virus NTOSKRNL-HOOK

Gski · 03-13-2009, 04:50 PM

Have a virus - virus NTOSKRNL-HOOK

McAfee will not clean. I run the program and it keeps coming back.

Affecting start up of computer and internet browser.

Please Help

DDS (Ver_09-02-01.01) - NTFSx86
Run by grendm01 at 17:36:16.44 on Fri 03/13/2009
Internet Explorer: 6.0.2900.5512
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1014.463 [GMT -5:00]

AV: VirusScan Enterprise + AntiSpyware Enterprise *On-access scanning enabled* (Updated)

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
svchost.exe "C:\WINDOWS\system32\apphelpn.exe"
C:\Program Files\Sprint\Fgrd.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\WINDOWS\system32\svchost.exe -k hpdevmgmt
C:\Program Files\McAfee\Common Framework\FrameworkService.exe
C:\Program Files\McAfee\VirusScan Enterprise\mcshield.exe
C:\Program Files\McAfee\VirusScan Enterprise\vstskmgr.exe
C:\Program Files\lotus\notes\ntmulti.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
C:\Program Files\Novatel Wireless\Sprint\Sprint PCS Connection Manager\OSCMUtilityService.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\system32\StacSV.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\CCM\CcmExec.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\WINDOWS\system32\WLTRAY.exe
C:\WINDOWS\stsystra.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Apoint\HidFind.exe
C:\Program Files\Apoint\Apntex.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\McAfee\Common Framework\UdaterUI.exe
C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\TomTom HOME 2\HOMERunner.exe
C:\Program Files\McAfee\Common Framework\McTray.exe
C:\Program Files\Lexmark X1100 Series\lxbkbmon.exe
C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATICDA.EXE
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\FinePixViewer\QuickDCF2.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Common Files\Sonic Shared\CineTray.exe
C:\Program Files\HP\Smart Web Printing\hpswp_clipbook.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\Internet Explorer\Iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\grendm01\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://intranet.rhd.com/
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
mDefault_Search_URL = hxxp://www.google.com/ie
uInternet Settings,ProxyOverride = 162.81.*
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/ie
BHO: HP Print Enhancer: {0347c33e-8762-4905-bf09-768834316c61} - c:\program files\hp\smart web printing\hpswp_printenhancer.dll
BHO: HP Print Clips: {053f9267-dc04-4294-a72c-58f732d338c0} - c:\program files\hp\smart web printing\hpswp_framework.dll
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\reader\activex\AcroIEHelper.dll
BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\tfswshx.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.5.0_06\bin\ssv.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.0.926.3450\swg.dll
BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - c:\program files\google\google toolbar\component\fastsearch_219B3E1547538286.dll
TB: &Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar.dll
uRun: [EPSON Stylus CX7400 Series] c:\windows\system32\spool\drivers\w32x86\3\e_faticda.exe /fu "c:\windows\temp\E_S354.tmp" /EF "HKCU"
uRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
mRun: [NVHotkey] rundll32.exe nvHotkey.dll,Start
mRun: [Apoint] c:\program files\apoint\Apoint.exe
mRun: [Dell QuickSet] c:\program files\dell\quickset\quickset.exe
mRun: [Broadcom Wireless Manager UI] c:\windows\system32\WLTRAY.exe
mRun: [SigmatelSysTrayApp] stsystra.exe
mRun: [dla] c:\windows\system32\dla\tfswctrl.exe
mRun: [UpdateManager] "c:\program files\common files\sonic\update manager\sgtray.exe" /r
