Results 1 to 7 of 7

Thread: Trojan ntos.exe

  1. #1
    Junior Member
    Join Date
    May 2007
    Location
    Montgat (Barcelona)
    Posts
    7

    Default Trojan ntos.exe

    Hi,

    Spybot found on my computer following entries:

    Win32.Agent.pz: Program directory
    C:\WINDOWS\System32\wsnpoem\

    Win32.Agent.pz: Library
    C:\WINDOWS\System32\wsnpoem\audio.dll

    Win32.Agent.pz: Library
    C:\WINDOWS\System32\wsnpoem\video.dll

    Win32.Agent.pz: Settings
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit=...C:\WINDOWS\System32\ntos.exe

    And was not able to remove them. Norton antivirus found nothing.

    Wondering what was going on I started to search for similar cases on your forum, and found this:

    http://forums.spybot.info/showthread.php?t=12758

    In panic because of the comments of "Angelfire777 - Warrior", I kept on searching and found also this:

    http://forums.spybot.info/showthread...light=ntos.exe

    Were "bitman - Spybot Advisor Team' advices "Gabe2k2" to take a look at this:

    http://ip.securescience.net/advisori...eCaseStudy.pdf

    I also took a look at this document and followed the advice given to clean up the trojan:

    "There is an easier way to clean the system that does not share the same stability concerns, but is very effective. One can use a tool such as Process Explorer, [11] to close winlogon.exe’s handle to ntos.exe. This can be done by using the “Find Handle” function and searching for “ntos.exe.”
    From here, ntos.exe can be deleted; and once the system is rebooted, it will no longer be infected. This is because after removing ntos.exe from disk, the trojan is only memory resident. The remaining files and registry values identified in the detection program can be removed, however they will not cause harm to the system once the main trojan code is deactivated."
    ([Prg] Malware Case Study, By Secure Science Corporation and Michael Ligh
    13-November 2006, v1.0)

    After having done this, and rebooting the system, Spybot found the same entries like given before, but was now able to remove the entries.

    So, according to Spybot my system is clean now. But beeing an absolut dummy on this matters, and after reading so many comments and things that I don't understand at all, i have serious doubts if indeed the problem is completely solved> Therefore these questions:
    1. Are the hackers indeed not receiving information from my pc anymore?
    2. Am I more vurnible now for other attacks?
    3. Can i (still) spread or affect other computers with this trojan?
    And 4. If this trojan is already know that well since november 2006, how come that Norton, wich costs me +/- €100 a year for two computers, don't report anything? - How come that Spybot still can not repair the entry?

    I thank U already in advance to help this dummy to become a little less dumb.

  2. #2
    Junior Member
    Join Date
    May 2007
    Location
    Montgat (Barcelona)
    Posts
    7

    Lightbulb Trojan-Spy.Win32.Banker.cmb

    It looks that in my search for more info about the threat that infected my pc, I found another discription of the threat, and even a name for this Trojan-Spy: Win32.Banker.cmb
    For more details: http://www.viruslist.com/en/viruses/...id=154559#doc2
    I also noticed that I posted in the "New and undetected" section of the forum, what was not my intention in the first place. Since it's clear this thread don't belong here, I relay on the administrators to move this thread to a more apropiate place. Thanks.
    Meanwhile i'm still waiting for some answers on my questions...
    Last edited by Gomhoofd; 2007-05-21 at 14:41. Reason: typo

  3. #3
    Junior Member
    Join Date
    May 2007
    Location
    Montgat (Barcelona)
    Posts
    7

    Default Infostealer.Banker.C

    It seems that indeed not everything was deleted or solved, because today Norton-antivirus reported that it found a trojan: Infostealer.Banker.C, and that it deleted and restored the problem. According to what I found on the Norton webpage, it's indeed about the same trojan (ntos.exe):
    http://www.symantec.com/security_res...335-99&tabid=1
    They discoverd it on april 2, 2007, and call it << Infostealer.Banker.C >>
    So it seems that it took a week or 6 for them to have the updates for the virusscanner ready.
    Anyway, the remark in my previous post about Norton not detecting the treat is not current anymore, because since today it does, and reports that it solves the problem.
    I'm however not so sure about this, so I'm planning a Kaspersky online anti-virus scan and post this togheter with a HighjackThis log as a new thread in the Malware Removal forum, where authorized helpers may give malware removal assistance in this forum.
    I post here the link to it as soon as I've posted the thread.
    Last edited by Gomhoofd; 2007-05-26 at 13:21. Reason: error removal

  4. #4
    Junior Member
    Join Date
    May 2007
    Location
    Montgat (Barcelona)
    Posts
    7

    Default CA online scan

    I was not able to install the Active-X for the Kaspersky online scan. So i did the CA online virusscan ( http://www.ca.com/us/ ) and the CA online malwarescan, wich indeed detected traces of the trojan.
    I posted the results and a HighjackThis log here:

    http://forums.spybot.info/showthread...9182#post89182

  5. #5
    Junior Member
    Join Date
    Jun 2007
    Posts
    1

    Default Ntos.exe

    Hit me (or the PC of a customer) today. Kasperski Internet Security 6.0 fresh installed (on already infected PC) found some other files (*.hta, possibly these have been the droppers only) - but didn't detect the NTOS itself.
    Cleaned using the PE-CDROM and filemanager/autostart tool to remove
    ntos.exe and video.dll, audio.dll and autostart registry key
    (Will check tomorrow if it came back)

    Triggered by the fact that the (commercial) Kaspersky didn't detect ntos.exe
    I will donate to the spybot project and use this opportunity to say thank you for that great work!

    Marcovaldo

  6. #6
    Junior Member
    Join Date
    Oct 2007
    Posts
    1

    Default

    I have the same Trojan file on my computer and Trendcillin didn't find it. My HijackThis program did.

    I can't delete it in the safe mode with the command prompt as so many people suggest. I get the "file being used" can't delete message.

    I don't know what PE-CDROM is.

  7. #7
    Member of Team Spybot tashi's Avatar
    Join Date
    Oct 2005
    Location
    USA
    Posts
    30,491

    Default

    Hi Tawny.
    Quote Originally Posted by Tawny View Post
    I have the same Trojan file on my computer and Trendcillin didn't find it. My HijackThis program did.

    I can't delete it in the safe mode with the command prompt as so many people suggest. I get the "file being used" can't delete message.

    I don't know what PE-CDROM is.
    It would probably be best if you follow the instructions here: "BEFORE you POST"(READ this Procedure BEFORE Requesting Assistance) so that we can see exactly what HJT found.

    Then start your own thread in the Malware Removal Forum

    Most of what HJT lists will be harmless or even required by your Operating System, so please do not 'fix' anything until you are advised by one of our helpers.

    Cheers.
    Microsoft MVP Reconnect 2018-
    Windows Insider MVP 2016-2018
    Microsoft Consumer Security MVP 2006-2016

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •