Strange result after AV scanning


I downloaded and installed AVG Free 2014 and it performed a first-time optimization scan. Here is the result (copied to a text file):

"";"IRP hook, C:\WINDOWS\system32\drivers\Ntfs.sys IRP_MJ_CLEANUP -> 0xFFFFFFFF825A21F8, <unknown>";"Infected"
"";"IRP hook, C:\WINDOWS\system32\drivers\Ntfs.sys IRP_MJ_CLOSE -> 0xFFFFFFFF825A21F8, <unknown>";"Infected"
"";"IRP hook, C:\WINDOWS\system32\drivers\Ntfs.sys IRP_MJ_CREATE -> 0xFFFFFFFF825A21F8, <unknown>";"Infected"
"";"IRP hook, C:\WINDOWS\system32\drivers\Ntfs.sys IRP_MJ_DEVICE_CONTROL -> 0xFFFFFFFF825A21F8, <unknown>";"Infected"
"";"IRP hook, C:\WINDOWS\system32\drivers\Ntfs.sys IRP_MJ_DIRECTORY_CONTROL -> 0xFFFFFFFF825A21F8, <unknown>";"Infected"
"";"IRP hook, C:\WINDOWS\system32\drivers\Ntfs.sys IRP_MJ_FILE_SYSTEM_CONTROL -> 0xFFFFFFFF825A21F8, <unknown>";"Infected"
"";"IRP hook, C:\WINDOWS\system32\drivers\Ntfs.sys IRP_MJ_FLUSH_BUFFERS -> 0xFFFFFFFF825A21F8, <unknown>";"Infected"
"";"IRP hook, C:\WINDOWS\system32\drivers\Ntfs.sys IRP_MJ_LOCK_CONTROL -> 0xFFFFFFFF825A21F8, <unknown>";"Infected"
"";"IRP hook, C:\WINDOWS\system32\drivers\Ntfs.sys IRP_MJ_PNP -> 0xFFFFFFFF825A21F8, <unknown>";"Infected"
"";"IRP hook, C:\WINDOWS\system32\drivers\Ntfs.sys IRP_MJ_QUERY_EA -> 0xFFFFFFFF825A21F8, <unknown>";"Infected"
"";"IRP hook, C:\WINDOWS\system32\drivers\Ntfs.sys IRP_MJ_QUERY_INFORMATION -> 0xFFFFFFFF825A21F8, <unknown>";"Infected"
"";"IRP hook, C:\WINDOWS\system32\drivers\Ntfs.sys IRP_MJ_QUERY_QUOTA -> 0xFFFFFFFF825A21F8, <unknown>";"Infected"
"";"IRP hook, C:\WINDOWS\system32\drivers\Ntfs.sys IRP_MJ_QUERY_SECURITY -> 0xFFFFFFFF825A21F8, <unknown>";"Infected"
"";"IRP hook, C:\WINDOWS\system32\drivers\Ntfs.sys IRP_MJ_QUERY_VOLUME_INFORMATION -> 0xFFFFFFFF825A21F8, <unknown>";"Infected"
"";"IRP hook, C:\WINDOWS\system32\drivers\Ntfs.sys IRP_MJ_READ -> 0xFFFFFFFF825A21F8, <unknown>";"Infected"
"";"IRP hook, C:\WINDOWS\system32\drivers\Ntfs.sys IRP_MJ_SET_EA -> 0xFFFFFFFF825A21F8, <unknown>";"Infected"
"";"IRP hook, C:\WINDOWS\system32\drivers\Ntfs.sys IRP_MJ_SET_INFORMATION -> 0xFFFFFFFF825A21F8, <unknown>";"Infected"
"";"IRP hook, C:\WINDOWS\system32\drivers\Ntfs.sys IRP_MJ_SET_QUOTA -> 0xFFFFFFFF825A21F8, <unknown>";"Infected"
"";"IRP hook, C:\WINDOWS\system32\drivers\Ntfs.sys IRP_MJ_SET_SECURITY -> 0xFFFFFFFF825A21F8, <unknown>";"Infected"
"";"IRP hook, C:\WINDOWS\system32\drivers\Ntfs.sys IRP_MJ_SET_VOLUME_INFORMATION -> 0xFFFFFFFF825A21F8, <unknown>";"Infected"
"";"IRP hook, C:\WINDOWS\system32\drivers\Ntfs.sys IRP_MJ_SHUTDOWN -> 0xFFFFFFFF825A21F8, <unknown>";"Infected"
"";"IRP hook, C:\WINDOWS\system32\drivers\Ntfs.sys IRP_MJ_WRITE -> 0xFFFFFFFF825A21F8, <unknown>";"Infected"

Does anyone know what these IRP hooks are? The file is the one from SP3, version 5.1.2600.5512, size 574,976 bytes, CRC32 of the data 84B0A6F3 (per 7-Zip). I performed a shell extension scan and a command line single file scan (with avgscanx.exe) afterwards that showed no infection.
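As an added example (not code from the thread or from AVG), a short Python script that parses the semicolon-separated export quoted above, groups the hooked IRP_MJ entries by the address they resolve to, so that it is visible that every Ntfs.sys dispatch entry points at one unknown address, and computes a driver file's size and CRC32 for comparison with the values the poster gives. The sample lines are constructed from the log above, and the Ntfs.sys size and CRC32 constants are taken from the post as stated, not independently verified.

```python
import re
import zlib
from collections import defaultdict

# Constructed sample: three lines in the format of the AVG export quoted in the post.
SAMPLE_EXPORT = r'''"";"IRP hook, C:\WINDOWS\system32\drivers\Ntfs.sys IRP_MJ_CREATE -> 0xFFFFFFFF825A21F8, <unknown>";"Infected"
"";"IRP hook, C:\WINDOWS\system32\drivers\Ntfs.sys IRP_MJ_READ -> 0xFFFFFFFF825A21F8, <unknown>";"Infected"
"";"IRP hook, C:\WINDOWS\system32\drivers\Ntfs.sys IRP_MJ_WRITE -> 0xFFFFFFFF825A21F8, <unknown>";"Infected"
'''

# Ntfs.sys 5.1.2600.5512 size and CRC32 as the poster reports them (from the thread, not verified here).
NTFS_SP3_SIZE = 574976
NTFS_SP3_CRC32 = "84B0A6F3"

# One AVG line: "";"IRP hook, <driver> <IRP_MJ_x> -> <address>, <owner>";"<verdict>"
HOOK_RE = re.compile(
    r'^"(?P<object>[^"]*)";"IRP hook, (?P<driver>.+?) (?P<irp>IRP_MJ_[A-Z_]+) -> '
    r'(?P<target>0x[0-9A-Fa-f]+), (?P<owner>[^"]*)";"(?P<verdict>[^"]*)"$'
)

def parse_irp_hooks(export_text):
    """One dict per 'IRP hook' line; lines in any other format are skipped."""
    return [m.groupdict() for m in
            (HOOK_RE.match(line.strip()) for line in export_text.splitlines()) if m]

def summarize_by_target(hooks):
    """Group hooked IRP_MJ names by the address they resolve to.

    Every entry resolving to one address means one component replaced the
    dispatch table; filter drivers and security products do this too, so it
    is a lead to identify that address's owner, not a verdict on its own.
    """
    by_target = defaultdict(list)
    for h in hooks:
        by_target[h["target"]].append(h["irp"])
    return {target: sorted(names) for target, names in by_target.items()}

def crc32_hex(data):
    """CRC32 the way 7-Zip displays it: eight upper-case hex digits."""
    return "%08X" % (zlib.crc32(data) & 0xFFFFFFFF)

def check_driver_bytes(data, expected_size=NTFS_SP3_SIZE, expected_crc=NTFS_SP3_CRC32):
    """Compare size and CRC32 with the expected values; a match shows the file
    on disk is the expected build, not that nothing hooks it in memory."""
    return {"size_ok": len(data) == expected_size, "crc_ok": crc32_hex(data) == expected_crc}

def check_driver_file(path, **expected):
    with open(path, "rb") as f:
        return check_driver_bytes(f.read(), **expected)
```

Run `summarize_by_target(parse_irp_hooks(SAMPLE_EXPORT))` on the full export to see the twenty-one entries collapse to one target address; `check_driver_file(r"C:\WINDOWS\system32\drivers\Ntfs.sys")` only reproduces the size and CRC32 comparison the poster did by hand.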



Well, you'd normally see things like that in ProcMon with the advanced filter set. They are basically just operations that are performed. I think maybe AVG is marking them just because of the unknown aspect to them, but that is hardly a cause for alarm. You can maybe try running Gmer on the system to scan for rootkits. Note: Gmer doesn't specifically know if something is bad, so some things show up as rootkits that are actually OK. For example, a computer with the Sentinel HASP driver installed will show a false-positive result for a rootkit infection.

http://www.gmer.net/


Sorry for the delayed response, I was off the web for some days. Thanks for the information, Tripedacus. I also don't think that it is something bad; it mostly looked weird to me. AVG also scans for rootkits, so the whole thing seems to be benign anyway.


I've used nothing but AVG FREE both professionally and personally since its early days. It's definitely NOT Trash, Crap or any of that negative stuff. It does things and finds problems that other AV programs totally miss.

But AVG 2014 is a Beta Test version, not a formal release, so don't expect any miracles. I did install it on my Windows 8 hard drive and there were problems. I don't remember the details but I wound up removing it and replacing it with AVG 2013 FREE, which works just fine.

That would be my suggestion here too.

B)


AVG is known for having issues. It's wiped system32 several times in the past. This looks like a false positive, and yet another dangerous one by AVG.

I honestly would recommend uninstalling AVG completely and using the AVG Uninstall Tool afterwards.

Use something like MSE or Avast and see how you fare with that.