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [McAfeeUpdaterUI] "c:\program files\mcafee\common framework\UdaterUI.exe" /StartedFromRunKey
mRun: [Lexmark X1100 Series] "c:\program files\lexmark x1100 series\lxbkbmgr.exe"
mRun: [HP Software Update] c:\program files\hp\hp software update\HPWuSchd2.exe
mRun: [TomTomHOME.exe] "c:\program files\tomtom home 2\HOMERunner.exe" -s
mRun: [ShStatEXE] "c:\program files\mcafee\virusscan enterprise\SHSTAT.EXE" /STANDALONE
mRun: [REGSHAVE] c:\program files\regshave\REGSHAVE.EXE /AUTORUN
mRun: [SunJavaUpdateSched] c:\program files\java\jre1.5.0_06\bin\jusched.exe
mRun: [PDVDDXSrv] "c:\program files\cyberlink\powerdvd dx\PDVDDXSrv.exe"
mRunOnce: [InstallShieldSetup] c:\progra~1\instal~1\{c5074~1\setup.exe -rebootc:\progra~1\instal~1\{c5074~1\reboot.ini -l0x9
dRunOnce: [TSClientMSIUninstaller] cmd.exe /C "cscript %systemroot%\Installer\TSClientMsiTrans\tscuinst.vbs"
dRunOnce: [TSClientAXDisabler] cmd.exe /C "%systemroot%\Installer\TSClientMsiTrans\tscdsbl.bat"
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\exifla~1.lnk - c:\program files\finepixviewer\QuickDCF2.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
StartupFolder: c:\documents and settings\all users\start menu\programs\startup\logon.bat
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\sonicc~1.lnk - c:\program files\common files\sonic shared\CineTray.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\vpncli~1.lnk - c:\windows\installer\{3e5562ed-69ab-4cec-91e2-64e18ec5acc6}\Icon3E5562ED7.ico
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\vpncli~2.lnk - c:\program files\cisco systems\vpn client\VPNClientLoad.cmd
uPolicies-explorer: NoWindowsUpdate = 1 (0x1)
uPolicies-system: NoDispScrSavPage = 1 (0x1)
mPolicies-explorer: NoWelcomeScreen = 1 (0x1)
mPolicies-explorer: DisableLocalMachineRunOnce = 1 (0x1)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBC} - c:\program files\java\jre1.5.0_06\bin\ssv.dll
IE: {58ECB495-38F0-49cb-A538-10282ABF65E7} - {E763472E-A716-4CD9-89BD-DBDA6122F741} - c:\program files\hp\smart web printing\hpswp_extensions.dll
IE: {700259D7-1666-479a-93B1-3250410481E8} - {A93C41D8-01F8-4F8B-B14C-DE20B117E636} - c:\program files\hp\smart web printing\hpswp_extensions.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
Trusted Zone: rhd.com\myportal
Trusted Zone: rhd.com\ourpeople
Trusted Zone: rhd.com\testmyportal
Trusted Zone: rhdricwss00
DPF: {5AF1D9C8-CDB0-42C0-AE87-4378B9100BDC} - hxxp://prdappacrm/general/activex/AmdocsACRMAutoOutlook.CAB;jsessionid=JqRdNlGhF717!1347234574
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {B81D1517-AB08-41D4-B4FD-6C9FAE9467C0} - hxxp://hpux20:6700/general/activex/AmdocsACRMAutoOutlook.CAB;jsessionid=HLkY9YGGMdTg!1797475279
DPF: {C71A410F-BB8D-4561-AE6A-59F9E93BCC15} - hxxp://prdappacrm/general/activex/AmdocsACRMAutoOutlook.CAB
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {E51CD51D-FF04-493F-87F3-0134F5293635} - hxxp://prdappacrm/general/activex/AmdocsACRMAutoOutlook.CAB;jsessionid=LyqWh1Ppkj0p!2092521183
Notify: igfxcui - igfxdev.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\grendm01\applic~1\mozilla\firefox\profiles\00pdaf0i.default\
FF - plugin: c:\program files\adobe\reader\browser\nppdf32.dll
FF - plugin: c:\program files\google\google updater\2.4.1425.4532\npCIDetect13.dll
FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPJava11.dll
FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPJava12.dll
FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPJava13.dll
FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPJava14.dll
FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPJava32.dll
FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPJPI150_06.dll
FF - plugin: c:\program files\java\jre1.5.0_06\bin\NPOJI610.dll

