TechSpot

Ntos.exe

By Ninte
Oct 16, 2007
  1. I think that there is something wrong with my ntoskrnl, because it's showing up in the Windows Task Manager and I'm pretty sure that it isn't supposed to. I'm not actually sure if it's virus/trojan related or something else. Really, I have no idea what to do or how to fix it. I'm not very technically savvy, so I was wondering if you guys could help me out with simple language and all that.
     
  2. howard_hopkinso

    howard_hopkinso TS Rookie Posts: 24,177   +19

    Hello and welcome to Techspot.

    Let's have a quick check for malware.

    Go and read this thread HERE and post a HJT log as an attachment into this thread.

    Regards Howard :)
     
  3. Ninte

    Ninte TS Rookie Topic Starter Posts: 16

    What is Hijack This, exactly? I keep seeing it pop up in posts, but I don't really understand what it is.
     
  4. howard_hopkinso

    It's a tool that allows us to see if there's malware on your system and in some cases stop it from running.

    Just post the HJT log as requested.

    Regards Howard :)
     
  5. Ninte

    I think it's attached. Sorry that took so long!
     
  6. howard_hopkinso

    Just as I suspected, your system is badly infected with a variety of malware, as well as a hijacker.

    Very Important: Before deciding whether you should clean or reformat your system, go and read this thread HERE and decide what it is you want to do.

    If after reading the above, you wish to clean your system, do the following.

    Please download FixWareout from one of these sites:
    http://downloads.subratam.org/Fixwareout.exe
    http://www.bleepingcomputer.com/files/lonny/Fixwareout.exe

    Save it to your desktop and run it. Click Next, then Install, make sure "Run fixit" is checked and click Finish.
    The fix will begin; follow the prompts. You will be asked to reboot your computer; please do so. Your system may take longer than usual to load; this is normal.

    Then, go and read the Viruses/Spyware/Malware, preliminary removal instructions. Follow all the instructions exactly.

    Post fresh HJT, AVG Antispyware and Combofix logs as attachments into this thread, only after doing the above.

    Also, please attach the C:\fixwareout\report.txt.

    Also, let me know the results of the Panda Antirootkit scan.

    Regards Howard :)

    This thread is for the use of Ninte only. Please don`t post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
     
  7. Ninte

    I read it and cleaning seems a better option, so I'll get started on your instructions. Be warned, it might take me a while.
     
  8. howard_hopkinso

    That's ok, just make sure you follow the instructions properly.

    Regards Howard :)
     
  9. Ninte

    I was trying to upload the report so I wouldn't forget, but I couldn't find it. I used search, and it said the file was in the fixwareout.exe, but I couldn't figure out how to get the report out of that.

    I got as far as to finish step 6, but I have to go. I'll do the rest either Wednesday or Thursday. I have no idea how to find the report for the fixit, by the way. I tried search.
     
  10. howard_hopkinso

    The Fixwareout report is located at C:\fixwareout\report.txt, as I said in my post above.

    Wait till you have the rest of the requested log files etc, before you attach it.

    Regards Howard :)
     
  11. Ninte

    I got as far as the combofix. A blue box opened, and nothing else loaded, so I tried to type in the 1. It didn't work (the 1 didn't even show up). Did I do something wrong?
     
  12. howard_hopkinso

    That's ok, just redownload SmitFraudFix and try again. If it still happens, just skip it and move on to the next instruction.

    Regards Howard :)
     
  13. Ninte

    You mean redownload combofix, right? Or should I actually redo smitfraudfix?

    EDIT: Combofix suddenly popped up, so I don't know about the whole ten minute delay thing. Thanks, though!
     
  14. howard_hopkinso

    Sorry, yes, I meant Combofix lol.

    Regards Howard :)
     
  15. Ninte

    The instructions said to delete anything in the virus vault after the scan, but I was wondering about the ntos.exe. I googled it and saw something about it being used to help start up the computer or something unless it gets corrupted. Should I delete it?
     
  16. howard_hopkinso

    ntos.exe is nasty, especially if it's found in your Windows\system32 folder. So, yes, you should delete it.

    You really do need to post the requested log files and the results of the Panda Antirootkit scan.

    Regards Howard :)
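As an added worked example (not from this thread, and not HijackThis code): the kind of triage a responder applies to the HJT log requested above before answering a question like the one about ntos.exe. The genuine kernel image, ntoskrnl.exe, is loaded by the boot loader, never from a Run key or from the UserInit value, and never appears under its own name in Task Manager, so any autostart entry that points at a kernel-lookalike name such as ntos.exe in System32 deserves a closer look, and so does any program chained after userinit.exe in UserInit. The log lines, the allowlists and the name patterns below are constructed assumptions for this demo, not the poster's real log.

```python
"""Triage of HijackThis (HJT) autostart lines for kernel-impostor binaries.

Added example; not part of the TechSpot thread and not HijackThis code.
The sample log is constructed to resemble HJT's O4 (Run keys) and
F2 (system.ini UserInit) output; the allowlists are assumptions.
"""
import re
from pathlib import PureWindowsPath

# Constructed sample resembling an HJT log. Not the poster's real log.
SAMPLE_HJT = """\
Logfile of HijackThis (constructed sample)
O4 - HKLM\\..\\Run: [AVG7_CC] C:\\PROGRA~1\\Grisoft\\AVG7\\avgcc.exe /STARTUP
O4 - HKLM\\..\\Run: [ntos] C:\\WINDOWS\\system32\\ntos.exe
O4 - HKCU\\..\\Run: [ctfmon.exe] C:\\WINDOWS\\system32\\ctfmon.exe
F2 - REG:system.ini: UserInit=C:\\WINDOWS\\system32\\userinit.exe,C:\\WINDOWS\\system32\\ntos.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\\PROGRA~1\\Grisoft\\AVG7\\avgamsvr.exe
"""

# File names the real Windows kernel image family uses. None of them is
# ever a legitimate autostart entry: the kernel is loaded by the boot loader.
REAL_KERNEL_FAMILY = {"ntoskrnl.exe", "ntkrnlpa.exe", "ntkrnlmp.exe", "ntkrpamp.exe"}

# The only program UserInit is expected to launch (assumption for this demo).
EXPECTED_USERINIT = {"userinit.exe"}

O4_RE = re.compile(r"^O4 - (?P<hive>\S+): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
F2_RE = re.compile(r"^F2 - REG:system\.ini: UserInit=(?P<value>.+)$")


def exe_name(cmd):
    """Return the lower-cased file name of the first token of a command line.

    HJT prints unquoted 8.3 paths, so splitting on whitespace is adequate here.
    """
    return PureWindowsPath(cmd.split()[0]).name.lower()


def looks_like_kernel_impostor(exe):
    """True for names that imitate the kernel (ntos.exe, ntoskrnl32.exe, ...)
    but are not a genuine kernel image name."""
    exe = exe.lower()
    return exe not in REAL_KERNEL_FAMILY and (
        exe.startswith("ntos") or exe.startswith("ntkrnl")
    )


def triage(log_text):
    """Scan O4 and F2 lines; return (section, exe, reason) findings in log order."""
    findings = []
    for line in log_text.splitlines():
        m = O4_RE.match(line)
        if m:
            exe = exe_name(m.group("cmd"))
            if exe in REAL_KERNEL_FAMILY:
                findings.append(("O4", exe, "kernel image registered as an autostart"))
            elif looks_like_kernel_impostor(exe):
                findings.append(("O4", exe, "autostart uses a kernel-lookalike name"))
            continue
        m = F2_RE.match(line)
        if m:
            # UserInit is a comma-separated list; anything chained after
            # userinit.exe runs at every logon and is a classic hijack point.
            for entry in m.group("value").split(","):
                entry = entry.strip()
                if entry and exe_name(entry) not in EXPECTED_USERINIT:
                    findings.append(("F2", exe_name(entry), "extra program chained into UserInit"))
    return findings


if __name__ == "__main__":
    for section, exe, reason in triage(SAMPLE_HJT):
        print(f"{section}: {exe}: {reason}")
```

On the constructed sample this reports ntos.exe twice, once as a Run-key autostart and once chained into UserInit; the AVG and ctfmon entries pass. The check is deliberately narrow (names, not hashes), so a clean result says nothing about files that use an innocuous name; that is what the rootkit scan requested later in the thread is for.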
     
  17. Ninte

    The panda antirootkit didn't find anything.

    AVG spyware also had some trouble quarantining. It couldn't quarantine about five out of the six trojans. AVG went crazy at that point, and I must have selected heal on about 35 or so threat detections.

    I tried several times to upload the HJT log, but I'm not sure if it worked. This happened with the fixit log, too. The combofix as well! I'll post this and try those three logs again.

    When I try to upload them, all it says is 'Attachment in progress. Can be deleted here.'
     
  18. howard_hopkinso

    All the infections in your AVG Antispyware log are in your system restore points. There's no need to worry about those at the moment and we'll deal with them after we've cleaned your system.

    Regards Howard :)
     
  19. Ninte

    Alright. What about the logs that wouldn't show up?
     
  20. howard_hopkinso

    You need to run the Panda antirootkit scan and let me know the results. That's because the Downloader.Agent.uj uses rootkit technology.

    Then, after we`ve looked at that, we`ll see about those log files.

    Regards Howard :)
     
  21. Ninte

    I did run the Panda antirootkit scan. It didn't find anything. Will the showing private files thing change that?
     
  22. howard_hopkinso

    Ok, in that case, please do the following.

    Download and run the Blacklight programme. Follow all the instructions carefully.

    Let me know if it finds anything.

    Regards Howard :)
     
  23. Ninte

    What version do I want? The BlackLight Beta graphical user interface version or the command line version?

    Also, the main page mentions something about it not working after the first of October.
     
  24. howard_hopkinso

    The BlackLight Beta graphical user interface version.

    Regards Howard :)
     
  25. Ninte

    I downloaded it and tried to run it, but the pop-up said that the evaluation period for the software has expired and to go to the website and look for the latest software. I think it's the first of October thing.
     