Resolved HJT Threads Resolved spyware and popup issues.
07-30-2009, 01:07 AM   #1
quattroB4U, Registered User
Join Date: Jul 2009
Posts: 34
OS: Windows XP Professional - Service Pack 3


Please Help Removing NTOSKRNL-HOOK Generic Rootkit.d!rootkit

Hi,

I am here to ask for help with removing NTOSKRNL-HOOK Generic Rootkit.d!rootkit infection that appears to be redirecting most browser search attempts indicating 'www.clickover.cn' within the url.

I have run DDS and included the resulting .txt and Attach as instructed.

Thank you for your support!

Regards

DDS (Ver_09-06-26.01) - NTFSx86
Run by Norm at 1:38:45.54 on Thu 07/30/2009
Internet Explorer: 7.0.5730.13
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1287 [GMT -5:00]

AV: Spyware Doctor with AntiVirus *On-access scanning disabled* (Updated) {D3C23B96-C9DC-477F-8EF1-69AF17A6EFF6}
AV: AntiVir Desktop *On-access scanning disabled* (Outdated) {AD166499-45F9-482A-A743-FDD3350758C7}
AV: McAfee VirusScan *On-access scanning enabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\system32\svchost -k rpcss
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\System32\svchost.exe -k NetworkService
C:\WINDOWS\System32\svchost.exe -k LocalService
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\WINDOWS\System32\svchost.exe -k LocalService
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\Spyware Doctor\pctsTray.exe
C:\Program Files\Canon\SolutionMenu\CNSLMAIN.exe
C:\Program Files\Canon\MyPrinter\BJMyPrt.exe
C:\Program Files\ScanSoft\OmniPageSE4\OpwareSE4.exe
C:\Program Files\McAfee\MBK\McAfeeDataBackup.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Registry Mechanic\RegMech.exe
C:\Program Files\Canon\IJPLM\IJPLMSVC.EXE
C:\Program Files\McAfee\MBK\MBackMonitor.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\Program Files\Spyware Doctor\TFEngine\TFService.exe
C:\WINDOWS\System32\alg.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Norm\Desktop\dds.scr
C:\WINDOWS\system32\wbem\wmiprvse.exe

============== Pseudo HJT Report ===============

BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: scriptproxy: {7db2d5a0-7241-4e79-b68d-6309f01c5231} - c:\program files\mcafee\virusscan\scriptsn.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.1.1309.15642\swg.dll
BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - c:\program files\google\google toolbar\component\fastsearch_A8904FB862BD9564.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar.dll
EB: {0207D531-4FEC-B23C-46D9-52CA38FEFCBE} - No File
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
EB: &Research: {ff059e31-cc5a-4e2e-bf3b-96e929d65503} - c:\progra~1\micros~3\office11\REFIEBAR.DLL
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
uRun: [RegistryMechanic] c:\program files\registry mechanic\RegMech.exe /H
mRun: [SkyTel] SkyTel.EXE
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [Alcmtr] ALCMTR.EXE
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [nwiz] nwiz.exe /install
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [mcagent_exe] c:\program files\mcafee.com\agent\mcagent.exe /runkey
mRun: [ISTray] "c:\program files\spyware doctor\pctsTray.exe"
mRun: [CanonSolutionMenu] c:\program files\canon\solutionmenu\CNSLMAIN.exe /logon
mRun: [CanonMyPrinter] c:\program files\canon\myprinter\BJMyPrt.exe /logon
mRun: [SSBkgdUpdate] "c:\program files\common files\scansoft shared\ssbkgdupdate\SSBkgdupdate.exe" -Embedding -boot
mRun: [OpwareSE4] "c:\program files\scansoft\omnipagese4\OpwareSE4.exe"
mRun: [McAfee Backup] c:\program files\mcafee\mbk\McAfeeDataBackup.exe
mRun: [MBkLogOnHook] c:\program files\mcafee\mbk\LogOnHook.exe
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
uPolicies-system: EnableProfileQuota = 1 (0x1)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office11\REFIEBAR.DLL
LSP: c:\program files\common files\pc tools\lsp\PCTLsp.dll
DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} - hxxp://www2.snapfish.com/SnapfishActivia.cab
DPF: {493ACF15-5CD9-4474-82A6-91670C3DD66E} - hxxp://www.linkedin.com/cab/LinkedInContactFinderControl.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1201396145780
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1201396991982
DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} - hxxp://www.adobe.com/products/acrobat/nos/gp.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - c:\program files\google\google toolbar\component\fastsearch_A8904FB862BD9564.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SecurityProviders: msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, digiwet.dll

============= SERVICES / DRIVERS ===============

R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [2009-7-29 130936]
R0 TfFsMon;TfFsMon;c:\windows\system32\drivers\TfFsMon.sys [2009-7-29 51488]
R0 TfSysMon;TfSysMon;c:\windows\system32\drivers\TfSysMon.sys [2009-7-29 39200]
R0 xfilt;VIA SATA IDE Hot-plug Driver;c:\windows\system32\drivers\xfilt.sys [2008-1-26 11264]
R1 avgio;avgio;c:\program files\avira\antivir desktop\avgio.sys [2009-7-29 11608]
R1 BIOS;BIOS;c:\windows\system32\drivers\BIOS.sys [2008-1-26 13696]
R1 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2008-1-28 201320]
R1 pctgntdi;pctgntdi;c:\windows\system32\drivers\pctgntdi.sys [2009-7-29 159600]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\avira\antivir desktop\sched.exe [2009-7-29 108289]
R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2009-7-29 55640]
R2 McProxy;McAfee Proxy Service;c:\progra~1\common~1\mcafee\mcproxy\mcproxy.exe [2008-1-28 359248]
R2 McShield;McAfee Real-time Scanner;c:\progra~1\mcafee\viruss~1\mcshield.exe [2008-1-28 144704]
R2 sdAuxService;PC Tools Auxiliary Service;c:\program files\spyware doctor\pctsAuxs.exe [2009-1-1 348752]
R2 sdCoreService;PC Tools Security Service;c:\program files\spyware doctor\pctsSvc.exe [2009-1-1 1097096]
R3 McSysmon;McAfee SystemGuards;c:\progra~1\mcafee\viruss~1\mcsysmon.exe [2008-1-28 695624]
R3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2008-1-28 79304]
R3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2008-1-28 35240]
R3 mferkdk;McAfee Inc. mferkdk;c:\windows\system32\drivers\mferkdk.sys [2008-1-28 33832]
R3 mfesmfk;McAfee Inc. mfesmfk;c:\windows\system32\drivers\mfesmfk.sys [2008-1-28 40488]
R3 pctplsg;pctplsg;c:\windows\system32\drivers\pctplsg.sys [2009-7-29 64392]
R3 TfNetMon;TfNetMon;c:\windows\system32\drivers\TfNetMon.sys [2009-7-29 33056]
R3 ThreatFire;ThreatFire;c:\program files\spyware doctor\tfengine\tfservice.exe service --> c:\program files\spyware doctor\tfengine\TFService.exe service [?]
RUnknown aswFsBlk;aswFsBlk; [x]
RUnknown aswSP;aswSP; [x]
S1 f696529;f696529;c:\windows\system32\drivers\f696529.sys --> c:\windows\system32\drivers\f696529.sys [?]
S2 AntiVirService;Avira AntiVir Guard;c:\program files\avira\antivir desktop\avguard.exe [2009-7-29 185089]
S2 stisvcCryptSvc;Windows Image Acquisition (WIA) stisvcCryptSvc;c:\windows\system32\1028j.exe srv --> c:\windows\system32\1028j.exe srv [?]

=============== Created Last 30 ================

2009-07-29 21:58 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Avira
2009-07-29 21:49 55,640 a------- c:\windows\system32\drivers\avgntflt.sys
2009-07-29 21:49 <DIR> --d----- c:\program files\Avira
2009-07-29 17:25 51,488 a------- c:\windows\system32\drivers\TfFsMon.sys
2009-07-29 17:25 39,200 a------- c:\windows\system32\drivers\TfSysMon.sys
2009-07-29 17:25 33,056 a------- c:\windows\system32\drivers\TfNetMon.sys
2009-07-29 17:25 12,576 a------- c:\windows\system32\drivers\TfKbMon.sys
2009-07-29 14:36 159,600 a------- c:\windows\system32\drivers\pctgntdi.sys
2009-07-29 14:36 130,936 a------- c:\windows\system32\drivers\PCTCore.sys
2009-07-29 14:36 73,840 a------- c:\windows\system32\drivers\PCTAppEvent.sys
2009-07-29 14:36 64,392 a------- c:\windows\system32\drivers\pctplsg.sys
2009-07-29 14:36 <DIR> --d----- c:\program files\common files\PC Tools
2009-07-29 14:36 <DIR> --d----- c:\docume~1\alluse~1\applic~1\PC Tools

==================== Find3M ====================

2009-03-31 21:23 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012009033120090401\index.dat

============= FINISH: 1:40:13.28 ===============
Attached Files
File Type: zip Attach.zip (2.5 KB, 1 views)
File Type: zip ark.zip (952 Bytes, 3 views)

Last edited by quattroB4U; 07-30-2009 at 01:26 AM. Reason: Add attachment
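The SERVICES / DRIVERS section of the DDS log above is where a helper looks first: entries with no image path, entries whose file DDS could not read, and services with random-looking binaries or names that borrow from well-known Windows services. The script below is an added example written for this thread, not part of DDS, ComboFix or the forum's own tooling. It parses that section and flags such entries for manual review. The sample lines are copied from the log posted above; the reading of the `[x]` and `[?]` markers (no image path recorded, and file date/size unreadable) and the list of known service names are assumptions made for this example.

```python
"""Triage heuristics for the SERVICES / DRIVERS section of a DDS log.

Added example for this thread; not part of DDS, ComboFix, or the forum's own
tooling. It parses lines of the form

    <state> <name>;<display name>;<image path> [<date> <size>]

and flags entries a helper would want to look at by hand.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Sample lines taken from the SERVICES / DRIVERS section of the DDS log above.
SAMPLE_DDS = r"""
R0 PCTCore;PCTools KDS;c:\windows\system32\drivers\PCTCore.sys [2009-7-29 130936]
R1 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2008-1-28 201320]
R3 ThreatFire;ThreatFire;c:\program files\spyware doctor\tfengine\tfservice.exe service --> c:\program files\spyware doctor\tfengine\TFService.exe service [?]
RUnknown aswFsBlk;aswFsBlk; [x]
RUnknown aswSP;aswSP; [x]
S1 f696529;f696529;c:\windows\system32\drivers\f696529.sys --> c:\windows\system32\drivers\f696529.sys [?]
S2 AntiVirService;Avira AntiVir Guard;c:\program files\avira\antivir desktop\avguard.exe [2009-7-29 185089]
S2 stisvcCryptSvc;Windows Image Acquisition (WIA) stisvcCryptSvc;c:\windows\system32\1028j.exe srv --> c:\windows\system32\1028j.exe srv [?]
"""

ENTRY_RE = re.compile(r"^(?P<state>[RS](?:\d|Unknown))\s+(?P<name>[^;]*);(?P<display>[^;]*);(?P<rest>.*)$")
PATH_RE = re.compile(r"^(?P<path>.*?\.(?:exe|sys|dll))(?=\s|$)", re.IGNORECASE)

# Short names of well-known Windows XP services. A service whose name merely
# embeds one of these (rather than equalling it) is treated as a lookalike.
# This list is an assumption for the example, not something DDS checks itself.
KNOWN_SERVICES = ("stisvc", "cryptsvc", "dnscache", "dhcp", "spooler", "wuauserv")


@dataclass
class ServiceEntry:
    state: str
    name: str
    display: str
    image: Optional[str]
    flags: List[str] = field(default_factory=list)


def _digit_heavy(stem: str) -> bool:
    """True when at least 40% of the file name (without extension) is digits."""
    return bool(stem) and sum(c.isdigit() for c in stem) / len(stem) >= 0.4


def parse_entry(line: str) -> Optional[ServiceEntry]:
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    entry = ServiceEntry(m["state"], m["name"], m["display"], None)
    rest = m["rest"].strip()

    if rest.endswith("[x]"):
        # Assumed meaning of [x]: the service has no image path recorded.
        entry.flags.append("no image path recorded ([x])")
    else:
        body, _, trailer = rest.rpartition("[")
        trailer = trailer.rstrip("]").strip()
        if "-->" in body:
            # DDS repeats the resolved path after '-->'; keep the resolved one.
            body = body.split("-->", 1)[1]
        pm = PATH_RE.match(body.strip())
        entry.image = pm["path"] if pm else body.strip()
        if trailer == "?":
            # Assumed meaning of [?]: file date/size could not be read.
            entry.flags.append("file date/size unreadable ([?])")
        basename = entry.image.rsplit("\\", 1)[-1]
        stem = basename.rsplit(".", 1)[0]
        if _digit_heavy(stem):
            entry.flags.append(f"digit-heavy image name '{basename}'")

    name_l = entry.name.lower()
    for known in KNOWN_SERVICES:
        if known in name_l and name_l != known:
            entry.flags.append(f"name embeds known service '{known}'")
    return entry


def parse_entries(text: str) -> List[ServiceEntry]:
    """Parse every service/driver line in the given DDS section text."""
    entries = []
    for line in text.splitlines():
        e = parse_entry(line)
        if e:
            entries.append(e)
    return entries


def triage(text: str) -> List[ServiceEntry]:
    """Return only the entries that carry at least one flag."""
    return [e for e in parse_entries(text) if e.flags]


if __name__ == "__main__":
    for e in triage(SAMPLE_DDS):
        print(f"{e.state:<9} {e.name:<16} {e.image or '-'}")
        for f in e.flags:
            print(f"          - {f}")
```

Run against the sample, the script flags five of the eight entries. Two of them (ThreatFire and the Avast `asw*` remnants) are legitimate software DDS simply could not inspect, which is the point of the heuristics: they produce candidates for a human to check, not verdicts. The two entries that stack several flags, `f696529.sys` and the `stisvcCryptSvc` service backed by `1028j.exe`, are the ones that match the rootkit and backdoor described in the replies.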

07-30-2009, 02:15 PM   #2
extremeboy, Analyst, Security Team
Join Date: Jan 2009
Posts: 554
OS: N/A


Re: Please Help Removing NTOSKRNL-HOOK Generic Rootkit.d!rootkit

Hello and welcome to TSF!

Regarding the rootkit and backdoors in general:

Unfortunately, one or more of the identified infections is a backdoor trojan.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the trojan has been identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identity Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall
We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. Let me know what you decide to do.


----

If you wish to continue follow the steps below, otherwise let me know



We are going to start with Combofix.

Download and Run ComboFix

Note to readers of this post other than the starter of this thread:
ComboFix is a VERY POWERFUL tool which should NOT BE USED without guidance of an expert.

Download Combofix from any of the links below, and save it to your desktop.
Link 1
Link 2

Please refer to this page for full instructions on how to run ComboFix.
  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix. Refer to this page if you are not sure how.
  • Double click ComboFix.exe to start the program. Agree to the prompts.
  • When ComboFix is finished, a log report (C:\ComboFix.txt) will open. Post back with it.
Leave your computer alone while ComboFix is running.

ComboFix will restart your computer if malware is found; allow it to do so.


Note: Please do NOT mouse-click ComboFix's window while it's running because it may cause it to stall.

~Extremeboy
07-30-2009, 03:09 PM   #3
quattroB4U, Registered User
Join Date: Jul 2009
Posts: 34
OS: Windows XP Professional - Service Pack 3


Re: Please Help Removing NTOSKRNL-HOOK Generic Rootkit.d!rootkit

Hello extremeboy,

Thank you for assisting me with this issue. At this point I would like to continue on with removing the rootkit and will proceed with downloading and running ComboFix.

I will take further action on your recommendations after the removal process.

Thanks
07-30-2009, 05:17 PM   #4
quattroB4U, Registered User
Join Date: Jul 2009
Posts: 34
OS: Windows XP Professional - Service Pack 3


Re: Please Help Removing NTOSKRNL-HOOK Generic Rootkit.d!rootkit

extremeboy,

I started ComboFix and when it got to the Autoscan there was a failure with resulting Microsoft report Send/Don't Send message. I selected Don't Send and ComboFix rebooted my PC and has been scanning for infections in Autoscan for over an hour now. I am posting this from another PC and wondering if there is a problem needing intervention or if I should let Autoscan continue, and for how long?

Thanks
07-30-2009, 06:53 PM   #5
Ried, Assistant Manager, TSF Academy; Moderator/Analyst Security Team
Join Date: Jan 2005
Location: Ohio
Posts: 26,953
OS: WinXP and Vista


Re: Please Help Removing NTOSKRNL-HOOK Generic Rootkit.d!rootkit

Pardon the intrusion, but in an effort to help you out for the moment, can you bring up Task Manager by pressing Ctrl Alt Del on your keyboard? If so, look for these processes and end task on them, one at a time until ComboFix frees itself up. Let us know which one it was:
  • findstr
  • sed
  • grep
  • nircmd
__________________

Member of ASAP since 2005
Member of UNITE since 2006

"It is one life whether we spend it laughing or weeping." "Take the time to laugh--it is the music of the soul."
07-30-2009, 07:02 PM   #6
quattroB4U, Registered User
Join Date: Jul 2009
Posts: 34
OS: Windows XP Professional - Service Pack 3


Re: Please Help Removing NTOSKRNL-HOOK Generic Rootkit.d!rootkit

None of those 4 processes are currently running in Task Manager.
07-30-2009, 07:04 PM   #7
Ried, Assistant Manager, TSF Academy; Moderator/Analyst Security Team
Join Date: Jan 2005
Location: Ohio
Posts: 26,953
OS: WinXP and Vista


Re: Please Help Removing NTOSKRNL-HOOK Generic Rootkit.d!rootkit

Do you see any files in the Processes with a .cfexe extension? If so, list them out for me
07-30-2009, 07:08 PM   #8
quattroB4U, Registered User
Join Date: Jul 2009
Posts: 34
OS: Windows XP Professional - Service Pack 3


Re: Please Help Removing NTOSKRNL-HOOK Generic Rootkit.d!rootkit

Yes, only pev.cfexe is there.
07-30-2009, 07:09 PM   #9
Ried, Assistant Manager, TSF Academy; Moderator/Analyst Security Team
Join Date: Jan 2005
Location: Ohio
Posts: 26,953
OS: WinXP and Vista


Re: Please Help Removing NTOSKRNL-HOOK Generic Rootkit.d!rootkit

Okay, end task on that and let me know if ComboFix continues, or closes
07-30-2009, 07:16 PM   #10
quattroB4U, Registered User
Join Date: Jul 2009
Posts: 34
OS: Windows XP Professional - Service Pack 3


Re: Please Help Removing NTOSKRNL-HOOK Generic Rootkit.d!rootkit

Yes, ComboFix seems to have closed with the following -
Completed Stage_1
Completed Stage_2

I also received a nircmd error message.
07-30-2009, 07:18 PM   #11
quattroB4U, Registered User
Join Date: Jul 2009
Posts: 34
OS: Windows XP Professional - Service Pack 3


Re: Please Help Removing NTOSKRNL-HOOK Generic Rootkit.d!rootkit

Sorry, the ComboFix window is still open with the Completed Stage_1 and Completed Stage_2 within it.

Last edited by quattroB4U; 07-30-2009 at 07:20 PM.
07-30-2009, 07:23 PM   #12
Ried, Assistant Manager, TSF Academy; Moderator/Analyst Security Team
Join Date: Jan 2005
Location: Ohio
Posts: 26,953
OS: WinXP and Vista


Re: Please Help Removing NTOSKRNL-HOOK Generic Rootkit.d!rootkit

Let's give it some time and see if it continues. There are approx 50 stages, and from this point it should not take longer than 15 or 20 minutes. I'll be standing by...
07-30-2009, 07:24 PM   #13
quattroB4U, Registered User
Join Date: Jul 2009
Posts: 34
OS: Windows XP Professional - Service Pack 3


Re: Please Help Removing NTOSKRNL-HOOK Generic Rootkit.d!rootkit

Roger that, thanks.
07-30-2009, 07:30 PM   #14
quattroB4U, Registered User
Join Date: Jul 2009
Posts: 34
OS: Windows XP Professional - Service Pack 3


Re: Please Help Removing NTOSKRNL-HOOK Generic Rootkit.d!rootkit

Just to let you know I now have a sed.cfexe - Application Error, shall I click OK to terminate the program?
07-30-2009, 07:31 PM   #15
Ried, Assistant Manager, TSF Academy; Moderator/Analyst Security Team
Join Date: Jan 2005
Location: Ohio
Posts: 26,953
OS: WinXP and Vista


Re: Please Help Removing NTOSKRNL-HOOK Generic Rootkit.d!rootkit

Yes, please do
07-30-2009, 08:17 PM   #16
quattroB4U, Registered User
Join Date: Jul 2009
Posts: 34
OS: Windows XP Professional - Service Pack 3


Re: Please Help Removing NTOSKRNL-HOOK Generic Rootkit.d!rootkit

Have Completed Stage_4 about an hour ago, meaning it has been grinding through stage 5 for nearly an hour now.
07-30-2009, 08:19 PM   #17
quattroB4U, Registered User
Join Date: Jul 2009
Posts: 34
OS: Windows XP Professional - Service Pack 3


Re: Please Help Removing NTOSKRNL-HOOK Generic Rootkit.d!rootkit

I have also noticed there is now a sed.cfexe process in Task Manager.
07-30-2009, 08:19 PM   #18
Ried, Assistant Manager, TSF Academy; Moderator/Analyst Security Team
Join Date: Jan 2005
Location: Ohio
Posts: 26,953
OS: WinXP and Vista


Re: Please Help Removing NTOSKRNL-HOOK Generic Rootkit.d!rootkit

That's too long. Look again for processes running that have a .cfexe extension. What processes do you see running?
07-30-2009, 08:20 PM   #19
Ried, Assistant Manager, TSF Academy; Moderator/Analyst Security Team
Join Date: Jan 2005
Location: Ohio
Posts: 26,953
OS: WinXP and Vista


Re: Please Help Removing NTOSKRNL-HOOK Generic Rootkit.d!rootkit

We posted at the same time.

End task on that.
07-30-2009, 08:24 PM   #20
quattroB4U, Registered User
Join Date: Jul 2009
Posts: 34
OS: Windows XP Professional - Service Pack 3


Re: Please Help Removing NTOSKRNL-HOOK Generic Rootkit.d!rootkit

I ended sed.cfexe and Completed Stage_5 immediately after that. Have now quickly completed stages 6 & 6A. There are now both pev.cfexe & 2 separate FINDSTR.cfexe processes running in Task Manager.

Last edited by quattroB4U; 07-30-2009 at 08:28 PM.
Copyright 2001 - 2009, Tech Support Forum