Ok, here is the situation. I got infected with flystudio plus a couple of generic worms, on either a drive-by exploit from a website or from Freemake Video Downloader, the only two things I've done lately. I ran Malwarebytes right away and it rebooted and removed them. After that removal process I started scanning with various rootkit detectors to make sure there wasn't something nastier dropped into my system. Nothing was found by a whole host of programs I tried, except for adwcleaner, JRT, aswMBR, combofix, and GMER. Ran sfc /scannow in safe mode, because it wouldn't run in WinRE for some reason, and it healed a few files, or so it said. Logs revealed that it healed netbios.sys.

Anyway, aswMBR detected some hooks which wouldn't go away, and GMER listed even more, a bunch of IRP hooks on atapi.sys. Even after running all the other tools, GMER continued to detect a hidden process and a couple of devices as possible rootkit, namely wdf01000.sys and kbdclass, which combofix did not touch. Well, I took care of the wdf01000 and kbdclass: I replaced them with original versions off of the install CD using DOS in WinRE. Now those don't show up anymore in the GMER scan, but the Trace IO hooks continued to show up, and that hidden process. There was no option to restore code, and no services or files to disable or delete. I could kill the process, and it did not impact my system negatively at all.

At this point I came to find the bleeping computer forum, ran defogger, and most of the list of rootkit/drivers/trace IO's completely disappeared, except for about 10 registry lines most likely related to Alcohol 120% and a bunch of .text lines that show up only when Firefox is running. Those all relate to a file named xul.dll.
So, it's down to this hidden process and a bunch of .text reports in Firefox, and the million dollar question is: is it a rootkit/malware?
As one of its threads, it lists GMER's driver, kgrcrpow.sys, located in the appdata\local\temp folder.
And the second question is: could a rootkit perhaps be hiding in one of the CD emulation drivers, just hiding until defogger re-enables them again?
All logs are attached to this thread. The hidden process and the stuff attached to Firefox are just bugging me, but I want to know if they are legit or not.