Ntoskrnl-hook

GeoffKerman · 04-12-2009, 08:42 AM

I've been having an issue with the NTOSKRNL-HOOK trojan. I'm not exactly sure when my computer became infected with it but it has sent me to a blue screen crash several times and has been the source of other trouble (I'm assuming) such as random freezing of my computer requiring restarts, and issues using my anti virus software. As well, when using google, my search results always redirect me to an unrelated page when I click them.

I've run anti virus and malware removal software several times, but read that since this is a rootkit virus that won't do much :S?

Here and the logs, any help would be appreciated :) :

DDS (Ver_09-03-16.01) - NTFSx86
Run by Geoffrey Kerman at 21:22:26.32 on 11/04/2009
Internet Explorer: 6.0.2900.5512 BrowserJavaVersion: 1.6.0_11
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1173 [GMT -4:00]

AV: McAfee VirusScan *On-access scanning enabled* (Updated)
FW: McAfee Personal Firewall *enabled*

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\McAfee\MSK\MskSrver.exe
C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
C:\Program Files\Dell Support Center\bin\sprtsvc.exe
C:\WINDOWS\system32\STacSV.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
c:\WINDOWS\system32\ZuneBusEnum.exe
C:\WINDOWS\Explorer.EXE
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\OEM02Mon.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\Dell\Dell Webcam Manager\DellWMgr.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\Common Files\Logitech\LCD Manager\LCDMon.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Common Files\Logitech\LCD Manager\Applets\LCDClock.exe
C:\Program Files\Common Files\Logitech\LCD Manager\Applets\LCDCountdown.exe
C:\Program Files\Common Files\Logitech\LCD Manager\Applets\LCDMedia.exe
C:\Program Files\Common Files\Logitech\LCD Manager\Applets\LCDPOP3.exe
C:\WINDOWS\system32\KADxMain.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe
C:\Program Files\Roxio\Drag-to-Disc\DrgToDsc.exe
C:\Program Files\Dell\MediaDirect\PCMService.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\PowerISO\PWRISOVM.EXE
C:\Program Files\Zune\ZuneLauncher.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\DNA\btdna.exe
C:\Program Files\DAEMON Tools Lite\daemon.exe
C:\Documents and Settings\Geoffrey Kerman\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\CPSHelpRunner.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
c:\PROGRA~1\mcafee\VIRUSS~1\mcvsshld.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Geoffrey Kerman\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = http://www.google.ca/ig/dell?hl=en&c...ca&ibd=5080218
uSearch Page = hxxp://www.google.ca/hws/sb/dell-row/en/side.html?channel=ca
uDefault_Page_URL = http://www.google.ca/ig/dell?hl=en&c...ca&ibd=5080218
uSearch Bar = hxxp://www.google.ca/hws/sb/dell-row/en/side.html?channel=ca
mDefault_Page_URL = hxxp://www1.ca.dell.com/content/default.aspx?c=ca&l=en&s=gen
mStart Page = hxxp://www1.ca.dell.com/content/default.aspx?c=ca&l=en&s=gen
uInternet Connection Wizard,ShellNext = hxxp://www.google.ca/ig/dell?hl=en&client=dell-row&channel=ca&ibd=5080218
uInternet Settings,ProxyOverride = *.local
mSearchAssistant = hxxp://www.google.ca/hws/sb/dell-row/en/side.html?channel=ca
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: McAfee Phishing Filter: {27b4851a-3207-45a2-b947-be8afe6163ab} - c:\progra~1\mcafee\msk\mskapbho.dll
BHO: Groove GFS Browser Helper: {72853161-30c5-4d22-b7f9-0bbc1d38a37e} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
BHO: Java(tm) Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\progra~1\mcafee\viruss~1\scriptsn.dll
BHO: {7E853D72-626A-48EC-A868-BA8D5E23E045} - No File
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: CBrowserHelperObject Object: {ca6319c0-31b7-401e-a518-a07c3db8f777} - c:\program files\dell\bae\BAE.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
uRun: [DellSupportCenter] "c:\program files\dell support center\bin\sprtcmd.exe" /P DellSupportCenter
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
uRun: [BitTorrent DNA] "c:\program files\dna\btdna.exe"
uRun: [DAEMON Tools Lite] "c:\program files\daemon tools lite\daemon.exe" -autorun
uRun: [P2kAutostart]
uRun: [Google Update] "c:\documents and settings\geoffrey kerman\local settings\application data\google\update\GoogleUpdate.exe" /c
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /installquiet
mRun: [NVHotkey] rundll32.exe nvHotkey.dll,Start
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [OEM02Mon.exe] c:\windows\OEM02Mon.exe
mRun: [IntelZeroConfig] "c:\program files\intel\wireless\bin\ZCfgSvc.exe"
mRun: [IntelWireless] "c:\program files\intel\wireless\bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
mRun: [DELL Webcam Manager] "c:\program files\dell\dell webcam manager\DellWMgr.exe" /s
mRun: [Dell QuickSet] c:\program files\dell\quickset\quickset.exe
mRun: [Launch LCDMon] "c:\program files\common files\logitech\lcd manager\LCDMon.exe"
mRun: [SigmatelSysTrayApp] stsystra.exe
mRun: [KADxMain] c:\windows\system32\KADxMain.exe
mRun: [ISUSPM Startup] c:\progra~1\common~1\instal~1\update~1\ISUSPM.exe -startup
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [<NO NAME>]
mRun: [RoxWatchTray] "c:\program files\common files\roxio shared\9.0\sharedcom\RoxWatchTray9.exe"
mRun: [RoxioDragToDisc] "c:\program files\roxio\drag-to-disc\DrgToDsc.exe"
mRun: [PCMService] "c:\program files\dell\mediadirect\PCMService.exe"
mRun: [ECenter] c:\dell\e-center\EULALauncher.exe
mRun: [mcagent_exe] "c:\program files\mcafee.com\agent\mcagent.exe" /runkey
mRun: [dscactivate] "c:\program files\dell support center\gs_agent\custom\dsca.exe"
mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [DellSupportCenter] "c:\program files\dell support center\bin\sprtcmd.exe" /P DellSupportCenter
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\bin\AppleSyncNotifier.exe
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [PWRISOVM.EXE] c:\program files\poweriso\PWRISOVM.EXE
mRun: [Zune Launcher] "c:\program files\zune\ZuneLauncher.exe"
StartupFolder: c:\docume~1\geoffr~1\startm~1\programs\startup\onenot~1.lnk - c:\program files\microsoft office\office12\ONENOTEM.EXE
IE: E&xport to Microsoft Excel - c:\progra~1\mi1933~1\office12\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\mi1933~1\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\mi1933~1\office12\REFIEBAR.DLL
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_11-windows-i586.cab
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\geoffr~1\applic~1\mozilla\firefox\profiles\rcalyfhk.default\
FF - prefs.js: browser.search.selectedEngine - Wikipedia (en)
FF - prefs.js: browser.startup.homepage - hxxp://www.google.ca/
FF - plugin: c:\documents and settings\geoffrey kerman\local settings\application data\google\update\1.2.141.5\npGoogleOneClick7.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npbittorrent.dll

