Answer» I run Win XP SP2 and all software is legal.
I use Zonealarm Security Suite for firewall and antivirus. However, as I have pointed out to my 'friends' at the Zonealarm forum, it would appear that Zonealarm is completely inadequate for providing protection or removal of this sort of virus.
I have followed all the steps kindly set out in the sticky and I hereby humbly attach my logs below for your perusal.
I can confirm that I have never received or responded to any spoof emails over the last 12 months.
I would be hugely grateful for any support that can be provided. My computer appears to be seriously infected by this malicious virus.
PS: Your 'attach' function has not been working for me this morning, so I attach my logs here: CCleaner-ScanLog Ccleaner-RegistryLog SuperAntiSpywareLog MBAMLog TrojanRemoverLog HijackThisLog
Open Hijackthis and select Do a system scan only.
Place a check mark next to the following entries: (if there)
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\ntos.exe,
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
Important: Close all windows except for Hijackthis and then click Fix checked.
Exit Hijackthis.
----------
Run the F-Secure online scan for Viruses, Spyware and RootKits:
This scanner works with Internet Explorer only
- Go to the F-Secure Online Virus Scanner
- Scroll to the bottom of the page and click the Start scanning button. A window will pop up.
- Allow the Active X control to be installed on your computer, then click the Accept button
- Click Full System Scan and allow the components to download and the scan to complete.
- If malware is found, check Submit samples to F-Secure then select Automatic cleaning
- When cleaning has finished, click Show report (this will open an Internet Explorer window CONTAINING the report)
- Highlight and Copy (CTRL + C) the complete report, and Paste (CTRL + V) in a new reply to this post
If Automatic cleaning with Submit samples HANGS, click Cancel, then New Scan
- When the cleaning option is presented, Uncheck Submit samples to F-Secure
- Click Automatic cleaning
- When cleaning has finished, click Show report (this will open an Internet Explorer window containing the report)
- Highlight and Copy (CTRL + C) the complete report, and Paste (CTRL + V) in a new reply to this post along with a fresh HijackThis log.
Note:
- This scan will only work with Internet Explorer
- You must have administrator rights to run this scan
- This scan can take several hours, so please be patient
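The two entries flagged above can be checked for mechanically. The sketch below is an added example, not part of the thread or of HijackThis itself: it reads HijackThis log lines and reports any UserInit entry other than the stock userinit.exe and any BHO whose file is missing. It assumes Windows is installed in C:\WINDOWS; the function names and the third sample line are constructed for illustration.

```python
import re

# Assumption: stock Windows XP install path; the default value holds only this entry.
EXPECTED_USERINIT = r"c:\windows\system32\userinit.exe"

F2_RE = re.compile(r"^F2 - REG:system\.ini: UserInit=(?P<value>.*)$", re.I)
O2_RE = re.compile(
    r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]{36}\}) - (?P<file>.*)$"
)


def extra_userinit_entries(value):
    """Return UserInit entries other than the stock userinit.exe."""
    entries = [e.strip() for e in value.split(",") if e.strip()]
    return [e for e in entries if e.lower() != EXPECTED_USERINIT]


def review_log(lines):
    """Return (kind, detail) findings for the lines of a HijackThis log."""
    findings = []
    for line in lines:
        line = line.strip()
        m = F2_RE.match(line)
        if m:
            # Every extra program listed here is launched at each logon.
            for entry in extra_userinit_entries(m.group("value")):
                findings.append(("userinit-extra", entry))
            continue
        m = O2_RE.match(line)
        if m and m.group("file").strip() == "(no file)":
            # Registered browser helper object whose file no longer exists.
            findings.append(("bho-no-file", m.group("clsid")))
    return findings


# First two lines are the entries quoted in the thread; the third is constructed.
SAMPLE_LOG = [
    r"F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\ntos.exe,",
    r"O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)",
    r"O2 - BHO: Example Helper - {00000000-0000-0000-0000-000000000001} - C:\Program Files\Example\helper.dll",
]
# Constructed: what the UserInit value looks like with only the stock entry.
CLEAN_LOG = [r"F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,"]

if __name__ == "__main__":
    for kind, detail in review_log(SAMPLE_LOG):
        print(kind, detail)
```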
Hello EvilFantasy
Thank you for your advice. I have removed the two specified items using HJT (renamed Sniper) and I have run the F-Secure online scan and attached the log to this post.
I look forward to hearing what you think.
PS: Your 'attach' function is still not working for me today (it causes my IE6 to consistently crash each time). I know you asked me to paste it, but if it's ok with you, I would prefer to host the file at the location below:
FSecureOnlineScannerLog
How is everything now?
Hi EvilFantasy
Thank you for your continued help with this.
I am amazed and delighted to say that the ominous ntos.exe entry in the UserInit section of my registry has now disappeared. In addition, I have performed scans with SuperAntiSpyware and Malwarebytes Anti-Malware and both have found nothing!
Does this mean that my computer is ok again now?
Does this mean that you're a genius?
Looks good!!!
Final steps.
Set a New Restore Point to prevent possible reinfection from an OLD one
Setting a new restore point AFTER cleaning your system will enable your computer to roll-back to a clean working state if needed.
- Go to Start > Programs > Accessories > System Tools and click System Restore
- Choose the radio button marked Create a Restore Point on the first screen then click Next
- Give the Restore Point a name then click Create.
- The new restore point will be stamped with the current date and time. Keep a log of this so you can find it easily should you need to use System Restore.
- Next go to Start > Run and type Cleanmgr
- Click OK
- Click the More Options Tab.
- Click Clean Up in the System Restore section to remove all previous restore points except the newly created clean one.
Use the Secunia Software Inspector to check for out of date software.
- Click Start Now
- Check the box next to Enable thorough system inspection.
- Click Start
- Allow the scan to finish and scroll down to see if any updates are needed.
- Update anything listed.
Here are some GREAT FREE tools to help you keep from getting infected again. These tools use little or no resources so won't slow down your PC.
To prevent unknown applications from being installed on your computer, install WinPatrol 2008.
Using Winpatrol to protect your computer from malicious software
Another thing I would suggest is installing SiteAdvisor. SiteAdvisor rates sites on business practices and spam.
SpywareBlaster - Secure your Internet Explorer to make it harder for these ActiveX programs to run on your computer. Also stop certain cookies from being added to your computer when running Mozilla based browsers like Firefox.
Using SpywareBlaster to protect your computer from Spyware and Malware
Check out Keeping Yourself Safe On The Web for tips and free tools to keep you safe in the future.
Also see Slow Computer? It May Not Be Malware for free cleaning/maintenance tools to help keep your computer running smooth.
Hello EvilFantasy
Thank you so much for all your help. I have scanned everything again just to be certain and it appears that my computer is definitely healed!
You're a life-saver!
Kind regards
Pipps
No problem.
Safe surfing...