Malware/Rootkit - NTOS.exe

Hi Guys,
Every time I start my computer, avast detects NTOS.exe files as malware or a rootkit and I delete the file. The next time I boot my system it comes up again. Is there any way to get rid of this problem permanently? Appreciate your help on this… thanks!

For this little problem you will need a specialist tool, as the replicator file is not being deleted. I would recommend for starters that you use SDFix.

Download SDFix and save it to your Desktop.

Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

Please then reboot your computer in Safe Mode by doing the following :
[*]Restart your computer
[*]After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
[*]Instead of Windows loading as normal, the Advanced Options Menu should appear;
[*]Select the first option, to run Windows in Safe Mode, then press Enter.
[*]Choose your usual account.

[*] Open the extracted SDFix folder and double click RunThis.bat to start the script.
[*] Type Y to begin the cleanup process.
[*] It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
[*] Press any Key and it will restart the PC.
[*] When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
[*] Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
(Report.txt will also be copied to Clipboard ready for posting back on the forum).
[*] Finally paste the contents of the Report.txt back on the forum with a new HijackThis log

Try a boot time scan with avast! first: this is when avast! is able to remove rootkits.

Right click the avast! scanner screen (or click the tab at the top left) and select ‘Schedule a boot time scan’. Reboot when requested.

Hi nitin1612,

Recognition of a NTOS.exe infection:

As soon as this Trojan horse has been activated, it creates the following mutex, ensuring that only one copy of the threat is actively running on the infected machine:

SYSTEM__64AD0625

The Trojan then checks whether the following firewall programs are active on the infected machine:

• ZLCLIENT.EXE
• OUTPOST.EXE

Then the Trojan collects the following information on the infected computer:

• The version of the operating system
• Whether Service Pack 2 has been installed
• Which language the system is running

Then the Trojan copies itself to the following location and adds random data to the file to vary its file size:

%System%\ntos.exe

The Trojan then creates the following folder with hidden system attributes:

%System%\wsnpoem

The Trojan horse then creates the following files, which are used initially to gather information and later to store the encrypted configuration of the Trojan:

• %System%\wsnpoem\audio.dll
• %System%\wsnpoem\video.dll

Then the Trojan horse creates the following registry entries, which are executed at every start-up:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\"userinit" = "%System%\ntos.exe"
HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run\"userinit" = "%System%\ntos.exe"

The Trojan also changes the following registry entry so that it is executed every time Windows starts up:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\"Userinit" = "%System%\userinit.exe, %System%\ntos.exe"

Then it injects malicious code into the following running processes:

• WINLOGON.EXE
• SVCHOST.EXE

The Trojan horse targets all running processes, except the following process:

CSRSS.EXE

The Trojan also creates the following mutexes to synchronize all of its active threads running in memory:

SYSTEM__23D80F10
SYSTEM__45A2F601
SYSTEM__7F4523E5
SYSTEM__91C38905

The injected code tries to prevent the Trojan from being deleted by blocking access to the malicious files. The Trojan horse will regenerate any subkeys associated with malicious files that have been deleted.

The Trojan horse can then create the following registry entries, which serve as infection markers:

HKEY_LOCAL_MACHINE\Software\microsoft\windows nt\currentversion\network\"UID" = "[COMPUTERNAME]_[UNIQUE_ID]"

HKEY_CURRENT_USER\Software\microsoft\windows\currentversion\explorer\"{6780A29E-6A18-0C70-1DFF-1610DDE00108}" = "[HEXADECIMAL VALUE]"

HKEY_CURRENT_USER\Software\microsoft\windows\currentversion\explorer\"{F710FA10-2031-3106-8872-93A2B5C5C620}" = "[HEXADECIMAL VALUE]"

The Trojan deletes all Internet Explorer cookies, so that users have to type their user name and password again every time they log in to their bank's website.

The Trojan saves information in order to steal passwords from the infected machine.

Then it hooks the following system functions in NTDLL.DLL using rootkit techniques, to ensure that its malicious code is injected into every process:

• NtCreateThread
• LdrLoadDll
• LdrGetProcedureAddress

The Trojan tries to hook the following functions of the WININET.DLL library to monitor network activity and steal confidential data:

• HttpSendRequestW
• HttpSendRequestA
• HttpSendRequestExW
• HttpSendRequestExA
• InternetReadFile
• InternetReadFileExW
• InternetReadFileExA
• InternetQueryDataAvailable
• InternetCloseHandle

The Trojan tries to hook the following functions of the WS2_32.DLL and WSOCK32.DLL libraries to monitor confidential network data:

• send
• sendto
• closesocket
• WSASend
• WSASendTo

The Trojan also tries to hijack the following functions of the USER32.DLL library with similar aims:

• GetMessageW
• GetMessageA
• PeekMessageW
• PeekMessageA
• GetClipboardData

The Trojan can change the contents of the following hosts file:

%System%\drivers\etc.

The Trojan can execute the following activities on an infected machine:

• Hijacking network traffic
• Keylogging
• Stealing clipboard information
• Saving screenshots of present desktop
• Re-directing all traffic

The Trojan horse has been configured to look for the following keywords in URLs and HTTP packets:

• Tan
• Schmetterling
• berweisung
• Amount
• tanentry
• RESULT2
• citibank.de/
• I2=&H0=DT
• banking./cgi/ueber
• .cgi*
• ###=######&tid=*
• [https://]onlineeast.bankofamerica.com/cgi-bin/ias//GotoW[REMOVED]
• CustomerServiceMenuEntryPoint?custAction=75
• bankofamerica.com/cgi-bin/ias/
• /GotoWelcome
• *

Good luck cleansing this “rotter” from your computer,

polonus
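As an added example, not part of polonus's post and not a script from SDFix or avast!, here is a read-only triage script that checks the persistence points, dropped files and infection markers listed in the description above. It assumes %System% is %SystemRoot%\System32 (the XP-era layout the thread is about); the only registry values, file names and markers it looks for are the ones named in that post. It reports and does not delete, because, as the post says, the code injected into winlogon.exe and svchost.exe regenerates deleted keys while the Trojan is running, so removal belongs in Safe Mode or the boot-time scan.

```powershell
# Added example: read-only triage for the ntos.exe / wsnpoem indicators
# described in the thread. Reports only; nothing is deleted.
# Assumption: %System% = %SystemRoot%\System32. Run from an elevated prompt.

$sys      = Join-Path $env:SystemRoot 'System32'
$findings = New-Object System.Collections.Generic.List[string]

# 1. Winlogon\Userinit. The clean value is "%System%\userinit.exe," and
#    nothing more; the Trojan appends ",%System%\ntos.exe". Flag every
#    comma-separated entry that is not userinit.exe itself.
$wl = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$userinit = (Get-ItemProperty -Path $wl -Name Userinit -ErrorAction SilentlyContinue).Userinit
if ($userinit) {
    foreach ($entry in ($userinit -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ })) {
        if ($entry -notmatch '(^|\\)userinit\.exe$') {
            $findings.Add("Winlogon Userinit has an extra entry: $entry")
        }
    }
}

# 2. Run values named "userinit" under HKCU and HKEY_USERS\.DEFAULT.
#    HKU: is not mounted by default, so map it first.
if (-not (Get-PSDrive -Name HKU -ErrorAction SilentlyContinue)) {
    New-PSDrive -Name HKU -PSProvider Registry -Root HKEY_USERS | Out-Null
}
$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKU:\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run'
)
foreach ($key in $runKeys) {
    $value = (Get-ItemProperty -Path $key -Name userinit -ErrorAction SilentlyContinue).userinit
    if ($value) { $findings.Add("Run value 'userinit' under $key = $value") }
}

# 3. Dropped files. Test-Path sees hidden/system objects, so the
#    attributes set on the wsnpoem folder do not hide it from this check.
foreach ($rel in 'ntos.exe', 'wsnpoem', 'wsnpoem\audio.dll', 'wsnpoem\video.dll') {
    $path = Join-Path $sys $rel
    if (Test-Path -LiteralPath $path) { $findings.Add("Present on disk: $path") }
}

# 4. Infection markers from the description.
$markers = @(
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Network'; Name = 'UID' },
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer';   Name = '{6780A29E-6A18-0C70-1DFF-1610DDE00108}' },
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer';   Name = '{F710FA10-2031-3106-8872-93A2B5C5C620}' }
)
foreach ($m in $markers) {
    if (Get-ItemProperty -Path $m.Path -Name $m.Name -ErrorAction SilentlyContinue) {
        $findings.Add("Infection marker '$($m.Name)' under $($m.Path)")
    }
}

# 5. hosts file: list every active mapping other than the stock localhost
#    line, since the Trojan edits this file to redirect traffic.
$hosts = Join-Path $sys 'drivers\etc\hosts'
if (Test-Path -LiteralPath $hosts) {
    Get-Content -LiteralPath $hosts |
        Where-Object { $_ -match '^\s*[0-9a-fA-F:.]+\s+\S' -and
                       $_ -notmatch '^\s*(127\.0\.0\.1|::1)\s+localhost\s*$' } |
        ForEach-Object { $findings.Add("Non-default hosts entry: $($_.Trim())") }
}

if ($findings.Count -eq 0) {
    'No ntos.exe / wsnpoem indicators found.'
} else {
    $findings | ForEach-Object { "[!] $_" }
}
```

Save it as, for instance, Check-Ntos.ps1 and run it from an elevated PowerShell prompt, ideally in Safe Mode so the injected code is not active to block file access or rewrite keys. Run it again after SDFix or the avast! boot-time scan has finished: a clean pass means the Userinit value is back to userinit.exe alone, the Run values and the wsnpoem folder are gone, and the hosts file only maps localhost.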