# Infected IRP Hook ->HIDCLASS.SYS +0x2710



## irishluck

So my AVG detected 9 threats on my boss's computer.

IRP hook, C:\windows\system32\drivers\hidusb.sys IRP_MJ_WRITE ->HIDCLASS.SYS +0x2710

There are multiple different ones:

```
hidusb.sys IRP_MJ_CLOSE->HIDCLASS.SYS +0x2710
hidusb.sys IRP_MJ_CREATE->HIDCLASS.SYS +0x2710
hidusb.sys IRP_MJ_DEVICE_CONTROL->HIDCLASS.SYS +0x2710
hidusb.sys IRP_MJ_INTERNAL_DEVICE_CONTROL->HIDCLASS.SYS +0x2710
hidusb.sys IRP_MJ_PNP->HIDCLASS.SYS +0x2710
hidusb.sys IRP_MJ_POWER->HIDCLASS.SYS +0x2710
hidusb.sys IRP_MJ_READ->HIDCLASS.SYS +0x2710
hidusb.sys IRP_MJ_SYSTEM_CONTROL->HIDCLASS.SYS +0x2710
hidusb.sys IRP_MJ_WRITE->HIDCLASS.SYS +0x2710
```

AVG says these are all infected and honestly I'm not sure what exactly this even is.

On top of that, Malwarebytes detects 3 registry key infections.
One of them I can figure out, but the other two are these:

```
PUP.Optional.DataMngr.A HKCU\SOFTWARE\Datamngr_Toolbar
PUP.Optional.DataMngr.A HKCU\Software\DataMngr
```

What's going on here?


----------
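As an added triage aid (not part of the thread, and not AVG's own logic), the script below parses detection lines of the form shown in the post above and checks one thing a defender would look at first: whether every IRP_MJ_* entry of a driver resolves to a single address inside a class driver that is known to take over its minidriver's dispatch table. The mapping `hidusb.sys -> hidclass.sys` is the only such pair encoded here and is an assumption for the example; the `example.sys`/`unknown.sys` lines are constructed so the "investigate" branch runs. A "class-dispatch" verdict means the pattern is consistent with normal HID class-driver behaviour, not proof the files are clean; file hashes and signatures still need checking.

```python
import re
from collections import defaultdict

# Constructed sample: the AVG "IRP hook" lines quoted in the post above, plus two
# made-up lines (example.sys -> unknown.sys / example.sys) for the mixed-target case.
AVG_DETECTIONS = r"""
C:\windows\system32\drivers\hidusb.sys IRP_MJ_WRITE ->HIDCLASS.SYS +0x2710
hidusb.sys IRP_MJ_CLOSE->HIDCLASS.SYS +0x2710
hidusb.sys IRP_MJ_CREATE->HIDCLASS.SYS +0x2710
hidusb.sys IRP_MJ_DEVICE_CONTROL->HIDCLASS.SYS +0x2710
hidusb.sys IRP_MJ_INTERNAL_DEVICE_CONTROL->HIDCLASS.SYS +0x2710
hidusb.sys IRP_MJ_PNP->HIDCLASS.SYS +0x2710
hidusb.sys IRP_MJ_POWER->HIDCLASS.SYS +0x2710
hidusb.sys IRP_MJ_READ->HIDCLASS.SYS +0x2710
hidusb.sys IRP_MJ_SYSTEM_CONTROL->HIDCLASS.SYS +0x2710
example.sys IRP_MJ_READ->unknown.sys +0x100
example.sys IRP_MJ_WRITE->example.sys +0x3f0
"""

# "driver IRP_MJ_X->target +0xNNN", with or without spaces around the arrow.
HOOK_RE = re.compile(
    r"^(?P<driver>\S+)\s+(?P<mj>IRP_MJ_\w+)\s*->\s*(?P<target>\S+)\s*\+0x(?P<off>[0-9A-Fa-f]+)$"
)

# Assumption for this example: minidrivers whose dispatch table is legitimately
# taken over by a class driver. HIDCLASS.SYS replaces a HID minidriver's
# IRP_MJ_* entries with its own routine when the minidriver calls
# HidRegisterMinidriver, so every hidusb.sys entry points to one HIDCLASS address.
CLASS_DRIVER_FOR = {"hidusb.sys": "hidclass.sys"}


def parse_hooks(text):
    """Parse hook lines into dicts; the driver is reduced to its file name."""
    hooks = []
    for raw in text.strip().splitlines():
        m = HOOK_RE.match(raw.strip())
        if not m:
            continue
        driver = m["driver"].replace("\\", "/").rsplit("/", 1)[-1].lower()
        hooks.append({
            "driver": driver,
            "mj": m["mj"],
            "target": m["target"].lower(),
            "offset": int(m["off"], 16),
        })
    return hooks


def assess(hooks):
    """Per driver: 'class-dispatch' when every IRP_MJ_* entry resolves to the same
    address inside that driver's known class driver, otherwise 'investigate'."""
    by_driver = defaultdict(list)
    for h in hooks:
        by_driver[h["driver"]].append(h)
    verdicts = {}
    for driver, entries in by_driver.items():
        targets = {(h["target"], h["offset"]) for h in entries}
        expected = CLASS_DRIVER_FOR.get(driver)
        if len(targets) == 1 and next(iter(targets))[0] == expected:
            verdicts[driver] = "class-dispatch"
        else:
            verdicts[driver] = "investigate"
    return verdicts


if __name__ == "__main__":
    for driver, verdict in assess(parse_hooks(AVG_DETECTIONS)).items():
        print(f"{driver}: {verdict}")
```

The nine hidusb.sys entries collapse to one target, which is exactly what a class-driver dispatch looks like; a driver whose entries point at several unrelated modules is the shape that deserves a closer look.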



## johnb35

The bottom 2 are just minor.  Let's do the following.

1.

Please download and run TDSSkiller

When the program opens, click on the start scan button.






TDSSKiller will now scan your computer for the TDSS infection. When the scan has finished it will display a result screen stating whether or not the infection was found on your computer. If it was found it will display a screen similar to the one below.






To remove the infections simply click on the Continue button and TDSSKiller will attempt to clean them or remove them.

After trying to clean them it will pop up with the results of the scan and its actions.






Please reboot the system if asked to do so. 

After running there will be a log located at the root of your C:\ drive labeled TDSSKiller with a series of numbers after it, for example C:\TDSSKiller.2.4.7_23.07.2010_15.31.43_log.txt

Please open the log and copy and paste it back here.

2.

Please download *AdwCleaner* by Xplode onto your Desktop.



- Please close all open programs and internet browsers.
- Double click on adwcleaner.exe to run the tool.
- Click on Scan.
- After the scan you will need to click on Clean for it to delete the adware.
- Your computer will be rebooted automatically. A text file will open after the restart.
- Please post the content of that logfile in your reply.
- You can find the logfile at C:\AdwCleaner[Sn].txt as well - n is the order number.


----------



## irishluck

TDSSKiller did not detect anything, but AVG and Malwarebytes still do.


----------



## irishluck

Here is also a report from AdwCleaner.
It did detect some items. After it cleaned the computer, AVG still detects the same stuff from the original post.


----------



## johnb35

Alright then.  Do the following and post the log.

*Download and Run ComboFix*
*If you already have Combofix, please delete this copy and download it again as it's being updated regularly.*

*Download this file* here :

*Combofix*


When the page loads click on the blue combofix download link next to the BleepingComputer Mirror.
Save the file to your windows desktop.  The combofix icon will look like this when it has downloaded to your desktop.




We are almost ready to start ComboFix, but before we do so, we need to take some preventative measures so that there are no conflicts with other programs when running ComboFix. At this point you should do the following:


Close all open windows including this one.

Close or disable all running Antivirus, Antispyware, and Firewall programs as they may interfere with the proper running of ComboFix. Instructions on disabling these types of programs can be found *here*.
Once these two steps have been completed, double-click on the ComboFix icon found on your desktop. Please note, that once you start ComboFix you should not click anywhere on the ComboFix window as it can cause the program to stall. In fact, when ComboFix is running, do not touch your computer at all. The scan could take a while, so please be patient.

Please click on I agree on the disclaimer window.
ComboFix will now install itself on to your computer. When it is done, a blue screen will appear as shown below.





ComboFix is now preparing to run. When it has finished ComboFix will automatically attempt to create a System Restore point so that if any problems occur while using the program you can restore back to your previous configuration. When ComboFix has finished creating the restore point, it will then backup your Windows Registry as shown in the image below.





Once the Windows Registry has finished being backed up, ComboFix will attempt to detect if you have the Windows Recovery Console installed. If you already have it installed, you can skip to this section and continue reading. Otherwise you will see the following message as shown below:





At the above message box, please click on the Yes button in order for ComboFix to continue. Please follow the steps and instructions given by ComboFix in order to finish the installation of the Recovery Console.

Please click on yes in the next window to continue scanning for malware.

ComboFix will now disconnect your computer from the Internet, so do not be surprised or concerned if you receive any warnings stating that you are no longer on the Internet. When ComboFix has finished it will automatically restore your Internet connection.

ComboFix will now start scanning your computer for known infections. This procedure can take some time, so please be patient.

While the program is scanning your computer, it will change your clock format, so do not be concerned when you see this happen. When ComboFix is finished it will restore your clock settings to their previous settings. You will also see the text in the ComboFix window being updated as it goes through the various stages of its scan. An example of this can be seen below.





When ComboFix has finished running, you will see a screen stating that it is preparing the log report.

This can take a while, so please be patient. If you see your Windows desktop disappear, do not worry. This is normal and ComboFix will restore your desktop before it is finished. Eventually you will see a new screen that states the program is almost finished and tells you the program's log file, or report, will be located at C:\ComboFix.txt.

When ComboFix has finished, it will automatically close the program and change your clock back to its original format. It will then display the log file automatically for you.  

Now you just click on the edit menu and click on select all, then click on the edit menu again and click on copy.  Then come to the forum in your reply and right click on your mouse and click on paste.  


If for some reason you try to run a program or open a file and you get an error message saying "illegal operation attempted on a registry key that has been marked for deletion", please just reboot your PC and you'll be fine.


In your next reply please post:

The ComboFix log
A fresh HiJackThis log
An update on how your computer is running


----------



## irishluck

Alright, I'm doing this now.

It's stuck on the system restore point and has been there for like 20 minutes.

I'll be back soon with a log.


----------



## johnb35

If there are rootkits then it may take a while at the beginning; if it asks you to restart, please do so.


----------



## irishluck

Well here is the log file for the combofix and the hijackthis.

Also, the computer is doing okay, except about 45 minutes ago it blue screened with a Locale ID: 1033 BCCode: 1000009f


----------



## johnb35

This may be from a particular setting within AVG.  So it may be false, per se.  But let's run some other scans to be safe.

1.

Please download and run roguekiller from here.

http://www.bleepingcomputer.com/download/roguekiller/dl/121/

Close all open programs
Remember to right click -> run as administrator, and click the downloaded file.
When prompted, type 1, and press Enter.
A RKreport.txt will be created in the same location as the RogueKiller file.
If the program is blocked, do not hesitate to try several times. If it really does not work (it could happen), rename it to winlogon.exe, and try again.

Please post the contents of the RKreport.txt.


Then do the following.

Please download and run the ESET Online Scanner
Disable any antivirus/security programs.
IMPORTANT! UN-check Remove found threats 
Accept any security warnings from your browser. 
Check Scan archives 
Click Start 
ESET will then download updates, install and then start scanning your system. 
When the scan is done, push list of found threats 
Click on Export to text file , and save the file to your desktop using a file name, such as ESETlog. Include the contents of this report in your next reply. 
If no threats are found then it won't produce a log.


----------



## irishluck

Alright, I'll do this in the morning. The thing I don't understand, though, is why it keeps popping a blue screen on me.


----------



## irishluck

Report attached from RogueKiller.

UPDATE:

Also I am adding an image of the Blue Screen viewer I downloaded and scanned with.


----------



## irishluck

I'm kinda giving up on this computer.

I think I'm just going to wipe it.

No other scans except AVG are picking up detections. It's still going into the Blue Screen mode.

I'm being told by AVG it's now the HIDCLASS.SYS driver that is infected.

I also now cannot connect to the internet, and the wireless will not work.


----------



## johnb35

Before you do that, do the following.

Download *MBRCheck* to your desktop.


Double click MBRCheck.exe to run (vista and Win 7 right click and select Run as Administrator) 
It will show a Black screen with some information that will contain either the below line if no problem is found:

Done! Press ENTER to exit... 


Or you will see more information like below if a problem is found:

Found non-standard or infected MBR. 
Enter 'Y' and hit ENTER for more options, or 'N' to exit: 


Either way, just choose to exit the program at this point since we want to see only the scan results to begin with. 
MBRCheck will create a log named similar to MBRCheck_07.16.10_00.32.33.txt which is random based on date and time. 
Attach this log to your next message.


----------



## irishluck

johnb35 said:


> Before you do that, do the following.
> 
> Download *MBRCheck* to your desktop.
> 
> 
> Double click MBRCheck.exe to run (vista and Win 7 right click and select Run as Administrator)
> It will show a Black screen with some information that will contain either the below line if no problem is found:
> 
> Done! Press ENTER to exit...
> 
> 
> Or you will see more information like below if a problem is found:
> 
> Found non-standard or infected MBR.
> Enter 'Y' and hit ENTER for more options, or 'N' to exit:
> 
> 
> Either way, just choose to exit the program at this point since we want to see only the scan results to begin with.
> MBRCheck will create a log named similar to MBRCheck_07.16.10_00.32.33.txt which is random based on date and time.
> Attach this log to your next message.



Okay, it did detect something.
Here is the log.


----------



## johnb35

Since this is an HP system I don't want you to fix this just yet.  Please do the following for a second opinion.

Download and run aswMBR and post the logfile from it.  Open the program, click on scan and let it run.  After it's done, click on save log and then copy and paste that log back here.

http://www.bleepingcomputer.com/download/aswmbr/dl/1/


----------



## irishluck

Here is the log from there


----------



## johnb35

Just for verification purposes, this is an HP computer correct?

If we fix the unknown MBR code it may stop you from booting into the HP recovery process.  If that's not an issue then you may go ahead and open aswMBR again and click on the FixMBR button.


----------



## irishluck

johnb35 said:


> Just for verification purposes, this is an HP computer correct?
> 
> If we fix the unknown MBR code it may stop you from booting into the HP recovery process.  If that's not an issue then you may go ahead and open aswMBR again and click on the FixMBR button.




Yes, it's an HP G72-261US Notebook.

Honestly I'm not too worried about screwing up the recovery process in the HP tools.

We do regular backups anyways.


----------



## irishluck

I did the FixMBR and it said it fixed: "Disk 0 windows 601 MBR fixed successfully"

After I did that, I ran AVG like 3 times, nothing came up, but on the 4th time it blue screened again and the error was:

Locale ID: 1033
BCCode: 124

This was the same as before. I'm not sure if there is another hardware error or what, but I'm thinking of just wiping it this time.

EDIT:

You know what else is odd, I can't check for Windows updates, or download them or anything. I can't activate or turn on Windows Defender or anything as well.
This computer is way out of whack.

2nd edit: Tried to restart the computer and shut it down; it froze in the shutdown screen. All blue with "Shutting down..." on the screen and has been like that for 15 min and the little waiting symbol is frozen.


----------



## johnb35

I would say wipe it and reinstall, without knowing what's going on with it.  I mean, if you can get into Windows and run a program we can see what the new bluescreen is by doing the following.

Download *BlueScreenView*
No installation required.
Unzip downloaded file and double click on *BlueScreenView.exe* file to run the program.
When scanning is done, go *Edit>Select All*.
Go *File>Save Selected Items*, and save the report as *BSOD.txt*.
Open *BSOD.txt* in Notepad, copy all content, and paste it into your next reply.


----------



## irishluck

johnb35 said:


> I would say wipe it and reinstall, without knowing what's going on with it.  I mean, if you can get into Windows and run a program we can see what the new bluescreen is by doing the following.
> 
> Download *BlueScreenView*
> No installation required.
> Unzip downloaded file and double click on *BlueScreenView.exe* file to run the program.
> When scanning is done, go *Edit>Select All*.
> Go *File>Save Selected Items*, and save the report as *BSOD.txt*.
> Open *BSOD.txt* in Notepad, copy all content, and paste it into your next reply.



Oh, I can get you that, not a problem. I've been using that this whole time to view the errors.

Here you go!

```text
==================================================
Dump File         : 101413-35256-01.dmp
Crash Time        : 10/14/2013 12:45:04 PM
Bug Check String  : 
Bug Check Code    : 0x00000124
Parameter 1       : 00000000`00000000
Parameter 2       : fffffa80`059ea8f8
Parameter 3       : 00000000`00000000
Parameter 4       : 00000000`00000000
Caused By Driver  : ntoskrnl.exe
Caused By Address : ntoskrnl.exe+4ade7c
File Description  : NT Kernel & System
Product Name      : Microsoft® Windows® Operating System
Company           : Microsoft Corporation
File Version      : 6.1.7601.18229 (win7sp1_gdr.130801-1533)
Processor         : x64
Crash Address     : ntoskrnl.exe+4ade7c
Stack Address 1   : 
Stack Address 2   : 
Stack Address 3   : 
Computer Name     : 
Full Path         : C:\Windows\Minidump\101413-35256-01.dmp
Processors Count  : 2
Major Version     : 15
Minor Version     : 7601
Dump File Size    : 262,144
Dump File Time    : 10/14/2013 12:45:21 PM
==================================================

==================================================
Dump File         : 101013-33992-01.dmp
Crash Time        : 10/10/2013 4:43:49 PM
Bug Check String  : DRIVER_POWER_STATE_FAILURE
Bug Check Code    : 0x1000009f
Parameter 1       : 00000000`00000004
Parameter 2       : 00000000`00000258
Parameter 3       : fffffa80`03b7f660
Parameter 4       : fffff800`00b9c510
Caused By Driver  : WudfPf.sys
Caused By Address : WudfPf.sys+6500
File Description  : 
Product Name      : 
Company           : 
File Version      : 
Processor         : x64
Crash Address     : ntoskrnl.exe+78a8a
Stack Address 1   : 
Stack Address 2   : 
Stack Address 3   : 
Computer Name     : 
Full Path         : C:\Windows\Minidump\101013-33992-01.dmp
Processors Count  : 2
Major Version     : 15
Minor Version     : 7601
Dump File Size    : 458,992
Dump File Time    : 10/10/2013 4:45:37 PM
==================================================

==================================================
Dump File         : 100313-96533-01.dmp
Crash Time        : 10/3/2013 12:43:07 PM
Bug Check String  : 
Bug Check Code    : 0x00000124
Parameter 1       : 00000000`00000000
Parameter 2       : fffffa80`059ae038
Parameter 3       : 00000000`fe000000
Parameter 4       : 00000000`00800400
Caused By Driver  : hal.dll
Caused By Address : hal.dll+12a3b
File Description  : 
Product Name      : 
Company           : 
File Version      : 
Processor         : x64
Crash Address     : ntoskrnl.exe+75b80
Stack Address 1   : 
Stack Address 2   : 
Stack Address 3   : 
Computer Name     : 
Full Path         : C:\Windows\Minidump\100313-96533-01.dmp
Processors Count  : 2
Major Version     : 15
Minor Version     : 7601
Dump File Size    : 278,512
Dump File Time    : 10/3/2013 12:50:12 PM
==================================================

==================================================
Dump File         : 100213-47970-01.dmp
Crash Time        : 10/2/2013 1:51:34 PM
Bug Check String  : 
Bug Check Code    : 0x00000124
Parameter 1       : 00000000`00000000
Parameter 2       : fffffa80`059dc038
Parameter 3       : 00000000`fe000000
Parameter 4       : 00000000`00800400
Caused By Driver  : hal.dll
Caused By Address : hal.dll+12a3b
File Description  : 
Product Name      : 
Company           : 
File Version      : 
Processor         : x64
Crash Address     : ntoskrnl.exe+75b80
Stack Address 1   : 
Stack Address 2   : 
Stack Address 3   : 
Computer Name     : 
Full Path         : C:\Windows\Minidump\100213-47970-01.dmp
Processors Count  : 2
Major Version     : 15
Minor Version     : 7601
Dump File Size    : 278,512
Dump File Time    : 10/2/2013 2:00:21 PM
==================================================

==================================================
Dump File         : 091013-93912-01.dmp
Crash Time        : 9/10/2013 10:39:47 AM
Bug Check String  : 
Bug Check Code    : 0x00000124
Parameter 1       : 00000000`00000000
Parameter 2       : fffffa80`059da038
Parameter 3       : 00000000`00000000
Parameter 4       : 00000000`00000000
Caused By Driver  : ntoskrnl.exe
Caused By Address : ntoskrnl.exe+4ade7c
File Description  : NT Kernel & System
Product Name      : Microsoft® Windows® Operating System
Company           : Microsoft Corporation
File Version      : 6.1.7601.18229 (win7sp1_gdr.130801-1533)
Processor         : x64
Crash Address     : ntoskrnl.exe+4ade7c
Stack Address 1   : 
Stack Address 2   : 
Stack Address 3   : 
Computer Name     : 
Full Path         : C:\Windows\Minidump\091013-93912-01.dmp
Processors Count  : 2
Major Version     : 15
Minor Version     : 7601
Dump File Size    : 262,144
Dump File Time    : 9/10/2013 10:40:10 AM
==================================================

==================================================
Dump File         : 032113-35880-01.dmp
Crash Time        : 3/21/2013 9:11:01 AM
Bug Check String  : BAD_POOL_CALLER
Bug Check Code    : 0x000000c2
Parameter 1       : 00000000`00000007
Parameter 2       : 00000000`0000109b
Parameter 3       : 00000000`04040007
Parameter 4       : fffffa80`0658d080
Caused By Driver  : ndis.sys
Caused By Address : ndis.sys+8323
File Description  : 
Product Name      : 
Company           : 
File Version      : 
Processor         : x64
Crash Address     : ntoskrnl.exe+75c40
Stack Address 1   : 
Stack Address 2   : 
Stack Address 3   : 
Computer Name     : 
Full Path         : C:\Windows\Minidump\032113-35880-01.dmp
Processors Count  : 2
Major Version     : 15
Minor Version     : 7601
Dump File Size    : 278,512
Dump File Time    : 3/21/2013 9:12:25 AM
==================================================

==================================================
Dump File         : 091212-67751-01.dmp
Crash Time        : 9/12/2012 10:20:54 AM
Bug Check String  : 
Bug Check Code    : 0x00000124
Parameter 1       : 00000000`00000000
Parameter 2       : fffffa80`059af038
Parameter 3       : 00000000`be000000
Parameter 4       : 00000000`00800400
Caused By Driver  : hal.dll
Caused By Address : hal.dll+12a3b
File Description  : 
Product Name      : 
Company           : 
File Version      : 
Processor         : x64
Crash Address     : ntoskrnl.exe+7f1c0
Stack Address 1   : 
Stack Address 2   : 
Stack Address 3   : 
Computer Name     : 
Full Path         : C:\Windows\Minidump\091212-67751-01.dmp
Processors Count  : 2
Major Version     : 15
Minor Version     : 7601
Dump File Size    : 278,512
Dump File Time    : 9/12/2012 10:23:34 AM
==================================================
```


----------



## johnb35

Stop code 124 is a general hardware error.  Please zip up the following files and attach them to your next post.

C:\Windows\Minidump\101413-35256-01.dmp
C:\Windows\Minidump\101013-33992-01.dmp


----------
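The reply above reads the 0x124 stop code as a general hardware error. As an added example (not code from the thread or from BlueScreenView), the script below parses a BlueScreenView text export of the shape pasted earlier, fills in the bug check name BlueScreenView left blank for 0x124 (WHEA_UNCORRECTABLE_ERROR in Microsoft's bug check reference), and tallies how many crashes point at hardware versus a driver. Assumptions for the example: masking the reported code to its low 16 bits recovers the base bug check (so 0x1000009f is treated as 0x9f), and only 0x124 is counted as a hardware code. The embedded report is a constructed, trimmed copy of three records from the paste above.

```python
import re
from collections import Counter

# Bug check codes seen in the thread, with the names Microsoft's bug check
# reference gives them. BlueScreenView left 0x124's name blank in the paste above.
BUGCHECK_NAMES = {
    0x124: "WHEA_UNCORRECTABLE_ERROR",   # fatal hardware error reported via WHEA
    0x9F: "DRIVER_POWER_STATE_FAILURE",
    0xC2: "BAD_POOL_CALLER",
}
# Assumption for this example: only 0x124 is treated as a hardware verdict.
HARDWARE_CODES = {0x124}

# Constructed sample: three records from the BlueScreenView paste above, trimmed
# to the fields this script reads.
SAMPLE_REPORT = r"""
==================================================
Dump File         : 101413-35256-01.dmp
Crash Time        : 10/14/2013 12:45:04 PM
Bug Check String  : 
Bug Check Code    : 0x00000124
Parameter 1       : 00000000`00000000
Caused By Driver  : ntoskrnl.exe
Caused By Address : ntoskrnl.exe+4ade7c
Full Path         : C:\Windows\Minidump\101413-35256-01.dmp
==================================================

==================================================
Dump File         : 101013-33992-01.dmp
Crash Time        : 10/10/2013 4:43:49 PM
Bug Check String  : DRIVER_POWER_STATE_FAILURE
Bug Check Code    : 0x1000009f
Caused By Driver  : WudfPf.sys
Caused By Address : WudfPf.sys+6500
Full Path         : C:\Windows\Minidump\101013-33992-01.dmp
==================================================

==================================================
Dump File         : 032113-35880-01.dmp
Crash Time        : 3/21/2013 9:11:01 AM
Bug Check String  : BAD_POOL_CALLER
Bug Check Code    : 0x000000c2
Caused By Driver  : ndis.sys
Caused By Address : ndis.sys+8323
Full Path         : C:\Windows\Minidump\032113-35880-01.dmp
==================================================
"""


def normalize_code(code):
    """Assumption: BlueScreenView may show flag bits in the high half of the code
    (0x1000009f); masking to the low 16 bits yields the base bug check code."""
    return code & 0xFFFF


def parse_report(text):
    """Split the export on its ===== separators and read 'Key : Value' lines.
    Only the first colon separates key from value, so paths and times survive."""
    records = []
    for block in re.split(r"={10,}", text):
        fields = {}
        for line in block.strip().splitlines():
            key, sep, value = line.partition(":")
            if sep:
                fields[key.strip()] = value.strip()
        if "Dump File" in fields:
            records.append(fields)
    return records


def classify(code):
    """'hardware' for the WHEA code, 'driver' for everything else."""
    return "hardware" if normalize_code(code) in HARDWARE_CODES else "driver"


def summarize(records):
    """Count crashes per bug check name, tally verdicts, and collect the module
    BlueScreenView blamed for each bug check."""
    by_name, verdicts, drivers = Counter(), Counter(), {}
    for r in records:
        code = normalize_code(int(r["Bug Check Code"], 16))
        name = r.get("Bug Check String") or BUGCHECK_NAMES.get(code, f"0x{code:x}")
        by_name[name] += 1
        verdicts[classify(code)] += 1
        drivers.setdefault(name, set()).add(r.get("Caused By Driver", "?"))
    return {"by_name": dict(by_name), "verdicts": dict(verdicts), "drivers": drivers}


if __name__ == "__main__":
    summary = summarize(parse_report(SAMPLE_REPORT))
    for name, count in summary["by_name"].items():
        print(f"{name}: {count} crash(es), blamed on {sorted(summary['drivers'][name])}")
    print("verdicts:", summary["verdicts"])
```

Run against the full paste above, the repeated 0x124 records blamed on ntoskrnl.exe and hal.dll show why the thread lands on a hardware explanation: those modules are where a machine-check surfaces, not the module at fault, so the minidumps (and a WHEA-aware debugger) are the next stop rather than another malware scan.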



## irishluck

johnb35 said:


> Stop code 124 is a general hardware error.  Please zip up the following files and attach them to your next post.
> 
> C:\Windows\Minidump\101413-35256-01.dmp
> C:\Windows\Minidump\101013-33992-01.dmp



The 33992 one says the file can't be found for some reason, but I have the 35256 zip.


----------



## johnb35

Says Intel hardware.  But it's a general error.  Usually I would say this is due to overclocking, but since this is a laptop, it's ruled out.

May just be time for a wipe and reinstall.


----------



## irishluck

johnb35 said:


> Says Intel hardware.  But it's a general error.  Usually I would say this is due to overclocking, but since this is a laptop, it's ruled out.
> 
> May just be time for a wipe and reinstall.



Yeah, that's what I'm going to go ahead and do, because I've already replaced the hard drive and it has tested good. I did a couple of memtests and all passed.

We'll just wipe and see what happens, and I'll report back with any issues.


----------



## irishluck

Just finished the Windows install.

Is there really a way to test the computer to see if it fixed the issue? Or is it basically just running those scans again to see if anything comes up?

Edit: I'm adding a log file from aswMBR. I ran it just in case, so here it is. Does everything look good?


----------



## johnb35

It says unknown MBR code, but that could be the recovery partition.  As long as virus scans and malware scans come up clean, you should be good.  Once you perform a reinstall, it wipes everything.


----------



## irishluck

Well, maybe I should have done a complete reinstall then?
I just used the recovery media for the computer. It said it formatted the whole drive partition and then reinstalled Windows.
Usually I don't use recovery software. I usually just boot Windows up with the boot CD, format it all and reinstall Windows from there.
Is there a difference?


----------



## johnb35

Yeah, the recovery media would have reformatted the drive and made sure the recovery partition was back in order.  Either way, everything gets wiped and you start over.


----------



## irishluck

Well good.

So far so good.


I ran AVG, Malwarebytes and Kaspersky TDSSKiller and they all popped back with no threats.

I'm wondering, when I first tested the original hard drive it tested with bad sectors. Maybe those sectors are what caused all this; maybe those were some missing registry files and that's why I haven't been able to get this fully fixed (until now when I did the full wipe).


----------



## johnb35

I'm not sure if the recovery CD would actually detect bad sectors and mark them unusable like a regular formatting utility would.


----------



## irishluck

Well, I meant when the original hard drive was in there, I did a memtest and hard drive test. And so I used Western Digital software to test it, which detected the bad sectors. I'm just wondering if there was some type of registry file on that part of the hard drive that got wiped out, which has caused all of this.



I do wanna thank you for the help on this and also providing all those scans. Those will be helpful tools in the future!


----------

