Author Topic: IRP hooks found by Roguekiller  (Read 9114 times)

0 Members and 2 Guests are viewing this topic.

April 18, 2016, 03:24:27 AM

Howard the Duck

  • Newbie

  • Offline
  • *

  • 6
  • Reputation:
    0
    • View Profile
IRP hooks found by Roguekiller
« on: April 18, 2016, 03:24:27 AM »
I had an infection that was in a dll file originally - there was a lot of CPU slowdown until I was able to remove it - and since then have had to remove a number of things with Roguekiller. For a time there was nothing else showing up on subsequent scans except a PUM on my homepage that would return immediately on the next scan whenever I removed it. Now I'm getting a number of IRP hooks that are (as documented) not removable. They were not appearing before, which leads me to believe I'm still infected. I do not have the technical know-how to remove them without some advice, so any help would be greatly appreciated. I have attached my latest log as a text file.
« Last Edit: April 19, 2016, 09:25:16 PM by Howard the Duck »

Reply #1April 18, 2016, 03:08:47 PM

Curson

  • Global Moderator
  • Hero Member

  • Offline
  • *****

  • 2809
  • Reputation:
    100
    • View Profile
Re: IRP hooks found by Roguekiller
« Reply #1 on: April 18, 2016, 03:08:47 PM »
Hi Howard,

Which security softwares are you using ?
Do you use CD/DVD drive emulator, like DAEMON Tools or similar ?

Regards.

Note : This thread has been moved to the "RogueKiller" section for clarity.

Reply #2April 18, 2016, 04:45:48 PM

Howard the Duck

  • Newbie

  • Offline
  • *

  • 6
  • Reputation:
    0
    • View Profile
Re: IRP hooks found by Roguekiller
« Reply #2 on: April 18, 2016, 04:45:48 PM »
I use MalwareBytes Anti-Malware Premium for scanning and protection. When I first got infected I believe I removed the dll file with MalwareBytes but I was still getting a lot of CPU slowdown so I googled it and found someone who had the same problem (an infection in mdi064.dll). Someone replied recommending running both Roguekiller and Combofix (which I have used before) and after running both successfully, it seemed the infection was dealt with, aside from that PUM on my homepage. But then on a more recent scan those IRP hooks suddenly appeared (they hadn't been there previously).

I do use DAEMON Tools quite regularly. However I'd had it installed for a long time and only recently found these IRP hooks.

Thank you for moving this to the correct subforum.
« Last Edit: April 18, 2016, 04:52:09 PM by Howard the Duck »

Reply #3April 18, 2016, 07:19:01 PM

Curson

  • Global Moderator
  • Hero Member

  • Offline
  • *****

  • 2809
  • Reputation:
    100
    • View Profile
Re: IRP hooks found by Roguekiller
« Reply #3 on: April 18, 2016, 07:19:01 PM »
Hi Howard,
Quote from: Howard
I use MalwareBytes Anti-Malware Premium for scanning and protection. When I first got infected I believe I removed the dll file with MalwareBytes but I was still getting a lot of CPU slowdown so I googled it and found someone who had the same problem (an infection in mdi064.dll). Someone replied recommending running both Roguekiller and Combofix (which I have used before) and after running both successfully, it seemed the infection was dealt with, aside from that PUM on my homepage.
Did you follow a removal process on a security forum ? Could you please copy/paste MalwareBytes Anti-Malware report in your next reply ?

Quote from: Howard
I do use DAEMON Tools quite regularly. However I'd had it installed for a long time and only recently found these IRP hooks.
The hooks may change depending of the version used.

Regards.

Reply #4April 18, 2016, 08:21:36 PM

Howard the Duck

  • Newbie

  • Offline
  • *

  • 6
  • Reputation:
    0
    • View Profile
Re: IRP hooks found by Roguekiller
« Reply #4 on: April 18, 2016, 08:21:36 PM »
Thank you very much for your continued help.

This is the removal process I followed: http://www.bleepingcomputer.com/forums/t/509791/dwmexetrojanbitcoinminer-detected-by-malwarebytes/ I'm not the person who made that thread, I just followed the instuctions because it seemed like a similar infection.

As for the original MalwareBytes log, I had to do some digging through old results to find it, as I've done a number of scans with MalwareBytes since and they have all come back clean. The original scan (done on the 7th) found a virus in dwm.exe.

I then used Roguekiller and found more infected files, including mdi064.dll, which I also was able to remove. I included that log from Roguekiller as well.

The only thing things that are still showing up in Roguekiller are the IRP hooks, and MalwareBytes isn't showing any infected files in scans currently.

As for Daemon Tools, I have not recently updated it or reinstalled it or anything like that, and it doesn't appear to be running currently. Do you think that it could still be causing those hooks to show up? BTW the version of Daemon Tools is the 4.47 Lite version.

« Last Edit: April 19, 2016, 09:25:34 PM by Howard the Duck »

Reply #5April 18, 2016, 09:24:47 PM

Curson

  • Global Moderator
  • Hero Member

  • Offline
  • *****

  • 2809
  • Reputation:
    100
    • View Profile
Re: IRP hooks found by Roguekiller
« Reply #5 on: April 18, 2016, 09:24:47 PM »
Hi Howard,
Quote from: Howard
This is the removal process I followed: http://www.bleepingcomputer.com/forums/t/509791/dwmexetrojanbitcoinminer-detected-by-malwarebytes/ I'm not the person who made that thread, I just followed the instuctions because it seemed like a similar infection.

