
NTOSKRNL-HOOK Virus


  • Please log in to reply

#1
natashasarah
New Member, 1 posts
Hiii,

I am completely not tech-savvy & my computer got a virus for the 100th time. I ran McAfee on it & it said it was removed... however my computer kept acting funny & when I ran the scan again, the virus was detected. This just kept happening over & over. I googled the virus name (NTOSKRNL-HOOK) & it seemed that the consensus was that ComboFix worked. I ran ComboFix just now but also read in some threads that there were additional steps depending on what the log came up with. So I wanted to post my log here & see if there is anything else that I need to do. Thank you so much for any help!!



ComboFix 10-01-12.04 - Natasha Sarah 01/12/2010 20:12:55.1.1 - x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1014.369 [GMT -6:00]
Running from: c:\documents and settings\Natasha Sarah\Desktop\Combo-Tashu.exe
AV: McAfee VirusScan Enterprise *On-access scanning disabled* (Updated) {918A2B0B-2C60-4016-A4AB-E868DEABF7F0}
* Resident AV is active

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\program files\Malware Defense
c:\program files\Malware Defense\md.db
c:\recycler\S-1-5-21-1708537768-602609370-725345543-500
c:\recycler\S-1-5-21-4033771810-1106279993-3489056504-500
c:\windows\system32\drivers\H8SRTpjrwqqlamy.sys
c:\windows\system32\h8srtkrl32mainweq.dll
c:\windows\system32\H8SRTkrratouqpp.dll
c:\windows\system32\H8SRTmpuyexidwy.dll
c:\windows\system32\H8SRTnkxyqmupop.dat
c:\windows\system32\H8SRTqvstillngs.dll
c:\windows\system32\h8srtshsyst.dll
c:\windows\system32\H8SRTxfwsenbgix.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_H8SRTd.sys
-------\Legacy_H8SRTd.sys


((((((((((((((((((((((((( Files Created from 2009-12-13 to 2010-01-13 )))))))))))))))))))))))))))))))
.

2010-01-19 06:09 . 2010-01-19 06:09 -------- d-----w- c:\documents and settings\Natasha Sarah\Application Data\DivX
2010-01-13 01:56 . 2010-01-13 01:58 -------- d-----w- C:\Combo-Tashu
2010-01-12 10:53 . 2009-12-02 13:19 15880 ----a-w- c:\windows\system32\lsdelete.exe
2010-01-12 08:59 . 2010-01-12 08:59 -------- dc----w- c:\windows\system32\DRVSTORE
2010-01-12 08:59 . 2009-12-02 13:19 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys
2010-01-12 08:58 . 2010-01-12 08:59 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{BC9FCCF7-E686-494B-8C9B-55C9A39A7CA9}
2010-01-12 08:58 . 2009-12-07 14:10 2953352 -c--a-w- c:\documents and settings\All Users\Application Data\{BC9FCCF7-E686-494B-8C9B-55C9A39A7CA9}\Ad-AwareInstallation.exe
2010-01-12 08:56 . 2010-01-12 09:00 -------- d-----w- c:\documents and settings\All Users\Application Data\Lavasoft
2010-01-12 08:56 . 2010-01-12 08:56 -------- d-----w- c:\program files\Lavasoft