============= SERVICES / DRIVERS ===============

R1 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2008-2-18 213640]
R2 McProxy;McAfee Proxy Service;c:\progra~1\common~1\mcafee\mcproxy\mcproxy.exe [2008-2-18 359952]
R2 McShield;McAfee Real-time Scanner;c:\progra~1\mcafee\viruss~1\mcshield.exe [2008-2-18 144704]
R3 McSysmon;McAfee SystemGuards;c:\progra~1\mcafee\viruss~1\mcsysmon.exe [2008-2-18 606736]
R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2008-2-18 79304]
R3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2008-2-18 35272]
R3 mferkdk;McAfee Inc. mferkdk;c:\windows\system32\drivers\mferkdk.sys [2008-2-18 34216]
R3 mfesmfk;McAfee Inc. mfesmfk;c:\windows\system32\drivers\mfesmfk.sys [2008-2-18 40552]
R3 OEM02Dev;Creative Camera OEM002 Driver;c:\windows\system32\drivers\OEM02Dev.sys [2008-2-18 235520]
R3 OEM02Vfx;Creative Camera OEM002 Video VFX Driver;c:\windows\system32\drivers\OEM02Vfx.sys [2008-2-18 7424]
R3 physX32;physX32;c:\windows\system32\drivers\physX32.sys [2008-2-18 117888]
S0 nbmpikh;nbmpikh;c:\windows\system32\drivers\unjru.sys --> c:\windows\system32\drivers\unjru.sys [?]
S1 vcdrom;Virtual CD-ROM Device Driver;\??\c:\documents and settings\geoffrey kerman\my documents\vcdrom.sys --> c:\documents and settings\geoffrey kerman\my documents\VCdRom.sys [?]
S3 ati1texx;ati1texx;\??\c:\windows\system32\drivers\ati1texx.sys --> c:\windows\system32\drivers\ati1texx.sys [?]
S3 motccgp;Motorola USB Composite Device Driver;c:\windows\system32\drivers\motccgp.sys [2008-8-25 18688]
S3 motccgpfl;MotCcgpFlService;c:\windows\system32\drivers\motccgpfl.sys [2008-8-25 8320]
S3 MotDev;Motorola Inc. USB Device;c:\windows\system32\drivers\motodrv.sys [2008-10-27 42112]
S3 motport;Motorola USB Diagnostic Port;c:\windows\system32\drivers\motport.sys [2008-10-27 23680]

=============== Created Last 30 ================

2009-04-11 19:21 <DIR> --d----- c:\docume~1\geoffr~1\applic~1\DataSafeOnline
2009-04-01 15:41 <DIR> --d----- c:\docume~1\geoffr~1\applic~1\Malwarebytes
2009-04-01 15:41 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-04-01 15:40 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-01 15:40 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-04-01 15:40 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-03-24 17:35 2,524 a------- C:\autorun.PNF
2009-03-20 18:18 <DIR> --d----- c:\program files\Combined Community Codec Pack

==================== Find3M ====================

2009-04-10 00:24 34 a------- c:\documents and settings\geoffrey kerman\jagex_runescape_preferences.dat
2009-04-07 17:59 56,781 a------- c:\windows\system32\nvModes.dat
2009-02-09 07:13 1,846,784 a------- c:\windows\system32\win32k.sys
2009-02-09 07:13 1,846,784 -------- c:\windows\system32\dllcache\win32k.sys
2008-10-04 13:58 87,608 a------- c:\docume~1\geoffr~1\applic~1\inst.exe
2008-10-04 13:58 47,360 a------- c:\docume~1\geoffr~1\applic~1\pcouffin.sys
2008-02-18 12:38 76 ---shr-- c:\windows\CT4CET.bin

============= FINISH: 21:22:54.93 ===============

tetonbob · 04-13-2009, 02:36 PM

Hello, and Welcome to TSF.

Please subscribe to this thread to get immediate notification of replies as soon as they are posted. To do this click Thread Tools, then click Subscribe to this Thread. Make sure it is set to Instant Notification, then click Subscribe.

Before beginning the fix, read this post completely. If there's anything that you do not understand, kindly ask your questions before proceeding. Ensure that there aren't any opened browsers when you are carrying out the procedures below. Save the following instructions in Notepad as this webpage would not be available when you're carrying out the fix.

It is IMPORTANT that you don't miss a step & perform everything in the correct order/sequence.

---------------------------------------------------------------------------------------------

Please note that these fixes are not instantaneous. Most infections require more than one round to properly eradicate.

Stay with me until given the 'all clear' even if symptoms diminish. Lack of symptoms does not always mean the job is complete.

Kindly follow my instructions and please do no fixing on your own or running of scanners unless requested by me or another helper at this forum.

---------------------------------------------------------------------------------------------

Download ComboFix from one of these locations:

Link 1
Link 2
Link 3

* IMPORTANT !!! Place combofix.exe on your Desktop
Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with ComboFix.

McAfee::

Double-click the taskbar icon to open the Security Center
Click Advanced Menu (lower left)
Click Configure (left)
Click Computer & Files (upper left)
VirusScan can be disabled on the right.
Double click on combofix.exe & follow the prompts.
As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed.

Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.

The Windows recovery console will allow you to boot up into a special recovery mode that allows us to help you in the case that your computer has a problem after an attempted removal of malware.

With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal.

Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement.

ComboFix will now automatically install the Microsoft Windows Recovery Console onto your computer, which will show up as a new option when booting up your computer. Do not select the Microsoft Windows Recovery Console option when you start your computer unless requested to by a helper.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see a message that says:

The Recovery Console was successfully installed.

Click on Yes, to continue scanning for malware.
Your desktop may go blank. This is normal. It will return when ComboFix is done. ComboFix may reboot your machine. This is normal.
When finished, it shall produce a log for you. Post that log in your next reply

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall.

---------------------------------------------------------------------------------------------
Ensure your AntiVirus and AntiSpyware applications are re-enabled. A reboot should have done this.

---------------------------------------------------------------------------------------------

GeoffKerman · 04-13-2009, 04:14 PM

Thanks!

Here is the log it produced:

ComboFix 09-04-13.A2 - Geoffrey Kerman 2009-04-13 18:04.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1589 [GMT -4:00]
Running from: c:\documents and settings\Geoffrey Kerman\Desktop\ComboFix.exe
AV: McAfee VirusScan *On-access scanning disabled* (Updated)
FW: McAfee Personal Firewall *enabled*
* Resident AV is active

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Geoffrey Kerman\Application Data\inst.exe
c:\windows\system32\drivers\gaopdxmoeayeplyovelkxejnqipxtfktujneow.sys
c:\windows\system32\gaopdxstsvgrdkgwxwylgriybkrugmvwtbafdn.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_gaopdxserv.sys

((((((((((((((((((((((((( Files Created from 2009-03-13 to 2009-04-13 )))))))))))))))))))))))))))))))
.

