AVG detects Inline hook win32k.sys (part of operating system) - false positive?

13 replies to this topic

#1 ddrz

ddrz

  • Members
  • 6 posts

Posted 23 September 2015 - 08:08 PM

Hi,

I got a slight shock when I did a scan with AVG today and found what's stated in the title above. See attached pictures of the log from AVG:

http://imgur.com/a/PLKzE

After Google failed to give me a good answer (mainly a lot of "blogs" recommending downloading anti-spyware-something-something and deleting some winreg entries), I tried to locate all files named win32k.sys and upload them to virustotal.com. I think I've uploaded about 6-9 now, with no threats detected.

I don't have any funny or odd-looking services running in Task Manager as far as I can tell (checked "show all users" and googled some of the processes). My CPU usage as I write this is between 2-10 %, staying mostly around 2-4 %.

That is how far I got on my own, and to be honest I'm a bit lost now. I suspect that this is a false positive. At the same time, if I'm wrong, an inline hook seems like some nasty business. Also, I'm confused by the "part of operating system".

For information, the ESEA client is a 3rd-party client used to play Counter-Strike: Global Offensive. It's a really intrusive anti-cheat, and has been known to get detected as malware/trojan/virus by other anti-virus programs.

Please note that the 2nd detection, ESEA, only appeared after I ran CCleaner (and did a re-scan in the hope that the inline hook would go away).

So my question is, should I not worry about this? Or should I dig deeper? I apologize if I missed any information needed.

Thank you for all help.

Best regards,

D

Operating system: Win 7 64-bit.


Edited by ddrz, 23 September 2015 - 08:10 PM.



#2 Aura

Aura

    Bleepin' Special Ops


  • Malware Response Team
  • 19,697 posts

Posted 23 September 2015 - 08:38 PM

Hi ddrz :)

Personally for me, you answered your own question.

For information, the ESEA client is a 3rd party client used to play Counter-strike: Global Offensive. It's a really intrusive anti cheat, and has been known to get detected as malware/trojan/virus by other anti virus programs.


Take a look at the thread below.

https://www.reddit.com/r/GlobalOffensive/comments/1r2uca/how_to_uninstall_esea_client_remove_kernal_driver/

ESEA is indeed known to use very, very intrusive methods to prevent you from cheating on CS:GO, so it doesn't surprise me that AVG would detect it as being malicious. If I didn't know what ESEA is and how it works, I would suspect it of being malicious as well.

Is it possible for you to upload the file below to VirusTotal and post the URL to the results here?

C:\Users\$USERNAME\AppData\Local\Temp\ESEADriver2.sys

Security Administrator | Sysnative Windows Update Senior Analyst | Malware Hunter | @SecurityAura
My timezone UTC-05:00 (East. Coast). If I didn't reply to you within 48 hours, please send me a PM.


#3 ddrz

ddrz
  • Topic Starter

  • Members
  • 6 posts

Posted 23 September 2015 - 09:00 PM

Thank you for your quick reply and help, Aura.

As a starting point I would prefer not to delete ESEA, as they provide great servers and no one wants to play with cheaters. Also, due to a long story with ESEA and the US gov, I don't think they will try anything stupid.

What I didn't understand is why the ESEA path did not get detected before the 2nd scan. And I can't upload the file in question because I can't find it. It's not in the folder (show hidden files on, even tried showing system files). Will try and examine this closer tomorrow.

Sorry for any spelling mistakes, I'm writing this on an iPhone with a foreign-language auto-correct, a bit of a challenge.

#4 Aura

Aura

    Bleepin' Special Ops


  • Malware Response Team
  • 19,697 posts

Posted 24 September 2015 - 05:18 AM

What I didn't understand is why the ESEA path did not get detected before the 2nd scan


I see two possibilities for that. The first one being that the CCleaner scan, which emptied the content of the Temp folder, deleted the current copy of ESEADriver2.sys in use, forcing the ESEA program to recreate it, and AVG caught it. The second one being that ESEADriver2.sys wasn't deleted by CCleaner (since it was in use), and AVG's attention was shifted to the Temp folder because of the large-scale operation CCleaner was executing, and it caught it there.

And I can't upload the file in question because I can't find it. It's not in the folder (show hidden files on, even tried showing system files). Will try and examine this closer tomorrow.


Is it not there when you try to upload it, or is it not there when you try to find it via Windows Explorer?



#5 ddrz

ddrz
  • Topic Starter

  • Members
  • 6 posts

Posted 24 September 2015 - 09:30 AM

And I can't upload the file in question because I can't find it. It's not in the folder (show hidden files on, even tried showing system files). Will try and examine this closer tomorrow.


Is it not there when you try to upload it, or is it not there when you try to find it via Windows Explorer?


I'm pretty sure I could not find it when I tried to upload it. What I am sure of is that it's not in the folder (i.e. I can't find it) when I try to find it via Windows Explorer.



#6 Aura

Aura

    Bleepin' Special Ops


  • Malware Response Team
  • 19,697 posts

Posted 24 September 2015 - 09:46 AM

Go on your C: drive, and search for "ESEADriver". Does it return anything?



#7 RolandJS

RolandJS

  • Members
  • 4,552 posts

Posted 24 September 2015 - 09:56 AM

If AVG has an exclusion panel, that driver and/or folder can be excluded, correct?

Addendum: Aura [next post] is right as rain!


Edited by RolandJS, 24 September 2015 - 11:36 AM.

"Take care of thy backups and thy restores shall take care of thee."  -- Ben Franklin revisited.

http://collegecafe.fr.yuku.com/forums/45/Computer-Technologies/

Backup, backup, backup! -- Lady Fitzgerald (w7forums)

Clone or Image often! Backup... -- RockE (WSL)


#8 Aura

Aura

    Bleepin' Special Ops


  • Malware Response Team
  • 19,697 posts

Posted 24 September 2015 - 10:28 AM

I wouldn't exclude the folder, since it's located in the "Temp" folder and you don't want to exclude it from your Antivirus' protection. It's possible to exclude the file, however I don't know if the file triggers that detection, or if the fact that it hooks after a system process does. If it does, you might be able to whitelist the process, but not the hook. I don't use AVG so it's hard to tell.



#9 ddrz

ddrz
  • Topic Starter

  • Members
  • 6 posts

Posted 24 September 2015 - 04:44 PM

Searching C: for ESEAdriver did not return any results.

However, I think you were right with your first guess. Booted up the computer, scanned with AVG, found two tracking cookies that were fixed. Launched the ESEA client, and then exited it, before I did another scan. AVG now found the Inline hook win32k.sys. Did the same thing again, with the same result (apart from the tracking cookies in the first scan after restart).

Sorry, I should have done this yesterday instead of bothering you, but I was quite tired at the time. So thank you for all your kind help.

On a side note, seeing as you have way more knowledge than me about this, would you use AVG? Or would you recommend another anti-virus program? (Realizing I might be posting this in the wrong thread.)



#10 Aura

Aura

    Bleepin' Special Ops


  • Malware Response Team
  • 19,697 posts

Posted 24 September 2015 - 05:08 PM

I stopped giving any consideration to AVG the day they started pushing their programs like PC TuneUp and Web TuneUp on their users. And now this:

http://www.bleepingcomputer.com/forums/t/590780/avg-privacy-policy-update-allows-it-to-sell-your-browsing-history/

So I wouldn't go with AVG as a free Antivirus, but that's me.

Let's try something. Open a command prompt with Admin Rights (right-click on the command prompt icon and select Run as Administrator), then enter the following command:
copy C:\Users\$USERNAME\AppData\Local\Temp\ESEADriver2.sys "%userprofile%\Desktop"
Replace the $USERNAME by your userprofile name obviously. This should copy the ESEADriver2.sys file on your Desktop.

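Added example, not Aura's or ESEA's code: a PowerShell version of the copy step above that also records the SHA-256 and Authenticode signer of the copied driver, so the hash can be matched against the VirusTotal report before deciding whether to trust or exclude the file. It assumes PowerShell 4.0 or newer (for Get-FileHash) and the file name quoted in the thread.

```powershell
# Added example (not from the thread): locate the ESEA driver in the user's Temp
# folder, copy it to the Desktop, then hash it and read its Authenticode signature.
# Assumes PowerShell 4.0+ (Get-FileHash) and the file name Aura quoted.
$driverName = 'ESEADriver2.sys'
$tempDir    = $env:TEMP                       # same as C:\Users\<user>\AppData\Local\Temp
$desktop    = [Environment]::GetFolderPath('Desktop')

# Explorer search does not reliably index %TEMP%, so enumerate it directly,
# including hidden files (-Force).
$driver = Get-ChildItem -Path $tempDir -Filter $driverName -File -Force -ErrorAction SilentlyContinue |
          Select-Object -First 1

if (-not $driver) {
    Write-Output "$driverName is not present in $tempDir. Start and exit the ESEA client, then run this again."
    return
}

# Work on a copy so the in-use original is left untouched.
$copyPath = Join-Path $desktop $driver.Name
Copy-Item -Path $driver.FullName -Destination $copyPath -Force

$hash = Get-FileHash -Path $copyPath -Algorithm SHA256
$sig  = Get-AuthenticodeSignature -FilePath $copyPath

# A 64-bit Windows 7 kernel driver must carry a valid signature; NotSigned or
# HashMismatch here would be a much stronger reason for concern than the AV alert alone.
$signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<unsigned>' }

Write-Output ("Source : {0}" -f $driver.FullName)
Write-Output ("Size   : {0} bytes, last written {1}" -f $driver.Length, $driver.LastWriteTime)
Write-Output ("SHA256 : {0}" -f $hash.Hash.ToLower())
Write-Output ("Signer : {0}" -f $signer)
Write-Output ("Status : {0}" -f $sig.Status)       # Valid, NotSigned, HashMismatch, ...

# If the hash is already known to VirusTotal, the report can be opened without
# uploading the file again.
Write-Output ("VT     : https://www.virustotal.com/gui/file/{0}" -f $hash.Hash.ToLower())
```

Compare the printed SHA-256 with the hash in the VirusTotal URL of the report you receive; a mismatch means a different copy of the file was scanned.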


#11 ddrz

ddrz
  • Topic Starter

  • Members
  • 6 posts

Posted 25 September 2015 - 12:30 PM

It worked! You're a wizard!

Did a scan on it, 0 results: https://www.virustotal.com/nb/file/af5aec0d07174fc80c0492c35b38330747ea61353e9d10c558c1c8effa423cdd/analysis/1443201954/

Using the pro version of AVG by the way, so hopefully my browsing history is safe... And as I'm working I have no issues paying for an anti-virus (or a total package with firewall, AV scanner etc.) if it's really good. Would you recommend buying something other than AVG?



#12 Aura

Aura

    Bleepin' Special Ops


  • Malware Response Team
  • 19,697 posts

Posted 25 September 2015 - 12:38 PM

So basically, if AVG keeps on targeting it, it's because it doesn't like that particular file hooking to the win32k.sys process. There are only three paid Antivirus products that I recommend in the Internet Security suite.

Emsisoft Internet Security
Kaspersky Internet Security
ESET Nod32 Smart Security

These products are also often recommended here on BleepingComputer and they always achieve really good results in the benchmarks, on top of getting good reviews and being excellent overall.



#13 ddrz

ddrz
  • Topic Starter

  • Members
  • 6 posts

Posted 25 September 2015 - 07:02 PM

So basically, if AVG keeps on targeting it, it's because it doesn't like that particular file hooking to the win32k.sys process. There are only three paid Antivirus products that I recommend in the Internet Security suite.

Emsisoft Internet Security
Kaspersky Internet Security
ESET Nod32 Smart Security

These products are also often recommended here on BleepingComputer and they always achieve really good results in the benchmarks, on top of getting good reviews and being excellent overall.


Thank you so much for this, and all your other helpful answers, Aura. Very happy that I bumped into you =)



#14 Aura

Aura

    Bleepin' Special Ops


  • Malware Response Team
  • 19,697 posts

Posted 25 September 2015 - 09:12 PM

No problem ddrz, you're welcome! :)
