Level 7
Message 1 of 19

NTROSKRNL and DNSchanger problem

Hello,
I'm having some serious trouble removing viruses (virii?) from one of my computers. It makes it impossible to use the internet and random pop-ups and supposed anti-virus ads keep showing up. I ran a full scan using McAfee and it found many things but couldn't remove them all. This caused some kind of chain reaction and now they're acting almost like they are "mad" and doing all kinds of things... when I do another scan different things can show up. I've also used Malwarebytes' Anti-Malware and it found and "removed" quite a few things. When I rerun it or McAfee, it will often find _different_ items.

I've since disconnected from the internet, which really helped (it seems obvious now, but I didn't consider that it was downloading new virii in the background before). I've tried to close the processes causing any popups and then run the scans. Slowly I've managed to reduce the number of detects. Malwarebytes will sometimes claim no detects now (they come back eventually), but McAfee will always find some. The last scan I finally got it down to these (according to McAfee):

NTOSKRNL-HOOK Generic Rootkit.d!rootkit(Trojan) ... which it claims to delete successfully, but never goes away
DNSChanger.p(Trojan) ... which it claims to delete successfully
DNSChanger.p(Trojan) ... (another file) delete failed
DNSChanger!e(Trojan) ... which it claims to delete successfully
DNSChanger!e(Trojan) ... (another file) delete failed
DNSChanger!d(Trojan) ... which it claims to delete successfully
DNSChanger!d(Trojan) ... (another file) delete failed

All the DNSChanger files are named something like C:\windows\system32\OVF*
I've tried booting with a windows rescue console cd and deleting the OVF* files by hand ... no luck.

Please help!
-kevin

P.S. I'm sorry I can't post a full log. As I noted, the infected computer has been removed from the internet... and I don't really want to risk swapping anything between the computers. If it helps though, I'll type some of the beginning by hand:
Engine version =5301.4018
Antivirus DAT version =5631.0000
Number of detection signatures in EXTRA.DAT =None
Names of detection signatures in EXTRA.DAT =None
...the rest, besides times/dates/long filenames, is summarized above.
18 Replies
Level 7
Message 2 of 19

RE: NTROSKRNL and DNSchanger problem

Additional difficulty:
Now when doing a full scan with McAfee, during the memory scan when it gets to the explorer.exe process the computer freezes and I have to reboot.

Any suggestions or assistance you can provide for dealing with these virii would be much appreciated.
Thanks,
-kevin
Level 11
Message 3 of 19

RE: NTROSKRNL and DNSchanger problem

This is a rootkit. Do you have the ability to burn an ISO CD image?
Level 7
Message 4 of 19

RE: NTROSKRNL and DNSchanger problem

Yes. I can download whatever you need me to, and burn it to a CD on my laptop (what I'm posting from now). Then run the CD on my computer hurting with virii, or whatever you need me to.
Level 11
Message 5 of 19

RE: NTROSKRNL and DNSchanger problem

I created a boot CD that will scan and clean a computer if the hardware is supported.

If internet connectivity does work, you can scan and clean your computer with either the ESET Scanner or McAfee (default).

Wireless connections are not supported. Even if the program cannot start an Internet connection, I have left a file manager that will allow you to go into your computer and find the bad files. You access the other programs by right-clicking on the desktop background.

This is a main one you need to get rid of:
C:\Windows\System32\drivers\OVF*.SYS

These are the ones you should also remove:
C:\Windows\System32\OVF*.DLL

Level 7
Message 6 of 19

RE: NTROSKRNL and DNSchanger problem

Okay, I used that CD. Unfortunately, it was unable to use my ethernet port hardware. (If I run ipconfig /all from the command line, I don't even see the device and MAC address.) So because it is missing the necessary drivers or something, it couldn't run either of the anti-virus programs. I deleted the OVF* files and rebooted, but since the rootkit should still be present, I don't expect it to help much. I'm running some new scans after restarting now.

Is there some way I can put some virus definition files on the CD so it doesn't need the internet?
Level 11
Message 7 of 19

RE: NTROSKRNL and DNSchanger problem

It is possible to put the scanner on your computer ahead of time and it is also possible to load your own network drivers into the CD (while it's running), but for version 1, I haven't had the time to add all those needed features (especially for a free side project).

Since the virus isn't running in the boot CD, you should have no problem at all removing the bad files thus disabling the virus. A normal scan should now detect what is left over and remove it without any problems.
Level 7
Message 8 of 19

RE: NTROSKRNL and DNSchanger problem

But all I removed was the OVF* files. How am I supposed to remove the NTOSKRNL rootkit? Sure, McAfee claims to remove it each time it runs a scan ... but it clearly doesn't since it is always there every scan.

I just finished the new scans. MBAM didn't find anything. McAfee still found the same stuff as before. Even the OVF* files are back somehow, and it again claims "delete failed" for every other OVF* file.

I've never dealt with a rootkit before. Please help, this is over my head.

Can I boot from your CD, then get the McAfee that is installed on the hard drive to run a scan? If it can run without the rootkit in memory (because my infected Windows isn't loaded) maybe it has a chance to clean it for real. Or is that being overly hopeful?
Level 11
Message 9 of 19

RE: NTROSKRNL and DNSchanger problem

The rootkit is the bad sys and dll files. If it is coming back, it's because there is another rootkit or virus still active on the system.

If you'd like, I'll attempt to remove this rootkit for you. Head over to the following URL on the infected machine and run the remote software.

https://www.fastsupport.com/800482070

This support key expires 30 minutes from the time of this post.
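The two points made in messages 5 and 9 (the OVF*.SYS driver and OVF*.DLL files are the rootkit's payload, and files that reappear after deletion mean something else on the system is still active) can be checked in a repeatable way rather than by eye in a file manager. The script below is an added triage example written for this page; it is not code from the thread, from the boot CD or from McAfee. It assumes PowerShell 4.0 or later on the Windows system being examined (Get-FileHash needs 4.0), an elevated prompt, and that you fill in `$ExpectedDns` with your own router's or ISP's resolver addresses (the value shown is a constructed placeholder). One caveat from the thread itself: a rootkit that hooks the kernel can hide its files from a listing taken inside the infected Windows, so the file inventory is only trustworthy when `$SystemRoot` points at the infected drive mounted from a clean environment; the service and DNS sections read the live registry and adapter configuration and so only apply when run on the machine itself.

```powershell
# Added triage script (not from the thread). Three checks, all read-only:
#   1. inventory files matching the patterns named in message 5,
#   2. find service/driver entries whose ImagePath loads one of them,
#   3. list the DNS resolvers each adapter is using.
param(
    # Point at an offline-mounted copy (e.g. 'E:\Windows') to defeat file hiding.
    [string]$SystemRoot = $env:SystemRoot,
    # Constructed placeholder: replace with the resolvers you actually expect.
    [string[]]$ExpectedDns = @('192.168.1.1')
)

$patterns = @(
    (Join-Path $SystemRoot 'System32\OVF*.dll'),
    (Join-Path $SystemRoot 'System32\drivers\OVF*.sys')
)

Write-Host '== 1. Files matching OVF*.dll / OVF*.sys =='
foreach ($p in $patterns) {
    Get-ChildItem -Path $p -Force -ErrorAction SilentlyContinue | ForEach-Object {
        $sig = Get-AuthenticodeSignature -FilePath $_.FullName
        [pscustomobject]@{
            Path      = $_.FullName
            SizeBytes = $_.Length
            Created   = $_.CreationTime
            # An unsigned file sitting in System32\drivers deserves a closer look.
            Signature = $sig.Status
            # Hash lets you compare the file that "comes back" with the one you deleted.
            SHA256    = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
        }
    } | Format-List
}

Write-Host '== 2. Services/drivers whose ImagePath references an OVF* file =='
# A kernel driver only loads if a service entry points at it. If the files return
# after deletion, the entry (or whatever keeps recreating it) is the live component
# message 9 refers to, and it is worth recording before any further cleanup.
Get-ChildItem 'HKLM:\SYSTEM\CurrentControlSet\Services' -ErrorAction SilentlyContinue |
    ForEach-Object {
        $img = (Get-ItemProperty -Path $_.PSPath -Name ImagePath -ErrorAction SilentlyContinue).ImagePath
        if ($img -and $img -match '\\OVF[^\\]*\.(sys|dll)') {
            $start = (Get-ItemProperty -Path $_.PSPath -Name Start -ErrorAction SilentlyContinue).Start
            [pscustomobject]@{ Service = $_.PSChildName; Start = $start; ImagePath = $img }
        }
    } | Format-Table -AutoSize

Write-Host '== 3. DNS resolvers on IP-enabled adapters =='
# DNSChanger-class trojans swap the resolver addresses; anything not in
# $ExpectedDns is flagged so it stands out in the output.
Get-WmiObject Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE' | ForEach-Object {
    $adapter = $_.Description
    foreach ($dns in @($_.DNSServerSearchOrder)) {
        if (-not $dns) { continue }
        $flag = if ($ExpectedDns -contains $dns) { 'expected' } else { 'UNEXPECTED' }
        '{0,-45} {1,-16} {2}' -f $adapter, $dns, $flag
    }
}
```

Run it twice, once before deleting the files from the boot CD and once after the first reboot back into Windows: matching hashes in section 1 mean the same file was written back, and a surviving entry in section 2 tells you which service name to look at next. An UNEXPECTED resolver in section 3 is the setting to correct once the system is otherwise clean, since that is what keeps the machine off the internet as described in message 10.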
Level 7
Message 10 of 19

RE: NTROSKRNL and DNSchanger problem

The DNSchanger virus prevents me from getting anywhere on the internet, and I can't get to the internet with your CD. So I can't really go that route.

Thank you for all your effort and help. It is very much appreciated. From your comments it sounds like there is yet another virus that McAfee isn't detecting, so maybe I'll just copy what data files I can to CDs and start from scratch. I was really hoping to avoid that since I can't find the CDs to some of the software anymore. Oh well. Again, thank you ever so much for your help. It really is appreciated.