2009-04-11 23:40 . 2009-04-11 23:40 -------- d-----w c:\documents and settings\Geoffrey Kerman\Local Settings\Application Data\Dell
2009-04-11 23:21 . 2009-04-11 23:21 -------- d-----w c:\documents and settings\Geoffrey Kerman\Application Data\DataSafeOnline
2009-04-01 19:41 . 2009-04-01 19:41 -------- d-----w c:\documents and settings\Geoffrey Kerman\Application Data\Malwarebytes
2009-04-01 19:41 . 2009-04-06 19:32 15504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-04-01 19:40 . 2009-04-06 19:32 38496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-01 19:40 . 2009-04-01 19:40 -------- d-----w c:\documents and settings\All Users\Application Data\Malwarebytes
2009-03-27 17:59 . 2009-03-27 17:59 -------- d-----w c:\documents and settings\Administrator\Local Settings\Application Data\Mozilla
2009-03-24 21:35 . 2009-03-24 21:35 2524 ----a-w C:\autorun.PNF

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-13 21:21 . 2008-08-19 20:28 -------- d-----w c:\documents and settings\Geoffrey Kerman\Application Data\DNA
2009-04-12 01:17 . 2008-08-19 20:28 -------- d-----w c:\program files\DNA
2009-04-10 04:24 . 2008-08-28 17:42 34 ----a-w c:\documents and settings\Geoffrey Kerman\jagex_runescape_preferences.dat
2009-04-09 22:33 . 2009-04-01 19:40 -------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-04-08 15:10 . 2008-08-19 20:29 -------- d-----w c:\documents and settings\Geoffrey Kerman\Application Data\BitTorrent
2009-04-07 21:59 . 2008-02-18 15:58 56781 ----a-w c:\windows\system32\nvModes.dat
2009-04-07 21:25 . 2008-02-27 04:42 -------- d-----w c:\program files\Steam
2009-04-02 00:18 . 2008-02-18 16:53 -------- d-----w c:\program files\McAfee
2009-03-20 22:18 . 2009-03-20 22:18 -------- d-----w c:\program files\Combined Community Codec Pack
2009-03-14 23:55 . 2008-09-03 23:28 -------- d-----w c:\documents and settings\Geoffrey Kerman\Application Data\Vso
2009-03-11 03:34 . 2008-02-29 04:11 -------- d-----w c:\documents and settings\All Users\Application Data\Microsoft Help
2009-03-10 19:05 . 2008-02-18 16:53 -------- d-----w c:\documents and settings\All Users\Application Data\McAfee
2009-03-03 22:17 . 2008-07-10 03:44 -------- d-----w c:\documents and settings\Geoffrey Kerman\Application Data\LimeWire
2009-03-01 02:45 . 2009-01-06 01:17 -------- d-----w c:\program files\Microsoft Silverlight
2009-02-09 11:13 . 2008-10-15 05:14 1846784 ------w c:\windows\system32\dllcache\win32k.sys
2009-02-09 11:13 . 2004-08-11 23:00 1846784 ----a-w c:\windows\system32\win32k.sys
2008-12-24 00:09 . 2008-02-18 17:04 87448 ----a-w c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2008-10-04 17:58 . 2008-09-03 23:28 47360 ----a-w c:\documents and settings\Geoffrey Kerman\Application Data\pcouffin.sys
2008-06-27 14:28 . 2008-06-27 14:21 184368 ----a-w c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
2008-02-18 17:04 . 2008-02-26 21:02 44976 ----a-w c:\documents and settings\Geoffrey Kerman\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2008-08-13 206064]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2008-07-07 2156368]
"BitTorrent DNA"="c:\program files\DNA\btdna.exe" [2008-12-19 342848]
"DAEMON Tools Lite"="c:\program files\DAEMON Tools Lite\daemon.exe" [2008-08-08 490952]
"Google Update"="c:\documents and settings\Geoffrey Kerman\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2008-11-18 133104]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2007-07-18 851968]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-11-05 8491008]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-11-05 81920]
"OEM02Mon.exe"="c:\windows\OEM02Mon.exe" [2007-08-28 36864]
"IntelZeroConfig"="c:\program files\Intel\Wireless\bin\ZCfgSvc.exe" [2007-07-25 823296]
"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2007-07-25 974848]
"DELL Webcam Manager"="c:\program files\Dell\Dell Webcam Manager\DellWMgr.exe" [2007-07-27 118784]
"Dell QuickSet"="c:\program files\Dell\QuickSet\quickset.exe" [2007-07-20 1228800]
"Launch LCDMon"="c:\program files\Common Files\Logitech\LCD Manager\LCDMon.exe" [2007-07-18 775952]
"KADxMain"="c:\windows\system32\KADxMain.exe" [2006-11-02 282624]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2006-10-03 221184]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2006-10-03 81920]
"RoxWatchTray"="c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe" [2006-11-05 221184]
"RoxioDragToDisc"="c:\program files\Roxio\Drag-to-Disc\DrgToDsc.exe" [2006-08-17 1116920]
"PCMService"="c:\program files\Dell\MediaDirect\PCMService.exe" [2007-04-16 184320]
"ECenter"="c:\dell\E-Center\EULALauncher.exe" [2007-05-24 17920]
"mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2009-01-08 645328]
"dscactivate"="c:\program files\Dell Support Center\gs_agent\custom\dsca.exe" [2007-10-09 16384]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2007-08-24 33648]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
"DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2008-08-13 206064]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-12-20 136600]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-10-01 111936]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-09-06 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-10-01 289576]
"PWRISOVM.EXE"="c:\program files\PowerISO\PWRISOVM.EXE" [2007-08-06 200704]
"Zune Launcher"="c:\program files\Zune\ZuneLauncher.exe" [2008-12-12 157312]
"nwiz"="nwiz.exe" [2007-11-05 c:\windows\system32\nwiz.exe]
"NVHotkey"="nvHotkey.dll" [2007-11-05 c:\windows\system32\nvhotkey.dll]
"SigmatelSysTrayApp"="stsystra.exe" [2007-07-17 c:\windows\stsystra.exe]

c:\documents and settings\Geoffrey Kerman\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2007-12-07 101440]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.ffds"= c:\progra~1\COMBIN~1\Filters\FFDShow\ff_vfw.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ati1texx.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Dell\\MediaDirect\\PCMService.exe"=
"c:\\Program Files\\Intel\\Wireless\\Bin\\iFrmewrk.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\Steam\\steamapps\\quitcryin\\counter-strike source\\hl2.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\Steam\\Steam.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Program Files\\DNA\\btdna.exe"=
"c:\\Program Files\\BitTorrent\\bittorrent.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"c:\\Program Files\\Left 4 Dead\\left4dead.exe"=
"c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=
"c:\\Program Files\\Steam\\steamapps\\arm123\\counter-strike source\\hl2.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3724:TCP"= 3724:TCP:Blizzard Downloader: 3724

