One More...storage Protector & Kernel 1256 Error
Am seeing other posts and am facing a similar issue as well. Couldn't find VundoFix V6.7.7 so ran the V6.5.1 version but found only djgrfnod.dll that cannot be deleted. Have tried all other tools, Spybot, RogueRemover, but the above error just won't go away. Am feeling frustrated that nothing fixes this...
Can you pls take a look at HJT and advise:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:03:45 PM, on 1/22/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Safe mode with network support
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\ctfmon .exe
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,First Home Page = http://www.dell.com
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\Userinit.exe
O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www1.snapfish.com/SnapfishActivia.cab
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://floridakeysmedia.tv/axiscam/Codebas...sCamControl.ocx
O23 - Service: ASP.NET State Service (aspnet_state) - Unknown owner - C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe (file missing)
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: OracleOraHome90TNSListener - Unknown owner - C:\oracle\ora90\BIN\TNSLSNR.exe (file missing)
O23 - Service: OracleServiceORCL - Oracle Corporation - c:\oracle\ora90\bin\ORACLE.EXE
O23 - Service: Panda Software Controller - Panda Software International - C:\Program Files\Panda Software\Panda Antivirus 2008\PsCtrls.exe
O23 - Service: Panda anti-virus service (PAVSRV) - Panda Software International - C:\Program Files\Panda Software\Panda Antivirus 2008\pavsrv51.exe
O23 - Service: Panda IManager Service (PSIMSVC) - Panda Software International - C:\Program Files\Panda Software\Panda Antivirus 2008\PsImSvc.exe
--
End of file - 2937 bytes
Thanks in advance!
PH
Comments
It seems the infection has managed to hide itself from HJT. You may try this: go to the folder where HijackThis.exe resides (C:\Program Files\Trend Micro\HijackThis\HijackThis.exe). Rename HijackThis.exe to something like moon.exe or whatever you like. Double-click moon.exe (or whatever you named it) and make a new log. If you notice the log is showing more items, post the new one. Note that renaming the shortcut doesn't do the job.
03-feb-08:
Thanks. Finally found Vundo 6.7.7 and could get rid of most. Cleaned some other malware per directions on this forum. However, BitDefender still shows that there are 15 entries that it cannot delete because those files are password protected. All these files rest under C/i386/valert.ui{} and similar. The Internet is SLOW. Can you pls help:
Attached is the HijackThis log (changed hijackthis.exe to moon.exe prior to running this, as advised):
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:44:21 AM, on 2/3/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\BitDefender\BitDefender Communicator\xcommsvr.exe
C:\Program Files\Common Files\BitDefender\BitDefender Update Service\livesrv.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\BitDefender\BitDefender 2008\vsserv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\BitDefender\BitDefender 2008\bdagent.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\BitDefender\BitDefender 2008\seccenter.exe
C:\WINDOWS\system32\DllHost.exe
C:\Program Files\Trend Micro\HijackThis\moon.exe.exe
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
O2 - BHO: (no name) - {6EDBADC7-9BD3-4F2C-ADFE-7829A3F731D8} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: BitDefender Toolbar - {381FFDE8-2394-4f90-B10D-FC6124A40F8C} - C:\Program Files\BitDefender\BitDefender 2008\IEToolbar.dll
O4 - HKLM\..\Run: [googletalk] C:\Program Files\Google\Google Talk\googletalk.exe /autostart
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www1.snapfish.com/SnapfishActivia.cab
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://floridakeysmedia.tv/axiscam/Codebas...sCamControl.ocx
O20 - Winlogon Notify: sstqn - C:\WINDOWS\
O23 - Service: ASP.NET State Service (aspnet_state) - Unknown owner - C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe (file missing)
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: BitDefender Desktop Update Service (LIVESRV) - BitDefender S.R.L. - C:\Program Files\Common Files\BitDefender\BitDefender Update Service\livesrv.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: BitDefender Virus Shield (VSSERV) - BitDefender S.R.L. - C:\Program Files\BitDefender\BitDefender 2008\vsserv.exe
O23 - Service: BitDefender Communicator (XCOMM) - BitDefender - C:\Program Files\Common Files\BitDefender\BitDefender Communicator\xcommsvr.exe
--
End of file - 3904 bytes
Hi,
It has been a long time since the previous post. Usually you should not worry about the password-protected items, as they don't pose any actual threat.
Step 1.
Run HijackThis, click "Do a system scan only", check the items below, close all windows including this one and click on "Fix checked":
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: (no name) - {6EDBADC7-9BD3-4F2C-ADFE-7829A3F731D8} - (no file)
O20 - Winlogon Notify: sstqn - C:\WINDOWS\
Step 2.
Please run Notepad and copy the following text into a new file:
@ECHO OFF
REM Remove the two orphaned services from the HijackThis log (their binaries are missing).
REM sc needs the short service name (aspnet_state), not the display name.
sc delete OracleOraHome90TNSListener
sc delete aspnet_state
REM Remove this batch file itself once the job is done.
del "%~f0"
Save the file to the desktop as delete.bat and make sure the "Save as type" field says "All files". Locate delete.bat on the Desktop and double-click on it to run it. Please note any errors encountered. The delete.bat should disappear after doing the job.
Step 3.
I want to make sure everything is cleaned:
*Go to Start - Search - click "All files and folders".
*Click "More advanced options" and check: "Search system folders", "Search hidden files and folders" and "Search subfolders".
*Type sstqn in the upper box, click on Search and report the eventual findings.
*Type again pos*.tmp and report the result.
Step 4.
Please download RenV.exe to desktop from:
http://download.bleepingcomputer.com/sUBs/Beta/RenV.exe
Reboot, double-click to run it, and post the log it produces (log.txt).
Step 5.
Make a new hijackthis log and copy and paste it to your reply.
Step 6.
Run a BitDefender full system scan and copy and paste the log.
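The entries the helper singles out in Step 1 and Step 2 (BHO and toolbar CLSIDs marked "(no file)", a Winlogon Notify entry that points at a bare directory, services whose binary is "(file missing)") and the "ctfmon .exe" look-alike in the first log can all be picked out mechanically. The script below is an added example written for this page; it is not code from the thread, from HijackThis or from Trend Micro. It parses a constructed log in the HijackThis v2 format (the sample lines are modelled on the thread's entries, not copied from any poster) and applies those four triage rules. The rule names and the "PROC" pseudo-section are my own naming.

```python
import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample in the HijackThis v2 log format. The lines are modelled on
# the kinds of entries discussed in this thread; they are not a copy of any
# poster's log. Backslashes are doubled because these are ordinary strings.
SAMPLE_LINES = [
    "Logfile of Trend Micro HijackThis v2.0.2",
    "Running processes:",
    "C:\\WINDOWS\\system32\\ctfmon.exe",
    "C:\\WINDOWS\\system32\\ctfmon .exe",
    "C:\\Program Files\\Trend Micro\\HijackThis\\moon.exe.exe",
    "O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)",
    "O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\\program files\\google\\googletoolbar2.dll",
    "O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)",
    "O4 - HKCU\\..\\Run: [ctfmon.exe] C:\\WINDOWS\\system32\\ctfmon.exe",
    "O20 - Winlogon Notify: sstqn - C:\\WINDOWS\\",
    "O23 - Service: ASP.NET State Service (aspnet_state) - Unknown owner - "
    "C:\\WINDOWS\\Microsoft.NET\\Framework\\v2.0.50727\\aspnet_state.exe (file missing)",
    "O23 - Service: DSBrokerService - Unknown owner - C:\\Program Files\\DellSupport\\brkrsvc.exe",
    "--",
    "End of file - 999 bytes",
]

# "O2 - ...", "O20 - ...", "R0 - ...", "F2 - ...": section tag, dash, body.
HJT_ENTRY = re.compile(r"^(?P<section>[ROF]\d+)\s*-\s*(?P<body>.*)$")
DRIVE_PATH = re.compile(r"^[A-Za-z]:\\")


@dataclass
class Entry:
    section: str  # HJT section tag, or "PROC" for a line under "Running processes:"
    body: str     # rest of the line, whitespace-trimmed


@dataclass
class Finding:
    rule: str
    entry: Entry


def parse_hjt(lines):
    """Turn HJT log lines into Entry objects; header and footer lines are skipped."""
    entries = []
    in_procs = False
    for raw in lines:
        line = raw.strip()
        if not line:
            continue
        if line.startswith("Running processes:"):
            in_procs = True
            continue
        m = HJT_ENTRY.match(line)
        if m:
            in_procs = False  # the first tagged entry ends the process list
            entries.append(Entry(m.group("section"), m.group("body").strip()))
        elif in_procs and DRIVE_PATH.match(line):
            entries.append(Entry("PROC", line))
    return entries


def triage(entries):
    """Apply four defender-side rules matching what the helper fixed in this thread."""
    findings = []
    for e in entries:
        if e.section == "PROC":
            exe_name = e.body.rsplit("\\", 1)[-1]
            # Whitespace inside an executable name ("ctfmon .exe") is a
            # look-alike of a legitimate system process, not the real one.
            if re.search(r"\s", exe_name):
                findings.append(Finding("process-name-whitespace", e))
        elif e.section in ("O2", "O3") and e.body.endswith("(no file)"):
            # BHO/toolbar CLSID is still registered but its DLL is gone.
            findings.append(Finding("orphaned-clsid", e))
        elif e.section == "O20":
            target = e.body.rsplit(" - ", 1)[-1].strip()
            # A Winlogon Notify entry must name a DLL; a bare directory or
            # "(no file)" means the registration is a leftover or a hider.
            if target.endswith("\\") or target == "(no file)":
                findings.append(Finding("winlogon-notify-no-dll", e))
        elif e.section == "O23" and e.body.endswith("(file missing)"):
            # Service is registered but its binary is missing.
            findings.append(Finding("service-binary-missing", e))
    return findings


def rule_counts(lines):
    """Number of findings per rule, for a quick summary of a log."""
    return Counter(f.rule for f in triage(parse_hjt(lines)))


if __name__ == "__main__":
    for f in triage(parse_hjt(SAMPLE_LINES)):
        print(f"{f.rule:26} {f.entry.section:5} {f.entry.body}")
```

Run it on a saved HJT log with `parse_hjt(open(path).read().splitlines())`. The rules are deliberately narrow: an entry that is not flagged is not thereby clean, and a flagged "(no file)" entry is an orphan to tidy up rather than proof of infection, which is exactly how the helper treats them above.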
Hello,
Thanks a lot for the step-by-step instructions. Am in the midst of a launch at work (read it as more slog hours)... hence the delay in replying.
1. Fixed the files as advised.
2. Ran Delete.bat No errors.
3A. No files found for "sstqn"
3B. Found 5000+ files under "C:\Documents and Settings\Administrator\My Documents" for pos*.tmp search
4. RenV Log: Ran on Tue 02/05/2008 - 18:59:34.79
5. Hijackthis Log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:00:26 PM, on 2/5/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Google\Google Talk\googletalk.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\BitDefender\BitDefender Communicator\xcommsvr.exe
C:\Program Files\Common Files\BitDefender\BitDefender Update Service\livesrv.exe
C:\Program Files\BitDefender\BitDefender 2008\vsserv.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\BitDefender\BitDefender 2008\bdagent.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\moon.exe.exe
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: BitDefender Toolbar - {381FFDE8-2394-4f90-B10D-FC6124A40F8C} - C:\Program Files\BitDefender\BitDefender 2008\IEToolbar.dll
O4 - HKLM\..\Run: [googletalk] C:\Program Files\Google\Google Talk\googletalk.exe /autostart
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www1.snapfish.com/SnapfishActivia.cab
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://floridakeysmedia.tv/axiscam/Codebas...sCamControl.ocx
O23 - Service: ASP.NET State Service (aspnet_state) - Unknown owner - C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe (file missing)
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: BitDefender Desktop Update Service (LIVESRV) - BitDefender SRL - C:\Program Files\Common Files\BitDefender\BitDefender Update Service\livesrv.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: BitDefender Virus Shield (VSSERV) - BitDefender S.R.L. - C:\Program Files\BitDefender\BitDefender 2008\vsserv.exe
O23 - Service: BitDefender Communicator (XCOMM) - BitDefender - C:\Program Files\Common Files\BitDefender\BitDefender Communicator\xcommsvr.exe
--
End of file - 3667 bytes
6. BitDefender Full System Scan Log:
BitDefender Log File !!!!!
Product : BitDefender Total Security 2008
Version : BitDefender UIScanner v.11
Log date : 19:58:08 05/02/2008
Log path : C:\Documents and Settings\All Users\Application Data\BitDefender\Desktop\Profiles\Logs\full_scan\1202259488_1_02.xml
Scan Paths:
Path0000: C:\
Path0001: \
Scan Options:
Scan for viruses : Yes
Scan for adware : Yes
Scan for spyware : Yes
Scan for applications : Yes
Scan for dialers : Yes
Scan for rootkits : Yes
Target selection options:
Scan registry keys : Yes
Scan cookies : Yes
Scan boot sectors : Yes
Scan memory processes : Yes
Scan archives : No
Scan runtime packers : Yes
Scan emails : Yes
Scan all files : Yes
Heuristic Scan : Yes
Scanned extensions :
Excluded extensions :
Target Processing
Default action for infected objects : Disinfect
Default action for suspicious objects : None
Default action for hidden objects : None
Scan engines summary
Number of virus signatures : 979156
Archive plugins : 41
Email plugins : 6
Scan plugins : 12
Archive plugins : 41
System plugins : 4
Unpack plugins : 7
Overall scan summary
Scanned items : 145348
Infected items : 0
Suspicious items : 0
Resolved items : 0
Individual viruses found : 0
Scanned directories : 10189
Scanned boot sectors : 5
Scanned archives : 54
Input-output errors : 24
Scan time : 00:00:56:28
Files per second : 42
Scanned processes summary
Scanned : 30
Infected : 0
Scanned registry keys summary
Scanned : 327
Infected : 0
Scanned cookies summary
Scanned : 1
Infected : 0
Remaining issues:
Object Name Threat Name Final Status
Resolved issues:
Object Name Threat Name Final Status
Objects that were not scanned:
Object Name Reason Final Status
C:\i386\valert[1].ui=]CmnIds.vbs Password-Protected No action was possible
C:\i386\valert[1].ui=]images/arrow_right.gif Password-Protected No action was possible
C:\i386\valert[1].ui=]images/btn_signup_52x20.gif Password-Protected No action was possible
C:\i386\valert[1].ui=]images/more_info.gif Password-Protected No action was possible
C:\i386\valert[1].ui=]images/sidetable_bottom.gif Password-Protected No action was possible
C:\i386\valert[1].ui=]images/sidetable_bottom_red.gif Password-Protected No action was possible
C:\i386\valert[1].ui=]images/sidetable_top.gif Password-Protected No action was possible
C:\i386\valert[1].ui=]images/sidetable_top_red.gif Password-Protected No action was possible
C:\i386\valert[1].ui=]images/transpix.gif Password-Protected No action was possible
C:\i386\valert[1].ui=]images/watermark_mys_150x130.gif Password-Protected No action was possible
C:\i386\valert[1].ui=]oemcfg.vbs Password-Protected No action was possible
C:\i386\valert[1].ui=]OEMIds.vbs Password-Protected No action was possible
C:\i386\valert[1].ui=]valert.htm Password-Protected No action was possible
C:\i386\valert[1].ui=]valert_old.htm Password-Protected No action was possible
C:\i386\valert[1].ui=]hs~valert.htm Password-Protected No action was possible
Thanks a lot in advance to help get rid of the malware.
Regards,
PH
You have done a thorough job and everything looks good. To finish cleaning do the following:
Step 1.
Go to My documents folder and remove the *.tmp files manually. To do that highlight them all (select the first .tmp file- hold down Shift and scroll down to the last .tmp and highlight/select the last .tmp) and delete them using Shift+Del to bypass the Recycle bin.
Step 2.
Please download ATF Cleaner by Atribune.
Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.
Step 3.
Use the search box, type in P*.tmp if you find any of those files remove them manually.
Step 4.
Reboot and check if your computer is running fine. Then empty your restore volume/System Volume folder to prevent the infection being recreated by Windows System Restore. To do that: go to Start - Control Panel - System - System Restore and check "Turn off System Restore on all drives". Click Apply. By doing this you lose all your (often infected) restore points. Reboot and uncheck "Turn off System Restore on all drives", then press Apply to create a clean restore point.
That is it. How is your computer running?
It's working fine now....am still getting a log from Bit Defender that states it could not kill the files w/ password protected items and the log shows the C/I386/valert items. But like you said, this should not be an issue, right?
Thanks a lot!
You are welcome.
About those files: BD says: "I bring these files to your attention. They are encrypted and password protected; I cannot open them to scan them, so I cannot say if they are safe." Therefore it is up to you: if you have (password protected) decrypted the file yourself, you should open it and let it scan. If it is there without you knowing, you have to find out which application puts them there. If they are legit, leave them there; if not, remove them.
Now you ask me what to do? First, it looks to me that whatever they are, they are where they should not be unless they belong to MS, because C:\i386 is the Windows install backup. I searched and could not find any official word on that. I am also running Windows XP SP2 and I don't have those on my system, and BD doesn't come up with them in its scan. If they were on my system I would remove them all manually.
Have a nice day.
Thanks! I went into DOS and had to manually delete this ADWARE resulting from C:\Recycler. Everything looks clean now and the PC is working just fine. Thanks again!!
You are welcome.
I'm having some problems with this one. First, I can't manually delete those pos.tmp files; I get this message: The instructions at "0x01d62739" referenced memory at "0x02354e50" This file could not be deleted.
And my search won't even find these files on my HD.
Any ideas?