============= SERVICES / DRIVERS ===============

R1 dwvkbd;DameWare Virtual Keyboard 32 bit Driver;c:\windows\system32\drivers\dwvkbd.sys [2007-2-15 26624]
R1 mferkdk;VSCore mferkdk;c:\program files\mcafee\virusscan enterprise\mferkdk.sys [2008-10-6 31816]
R2 FGR Service;FGR Service;c:\program files\sprint\Fgrd.exe [2003-5-30 57344]
R2 McAfeeFramework;McAfee Framework Service;c:\program files\mcafee\common framework\FrameworkService.exe [2007-11-1 103744]
R2 McShield;McAfee McShield;c:\program files\mcafee\virusscan enterprise\mcshield.exe [2008-10-6 144704]
R2 McTaskManager;McAfee Task Manager;c:\program files\mcafee\virusscan enterprise\vstskmgr.exe [2008-10-6 54608]
R3 DwMirror;DwMirror;c:\windows\system32\drivers\DamewareMini.sys [2007-2-7 2944]
R3 mfeavfk;McAfee Inc.;c:\windows\system32\drivers\mfeavfk.sys [2008-4-4 72904]
R3 mfebopk;McAfee Inc.;c:\windows\system32\drivers\mfebopk.sys [2008-4-4 34344]
R3 mfehidk;McAfee Inc.;c:\windows\system32\drivers\mfehidk.sys [2008-4-4 177672]
S2 BrowserNetman;Computer Browser BrowserNetman;c:\windows\system32\apphelpn.exe srv --> c:\windows\system32\apphelpn.exe srv [?]
S2 ClipSrv Cleanup Service;ClipBook ClipSrv Cleanup Service;c:\windows\system32\apphelpn.exe srv --> c:\windows\system32\apphelpn.exe srv [?]
S2 COMSysAppTermService;COM+ System Application COMSysAppTermService;c:\windows\system32\apphelpn.exe srv --> c:\windows\system32\apphelpn.exe srv [?]
S2 COMSysAppTermServiceMcAfeeFramework;COM+ System Application COMSysAppTermService COMSysAppTermServiceMcAfeeFramework;c:\windows\system32\apphelpn.exe srv --> c:\windows\system32\apphelpn.exe srv [?]
S2 dmserverMcShield;Logical Disk Manager dmserverMcShield;c:\windows\system32\apphelpn.exe srv --> c:\windows\system32\apphelpn.exe srv [?]
S2 Dot3svcSharedAccessWmiApSrv;Wired AutoConfig Dot3svcSharedAccessWmiApSrv;c:\windows\system32\apphelpn.exe srv --> c:\windows\system32\apphelpn.exe srv [?]
S2 hpqddsvc Utility Service;HP CUE DeviceDiscovery Service hpqddsvc Utility Service;c:\windows\system32\apphelpn.exe srv --> c:\windows\system32\apphelpn.exe srv [?]
S2 ImapiServiceOracleDEFAULT_HOME6iClientCache80Wmi;IMAPI CD-Burning COM Service ImapiServiceOracleDEFAULT_HOME6iClientCache80Wmi;c:\windows\system32\apphelpn.exe srv --> c:\windows\system32\apphelpn.exe srv [?]
S2 McAfeeFrameworkUPS;McAfee Framework Service McAfeeFrameworkUPS;c:\windows\system32\apphelpn.exe srv --> c:\windows\system32\apphelpn.exe srv [?]
S2 mnmsrvcThemes;NetMeeting Remote Desktop Sharing mnmsrvcThemes;c:\windows\system32\apphelpn.exe srv --> c:\windows\system32\apphelpn.exe srv [?]
S2 napagentProtectedStorage;Network Access Protection Agent napagentProtectedStorage;c:\windows\system32\apphelpn.exe srv --> c:\windows\system32\apphelpn.exe srv [?]
S2 NetBrowser;Net Driver HPZ12 NetBrowser;c:\windows\system32\apphelpn.exe srv --> c:\windows\system32\apphelpn.exe srv [?]
S2 NetBrowserwuauserv;Net Driver HPZ12 NetBrowser NetBrowserwuauserv;c:\windows\system32\apphelpn.exe srv --> c:\windows\system32\apphelpn.exe srv [?]
S2 NetDDEdsdmgusvc;Network DDE DSDM NetDDEdsdmgusvc;c:\windows\system32\apphelpn.exe srv --> c:\windows\system32\apphelpn.exe srv [?]
S2 NetlogonNtLmSsp;Net Logon NetlogonNtLmSsp;c:\windows\system32\apphelpn.exe srv --> c:\windows\system32\apphelpn.exe srv [?]
S2 OracleDEFAULT_HOME6iClientCache80Wmi;OracleDEFAULT_HOME6iClientCache80 OracleDEFAULT_HOME6iClientCache80Wmi;c:\windows\system32\apphelpn.exe srv --> c:\windows\system32\apphelpn.exe srv [?]
S2 OSCMnapagent;OSCM Utility Service OSCMnapagent;c:\windows\system32\apphelpn.exe srv --> c:\windows\system32\apphelpn.exe srv [?]
S2 seclogonSharedAccessWmiApSrvBrowserNetman;Secondary Logon seclogonSharedAccessWmiApSrvBrowserNetman;c:\windows\system32\apphelpn.exe srv --> c:\windows\system32\apphelpn.exe srv [?]
S2 SharedAccessWmiApSrv;Windows Firewall/Internet Connection Sharing (ICS) SharedAccessWmiApSrv;c:\windows\system32\adsntf.exe srv --> c:\windows\system32\adsntf.exe srv [?]
S2 SharedAccessWmiApSrvBrowserNetman;Windows Firewall/Internet Connection Sharing (ICS) SharedAccessWmiApSrv SharedAccessWmiApSrvBrowserNetman;c:\windows\system32\apphelpn.exe srv --> c:\windows\system32\apphelpn.exe srv [?]
S2 ShellHWDetectiondmadmin;Shell Hardware Detection ShellHWDetectiondmadmin;c:\windows\system32\apphelpn.exe srv --> c:\windows\system32\apphelpn.exe srv [?]
S2 UMWdfwuauserv;Windows User Mode Driver Framework UMWdfwuauserv;c:\windows\system32\apphelpn.exe srv --> c:\windows\system32\apphelpn.exe srv [?]
S2 wscsvcImapiService;Security Center wscsvcImapiService;c:\windows\system32\apphelpn.exe srv --> c:\windows\system32\apphelpn.exe srv [?]
S3 ess;ESS Audio Driver (WDM);c:\windows\system32\drivers\ess.sys [2005-7-19 63360]
S3 NWUSBCDFIL;Novatel Wireless Installation CD;c:\windows\system32\drivers\NwUsbCdFil.sys [2007-9-6 13824]
S3 NWUSBPort2;Novatel Wireless USB Status2 Port Driver;c:\windows\system32\drivers\nwusbser2.sys [2007-10-12 99200]
S3 OracleDEFAULT_HOME6iClientCache80;OracleDEFAULT_HOME6iClientCache80;c:\oracle6i\bin\ONRSD80.EXE [2004-12-11 101136]
S3 OracleORA92CLClientCache;OracleORA92CLClientCache;c:\oracle\ora92cl\bin\ONRSD.EXE [2002-4-26 242328]
S3 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2003-8-28 189792]