R0 nbmpikh;nbmpikh; [x]
R1 vcdrom;Virtual CD-ROM Device Driver; [x]
R3 ati1texx;ati1texx; [x]
R3 motccgp;Motorola USB Composite Device Driver;c:\windows\system32\DRIVERS\motccgp.sys [2008-08-21 18688]
R3 motccgpfl;MotCcgpFlService;c:\windows\system32\DRIVERS\motccgpfl.sys [2008-08-21 8320]
R3 MotDev;Motorola Inc. USB Device;c:\windows\system32\DRIVERS\motodrv.sys [2007-10-10 42112]
R3 motport;Motorola USB Diagnostic Port;c:\windows\system32\DRIVERS\motport.sys [2007-06-18 23680]
S3 OEM02Dev;Creative Camera OEM002 Driver;c:\windows\system32\DRIVERS\OEM02Dev.sys [2007-08-28 235520]
S3 OEM02Vfx;Creative Camera OEM002 Video VFX Driver;c:\windows\system32\DRIVERS\OEM02Vfx.sys [2007-08-28 7424]
S3 physX32;physX32;c:\windows\system32\DRIVERS\physX32.sys [2007-06-26 117888]

.
Contents of the 'Scheduled Tasks' folder

2009-04-07 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34]

2009-04-13 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2056057916-3460842416-330518327-1005.job
- c:\documents and settings\Geoffrey Kerman\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-11-18 19:17]

2008-10-15 c:\windows\Tasks\McDefragTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2009-01-09 10:53]

2008-11-01 c:\windows\Tasks\McQcTask.job
- c:\progra~1\mcafee\mqc\QcConsol.exe [2009-01-09 10:53]
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-P2kAutostart - (no file)

.
------- Supplementary Scan -------
.
uStart Page = http://www.google.ca/ig/dell?hl=en&c...ca&ibd=5080218
mStart Page = hxxp://www1.ca.dell.com/content/default.aspx?c=ca&l=en&s=gen
uInternet Connection Wizard,ShellNext = hxxp://www.google.ca/ig/dell?hl=en&client=dell-row&channel=ca&ibd=5080218
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\Office12\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Geoffrey Kerman\Application Data\Mozilla\Firefox\Profiles\rcalyfhk.default\
FF - prefs.js: browser.search.selectedEngine - Wikipedia (en)
FF - prefs.js: browser.startup.homepage - hxxp://www.google.ca/
FF - plugin: c:\documents and settings\Geoffrey Kerman\Local Settings\Application Data\Google\Update\1.2.141.5\npGoogleOneClick7.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npbittorrent.dll
.

**************************************************************************

catchme 0.3.1375 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-04-13 18:09
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
P2kAutostart = ???

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2009-04-13 18:11
ComboFix-quarantined-files.txt 2009-04-13 22:10

Pre-Run: 28,500,983,808 bytes free
Post-Run: 29,180,747,776 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

192 --- E O F --- 2009-03-20 22:01

tetonbob · 04-13-2009, 05:28 PM

Hello again. That looks much better. I should think McAfee is not complaining as much now. More work to do still.....

As mentioned in our preposting topic:

NEW INSTRUCTIONS - Read This Before Posting For Malware Removal Help

Quote:

3. Uninstall the following via Add or Remove Programs in Control Panel:

p2p programs like uTorrent, Bittorrent, LimeWire, Morpheus, etc., as they are a major conduit for malware and a likely source of your current issues.

P2P - I see you have P2P software ( BitTorrent, LimeWire 4.18.8 ) installed on your machine. We are not here to pass judgment on file-sharing as a concept. However, we will warn you that engaging in this activity and having this kind of software installed on your machine will always make you more susceptible to re-infections. It may be contributing to your current situation. This page will give you further information.

Please note: Even if you are using a "safe" P2P program, it is only the program that is safe. You will be sharing files from uncertified sources, and these are often infected. The bad guys use P2P filesharing as a major conduit to spread their wares.

Please see this topic for more information:

Perils of P2P File Sharing

I would strongly recommend that you uninstall these now. You can do so via Control Panel >> Add or Remove Programs.

---------------------------------------------------------------------------------------------

Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older version Java components and update.

Download the latest version of Java Runtime Environment (JRE) 6 and save it to your desktop.
Scroll down to where it says "Java SE Runtime Environment (JRE) 6 Update 13. The Java SE Runtime Environment (JRE) allows end-users to run Java applications."
Click the "Download" button to the right.
Select the Windows platform from the dropdown menu.
Read the License Agreement and then check the box that says: " I agree to the Java SE Runtime Environment 6 with JavaFX License Agreement". Click on Continue.The page will refresh.
Click on the link to download Windows Offline Installation and save the file to your desktop.
Close any programs you may have running - especially your web browser.
Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
Check (highlight) any item with Java Runtime Environment (JRE or J2SE or Java(TM) 6) in the name.
Click the Remove or Change/Remove button.
Repeat as many times as necessary to remove each Java versions.
Reboot your computer once all Java components are removed.
Then from your desktop double-click on jre-6u13-windows-i586-p.exe to install the newest version.

After the install is complete, go into the Control Panel (using Classic View) and double-click the Java Icon. (looks like a coffee cup)
- On the General tab, under Temporary Internet Files, click the Settings button.
- Next, click on the Delete Files button
- There are two options in the window to clear the cache - Leave BOTH Checked
  - Applications and Applets
    Trace and Log Files
- Click OK on Delete Temporary Files Window
  Note: This deletes ALL the Downloaded Applications and Applets from the CACHE.
- Click OK to leave the Temporary Files Window
- Click OK to leave the Java Control Panel.

---------------------------------------------------------------------------------------------

Please perform this online scan to help look for remnants

Establish an internet connection & perform an online scan with Firefox or Internet Explorer at Kaspersky Online Scanner

**Note**

To optimize scanning time and produce a more sensible report for review:

Close any open programs
Turn off the real time scanner of any existing antivirus program while performing the online scan.

Click Accept, when prompted to download and install the program files and database of malware definitions.

Click Run at the Security prompt.
The program will then begin downloading and installing and will also update the database.
Please be patient as this can take several minutes.
Once the update is complete, click on Settings. Uncheck Mail databases.
Next, click on My Computer under the green Scan bar to the left to start the scan.
Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
Do NOT be alarmed by what you see in the report. Many of the finds have likely been quarantined.
Click View scan report at the bottom.
Click the Save Report As... button.
Click the Save as Text button to save the file to your desktop so that you may post it in your next reply.

---------------------------------------------------------------------------------------------

How is the machine behaving now please?

GeoffKerman · 04-14-2009, 01:33 PM

Well my computer hasn't crashed since or put up any trouble at all really.

Here are the results of the scan.

Thank you:

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0 REPORT
Tuesday, April 14, 2009
Operating System: Microsoft Windows XP Professional Service Pack 3 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Program database last update: Tuesday, April 14, 2009 18:21:07
Records in database: 2043980
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
C:\
D:\
E:\
F:\
G:\

Scan statistics:
Files scanned: 100198
Threat name: 1
Infected objects: 1
Suspicious objects: 0
Duration of the scan: 02:03:13

File name / Threat name / Threats count
C:\Documents and Settings\All Users\Documents\Incomplete\T-5745425-sequoia throne (unplugged version).mp3 Infected: Trojan-Downloader.WMA.GetCodec.r 1

The selected area was scanned.

tetonbob · 04-14-2009, 01:37 PM

Looks good, only one infected file to delete. This came from Limewire, which again drives home my point about P2P file sharing, and the risks.

