Rootkit Ntoskrnl Exe

12/12/2017

Details from the McAfee scan:
File name: NTOSKRNL-HOOK
Detection name: Generic Rootkit.d!rootkit

I guess I'm lucky in that this hasn't caused me any problems yet, but I want to get rid of it before it does! As with others who've reported the problem, on both quick scan and full scan, McAfee reports this as a trojan and says it's removed it, but it keeps showing up on all subsequent scans. Here's what I've tried already: First, I'm on automatic update for Windows XP, and my history does show some recent updates, so I'm assuming my system is up to date.


Hooking SwapContext

Hooking functions is useful during detection as well as for the rootkit itself. The SwapContext function in ntoskrnl.exe is called by the scheduler to swap the context of the currently running thread for the context of the thread that is resuming execution. When SwapContext is called, the EDI register holds a pointer to the thread that is about to run (its KTHREAD), so a hook placed at SwapContext sees every thread that gets scheduled. That is why rootkit detectors hook it: a thread that is scheduled but whose owning process is absent from the normal process list belongs to a process something has hidden.
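The paragraph above describes the detector placing a hook of its own. The complementary check, and the one a scanner verdict named NTOSKRNL-HOOK most likely reflects, is to find out whether someone else has already patched the entry point of a kernel function. The C below is an added example written for this page, not code from the original post, the forum reply or any of the tools named in the thread. It decodes the three common x86 inline-hook patterns found at a function's first bytes (jmp rel32, jmp through an absolute pointer, push/ret), computes where the hook transfers control, and compares the live prologue with a clean reference copy. The function address, the sample prologue bytes and the hook target are constructed for the illustration; a real tool would read the live bytes from kernel memory and the clean bytes from ntoskrnl.exe on disk after applying relocations.

```c
/* x86 inline-hook detector for function entry points (added example,
 * constructed sample data; not taken from any real system). */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

typedef enum {
    HOOK_NONE = 0,      /* prologue looks untouched */
    HOOK_JMP_REL32,     /* E9 disp32: relative jump to the hook */
    HOOK_JMP_IND32,     /* FF 25 addr32: jump through an absolute pointer slot */
    HOOK_PUSH_RET       /* 68 imm32 C3: push address; ret */
} hook_kind;

/* Decode a 32-bit little-endian value byte by byte so the result does not
 * depend on the endianness of the host running the check. */
static uint32_t le32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Inspect the first bytes of a function whose virtual address is `va`.
 * Returns the kind of control transfer found at the entry point. For the
 * relative and push/ret forms *target receives the absolute destination;
 * for the indirect form it receives the address of the pointer slot that
 * would have to be read to learn the destination. */
hook_kind detect_entry_hook(const uint8_t *code, size_t len, uint32_t va, uint32_t *target)
{
    *target = 0;
    if (len >= 5 && code[0] == 0xE9) {
        /* rel32 is relative to the end of the 5-byte instruction; uint32
         * wraparound gives the right answer for negative displacements */
        *target = va + 5 + le32(code + 1);
        return HOOK_JMP_REL32;
    }
    if (len >= 6 && code[0] == 0xFF && code[1] == 0x25) {
        *target = le32(code + 2);
        return HOOK_JMP_IND32;
    }
    if (len >= 6 && code[0] == 0x68 && code[5] == 0xC3) {
        *target = le32(code + 1);
        return HOOK_PUSH_RET;
    }
    return HOOK_NONE;
}

/* Compare the in-memory prologue with a clean reference copy (for example
 * the same bytes read from ntoskrnl.exe on disk). Returns the index of the
 * first differing byte, or -1 if the prologues match. */
int first_patched_byte(const uint8_t *live, const uint8_t *clean, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (live[i] != clean[i])
            return (int)i;
    return -1;
}

/* Hypothetical kernel virtual address of the function under inspection. */
#define FUNC_VA 0x8050A000u

/* Clean hot-patchable XP-style prologue: mov edi,edi; push ebp; mov ebp,esp;
 * push esi; push edi; push ebx */
static const uint8_t clean_prologue[8] = { 0x8B, 0xFF, 0x55, 0x8B, 0xEC, 0x56, 0x57, 0x53 };
/* Same function after its first five bytes were overwritten with
 * jmp 0xF8A11000 (an address chosen for the example) */
static const uint8_t hooked_prologue[8] = { 0xE9, 0xFB, 0x6F, 0x50, 0x78, 0x56, 0x57, 0x53 };

int main(void)
{
    uint32_t target;
    hook_kind k = detect_entry_hook(hooked_prologue, sizeof hooked_prologue, FUNC_VA, &target);
    printf("hooked sample: kind %d, target 0x%08X, first patched byte %d\n",
           (int)k, target, first_patched_byte(hooked_prologue, clean_prologue, 8));
    k = detect_entry_hook(clean_prologue, sizeof clean_prologue, FUNC_VA, &target);
    printf("clean sample:  kind %d, first patched byte %d\n",
           (int)k, first_patched_byte(clean_prologue, clean_prologue, 8));
    return 0;
}
```

The byte comparison is the more reliable of the two checks: a rootkit can hide a hook behind an opcode this decoder does not recognise, but it cannot make the patched bytes equal the clean ones. The decoder earns its place by telling you where the hook goes, which is what you need to locate the rootkit's own code.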

I scanned with system restore disabled, which got rid of something like this for me several years ago. It did get rid of one other thing that had been hiding there, but not NTOSKRNL-HOOK.

The one solution offered on the McAfee forum is to scan in safe mode, but for some reason my system refuses to restart in safe mode. When I choose it, I get the message that the system did not start successfully and I should choose how I want it to start. It gives me safe mode as an option again, but when I select it the message just comes up again. It starts fine if I tell it to restart normally.

Results from my efforts with your 'Malware and Spyware Cleaning Guide': SysRestorePoint.exe gives me an error message saying it needs .NET Framework. According to my administrative listings, my computer has .NET Framework 1.1 - a search for it on the Windows Update site shows no results. RootRepeal gives me an error message of 'invalid PE image found' - I have no idea what this means. I had high hopes for this, since the problem does seem to be a rootkit (at least it says it is). The instructions for ERUNT were so complex that I knew I'd just be courting trouble if I tried them on my own.


Malwarebytes' Anti-Malware is the one thing that did some good - found a dozen things McAfee hadn't, and eliminated them: but NTOSKRNL-HOOK was still there on reboot. -- So, where do I go from here?

Hello tgshaw and welcome to GeeksToGo. I'm hammerman and I'm going to help you fix your problem. Before we begin, I suggest you print or save any instructions I give you for easy reference. We may be using Safe Mode and you will not always be able to access this thread. You can copy and paste these instructions into Notepad and then save the text file to your Desktop.

If you need any help with this or further clarification, please let me know. Do you have the results of the Malwarebytes scan you can post? If not, please carry out another scan and post the results. Please follow these steps.

-- Step 1 --

To ensure that I get all the information, this log will need to be attached (instructions at the end); if it is too large to attach, then upload to and post the sharing link.

Download to your Desktop
• Close ALL OTHER PROGRAMS.

• Double-click on OTS.exe to start the program.
• Check the box that says Scan All Users.
• Under Additional Scans check the following:
  • Reg - Shell Spawning
  • File - Lop Check
  • File - Purity Scan
  • Evnt - EvtViewer (last 10)
• Now click the Run Scan button on the toolbar.

• Let it run unhindered until it finishes.
• When the scan is complete, Notepad will open with the report file loaded in it.
• Click the Format menu and make sure that Wordwrap is not checked. If it is, then click on it to uncheck it.

Please attach the log in your next post.

To attach a file, do the following:
• Click Add Reply.
• Under the reply panel is the Attachments Panel.
• Browse for the attachment file you want to upload, then click the green Upload button.
• Once it has uploaded, click the Manage Current Attachments drop-down box.
• Click on to insert the attachment into your post.

-- Step 2 --

Download SysProt Antirootkit from the link below (you will find it at the bottom of the page under attachments, or you can get it from one of the mirrors). Unzip it into a folder on your desktop. Start the Sysprot.exe program.
• Click on the Log tab.
• In the Write to log box select all items.
• Click on the Create Log button on the bottom right.
• After a few seconds a new window should appear.

• Make sure Scan all drives is selected and click on the Start button.
• When it is complete, a new window will appear to indicate that the scan is finished.
• The log will be created and saved automatically in the same folder. Open the text file and copy/paste the log here.

Hello, You have a backdoor trojan installed on your computer. Backdoor Trojans, IRCBots and Infostealers are very dangerous because they provide a means of accessing a computer system that bypasses security mechanisms and steal sensitive information like passwords, personal and financial data, which they send back to the hacker. Remote attackers use backdoor Trojans as part of an exploit to gain unauthorized access to a computer and take control of it without your knowledge.

If your computer was used for online banking, has credit card information or other sensitive data on it, I suggest you do the following. All passwords should be changed to include those used for banking, email, eBay and forums. You should consider them to be compromised. They should be changed using a different computer and not the infected one. If you use the infected computer, an attacker may get the new passwords and transaction information. Banking and credit card institutions should be notified of the possible security breach.

I finally had a few minutes to start working on the problem, and wasn't expecting to see this when I checked in - thanks for the warning. I might be at a little less danger than some people because I don't have/use any credit cards, but I do have some other vulnerabilities that I should be able to take care of as soon as I can get to my office computer tomorrow morning. In the meantime, I'll see what I can do with the other scans. Is this related to the NTOSKRNL-HOOK trojan, or is it something else entirely?

ETA: I'll try attaching the OTS scan.

Edited by tgshaw, 24 September 2009 - 09:32 PM.

Hello, "Is this related to the NTOSKRNL-HOOK trojan, or is it something else entirely?" Yes, they are related.

Please download ComboFix from or to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved and renamed following this process directly to your desktop.**
• If you are using Firefox, make sure that your download settings are as follows:
  • Tools->Options->Main tab
  • Set to 'Always ask me where to Save the files'.
• During the download, rename Combofix to Combo-Fix as follows:
  • It is important you rename Combofix during the download, but not after.
  • Please do not rename Combofix to other names, but only to the one indicated.

• Close any open browsers.
• Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

-----------------------------------------------------------
• Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files, which may cause 'unpredictable results'.
• Click on to see a list of programs that should be disabled. The list is not all-inclusive. If yours is not listed and you don't know how to disable it, please ask.
-----------------------------------------------------------
• Close any open browsers.

• WARNING: Combofix will disconnect your machine from the Internet as soon as it starts.
• Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
• If there is no internet connection after running Combofix, then restart your computer to restore your connection.
-----------------------------------------------------------
• Double-click on Combo-Fix.exe & follow the prompts.
• When finished, it will produce a report for you.
• Please post the 'C:\Combo-Fix.txt' for further review.

**Note: Do not mouse-click Combo-Fix's window while it's running. That may cause it to stall.**

Hello, The plugins are for Java (quite normal) and Viewpoint. Viewpoint is considered foistware and you can uninstall this if you wish. There is an article about it. If you decide to remove Viewpoint, then uninstall the following (if they exist) using Add or Remove Programs: Viewpoint, Viewpoint Manager, Viewpoint Media Player. Please follow these steps.

-- Step 1 --

Download to your desktop
• Open the file and close any other windows.

• It will close all programs itself when run; make sure to let it run uninterrupted.
• Click the Start button to begin the process. The program should not take long to finish its job.
• Once it's finished it should reboot your machine; if not, do this yourself to ensure a complete clean.

-- Step 2 --

Please download to your desktop and unzip it to its own folder.
• Run JavaRa.exe, pick the language of your choice and click Select. Then click Remove Older Versions.
• Accept any prompts.

• Open JavaRa.exe again and select Search For Updates.
• Select Update Using Sun Java's Website, then click Search and click on the Open Webpage button. Download and install the latest Java Runtime Environment (JRE) version for your computer.

-- Step 3 --

Run Malwarebytes' Anti-Malware.

• Select the Update tab and then click Check for Updates. If an update is found, it will download and install the latest version.
• Select the Scanner tab, select 'Perform full scan', then click Scan.
• The scan may take some time to finish, so please be patient.
• When the scan is complete, click OK, then Show Results to view the results.

• Make sure that everything is checked, and click Remove Selected.
• When disinfection is completed, a log will open in Notepad and you may be prompted to Restart (see Extra Note).
• The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
• Copy & paste the entire report in your next reply.

Extra Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

-- Step 4 --

• Download to your desktop.

• Double-click on the icon to run it. Make sure all other windows are closed and let it run uninterrupted.
• When the window appears, underneath Output at the top change it to Minimal Output.
• Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
• When the scan completes, it will open two Notepad windows.

OTListIt.Txt and Extras.Txt. These are saved in the same location as OTL.
• Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post it with your next reply. You may need two posts to fit them all in.

Well, I'm glad I waited until I had a day off - the Kaspersky scan took about 6.5 hours.

Some weird things - I was able to start in safe mode, and everything seemed to go according to plan, except for the length of time it took, until after I clicked on the 'save to file' button. It would not let me save the file. The dialogue box opened and the file type was shown as.txt, but the file name box was empty. My cursor blinked in the box, but I wasn't able to type anything. I tried choosing a file that was already there and then changing the name, but I couldn't do that either - it only let me completely delete the name and go back to the blank box. There was one detected item, which I was able to delete.

Since I couldn't save the report, I wrote down as much info on it as I could. 'As much as I could' because, I suppose because I was in safe mode, my monitor resolution reverted to default and I couldn't change it - default is 600x800, so the information went farther to the right than I could see it. What I was able to see follows (my name and email address were shown correctly - I haven't included them):

deleted: Trojan program Trojan-Spy.HTML.Fraud.gen (modification)
Email message body: Main Identity Local folders Sent items [from: 'my correct name'] [Subject: Message includes suspi

-- that's it.

I hated to close the program without saving the report because of how long the scan had taken, but I just couldn't find any way to save it. Another weird thing, though, was that instead of uninstalling itself, the program actually opened up again at reboot. Just the original screen - not the scan results. ____________________ Something else weird that's happened - some time after we started doing these scans, etc., but before the latest ones - is that in every folder I look in there's a file titled Thumbs.db. It shows up in every level, e.g., in the desktop, in My Documents, and in My Pictures. It's labeled as a database file, and when I set the view on thumbnails, it shows a database icon but is 'grayed out'. Properties says that it opens with 'unknown application'.

And something new just now - when I rebooted after the Kaspersky scan - is a file in My Pictures titled Desktop.ini. Label says that its type is configuration settings, and it also shows a grayed-out icon. I haven't seen this in any other folders, but maybe that's because it's new. Properties says it opens with notepad, but I haven't attempted it. These files all show different creation and last modified dates, although two of the Thumbs.db files have creation dates only a week apart (March 8 and March 17, 2005). So far I've seen creation dates ranging from August 26, 2004, to August 20, 2007, and a modification date as recent as July 19, 2009.

I've never seen anything like this before! Do you have any idea what might be happening? - As with everything else, these files don't seem to be affecting how my computer works, but I'm getting to be afraid to use it. Edited by tgshaw, 01 October 2009 - 04:27 PM.