=============== Created Last 30 ================

2009-03-06 13:20 8,461,312 -------- c:\windows\system32\dllcache\shell32.dll
2009-02-25 16:45 <DIR> --d----- c:\windows\system32\RHDTools
2009-02-23 18:02 100 a--s---- c:\windows\system32\269630729.dat
2009-02-23 15:46 32 a--s---- c:\windows\system32\3967870291.dat
2009-02-23 15:46 53,760 ---shr-- c:\windows\system32\adsntf.exe
2009-02-23 15:20 <DIR> --d----- C:\Quarantine
2009-02-22 10:46 4,444 a------- c:\windows\system32\pid.PNF
2009-02-20 14:18 47,622 ---shr-- c:\windows\system32\apphelpn.exe
2009-02-13 23:27 <DIR> --d----- c:\program files\common files\Sonic Shared
2009-02-13 23:12 <DIR> --d----- C:\DECCHECK
2009-02-13 14:34 664 a------- c:\windows\system32\d3d9caps.dat
2009-02-13 14:33 1,047,552 a------- c:\windows\system32\MFC71u.dll

==================== Find3M ====================

2009-02-18 20:15 935,581 a------- c:\windows\system32\DexBrand.Scr
2009-02-13 14:35 5 a------- c:\windows\system32\drivers\1028_DELL_LAT_D630.MRK
2009-02-13 14:35 5 a------- c:\windows\system32\drivers\DELL_LAT_D630.MRK

============= FINISH: 17:36:43.11 ===============

attachment of scans

Gski · 03-13-2009, 08:15 PM

Help?

