#1 (permalink)
Registered User, Join Date: May 2009, Posts: 2, OS: Windows XP
NTOSKRNL-HOOK Trojan
I ran the Virusscan and it found the NTOSKRNL-HOOK Trojan (detection name: Generic Rootkit.d!rootkit). The Virusscan claimed that it had been removed. However, when I ran Virusscan a second time immediately after, the same trojan showed up again with the message that it had been removed.
I could not find this trojan in the virus dictionary. Any idea what it is and how to get it removed? Also, my USB drives are blocked.

DDS (Ver_09-05-14.01) - NTFSx86 Run by ambhanda at 21:17:22.98 on Fri 05/29/2009
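A small triage helper for a DDS log of the kind posted in this thread, added here as an example; it is not part of the original post and not code from the DDS tool. It parses the pseudo-HJT `Run` entries, the `TCP: NameServer` settings and the `SERVICES / DRIVERS` lines, and flags autoruns launched from temp or per-user data directories, resolvers outside an assumed expected range, and services whose binary sits outside Windows or Program Files. The sample lines, the 10.0.0.0/8 expected-DNS range, the trusted root paths and every path in them are constructed assumptions, not values from the poster's log.

```python
import ipaddress
import re

# Constructed sample lines in the DDS pseudo-HJT and services format (not the poster's log).
SAMPLE_LOG = """\
uRun: [ctfmon.exe] c:\\windows\\system32\\ctfmon.exe
mRun: [ShStatEXE] "c:\\program files\\mcafee\\virusscan enterprise\\SHSTAT.EXE" /STANDALONE
dRun: [Updater] c:\\windows\\temp\\tmp-12345.tmp.exe
uRun: [Sync] c:\\docume~1\\user\\locals~1\\temp\\sync.exe /q
TCP: NameServer = 192.0.2.10,192.0.2.11
TCP: {00000000-0000-0000-0000-000000000000} = 10.1.0.53
R2 McShield;McAfee McShield;c:\\program files\\mcafee\\virusscan enterprise\\Mcshield.exe [2008-10-6 144704]
S3 oddsvc;oddsvc;c:\\docume~1\\user\\applic~1\\oddsvc.sys [2009-5-28 11776]
"""

# Resolvers this environment is expected to use (an assumption for the example; a
# domain-joined laptop normally gets DNS from internal servers, not arbitrary public IPs).
EXPECTED_DNS = [ipaddress.ip_network("10.0.0.0/8")]
# Locations a legitimate autorun or service binary should not normally live in.
TEMP_LIKE = re.compile(r"(\\temp\\|locals~1\\temp|\\application data\\|\\applic~1\\|%temp%)", re.I)
# Roots a service/driver binary is expected under (assumption; adjust for D: installs).
TRUSTED_ROOTS = ("c:\\windows\\", "c:\\program files\\", "c:\\progra~1\\")

# DDS prefixes: uRun = HKCU, mRun = HKLM, dRun = the default-user hive.
HIVE = {"u": "HKCU", "m": "HKLM", "d": "HKU\\.DEFAULT"}
RUN_RE = re.compile(r"^([umd])Run:\s+\[([^\]]*)\]\s+(.*)$", re.I)
DNS_RE = re.compile(r"^TCP:\s+(NameServer|\{[0-9a-f-]+\})\s*=\s*([\d.,\s]+)$", re.I)
SVC_RE = re.compile(r"^([RS]\d)\s+([^;]+);([^;]*);(.+?)\s+\[", re.I)


def unquote_path(value):
    """Return the executable path from a Run value, dropping quotes and /switches."""
    value = value.strip()
    if value.startswith('"'):
        return value[1:value.find('"', 1)]
    return re.split(r"\s+/", value, maxsplit=1)[0]


def triage(log_text):
    """Scan DDS-style lines and return (category, detail) findings in log order."""
    findings = []
    for line in log_text.splitlines():
        m = RUN_RE.match(line)
        if m:
            hive, name, path = HIVE[m.group(1).lower()], m.group(2), unquote_path(m.group(3))
            if TEMP_LIKE.search(path):
                findings.append(("autorun_from_temp", f"{hive} Run [{name}] -> {path}"))
            continue
        m = DNS_RE.match(line)
        if m:
            for ip in (p.strip() for p in m.group(2).split(",") if p.strip()):
                if not any(ipaddress.ip_address(ip) in net for net in EXPECTED_DNS):
                    findings.append(("unexpected_dns", f"{m.group(1)} -> {ip}"))
            continue
        m = SVC_RE.match(line)
        if m:
            path = m.group(4)
            if TEMP_LIKE.search(path) or not path.lower().startswith(TRUSTED_ROOTS):
                findings.append(("service_odd_path", f"{m.group(1)} {m.group(2)} -> {path}"))
    return findings


if __name__ == "__main__":
    for category, detail in triage(SAMPLE_LOG):
        print(f"{category:18} {detail}")
```

A hit is a lead to verify against the vendor's signature and the machine's expected configuration, not a verdict; legitimate installers occasionally stage autoruns in temp too.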
#2 (permalink)
Registered User, Join Date: May 2009, Posts: 2, OS: Windows XP
Re: NTOSKRNL-HOOK Trojan
I am also not able to do the check disk and defragmentation of the C and D drives.
When I reboot in safe mode, I could not see any viruses. My PC has McAfee and Symantec Endpoint Protection 11. Do I need to uninstall one of them? Which one is good, and which one should I uninstall? Thanks.
#3 (permalink)
Analyst, Security Team, Join Date: Feb 2006, Posts: 220, OS: 2K
Re: NTOSKRNL-HOOK Trojan
A belated welcome to TSF amitsbhandari,
The logs show infection, but you also have two antivirus programs installed on one system, which can cause each to damage the other as well as cause system corruption. You will need to choose between Symantec Endpoint and McAfee VirusScan Enterprise: temporarily disable all security software, then uninstall one of those, being sure to reboot afterwards.

Once you have done that and rebooted, be sure to temporarily disable all antivirus/anti-spyware software while these steps are being completed. This can usually be done through right-clicking the software's Taskbar icons, or accessing each software through Start - Programs.

Then download ComboFix.exe from here to your desktop, but I would like you to rename the file as you download it (do not download it directly without renaming it - use right click "Save Target/Link As"). For this, rename the downloading file to combi.com, then click the renamed combi.com to run that scan. Be sure to install the Recovery Console if you are asked to do so. When the scan completes, a text window with your log will open. Please copy and paste that log back here.

A caution - do not touch your mouse/keyboard until the scan has completed. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop. Allow the scan to run. When completed a text window will appear - please copy/paste the contents back here. This log can also be found at C:\ComboFix.txt.