AVG antispyware doesn't detect this file - why?

Discussion in 'other anti-malware software' started by robinb9, Nov 16, 2006.

Thread Status:
Not open for further replies.
  1. robinb9

    robinb9 Registered Member

    Joined:
    Apr 3, 2006
    Posts:
    219
    I ran superantispyware and it found this:

    Scan type : Complete Scan
    Total Scan Time : 00:29:31

    Memory items scanned : 447
    Memory threats detected : 0
    Registry items scanned : 8156
    Registry threats detected : 0
    File items scanned : 44170
    File threats detected : 1

    Trojan.Downloader-Gen
    C:\WINDOWS\SYSTEM32\NTOS.EXE

    I do not know if this is a real file that XP Pro needs, so I did not quarantine it.
    AVG 7.5 antispyware cannot find it - why not?
    In fact Windows Defender, Ad-Aware, Spybot: none of them found it.

    What is this, and is it a false positive? I would think if it was a true trojan, why can't the others find it?

    thanks
    robin
     
  2. Perman

    Perman Registered Member

    Joined:
    Nov 23, 2005
    Posts:
    2,160
    Hi, folks: Why not run it through VirusTotal? It may be picked up by some of the AVs. Good luck. :-*
     
  3. robinb9

    robinb9 Registered Member

    Joined:
    Apr 3, 2006
    Posts:
    219
    I did and none of them found this file infected.

    Now what?

    robin
     
  4. Perman

    Perman Registered Member

    Joined:
    Nov 23, 2005
    Posts:
    2,160
    Hi, folks: Well, since none of the other AVs has echoed SuperAntispyware's finding, the only thing you could do now is send the file to them for advice. I know their support is w/ lightning speed. Good luck. :-*
     
  5. Meriadoc

    Meriadoc Registered Member

    Joined:
    Mar 28, 2006
    Posts:
    2,642
    Location:
    Cymru
    Maybe OK then. How big is the file in bytes (in the scan results)?

    Edit: okay, maybe fine if you have no symptoms, or run ntos.exe.

    FYI Check O4 - HKLM\..\Run: [userinit] C:\WINDOWS\system32\ntos.exe
     
    Last edited: Nov 16, 2006
  6. robinb9

    robinb9 Registered Member

    Joined:
    Apr 3, 2006
    Posts:
    219
    What do you mean by the FYI? Explain further please.

    robin
     
  7. SUPERAntiSpy

    SUPERAntiSpy Developer

    Joined:
    Mar 21, 2006
    Posts:
    1,088
    Robin - Can you paste a copy of your VirusTotal report here, so we can see the MD5 of the file and we can see if it matches the known spyware/malware sample we have?

    I am curious as to how you were able to submit the file to VirusTotal - you mentioned it was locked when you contacted us, and you could not zip, access nor submit the file. If you were able to submit it to VirusTotal, then you should be able to submit it to us.

    Our only definitions dealing with that file require specific information inside which our kernel direct technology allows us to see.

    It is likely NOT a false positive, but I would like to see the file to be sure.
     
  8. Bubba

    Bubba Updates Team

    Joined:
    Apr 15, 2002
    Posts:
    11,271
    Robin, I have taken the liberty of moving your thread to a forum other than the Ewido forum so that you can determine first if this is a SuperAntiSpyware issue. Since "Windows Defender, Ad-Aware, Spybot" and "AVG antispyware" did not detect this item... let's keep the cart before the horse and determine first if SAS is at fault.

    Bubba
     
  9. Meriadoc

    Meriadoc Registered Member

    Joined:
    Mar 28, 2006
    Posts:
    2,642
    Location:
    Cymru
    robinb9:
    Hi,
    Sorry to confuse; for your information, some samples I have add themselves to the startup for various reasons. In a HijackThis scan it is O4 -
    O4 - HKLM\..\Run: [userinit] - HKEY_LOCAL_MACHINE\Run in the registry and the file - C:\WINDOWS\system32\ntos.exe.

    The file size may have given me some indication, as well as the MD5 of the file SuperAntiSpy has asked for, and at this point I'll leave you in his capable hands as it was found by a SAS scan. Good luck :)
     
  10. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    8,695
    Hello,

    Whenever you find an infection, try the following:

    First, try to see if your machine is misbehaving - CPU, number of processes running, strange popups etc.

    Second, upload the suspect file to virusscan.jotti.org.

    Third, perform scans with other applications for comparison.

    Fourth, send the culprit file to the vendor for inspection.

    Do not use HijackThis as this will scare and confuse you, if you are not familiar with it, and especially do not attempt to fix items on your own.

    Whatever course of action you choose to take, make sure you back up your personal stuff.

    Mrk
     
  11. fcukdat

    fcukdat Registered Member

    Joined:
    Feb 20, 2005
    Posts:
    569
    Location:
    England,UK

    First off, in defence of the "others": no one piece of software detects everything, and that includes all software types (AV, AT, ASW). All software, no matter how good or popular, will unfortunately miss stuff.

    **Back to the matter in hand: we need to find out whether this is an F/P by SAS or a genuine detection, since ntos.exe (trojan) is one of the more unpleasant trojans you can get on your PC currently. It is a major security issue (backdoor, password stealer, keylogger, and sometimes cloaked under Rustock B "lz32.sys" in active infection), so for your sake we need to divine the file's content, whether legit or malware, as soon as possible!


    Have you tried going to the windows/system32 folder, locating ntos.exe, right-clicking your mouse and choosing "Send to" My Documents? If this is successful
    it would allow you to upload to VirusTotal >>>
    http://www.virustotal.com/en/indexf.htm

    Also please get a copy off to SUPERAntiSpyware for Nick to review.

    Since a Google search is not very telling about this file "ntos.exe" (the no. 1 hit is my topic up at the CC MIRT forum), that tells you about the rarity/emerging threat of this malware and the level of information available about it.

    For the techs, here's some more info related to my 3 archived samples of ntos.exe, of what I can divine with my limited knowledge & tools.


    (1)ntos.exe MD5: 3e01536789b96f547b0d52aadd440d47

    I found this on the 25/10/06 during a borked malware install involving multiple rootkits (Goldun, Rustock B, Sinowal trojans, Agents, Spambots in the mix)
    http://www.castlecops.com/t171104-Suspected_MZU_installer_ntos_exe_barely_detected.html

    Shows up in HJT, once executed, as:
    Check O4 - HKLM\..\Run: [userinit] C:\WINDOWS\system32\ntos.exe


    "Watcher" report
    18:43:29: D:\WINDOWS\system32\ntos.exe -- FILE_ADD
    18:44:14: D:\WINDOWS\system32\wsnpoem\video.dll -- FILE_ADD
    18:44:14: D:\WINDOWS\system32\wsnpoem\audio.dll -- FILE_ADD

    This is the ntos installer file and is ultra-rare since it is very short-lived. It has one run cycle to complete its mission and then it is superseded by another ntos.exe.

    This file is detected by SAS but not by AVG 7.5 or Ad-Aware. I did not have Spybot installed to test at this time of posting.

    **Generated by the above executable
    (2)ntos.exe MD5: f48ba332beed9e39f7b67321ecfbaebf

    HJT log entry
    F2 - REG:system.ini: UserInit=D:\WINDOWS\system32\Userinit.exe,D:\WINDOWS\system32\ntos.exe,

    This file is detectable by SAS but not by AVG 7.5 & Ad-Aware.
    However, the 2 DLLs produced are hidden from the Win API but are not detected by SAS o_O
    They were visible & recoverable using IceSword's file option ;)

    (3)ntos.exe Sample c/o Bobby_ @ MIRT Unknown files CastleCops forums
    http://www.castlecops.com/t171215-barclay_ntos_exe.html

    Untested (not installed/active) but detected by SAS when sitting inactive in my My Documents folder, but again missed by Ad-Aware & AVG 7.5 scans.

    I believe that one security professional is shortly to deliver a public paper about this particular malware and its tricks. Any R&D worth their salt would have this one under the microscope.....

    ~removed a number of VT screenshots....Bubba~
     
    Last edited by a moderator: Nov 17, 2006
  12. fcukdat

    fcukdat Registered Member

    Joined:
    Feb 20, 2005
    Posts:
    569
    Location:
    England,UK
    Just seen your post Bubba; my apologies, no cart, no horse, but almost certainly a smoking gun.
    SAS is at fault for detecting a trojan that Nick got c/o my sample submitted on the 25/10/06 or Bobby_'s sample later @ MIRT.

    You will notice from the VT screenshots that a lot of the *big names* are missing this particular elusive trojan as well, although a few are nailing it on heuristics.

    Googling "ntos.exe" reveals its presence in HJT logs of malware-inflicted PCs; I'm still looking for a legitimate file reference and I'm onto page 2.

    So with that, I'm sorry if my previous post is presumptuous and against the grain of what you posted.
     
  13. SUPERAntiSpy

    SUPERAntiSpy Developer

    Joined:
    Mar 21, 2006
    Posts:
    1,088
    The NTOS.EXE samples we have, from FCUKDAT and the ones we have harvested in our labs, ARE INDEED SPYWARE. The Audio.DLL / Video.DLL files are not actual DLL files most of the time; they are simple data files that are not executable and simply have the .DLL extension (my opinion) for obfuscation only, and do not contain the actual infection.

    Some of the NTOS.EXE samples we have are UPX encoded with altered headers to prevent standard decompression.

    SUPERAntiSpyware is able to "see" this file and the other files that often appear "hidden or cloaked" by the rootkit because we have our Kernel Direct technology that bypasses the Windows API and bypasses the hide/cloak attempts.
     
  14. fcukdat

    fcukdat Registered Member

    Joined:
    Feb 20, 2005
    Posts:
    569
    Location:
    England,UK
    ntos.exe

    FAO Nick S and any other Security experts/R&D stumbling by this topic.

    It has arrived :thumb: :)

    Thank you very much and huge kudos to the Secure Science Corp and Michael Ligh for such a detailed research paper and sharing it with us all.

    http://www.securescience.net/securescienceblog/malwarecasestudy.html
     
  15. SUPERAntiSpy

    SUPERAntiSpy Developer

    Joined:
    Mar 21, 2006
    Posts:
    1,088
    Re: ntos.exe

    Thanks for the link - we actually weren't stumbling, as we were one of the few that detected it already :)
     
  16. Bubba

    Bubba Updates Team

    Joined:
    Apr 15, 2002
    Posts:
    11,271
    Not the Grassy Knoll again :blink:

    Due to our position on VT screenshots in regard to who has or who hasn't added the item to their database... I have taken the liberty of removing the VT screenshots.

    No problem on this end. We just needed to move the thread to a more appropriate forum, since vendors other than Grisoft were not going to be able to assist if it remained in that product-specific forum.
     
    Last edited: Nov 17, 2006
  17. fcukdat

    fcukdat Registered Member

    Joined:
    Feb 20, 2005
    Posts:
    569
    Location:
    England,UK
    Re: ntos.exe

    As usual my previous post came out the wrong way; you were already here, but anyone Googling "ntos.exe" for reference at the moment will find this link ranked #4.

    That is what I meant by stumbling onto this thread ;)


    Hi Bubba

    Didn't realise there was a problem with VT listings here, but I do now; thanks for leaving the MD5s alone. My info was not meant as a "walking advert for brand X" so much as: here's proof it is malware, it is nasty malware, and not many vendors have it targeted yet at the time/date of uploading. Everyone knows that this could change during the course of one update, and hopefully with enough publicity it will get elevated in the R&D departments.
     
  18. fcukdat

    fcukdat Registered Member

    Joined:
    Feb 20, 2005
    Posts:
    569
    Location:
    England,UK
    AVG 7.5 (Ewido) and Kaspersky have updated their definitions overnight to include the 3 files referenced in this topic :)

    So in reply to the initial topic "it does now" :thumb:
     
  19. robinb

    robinb Registered Member

    Joined:
    Jun 22, 2006
    Posts:
    456
    Location:
    NJ
    OK, in windows32 the audio.dll, vidio.dll and ntos.exe don't exist (ntos.exe was quarantined by SuperAntiSpyware and now I have deleted it out of the computer completely). SuperAntiSpyware and AVG antispyware are showing me clean when doing a full scan.

    I did a search in the registry and found only this key with all 3 files.
    What can be deleted?

    hkey-currentuser/software/microsoft\Search Assistance\ACMru\5603
    on the right side it said:
    Default Reg-SZ (value not set)
    000 Reg-SZ wsnpoem
    001 Reg-SZ ntos.exe
    002 Reg-SZ audio.dll
    003 Reg-SZ vidio.dll


    This is the only place in the whole registry (I did a find) for these 3 files.
    Now what?

    robin
     
  20. robinb

    robinb Registered Member

    Joined:
    Jun 22, 2006
    Posts:
    456
    Location:
    NJ
    Also, could this key be where I originally did a search in Microsoft "Search" for those files, and it is only showing what I searched?
    robin
     
  21. robinb

    robinb Registered Member

    Joined:
    Jun 22, 2006
    Posts:
    456
    Location:
    NJ
    I think I figured that out.
    It was when I did the searches to check to see if I had these files,
    and since I can delete this with this method, then I am clean.

    To clear the search cache, perform the following steps:

    1. Stop all Windows Explorer sessions.
    2. Start a registry editor (e.g., regedit.exe).
    3. Navigate to the HKEY_CURRENT_USER\Software\Microsoft\Search Assistant\ACMru registry subkey.
    4. Select and delete each subkey under ACMru, or simply delete the entire ACMru subkey.
    5. Close the registry editor.
    6. Log off and log on before performing new searches; otherwise, XP will recreate the search cache and store the recreated cache in memory.
    robin
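An added example, not code from any poster in this thread: a small Python triage helper for the two registry questions raised here. It parses HijackThis-style O4/F2 lines like the ones fcukdat quoted and flags the ntos persistence pattern (a Run value masquerading as "userinit", or an extra program chained onto the Winlogon UserInit value), and it classifies registry hits so that the ACMru key robinb found is recognised as search history rather than an autostart. The sample lines and the short list of well-known keys are constructed assumptions, not data from anyone's machine.

```python
import re

# Constructed sample lines in HijackThis (HJT) format, modelled on the O4 and F2
# entries quoted in this thread; not a real log from any poster's machine.
SAMPLE_HJT_LINES = [
    r"O4 - HKLM\..\Run: [userinit] C:\WINDOWS\system32\ntos.exe",
    r"O4 - HKLM\..\Run: [SoundMan] C:\WINDOWS\SOUNDMAN.EXE",
    r"F2 - REG:system.ini: UserInit=D:\WINDOWS\system32\Userinit.exe,D:\WINDOWS\system32\ntos.exe,",
    r"F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,",
]

O4_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\Run(?:Once)?: \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
F2_RE = re.compile(r"^F2 - REG:system\.ini: UserInit=(?P<value>.*)$")

def flag_hjt_line(line: str) -> list:
    """Return the reasons an HJT line matches the ntos persistence seen here (empty if none)."""
    reasons = []
    m = O4_RE.match(line)
    if m:
        name, cmd = m.group("name").lower(), m.group("cmd").lower()
        # The real userinit.exe is started via the Winlogon UserInit value, never from
        # a Run entry, so a Run value named "userinit" is borrowing a trusted name.
        if name == "userinit":
            reasons.append("Run value named 'userinit' mimics the Winlogon UserInit setting")
        if cmd.endswith("\\ntos.exe"):  # file name discussed in this thread
            reasons.append("Run entry launches ntos.exe")
        return reasons
    m = F2_RE.match(line)
    if m:
        # UserInit is comma-separated; on a clean XP box only userinit.exe is listed.
        parts = [p.strip() for p in m.group("value").split(",") if p.strip()]
        extra = [p for p in parts if not p.lower().endswith("\\userinit.exe")]
        if extra:
            reasons.append("UserInit chains extra program(s): " + ", ".join(extra))
    return reasons

def classify_registry_hit(key_path: str) -> str:
    """Triage where a file name turned up in a registry search. Assumption: this short
    list of well-known keys, not an exhaustive one. ACMru only records typed search terms."""
    p = key_path.replace("/", "\\").lower()
    if "acmru" in p:
        return "search-history MRU (what you typed into Search), not an autostart"
    if "\\currentversion\\run" in p or "\\winlogon" in p:
        return "autostart location: investigate the referenced file"
    return "unrecognised key: check manually"
```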
     