Billy O'Neal · 03-13-2009, 08:21 PM

Hello, Gski
Welcome to TSF

My name is Billy O'Neal and I will be helping you. (Billy or Bill is fine, if you like.)
Please give me some time to look over your computer's log(s).
Please take note of the following:

In the meantime, please refrain from making any changes to your computer.
Also, even if things appear to be running better, there is no guarantee that everything is finished. Please continue to check this forum post in order to ensure we get your system completely clean. We do not want to clean you part-way up, only to have the system re-infect itself. :)
If you do not understand any step(s) provided, please do not hesitate to ask before continuing. I would much rather clarify instructions or explain them differently than have something important broken.
Finally, please reply using the button in the lower left hand corner of your screen.
Old topics are closed after 3 days with no reply, and working topics are closed after 5 days. If for any reason you cannot complete instructions within that time, that's fine, just put a post here so that I know you're still here. We get a lot of people who simply leave, and if there is no contact for that amount of time I will have to assume you have "vanished" .

We Need to Run ComboFix

Note to readers of this post other than the starter of this thread:
ComboFix is a VERY POWERFUL tool which should NOT BE USED without guidance of an expert.

If this tool helped you, please consider a donation to it's author:

How to run ComboFix:

Please download ComboFix from one of the following mirrors, and save it to your desktop.
Disable any running Anti-Virus or Anti-Malware programs. This includes Firewalls, Anti-Virus, Spyware Scanners, etc. Any or all of them may interfere with the running of ComboFix.
Double click on your desktop.
Read and accept (Press Yes) to the disclaimer.
For Windows XP Systems: Install the Recovery Console:
- If you are using Windows XP and do not already have the Recovery Console installed, please ensure your internet connection is active (if possible), and press Yes. If for some reason your internet is not working, please press No. If you are not using Windows XP, you will not be prompted.
- When prompted to accept the EULA, press OK.
- Accept Microsoft's EULA (Press Yes).
- When you are told that the RC is installed correctly, please press YES to continue scanning for malware.
ComboFix will run. Simply wait for it to finish.
When it finishes, ComboFix will produce a log. Please post that log in your next reply here :)

NOTE: If ComboFix will not run, please rename it to GlobRemover.exe and try again!

In your next reply, please include the following:
ComboFix.txt

Billy3

Gski · 03-13-2009, 09:02 PM

ComboFix 09-03-13.01 - grendm01 2009-03-13 21:49:03.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1014.648 [GMT -5:00]
Running from: c:\documents and settings\grendm01\Desktop\GlobRemover.exe
AV: VirusScan Enterprise + AntiSpyware Enterprise *On-access scanning enabled* (Updated)
* Resident AV is active

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
c:\windows\system32\adsntf.exe
c:\windows\system32\apphelpn.exe
c:\windows\system32\AutoRun.inf
c:\windows\system32\drivers\UACxumqonko.sys
c:\windows\system32\mdm.exe
c:\windows\system32\UACartapqla.dll
c:\windows\system32\UACddtwklwb.dll
c:\windows\system32\UACexaavxbf.dll
c:\windows\system32\uacinit.dll
c:\windows\system32\UACkbwkvnxq.log
c:\windows\system32\UACkktplnuk.dll
c:\windows\system32\UAClaxtackj.dll
c:\windows\system32\UACovjmdecb.dat
c:\windows\system32\UACvrdqtmwj.log
c:\windows\system32\UACycqrtlpy.log
c:\windows\system32\x64