Go Start > Run and copy/paste the following single-line command into the Run box and click OK:

cmd /c del /f/a/s "C:\Documents and Settings\All Users\Documents\Incomplete\T-5745425-sequoia throne (unplugged version).mp3"

Other than that....

Your logs appear clean.You should be good to go. We still have a few items to address.

Go to

-> Run -> copy/paste in the following single line command & click OK

combofix /u

This will uninstall ComboFix. It will also implement some cleanup procedures and reset System Restore points.

Now that your system is clean, to help protect your computer in the future I recommend that you follow these steps and look into the following free programs:

Microsoft Windows Update - http://www.windowsupdate.com
Visit regularly. This will ensure your computer always has the latest security updates. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.
SpywareBlaster to help prevent spyware from installing in the first place.
- Install & update SpywareBlaster with the latest definitions.
  After you have updated, click the button - enable protection for all unprotected items
McAfee Site Advisor--free version. The folks there check out websites and based on their findings, rate it as Safe, Unknown, Caution, or Bad.
Winpatrol

Winpatrol is heuristic protection program, meaning it looks for patterns in codes that work like malware. It also takes a snapshot of your system's critical resources and alerts you to any changes that may occur without you knowing. You can read more about Winpatrol's features here.

You can get a free copy of Winpatrol or use the Plus version for more features.

You can read Winpatrol's FAQ if you run into problems.
MVPS HOST FILE
The MVPS Hosts file replaces your current HOSTS file with one that will restrict known ad sites from serving you unsolicited advertisements. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1 which is the IP of your local computer.
- Download Host.zip to your desktop.
- From your Desktop right-click (hosts.zip) and select:
  Extract All from the menu.
- Click Next, click Next, select the option:
  "Show Extracted files", click Finish
- This will open the newly created hosts folder on your Desktop.
- Double-click on the included mvps.bat file, this will rename the existing HOSTS file to HOSTS.MVP, then it will copy the included updated HOSTS file to the correct location on your machine.
- Once updated you should see another prompt that the task was completed.
ANTIVIRUS SOFTWARE
It is very important that you have anti-virus software running on your machine. This alone can save you a lot of trouble with malware in the future. It is imperative that you update your antivirus software at least once a week (even more if you wish). If you do not update your antivirus software then it will not be able to catch new malware that may have come out.

Do not install more than one AntiVirus program because they will conflict with each other.
Scan here http://secunia.com/software_inspector/ for out of date & vulnerable common applications on your computer
http://www.trillian.cc ? Trillian or http://www.miranda-im.com ? Miranda-IM - These are Malware free Instant Messenger programs which allow you to connect to multiple IM services in one program! (AOL, Yahoo, ICQ, IRC, MSN)
http://www.aumha.org/downloads/erunt-setup.exe - ERUNT - A useful freeware utility for users of Windows 2000/XP//Vista. It's made up of two parts - ERUNT & NTREGOPT.

ERUNT will create daily complete backups of your computer's Registry. Whilst System Restore does the same thing, a corrupt registry file may prevent Windows from booting & this effectively renders disables System Restore. With ERUNT, you're able to restore the damaged Registry.

NTREGOPT works by recreating each registry hive "from scratch", thus removing any slack space that may be left from previously modified or deleted keys. In other words, it compacts the Registry to a small size which allows Windows to load & perform faster.

In light of your recent troubles, I'm sure you'll like to avoid any future infections. Please take a look at these well written articles

If you want to fight back the Malware Writers that have made your life a misery, please take a look here and read what you can do against it.

Please respond to this thread one more time so we can mark this thread as resolved.

GeoffKerman · 04-15-2009, 02:34 PM

The only issue I have now is the "combofix /u" line didn't work, but other than that thank you! You were a great help fixing everything and I'll definitely follow up with some more of thoe protection suggestions.

Thank you :)

tetonbob · 04-15-2009, 02:39 PM

uninstalling ComboFix properly is an important detail in cleaning up our mess. It does more than just delete itself.

Is ComboFix still on your desktop? If so, the command should work. Did you receive an error message?

Try this command (be sure to include the quote mark at the beginning):

"c:\documents and settings\Geoffrey Kerman\Desktop\ComboFix.exe" /u

GeoffKerman · 04-15-2009, 02:47 PM

Ok I put combofix back on my desktop and it worked.

tetonbob · 04-15-2009, 02:51 PM

Cheers! We should be done then.

Surf Safely, and Think Prevention!

Since this issue is resolved, this topic will be archived.

GeoffKerman · 04-15-2009, 02:52 PM

Thanks!

04-13-2009, 02:36 PM	#2 (permalink)
tetonbob Manager, Security Center, TSF Academy; Analyst, Security Team Join Date: Jan 2005 Location: Transylvania County, North Carolina, USA Posts: 35,572 OS: 2000 Pro; XP Pro; XP Home	Re: Ntoskrnl-hook Hello, and Welcome to TSF. Please subscribe to this thread to get immediate notification of replies as soon as they are posted. To do this click Thread Tools, then click Subscribe to this Thread. Make sure it is set to Instant Notification, then click Subscribe. Before beginning the fix, read this post completely. If there's anything that you do not understand, kindly ask your questions before proceeding. Ensure that there aren't any opened browsers when you are carrying out the procedures below. Save the following instructions in Notepad as this webpage would not be available when you're carrying out the fix. It is IMPORTANT that you don't miss a step & perform everything in the correct order/sequence. --------------------------------------------------------------------------------------------- Please note that these fixes are not instantaneous. Most infections require more than one round to properly eradicate. Stay with me until given the 'all clear' even if symptoms diminish. Lack of symptoms does not always mean the job is complete. Kindly follow my instructions and please do no fixing on your own or running of scanners unless requested by me or another helper at this forum. --------------------------------------------------------------------------------------------- Download ComboFix from one of these locations: Link 1 Link 2 Link 3 * IMPORTANT !!! Place combofix.exe on your Desktop Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with ComboFix. McAfee:: Double-click the taskbar icon to open the Security Center Click Advanced Menu (lower left) Click Configure (left) Click Computer & Files (upper left) VirusScan can be disabled on the right. Double click on combofix.exe & follow the prompts. As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures. The Windows recovery console will allow you to boot up into a special recovery mode that allows us to help you in the case that your computer has a problem after an attempted removal of malware. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement. ComboFix will now automatically install the Microsoft Windows Recovery Console onto your computer, which will show up as a new option when booting up your computer. Do not select the Microsoft Windows Recovery Console option when you start your computer unless requested to by a helper. Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see a message that says: The Recovery Console was successfully installed. Click on Yes, to continue scanning for malware. Your desktop may go blank. This is normal. It will return when ComboFix is done. ComboFix may reboot your machine. This is normal. When finished, it shall produce a log for you. Post that log in your next reply Note: Do not mouseclick combofix's window whilst it's running. That may cause it to stall. --------------------------------------------------------------------------------------------- Ensure your AntiVirus and AntiSpyware applications are re-enabled. A reboot should have done this. --------------------------------------------------------------------------------------------- __________________ Practice Safe Surfing PC Safety and Security--What Do I Need? Because what you don't know, CAN hurt you. Proud Member of ASAP since 2005 Proud Member of UNITE since 2006 Microsoft MVP - Consumer Security 2009

