Trojan ntos.exe



Gomhoofd
2007-05-19, 21:06
Hi,

Spybot found on my computer following entries:

Win32.Agent.pz: Program directory
C:\WINDOWS\System32\wsnpoem\

Win32.Agent.pz: Library
C:\WINDOWS\System32\wsnpoem\audio.dll

Win32.Agent.pz: Library
C:\WINDOWS\System32\wsnpoem\video.dll

Win32.Agent.pz: Settings
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit=...C:\WINDOWS\System32\ntos.exe

And was not able to remove them. Norton antivirus found nothing.

Wondering what was going on I started to search for similar cases on your forum, and found this:

http://forums.spybot.info/showthread.php?t=12758

In panic because of the comments of "Angelfire777 - Warrior", I kept on searching and found also this:

http://forums.spybot.info/showthread.php?t=9080&highlight=ntos.exe

Where "bitman - Spybot Advisor Team" advises "Gabe2k2" to take a look at this:

http://ip.securescience.net/advisori...eCaseStudy.pdf

I also took a look at this document and followed the advice given to clean up the trojan:

"There is an easier way to clean the system that does not share the same stability concerns, but is very effective. One can use a tool such as Process Explorer, [11] to close winlogon.exe’s handle to ntos.exe. This can be done by using the “Find Handle” function and searching for “ntos.exe.”
From here, ntos.exe can be deleted; and once the system is rebooted, it will no longer be infected. This is because after removing ntos.exe from disk, the trojan is only memory resident. The remaining files and registry values identified in the detection program can be removed, however they will not cause harm to the system once the main trojan code is deactivated."
([Prg] Malware Case Study, By Secure Science Corporation and Michael Ligh
13-November 2006, v1.0)

After having done this, and rebooting the system, Spybot found the same entries as given before, but was now able to remove the entries.

So, according to Spybot my system is clean now. But being an absolute dummy in these matters, and after reading so many comments and things that I don't understand at all, I have serious doubts whether the problem is indeed completely solved. Therefore these questions:
1. Are the hackers indeed not receiving information from my PC anymore?
2. Am I more vulnerable now to other attacks?
3. Can I (still) spread or affect other computers with this trojan?
And 4. If this trojan has already been known that well since November 2006, how come Norton, which costs me +/- €100 a year for two computers, doesn't report anything? - How come Spybot still cannot repair the entry?

I thank you already in advance for helping this dummy to become a little less dumb.
:sad:
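The Spybot entries above and the quoted Secure Science procedure describe two things a practitioner wants to check on such a machine: what the Winlogon Userinit value currently launches, and which process holds ntos.exe open so that the file cannot be deleted until that handle is closed. The following PowerShell script is an added example, not code from this thread, from Spybot or from the Secure Science paper; it assumes a stock Userinit value of "<SystemRoot>\system32\userinit.exe," and that the Sysinternals handle.exe tool is on PATH if handle enumeration is wanted.

```powershell
# Added example; not from the thread or from the Secure Science paper.
# Audits Winlogon\Userinit, flags every entry that is not the stock
# userinit.exe, checks whether the referenced file and the wsnpoem directory
# still exist and, if Sysinternals handle.exe is available, lists the process
# that keeps the file open so its handle can be closed before deletion.
# Run from an elevated PowerShell prompt.
param(
    [switch]$Remediate  # restore the default Userinit value if a hijack is found
)

$winlogonKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$system32    = Join-Path $env:SystemRoot 'system32'

# Assumption: the stock value is "<SystemRoot>\system32\userinit.exe," (trailing comma).
$defaultUserinit = Join-Path $system32 'userinit.exe'

function Get-UserinitEntries {
    # Winlogon launches every comma-separated entry of this value at logon,
    # which is why an appended ntos.exe path runs before the user's shell.
    $raw = (Get-ItemProperty -Path $winlogonKey -Name Userinit).Userinit
    return @($raw -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ })
}

$entries    = Get-UserinitEntries
$suspicious = @($entries | Where-Object { -not ($_ -ieq $defaultUserinit) })

Write-Host "Userinit = $($entries -join ',')"

foreach ($path in $suspicious) {
    $onDisk = Test-Path -LiteralPath $path
    Write-Warning "Unexpected Userinit entry: $path (file present: $onDisk)"

    if ($onDisk -and (Get-Command handle.exe -ErrorAction SilentlyContinue)) {
        # handle.exe <name> prints "<process> pid: <n> type: File <hex>: <path>"
        # for every open handle whose path contains <name>; in the case the
        # paper describes the holder is winlogon.exe.
        & handle.exe -accepteula (Split-Path -Leaf $path)
        Write-Host 'Close it with: handle.exe -c <hex> -p <pid> -y, then delete the file.'
    }
}

# Companion files listed in the Spybot report; location assumed from that report.
$wsnpoem = Join-Path $system32 'wsnpoem'
if (Test-Path -LiteralPath $wsnpoem) {
    Write-Warning "Directory still present: $wsnpoem"
    Get-ChildItem -LiteralPath $wsnpoem -Force | Select-Object FullName, Length, LastWriteTime
}

if ($suspicious.Count -eq 0) {
    Write-Host 'Userinit looks clean.'
} elseif ($Remediate) {
    # A wrong Userinit value breaks interactive logon, so refuse to write a
    # default that does not exist on this system.
    if (-not (Test-Path -LiteralPath $defaultUserinit)) {
        throw "Expected default $defaultUserinit not found; not touching Userinit."
    }
    Set-ItemProperty -Path $winlogonKey -Name Userinit -Value "$defaultUserinit,"
    Write-Host "Userinit restored to: $defaultUserinit,"
}
```

Two caveats for anyone using this on a live machine. Winlogon still processes Userinit in every Safe Mode variant, so the file is normally in use there as well; either closing the handle as the paper suggests or booting from a separate environment (the PE CD-ROM mentioned later in this thread) is what makes the delete succeed. And the script only audits the Userinit value the report named; the Shell value and the per-user HKCU equivalents are not checked.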

Gomhoofd
2007-05-21, 13:37
It looks like in my search for more info about the threat that infected my PC, I found another description of the threat, and even a name for this Trojan-Spy: Win32.Banker.cmb
For more details: http://www.viruslist.com/en/viruses/encyclopedia?virusid=154559#doc2
I also noticed that I posted in the "New and undetected" section of the forum, which was not my intention in the first place. :oops: Since it's clear this thread doesn't belong here, I rely on the administrators to move this thread to a more appropriate place. Thanks.
Meanwhile I'm still waiting for some answers to my questions... :rolleyes:

Gomhoofd
2007-05-26, 12:15
It seems that indeed not everything was deleted or solved, because today Norton Antivirus reported that it found a trojan, Infostealer.Banker.C, and that it deleted it and restored the problem. According to what I found on the Norton webpage, it's indeed the same trojan (ntos.exe):
http://www.symantec.com/security_response/writeup.jsp?docid=2007-040208-5335-99&tabid=1
They discovered it on April 2, 2007, and call it << Infostealer.Banker.C >>
So it seems that it took them about six weeks to have the updates for the virus scanner ready.
Anyway, the remark in my previous post about Norton not detecting the threat is no longer current, because since today it does, and reports that it solves the problem. :bigthumb:
I'm however not so sure about this, so I'm planning a Kaspersky online anti-virus scan and will post this together with a HijackThis log as a new thread in the Malware Removal forum, where authorized helpers may give malware removal assistance.
I'll post the link to it here as soon as I've posted the thread.

Gomhoofd
2007-05-27, 10:52
I was not able to install the ActiveX for the Kaspersky online scan. So I did the CA online virus scan ( http://www.ca.com/us/ ) and the CA online malware scan, which indeed detected traces of the trojan.
I posted the results and a HijackThis log here:

http://forums.spybot.info/showthread.php?p=89182#post89182

marcovaldo
2007-06-28, 20:14
Hit me (or the PC of a customer) today. Kaspersky Internet Security 6.0, freshly installed (on an already infected PC), found some other files (*.hta, possibly these have been the droppers only) - but didn't detect the NTOS itself.
Cleaned using the PE-CDROM and filemanager/autostart tool to remove
ntos.exe and video.dll, audio.dll and autostart registry key
(Will check tomorrow if it came back)

Triggered by the fact that the (commercial) Kaspersky didn't detect ntos.exe
I will donate to the spybot project and use this opportunity to say thank you for that great work!

Marcovaldo

Tawny
2007-10-27, 19:20
I have the same Trojan file on my computer and Trendcillin didn't find it. My HijackThis program did.

I can't delete it in the safe mode with the command prompt as so many people suggest. I get the "file being used" can't delete message.

I don't know what PE-CDROM is.

tashi
2007-10-29, 04:44
Hi Tawny.

I have the same Trojan file on my computer and Trendcillin didn't find it. My HijackThis program did.

I can't delete it in the safe mode with the command prompt as so many people suggest. I get the "file being used" can't delete message.

I don't know what PE-CDROM is.

It would probably be best if you follow the instructions here: "BEFORE you POST"(READ this Procedure BEFORE Requesting Assistance) (http://forums.spybot.info/showthread.php?t=288) so that we can see exactly what HJT found.

Then start your own thread in the Malware Removal Forum (http://forums.spybot.info/forumdisplay.php?f=22)

Most of what HJT lists will be harmless or even required by your Operating System, so please do not 'fix' anything until you are advised by one of our helpers.

Cheers.