----- BITS: Possible infected sites -----

hxxp://RICPSCCM01.RHDROOT.COM:80
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_UACd.sys
-------\Legacy_BROWSERNETMAN
-------\Legacy_CLIPSRV_CLEANUP_SERVICE
-------\Legacy_COMSYSAPPTERMSERVICE
-------\Legacy_DMSERVERMCSHIELD
-------\Legacy_DOT3SVCSHAREDACCESSWMIAPSRV
-------\Legacy_HPQDDSVC_UTILITY_SERVICE
-------\Legacy_MCAFEEFRAMEWORKUPS
-------\Legacy_MNMSRVCTHEMES
-------\Legacy_NAPAGENTPROTECTEDSTORAGE
-------\Legacy_NETLOGONNTLMSSP
-------\Legacy_ORACLEDEFAULT_HOME6ICLIENTCACHE80WMI
-------\Legacy_SECLOGONSHAREDACCESSWMIAPSRVBROWSERNETMAN
-------\Legacy_SHAREDACCESSWMIAPSRV
-------\Legacy_SHELLHWDETECTIONDMADMIN
-------\Legacy_UMWDFWUAUSERV
-------\Legacy_WSCSVCIMAPISERVICE
-------\Service_BrowserNetman
-------\Service_ClipSrv Cleanup Service
-------\Service_COMSysAppTermService
-------\Service_dmserverMcShield
-------\Service_Dot3svcSharedAccessWmiApSrv
-------\Service_hpqddsvc Utility Service
-------\Service_McAfeeFrameworkUPS
-------\Service_mnmsrvcThemes
-------\Service_napagentProtectedStorage
-------\Service_NetBrowserWmdmPmSN
-------\Service_NetlogonNtLmSsp
-------\Service_OracleDEFAULT_HOME6iClientCache80Wmi
-------\Service_seclogonSharedAccessWmiApSrvBrowserNetman
-------\Service_SharedAccessWmiApSrv
-------\Service_ShellHWDetectiondmadmin
-------\Service_UMWdfwuauserv
-------\Service_wscsvcImapiService
-------\Legacy_COMSysAppTermServiceMcAfeeFramework
-------\Legacy_ImapiServiceOracleDEFAULT_HOME6iClientCache80Wmi
-------\Legacy_NetBrowser
-------\Legacy_NetBrowserwuauserv
-------\Legacy_NetDDEdsdmgusvc
-------\Legacy_OSCMnapagent
-------\Legacy_SharedAccessWmiApSrvBrowserNetman
-------\Service_COMSysAppTermServiceMcAfeeFramework
-------\Service_ImapiServiceOracleDEFAULT_HOME6iClientCache80Wmi
-------\Service_NetBrowser
-------\Service_NetBrowserwuauserv
-------\Service_NetDDEdsdmgusvc
-------\Service_OSCMnapagent
-------\Service_SharedAccessWmiApSrvBrowserNetman

((((((((((((((((((((((((( Files Created from 2009-02-14 to 2009-03-14 )))))))))))))))))))))))))))))))
.

Billy O'Neal · 03-13-2009, 09:43 PM

Hello :)

Your log is cut off. Please retry pasting C:\ComboFix.txt here.

Billy3

Billy O'Neal · 03-19-2009, 09:27 PM

Hello, Gski
Are you still here?

Billy3

Billy O'Neal · 03-21-2009, 05:42 AM

Hello, Gski
Due to lack of response, this topic will now be closed. If you need continued support, please begin a new thread, and provide a link to this topic. This applies only to the original topic starter. Everyone else please begin a New Topic, after following the steps outlined here:

http://www.techsupportforum.com/secu...oval-help.html

Billy3

Billy O'Neal · 03-21-2009, 05:45 AM

Hello, Gski
Due to lack of response, this topic will now be closed. If you need continued support, please begin a new thread, and provide a link to this topic. This applies only to the original topic starter. Everyone else please begin a New Topic, after following the steps outlined here:

http://www.techsupportforum.com/secu...oval-help.html

Billy3

03-13-2009, 08:15 PM	#2 (permalink)
Gski Registered User Join Date: Mar 2009 Posts: 3 OS: Windows XP	Re: virus NTOSKRNL-HOOK Help?

