
Please help with NTOSKRNL-HOOK Generic Rootkit.d!rootkit

Q: Please help with NTOSKRNL-HOOK Generic Rootkit.d!rootkit

My computer has been afflicted with a rootkit and associated malware according to McAfee Virusscan Version 13.3, Build 13.3.115. The DAT files used in the scan are version 5560.0000 and were created on 3/21/2009.

My computer is running XP Home Edition, with SP3 installed.

The following is found when a scan is performed in SAFE MODE only. This does not show up in normal mode.


"NTOSKRNL-HOOK" "Generic Rootkit.d!rootkit" "5"
3/21/2009 6:50:16 AM "C:\WINDOWS\SYSTEM32\UACTOHUVLQF.DLL" "Generic FakeAlert.k" "5"
3/21/2009 6:50:21 AM "C:\WINDOWS\system32\UACtohuvlqf.dll" "Generic FakeAlert.k" "5"
3/21/2009 6:50:21 AM "C:\WINDOWS\SYSTEM32\UACUDRIREJN.DLL" "DNSChanger.r" "5"
3/21/2009 6:50:26 AM "C:\WINDOWS\system32\UACudrirejn.dll" "DNSChanger.r" "5"
3/21/2009 9:11:19 AM "C:\WINDOWS\SYSTEM32\UACTOHUVLQF.DLL" "Generic FakeAlert.k" "5"
3/21/2009 9:11:24 AM "C:\WINDOWS\SYSTEM32\UACtohuvlqf.dll" "Generic FakeAlert.k" "5"
3/21/2009 9:11:24 AM "C:\WINDOWS\SYSTEM32\UACUDRIREJN.DLL" "DNSChanger.r" "5"
3/21/2009 9:11:29 AM "C:\WINDOWS\SYSTEM32\UACudrirejn.dll" "DNSChanger.r" "5"


VirusScan indicates that the rootkit is cleaned. In the quarantine area, two files show up: UACTOHUVLQF.DLL and UACUDRIREJN.DLL. When I ask VirusScan to delete them, it indicates that it does. However, the DLL files persist, and after rebooting and coming back up in SAFE MODE, the same results are obtained with VirusScan, indicating the rootkit and malware are still on the computer. Please let me know if any other information is needed for a diagnosis. The report below and the zip files attached were created with Windows running in normal mode.


DDS (Ver_09-03-16.01) - NTFSx86
Run by David at 20:19:12.17 on Sat 03/21/2009
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_07
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.511.84 [GMT -5:00]

AV: McAfee VirusScan *On-access scanning enabled* (Updated)
FW: McAfee Personal Firewall *enabled*

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\WINDOWS\system32\svchost.exe -k hpdevmgmt
C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
C:\WINDOWS\system32\LxrJD31s.exe
C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\system32\svchost.exe -k netsvcs
C:\WINDOWS\system32\fxssvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Internet Explorer\Iexplore.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Secure Online Account Numbers\SOAN.exe
C:\Program Files\Dell\Support\Alert\bin\NotifyAlert.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_clipbook.exe
C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\PhoTags Express\Photags AutoDetect.exe
C:\Program Files\Sony Corporation\Picture Package\Picture Package Menu\SonyTray.exe
C:\Program Files\Sony Corporation\Picture Package\Picture Package Applications\Residence.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqbam08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgpc01.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\David\Desktop\dds.scr
C:\PROGRA~1\LINKSY~1\LinksysAdvisor.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
c:\PROGRA~1\mcafee\VIRUSS~1\mcvsshld.exe

============== Pseudo HJT Report ===============

uDefault_Page_URL = hxxp://www.dellnet.com
uStart Page = hxxp://home.knology.net/
uWindow Title = Internet Explorer Provided by BellSouth? Dial Internet Service
uInternet Connection Wizard,ShellNext = hxxp://landingstrip.dell.com/landingstrip/ls.asp?CID=1028&LID=27630&DGC=JP&DGStor=DHS&DGSite=Redirect&K=6Vp94&DURL=http://www.dell.com/us/en/dhs/default_dual_desktops.htm?rpo%3Dtrue%26keycode%3D6Vp94%26DGVCode%3DJP
uInternet Settings,ProxyOverride = <local>
mWinlogon: userinit=userinit.exe
BHO: HP Print Enhancer: {0347c33e-8762-4905-bf09-768834316c61} - c:\program files\hp\digital imaging\smart web printing\hpswp_printenhancer.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: {243b17de-77c7-46bf-b94b-0b5f309a0e64} - c:\program files\microsoft money\system\mnyside.dll
BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\tfswshx.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_07\bin\ssv.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\progra~1\mcafee\viruss~1\scriptsn.dll
BHO: DeskshopBrowserHelper Class: {8db3d69d-da5e-4165-b781-72a761790672} - c:\windows\system32\BhoDshop.dll
BHO: McAfee SiteAdvisor BHO: {b164e929-a1b6-4a06-b104-2cd0e90a88ff} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
BHO: BHO: {c9c42510-9b21-41c1-9dcd-8382a2d07c61} - c:\windows\system32\iehelper.dll
BHO: {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - No File
BHO: HP Smart BHO Class: {ffffffff-cf4e-4f2b-bdc2-0e72e116a856} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
TB: McAfee SiteAdvisor Toolbar: {0ebbbe48-bad4-4b4c-8e5a-516abecae064} - c:\progra~1\mcafee\sitead~1\mcieplg.dll
EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [EasyLinkAdvisor] "c:\program files\linksys easylink advisor\LinksysAgent.exe" /startup
uRun: [Adware_ProMFCT] c:\program files\adware_pro\Adware_Pro.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [dla] c:\windows\system32\dla\tfswctrl.exe
mRun: [StorageGuard] "c:\program files\common files\sonic\update manager\sgtray.exe" /r
mRun: [DVDSentry] c:\windows\system32\DSentry.exe
mRun: [PCMService] "c:\program files\dell\media experience\PCMService.exe"
mRun: [diagent] "c:\program files\creative\sblive\diagnostics\diagent.exe" startup
mRun: [UpdReg] c:\windows\UpdReg.EXE
mRun: [DwlClient] c:\program files\common files\dell\eusw\Support.exe
mRun: [Microsoft Works Update Detection] c:\program files\common files\microsoft shared\works shared\WkUFind.exe
mRun: [HP Component Manager] "c:\program files\hp\hpcoretech\hpcmpmgr.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [BJCFD] c:\program files\broadjump\client foundation\CFD.exe
mRun: [SecureOnlineAccountNumbers] c:\program files\secure online account numbers\SOAN.exe /dontopenmycards
mRun: [REGSHAVE] c:\program files\regshave\REGSHAVE.EXE /AUTORUN
mRun: [mcagent_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey
mRun: [WinampAgent] c:\program files\winamp\winampa.exe
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [McENUI] c:\progra~1\mcafee\mhn\McENUI.exe /hide
mRun: [SunJavaUpdateSched] "c:\program files\java\jre1.6.0_07\bin\jusched.exe"
mRun: [hpqSRMon] c:\program files\hp\digital imaging\bin\hpqSRMon.exe
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\digita~1.lnk - c:\program files\digital line detect\DLG.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\photag~1.lnk - c:\program files\photags express\Photags AutoDetect.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\pictur~2.lnk - c:\program files\sony corporation\picture package\picture package menu\SonyTray.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\pictur~1.lnk - c:\program files\sony corporation\picture package\picture package applications\Residence.exe
mPolicies-explorer: <NO NAME> =
IE: E&xport to Microsoft Excel - c:\progra~1\micros~4\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {F74E75A5-96BF-40ef-A1C8-88EAEBB82AB6} - c:\program files\secure online account numbers\SOAN.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_07\bin\ssv.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~4\office11\REFIEBAR.DLL
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
IE: {DDE87865-83C5-48c4-8357-2F5B1AA84522} - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - c:\program files\hp\digital imaging\smart web printing\hpswp_BHO.dll
IE: {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - {DD6687B5-CB43-4211-BFC9-2942CCBDCB3E} - c:\program files\microsoft money\system\mnyside.dll
Trusted Zone: internet
Trusted Zone: mcafee.com
Trusted Zone: turbotax.com
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://fpdownload.macromedia.com/get/shockwave/cabs/director/sw.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://go.microsoft.com/fwlink/?linkid=39204
DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} - hxxp://edownload.grisoft.cz/ewidoOnlineScan.cab
DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} - hxxp://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} - hxxp://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - hxxp://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,101/mcinsctl.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1193631620796
DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} - hxxp://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
DPF: {6F750202-1362-4815-A476-88533DE61D0C} - hxxp://targetphoto.kodakgallery.com/downloads/BUM/BUM_WIN_IE_2/axofupld.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - hxxp://download.mcafee.com/molbin/shared/mcgdmgr/en-us/1,0,0,20/mcgdmgr.cab
DPF: {CAFEEFAC-0016-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_06-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} - hxxp://www.adobe.com/products/acrobat/nos/gp.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} - hxxps://nasa.webex.com/client/T26L/webex/ieatgpc.cab
DPF: {E5F5D008-DD2C-4D32-977D-1A0ADF03058B} - hxxps://securemeeting.grc.nasa.gov/dana-cached/setup/JuniperSetupSP1.cab
Handler: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - c:\program files\hp\hpcoretech\comp\hpuiprot.dll
Handler: sacore - {5513F07E-936B-4E52-9B00-067394E91CC5} - c:\progra~1\mcafee\sitead~1\McIEPlg.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Eudora's Shell Extension: {edb0e980-90bd-11d4-8599-0008c7d3b6f8} - c:\program files\qualcomm\eudora\EuShlExt.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\david\applic~1\mozilla\firefox\profiles\wf08v52o.default\
FF - prefs.js: browser.startup.homepage - hxxp://home.knology.net/
FF - component: c:\program files\mcafee\siteadvisor\components\McFFPlg.dll
FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll

============= SERVICES / DRIVERS ===============

R0 Achernar;Achernar - SCSI Command Filters;c:\windows\system32\drivers\Achernar.sys [2007-12-25 16855]
R1 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2007-4-15 213640]
R2 IntuitUpdateService;Intuit Update Service;c:\program files\common files\intuit\update service\IntuitUpdateService.exe [2008-10-10 13088]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\mcafee\siteadvisor\McSACore.exe [2008-10-3 206096]
R2 McProxy;McAfee Proxy Service;c:\progra~1\common~1\mcafee\mcproxy\mcproxy.exe [2007-11-6 359952]
R2 McShield;McAfee Real-time Scanner;c:\progra~1\mcafee\viruss~1\mcshield.exe [2007-4-15 144704]
R3 Aldebaran;Aldebaran - SCSI Command Filters;c:\windows\system32\drivers\Aldebaran.sys [2007-12-25 21808]
R3 McSysmon;McAfee SystemGuards;c:\progra~1\mcafee\viruss~1\mcsysmon.exe [2007-4-15 606736]
R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2007-4-15 79304]
R3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2007-4-15 35272]
R3 mfesmfk;McAfee Inc. mfesmfk;c:\windows\system32\drivers\mfesmfk.sys [2007-4-15 40552]
S3 DSCVc;Video Capture;c:\windows\system32\drivers\CoachVc.sys [2009-1-16 44256]
S3 JL2005C;Dual Mode Camera;c:\windows\system32\drivers\jl2005c.sys [2007-1-26 68954]
S3 mferkdk;McAfee Inc. mferkdk;c:\windows\system32\drivers\mferkdk.sys [2007-4-15 34216]

=============== Created Last 30 ================

2009-03-21 20:16 0 a------- c:\windows\system32\MSVolume.dll
2009-03-21 14:00 103,331,743 a------- C:\sdat5559.exe
2009-03-21 13:01 138,384 a------- c:\windows\system32\drivers\tmcomm.sys
2009-03-21 12:19 2,126 a------- c:\windows\system32\wpa.dbl
2009-03-21 12:19 17,383 a------- c:\windows\system32\Config.MPF
2009-03-21 11:03 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-03-21 11:03 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-03-21 11:03 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-03-21 10:39 <DIR> --d----- c:\program files\common files\Wise Installation Wizard
2009-03-21 03:20 <DIR> --d----- c:\program files\Spybot - Search & Destroy
2009-03-21 03:17 <DIR> --d----- c:\program files\Adware_Pro
2009-03-15 13:18 50 a------- C:\autoexec.bak
2009-03-14 03:14 <DIR> --d----- c:\documents and settings\david\.housecall6.6
2009-03-14 00:27 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-03-13 19:40 <DIR> --d----- C:\SDAT
2009-03-13 19:17 <DIR> --d----- c:\windows\SxsCaPendDel
2009-03-13 19:10 <DIR> --d----- c:\docume~1\alluse~1\applic~1\SITEguard
2009-03-13 19:08 <DIR> --d----- c:\program files\common files\iS3
2009-03-13 19:08 <DIR> --d----- c:\docume~1\alluse~1\applic~1\STOPzilla!
2009-03-13 17:52 <DIR> --d----- C:\a078c7f6f8b0a7a524
2009-03-13 17:31 <DIR> --dsh--- c:\windows\system32\lowsec
2009-03-11 21:14 <DIR> --d----- c:\program files\common files\AnswerWorks 5.0

==================== Find3M ====================

2009-02-09 06:13 1,846,784 -------- c:\windows\system32\win32k.sys
2009-02-09 06:13 1,846,784 -------- c:\windows\system32\dllcache\win32k.sys
2009-01-17 13:08 118,784 a------- c:\windows\SeaMonkeyUninstall.exe
2009-01-17 13:08 27,779 a------- c:\windows\mozver.dat
2009-01-17 13:07 118,784 a------- c:\windows\GREUninstall.exe
2009-01-16 22:35 3,594,752 -------- c:\windows\system32\dllcache\mshtml.dll
2005-01-18 23:14 63,368 a------- c:\docume~1\david\applic~1\GDIPFONTCACHEV1.DAT
2008-09-10 11:31 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008091020080911\index.dat

============= FINISH: 20:21:36.26 ===============
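The scan log quoted at the top of this post shows the same two DLLs flagged at 6:50 AM and again at 9:11 AM, after VirusScan reported them cleaned and the machine was rebooted, with the paths spelled SYSTEM32 in some lines and system32 in others. As an added example (not code from the original post and not McAfee's own tooling), here is a small Python parser for that log format that folds the case-insensitive Windows paths to one object each, splits the lines into scan runs (by the "Scan Started:" marker used in a later post on this page where present, otherwise by a time gap), and reports which objects reappear across runs and which findings are kernel-level rather than files. The sample lines are the ones quoted in the posts; the 30-minute gap threshold and the treatment of the third quoted field as an uninterpreted code are my assumptions.

```python
import re
from collections import OrderedDict
from datetime import datetime, timedelta

# Constructed sample: the McAfee VirusScan log lines quoted in the post above,
# which came from two scan passes (about 6:50 AM and 9:11 AM) separated by a
# reboot. The SYSTEM32/system32 spellings refer to the same two files.
SAMPLE_LOG = r'''
"NTOSKRNL-HOOK" "Generic Rootkit.d!rootkit" "5"
3/21/2009 6:50:16 AM "C:\WINDOWS\SYSTEM32\UACTOHUVLQF.DLL" "Generic FakeAlert.k" "5"
3/21/2009 6:50:21 AM "C:\WINDOWS\system32\UACtohuvlqf.dll" "Generic FakeAlert.k" "5"
3/21/2009 6:50:21 AM "C:\WINDOWS\SYSTEM32\UACUDRIREJN.DLL" "DNSChanger.r" "5"
3/21/2009 6:50:26 AM "C:\WINDOWS\system32\UACudrirejn.dll" "DNSChanger.r" "5"
3/21/2009 9:11:19 AM "C:\WINDOWS\SYSTEM32\UACTOHUVLQF.DLL" "Generic FakeAlert.k" "5"
3/21/2009 9:11:24 AM "C:\WINDOWS\SYSTEM32\UACtohuvlqf.dll" "Generic FakeAlert.k" "5"
3/21/2009 9:11:24 AM "C:\WINDOWS\SYSTEM32\UACUDRIREJN.DLL" "DNSChanger.r" "5"
3/21/2009 9:11:29 AM "C:\WINDOWS\SYSTEM32\UACudrirejn.dll" "DNSChanger.r" "5"
'''

# Constructed sample in the format of a later post on this page, where explicit
# "Scan Started:" markers delimit scan runs instead of a time gap.
SAMPLE_LOG_WITH_MARKERS = r'''
8/1/2009 10:24:13 PM Scan Started: 08/01/2009 10:24:13 PM
8/1/2009 10:24:59 PM Scan Started: 08/01/2009 10:24:59 PM
8/1/2009 10:25:44 PM "NTOSKRNL-HOOK" "Generic Rootkit.d!rootkit" "5"
8/1/2009 10:29:00 PM Total objects scanned: 12981
8/1/2009 10:29:00 PM Objects detected: 1
8/1/2009 10:29:00 PM Scan Done: 08/01/2009 10:29:00 PM
'''

TS_FMT = "%m/%d/%Y %I:%M:%S %p"
# Optional leading timestamp, then the rest of the line.
LINE_RE = re.compile(
    r'^(?:(?P<ts>\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2}:\d{2} [AP]M)\s+)?(?P<rest>.*)$')
# A detection record is three quoted fields: object, detection name and a numeric
# code. The log does not say what the code means, so it is kept but not interpreted.
DETECT_RE = re.compile(r'^"(?P<obj>[^"]+)"\s+"(?P<name>[^"]+)"\s+"(?P<code>[^"]*)"\s*$')
# Assumption: without explicit markers, a gap this long between timestamps is a new scan.
NEW_RUN_GAP = timedelta(minutes=30)


def is_file_path(obj):
    """Detections on a drive path are files; anything else (e.g. NTOSKRNL-HOOK) is a kernel-level finding."""
    return ":\\" in obj


def normalize(obj):
    """Fold case on file paths: NTFS is case-insensitive, so the two spellings are one object."""
    return obj.lower() if is_file_path(obj) else obj


def parse_log(text):
    """Split the log into scan runs; each run is a list of (timestamp, object, detection_name)."""
    runs, current, last_ts = [], [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        ts = datetime.strptime(m.group("ts"), TS_FMT) if m.group("ts") else None
        rest = m.group("rest")
        marker = rest.startswith("Scan Started:")
        gap = ts is not None and last_ts is not None and ts - last_ts > NEW_RUN_GAP
        if marker or gap:
            if current:
                runs.append(current)
            current = []
        if ts is not None:
            last_ts = ts
        d = DETECT_RE.match(rest)
        if d:
            current.append((ts, d.group("obj"), d.group("name")))
    if current:
        runs.append(current)
    return runs


def summarize(runs):
    """Map each distinct object to its detection name, kernel/file kind, and the runs it appeared in."""
    seen = OrderedDict()
    for i, run in enumerate(runs):
        for _, obj, name in run:
            entry = seen.setdefault(normalize(obj),
                                    {"name": name, "kernel": not is_file_path(obj), "runs": set()})
            entry["runs"].add(i)
    return seen


def reinfection_report(text):
    """Objects seen in more than one scan run survived the 'cleaned' verdict issued in between."""
    runs = parse_log(text)
    seen = summarize(runs)
    return {
        "scan_runs": len(runs),
        "distinct_objects": len(seen),
        "persistent": sorted(k for k, v in seen.items() if len(v["runs"]) > 1),
        "kernel_findings": sorted(k for k, v in seen.items() if v["kernel"]),
    }


if __name__ == "__main__":
    for label, log in (("post log", SAMPLE_LOG), ("marker log", SAMPLE_LOG_WITH_MARKERS)):
        print(label, reinfection_report(log))
```

On the quoted lines this reports two scan runs, three distinct objects, both UAC* DLLs as persistent across runs, and NTOSKRNL-HOOK as the one finding that is not a file at all. That last distinction matters for triage: a quarantine "delete" acts on files, so a kernel-hook finding reappearing after reboot is not addressed by deleting the DLLs from quarantine.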


A: Please help with NTOSKRNL-HOOK Generic Rootkit.d!rootkit

Hello dgwaltney,

Read through this entire procedure and if you have any questions, please ask them before you begin. Then either print out, or copy this page to Notepad and save to your desktop for reference as you will not have any browsers open while you are carrying out portions of these instructions.


***************************************************

Download ComboFix from one of these locations:

Link 1
Link 2
Link 3


* IMPORTANT- Save ComboFix.exe to your Desktop

Disable your AntiVirus and AntiSpyware applications; McAfee in particular will interfere with ComboFix's removal of the rootkit.

Double click on combofix.exe & follow the prompts.

As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.


A. McAfee scan has found multiple instances of a "Generic Rootkit.d!rootkit", which it calls NTOSKRNL-HOOK, and classifies as a Trojan. It has both eliminated and quarantined them.
1) As many as 2 to 5 have been found at once.
2) Once "removed," they appear again in no time.
B. McAfee - Update Error
"An error occurred in updating. Please reinstall these programs:
- McAfee Security Center"
NOT DONE - Expected to be repetitive.
C. Defrag - no access
1) Norton Speed Disk won't start. Error Message:
"An unexpected error occurred while communicating with the Speed Disk Service (NOPDB.EXE). Please exit Speed Disk, restart the Speed Disk Service, and try again. If the problem persists, reinstall Speed Disk."
Reinstalled Speed Disk. Same result.
2) Windows XP Accessories Disk Defragmenter Error message:
"Disk Defragmenter could not start."
D. Backup - presently unable to back up.
1) My backup utility, XXCLONE, will not start. (Last backup was WAY too old.) It returns the following Error Message from its initial disk scan:
"The source volume (C:) specified in the command line does not exist, or the volume label does not match. Therefore, it will be ignored."
2) Windows XP Accessories backup component refused to start as well. Error message:
"The Backup Utility cannot connect to the Removable Storage service. This service is required for use of tape drives and other backup devices. Please exit and start the Removable Storage service using the System Services function of the Management ... Read more

A: Hijacked; Generic Rootkit.d!rootkit (NTOSKRNL-HOOK); certainly other probs.

Hello and welcome to Bleeping Computer. We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not, please perform the following steps below so we can have a look at the current condition of your machine. If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order, clean and free of malware. If you have already posted a DDS log, please do so again, as your situation may have changed. Use the 'Add Reply' and add the new log to this thread. Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:

Download DDS by sUBs from one of the following links. Save it to your desktop.
DDS.scr
DDS.pif
Double click on the DDS icon, allow it to run. A small box will open, with an explanation about the tool. No input is needed, the scan is running. Notepad will open with the results. Foll... Read more


Hello to any and all helpers,
I am new to this forum, so please help me follow the rules. I downloaded/ran the scans on the "new instructions" thing and will connect them to this post. 2 wks ago Friday I checked "the official" website of St. Exupery to see if one book was written before the other and up pops McAfee saying it identified 2 instances of the trojan named in the title of this thread. I was already late to class so I closed the window (IE7) and shut down the computer, hoping it would be better later (bad move!). When I got home.. I'm trying to remember, I believe the computer started up ok to run the scan; somewhere in that day I had to restart several times because it stalled (windows was open but wouldn't do anything). I did run the McAfee scan and delete the trojans, but my computer wouldn't restart fully until the next day, when I discovered that my internet connection would no longer work (it may not have been working right away, I'm sorry I don't remember). It said it was connected but no pages would load. Since then it has not worked, even though I tried to reconfigure the connection (and my IP address). I would say that this is a problem with the modem/router, but my bf's computer is connected to the same and it works fine (this is the computer I'm writing from btw, and he has no antivirus and is resolutely against it and so I can do nothing about it). I wanted to try to reestablish my internet connection before starting a thread so that I do... Read more

A: NTOSKRNL-HOOK, Generic Rootkit.d!rootkit & NO INTERNET CONNECTION

Hello, Exams+this :)
Welcome to TSF

My name is Billy O'Neal and I will be helping you. (Billy or Bill is fine, if you like.)
Please give me some time to look over your computer's log(s).
Please take note of the following:
In the meantime, please refrain from making any changes to your computer.
Also, even if things appear to be running better, there is no guarantee that everything is finished. Please continue to check this forum post in order to ensure we get your system completely clean. We do not want to clean you part-way up, only to have the system re-infect itself. :)
If you do not understand any step(s) provided, please do not hesitate to ask before continuing. I would much rather clarify instructions or explain them differently than have something important broken.
Finally, please reply using the button in the lower left hand corner of your screen.
Old topics are closed after 3 days with no reply, and working topics are closed after 5 days. If for any reason you cannot complete instructions within that time, that's fine, just put a post here so that I know you're still here. We get a lot of people who simply leave, and if there is no contact for that amount of time I will have to assume you have "vanished".

We Need to Run ComboFix

Note to readers of this post other than the starter of this thread:
ComboFix is a VERY POWERFUL tool which should NOT BE USED without guidance of an expert.

If this tool helped you, please consider a donation to it'... Read more


Dear Folks,

It looks like my computer is infected with Generic Rootkit.d!rootkit (Trojan) - File: NTOSKRNL-HOOK

I use McAfee Antivirus. Whenever I scan, it shows the following log and it says detected 1 and fixed 1.

8/1/2009 10:24:13 PM Scan Started: 08/01/2009 10:24:13 PM
8/1/2009 10:24:59 PM Scan Started: 08/01/2009 10:24:59 PM
8/1/2009 10:25:44 PM "NTOSKRNL-HOOK" "Generic Rootkit.d!rootkit" "5"
8/1/2009 10:29:00 PM Total objects scanned: 12981
8/1/2009 10:29:00 PM Objects detected: 1
8/1/2009 10:29:00 PM Scan Done: 08/01/2009 10:29:00 PM

Also I get BLUE Screen very often and my system gets rebooted automatically (screenshot attached).

Please help me in resolving this issue.

I downloaded "ComboFix.exe" from your website but didn't run it as I saw many times that it should not be run without proper instruction / help from Technical Folks.

I'm just waiting for your response. Please help..!!

Thanks in advance.

Cheers,
Siraj

A: Generic Rootkit.d!rootkit (Trojan) - File: NTOSKRNL-HOOK

Hi Folks,

Thanks for responding to my "Personal Message" from Orange Blossom ~ forum moderator and email from Administrator. As mentioned in the email, I followed the steps mentioned in the following "Preparation Guide For Use Before Using HijackThis and other Malware Removal Tools" which is located @ http://www.bleepingcomputer.com/forums/t/34773/preparation-guide-for-use-before-using-malware-removal-tools-and-requesting-help/
1. Data Backup - Done
2. Verified that my computer is infected by NTOSKRNL-HOOK trojan
3. Steps 3, 4 & 5 are also done
6. Downloaded DDS and scanned my computer. When I tried to run this scan, I got the warning in the same Command Prompt with the message three times like "Not enough memory to complete the sort.". After that the scan has produced two files (DDS.txt and Attach.txt).
7. Responded to my own topic which I've created on Aug 2nd, 2009. Please help me out in resolving this issue ASAP.

Please find the log from DDS.txt file which is pasted at the bottom of this message. I'll upload the Attach.txt file, if you want. Please let me know.

Problem with my computer is that
- I get blue screen often and it gets rebooted by itself (I'm losing all the data).
- System hangs when Windows Logon Screen appears (only sometimes); I'm not able to login. I've to hardboot.

Just curious: When DDS.scr was scanning, I found the following EXE files processing in the background in "TASK MANAGER". Please confirm whether they are genuine.
fi.exe
wregs.exe
findstr.exe
dds.scr
eds.exe
cs... Read more


[Attachment: Attach.zip, 4.33KB]
This was a redirect by OBlossom.

Hi, hope you can help. I clicked on a link to a web page that I shouldn't have and got a popup saying I needed to update my Adobe, thinking all was ok! When I did that another popup came and said I may be infected and it wanted me to click on their link. Which I didn't; instead I tried closing the windows, even with Ctrl-Alt-Del, it wouldn't let me. Then returning to desktop, McAfee said something wanted access and if I allowed. Again, no! The only way out was a reboot, which took some time to shutdown. When the system came back on I got a window saying Google installer had a problem and had to close, never had that before. It did have a "more info" link, which I clicked and a new window opened up saying something about UACD.SYS & WJQS.EXE! I found them in the registry, I knew I had a problem. After running McAfee it said something about NTOSKRNL-HOOK and Generic RootKit.d!RootKit. Needless to say I am here. I would continue to get that popup, about Google Installer needing to close. Also when I did a search and would click on a link I would get the "WindowsClick" and was redirected to another web page. Ok, try to shorten it, I tried a lot and nothing seemed to help. Until I read here and ran ComboFix, it seemed to work! Had to make note of some files "UAC******.dll and one UAC******.dat another was Service_Uac.sys, ... Read more

A: NTosKrnl-Hook UACD.SYS WJQS.EXE Generic RootKit.d!RootKit

I just wanted to mention an oddity I've noticed: my msn.com link in favorites keeps disappearing. I've saved it, then it's gone again! I'm not proceeding with anything else until told to do so. Though I do hope to understand this soon and rectify its problems! Thanks again,

Hello RikCab,
We ask that once you have posted your log and are waiting, please DO NOT "bump" your thread or make further replies until it has been responded to by a member of the HJT Team. The reason we ask this or do not respond to your requests is because that would remove you from the active queue that Techs and Staff have access to. The malware staff checks the forum for postings that have 0 replies as this makes it easier for them to identify those who have not been helped. If you post another response, there will be 1 reply. A team member, looking for a new log to work, may assume another HJT Team member is already assisting you and not open the thread to respond.
That is why I have made an edit to your last post, instead of a reply. Please do not multiple post here, as that only pushes you further down the queue and causes confusion to the staff.
Please be patient. It may take a while to get a response but your log will be reviewed and answered as soon as possible.
Thank you for understanding.
Regards,
The weatherman (Moderator)

Thanks weatherman, I did just read about that while scanning another's post. I was going to make a note of it here, but you beat me to it, lol. I did try to edit m... Read more


Currently the system shows to have ntoskrnl-hook - generic rootkit.d!rootkit 5. The only AV that seems to detect it is McAfee. It states that it has removed it and it keeps coming back. System restore is off. The different scans I have run seem to have taken most of it out, but it just starts over and infects more. Below are the reports. Thanks for any and all help in advance. Below is DDS and I have attached the other DDS "Attach" and the RootRepeal report "ark".
DDS (Ver_09-07-30.01) - NTFSx86
Run by Bryan Miller at 20:30:32.37 on Tue 08/18/2009
Internet Explorer: 7.0.5730.11 BrowserJavaVersion: 1.6.0_15
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1023.399 [GMT -5:00]

AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
C:\WINDOWS\Explorer.EXE
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Google\Update\1.2.183.7\GoogleCrashHandler.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\Microsoft Offi... Read more

A:Infected with ntoskrnl-hook - generic rootkit.d!rootkit 5

Hello.

One of the infections is a rootkit. Rootkits and backdoor Trojans are very dangerous because they use advanced techniques (backdoors) as a means of accessing a computer system that bypasses security mechanisms and steal sensitive information which they send back to the hacker. Many rootkits can hook into the Windows 32-bit kernel, and patch several APIs to hide new registry keys and files they install. Remote attackers use backdoor Trojans and rootkits as part of an exploit to gain unauthorized access to a computer and take control of it without your knowledge.

If your computer was used for online banking, has credit card information or other sensitive data on it, you should immediately disconnect from the Internet until your system is cleaned. All passwords should be changed immediately, to include those used for banking, email, eBay, PayPal and online forums. You should consider them to be compromised. You should change each password by using a different computer and not the infected one. If not, an attacker may get the new passwords and transaction information. If using a router, you need to reset it with a strong logon/password so the malware cannot gain control before connecting again. Banking and credit card institutions should be notified of the possible security breach. Because your computer was compromised, please read How Do I Handle Possible Identity Theft, Internet Fraud and CC Fraud?

Although the rootkit has been identified and may be removed, your PC has l... Read more


I've tried almost everything to get rid of this trojan and I always end up with one of two results. First, when the computer reboots it automatically reboots through a continuous cycle once it hits the Windows screen. Second, I log onto Windows and start to run a program, and a physical memory dump occurs. I also think my external hard drive has the virus on it, although none of the hundreds of virus scans I've completed show a virus on the drive. Please give me some insight on what to do. Thanks



DDS (Ver_09-07-30.01) - NTFSx86
Run by paul at 19:41:12.95 on Sat 08/01/2009
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.527 [GMT 4.5:30]

AV: McAfee VirusScan *On-access scanning enabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
C:\WINDOWS\system32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\McAfee\SiteAdvisor\McSACore.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\Program Files\McAfee\VirusScan\McShield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\McAfee\MSK\MskSrver.exe
c:\WINDOWS\system32\ZuneBusEnum.exe ... Read more

A:generic rootkit.d rootkit NTOSKRNL-HOOK problems

Hi there,

Looks a lot better, but let's run a few more checks.

1. Please open Notepad: click Start, then Run.
Type notepad.exe in the Run box.

2. Now copy/paste the entire content of the codebox below into the Notepad window:


Code:
FileLook::
c:\windows\S0A0D9E6F.tmp
c:\users\paul\cc_20090725_201550.reg

DirLook::
c:\program files\My-Proxy
c:\users\paul\APPLIC~1\lsptttiq
c:\users\NetworkService\Application Data\lsptttiq

RegNull::
[HKEY_USERS\S-1-5-21-436374069-1715567821-1801674531-1004\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{52432C9E-AC35-115A-59A8-20D2B4352033}*]

RegLock::
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{7B8E9164-324D-4A2E-A46D-0165FB2000EC}]

RegLockDel::
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{d620a955-eb2d-4b83-8024-1840b1f2d536}]

3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.



5. After reboot, (in case it asks to reboot), please post the Combofix.txt report into your next reply.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Please download RegQuery by Noviciate to your desktop.
Copy the following registry keypath by highlighting the text and pressing CTRL and C at the same time:
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon
Double click RegQuery.exe to run the program.
Paste the text you have copied, using CTRL and V, into the textbox.
Cli... Read more


Yes, I've tried running almost every possible program in safe mode to remove this trojan, but every time I reboot I get either a continuous cycle of recurring blue screens that reboot the computer, or any time I try running a program a physical memory dump occurs and the computer restarts this way. I've been working on this for about 2 weeks now and it's really starting to get annoying. Please help.

A:Can't remove generic rootkit.d rootkit NTOSKRNL-HOOK

Hello and Welcome to TSF.

We want all our members to perform the steps outlined in the link I'll give you below, before posting for assistance. There's a sticky at the top of this forum, and a
Quote:
Having problems with spyware and pop-ups? First Steps
link at the top of each page.

---------------------------------------------------------------------------------------------

Please follow our pre-posting process outlined here:

http://www.techsupportforum.com/f50/...lp-305963.html

After running through all the steps, you shall have a proper set of logs. Please post them in a new topic, as this one shall be closed.

If you have trouble with one of the steps, simply move on to the next one, and make note of it in your reply.

Please note that the Virus/Trojan/Spyware Help forum is extremely busy, and it may take a while to receive a reply.


Hi,

I am here to ask for help with removing NTOSKRNL-HOOK Generic Rootkit.d!rootkit infection that appears to be redirecting most browser search attempts indicating 'www.clickover.cn' within the url.

I have run DDS and included the resulting .txt and Attach as instructed.

Thank you for your support!

Regards

DDS (Ver_09-06-26.01) - NTFSx86
Run by Norm at 1:38:45.54 on Thu 07/30/2009
Internet Explorer: 7.0.5730.13
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1287 [GMT -5:00]

AV: Spyware Doctor with AntiVirus *On-access scanning disabled* (Updated) {D3C23B96-C9DC-477F-8EF1-69AF17A6EFF6}
AV: AntiVir Desktop *On-access scanning disabled* (Outdated) {AD166499-45F9-482A-A743-FDD3350758C7}
AV: McAfee VirusScan *On-access scanning enabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\system32\svchost -k rpcss
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\System32\svchost.exe -k NetworkService
C:\WINDOWS\System32\svchost.exe -k LocalService
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\WINDOWS\System32\svchost.exe -k LocalService
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\Spyware Doctor\p... Read more

A:Please Help Removing NTOSKRNL-HOOK Generic Rootkit.d!rootkit

Hello and welcome to TSF!

Regarding the rootkit and backdoors in general:

Unfortunately, one or more of the identified infections is a backdoor trojan.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the trojan has been identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identity Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall

We can still clean this machine, but I can't guarantee that it will be 100% secure afterwards. Let me know what you decide to do.


----

If you wish to continue, follow the steps below; otherwise let me know.



We are going to start with Combofix.

Download and Run ComboFix

Note to readers of t... Read more


On startup:

Webroot Spysweeper gives a popup error:
"The installation has been damaged. Please reinstall the product. (105)

Followed by another popup error:
The connection to the program engine has been lost or terminated.
The program will now close and restart.
If you experience and problems please contact ....

McAfee Security Center gives a popup error:
McAfee Virus Scan On Demand Scan has encountered a problem and needs to close. We are sorry for the inconvience ....

Followed by another popup error:
Scanning has encountered a problem from which it can not recover.
Here are the problem details:
-Error getting scan progress.
When finished you will return to the home window.

After startup:

1. I cannot launch Spysweeper at all.
2. I can open McAfee and can sometimes run a scan, which reports:
NTOSKRNL-HOOK Generic Rootkit.d!rootkit
3. Google searches return entries which are redirected to different sites when selected.

I was able to complete a DDS scan but not the GMER scan which would not open a user window once I downloaded it and unzipped it. It did run in the background and I could not find an ark file.

DDS (Ver_09-07-30.01) - NTFSx86
Run by warrenb at 15:42:18.87 on Tue 08/18/2009
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_13
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.535 [GMT -4:00]

AV: McAfee VirusScan *On-access scanning enabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FA... Read more

A:NTOSKRNL-HOOK Generic Rootkit.d!rootkit

Hello.

Try RootRepeal instead:

Download and run RootRepeal CR

Please download RootRepeal from the following location and save it to your desktop.
Direct Download (Recommended)
Primary Mirror
Secondary Mirror
Secondary Mirror
Secondary Mirror

Zip Mirrors (Recommended if you have a slower connection or if the Direct Download mirror is down)
Primary Mirror
Secondary Mirror
Secondary Mirror

Unzip the RootRepeal.zip file to its own folder. (If you did not use the "Direct Download" mirror to download RootRepeal.)
Close/Disable all other programs especially your security programs (anti-spyware, anti-virus, and firewall) Refer to this page, if you are unsure how.
Physically disconnect your machine from the internet as your system will be unprotected.
Double-click on RootRepeal.exe to run it. If you are using Vista, please right-click and run as Administrator...
Click the tab at the bottom.
Now press the button.
A box will pop up, check the boxes beside All Seven options/scan area

Now click OK.
Another box will open, check the boxes beside all the drives, eg : C:\, then click OK.
The scan will take a little while to run, so let it go unhindered.
Once it is done, click the Save Report button.
Save it as RepealScan and save it to your desktop.
Reconnect to the internet.
Post the contents of that log in your reply please.

~Extremeboy


Initially got a System Security virus that was removed using Malwarebytes. Subsequently got several other viruses, all removed with Malwarebytes. Got a variety of BSODs. Right now I appear to have everything cleaned except a rootkit, since McAfee consistently reports a NTOSKRNL-HOOK Generic Rootkit.d!Rootkit that it consistently says is removed but is actually not removed. Also Malwarebytes reports a \\?\globalroot\systemroot\ssytem32\geyekrlcbmkryv.dll (Trojan.TDSS) that it reports removed but is not actually removed. I suspect these are related. Also cannot start in Safe Mode right now. Additionally, when running RootRepeal I got the following message: "Could Not Read Boot Sector. Try Adjusting the Disk Acess Level in the Options Dialog." I tried with several different settings and got the same message. I also got the following message on RootRepeal: "Could Not Read Sstem Registry! Please Contact the Author!" The details showed Unrecognized Partition Type 6 (0x6)!.
See DDS.txt, ark.txt files below and Attach.txt attached.
Thanks for your help.

DDS (Ver_09-07-30.01) - NTFSx86
Run by Elaine at 18:27:20.10 on Fri 08/28/2009
Internet Explorer: 7.0.5730.13
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2558.1839 [GMT -5:00]

AV: McAfee VirusScan *On-access scanning enabled* (Outdated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA0... Read more

A:NTOSKRNL-HOOK Generic Rootkit.d!Rootkit

Hello PonchyRCA,

Has your McAfee SecurityCenter (Antivirus) expired? Let's try running RootRepeal a different way.

Close/Disable all other programs especially your security programs (anti-spyware, anti-virus, and firewall). Refer to this page, if you are unsure how.
Physically disconnect your machine from the internet as your system will be unprotected.
Double-click on RootRepeal.exe to run it. If you are using Vista, please right-click and run as Administrator...
Click the tab at the bottom. Now press the button.
A box will pop up, check the box beside Drivers area (leave the others unchecked). Now click OK.
Another box will open, check the boxes beside all the drives, eg : C:\, then click OK.
The scan will take a little while to run, so let it go unhindered.
Once it is done, click the Save Report button. Save it as RepealScan and save it to your desktop.
Reconnect to the internet.
Post the contents of that log in your reply please.
Post those logs back in your next reply.


I appear to have picked up this NTOSKRNL-HOOK Generic Rootkit.d!rootkit virus whilst surfing the net yesterday. My computer is/should be protected by the McAfee Security Center; however, it hasn't stopped this one and it has clogged my computer.

Whenever I try to start Windows normally, I get the Blue Screen error. I cannot turn off the system restore points either. I have run the virus scanner numerous times, which has allegedly removed the infection; however, it normally reappears after the restart.

I have done the reports that you have requested, which now follow.

A:NTOSKRNL-HOOK Generic Rootkit.d!rootkit

Hello and Welcome to TSF.

Please Subscribe to this Thread to get immediate notification of replies as soon as they are posted. To do this click Thread Tools, then click Subscribe to this Thread. Make sure it is set to Instant notification by email, then click Add Subscription.

Please note that the forum is very busy and if I don't hear from you within three days this thread will be closed.

------------------------------------------------------

Please note that these fixes are not instantaneous. Most infections require more than one round to properly eradicate.

Please stay with me until given the 'all clear' even if symptoms seemingly abate.

Kindly follow my instructions and please do no fixing on your own or running of scanners unless requested by a helper.

------------------------------------------------------

Please visit this webpage for download links, and instructions for running ComboFix:

http://www.bleepingcomputer.com/comb...o-use-combofix

* Ensure you have disabled all antivirus and antimalware programs so they do not interfere with the running of ComboFix.

Get help here

Please post the C:\ComboFix.txt in your next reply for further review.

------------------------------------------------------


Hi, every time I run McAfee scans, the scan results in 1 repaired trojan. It says that Ntoskrnl-hook has been resolved, but it is there every time I scan; it comes back and it redirects the page when I click the links. I've tried to run McAfee in safe mode. I also downloaded anti-malware hardware, but it won't run the programs. Any help would be greatly appreciated.

DDS (Ver_09-05-14.01) - NTFSx86
Run by cmwebb at 23:43:01.03 on Sat 06/13/2009
Internet Explorer: 7.0.5730.13
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.639.93 [GMT -7:00]

AV: McAfee VirusScan *On-access scanning enabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Microsoft Works\WksSb.exe
C:\Program Files\SiteAdvisor\6172\SiteAdv.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Fisher-Price\Easy-Link internet launch pad\Easy-Link internet launch pad.exe
C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ArcCon.ac... Read more

A:Ntoskrnl-hook, generic rootkit.d!rootkit

Hello, and Welcome to TSF.

Please subscribe to this thread to get immediate notification of replies as soon as they are posted. To do this click Thread Tools, then click Subscribe to this Thread. Make sure it is set to Instant Notification, then click Subscribe.

Before beginning the fix, read this post completely. If there's anything that you do not understand, kindly ask your questions before proceeding. Ensure that there aren't any opened browsers when you are carrying out the procedures below. Save the following instructions in Notepad as this webpage would not be available when you're carrying out the fix.

It is IMPORTANT that you don't miss a step & perform everything in the correct order/sequence.

---------------------------------------------------------------------------------------------

Please note that these fixes are not instantaneous. Most infections require more than one round to properly eradicate.

Stay with me until given the 'all clear' even if symptoms diminish. Lack of symptoms does not always mean the job is complete.

Kindly follow my instructions and please do no fixing on your own or running of scanners unless requested by me or another helper at this forum.

---------------------------------------------------------------------------------------------
Download Combofix from any of the links below. You must rename it before saving it. Save it to your desktop.

Link 1
Link 2
Link 3 ... Read more


I have this rootkit trojan "NTOSKRNL-HOOK" and cannot get rid of it. McAfee finds it and says it deletes it, but it is still there. It keeps changing my security settings. I am having to use my old computer to access the internet because Internet Explorer has stopped working. I installed Firefox, but this virus won't allow it to run either. I have included the DDS.txt log, but when I tried to run the ROOTREPEAL program it just kept locking up and wouldn't respond. Any help would be greatly appreciated, thanks in advance.

DDS (Ver_09-07-30.01) - NTFSx86
Run by Shaun at 15:56:21.16 on Sun 09/06/2009
Internet Explorer: 8.0.6001.18813
Microsoft® Windows Vista™ Home Basic 6.0.6002.2.1252.1.1033.18.1790.901 [GMT -4:00]

SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C... Read more

A:NTOSKRNL-HOOK TROJAN generic rootkit

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not, please perform the following steps below so we can have a look at the current condition of your machine. If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order, clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed. Use the 'Add Reply' and add the new log to this thread.

Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:

Download DDS by sUBs from one of the following links. Save it to your desktop.
DDS.scr
DDS.pif
Double click on the DDS icon, allow it to run.
A small box will open, with an explanation about the tool. No input is needed, the scan is running.
Notepad will open with the results.
Foll... Read more


I'm working on my dad's computer. It seems to have a ntoskrnl-hook generic rootkit virus. I have run ComboFix. My report is listed below. I then tried to run Kaspersky, but the downloading was interrupted and the dialogue box told me to download it from Kaspersky Labs. It didn't give any instructions on how to download it or even what website to go to. I then rebooted into normal mode (had been in safe mode before). The boot up was successful. I ran Malwarebytes (which I hadn't been able to run before I ran ComboFix). It ran successfully and found 23 infected objects (I removed them all. Most were from the vendor AdWare; others were labeled Trojan). Just wondering what steps I should take next (besides bringing my dad to the Apple store). He's using the computer as normal and is going to report back anything strange. Before ComboFix it would not boot properly, a radio station would play randomly, and as the virus progressed the computer would just freeze up. Hopefully those problems have been solved with ComboFix.

Below are the logs for both Combofix and Malware Bytes

Here is the log generated by combofix:
ComboFix 09-10-24.06 - Administrator 10/25/2009 10:56.1.2 - NTFSx86 NETWORK
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1014.797 [GMT -5:00]
Running from: c:\documents and settings\Administrator\Desktop\ComboFix2.exe
AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *e... Read more


Please help me get back my laptop. I cannot log onto my laptop regularly anymore; every time I do I get a blue error screen. I can log on to it in safe mode only, and when I'm on the internet it takes me to sites I wasn't going to. I did a scan in McAfee and it showed that I had 2 trojan viruses (NTOSKRNL-HOOK" "Generic Rootkit.d!rootkit) and it says that it's removed. But when I do another scan they're both there again and they won't go away. So can someone please help me get rid of this and get back my laptop. Thank you

A:Virus Help NTOSKRNL-HOOK" "Generic Rootkit.d!rootkit

Hello and welcome to TSF.

If you can boot into Safe Mode with internet, use that option to download the required tools. Otherwise, download the tools needed to a flash drive or other removable media, and transfer them to the infected computer.

We want all our members to perform the steps outlined in the link given below, before posting for assistance. There's a sticky at the top of this forum, and a
Quote:
Having problems with spyware and pop-ups? First Steps
link at the top of each page.

Please follow our pre-posting process outlined here:

http://www.techsupportforum.com/f50/...lp-305963.html

After running through all the steps, you shall have a proper set of logs. Please post them in a new topic, as this one shall be closed.

If you have trouble with one of the steps, simply move on to the next one, and make note of it in your reply.


Please help me get back my laptop. I cannot log onto my laptop regularly anymore; every time I do I get a blue error screen. I can log on to it in safe mode only, and when I'm on the internet it takes me to sites I wasn't going to. I did a scan in McAfee and it showed that I had 2 trojan viruses (NTOSKRNL-HOOK" "Generic Rootkit.d!rootkit) and it says that it's removed. But when I do another scan they're both there again and they won't go away. So can someone please help me get rid of this and get back my laptop. Thank you

DDS (Ver_09-03-16.01) - NTFSx86 NETWORK
Run by B-FRESH at 18:22:46.78 on Tue 05/12/2009
Internet Explorer: 7.0.6001.18000
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.3002.2330 [GMT -7:00]


============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\Explorer.EXE
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc... Read more

A:Virus Help NTOSKRNL-HOOK" "Generic Rootkit.d!rootkit

Hello and welcome to TSF

Backdoor Threat

Unfortunately, one or more of the identified infections is a backdoor trojan.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the trojan has been identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identity Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall

If you wish to continue, follow the instructions below please.

Install Recovery Console and Run ComboFix

Note to readers of this post other than the starter of this thread:
ComboFix is a VERY POWERFUL tool which should NOT BE USED without guidance of an expert.

Please download Combofix from any of the links below, and save it to your desktop.

Link 1
Link 2
Link 3
Close/disa... Read more


I recently downloaded what McAfee said was a clean file. NOT! I ended up getting a Rootkit called NTOSKRNL-ROOT. I don't know what exactly it is doing in there, but I cannot get into the normal OS (Win Vista Business) because of a blue screen of death every time I try to boot. The bluescreen reads as follows:

*** STOP: 0x0000008E (0xC0000005, 0x823E6E7E, 0x9D777010, 0x00000000)

I can only get into safe mode. I did run ComboFix before I read that I shouldn't do that. Doesn't seem like I screwed anything up worse than it already is. McAfee is friggin' useless because it detects NTOSKRNL-HOOK twice and says it has removed it, but it didn't. Here is my DDS log (again, this is from a safe mode - no networking boot):

DDS (Ver_09-03-16.01) - NTFSx86 MINIMAL
Run by Dave at 19:00:49.15 on Tue 05/05/2009
Internet Explorer: 8.0.6001.18702
Microsoft® Windows Vista™ Business 6.0.6001.1.1252.1.1033.18.3070.2599 [GMT -5:00]

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\Explorer.EXE
C:\PROGRA~1\Mc... Read more

A:NTOSKRNL-ROOT (Generic Rootkit.d!rootkit) - HELP!

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not, please perform the following steps below so we can have a look at the current condition of your machine. If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order, clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed. Use the 'Add Reply' and add the new log to this thread.

Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:

Download DDS by sUBs from one of the following links. Save it to your desktop.
DDS.com
DDS.scr
DDS.pif
Double click on the DDS icon, allow it to run.
A small box will open, with an explanation about the tool. No input is needed, the scan is running.
Notepad will open with the resul... Read more


Hi,

I'm getting a blue screen error when logging on to my computer in normal mode, and then it shuts itself down to prevent harm to my computer, it says.

My PC will not boot in normal mode. I am able to boot it in Safe Mode. The operating system is Windows Vista Home Premium (SP1) which has been updated through Automatic Update regularly.

When I run McAfee Virus Scan while in Safe Mode it indicates that it has found and fixed 2 instances of ?NTOSKRNL-HOOK? ?Generic Rootkit.d!rootkit??5?. While McAfee indicates that this has been fixed, every time I try to boot the computer the same thing happens (e.g. fails to boot in normal mode, only boots in safe mode) and McAfee finds the same rootkit issue when I run it while the PC is in safe mode. McAfee seems to be incapable of fixing the issue despite the indication that it has done so. Any help on this will be very much appreciated

Below is the DDS info and the zipped Attach and Ark file are attached.

DDS (Ver_09-03-16.01) - NTFSx86 NETWORK
Run by Tushar at 10:15:32.41 on 22-04-2009
Internet Explorer: 7.0.6001.18000
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.91.1033.18.3061.2181 [GMT 5.5:30]


============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRe... Read more

A:"NTOSKRNL-HOOK" "Generic Rootkit.d!rootkit" "5"

Hello and welcome to TSF


Please visit this webpage for download links, and instructions for running combofix:

http://www.bleepingcomputer.com/comb...o-use-combofix

* Ensure you have disabled all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Please include the C:\ComboFix.txt in your next reply for further review.

You can download Combofix via Safe Mode with Networking if you are still unable to boot into normal mode.

Please note that the forum is very busy and if I don't hear from you within three days this thread will be closed.


Please help me get back my laptop. I can not log on to my laptop regularly anymore; every time I do I get a blue error screen. I can log on to it in safe mode only, and when I'm on the internet it takes me to sites I wasn't going to. I did a scan in McAfee and it showed that I had 2 trojan viruses ("NTOSKRNL-HOOK" "Generic Rootkit.d!rootkit") and it says that they're removed. But when I do another scan they're both there again and they won't go away. So can someone please help me get rid of this and get back my laptop. Thank you.

DDS (Ver_09-03-16.01) - NTFSx86 NETWORK
Run by B-FRESH at 18:22:46.78 on Tue 05/12/2009
Internet Explorer: 7.0.6001.18000
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.3002.2330 [GMT -7:00]


============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Windows\Explorer.EXE
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\PROGRA~1\McAfee... Read more

A:NTOSKRNL-HOOK ROOTKIT help

Hello and welcome to TSF.

Please don't start a new thread for the same issue. Also, bumping your thread multiple times ensures that your thread gets overlooked. We ask that no one bump a thread before 72 hrs have passed, and then, only once.

NEW INSTRUCTIONS - Read This Before Posting For Malware Removal Help

Quote:

If no one has replied to your thread within 72hrs after you posted, please reply in your thread with the words "BUMP, please" to move it forward. Do NOT bump the thread unless 72 hours have passed. We try to work from oldest to newest posts so your wait will be longer if you bump it forward before the 72 hours are up. When looking for threads to respond to, we look for threads with 0 replies, or 1 reply. So, do not bump more than once. If you do, it may appear as though the thread is being handled, and it may be overlooked. Early bump posts will be deleted.

Please be patient. If there is an immediate need, you can take the machine to a local technician.


Quote:

Please be considerate of the fact that the people helping you are all volunteers, and in many cases usually have a job, and a limited amount of time to help, and therefore can only do so much. Also please note that there are many more people in need of assistance than there are trained staff members who may assist. Patience for this free assistance is required. If there is an immediate need, please take the machine to a local technici... Read more


I have run multiple McAfee virus scans which have shown positive for the NTOSKRNL virus, supposedly removing them. Yet, when I run the scan again, the virus is still there. In addition, whenever I try to open up my laptop normally (running Vista), the login screen crashes and shows a blue screen talking about a crash dump. Then the laptop restarts again. At the moment I am in safe mode. Please help me fix this problem.

Here is the DDS.txt
DDS (Ver_09-06-26.01) - NTFSx86 NETWORK
Run by kevin at 10:37:42.75 on Wed 07/15/2009
Internet Explorer: 7.0.6001.18000 BrowserJavaVersion: 1.6.0_13
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.3069.2511 [GMT -5:00]

SP: Windows Defender *disabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\McAfee\MPF\MPFSrv.ex... Read more

A:Infected with a NTOSKRNL-HOOK rootkit

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not, please perform the following steps below so we can have a look at the current condition of your machine. If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order, clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.

Use the 'Add Reply' and add the new log to this thread.

Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:

Download DDS by sUBs from one of the following links. Save it to your desktop.
DDS.scr
DDS.pif

Double click on the DDS icon, allow it to run.
A small box will open, with an explanation about the tool. No input is needed, the scan is running.
Notepad will open with the results.
Foll... Read more


Hi,

I have Mcafee installed on my PC and it is updated daily. A couple of days back, when I came back home, there was a popup of Malware detector on my machine. I quickly uninstalled it and ran a quick scan of my PC. During the first scan, my PC got rebooted automatically. I ran another scan and it gave some infections (around 15-18). Mcafee managed to remove all the infections except one. Now, whenever I scan my PC, I always get a rootkit trojan d!rootkit NTOSKRNL-HOOK. Every time Mcafee says that it has deleted this infection, but with the next scan I can still see the infection. There is no file path mentioned in the scan result.

Now, I can see IExplorer.exe launched every time in the task manager (there is no IE instance opened in the GUI, it's only in the background).

I have a securom service active on my PC which I believe to be the cause of this trojan? I want to remove securom and all related services.

Can someone please help me remove this trojan?

Regards
InfectedWithVirus

DDS.txt log

DDS (Ver_09-12-01.01) - NTFSx86
Run by KAB at 22:52:26.92 on Fri 01/15/2010
Internet Explorer: 6.0.2900.2180
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1994.1410 [GMT 5.5:30]

AV: Malware Defense *On-access scanning enabled* (Outdated) {28e00e3b-806e-4533-925c-f4c3d79514b9}
AV: McAfee VirusScan Enterprise *On-access scanning disabled* (Updated) {918A2B0B-2C60-4016-A4AB-E868DEABF7F0}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k Dcom... Read more

A:Problem with d!rootkit NTOSKRNL-HOOK

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not, please perform the following steps below so we can have a look at the current condition of your machine. If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order, clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.

Use the 'Add Reply' and add the new log to this thread.

Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:

Download DDS by sUBs from one of the following links. Save it to your desktop.
DDS.scr
DDS.pif

Double click on the DDS icon, allow it to run.
A small box will open, with an explanation about the tool. No input is needed, the scan is running.
Notepad will open with the results.
Foll... Read more


Hi,

I have Mcafee installed on my PC and it is updated daily. A couple of days back, when I came back home, there was a popup of Malware detector on my machine. I quickly uninstalled it and ran a quick scan of my PC. During the first scan, my PC got rebooted automatically. I ran another scan and it gave some infections (around 15-18). Mcafee managed to remove all the infections except one. Now, whenever I scan my PC, I always get a rootkit trojan d!rootkit NTOSKRNL-HOOK. Every time Mcafee says that it has deleted this infection, but with the next scan I can still see the infection. There is no file path mentioned in the scan result.

Now, I can see IExplorer.exe launched every time in the task manager (there is no IE instance opened in the GUI, it's only in the background).

I have a securom service active on my PC which I believe to be the cause of this trojan? I want to remove securom and all related services.

Can someone please help me remove this trojan?

Regards
InfectedWithVirus

A:Problem with d!rootkit NTOSKRNL-HOOK

Hello and welcome to TSF.

We want all our members to perform the steps outlined in the link given below, before posting for assistance. There's a sticky at the top of this forum, and a "Having problems with spyware and pop-ups? First Steps" link at the top of each page.

Please follow our pre-posting process outlined here:

http://www.techsupportforum.com/f50/...lp-305963.html

After running through all the steps, you shall have a proper set of logs. Please post them in a new topic, as this one shall be closed.

If you have trouble with one of the steps, simply move on to the next one, and make note of it in your reply.


... and a partridge in a pear tree. Hello and thank you in advance for your help. The following applies to my Win7 PC running the IE9 browser.

I need assistance in order to remove a rootkit IRP Hook\Driver\iaStor IRP_MJ_INTERNAL_DEVICE_CONTROL -> 0xFFFFFA8005F965A4 (the numbers after the first A vary with each scan) and Trojan horse downloaders Generic25.BCBS C:\Windows\System32\svchost.exe (1688):\memory_00d00000 and Generic13.CAM C:\Windows\System32\svchost.exe (1688):\memory_00a00000 (the numbers after svchost.exe and memory vary with each scan). I cannot get rid of these three.

I tried MS Security Essentials first, MS Defender, then AVG, including the rescue CD, and Malwarebytes. I have also run rkill. AVG was the only one to even pick them up. I'm told to reboot and all would be well, alas, that is not so. The three apps removed many other viruses found, such as Exploit.Kit.AI and Win32/Heur.dropper but not these three buggers. TDSSKiller will not run, even after renaming, nor will aswMBR - though I didn't rename that as I don't believe I saw that as an option. I have uninstalled and reinstalled Java and Adobe (haven't reinstalled the Reader yet and just reinstalled Flash from this site when registering) and have used the Intel utility driver update check to attempt a fix for iastor.exe. (nothing major there - just optional display update available).

Love an IT puzzle - but I've about ha... Read more

A:IRP Hook Rootkit, Trojan Downloader Generic, IE9 redirects, pop ups

Greetings and Welcome to The Forums!!

My name is Gringo and I'll be glad to help you with your malware problems.

I have put together some things for you to keep in mind while I am helping you to make things go easier and faster for both of us:

Please do not run any tools unless instructed to do so.
We ask you to run different tools in a specific order to ensure the malware is completely removed from your machine, and running any additional tools may detect false positives, interfere with our tools, or cause unforeseen damage or system instability.

Please do not attach logs or use code boxes, just copy and paste the text.
Due to the high volume of logs we receive it helps to receive everything in the same format, and code boxes make the logs very difficult to read. Also, attachments require us to download and open the reports when it is easier to just read the reports in your post.

Please read every post completely before doing anything.
Pay special attention to the NOTE: lines, these entries identify an individual issue or important step in the cleanup process.

Please provide feedback about your experience as we go.
A short statement describing how the computer is working helps us understand where to go next, for example: I am still getting redirected, the computer is running normally, etc. Please do not describe the computer as "the same", this requires the extra step of looking back at your previous post.

NOTE: At the top o... Read more


I'm running XP with McAfee Virus Scan on high-speed internet connection. I frequently download from the Japan Megaupload and the main infestation occured after I downloaded a 16-part Mega download two days ago. I first noticed that the drop down history on IE7 had disappeared and been replaced with just these last 16 Mega site addresses. Then I noticed all the hypertext in searches on IE were misdirected and I could only get to the site by pasting in the site address from the search. With Chrome, I would just get broken link errors on most search hyperlinks.

I ran McAfee manually and it came up with the NTOSKRNL-HOOK rootkit trojan which it said it had removed, but every time I run McAfee it comes up with the same Trojan in the Windows folder so it is always reinfecting. McAfee also found trojans in the autorun.inf files (Generic !atr, Generic !atr trojans) for each of my external and secondary internal harddrives which it quarantined. It also quarantined two Generic Downloader X trojans connected with the Wondershare YouTube Downloader I purchased a few weeks ago -- IS-E4TS2.tmp and IS-POUL4.tmp. This is where I'm sure the infestation started. Also quarantined were HTML/FAKE AV, VUND.GEN.A! and OBFUSCATED HTML.

I was finally able to run Anti-Malware by changing the extension to COM instead of EXE per one of the postings I read here. It found 6 or 7 trojans on the Quick Scan which I deleted and then ran a full scan and it found nothing:
Malwarebytes... Read more

A:Severe infection with NTOSKRNL-HOOK Generic Rootkit

Your MBAM scan results say "no action taken". If you haven't allowed it to remove what it found, do that and then reboot.

Super Antispyware finds and removes a lot of rootkits. Follow the instructions in the link below.
http://www.bleepingcomputer.com/forums/ind...t&p=1040160

You will have better results scanning with SAS in safe mode. Be sure to UPDATE SAS after downloading, installing and before booting into safe mode to run the scan.

You should read these comments concerning rootkits.
http://www.dslreports.com/faq/10063


Hi,

I was referred here by a moderator in the Am I infected? boards (username: garmanma). McAfee kept detecting NTOSKRNL-HOOK every time I ran it, and Root Repeal has detected ESQULserv.sys Trojan downloader. I do not know how to remove any of this stuff. BTW, I have uninstalled Vuze and I will never use P2P again! It's not worth it! My IE7 does not work anymore (crashes on startup), and I get blue screens when activating my xBOX 360 controller. I also cannot use Windows or iTunes to burn CDs/DVDs anymore (only Roxio works). Thanks in advance for your help!

DDS (Ver_09-10-26.01) - NTFSx86
Run by Ryan at 22:16:31.04 on 15/11/2009
Internet Explorer: 8.0.6001.18828
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.2.1033.18.3069.1419 [GMT -5:00]

SP: Lavasoft Ad-Watch Live! *disabled* (Updated) {67844DAE-4F77-4D69-9457-98E8CFFDAA22}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe... Read more

A:Infected with ESQUL Trojan &/or NTOSKRNL-HOOK rootkit

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not, please perform the following steps below so we can have a look at the current condition of your machine. Please include a clear description of the problems you're having, along with any steps you may have performed so far.

Please refrain from running tools or applying updates other than those we suggest while we are cleaning up your computer. The reason for this is so we know what is going on with the machine at any time. Some programs can interfere with others and hamper the recovery process.

Even if you have already provided information about your PC, we need a new log to see what has changed since you originally posted your problem.

Please download OTL from the following mirror:
This is THE Mirror
Save it to your desktop.
Double click on the icon on your desktop.
Click the "Scan All Users" checkbox.
Push the button.
Two reports will open, copy and paste them in a reply here:
OTL.txt <-- Will be opened
Extra.txt <-- Will be minimized
In the upper right hand corner ... Read more


Hello,
Every time I run McAfee it finds NTOSKRNL-HOOK and says that it is removed, but it still finds it every time I scan. Possible related issues: 1) My IE7 doesn't work anymore (crash on startup), and 2) I occasionally get blue screen shutdowns (esp when I use my XBOX 360 controller). I need help to remove this trojan from the computer.

A:McAfee cannot remove NTOSKRNL-HOOK rootkit trojan

Ran Root Repeal after reading some other posts. I'm not sure what any of it means or what to do next. Help!
Here's my report:

ROOTREPEAL © AD, 2007-2009
==================================================
Scan Start Time: 2009/11/12 13:47
Program Version: Version 1.3.5.0
Windows Version: Windows Vista SP2
==================================================

Drivers
-------------------
Name: rootrepeal.sys
Image Path: C:\Windows\system32\drivers\rootrepeal.sys
Address: 0x90BA8000 Size: 49152 File Visible: No Signed: -
Status: -

Hidden/Locked Files
-------------------
Path: C:\ProgramData\Favorites
Status: Locked to the Windows API!

Path: C:\System Volume Information\{3030a0ba-c61a-11de-b1f1-a5cc7322c75a}{3808876b-c176-4e48-b7ae-04046e6cc752}
Status: Locked to the Windows API!

Path: C:\System Volume Information\{3030a0c5-c61a-11de-b1f1-a5cc7322c75a}{3808876b-c176-4e48-b7ae-04046e6cc752}
Status: Locked to the Windows API!

Path: C:\System Volume Information\{3030a0f6-c61a-11de-b1f1-e33b7713eb25}{3808876b-c176-4e48-b7ae-04046e6cc752}
Status: Locked to the Windows API!

Path: C:\System Volume Information\{3030a117-c61a-11de-b1f1-e33b7713eb25}{3808876b-c176-4e48-b7ae-04046e6cc752}
Status: Locked to the Windows API!

Path: C:\System Volume Information\{3030a11f-c61a-11de-b1f1-e33b7713eb25}{3808876b-c176-4e48-b7ae-04046e6cc752}
Status: Locked to the Windows AP... Read more


I'm not sure how my DELL XPS M1530 laptop got the NTOSKRNL-HOOK Trojan, but it might have been from repeatedly downloading different versions of the same game in order to extend the free trial. I downloaded Family Feud, MahJongg, and The Price Is Right from the iWin.com and Jenkat Games programs, as well as from other Web sites, some of which, in hindsight, may not have been legitimate.

The irony is that right before my computer first crashed, I'd just finished a scan with McAfee and no problems showed up. About 10 minutes after the scan, in the middle of playing an online game and talking on Yahoo Messenger, the dreaded blue screen of death popped up!

Since then, I have not been able to start up Windows in Normal Mode. Every time I try to do a System Restore, the blue screen appears immediately after I type in my user name and password when the computer restarts.

After starting up in Safe Mode and performing a Quick Scan with McAfee, my laptop finally found the NTOSKRNL-HOOK Trojan and supposedly removed it. A subsequent Full Scan right after the first showed that the NTOSKRNL-HOOK Trojan was still on my computer, but claimed that, once again, it was removed. However, all other scans from that point on have found and "removed" this pesky trojan, but it still persists.

I really want to backup my files or salvage whatever data I can, but I have had many problems trying to do so! Since the trojan has taken my laptop over, I can no longer see my external h... Read more

A:NTOSKRNL-HOOK Trojan: my laptop can't complete the GMER Rootkit scan!

Hi,

See if you can get GMER to run in safe mode...close down all other programs while it scans.

Also, see if this program will run and post the logs


Please download Sysprot Antirootkit from >>>HERE<<<

Unzip it into a folder on your desktop.
Double click Sysprot.exe to start the program.
Click on the Log tab.
In the Write to log box select ALL ITEMS
Look near the bottom left, and Check Hidden Objects Only
Click on the Create Log button on the bottom right.
After a few seconds a new window should appear.
Select Scan Root Drive. Click on the Start button.
When it is complete a new window will appear to indicate that the scan is finished.
The log will be saved automatically in the same folder Sysprot.exe was extracted to.
Open the text file and copy/paste the log here.


I need help removing Generic Rootkit.d!rootkit from my computer using Windows 2000. My McAfee virus scanner is erasing it but it keeps coming back. I've tried to run McAfee in Safe Mode but it won't run. I've also tried to install and run Malwarebytes' Anti-Malware but it won't run. I was able to run Stopzilla in Safe Mode but it didn't do anything. Can't get PC Tools to run either.

Any help would be appreciated.

My other 2 laptops were infected also but they utilize Windows XP and I was able to get rid of this trojan/virus on those computers. Right clicked on My Computer and disabled system restore. Then ran Malwarebytes' Anti-Malware program which seemed to do the job.

Looking for something free to download and get rid of this.

Was afraid to try ComboFix.exe due to posts warning about this program


I've already run malwarebytes, combofix, Spybot.

The winfiles and Pe-files attachments are from rootkitty running on ubcd4win, although they could possibly have been modified by the rootkit before uploading, as I uploaded them from the infected machine.

Here's dds.txt,
DDS (Ver_09-07-30.01) - NTFSx86
Run by Winxp at 9:13:45.14 on Sun 08/30/2009
Internet Explorer: 6.0.2800.1106
Microsoft Windows XP Professional 5.1.2600.1.1252.1.1033.18.511.182 [GMT -5:00]
============== Running Processes ===============

C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k rpcss
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\WINDOWS\System32\svchost.exe -k NetworkService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\System32\alg.exe
C:\Program Files\avgas\guard.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C... Read more

A:Rootkit, Vundo.h, Rootkit.agent, Rootkit.Rustock, Rootkit.Dropper, Slenugga, FakeAlert, WinWebSec, etc....

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not, please perform the following steps below so we can have a look at the current condition of your machine. If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order, clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed.

Use the 'Add Reply' and add the new log to this thread.

Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:

Download DDS by sUBs from one of the following links. Save it to your desktop.
DDS.scr
DDS.pif

Double click on the DDS icon, allow it to run.
A small box will open, with an explanation about the tool. No input is needed, the scan is running.
Notepad will open with the results.
Foll... Read more


I have scanned over and over again, and McAfee says it is removed, but it reappears so it is not getting resolved. The browser (IE has difficulty opening and Firefox is redirected) is difficult to use. I am getting an excessive amount of popups, though the blocker is activated. The advertisements on webpages are for some sexual enhancements. Martha Stewart would have a fit if she knew about them on her site, I am sure. I ran through some preliminary steps from McAfee support by erasing cookies, temp files, history and pws. Restore will not run. It also seems to show up with NTOSKRNL-HOOK and Generic Artemis, with the latter showing as a potentially unwanted program. Please advise. I have taken the first steps and the information is as follows:

DDS (Ver_09-03-16.01) - NTFSx86
Run by Ann at 23:12:26.77 on Sat 03/28/2009
Internet Explorer: 7.0.6001.18000 BrowserJavaVersion: 1.6.0_12
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1033.18.3317.2260 [GMT -4:00]


============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\System32\svchost.exe -k NetworkService
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\SLsvc.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
... Read more

A:Generic Rootkit.d!rootkit (Trojan) Infection

Hello and Welcome to TSF.

Please Subscribe to this Thread to get immediate notification of replies as soon as they are posted. To do this click Thread Tools, then click Subscribe to this Thread. Make sure it is set to Instant notification by email, then click Add Subscription.

Please note that the forum is very busy and if I don't hear from you within three days this thread will be closed.

------------------------------------------------------

One or more of the identified infections is a backdoor trojan.

This type of infection allows hackers to remotely control your computer, log keystrokes, steal critical system information, and download and execute files without your knowledge.

If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Please read this: How Do I Handle Possible Identity Theft, Internet Fraud, and CC Fraud?

------------------------------------------------------

Please note that these fixes are not instantaneous. Most infections require more than one round to properly eradicate.

Please stay with me until given the 'all clear' even if symptoms seemingly abate.

Kindly follow my instructions and please do no fixing on your own or running of scanners unless requested by a helper.

----... Read more


Hi All,

My laptop had some unwanted pop-ups from FireFox so I scanned the whole system using McAfee and it found a bunch of viruses, all of which were said to be either cleaned or deleted by McAfee. I then rescanned it a few times afterward and each time I get the following:

Name is "NtQueryDirectoryFile"
Detected As "Generic Rootkit.d!rootkit"
Detection Type "Trojan".

McAfee always says it is "cleaned" but it shows up each scan.

I would appreciate it if someone could help me clean it. Thanks in advance!

A:my laptop is infected with Generic Rootkit.d!rootkit

Hi and welcome to BleepingComputer

The process of cleaning your computer may require temporarily disabling some security programs. If you are using SpyBot Search and Destroy, please refer to Note 2 at the bottom of this page.

Please download Malwarebytes Anti-Malware and save it to your desktop.
alternate download link 1
alternate download link 2
Make sure you are connected to the Internet.
Double-click on mbam-setup.exe to install the application.
When the installation begins, follow the prompts and do not make any changes to default settings.
When installation has finished, make sure you leave both of these checked:
Update Malwarebytes' Anti-Malware
Launch Malwarebytes' Anti-Malware
Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan.
If an update is found, the program will automatically update itself.
Press the OK button to close that box and continue.
If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install.
On the Scanner tab:
Make sure the "Perform Quick Scan" option is selected.
Then click on the Scan button.
If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Result... Read more


Each time I boot my computer, McAfee finds the Trojan NTOSKRNL-Hook and deletes it. It also finds two Generic.dx!dgz Trojans attached to DLLs, but does not delete them; it says "Scan after restart". I installed Malwarebytes and ran it, and it does not find anything. Nor does CyberDefender. I have saved HijackThis to the C: drive along with the log below. If you could help me remove this, I would appreciate it!

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:08:00 AM, on 8/25/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\McAfee\MBK\MBackMonitor.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C... Read more

A:NTOSKRNL-Hook and Generic.dx

bump
 


Hi All,

My Computer is infected with the Trojan "Generic Rootkit.d!rootkit" "5"

Here is a copy of the McAfee Scan. It claims to find and remove each time but as others have found it is still there.

8/24/2009 5:31:07 PM "NTOSKRNL-HOOK" "Generic Rootkit.d!rootkit" "5"
8/24/2009 5:31:12 PM Total objects scanned: 23
8/24/2009 5:31:12 PM Objects detected: 1
8/24/2009 5:31:12 PM Scan Done: 08/24/2009 05:31:12 PM

I have tried to follow the Preparation Guide to the best of my limited computer ability.

The symptoms I have had are the Blue screen and a Reboot in normal mode. I have to run in Safe mode with networking to be able to work.

Any help you can provide is much Appreciated

Many thanks

Jonathan
DDS (Ver_09-07-30.01) - NTFSx86 NETWORK
Run by Jonathan at 18:10:07.03 on Mon 24/08/2009
Internet Explorer: 7.0.6001.18000
Microsoft® Windows Vista™ Ultimate 6.0.6001.1.1252.1.1033.18.3069.2218 [GMT 2:00]

SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\system32\svchost.ex... Read more

A:Infected with "Generic Rootkit.d!rootkit" "5"

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not, please perform the following steps below so we can have a look at the current condition of your machine. If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order, clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed. Use the 'Add Reply' and add the new log to this thread.

Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
Download DDS by sUBs from one of the following links. Save it to your desktop.
DDS.scr
DDS.pif
Double click on the DDS icon, allow it to run.
A small box will open, with an explanation about the tool. No input is needed, the scan is running.
Notepad will open with the results.
Foll... Read more


Hello. I've managed to get infected with the above Trojan.
I am running McAfee which continually picks it up, says it removes it, but it returns straight away. I've run in safe mode and have System Restore switched off.
McAfee identifies it as file NTOSKRNL-HOOK.
So far it seems to Hijack IE7 links in google.
Could anyone help?

Many thanks



DDS (Ver_09-03-16.01) - NTFSx86
Run by Russell at 17:32:28.67 on 27/03/2009
Internet Explorer: 7.0.5730.13
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3070.2406 [GMT 0:00]

AV: McAfee VirusScan *On-access scanning enabled* (Updated)
FW: McAfee Personal Firewall *enabled*

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Intel\WiFi\bin\S24EvMon.exe
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Intel\WiFi\bin\EvtEng.exe
C:\WINDOWS\system32\svchost.exe -k hpdevmgmt
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Google\Update\GoogleUpdate.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\Program Files\McAfee\VirusScan\McShield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\McAfee\MSK\MskSrver.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\S... Read more

A:Generic Rootkit.d!.rootkit Trojan Win XP SP3

Hello, or8it.

Please subscribe to this thread to get immediate notification of replies as soon as they are posted. To do this click Thread Tools, then click Subscribe to this Thread. Make sure it is set to Instant Notification, then click Subscribe.

Before beginning the fix, read this post completely. If there's anything that you do not understand, kindly ask your questions before proceeding. Ensure that there aren't any opened browsers when you are carrying out the procedures below. Save the following instructions in Notepad as this webpage would not be available when you're carrying out the fix.

It is IMPORTANT that you don't miss a step & perform everything in the correct order/sequence.

---------------------------------------------------------------------------------------------

Please note that these fixes are not instantaneous. Most infections require more than one round to properly eradicate.

Stay with me until given the 'all clear' even if symptoms diminish. Lack of symptoms does not always mean the job is complete.

Kindly follow my instructions and please do no fixing on your own or running of scanners unless requested by me or another helper at this forum.

---------------------------------------------------------------------------------------------

Download ComboFix from one of these locations:

Link 1
Link 2
Link 3

* IMPORTANT !!! Place combofix.exe on your Desktop
Disable your AntiVirus and AntiSpyware applications, usua... Read more


Currently running XP Media Center Edition with Service Pack 3. Using McAfee Security Centre. McAfee identifies Trojan Generic Rootkit.d!Rootkit, filename NTOSKRNL-HOOK, and claims to have removed it, but on rescan the same Trojan is found. The effect at the moment is that when using Google to search for information and clicking on a suggested website, it redirects elsewhere.

See DDS log below and files attached:

DDS (Ver_09-07-30.01) - NTFSx86
Run by Steve at 8:36:45.14 on 31/08/2009
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_07
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.417 [GMT 1:00]

AV: McAfee VirusScan *On-access scanning enabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Seagate\SeagateManager\Sync\FreeAgentService.exe
C:\WINDOWS\Explorer.exe
C:\Program Files\Google\Update\GoogleUpdate.exe
C:... Read more

A:infected with Generic Rootkit.d!rootkit

Hello and welcome to Bleeping Computer

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not, please perform the following steps below so we can have a look at the current condition of your machine. If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order, clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed. Use the 'Add Reply' and add the new log to this thread.

Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:
Download DDS by sUBs from one of the following links. Save it to your desktop.
DDS.scr
DDS.pif
Double click on the DDS icon, allow it to run.
A small box will open, with an explanation about the tool. No input is needed, the scan is running.
Notepad will open with the results.
Foll... Read more


Hi there! Thanks for taking the time to help me out.

Yesterday, McAfee started detecting trojans in my system: Generic!Artemis, Generic.dx and Generic Rootkit.w

I don't know if these are three different trojans or one and the same. I'm not getting any pop-ups (apart from the mcafee warnings), but it is making my computer run slower and me very worried.

I'm running Windows XP Pro.

Any help most appreciated.

I can post a hijack this log if that's of any use.

A:Trojan: Generic!Artemis, Generic.dx and Generic Rootkit.w infection

Here are some of the details from the McAfee detection log (I haven't listed all the files here because there are too many, so I'll just provide one example of each):

Detection name: Generic.dx (Trojan), Generic.dx (Trojan)

File: C:\Windows\system32\drivers\109.exe
Process: C:\windows\system32\svchost.exe
process description: generic host process for win 32 services

Detection Name: Generic!Artemis (Trojan)

File: E:\system volume information\_restore{5E0A6BCC-1246-45C3-BBAA-DBEC343BA767}\RP173\A0131417.exe
Process: C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
Process description: Malwarebytes' Anti-Malware

Detection name: Generic Rootkit.w (Trojan), Generic Rootkit.w (Trojan)
File: C:\Windows\system32\drivers\netsik.sys
Process: C:\Docume~1\Mike\Locals~1\Temp\BN7.tmp
Process description: (as process)

The generic.dx has been repaired and removed from 12 files so far by mcafee

The Generic!Artemis one has been quarantined from 7 files so far

The rootkit.w one has been repaired and removed from three files so far


My PC recently became infected with the "Generic Rootkit.d!rootkit" trojan. I use the McAfee Internet Security Suite through my local ISP. McAfee seems able to detect and remove the trojan temporarily. However, the trojan seems to reappear immediately. I downloaded Malwarebytes but it won't run on my PC even in safe mode. I am not able to use the results of search engines normally, also. If I click on a link in the results page of a search engine, then I am redirected to other search sites. My circumstances appear very similar to another forum member, bklane01, who received help this week from Ried. Please help me to remove this trojan from my computer. Please be aware that I will only be able to respond to this thread in the evenings normally. I will do my best to make myself available to help with the resolution of this problem.

A:Unable to Remove "Generic Rootkit.d!rootkit". Please Help.

Hello and welcome to TSF

We want all our members to perform the steps outlined in the link I'll give you below, before posting for assistance. There's a sticky at the top of this forum, and a "Having problems with spyware and pop-ups? First Steps" link at the top of each page.

---------------------------------------------------------------------------------------------

Please follow our pre-posting process outlined here:

http://www.techsupportforum.com/f50/...lp-305963.html

After running through all the steps, you shall have a proper set of logs. Please post them in a new topic, as this one shall be closed.

If you have trouble with one of the steps, simply move on to the next one, and make note of it in your reply.

Please note that the Virus/Trojan/Spyware Help forum is extremely busy, and it may take a while to receive a reply.


AVG rootkit scan found the following but said the file is hidden?

How can I remove it?

"";"C:\Windows\System32\DRIVERS\dvd43llh.sys";"IRP hook, \Driver\iaStor IRP_MJ_INTERNAL_DEVICE_CONTROL -> dvd43llh.sys +0x1B20";"Object is hidden"

Also i'm getting warning on opening firefox from avg about tracking cookies in my cookies.sqlite file:
Found Tracking cookie.Serving-sys
Found Tracking cookie.Adtech
Found Tracking cookie.Revsci

Thanks; DDS log below

DDS (Ver_10-10-21.02) - NTFSx86
Run by udesmeister at 15:41:03.80 on 24/10/2010
Internet Explorer: 8.0.6001.18975 BrowserJavaVersion: 1.6.0_21
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.44.1033.18.2045.1040 [GMT 1:00]

SP: Spybot - Search and Destroy *enabled* (Updated) {ED588FAF-1B8F-43B4-ACA8-8E3C85DADBE9}
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}

============== Running Processes ===============

C:\PROGRA~1\AVG\AVG10\avgchsvx.exe
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\nvvsvc.exe
C:\Windows\system32\svchost.exe -k rpcss
C:\Program Files\Trusteer\Rapport\bin\RapportMgmtService.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\... Read more

A:Rootkit IRP hook

Hi,

Welcome to TSF.

I'm K27 and I am currently reviewing your log.

Please DO NOT run any scans/tools/fixes on your own as this will conflict with the tools we are going to use.

Please Print or Save to Notepad all instructions and please follow them carefully and if there's something you don't understand or that will not work please let me know and we will go through it together.

Please DO NOT use this system for anything apart from visiting this forum and other sites I direct you to, as this will only make the cleanup process all the more difficult.

Please subscribe to this thread to get immediate notification of replies as soon as they are posted. To do this click Thread Tools, then click Subscribe to this Thread. Make sure it is set to Instant Notification, then click Subscribe.

Please note that the forum is very busy and if I don't hear from you within three days this thread will be closed. This is to free up my time so as to continue to help others. If you need longer to reply, then that is fine, but please let me know.

Please be patient while I review your logs.

Thanks.


I've been fighting an infection for a day or two now on a Windows 7 computer.  AVG identifies it as IRP Hook.  I believe it is responsible for shutting my computer down a few times during my removal attempts.  I've run MBAM, and it detects two infections (in svchost, I believe), but even after removal and reboot they always come back.  I jumped the gun and ran Combofix, which removed a few files, but MBAM is still detecting the infection.  Lastly, I tried running aswMBR, fixed the MBR, rebooted, and saw no change.
 
I don't know how else to attack this thing.  My logs:
 
DDS (Ver_2012-11-20.01) - NTFS_AMD64
Internet Explorer: 9.0.8112.16464  BrowserJavaVersion: 1.6.0_30
Run by Owner at 15:42:21 on 2013-03-06
Microsoft Windows 7 Home Premium   6.1.7601.1.1252.1.1033.18.3063.645 [GMT -5:00]
.
AV: AVG Internet Security 2013 *Enabled/Updated* {0E9420C4-06B3-7FA0-3AB1-6E49CB52ECD9}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: AVG Internet Security 2013 *Enabled/Updated* {B5F5C120-2089-702E-0001-553BB0D5A664}
.
============== Running Processes ===============
.
C:\PROGRA~2\AVG\AVG2013\avgrsa.exe
C:\Program Files (x86)\AVG\AVG2013\avgcsrva.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\system32\atiesrxx.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k Loca... Read more

A:Rootkit that will not die - IRP Hook

Hello zoddie, welcome to Bleeping Computer.
My name is fireman4it and I will be helping you with your Malware problem.

Please take note of some guidelines for this fix:
Refrain from making any changes to your computer including installing/uninstalling programs, deleting files, modifying the registry, and running scanners or tools.
If you do not understand any step(s) provided, please do not hesitate to ask before continuing.
Even if things appear to be better, it might not mean we are finished. Please continue to follow my instructions and reply back until I give you the "all clean".
In the upper right hand corner of the topic you will see a button called Follow This Topic. I suggest you click it and select Immediate E-Mail notification and click on Follow This Topic. This way you will be advised when we respond to your topic and facilitate the cleaning of your machine.

Finally, please reply using the Post button in the lower right hand corner of your screen. Do not start a new topic. The logs that you post should be pasted directly into the reply, unless they do not fit into the post.
I will be analyzing your log. I will get back to you with instructions. Do you have a USB flash drive you can use? Please run MalwareBytes again and post its log.


Okay, I'll start with this.
I usually leave my computer on, but after some updates I had to reboot.
Upon rebooting, I noticed some things were going quite wrong with my computer.
I.e. No start bar upon boot (becomes visible 20-30 minutes later, but is smaller than usual) cannot copy/paste, cannot move icons/files, other mildly annoying things.

--What I did--
First, ran an anti-rootkit scan with AVG. About 17 results were found, but no option to heal or remove them.
I then ran a full computer scan and picked up about 27 problems, 17 of them being rootkits that were found in first scan, others were backdoors / trojans.
After some more infuriating scans and boots in safe mode, I installed Spybot Search&Destroy and ran it.
When I woke up I found about 10 infections. It said it had cleaned them, so I ran it again and nothing was found, but my problem persists.
I have also run TDSSKiller with all parameters checked and found over 200 problems.
These problems were with my crucial windows driver signatures such as (Unsignedfile.Multi.Generic) - Warning \ but made reference to some windows drivers.
I didn't know what to do after the scan, so I hit copy to quarantine. After re-running the scan, I found all the same problems again.
I assume this is a trojan dropper or downloader or some kind of polymorphic virus that continuously infects my drivers with this 'hook'.
I really need help with this guys, I really don't want to have to format my computer :c

==Additional informat... Read more

A:IRP hook rootkit (looks like it)

Can you post TDSSKiller log?


Hello all,

McAfee keeps popping up a trojan alert every couple of minutes, and as I've watched them closely for the last few days, they seem to be the same 12 or so - over and over again. I have tried full scans using both McAfee and Spybot, and while they both indicate that they fix the problems, these trojan alerts keep showing up. My comp has become very sluggish, IE in particular.

Also, every time I restart after a scan requires it, I get the error message "Owner.exe - DLL initialization failed". I noticed that this process (Owner.exe) jumps around a bit in the task manager, especially when McAfee pops up with the alerts.

Below is my DDS. Please help!

-Jim

DDS (Ver_09-03-16.01) - NTFSx86
Run by Owner at 20:57:27.90 on Mon 04/20/2009
Internet Explorer: 7.0.5730.11 BrowserJavaVersion: 1.6.0_13
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3327.2595 [GMT -4:00]

AV: McAfee VirusScan *On-access scanning enabled* (Updated)
FW: McAfee Personal Firewall *enabled*

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
c:\program files\common files\logishrd\lvmvfm\LVPrcSrv.exe
svchost.exe
C:\Program Files\Adobe\Photoshop Elements 5.0\Photos... Read more

A:repeating trojan alerts - Generic rootkit, Generic!Artemis

Hi,

Please download Malwarebytes' Anti-Malware from Here or Here.
Double click mbam-setup.exe to install the application.
Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
If an update is found, it will download and install the latest version.
In case you already used MBAM previously, please update it before proceeding with the scan. To do this, click the "Update" tab and click the "Check For updates" button.
Once the program has loaded and updates were downloaded, select "Perform Quick Scan", then click Scan.
The scan may take some time to finish, so please be patient.
When the scan is complete, click OK, then Show Results to view the results.
Make sure that everything is checked, and click Remove Selected.
When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
Copy & paste the entire report in your next reply along with a fresh HijackThis log.

Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.


One of my machines at work is apparently infected
 
FRST.txt
 

Scan result of Farbar Recovery Scan Tool (FRST) (x86) Version: 11-03-2015
Ran by Mindy (administrator) on BACK on 19-03-2015 15:27:47
Running from E:\
Loaded Profiles: Mindy (Available profiles: Mindy & scanner & Guest)
Platform: Microsoft Windows 7 Professional Service Pack 1 (X86) OS Language: English (United States)
Internet Explorer Version 11 (Default browser: Chrome)
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/
==================== Processes (Whitelisted) =================
(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)
(Microsoft Corporation) C:\Program Files\Microsoft Security Client\MsMpEng.exe
(Electronics for Imaging, Inc.) C:\Program Files\Common Files\EFI\EFI ES-1000 Service\ES1000Service.exe
(Electronics for Imaging, Inc.) C:\Program Files\Common Files\EFI\EFI ES-1000 Service\ES1000Server.exe
(FedEx Corporation) C:\Program Files\FedEx\ShipManager\BIN\FedEx.Gsm.Common.LoggingService.exe
(iAnywhere Solutions, Inc.) C:\Program Files\FedEx\ShipManager\SQLAnywhere\Bin32\dbsrv11.exe
(Intel Corporation) C:\Program Files\Intel\Services\IPT\jhi_service.exe
(TuneUp Software) C:\Program Files\TuneUp Utilities 2012\TuneUpUtilitiesService32.exe
(Microsoft Corp.) C:\Program Files\Common Files\microsoft shared\Windows Live\WLID... Read more

A:SSDT hook + rootkit(s?)

Hello geordiecs and welcome to BleepingComputer's Virus/Trojan/Spyware/Malware Removal forum

My name is Yılmaz and I'll help you with the cleanup of malware from your computer.
Before we move on, please read the following points carefully.
Please complete all steps in the specified order.
Even if tools don't find malware, I want you to post the logfiles anyway.
Please copy and paste the logfiles directly into your posts. Please do not attach them unless you are instructed to do so.
Read the instructions carefully. If you have problems, stop what you were doing and describe the problems you encountered as precisely as you can.
Don't install or uninstall software during the cleanup unless you are told to do so.
If you can't answer for the next few days, please let me know. If you haven't answered within 5 days, I am assuming that you don't need help anymore and your topic will be closed.
I cannot guarantee that we will find and be able to remove all malware. The cleaning process is not instant. Please continue to review my answers until I tell you that your computer is clean.
Please reply to this thread. Do not start a new topic.
As my first language is not English, please do not use slang or idioms. It could be hard for me to understand.
Please open the computer as administrator. How do you open the computer as administrator?
Disable your AntiVirus and AntiSpyware applications, as they will interfere with our tools and the ... Read more


Greetings,

Classic story: a few days ago, the computer boots, then tells me my hard drive has crashed. About 20 dialog boxes line up saying my HD is failing and cannot be reached. I must have pressed the wrong button because since then my web navigation has slowed down and pages are being redirected to commercial sites.

I first ran AVG, which told me I had a rootkit: IRP hook, \Driver\iastor IRP_MJ_INTERNAL_DEVICE_CONTROL -> 0xFFFFFA8009799334. Even after cleaning it with AVG, it comes back.

TDSSkiller will not run. Most anti-rootkit will either not run or will not find anything I am running Windows 7 64-bits on a MSI laptop GE620DX

DDS and GMER logs following. Please note that GMER would not let me check anything other than the last 3 categories. The rest was grayed out.

I am grateful for ideas and assistance. I have been trying to fix this but have gone to the limit of my competency.

Best Regards

Marc
-------------------------------------------------------

.
DDS (Ver_2011-08-26.01) - NTFSAMD64
Internet Explorer: 9.0.8112.16421
Run by Laptop at 22:58:10 on 2012-09-17
Microsoft Windows 7 Home Premium 6.1.7601.1.1252.1.1033.18.8099.5205 [GMT 2:00]
.
AV: AVG Anti-Virus Free Edition 2013 *Enabled/Updated* {0E9420C4-06B3-7FA0-3AB1-6E49CB52ECD9}
SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: AVG Anti-Virus Free Edition 2013 *Enabled/Updated* {B5F5C120-2089-702E-0001-553BB0D5A664}
.
============== Running Processes ===============
... Read more

A:Infected IRP Hook Rootkit will not go away

Greetings and Welcome to The Forums!!

My name is Gringo and I'll be glad to help you with your computer problems. I have put together some things for you to keep in mind while I am helping you, to make things go easier and faster for both of us.

Please do not run any tools unless instructed to do so.
We ask you to run different tools in a specific order to ensure the malware is completely removed from your machine, and running any additional tools may detect false positives, interfere with our tools, or cause unforeseen damage or system instability.

Please do not attach logs or use code boxes, just copy and paste the text.
Due to the high volume of logs we receive it helps to receive everything in the same format, and code boxes make the logs very difficult to read. Also, attachments require us to download and open the reports when it is easier to just read the reports in your post.

Please read every post completely before doing anything.
Pay special attention to the NOTE: lines; these entries identify an individual issue or important step in the cleanup process.

Please provide feedback about your experience as we go.
A short statement describing how the computer is working helps us understand where to go next, for example: I am still getting redirected, the computer is running normally, etc. Please do not describe the computer as "the same", as this requires the extra step of looking back at your previous post.

NOTE: At... Read more


Hello! I ran my AVG and it found this rootkit hook ATAPI IRP in 27 different versions. I tried several times to get rid of it by using AVG; however, every time I ran it again, surprise, surprise, puppy surprise, the rootkit hook appears again. I need your help to eradicate this rootkit hook from my PC. Please let me know what you need and I will gladly provide it. Thanks, Juan

A:Rootkit hook ATAPI IRP

Download TDSSKiller
Launch it.
Click on change parameters - Select TDLFS file system
Click on "Scan".
Please post the LOG report (log file should be in your C drive). Do not change the default options on scan results.

Download aswMBR
Launch it, allow it to download latest Avast! virus definitions.
Click the "Scan" button to start scan.
After scan finishes, click on Save log.
Post the log results here.

Download ESET online scanner
Install it.
Click on START, it should download the virus definitions.
When scan gets completed, click on LIST of found threats.
Export the list to desktop, copy the contents of the text file in your reply.


Hello all:

I did an AVG rootkit scan as my laptop running Windows XP started getting slow to open IE7. I did a regular scan first, then did a rootkit scan just in case. When asked, I told AVG to remove all unhealed infections. It asked for a reboot, but after rebooting the problem seemed worse, so I rescanned and the same rootkits are still there. I was wondering if they could be false positives?

System specs
HP DV 5000
Windows xp pro sp3
640mb ram showing
AMD Turion Mobile 1.79
65gb HDD
45GB free

Result of AVG Rootkit scan

"";"<unknown>";"tcpip.sys, hooked import NDIS.SYS NdisRegisterProtocol -> 0x8339502B";"Reboot is required to finish the action"
"";"<unknown>";"IRP hook, \Driver\Tcpip IRP_MJ_CREATE -> 0x8339502B";"Reboot is required to finish the action"
"";"<unknown>";"Service function NtAllocateVirtualMemory hook -> 0x8339502B";"Reboot is required to finish the action"
"";"<unknown>";"IRP hook, \Driver\Tcpip IRP_MJ_CLOSE -> 0x8339502B";"Object is hidden"
"";"<unknown>";"IRP hook, \Driver\Tcpip IRP_MJ_READ -> 0x8339502B";"Object is hidden"
"";"<unknown>";"IRP hook, \Driver\Tcpip IRP_MJ_WRITE -> 0x8339502B";"Object is hidden"
"";"... Read more

A:AVG Reports rootkit IRP hook

Hello, let's get another opinion.

Please download MiniToolBox, save it to your desktop and run it.
Checkmark the following checkboxes:
Flush DNS
Report IE Proxy Settings
Reset IE Proxy Settings
Report FF Proxy Settings
Reset FF Proxy Settings
List content of Hosts
List IP configuration
List Winsock Entries
List last 10 Event Viewer log
List Installed Programs
List Users, Partitions and Memory size.
List Minidump Files
Click Go and post the result (Result.txt). A copy of Result.txt will be saved in the same directory the tool is run.
Note: When using the "Reset FF Proxy Settings" option Firefox should be closed.

Next run MBAM (MalwareBytes):
Please download Malwarebytes Anti-Malware and save it to your desktop.
Download Link 1
Download Link 2
MBAM may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (ie Spybot's Teatimer), they may interfere or alert you. Temporarily disable such programs or permit them to allow the changes.
Make sure you are connected to the Internet.
Double-click on mbam-setup.exe to install the application.
For instructions with screenshots, please refer to the How to use Malwarebytes' Anti-Malware Guide.
When the installation begins, follow the prompts and do not make any changes to default settings.
When installation has finished, make sure you leave both of these checked:
Update Malwarebytes' Anti-Malware
Launch Malwarebytes' Anti-Malware
Then click Fini... Read more

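The detections quoted across these threads are all the same kind of finding: a kernel dispatch-table slot no longer points into the image that owns the table. McAfee's "NTOSKRNL-HOOK" / NtQueryDirectoryFile entry is an SSDT slot that has left ntoskrnl.exe; AVG's "IRP hook, \Driver\Tcpip IRP_MJ_CREATE -> 0x8339502B" is a slot in a driver object's MajorFunction[] array that has left tcpip.sys. The last AVG log is the instructive one: every hook resolves to the single address 0x8339502B, which lies in no loaded module, so AVG prints "<unknown>" and "Object is hidden". That pattern is consistent with one resident driver owning all of the hooks and re-installing them at every boot, which is why restoring the slots ("cleaned") does not make the detection go away. The C program below is an added example, not code from any poster, from McAfee or from AVG. It models that check in user mode: module image ranges and table contents are constructed sample data (the ranges are made up), while the target 0x8339502B and the "dvd43llh.sys +0x1B20" resolution are taken from the AVG logs quoted above. It classifies each slot and then groups the hooked slots by target, which is the step that tells you which module has to be removed rather than which table entries to repair. It serves both the NtQueryDirectoryFile post at the top of this section and the AVG IRP-hook posts at the end.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* A loaded kernel module as a rootkit scanner sees it: name and image range. */
typedef struct { const char *name; uint32_t base, size; } module_t;

/* One slot of a kernel dispatch table (an SSDT entry, or a driver object's
 * MajorFunction[IRP_MJ_*] entry).  owner is the module the slot must point into
 * on a clean system: ntoskrnl.exe for the SSDT, the driver's own image for IRPs. */
typedef struct { const char *name, *owner; uint32_t target; } table_entry_t;

typedef enum {
    ENTRY_CLEAN,          /* target inside the expected owner image            */
    ENTRY_HOOKED_KNOWN,   /* target inside some other listed module            */
    ENTRY_HOOKED_HIDDEN   /* target in no listed module: "<unknown>", "hidden" */
} verdict_t;
typedef struct { size_t hooked; uint32_t top_target; size_t top_count; } scan_result_t;

/* Return the listed module whose image range contains addr, or NULL. */
const module_t *find_module(const module_t *mods, size_t n, uint32_t addr)
{
    for (size_t i = 0; i < n; i++)
        if (addr >= mods[i].base && addr - mods[i].base < mods[i].size)
            return &mods[i];
    return NULL;
}

/* The whole of a "hook" verdict: does the pointer still land in the image that
 * owns the table, and if not, whose image is it in, if any? */
verdict_t check_entry(const table_entry_t *e, const module_t *mods, size_t n)
{
    const module_t *m = find_module(mods, n, e->target);
    if (m && strcmp(m->name, e->owner) == 0)
        return ENTRY_CLEAN;
    return m ? ENTRY_HOOKED_KNOWN : ENTRY_HOOKED_HIDDEN;
}

/* Count hooked slots and find the target most of them share.  Many hooks on one
 * address means one resident module owns them all: restoring the slots without
 * removing that module only holds until it re-hooks them. */
scan_result_t scan_table(const table_entry_t *tab, size_t nt, const module_t *mods, size_t nm)
{
    uint32_t targets[32];
    size_t   counts[32], ntargets = 0;
    scan_result_t r = { 0, 0, 0 };
    for (size_t i = 0; i < nt; i++) {
        if (check_entry(&tab[i], mods, nm) == ENTRY_CLEAN)
            continue;
        r.hooked++;
        size_t j = 0;
        while (j < ntargets && targets[j] != tab[i].target)
            j++;
        if (j == ntargets) {                /* first hook seen on this target */
            if (ntargets == 32) continue;   /* out of slots: counted, not grouped */
            targets[ntargets] = tab[i].target;
            counts[ntargets++] = 0;
        }
        counts[j]++;
    }
    for (size_t j = 0; j < ntargets; j++)
        if (counts[j] > r.top_count) {
            r.top_target = targets[j];
            r.top_count  = counts[j];
        }
    return r;
}

/* Constructed sample.  Image ranges are made up; the hook target 0x8339502B and
 * the "dvd43llh.sys +0x1B20" resolution are taken from the AVG logs above. */
const module_t sample_mods[] = {
    { "ntoskrnl.exe", 0x804D7000u, 0x1F8000u },
    { "tcpip.sys",    0xB7E3C000u, 0x058000u },
    { "iastor.sys",   0xB7D00000u, 0x080000u },
    { "dvd43llh.sys", 0xB7F10000u, 0x008000u },
};
const table_entry_t sample_table[] = {
    { "SSDT NtCreateFile",                               "ntoskrnl.exe", 0x8057A000u },
    { "SSDT NtQueryDirectoryFile",                       "ntoskrnl.exe", 0x8339502Bu },
    { "\\Driver\\Tcpip IRP_MJ_CREATE",                   "tcpip.sys",    0x8339502Bu },
    { "\\Driver\\Tcpip IRP_MJ_READ",                     "tcpip.sys",    0x8339502Bu },
    { "\\Driver\\Tcpip IRP_MJ_DEVICE_CONTROL",           "tcpip.sys",    0xB7E41200u },
    { "\\Driver\\iaStor IRP_MJ_INTERNAL_DEVICE_CONTROL", "iastor.sys",   0xB7F11B20u },
};
#define COUNT(a) (sizeof(a) / sizeof((a)[0]))

scan_result_t scan_sample(void)
{
    return scan_table(sample_table, COUNT(sample_table), sample_mods, COUNT(sample_mods));
}

int main(void)
{
    static const char *label[] = { "clean", "HOOK -> listed module", "HOOK -> hidden" };
    for (size_t i = 0; i < COUNT(sample_table); i++)
        printf("%-50s 0x%08X  %s\n", sample_table[i].name, sample_table[i].target,
               label[check_entry(&sample_table[i], sample_mods, COUNT(sample_mods))]);
    scan_result_t r = scan_sample();
    printf("%zu hooked slot(s); %zu of them point at 0x%08X\n", r.hooked, r.top_count, r.top_target);
    return 0;
}
```

Two things carry over to real triage. A slot that resolves to a listed module (the dvd43llh.sys case) names a file on disk you can examine, sign-check and, if unwanted, uninstall; a slot that resolves to nothing ("hidden") means the hooking code lives in memory a normal module walk does not see, and the thing to hunt for is whatever loads it at boot (a driver service, an infected system file, or a modified MBR, which is why the helpers in these threads reach for TDSSKiller, aswMBR and GMER rather than another on-demand AV scan). On a 64-bit Windows 7 system such as the two AVG posts describe, the same table-walk logic applies, only the addresses are 64-bit.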