04-13-2009, 04:14 PM	#3 (permalink)
GeoffKerman Registered User Join Date: Apr 2009 Posts: 6 OS: xp sp3	Re: Ntoskrnl-hook Thanks! Here is the log it produced: ComboFix 09-04-13.A2 - Geoffrey Kerman 2009-04-13 18:04.1 - NTFSx86 Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1589 [GMT -4:00] Running from: c:\documents and settings\Geoffrey Kerman\Desktop\ComboFix.exe AV: McAfee VirusScan On-access scanning disabled (Updated) FW: McAfee Personal Firewall enabled * Resident AV is active . ((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))) . c:\documents and settings\Geoffrey Kerman\Application Data\inst.exe c:\windows\system32\drivers\gaopdxmoeayeplyovelkxejnqipxtfktujneow.sys c:\windows\system32\gaopdxstsvgrdkgwxwylgriybkrugmvwtbafdn.dll . ((((((((((((((((((((((((((((((((((((((( Drivers/Services ))))))))))))))))))))))))))))))))))))))))))))))))) . -------\Service_gaopdxserv.sys ((((((((((((((((((((((((( Files Created from 2009-03-13 to 2009-04-13 ))))))))))))))))))))))))))))))) . 2009-04-11 23:40 . 2009-04-11 23:40 -------- d-----w c:\documents and settings\Geoffrey Kerman\Local Settings\Application Data\Dell 2009-04-11 23:21 . 2009-04-11 23:21 -------- d-----w c:\documents and settings\Geoffrey Kerman\Application Data\DataSafeOnline 2009-04-01 19:41 . 2009-04-01 19:41 -------- d-----w c:\documents and settings\Geoffrey Kerman\Application Data\Malwarebytes 2009-04-01 19:41 . 2009-04-06 19:32 15504 ----a-w c:\windows\system32\drivers\mbam.sys 2009-04-01 19:40 . 2009-04-06 19:32 38496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys 2009-04-01 19:40 . 2009-04-01 19:40 -------- d-----w c:\documents and settings\All Users\Application Data\Malwarebytes 2009-03-27 17:59 . 2009-03-27 17:59 -------- d-----w c:\documents and settings\Administrator\Local Settings\Application Data\Mozilla 2009-03-24 21:35 . 2009-03-24 21:35 2524 ----a-w C:\autorun.PNF . (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) . 2009-04-13 21:21 . 2008-08-19 20:28 -------- d-----w c:\documents and settings\Geoffrey Kerman\Application Data\DNA 2009-04-12 01:17 . 2008-08-19 20:28 -------- d-----w c:\program files\DNA 2009-04-10 04:24 . 2008-08-28 17:42 34 ----a-w c:\documents and settings\Geoffrey Kerman\jagex_runescape_preferences.dat 2009-04-09 22:33 . 2009-04-01 19:40 -------- d-----w c:\program files\Malwarebytes' Anti-Malware 2009-04-08 15:10 . 2008-08-19 20:29 -------- d-----w c:\documents and settings\Geoffrey Kerman\Application Data\BitTorrent 2009-04-07 21:59 . 2008-02-18 15:58 56781 ----a-w c:\windows\system32\nvModes.dat 2009-04-07 21:25 . 2008-02-27 04:42 -------- d-----w c:\program files\Steam 2009-04-02 00:18 . 2008-02-18 16:53 -------- d-----w c:\program files\McAfee 2009-03-20 22:18 . 2009-03-20 22:18 -------- d-----w c:\program files\Combined Community Codec Pack 2009-03-14 23:55 . 2008-09-03 23:28 -------- d-----w c:\documents and settings\Geoffrey Kerman\Application Data\Vso 2009-03-11 03:34 . 2008-02-29 04:11 -------- d-----w c:\documents and settings\All Users\Application Data\Microsoft Help 2009-03-10 19:05 . 2008-02-18 16:53 -------- d-----w c:\documents and settings\All Users\Application Data\McAfee 2009-03-03 22:17 . 2008-07-10 03:44 -------- d-----w c:\documents and settings\Geoffrey Kerman\Application Data\LimeWire 2009-03-01 02:45 . 2009-01-06 01:17 -------- d-----w c:\program files\Microsoft Silverlight 2009-02-09 11:13 . 2008-10-15 05:14 1846784 ------w c:\windows\system32\dllcache\win32k.sys 2009-02-09 11:13 . 2004-08-11 23:00 1846784 ----a-w c:\windows\system32\win32k.sys 2008-12-24 00:09 . 2008-02-18 17:04 87448 ----a-w c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT 2008-10-04 17:58 . 2008-09-03 23:28 47360 ----a-w c:\documents and settings\Geoffrey Kerman\Application Data\pcouffin.sys 2008-06-27 14:28 . 2008-06-27 14:21 184368 ----a-w c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat 2008-02-18 17:04 . 2008-02-26 21:02 44976 ----a-w c:\documents and settings\Geoffrey Kerman\Local Settings\Application Data\GDIPFONTCACHEV1.DAT . ((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))) . . Note empty entries & legit default entries are not shown REGEDIT4 [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2008-08-13 206064] "ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360] "SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2008-07-07 2156368] "BitTorrent DNA"="c:\program files\DNA\btdna.exe" [2008-12-19 342848] "DAEMON Tools Lite"="c:\program files\DAEMON Tools Lite\daemon.exe" [2008-08-08 490952] "Google Update"="c:\documents and settings\Geoffrey Kerman\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" [2008-11-18 133104] [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] "SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2007-07-18 851968] "NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-11-05 8491008] "NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-11-05 81920] "OEM02Mon.exe"="c:\windows\OEM02Mon.exe" [2007-08-28 36864] "IntelZeroConfig"="c:\program files\Intel\Wireless\bin\ZCfgSvc.exe" [2007-07-25 823296] "IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2007-07-25 974848] "DELL Webcam Manager"="c:\program files\Dell\Dell Webcam Manager\DellWMgr.exe" [2007-07-27 118784] "Dell QuickSet"="c:\program files\Dell\QuickSet\quickset.exe" [2007-07-20 1228800] "Launch LCDMon"="c:\program files\Common Files\Logitech\LCD Manager\LCDMon.exe" [2007-07-18 775952] "KADxMain"="c:\windows\system32\KADxMain.exe" [2006-11-02 282624] "ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2006-10-03 221184] "ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2006-10-03 81920] "RoxWatchTray"="c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe" [2006-11-05 221184] "RoxioDragToDisc"="c:\program files\Roxio\Drag-to-Disc\DrgToDsc.exe" [2006-08-17 1116920] "PCMService"="c:\program files\Dell\MediaDirect\PCMService.exe" [2007-04-16 184320] "ECenter"="c:\dell\E-Center\EULALauncher.exe" [2007-05-24 17920] "mcagent_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2009-01-08 645328] "dscactivate"="c:\program