Nt_kernel Error 1256

jmoore
jmoore
in Malware talk

I have been trying to solve this problem with no luck. I also read the past forums and used VundoFix but nothing. The computer is still infected. I really need to solve this problem as soon as posible. Please HELP!


This is the Hijackthis log:


Logfile of Trend Micro HijackThis v2.0.2


Scan saved at 3:40:41 PM, on 2/12/2008


Platform: Windows XP SP2 (WinNT 5.01.2600)


MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)


Boot mode: Safe mode with network support


Running processes:


C:\WINDOWS\System32\smss.exe


C:\WINDOWS\system32\winlogon.exe


C:\WINDOWS\system32\services.exe


C:\WINDOWS\system32\lsass.exe


C:\WINDOWS\system32\svchost.exe


C:\WINDOWS\System32\svchost.exe


C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe


C:\Program Files\Softex\OmniPass\OPXPApp.exe


C:\WINDOWS\Explorer.EXE


C:\WINDOWS\wt\updater\wcmdmgr.exe


C:\Program Files\Trend Micro\HijackThis\HijackThis.exe


R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://us9.hpwis.com/


R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-us9.hpwis.com/


R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/


R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.comcast.net/toolbar2.0/search/


R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost


O3 - Toolbar: HP View - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - (no file)


O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - c:\Program Files\Norton AntiVirus\NavShExt.dll


O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar1.02.5000.1021\en-us\msntb.dll


O3 - Toolbar: Viewpoint Toolbar - {F8AD5AA5-D966-4667-9DAF-2561D68B2012} - C:\Program Files\Common Files\Viewpoint\Toolbar Runtime\3.8.0\IEViewBar.dll


O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll


O3 - Toolbar: Comcast Toolbar - {4E7BD74F-2B8D-469E-93BE-BE2DF4D9AE29} - C:\PROGRA~1\COMCAS~1\COMCAS~1.DLL


O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe


O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe


O4 - HKLM\..\Run: [HPHUPD05] "c:\Program Files\Hewlett-Packard\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe"


O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe


O4 - HKLM\..\Run: [storageGuard] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r


O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE


O4 - HKLM\..\Run: [NvCplDaemon] "RUNDLL32.EXE" C:\WINDOWS\System32\NvCpl.dll,NvStartup


O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"


O4 - HKLM\..\Run: [ccRegVfy] "c:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"


O4 - HKLM\..\Run: [sunkist2k] "C:\Program Files\Multimedia Card Reader\shwicon2k.exe"


O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe


O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"


O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE


O4 - HKLM\..\Run: [igfxTray] C:\WINDOWS\System32\igfxtray.exe


O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb08.exe


O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot


O4 - HKLM\..\Run: [DNSE] "C:\Program Files\Common Files\SystemDoctor\DNSE.exe" -c


O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe"


O4 - HKLM\..\Run: [ddoctorv2] "C:\Program Files\Comcast\Desktop Doctor\bin\sprtcmd.exe" /P ddoctorv2


O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~2\VPTray.exe


O4 - HKLM\..\Run: [salestart] "C:\Program Files\Common Files\StorageProtector\strpmon.exe" dm=http://storageprotector.com ad=http://storageprotector.com sd=http://inspaid.storageprotector.com


O4 - HKLM\..\Run: [MSConfig] "C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe" /auto


O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"


O4 - HKLM\..\Run: [AVG7_CC] "C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" /STARTUP


O4 - HKLM\..\Run: [64762bce] "rundll32.exe" "C:\WINDOWS\system32\kttcotrb.dll",b


O4 - HKLM\..\Run: [spySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe /startintray


O4 - HKLM\..\RunOnce: [VundoFix] "K:\Antivirus\VundoFix 6.6\vundofix.exe"


O4 - HKCU\..\Run: [backupNotify] c:\Program Files\Hewlett-Packard\Digital Imaging\bin\backupnotify.exe


O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook


O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')


O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')


O4 - HKUS\S-1-5-18\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe (User 'SYSTEM')


O4 - HKUS\.DEFAULT\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe (User 'Default user')


O4 - .DEFAULT User Startup: mod_sm.lnk = C:\hp\bin\cloaker.exe (User 'Default user')


O4 - Startup: mod_sm.lnk = C:\hp\bin\cloaker.exe


O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\npjpi150_09.dll


O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\npjpi150_09.dll


O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll


O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe


O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe


O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll


O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe


O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe


O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe


O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe


O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe


O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe


O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe


O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe


O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe


O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe


O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - c:\Program Files\Norton AntiVirus\navapsvc.exe


O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe


O23 - Service: Softex OmniPass Service (omniserv) - Unknown owner - C:\Program Files\Softex\OmniPass\Omniserv.exe


O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe


O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe


O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe


O23 - Service: SupportSoft Sprocket Service (ddoctorv2) (sprtsvc_ddoctorv2) - SupportSoft, Inc. - C:\Program Files\Comcast\Desktop Doctor\bin\sprtsvc.exe


O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe


O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe


O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe


--


End of file - 8187 bytes


And the vundoFix log is this one:


VundoFix V6.5.11


Checking Java version...


