Windows 10: Rootkit Virus? Inline Hook Ntoskrnl.exe AVG

Discussion in 'AntiVirus, Firewalls and System Security' started by Gelbs, Aug 2, 2016.

  1. Gelbs Win User

    I basically downloaded the 1607 Windows update, the latest one. And one time, my AVG came up with 800 plus threats to do with a rootkit or something, and I think ntoskrnl.exe. I can't remember. Basically, the threats I think were hidden, and either way it couldn't delete them. I thought that it might have been to do with where I configured my boot settings to safe mode, as I sometimes go into that mode to be able to delete certain files I can't normally. But now, I've tried doing numerous scans with AVG, and everything seems clear and detected?? Any idea what it might have been? I haven't downloaded anything 'bogus' since the update etc. either. Kinda worried, lol.

    :)
     
    Gelbs, Aug 2, 2016
    #1
  2. IgFe Win User

    I just got a report from AVG's Anti-rootkit that there's a threat in my operating system (W 10 Home) that cannot be removed

    *Original Title: Inline hook ntoskrnl.exe

    Hi,

    I just got a report from AVG's Anti-rootkit that there's a threat in my operating system (W 10 Home) that cannot be removed:

    "Inline hook ntoskrnl.exe HvilslommuInUse+0xCCE8 -> 0x35DC65A0"

    (please note that I have retyped the name and I may have mistaken some "l" for capital "i", etc.)

    Could anyone please tell me what to do about it? I don't dare continue using that computer until I resolve the issue.

    Many thanks,
     
    IgFe, Aug 2, 2016
    #2
  3. DeeB16 Win User
    I have a virus "Inline hook ntoskrnl.exe HvilslommuInUse+0xCCE8 -> 0x35DC65A0"

    Inline hook ntoskrnl.exe ExAcquireSharedStarveExclusive+0x390 -> 0xFFFFF80319758055

    AVG has found this apparent -Medium threat level- virus. Within my OS -Windows 10. Is this a common false positive? Is AVG just not liking certain files within Windows?

    Never seen this before, AVG always scans 0 threats on my computer.

    Unsure whether to ignore it?

    Thoughts?
     
    DeeB16, Aug 2, 2016
    #3
  4. Borg 386 Win User

    If you're still concerned, which would be a valid concern when it comes to a rootkit, then run a scan with TDSSKiller which is designed to find/remove rootkits.

    TDSSKiller Download


    Note: When running TDSSKiller, launch the program, click on the blue text "Change Parameters" & check the box marked "Detect TDLFS File system." Click OK & then run the scan.

    A rootkit will create a hidden partition, at the end of the drive, 1 - 10 MB in size and set itself as the boot partition. Hence, the rootkit is already running before Windows loads. This hidden partition will not show up on Windows Disk Management in most cases.

    Malwarebytes also includes a rootkit scan. The free version will work fine.

    Malwarebytes | Free Anti-Malware & Malware Removal

    Enable Rootkit Scan on Malwarebytes
     
    Borg 386, Aug 2, 2016
    #4
  5. Gelbs Win User
    Okay thanks! I'll give them a try. It was an 'Inline Hook' virus detected or something as well. I thought it might have been to do with a registry hack for Cortana http://www.howtogeek.com/265027/how-...in-windows-10/ but either way, AVG is now detecting no new threats, pretty strange! Unless it was a false positive or something.
     
    Gelbs, Aug 2, 2016
    #5
  6. Borg 386 Win User
    It would be a good idea to run Malwarebytes & do a full system scan to see if it finds anything else. Viruses tend to invite others to the party. Malwarebytes will not cause a conflict with AVG & it's suggested you add this to your arsenal of malware scanners. You will need to update the definitions manually every time you scan unless you opt for the Pro version.

    Be aware that the free version is an "on demand" scanner & does not run active background scanning. The Pro version however does.
     
    Borg 386, Aug 2, 2016
    #6
  7. Gelbs Win User
    I'll see what Malwarebytes does. I already have it, but just waiting for AVG to finish another scan. I also have a third 'volume' disc showing under my optimise drives settings. Any way of me finding out what that is? Although it might be where I sometimes connect an external hard-drive to my computer. Getting paranoid now, lol.
     
    Gelbs, Aug 2, 2016
    #7
  8. Gelbs Win User

    Malwarebytes hasn't detected anything thus far. If that's the case, what do you think it was previously? I mean, to detect 800 odd threats is a heck of a lot! Seems strange. Should I do a clean install or something, or you think that I'm safe?
     
    Gelbs, Aug 2, 2016
    #8
  9. Borg 386 Win User
    800 does sound like a lot. That is always the safest option, a clean install. It's up to you, most people try to avoid this as it involves setting everything up again from scratch. Be sure to wipe the entire drive if you opt for this action as some rootkits can survive a re-installation.

    Reset Windows 10 - Windows 10 Forums

    Refresh Windows 10 - Windows 10 Forums

    Windows 10 - Clean Install - Windows 10 Forums

    You will find links to other options & related tutorials at the bottom of the page on all of these tutorials.
     
    Borg 386, Aug 2, 2016
    #9
  10. Gelbs Win User
    Yeah. I hate having to install everything. Pain in the arse lol. I'll see how things go. Hopefully it might not have been anything.
     
    Gelbs, Aug 2, 2016
    #10
  11. Borg 386 Win User
    Yeah, it is a PIA but the best way when in doubt.

    See what Malwarebytes as well as TDSSKiller says. Other good malware scanners are AdwCleaner & SuperAntiSpyware Portable.

    There is another way to confirm if you do have a hidden partition on your HDD that might be hiding from Windows. GParted is a bootable partition manager that you can use to look at your HDD. Since it runs at boot up, you can get a good look at what exists on your drive before Windows engages.

    As I stated earlier, a rootkit will show as a hidden boot partition, usually at the end of the drive, 1 - 10 MB in size, depending on the variant.

    You can d/l it here & make a boot disk/USB.

    http://gparted.org/

    GParted -- Documentation
     
    Borg 386, Aug 2, 2016
    #11
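
The layout check described in posts #4 and #11 (a small partition at the end of the drive that carries the boot flag), as an added example that is not part of the original thread: it parses the four primary entries of an MBR sector taken from a disk image and flags that pattern. It assumes a classic MBR disk with 512-byte sectors (GPT is not handled); the function names and both sample layouts are constructed for illustration.

```python
import struct

SECTOR = 512  # assumption: 512-byte sectors on a classic MBR disk

def parse_mbr(sector0: bytes):
    """Return the non-empty primary partition entries of an MBR sector."""
    if len(sector0) < 512 or sector0[510:512] != b"\x55\xaa":
        raise ValueError("not an MBR: missing 0x55AA signature")
    parts = []
    for i in range(4):
        entry = sector0[446 + 16 * i: 462 + 16 * i]
        boot_flag, ptype = entry[0], entry[4]
        start_lba, sectors = struct.unpack_from("<II", entry, 8)
        if ptype == 0 or sectors == 0:
            continue  # unused slot
        parts.append({"slot": i, "active": boot_flag == 0x80, "type": ptype,
                      "start": start_lba, "sectors": sectors,
                      "size_mb": sectors * SECTOR / 2**20})
    return parts

def suspicious(parts, min_mb=1, max_mb=10):
    """Flag the pattern from the thread: the last partition on the disk is
    small (1-10 MB by default) and carries the active/boot flag."""
    if not parts:
        return []
    last = max(parts, key=lambda p: p["start"])
    hit = last["active"] and min_mb <= last["size_mb"] <= max_mb
    return [last] if hit else []

def build_sample_mbr(entries):
    """Constructed test data: a blank sector holding the given
    (boot_flag, type, start_lba, sector_count) entries."""
    buf = bytearray(512)
    for i, (flag, ptype, start, count) in enumerate(entries):
        # Entry layout: flag, 3 CHS bytes, type, 3 CHS bytes, LBA start, count
        struct.pack_into("<B3xB3xII", buf, 446 + 16 * i, flag, ptype, start, count)
    buf[510:512] = b"\x55\xaa"
    return bytes(buf)

# Constructed layouts, not taken from any real disk.
CLEAN = build_sample_mbr([(0x80, 0x07, 2048, 1024000),
                          (0x00, 0x07, 1026048, 200000000)])
ODD = build_sample_mbr([(0x00, 0x07, 2048, 200000000),
                        (0x80, 0x17, 200002048, 8192)])  # 4 MB, active, last

if __name__ == "__main__":
    for name, img in (("clean", CLEAN), ("odd", ODD)):
        print(name, "flagged:", suspicious(parse_mbr(img)))
```

A hit only marks a partition worth inspecting from the boot disk; it says nothing by itself about what the partition contains.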
  12. This is why you should have your system backed up. Also, some rootkits have the ability to modify the MBR.
     
    RubberDucky, Aug 2, 2016
    #12
  13. Gelbs Win User

    Basically done all searches with numerous software scans, and nothing is detected any longer. Could have just been a temp thing with AVG!
     
    Gelbs, Aug 2, 2016
    #13
  14. I don't know much about this virus, but generally you can restart your computer, go to Safe Mode, and from Safe Mode download Microsoft's Security Essentials and Malwarebytes Anti-Malware (yes, you can use the trial) and run them one by one. (The order doesn't matter, just don't run them at the same time.) After they are done, delete anything that appears on both MSE and MAM. Then power it off and back on, and see if it is gone. My father taught me this.
     
    ProgrammerWhiz, Aug 2, 2016
    #14
  15. Gelbs Win User
    I did an AVG root-scan last night. It picked up 20 'Inline hook ntoskrnl.exe' threats. I did a fresh install and kept my files of Windows 10, did a scan and it was fine. Now, it's found one again! Getting pissed off with this. No idea if it's a false positive etc, and has something to do with the recent 1607 update!
     
    Gelbs, Aug 3, 2016
    #15