As for the original MalwareBytes log, I had to do some digging through old results to find it, as I've done a number of scans with MalwareBytes since and they have all come back clean. The original scan (done on the 7th) found a virus in dwm.exe.

I then used Roguekiller and found more infected files, including mdi064.dll, which I also was able to remove. I included that log from Roguekiller as well.
Thanks for your feedback. We are going to make sure the infection is now really gone.

Please download Farbar Recovery Scan Tool (x64) and save it to your Desktop.
  • Right click to run as administrator (XP users click run after receipt of Windows Security Warning - Open File). When the tool opens click Yes to disclaimer.
  • Press Scan button.
  • It will produce a log called FRST.txt in the same directory the tool is run from.
  • Please attach log back here.
  • The first time the tool is run it generates another log (Addition.txt - also located in the same directory as FRST64.exe). Please also attach that along with the FRST.txt into your reply.
Quote from: Howard
As for Daemon Tools, I have not recently updated it or reinstalled it or anything like that, and it doesn't appear to be running currently. Do you think that it could still be causing those hooks to show up? BTW the version of Daemon Tools is the 4.47 Lite version.
According to the logs you just posted, you were using the 32 bits version of RogueKiller back then.
Quote
¤¤¤ Antirootkit : 0 (Driver: Not loaded [0xc000036b]) ¤¤¤
The antirootkit module was not working properly so the hooks weren't detected.

Regards.

Reply #6April 18, 2016, 10:27:35 PM

Howard the Duck

  • Newbie

  • Offline
  • *

  • 6
  • Reputation:
    0
    • View Profile
Re: IRP hooks found by Roguekiller
« Reply #6 on: April 18, 2016, 10:27:35 PM »
I ran the Farbar Recovery tool and uploaded the logs.

As it turns out I was running Daemon Tools after all, and after closing it and running Roguekiller again those IRP hooks no longer showed up. However, the PUM on my homepage is still there - I'm still not sure what that is. I'm guessing it's most likely harmless?

« Last Edit: April 19, 2016, 09:25:49 PM by Howard the Duck »

Reply #7April 18, 2016, 11:55:31 PM

Curson

  • Global Moderator
  • Hero Member

  • Offline
  • *****

  • 2809
  • Reputation:
    100
    • View Profile
Re: IRP hooks found by Roguekiller
« Reply #7 on: April 18, 2016, 11:55:31 PM »
Hi Howard,
Quote from: Howard
I ran the Farbar Recovery tool and uploaded the logs.
Leftovers of the infection are still present.
Download attached fixlist.txt file and save it to the Desktop.
NOTE. It's important that both files, FRST64 and fixlist.txt are in the same location or the fix will not work.

NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system !

Run FRST64 and press the Fix button just once and wait.
If for some reason the tool needs a restart, please make sure you let the system restart normally. After that let the tool complete its run.
When finished FRST will generate a log on the Desktop (Fixlog.txt). Please attach it to your reply.

Quote from: Howard
As it turns out I was running Daemon Tools after all, and after closing it and running Roguekiller again those IRP hooks no longer showed up.
I'm glad to hear that. :)

Quote from: Howard
However, the PUM on my homepage is still there - I'm still not sure what that is. I'm guessing it's most likely harmless?
Yes, it's perfectly harmless.
For more information about PUMs (Potentially Unwanted Modification), please read RogueKiller Documentation

Regards.

Reply #8April 19, 2016, 01:06:19 AM

Howard the Duck

  • Newbie

  • Offline
  • *

  • 6
  • Reputation:
    0
    • View Profile
Re: IRP hooks found by Roguekiller
« Reply #8 on: April 19, 2016, 01:06:19 AM »
Thank you!

Yeah my computer did need a restart. I noticed in the log that the fixlist was looking for Combofix, but I had removed it after I used it the first time because that other forum thread suggested deleting it. Should I redownload Combofix and run the fixlist again?

Here's the log for now.

And thanks for the reassurance about the PUM.
« Last Edit: April 19, 2016, 09:25:58 PM by Howard the Duck »

Reply #9April 19, 2016, 01:23:11 AM

Curson

  • Global Moderator
  • Hero Member

  • Offline
  • *****

  • 2809
  • Reputation:
    100
    • View Profile
Re: IRP hooks found by Roguekiller
« Reply #9 on: April 19, 2016, 01:23:11 AM »
Hi Howard,
Quote from: Howard
Yeah my computer did need a restart. I noticed in the log that the fixlist was looking for Combofix, but I had removed it after I used it the first time because that other forum thread suggested deleting it. Should I redownload Combofix and run the fixlist again?
No, you don't need to. The fix was looking for ComboFix to remove it.
You could now delete FRST and the files linked to it.

Quote from: Howard
Thank you!
And thanks for the reassurance about the PUM.
You are welcome.
Your computer is now clean.

Regards.

Reply #10April 19, 2016, 09:27:07 PM

Howard the Duck

  • Newbie

  • Offline
  • *

  • 6
  • Reputation:
    0
    • View Profile
Re: IRP hooks found by Roguekiller
« Reply #10 on: April 19, 2016, 09:27:07 PM »
Thank you so much for your help! It is greatly appreciated. Now I don't have to worry. :D

Reply #11April 19, 2016, 10:05:53 PM

Curson

  • Global Moderator
  • Hero Member

  • Offline
  • *****

  • 2809
  • Reputation:
    100
    • View Profile
Re: IRP hooks found by Roguekiller
« Reply #11 on: April 19, 2016, 10:05:53 PM »
Hi Howard,

You are very welcome.

Regards.