Poll

Wanna buy me a new computer? >.<

yes
Yes

Author Topic: ROOTKIT NTNDIS.EXE - STILL NOT FIXED >.<  (Read 11645 times)

Husk

  • Guest
ROOTKIT NTNDIS.EXE - STILL NOT FIXED >.<
« on: February 03, 2009, 07:06:08 AM »
Hello, I have been trying to remove this by myself, mainly because it stops all clicking action, so I couldn't get any =Z I've done a bit

I found it was a process called ntndis.exe. I looked for it in HijackThis and found it. I fixed it but it hasn't solved it. On startup, I couldn't get to the desktop because it froze. I managed to fix that through HijackThis, but I can get on now but anywhere I click doesn't do anything unless in safe mode 80% of the time. I turned off system restore

This is my hijackthis log and Picture of SuperAntiSpyware scan.

I'm gonna do a scan on avast at some point. It did find something once but I couldn't see the message, but I couldn't click. But I don't know
« Last Edit: February 06, 2009, 08:12:25 AM by Husk »

ardvark

  • Guest
Re: ROOTKIT NTNDIS.EXE - I got it and it's really bad, 7 of them >.<
« Reply #1 on: February 03, 2009, 08:11:04 AM »
Hi...

You might want to try the following if you have a legal copy of your operating system or a restore partition on your hard drive...

http://support.microsoft.com/kb/315265

http://support.microsoft.com/kb/187941

The latter link is an explanation of the different options or "switches" that are available using chkdsk.

Let us know if this helps. :)

May God Bless you!
« Last Edit: February 03, 2009, 08:13:44 AM by ardvark »

Husk

  • Guest
Re: ROOTKIT NTNDIS.EXE - I got it and it's really bad, 7 of them >.<
« Reply #2 on: February 03, 2009, 10:08:55 AM »
Will this work in safe mode?

Offline Tarq57

  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 3694
  • If at first you don’t succeed; call it version 1.0
Re: ROOTKIT NTNDIS.EXE - I got it and it's really bad, 7 of them >.<
« Reply #3 on: February 03, 2009, 11:18:17 AM »
While not being well versed in the interpretation of HJT logs, a couple of things seem odd to me.
1) You are running it from the desktop. It should be normally run from the program files, where it should have been installed.
2) The 04 item WIN32APIH.exe has no Google reference, is similar in name to a valid MS file (win32api.exe) and is thus suspicious.

I don't know about the checkdisk routines suggested above, even having skimmed through the KB articles linked.

What I would do is schedule a boot scan with Avast. If that fails to address the issue, look to run some rootkit scans.
Trend Micro make a free download called rootkit buster, Sophos have an anti rootkit tool, have a look here http://andymanchesta.com/ for a choice of scanners.
SAS is highly regarded, so is MBAM. I'd try it. I think you can update it and run it in safe mode, with networking. Don't know if it can be installed in safe.
Windows 10,Windows Firewall,Firefox w/Adblock.
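
The lookalike-name check from the reply above, written out as an added example (not part of any post in this thread): it reads HijackThis O4 autorun lines and reports file names that closely resemble, but do not equal, a known name. The reference list and the sample log lines are constructed for illustration, and a flagged name is a reason to look closer, not a verdict.

```python
import re
from difflib import SequenceMatcher

# Assumed reference list for this sketch. win32api.exe is the name the post
# compares against; the others are common Windows process names.
KNOWN_NAMES = {"win32api.exe", "svchost.exe", "explorer.exe", "lsass.exe", "ctfmon.exe"}

# HijackThis autorun entry: O4 - <registry location>: [<value name>] <command>
O4_RE = re.compile(r"^O4 - (?P<loc>[^:]+): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
EXE_RE = re.compile(r'([^\\/"]+\.exe)', re.IGNORECASE)

# Constructed sample lines (paths are invented; the real log was an attachment).
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [WIN32APIH] C:\WINDOWS\system32\WIN32APIH.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
"""

def lookalike(exe, threshold=0.85):
    """Return the known name that exe resembles without matching it, else None."""
    exe = exe.lower()
    if exe in KNOWN_NAMES:
        return None  # exact match: not a lookalike (location still needs checking)
    score = lambda known: SequenceMatcher(None, exe, known).ratio()
    best = max(KNOWN_NAMES, key=score)
    return best if score(best) >= threshold else None

def review_o4(log_text):
    """List (file, resembles, autorun location) for O4 entries with lookalike names."""
    findings = []
    for line in log_text.splitlines():
        entry = O4_RE.match(line.strip())
        exe = EXE_RE.search(entry.group("cmd")) if entry else None
        if exe and lookalike(exe.group(1)):
            findings.append((exe.group(1), lookalike(exe.group(1)), entry.group("loc")))
    return findings

if __name__ == "__main__":
    for name, known, loc in review_o4(SAMPLE_LOG):
        print(f"{name}: resembles {known} but is not it (autorun at {loc})")
```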

ardvark

  • Guest
Re: ROOTKIT NTNDIS.EXE - I got it and it's really bad, 7 of them >.<
« Reply #4 on: February 03, 2009, 11:57:51 PM »
Quote
Will this work in safe mode?

Hi...

Possibly, I'm not sure since I've never tried it in safe mode. :)

Best Regards...

Husk

  • Guest
Re: ROOTKIT NTNDIS.EXE - I got it and it's really bad, 7 of them >.<
« Reply #5 on: February 04, 2009, 07:27:23 AM »
One problem I have though.

I have no internet access so I can't download anything.

And the 04 thing... Should I fix in HJT?

When I tried to chest some trojan called

PWstealer-u, The chest said it could not connect to some server...

And... I can't open task manager because 'Administrator has disabled it' Probably by the virus >.<

And I can no longer run normally, it freezes


Here's an updated HJT log
« Last Edit: February 04, 2009, 08:08:16 AM by Husk »

Husk

  • Guest
Re: ROOTKIT NTNDIS.EXE - I got it and it's really bad, 7 of them >.<
« Reply #6 on: February 04, 2009, 08:12:32 AM »
Also, Chkdsk in cmd doesn't work

Husk

  • Guest
Re: ROOTKIT NTNDIS.EXE - I got it and it's really bad, 7 of them >.<
« Reply #7 on: February 04, 2009, 08:13:23 AM »
And what is sas? Sophos?

onlysomeone

  • Guest
Re: ROOTKIT NTNDIS.EXE - I got it and it's really bad, 7 of them >.<
« Reply #8 on: February 04, 2009, 08:18:42 AM »
Quote
And what is sas? Sophos?

I would say SAS is Super Anti Spyware
and MBAM is MalwareBytes Anti Malware

yours
onlysomeone

Husk

  • Guest
Re: ROOTKIT NTNDIS.EXE - I got it and it's really bad, 7 of them >.<
« Reply #9 on: February 04, 2009, 08:20:36 AM »
Ok, thanks someone >.< I have sas, I think I still have MBAM, I'll run a scan with it


and sophos doesn't work in safe mode =Z

Husk

  • Guest
Re: ROOTKIT NTNDIS.EXE - I got it and it's really bad, 7 of them >.<
« Reply #10 on: February 04, 2009, 09:28:24 AM »
Here's the MBAM results

Should I delete them or what?
 
The first one shown is disabletaskmgr or something. But that's why it's gone

I know how to restore the task manager, but I don't know where the HKEY path is
« Last Edit: February 04, 2009, 09:34:48 AM by Husk »

ardvark

  • Guest
Re: ROOTKIT NTNDIS.EXE - I got it and it's really bad, 7 of them >.<
« Reply #11 on: February 04, 2009, 09:28:42 AM »
Quote
Also, Chkdsk in cmd doesn't work

Hi...

Do you get any kind of error message? ???

Also, here are a couple of specific anti-rootkit tools that may be of help...

F-Secure's Blacklight...

http://www.f-secure.com/security_center/

(scroll down to "downloads.")

Trend Micro Rootkit-Buster...

http://www.trendmicro.com/download/rbuster.asp

If none of these utilities are able to help and if chkdsk is unable to work, I think you may be looking at a reinstall. :(

EDIT: Yes, delete them and rescan upon reboot.

Best Regards...
« Last Edit: February 04, 2009, 09:42:05 AM by ardvark »

Husk

  • Guest
Re: ROOTKIT NTNDIS.EXE - I got it and it's really bad, 7 of them >.<
« Reply #12 on: February 04, 2009, 09:38:38 AM »
I think I was doing that wrong >.< I kept putting in chkdsk volume:/f which did nothing.

chkdsk works though

ardvark

  • Guest
Re: ROOTKIT NTNDIS.EXE - I got it and it's really bad, 7 of them >.<
« Reply #13 on: February 04, 2009, 09:44:00 AM »
Quote
I think I was doing that wrong >.< I kept putting in chkdsk volume:/f which did nothing.

chkdsk works though

Hi...

Ok, just type in exactly ---> chkdsk /r

You can copy and paste this into the run box. :)

I'd be happy to build you a computer... you would need to cover labor, parts and shipping. ;)

Best Regards...
« Last Edit: February 04, 2009, 09:48:54 AM by ardvark »

Husk

  • Guest
Re: ROOTKIT NTNDIS.EXE - I got it and it's really bad, 7 of them >.<
« Reply #14 on: February 04, 2009, 09:52:56 AM »
Quote
Hi...

Ok, just type in exactly ---> chkdsk /r

You can copy and paste this into the run box. :)

I'll do that

Quote
I'd be happy to build you a computer... you would need to cover labor, parts and shipping. ;)

Best Regards...

Or You can be really nice =P I'm too young to buy anything  :P

blacklight in safe mode, doesn't work
Trend Micro, Tcomm is installed but doesn't work, so that's out
« Last Edit: February 04, 2009, 10:00:24 AM by Husk »