Ntos.exe help!! HJT log included:

By Namrack
Apr 16, 2007
1. 'ello, I recently was infected with a trojan on my Windows XP computer. I ran Ad-Aware and during this scan popped up a niftly little "System must restart because DCOM server process launcher terminated unexpectedly" <-this gave me a 1:00 minute countdown until my computer restarted.

According to the Lavasoft website, "This is most probably caused by a malware known as KILL-AV (detected by Ad-Aware as Win32.Trojan.KillAV), which attempts to thwart Anti-Spyware and Anti-Virus programs by restarting the computer before a scan and removal is complete."

I followed their solution and cancelled the scan with approx 20 seconds left till shut down, continued with what was currently found by Ad-Aware (which I posted below), and quarentined/deleted it. Then my computer restarted automatically. When Windows loaded, I ran Ad-Aware again, this time it ran successfully and found some remaining Worm objects. Now feeling pretty okay about the situation, I found I could not connect online, and that the only way for me to connect was to continuously go into command and type "ipconfig /release" then "ipconfig /renew" <<this gave me about 1 minute worth of online time until I could browse no longer and it would tell me that it is unnable to connect. I am currently doing this repeatedly to be online and really hope to find an answer. I ran msconfig and looked at the startup processes, out of which i found "Ntos.exe" to be unusual in my mind. After googling the process, I was unable to delete the executable itself manually so I used FileAssassin to remove it. I'm assuming there are reminants left over of whatever it was I was hit with, but hopefully somebody out there can help me. I had an outdated Nortan Anti-Virus 2005, which I recently picked up '07, but am unable to install it on my computer simply because after I click "install" on the CD's autorun, it just does nothing (or appears that way).

Please tell me there's a way to fix this, If I am unable to remove any reminants of the virus/worm, then at least how can solve the problem of my connectivity (if they can be dealt with separately). It's annoying to continue releasing and renewing my IP.

(I have no idea what I'm looking at here so help me out please):

2. howard_hopkinsoTS RookiePosts: 24,177   +19

Hello and welcome to Techspot.

Youre running an outdated version of HijackThis.

Very Important: Before deciding whether you should clean or reformat your system, go and read this thread HERE and decide what it is you want to do.

If after reading the above, you wish to clean your system, do the following.

Go and read the Viruses/Spyware/Malware, preliminary removal instructions. Follow all the instructions exactly.

Post fresh HJT, AVG Antispyware and Combofix logs as attachments into this thread, only after doing the above.

Also, let me know the results of the AVG Antirootkit scan.

Regards Howard :wave: :wave:

3. NamrackTS RookieTopic Starter

As I just finished typing this, I realize I'm a dumbarse; I didn't follow the instructions completely, let me rename the HijackThis exe file to Analyze.exe, and then get AVG and I'll redo this entry.

[Original Entry]:

I downloaded the Avast Antiviral program and ran a scan prior to my system boot up. No log was saved but I was writing things down as it was scanning:
1) "Zup[1].exe" Infected with "Win32:Zhelatin-MI" [WRM]
2) "svchlx.dll" Infected with "Win32:small-DQT" [TRJ] <- googled this filename, found nothing on Microsoft's page concerning it, so felt it was okay to delete
3) "Wincom32.sys" Infected with "Win32:Zhelatin-I" [WRM] <-same result in searching Microsoft's page, no found entries
4) "Zup.exe.exe" infected with ------(sorry this wasn't recorded by me)

Action taken for all files: Attempted repair failed, then deleted.

The link to the AVG software was a dead one, currently I am searching for it and will supply the results once completed.

I downloaded the new HijackThis ver: 2.0.0; the log is attached (hopefully if the attachment was successfull).
**Note: the HijackThis log was scanned during SafeMode because my computer is currently restarting the second it loads windows now... hopefully something in there will help.

4. howard_hopkinsoTS RookiePosts: 24,177   +19

I have fixed the AVG free antivirus link. Thanks for pointing that out.

Please post all the requested log files, along with as fresh HJT log from normal mode(if you can).

Regards Howard

This thread is for the use of Namrack only. Please dont post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.