03-13-2009, 08:21 PM	#3 (permalink)
Billy O'Neal Analyst, Security Team Join Date: Aug 2008 Location: Northfield, Ohio, United States Posts: 1,690 OS: XPSP3, Vista Ultimate SP1, Ubuntu Server	Re: virus NTOSKRNL-HOOK Hello, Gski Welcome to TSF My name is Billy O'Neal and I will be helping you. (Billy or Bill is fine, if you like.) Please give me some time to look over your computer's log(s). Please take note of the following: In the meantime, please refrain from making any changes to your computer. Also, even if things appear to be running better, there is no guarantee that everything is finished. Please continue to check this forum post in order to ensure we get your system completely clean. We do not want to clean you part-way up, only to have the system re-infect itself. :) If you do not understand any step(s) provided, please do not hesitate to ask before continuing. I would much rather clarify instructions or explain them differently than have something important broken. Finally, please reply using the button in the lower left hand corner of your screen. Old topics are closed after 3 days with no reply, and working topics are closed after 5 days. If for any reason you cannot complete instructions within that time, that's fine, just put a post here so that I know you're still here. We get a lot of people who simply leave, and if there is no contact for that amount of time I will have to assume you have "vanished" . We Need to Run ComboFix Note to readers of this post other than the starter of this thread: ComboFix is a VERY POWERFUL tool which should NOT BE USED without guidance of an expert. If this tool helped you, please consider a donation to it's author: How to run ComboFix: Please download ComboFix from one of the following mirrors, and save it to your desktop. This is a mirror. This is another mirror. This is yet another mirror. Disable any running Anti-Virus or Anti-Malware programs. This includes Firewalls, Anti-Virus, Spyware Scanners, etc. Any or all of them may interfere with the running of ComboFix. Double click on your desktop. Read and accept (Press Yes) to the disclaimer. For Windows XP Systems: Install the Recovery Console: If you are using Windows XP and do not already have the Recovery Console installed, please ensure your internet connection is active (if possible), and press Yes. If for some reason your internet is not working, please press No. If you are not using Windows XP, you will not be prompted. When prompted to accept the EULA, press OK. Accept Microsoft's EULA (Press Yes). When you are told that the RC is installed correctly, please press YES to continue scanning for malware. ComboFix will run. Simply wait for it to finish. When it finishes, ComboFix will produce a log. Please post that log in your next reply here :) NOTE: If ComboFix will not run, please rename it to GlobRemover.exe and try again! In your next reply, please include the following: ComboFix.txt Billy3 __________________ If I fail to reply for more than 24 hours, please feel free to send me a PM. Don't want you to be overlooked Not problems like "What is beauty".. 'cause that would fall under the purview of your conundrums of philosophy.....

03-13-2009, 09:02 PM	#4 (permalink)
Gski Registered User Join Date: Mar 2009 Posts: 3 OS: Windows XP	Re: virus NTOSKRNL-HOOK ComboFix 09-03-13.01 - grendm01 2009-03-13 21:49:03.1 - NTFSx86 Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1014.648 [GMT -5:00] Running from: c:\documents and settings\grendm01\Desktop\GlobRemover.exe AV: VirusScan Enterprise + AntiSpyware Enterprise On-access scanning enabled (Updated) * Resident AV is active . ((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))) . c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat c:\windows\system32\adsntf.exe c:\windows\system32\apphelpn.exe c:\windows\system32\AutoRun.inf c:\windows\system32\drivers\UACxumqonko.sys c:\windows\system32\mdm.exe c:\windows\system32\UACartapqla.dll c:\windows\system32\UACddtwklwb.dll c:\windows\system32\UACexaavxbf.dll c:\windows\system32\uacinit.dll c:\windows\system32\UACkbwkvnxq.log c:\windows\system32\UACkktplnuk.dll c:\windows\system32\UAClaxtackj.dll c:\windows\system32\UACovjmdecb.dat c:\windows\system32\UACvrdqtmwj.log c:\windows\system32\UACycqrtlpy.log c:\windows\system32\x64 ----- BITS: Possible infected sites ----- hxxp://RICPSCCM01.RHDROOT.COM:80 . ((((((((((((((((((((((((((((((((((((((( Drivers/Services ))))))))))))))))))))))))))))))))))))))))))))))))) . -------\Service_UACd.sys -------\Legacy_BROWSERNETMAN -------\Legacy_CLIPSRV_CLEANUP_SERVICE -------\Legacy_COMSYSAPPTERMSERVICE -------\Legacy_DMSERVERMCSHIELD -------\Legacy_DOT3SVCSHAREDACCESSWMIAPSRV -------\Legacy_HPQDDSVC_UTILITY_SERVICE -------\Legacy_MCAFEEFRAMEWORKUPS -------\Legacy_MNMSRVCTHEMES -------\Legacy_NAPAGENTPROTECTEDSTORAGE -------\Legacy_NETLOGONNTLMSSP -------\Legacy_ORACLEDEFAULT_HOME6ICLIENTCACHE80WMI -------\Legacy_SECLOGONSHAREDACCESSWMIAPSRVBROWSERNETMAN -------\Legacy_SHAREDACCESSWMIAPSRV -------\Legacy_SHELLHWDETECTIONDMADMIN -------\Legacy_UMWDFWUAUSERV -------\Legacy_WSCSVCIMAPISERVICE -------\Service_BrowserNetman -------\Service_ClipSrv Cleanup Service -------\Service_COMSysAppTermService -------\Service_dmserverMcShield -------\Service_Dot3svcSharedAccessWmiApSrv -------\Service_hpqddsvc Utility Service -------\Service_McAfeeFrameworkUPS -------\Service_mnmsrvcThemes -------\Service_napagentProtectedStorage -------\Service_NetBrowserWmdmPmSN -------\Service_NetlogonNtLmSsp -------\Service_OracleDEFAULT_HOME6iClientCache80Wmi -------\Service_seclogonSharedAccessWmiApSrvBrowserNetman -------\Service_SharedAccessWmiApSrv -------\Service_ShellHWDetectiondmadmin -------\Service_UMWdfwuauserv -------\Service_wscsvcImapiService -------\Legacy_COMSysAppTermServiceMcAfeeFramework -------\Legacy_ImapiServiceOracleDEFAULT_HOME6iClientCache80Wmi -------\Legacy_NetBrowser -------\Legacy_NetBrowserwuauserv -------\Legacy_NetDDEdsdmgusvc -------\Legacy_OSCMnapagent -------\Legacy_SharedAccessWmiApSrvBrowserNetman -------\Service_COMSysAppTermServiceMcAfeeFramework -------\Service_ImapiServiceOracleDEFAULT_HOME6iClientCache80Wmi -------\Service_NetBrowser -------\Service_NetBrowserwuauserv -------\Service_NetDDEdsdmgusvc -------\Service_OSCMnapagent -------\Service_SharedAccessWmiApSrvBrowserNetman ((((((((((((((((((((((((( Files Created from 2009-02-14 to 2009-03-14 ))))))))))))))))))))))))))))))) .

