06-30-2009, 08:08 PM   #1
KNewman
Registered User
 
Join Date: Jun 2009
Posts: 16
OS: XP


NTOSKRNL-HOOK malware

I seem to have picked up a bit of malware over the weekend. My symptoms are Yahoo searches redirect & McAfee finds NTOSKRNL-HOOK and removes it, but it returns. Thanks in advance for any help cleaning this item from my system. KNewman


DDS (Ver_09-06-26.01) - NTFSx86
Run by Bob at 20:58:16.79 on Tue 06/30/2009
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.255.45 [GMT -5:00]

AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

============== Running Processes ===============

F:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
F:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
F:\WINDOWS\system32\spoolsv.exe
F:\WINDOWS\Explorer.EXE
F:\Program Files\Verizon\Servicepoint\VerizonServicepoint.exe
F:\Program Files\SiteAdvisor\6172\SiteAdv.exe
F:\WINDOWS\system32\Rundll32.exe
svchost.exe
F:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
F:\Program Files\Bonjour\mDNSResponder.exe
F:\Program Files\Java\jre6\bin\jqs.exe
F:\Program Files\Verizon\McciTrayApp.exe
F:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe
F:\Program Files\Common Files\Real\Update_OB\realsched.exe
F:\Program Files\Java\jre6\bin\jusched.exe
F:\WINDOWS\system32\ctfmon.exe
F:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
F:\WINDOWS\system32\svchost.exe -k imgsvc
F:\Program Files\Viewpoint\Common\ViewpointService.exe
F:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
f:\PROGRA~1\mcafee\msc\mcshell.exe
f:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
F:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
F:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
f:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
f:\PROGRA~1\mcafee.com\agent\mcagent.exe
F:\Program Files\McAfee\MPF\MPFSrv.exe
F:\Program Files\Internet Explorer\iexplore.exe
F:\Program Files\Internet Explorer\iexplore.exe
F:\Documents and Settings\Bob\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://my.yahoo.com/
uInternet Settings,ProxyOverride = *.local
BHO: {06647158-359E-4D10-A8DE-E6145DA90BE9} - No File
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - f:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
BHO: {089fd14d-132b-48fc-8861-0048ae113215} - f:\program files\siteadvisor\6253\SiteAdv.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - f:\progra~1\mcafee\viruss~1\scriptsn.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - f:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - f:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: McAfee SiteAdvisor: {0bf43445-2f28-4351-9252-17fe6e806aa0} - f:\program files\siteadvisor\6253\SiteAdv.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} -
TB: {871F91FD-3A92-4988-A842-16AB2CFF5AF1} - No File
uRun: [ctfmon.exe] f:\windows\system32\ctfmon.exe
mRun: [VerizonServicepoint.exe] f:\program files\verizon\servicepoint\VerizonServicepoint.exe
mRun: [mcagent_exe] "f:\program files\mcafee.com\agent\mcagent.exe" /runkey
mRun: [SiteAdvisor] f:\program files\siteadvisor\6172\SiteAdv.exe
mRun: [P17Helper] Rundll32 P17.dll,P17Helper
mRun: [UpdReg] f:\windows\UpdReg.EXE
mRun: [EPSON Stylus Photo R200 Series (Copy 1)] f:\windows\system32\spool\drivers\w32x86\3\E_S4I2H1.EXE /P39 "EPSON Stylus Photo R200 Series (Copy 1)" /O5 "LPT1:" /M "Stylus Photo R200"
mRun: [Verizon_McciTrayApp] f:\program files\verizon\McciTrayApp.exe
mRun: [ArcSoft Connection Service] f:\program files\common files\arcsoft\connection service\bin\ACDaemon.exe
mRun: [TkBellExe] "f:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [Ad-Watch] f:\program files\lavasoft\ad-aware\AAWTray.exe
mRun: [SunJavaUpdateSched] "f:\program files\java\jre6\bin\jusched.exe"
StartupFolder: f:\docume~1\bob\startm~1\programs\startup\msimn.lnk - f:\program files\outlook express\msimn.exe
StartupFolder: f:\docume~1\alluse~1\startm~1\programs\startup\hpoddt~1.lnk - f:\program files\hewlett-packard\digital imaging\bin\hpotdd01.exe
StartupFolder: f:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - f:\program files\microsoft office\office10\OSA.EXE
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - f:\program files\messenger\msmsgs.exe
Trusted Zone: internet
Trusted Zone: mcafee.com
Trusted Zone: turbotax.com
DPF: vzTCPConfig - hxxp://www2.verizon.net/help/fios_settings/include/vzTCPConfig.CAB
DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} - hxxp://www.musicnotes.com/download/mnviewer.cab
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/5/b/0/5b0d4654-aa20-495c-b89f-c1c34c691085/LegitCheckControl.cab
DPF: {233C1507-6A77-46A4-9443-F871F945D258} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {CAFEEFAC-0015-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_07-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0010-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_10-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_11-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} - hxxp://www.creative.com/su2/CTL_V02002/ocx/15034/CTPID.cab
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - f:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
Handler: siteadvisor - {3A5DC592-7723-4EAA-9EE6-AF4222BCF879} - f:\program files\siteadvisor\6253\SiteAdv.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - f:\windows\system32\WPDShServiceObj.dll

