problems with virus.. i think ntos.exe

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by softlegends, Apr 8, 2008.

  1. softlegends

    softlegends Private E-2

    Hi!!

    I'm having problems getting rid of ntos.exe.. I tried many tools, restarting the computer in safe mode..

    Also (maybe not related to this problem) my PC gives an error of "Cannot find c:\windows\system32\j7241332.dll" every time I start.

    Hope somebody can help me.. I'm a little desperate..
    Many thanks in advance!!
     
    Last edited by a moderator: Apr 8, 2008
  2. abri

    abri MajorGeek

    Hi softlegends,
    Welcome to Major Geeks!


    I removed your inline log. HijackThis does not give us enough information to be able to solve most malware problems, and specifically not the one you are describing. Please go through the instructions in the READ & RUN ME FIRST and attach the requested logs.

    I will attach your hijackthis log here.
    Thanks.
    abri
     

    Attached Files:

  3. softlegends

    softlegends Private E-2

    Hi abri! Thanks for your fast reply

    Here I attach my Hijack log
     

    Attached Files:

  4. softlegends

    softlegends Private E-2

    I attach AVG report
     

    Attached Files:

  5. softlegends

    softlegends Private E-2

    Is there any way to get rid of this Logger.Zbot.bg?
     
  6. abri

    abri MajorGeek

    Hi softlegends,

    When you ran AVG Antispyware, you didn't have it fix everything it found. Please rerun it and have it fix what it finds.

    Then please continue by going to the READ & RUN ME FIRST. Go through the instructions there. By the looks of your HijackThis log, you will get some relief from this virus as you work through these instructions. Then if there are any further files that need to be removed, we can then identify them from the logs that are produced from the scans.

    We do not rely solely on HijackThis, because it does not give us all the information we need to help you. When you finish the instructions in the READ ME, you'll have several logs to attach to your next post.

    Thanks.
    abri
     
  7. softlegends

    softlegends Private E-2

    Hi abri,

    Thanks for your information. I followed the steps of Read&Run, and here I attach the logs I got..

    Thanks!
     

    Attached Files:

  8. softlegends

    softlegends Private E-2

    Here I attach the last log
     

    Attached Files:

  9. abri

    abri MajorGeek

    Hi softlegends,
    The scans got rid of a lot, but there is still some malware on your computer. Be patient. I will be back tomorrow with some further instructions.
    abri
     
  10. softlegends

    softlegends Private E-2

    Thanks abri,

    There is also something to consider:
    every time I start the computer, it gives me a RUNDLL error saying
    "Error trying to load c:\WINDOWS\SYSTEM32\j7241332.dll, this module cannot be found"

    I would like to get rid of this error..

    Many thanks!!
     
  11. abri

    abri MajorGeek

    Hi softlegends,

    The error message you're getting is not related to a valid file, so let's see what happens if we remove some more malware. Please do the following:

    1) Open your Windows Live Messenger, go to Help -> Customer Experience Improvement Program and turn it off. That will stop you getting all those sqm files.

    2) Go to add/remove programs and uninstall the below:

    - Java(TM) SE Runtime Environment 6 Update 1

    3) Reboot after uninstalling the above.

    4) Install the current version of Sun Java from: Sun Java Runtime Environment


    5) Run C:\MGtools\analyse.exe by double clicking on it. This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    O2 - BHO: (no name) - {61C4F6FA-5F7C-4BE9-A089-F61C4D2B4557} - (no file)
    O2 - BHO: (no name) - {8EE9804B-0684-44B6-8846-245888414D5A} - (no file)
    O2 - BHO: (no name) - {CB4DD2E2-BBA2-4310-AF15-F4F268EE7BF4} - (no file)
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Archivos de programa\Java\jre1.6.0_01\bin\jusched.exe"
    O4 - HKLM\..\Run: [j7241332] rundll32 C:\WINDOWS\system32\j7241332.dll sook
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Archivos de programa\QuickTime\QTTask.exe" -atboottime
    O20 - Winlogon Notify: hggddcc - hggddcc.dll (file missing)
    O20 - Winlogon Notify: winhoq32 - winhoq32.dll (file missing)

    After you click fix, just close hijackthis.


    6) Now download The Avenger by Swandog46, and save it to your Desktop.
    • Extract avenger.exe from the Zip file and save it to your desktop
    • Run avenger.exe by double-clicking on it.
    • Check the 'Input script manually' box.
    • Click on the magnifying glass icon.
    • Copy everything in the Quote box below, and paste it in the box that opens:
    • Now click the 'Done' button.
    • Click on the traffic light icon and OK the prompt.
    • You will be prompted to restart, OK the prompt and your PC should reboot, if not, reboot it yourself.
    • A log file from Avenger will be produced at C:\avenger.txt
    7) Now run CCleaner at the default setting with the Windows tab as the top one.


    8) Please run C:\MGtools\GetLogs.bat and attach the fresh MGlogs.zip it generates along with the Avenger log.


    Let me know how things are running now.

    abri
     
    Last edited: Apr 11, 2008
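    The HijackThis lines abri lists above are all autostart entries whose target file is absent: BHOs marked (no file), Winlogon Notify DLLs marked (file missing), and a rundll32 Run entry pointing at the j7241332.dll that Windows complains about at every boot. The Python script below is an added example, not part of the original thread or of HijackThis: it parses lines in that format and flags the orphaned entries. The set of files present on disk is passed in so the sample runs offline; files_on_disk is a helper (an assumption, not a HijackThis feature) that uses os.path.exists on a real Windows box.

```python
import os
import re

# Sample input: a constructed copy of the HijackThis lines quoted in abri's post above.
HJT_LINES = r"""
O2 - BHO: (no name) - {61C4F6FA-5F7C-4BE9-A089-F61C4D2B4557} - (no file)
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Archivos de programa\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [j7241332] rundll32 C:\WINDOWS\system32\j7241332.dll sook
O4 - HKLM\..\Run: [QuickTime Task] "C:\Archivos de programa\QuickTime\QTTask.exe" -atboottime
O20 - Winlogon Notify: hggddcc - hggddcc.dll (file missing)
O20 - Winlogon Notify: winhoq32 - winhoq32.dll (file missing)
""".strip().splitlines()

# rundll32 <dll path> [entrypoint]: capture the DLL that Windows will try to load at logon.
RUNDLL_RE = re.compile(r'rundll32(?:\.exe)?\s+"?([^",]+?\.dll)"?', re.IGNORECASE)


def classify(line, present_files):
    """Return (section, dll_or_None, reason) for an orphaned autostart, else None.
    present_files is a set of lowercased full paths known to exist on the machine."""
    section = line.split(" - ", 1)[0].strip()
    if "(no file)" in line or "(file missing)" in line:
        # HijackThis already looked for the target and could not find it.
        return (section, None, "autostart references a file HijackThis could not find")
    m = RUNDLL_RE.search(line)
    if m:
        dll = m.group(1)
        if dll.lower() not in present_files:
            # This is the case behind the boot-time RUNDLL "cannot find" error.
            return (section, dll, "rundll32 Run entry loads a DLL that is not on disk")
    return None


def orphaned_entries(lines, present_files):
    """Filter a list of HijackThis lines down to the orphaned autostarts."""
    present = {p.lower() for p in present_files}
    return [r for r in (classify(l, present) for l in lines) if r]


def files_on_disk(lines):
    """Live Windows use: every quoted or rundll32 path in the log that really exists."""
    text = "\n".join(lines)
    paths = re.findall(r'"([^"]+)"', text) + RUNDLL_RE.findall(text)
    return {p for p in paths if os.path.exists(p)}


if __name__ == "__main__":
    # Offline run: pretend only the two legitimate programs are installed.
    present = {r"C:\Archivos de programa\Java\jre1.6.0_01\bin\jusched.exe",
               r"C:\Archivos de programa\QuickTime\QTTask.exe"}
    for section, dll, reason in orphaned_entries(HJT_LINES, present):
        print(f"{section}: {reason}" + (f" ({dll})" if dll else ""))
```

On the sample lines the script reports the three (no file)/(file missing) entries and the j7241332 rundll32 entry, and leaves the Java and QuickTime entries alone.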
  12. softlegends

    softlegends Private E-2

    Hi abri,

    The computer had a huge huge improvement!.. very fast now..

    Just with the Avenger, it gave me an error while executing, but maybe because I already deleted that in a previous step..

    That RUNDLL message every time I restart also disappeared.

    Let me know what you think about the logs..

    Many Thanks!!
     

    Attached Files:

  13. abri

    abri MajorGeek

    Hi softlegends,

    Please go into Windows Explorer and look directly under C:\ for files that have the following structure and delete them all: (There are quite a few of them)

    sqmnoopt12.sqm
    sqmnoopt13.sqm


    Then I would like for you to follow the instructions in Using SDFix.

    After you finish, please run CCleaner.

    Then run C:\MGtools\GetLogs.bat and attach the fresh MGlogs.zip along with the log produced by SD Fix.

    How is your computer doing now?

    abri
     
  14. softlegends

    softlegends Private E-2

    Hi abri!

    Thanks again for your great support.
    I did all the steps you suggested me.

    I think the computer is recovering well.. what's your opinion?
     

    Attached Files:

  15. abri

    abri MajorGeek

    Hi softlegends,

    Your computer is getting better, but I would like for you to do a little bit more before we are finished.

    Please look for the following file and try to delete it along with any other files that are in that directory. Windows will not allow you to delete files from the current date. Just leave those.

    C:\WINDOWS\Temp\fa56d7ec.$$$

    If you cannot see this file or if it fails to delete, please run SD Fix again as you did in post 13 and attach the log to your next post along with a fresh MGlogs.zip.

    I would also like for you to run the Alternative Scans page, scroll about halfway down the page and run the GMER rootkit scan. Attach this log as well.

    abri
     
  16. softlegends

    softlegends Private E-2

    Hey abri! Thanks a lot for your help..

    I tried to delete "C:\WINDOWS\Temp\fa56d7ec.$$$", but I couldn't. I also tried with Killbox.exe, but not possible..

    I ran SD Fix, and when SD Fix reboots the computer (and shows the log on the screen), the computer gets stuck in a blue screen (I tried twice, and finally I had to restart)..

    I attach the logs you asked for.. Thanks!!
     

    Attached Files:

  17. abri

    abri MajorGeek

    Hi softlegends,

    Please run this scan. See if it deletes these files ending with the $$$. If not, then continue on with the rest of the instructions. However, if it does delete them, please rerun GetLogs.bat as in the previous posts and attach the fresh MGlogs.zip. You can find the scan here: Dr. Web Cureit

    If the above was not successful in removing those files, please continue here:

    1) Please download ATF Cleaner by Atribune. This program does not require an installation. The executable actually runs the program.

    NOTE: This program is for Windows XP and Windows 2000 only. ATF Cleaner will remove all files from the items that are checked, so if you have some cookies you'd like to save, please move them to a different directory first.
    • Double-click ATF-Cleaner.exe to run the program.
    • Under Main choose: Select All
    • Click the Empty Selected button.
    If you use Firefox browser
    • Click Firefox at the top and choose: Select All
    • Click the Empty Selected button.
      • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
    If you use Opera browser
    • Click Opera at the top and choose: Select All
    • Click the Empty Selected button.
      • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
    Click Exit on the Main ATF Cleaner menu to close the program.


    2) Now please make a copy of these instructions and save them in Notepad somewhere like the desktop where you can find them again. After you do that, I would like for you to physically disconnect your computer from the internet. Then disable any protection software you have running including any Firewalls, Antivirus and Antispyware programs.

    3) Now run Avenger
    • Run avenger.exe by double-clicking on it.
    • Do not change any check box options!!
    • Copy everything in the Quote box below, and paste it into the Input script here: part of the window:
    • Now click the 'Execute' button.
    • Click Yes to the prompt to confirm you want to execute.
    • Click Yes to the Reboot now? question that will appear when Avenger finishes running.
    • Your PC should reboot, if not, reboot it yourself.
    • A log file from Avenger will be produced at C:\avenger.txt
    4) Now run ATF Cleaner again.

    5) After you complete the above, reenable your protection software and reconnect to the internet.

    6) Finally I would like for you to run C:\MGtools\GetLogs.bat and attach the fresh C:\MGlogs.zip it generates along with the Avenger log.




    Let me know how things are running now.

    abri
     
  18. softlegends

    softlegends Private E-2

    Hi Abri,

    I ran all the steps.. everything seems very ok, but the file fa56d7ec.$$$ is still there.. do you think it's a problem? I think it is related to a backup file of AutoCAD.. let me know..

    Many thanks!!
     

    Attached Files:

  19. abri

    abri MajorGeek

    Hi softlegends,

    I would be happy to know they are related to backup files for AUTOCAD. Why do you think this?
    My main worry about the $$$ files is that they were picked up by SDFix as malware and it attempted to delete them. In the same report, it mentioned that there are signs in your log of an MBR rootkit infection. I would like for you to still run GMER which is a rootkit scan and if that doesn't find anything, I think that's all we can look for.

    SDFix did not say that the $$$ files are those which indicate a rootkit infection, however, the only other thing it specified was your antivirus program, therefore I'm not sure what else to suspect or on what basis it might be seeing signs of an MBR rootkit.

    The problem with all of these scans is that they detect each other as harmful and this creates false positives. If the $$$ are related to AUTOCAD, then I'd be much more prone to think that SDFix is picking up false positives.

    If you want to run GMER, it can be found in the Alternative Scans page about halfway down. If you decide to run it, please post the log afterwards.

    Other than that, your computer is looking good. After I hear back from you again, I will post you the final cleanup instructions.

    Thanks.
    abri
     
