
AVG detects 9 IRP hooks. Possible false positive?



#1 doglah


Posted 05 January 2016 - 09:07 AM

A few days ago I ran a whole computer scan in AVG and it detected 9 IRP hooks. I removed the 9 threats in AVG. I've run the same scan again today and the 9 IRP hooks are back! AVG is showing me the following:

"";"IRP hook, C:\Windows\system32\DRIVERS\hidusb.sys IRP_MJ_WRITE -> HIDCLASS.SYS +0x2710, C:\Windows\System32\drivers\HIDCLASS.SYS";"Unresolved"
"";"IRP hook, C:\Windows\system32\DRIVERS\hidusb.sys IRP_MJ_SYSTEM_CONTROL -> HIDCLASS.SYS +0x2710, C:\Windows\System32\drivers\HIDCLASS.SYS";"Unresolved"
"";"IRP hook, C:\Windows\system32\DRIVERS\hidusb.sys IRP_MJ_READ -> HIDCLASS.SYS +0x2710, C:\Windows\System32\drivers\HIDCLASS.SYS";"Unresolved"
"";"IRP hook, C:\Windows\system32\DRIVERS\hidusb.sys IRP_MJ_POWER -> HIDCLASS.SYS +0x2710, C:\Windows\System32\drivers\HIDCLASS.SYS";"Unresolved"
"";"IRP hook, C:\Windows\system32\DRIVERS\hidusb.sys IRP_MJ_PNP -> HIDCLASS.SYS +0x2710, C:\Windows\System32\drivers\HIDCLASS.SYS";"Unresolved"
"";"IRP hook, C:\Windows\system32\DRIVERS\hidusb.sys IRP_MJ_INTERNAL_DEVICE_CONTROL -> HIDCLASS.SYS +0x2710, C:\Windows\System32\drivers\HIDCLASS.SYS";"Unresolved"
"";"IRP hook, C:\Windows\system32\DRIVERS\hidusb.sys IRP_MJ_DEVICE_CONTROL -> HIDCLASS.SYS +0x2710, C:\Windows\System32\drivers\HIDCLASS.SYS";"Unresolved"
"";"IRP hook, C:\Windows\system32\DRIVERS\hidusb.sys IRP_MJ_CREATE -> HIDCLASS.SYS +0x2710, C:\Windows\System32\drivers\HIDCLASS.SYS";"Unresolved"
"";"IRP hook, C:\Windows\system32\DRIVERS\hidusb.sys IRP_MJ_CLOSE -> HIDCLASS.SYS +0x2710, C:\Windows\System32\drivers\HIDCLASS.SYS";"Unresolved"
 
I've copied the file hidusb.sys to my desktop and uploaded it to VirusTotal. This gets 0/56 detections (including with AVG). When I run a scan with AVG of just the system32 folder I also get no detections. Malwarebytes and SUPERAntiSpyware both don't find anything either. Does this mean this detection is a false positive?
 
Thanks for any help.




#2 quietman7


Posted 05 January 2016 - 01:45 PM

hidusb.sys is related to Microsoft HID Class Driver. See USB device class drivers included in Windows

Most of the time, IRP hooks are made by legit drivers to filter IRPs. Most scanners do not differentiate between what is good and what is bad...they only report what is found.

If you suspect a file was falsely detected (a false positive) or appears suspicious, then you should submit a sample to AVG so they can investigate and take corrective action if confirmed.

If you think AVG wrongly detected a file, URL or Tracking as harmful, or if you have a virus sample that AVG failed to detect, please submit it to us for analysis. Please note that we do not answer back with results as the files are being checked automatically.

AVG: Send us a sample
AVG FAQ 2343: How to report an incorrect detection by AVG?
Report a false (incorrect) detection to AVG

Once a file is received, a technician can examine it in more detail and provide a report letting you know the results. You should also contact and advise the program vendor that one of their files is being detected as a threat. In many cases they will work with the anti-virus techs in an attempt to resolve the detection.

You can also report such issues at the AVG Support Community Forums.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators
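
As an added example (not part of either post, and not AVG's code): a small Python triage script for the report format shown in post #1. It relies on the documented HID architecture, in which HIDCLASS.SYS takes over the dispatch table of a minidriver such as hidusb.sys when the minidriver registers; the allow-list, the `evil.sys` sample line and the function names are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample: three lines in the format posted above, plus one invented
# line (evil.sys) to show what an unexpected hook target looks like.
SAMPLE = r'''
"";"IRP hook, C:\Windows\system32\DRIVERS\hidusb.sys IRP_MJ_WRITE -> HIDCLASS.SYS +0x2710, C:\Windows\System32\drivers\HIDCLASS.SYS";"Unresolved"
"";"IRP hook, C:\Windows\system32\DRIVERS\hidusb.sys IRP_MJ_READ -> HIDCLASS.SYS +0x2710, C:\Windows\System32\drivers\HIDCLASS.SYS";"Unresolved"
"";"IRP hook, C:\Windows\system32\DRIVERS\hidusb.sys IRP_MJ_PNP -> HIDCLASS.SYS +0x2710, C:\Windows\System32\drivers\HIDCLASS.SYS";"Unresolved"
"";"IRP hook, C:\Windows\system32\DRIVERS\disk.sys IRP_MJ_READ -> evil.sys +0x1a40, C:\Users\Public\evil.sys";"Unresolved"
'''

LINE = re.compile(
    r'IRP hook, (?P<driver>\S+) (?P<major>IRP_MJ_\w+) -> (?P<module>\S+) '
    r'\+0x(?P<offset>[0-9A-Fa-f]+), (?P<target>[^"]+)"')

# Assumption: minidriver -> class driver pairs where the class driver is
# documented to own the dispatch table. Extend this set for your environment.
EXPECTED = {("hidusb.sys", "hidclass.sys")}
DRIVER_DIR = "c:\\windows\\system32\\drivers\\"

def base(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def parse(text):
    """Group hooked major functions by (driver path, target path, offset)."""
    groups = defaultdict(list)
    for m in LINE.finditer(text):
        key = (m["driver"].lower(), m["target"].lower(), int(m["offset"], 16))
        groups[key].append(m["major"])
    return groups

def triage(text):
    """Return {driver basename: verdict}; a 'review' verdict is sticky."""
    verdicts = {}
    for (driver, target, _offset), _majors in parse(text).items():
        name = base(driver)
        ok = target.startswith(DRIVER_DIR) and (name, base(target)) in EXPECTED
        verdict = ("expected class-driver redirection" if ok
                   else "review: verify signature of " + target)
        if not verdicts.get(name, "").startswith("review"):
            verdicts[name] = verdict
    return verdicts

if __name__ == "__main__":
    for drv, verdict in triage(SAMPLE).items():
        print(drv, "->", verdict)
```

A `review` verdict is only a prompt to check the target file's location and digital signature; it does not by itself indicate malware.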




