AVG antipsyware doesn't detect this file-why?

I ran superantispyware and it found this:

Scan type : Complete Scan
Total Scan Time : 00:29:31

Memory items scanned : 447
Memory threats detected : 0
Registry items scanned : 8156
Registry threats detected : 0
File items scanned : 44170
File threats detected : 1

Trojan.Downloader-Gen
C:\WINDOWS\SYSTEM32\NTOS.EXE

I do not know if this is a real fine that xp pro needs so i did not quarantine it.
AVG 7.5 antispyware cannot find it- whynot?
In fact Windows defender- ad-aware- spybot, none of them found it.

what is this and is it a false positive? I would think if it was a true trojan why can't the others find it?

thanks
robin

 

Hi, folks: Why not run thru Virus Total? It may be picked up by some of AVs. Good luck.

 

I did and none of them found this file infected.

Now what?

robin

 

Hi, folks: Well, since none of other AVs has echoed SuperAntispyware's finding, the only thing you could do now is to send the file to them for advice. I know their support is w/ lighting speed. Good luck.

 

Maybe ok then. How big is the file in bytes, (in the scan results)

Edit : okay maybe fine if you have no symptoms, or run ntos.exe

FYI Check O4 - HKLM\..\Run: [userinit] C:\WINDOWS\system32\ntos.exe

 

what do you mean by the FYI- explain further please

robin

 

Robin - Can you paste a copy of your virus total report here, so we can see the MD5 of the file and we can see if it matches the known spyware/malware we have of the sample?

I am curious as how you were able to submit the file to VirusTotal - you mentioned it was locked when you contacted us, and could not zip, access nor submit the file. If you were able to submit it to VirusTotal, then you should be able to submit it to us.

Our only definitions dealing with that file require specific information inside which our kernel direct technology allows us to see.

It is likely NOT a false positive, but I would like to see the file to be sure.

 

Robin I have taken the liberty to move your thread to a Forum other than the Ewido Forum so that you can determine first if this is a superantispyware issue. Since "Windows defender- ad-aware- spybot" and "AVG antipsyware" did not detect this item....let's keep the cart before the horse and determine first if SAS is at fault.

Bubba

 

robinb9 :

Hi,
Sorry to confuse, for your information - some samples I have add itself to the start up for various reasons. In a HiJackThis scan it is 04 -
O4 - HKLM\..\Run: [userinit] - Hkey_Local_Machine\Run in the registry and the file - C:\WINDOWS\system32\ntos.exe.

The file size may of gave me some indication as well as the MD5 of the file SuperAntiSpy has asked for, and at this point I'll leave you in his capable hands as it was found by a SAS scan. Good Luck

 

Hello,

Whenever you find an infection, try the following:

First, try to see if your machine is misbehaving - cpu, number of processes running, strange popups etc.

Second, upload the suspect file to virusscan.jotti.org.

Third, perform scans with other applications for comparison.

Fourth, send the culprit file to the vendor for inspection.

Do not use HijackThis as this will scare and confuse you, if you are not familiar with it, and especially do not attempt to fix items on your own.

Whatever course of action you choose to take, make sure you backup your personal stuff.

Mrk

 

First off in defence of "others" is that no one software detects everything and that includes all software types(AV,AT,ASW).All softwares no matter how good or popular will miss stuff unfortunetly.

**Back to the matter in hand,we need to find out whether this is a F/P by SAS or a a genuine detection since ntos.exe(trojan) is one of the more unpleasent trojans you can get on your Pc currently.It is a major security issue(backdoor,password stealer,keylogger and sometimes cloaked under Rustock B "lz32.sys" in active infection,so for your sake we need to divine the files content whether legit or malware as soon as possible!


Have you tried going to windows/system32 file and then locating ntos.exe,right click your mouse and send to my documents.If this is sucessful
it would allow you to upload to Virustotal>>>
http://www.virustotal.com/en/indexf.htm

Also please get a copy off to SUPERantispyware for Nick to review.

Since google search is not very telling about this file "ntos.exe",no1 hit is my topic up at CC MIRT forum tells you about the rarety/emerging threat of this malware or level of information available about it.

For the techs heres some more info related to my 3 archived samples of ntos.exe of what i can divine with my limited knowledge&tools.


(1)ntos.exe MD5: 3e01536789b96f547b0d52aadd440d47

I found this on the 25/10/06 during a borked malware install involving multiple rootkits(Goldun,Rustock B,Sinowal trojans,Agents,Spambots in the mix)
http://www.castlecops.com/t171104-Suspected_MZU_installer_ntos_exe_barely_detected.html

Shows up in HJT as once executed.
Check O4 - HKLM\..\Run: [userinit] C:\WINDOWS\system32\ntos.exe


"Watcher" report
18:43:29: D:\WINDOWS\system32\ntos.exe -- FILE_ADD
18:44:14: D:\WINDOWS\system32\wsnpoem\video.dll -- FILE_ADD
18:44:14: D:\WINDOWS\system32\wsnpoem\audio.dll -- FILE_ADD

This is the ntos installer file and is ultrarare since it is very shortlived.The one run cycle to complete its mission and then it is superceded by another ntos.exe.

