
Author Topic: ntsokrnl infected with trojan  (Read 7636 times)


Hawkjr6

    Topic Starter


    Rookie

    ntsokrnl infected with trojan
    « on: March 11, 2009, 07:05:59 AM »
    Having trouble. NTOSKRNL is infected. Can anyone help with a fix?

    Carbon Dudeoxide

    • Global Moderator

    • Mastermind
    • Thanked: 169
    • Certifications: List
    • Experience: Guru
    • OS: Mac OS
    Re: ntsokrnl infected with trojan
    « Reply #1 on: March 11, 2009, 07:22:52 AM »

    Hawkjr6

      Topic Starter


      Rookie

      Re: ntsokrnl infected with trojan
      « Reply #2 on: March 11, 2009, 07:56:33 AM »
      Can't download Superantispyware Free version. It will start the download page and then I get the "cannot open this page".

      Carbon Dudeoxide


      Hawkjr6

        Topic Starter


        Rookie

        Re: ntsokrnl infected with trojan
        « Reply #4 on: March 12, 2009, 05:11:39 AM »
        I try to open the download page and get the "cannot open page".

        harry 48



          Egghead

        • lay back , relax and chill out
        • Thanked: 129
          • Dribbling Pensioner
        • Certifications: List
        • Experience: Familiar
        • OS: Windows 7
        Re: ntsokrnl infected with trojan
        « Reply #5 on: March 12, 2009, 01:37:10 PM »
        Carbon, that's 4/5 people I have seen that cannot open or download SAS lately,

        harry

        evilfantasy

        • Malware Removal Specialist
        • Moderator


        • Genius
        • Calm like a bomb
        • Thanked: 493
        • Experience: Experienced
        • OS: Windows 11
        Re: ntsokrnl infected with trojan
        « Reply #6 on: March 12, 2009, 03:23:29 PM »
        Click Start > Control Panel > System > Hardware > Device Manager > View > Show Hidden Devices.

        * Scroll down to Non-plug and Play Drivers and click the plus icon to open those drivers.
        * Search for any of the following:

        - Seneka.sys <- Or anything beginning with Seneka
        - clbdriver.sys <- Or anything beginning with clbdriver
        - TDSSserv.sys <- Or anything beginning with TDSS

        * Let me know if you find them or not.
        * If you do find it, right click on it, and select Disable. Do not try to uninstall them.
        * Now reboot and see if you can run the scans that would not run.

        Hawkjr6

          Topic Starter


          Rookie

          Re: ntsokrnl infected with trojan
          « Reply #7 on: March 13, 2009, 11:40:34 AM »
          No, did not see any of the things you mentioned in last post.

          Finally got the Superantispyware to download and run, now can't get Malware to run.

          Hawkjr6

            Topic Starter


            Rookie

            Re: ntsokrnl infected with trojan
            « Reply #8 on: March 13, 2009, 11:50:45 AM »
            Here are the Superantispyware and HijackThis scan results. Still trying to get Malware to run.
            Can download and install MBAM but it won't run.

            [attachment deleted by admin]

            evilfantasy

            Re: ntsokrnl infected with trojan
            « Reply #9 on: March 13, 2009, 12:16:18 PM »
            You may want to print the below instructions that are in blue text, or copy them to a Notepad file and save it to your desktop. You might lose your Internet connection temporarily.

            Open HijackThis and select Do a system scan only.

            Place a check mark next to the following entries: (if there)

            - R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = https://www.mynortonaccount.com/amsweb/redirect.do?fpage=getKey&product_lang=EN
            - O2 - BHO: (no name) - {5E21D8DC-9618-46B6-86F9-8915DF05A503} - (no file)
            - O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.112.21,85.255.112.89
            - O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.112.21,85.255.112.89


            Important: Close all open windows except for HijackThis and then click Fix checked.

            Once completed, exit HijackThis.

            ----------

            <<<Start Print>>>

            Go to Start > Control Panel - If you are using Windows XP's Category View, select the Network and Internet Connections category. If you are in Classic View, go to the next step.

            * Double-click the Network Connections icon.
            * Right-click the Local Area Connection icon and select Properties.
            * Highlight Internet Protocol (TCP/IP) and click the Properties button.
            * Be sure Obtain DNS server address automatically is selected.
            * OK your way out.

            Go to Start > Run and type in cmd
            Click OK

            * This will open a command prompt.
            * Type the following line in the command window:
             
             ipconfig /flushdns (note the space between ipconfig and /)

            * Press Enter on the keyboard.
            * Exit the command window

            Now restart your computer.


            <<<End Print>>>

            ----------

            Now try to install and run MalwareBytes again.
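
An added example, not part of the original thread: a Python sketch that pulls the O17 NameServer values out of a HijackThis log and lists resolvers that are neither private/non-routable addresses nor on an analyst-supplied expected list. The function names, the `expected` parameter and the last sample line (with a placeholder interface GUID) are assumptions made for illustration; the other sample lines are the ones quoted in the reply above.

```python
import ipaddress
import re

# Sample input: the O2/O17 lines quoted in the reply above, plus one
# constructed line (placeholder GUID) showing a normal router-assigned resolver.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {5E21D8DC-9618-46B6-86F9-8915DF05A503} - (no file)
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.112.21,85.255.112.89
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.112.21,85.255.112.89
O17 - HKLM\System\CCS\Services\Tcpip\..\{00000000-0000-0000-0000-000000000000}: NameServer = 192.168.1.1
"""

O17_RE = re.compile(r"^O17 - (?P<key>.+?): (?P<name>\w*NameServer) = (?P<value>.+)$")


def resolver_entries(log_text):
    """Yield (registry_key, address_string) for every O17 NameServer value."""
    for line in log_text.splitlines():
        m = O17_RE.match(line.strip())
        if not m:
            continue
        # HijackThis prints multiple resolvers comma- or space-separated.
        for token in re.split(r"[,\s]+", m.group("value").strip()):
            if token:
                yield m.group("key"), token


def unexpected_resolvers(log_text, expected=()):
    """Return (key, address, reason) for resolvers that need a second look.

    `expected` is a hypothetical allowlist of addresses or CIDR ranges the
    analyst knows to be legitimate (for example the ISP's resolvers).
    """
    expected_nets = [ipaddress.ip_network(e) for e in expected]
    findings = []
    for key, token in resolver_entries(log_text):
        try:
            addr = ipaddress.ip_address(token)
        except ValueError:
            findings.append((key, token, "unparseable"))
            continue
        if addr.is_private or any(addr in net for net in expected_nets):
            continue
        findings.append((key, token, "public resolver not in expected list"))
    return findings


if __name__ == "__main__":
    for key, addr, why in unexpected_resolvers(SAMPLE_LOG):
        print(f"{addr:<16} {why}  [{key}]")
```

A statically set public resolver under the global `Tcpip\Parameters` key, as in the quoted log, is the pattern the HijackThis fix and the "Obtain DNS server address automatically" step are meant to undo.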

            Hawkjr6

              Topic Starter


              Rookie

              Re: ntsokrnl infected with trojan
              « Reply #10 on: March 13, 2009, 12:42:01 PM »
              Hey, tried the ipconfig / flush, still cannot run Malware. I tried to open the Malware.org website and it will not open.

              evilfantasy

              Re: ntsokrnl infected with trojan
              « Reply #11 on: March 13, 2009, 12:42:44 PM »
              Download ComboFix© by sUBs from one of the below links. Be sure to save it to the Desktop.

              Link #1
              Link #2

              **Note:  It is important that it is saved directly to your Desktop

              Close any open Web browsers (Firefox, Internet Explorer, etc.) before starting ComboFix.

              Temporarily disable your antivirus, and any antispyware real time protection before performing a scan. Click this link to see a list of security programs that should be disabled and how to disable them.
               
              Double click combofix.exe & follow the prompts.
              When finished ComboFix will produce a log for you.
              Post the ComboFix log in your next reply.

              Important: Do not mouseclick ComboFix's window while it is running. That may cause it to stall.

              Remember to re-enable your antivirus and antispyware protection when ComboFix is complete.

              If you have problems with ComboFix usage, see How to use ComboFix

              Hawkjr6

                Topic Starter


                Rookie

                Re: ntsokrnl infected with trojan
                « Reply #12 on: March 13, 2009, 03:15:08 PM »
                Here is the ComboFix log. Rootkit was found.

                [attachment deleted by admin]

                evilfantasy

                Re: ntsokrnl infected with trojan
                « Reply #13 on: March 13, 2009, 04:05:47 PM »
                ComboFix got one rootkit but there are some other files that don't look right to me.

                Run the F-Secure Online Scanner for Viruses, Spyware and RootKits.

                Note: This Scanner is for Internet Explorer Only!
                • Click on Online Services and then Online Scanner
                • Accept the License Agreement.
                • Once the ActiveX installs, click Full System Scan.
                • Once the download completes, the scan will begin automatically.
                • The scan will take some time to finish, so please be patient.
                • When the scan completes, click the Automatic cleaning (recommended) button.
                • Click the Show Report button and copy and paste the entire report in your next reply.

                Hawkjr6

                  Topic Starter


                  Rookie

                  Re: ntsokrnl infected with trojan
                  « Reply #14 on: March 13, 2009, 06:11:38 PM »
                  Here is the F-Secure scan report.

                  Scanning Report
                  Friday, March 13, 2009 18:19:47 - 20:08:10
                  Computer name: HAWKSMACHINE
                  Scanning type: Scan system for malware, rootkits
                  Target: C:\


                  --------------------------------------------------------------------------------

                  Result: 2 malware found
                  TrackingCookie.Doubleclick (spyware)
                  System
                  TrackingCookie.Revsci (spyware)
                  System

                  --------------------------------------------------------------------------------

                  Statistics
                  Scanned:
                  Files: 42408
                  System: 4085
                  Not scanned: 8
                  Actions:
                  Disinfected: 0
                  Renamed: 0
                  Deleted: 0
                  None: 2
                  Submitted: 0
                  Files not scanned:
                  C:\PAGEFILE.SYS
                  C:\WINDOWS\TEMP\MCMSC_D7GLHB0WVYORHNI
                  C:\WINDOWS\SYSTEM32\DRIVERS\SPTD.SYS
                  C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT
                  C:\WINDOWS\SYSTEM32\CONFIG\SAM
                  C:\WINDOWS\SYSTEM32\CONFIG\SECURITY
                  C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE
                  C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM

                  --------------------------------------------------------------------------------

                  Options
                  Scanning engines:
                  F-Secure USS: 3.0.0
                  F-Secure Hydra: 3.6.8511, 2009-03-13
                  F-Secure AVP: 7.0.171, 2009-03-13
                  F-Secure Pegasus: 1.20.0, 1969-11-31
                  F-Secure Blacklight: 0.0.0
                  Scanning options:
                  Scan defined files: COM EXE SYS OV? BIN SCR DLL SHS HTM HTML HTT VBS JS INF VXD DO? XL? RTF CPL WIZ HTA PP? PWZ P?T MSO PIF . ACM ASP AX CNV CSC DRV INI MDB MPD MPP MPT OBD OBT OCX PCI TLB TSP WBK WBT WPC WSH VWP WML BOO HLP TD0 TT6 MSG ASD JSE VBE WSC CHM EML PRC SHB LNK WSF {* PDF ZL? XML ZIP XXX ANI AVB BAT CMD JOB LSP MAP MHT MIF PHP POT SWF WMF NWS TAR
                  Use Advanced heuristics

                  --------------------------------------------------------------------------------