persistent NTOSKRNL-HOOK on vista



#1
richgriff
    New Member
  • Member
  • 5 posts
Hi

I have a very persistent NTOSKRNL-HOOK on my computer. Originally it was picked up by McAfee, but not removed; it has subsequently been picked up, but not removed, by

NOD32
Avira
Avast
Windows Defender

All other attempts to remove it through antivirus have been blocked by the trojan.

I followed your very helpful guide on removing spyware, but unfortunately I could not successfully run RootRepeal, SysRestorePoint, ERUNT, or, more importantly, Malwarebytes.

If anyone has a few minutes to spare I would be grateful for any help you could offer.

GREAT website by the way guys!

Thanks

Rich.
  • 0

#2
IndiGenus
    Anti-Malware Buddha
  • Member
  • 1,617 posts
Hi Rich and welcome to the forums here at G2G!

Let's first try the renamed combofix to see if it will run. Make sure to rename before downloading, or download on another PC, rename, and copy it over. It may not run but that's okay, we'll go to plan "b" if so.

Please read through the instructions to familiarize yourself with what to expect when the tool runs.

It is vitally important that combofix is renamed before it even starts to download.


Please download ComboFix from Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**

  • If you are using Firefox, make sure that your download settings are as follows:
    -Tools->Options->Main tab
    -Set to "Always ask me where to Save the files".
  • During the download, rename Combofix to Combo-Fix as follows:

  • It is important you rename Combofix during the download, but not after.
  • Please do not rename Combofix to other names, but only to the one indicated.
  • Close any open browsers.
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. Note: If you are having difficulty properly disabling your protective programs, or are unsure as to what programs need to be disabled, please refer to the information available through this link : How to Disable your Security Programs
  • Double click on ComboFix.exe & follow the prompts. Close all other windows/browsers first.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.**

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

Notes:

1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. Do not run combofix more than once. If you have problems please post back for further instructions.
3. CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

Please post back with the combofix log.

Edited by IndiGenus, 12 August 2009 - 10:49 AM.

  • 0

#3
richgriff
    New Member
  • Topic Starter
  • Member
  • 5 posts
Hi Indigenus

First of all, thanks for all your help, it is appreciated!

OK, so I downloaded a renamed combofix and it started without any prompting. Almost immediately it stated that it had found issues with the following, and asked me to write them down because they may be needed later (how polite).

(In the background, separate from combofix, a Windows error box with a yellow exclamation mark appeared to say that catchme.exe had failed to initialise.)

C:\windows\system32\ESQULofudtlxfthpempqqadcooqtucqtvgyf.dll
C:\windows\system32\ESQULxxkmobnaugxxxnytmvnuyifeyhweippr.sys
C:\windows\system32\ESQULsttvocbstpjiebwjqipqwuwxrdyisanv.dll
C:\windows\system32\drivers\ESQULxxkmobnaugxxxnytmunuifeyhweippr.sys
C:\windows\system32\ESQULofvoltglxthpempqqabcooqtucqtvgyt.dll
C:\windows\system32\ESQULsttvocbstpjicbwjqipqwuwxrdyisanv.dll

It then seemed to do its stuff for a little, where it reverted to a black screen and seemed to be doing a registry fix or check. It reminded me of the scan that Avast carries out when you first re-boot after installation. It was fixing and recovering many things as it went along.

Then this is when the issues began to occur.

Upon re-starting Windows, the screen displayed, instead of welcome, "windows is preparing desktop".

Then it seemed to lose my desktop, displaying

C:\windows\system32\config\systemprofile\desktop
refers to a location that is unavailable. It could be on a hard drive on this computer, or on a network. Check to make sure that the disk is inserted, or that you are connected to the internet or your network and then try again. If this is not successful it may have been moved to a different location.

I also had a Microsoft Windows box appear stating:

Windows Media Player Network Sharing Service stopped working and was closed
A problem caused it to stop working correctly. Windows will notify you when a solution is available.

I've probably done something wrong! Could you please advise?

once again, thank you so much for all your help.

Regards,

Richgriff.
  • 0
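The six paths combofix listed share one tag ("ESQUL") followed by a long run of random-looking letters, the usual fingerprint of a dropper that scatters several components under generated names. Below is an added triage heuristic for that pattern, written for this thread and not part of any tool mentioned here; the sample listing is constructed from the paths above plus ordinary Windows files as a control, and the length and entropy thresholds are my own assumptions.

```python
import math
import re
from collections import Counter
from typing import Dict, List

# Constructed sample listing: the paths ComboFix reported in the post above
# (copied as written) mixed with ordinary Windows files as a control group.
SAMPLE_PATHS = [
    r"C:\windows\system32\ESQULofudtlxfthpempqqadcooqtucqtvgyf.dll",
    r"C:\windows\system32\ESQULxxkmobnaugxxxnytmvnuyifeyhweippr.sys",
    r"C:\windows\system32\drivers\ESQULxxkmobnaugxxxnytmunuifeyhweippr.sys",
    r"C:\windows\system32\kernel32.dll",
    r"C:\windows\system32\drivers\ntfs.sys",
    r"C:\windows\system32\Microsoft.VisualBasic.Compatibility.dll",
]

# Optional uppercase tag, then letters only (no dots, digits or underscores).
LETTERS_ONLY = re.compile(r"^([A-Z]*)[A-Za-z]+$")


def shannon_entropy(text: str) -> float:
    """Bits per character; uniformly random lowercase letters approach 4.7."""
    counts = Counter(text)
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def looks_randomized(filename: str, min_stem: int = 20, min_entropy: float = 3.5) -> bool:
    """Heuristic (assumed thresholds): a long, letters-only, high-entropy stem
    on a .dll/.sys/.exe. Vendor names with dots or digits are not flagged."""
    stem, _, ext = filename.rpartition(".")
    if ext.lower() not in {"dll", "sys", "exe"} or len(stem) < min_stem:
        return False
    if not LETTERS_ONLY.match(stem):
        return False
    return shannon_entropy(stem.lower()) >= min_entropy


def group_suspects(paths: List[str]) -> Dict[str, List[str]]:
    """Group flagged paths by their uppercase tag (e.g. ESQUL). Several
    components under one tag point at a single dropper, which has to be
    handled as a set; removing one file at a time leaves the rest to reinstall it."""
    groups: Dict[str, List[str]] = {}
    for path in paths:
        name = path.rsplit("\\", 1)[-1]
        if looks_randomized(name):
            tag = LETTERS_ONLY.match(name.rpartition(".")[0]).group(1) or "<none>"
            groups.setdefault(tag, []).append(path)
    return groups


if __name__ == "__main__":
    for tag, hits in group_suspects(SAMPLE_PATHS).items():
        print(f"tag {tag}: {len(hits)} suspicious file(s)")
        for hit in hits:
            print("   ", hit)
```

A hit is a reason to pull the file for analysis or check its signer, not proof of infection; a long signed name with no dots will also trip the entropy test.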

#4
IndiGenus
    Anti-Malware Buddha
  • Member
  • 1,617 posts
Hi Rich,

Sorry to hear of the troubles. I don't think you did anything wrong. You just have a severely infected machine and these rootkits (that's what combofix had you write down) dig in deep to the OS and are very nasty.

Did combofix produce a log? Should be at....

C:\ComboFix.txt

If so can you post it?

If the desktop won't load you will need to start explorer manually (if it will).

Click ctrl-alt-del.
Then select Windows Task Manager.
Click the Applications tab.
Click on the New Task... button.
Type in explorer and click OK.

This should start up Windows Explorer so you can look for the file.
  • 0

#5
richgriff
    New Member
  • Topic Starter
  • Member
  • 5 posts
Hey Indigenus

Thanks for getting back to me. Unfortunately, I can't find a combofix.txt file. I started explorer as you instructed, but to no avail, it can't find the file. I'm sorry I have nothing more to give you.

At least I didn't do anything wrong!

Once again, I do appreciate the time you're giving me in sorting this out.

Thanks

Rich.
  • 0

#6
IndiGenus
    Anti-Malware Buddha
  • Member
  • 1,617 posts
I don't hold out much hope for this but we can try a system restore. This infection usually disables it so.....

Worth a shot. Try to restore to a point before the issue occurred. Instructions are at the following link:

http://www.bleepingc...utorial143.html
  • 0

#7
richgriff
    New Member
  • Topic Starter
  • Member
  • 5 posts
Hi Indigenus

I should have mentioned it before, but system restore was the first thing I tried after I lost the desktop. The path I use to find it is different from the one stated on Bleeping Computer, as when I open my accessories folder in the start option, there's no system tools option.

I went to Control Panel - Backup and Restore Centre - Use system restore to fix problems and undo changes to Windows. But the computer doesn't respond.

How about this: I have Intel Centrino Duo on my Acer computer. My main concern is obviously losing all my personal folders, music, photos etc. from my computer. What if I copy all of this from ACER (C) to ACERDATA (D), use my original backup image from CD(s) and then copy everything back. Do you think this would work?

Obviously I'd like to do this as a last option.

What do you think?

Rich.
  • 0

#8
IndiGenus
    Anti-Malware Buddha
  • Member
  • 1,617 posts
Hi richgriff,

when i open my accessories folder in the start option, there's no system tools option.

That's also very weird...? You are running Vista, right? Sounds like there is much corruption here to the OS. Not sure how well we'll be able to save this at this point. One of my other thoughts was to have you run (if you're running Vista) the startup repair.

What if I copy all of this from ACER to ACERDATA (D), use my original backup image from CD('s) and then copy everything back

Not quite sure what you mean by that? I would suggest you do a backup of your data ASAP, in case this gets worse and you cannot even get into Windows. But I would suggest making it on something external to the drive you are running your OS on. Something like DVDs, a USB drive, etc.

Backing up and reloading the OS may be the way we have to go here. Everything you're describing about this PC, with missing folders, etc., sounds like there is quite a bit of corruption.
  • 0

#9
richgriff
    New Member
  • Topic Starter
  • Member
  • 5 posts
Hi Indigenus

Thanks for a quick reply. Can you tell me how to run startup repair?

Also, sorry for confusing you. When I first ran my computer, I had to insert 6 CDs into the drive while the computer backed up all the programs etc. (I think), probably for this type of eventuality. What I meant was that my hard drive is split in two: could I move data from C to D, and then back again after I reinstall using the CDs?

Thanks
  • 0

#10
IndiGenus
    Anti-Malware Buddha
  • Member
  • 1,617 posts

What I meant was that my hard drive is split in two, could I move data from C to D,

Oh yes, if the D drive is a separate partition from the one you have your OS on (I assume C), then you can put your files over there. What's on the D drive and how much room is there? Typically, with these laptops the mfgs. put the recovery tools on the D drive. You don't want to copy over those. If that's the case then you can actually run the recovery from there. When your laptop first boots you should see some options like click F2 to do "this", or click F12 for "this". But you want to backup your data first I think before we do anything.

Edited by IndiGenus, 20 August 2009 - 11:47 AM.

  • 0





