
ntoskrnl.exe infected with Trojan.Dropper

Hi

A large amount of obscene websites appeared on our internet browsing history today. I did a scan with Norton 360 and no issues arose, however I did a scan with this free download version of Spyhunter3 and it found a Trojan.Dropper virus in the ntoskrnl.exe. How do I fix?

The file path that it identified is C:\WINDOWS\$hf_mig$\KB890859/SP2QFE/ntoskrnl.exe

(also there are no viruses showing in my registry at all - just this one file)

I looked on the Symantec website against Dropper.Trojan Virus and it says to delete the infected files (after following all of the other steps of course), however the computer needs this ntoskrnl.exe, doesn't it? If I delete that, won't that cause problems?

I also noticed there was a Latest Rapid Release Version (revision 035) of this virus dated 20/7/2009. If you can please help that would be hugely appreciated. Thanks.

Replies


Re: ntoskrnl.exe infected with Trojan.Dropper

Hi Daniel_Selleck:

Please download and scan with this tool. http://homepages.slingshot.co.nz/~crutches/SysProt

Go into Norton and turn auto-protect off. Click the report or log tab, check all areas and hard drive and scan.

You will be able to post the log here using the "add attachments" button just below the post button.

Under certain circumstances profanity provides relief denied even to prayer. Mark Twain

Re: ntoskrnl.exe infected with Trojan.Dropper

Thanks delphinium,

Here is the log attached. Done just as asked, turned off auto-protect and followed steps.

Hope this makes sense.

Message Edited by Daniel_Selleck on 07-21-2009 11:06 PM

Re: ntoskrnl.exe infected with Trojan.Dropper

Hi Daniel_Selleck:

I'm not seeing anything too desperate on that log. Let's have you run a Hijackthis log. Perhaps you have nothing more than a DNSchanger.

http://www.trendsecure.com/portal/en-US/tools/security_tools/hijackthis

Once the log is up, I will have one of our analysts have a look at that.  Quads will be available later today and have another look at the SysProt log to confirm.

Under certain circumstances profanity provides relief denied even to prayer. Mark Twain

Re: ntoskrnl.exe infected with Trojan.Dropper

Daniel,

You can try running a scan with MBAM if you want, it may fix the problem.

Malwarebytes' Anti-Malware - www.malwarebytes.org

Matt

"The fact that man knows right from wrong proves his intellectual superiority to other creatures; but the fact that he can do wrong proves his moral inferiority to any creature that cannot."- Mark Twain

Re: ntoskrnl.exe infected with Trojan.Dropper

Daniel_Selleck

The file you listed in the original post is part of a MS KB update and could be a false positive. I would follow the other advice here and scan with Malware Bytes AntiMalware to confirm the find with a second source and then scan with HiJackThis to check for a possible redirecting browser setting / Add-ons.

Win10 x64; Proud graduate of GeeksToGo

Re: ntoskrnl.exe infected with Trojan.Dropper

Hi all,

Please see attached.

I accidentally ran a quick scan with the Malware Bytes AntiMalware to begin with which picked up a lot of infected Registry Values which really surprised me. I then ran a full scan later and it picked up a couple more. Both times I clicked on "Quarantine and Delete" which it said was performed correctly.

I then ran the Hijackthis and got a logfile which I have also posted.

After doing all of these checks the ntoskrnl.exe seems to still be infected (according to the Spyhunter3 program).

PLUS Spyhunter3 just then picked up another file called "Internet Security.Ink" with an Object name "Neospace" (which I guess could have become unearthed after doing the cleanup with MBAM). I searched on Google and from what I gather this is a security program that viruses/trojans download to your computer. The weird thing is there does not seem to be any mention of it in my computer's registry (where the Symantec site tells you to look). The filepath that this is located is in C:\Documents and Settings\Daniel\Recent\Internet Security.Ink

- however I can't seem to gain access to a "Recent" folder to delete it. So now I have a new problem

Thanks for your help so far, hopefully I haven't added any confusion to the situation with this further news.

Cheers.

- edit - dbrisendine I just looked up what you meant by false positive (didn't know the meaning until now) - Could it just be in fact that the Spyhunter3 got it wrong?

Message Edited by Daniel_Selleck on 07-23-2009 12:46 AM

Re: ntoskrnl.exe infected with Trojan.Dropper

Hi Daniel_Selleck,

 

From the Hijackthis log you provided, only the following unnecessary entries need to be fixed (not threats at all):

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - (no file)
O4 - Global Startup: Exif Launcher.lnk = ?
O4 - Global Startup: Picture Package Menu.lnk = ?
O4 - Global Startup: Picture Package VCD Maker.lnk = ?

 

The heuristic techniques and definitions for the detection/repair of viruses may differ between Security Products. For example, if Norton detects a macro virus, then it opens the macro file and removes as much of the viral code as possible. However, to keep the macro intact, it may leave harmless pieces of viral code or the macro name behind. Other security programs may detect this and report an infection even though the file cannot infect other files (I am not sure if this is your case).

I think there is a chance of false positives from SpyHunter 3. To confirm whether that file is not a false positive from SpyHunter 3, it is better to submit the ntoskrnl.exe file to Symantec Security Response for further analysis. For instructions on how to do this, read Submit Virus Samples.

Yogesh
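
An added example (not part of the original reply, and not code from HijackThis or Symantec): a small Python triage script that parses HijackThis-style lines like the four quoted above and lists the entries whose target is missing, shown in the log as `(no file)` or `= ?`. The last two sample lines, the function names and the `MISSING` set are constructed here for illustration.

```python
import re

# First four lines are the entries quoted in the reply above; the last two are
# constructed for contrast (hypothetical names and paths).
SAMPLE_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - (no file)
O4 - Global Startup: Exif Launcher.lnk = ?
O4 - Global Startup: Picture Package Menu.lnk = ?
O4 - Global Startup: Picture Package VCD Maker.lnk = ?
O2 - BHO: Example Helper - {00000000-0000-0000-0000-000000000000} - C:\Example\helper.dll
O4 - Global Startup: Example Tool.lnk = C:\Example\tool.exe
"""

# "<section code> - <entry kind>: <details>", e.g. "O4 - Global Startup: ..."
ENTRY = re.compile(r"^(?P<code>[A-Z]\d{1,2}) - (?P<kind>[^:]+): (?P<rest>.*)$")

# Markers taken from the quoted lines: the referenced file or shortcut target
# could not be resolved (assumption: no other markers are handled here).
MISSING = {"(no file)", "?"}


def parse_entry(line):
    """Split one log line into code, kind, name and target; None if not an entry."""
    m = ENTRY.match(line.strip())
    if not m:
        return None
    rest = m.group("rest")
    if " = " in rest:        # shortcut style: "<name> = <target>"
        name, target = rest.rsplit(" = ", 1)
    elif " - " in rest:      # BHO style: "<name> - {CLSID} - <file>"
        name, target = rest.split(" - ", 1)[0], rest.rsplit(" - ", 1)[1]
    else:
        name, target = rest, ""
    return {"code": m.group("code"), "kind": m.group("kind"),
            "name": name.strip(), "target": target.strip()}


def parse_log(text):
    """Parse every recognisable entry line, skipping headers and blank lines."""
    return [e for e in map(parse_entry, text.splitlines()) if e]


def orphaned(entries):
    """Entries pointing at nothing: leftovers to tidy up, not detections."""
    return [e for e in entries if e["target"] in MISSING]


if __name__ == "__main__":
    for e in orphaned(parse_log(SAMPLE_LOG)):
        print(f'{e["code"]} {e["kind"]}: {e["name"]} -> {e["target"]}')
```
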


Re: ntoskrnl.exe infected with Trojan.Dropper

yogesh_mohan thank you for having a look at this for me!

It is now really starting to sound like a false positive (a term which I learnt about 5 minutes ago!)

Is this the same for the Internet Security.Ink file that Spyhunter3 has picked up as well? Or is this something I need to try and get rid of and if so how do I gain access to it?

Thank you for putting up with the questions.

Message Edited by Daniel_Selleck on 07-23-2009 12:59 AM

Re: ntoskrnl.exe infected with Trojan.Dropper

Have you gone to Start - Search for those files? You might be able to delete them from there. That would be the safest. You could also download Ccleaner, which is a handy program as long as it is used judiciously. "Fix" to a cleaner means "Eradicate".

http://www.ccleaner.com/

Under certain circumstances profanity provides relief denied even to prayer. Mark Twain

Re: ntoskrnl.exe infected with Trojan.Dropper

Excellent! I already have Ccleaner on my computer which I just ran from your advice and it has cleaned the Internet Security.Ink file out of Documents and Settings\User\Recent.

Seriously you guys rock!

Kudos to all of you, I for now am considering this solved. If I bump into any further problems with this ntoskrnl.exe issue later I'll get back to you, however it doesn't sound like I will - but for now, one last big THANK YOU.