03-13-2009, 09:43 PM	#5 (permalink)
Billy O'Neal Analyst, Security Team Join Date: Aug 2008 Location: Northfield, Ohio, United States Posts: 1,690 OS: XPSP3, Vista Ultimate SP1, Ubuntu Server	Re: virus NTOSKRNL-HOOK Hello :) Your log is cut off. Please retry pasting C:\ComboFix.txt here. Billy3 __________________ If I fail to reply for more than 24 hours, please feel free to send me a PM. Don't want you to be overlooked Not problems like "What is beauty".. 'cause that would fall under the purview of your conundrums of philosophy.....

03-19-2009, 09:27 PM	#6 (permalink)
Billy O'Neal Analyst, Security Team Join Date: Aug 2008 Location: Northfield, Ohio, United States Posts: 1,690 OS: XPSP3, Vista Ultimate SP1, Ubuntu Server	Re: virus NTOSKRNL-HOOK Hello, Gski Are you still here? Billy3 __________________ If I fail to reply for more than 24 hours, please feel free to send me a PM. Don't want you to be overlooked Not problems like "What is beauty".. 'cause that would fall under the purview of your conundrums of philosophy.....

03-21-2009, 05:42 AM	#7 (permalink)
Billy O'Neal Analyst, Security Team Join Date: Aug 2008 Location: Northfield, Ohio, United States Posts: 1,690 OS: XPSP3, Vista Ultimate SP1, Ubuntu Server	Re: virus NTOSKRNL-HOOK Hello, Gski Due to lack of response, this topic will now be closed. If you need continued support, please begin a new thread, and provide a link to this topic. This applies only to the original topic starter. Everyone else please begin a New Topic, after following the steps outlined here: http://www.techsupportforum.com/secu...oval-help.html Billy3 __________________ If I fail to reply for more than 24 hours, please feel free to send me a PM. Don't want you to be overlooked Not problems like "What is beauty".. 'cause that would fall under the purview of your conundrums of philosophy.....

03-21-2009, 05:45 AM	#8 (permalink)
Billy O'Neal Analyst, Security Team Join Date: Aug 2008 Location: Northfield, Ohio, United States Posts: 1,690 OS: XPSP3, Vista Ultimate SP1, Ubuntu Server	Re: virus NTOSKRNL-HOOK Hello, Gski Due to lack of response, this topic will now be closed. If you need continued support, please begin a new thread, and provide a link to this topic. This applies only to the original topic starter. Everyone else please begin a New Topic, after following the steps outlined here: http://www.techsupportforum.com/secu...oval-help.html Billy3 __________________ If I fail to reply for more than 24 hours, please feel free to send me a PM. Don't want you to be overlooked Not problems like "What is beauty".. 'cause that would fall under the purview of your conundrums of philosophy.....