internet/ - Hamluis.

 

I experienced a similar issue but not identical.  AVG reports "inline hook ntoskrnl.exe PsCreateSystemThread+0x455 -> 0x00000008".  This file has a history at Microsoft, but my version is 5.1.2600.6419 which is well past the previous problem files. I also have Avast anti-virus that has no issues with the file.  Should I be concerned?

 

Dave


Edited by hamluis, 09 March 2014 - 04:48 PM.
PM sent new OP - Hamluis.



#2 noknojon

noknojon

  • Banned
  • 10,871 posts
  • OFFLINE
  • Gender:Not Telling
  • Local time:02:00 PM

Posted 09 March 2014 - 08:17 PM

Hello -

If you have no current problems then it is just a notice (rather than problem).

 

Run a Full Scan with your Updated Antivirus, and we hope it is gone now . :)



#3 daveo00_

daveo00_
  • Topic Starter

  • Members
  • 2 posts
  • OFFLINE
  • Local time:10:00 PM

Posted 10 March 2014 - 03:05 PM

Microsoft Knowledge Base reports that the routine is legitimate, but there are no examples of the routine calling specific memory for the thread. Due to other issues with data backup, I am not going to mess with the kernel until I have a complete backup created.

 

AVG full scan catches it every time, identifying it as a Medium risk through the Anti-Rootkit; however, it does not remove it successfully.

 

This seems to have corresponded to my latest upgrades for XP. Looks like upgrading may happen faster than I had expected.

 

Any thoughts about what it is?



#4 noknojon

noknojon

  • Banned
  • 10,871 posts
  • OFFLINE
  • Gender:Not Telling
  • Local time:02:00 PM

Posted 10 March 2014 - 05:24 PM

> AVG full scan catches it every time, identifying it as a Medium risk through the Anti-Rootkit;

Hi -

Can you please list the exact name that is used by AVG to identify the infection.

 

This is our best chance to track it down -



#5 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 50,609 posts
  • OFFLINE
  • Gender:Male
  • Location:Virginia, USA
  • Local time:11:00 PM

Posted 11 March 2014 - 06:56 AM

What is ntoskrnl.exe

Not all hidden components detected by anti-rootkit (ARK) scanners and security tools are malicious. Most ARK tools check for rootkit-like behavior, which is not always indicative of a malware infection. It is normal for a firewall, anti-virus and anti-malware software, CD emulators, virtual machines, sandboxes and Host-based Intrusion Prevention Systems (HIPS) to exhibit rootkit-like behavior or hook into the OS kernel/SSDT (System Service Descriptor Table) in order to protect your system. The SSDT is a table that stores addresses of functions that are used by Windows. Whenever a function is called, Windows looks in this table to find the address for it. Both legitimate programs and rootkits can hook into and alter this table.

API Kernel hooks are not always bad since some system monitoring software and security tools use them as well. If no hooks are active on a system it means that all system services are handled by ntoskrnl.exe which is a base component of Windows operating systems and the process used in the boot-up cycle of a computer. ARK scanners do not differentiate between what is good and what is bad...they only report what is found. Therefore, even on a clean system some hidden essential components may be detected when performing a scan to check for the presence of rootkits. As such, you should not be alarmed if you see any hidden entries created by legitimate programs after performing a scan.

In most cases further investigation is required after the initial ARK scan by someone trained in rootkit detection or with advanced knowledge of the operating system. Report logs need to be analyzed and detected components identified in order to determine if they are benign, system critical or malevolent before attempting removal. Using an ARK scanner without knowing how to tell the difference between legitimate and malicious entries can be dangerous if a critical component is incorrectly removed.

* AVG Forum: How To Handle Suspicious False Positive Detection - Anti-Rootkit False Positives?

Generally when a system is infected with a malicious rootkit, there are other indications (signs of infection) something is wrong such as very poor system performance, high CPU usage, browser redirects, BSODs, etc.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

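The two points the thread turns on, that an ARK scanner only reports service-table entries which no longer point into the kernel image (it does not judge them), and that the "further investigation" step is attributing each reported target to whatever loaded module owns it, can be shown with a small model. The following is an added example written for this page; it is not AVG's code, not any real scanner, and every module base, size, service index and address in it is constructed sample data (the real ntoskrnl.exe load address and table layout are not modelled). It also parses a report line of the shape quoted in the first post, purely to show how the target address is pulled out and resolved against the constructed module map.

```python
"""Toy model of an anti-rootkit (ARK) scan over a kernel service table.

Added example for this thread; not AVG's code or a real scanner. All
modules, bases, sizes and table entries below are constructed sample data.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set
import re


@dataclass(frozen=True)
class Module:
    name: str
    base: int
    size: int

    def contains(self, addr: int) -> bool:
        return self.base <= addr < self.base + self.size


# Constructed loaded-module map (fictional bases and sizes, not real values).
MODULES: List[Module] = [
    Module("ntoskrnl.exe", 0x804D7000, 0x001F8000),   # the kernel image
    Module("av_filter.sys", 0xF7A00000, 0x00020000),  # hypothetical AV driver
]

# Constructed service table: service index -> handler address.
# Entry 2 is redirected into the AV driver (a legitimate hook, as the post
# describes); entry 3 points to memory that no loaded module claims.
SAMPLE_SSDT: Dict[int, int] = {
    0: 0x805B4A10,   # inside ntoskrnl.exe: untouched
    1: 0x805C1F3C,   # inside ntoskrnl.exe: untouched
    2: 0xF7A01230,   # inside av_filter.sys: hooked by a known driver
    3: 0x00000008,   # owned by no module: origin unknown
}


def owner_of(addr: int, modules: List[Module] = MODULES) -> Optional[str]:
    """Name of the loaded module whose range contains addr, or None."""
    for m in modules:
        if m.contains(addr):
            return m.name
    return None


def ark_scan(ssdt: Dict[int, int], modules: List[Module] = MODULES,
             kernel: str = "ntoskrnl.exe") -> List[dict]:
    """What an ARK scanner does: list every entry that no longer points into
    the kernel image. It does not decide good vs. bad, it only reports."""
    findings = []
    for idx, addr in sorted(ssdt.items()):
        owner = owner_of(addr, modules)
        if owner != kernel:
            findings.append({"index": idx, "target": addr, "owner": owner})
    return findings


def triage(findings: List[dict], trusted: Set[str]) -> Dict[str, List[int]]:
    """The follow-up step: attribute each reported entry to its owning module.
    Entries owned by known software are separated from those that resolve to
    an untrusted or unknown region and still need a human analyst."""
    buckets: Dict[str, List[int]] = {"known_software": [], "needs_analysis": []}
    for f in findings:
        key = "known_software" if f["owner"] in trusted else "needs_analysis"
        buckets[key].append(f["index"])
    return buckets


# Shape of the report line quoted in the first post (constructed regex).
HOOK_LINE = re.compile(
    r"inline hook (?P<module>\S+) (?P<symbol>\w+)\+0x(?P<offset>[0-9a-fA-F]+)"
    r" -> 0x(?P<target>[0-9a-fA-F]+)"
)


def parse_inline_hook_line(line: str) -> Optional[dict]:
    """Split a hook report line into module, symbol, offset and target, and
    resolve the target against the (constructed) module map."""
    m = HOOK_LINE.search(line)
    if not m:
        return None
    target = int(m["target"], 16)
    return {
        "module": m["module"],
        "symbol": m["symbol"],
        "offset": int(m["offset"], 16),
        "target": target,
        "target_owner": owner_of(target),
    }


if __name__ == "__main__":
    findings = ark_scan(SAMPLE_SSDT)
    for f in findings:
        print(f"service {f['index']}: -> {f['target']:#010x} owner={f['owner']}")
    print(triage(findings, trusted={"av_filter.sys"}))
    print(parse_inline_hook_line(
        "inline hook ntoskrnl.exe PsCreateSystemThread+0x455 -> 0x00000008"))
```

Running it reports entries 2 and 3 from the scan, then sorts entry 2 under the trusted driver and leaves entry 3 for analysis; the parsed report line resolves its target to no module in this constructed map, which is exactly the situation the thread says needs a trained reader of the log rather than an automatic removal.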



