Infected IRP Hook ->HIDCLASS.SYS +0x2710

irishluck

Member
So my AVG detected 9 threats on my boss's computer.

IRP hook, C:\windows\system32\drivers\hidusb.sys IRP_MJ_WRITE ->HIDCLASS.SYS +0x2710

There are multiple different ones:

hidusb.sys IRP_MJ_CLOSE->HIDCLASS.SYS +0x2710
hidusb.sys IRP_MJ_CREATE->HIDCLASS.SYS +0x2710
hidusb.sys IRP_MJ_DEVICE_CONTROL->HIDCLASS.SYS +0x2710
hidusb.sys IRP_MJ_INTERNAL_DEVICE_CONTROL->HIDCLASS.SYS +0x2710
hidusb.sys IRP_MJ_PNP->HIDCLASS.SYS +0x2710
hidusb.sys IRP_MJ_POWER->HIDCLASS.SYS +0x2710
hidusb.sys IRP_MJ_READ->HIDCLASS.SYS +0x2710
hidusb.sys IRP_MJ_SYSTEM_CONTROL->HIDCLASS.SYS +0x2710
hidusb.sys IRP_MJ_WRITE->HIDCLASS.SYS +0x2710

AVG says these are all infected and honestly I'm not sure what exactly this even is.

On top of that, Malwarebytes detects 3 registry key infections.
One of them I can figure out,
but the other two are these:

PUP.Optional.DataMngr.A HKCU\SOFTWARE\Datamngr_Toolbar
PUP.Optional.DataMngr.A HKCU\Software\DataMngr

What's going on here?
 
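Triage of the AVG IRP-hook lines quoted in the opening post, added here as an example that is not part of the thread: the parser groups the reported hooks per driver, treats a minidriver whose entire IRP_MJ_* table resolves to one offset in HIDCLASS.SYS as the dispatch takeover HIDCLASS performs when a HID minidriver registers with it, and flags a hook into unnamed memory for review. The sample report and the sampledrv.sys lines in it are constructed, and DISPATCH_OWNING_CLASS_DRIVERS is an assumed allow-list.

```python
import re
from collections import defaultdict

# Constructed sample: the hidusb.sys lines mirror the AVG report in the opening
# post; the sampledrv.sys lines are made up to show a hook into unnamed memory.
SAMPLE_REPORT = """\
C:\\windows\\system32\\drivers\\hidusb.sys IRP_MJ_WRITE ->HIDCLASS.SYS +0x2710
hidusb.sys IRP_MJ_CLOSE->HIDCLASS.SYS +0x2710
hidusb.sys IRP_MJ_CREATE->HIDCLASS.SYS +0x2710
hidusb.sys IRP_MJ_DEVICE_CONTROL->HIDCLASS.SYS +0x2710
hidusb.sys IRP_MJ_READ->HIDCLASS.SYS +0x2710
sampledrv.sys IRP_MJ_DEVICE_CONTROL->[unknown] +0x0
sampledrv.sys IRP_MJ_READ->[unknown] +0x0
"""

# Class drivers that replace a registering minidriver's whole MajorFunction table
# with their own dispatch routine (HIDCLASS does so in HidRegisterMinidriver).
# Assumed allow-list for this example.
DISPATCH_OWNING_CLASS_DRIVERS = {"hidclass.sys"}

LINE_RE = re.compile(r"^(?P<driver>\S+)\s+(?P<irp>IRP_MJ_\w+)\s*->\s*"
                     r"(?P<target>\S+)\s*\+0x(?P<off>[0-9a-fA-F]+)$")

def parse_hooks(report):
    """Group AVG-style hook lines as {driver: [(irp, target, offset), ...]}."""
    hooks = defaultdict(list)
    for line in report.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # not a hook line (headers, blank lines)
        driver = m["driver"].rsplit("\\", 1)[-1].lower()  # strip any path
        hooks[driver].append((m["irp"], m["target"].lower(), int(m["off"], 16)))
    return dict(hooks)

def triage(hooks):
    """One verdict per hooked driver, based on where its dispatch entries point."""
    verdicts = {}
    for driver, entries in hooks.items():
        targets = {(target, off) for _, target, off in entries}
        if len(targets) == 1 and next(iter(targets))[0] in DISPATCH_OWNING_CLASS_DRIVERS:
            # Every IRP_MJ_* entry lands on one class-driver routine: the
            # expected shape when a class driver owns its minidriver's table.
            verdicts[driver] = "expected: class-driver dispatch"
        elif any(target.startswith("[") for _, target, _ in entries):
            verdicts[driver] = "suspicious: hook into unnamed memory"
        else:
            modules = ", ".join(sorted({target for target, _ in targets}))
            verdicts[driver] = "review: hooks into " + modules
    return verdicts
```

Run `triage(parse_hooks(SAMPLE_REPORT))` to see the hidusb.sys report classified as expected class-driver dispatch while the constructed unnamed-memory hook is flagged.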

johnb35

Administrator
Staff member
The bottom 2 are just minor. Let's do the following.

1.

Please download and run TDSSkiller

When the program opens, click on the start scan button.


TDSSKiller will now scan your computer for the TDSS infection. When the scan has finished it will display a result screen stating whether or not the infection was found on your computer. If it was found it will display a screen similar to the one below.


To remove the infections simply click on the Continue button and TDSSKiller will attempt to clean them or remove them.

After trying to clean them it will pop up with the results of the scan and its actions.


Please reboot the system if asked to do so.

After running, there will be a log located at the root of your C:\ drive labeled TDSSKiller with a series of numbers after it, for example C:\TDSSKiller.2.4.7_23.07.2010_15.31.43_log.txt

Please open the log and copy and paste it back here.

2.

Please download AdwCleaner by Xplode onto your Desktop.



  • Please close all open programs and internet browsers.
  • Double click on adwcleaner.exe to run the tool.
  • Click on Scan.
  • After the scan you will need to click on Clean for it to delete the adware.
  • Your computer will be rebooted automatically. A text file will open after the restart.
  • Please post the content of that logfile in your reply.
  • You can find the logfile at C:\AdwCleaner[Sn].txt as well - n is the order number.
 

irishluck

Member
Here is also a report from AdwCleaner.
It did detect some items. After it cleaned the computer, AVG still detects the same stuff from original post.
 

johnb35

Administrator
Staff member
Alright then. Do the following and post the log.

Download and Run ComboFix
If you already have Combofix, please delete this copy and download it again as it's being updated regularly.
  • Download this file here :

    Combofix

  • When the page loads click on the blue combofix download link next to the BleepingComputer Mirror.
  • Save the file to your windows desktop. The combofix icon will look like this when it has downloaded to your desktop.

  • We are almost ready to start ComboFix, but before we do so, we need to take some preventative measures so that there are no conflicts with other programs when running ComboFix. At this point you should do the following:

  • Close all open Windows including this one.
  • Close or disable all running Antivirus, Antispyware, and Firewall programs as they may interfere with the proper running of ComboFix. Instructions on disabling these types of programs can be found here.
    Once these two steps have been completed, double-click on the ComboFix icon found on your desktop. Please note, that once you start ComboFix you should not click anywhere on the ComboFix window as it can cause the program to stall. In fact, when ComboFix is running, do not touch your computer at all. The scan could take a while, so please be patient.
  • Please click on I agree on the disclaimer window.
  • ComboFix will now install itself on to your computer. When it is done, a blue screen will appear as shown below.

  • ComboFix is now preparing to run. When it has finished ComboFix will automatically attempt to create a System Restore point so that if any problems occur while using the program you can restore back to your previous configuration. When ComboFix has finished creating the restore point, it will then backup your Windows Registry as shown in the image below.

  • Once the Windows Registry has finished being backed up, ComboFix will attempt to detect if you have the Windows Recovery Console installed. If you already have it installed, you can skip to this section and continue reading. Otherwise you will see the following message as shown below:

  • At the above message box, please click on the Yes button in order for ComboFix to continue. Please follow the steps and instructions given by ComboFix in order to finish the installation of the Recovery Console.
  • Please click on yes in the next window to continue scanning for malware.
  • ComboFix will now disconnect your computer from the Internet, so do not be surprised or concerned if you receive any warnings stating that you are no longer on the Internet. When ComboFix has finished it will automatically restore your Internet connection.
  • ComboFix will now start scanning your computer for known infections. This procedure can take some time, so please be patient.
  • While the program is scanning your computer, it will change your clock format, so do not be concerned when you see this happen. When ComboFix is finished it will restore your clock settings to their previous settings. You will also see the text in the ComboFix window being updated as it goes through the various stages of its scan. An example of this can be seen below.

  • When ComboFix has finished running, you will see a screen stating that it is preparing the log report.
  • This can take a while, so please be patient. If you see your Windows desktop disappear, do not worry. This is normal and ComboFix will restore your desktop before it is finished. Eventually you will see a new screen that states the program is almost finished and tells you the program's log file, or report, will be located at C:\ComboFix.txt.
  • When ComboFix has finished, it will automatically close the program and change your clock back to its original format. It will then display the log file automatically for you.
  • Now you just click on the edit menu and click on select all, then click on the edit menu again and click on copy. Then come to the forum in your reply and right click on your mouse and click on paste.

If for some reason you try to run a program or open a file and you get an error message saying "illegal operation attempted on a registry key that has been marked for deletion", please just reboot your pc and you'll be fine.


In your next reply please post:
  • The ComboFix log
  • A fresh HiJackThis log
  • An update on how your computer is running
 

irishluck

Member
Alright, I'm doing this now.

It's stuck on the system restore point and has been there for like 20 minutes.

I'll be back soon with a log.
 

johnb35

Administrator
Staff member
If there are rootkits then it may take a while at the beginning, and if it asks you to restart then please do so.
 

irishluck

Member
Well here is the log file for the combofix and the hijackthis.

Also, the computer is doing okay except about 45 minutes ago it blue screened with a Locale ID: 1033 BCCode: 1000009f
 

johnb35

Administrator
Staff member
This may be from a particular setting within AVG. So it may be false, per se. But let's run some other scans to be safe.

1.

Please download and run RogueKiller from here.

http://www.bleepingcomputer.com/download/roguekiller/dl/121/

Close all open programs
Remember to right click -> run as administrator, and click the downloaded file.
When prompted, type 1, and press Enter.
A RKreport.txt will be created in the same location as the RogueKiller file.
If the program is blocked, do not hesitate to try several times. If it really does not work (it could happen), rename it to winlogon.exe, and try again.

Please post the contents of the RKreport.txt.


Then do the following.

Please download and run the ESET Online Scanner
Disable any antivirus/security programs.
IMPORTANT! UN-check Remove found threats
Accept any security warnings from your browser.
Check Scan archives
Click Start
ESET will then download updates, install and then start scanning your system.
When the scan is done, push list of found threats
Click on Export to text file , and save the file to your desktop using a file name, such as ESETlog. Include the contents of this report in your next reply.
If no threats are found then it won't produce a log.
 

irishluck

Member
Alright, I'll do this in the morning. The thing I don't understand though is why it keeps on popping a blue screen on me.
 

irishluck

Member
Report attached from RogueKiller.

UPDATE:

Also I am adding an image of the Blue Screen viewer I downloaded and scanned.
 

irishluck

Member
I'm kinda giving up on this computer.

I think I'm just going to wipe it.

No other scans except AVG are picking up detections. It's still going into the Blue Screen mode.

I'm being told by AVG it's now the HIDCLASS.SYS driver that is infected.

I also now cannot connect to the internet, and the wireless will not work.
 

johnb35

Administrator
Staff member
Before you do that, do the following.

Download MBRCheck to your desktop.

  • Double click MBRCheck.exe to run (vista and Win 7 right click and select Run as Administrator)
  • It will show a Black screen with some information that will contain either the below line if no problem is found:

    Done! Press ENTER to exit...

  • Or you will see more information like below if a problem is found:

    Found non-standard or infected MBR.
    Enter 'Y' and hit ENTER for more options, or 'N' to exit:

  • Either way, just choose to exit the program at this point since we want to see only the scan results to begin with.
  • MBRCheck will create a log named similar to MBRCheck_07.16.10_00.32.33.txt which is random based on date and time.
  • Attach this log to your next message.
 

irishluck

Member
Okay, it did detect something.
Here is the log.
 

johnb35

Administrator
Staff member
Just for verification purposes, this is an HP computer correct?

If we fix the unknown MBR code it may stop you from booting into the HP recovery process. If that's not an issue then you may go ahead and open aswMBR again and click on the FixMBR button.
 

irishluck

Member
Yes, it's an HP G72-261US Notebook.

Honestly I'm not too worried about screwing up the recovery process in the HP tools.

We do regular backups anyways.
 

irishluck

Member
I did the fix MBR and it said "Disk 0 windows 601 MBR fixed successfully".

After I did that, I ran AVG like 3 times, nothing came up, but on the 4th time it blue screened again and the error was:

Locale ID: 1033
BCCode: 124

This was the same as before. I'm not sure if there is another hardware error or what, but I'm thinking of just wiping it this time.

EDIT:

You know what else is odd, I can't check for Windows updates, or download them or anything. I can't activate or turn on Windows Defender or anything as well.
This computer is way out of whack.

2nd edit: Tried to restart the computer and shut it down, it froze in the shut down screen. All blue with "Shutting down..." on the screen and has been like that for 15 min and the little waiting symbol is frozen.
 

johnb35

Administrator
Staff member
I would say wipe it and reinstall, without knowing what's going on with it. I mean, if you can get into Windows and run a program we can see what the new bluescreen is by doing the following.

Download BlueScreenView
No installation required.
Unzip downloaded file and double click on BlueScreenView.exe file to run the program.
When scanning is done, go Edit>Select All.
Go File>Save Selected Items, and save the report as BSOD.txt.
Open BSOD.txt in Notepad, copy all content, and paste it into your next reply.
 