About me:

I am a still relatively young (in my thirties) computer engineer from Ljubljana. The topics that interest me most: world events (news, politics), history, science (especially space).

Infection with ntos.exe and a few other things

Okay, even though in my previous post on this blog about the usefulness of anti-virus programs (at least in my specific case, that is, given my extensive knowledge) I wrote that I basically don't need an AV program at all, or more precisely that I don't need its so-called “resident protection” feature (which practically all of these programs offer), I admit that in this concrete case of the infection with the “ntos.exe” virus an AV program might even have come in handy. That is by no means a certainty, though (which is why I wrote “might”), because luckily this virus never got the chance to start (read: load into RAM) and run as a process, so in all likelihood the “resident protection” of my “Avast!” AV program would not have managed to detect it either. In short, the only way it could have been found would have been by “manually” scanning the directory (in which this .exe file is located), for which I would obviously have had to suspect in advance that something was “wrong” with this file (so that I would even decide to scan that directory), or in other words, that it is malicious.

I described all of this in great detail in the thread “Another ‘ntos.exe’ related thread: a warning!!“: http://www.castlecops.com/postitle203409-0-0-.html, which I opened on the forum of the “CastleCops” website (yeah, the Autoruns program was a great help to me here); below you have a copy of my opening post.

Hey all after some time; I am posting this here (I really hope it’s the right section/part; please mods move it if it isn’t) because the barclay (ntos.exe) thread here on CastleCops forum is already closed… You see, today I noticed a file named “ntos.exe” in my “D:\Settings\Username\Data” directory, therefore I’ve checked on the Internet and indeed I found out with Google (see here: ntos.exe – Google Search) that it’s some sort of a virus.

And on that Google result-page I also noticed a link to this thread Recently Appearing Trojan Ntos.exe on the Lavasoft Support forums, and the following quote:

[quote]To my frustration by deleting the ntos.exe file i could never log on to windows again. I searched through the net but i could not find any solution rather …[/quote]

Yeah, how lucky I am to check it out before rebooting the computer. Because you see, naturally I deleted the file in question immediately (btw. after I checked/scanned it, the Prevx2 program also considers it malware), but in the registry it was still “D:\Settings\Username\Data\ntos.exe” instead of “D:\WINDOWS\system32\userinit.exe” for the “userinit” value under the “HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run” key.

Of course I changed it back to the original value data, since not doing so would most likely result in me not being able to boot-up (or just log-on) anymore the next time after restarting the computer.

So be warned to check out the respective registry key after deleting that file in case of this particular infection!!

satyr

So, as you can see, I was totally lucky to notice on Google that text from some user who wrote that after removing this virus he could no longer successfully log on to the system. Namely, this virus installs itself in place of Windows' “userinit.exe” in the “HKCU\…\Run” key in the registry, so after removing it the data of this registry value has to be set back to point to the mentioned file, as it should.
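As an added example (not part of the original post or of any tool mentioned in it), here is a small Python check over a constructed `.reg` export of the Run key quoted above: it flags a `userinit` value that points anywhere other than the real userinit.exe and builds the `.reg` line that restores it. The sample export, the `D:` system drive and the expected path follow the post's own description; the parser and function names are my own.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample: what an export of the Run key named in the post could
# look like while the ntos.exe infection is in place (sample data, not a real
# export from the original page).
SAMPLE_REG_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"userinit"="D:\\Settings\\Username\\Data\\ntos.exe"
'''

# The post's system drive is D:, so this is the value the post restores.
EXPECTED_USERINIT = r"D:\WINDOWS\system32\userinit.exe"


def parse_reg_values(text: str) -> Dict[str, Dict[str, str]]:
    """Parse the string (REG_SZ) values of a .reg export into {key: {name: data}}."""
    result: Dict[str, Dict[str, str]] = {}
    current = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            result.setdefault(current, {})
        elif current is not None:
            m = re.match(r'^"([^"]+)"="(.*)"$', line)
            if m:
                # .reg files escape backslashes and quotes; undo that.
                data = m.group(2).replace('\\\\', '\\').replace('\\"', '"')
                result[current][m.group(1)] = data
    return result


def find_hijacked_userinit(text: str, expected: str = EXPECTED_USERINIT) -> List[Tuple[str, str, str]]:
    """Return (key, name, data) for every 'userinit' value not pointing at the real userinit.exe."""
    findings = []
    for key, values in parse_reg_values(text).items():
        for name, data in values.items():
            if name.lower() == "userinit" and data.strip('"').lower() != expected.lower():
                findings.append((key, name, data))
    return findings


def remediation_line(finding: Tuple[str, str, str], expected: str = EXPECTED_USERINIT) -> str:
    """Build the .reg fragment that sets the value back to the path the post describes."""
    key, name, _ = finding
    return f'[{key}]\n"{name}"="{expected.replace(chr(92), chr(92) * 2)}"'
```

Run `find_hijacked_userinit(SAMPLE_REG_EXPORT)` against an export taken before rebooting; an empty result means the value already points back at userinit.exe.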

Secondly, I am also adding my post from the thread titled “smsghzgh.dll WTH?“: http://episteme.arstechnica.com/…/482002547831 on the “Ars OpenForum” forum (this one I did not open myself), where I write a bit in general about which programs I use (most of them Sysinternals tools) to monitor my system.

[QUOTE]Originally posted by Fulgan:
Here is the ONLY sure way to get rid of your malware:

1/ Backup data from HDD (Data only)
2/ Wipe all HDDs
3/ reinstall OS and applications from original media.
4/ restore backup of data
5/ Profit

Anything less than this is just playing dice with your machine: once you managed to get it compromised this much, you’ll never be sure to be rid of all the nasty critters.[/QUOTE]

Oh and yes, one more thing: I *somehow* don’t agree with what was said in the post quoted above, in fact I don’t agree with it at all …

I mean at least in my own particular situation (I can’t say/know for vwracer409, but AFAIK he is also quite knowledgeable in such stuff), i.e. the general knowledge of what processes are normally running etc., and with the help of a few Sysinternals utilities, namely the Process Explorer and Filemon programs (which I am running more or less non-stop anyway; and yeah, I am a “monitoring” freak too, which surely helps here), then the Autoruns program, and possibly also the Regmon and TcpView programs (in the case of the latter one, it’s to see if anything suspicious, the process that is, is connecting to the Internet), I consider a complete HD-wipe and/or a complete re-install of the OS to be unnecessary!!

And btw. my current Windows installation is from June 2005 (that means more than two years old), and though I was indeed infected a few times in the meantime (mostly it was my own fault, for instance when I launched a process which I was certain was a virus/trojan, but wanted to see the effects anyway), the system is running flawlessly anyway. For example see the /Fixed: HELP: My computer was probably infected and now I am afraid to reboot thread that I opened on Ars OpenForum, and the similarly titled /Fixed: My PC probably infected; now I am afraid to reboot one that I opened on the CastleCops forum back then (of course, if you are interested), in which I described the solution to this specific infection in great detail (it was an infection with the “Haxdoor” trojan); in particular see the various techniques that I described there, with which I managed to finally get rid of the “ydsvgd.dll” (this one was “findable” with PE’s “Find Handle or DLL” feature, but none of the listed/visible processes owned it) and “ycsvgd.sys” trojan files.

shirker

Well, that is about all I had to say for today. Let me nevertheless stress that all the infections I have had to deal with on my PC recently were exclusively the result of my experimenting, and not of ignorance and/or naivety.

P.S. – And one more thing: that link to the RegMon program in the post above is outdated and should point here instead.

Tadej


One Comment on “Infection with ntos.exe and a few other things”

  1. CrniAngeo says:

    It can be fixed with ComboFix + SDFix. Tested 😉

