
command prompt [Solved]


This topic is locked

#1 carte (Member, 18 posts)
Hi there,
I need help on this. My command prompt keeps popping up every few seconds; it won't stay long, just like blinking.
Somehow I managed to see what's on the prompt title bar; it's written:
c:\WINDOWS\system32\nvidia.exe

For the information, I don't use an Nvidia graphics card on my laptop.
I tried running virus scanning using Kaspersky, AVG and a few AVs, but none of the AVs detect anything.
Finally I did HijackThis, and this is what I came up with:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:09:18 PM, on 2/24/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS.0\System32\smss.exe
C:\WINDOWS.0\system32\winlogon.exe
C:\WINDOWS.0\system32\services.exe
C:\WINDOWS.0\system32\lsass.exe
C:\WINDOWS.0\system32\svchost.exe
C:\WINDOWS.0\System32\svchost.exe
C:\WINDOWS.0\system32\spoolsv.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0 for Windows Workstations\avp.exe
C:\WINDOWS.0\Explorer.exe
C:\WINDOWS.0\system32\shell.exe
C:\WINDOWS.0\system32\igfxpers.exe
C:\WINDOWS.0\RTHDCPL.EXE
C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0 for Windows Workstations\avp.exe
C:\WINDOWS.0\system32\igfxsrvc.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS.0\system32\msdto.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\HotKey_Driver\HotKeyDriver.exe
C:\Documents and Settings\Administrator\Desktop\New Folder\NkbMonitor.exe
C:\WINDOWS.0\system32\svchost.exe
C:\WINDOWS.0\system32\wbem\unsecapp.exe
C:\WINDOWS.0\system32\wuauclt.exe
C:\Program Files\WinRAR\WinRAR.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS.0\system32\cstrike.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.smart.com.my/home.htm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.smart.com.my/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.smart.com.my/
F2 - REG:system.ini: Shell=Explorer.exe shell
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS.0\system32\igfxpers.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [SMSERIAL] C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0 for Windows Workstations\avp.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [msdto] C:\WINDOWS.0\system32\msdto.exe
O4 - HKLM\..\Run: [cstrike] C:\WINDOWS.0\system32\cstrike.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: HotKeyDriver.lnk = ?
O4 - Global Startup: NkbMonitor.exe.lnk = C:\Documents and Settings\Administrator\Desktop\New Folder\NkbMonitor.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.smart.com.my/
O17 - HKLM\System\CCS\Services\Tcpip\..\{B5F43E10-41BB-4516-8856-52FA5054F50C}: NameServer = 10.251.3.2,10.253.0.13
O23 - Service: Kaspersky Anti-Virus 6.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0 for Windows Workstations\avp.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: CLCV0 (UTSCSI) - Unknown owner - C:\WINDOWS.0\system32\UTSCSI.EXE

--
End of file - 3683 bytes

I have no idea what I should delete, and I really need help on this because I don't want to reformat my laptop.
Thanks
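As an added example (not from the thread and not from HijackThis or any tool named here), the Python below does over a constructed excerpt of this log the kind of triage the helper does by eye: it flags the F2 Shell= line that chains an extra process onto Explorer.exe, O4 Run entries and running processes that sit in system32 but are not in a baseline, and O23 services with no named publisher. The baseline set and the regexes are assumptions made for this example.

```python
import re

# Constructed excerpt of the HijackThis log in post #1 (a handful of its lines).
SAMPLE_LOG = """\
Running processes:
C:\\WINDOWS.0\\system32\\winlogon.exe
C:\\WINDOWS.0\\system32\\shell.exe
C:\\WINDOWS.0\\system32\\msdto.exe
C:\\WINDOWS.0\\system32\\cstrike.exe

F2 - REG:system.ini: Shell=Explorer.exe shell
O4 - HKLM\\..\\Run: [Persistence] C:\\WINDOWS.0\\system32\\igfxpers.exe
O4 - HKLM\\..\\Run: [msdto] C:\\WINDOWS.0\\system32\\msdto.exe
O4 - HKLM\\..\\Run: [cstrike] C:\\WINDOWS.0\\system32\\cstrike.exe
O23 - Service: Kaspersky Anti-Virus 6.0 (AVP) - Kaspersky Lab - C:\\Program Files\\Kaspersky Lab\\avp.exe
O23 - Service: CLCV0 (UTSCSI) - Unknown owner - C:\\WINDOWS.0\\system32\\UTSCSI.EXE
"""

# Hypothetical baseline of system32 binaries expected on this XP laptop; a real
# baseline comes from a clean image or publisher signatures, not a typed-in set.
KNOWN_SYSTEM32 = {"smss.exe", "winlogon.exe", "services.exe", "lsass.exe", "svchost.exe",
                  "spoolsv.exe", "igfxpers.exe", "igfxsrvc.exe", "wuauclt.exe"}

F2_RE = re.compile(r"^F2 - REG:system\.ini: Shell=(?P<shell>.+)$")
O4_RE = re.compile(r"^O4 - HK\w+\\\.\.\\Run: \[[^\]]+\] (?P<cmd>.+)$")
O23_RE = re.compile(r"^O23 - Service: (?P<svc>.+?) - (?P<owner>.+?) - .+$")

def exe_name(cmd):
    """Lowercase file name of the executable in a path or O4 command line."""
    cmd = cmd.strip()
    path = cmd[1:].split('"', 1)[0] if cmd.startswith('"') else cmd.split(" ", 1)[0]
    return path.rsplit("\\", 1)[-1].lower()

def unexpected(path):
    """True for a system32 binary that is not in the baseline."""
    return "\\system32\\" in path.lower() and exe_name(path) not in KNOWN_SYSTEM32

def triage(log_text):
    """Return (kind, item, line) findings a helper would look at first."""
    findings, in_procs = [], False
    for line in log_text.splitlines():
        if line.startswith("Running processes:"):
            in_procs = True
        elif in_procs and not line.strip():       # process list ends at a blank line
            in_procs = False
        elif in_procs:
            if unexpected(line):
                findings.append(("process", exe_name(line), line))
        elif (m := F2_RE.match(line)) and m["shell"].strip().lower() != "explorer.exe":
            findings.append(("shell", m["shell"], line))   # extra process chained onto the shell
        elif (m := O4_RE.match(line)) and unexpected(m["cmd"]):
            findings.append(("run", exe_name(m["cmd"]), line))
        elif (m := O23_RE.match(line)) and m["owner"].lower() == "unknown owner":
            findings.append(("service", m["svc"], line))   # no publisher: verify the binary
    return findings
```

A hit here only means "look at this first"; an unsigned but legitimate OEM service will also show up under the service rule.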


#2 IndiGenus (Anti-Malware Buddha, 1,617 posts)
Hi carte and welcome to the forums here at G2G!

Before we do anything, let's get a closer look.

Download OTScanIt2.exe to your Desktop and double-click on it to extract the files. It will create a folder named OTScanIt2 on your desktop.
  • Open the OTScanIt2 folder and double-click on OTScanIt.exe to start the program. Make sure you close all other programs and don't use the PC while the scan runs.
    • In the Rootkit Search section select the Yes radio button.
    • Under Additional Scans check the boxes beside Reg - ColumnHandlers, Reg - Desktop Components, Reg - Disabled MS Config Items, Reg - File Associations, Reg - NetSvcs, Reg - Protocol Filters, Reg - Protocol Handlers, Reg - SafeBoot Minimal, Reg - SafeBoot Network, Reg - Session Manager Settings, Reg - Uninstall List, Reg - Winsock2 Catalogs, File - Lop Check, File - Purity Scan, Files - Signature Check, and Evnt - EventViewer Logs ( Last 10 Errors).
  • Now click the Run Scan button on the toolbar. Make sure not to use the PC while the program is running or it will freeze.
  • When the scan is complete Notepad will open with the report file loaded in it.
  • Click the Format menu and make sure that Wordwrap is not checked. If it is then click on it to uncheck it.
Use the Add Reply button and post the information back here in an attachment. I will review it when it comes in. The last line is < End of Report >, so make sure that is the last line in the attached report.


Make sure you attach the report in your reply. If it is too big to upload, then zip the text file and upload it that way.

#3 carte (Topic Starter, Member, 18 posts)
Hello IndiGenus, thanks for your response. I did everything according to your instructions and this is what I came out with: (attachment)
Once again, thank you.

Edited by carte, 24 February 2009 - 07:54 PM.


#4 carte (Topic Starter, Member, 18 posts)
Sorry, in the first 2 posts I had trouble editing and typing because of the blinking command prompt. Here's the actual attachment.


#5 IndiGenus (Anti-Malware Buddha, 1,617 posts)
Download ComboFix from one of these locations:

Link 1
Link 2
Link 3

* IMPORTANT !!! Save ComboFix.exe to your Desktop


  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. Note: If you are having difficulty properly disabling your protective programs, or are unsure as to what programs need to be disabled, please refer to the information available through this link : How to Disable your Security Programs

  • Double click on ComboFix.exe & follow the prompts.

  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply. Please also post an updated HijackThis log and let me know how it's running.

Notes:

1. Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
2. ComboFix may reset a number of Internet Explorer's settings, including making IE the default browser.
3. ComboFix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal and increase security. If this is an issue or makes it difficult for you, please tell your helper.
4. CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

#6 carte (Topic Starter, Member, 18 posts)
Hi IndiGenus, thanks. If your last reply was to cure the problem, then it didn't work; I still have the blinking going on. Anyway, I did everything according to your instructions. I've attached it here. Thank you for your concern.


#7 IndiGenus (Anti-Malware Buddha, 1,617 posts)
1. Open Notepad

2. Now copy/paste the entire content of the codebox below into the Notepad window:

File::
F:\hpkq.cmd
c:\windows.0\udll3011.dll
c:\windows.0\system32\msdto.exe
c:\windows.0\system32\cstrike.exe

DirLook::
C:\WINDOWS.0test

Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"msdto"=-
"cstrike"=-
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{9c51a28b-d8e6-11dd-ab71-0015af73f92d}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{78341756-f33c-11dd-ab96-0015af73f92d}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{78341870-f33c-11dd-ab96-0015af73f92d}]


3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.


5. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
  • Combofix.txt
  • A new HijackThis log.

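Added example, not part of the thread and not ComboFix's own code: a Python parser that turns the CFScript above into a plain list of the actions it asks for, so the script can be read back before it is dragged onto ComboFix.exe. The directive meanings it relies on (File:: deletes, DirLook:: lists a directory, `[-Key]` deletes a key, `"name"=-` deletes a value) are stated as assumptions in the docstring.

```python
# Constructed copy of the CFScript in post #7 (two of the three mountpoints2 keys omitted).
CFSCRIPT = """\
File::
F:\\hpkq.cmd
c:\\windows.0\\udll3011.dll
c:\\windows.0\\system32\\msdto.exe
c:\\windows.0\\system32\\cstrike.exe

DirLook::
C:\\WINDOWS.0test

Registry::
[HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run]
"msdto"=-
"cstrike"=-
[-HKEY_CURRENT_USER\\software\\microsoft\\windows\\currentversion\\explorer\\mountpoints2\\{9c51a28b-d8e6-11dd-ab71-0015af73f92d}]
"""

def parse_cfscript(text):
    """Return the script as (action, target) tuples in script order.

    Assumed directive meanings: File:: entries are deleted, DirLook:: entries are
    listed in the log, and Registry:: uses .reg syntax, where "[Key]" selects a key,
    "[-Key]" deletes that key and "name"=- deletes a value under the selected key.
    """
    actions, section, key = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.endswith("::"):                 # section header such as File::
            section, key = line[:-2], None
        elif section == "File":
            actions.append(("delete_file", line))
        elif section == "DirLook":
            actions.append(("list_dir", line))
        elif section == "Registry":
            if line.startswith("[-") and line.endswith("]"):
                actions.append(("delete_key", line[2:-1]))
            elif line.startswith("[") and line.endswith("]"):
                key = line[1:-1]                # later "name"=- lines refer to this key
            elif line.endswith("=-") and key:
                actions.append(("delete_value", key + "\\" + line[:-2].strip('"')))
            else:
                raise ValueError("unsupported Registry:: line: " + line)
        else:
            raise ValueError("line outside any section: " + line)
    return actions
```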

#8 carte (Topic Starter, Member, 18 posts)
Hi, OK, after following your steps I'm still having the blinking command prompt, but this time I realise it has a different title written on the title bar,
like this:

the old title: c\WINDOWS\System32\nvidia.exe
the new title: c\WINDOWS.O\System32\nvidia.exe

But the good news is the blinking period is reduced.

OK, here are the latest logs that I came up with.


#9 IndiGenus (Anti-Malware Buddha, 1,617 posts)
We definitely have a rootkit running here....but I'm more concerned this may also have Virut, which is a nasty file infector. Before moving on I would like you to run an online Kaspersky scan so we can check for that. I know you have Kaspersky running on the machine already, and you may ask, why not just run that? It may be corrupted if it is indeed virut, so this gives us a second opinion. The online scanner won't fix anything, but once we get the report we can proceed.

I'd like for you to run this next online scan to check for remnants or anything that might be hidden.
The below scan can take up to an hour or longer, please be patient.

*Note
It is recommended to disable onboard antivirus program and antispyware programs while performing scans so no conflicts and to speed up scan time.
Please don't go surfing while your resident protection is disabled!
Once scan is finished remember to re-enable resident antivirus protection along with whatever antispyware app you use.


Please do a scan with Kaspersky Online Scanner or from here
http://www.kaspersky.com/virusscanner

Note: If you are using Windows Vista, open your browser by right-clicking on its icon and select 'Run as administrator' to perform this scan.

  • Click on the Accept button and install any components it needs.
  • The program will install and then begin downloading the latest definition files.
  • After the files have been downloaded, on the left side of the page in the Scan section select My Computer.
  • This will start the program and scan your system.
  • The scan will take a while, so be patient and let it run. (At times it may appear to stall.)
    • Once the update is complete, click on My Computer under the green Scan bar to the left to start the scan.
    • Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
    • Do NOT be alarmed by what you see in the report. Many of the finds have likely been quarantined.
  • Once the scan is complete, click on View scan report. To obtain the report:
    • Click on: Save Report As
    • Next, in the Save as prompt, Save in area, select: Desktop
    • In the File name area, use KScan, or something similar. In Save as type, click the drop arrow and select: Text file [*.txt]
    • Then, click: Save
  • Please post the Kaspersky Online Scanner Report in your reply.

Animated tutorial
http://i275.photobuc...ng/KAS/KAS9.gif

(Note for Internet Explorer 7 users: if at any time you have trouble with the "Accept" button of the license, click on the "Zoom" tool located at the bottom right of the IE window and set the zoom to 75%. Once the license has been accepted, reset to 100%.)
Or use Firefox with the IE-Tab plugin:
https://addons.mozil...efox/addon/1419

In your next reply post:
  • Kaspersky log
  • New HJT log taken after the above scan has run


#10 IndiGenus (Anti-Malware Buddha, 1,617 posts)
How you making out here? Still want help?


#11 carte (Topic Starter, Member, 18 posts)
Hi there, sorry I took so long to reply; I was outstation for the weekend. OK, I followed your instructions, but after doing the online scanning the report was empty; there was no infection detected. Though I have attached the online scanning report and the new HijackThis report. Take a look, and I hope to hear from you soon.


#12 IndiGenus (Anti-Malware Buddha, 1,617 posts)
Okay well no Virut, so good news there.

Please download SDFix and save it to your Desktop.

You should print out these instructions, or copy them to a NotePad file for reading while in Safe Mode, because you will not be able to connect to the Internet to read from this site.

Double click on SDFix.exe. It should automatically extract a folder called SDFix to your system drive (usually C:\). Please reboot your computer in Safe Mode by doing the following :
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, a menu with options should appear;
  • Select the first option, to run Windows in Safe Mode, then press "Enter".
  • Choose your usual account.
  • Open the SDFix folder and double click on RunThis.bat to start the script.
  • Type Y and press Enter to begin the script.
  • It will start cleaning your PC and then prompt you to press any key to Reboot.
  • Press any key to restart the PC.
  • Your system will take longer than normal to restart as the fixtool will be removing files.
  • When the desktop loads the Fixtool will complete the removal and display Finished.
  • Press any key to end the script and to load your desktop icons.
  • A text file should automatically open, so please copy the contents and post them here.

~~~~~~~~~~~~~~~~~~~~~~

I would also like you to re-run OTScanIt2 as you did earlier, and post the log from that.

Edited by IndiGenus, 03 March 2009 - 09:22 AM.


#13 carte (Topic Starter, Member, 18 posts)
Hi there,
I followed your steps, but I faced some problems.
I managed to download the SDFix application and unzipped it.
However, when I entered Safe Mode and tried to run the application, nothing happened. It's more like the application was not responding.

Then I went back to the normal mode of Windows; it was the same.
After that I just tried the catchme application that came with SDFix.
Here's the log report.


#14 IndiGenus (Anti-Malware Buddha, 1,617 posts)
Okay then, please run OTScanIt2 again as you did earlier, and upload those logs.

Thanks

#15 carte (Topic Starter, Member, 18 posts)
Hi, here's the latest OTScanIt2 log.
