Former Member
Message 1 of 3

Ntoskrnl - hook.

Hey everyone. I have just scanned my Compaq Presario laptop computer with McAfee, scanning all files and folders and finding and deleting four antiviruses; however, no matter what I do, that pesky NTOSKRNL - HOOK just won't go away. I have read multiple forums regarding this problem, and many of them suggested booting into safe mode. Unfortunately, I get a blue screen of death every time I attempt this, so I am stuck in regular Windows, unable to proceed any further. Also, occasionally when I run Windows in normal mode the blue death screen still appears, automatically restarting my computer repeatedly. I still have full internet access, full access to my antimalware and antivirus protection, and nothing else seems to be restricted as far as I can see now. I have run three Malwarebytes Anti-Malware scans - two quick and one full - and deleted any spyware, as well as restarted my computer ASAP. I also have run an AVG Free antivirus scan, which found absolutely nothing. I am going to post my most recent logs from Malwarebytes, McAfee and RootRepeal, and any help would be greatly appreciated, as I am going to college in two days and need my computer up and running at full speed without a risk of crashing. Thank you very much.

ROOTREPEAL (c) AD, 2007-2009
==================================================
Scan Start Time: 2009/08/25 09:58
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP3
==================================================

Drivers
-------------------
Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xED4C7000 Size: 98304 File Visible: No Signed: -
Status: -

Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xF7B4C000 Size: 8192 File Visible: No Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xEDA3A000 Size: 49152 File Visible: No Signed: -
Status: -

Hidden/Locked Files
-------------------
Path: C:\WINDOWS\system32\kbiwkmabrpuhhb.dll
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\kbiwkmgdqrdlft.dat
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\kbiwkmiranwuyr.dll
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\kbiwkmkymkkdmp.dat
Status: Invisible to the Windows API!

Path: C:\WINDOWS\Temp\kbiwkmoqmcrtqjhx.tmp
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\drivers\kbiwkmwboradae.sys
Status: Invisible to the Windows API!

Path: c:\documents and settings\admin\local settings\application data\google\chrome\user data\default\current session
Status: Size mismatch (API: 19594, Raw: 15591)

Stealth Objects
-------------------
Object: Hidden Module [Name: kbiwkmiranwuyr.dll]
Process: svchost.exe (PID: 988) Address: 0x10000000 Size: 49152

Object: Hidden Module [Name: kbiwkmabrpuhhb.dll]
Process: Explorer.EXE (PID: 1632) Address: 0x10000000 Size: 32768

Hidden Services
-------------------
Service Name: kbiwkmppqoqvxo
Image Path: C:\WINDOWS\system32\drivers\kbiwkmwboradae.sys

Service Name: WZSZXserv.sys
Image Path: C:\WINDOWS\system32\drivers\WZSZXuwkiorbqbdqomuwkriqhkltapucwjudw.sys

==EOF==


==========================================================
========================Malwarebytes AntiMalware=================
==========================================================

Malwarebytes' Anti-Malware 1.40
Database version: 2693
Windows 5.1.2600 Service Pack 3

8/25/2009 10:35:56 AM
mbam-log-2009-08-25 (10-35-56).txt

Scan type: Quick Scan
Objects scanned: 88033
Time elapsed: 5 minute(s), 4 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\AntipPro2009_100 (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Enum\Root\LEGACY_ANTIPPRO2009_100 (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)
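Read together, the RootRepeal section of this post describes one family rather than six separate problems: every file listed as invisible to the Windows API is named kbiwkm followed by random letters, two of them are loaded as hidden modules inside svchost.exe and Explorer.EXE, and the hidden service kbiwkmppqoqvxo points at one of those same files as its driver. The second hidden service, WZSZXserv.sys, shares its prefix with the WZSZX*.dll files McAfee deleted. The script below is an added example, not part of the original post and not RootRepeal's own code: it parses a RootRepeal report into its sections and groups hidden files, stealth modules and hidden services by a shared name prefix, so that correlation is done mechanically instead of by eye. The embedded report is an excerpt of the one posted above; the prefix length (5) and the grouping rule are this example's own assumptions.

```python
"""Group the hidden objects in a RootRepeal report by shared name prefix.

Added example for this thread, not part of the original post and not
RootRepeal's own code. ROOTREPEAL_LOG is an excerpt copied from the report
above; MIN_PREFIX and the prefix-grouping rule are this example's assumptions.
"""
import ntpath
import os.path
import re
from collections import defaultdict

MIN_PREFIX = 5  # assumption: one family shares at least five leading characters

ROOTREPEAL_LOG = r"""Hidden/Locked Files
-------------------
Path: C:\WINDOWS\system32\kbiwkmabrpuhhb.dll
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\kbiwkmgdqrdlft.dat
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\kbiwkmiranwuyr.dll
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\drivers\kbiwkmwboradae.sys
Status: Invisible to the Windows API!

Path: c:\documents and settings\admin\local settings\application data\google\chrome\user data\default\current session
Status: Size mismatch (API: 19594, Raw: 15591)

Stealth Objects
-------------------
Object: Hidden Module [Name: kbiwkmiranwuyr.dll]
Process: svchost.exe (PID: 988) Address: 0x10000000 Size: 49152

Object: Hidden Module [Name: kbiwkmabrpuhhb.dll]
Process: Explorer.EXE (PID: 1632) Address: 0x10000000 Size: 32768

Hidden Services
-------------------
Service Name: kbiwkmppqoqvxo
Image Path: C:\WINDOWS\system32\drivers\kbiwkmwboradae.sys

Service Name: WZSZXserv.sys
Image Path: C:\WINDOWS\system32\drivers\WZSZXuwkiorbqbdqomuwkriqhkltapucwjudw.sys
"""

def parse_sections(text):
    """{section: [record]}; a header is a line followed by a dashed rule and
    blank lines separate the 'Key: value' records inside a section."""
    lines, sections, current, record = text.splitlines(), {}, None, {}
    for i, line in enumerate(lines):
        is_header = bool(line.strip()) and ":" not in line \
            and i + 1 < len(lines) and lines[i + 1].startswith("---")
        if is_header or not line.strip():
            if record:
                sections[current].append(record)
            record = {}
            if is_header:
                current = line.strip()
                sections[current] = []
        elif current is not None and not line.startswith(("---", "==")):
            key, _, value = line.partition(":")
            record[key.strip()] = value.strip()
    if record:
        sections[current].append(record)
    return sections

def hidden_artifacts(sections):
    """Flatten the report into (name, kind, detail) tuples."""
    found = []
    for r in sections.get("Hidden/Locked Files", []):
        # Only objects the Windows API cannot see count; a size mismatch on
        # a file the browser was writing during the scan is not concealment.
        if "Invisible" in r.get("Status", ""):
            found.append((ntpath.basename(r["Path"]), "hidden file", r["Path"]))
    for r in sections.get("Stealth Objects", []):
        m = re.search(r"Hidden Module \[Name: ([^\]]+)\]", r.get("Object", ""))
        if m:
            found.append((m.group(1), "hidden module", r.get("Process", "")))
    for r in sections.get("Hidden Services", []):
        found.append((r["Service Name"], "hidden service", r["Image Path"]))
        found.append((ntpath.basename(r["Image Path"]), "service driver", r["Service Name"]))
    return found

def rootkit_families(text):
    """Bucket artifacts by their first MIN_PREFIX characters and report each
    bucket's real common prefix. A name with no partner is dropped: one odd
    file name on its own is not evidence of a family."""
    buckets = defaultdict(list)
    for art in hidden_artifacts(parse_sections(text)):
        buckets[art[0][:MIN_PREFIX].lower()].append(art)
    families = {}
    for members in buckets.values():
        names = {name for name, _, _ in members}
        if len(names) >= 2:
            families[os.path.commonprefix(sorted(names))] = sorted(set(members))
    return families

if __name__ == "__main__":
    for prefix, members in rootkit_families(ROOTREPEAL_LOG).items():
        print(f"family {prefix}*: {len(members)} hidden objects")
        for name, kind, detail in members:
            print(f"  {kind:<15} {name:<24} {detail}")
```

Run as a script it prints two families, kbiwkm* (files, the two injected modules and the service that loads the driver) and WZSZX* (the service and its driver). The Chrome "current session" entry is deliberately skipped: a raw-versus-API size mismatch on a file the browser is actively writing says nothing about hiding, and only objects the API cannot see are treated as hidden.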
Former Member
Message 2 of 3

And here is my McAfee scan...

=========================================================
=========================McAfee============================
==========================================================

8/24/2009 2:12:09 PM Engine version =5301.4018
8/24/2009 2:12:09 PM AntiVirus DAT version =5718.0000
8/24/2009 2:12:09 PM Number of detection signatures in EXTRA.DAT =None
8/24/2009 2:12:09 PM Names of detection signatures in EXTRA.DAT =None
8/24/2009 2:11:17 PM Scan Started ADMIN-MOJDWJQRW\Admin On-Demand Scan
8/24/2009 2:13:26 PM Deleted Admin NTOSKRNL-HOOK Generic Rootkit.d!rootkit(Trojan)
8/24/2009 2:23:33 PM Deleted Admin C:\WINDOWS\svchast.exe Generic FakeAlert.a(Trojan)
8/24/2009 2:31:45 PM Deleted Admin c:\Documents and Settings\Admin\Local Settings\Temp\rdl1.tmp W32/Autorun.worm!bt(Virus)
8/24/2009 3:19:49 PM Scan Summary ADMIN-MOJDWJQRW\Admin Scan Summary
8/24/2009 3:19:49 PM Scan Summary ADMIN-MOJDWJQRW\Admin Processes scanned : 62
8/24/2009 3:19:49 PM Scan Summary ADMIN-MOJDWJQRW\Admin Processes detected : 2
8/24/2009 3:19:49 PM Scan Summary ADMIN-MOJDWJQRW\Admin Processes cleaned : 0
8/24/2009 3:19:49 PM Scan Summary ADMIN-MOJDWJQRW\Admin Boot sectors scanned : 1
8/24/2009 3:19:49 PM Scan Summary ADMIN-MOJDWJQRW\Admin Boot sectors detected: 0
8/24/2009 3:19:49 PM Scan Summary ADMIN-MOJDWJQRW\Admin Boot sectors cleaned : 0
8/24/2009 3:19:49 PM Scan Summary ADMIN-MOJDWJQRW\Admin Files scanned : 6132
8/24/2009 3:19:49 PM Scan Summary ADMIN-MOJDWJQRW\Admin Files with detections: 1
8/24/2009 3:19:49 PM Scan Summary ADMIN-MOJDWJQRW\Admin File detections : 1
8/24/2009 3:19:49 PM Scan Summary ADMIN-MOJDWJQRW\Admin Files cleaned : 0
8/24/2009 3:19:49 PM Scan Summary ADMIN-MOJDWJQRW\Admin Files deleted : 1
8/24/2009 3:19:49 PM Scan Summary ADMIN-MOJDWJQRW\Admin Files not scanned : 13
8/24/2009 3:19:49 PM Scan Summary ADMIN-MOJDWJQRW\Admin Run time : 1:08:08
8/24/2009 3:19:49 PM Scan Terminated ADMIN-MOJDWJQRW\Admin On-Demand Scan

8/24/2009 3:32:09 PM Engine version =5301.4018
8/24/2009 3:32:09 PM AntiVirus DAT version =5718.0000
8/24/2009 3:32:09 PM Number of detection signatures in EXTRA.DAT =None
8/24/2009 3:32:09 PM Names of detection signatures in EXTRA.DAT =None
8/24/2009 3:31:29 PM Scan Started ADMIN-MOJDWJQRW\Admin On-Demand Scan
8/24/2009 3:33:30 PM Scan Summary ADMIN-MOJDWJQRW\Admin Scan Summary
8/24/2009 3:33:30 PM Scan Summary ADMIN-MOJDWJQRW\Admin Processes scanned : 0
8/24/2009 3:33:30 PM Scan Summary ADMIN-MOJDWJQRW\Admin Processes detected : 0
8/24/2009 3:33:30 PM Scan Summary ADMIN-MOJDWJQRW\Admin Processes cleaned : 0
8/24/2009 3:33:30 PM Scan Summary ADMIN-MOJDWJQRW\Admin Boot sectors scanned : 0
8/24/2009 3:33:30 PM Scan Summary ADMIN-MOJDWJQRW\Admin Boot sectors detected: 0
8/24/2009 3:33:30 PM Scan Summary ADMIN-MOJDWJQRW\Admin Boot sectors cleaned : 0
8/24/2009 3:33:30 PM Scan Summary ADMIN-MOJDWJQRW\Admin Files scanned : 0
8/24/2009 3:33:30 PM Scan Summary ADMIN-MOJDWJQRW\Admin Files with detections: 0
8/24/2009 3:33:30 PM Scan Summary ADMIN-MOJDWJQRW\Admin File detections : 0
8/24/2009 3:33:30 PM Scan Summary ADMIN-MOJDWJQRW\Admin Files cleaned : 0
8/24/2009 3:33:30 PM Scan Summary ADMIN-MOJDWJQRW\Admin Files deleted : 0
8/24/2009 3:33:30 PM Scan Summary ADMIN-MOJDWJQRW\Admin Files not scanned : 1
8/24/2009 3:33:30 PM Scan Summary ADMIN-MOJDWJQRW\Admin Run time : 0:02:01
8/24/2009 3:33:30 PM Scan Terminated ADMIN-MOJDWJQRW\Admin On-Demand Scan

8/24/2009 3:45:17 PM Engine version =5301.4018
8/24/2009 3:45:17 PM AntiVirus DAT version =5718.0000
8/24/2009 3:45:17 PM Number of detection signatures in EXTRA.DAT =None
8/24/2009 3:45:17 PM Names of detection signatures in EXTRA.DAT =None
8/24/2009 3:44:33 PM Scan Started ADMIN-MOJDWJQRW\Admin fullscan 1
8/24/2009 3:45:48 PM Deleted Admin NTOSKRNL-HOOK Generic Rootkit.d!rootkit(Trojan)
8/24/2009 9:00:55 PM Engine version =5301.4018
8/24/2009 9:00:55 PM AntiVirus DAT version =5719.0000
8/24/2009 9:00:55 PM Number of detection signatures in EXTRA.DAT =None
8/24/2009 9:00:55 PM Names of detection signatures in EXTRA.DAT =None
8/25/2009 3:48:20 AM Deleted Admin c:\WINDOWS\system32\WZSZXclpas.dll Generic.dx!dct(Trojan)
8/25/2009 3:48:29 AM Deleted Admin c:\WINDOWS\system32\WZSZXppc.dll Generic.dx!ced(Trojan)
8/25/2009 3:48:35 AM Deleted Admin c:\WINDOWS\system32\WZSZXsocks.dll Generic.dx!ced(Trojan)
8/25/2009 4:10:07 AM Scan Summary ADMIN-MOJDWJQRW\Admin Scan Summary
8/25/2009 4:10:07 AM Scan Summary ADMIN-MOJDWJQRW\Admin Processes scanned : 67
8/25/2009 4:10:07 AM Scan Summary ADMIN-MOJDWJQRW\Admin Processes detected : 1
8/25/2009 4:10:07 AM Scan Summary ADMIN-MOJDWJQRW\Admin Processes cleaned : 0
8/25/2009 4:10:07 AM Scan Summary ADMIN-MOJDWJQRW\Admin Boot sectors scanned : 1
8/25/2009 4:10:07 AM Scan Summary ADMIN-MOJDWJQRW\Admin Boot sectors detected: 0
8/25/2009 4:10:07 AM Scan Summary ADMIN-MOJDWJQRW\Admin Boot sectors cleaned : 0
8/25/2009 4:10:07 AM Scan Summary ADMIN-MOJDWJQRW\Admin Files scanned : 46945
8/25/2009 4:10:07 AM Scan Summary ADMIN-MOJDWJQRW\Admin Files with detections: 3
8/25/2009 4:10:07 AM Scan Summary ADMIN-MOJDWJQRW\Admin File detections : 3
8/25/2009 4:10:07 AM Scan Summary ADMIN-MOJDWJQRW\Admin Files cleaned : 0
8/25/2009 4:10:07 AM Scan Summary ADMIN-MOJDWJQRW\Admin Files deleted : 3
8/25/2009 4:10:07 AM Scan Summary ADMIN-MOJDWJQRW\Admin Files not scanned : 25
8/25/2009 4:10:07 AM Scan Summary ADMIN-MOJDWJQRW\Admin Run time : 12:25:34
8/25/2009 4:10:07 AM Scan Complete ADMIN-MOJDWJQRW\Admin fullscan 1

8/25/2009 9:16:06 AM Engine version =5301.4018
8/25/2009 9:16:06 AM AntiVirus DAT version =5719.0000
8/25/2009 9:16:06 AM Number of detection signatures in EXTRA.DAT =None
8/25/2009 9:16:06 AM Names of detection signatures in EXTRA.DAT =None
8/25/2009 9:15:49 AM Scan Started ADMIN-MOJDWJQRW\Admin On-Demand Scan
8/25/2009 9:16:17 AM Deleted Admin NTOSKRNL-HOOK Generic Rootkit.d!rootkit(Trojan)
8/25/2009 9:20:25 AM Scan Summary ADMIN-MOJDWJQRW\Admin Scan Summary
8/25/2009 9:20:25 AM Scan Summary ADMIN-MOJDWJQRW\Admin Processes scanned : 65
8/25/2009 9:20:25 AM Scan Summary ADMIN-MOJDWJQRW\Admin Processes detected : 1
8/25/2009 9:20:25 AM Scan Summary ADMIN-MOJDWJQRW\Admin Processes cleaned : 0
8/25/2009 9:20:25 AM Scan Summary ADMIN-MOJDWJQRW\Admin Boot sectors scanned : 1
8/25/2009 9:20:25 AM Scan Summary ADMIN-MOJDWJQRW\Admin Boot sectors detected: 0
8/25/2009 9:20:25 AM Scan Summary ADMIN-MOJDWJQRW\Admin Boot sectors cleaned : 0
8/25/2009 9:20:25 AM Scan Summary ADMIN-MOJDWJQRW\Admin Files scanned : 444
8/25/2009 9:20:25 AM Scan Summary ADMIN-MOJDWJQRW\Admin Files with detections: 0
8/25/2009 9:20:25 AM Scan Summary ADMIN-MOJDWJQRW\Admin File detections : 0
8/25/2009 9:20:25 AM Scan Summary ADMIN-MOJDWJQRW\Admin Files cleaned : 0
8/25/2009 9:20:25 AM Scan Summary ADMIN-MOJDWJQRW\Admin Files deleted : 0
8/25/2009 9:20:25 AM Scan Summary ADMIN-MOJDWJQRW\Admin Files not scanned : 0
8/25/2009 9:20:25 AM Scan Summary ADMIN-MOJDWJQRW\Admin Run time : 0:04:36
8/25/2009 9:20:25 AM Scan Complete ADMIN-MOJDWJQRW\Admin On-Demand Scan

8/25/2009 9:28:15 AM Engine version =5301.4018
8/25/2009 9:28:15 AM AntiVirus DAT version =5719.0000
8/25/2009 9:28:15 AM Number of detection signatures in EXTRA.DAT =None
8/25/2009 9:28:15 AM Names of detection signatures in EXTRA.DAT =None
8/25/2009 9:27:56 AM Scan Started ADMIN-MOJDWJQRW\Admin On-Demand Scan
8/25/2009 9:28:18 AM Deleted Admin NTOSKRNL-HOOK Generic Rootkit.d!rootkit(Trojan)
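The McAfee log above repeats one pattern: NTOSKRNL-HOOK is reported "Deleted", and the next scan finds it again. Every scan summary that follows such a deletion counts it under "Processes detected" with "Processes cleaned : 0", and the 9:15 scan reports "Files with detections: 0" alongside the deletion, so the hook is being found in memory, not on disk, and the "deletion" never sticks. The script below is an added example, not McAfee's code and not part of the original post: it splits the posted log (embedded as an excerpt, with the summary counters it does not use left out) into scans and flags any target that is "Deleted" in more than one scan. A remediation that has to be repeated has not worked, which is the practical sign that the rootkit is still resident and that cleaning from inside the running system will keep failing.

```python
"""Flag detections that a scanner reports as 'Deleted' in scan after scan.

Added example for this thread; it is not McAfee code and not part of the
original post. MCAFEE_LOG is an excerpt copied from the on-demand scan log
posted above: the Scan Started/Complete/Terminated lines, every Deleted
line, and the two summary counters this script reads.
"""
import re
from collections import defaultdict
from datetime import datetime

MCAFEE_LOG = r"""8/24/2009 2:11:17 PM Scan Started ADMIN-MOJDWJQRW\Admin On-Demand Scan
8/24/2009 2:13:26 PM Deleted Admin NTOSKRNL-HOOK Generic Rootkit.d!rootkit(Trojan)
8/24/2009 2:23:33 PM Deleted Admin C:\WINDOWS\svchast.exe Generic FakeAlert.a(Trojan)
8/24/2009 2:31:45 PM Deleted Admin c:\Documents and Settings\Admin\Local Settings\Temp\rdl1.tmp W32/Autorun.worm!bt(Virus)
8/24/2009 3:19:49 PM Scan Summary ADMIN-MOJDWJQRW\Admin Processes detected : 2
8/24/2009 3:19:49 PM Scan Summary ADMIN-MOJDWJQRW\Admin Processes cleaned : 0
8/24/2009 3:19:49 PM Scan Terminated ADMIN-MOJDWJQRW\Admin On-Demand Scan
8/24/2009 3:31:29 PM Scan Started ADMIN-MOJDWJQRW\Admin On-Demand Scan
8/24/2009 3:33:30 PM Scan Terminated ADMIN-MOJDWJQRW\Admin On-Demand Scan
8/24/2009 3:44:33 PM Scan Started ADMIN-MOJDWJQRW\Admin fullscan 1
8/24/2009 3:45:48 PM Deleted Admin NTOSKRNL-HOOK Generic Rootkit.d!rootkit(Trojan)
8/25/2009 3:48:20 AM Deleted Admin c:\WINDOWS\system32\WZSZXclpas.dll Generic.dx!dct(Trojan)
8/25/2009 3:48:29 AM Deleted Admin c:\WINDOWS\system32\WZSZXppc.dll Generic.dx!ced(Trojan)
8/25/2009 3:48:35 AM Deleted Admin c:\WINDOWS\system32\WZSZXsocks.dll Generic.dx!ced(Trojan)
8/25/2009 4:10:07 AM Scan Summary ADMIN-MOJDWJQRW\Admin Processes detected : 1
8/25/2009 4:10:07 AM Scan Summary ADMIN-MOJDWJQRW\Admin Processes cleaned : 0
8/25/2009 4:10:07 AM Scan Complete ADMIN-MOJDWJQRW\Admin fullscan 1
8/25/2009 9:15:49 AM Scan Started ADMIN-MOJDWJQRW\Admin On-Demand Scan
8/25/2009 9:16:17 AM Deleted Admin NTOSKRNL-HOOK Generic Rootkit.d!rootkit(Trojan)
8/25/2009 9:20:25 AM Scan Summary ADMIN-MOJDWJQRW\Admin Processes detected : 1
8/25/2009 9:20:25 AM Scan Summary ADMIN-MOJDWJQRW\Admin Processes cleaned : 0
8/25/2009 9:20:25 AM Scan Complete ADMIN-MOJDWJQRW\Admin On-Demand Scan
8/25/2009 9:27:56 AM Scan Started ADMIN-MOJDWJQRW\Admin On-Demand Scan
8/25/2009 9:28:18 AM Deleted Admin NTOSKRNL-HOOK Generic Rootkit.d!rootkit(Trojan)
"""

TS = r"(?P<ts>\d+/\d+/\d+ \d+:\d+:\d+ [AP]M) "
SCAN_RE = re.compile(TS + r"Scan (?P<event>Started|Complete|Terminated) \S+ (?P<task>.+)$")
# The target is matched lazily and a detection name never contains a
# backslash, so a path with spaces (Documents and Settings) stays whole.
DELETED_RE = re.compile(TS + r"Deleted \S+ (?P<target>.+?) "
                        r"(?P<detection>[\w./!-]+(?: [\w./!-]+)?)\((?P<category>\w+)\)$")
SUMMARY_RE = re.compile(TS + r"Scan Summary \S+ (?P<field>[A-Za-z ]+?) *: *(?P<value>\d+)$")

def _ts(s):
    return datetime.strptime(s, "%m/%d/%Y %I:%M:%S %p")

def parse_scans(text):
    """Split the log into scans: 'Scan Started' opens one, and every Deleted
    or summary line up to the next start belongs to it."""
    scans = []
    for line in text.splitlines():
        m = SCAN_RE.match(line)
        if m:
            if m["event"] == "Started":
                scans.append({"started": _ts(m["ts"]), "task": m["task"],
                              "ended": None, "deleted": [], "summary": {}})
            elif scans:
                scans[-1]["ended"] = m["event"]
            continue
        if not scans:
            continue  # engine/DAT banner lines logged before the first scan
        m = DELETED_RE.match(line)
        if m:
            scans[-1]["deleted"].append({"when": _ts(m["ts"]), "target": m["target"],
                                         "detection": m["detection"], "category": m["category"]})
            continue
        m = SUMMARY_RE.match(line)
        if m:
            scans[-1]["summary"][m["field"].strip()] = int(m["value"])
    return scans

def recurring_detections(text, min_scans=2):
    """Targets reported Deleted in at least min_scans separate scans. A
    deletion that has to be repeated did not take; for a kernel hook that
    means whatever installs the hook is still resident between scans."""
    scans = parse_scans(text)
    hits = defaultdict(list)
    for idx, scan in enumerate(scans):
        for d in scan["deleted"]:
            hits[d["target"]].append((idx, d["detection"]))
    report = {}
    for target, seen in hits.items():
        idxs = sorted({i for i, _ in seen})
        if len(idxs) >= min_scans:
            report[target] = {
                "detection": seen[0][1],
                "scans": idxs,
                "processes_cleaned": [scans[i]["summary"].get("Processes cleaned") for i in idxs],
            }
    return report

if __name__ == "__main__":
    for target, info in recurring_detections(MCAFEE_LOG).items():
        print(f"{target} ({info['detection']}) deleted in scans {info['scans']}; "
              f"processes cleaned per scan: {info['processes_cleaned']}")
```

On the posted excerpt the only recurring target is NTOSKRNL-HOOK, deleted in four of the five scans while every summary that follows reports zero processes cleaned (the last scan has no summary at all, which the script reports as None rather than guessing). The three WZSZX DLLs and the FakeAlert files each appear once, which is what a deletion that actually worked looks like.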
Former Member
Message 3 of 3

RE: And here is my McAfee scan...

Your computer is infected with a rootkit. Why don't you try one of our moderator's CDs? You may post on his thread for any feedback or help.

http://community.mcafee.com/showthread.php?t=231079&highlight=bootcd
