Jump to content


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.

Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.


Can't get rid of NTOSKRNL-HOOK Trojan

  • This topic is locked This topic is locked
2 replies to this topic

#1 Quartang


  • Members
  • 2 posts
  • Local time:11:14 PM

Posted 26 May 2009 - 11:48 AM

Hello and thank you in advance,

I have been unable to remove the NTOSKRNL-HOOK Trojan, as it keeps turning up in my McAfee scans, as well as the several Malware programs I have downloaded (Malewarebyte, NVT Malware Removal Tool, Spybot Search and Destroy, and SmitFraudFix). This all started after I somehow contracted the WinPC-Antivirus virus, I believe I got it when I clicked on a suspicious link, something I normally know better than to do. I have tried each of the programs just listed and they each usually turn up infections and say they have deleted them, but they just turn up again the next time I run those programs. I also followed the instructions at this site http://www.spywarevoid.com/remove-winpc-an...#manual_removal (perhaps ill-advisedly) for trying to remove the WinPC-Antivirus virus, including editing the registry.

The major symptoms seem to have stopped, i.e. I donít get the WinPC-Antivirus pop-ups, programs are no longer being blocked from stopping, web addresses are no longer being redirected and my overall system performance is fine, but the virus is still there and I would feel a whole lot better knowing it was gone for good.

I have followed the steps in the Preparation Guide and I've posted the DDS log and attached the Attach.txt. Please let me know if I need to do anything else. Thank you so much!

DDS (Ver_09-05-14.01) - NTFSx86
Run by Ian Cairns at 9:15:29.79 on Tue 05/26/2009
Internet Explorer: 7.0.5730.11
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2046.926 [GMT -7:00]

AV: McAfee VirusScan Enterprise *On-access scanning enabled* (Updated) {918A2B0B-2C60-4016-A4AB-E868DEABF7F0}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\svchost.exe -k hpdevmgmt
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\McAfee\Common Framework\FrameworkService.exe
C:\Program Files\McAfee\VirusScan Enterprise\mcshield.exe
C:\Program Files\McAfee\VirusScan Enterprise\vstskmgr.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\Program Files\Compact Wireless-G USB Adapter Wireless Network Monitor\WLService.exe
C:\Program Files\Compact Wireless-G USB Adapter Wireless Network Monitor\WUSB54GC.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE
C:\Program Files\McAfee\Common Framework\UdaterUI.exe
C:\Program Files\McAfee\Common Framework\McTray.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Microsoft Office\Office10\WINWORD.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Ian Cairns\Desktop\Comp Cleanup\OTListIt2.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam1.exe
C:\Program Files\Microsoft Office\Office10\POWERPNT.EXE
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Documents and Settings\Ian Cairns\Desktop\dds.scr

============== Pseudo HJT Report ===============

uWindow Title = Windows Internet Explorer provided by Comcast
mWindow Title = Windows Internet Explorer provided by Comcast
uInternet Settings,ProxyOverride = *.local
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Winamp Toolbar Loader: {25cee8ec-5730-41bc-8b58-22ddc8ab8c20} - c:\program files\winamp toolbar\winamptb.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.5.0_10\bin\ssv.dll
TB: Winamp Toolbar: {ebf2ba02-9094-4c5a-858b-bb198f3d8de2} - c:\program files\winamp toolbar\winamptb.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
mRun: [ATICCC] "c:\program files\ati technologies\ati.ace\cli.exe" runtime -Delay
mRun: [ShStatEXE] "c:\program files\mcafee\virusscan enterprise\SHSTAT.EXE" /STANDALONE
mRun: [McAfeeUpdaterUI] "c:\program files\mcafee\common framework\UdaterUI.exe" /StartedFromRunKey
mRun: [Alcmtr] ALCMTR.EXE
mRun: [LXSUPMON] c:\windows\system32\LXSUPMON.EXE RUN
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [WinampAgent] "c:\program files\winamp\winampa.exe"
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
StartupFolder: c:\docume~1\iancai~1\startm~1\programs\startup\erunta~1.lnk - c:\program files\erunt\AUTOBACK.EXE
StartupFolder: c:\documents and settings\ian cairns\start menu\programs\startup\PowerReg Scheduler.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office10\OSA.EXE
IE: &Winamp Search - c:\documents and settings\all users\application data\winamp toolbar\ietoolbar\resources\en-us\local\search.html
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office10\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0015-0000-0010-ABCDEFFEDCBC} - c:\program files\java\jre1.5.0_10\bin\ssv.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
Trusted Zone: microsoft.com\office
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_10-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {CAFEEFAC-0015-0000-0010-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_10-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: AtiExtEvent - Ati2evxx.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\iancai~1\applic~1\mozilla\firefox\profiles\yx71yypd.default\
FF - prefs.js: browser.startup.homepage - nytimes.com
FF - component: c:\documents and settings\ian cairns\application data\mozilla\firefox\profiles\yx71yypd.default\extensions\{0b38152b-1b20-484d-a11f-5e04a9b0661f}\components\WinampTBPlayer.dll
FF - plugin: c:\program files\google\picasa3\npPicasa3.dll
FF - plugin: c:\program files\java\jre1.5.0_10\bin\NPJava11.dll
FF - plugin: c:\program files\java\jre1.5.0_10\bin\NPJava12.dll
FF - plugin: c:\program files\java\jre1.5.0_10\bin\NPJava13.dll
FF - plugin: c:\program files\java\jre1.5.0_10\bin\NPJava14.dll
FF - plugin: c:\program files\java\jre1.5.0_10\bin\NPJava32.dll
FF - plugin: c:\program files\java\jre1.5.0_10\bin\NPJPI150_10.dll
FF - plugin: c:\program files\java\jre1.5.0_10\bin\NPOJI610.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npmusicn.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npracplug.dll
FF - plugin: c:\program files\real\realarcade\plugins\mozilla\npracplug.dll

