I *think* I Also Have That Nt Kernel Error 1256

stickymango
edited February 2008 in Malware talk

Hi, I'm sure you've all got a lot of this, but I've been getting these pop-ups like everyone else has and I see people posting a HJT log, so I thought I should too. I did VundoFix before and it got rid of it for like... a week, and now it came back and that VundoFix doesn't work at all anymore. I downloaded Spybot, Ad-Aware, and CCleaner 'cause I read that I should download those. Anyways, any help will be appreciated.

Also, if and when you explain to help me, I'd appreciate it if you can... simplify what I have to do, since I read other people's topics and I don't understand a thing... So if you can just... dumb it down a bit for me lol :P


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:59:09 AM, on 2/11/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\bcwtvgkn.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Lexmark 1200 Series\lxczbmgr.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Lexmark 1200 Series\lxczbmon.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O4 - HKLM\..\Run: [Lexmark 1200 Series] "C:\Program Files\Lexmark 1200 Series\lxczbmgr.exe"
O4 - HKLM\..\Run: [bm] "C:\Program Files\Common Files\TrustedAntivirus\bm.exe" dm=http://trustedantivirus.com ad=http://trustedantivirus.com sd=http://ykeeper.trustedantivirus.com
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [7812c002] rundll32.exe "C:\WINDOWS\system32\aivjswnr.dll",b
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: *.gomyhit.com
O15 - Trusted Zone: *.imagesrvr.com
O15 - Trusted Zone: *.storageguardsoft.com
O15 - Trusted Zone: *.gomyhit.com (HKLM)
O15 - Trusted Zone: *.imageservr.com (HKLM)
O15 - Trusted Zone: *.imagesrvr.com (HKLM)
O15 - Trusted Zone: *.storageguardsoft.com (HKLM)
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w2/resources/MSNPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1201642015703
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: DomainService - - C:\WINDOWS\system32\bcwtvgkn.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Microsoft cache control (MSControlService) - Unknown owner - C:\WINDOWS\system32\windows
O24 - Desktop Component 0: (no name) - C:\Program Files\microsoft frontpage\vikozisi.html

Comments

  • Vundo is a very "polymorphic" trojan and it gets "updated" all the time. VundoFix only works against that particular trojan, so it does a somewhat better job in keeping up to date with all its variants. Download an updated version and try again.

    Attach here (in a new post) the following files:

    C:\WINDOWS\system32\bcwtvgkn.exe
    C:\Program Files\Common Files\TrustedAntivirus\bm.exe
    C:\WINDOWS\system32\aivjswnr.dll

    Fix these from HJT (Vundo comes with a rootkit to protect itself though, so it may revert anything you fix):

    O4 - HKLM\..\Run: [bm] "C:\Program Files\Common Files\TrustedAntivirus\bm.exe" dm=http://trustedantivirus.com ad=http://trustedantivirus.com sd=http://ykeeper.trustedantivirus.com
    O15 - Trusted Zone: *.gomyhit.com
    O15 - Trusted Zone: *.imagesrvr.com
    O15 - Trusted Zone: *.storageguardsoft.com
    O15 - Trusted Zone: *.gomyhit.com (HKLM)
    O15 - Trusted Zone: *.imageservr.com (HKLM)
    O15 - Trusted Zone: *.imagesrvr.com (HKLM)
    O15 - Trusted Zone: *.storageguardsoft.com (HKLM)
    O4 - HKLM\..\Run: [7812c002] rundll32.exe "C:\WINDOWS\system32\aivjswnr.dll",b
    O23 - Service: DomainService - - C:\WINDOWS\system32\bcwtvgkn.exe

    Note that I'm assuming you haven't installed "TrustedAntivirus" on purpose (it's just adware).

    Speaking of AVs, you don't appear to have any installed. It might help keep you from getting infected again...
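The reply above picks its fix list out of the log by a few indicators: a logon entry that passes URLs to its program, a logon entry that uses rundll32.exe to load a DLL, domains added to the IE Trusted Zone, and a service with no vendor name or an image path that is not an executable. As an added example (not code from the thread, from the poster, or from HijackThis), the Python script below applies those same indicators to O4/O15/O23 lines and lists the files an analyst would ask to have attached. The sample lines are copied from the log in this thread; the parsing rules and the flagging heuristics are this example's own assumptions, and a flag means "review this", not "this is malicious" (the Lexmark and Intel graphics entries, for instance, are not flagged).

```python
"""Triage helper for HijackThis (HJT) log entries (added example)."""
import re
from dataclasses import dataclass

# Constructed sample: a subset of the HJT lines posted in the thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [Lexmark 1200 Series] "C:\Program Files\Lexmark 1200 Series\lxczbmgr.exe"
O4 - HKLM\..\Run: [bm] "C:\Program Files\Common Files\TrustedAntivirus\bm.exe" dm=http://trustedantivirus.com ad=http://trustedantivirus.com sd=http://ykeeper.trustedantivirus.com
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [7812c002] rundll32.exe "C:\WINDOWS\system32\aivjswnr.dll",b
O15 - Trusted Zone: *.gomyhit.com
O15 - Trusted Zone: *.storageguardsoft.com (HKLM)
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: DomainService - - C:\WINDOWS\system32\bcwtvgkn.exe
O23 - Service: Microsoft cache control (MSControlService) - Unknown owner - C:\WINDOWS\system32\windows
"""

ENTRY_RE = re.compile(r"^(O\d+) - (.*)$")
URL_RE = re.compile(r"https?://", re.IGNORECASE)
RUNDLL_RE = re.compile(r"\brundll32(?:\.exe)?\b", re.IGNORECASE)
# "Service: name - vendor - path"; the vendor field may be empty, which the
# forum rendering shows as " - - ". Assumed layout, matched on the lines above.
SERVICE_RE = re.compile(
    r"^Service:\s*(?P<name>.+)\s+-\s+(?P<vendor>.*?)\s*-\s+(?P<path>[A-Za-z]:\\.*)$"
)


@dataclass
class Finding:
    section: str   # HJT section, e.g. "O4"
    line: str      # the original log line
    reasons: list  # why the entry was flagged for review
    paths: list    # file paths the entry references


def extract_paths(text):
    """Return Windows paths in a command line, quoted ones first."""
    quoted = re.findall(r'"([A-Za-z]:\\[^"]+)"', text)
    unquoted = re.findall(r"[A-Za-z]:\\\S+", re.sub(r'"[^"]*"', " ", text))
    return quoted + unquoted


def triage(log_text):
    """Flag O4/O15/O23 entries using the indicators from the thread."""
    findings = []
    for raw in log_text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if not m:
            continue
        section, body = m.groups()
        reasons, paths = [], []
        if section == "O4":
            cmd = body.split(": ", 1)[-1]  # drop the 'HKLM\..\Run' prefix
            if RUNDLL_RE.search(cmd):
                reasons.append("rundll32 loads an arbitrary DLL at logon")
            if URL_RE.search(cmd):
                reasons.append("logon command carries URL arguments")
            paths = extract_paths(cmd)
        elif section == "O15":
            reasons.append("domain added to the IE Trusted Zone")
        elif section == "O23":
            svc = SERVICE_RE.match(body)
            if svc:
                if svc["vendor"].strip() in ("", "Unknown owner"):
                    reasons.append("service has no identifiable vendor")
                if not svc["path"].lower().endswith((".exe", ".sys")):
                    reasons.append("service image path is not an executable")
                paths = [svc["path"].strip()]
        if reasons:
            findings.append(Finding(section, raw.strip(), reasons, paths))
    return findings


def files_to_collect(findings):
    """Paths an analyst would ask the poster to attach for inspection."""
    return sorted({p for f in findings for p in f.paths
                   if p.lower().endswith((".exe", ".dll", ".sys"))})


if __name__ == "__main__":
    results = triage(SAMPLE_LOG)
    for f in results:
        print(f"[{f.section}] {f.line}\n    -> {'; '.join(f.reasons)}")
    print("Collect for analysis:", *files_to_collect(results), sep="\n  ")
```

Run against the sample, the script flags the two O4 entries named in the reply, both Trusted Zone additions, and both vendor-less services, and the collect list comes out as exactly the three files the reply asks for. The O23 regex is deliberately tolerant of an empty vendor field because that is how the DomainService line appears on the page.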

  • I followed what you told me to do, but it still came back =( The good thing is my computer doesn't seem to crash all of a sudden anymore :D