IRP hook

[tbonez1376]

I did a scan using AVG. As I've been suspecting possible rootkits on my laptop, I ran the rootkit scan. AVG tells me there are 28 rootkits on my computer. This is a C&P copy of the log from the scan. Message continues below....



"";"<unknown>";"IRP hook, \Driver\iaStor IRP_MJ_CREATE -> 0xFFFFFA80067448DD";"Object is hidden"
"";"<unknown>";"IRP hook, \Driver\iaStor IRP_MJ_CREATE_NAMED_PIPE -> 0xFFFFFA80067448DD";"Object is hidden"
"";"<unknown>";"IRP hook, \Driver\iaStor IRP_MJ_CLOSE -> 0xFFFFFA80067448DD";"Object is hidden"
"";"<unknown>";"IRP hook, \Driver\iaStor IRP_MJ_READ -> 0xFFFFFA80067448DD";"Object is hidden"
"";"<unknown>";"IRP hook, \Driver\iaStor IRP_MJ_WRITE -> 0xFFFFFA80067448DD";"Object is hidden"
"";"<unknown>";"IRP hook, \Driver\iaStor IRP_MJ_QUERY_INFORMATION -> 0xFFFFFA80067448DD";"Object is hidden"
"";"<unknown>";"IRP hook, \Driver\iaStor IRP_MJ_SET_INFORMATION -> 0xFFFFFA80067448DD";"Object is hidden"
"";"<unknown>";"IRP hook, \Driver\iaStor IRP_MJ_QUERY_EA -> 0xFFFFFA80067448DD";"Object is hidden"
"";"<unknown>";"IRP hook, \Driver\iaStor IRP_MJ_SET_EA -> 0xFFFFFA80067448DD";"Object is hidden"
"";"<unknown>";"IRP hook, \Driver\iaStor IRP_MJ_FLUSH_BUFFERS -> 0xFFFFFA80067448DD";"Object is hidden"
"";"<unknown>";"IRP hook, \Driver\iaStor IRP_MJ_QUERY_VOLUME_INFORMATION -> 0xFFFFFA80067448DD";"Object is hidden"
"";"<unknown>";"IRP hook, \Driver\iaStor IRP_MJ_SET_VOLUME_INFORMATION -> 0xFFFFFA80067448DD";"Object is hidden"
"";"<unknown>";"IRP hook, \Driver\iaStor IRP_MJ_DIRECTORY_CONTROL -> 0xFFFFFA80067448DD";"Object is hidden"
"";"<unknown>";"IRP hook, \Driver\iaStor IRP_MJ_FILE_SYSTEM_CONTROL -> 0xFFFFFA80067448DD";"Object is hidden"
"";"<unknown>";"IRP hook, \Driver\iaStor IRP_MJ_DEVICE_CONTROL -> 0xFFFFFA80067448DD";"Object is hidden"
"";"<unknown>";"IRP hook, \Driver\iaStor IRP_MJ_INTERNAL_DEVICE_CONTROL -> 0xFFFFFA80067448DD";"Object is hidden"
"";"<unknown>";"IRP hook, \Driver\iaStor IRP_MJ_SHUTDOWN -> 0xFFFFFA80067448DD";"Object is hidden"
"";"<unknown>";"IRP hook, \Driver\iaStor IRP_MJ_LOCK_CONTROL -> 0xFFFFFA80067448DD";"Object is hidden"
"";"<unknown>";"IRP hook, \Driver\iaStor IRP_MJ_CLEANUP -> 0xFFFFFA80067448DD";"Object is hidden"
"";"<unknown>";"IRP hook, \Driver\iaStor IRP_MJ_CREATE_MAILSLOT -> 0xFFFFFA80067448DD";"Object is hidden"
"";"<unknown>";"IRP hook, \Driver\iaStor IRP_MJ_QUERY_SECURITY -> 0xFFFFFA80067448DD";"Object is hidden"
"";"<unknown>";"IRP hook, \Driver\iaStor IRP_MJ_SET_SECURITY -> 0xFFFFFA80067448DD";"Object is hidden"
"";"<unknown>";"IRP hook, \Driver\iaStor IRP_MJ_POWER -> 0xFFFFFA80067448DD";"Object is hidden"
"";"<unknown>";"IRP hook, \Driver\iaStor IRP_MJ_SYSTEM_CONTROL -> 0xFFFFFA80067448DD";"Object is hidden"
"";"<unknown>";"IRP hook, \Driver\iaStor IRP_MJ_DEVICE_CHANGE -> 0xFFFFFA80067448DD";"Object is hidden"
"";"<unknown>";"IRP hook, \Driver\iaStor IRP_MJ_QUERY_QUOTA -> 0xFFFFFA80067448DD";"Object is hidden"
"";"<unknown>";"IRP hook, \Driver\iaStor IRP_MJ_SET_QUOTA -> 0xFFFFFA80067448DD";"Object is hidden"
"";"<unknown>";"IRP hook, \Driver\iaStor IRP_MJ_PNP -> 0xFFFFFA80067448DD";"Object is hidden"


