AVG reporting "prodrv06 IRP_MJ_CREATE" rootkit

Hi Folks,

At the suggestion of contributors to the AVG Forums, I just purchased Malwarebytes and am running a FULL scan as I write this.

AVG is reporting a series of rootkit files:

"Detection name";"IRP hook, \Driver\prodrv06 IRP_MJ_CREATE -> 0xE22B2008"

"Detection name";"IRP hook, \Driver\prodrv06 IRP_MJ_CLOSE -> 0xE22B2008"

"Detection name";"IRP hook, \Driver\prodrv06 IRP_MJ_DEVICE_CONTROL -> 0xE22B2008"

"Detection name";"IRP hook, \Driver\prohlp02 IRP_MJ_CREATE -> 0x7B324A41"

"Detection name";"IRP hook, \Driver\prohlp02 IRP_MJ_CLOSE -> 0x7B324A41"

"Detection name";"IRP hook, \Driver\prohlp02 IRP_MJ_DEVICE_CONTROL -> 0x7B324A41"

with, of course, no solutions in the AVG app (nor on their Site) for removal.

After Googling the drivers' names, I am led to believe these files were installed at some time with a game and are an anti-theft program popular with some game authors. Any thoughts by you folks on this??

Malwarebytes results:

Files Infected:

c:\documents and settings\all users\documents\acronis.true.image.home.v10.0.4942.incl.keymaker-core\keygen-core.exe (Trojan.Dropper.PGen) -> Quarantined and deleted successfully.

c:\program files\GetRight\patch_52d.exe (Trojan.Bancos) -> Quarantined and deleted successfully.

c:\program files\CoolPix\ColorPix.exe (Trojan.Dropper) -> Quarantined and deleted successfully.

Are my immediate assumptions probably right... that AVG is definitely proclaiming a false positive??

Many thanks in advance.....

  • Staff

AVG just enumerates certain hooks which are also used by rootkits. This doesn't always mean you are dealing with a rootkit. In many cases, legitimate files, as in your case, act the same.

What AVG sees here are the hooks set by the StarForce Protection Helper: http://www.star-force.com/

So, as you already mentioned, they are indeed installed with a certain game. So you don't have to worry here and you can safely ignore the AVG detection. :)

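The staff reply's point is that an IRP-hook listing alone does not identify a rootkit; the hooks have to be attributed to their owning driver. The script below is an added example, not part of this thread or of AVG's or Malwarebytes' tooling: it parses AVG detection lines of the form quoted above, groups the hooked IRP major functions by driver, checks whether each driver's hooks all land on one handler address, and looks the driver up in an assumed allowlist (here populated with the StarForce driver names from the post; `exampledrv` is a constructed placeholder for an unattributed driver).

```python
import re
from collections import defaultdict

# Constructed sample input in the "Detection name";"..." format shown in the post.
# The last line is a made-up driver name to exercise the "unknown" path.
AVG_LINES = [
    '"Detection name";"IRP hook, \\Driver\\prodrv06 IRP_MJ_CREATE -> 0xE22B2008"',
    '"Detection name";"IRP hook, \\Driver\\prodrv06 IRP_MJ_CLOSE -> 0xE22B2008"',
    '"Detection name";"IRP hook, \\Driver\\prodrv06 IRP_MJ_DEVICE_CONTROL -> 0xE22B2008"',
    '"Detection name";"IRP hook, \\Driver\\prohlp02 IRP_MJ_CREATE -> 0x7B324A41"',
    '"Detection name";"IRP hook, \\Driver\\prohlp02 IRP_MJ_CLOSE -> 0x7B324A41"',
    '"Detection name";"IRP hook, \\Driver\\prohlp02 IRP_MJ_DEVICE_CONTROL -> 0x7B324A41"',
    '"Detection name";"IRP hook, \\Driver\\exampledrv IRP_MJ_CREATE -> 0x12345678"',
]

# Assumed allowlist: driver name (lower-case) -> product that legitimately installs it.
# Build this from your own software inventory; these two entries come from the thread.
KNOWN_DRIVERS = {
    "prodrv06": "StarForce Protection Helper",
    "prohlp02": "StarForce Protection Helper",
}

HOOK_RE = re.compile(
    r'IRP hook, \\Driver\\(?P<driver>\S+) (?P<irp>IRP_MJ_\w+) -> (?P<addr>0x[0-9A-Fa-f]+)'
)

def parse_avg_hooks(lines):
    """Return (driver, irp_major_function, handler_address) for each IRP-hook line."""
    hooks = []
    for line in lines:
        m = HOOK_RE.search(line)
        if m:
            hooks.append((m["driver"], m["irp"], int(m["addr"], 16)))
    return hooks

def triage(hooks, allowlist):
    """Group hooks per driver and attach a verdict based on the allowlist."""
    grouped = defaultdict(lambda: {"irps": [], "handlers": set()})
    for driver, irp, addr in hooks:
        grouped[driver]["irps"].append(irp)
        grouped[driver]["handlers"].add(addr)
    report = {}
    for driver, info in grouped.items():
        product = allowlist.get(driver.lower())
        report[driver] = {
            "irps": sorted(info["irps"]),
            # One handler for every hooked dispatch entry is typical of a single driver's filter.
            "single_handler": len(info["handlers"]) == 1,
            "verdict": f"known: {product}" if product
                       else "unknown: verify signer, install date and owning product",
        }
    return report
```

Run `triage(parse_avg_hooks(AVG_LINES), KNOWN_DRIVERS)` to see the two StarForce drivers resolved to their product and the placeholder driver flagged for follow-up.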
