HJT Log Analysis


GTek

*EDIT* Please look here https://www.techspot.com/vb/topic114567.html last post *EDIT*

Hi people, my PC I believe has been infected by a virus (?). Well, most likely. Well, I've done a HijackThis log and wish for an analysis of the log.

Some symptoms are .. that the PC constantly restarts every now and then when I log on to a Windows account. Most programs that I attempt to launch fail and result in an error msg. Therefore I couldn't run the 8 step removal guide, but I did manage to do the CCleaner (because I had it installed previously).

Logging on to the Windows account not in safe mode usually crashes within the first few minutes, making it hard to actually run any processes. My anti-virus is Eset, but Eset also crashes while loading, making it impossible to do a virus scan, and during safe mode scanning also seems to close unexpectedly. To put it simply, programs eventually crash when running.

Well I hope for the best and thank those who help. Thanks!
 
Can HJT be run in normal mode? Can any of your virus scanners work in safe mode?
O23 - Service: sdktemp - Unknown owner - C:\WINDOWS\sdktemp.exe (file missing)
This entry hints you have been infected with a rootkit. But I can't be sure what causes your crashes, could be RAM or something else.

To be sure, please try downloading Panda antirootkit from HERE. Let us know the results of the scan.
 
I see that Momok has replied to your post.
His advice takes precedence.
This reply has issues that Panda antiroot may fix.

Do not fix O10 entry. Trained volunteer is needed.
O10 - Broken Internet access because of LSP provider 'c:\program files\netlimiter\nl_lsp.dll' missing

Disable these services. HJT fix check should accomplish this.
O23 - Service: Remote Administrator Service (r_server) - Unknown owner - C:\WINDOWS\system32\r_server.exe
O23 - Service: sdktemp - Unknown owner - C:\WINDOWS\sdktemp.exe (file missing)

HJT fix check these entries
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')

Up to this point, no files are deleted.

Download ONLY the programs found in the 8-step Malware Removal Guide.

Caution: Our trained volunteers may substitute different tools from what is cited below:

Reason from HJT tutorial –
Seek advice from an experienced user when fixing these errors. It is also advised that you use LSPFix, see link below, to fix these.

You should use extreme caution when deleting these objects; if one is removed without properly fixing the gap in the chain, you can have loss of Internet access.
There is a tool designed for this type of issue that would probably be better to use, called LSPfix. For a great list of LSP and whether or not they are valid you can visit Zupe's LSP List
 

Can HJT be run in normal mode? Can any of your virus scanners work in safe mode?
This entry hints you have been infected with a rootkit. But I can't be sure what causes your crashes, could be RAM or something else.

Let us know the results of the scan.

Well I've downloaded the anti-rootkit and ran it in both safe and normal mode and no rootkits have been found, according to its statistics.
HJT I've managed to run in normal mode, but the problem is, now HJT seems to hang when it's scanning the section

O4 - Registry & Start Menu Autoruns

Now does this mean I should post what I've enabled in "msconfig" to run at startup?

As for virus scanners, it takes several attempts to get it running. Most of the time errors come up upon trying to start up, even more common it says the program/file is corrupt. What's even weirder is, if I restart the PC and try running the program again, sometimes it works again .. sometimes it doesn't and the same error/corrupt msg pops up.

In the matter that I do get it up and running, once I start the scan so far I haven't been successful in getting a complete scan of the system in either safe mode or normal mode. The closest was with Spybot Search and Destroy, where it almost completed the scan but the PC restarted out of nowhere and ... all was lost. But out of that report I got the reports of a spyware called "Zango, Zango Shopping Reports".

To be more accurate I guess the crashes are more like restarts, just ends the session and starts back up at the boot screen and loads its way to the Windows Login screen.

Do not fix O10 entry. Trained volunteer is needed.
O10 - Broken Internet access because of LSP provider 'c:\program files\netlimiter\nl_lsp.dll' missing

Up to this point, no files are deleted.

Download ONLY the programs found in the 8-step Malware Removal Guide.

Caution: Our trained volunteers may substitute different tools from what is cited below:

Reason from HJT tutorial –
Seek advice from an experienced user when fixing these errors. It is also advised that you use LSPFix, see link below, to fix these.

You should use extreme caution when deleting these objects; if one is removed without properly fixing the gap in the chain, you can have loss of Internet access.
There is a tool designed for this type of issue that would probably be better to use, called LSPFIX. For a great list of LSP and whether or not they are valid you can visit Zupe List

I've also followed what you've said and removed the appropriate ones. What's weird is every time I removed this entry

O23 - Service: Remote Administrator Service (r_server) - Unknown owner - C:\WINDOWS\system32\r_server.exe

It comes back in the new scan, regardless of how many times I remove it. But the others have been removed fine. As for the LSP, the 2 that showed up in the HJT log were both valid. So I fixed the one that showed up in the LSPFix program and my net is working fine, so I guess that's a good sign?

Well with that done, what's next? And thanks so much for the help, it really is appreciated. Without you I'd be hopeless.
 
If you succeeded in downloading MBAM and SAS, then execute the 8-step malware removal guide.

These are not proper startup items unless created by you.
MBAM will look at these when we restore them.

HJT fix check only if you agree. HJT (advanced) can restore these.

O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

These are blacklisted (per robtex)
O17 - HKLM\System\CCS\Services\Tcpip\..\{8AB7C52D-6218-45FF-8C7B-9DD5AB0822F3}: NameServer = 203.2.75.152,198.142.0.51
O17 - HKLM\System\CCS\Services\Tcpip\..\{D72A390A-14C9-4C04-8C0A-C66B25DBBA53}: NameServer = 203.2.75.152,198.142.0.51
 

I already have the MBAM and SAS. MBAM has been installed, but usually once it starts scanning the PC restarts at some time during the scan. I've tried countless times .. and no luck. It always seems to restart, even in the quick scan mode. SAS can't be installed unless in normal mode, and well ... normal mode crashes/restarts at a more frequent rate than Safe Mode .. so that's a no go.

O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

Those 2 pop back up on the list every time I restart the system so I disabled the CTFMON.exe on startup and in HJT.

203.2.75.152 - That I searched on "whois.domaintools" led to OptusNet. OptusNet is our internet provider and ..

198.142.0.51 - Also seems to be a part of Optus ..
 
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE

Logitech is legit.
Are you using the features of SetPoint?
Here is some info about SetPoint

I'd check off both of these.
 
HJT actions against O4 items are reversible.

For SetPoint, I venture to guess that there is a way to disable it from the startup by using its configuration menu. This would leave the suspect in the startup.

Having said this, you have keyboards & mice. I cannot divine if Logitech created separate applications for each, thereby confusing us.

There is not much left in the HJT log to pick at. HJT run in safe mode results in a shorter process list. So, it is harder to understand what is causing the aborts running MBAM & SAS.

The link provided giving info about SetPoint cites that there are instances where malware has borrowed the filename of the executable.

The keyboard & mouse will function after disabling the startup. You should do fine without the bells & whistles for a while.
 

Done, well I know that took 24 hours ... not necessarily. Well, I had my fair share of school and work, well anyway I guess I got some good news? Well I brainstormed for a while and figured it might help to load HJT in normal mode if I disable all my startup programs? So I did, and well, magically HJT got past where it usually hangs at

O4 - Registry & Start Menu autoruns

Now the thing is ... I don't know if disabling the bulk of my startup will help you since you're missing a chunk of what starts up at the logon of normal mode in the log. So I decided to try and remember what I had on startup and added an extra entry to the log at the very end, if it helps that is. Although it isn't the most accurate it has pretty much all the programs I used on startup.

So here's the log file.
 
The next objective is to run MBAM & SAS. I recommend leaving "msconfig" in the present "off normal" condition. Let both tools work some magic for us in normal mode.

From earlier posts, these are the startup applications still under suspicion:
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto

A few of the msconfig checked items you cite do not appear on an earlier HJT log. Of no consequence presently.

It will be interesting to see all 3 logs together.
 

Well I've tried and ... well no luck :( After a countless number of tries .. lots and lots of restarts and crashes. I don't know if it's me or something, but getting normal mode even to log in has become increasingly more difficult every time; crashes and restarts are becoming more frequent, but maybe that's me. But I will keep trying ... because I really don't want to have to reformat T_T I just simply don't have the space to store my family's stored documents and files temporarily ...

Is there nothing else I could do to help with this?
 
Well I've tried and ... well no luck :( After countless number of tries .. lots and lots of restarts and crashes. ...Is there nothing else I could do to help with this?
The short answer is to open a new thread in the Windows OS forum to look at the restarts & crashes. I'll even suggest a title: Lots of restarts, crashes, and safe mode after removing trojans. As part of the description, refer to this thread.

The long answer follows.

The primary objective is to be stable in normal mode. At this point I consider the malware to be hobbled or less of a problem. A new thread will bring in new eyes and a fresh look. My availability will be spotty for the next 2 weeks. Of course, the moderator could object, in which case hang it on me.

The event logs should be inspected for error messages. At startup, error messages will help focus the investigation. Include text from the logs. Don't repeat messages. The icon (2 pages) below the icons for 'up direction' & 'down direction' is the 'copy text to clipboard' function. In the post or in Notepad, paste the contents & remove the data portion (it duplicates the formatted msg).

Current HJT log may be helpful, as well.

My Computer > right-click menu > Manage
Easy way to get to the event logs & services.
Some symptoms .... that the PC constantly restarts every now and then when I log on to a Windows Account. Most programs that I attempt to launch fail and result with an Error msg..........
My anti-virus is Eset, but Eset also crashes while loading, making it impossible to do a virus scan, and during safe mode scanning also seems to close unexpectedly. To put it simply, programs eventually crash when running.

AV (Eset) is most likely broken by the trojans and/or the combination of the sweeping tools thrown at the trojans. Repair or re-install the application.

Another approach to gaining some control is to use HJT Fix Check for O23 items. The service is stopped.
Manage > Services can bring them back (auto, manual).

AntiVirus
O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe

The unknown
O23 - Service: Remote Administrator Service (r_server) - Unknown owner - C:\WINDOWS\system32\r_server.exe

The masses: change to manual if you want them to show in the O23 list.
O23 - Service: Adobe Version Cue CS3 - Adobe Systems Incorporated - C:\Program Files\Common Files\Adobe\Adobe Version Cue CS3\Server\bin\VersionCueCS3.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: LVCOMSer - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
O23 - Service: LVSrvLauncher - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\SrvLnch\SrvLnch.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Unknown owner - C:\Program Files\McAfee\Common Framework\FrameworkService.exe (file missing)
O23 - Service: NetLimiter (nlsvc) - Locktime Software - C:\Doyle\Programs\NetLimiter 2 Monitor\nlsvc.exe
O23 - Service: O&O Defrag - O&O Software GmbH - C:\WINDOWS\system32\oodag.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
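The O23 and O17 groupings above are the triage a helper does by eye: which service entries have a vendor, which point at a missing binary, which NameServer addresses need a WHOIS check. As an added example (not from the thread, HijackThis or any tool named here), this Python sketch parses such lines from a constructed sample modelled on the quoted entries and applies the same three checks (file missing, Unknown owner, binary sitting directly in the Windows root), plus extraction of O17 nameservers; the sample lines and the `Service` class are assumptions of the example.

```python
import re
from dataclasses import dataclass, field

# Constructed sample, modelled on O23/O17 lines quoted in this thread (not the poster's full log).
SAMPLE_LOG = r"""
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
O23 - Service: Remote Administrator Service (r_server) - Unknown owner - C:\WINDOWS\system32\r_server.exe
O23 - Service: sdktemp - Unknown owner - C:\WINDOWS\sdktemp.exe (file missing)
O23 - Service: McAfee Framework Service (McAfeeFramework) - Unknown owner - C:\Program Files\McAfee\Common Framework\FrameworkService.exe (file missing)
O17 - HKLM\System\CCS\Services\Tcpip\..\{8AB7C52D-6218-45FF-8C7B-9DD5AB0822F3}: NameServer = 203.2.75.152,198.142.0.51
"""

# O23: "Service: <name> - <owner> - <path>[ (file missing)]"; O17: trailing comma-separated IPs.
O23_RE = re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+?)(?P<missing> \(file missing\))?$")
O17_RE = re.compile(r"^O17 - .*NameServer = (?P<servers>[\d.,]+)$")

@dataclass
class Service:
    name: str
    owner: str
    path: str
    file_missing: bool
    reasons: list = field(default_factory=list)  # why a human should look at this entry

def triage_o23(line):
    """Parse one O23 line and attach the review reasons used in this thread."""
    m = O23_RE.match(line)
    if not m:
        return None
    svc = Service(m["name"], m["owner"], m["path"], m["missing"] is not None)
    if svc.file_missing:
        svc.reasons.append("orphaned service entry: binary missing")
    if svc.owner == "Unknown owner":
        svc.reasons.append("no vendor recorded: verify the binary")
    # A service binary dropped straight into C:\WINDOWS (not system32) is unusual for vendor software.
    if re.match(r"(?i)^C:\\WINDOWS\\[^\\]+$", svc.path):
        svc.reasons.append("binary sits in the Windows root")
    return svc

def o17_nameservers(line):
    """Return the NameServer addresses from an O17 line, for a WHOIS/ISP check."""
    m = O17_RE.match(line)
    return m["servers"].split(",") if m else []

def triage(log):
    """Walk a log: list of parsed services and a sorted, de-duplicated nameserver list."""
    services, nameservers = [], []
    for raw in log.splitlines():
        line = raw.strip()
        svc = triage_o23(line)
        if svc:
            services.append(svc)
        nameservers.extend(o17_nameservers(line))
    return services, sorted(set(nameservers))

def suspects(log):
    """Names of services with at least one review reason, in log order."""
    return [s.name for s in triage(log)[0] if s.reasons]
```

An "Unknown owner" hit alone is not a verdict (the thread's ATI Smart entry shows a legitimate service with no vendor string); the reasons are a worklist for manual verification.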
 
Hi.. Are you able to run the scans in safe mode then?
Also, please download and run Combofix from HERE.
The log C:\Combofix.txt will be generated; Attach that in your next reply, together with a fresh HijackThis log (from normal mode) and your MBAM scan in safe mode.
 

Got the log and will post in the new thread, probably when I have time tomorrow. Have a problem with MBAM, well it got corrupted/damaged when I was using it and well it required a reinstall. Which I did. As it was installing a fresh copy the PC restarted just as it was about to finish. So now when I try to run MBAM it says error, certain file missing, and same goes for uninstall; file missing for uninstall. Combofix seems to be a nightmare to run, hasn't worked once yet but I'm working on it.

Hopefully when I get the new thread up in the windows os forum they can shed some light and help solve the problem.
 