Tech Support Forum, Inactive Malware Help Topics

Need help - Infected with viruses and trojans (e.g. ntos.exe)

Old 04-15-2008, 03:34 PM   #1
Guest
Join Date: Apr 2008
Posts: 2
Hi, I am new to this and don't know much.

Ok, my pc has just been fixed for a couple of days after there was something wrong with it, i.e. it wouldn't switch on and when it did it would switch off after logging on, the USB and sound drives got busted - maybe a fuse blew or something. It's fixed now but I had to install a new sound drive and USB ports. After a couple of days viruses started popping up; it was quite evident in the Windows Task Manager and there were pop-ups galore, so I downloaded AVG Free Edition and deleted that and then downloaded Counterspy v2.5.1043 and deleted quite a lot of viruses, trojan downloaders and other stuff. One thing however: ntos.exe and 4 other objects associated with it still remain after numerous attempts. I've scanned lots of times and deleted it afterwards but it keeps popping back up after another scan.

Also, this keeps popping up:

"buffer overrun detected!

Program: C:\WINDOWS\explorer.exe

A buffer overrun has been detected which has corrupted the program's internal state. The program cannot safely continue execution and must now be terminated."

I press the cross/exit button each time it appears and the explorer bar/taskbar disappears for 5 seconds and reappears.

I don't know what to do, I only have Counterspy. I tried Spybot but every time it loads the computer restarts - it's not the first time.

This is what I get from Counterspy:

Backdoor.Win32.Small.lu Backdoor

Files detected
c:\windows\system32\ntos.exe
C:\WINDOWS\SYSTEM32\WSNPOEM\audio.dll
C:\WINDOWS\SYSTEM32\WSNPOEM\video.dll
C:\WINDOWS\SYSTEM32\WSNPOEM


HiJackThis Log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 18:02:21, on 15/04/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\taskmgr.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Sunbelt Software\CounterSpy\SBCSSvc.exe
C:\Program Files\Sunbelt Software\CounterSpy\SBCSTray.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\Rundll32.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
F2 - REG:system.ini: UserInit=C:\WINDOWS\SYSTEM32\Userinit.exe,C:\WINDOWS\system32\ntos.exe,
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [spa_start] C:\WINDOWS\System32\Rundll32.exe "C:\WINDOWS\system32\{5cc2aaa6-875b-98c6-e459-72237b9d5c00}.dll" DllInit
O4 - HKLM\..\Run: [0ce66b80] rundll32.exe "C:\WINDOWS\system32\wkxftfmx.dll",b
O4 - HKLM\..\Run: [SBCSTray] C:\Program Files\Sunbelt Software\CounterSpy\SBCSTray.exe
O4 - HKLM\..\Run: [BM0fd5581c] Rundll32.exe "C:\WINDOWS\system32\xujcbwmd.dll",s
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Drscrqhi] "C:\Program Files\Common Files\W?nSxS\r?gedit.exe"
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: &D&ownload &with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddLink.htm
O8 - Extra context menu item: &D&ownload all video with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: &D&ownload all with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
O9 - Extra button: BitComet - {D18A0B52-D63C-4ed0-AFC6-C1E3DC1AF43A} - res://C:\Program Files\BitComet\tools\BitCometBHO_1.2.2.28.dll/206 (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: *.amaena.com (HKLM)
O15 - Trusted Zone: *.avsystemcare.com (HKLM)
O15 - Trusted Zone: *.gomyhit.com (HKLM)
O15 - Trusted Zone: *.imageservr.com (HKLM)
O15 - Trusted Zone: *.imagesrvr.com (HKLM)
O15 - Trusted Zone: *.onerateld.com (HKLM)
O15 - Trusted Zone: *.safetydownload.com (HKLM)
O15 - Trusted Zone: *.storageguardsoft.com (HKLM)
O15 - Trusted Zone: *.trustedantivirus.com (HKLM)
O15 - Trusted Zone: *.virusschlacht.com (HKLM)
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - https://www.crucial.com/controls/cpcScanner.cab
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - https://www.adobe.com/products/acrobat/nos/gp.cab
O20 - AppInit_DLLs: "C:\WINDOWS\shwol.dll";"C:\WINDOWS\shwol.dll"
O23 - Service: Sunbelt CounterSpy Antispyware (SBCSSvc) - Sunbelt Software - C:\Program Files\Sunbelt Software\CounterSpy\SBCSSvc.exe

--
End of file - 3887 bytes
yazuka is offline  
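The HijackThis log in the post above shows the persistence points that keep bringing ntos.exe back: the F2 UserInit value with a second executable appended after Userinit.exe, O4 Run entries that use rundll32 to load a GUID-named and a random-named DLL from system32, an O4 path containing characters HijackThis can only print as "?", a batch of O15 Trusted Zone additions and an O20 AppInit_DLLs entry. The following is an added example, not part of the thread and not HijackThis code, that parses those entry types out of a log and flags them. The sample input is a subset of lines copied from the log above; the name heuristics (an 8-letter stem with at most one vowel, a GUID-shaped file name) are the example's own assumptions and will need tuning on other logs.

```python
"""Added example: triage a HijackThis 2.0 log for the persistence patterns seen
in the post. Not part of HijackThis or of the original thread; the heuristics
(looks_random, GUID_RE) are assumptions made for this example."""
import ntpath
import re
from typing import List, Tuple

Finding = Tuple[str, str, str]  # (section, reason, detail)

# Constructed sample input: lines copied from the HijackThis log posted above,
# plus the benign entries around them so the filter has something to ignore.
SAMPLE_LOG = r"""
F2 - REG:system.ini: UserInit=C:\WINDOWS\SYSTEM32\Userinit.exe,C:\WINDOWS\system32\ntos.exe,
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [spa_start] C:\WINDOWS\System32\Rundll32.exe "C:\WINDOWS\system32\{5cc2aaa6-875b-98c6-e459-72237b9d5c00}.dll" DllInit
O4 - HKLM\..\Run: [0ce66b80] rundll32.exe "C:\WINDOWS\system32\wkxftfmx.dll",b
O4 - HKLM\..\Run: [SBCSTray] C:\Program Files\Sunbelt Software\CounterSpy\SBCSTray.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Drscrqhi] "C:\Program Files\Common Files\W?nSxS\r?gedit.exe"
O15 - Trusted Zone: *.trustedantivirus.com (HKLM)
O20 - AppInit_DLLs: "C:\WINDOWS\shwol.dll";"C:\WINDOWS\shwol.dll"
O23 - Service: Sunbelt CounterSpy Antispyware (SBCSSvc) - Sunbelt Software - C:\Program Files\Sunbelt Software\CounterSpy\SBCSSvc.exe
"""

ENTRY_RE = re.compile(r"^(?P<sec>[A-Z]\d+) - (?P<body>.+)$")
RUNDLL_RE = re.compile(r'rundll32(?:\.exe)?\s+"?(?P<dll>[^",]+?\.dll)"?', re.IGNORECASE)
GUID_RE = re.compile(r"^\{[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}\}$", re.IGNORECASE)


def looks_random(stem: str) -> bool:
    """Assumed heuristic for generated names: 8 lowercase letters with at most
    one vowel (wkxftfmx, xujcbwmd). igfxtray and ctfmon fail this test."""
    if len(stem) != 8 or not stem.isalpha() or not stem.islower():
        return False
    return sum(ch in "aeiou" for ch in stem) <= 1


def check_userinit(body: str) -> List[Finding]:
    # Winlogon runs every comma-separated entry in UserInit; only userinit.exe belongs there.
    value = body.split("UserInit=", 1)[1]
    return [("F2", "extra UserInit entry", e.strip())
            for e in value.split(",")
            if e.strip() and ntpath.basename(e.strip()).lower() != "userinit.exe"]


def check_run_key(body: str) -> List[Finding]:
    out: List[Finding] = []
    if "?" in body:
        # HijackThis prints '?' for characters it cannot display; a look-alike
        # path such as W?nSxS\r?gedit.exe hides behind that.
        out.append(("O4", "unprintable character in path", body))
    m = RUNDLL_RE.search(body)
    if m:
        dll = m.group("dll")
        stem = ntpath.splitext(ntpath.basename(dll))[0]
        if GUID_RE.match(stem):
            out.append(("O4", "rundll32 loads GUID-named DLL", dll))
        elif looks_random(stem):
            out.append(("O4", "rundll32 loads random-named DLL", dll))
    return out


def check_appinit(body: str) -> List[Finding]:
    # AppInit_DLLs are loaded into every process that loads user32.dll.
    dlls: List[str] = []
    for item in body.split("AppInit_DLLs:", 1)[1].split(";"):
        item = item.strip().strip('"')
        if item and item not in dlls:
            dlls.append(item)
    return [("O20", "AppInit_DLLs injection", d) for d in dlls]


def triage(log: str) -> List[Finding]:
    """Return one finding per suspicious entry, in log order."""
    findings: List[Finding] = []
    for line in log.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue
        sec, body = m.group("sec"), m.group("body")
        if sec == "F2" and "UserInit=" in body:
            findings += check_userinit(body)
        elif sec == "O4":
            findings += check_run_key(body)
        elif sec == "O15":
            findings.append(("O15", "site added to IE Trusted Zone", body.split(":", 1)[1].strip()))
        elif sec == "O20" and "AppInit_DLLs:" in body:
            findings += check_appinit(body)
    return findings


if __name__ == "__main__":
    for sec, reason, detail in triage(SAMPLE_LOG):
        print(f"{sec:<4} {reason:<36} {detail}")
```

On the sample above the script reports six entries: the ntos.exe UserInit append, the two rundll32 loaders, the "?" path, the Trusted Zone domain and the (deduplicated) AppInit DLL; the vendor entries for CounterSpy, the Intel graphics tray and ctfmon produce nothing. Run it against a full log rather than the excerpt to see every O15 domain listed separately.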
Old 04-16-2008, 01:30 PM   #2
-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Wednesday, April 16, 2008 7:59:00 PM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 16/04/2008
Kaspersky Anti-Virus database records: 710612
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
E:\
F:\

Scan Statistics:
Total number of scanned objects: 37764
Number of viruses found: 9
Number of infected objects: 16
Number of suspicious objects: 0
Duration of the scan process: 02:00:24

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\Administrator\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Media Player\CurrentDatabase_360.wmdb Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\MSHist012008041620080417\index.dat Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Administrator\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Administrator\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\All Users\Application Data\avg7\Log\emc.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log.lck Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{BA4B259B-C59D-4373-A823-A5CD24FD11EE}\RP18\A0002272.exe Object is locked skipped
C:\System Volume Information\_restore{BA4B259B-C59D-4373-A823-A5CD24FD11EE}\RP18\A0003168.dll Infected: not-a-virus:AdWare.Win32.ZenoSearch.ad skipped
C:\System Volume Information\_restore{BA4B259B-C59D-4373-A823-A5CD24FD11EE}\RP19\A0003175.exe Object is locked skipped
C:\System Volume Information\_restore{BA4B259B-C59D-4373-A823-A5CD24FD11EE}\RP19\A0003176.exe Object is locked skipped
C:\System Volume Information\_restore{BA4B259B-C59D-4373-A823-A5CD24FD11EE}\RP19\A0003177.exe Object is locked skipped
C:\System Volume Information\_restore{BA4B259B-C59D-4373-A823-A5CD24FD11EE}\RP19\A0003178.exe Object is locked skipped
C:\System Volume Information\_restore{BA4B259B-C59D-4373-A823-A5CD24FD11EE}\RP19\A0003180.exe Object is locked skipped
C:\System Volume Information\_restore{BA4B259B-C59D-4373-A823-A5CD24FD11EE}\RP19\A0003181.exe Object is locked skipped
C:\System Volume Information\_restore{BA4B259B-C59D-4373-A823-A5CD24FD11EE}\RP19\A0003182.dll Object is locked skipped
C:\System Volume Information\_restore{BA4B259B-C59D-4373-A823-A5CD24FD11EE}\RP19\A0003183.exe Object is locked skipped
C:\System Volume Information\_restore{BA4B259B-C59D-4373-A823-A5CD24FD11EE}\RP21\A0003190.dll Infected: not-a-virus:AdWare.Win32.CommAd.a skipped
C:\System Volume Information\_restore{BA4B259B-C59D-4373-A823-A5CD24FD11EE}\RP21\A0003191.exe/data0001 Infected: not-a-virus:AdWare.Win32.PurityScan.gp skipped
C:\System Volume Information\_restore{BA4B259B-C59D-4373-A823-A5CD24FD11EE}\RP21\A0003191.exe NSIS: infected - 1 skipped
C:\System Volume Information\_restore{BA4B259B-C59D-4373-A823-A5CD24FD11EE}\RP21\A0003195.exe Infected: not-a-virus:AdWare.Win32.CommAd.a skipped
C:\System Volume Information\_restore{BA4B259B-C59D-4373-A823-A5CD24FD11EE}\RP21\A0003198.dll Infected: not-a-virus:AdWare.Win32.ZenoSearch.ad skipped
C:\System Volume Information\_restore{BA4B259B-C59D-4373-A823-A5CD24FD11EE}\RP21\A0003199.exe Infected: not-a-virus:Monitor.Win32.NetMon.a skipped
C:\System Volume Information\_restore{BA4B259B-C59D-4373-A823-A5CD24FD11EE}\RP21\A0003200.dll Infected: Backdoor.Win32.Agent.gry skipped
C:\System Volume Information\_restore{BA4B259B-C59D-4373-A823-A5CD24FD11EE}\RP21\A0003202.dll Infected: not-a-virus:AdWare.Win32.PurityScan.hk skipped
C:\System Volume Information\_restore{BA4B259B-C59D-4373-A823-A5CD24FD11EE}\RP21\A0003203.exe Infected: not-a-virus:AdWare.Win32.PurityScan.hl skipped
C:\System Volume Information\_restore{BA4B259B-C59D-4373-A823-A5CD24FD11EE}\RP21\A0003214.exe Infected: not-a-virus:AdWare.Win32.PurityScan.hl skipped
C:\System Volume Information\_restore{BA4B259B-C59D-4373-A823-A5CD24FD11EE}\RP22\A0003523.dll Infected: Backdoor.Win32.Agent.gry skipped
C:\System Volume Information\_restore{BA4B259B-C59D-4373-A823-A5CD24FD11EE}\RP22\A0003551.exe Object is locked skipped
C:\System Volume Information\_restore{BA4B259B-C59D-4373-A823-A5CD24FD11EE}\RP22\A0003558.exe Infected: not-a-virus:AdWare.Win32.ZenoSearch.aw skipped
C:\System Volume Information\_restore{BA4B259B-C59D-4373-A823-A5CD24FD11EE}\RP24\A0004030.exe Object is locked skipped
C:\System Volume Information\_restore{BA4B259B-C59D-4373-A823-A5CD24FD11EE}\RP26\change.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\ccpcrklo.dll Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat Object is locked skipped
C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\WINDOWS\system32\gjkjijjl.ini Object is locked skipped
C:\WINDOWS\system32\iecjqgo.dll Infected: not-a-virus:AdWare.Win32.PurityScan.hk skipped
C:\WINDOWS\system32\jikbnaei.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.mju skipped
C:\WINDOWS\system32\kcbhdiee.dll Object is locked skipped
C:\WINDOWS\system32\ntos.exe Object is locked skipped
C:\WINDOWS\system32\urqqonlm.dll Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\system32\wsnpoem\audio.dll Object is locked skipped
C:\WINDOWS\system32\wsnpoem\video.dll Object is locked skipped
C:\WINDOWS\system32\yhmdcnhi.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.mju skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped

Scan process completed.
yazuka is offline  
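In the Kaspersky report above, "Object is locked skipped" means the file was never opened by the scanner, not that it was clean, and c:\windows\system32\ntos.exe together with the wsnpoem audio.dll and video.dll fall into exactly that bucket alongside genuinely expected locked files such as the registry hives. The hits under System Volume Information are System Restore copies, inert until a restore point is applied. The following added example (not from the thread and not Kaspersky code) sorts a report into those categories so a reader can separate what was detected, what could not be inspected, and what is only archived. The sample is a subset of lines copied from the report above; the extension list used to single out locked executables is the example's own assumption.

```python
"""Added example: bucket a Kaspersky Online Scanner result list into detected,
locked code, restore-point copies and locked non-code. Not part of the thread
or of Kaspersky; CODE_EXTS is an assumption made for this example."""
import re
from typing import Dict, List, Tuple

# Constructed sample: result lines copied from the scan report posted above.
SAMPLE_REPORT = r"""
C:\Documents and Settings\Administrator\NTUSER.DAT Object is locked skipped
C:\System Volume Information\_restore{BA4B259B-C59D-4373-A823-A5CD24FD11EE}\RP21\A0003200.dll Infected: Backdoor.Win32.Agent.gry skipped
C:\System Volume Information\_restore{BA4B259B-C59D-4373-A823-A5CD24FD11EE}\RP21\A0003191.exe NSIS: infected - 1 skipped
C:\WINDOWS\system32\ccpcrklo.dll Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\iecjqgo.dll Infected: not-a-virus:AdWare.Win32.PurityScan.hk skipped
C:\WINDOWS\system32\ntos.exe Object is locked skipped
C:\WINDOWS\system32\wsnpoem\audio.dll Object is locked skipped
C:\WINDOWS\system32\yhmdcnhi.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.mju skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
"""

# Path (may contain spaces) followed by one of the status forms seen in the report.
RESULT_RE = re.compile(
    r"^(?P<path>.+?) (?P<status>Object is locked|Infected: \S+|\w+: infected - \d+) skipped$"
)
RESTORE_PREFIX = r"c:\system volume information\_restore"
# Assumed set of extensions that count as loadable code when they show up locked.
CODE_EXTS = (".exe", ".dll", ".sys", ".scr", ".ocx")

Bucket = Dict[str, List[Tuple[str, str]]]


def classify(path: str, status: str) -> str:
    lowered = path.lower()
    if lowered.startswith(RESTORE_PREFIX):
        return "restore_point"        # System Restore copy, inert until restored
    if status.startswith("Infected:") or "infected -" in status:
        return "infected"             # scanner actually matched a signature
    if lowered.endswith(CODE_EXTS):
        return "locked_code"          # executable the scanner could not open
    return "locked_other"             # hives, logs, index.dat: expected noise


def triage(report: str) -> Bucket:
    buckets: Bucket = {"infected": [], "locked_code": [], "restore_point": [], "locked_other": []}
    for line in report.splitlines():
        m = RESULT_RE.match(line.strip())
        if not m:
            continue
        path, status = m.group("path"), m.group("status")
        buckets[classify(path, status)].append((path, status))
    return buckets


if __name__ == "__main__":
    for name, items in triage(SAMPLE_REPORT).items():
        print(f"== {name} ({len(items)})")
        for path, status in items:
            print(f"   {path}  [{status}]")
```

The locked_code bucket is the one to read first: an unsigned executable in system32 that the scanner could not open while the system was running is something to examine from outside the running OS (or at least with the file's hash checked against a second opinion), which is the kind of follow-up the scan report alone does not give you.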