============= SERVICES / DRIVERS ===============

R1 mferkdk;VSCore mferkdk;c:\program files\mcafee\virusscan enterprise\mferkdk.sys [2006-11-30 31944]
R2 McAfeeFramework;McAfee Framework Service;c:\program files\mcafee\common framework\FrameworkService.exe [2006-12-27 104000]
R2 McShield;McAfee McShield;c:\program files\mcafee\virusscan enterprise\mcshield.exe [2006-11-30 144960]
R2 McTaskManager;McAfee Task Manager;c:\program files\mcafee\virusscan enterprise\vstskmgr.exe [2006-11-30 54872]
R3 mfeavfk;McAfee Inc.;c:\windows\system32\drivers\mfeavfk.sys [2006-12-27 72264]
R3 mfebopk;McAfee Inc.;c:\windows\system32\drivers\mfebopk.sys [2006-12-27 34152]
R3 mfehidk;McAfee Inc.;c:\windows\system32\drivers\mfehidk.sys [2006-12-27 168776]
RUnknown lphewqy;lphewqy; [x]

=============== Created Last 30 ================

2009-05-25 22:52 <DIR> --d----- c:\program files\Cobian Backup 9
2009-05-25 22:42 <DIR> --d----- C:\Rooter$
2009-05-25 21:34 2,110 a------- c:\windows\wininit.ini
2009-05-25 21:34 <DIR> --d----- c:\docume~1\iancai~1\applic~1\Malwarebytes
2009-05-25 21:17 <DIR> --d----- c:\program files\NVT Malware Remover Tool
2009-05-25 21:03 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-05-25 21:03 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-05-25 21:03 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-05-25 21:03 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-05-25 21:03 2,872 a------- c:\windows\system32\tmp.reg
2009-05-01 11:30 3,366,912 a------- c:\windows\system32\GPhotos.scr

==================== Find3M ====================

2009-04-30 01:36 75,776 a------- c:\windows\system32\WS2Fix.exe
2009-03-23 20:26 165,787 ac------ c:\windows\War3Unin.dat
2009-03-06 07:44 283,648 a------- c:\windows\system32\pdh.dll
2009-03-05 23:04 35,408 ac------ c:\windows\scunin.dat
2009-03-05 22:42 70,656 a------- c:\windows\ScUnin.exe
2009-03-02 17:18 826,368 a------- c:\windows\system32\wininet.dll
2007-11-06 09:52 23,672 ac------ c:\docume~1\iancai~1\applic~1\GDIPFONTCACHEV1.DAT
2007-03-02 12:24 774,144 ac------ c:\program files\RngInterstitial.dll
1956-09-09 09:26 3,198,976 a------- c:\program files\ViewSonicregistration.exe

============= FINISH: 9:16:34.53 ===============

Attached Files

BC AdBot (Login to Remove)



#2 Quartang

  • Topic Starter

  • Members
  • 2 posts
  • Local time:11:14 PM

Posted 26 May 2009 - 10:20 PM

Please go ahead and close this topic for now, I have posted the same problem at another site. Sorry for the hassle.

#3 Orange Blossom

Orange Blossom

    OBleepin Investigator

  • Moderator
  • 36,701 posts
  • Gender:Not Telling
  • Location:Bloomington, IN
  • Local time:01:14 AM

Posted 27 May 2009 - 05:19 PM

Thank you for letting us know. This topic shall now be closed.

Orange Blossom :thumbup2:
Help us help you. If HelpBot replies, you MUST follow step 1 in its reply so we know you need help.

Orange Blossom

An ounce of prevention is worth a pound of cure

SpywareBlaster, WinPatrol Plus, ESET Smart Security, Malwarebytes' Anti-Malware, NoScript Firefox ext., Norton noscript

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users