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-12-03 22:17 . 2009-12-03 02:12 -------- d-----w- c:\documents and settings\All Users\Application Data\NOS
2009-12-03 02:20 . 2005-10-08 17:25 -------- d-----w- c:\program files\Common Files\Adobe
2009-12-03 02:15 . 2009-12-03 02:15 -------- d-----w- c:\program files\Common Files\Adobe AIR
2009-12-03 02:13 . 2009-12-03 02:13 86016 ----a-w- c:\documents and settings\All Users\Application Data\NOS\Adobe_Downloads\arh.exe
2009-11-15 21:31 . 2009-11-13 06:21 -------- d-----w- c:\documents and settings\Natasha Sarah\Application Data\AdobeUM
2009-10-29 07:46 . 2004-08-04 08:00 832512 ----a-w- c:\windows\system32\wininet.dll
2009-10-29 07:46 . 2004-08-04 08:00 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-10-29 07:46 . 2004-08-04 08:00 17408 ------w- c:\windows\system32\corpol.dll
2009-10-21 06:00 . 2004-08-04 08:00 75776 ----a-w- c:\windows\system32\strmfilt.dll
2009-10-21 06:00 . 2004-08-04 08:00 25088 ----a-w- c:\windows\system32\httpapi.dll
2009-10-20 14:58 . 2004-08-04 08:00 263552 ----a-w- c:\windows\system32\drivers\http.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2004-10-13 1694208]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-08-05 68856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2005-01-22 155648]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2005-01-22 126976]
"SunJavaUpdateSched"="c:\program files\Java\jre1.5.0_06\bin\jusched.exe" [2005-11-10 36975]
"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2004-11-04 98394]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2004-11-04 688218]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2004-10-13 278528]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2005-04-18 98304]
"eabconfg.cpl"="c:\program files\HPQ\Quick Launch Buttons\EabServr.exe" [2004-12-03 290816]
"Cpqset"="c:\program files\HPQ\Default Settings\cpqset.exe" [2004-11-05 233534]
"LSBWatcher"="c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe" [2004-10-14 253952]
"hpWirelessAssistant"="c:\program files\HPQ\HP Wireless Assistant\HP Wireless Assistant.exe" [2005-01-21 790528]
"LogMeIn GUI"="c:\program files\LogMeIn\LogMeInSystray.exe" [2006-10-07 303864]
"HP Software Update"="c:\program files\Hp\HP Software Update\HPWuSchd2.exe" [2005-02-17 49152]
"ShStatEXE"="c:\program files\McAfee\VirusScan Enterprise\SHSTAT.EXE" [2007-02-23 112216]
"McAfeeUpdaterUI"="c:\program files\McAfee\Common Framework\UdaterUI.exe" [2006-12-19 136768]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-10-03 35696]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-09-04 935288]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Acrobat Assistant.lnk - c:\program files\Adobe\Acrobat 6.0\Distillr\acrotray.exe [2003-5-15 217193]
BTTray.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2004-11-29 569405]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]
2006-10-07 01:56 11504 ----a-w- c:\windows\system32\LMIinit.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\oracle\\ora81\\Apache\\Apache\\Apache.exe"=
"c:\\bea\\jdk131\\bin\\java.exe"=
"c:\\pt842\\bin\\client\\winx86\\psdbgsrv.exe"=
"c:\\pt842\\bin\\client\\winx86\\pside.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\McAfee\\Common Framework\\FrameworkService.exe"=

