Adlice forum
		General Category => Malware removal help => Topic started by: AnnaJohansen on September 20, 2016, 08:55:03 PM
		
			
			- 
				Hi. 
 I ran the newest version of HitmanPro. It says that: IRP_MJ_SCSI kernel-mode hook on storahci.sys is detected but bypassed. So it does nothing. I need to understand if I am infected or not. I am new here and ran a scan with RogueKiller, and the report says:
 
 RogueKiller V12.6.3.0 (x64) [Sep 19 2016] (Free) by Adlice Software
 mail : http://www.adlice.com/contact/
 Feedback : http://forum.adlice.com
 Website : http://www.adlice.com/download/roguekiller/
 Blog : http://www.adlice.com
 
 Operating System : Windows 10 (10.0.14393) 64 bits version
 Started in : Normal mode
 User : anna_ [Administrator]
 Started from : C:\Program Files\RogueKiller\RogueKiller64.exe
 Mode : Scan -- Date : 09/20/2016 20:03:51 (Duration : 00:16:58)
 
 ¤¤¤ Processes : 0 ¤¤¤
 
 ¤¤¤ Registry : 0 ¤¤¤
 
 ¤¤¤ Tasks : 0 ¤¤¤
 
 ¤¤¤ Files : 0 ¤¤¤
 
 ¤¤¤ WMI : 0 ¤¤¤
 
 ¤¤¤ Hosts File : 0 ¤¤¤
 
 ¤¤¤ Antirootkit : 0 (Driver: Loaded) ¤¤¤
 
 ¤¤¤ Web browsers : 0 ¤¤¤
 
 ¤¤¤ MBR Check : ¤¤¤
 +++++ PhysicalDrive0: ST500LM000-1EJ162 +++++
 --- User ---
 [MBR] 430dacb610bb4291d93a8ad39a496e2b
 [BSP] 04c71dbfd7dd0c0bbbbc94c240e08e55 : Empty|VT.Unknown MBR Code
 Partition table:
 0 - [SYSTEM][MAN-MOUNT] Basic data partition | Offset (sectors): 2048 | Size: 450 MB
 1 - [MAN-MOUNT] EFI system partition | Offset (sectors): 923648 | Size: 100 MB
 2 - [MAN-MOUNT] Microsoft reserved partition | Offset (sectors): 1128448 | Size: 16 MB
 3 - Basic data partition | Offset (sectors): 1161216 | Size: 476373 MB
 User = LL1 ... OK
 User = LL2 ... OK
 
 It seems that everything is ok.
 
 Can you help with my next step, or should I just let this go?
 
 Thank you
- 
				Hi Anna,
 
 Welcome to Adlice.com Forum.
 
 Your computer is likely not infected, but I'd like to see the HitmanPro report.
 Could you please attach it with your next reply?
 
 Regards.
- 
				Hi. Thanks for answering. The report is an early warning scoring, but it removes malware and stuff if it finds some.
 
 The HitmanPro log is attached.
 
 
- 
				Hi Anna,
 
 The IRP hooks detected on storahci.sys are false positives.
 You don't need to worry about them.
 
 Regards.
- 
				Hitman registers this as IRP-MJ-SCSI-KERNELMODE-HOOK on the storahci.sys driver, and says it has been detected and bypassed. Am I infected? What does it mean?
 
 Miniport ____________________________________________________________________
 
 Primary
 DriverObject . . . : FFFFC705C48F9730
 DriverName . . . . : \Driver\storahci
 DriverPath . . . . : \SystemRoot\System32\drivers\storahci.sys
 StartIo  . . . . . : 0000000000000000 +0
 IRP_MJ_SCSI  . . . : FFFFF80C94AD2670 \??\C:\Windows\system32\drivers\hmpalert.sys+140912
 Solution
 DriverObject . . . : FFFFC705C48F9730
 DriverName . . . . : \Driver\storahci
 DriverPath . . . . : \SystemRoot\System32\drivers\storahci.sys
 StartIo  . . . . . : 0000000000000000 +0
 IRP_MJ_SCSI  . . . : FFFFF80C8C6D3840 \SystemRoot\System32\drivers\storport.sys+14400
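
 Added example, not part of the original post and not code from Adlice or HitmanPro: a small Python parser for the Miniport section quoted above. It reports which driver file the live IRP_MJ_SCSI pointer resolves to (Primary) and which one the log lists under Solution. The function names and the "redirected"/"unchanged" labels are assumptions made for this example; the sample input is built from lines in the post.

```python
import re

# Constructed sample: lines copied from the Miniport section quoted above (trimmed).
SAMPLE_LOG = r"""
Primary
DriverName . . . . : \Driver\storahci
StartIo  . . . . . : 0000000000000000 +0
IRP_MJ_SCSI  . . . : FFFFF80C94AD2670 \??\C:\Windows\system32\drivers\hmpalert.sys+140912
Solution
DriverName . . . . : \Driver\storahci
StartIo  . . . . . : 0000000000000000 +0
IRP_MJ_SCSI  . . . : FFFFF80C8C6D3840 \SystemRoot\System32\drivers\storport.sys+14400
"""

# "Key . . . : value" lines; the dot leaders vary in length.
FIELD = re.compile(r"^\s*(\w+)\s*(?:\.\s*)+:\s*(.+?)\s*$")
# "<16 hex digits> <module path>+<decimal offset>"
HANDLER = re.compile(r"^([0-9A-Fa-f]{16})\s+(.+)\+(\d+)$")

def parse_miniport(text):
    """Return {"Primary": {...}, "Solution": {...}} holding the raw field strings."""
    blocks, current = {}, None
    for line in text.splitlines():
        stripped = line.strip()
        if stripped in ("Primary", "Solution"):
            current = blocks.setdefault(stripped, {})
            continue
        m = FIELD.match(line)
        if m and current is not None:
            current[m.group(1)] = m.group(2)
    return blocks

def handler_owner(block, irp="IRP_MJ_SCSI"):
    """Split a handler field into (address, module file name, offset), or None."""
    m = HANDLER.match(block.get(irp, ""))
    if not m:
        return None
    addr, path, off = m.groups()
    return int(addr, 16), path.rsplit("\\", 1)[-1].lower(), int(off)

def triage(text):
    """Compare the module behind the live handler with the one listed under Solution."""
    blocks = parse_miniport(text)
    live = handler_owner(blocks.get("Primary", {}))
    fix = handler_owner(blocks.get("Solution", {}))
    if live is None or fix is None:
        return {"status": "unparsed"}
    status = "redirected" if live[1] != fix[1] else "unchanged"
    return {"status": status, "live_module": live[1], "expected_module": fix[1]}
```

 For the lines in this post, `triage(SAMPLE_LOG)` reports the live handler in hmpalert.sys and the Solution handler in storport.sys. A "redirected" result only says the pointer resolves outside the module listed under Solution; whether that matters depends on which driver owns it.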
- 
				Hi Anna,
 
 Please refer to my previous reply.
 
 Regards.
- 
				Thank you so much.
			
- 
				Hi Anna,
 
 You are very welcome.
 
 Regards.