ran superantispyware and got this- is this a real trojan?

Robin

Windows defender cannot find it
AVG antivirus did not find it
AVG spyware did not find it

only superantispyware did.
I will not remove this unless someone here tells me what this is.
Does Windows need this file? I do not want to delete it and find that now
Windows XP doesn't run or runs funky.

Application Version : 3.3.1020

Core Rules Database Version : 3131
Trace Rules Database Version: 1149

Scan type : Complete Scan
Total Scan Time : 00:29:31

Memory items scanned : 447
Memory threats detected : 0
Registry items scanned : 8156
Registry threats detected : 0
File items scanned : 44170
File threats detected : 1

Trojan.Downloader-Gen
C:\WINDOWS\SYSTEM32\NTOS.EXE
 
Guest

Robin,
A search of my computer does not find this file, ergo it is not a
default/necessary Windows XP file.

A Yahoo search "seems" to indicate malware.
Do you have a secondary virus checker? If it is to be considered a virus,
AVG antivirus has failed. If it is to be considered a virus I am surprised
that SASW caught it, but there is some overlap between viruses and spyware in
some programs.

Perhaps one of those online scans, not using your current products of
course, would help.

I would look at the file with suspicion, but at the same time SASW is not
among my #1, Most Trusted programs, so I would be hesitant.

Any idea how it showed up all of a sudden?

?:)
Tim
 
robinb

I am running BitDefender on that computer now to see if it comes up with
anything.
robin
 
Guest

Hi Robin:

Find the routine with Windows Explorer and hover your mouse pointer over the
file to get creation date, etc. Might provide a clue as to time of
infection.
 
Dave M

Cause nobuddie sent it in to Uncle Bill yet as an undetected item... it's
your chance to be heroine of the day... lol
 
Robin

ok now what?

there is the result from virustotal.com
Complete scanning result of "ntos.exe", received in VirusTotal at
11.16.2006, 18:27:33 (CET).

Antivirus Version Update Result
AntiVir 7.2.0.39 11.16.2006 no virus found
Authentium 4.93.8 11.16.2006 no virus found
Avast 4.7.892.0 11.15.2006 no virus found
AVG 386 11.16.2006 no virus found
BitDefender 7.2 11.16.2006 no virus found
CAT-QuickHeal 8.00 11.16.2006 no virus found
ClamAV devel-20060426 11.16.2006 no virus found
DrWeb 4.33 11.16.2006 no virus found
eTrust-InoculateIT 23.73.57 11.16.2006 no virus found
eTrust-Vet 30.3.3195 11.16.2006 no virus found
Ewido 4.0 11.16.2006 no virus found
Fortinet 2.82.0.0 11.16.2006 no virus found
F-Prot 3.16f 11.16.2006 no virus found
F-Prot4 4.2.1.29 11.16.2006 no virus found
Ikarus 0.2.65.0 11.16.2006 no virus found
Kaspersky 4.0.2.24 11.16.2006 no virus found
McAfee 4897 11.16.2006 no virus found
Microsoft 1.1609 11.16.2006 no virus found
NOD32v2 1868 11.15.2006 no virus found
Norman 5.80.02 11.16.2006 no virus found
Panda 9.0.0.4 11.16.2006 no virus found
Prevx1 V2 11.16.2006 no virus found
Sophos 4.11.0 11.16.2006 no virus found
TheHacker 6.0.1.119 11.15.2006 no virus found
UNA 1.83 11.15.2006 no virus found
VBA32 3.11.1 11.16.2006 no virus found
VirusBuster 4.3.15:9 11.16.2006 no virus found
 
Guest

Robin,

I would contact SASW and ask them to Verify (Is confidence HIGH, considering
that no one else is finding it). Ask when it was added to the detections.

Couldn't hurt

?:)
Tim
 
Dave M

....ummmm that wasn't what I expected... how about the file itself, was it
the same size and MD5 hash as listed in that CastleCops thread? Perhaps
the CastleCops detected file was injected and yours is not exactly the same
file... As Tim wrote, I don't have that file either on my XP/SP2, although
there is a similarly named one... ntoskrnl.exe at 2,136,576 bytes in
system32... that's a common trick to make you think it could be part of the
system. Until you get this cleared up, let SAS quarantine it would be my
recommendation, as that way you could always get it back. Nick Skrepetos
may be able to answer this query, as he has a way of finding web references
that feature his name (wink), or you could query SAS support with your new
virustotal results to see what they have to say. If it's the free version
they may take a bit longer but they do answer eventually, and meanwhile
ntos.exe will have a nice cozy place to rest in quarantine.
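A small triage helper covering the checks Tim and Dave describe above (creation and modification timestamps, file size, MD5, and the "ntos.exe looks like ntoskrnl.exe" point), as an added example that is not from the thread or from any of the products mentioned. It hashes and stats a file without running it, compares the result to a published reference size and hash (both passed in as placeholders here), and flags names that imitate a known system binary. The KNOWN_SYSTEM_NAMES list and the stand-in file it creates are constructed for the example.

```python
import hashlib
import os
import tempfile
from datetime import datetime, timezone

# Assumed list of legitimate Windows binaries that a dropped file might imitate.
# Constructed for this example; only ntoskrnl.exe is actually named in the thread.
KNOWN_SYSTEM_NAMES = {"ntoskrnl.exe", "smss.exe", "csrss.exe", "svchost.exe", "lsass.exe"}


def file_triage(path):
    """Collect size, hashes and timestamps for a file without executing it."""
    st = os.stat(path)
    md5 = hashlib.md5()
    sha256 = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            md5.update(chunk)
            sha256.update(chunk)
    return {
        "name": os.path.basename(path).lower(),
        "size": st.st_size,
        "md5": md5.hexdigest(),
        "sha256": sha256.hexdigest(),
        # st_ctime is creation time on Windows and inode change time elsewhere.
        "created": datetime.fromtimestamp(st.st_ctime, tz=timezone.utc).isoformat(),
        "modified": datetime.fromtimestamp(st.st_mtime, tz=timezone.utc).isoformat(),
    }


def matches_reference(info, ref_size, ref_md5):
    """True only when both size and MD5 equal a published reference listing."""
    return info["size"] == ref_size and info["md5"].lower() == ref_md5.lower()


def lookalike_of(name, known=KNOWN_SYSTEM_NAMES):
    """Return the system binary that `name` imitates, or None.

    A name counts as a lookalike when its stem is a prefix of a known stem
    (ntos -> ntoskrnl) or differs from it by exactly one character
    (svch0st -> svchost). An exact match is the real thing, not a lookalike.
    """
    stem = os.path.splitext(name.lower())[0]
    for k in known:
        kstem = os.path.splitext(k)[0]
        if stem == kstem:
            return None
        if len(stem) >= 3 and kstem.startswith(stem):
            return k
        if len(stem) == len(kstem) and sum(a != b for a, b in zip(stem, kstem)) == 1:
            return k
    return None


def demo():
    """Build a harmless stand-in file named like the one in the thread and triage it."""
    tmpdir = tempfile.mkdtemp()
    path = os.path.join(tmpdir, "ntos.exe")
    with open(path, "wb") as fh:
        # Constructed sample: an MZ header followed by padding and a marker string.
        fh.write(b"MZ" + b"\x00" * 62 + b"constructed sample, not a real binary")
    info = file_triage(path)
    info["lookalike_of"] = lookalike_of(info["name"])
    return info


if __name__ == "__main__":
    result = demo()
    for key, value in result.items():
        print(f"{key:13}: {value}")
```

Run it against the real path (C:\WINDOWS\SYSTEM32\NTOS.EXE in this thread) instead of the constructed sample, then hand the size and both hashes to the vendor or forum helper; a size and MD5 that do not match the published listing is exactly the "not the same file" case Dave raises.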
 
Robin

I did, they have not emailed me back yet.
Weird that I did a scan a few days ago and did not find this,
and btw the file is from 8/4/2004.
Ummm, this computer is 5 months old.
robin
 
Guest

Robin,
From yesterday's SASW update:

Trojan Downloader-SystemSafetyAlerter 1 Items Added/Updated
Trojan.DollarRevenue/Installer 2 Items Added/Updated
Trojan.Downloader-BigP/Bare 3 Items Added/Updated
Trojan.Downloader-FatB 1 Items Added/Updated
Trojan.Downloader-FreeProd 5 Items Added/Updated
Trojan.Downloader-Gen 3 Items Added/Updated <----------------------- *
Trojan.Downloader-Gen/Win 3 Items Added/Updated <--------------------
Trojan.Downloader-NoCondm 3 Items Added/Updated
Trojan.Downloader-SMSS/Fake 2 Items Added/Updated
Trojan.Downloader-Snafu 3 Items Added/Updated
Trojan.Elite Media/Installer 3 Items Added/Updated
Trojan.Hide-Evr/Rootkit 2 Items Added/Updated
Trojan.Media-Codec 2 Items Added/Updated
Trojan.MZU_DRV-Rootkit 3 Items Added/Updated
Trojan.Unknown Origin 5 Items Added/Updated
Trojan.ZQuest
 
Robin

Ya, this is what it is coming from, but
when I try to send them the file like they asked, it says it is read only or
locked and will not go.
I took it off "read only" but it still will not go, so how the heck do I send
it?
robin
 
Guest

My enquiries seem to suggest you have a trojan on that machine. As a starting
point, my advice would be to download and run HJT, as you will almost
certainly be asked to provide the log later:

http://www.majorgeeks.com/download3155.html

Run it and save the results to Notepad, then go to the Castle Cops forum,
post the problem, and they will be happy to assist you. They will talk you
through and point you to other tools which may be necessary to download in order to
identify the problem and how to resolve it. It can be lengthy but is
definitely worth the effort.

http://www.castlecops.com/

Stu
 
robinb

Nick replied to me and told me if it will not allow me to send it, then I
can assume it is spyware, and he told me to quarantine it and see if anything
happens if Windows needs it.
robin
 
Robin

After googling this ntos.exe I find that it is indeed spyware, and I took
Nick's advice and quarantined it.
I will give it about a month and if I find no problems with XP I will delete
the sucker.
robin
 
Guest

Robin said:
ok now what?

there is the result from virustotal.com
Complete scanning result of "ntos.exe", received in VirusTotal at
11.16.2006, 18:27:33 (CET).

All those negative results seem baffling, particularly when this file
'ntos.exe' is presumably sitting there among the Systems files for all to
see, and can be discovered to be spyware merely by Googling!

How could they possibly have missed this?
 