This file is detected by SAS but not by AVG 7.5 or Adaware.I did not have Spybot installed to test at this time of posting.

**generated by above executable
(2)ntos.exe MD5: f48ba332beed9e39f7b67321ecfbaebf

HJT log entry
F2 - REG:system.ini: UserInit=D:\WINDOWS\system32\Userinit.exe,D:\WINDOWS\system32\ntos.exe,

This file is detectable by SAS but not by AVG7.5 & Adaware.
However the 2 DLL's produced are hidden from win API but are not detected by SAS
They were visible & recoverable using IceSword file option

(3)ntos.exe Sample c/o Bobby_ @ MIRT Unknown files CastleCops forums
http://www.castlecops.com/t171215-barclay_ntos_exe.html

untested(not installed/active but detected by SAS when sat inactive in my documents folder but again missed by Adaware & AVG7.5 scan.

I believe that one Security professional is shortly to deliver a public paper about this particular malware and its tricks.Any R&D worth there salt would have this one under the microscope.....

~removed a number of VT screenshots....Bubba~

 

Just seen ya post Bubba,my apologies no cart,no horse but almost certainly a smoking gun
SAS is at fault for detecting a trojan that Nick got c/o my sample submitted on the 25/10/06 or Bobby_ sample later @MIRT.

You will notice from the VT screenshots that a lot of the *big names* are missing this particular elusive trojan as well although a few are nailing it on heuristics.

Googling "ntos.exe" reveals its presents in HJT logs of malware inflicted PC's,i'm still looking for legitimate file reference and i'm onto page 2.

So with that i'm sorry if my previous post is presumptious and against the grain of what you posted.

 

The NTOS.EXE samples we have, from FCUKDAT and the ones we have harvested in our labs ARE INDEED SPYWARE. The Audio.DLL / Video.DLL files are not actual DLL files most of the time, and are simple data files that are not executable and simply have the .DLL extension (my opinion) for obfuscation only and do not contatain the actual infection.

Some of the NTOS.EXE samples we have are UPX encoded with altered headers to prevent standard decompression.

SUPERAntiSpyware is able to "see" this file and the other files that often appear "hidden or cloaked" by the rootkit because we have our Kernel Direct technology that bypasses the Windows API and bypasses the hide/cloak attempts.

 

ntos.exe

FAO Nick S and any other Security experts/R&D stumbling by this topic.

It has arrived

Thankyou very much and huge kudo's to the Secure Science Corp and Michael Ligh for such a detailed research paper and sharing it with us all.

http://www.securescience.net/securescienceblog/malwarecasestudy.html

 

Re: ntos.exe

Thanks for the link - we actually weren't stumbling as were were one of the few that detected it already

 

Not the Grassy Knoll again

Due to our position on VT screenshots in regards to who has or who hasn't added the item to their database....I have taken the liberty to remove the VT screenshots.

No problem on this end. We just needed to move the thread to a more appropriate Forum since vendors other than Grisoft were not going to be able to assist if it remained in that product specific forum.

 

Re: ntos.exe

As usual my previous post came out the wrong way,you were already here but anyone googling "ntos.exe" for reference at the moment will find this link ranked #4.

That is what i ment by stumbling onto this thread


Hi Bubba

Did'nt realise there was prob with VT listings here but i do now,thanks for leaving the MD5's alone.My info was not ment as a "walking advert for brand X" so much as heres proof it is malware,it is nasty malware and not many Vendors have it targeted yet at time/date of uploading.Everyone knows that this could change during the course of one update and hopefully with enough publicity it will get elevated in the R&D departments.

 

AVG7.5(Ewido) and Kaspersky have updated their definitions to include the 3 files referenced in this topic overnight

So in reply to the initial topic "it does now"

 

ok in windows32 the audio.dll, vidio.dll and ntos.exe doesn't exist (ntos.exe was quarantined by superantispyware and now I deleted it out of the computer completely. Superantispyware and AVG antispyware is showing me clean when doing a full scan.

I did a search in the registry and found only this key with all 3 files.
What can be deleted?

hkey-currentuser/software/microsoft\Search Assistance\ACMru\5603
on the right side it said:
Default Reg-SZ (value not set)
000 Reg-SZ wsnpoem
001 Reg-SZ ntos.exe
002 Reg-SZ audio.dll
003 Reg-SZ vidio.dll


this is the only place in the whole registry (i did a find) for these 3 files.
now what?

robin

 

also could this key be where I originally did a search in Microsoft "search" for those files? and it is only showing what I searched?
robin

 

I think i figured that out.
It was when i did the searches to check to see if i had these files.
and since I can delete this with this method then i am clean

To clear the search cache, perform the following steps:

1. Stop all Windows Explorer sessions.
2. Start a registry editor (e.g., regedit.exe).
3. Navigate to the HKEY_CURRENT_USER\Software\Microsoft\Search Assistant\ACMru registry subkey.
4. Select and delete each subkey under ACMru, or simply delete the entire ACMru subkey.
5. Close the registry editor.
6. Log off and log on before performing new searches; otherwise, XP will recreate the search cache and store the recreated cache in memory.
robin