files\Dell Support Center\gs_agent\custom\dsca.exe" [2007-10-09 16384] "GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2007-08-24 33648] "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792] "DellSupportCenter"="c:\program files\Dell Support Center\bin\sprtcmd.exe" [2008-08-13 206064] "SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-12-20 136600] "AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-10-01 111936] "QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-09-06 413696] "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-10-01 289576] "PWRISOVM.EXE"="c:\program files\PowerISO\PWRISOVM.EXE" [2007-08-06 200704] "Zune Launcher"="c:\program files\Zune\ZuneLauncher.exe" [2008-12-12 157312] "nwiz"="nwiz.exe" [2007-11-05 c:\windows\system32\nwiz.exe] "NVHotkey"="nvHotkey.dll" [2007-11-05 c:\windows\system32\nvhotkey.dll] "SigmatelSysTrayApp"="stsystra.exe" [2007-07-17 c:\windows\stsystra.exe] c:\documents and settings\Geoffrey Kerman\Start Menu\Programs\Startup\ OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2007-12-07 101440] [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32] "vidc.ffds"= c:\progra~1\COMBIN~1\Filters\FFDShow\ff_vfw.dll [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ati1texx.sys] @="Driver" [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys] @="Driver" [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus] "DisableMonitoring"=dword:00000001 [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall] "DisableMonitoring"=dword:00000001 [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile] "EnableFirewall"= 0 (0x0) [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List] "%windir%\\system32\\sessmgr.exe"= "c:\\Program Files\\Dell\\MediaDirect\\PCMService.exe"= "c:\\Program Files\\Intel\\Wireless\\Bin\\iFrmewrk.exe"= "c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"= "c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"= "c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"= "c:\\Program Files\\Steam\\steamapps\\quitcryin\\counter-strike source\\hl2.exe"= "c:\\Program Files\\LimeWire\\LimeWire.exe"= "c:\\Program Files\\Steam\\Steam.exe"= "c:\\WINDOWS\\system32\\dpvsetup.exe"= "c:\\Program Files\\DNA\\btdna.exe"= "c:\\Program Files\\BitTorrent\\bittorrent.exe"= "c:\\Program Files\\Messenger\\msmsgs.exe"= "c:\\Program Files\\Bonjour\\mDNSResponder.exe"= "c:\\Program Files\\iTunes\\iTunes.exe"= "%windir%\\Network Diagnostic\\xpnetdiag.exe"= "c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"= "c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"= "c:\\Program Files\\Left 4 Dead\\left4dead.exe"= "c:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"= "c:\\Program Files\\Steam\\steamapps\\arm123\\counter-strike source\\hl2.exe"= [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List] "3724:TCP"= 3724:TCP:Blizzard Downloader: 3724 R0 nbmpikh;nbmpikh; [x] R1 vcdrom;Virtual CD-ROM Device Driver; [x] R3 ati1texx;ati1texx; [x] R3 motccgp;Motorola USB Composite Device Driver;c:\windows\system32\DRIVERS\motccgp.sys [2008-08-21 18688] R3 motccgpfl;MotCcgpFlService;c:\windows\system32\DRIVERS\motccgpfl.sys [2008-08-21 8320] R3 MotDev;Motorola Inc. USB Device;c:\windows\system32\DRIVERS\motodrv.sys [2007-10-10 42112] R3 motport;Motorola USB Diagnostic Port;c:\windows\system32\DRIVERS\motport.sys [2007-06-18 23680] S3 OEM02Dev;Creative Camera OEM002 Driver;c:\windows\system32\DRIVERS\OEM02Dev.sys [2007-08-28 235520] S3 OEM02Vfx;Creative Camera OEM002 Video VFX Driver;c:\windows\system32\DRIVERS\OEM02Vfx.sys [2007-08-28 7424] S3 physX32;physX32;c:\windows\system32\DRIVERS\physX32.sys [2007-06-26 117888] . Contents of the 'Scheduled Tasks' folder 2009-04-07 c:\windows\Tasks\AppleSoftwareUpdate.job - c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34] 2009-04-13 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2056057916-3460842416-330518327-1005.job - c:\documents and settings\Geoffrey Kerman\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2008-11-18 19:17] 2008-10-15 c:\windows\Tasks\McDefragTask.job - c:\progra~1\mcafee\mqc\QcConsol.exe [2009-01-09 10:53] 2008-11-01 c:\windows\Tasks\McQcTask.job - c:\progra~1\mcafee\mqc\QcConsol.exe [2009-01-09 10:53] . - - - - ORPHANS REMOVED - - - - HKCU-Run-P2kAutostart - (no file) . ------- Supplementary Scan ------- . uStart Page = http://www.google.ca/ig/dell?hl=en&c...ca&ibd=5080218 mStart Page = hxxp://www1.ca.dell.com/content/default.aspx?c=ca&l=en&s=gen uInternet Connection Wizard,ShellNext = hxxp://www.google.ca/ig/dell?hl=en&client=dell-row&channel=ca&ibd=5080218 uInternet Settings,ProxyOverride = .local IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\Office12\EXCEL.EXE/3000 FF - ProfilePath - c:\documents and settings\Geoffrey Kerman\Application Data\Mozilla\Firefox\Profiles\rcalyfhk.default\ FF - prefs.js: browser.search.selectedEngine - Wikipedia (en) FF - prefs.js: browser.startup.homepage - hxxp://www.google.ca/ FF - plugin: c:\documents and settings\Geoffrey Kerman\Local Settings\Application Data\Google\Update\1.2.141.5\npGoogleOneClick7.dll FF - plugin: c:\program files\Mozilla Firefox\plugins\npbittorrent.dll . *********************************************************************** catchme 0.3.1375 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net Rootkit scan 2009-04-13 18:09 Windows 5.1.2600 Service Pack 3 NTFS scanning hidden processes ... scanning hidden autostart entries ... HKCU\Software\Microsoft\Windows\CurrentVersion\Run P2kAutostart = ??? scanning hidden files ... scan completed successfully hidden files: 0 ************************************************************************ . Completion time: 2009-04-13 18:11 ComboFix-quarantined-files.txt 2009-04-13 22:10 Pre-Run: 28,500,983,808 bytes free Post-Run: 29,180,747,776 bytes free WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe [boot loader] timeout=2 default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS [operating systems] c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect 192 --- E O F --- 2009-03-20 22:01