5. kitty500catTS EvangelistPosts: 2,154   +6

Don't mind this post. Howard got there before I did.

Regards

6. NamrackTS RookieTopic Starter

Sadly ever since I attempted the online virus scanner found at http://uk.trendmicro-europe.com/consumer/housecall/housecall_launch.php
I have been unable to load Windows, (the computer restarted right after loading the online scanner). As a result, all of my logs are from safe mode, and worse than that, the AVG Antiviral program tells me it is unable to start in safe mode: "Installation Error: Action failed for file avg7core.sys: Starting service.... This service cannot be started in safe mode (1084)."

The attached logs are of HijackThis renamed "Analyze.exe" taken in safe mode, also included is an AVG AntiSpyware Log also taken in safe mode(which doesn't seem much use).

If you need me to try anything out and to see results please let me know.

7. howard_hopkinsoTS RookiePosts: 24,177   +19

1. Disconnect from the Internet, go to the LSPfix file and extract/unzip LSP-Fix into its own folder [C:\lspfix].
2. Open the lspfix folder and double-click on LSPFix.exe to start the program.
3. Check the "I know what I am doing" checkbox.
4. Select (highlight) all instances of 'pbhblggek.dll' in the left column under "Keep".
5. Click the arrow >> so it goes over to the right column under "Remove".
6. Click "Finish" and LSPfix will remove references to the file and restore the chain numbers.
7. Restart your computer and reconnect to the net.

Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

3. Now, start The Avenger program by double clicking on its icon on your desktop.

Under "Script file to execute" choose "Load script from file".
Now click on the folder icon which will open a new window titled "open Script File"
navigate to the file you have just downloaded, click on it and press open
Now click on the Green Light to begin execution of the script

4. The Avenger will automatically do the following:

It will Restart your computer. ( In cases where the code to execute contains "Drivers to Unload", The Avenger will actually restart your system twice.)
On reboot, it will briefly open a black command window on your desktop, this is normal.
After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt
The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.

5. Please attach the content of c:\avenger.txt into your reply, as well as a fresh HJT log.

Regards Howard

8. NamrackTS RookieTopic Starter

While running the computer in safe mode, avenger worked successfully in creasting the txt file along with a zipped backup: the new HJT log was taken in Safe Mode.

9. howard_hopkinsoTS RookiePosts: 24,177   +19

You might want to copy and paste these instructions into a notepad file. Then you can have the file open in safe mode, so you can follow the instructions easier.

Boot into safe mode, under your normal user name(NOT THE ADMINISTRATOR ACCOUNT). See how HERE.

In Windows Explorer, turn on "Show all files and folders, including hidden and system". See how HERE.

Open your task manager, by holding down the ctrl and alt keys and pressing the delete key.

Click on the processes tab and end process for(if there).

ntos.exe
PowerReg Scheduler V3.exe

Run HJT with no other programmes open(except notepad). Click the scan button. Have HJT fix the following, by placing a tick in the little box next to(if there).

F2 - REG:system.ini: Shell=

F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,userinit.exe

O2 - BHO: Need2Find Bar BHO - {4D1C4E81-A32A-416b-BCDB-33B3EF3617D3} - C:\Program Files\Need2Find\bar\1.bin\ND2FNBAR.DLL (file missing)

O4 - HKUS\S-1-5-18\..\Run: [userinit] C:\WINDOWS\system32\ntos.exe (User 'SYSTEM')

O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [userinit] C:\WINDOWS\system32\ntos.exe (User 'Default user')

O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')

O4 - Startup: PowerReg Scheduler V3.exe

O20 - AppInit_DLLs: C:\WINDOWS\system32\svchlx.dll

O20 - Winlogon Notify: rpcc - C:\WINDOWS\system32\rpcc.dll (file missing)

Click on the fix checked button.

Close HJT.

Locate and delete the following bold files and/or directories(if there).

C:\WINDOWS\system32\svchlx.dll
C:\WINDOWS\system32\ntos.exe
PowerReg Scheduler V3.exe<Search your system for this file and delete all instances found.

