
Cannot remove NTOSKRNL-HOOK


2 replies to this topic

#1 Kimber73

Posted 26 April 2009 - 08:58 PM

My Dell Dimension 8250 running Windows XP with sp3 has been noticeably sick since April 15th. I ran TUT and found some suspicious processes so I ran McAfee virus scan and removed more problems than Carter had liver pills.

I then ran Ad-Aware and removed more junk.

According to TUT there were still suspicious processes running so I downloaded and installed Spybot S&D... did a scan and found/removed more junk.

Somewhere in the midst of this I started getting the blue screen of death. I then ran McAfee again in safe mode and found and supposedly removed NTOSKRNL-HOOK and quarantined C:\WINDOWS\SYSTEM32\DRIVERS\OVFSTHXPYNMWXNH.SYS which it detected as a DNSChanger!d.

I then rebooted and upon trying to play World of Warcraft I got the BSOD again. I then did several McAfee scans again in safe mode and each time I got the same results: removed NTOSKRNL-HOOK and quarantined C:\WINDOWS\SYSTEM32\DRIVERS\OVFSTHXPYNMWXNH.SYS.

How do I remove this from my computer?

Thanks and sorry if I gave TMI or not enough...
Where's the "any" key?

#2 DaChew

Posted 26 April 2009 - 09:17 PM

This is a very new and dangerous rootkit.

One or more of the identified infections is a rootkit/backdoor trojan.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the trojan has been identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall

Someone may still be able to clean this machine but we can't guarantee that it will be 100% secure afterwards. Let me know what you decide to do.

If you decide to continue on, you will need to post in our HJT forum:

http://www.bleepingcomputer.com/forums/t/34773/preparation-guide-for-use-before-using-malware-removal-tools-and-requesting-help/
Chewy

No. Try not. Do... or do not. There is no try.

#3 Kimber73

Posted 10 May 2009 - 02:17 PM

I used UnHackMe and so far so good. Thanks for the info.
Where's the "any" key?