When it comes time to remove them, AVG says: "The module is different," and it can't remove it.

Does anyone have anysuggestions for getting this crap out of my computer? And can anyone tell me what these things may be doing? This has been driving me nuts for about the last 2 days.

Any help would be HUGELY appreciated!!!

Thanks!

[Deks]

Remove AVG.
Pick either MSE, Avira or Avast (just one) and re-scan your computer (either one of those 3 is far better than AVG and won't really impact performance).

Or ... if you don't want to get rid of AVG, try running it in Safe Mode to get rid of the issue.
A lot of av's cannot get rid of some infections while in standard mode.

[tbonez1376]

I've removed AVG. I've scanned in Safe Mode with MSE, SuperAntiSpyware, and Malwarebyte's Anti-Malware. All three don't detect anything when I scan in either Safe Mode or a normal boot-up.

Why would AVG give me those results, but none of the other scans don't detect anything? Thant doesn't make any sense. Unless it's just AVG just trying to get me to buy their product(s).

[sarahlee]

Remove AVG.
Pick either MSE, Avira or Avast (just one) and re-scan your computer (either one of those 3 is far better than AVG and won't really impact performance).

Or ... if you don't want to get rid of AVG, try running it in Safe Mode to get rid of the issue.
A lot of av's cannot get rid of some infections while in standard mode.

how does one get into safe mode?

sps

[Deks]

You have to restart the computer and keep pressing F8 button until it gives you a selection screen.
From there, pick 'Safe Mode' and run the antivirus once there.

another recommendation would be to download/install/update Malwarebytes and also run it from Windows Safe Mode.

[MrDJ]

avg could be giving a false positive which isnt picked up with the others.
i used to use avg pro and am now on avast pro and its tons better and not had 1 false positive since.

[Major Wedgie]

I think deks the "notebook deity" has dispensed some shocking advice here. I think none of those products can detect a rootkit and you probably have a rootkit. I think AVG is by far one of the most accurate free scanners available.

My advice if you are in doubt is to go and confirm what AVG has already told you with a Kaspersky tool called TDSSKiller. If it's not that particular rootkit then you should confirm it with the free Kaspersky scanner. Better yet, just trust the AVG tool and remove the rootkit.

[DetlevCM]

I think deks the "notebook deity" has dispensed some shocking advice here. I think none of those products can detect a rootkit and you probably have a rootkit. I think AVG is by far one of the most accurate free scanners available.

My advice if you are in doubt is to go and confirm what AVG has already told you with a Kaspersky tool called TDSSKiller. If it's not that particular rootkit then you should confirm it with the free Kaspersky scanner. Better yet, just trust the AVG tool and remove the rootkit.

Actually, iastor ist the Intel Matrix/Rapid Storage driver -> so either a false positive or a well hidden one.
A simple test would be to uninstall the Intel Rapid/Matrix Storage driver if you have one -> Registry entries may remain though.

On this note though, there is a Sysinternals Rootkit revealer - Sysinternals Security Utilities
download it and run as admin, it will take quite some time.

-> It might give you entries as possible rootkits that aren't, so you will need to evaluate every entry, but I think that's the best tool available to you.

[mujtaba]

Rootkit revealer is useless, it has not been updated in a long time.
GMER is far better though.