I could not close Media Player, and I could not turn down or mute the volume in Media Player.
I opened the Task Manager to kill the process and noticed that there was a Media Player Classic (MPC-HC) process still running from a Penn and Teller BS video I had watched earlier. I could "end process" on Windows Media Player but could not end process or end process tree on Media Player Classic.
I tried to terminate MPC with several third-party apps like the old APT from Diamond CS, Killbox, Daphne, System Explorer, Process Explorer, SpyDllRemover, and even Radix. Nothing worked. SpyDllRemover and Radix both claimed to have killed the resilient MPC, but when I would refresh my list it was really still there, which I confirmed by cross-referencing with Task Manager. (Bill should have used MPC for the Windows shell, rather than Explorer.)
I ran several malware scans, which all came up clean. (All but SpyDllRemover, which reported 53 hidden rootkit processes that I simply dismissed as false positives because I have never heard of anyone having so many before.) After that I ran a few of the log file generators too and came up with some suspicious files running from the appdata\local\temp folder that I think were created by rkill, but I am not 100% on that. I should have run rkill in a clean sandbox to see what files and folders were created first, but I didn't, so now I am left with uncertainty.
Can anyone confirm? Are these related to rkill?
Suspicious Files in temp folder list:
and an empty folder located at:
I did see several processes (not related to MPC) listed on the "Process Viewer" tab of SpyDllRemover, in the lower pane, when I selected MPC's process and when I selected the svchost.exe process that was using the most memory. When I started to look these up on Google I found many of the same files listed on a site called Exploit-ID.com (Exploit Information Disclosure). Link: http://www.exploit-id.com/dospoc/windows-media-player-with-k-lite-codec-pack-dos-poc (I do have the K-Lite Codec Pack installed, as an alternative to RealPlayer and QuickTime.) While comparing the list there with my list, I finally spotted this (link: http://www.exploit-id.com/news/lulzsec-take-down-cia-website?) in an article to the right of the main story. When I read it, I saw that it said "2 hours ago", which was about the same time Windows Media Player decided it wanted to play my entire music collection all at once. (Then I Totally Freaked Out.) I was really shocked to think that my machine might have participated as a zombie/bot in a DDoS attack on the CIA's website. (I am far from certain that this is what happened, but it is not out of the range of possibilities either.) I got an update that had just been released for the K-Lite Codec Pack from filehippo.com and applied it immediately.

Thinking everything was cool now, I let it go for the rest of the night. I had other things to do on the 18th and 19th, so I didn't get a chance to look into it again until the 20th. I ran SpyDllRemover again and saw that the 53 hidden rootkit processes had multiplied into 114. I knew I had to get to the bottom of this, so I started to run some full scans of everything I have. (I usually use the quick scan option or only scan my C: drive.) That is just over 3.5 TB spread across 8 drives and takes 40 forevers to complete. (Actually it takes about 50 hours or so, depending on what else I am doing with the computer at the time.) Sometime in the afternoon on the 22nd I walked into my office/shop/garage and found a BSOD.
I restarted the computer into Safe Mode, opened Windows Explorer and saw that where there were once 8 hard drives, there were now just 2.
I was about as bummed as you would imagine I would be, so after ranting around the house for several minutes, some choice words, and a few door slams, I went back to my garage, restarted my computer into Safe Mode again and my drives were back. (Whew.) I then opened the MMC and went to the Device Manager.
As referenced in the topic title, there is a new and VERY suspicious "unknown" entry in the Device Manager that I have never seen on my machine or any other machine that I have ever worked on.
It makes reference to multiple hardware devices and even some (but not all) of the scan tools I ran. I have NEVER seen an instance of software (other than drivers, of course) showing up in the Device Manager as a "sibling" of a hardware device. This is the first time I have ever seen multiple (unrelated) devices showing up under a single entry together too, although they are listed only as "siblings" on the Details tab.
Here is the list:
Device Instance Path
Physical Device Object Name
Base Container ID
There is no driver selected for the device information set or element.
Class Default Security
00 0C 90 00 00 00 00 00 00 00 00 00 00 00 00 14 00 00 00
00 5C 00 04 00 00 00 00 00 14 00 00 00 00 10 01 01 00 00
00 00 05 12 00 00 00 00 00 18 00 00 00 00 E0 01 02 00 00
00 00 05 20 00 00 00 20 02 00 00 00 00 14 00 00 00 00 C0
01 00 00 00 00 00 01 00 00 00 00 00 00 14 00 00 00 00 80
01 00 00 00 00 00 05 0C 00 00 00
Class Default Security SDS
Class Long Name
Class Short Name
Has anyone else ever even heard of such a thing? I am completely confuzzled by this "unknown device."
I have never, EVER seen anything even remotely like it. Maybe that just reflects a lack of experience on my part, or maybe I have something new.
Google would not accept a query of that length, so I was hoping someone here could advise me on how to approach this thing. I would also like to submit a sample, but I'm not sure exactly what to submit or where to go to find it. (I do have a 1.99 GB memory dump, if that helps.)
ANY advice at all would really be appreciated.
(Sorry if I rambled on too much; I have not gotten much good restful sleep for the past several days.)
I'm feeling like I am in a little over my head this time.
Thanks for your time,
Edited by ATGUNWAT, 24 June 2011 - 07:07 PM.
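As an added example (not part of the original post), the "Class Default Security" bytes quoted above can be decoded instead of pasted into Google: that property is a self-relative Windows SECURITY_DESCRIPTOR, and the Python below walks its header, DACL and ACEs and renders the result as SDDL. The posted dump is one byte short on every line (the first line should begin with the descriptor revision byte 01, the second with the ACL revision byte 02); the block restores those leading bytes, which is an assumption on my part, but one that the ACL Size field (0x5C = 92 bytes) and the four well-known SIDs that then fall out both confirm. The decoded string, D:P(A;;GA;;;SY)(A;;GRGWGX;;;BA)(A;;GRGW;;;WD)(A;;GR;;;RC), is the standard default device-object DACL that wdmsec.h names SDDL_DEVOBJ_SYS_ALL_ADM_RWX_WORLD_RW_RES_R, so the descriptor itself is the ordinary default rather than anything specific to this entry.

```python
"""Decode a self-relative Windows SECURITY_DESCRIPTOR blob into SDDL.

Added example, not code from the original post. Only the structures the
posted dump actually contains are handled: one DACL of ACCESS_ALLOWED /
ACCESS_DENIED ACEs with generic access masks; a SACL, if present, is ignored.
"""
import struct

# Constructed from the post's "Class Default Security" dump. The leading byte
# of each line is missing in the post and restored here (assumption; checked
# below by the ACL Size field and by every SID decoding to a well-known SID).
CLASS_DEFAULT_SECURITY = bytes.fromhex(
    "01 00 0C 90 00 00 00 00 00 00 00 00 00 00 00 00 14 00 00 00 "
    "02 00 5C 00 04 00 00 00 00 00 14 00 00 00 00 10 01 01 00 00 "
    "00 00 00 05 12 00 00 00 00 00 18 00 00 00 00 E0 01 02 00 00 "
    "00 00 00 05 20 00 00 00 20 02 00 00 00 00 14 00 00 00 00 C0 "
    "01 01 00 00 00 00 00 01 00 00 00 00 00 00 14 00 00 00 00 80 "
    "01 01 00 00 00 00 00 05 0C 00 00 00"
)

# SDDL abbreviations for the generic-rights bits of an ACCESS_MASK.
GENERIC_RIGHTS = [(0x10000000, "GA"), (0x80000000, "GR"),
                  (0x40000000, "GW"), (0x20000000, "GX")]
# Well-known SIDs and their SDDL aliases; any other SID is printed in S-1-... form.
WELL_KNOWN_SIDS = {"S-1-5-18": "SY", "S-1-5-32-544": "BA",
                   "S-1-1-0": "WD", "S-1-5-12": "RC"}
ACE_TYPES = {0x00: "A", 0x01: "D"}          # ACCESS_ALLOWED_ACE, ACCESS_DENIED_ACE
ACE_FLAGS = [(0x01, "OI"), (0x02, "CI"), (0x04, "NP"), (0x08, "IO"), (0x10, "ID")]
SE_DACL_PRESENT, SE_DACL_PROTECTED, SE_SELF_RELATIVE = 0x0004, 0x1000, 0x8000


def parse_sid(data, off):
    """Decode a binary SID at `off`; return (S-1-... string, offset after it)."""
    revision, sub_count = data[off], data[off + 1]
    authority = int.from_bytes(data[off + 2:off + 8], "big")   # 48-bit, big-endian
    subs = struct.unpack_from("<%dI" % sub_count, data, off + 8)
    sid = "S-%d-%d%s" % (revision, authority, "".join("-%d" % s for s in subs))
    return sid, off + 8 + 4 * sub_count


def mask_to_sddl(mask):
    """Render an ACCESS_MASK made only of generic rights; otherwise fall back to hex."""
    text = "".join(tag for bit, tag in GENERIC_RIGHTS if mask & bit)
    if text and not (mask & 0x0FFFFFFF):
        return text
    return "0x%08X" % mask


def parse_acl(data, off):
    """Walk an ACL at `off`; return [(type, flags, mask, sid), ...] for its ACEs."""
    _rev, _sbz, acl_size, ace_count, _sbz2 = struct.unpack_from("<BBHHH", data, off)
    aces, pos = [], off + 8
    for _ in range(ace_count):
        ace_type, ace_flags, ace_size = struct.unpack_from("<BBH", data, pos)
        if ace_type not in ACE_TYPES:
            raise ValueError("ACE type 0x%02X not handled" % ace_type)
        (mask,) = struct.unpack_from("<I", data, pos + 4)
        sid, end = parse_sid(data, pos + 8)
        if end - pos != ace_size:
            raise ValueError("ACE size field disagrees with SID length")
        aces.append((ACE_TYPES[ace_type], ace_flags, mask, sid))
        pos += ace_size
    if pos - off != acl_size:
        raise ValueError("ACL size field 0x%X does not match the ACEs walked" % acl_size)
    return aces


def sd_to_sddl(data):
    """Translate a self-relative SECURITY_DESCRIPTOR to an SDDL string."""
    revision, _sbz, control, owner, group, _sacl, dacl = struct.unpack_from("<BBHIIII", data, 0)
    if revision != 1 or not control & SE_SELF_RELATIVE:
        raise ValueError("not a revision-1 self-relative security descriptor")
    parts = []
    for prefix, off in (("O:", owner), ("G:", group)):   # offset 0 means "no owner/group"
        if off:
            sid, _ = parse_sid(data, off)
            parts.append(prefix + WELL_KNOWN_SIDS.get(sid, sid))
    if control & SE_DACL_PRESENT:
        flags = "P" if control & SE_DACL_PROTECTED else ""
        aces = parse_acl(data, dacl) if dacl else []      # present-but-NULL DACL renders as "D:"
        body = "".join(
            "(%s;%s;%s;;;%s)" % (ace_type,
                                "".join(tag for bit, tag in ACE_FLAGS if ace_flags & bit),
                                mask_to_sddl(mask),
                                WELL_KNOWN_SIDS.get(sid, sid))
            for ace_type, ace_flags, mask, sid in aces)
        parts.append("D:" + flags + body)
    return "".join(parts)


if __name__ == "__main__":
    (dacl_off,) = struct.unpack_from("<I", CLASS_DEFAULT_SECURITY, 16)
    for ace_type, ace_flags, mask, sid in parse_acl(CLASS_DEFAULT_SECURITY, dacl_off):
        print("%s  mask=0x%08X (%s)  %s" % (ace_type, mask, mask_to_sddl(mask), sid))
    print(sd_to_sddl(CLASS_DEFAULT_SECURITY))
```

On the machine itself the same translation is a one-liner in PowerShell, since .NET ships a parser for this format: construct a System.Security.AccessControl.RawSecurityDescriptor from the byte array (offset 0) and call GetSddlForm('All'). The point of the hand-rolled version is that it shows where each field lives, which is what you need when a dump arrives with bytes missing, as this one did.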