
Nt Kernel Error 1256


Hey there.

Seems I've joined the party and got this kernel error. From info I've got from this forum, I'm going to download and run VundoFix. I only got it yesterday, if it means anything. Normally an extremely safe server; I was an idiot to download a more than dodgy file. Going to run that program, then a HijackThis log. Anything else I need to do, or any help, is kindly received.

dan

Comments

  • HijackThis log.

    Logfile of HijackThis v1.99.1
    Scan saved at 14:46:20, on 13/02/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16574)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\csrss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\cryptainersrv.exe
    C:\Program Files\TOSHIBA\TOSHIBA Applet\TAPPSRV.exe
    C:\WINDOWS\System32\alg.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    C:\WINDOWS\AGRSMMSG.exe
    C:\Program Files\Toshiba\Toshiba Applet\thotkey.exe
    C:\Program Files\TOSHIBA\Tvs\TvsTray.exe
    C:\WINDOWS\system32\TPSMain.exe
    C:\Program Files\TOSHIBA\ConfigFree\NDSTray.exe
    C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
    C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe
    C:\WINDOWS\system32\TPSBattM.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\DLA\DLACTRLW.EXE
    C:\Program Files\TOSHIBA\ConfigFree\CFSServ.exe
    C:\WINDOWS\RTHDCPL.EXE
    C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\PeerGuardian2\pg2.exe
    C:\Program Files\MSN Messenger\MsnMsgr.Exe
    C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\Program Files\DansFirefox\firefox.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\Program Files\DansFirefox\firefox.exe
    C:\Program Files\HijackThis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.skybroadband.com
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.skybroadband.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,First Home Page = http://www.skybroadband.com
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Windows Internet Explorer provided by Sky Broadband
    F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\ntos.exe,
    O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
    O4 - HKLM\..\Run: [synTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
    O4 - HKLM\..\Run: [synTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
    O4 - HKLM\..\Run: [THotkey] C:\Program Files\Toshiba\Toshiba Applet\thotkey.exe
    O4 - HKLM\..\Run: [Tvs] C:\Program Files\TOSHIBA\Tvs\TvsTray.exe
    O4 - HKLM\..\Run: [TPSMain] TPSMain.exe
    O4 - HKLM\..\Run: [NDSTray.exe] NDSTray.exe
    O4 - HKLM\..\Run: [smoothView] C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
    O4 - HKLM\..\Run: [PadTouch] C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe
    O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
    O4 - HKLM\..\Run: [CFSServ.exe] CFSServ.exe -NoClient
    O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
    O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe
    O4 - HKLM\..\Run: [90a54e4a] rundll32.exe "C:\WINDOWS\system32\srtashfb.dll",b
    O4 - HKCU\..\Run: [TOSCDSPD] C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [PeerGuardian] C:\Program Files\PeerGuardian2\pg2.exe
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
    O4 - HKCU\..\Run: [spybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    O4 - HKCU\..\Run: [ssAAD.exe] C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
    O4 - Startup: Microsoft Office OneNote 2003 Quick Launch.lnk = C:\Program Files\Microsoft Office\OFFICE11\ONENOTEM.EXE
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
    O9 - Extra button: Sky - {08E730A4-FB02-45BD-A900-01E4AD8016F6} - http://www.skybroadband.com (file missing)
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\Partypoker\PartyPoker\RunApp.exe
    O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\Partypoker\PartyPoker\RunApp.exe
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O11 - Options group: [iNTERNATIONAL] International*
    O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
    O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
    O23 - Service: Atheros Configuration Service (ACS) - Unknown owner - C:\WINDOWS\system32\acs.exe (file missing)
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
    O23 - Service: Microsoft cache control (MSControlService) - Unknown owner - C:\WINDOWS\system32\windows (file missing)
    O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
    O23 - Service: Microsoft security update service (msupdate) - Unknown owner - c:\windows\system32\msvcrtd.exe
    O23 - Service: PACSPTISVR - Unknown owner - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
    O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
    O23 - Service: Cryptainer service (ssoftservice) - Cypherix Software (India) Pvt. Ltd. - C:\WINDOWS\SYSTEM32\cryptainersrv.exe
    O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
    O23 - Service: TOSHIBA Application Service (TAPPSRV) - TOSHIBA Corp. - C:\Program Files\TOSHIBA\TOSHIBA Applet\TAPPSRV.exe

    I've also noticed I have about 1500 files in my C drive I can't delete, and Spybot is stopping registry changes constantly.
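A small triage script over the kinds of entries in the log above, added here as an example (it is not a Bitdefender tool and not code from this thread). It runs three defender-side heuristics on constructed sample lines modelled on that log: the F2 UserInit chain, the random-named O4 rundll32 entry, and O23 services with no publisher whose display name mimics Microsoft or whose binary is already missing.

```python
import re

# Constructed sample modelled on the HijackThis log posted above (benign lines included).
SAMPLE_LOG = r"""
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\ntos.exe,
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [90a54e4a] rundll32.exe "C:\WINDOWS\system32\srtashfb.dll",b
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Microsoft cache control (MSControlService) - Unknown owner - C:\WINDOWS\system32\windows (file missing)
O23 - Service: Microsoft security update service (msupdate) - Unknown owner - c:\windows\system32\msvcrtd.exe
"""
HEX_NAME = re.compile(r"^[0-9a-f]{8}$")  # random 8-hex-digit Run-key names

def check_f2(line):
    # UserInit should list userinit.exe only; anything chained after it runs at every logon.
    parts = line.split("UserInit=", 1)[1].split(",")
    extra = [p for p in parts if p.strip() and not p.lower().endswith("userinit.exe")]
    return "UserInit chains extra executable(s): " + ", ".join(extra) if extra else None

def check_o4(line):
    # Run entries: a random hex name, or rundll32 loading a DLL at logon.
    m = re.search(r"\[([^\]]+)\]\s*(.*)", line)
    if m is None:
        return None
    name, cmd = m.groups()
    if HEX_NAME.match(name):
        return f"random-looking Run-key name [{name}]"
    if "rundll32" in cmd.lower() and ".dll" in cmd.lower():
        return "rundll32 loading a DLL at logon"

def check_o23(line):
    # "Unknown owner" alone is common; with a Microsoft-sounding name or a missing binary it is worth a look.
    if "Unknown owner" not in line:
        return None
    display = line.split("O23 - Service: ", 1)[1].split(" - ", 1)[0]
    if "(file missing)" in line:
        return "service binary missing"
    if "microsoft" in display.lower():
        return "Microsoft-branded service with unknown owner"

CHECKS = {"F2": check_f2, "O4": check_o4, "O23": check_o23}

def triage(log_text):
    # Return (line, reason) pairs for every line that one of the heuristics matches.
    findings = []
    for line in (raw.strip() for raw in log_text.splitlines()):
        check = CHECKS.get(line.split(" - ", 1)[0])
        if check and (reason := check(line)):
            findings.append((line, reason))
    return findings
```

The heuristics are deliberately narrow: a hit is a reason to look at the file, not a verdict, and a benign "Unknown owner" service (like the PACSPTISVR entry in the log) is left alone.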

  • The name of this file doesn't seem right. Please submit it so I can have a look at it.

    C:\Windows\system32\srtashfb.dll

  • How do I submit a file?

    Sorry for the noobism!

  • rbenchea
    edited February 2008

    When you add a reply, below your text area there is a text field with a "Browse" button on the right. Select the file and press upload :) That should do it :P

  • Aha, I had NoScript on, something that blocks websites. I had to allow Bitdefender before I could see the browse button :) thanks

    Oh... as I write this post..

    " Upload failed. You are not permitted to upload this type of file"

    And I archived it, and it disappeared... not good lol.

  • Yes, you can upload only archives (forgot to mention). The file you've sent me is infected with Vundo. You have to delete that file. As far as I know Vundo injects itself into many processes including winlogon. So the best way to delete that file is using a boot CD. Try it and tell me how it went.

  • wballstarz
    edited February 2008

    What is a boot CD?

    Can I just use System Restore if there's a restore point?

    Would you mind, if you know what to do, giving me step-by-step instructions to get rid of this?

    Many thanks

    dan

    Edit: I have looked, and found a recovery disk, if that helps. It formats the drive though, something I only wish to do if it is totally necessary and will work.

    Thanks :)

  • OK... download the file from this address:

    http://students.info.uaic.ro/~mihai.benche...BDAspySetup.exe

    It is a program that we are currently working on. So, download it, install it and then run it. Go to [On Demand], select [Choose file from disk] and browse for the file you want to delete. Below, from the [Choose action to take], select [Force file delete (requires restart)] and press Start Clean.

    Tell me how it went.

    [You no longer need the boot CD]

  • So.....

    It did delete it, but I still have 3 thousand .tmp files in my C drive and warning messages everywhere! :(

  • Try now to delete the tmp files. Also please post here a bd_sys_log info file. (You can create this kind of file using the program you have just downloaded, from SysLog info.)

  • Well, the tmp files are undeletable.

    And on top of that, I can't get to my files, My Computer, My Documents, etc. etc., they just will not open.

    Attachment: bd_sys_log.xml

  • Please submit the following files:

    C:\WINDOWS\system32\jrarbxgu.dll (I'm 90% sure this is a Vundo file)

    C:\WINDOWS\system32\jkhfc.dll

    C:\WINDOWS\system32\jkkigdd.dll

  • wballstarz
    edited December 2019

    Razvan Benchea said:

    Please submit the following files:
    C:\WINDOWS\system32\jrarbxgu.dll (I'm 90% sure this is a Vundo file)
    C:\WINDOWS\system32\jkhfc.dll
    C:\WINDOWS\system32\jkkigdd.dll

    Sorry for the long reply time!

    Attachment: virusfiles.rar.zip

  • All these files are Vundo files. You can delete them using the program I've sent you. To delete all of the files using one restart, do the following. After you have selected the first file to delete (don't forget to use force file delete), press Start Clean. A window will appear telling you that you need to restart your computer. Select No and choose the second file to delete. Again, press Start Clean and select No. Now there's only one file left for deletion. So select it for deletion and press Start Clean. Now you can select Yes (so the system can restart). Even though there is no dialog telling you that you have selected three files for deletion, when you reboot your computer you'll see that there actually are three files.

    Good luck and tell me how it went.

  • Hi. I have sent a message to storageprotector.com. If they are the link to the desktop icons then they should also be responsible for being able to remove them. I said there were a lot of people having problems. Maybe they want a mass attack of emails from everyone having problems. Anyhoo, if I get a reply I will advise.

  • Superb, thank you, it's allowed me to delete my nigh on 5 thousand .tmp files!

    lol, what are tmp files by the way?

    Thanks a lot for the help, I've bookmarked this topic, and will reply if anything else happens, like files coming back, etc. etc.

    Thanks again.

    dan