1. Computer problem? Tech Support Guy is completely free -- paid for by advertisers and donations. Click here to join today! If you're new to Tech Support Guy, we highly recommend that you visit our Guide for New Members.

Newbie: Need help with virus/trojan - ntos.exe

Discussion in 'Virus & Other Malware Removal' started by yazuka, Apr 15, 2008.

Thread Status:
Not open for further replies.
  1. yazuka

    yazuka Thread Starter

    Joined:
    Apr 15, 2008
    Messages:
    2
    I am new to this and don't know much.

    Ok, my pc has just been fixed for a couple of days after there was something wrong with it i.e. it wouldn't switch on and when it did it would switch off after logging on, the USB and sound drives got busted - maybe a fuse blew or something. It's fixed now but had to install a new sounddrive and USB ports. After a couple of days now viruses started popping up, it was quite evident in the windows task manager and there was pop-ups galore, so I downloaded AVG Free Edition and deleted that and then downloaded Counterspy v2.5.1043 and deleted quite a lot of viruses, trojan downloaders and other stuff. One thing however, the ntos.exe and 4 other objects associated with it still remains after numerous attempts. I've scanned it lots of times and deleted it afterwards but it keeps popping back up after another scanning.

    Also, this keeps popping up:

    "buffer overrun detected!

    Program: C:\WINDOWS\explorer.exe

    A buffer overrun has been detected which has corrupted the program's internal state. The program cannot safely continue execution and must now be terminated."

    I press the cross/exit button each time it appears and the explorer bar/taskbar disappears for 5 seconds and reappears.

    I don't know what to do, I only have Counterspy. I tried Spybot but every time it loads the computer restarts - it's not the first time.

    This is what I get from Counterspy:

    Backdoor.Win32.Small.lu Backdoor

    Files detected
    c:\windows\system32\ntos.exe
    C:\WINDOWS\SYSTEM32\WSNPOEM\audio.dll
    C:\WINDOWS\SYSTEM32\WSNPOEM\video.dll
    C:\WINDOWS\SYSTEM32\WSNPOEM


    HiJackThis Log:

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 18:02:21, on 15/04/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\taskmgr.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Sunbelt Software\CounterSpy\SBCSSvc.exe
    C:\Program Files\Sunbelt Software\CounterSpy\SBCSTray.exe
    C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\WINDOWS\System32\Rundll32.exe
    C:\WINDOWS\explorer.exe
    C:\WINDOWS\system32\NOTEPAD.EXE
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
    F2 - REG:system.ini: UserInit=C:\WINDOWS\SYSTEM32\Userinit.exe,C:\WINDOWS\system32\ntos.exe,
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
    O4 - HKLM\..\Run: [spa_start] C:\WINDOWS\System32\Rundll32.exe "C:\WINDOWS\system32\{5cc2aaa6-875b-98c6-e459-72237b9d5c00}.dll" DllInit
    O4 - HKLM\..\Run: [0ce66b80] rundll32.exe "C:\WINDOWS\system32\wkxftfmx.dll",b
    O4 - HKLM\..\Run: [SBCSTray] C:\Program Files\Sunbelt Software\CounterSpy\SBCSTray.exe
    O4 - HKLM\..\Run: [BM0fd5581c] Rundll32.exe "C:\WINDOWS\system32\xujcbwmd.dll",s
    O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
    O4 - HKCU\..\Run: [Drscrqhi] "C:\Program Files\Common Files\W?nSxS\r?gedit.exe"
    O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
    O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
    O8 - Extra context menu item: &D&ownload &with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddLink.htm
    O8 - Extra context menu item: &D&ownload all video with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddVideo.htm
    O8 - Extra context menu item: &D&ownload all with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
    O9 - Extra button: BitComet - {D18A0B52-D63C-4ed0-AFC6-C1E3DC1AF43A} - res://C:\Program Files\BitComet\tools\BitCometBHO_1.2.2.28.dll/206 (file missing)
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O15 - Trusted Zone: *.amaena.com (HKLM)
    O15 - Trusted Zone: *.avsystemcare.com (HKLM)
    O15 - Trusted Zone: *.gomyhit.com (HKLM)
    O15 - Trusted Zone: *.imageservr.com (HKLM)
    O15 - Trusted Zone: *.imagesrvr.com (HKLM)
    O15 - Trusted Zone: *.onerateld.com (HKLM)
    O15 - Trusted Zone: *.safetydownload.com (HKLM)
    O15 - Trusted Zone: *.storageguardsoft.com (HKLM)
    O15 - Trusted Zone: *.trustedantivirus.com (HKLM)
    O15 - Trusted Zone: *.virusschlacht.com (HKLM)
    O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.com/controls/cpcScanner.cab
    O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://www.adobe.com/products/acrobat/nos/gp.cab
    O20 - AppInit_DLLs: "C:\WINDOWS\shwol.dll";"C:\WINDOWS\shwol.dll"
    O23 - Service: Sunbelt CounterSpy Antispyware (SBCSSvc) - Sunbelt Software - C:\Program Files\Sunbelt Software\CounterSpy\SBCSSvc.exe

    --
    End of file - 3887 bytes
     
  2. yazuka

    yazuka Thread Starter

    Joined:
    Apr 15, 2008
    Messages:
    2
    It's still there =/
     
As Seen On
As Seen On...

Welcome to Tech Support Guy!

Are you looking for the solution to your computer problem? Join our site today to ask your question. This site is completely free -- paid for by advertisers and donations.

If you're not already familiar with forums, watch our Welcome Guide to get started.

Join over 733,556 other people just like you!

Loading...
Thread Status:
Not open for further replies.

Short URL to this thread: https://techguy.org/704019

  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.
    Dismiss Notice