TechSpot

HJT Log Analysis

By GTek
Oct 18, 2008
  1. *EDIT* Please look here http://www.techspot.com/vb/topic114567.html last post *EDIT*

    Hi people, my PC, I believe, has been infected by a virus (?). Well, most likely. Well, I've done a HijackThis log and wish for an analysis of the log.

    Some symptoms are that the PC constantly restarts every now and then when I log on to a Windows account. Most programs that I attempt to launch fail and result in an error msg. Therefore I couldn't run the 8-step removal guide, but I did manage to do the CCleaner (because I had it installed previously).

    Logging on to the Windows account not in safe mode usually crashes within the first few minutes, making it hard to actually run any processes. My anti-virus is Eset, but Eset also crashes while loading, making it impossible to do a virus scan, and during safe mode scanning also seems to close unexpectedly. To put it simply, programs eventually crash when running.

    Well, I hope for the best and thank those who help. Thanks!
     
  2. momok

    momok TS Rookie Posts: 2,265

    Can HJT be run in normal mode? Can any of your virus scanners work in safe mode?
    This entry hints you have been infected with a rootkit. But I can't be sure what causes your crashes; could be RAM or something else.

    To be sure, please try downloading Panda antirootkit from HERE. Let us know the results of the scan.
     
  3. rf6647

    rf6647 TS Maniac Posts: 829

    Do not fix O10 entry. Trained volunteer is needed.
    O10 - Broken Internet access because of LSP provider 'c:\program files\netlimiter\nl_lsp.dll' missing

    Disable these services. HJT fix check should accomplish this.
    O23 - Service: Remote Administrator Service (r_server) - Unknown owner - C:\WINDOWS\system32\r_server.exe
    O23 - Service: sdktemp - Unknown owner - C:\WINDOWS\sdktemp.exe (file missing)

    HJT fix check these entries
    O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
    O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')

    Up to this point, no files are deleted.

    Download ONLY the programs found in the 8-step Malware Removal Guide.

    Caution: Our trained volunteers may substitute different tools from what is cited below:

    Reason from HJT tutorial –
    Seek advice from an experienced user when fixing these errors. It is also advised that you use LSPFix, see link below, to fix these.

    You should use extreme caution when deleting these objects if it is removed without properly fixing the gap in the chain, you can have loss of Internet access.
    There is a tool designed for this type of issue that would probably be better to use, called LSPfix. For a great list of LSP and whether or not they are valid you can visit Zupe's LSP List
     
  4. GTek

    GTek TS Rookie Topic Starter

    Well, I've downloaded the anti-rootkit and ran it in both safe and normal mode and no rootkits have been found, according to its statistics.
    HJT I've managed to run in normal mode, but the problem is, now HJT seems to hang when it's scanning the section

    O4 - Registry & Start Menus Autoruns

    Now does this mean I should post what I've enabled in "msconfig" to run at startup?

    As for virus scanners, it takes several attempts to get it running. Most of the time errors come up upon trying to start up, even more common it says the program/file is corrupt. What's even weirder is, if I restart the PC and try running the program again, sometimes it works again .. sometimes it doesn't and the same error/corrupt msg pops up.

    In the matter that I do get it up and running, once I start the scan so far I haven't been successful in getting a complete scan of the system in neither safe mode or normal mode. The closest was with Spybot Search and Destroy where it almost completed the scan but the PC restarted out of nowhere and ... all was lost. But out of that report I got the reports of a spyware called "Zango, Zango Shopping Reports".

    To be more accurate I guess the crashes are more like restarts, just ends the session and starts back up at the boot screen and loads its way to the Windows Login screen.

    I've also followed what you've said and removed the appropriate ones. What's weird is every time I removed this entry

    O23 - Service: Remote Administrator Service (r_server) - Unknown owner - C:\WINDOWS\system32\r_server.exe

    It comes back in the new scan, regardless of how many times I remove it. But the others have been removed fine. As for the LSP, the 2 that showed up in the HJT log were both valid. So I fixed the one that showed up in the LSPFix program and my net is working fine, so I guess that's a good sign?

    Well with that done, what's next? And thanks so much for the help, it really is appreciated. Without you I'd be hopeless.
     
  5. rf6647

    rf6647 TS Maniac Posts: 829

    Code:
    If you succeeded in downloading MBAM and SAS, 
    then execute the 8-step malware removal guide.
    These are not proper startup items unless created by you.
    MBAM will look at these when we restore them.

    HJT fix check only if you agree. HJT (advance) can restore these.

    O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

    These are blacklisted (per robtex)
    O17 - HKLM\System\CCS\Services\Tcpip\..\{8AB7C52D-6218-45FF-8C7B-9DD5AB0822F3}: NameServer = 203.2.75.152,198.142.0.51
    O17 - HKLM\System\CCS\Services\Tcpip\..\{D72A390A-14C9-4C04-8C0A-C66B25DBBA53}: NameServer = 203.2.75.152,198.142.0.51
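    The triage rf6647 applies in these two posts (O10 LSP entries that need LSPFix rather than an HJT fix, O23 services with an unknown owner or a missing file, O4 run entries that are not proper startup items, O17 NameServer entries to be checked against the ISP's resolvers) can be scripted so the same checks run over a whole log. The following is an added example, not code from the thread or from HijackThis. The sample log is constructed from the entries quoted in this thread plus one made-up benign service line (Example Vendor) to show a service that is not flagged; the set of expected nameservers is an assumption the operator supplies (in the thread it was settled by a whois lookup).

    ```python
    import re
    from typing import List, NamedTuple, Set

    # Constructed sample: HJT lines quoted in this thread, plus one made-up benign
    # O23 line ("Example Vendor") so a service with a known owner is present.
    SAMPLE_LOG = r"""
    O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
    O10 - Broken Internet access because of LSP provider 'c:\program files\netlimiter\nl_lsp.dll' missing
    O17 - HKLM\System\CCS\Services\Tcpip\..\{8AB7C52D-6218-45FF-8C7B-9DD5AB0822F3}: NameServer = 203.2.75.152,198.142.0.51
    O23 - Service: Remote Administrator Service (r_server) - Unknown owner - C:\WINDOWS\system32\r_server.exe
    O23 - Service: sdktemp - Unknown owner - C:\WINDOWS\sdktemp.exe (file missing)
    O23 - Service: Example Vendor Service (exsvc) - Example Vendor Inc. - C:\WINDOWS\system32\exsvc.exe
    """


    class Entry(NamedTuple):
        section: str  # HJT section code, e.g. "O4", "O17", "O23"
        body: str     # text after the "O4 - " prefix


    class Finding(NamedTuple):
        section: str
        reason: str   # short tag saying why the entry deserves a look
        body: str


    ENTRY_RE = re.compile(r"^([ORFN]\d+)\s*-\s*(.*)$")
    O4_RE = re.compile(r"^(?P<hive>\S+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
    O17_RE = re.compile(r"NameServer = (?P<servers>[\d.,\s]+)$")
    O23_RE = re.compile(r"^Service: (?P<name>.*?) - (?P<owner>.*?) - (?P<path>.*)$")


    def parse_hjt(text: str) -> List[Entry]:
        """Split an HJT log into (section, body) entries; non-entry lines are skipped."""
        entries = []
        for raw in text.splitlines():
            m = ENTRY_RE.match(raw.strip())
            if m:
                entries.append(Entry(m.group(1), m.group(2)))
        return entries


    def triage(entries: List[Entry], expected_nameservers: Set[str]) -> List[Finding]:
        """Apply the checks used in this thread to each entry and return what to look at."""
        findings: List[Finding] = []
        for e in entries:
            if e.section == "O10":
                # LSP chain entries: never "fix" with HJT; repair the chain with LSPFix.
                findings.append(Finding(e.section, "lsp_chain", e.body))
            elif e.section == "O23":
                m = O23_RE.match(e.body)
                if not m:
                    continue
                if "(file missing)" in m.group("path"):
                    findings.append(Finding(e.section, "service_file_missing", e.body))
                elif m.group("owner") == "Unknown owner":
                    findings.append(Finding(e.section, "service_unknown_owner", e.body))
            elif e.section == "O17":
                m = O17_RE.search(e.body)
                if not m:
                    continue
                servers = [s.strip() for s in m.group("servers").split(",") if s.strip()]
                unexpected = [s for s in servers if s not in expected_nameservers]
                if unexpected:
                    findings.append(Finding(e.section, "nameserver_unexpected:" + ",".join(unexpected), e.body))
            elif e.section == "O4":
                m = O4_RE.match(e.body)
                if not m:
                    continue
                cmd = m.group("cmd")
                exe = cmd.split()[0] if cmd.split() else ""
                if exe.lower().endswith("msconfig.exe") and "/auto" in cmd.lower():
                    # msconfig re-adding itself at logon is not a normal startup item.
                    findings.append(Finding(e.section, "msconfig_auto", e.body))
                elif "\\" not in exe and ":" not in exe:
                    # Bare filename with no path: the file on disk cannot be verified from the log.
                    findings.append(Finding(e.section, "bare_filename", e.body))
        return findings


    if __name__ == "__main__":
        # Assumption: the operator has confirmed these two resolvers belong to the ISP.
        isp_resolvers = {"203.2.75.152", "198.142.0.51"}
        for f in triage(parse_hjt(SAMPLE_LOG), isp_resolvers):
            print(f"{f.section:4} {f.reason:24} {f.body}")
    ```

    Run with an empty `expected_nameservers` set to have every O17 entry surface for a whois check; once the resolvers are confirmed, pass them in and only foreign nameservers are reported. Everything else the script flags still needs a human decision, as rf6647 says: the O10 line is reported so it is handled with LSPFix, not ticked in HJT.
    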
     
  6. GTek

    GTek TS Rookie Topic Starter

    I already have the mbam and sas. Mbam has been installed, but usually once it starts scanning the PC restarts at sometime during the scan. I've tried countless times .. and no luck. Always seems to restart, even on the quick scan mode. SAS can't be installed unless in normal mode, and well ... normal mode crashes/restarts on a more frequent rate than Safe Mode .. so that's a no go.

    O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

    Those 2 pop back up on the list every time I restart the system so I disabled the CTFMON.exe on startup and in HJT.

    203.2.75.152 - That I searched on "whois.domaintools" led to OptusNet. OptusNet is our internet provider and ..

    198.142.0.51 - Also seems to be a part of Optus ..
     
  7. rf6647

    rf6647 TS Maniac Posts: 829

    O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
    O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE

    Logitech is legit.
    Are you using the features of SetPoint?
    Here is some info about SetPoint

    I'd check off both of these.
     
  8. GTek

    GTek TS Rookie Topic Starter

  9. rf6647

    rf6647 TS Maniac Posts: 829

    HJT actions against O4 items are reversible.

    For SetPoint, I venture to guess that there is a way to disable it from the startup by using its configuration menu. This would leave the suspect in the startup.

    Having said this, you have keyboards & mice. I cannot divine if Logitech created separate applications for each and, thereby, resulting in confusing us.

    There is not much left in the HJT log to pick at. HJT run in safe mode results in a shorter process list. So, it is harder to understand what is causing the aborts running MBAM & SAS.

    The link provided giving info about SetPoint cites that there are instances where malware has borrowed the filename of the executable.

    The keyboard & mouse will function after disabling the startup. You should do fine without the bells & whistles for a while.
     
  10. GTek

    GTek TS Rookie Topic Starter

    Done, well I know that took 24 hours ... not necessarily. Well I had my fair share of school and work, well anyway I guess I got some good news? Well I brainstormed for a while and figured it might help to load HJT in normal mode if I disable all my startup programs? So I did and well magically HJT got past where it usually hangs at

    O4 - Registry & StartMenu autoruns

    Now the thing is ... I don't know if disabling the bulk of my startup will help you since you're missing a chunk of what starts up at the logon of normal mode in the log. So I decided to try and remember what I had on startup and added an extra entry to the log at the very end, if it helps that is. Although it isn't the most accurate it has pretty much all the programs I used on startup.

    So here's the log file.
     
  11. rf6647

    rf6647 TS Maniac Posts: 829

    The next objective is to run MBAM & SAS. I recommend leaving "msconfig" in the present "off normal" condition. Let both tools work some magic for us in normal mode.

    From earlier posts, these are the startup applications still under suspicion:
    O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
    O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
    O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
    O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto

    A few of the msconfig checked items you cite do not appear on an earlier HJT log. Of no consequence presently.

    It will be interesting to see all 3 logs together.
     
  12. GTek

    GTek TS Rookie Topic Starter

    Well I've tried and ... well no luck :( After countless number of tries .. lots and lots of restarts and crashes. I don't know if it's me or something but getting normal mode even to login has become increasingly more difficult every time, crashes and restarts are becoming more frequent , but maybe that's me. But I will keep trying ... because I really don't want to have to reformat T_T I just simply don't have the space to store my family's stored documents and files temporarily ...

    Is there nothing else I could do to help with this?
     
  13. rf6647

    rf6647 TS Maniac Posts: 829

    The short answer is to open a new thread in the Windows OS forum to look at the restarts & crashes. I'll even suggest a title: Lots of restarts, crashes, and safe mode after removing trojans. As part of the description, refer to this thread.

    The long answer follows.

    The primary objective is to be stable in normal mode. At this point I consider the malware to be hobbled or less of a problem. A new thread will bring in new eyes and a fresh look. My availability will be spotty for the next 2 weeks. Of course, the moderator could object, in which case hang it on me.

    The event logs should be inspected for error messages. At startup, error messages will help focus the investigation. Include text from the logs. Don't repeat messages. The icon (2 pages) below the icons for 'up direction' & 'down direction' is the 'copy text to clipboard' function. In the post or in notepad, paste contents & remove the data portion (duplicates the formatted msg).

    Current HJT log may be helpful, as well.

    Code:
    My Computer > right click menu > manage
    Easy way to get to event logs & services.
    AV (Eset) is most likely broken by the trojans and/or the combination of the sweeping tools thrown at the trojans. Repair or re-install the application.

    Another approach to gaining some control is to use HJT Fix Check for O23 items. Service is stopped.
    Manage > Services can bring them back (auto, manual).

     
  14. momok

    momok TS Rookie Posts: 2,265

    Hi.. Are you able to run the scans in safe mode then?
    Also, please download and run Combofix from HERE.
    The log C:\Combofix.txt will be generated; Attach that in your next reply, together with a fresh HijackThis log (from normal mode) and your MBAM scan in safe mode.
     
  15. GTek

    GTek TS Rookie Topic Starter

    Got the log and will post in the new thread, probably when I have time tomorrow. Have a problem with MBAM: well, it got corrupted/damaged when I was using it and it required a reinstall, which I did. As it was installing a fresh copy the PC restarted just as it was about to finish. So now when I try to run MBAM it says error, certain file missing, and same goes for uninstall; file missing for uninstall. Combofix seems to be a nightmare to run, hasn't worked once yet, but I'm working on it.

    Hopefully when I get the new thread up in the windows os forum they can shed some light and help solve the problem.
     
  16. momok

    momok TS Rookie Posts: 2,265