04-14-2009, 01:33 PM	#5 (permalink)
GeoffKerman Registered User Join Date: Apr 2009 Posts: 6 OS: xp sp3	Re: Ntoskrnl-hook Well my computer hasn't crashed since or put up any trouble at all really. Here are the results of the scan. Thank you: -------------------------------------------------------------------------------- KASPERSKY ONLINE SCANNER 7.0 REPORT Tuesday, April 14, 2009 Operating System: Microsoft Windows XP Professional Service Pack 3 (build 2600) Kaspersky Online Scanner version: 7.0.26.13 Program database last update: Tuesday, April 14, 2009 18:21:07 Records in database: 2043980 -------------------------------------------------------------------------------- Scan settings: Scan using the following database: extended Scan archives: yes Scan mail databases: yes Scan area - My Computer: C:\ D:\ E:\ F:\ G:\ Scan statistics: Files scanned: 100198 Threat name: 1 Infected objects: 1 Suspicious objects: 0 Duration of the scan: 02:03:13 File name / Threat name / Threats count C:\Documents and Settings\All Users\Documents\Incomplete\T-5745425-sequoia throne (unplugged version).mp3 Infected: Trojan-Downloader.WMA.GetCodec.r 1 The selected area was scanned.

04-14-2009, 01:37 PM	#6 (permalink)
tetonbob Manager, Security Center, TSF Academy; Analyst, Security Team Join Date: Jan 2005 Location: Transylvania County, North Carolina, USA Posts: 35,572 OS: 2000 Pro; XP Pro; XP Home	Re: Ntoskrnl-hook Looks good, only one infected file to delete. This came from Limewire, which again drives home my point about P2P file sharing, and the risks. Go Start > Run and copy/paste the following single-line command into the Run box and click OK: cmd /c del /f/a/s "C:\Documents and Settings\All Users\Documents\Incomplete\T-5745425-sequoia throne (unplugged version).mp3" Other than that.... Your logs appear clean.You should be good to go. We still have a few items to address. Go to -> Run -> copy/paste in the following single line command & click OK combofix /u This will uninstall ComboFix. It will also implement some cleanup procedures and reset System Restore points. Now that your system is clean, to help protect your computer in the future I recommend that you follow these steps and look into the following free programs: Microsoft Windows Update - http://www.windowsupdate.com Visit regularly. This will ensure your computer always has the latest security updates. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates. SpywareBlaster to help prevent spyware from installing in the first place. Install & update SpywareBlaster with the latest definitions. After you have updated, click the button - enable protection for all unprotected items McAfee Site Advisor--free version. The folks there check out websites and based on their findings, rate it as Safe, Unknown, Caution, or Bad. Winpatrol Winpatrol is heuristic protection program, meaning it looks for patterns in codes that work like malware. It also takes a snapshot of your system's critical resources and alerts you to any changes that may occur without you knowing. You can read more about Winpatrol's features here. You can get a free copy of Winpatrol or use the Plus version for more features. You can read Winpatrol's FAQ if you run into problems. MVPS HOST FILE The MVPS Hosts file replaces your current HOSTS file with one that will restrict known ad sites from serving you unsolicited advertisements. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1 which is the IP of your local computer. Download Host.zip to your desktop. From your Desktop right-click (hosts.zip) and select: Extract All from the menu. Click Next, click Next, select the option: "Show Extracted files", click Finish This will open the newly created hosts folder on your Desktop. Double-click on the included mvps.bat file, this will rename the existing HOSTS file to HOSTS.MVP, then it will copy the included updated HOSTS file to the correct location on your machine. Once updated you should see another prompt that the task was completed. ANTIVIRUS SOFTWARE It is very important that you have anti-virus software running on your machine. This alone can save you a lot of trouble with malware in the future. It is imperative that you update your antivirus software at least once a week (even more if you wish). If you do not update your antivirus software then it will not be able to catch new malware that may have come out. Do not install more than one AntiVirus program because they will conflict with each other. Scan here http://secunia.com/software_inspector/ for out of date & vulnerable common applications on your computer http://www.trillian.cc ? Trillian or http://www.miranda-im.com ? Miranda-IM - These are Malware free Instant Messenger programs which allow you to connect to multiple IM services in one program! (AOL, Yahoo, ICQ, IRC, MSN) http://www.aumha.org/downloads/erunt-setup.exe - ERUNT - A useful freeware utility for users of Windows 2000/XP//Vista. It's made up of two parts - ERUNT & NTREGOPT. ERUNT will create daily complete backups of your computer's Registry. Whilst System Restore does the same thing, a corrupt registry file may prevent Windows from booting & this effectively renders disables System Restore. With ERUNT, you're able to restore the damaged Registry. NTREGOPT works by recreating each registry hive "from scratch", thus removing any slack space that may be left from previously modified or deleted keys. In other words, it compacts the Registry to a small size which allows Windows to load & perform faster. In light of your recent troubles, I'm sure you'll like to avoid any future infections. Please take a look at these well written articles How did I get infected in the first place? PC Safety and Security--What Do I Need? If you want to fight back the Malware Writers that have made your life a misery, please take a look here and read what you can do against it. Please respond to this thread one more time so we can mark this thread as resolved. __________________ Practice Safe Surfing PC Safety and Security--What Do I Need? Because what you don't know, CAN hurt you. Proud Member of ASAP since 2005 Proud Member of UNITE since 2006 Microsoft MVP - Consumer Security 2009

04-15-2009, 02:34 PM	#7 (permalink)
GeoffKerman Registered User Join Date: Apr 2009 Posts: 6 OS: xp sp3	Re: Ntoskrnl-hook The only issue I have now is the "combofix /u" line didn't work, but other than that thank you! You were a great help fixing everything and I'll definitely follow up with some more of thoe protection suggestions. Thank you :)

04-15-2009, 02:39 PM	#8 (permalink)
tetonbob Manager, Security Center, TSF Academy; Analyst, Security Team Join Date: Jan 2005 Location: Transylvania County, North Carolina, USA Posts: 35,572 OS: 2000 Pro; XP Pro; XP Home	Re: Ntoskrnl-hook uninstalling ComboFix properly is an important detail in cleaning up our mess. It does more than just delete itself. Is ComboFix still on your desktop? If so, the command should work. Did you receive an error message? Try this command (be sure to include the quote mark at the beginning): "c:\documents and settings\Geoffrey Kerman\Desktop\ComboFix.exe" /u __________________ Practice Safe Surfing PC Safety and Security--What Do I Need? Because what you don't know, CAN hurt you. Proud Member of ASAP since 2005 Proud Member of UNITE since 2006 Microsoft MVP - Consumer Security 2009

04-15-2009, 02:47 PM	#9 (permalink)
GeoffKerman Registered User Join Date: Apr 2009 Posts: 6 OS: xp sp3	Re: Ntoskrnl-hook Ok I put combofix back on my desktop and it worked.

04-15-2009, 02:51 PM	#10 (permalink)
tetonbob Manager, Security Center, TSF Academy; Analyst, Security Team Join Date: Jan 2005 Location: Transylvania County, North Carolina, USA Posts: 35,572 OS: 2000 Pro; XP Pro; XP Home	Re: Ntoskrnl-hook Cheers! We should be done then. Surf Safely, and Think Prevention! Since this issue is resolved, this topic will be archived. __________________ Practice Safe Surfing PC Safety and Security--What Do I Need? Because what you don't know, CAN hurt you. Proud Member of ASAP since 2005 Proud Member of UNITE since 2006 Microsoft MVP - Consumer Security 2009

04-15-2009, 02:52 PM	#11 (permalink)
GeoffKerman Registered User Join Date: Apr 2009 Posts: 6 OS: xp sp3	Re: Ntoskrnl-hook Thanks!