ntos.exe trojan/spyware [solved]

cheXzie

I just got infected by this crap. I notice something was up when I couldn't open any applications (or get to the task manager). I'm writing this from safe mode.

I've googled all over and I can't find anything. All everone seems to talk about is finding it but not how to remove it. You can't just delete the files since they're being locked by winlogon.exe (the trojan ties itself into it). You can't kill winlogon.exe because it's a critical process and crashes the computer when you do so.

I managed once to delete the files but they came back once I booted regularly.

A few people linked to the PDF about the trojan on http://www.securescience.net/securescienceblog/malwarecasestudy.html . The removal section gets to one point and states "From here, ntos.exe can be deleted". I'm not sure how it can be deleted (from processexlporer) but it doesn't work for me. Maybe it's some new variant.

Rohaq

It's a trojan, what does your antivirus program say?

Otherwise, go into the recovery console from a bootable XP Cd and remove it from there, or boot from a Live Linux CD and mount the filesystem in there and delete it through that.

cheXzie

My antivirus said nothing (McAfee). I'm downloading AVG because it's supposed to catch it.

As for bootable XP CD, I don't have that. Live Linux CD, I have no I idea how to even use linux.

edit: aaaand that didn't work. AVG can't install in safe mode (and my computer crashes in normal mode).

So, how do you make a Linux live CD?

Rohaq

Ubuntu would probably be the easiest. Go here:
http://www.ubuntu.com/products/GetUbuntu/download?action=show&redirect=download

Burn to a CD, boot off the CD, if you want net access, I advise using a wired connection, you can then likely talk to someone here about mounting the windows partition and deleting the offending file.

Everywhereasign

I've never had a problem finding and mounting widows partitions using a bootable Knoppix.

http://www.knoppix.net/

Download the CD or DVD version (I like the DVD one for more options, that's what I keep around in case of emergencies)

Assuming your 'puter is set to boot from CD when one is there (and who's isn't these days) boot Knoppix from the CD, you don't have to install anything, it'll run straight from the CD/DVD. It's got a nice pretty GUI and as a non-linux user I found it pretty easy to figure out.

Going through the setup is fairly straight forward, it should find and mount all your partitions without trouble. Then you just need to find the infected files and kill them from there. You should be able to use your Google-fu to figure out which ones need killing. Then I'd try a restart into normal mode but with your network unplugged. Then try to install AVG and run it.

One of my friends had a similar problem, if he pops online I'll ask him what the name of the trojan was. Once he tried deleting the files in knoppix he had no problem cleaning things up from there.

cheXzie

I'm sure I can figure out how to delete the files but how do I go about closing the handles of the virus in winlogon.exe?

Everywhereasign

Doing some Google-fu of my own has really come up with the same stuff you did. It looks like a really nasty trojan. There doesn't seem to be an easy solution. You might want to drop by one of the virus message boards and start asking them. All the boards had solutions, but they were very case specific.

It's also possible that once you get the files deleted you will be able to install AVG and it might beable to take care of it.

Either way, best of luck.

cheXzie

I installed AntiVir, one of the anti virus programs that's supposed to detect it, and it found nothing. When I did scans of the file I got "[WARNING] The file could not be opened!"

I'm about to try ubuntu, hopefully it works. It didn't work on my laptop, maybe a bad CD-R.

cheXzie

Well ubuntu works but I can't mount the C: Drive

error: device /dev/hda1/ is not removable
error: could not execute pmount

edit: When booting off the CD, is there a way to increase the resolution? Or is this something that requries video drivers?

CKyle

If you had problems about your laptop not being able to mount the root filesystem, you may want to try another distro. I tried many things but could never get cd's to work (including the live one) in Ubuntu.

If you're trying to fix a different computer than the laptop, go ahead and try Ubuntu, though. It may be a problem local to that one cd drive.

nexuscrawler

Ok I had this one recently too. What you have to do is go downlaod a program called killbox at www.killbox.net. It lets you force deletion of in-use files. Just use it's "delete next startup" option on the ntos.exe file and it should get rid of it.

cheXzie

CKyle wrote: »

If you had problems about your laptop not being able to mount the root filesystem, you may want to try another distro. I tried many things but could never get cd's to work (including the live one) in Ubuntu.

If you're trying to fix a different computer than the laptop, go ahead and try Ubuntu, though. It may be a problem local to that one cd drive.

I couldn't get Live CD running on my laptop but it worked on my PC. Except on my PC I couldn't get the resolution above 640x480, even when I folled instructions on redoing my configuration.

nexuscrawler wrote: »

Ok I had this one recently too. What you have to do is go downlaod a program called killbox at www.killbox.net. It lets you force deletion of in-use files. Just use it's "delete next startup" option on the ntos.exe file and it should get rid of it.

I'm not sure what I did but my problem is gone. I don't even remember what I did, I tried many things, it might have been killbox (I tried it just not 'delete on restart' at that time). Eitherway, thank you all.