Java version is 1.5.0.9


Old versions of java are exploitable and should be removed.


Scan started at 6:53:22 PM 2/11/2008


Listing files found while scanning....


C:\WINDOWS\system32\lbxtmzsp.dll


C:\WINDOWS\system32\pmnlkkj.dll


Beginning removal...


Attempting to delete C:\WINDOWS\system32\lbxtmzsp.dll


C:\WINDOWS\system32\lbxtmzsp.dll Could not be deleted.


Performing Repairs to the registry.


Done!


Beginning removal...


Attempting to delete C:\WINDOWS\system32\lbxtmzsp.dll


C:\WINDOWS\system32\lbxtmzsp.dll Could not be deleted.


Performing Repairs to the registry.


Done!


VundoFix V6.5.11


Checking Java version...


Java version is 1.5.0.9


Old versions of java are exploitable and should be removed.


Scan started at 7:07:01 PM 2/11/2008


Listing files found while scanning....


C:\WINDOWS\system32\dgzpyqio.dll


Beginning removal...


Attempting to delete C:\WINDOWS\system32\dgzpyqio.dll


C:\WINDOWS\system32\dgzpyqio.dll Has been deleted!


Performing Repairs to the registry.


Done!


VundoFix V6.7.8


Checking Java version...


Java version is 1.5.0.9


Old versions of java are exploitable and should be removed.


Scan started at 2:04:50 PM 2/12/2008


Listing files found while scanning....


C:\windows\system32\dgzpyqio.dllbox


C:\windows\system32\lbxtmzsp.dll


C:\windows\system32\lbxtmzsp.dllbox


C:\WINDOWS\system32\rntbbjfp.dll


C:\windows\system32\rntbbjfp.dllbox


Beginning removal...


Attempting to delete C:\windows\system32\dgzpyqio.dllbox


C:\windows\system32\dgzpyqio.dllbox Has been deleted!


Attempting to delete C:\windows\system32\lbxtmzsp.dll


C:\windows\system32\lbxtmzsp.dll Has been deleted!


Attempting to delete C:\windows\system32\lbxtmzsp.dllbox


C:\windows\system32\lbxtmzsp.dllbox Has been deleted!


Attempting to delete C:\WINDOWS\system32\rntbbjfp.dll


C:\WINDOWS\system32\rntbbjfp.dll Could not be deleted.


Attempting to delete C:\windows\system32\rntbbjfp.dllbox


C:\windows\system32\rntbbjfp.dllbox Has been deleted!


Performing Repairs to the registry.


Done!


Beginning removal...


Attempting to delete C:\WINDOWS\system32\rntbbjfp.dll


C:\WINDOWS\system32\rntbbjfp.dll Could not be deleted.


Attempting to delete C:\windows\system32\rntbbjfp.dllbox


C:\windows\system32\rntbbjfp.dllbox Has been deleted!


Performing Repairs to the registry.


Done!


Beginning removal...


VundoFix V6.7.8


Checking Java version...


Java version is 1.5.0.9


Old versions of java are exploitable and should be removed.


Scan started at 3:08:35 PM 2/12/2008


Listing files found while scanning....


C:\windows\system32\rntbbjfp.dll


C:\windows\system32\rntbbjfp.dllbox


Beginning removal...


Attempting to delete C:\windows\system32\rntbbjfp.dll


C:\windows\system32\rntbbjfp.dll Could not be deleted.


Attempting to delete C:\windows\system32\rntbbjfp.dllbox


C:\windows\system32\rntbbjfp.dllbox Has been deleted!


Performing Repairs to the registry.


Done!


Beginning removal...


Attempting to delete C:\windows\system32\rntbbjfp.dll


C:\windows\system32\rntbbjfp.dll Could not be deleted.


Attempting to delete C:\windows\system32\rntbbjfp.dllbox


C:\windows\system32\rntbbjfp.dllbox Has been deleted!


Performing Repairs to the registry.


Done!

Comments

  • bszente
    bszente

    Hello Jacky,


    If you have not solved it already your problem with the Vundo infection, I recommend you to do a scan using our Linux based BitDefender 2008 Rescue CD. It can scan your Windows partition offline, and it can remove successfully all kind of detected trojans/rootkits. You can download it from the following link: http://download.bitdefender.com/rescue_cd/


    Regards,


    bszente

All Time Leaders

Categories

Defenders of the month