Reboot into normal mode and rehide your protected OS files.

Post a fresh HJT log from normal mode if you can.

Regards Howard

This thread is for the use of Namrack only. Please dont post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.

10. NamrackTS RookieTopic Starter

Schweet, I can now load Windows normally, however I still cannot connect to the internet after about 1 minute of connectivity. (note: My normal user account is the admin account, there are no other subordinate accounts). The fresh new HJT file is from normal mode.

11. howard_hopkinsoTS RookiePosts: 24,177   +19

Your HJT log is now clean.

However, somethings still not right. Can you tell me exactly what happens when you connect to the net?

Please post the Combofix log and run the AVG Antirootkit scan and let me know the results.

Regards Howard

12. NamrackTS RookieTopic Starter

I've started up my computer, and currently the Local Area COnnection 2 Activity states that it has Sent 28,500 bytes, and received 50,000 bytes, as I keep a log of this activity, I'll let you know what the final received # of bytes are until it stops receiving them, yet continues to send them (Given none are being recieved I'm assuming that is exactly when I am no longer able to connect). I ran Combofix, and left my computer for a short while, (about 4 ish minutes); when I came back my computer was loading windows, and as it opened up my user automatically, Combofix was displaying that it had finished and created the txt file. I don't know if this was supposed to happen, though also I could not complete my AVG7.5 scan because my computer abruptly restarted during its scan. Right now I'm at 6,900,000 bytes sent and 3,421,000 received, I'm surprised it has not yet kicked me off the internet... maybe that's solved. I've now clicked to install norton anti-virus (generally nothing happens after this, and similarly nothing has happened). Okay I'm assuming the internet thing is fixed because it's not showing any sort of issue, however the blue screens under the Local Area Connection 2 Status occasionally blink grey and back to blue (this could easily be normal, I have no idea).

**Edit: AVG is now scanning the computer and has not yet restarted, so far the only threats found are in the .zip backup files created by avenger (as to be expected im assuming).

Thank you a ton for your help so far! Right now the only random restart I'm getting from my computer happens when I am doing a scan of some sort (either the AVG scan, or my newly installed Norton Internet Security scan)

13. howard_hopkinsoTS RookiePosts: 24,177   +19

According to your combo fix log you have the following hidden files.

C:\WINDOWS\system32\windev-55af-a1.sys 139264 bytes
C:\WINDOWS\system32\windev-peers.ini 8192 bytes

Download the AVG Antirootkit programme. Disconnect from the net and install the programme, then restart your computer.

Run the programme and click the "Perform in-depth search." Allow AVG to complete the scan. The AVG scanner will give the "Rootkit path" Do not fix anything yet. Reconnect to the net.

Let me know the results of both scans and post a fresh HJT log.

Regards Howard

This thread is for the use of Namrack only. Please dont post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.

14. NamrackTS RookieTopic Starter

Before recieving that message I ran a Norton Internet Security Scan successfully and it found some trojans and other low risk items (log attached). Before this scan, I booted up my computer and found that it was running abnormally slow, with "svchost.exe" using 99% of my cpu, and leaving me with nothing to do except run the task manager. I ended that process, and afterwhich came popup warnings from Norton about emails being sent that it was uncertain about (screenshot attached). Again, this was before the scan. I scanned successfully and removed some things to which I really hope was the cause of the issue. After this scan I ran AVG Antirootkit and found nothing along with Backlight which also found nothing. A new HJT log is attached. So far it seems like there are no issues with my computer, though I have not restarted it yet. After my restart, if any issues arise I'll post them. Thanks a ton!!

Question: Is there anyway to donate to the techspot site?

~Thanks!!

15. howard_hopkinsoTS RookiePosts: 24,177   +19

It looks like Norton took care of the C:\WINDOWS\system32\windev-55af-a1.sys and C:\WINDOWS\system32\windev-peers.ini files.

Turn off system restore.(XP/ME only) See how HERE.

Now, turn system restore back on. This will have deleted all your old restore points and any nasties that are in them. It will also have created a new, clean restore point.

If you have any further virus/spyware problems, please post in this thread.

Regards Howard