Page 1 of 2
October 8, 2013 21:30 IRP Rootkits, Help? #234867
Fataldart

Novice
Join Date: 8.10.2013
Posts: 10
So last night my computer got infected. I have no idea how, as I have gone onto no site that I haven't been on before, and my AVG has picked up 9 rootkits, all in the one file, as seen below.
Anti-Rootkit scan
Medium priority;"9";"0";"9"
Started:;"10/9/2013, 6:59:42 AM"
Finished:;"10/9/2013, 7:01:19 AM"
Total object scanned:;"176545"
User who launched the scan:;"User"

Status;"Priority";"Name";"Description";"Result"
Infected;"Medium";"IRP hook, C:\Windows\system32\DRIVERS\hidusb.sys IRP_MJ_CREATE -> HIDCLASS.SYS +0x2A8C";"C:\Windows\system32\DRIVERS\HIDCLASS.SYS";"Cannot be removed
Incorrect function."
Infected;"Medium";"IRP hook, C:\Windows\system32\DRIVERS\hidusb.sys IRP_MJ_INTERNAL_DEVICE_CONTROL -> HIDCLASS.SYS +0x2A8C";"C:\Windows\system32\DRIVERS\HIDCLASS.SYS";"Cannot be removed
Incorrect function."
Infected;"Medium";"IRP hook, C:\Windows\system32\DRIVERS\hidusb.sys IRP_MJ_DEVICE_CONTROL -> HIDCLASS.SYS +0x2A8C";"C:\Windows\system32\DRIVERS\HIDCLASS.SYS";"Cannot be removed
Incorrect function."
Infected;"Medium";"IRP hook, C:\Windows\system32\DRIVERS\hidusb.sys IRP_MJ_SYSTEM_CONTROL -> HIDCLASS.SYS +0x2A8C";"C:\Windows\system32\DRIVERS\HIDCLASS.SYS";"Cannot be removed
Incorrect function."
Infected;"Medium";"IRP hook, C:\Windows\system32\DRIVERS\hidusb.sys IRP_MJ_READ -> HIDCLASS.SYS +0x2A8C";"C:\Windows\system32\DRIVERS\HIDCLASS.SYS";"Cannot be removed
Incorrect function."
Infected;"Medium";"IRP hook, C:\Windows\system32\DRIVERS\hidusb.sys IRP_MJ_WRITE -> HIDCLASS.SYS +0x2A8C";"C:\Windows\system32\DRIVERS\HIDCLASS.SYS";"Cannot be removed
Incorrect function."
Infected;"Medium";"IRP hook, C:\Windows\system32\DRIVERS\hidusb.sys IRP_MJ_PNP -> HIDCLASS.SYS +0x2A8C";"C:\Windows\system32\DRIVERS\HIDCLASS.SYS";"Cannot be removed
Incorrect function."
Infected;"Medium";"IRP hook, C:\Windows\system32\DRIVERS\hidusb.sys IRP_MJ_POWER -> HIDCLASS.SYS +0x2A8C";"C:\Windows\system32\DRIVERS\HIDCLASS.SYS";"Cannot be removed
Incorrect function."
Infected;"Medium";"IRP hook, C:\Windows\system32\DRIVERS\hidusb.sys IRP_MJ_CLOSE -> HIDCLASS.SYS +0x2A8C";"C:\Windows\system32\DRIVERS\HIDCLASS.SYS";"Cannot be removed
Incorrect function."

And I am working on getting a report from GMER, but it keeps crashing / not responding halfway through... But as you can see, it seems to be my USB drivers that are infected? I don't know, or is this a false report?
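Added example, not part of the thread and not AVG's own tooling: a small Python triage script that parses the AVG Anti-Rootkit report format quoted above and checks each reported IRP hook against the documented Windows class-driver relationship. hidusb.sys is a HID minidriver; when it registers with HIDCLASS.SYS (HidRegisterMinidriver), HIDCLASS installs its own dispatch routine in the minidriver's driver object, so every IRP_MJ_* entry of hidusb.sys points at one routine inside HIDCLASS.SYS. That is exactly the pattern in the report (every entry resolves to HIDCLASS.SYS +0x2A8C), and it is also consistent with the detections disappearing when no USB HID device is attached. The CLASS_DRIVER_FOR table, the verdict labels and the third report row (example.sys / unknown.sys, constructed to exercise the "investigate" path) are this example's own assumptions; the two hidusb rows are taken from the report above.

```python
import csv
import io
import re
from collections import defaultdict

# Known class-driver relationships (illustrative, HID only). A HID minidriver
# registers with HIDCLASS.SYS via HidRegisterMinidriver, and HIDCLASS replaces
# the minidriver's IRP dispatch entries with its own routine, so every IRP_MJ_*
# of hidusb.sys legitimately resolves into HIDCLASS.SYS.
CLASS_DRIVER_FOR = {
    "hidusb.sys": "hidclass.sys",
    "hidbth.sys": "hidclass.sys",
    "hidir.sys": "hidclass.sys",
}

# Sample AVG Anti-Rootkit report. The two hidusb rows are quoted from the
# thread; the example.sys row is CONSTRUCTED to exercise the 'investigate'
# path and does not correspond to any real driver.
AVG_REPORT = r'''Anti-Rootkit scan
User who launched the scan:;"User"

Status;"Priority";"Name";"Description";"Result"
Infected;"Medium";"IRP hook, C:\Windows\system32\DRIVERS\hidusb.sys IRP_MJ_CREATE -> HIDCLASS.SYS +0x2A8C";"C:\Windows\system32\DRIVERS\HIDCLASS.SYS";"Cannot be removed
Incorrect function."
Infected;"Medium";"IRP hook, C:\Windows\system32\DRIVERS\hidusb.sys IRP_MJ_READ -> HIDCLASS.SYS +0x2A8C";"C:\Windows\system32\DRIVERS\HIDCLASS.SYS";"Cannot be removed
Incorrect function."
Infected;"Medium";"IRP hook, C:\Windows\system32\DRIVERS\example.sys IRP_MJ_WRITE -> unknown.sys +0x10";"C:\Windows\Temp\unknown.sys";"Cannot be removed
Incorrect function."
'''

# Shape of the "Name" column for IRP hook findings, as seen in the report.
NAME_RE = re.compile(
    r"^IRP hook, (?P<driver>\S+) (?P<mj>IRP_MJ_\w+) -> (?P<target>\S+) \+0x(?P<off>[0-9A-Fa-f]+)$"
)


def parse_report(text):
    """Yield one dict per 'IRP hook' row. The table is ';'-separated with
    double-quoted fields; the Result field spans two lines, which the csv
    module handles because it sees the raw newlines inside the quotes."""
    start = text.find("Status;")
    if start < 0:
        raise ValueError("no result table found in report")
    reader = csv.DictReader(io.StringIO(text[start:]), delimiter=";", quotechar='"')
    for row in reader:
        m = NAME_RE.match(row.get("Name") or "")
        if not m:
            continue
        yield {
            "driver": m["driver"].rsplit("\\", 1)[-1].lower(),
            "driver_path": m["driver"],
            "mj": m["mj"],
            "target": m["target"].lower(),
            "offset": int(m["off"], 16),
            "result": " / ".join(row["Result"].splitlines()),
        }


def triage(text):
    """Label each hook: 'expected-class-driver-dispatch' when the target is the
    driver's known class driver AND all of that driver's entries agree on the
    same target+offset (one shared routine); otherwise 'investigate'."""
    rows = list(parse_report(text))
    routines = defaultdict(set)
    for r in rows:
        routines[r["driver"]].add((r["target"], r["offset"]))
    for r in rows:
        expected = CLASS_DRIVER_FOR.get(r["driver"])
        one_routine = len(routines[r["driver"]]) == 1
        r["verdict"] = (
            "expected-class-driver-dispatch"
            if expected == r["target"] and one_routine
            else "investigate"
        )
    return rows


if __name__ == "__main__":
    for r in triage(AVG_REPORT):
        print(f"{r['driver']:12} {r['mj']:30} -> {r['target']}+0x{r['offset']:X}  {r['verdict']}")
```

The script does not decide whether a machine is clean; it separates findings that match a documented class-driver dispatch pattern from ones that warrant a closer look, such as a target module that is not the driver's class driver, a target under a temporary path, or entries of one driver that disagree on target and offset.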
October 8, 2013 21:36 Re: IRP Rootkits, Help? #234868
Fataldart

Novice
Join Date: 8.10.2013
Posts: 10
extra info..

Luckily I posted that before my laptop crashed due to GMER.

System operating specs
Windows 7 Basic
version of AVG 2014
2014 Build 4142

GMER is still scanning again.
October 8, 2013 21:59 Re: IRP Rootkits, Help? #234871
Fataldart

Novice
Join Date: 8.10.2013
Posts: 10
GMER report..

GMER 2.1.19163 - http://www.gmer.net
Rootkit scan 2013-10-09 07:58:36
Windows 6.1.7600 \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1 HGST_HTS rev.GG2O 465.76GB
Running: tool.exe; Driver: C:\Users\User\AppData\Local\Temp\uwldypow.sys


---- System - GMER 2.1 ----

SSDT \SystemRoot\system32\DRIVERS\avgidsshimx.sys ZwNotifyChangeKey [0x90EE7690]
SSDT \SystemRoot\system32\DRIVERS\avgidsshimx.sys ZwNotifyChangeMultipleKeys [0x90EE77B0]
SSDT \SystemRoot\system32\DRIVERS\avgidsshimx.sys ZwOpenProcess [0x90EE7010]
SSDT \SystemRoot\system32\DRIVERS\avgidsshimx.sys ZwOpenThread [0x90EE7490]
SSDT \SystemRoot\system32\DRIVERS\avgidsshimx.sys ZwSuspendProcess [0x90EE72D0]
SSDT \SystemRoot\system32\DRIVERS\avgidsshimx.sys ZwSuspendThread [0x90EE73B0]
SSDT \SystemRoot\system32\DRIVERS\avgidsshimx.sys ZwTerminateProcess [0x90EE7110]
SSDT \SystemRoot\system32\DRIVERS\avgidsshimx.sys ZwTerminateThread [0x90EE71F0]
SSDT \SystemRoot\system32\DRIVERS\avgidsshimx.sys ZwWriteVirtualMemory [0x90EE7590]

---- Kernel code sections - GMER 2.1 ----

.text ntkrnlpa.exe!ZwSaveKeyEx + 13AD 82E5C579 1 Byte [06]
.text ntkrnlpa.exe!KiDispatchInterrupt + 5A2 82E80F52 19 Bytes [E0, 0F, BA, F0, 07, 73, 09, ...] {LOOPNZ 0x11; MOV EDX, 0x97307f0; MOV CR4, EAX; OR AL, 0x80; MOV CR4, EAX; RET ; MOV ECX, CR3}
.text ntkrnlpa.exe!RtlSidHashLookup + 4A0 82E889A0 8 Bytes [90, 76, EE, 90, B0, 77, EE, ...] {NOP ; JBE 0xfffffff1; NOP ; MOV AL, 0x77; OUT DX, AL; NOP }
.text ntkrnlpa.exe!RtlSidHashLookup + 4E8 82E889E8 4 Bytes [10, 70, EE, 90] {ADC [EAX-0x12], DH; NOP }
.text ntkrnlpa.exe!RtlSidHashLookup + 508 82E88A08 4 Bytes [90, 74, EE, 90] {NOP ; JZ 0xfffffff1; NOP }
.text ntkrnlpa.exe!RtlSidHashLookup + 7A8 82E88CA8 8 Bytes [D0, 72, EE, 90, B0, 73, EE, ...] {SAL BYTE [EDX-0x12], 0x1; NOP ; MOV AL, 0x73; OUT DX, AL; NOP }
.text ntkrnlpa.exe!RtlSidHashLookup + 7B8 82E88CB8 8 Bytes [10, 71, EE, 90, F0, 71, EE, ...] {ADC [ECX-0x12], DH; NOP ; JNO 0xfffffff5; NOP }
.text ...

---- Devices - GMER 2.1 ----

AttachedDevice \Driver\tdx \Device\Tcp avgtdix.sys

Device \Driver\iaStor \Device\Ide\iaStor0 dvd43llh.sys
Device \Driver\iaStor \Device\Ide\IAAStorageDevice-0 dvd43llh.sys
Device \Driver\iaStor \Device\Ide\IAAStorageDevice-1 dvd43llh.sys

AttachedDevice \Driver\tdx \Device\Udp avgtdix.sys
AttachedDevice \Driver\tdx \Device\RawIp avgtdix.sys

---- EOF - GMER 2.1 ----
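Added example (not from the thread and not part of GMER): correlating the two GMER sections above. Each "SSDT" line names a hooked system service and the address it now points to; the byte values in the "Kernel code sections" lines for RtlSidHashLookup + N are those same addresses written little-endian (for instance [90, 76, EE, 90] is 0x90EE7690, the ZwNotifyChangeKey entry), so the two sections describe the same set of modifications, all attributed by GMER to avgidsshimx.sys. The script parses both sections, matches each patched byte window against the hook addresses, and lists which patches and which hooks remain unaccounted for. The log text is quoted from the report above; the three-byte minimum for a partial match (GMER truncates byte lists with "...") is this example's own choice.

```python
import re

# Lines quoted from the GMER 2.1 report in the thread (System and Kernel code
# sections). The '.text ...' line is GMER's own truncation marker.
GMER_LOG = r"""
---- System - GMER 2.1 ----

SSDT \SystemRoot\system32\DRIVERS\avgidsshimx.sys ZwNotifyChangeKey [0x90EE7690]
SSDT \SystemRoot\system32\DRIVERS\avgidsshimx.sys ZwNotifyChangeMultipleKeys [0x90EE77B0]
SSDT \SystemRoot\system32\DRIVERS\avgidsshimx.sys ZwOpenProcess [0x90EE7010]
SSDT \SystemRoot\system32\DRIVERS\avgidsshimx.sys ZwOpenThread [0x90EE7490]
SSDT \SystemRoot\system32\DRIVERS\avgidsshimx.sys ZwSuspendProcess [0x90EE72D0]
SSDT \SystemRoot\system32\DRIVERS\avgidsshimx.sys ZwSuspendThread [0x90EE73B0]
SSDT \SystemRoot\system32\DRIVERS\avgidsshimx.sys ZwTerminateProcess [0x90EE7110]
SSDT \SystemRoot\system32\DRIVERS\avgidsshimx.sys ZwTerminateThread [0x90EE71F0]
SSDT \SystemRoot\system32\DRIVERS\avgidsshimx.sys ZwWriteVirtualMemory [0x90EE7590]

---- Kernel code sections - GMER 2.1 ----

.text ntkrnlpa.exe!ZwSaveKeyEx + 13AD 82E5C579 1 Byte [06]
.text ntkrnlpa.exe!KiDispatchInterrupt + 5A2 82E80F52 19 Bytes [E0, 0F, BA, F0, 07, 73, 09, ...] {LOOPNZ 0x11; MOV EDX, 0x97307f0; MOV CR4, EAX; OR AL, 0x80; MOV CR4, EAX; RET ; MOV ECX, CR3}
.text ntkrnlpa.exe!RtlSidHashLookup + 4A0 82E889A0 8 Bytes [90, 76, EE, 90, B0, 77, EE, ...] {NOP ; JBE 0xfffffff1; NOP ; MOV AL, 0x77; OUT DX, AL; NOP }
.text ntkrnlpa.exe!RtlSidHashLookup + 4E8 82E889E8 4 Bytes [10, 70, EE, 90] {ADC [EAX-0x12], DH; NOP }
.text ntkrnlpa.exe!RtlSidHashLookup + 508 82E88A08 4 Bytes [90, 74, EE, 90] {NOP ; JZ 0xfffffff1; NOP }
.text ntkrnlpa.exe!RtlSidHashLookup + 7A8 82E88CA8 8 Bytes [D0, 72, EE, 90, B0, 73, EE, ...] {SAL BYTE [EDX-0x12], 0x1; NOP ; MOV AL, 0x73; OUT DX, AL; NOP }
.text ntkrnlpa.exe!RtlSidHashLookup + 7B8 82E88CB8 8 Bytes [10, 71, EE, 90, F0, 71, EE, ...] {ADC [ECX-0x12], DH; NOP ; JNO 0xfffffff5; NOP }
.text ...
"""

SSDT_RE = re.compile(r"^SSDT\s+(?P<module>\S+)\s+(?P<func>\w+)\s+\[0x(?P<addr>[0-9A-Fa-f]+)\]")
TEXT_RE = re.compile(
    r"^\.text\s+(?P<sym>\S+ \+ [0-9A-Fa-f]+)\s+(?P<va>[0-9A-Fa-f]+)\s+(?P<n>\d+) Bytes? \[(?P<bytes>[^\]]*)\]"
)


def parse_ssdt_hooks(log):
    """Map hook address -> (service name, owning module basename)."""
    hooks = {}
    for line in log.splitlines():
        m = SSDT_RE.match(line)
        if m:
            hooks[int(m["addr"], 16)] = (m["func"], m["module"].rsplit("\\", 1)[-1])
    return hooks


def parse_code_patches(log):
    """Return (symbol, virtual address, reported length, visible bytes) per patch."""
    patches = []
    for line in log.splitlines():
        m = TEXT_RE.match(line)
        if m:
            tokens = [t.strip() for t in m["bytes"].split(",")]
            data = [int(t, 16) for t in tokens if re.fullmatch(r"[0-9A-Fa-f]{2}", t)]
            patches.append((m["sym"], int(m["va"], 16), int(m["n"]), data))
    return patches


def correlate(log, min_bytes=3):
    """For each patched region, slide 4-byte (DWORD-aligned) windows over the
    visible bytes and match them, little-endian, against the SSDT hook
    addresses. A truncated trailing window still counts if >= min_bytes agree."""
    hooks = parse_ssdt_hooks(log)
    explained, unexplained = {}, []
    for sym, _va, _n, data in parse_code_patches(log):
        found = []
        for i in range(0, len(data), 4):
            window = bytes(data[i:i + 4])
            if len(window) < min_bytes:
                continue
            for addr, owner in hooks.items():
                if addr.to_bytes(4, "little").startswith(window):
                    found.append(owner)
        (explained.__setitem__(sym, found) if found else unexplained.append(sym))
    return {"hooks": hooks, "explained": explained, "unexplained": unexplained}


def unmatched_hooks(result):
    """Hooked services whose address was not seen in any visible patch window
    (the section was cut off at '.text ...', so these may simply be truncated)."""
    seen = {func for found in result["explained"].values() for func, _ in found}
    return sorted(func for func, _ in result["hooks"].values() if func not in seen)


if __name__ == "__main__":
    res = correlate(GMER_LOG)
    for sym, found in res["explained"].items():
        print(sym, "->", ", ".join(f"{f} ({m})" for f, m in found))
    print("unexplained patches:", res["unexplained"])
    print("hooks not seen in patch bytes:", unmatched_hooks(res))
```

Run as-is, the six RtlSidHashLookup entries resolve to eight of the nine avgidsshimx.sys hooks (ZwWriteVirtualMemory falls in the truncated part of the section), leaving only the ZwSaveKeyEx and KiDispatchInterrupt lines without an SSDT explanation. That is the kind of separation a reviewer wants before reading a GMER log as evidence: patches that merely mirror a security product's own hooks versus patches that still need an owner.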
October 8, 2013 22:26 Re: IRP Rootkits, Help? #234873
BIG AL 43

Moderator
Join Date: 19.6.2014
Posts: 0
@ Fataldart

Have a look @ Weekly Overview: 37/2013 (Scroll Down).. Rootkits detected after upgrade. Subscribe to this RSS feed if you want to be notified about new Weekly Overviews.


AVG Forums Volunteer Moderator
AVG Forum member since - Nov. 27, 2004
My total posts on the Old AVG Free Forum - 27,063
Alan
How-To Articles | FAQ | Free Support
October 9, 2013 03:17 Re: IRP Rootkits, Help? #234882
Fataldart

Novice
Join Date: 8.10.2013
Posts: 10
confused still..

I read through it all, but I am still unsure whether what is showing up is safe or not? And one thing I know is that the AVG scan cannot remove it?

So is this nothing to be worried about, or is it something I should get fixed?

Also, it isn't just AVG 2014 that picked it up, as I updated it last night; before I updated it I had AVG 2013, and the reason I updated it was because AVG 2013 couldn't fix the problem, so I was hoping the update would fix it, but it didn't..
October 9, 2013 04:00 Re: IRP Rootkits, Help? #234885
HectorII

Novice
Join Date: 15.10.2010
Posts: 153
Hi Fataldart,

Did you update the SPTD driver as highly recommended at the link Big Al posted? Others have reported no more IRP Hook detections after doing so.
October 9, 2013 05:26 Re: IRP Rootkits, Help? #234886
Fataldart

Novice
Join Date: 8.10.2013
Posts: 10
SPTD..

So I just got home, tried downloading and installing the newer update, and it gives the following message:
C:\Users\User\Downloads\SPTDinst-v184-x86.exe is not a valid Win32 Application.

And yes, I am running a 32-bit Windows 7 operating system.
October 9, 2013 05:42 Re: IRP Rootkits, Help? #234888
Fataldart

Novice
Join Date: 8.10.2013
Posts: 10
SPTD..

So I managed to install it and update it; however, the AVG scan is still picking up the exact same 9 rootkits?
October 9, 2013 05:56 Re: IRP Rootkits, Help? #234890
Fataldart

Novice
Join Date: 8.10.2013
Posts: 10
umm..

So I unplugged my wireless mouse and my plug-in keyboard, and guess what? The 9 rootkits are gone? Could it be they are infected? Or the USB ports are infected maybe?

I plug them back in and AVG grabs them straight away and says they are infected?
October 10, 2013 00:02 Re: IRP Rootkits, Help? #234962
Fataldart

Novice
Join Date: 8.10.2013
Posts: 10
bump..

Still need help..