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [1/12/2010 2:59 AM 64288]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [12/2/2009 7:19 AM 1184912]
R2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\LogMeIn\rainfo.sys [10/6/2006 7:56 PM 11120]
R2 OracleOraHome81Agent;OracleOraHome81Agent;c:\oracle\ora81\bin\dbsnmp.exe [11/11/2000 10:48 PM 246332]
R2 OracleOraHome81DataGatherer;OracleOraHome81DataGatherer;c:\oracle\ora81\bin\vppdc.exe [11/11/2000 10:48 PM 170724]
R2 OracleOraHome81HTTPServer;OracleOraHome81HTTPServer;c:\oracle\ora81\Apache\Apache\Apache.exe [11/9/2000 8:12 AM 3584]
R2 OracleOraHome81TNSListener;OracleOraHome81TNSListener;c:\oracle\ora81\BIN\TNSLSNR --> c:\oracle\ora81\BIN\TNSLSNR [?]
R2 OracleServiceEPDMO;OracleServiceEPDMO;c:\oracle\ora81\bin\ORACLE.EXE EPDMO --> c:\oracle\ora81\bin\ORACLE.EXE EPDMO [?]
R2 OracleServiceORCL;OracleServiceORCL;c:\oracle\ora81\bin\ORACLE.EXE ORCL --> c:\oracle\ora81\bin\ORACLE.EXE ORCL [?]
R2 TUXEDO IPC Helper;TUXEDO IPC Helper;c:\program files\BEA Systems\TUXEDO\bin\tuxipc.exe [10/8/2005 12:58 PM 12800]
S2 TUXEDO Listener on Port 3050;TListen (Port: 3050);c:\program files\BEA Systems\TUXEDO\bin\slisten.exe [10/8/2005 12:58 PM 57344]
S3 OracleOraHome81ClientCache;OracleOraHome81ClientCache;c:\oracle\ora81\bin\ONRSD.EXE [10/19/2000 10:55 AM 411244]
S3 OracleOraHome81CMAdmin;OracleOraHome81CMAdmin;c:\oracle\ora81\bin\CMADMIN.EXE [10/19/2000 10:17 AM 172680]
S3 OracleOraHome81CMan;OracleOraHome81CMan;c:\oracle\ora81\bin\CMGW.EXE [10/19/2000 10:18 AM 179836]
S3 OracleOraHome81PagingServer;OracleOraHome81PagingServer;c:\oracle\ora81\bin\pagntsrv.exe [10/7/2005 10:06 PM 52224]
S3 PTDCWWAN;PANTECH PC Card WWAN Controller device driver;c:\windows\system32\drivers\PTDCWWAN.sys [9/14/2008 2:34 PM 58240]
.
Contents of the 'Scheduled Tasks' folder

2010-01-13 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-12-02 13:19]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q305&bd=presario&pf=laptop
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_60D6097707281E79.dll/cmsidewiki.html
FF - ProfilePath - c:\documents and settings\Natasha Sarah\Application Data\Mozilla\Firefox\Profiles\5llbhdnk.default\
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava11.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava12.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava13.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava14.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJava32.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPJPI150_06.dll
FF - plugin: c:\program files\Java\jre1.5.0_06\bin\NPOJI610.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-Malware Defense - c:\program files\Malware Defense\mdefense.exe



**************************************************************************

scan completed successfully
hidden files: 0

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-01-12 20:32
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Cpqset = c:\program files\HPQ\Default Settings\cpqset.exe????????3?6?2?0??????? ?,?B?????????????hLC? ??????

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\OracleOraHome81PagingServer]
"ImagePath"="c:\oracle\ora81/bin/pagntsrv.exe"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\OracleOraHome81TNSListener]
"ImagePath"="c:\oracle\ora81\BIN\TNSLSNR "
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(760)
c:\windows\system32\LMIinit.dll

- - - - - - - > 'explorer.exe'(2600)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\btncopy.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
c:\program files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\program files\McAfee\Common Framework\FrameworkService.exe
c:\program files\McAfee\VirusScan Enterprise\Mcshield.exe
c:\program files\McAfee\VirusScan Enterprise\VsTskMgr.exe
c:\program files\McAfee\Common Framework\McTray.exe
c:\program files\McAfee\Common Framework\naPrdMgr.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\oracle\ora81\BIN\TNSLSNR.exe
c:\oracle\ora81\bin\ORACLE.EXE
c:\oracle\ora81\bin\ORACLE.EXE
c:\oracle\ora81\Apache\jdk\bin\java.exe
c:\windows\System32\snmp.exe
c:\program files\iPod\bin\iPodService.exe
c:\windows\system32\wbem\unsecapp.exe
c:\program files\HPQ\SHARED\HPQWMI.exe
c:\program files\Lavasoft\Ad-Aware\AAWTray.exe
.
**************************************************************************
.
Completion time: 2010-01-12 20:41:02 - machine was rebooted
ComboFix-quarantined-files.txt 2010-01-13 02:40

Pre-Run: 54,878,920,704 bytes free
Post-Run: 55,770,968,064 bytes free

- - End Of File - - BDDDD4A37F1978962470AD9FC1D81F81