how do i get rid of ntoskrnl-hook [Closed]
jxp1000
post Aug 26 2009, 01:11 PM
Post #1
New Member
Posts: 2
OS: windows xp

My PC appears to be infected with ntoskrnl-hook; how do I deal with this?

McAfee finds it and says it's been removed, only for it to be found again.
Max Secure Spyware Remover finds a Generic rootkit and quarantines it, only for it to reappear next time.

McAfee also now finds the following:

C:\WINDOWS\SYSTEM32\KBIWKMGRKCTNDY.DLL Trojan Rescan after restart
C:\WINDOWS\SYSTEM32\KBIWKMTBQMDXFB.DLL Trojan Rescan after restart
C:\WINDOWS\SYSTEM32\DRIVERS\KBIWKMXXDEVNLV.SYS Trojan Quarantined
All of these files are still there no matter what.

Someone's help would be much appreciated. I understand ntoskrnl-hook is quite common, but ASAP would be good.

This post has been edited by jxp1000: Aug 26 2009, 02:31 PM
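A small triage script for the pattern the first post describes, added here as an example (it is not code from the thread, nor McAfee's or GMER's): it parses scanner report lines like the three quoted above into (path, verdict) pairs, flags file stems that look machine-generated (long, almost no vowels, or a long consonant run) and groups files whose names share a leading prefix, which is how the KBIWKM set stands out against ATAPI.SYS or KERNEL32.DLL. The sample log is constructed from the paths in the post; the "path then verdict" report layout, the vowel and length thresholds and the six-character prefix are assumptions, not anything the thread states.

```python
"""Triage heuristics for scanner output that lists randomly named files
under System32.  Added example, not code from the thread or from any
scanner: the log lines are constructed from the paths quoted in the post
(the verdict-column layout is assumed) and every threshold is a tunable
assumption."""
import ntpath
import re
from collections import defaultdict

# Constructed sample: the three paths from the post plus two clean
# entries, in an assumed "<path> <verdict/action>" layout.
SAMPLE_SCAN_LOG = r"""
C:\WINDOWS\SYSTEM32\KBIWKMGRKCTNDY.DLL Trojan Rescan after restart
C:\WINDOWS\SYSTEM32\KBIWKMTBQMDXFB.DLL Trojan Rescan after restart
C:\WINDOWS\SYSTEM32\DRIVERS\KBIWKMXXDEVNLV.SYS Trojan Quarantined
C:\WINDOWS\SYSTEM32\DRIVERS\ATAPI.SYS Clean
C:\WINDOWS\SYSTEM32\KERNEL32.DLL Clean
"""

# A drive path without spaces, whitespace, then everything else as the verdict.
LINE_RE = re.compile(r"^([A-Za-z]:\\\S+)\s+(.+?)\s*$")
VOWELS = set("AEIOUY")


def parse_scan_log(text):
    """Return (path, verdict) pairs for every line that starts with a drive path."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            entries.append((m.group(1), m.group(2)))
    return entries


def stem_of(path):
    """File name without directory or extension; ntpath handles backslashes on any OS."""
    return ntpath.splitext(ntpath.basename(path))[0]


def letter_stats(stem):
    """(letter count, vowel ratio, longest consonant run) over the alphabetic characters."""
    letters = [c for c in stem.upper() if c.isalpha()]
    if not letters:
        return 0, 0.0, 0
    vowels = sum(1 for c in letters if c in VOWELS)
    run = best = 0
    for c in letters:
        run = 0 if c in VOWELS else run + 1
        best = max(best, run)
    return len(letters), vowels / len(letters), best


def looks_random(stem, min_len=10, max_vowel_ratio=0.25, max_consonant_run=5):
    """Heuristic: long, unpronounceable stems are unlike shipped Windows binaries.
    Short legitimate names (ATAPI, NTOSKRNL, MSVCRT) fall under min_len by design."""
    n, ratio, run = letter_stats(stem)
    return n >= min_len and (ratio < max_vowel_ratio or run >= max_consonant_run)


def cluster_by_prefix(paths, prefix_len=6):
    """Group files whose stems share a leading prefix: a dropper that derives
    several names from one random seed (KBIWKM... here) shows up as one group."""
    groups = defaultdict(list)
    for p in paths:
        stem = stem_of(p).upper()
        if len(stem) >= prefix_len:
            groups[stem[:prefix_len]].append(p)
    return {k: v for k, v in groups.items() if len(v) > 1}


def triage(log_text):
    """Parse a report and return the random-looking names and shared-prefix groups."""
    entries = parse_scan_log(log_text)
    paths = [p for p, _ in entries]
    return {
        "entries": entries,
        "random_names": [p for p in paths if looks_random(stem_of(p))],
        "shared_prefix": cluster_by_prefix(paths),
    }


if __name__ == "__main__":
    result = triage(SAMPLE_SCAN_LOG)
    for p in result["random_names"]:
        print("random-looking name:", p)
    for prefix, files in result["shared_prefix"].items():
        print(f"{len(files)} files share prefix {prefix}:", *files, sep="\n  ")
```

Treat the output as a shortlist to hand to the rootkit scans the staff ask for, not as a verdict: short or well-known names pass the filter by design, and a legitimate third-party driver with an odd name can trip it. The shared-prefix grouping is the more telling signal here, since one seed producing two DLLs and a driver that all come back after "removal" points at a component that re-drops them rather than at three unrelated files.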
Extremeboy
post Aug 26 2009, 05:17 PM
Post #2
Malware Removal Staff
Posts: 633
OS: Windows XP

Hello and welcome to the forum!

Let's continue with two more scans.

Download and run DDS

We need to see some information about what is happening in your machine. Please perform the following scan:
  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results soon.
  • Follow the instructions that pop up for posting the results and then click Ok.
  • The black window and the message box will then disappear.
  • Please save both log files to your desktop; post DDS.txt, and zip up and attach Attach.txt as instructed.


Please note: you may have to disable any script protection that is running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, then re-enable your A/V and reconnect to the internet. Information on A/V control HERE

Download and Run Scan with GMER

We will use GMER to scan for rootkits.
  • Please download GMER from one of the following locations, and save it to your desktop:

    This version will download a zip file that you will need to extract first. If you use this mirror, please extract the zip file to your desktop, unzipping it to its own folder. (Click here for information on how to do this if you are not sure; Win 2000 users click here.)

  • Close any and all open programs, as this process may crash your computer.
  • Double click or on your desktop.
  • When you have done this, close all running programs.
    There is a small chance this application may crash your computer so save any work you have open.

  • Double-click on Gmer.exe to start the program. Right-click and select Run As Administrator... if you are using Vista
  • Allow the gmer.sys driver to load if asked.
    If it detects rootkit activity, you will receive a prompt (refer below) to run a full scan. Click NO.


  • In the right panel, you will see several boxes that have been checked. Please UNCHECK the following:
    • Sections
    • IAT/EAT
    • Registry
    • Drives/Partition other than Systemdrive (typically C:\)
    • Show all (Don't miss this one!)
  • Click on and wait for the scan to finish.
  • If you see a rootkit warning window, click OK.
  • Push and save the logfile to your desktop.
  • Copy and Paste the contents of that file in your next post.

If GMER doesn't work in Normal Mode, try running it in Safe Mode.

Note: Do not run any program while GMER is running.
*Note*: Rootkit scans often produce false positives. Do NOT take any actions on "<--- ROOTKIT" entries.

Post back with those logs in your next reply, and please provide a description of any remaining problems or symptoms you may still have.

With Regards,
Extremeboy
jxp1000
post Aug 29 2009, 04:40 AM
Post #3
New Member
Posts: 2
OS: windows xp

Well, I ran both those programs. GMER crashed the computer every time (blue screen, dumping physical memory), and with DDS all I got was the attached .txt file.
Attached file: dds.txt (351.5K)
Extremeboy
post Aug 30 2009, 11:42 AM
Post #4
Malware Removal Staff
Posts: 633
OS: Windows XP

Hello.

I can't read that DDS log file.

Please run RootRepeal. Then re-run DDS.

Download and run RootRepeal CR

Please download RootRepeal from the following location and save it to your desktop.



  • Unzip the RootRepeal.zip file to its own folder (if you did not use the "Direct Download" mirror to download RootRepeal).
  • Close/Disable all other programs especially your security programs (anti-spyware, anti-virus, and firewall) Refer to this page, if you are unsure how.
  • Physically disconnect your machine from the internet as your system will be unprotected.
  • Double-click on RootRepeal.exe to run it. If you are using Vista, please right-click and run as Administrator...
  • Click the tab at the bottom.
  • Now press the button.
  • A box will pop up; check the boxes beside all seven options/scan areas.
  • Now click OK.
  • Another box will open, check the boxes beside all the drives, eg : C:\, then click OK.
  • The scan will take a little while to run, so let it go unhindered.
  • Once it is done, click the Save Report button.
  • Save it as RepealScan to your desktop.
  • Reconnect to the internet.
  • Post the contents of that log in your reply please.


~Extremeboy
Extremeboy
post Sep 5 2009, 06:24 PM
Post #5
Malware Removal Staff
Posts: 633
OS: Windows XP

Due to lack of feedback, this topic has been closed.

If you need this topic reopened, please contact a staff member. This applies only to the original topic starter. Everyone else please begin a New Topic.
© Geeks to Go, Inc. | All Rights Reserved | Privacy Policy | Advertising