============= SERVICES / DRIVERS ===============

R0 Lbd;Lbd;f:\windows\system32\drivers\Lbd.sys [2009-6-27 64160]
R1 mfehidk;McAfee Inc. mfehidk;f:\windows\system32\drivers\mfehidk.sys [2008-1-19 214024]
R2 McProxy;McAfee Proxy Service;f:\progra~1\common~1\mcafee\mcproxy\mcproxy.exe [2008-1-19 359952]
R2 McShield;McAfee Real-time Scanner;f:\progra~1\mcafee\viruss~1\mcshield.exe [2008-1-19 144704]
R2 Viewpoint Manager Service;Viewpoint Manager Service;f:\program files\viewpoint\common\ViewpointService.exe [2007-1-11 24652]
R3 mfeavfk;McAfee Inc. mfeavfk;f:\windows\system32\drivers\mfeavfk.sys [2008-1-19 79880]
R3 mfebopk;McAfee Inc. mfebopk;f:\windows\system32\drivers\mfebopk.sys [2008-1-19 35272]
S2 RDFLabel;RDFLabel;f:\program files\icraplus\rdflabel\rdflabel.exe -picraplusid01f --> f:\program files\icraplus\rdflabel\RDFLabel.exe -PICRAplusID01F [?]
S3 idmc1aud;Intel(r) Play(tm) USB Audio Filter (WDM);f:\windows\system32\drivers\idmc1aud.sys [2007-1-9 15188]
S3 IDMC1Blk;Intel Play DMC Download Driver;f:\windows\system32\drivers\IDMC1Blk.sys [2007-1-9 14628]
S3 IDMC1Vxp;Intel(r) Play(tm) DMC Camera;f:\windows\system32\drivers\idmc1vme.sys [2007-1-9 416564]
S3 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;f:\program files\lavasoft\ad-aware\AAWService.exe [2009-3-9 1003344]
S3 libusb0;LibUsb-Win32 - Kernel Driver, Version 0.1.12.1;f:\windows\system32\drivers\libusb0.sys [2009-5-6 28672]
S3 mferkdk;McAfee Inc. mferkdk;f:\windows\system32\drivers\mferkdk.sys [2008-1-19 34216]
S3 mfesmfk;McAfee Inc. mfesmfk;f:\windows\system32\drivers\mfesmfk.sys [2008-1-19 40552]
S3 p17filt;p17filt;f:\windows\system32\drivers\p17filt.sys [2006-3-20 1452032]
S4 AdobeActiveFileMonitor;Adobe Active File Monitor;f:\program files\adobe\photoshop elements 3.0\PhotoshopElementsFileAgent.exe [2004-10-4 98304]
S4 IntuitUpdateService;Intuit Update Service;f:\program files\common files\intuit\update service\IntuitUpdateService.exe [2009-2-25 13088]
S4 McSysmon;McAfee SystemGuards;f:\progra~1\mcafee\viruss~1\mcsysmon.exe [2008-1-19 606736]
S4 PhotoshopElementsDeviceConnect;Photoshop Elements Device Connect;f:\program files\adobe\photoshop elements 3.0\PhotoshopElementsDeviceConnect.exe [2004-10-4 118784]

=============== Created Last 30 ================

2009-06-28 11:05 <DIR> -cd----- f:\windows\system32\dllcache\cache
2009-06-27 19:26 15,688 a------- f:\windows\system32\lsdelete.exe
2009-06-27 17:35 64,160 a------- f:\windows\system32\drivers\Lbd.sys
2009-06-27 17:31 <DIR> -cd-h--- f:\docume~1\alluse~1\applic~1\{7972B2E5-3E09-4E5E-81B7-FE5819D6772F}
2009-06-27 13:46 <DIR> --d----- f:\docume~1\bob\applic~1\McAfee
2009-06-26 19:16 <DIR> --d----- f:\windows\pss
2009-06-10 21:54 246,272 -c------ f:\windows\system32\dllcache\ieproxy.dll
2009-06-10 21:54 12,800 -c------ f:\windows\system32\dllcache\xpshims.dll
2009-06-08 19:52 60,744 a------- f:\documents and settings\bob\g2mdlhlpx.exe

==================== Find3M ====================

2009-05-13 00:15 915,456 a------- f:\windows\system32\wininet.dll
2009-05-09 19:21 170,952 a------- f:\windows\pchealth\helpctr\config\cache\Professional_32_1033.dat
2009-05-07 10:32 345,600 a------- f:\windows\system32\localspl.dll
2009-04-17 07:26 1,847,168 a------- f:\windows\system32\win32k.sys
2009-04-15 09:51 585,216 a------- f:\windows\system32\rpcrt4.dll
2009-03-12 19:52 52,872 ac------ f:\docume~1\bob\applic~1\GDIPFONTCACHEV1.DAT
2008-10-28 20:55 30 ac------ f:\documents and settings\bob\jagex_runescape_preferences.dat
2008-02-29 00:51 159 ac--h--- f:\documents and settings\bob\hpothb07.dat
2008-02-29 00:46 164 ac--h--- f:\documents and settings\all users\hpothb07.dat
2008-07-22 20:02 32,768 ac-sh--- f:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008072220080723\index.dat

============= FINISH: 21:00:35.38 ===============
Attached Files: Attach.zip (42.3 KB)