HijackThis NT_Kernel error1256

Post by Nilz1 » January 30th, 2008, 4:34 pm

Please help!

Can't seem to get rid of this malware; this is my log:

Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 21:25:05, on 30.01.2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Safe mode with network support

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Programfiler\Internet Explorer\iexplore.exe
C:\Documents and Settings\Administrator\Lokale innstillinger\Temporary Internet Files\Content.IE5\U9YR8VI9\HiJackThis_v2[1].exe
C:\WINDOWS\system32\rundll32.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE= ... &pf=laptop
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://ie.redirect.hp.com/svs/rdr?TYPE= ... &pf=laptop
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koblinger
O2 - BHO: {684e7440-b018-565a-8d24-8b1abb209d20} - {02d902bb-a1b8-42d8-a565-810b0447e486} - C:\WINDOWS\system32\tefpmels.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programfiler\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {26CA1F51-50B0-4875-96D1-1FC2BC3236DA} - C:\WINDOWS\system32\opppq.dll
O2 - BHO: (no name) - {4D8746B8-49D3-4262-AFB5-5591B778ED78} - C:\WINDOWS\system32\efcbc.dll (file missing)
O2 - BHO: Påloggingshjelp for Windows Live - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Programfiler\Fellesfiler\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: (no name) - {98663E21-9CCE-4CF6-863C-911A9523A66F} - C:\WINDOWS\system32\xxyywwu.dll
O2 - BHO: (no name) - {A95B2816-1D7E-4561-A202-68C0DE02353A} - C:\WINDOWS\system32\jfhbgonr.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Programfiler\Java\jre1.5.0_03\bin\jusched.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Programfiler\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Programfiler\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [ANIWZCS2Service] C:\Programfiler\ANI\ANIWZCS2 Service\WZCSLDR2.exe
O4 - HKLM\..\Run: [eabconfg.cpl] C:\Programfiler\HPQ\Quick Launch Buttons\EabServr.exe /Start
O4 - HKLM\..\Run: [D-Link D-Link Wireless N DWA-140] C:\Programfiler\D-Link\D-Link Wireless N DWA-140\AirNCFG.exe
O4 - HKLM\..\Run: [Cpqset] C:\Programfiler\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Programfiler\HP\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [1b3feb92] rundll32.exe "C:\WINDOWS\system32\gvckcsic.dll",b
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Programfiler\Messenger\msmsgs.exe" /background
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOKAL TJENESTE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETTVERKSTJENESTE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Microsoft Office.lnk = C:\Programfiler\Microsoft Office\Office10\OSA.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programfiler\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programfiler\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programfiler\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programfiler\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/ms ... b31267.cab
O16 - DPF: {112857FE-03FF-11D5-9A3F-0080C8D85044} (GameDesire Solitaires) - http://67.15.101.33/g_bin/eng/solitaire_2_0_0_28.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Me ... b31267.cab
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary/ms ... b56986.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/Mi ... b31267.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.com//PhotoUpload/MsnPUpld.cab
O16 - DPF: {5C051655-FCD5-4969-9182-770EA5AA5565} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/So ... b56986.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Me ... b31267.cab
O16 - DPF: {9122D757-5A4F-4768-82C5-B4171D8556A7} (PhotoPickConvert Class) - http://appdirectory.messenger.msn.com/A ... tPkMSN.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Me ... b56907.cab
O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/Mi ... b56986.cab
O20 - Winlogon Notify: jfhbgonr - C:\WINDOWS\SYSTEM32\jfhbgonr.dll
O20 - Winlogon Notify: xxyywwu - C:\WINDOWS\SYSTEM32\xxyywwu.dll
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\System32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\System32\browseui.dll
O23 - Service: ANIWZCSd Service (ANIWZCSdService) - Wireless Service - C:\Programfiler\ANI\ANIWZCS2 Service\ANIWZCSdS.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Programfiler\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Programfiler\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Programfiler\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Programfiler\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: HP WMI Interface (hpqwmi) - Hewlett Packard Company - C:\Programfiler\HPQ\SHARED\HPQWMI.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programfiler\Fellesfiler\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Programfiler\iPod\bin\iPodService.exe

--
End of file - 7325 bytes
Nilz1
Active Member
 
Posts: 9
Joined: January 30th, 2008, 4:29 pm
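The HijackThis log above is the kind of artefact a helper reads by eye: O2 (browser helper objects), O4 (Run keys), O20 (Winlogon Notify) and the "(file missing)" markers. As an added example, not code from this thread, from Trend Micro or from MalwareRemoval.com, the script below parses log lines of that shape and flags the same indicators a reviewer would circle in this log: a BHO or Winlogon Notify DLL in system32 with a machine-generated-looking name, a Run entry that uses rundll32 to load such a DLL, a Policies\Explorer\Run entry with a bare filename, and entries that point at a file that no longer exists. The sample lines are copied from the two logs posted in this thread; the vowel-ratio heuristic for "random-looking" names and the 0.3 threshold are assumptions of this example, not anything HijackThis does.

```python
"""Triage a HijackThis log for autostart patterns seen in Vundo-style infections.

Added example for this thread (not HijackThis's own code). The name heuristic and
the section list are assumptions chosen to match the logs posted above.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample: lines in the shape HijackThis uses, taken from the two logs
# in this thread (O2 = BHO, O4 = Run key, O20 = Winlogon Notify, O22 = SharedTaskScheduler).
SAMPLE_LOG = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programfiler\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {26CA1F51-50B0-4875-96D1-1FC2BC3236DA} - C:\WINDOWS\system32\opppq.dll
O2 - BHO: (no name) - {4D8746B8-49D3-4262-AFB5-5591B778ED78} - C:\WINDOWS\system32\efcbc.dll (file missing)
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [1b3feb92] rundll32.exe "C:\WINDOWS\system32\gvckcsic.dll",b
O4 - HKCU\..\Policies\Explorer\Run: [NTSpool] NTSpool.exe
O20 - Winlogon Notify: xxyywwu - C:\WINDOWS\SYSTEM32\xxyywwu.dll
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\System32\browseui.dll
"""


@dataclass
class Finding:
    line: str    # the log line that triggered the finding
    reason: str  # why it was flagged


ENTRY_RE = re.compile(r"^(O\d+) - (.*)$")
# A drive-letter path ending in <stem>.dll; group 2 is the bare module name.
DLL_RE = re.compile(r"([A-Za-z]:\\[^\"]*?\\([A-Za-z0-9_]+)\.dll)", re.IGNORECASE)
VOWELS = set("aeiou")


def looks_random(stem: str) -> bool:
    """Heuristic (an assumption of this example): 5-8 lowercase letters with a
    vowel ratio below 0.3 reads as machine-generated rather than a product name."""
    if not re.fullmatch(r"[a-z]{5,8}", stem):
        return False
    return sum(c in VOWELS for c in stem) / len(stem) < 0.3


def triage(log_text: str) -> list[Finding]:
    """Return one Finding per log line that matches an indicator worth reviewing."""
    findings: list[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if not m:
            continue  # headers, blank lines, process list
        section, body = m.groups()

        # Orphaned references: the loader entry survived but the file is gone.
        if "(file missing)" in body:
            findings.append(Finding(line, f"{section}: entry references a file that no longer exists"))
            continue

        # DLLs loaded into the browser or winlogon, or via rundll32 from a Run key.
        if section in ("O2", "O20") or (section == "O4" and "rundll32" in body.lower()):
            dm = DLL_RE.search(body)
            if dm and "system32" in dm.group(1).lower() and looks_random(dm.group(2)):
                findings.append(Finding(line, f"{section}: randomly named DLL in system32 ({dm.group(2)}.dll)"))
                continue

        # Policies\Explorer\Run is rarely used by legitimate software.
        if section == "O4" and "policies\\explorer\\run" in body.lower():
            findings.append(Finding(line, "O4: Policies\\Explorer\\Run autostart with a bare filename and no path"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.reason}\n    {f.line}")
```

Run against the constructed sample it reports five lines (opppq.dll, efcbc.dll as missing, gvckcsic.dll via rundll32, the NTSpool policy entry and xxyywwu.dll) and leaves AcroIEHelper.dll, ashDisp.exe and browseui.dll alone. The name heuristic is deliberately narrow: it only looks at DLLs in system32 reached through O2, O20 or rundll32, because short vowel-poor names are common among legitimate executables elsewhere, and a flagged line is a prompt for a human to check the file's signer and creation date, not a verdict.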

Re: HijackThis NT_Kernel error1256

Post by amateur » January 30th, 2008, 8:18 pm

Hello and welcome to MR :)

Surfing the net in Safe Mode with networking is a dangerous practice, as none of your security applications will be able to protect you. Do you have problems running in Normal Mode?

Download Combofix from any of the links below, and save it to your desktop. For information regarding this download, please visit this webpage: http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Link 1
Link 2
Link 3

**Note: It is important that it is saved directly to your desktop**

--------------------------------------------------------------------

1. Close any open browsers.

2. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

--------------------------------------------------------------------

• Double click on combofix.exe & follow the prompts.
• When finished, it will produce a report for you.
• Please post the C:\ComboFix.txt along with a new HijackThis log for further review.

Note:
Do not mouse-click ComboFix's window while it's running. That may cause it to stall.
amateur
MRU Master
 
Posts: 2545
Joined: September 25th, 2005, 1:13 pm
Location: RI, USA

Re: HijackThis NT_Kernel error1256

Post by Nilz1 » January 31st, 2008, 3:30 am

The computer will not work in normal mode, so this is the only option.
Have found the Trojan.Vundo.DXE and DVS but there is no way of cleaning it out.
Will try the combofix.

Thanx
Nilz1
Active Member
 
Posts: 9
Joined: January 30th, 2008, 4:29 pm

Re: HijackThis NT_Kernel error1256

Post by Nilz1 » January 31st, 2008, 4:42 am

Here are the log files from HijackThis and ComboFix.
And btw, got it to work in normal mode.

Thanx for the help
Nilz1
Active Member
 
Posts: 9
Joined: January 30th, 2008, 4:29 pm

Re: HijackThis NT_Kernel error1256

Post by amateur » January 31st, 2008, 9:35 am

Hi,

As you may have already noticed, this machine does not have the Windows XP Recovery Console installed.

The Windows recovery console will allow you to boot up into a special recovery mode that allows us to help you in the case that your computer has a problem after an attempted removal of malware.

With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal.

Please go to Microsoft's website => http://support.microsoft.com/kb/310994
Select the download that's appropriate for your Operating System


Download the file & save it as it's originally named, next to ComboFix.exe.


Now close all open windows and programs, then drag the setup package onto ComboFix.exe and drop it. Follow the prompts to start ComboFix and when prompted, agree to the End-User License Agreement to install the Microsoft Recovery Console. When complete, a log named CF_RC.txt will open. Please post the contents of that log.

Please do not reboot your machine until we have reviewed the log.

===================================

P.S. I am going to post your logs below for convenience. Please do not attach the logs but copy and paste them in future.



ComboFix 08-01-31.3 - Administrator 2008-01-31 8:36:11.1 - NTFSx86 NETWORK
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1044.18.67 [GMT 1:00]
Running from: C:\Documents and Settings\Administrator\Skrivebord\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Wenche\err.log
C:\Documents and Settings\Wenche\Programdata\DriveCleaner 2006 Free
C:\Documents and Settings\Wenche\Programdata\DriveCleaner 2006 Free\Logs\update.log
C:\Documents and Settings\Wenche\Programdata\storageprotector
C:\Documents and Settings\Wenche\Programdata\storageprotector\Logs\update.log
C:\Programfiler\StorageProtector
C:\Programfiler\StorageProtector\License.rtf
C:\Programfiler\StorageProtector\Readme.rtf
C:\Programfiler\StorageProtector\rm.url
C:\Programfiler\StorageProtector\sr.log
C:\Programfiler\StorageProtector\swupd.log
C:\Programfiler\StorageProtector\SysRep.exe.cer
C:\Programfiler\StorageProtector\SysRep.exe.Log
C:\Programfiler\StorageProtector\SysRep.exe.xml
C:\Programfiler\StorageProtector\SysRep.url
C:\Programfiler\StorageProtector\unins000.dat
C:\WINDOWS\images.zip
C:\WINDOWS\system32\cbcfe.ini
C:\WINDOWS\system32\cbcfe.ini2
C:\WINDOWS\system32\cisckcvg.ini
C:\WINDOWS\system32\gvckcsic.dll
C:\WINDOWS\system32\jfhbgonr.dll
C:\WINDOWS\system32\jfhbgonr.dllbox
C:\WINDOWS\system32\jjbimrlk.dllbox
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\opppq.dll
C:\WINDOWS\system32\qpppo.ini
C:\WINDOWS\system32\qpppo.ini2
C:\WINDOWS\system32\tfcjdlgp.dll
C:\WINDOWS\system32\tobbjvmy.dll
C:\WINDOWS\system32\xxyywwu.dll
C:\WINDOWS\system32\ymvjbbot.ini

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_DOMAINSERVICE

((((((((((((((((((((((((( Files Created from 2007-12-28 to 2008-01-31 )))))))))))))))))))))))))))))))
.

2008-01-30 22:15 . 2008-01-30 23:35 <DIR> d-------- C:\WINDOWS\BDOSCAN8
2008-01-30 22:11 . 2008-01-30 22:11 <DIR> d---s---- C:\Documents and Settings\Administrator\UserData
2008-01-30 20:50 . 2008-01-30 20:50 <DIR> d-------- C:\Documents and Settings\Administrator\Programdata\TuneUp Software
2008-01-30 19:34 . 2007-12-04 13:54 95,608 --a------ C:\WINDOWS\system32\AvastSS.scr
2008-01-30 19:34 . 2007-12-04 15:51 42,912 --a------ C:\WINDOWS\system32\drivers\aswTdi.sys
2008-01-30 19:34 . 2007-12-04 15:49 26,624 --a------ C:\WINDOWS\system32\drivers\aavmker4.sys
2008-01-30 19:34 . 2007-12-04 15:53 23,152 --a------ C:\WINDOWS\system32\drivers\aswRdr.sys
2008-01-30 19:33 . 2008-01-30 19:33 <DIR> d-------- C:\Programfiler\Alwil Software
2008-01-30 19:33 . 2007-12-04 14:04 837,496 --a------ C:\WINDOWS\system32\aswBoot.exe
2008-01-30 19:33 . 2004-01-09 10:13 380,928 --a------ C:\WINDOWS\system32\actskin4.ocx
2008-01-30 19:33 . 2007-12-04 15:55 94,544 --a------ C:\WINDOWS\system32\drivers\aswmon2.sys
2008-01-30 19:33 . 2007-12-04 15:56 93,264 --a------ C:\WINDOWS\system32\drivers\aswmon.sys
2008-01-30 19:28 . 2003-05-04 06:15 <DIR> dr------- C:\Documents and Settings\Administrator\Start-meny
2008-01-30 19:28 . 2003-05-04 06:15 <DIR> d--h----- C:\Documents and Settings\Administrator\Skrivere
2008-01-30 19:28 . 2008-01-31 08:42 <DIR> d-------- C:\Documents and Settings\Administrator\Skrivebord
2008-01-30 19:28 . 2008-01-30 20:34 <DIR> dr-h----- C:\Documents and Settings\Administrator\Siste
2008-01-30 19:28 . 2003-05-03 23:26 <DIR> d-------- C:\Documents and Settings\Administrator\Programdata\Symantec
2008-01-30 19:28 . 2003-05-03 22:51 <DIR> d-------- C:\Documents and Settings\Administrator\Programdata\Sonic
2008-01-30 19:28 . 2003-05-03 23:35 <DIR> d-------- C:\Documents and Settings\Administrator\Programdata\Share-to-Web-opplastingsmappe
2008-01-30 19:28 . 2008-01-30 22:09 <DIR> dr-h----- C:\Documents and Settings\Administrator\Programdata
2008-01-30 19:28 . 2008-01-31 08:37 <DIR> dr------- C:\Documents and Settings\Administrator\Mine dokumenter
2008-01-30 19:28 . 2003-05-04 06:15 <DIR> d--h----- C:\Documents and Settings\Administrator\Maler
2008-01-30 19:28 . 2008-01-31 08:43 <DIR> d--h----- C:\Documents and Settings\Administrator\Lokale innstillinger
2008-01-30 19:28 . 2003-05-04 06:15 <DIR> dr------- C:\Documents and Settings\Administrator\Favoritter
2008-01-30 19:28 . 2003-05-04 06:15 <DIR> d--h----- C:\Documents and Settings\Administrator\AndrMask
2008-01-30 18:39 . 2008-01-30 18:39 <DIR> dr-h----- C:\Documents and Settings\Wenche\Siste
2008-01-30 17:27 . 2008-01-30 17:27 <DIR> d-------- C:\Programfiler\CCleaner
2008-01-29 22:48 . 2008-01-29 22:48 <DIR> d-------- C:\Documents and Settings\Wenche\Programdata\TuneUp Software
2008-01-29 22:47 . 2008-01-29 22:47 <DIR> d-------- C:\Documents and Settings\All Users\Programdata\TuneUp Software
2008-01-29 22:47 . 2007-05-16 09:41 29,704 --a------ C:\WINDOWS\system32\uxtuneup.dll
2008-01-29 22:46 . 2008-01-29 22:48 <DIR> d-------- C:\Programfiler\TuneUp Utilities 2007
2008-01-29 22:45 . 2008-01-29 22:45 <DIR> d-------- C:\Programfiler\Fellesfiler\Wise Installation Wizard
2008-01-28 18:34 . 2008-01-29 21:37 <DIR> d-------- C:\Documents and Settings\Maikenpii\Programdata\LimeWire
2008-01-28 18:04 . 2008-01-28 18:04 <DIR> d-------- C:\Documents and Settings\Maikenpii\Programdata\DivX
2008-01-28 16:48 . 2008-01-28 16:49 <DIR> d-------- C:\Documents and Settings\Maikenpii\Contacts
2008-01-28 16:48 . 2008-01-28 16:48 268 --ah----- C:\sqmdata00.sqm
2008-01-28 16:48 . 2008-01-28 16:48 244 --ah----- C:\sqmnoopt07.sqm
2008-01-28 16:46 . 2008-01-28 16:46 <DIR> d-------- C:\Documents and Settings\Maikenpii\Programdata\Creative
2008-01-28 16:44 . 2003-05-04 06:15 <DIR> dr------- C:\Documents and Settings\Maikenpii\Start-meny
2008-01-28 16:44 . 2003-05-04 06:15 <DIR> d--h----- C:\Documents and Settings\Maikenpii\Skrivere
2008-01-28 16:44 . 2008-01-28 19:23 <DIR> d-------- C:\Documents and Settings\Maikenpii\Skrivebord
2008-01-28 16:44 . 2008-01-29 21:37 <DIR> dr-h----- C:\Documents and Settings\Maikenpii\Siste
2008-01-28 16:44 . 2003-05-03 23:26 <DIR> d-------- C:\Documents and Settings\Maikenpii\Programdata\Symantec
2008-01-28 16:44 . 2003-05-03 22:51 <DIR> d-------- C:\Documents and Settings\Maikenpii\Programdata\Sonic
2008-01-28 16:44 . 2003-05-03 23:35 <DIR> d-------- C:\Documents and Settings\Maikenpii\Programdata\Share-to-Web-opplastingsmappe
2008-01-28 16:44 . 2008-01-28 18:34 <DIR> dr-h----- C:\Documents and Settings\Maikenpii\Programdata
2008-01-28 16:44 . 2008-01-31 08:37 <DIR> dr------- C:\Documents and Settings\Maikenpii\Mine dokumenter
2008-01-28 16:44 . 2003-05-04 06:15 <DIR> d--h----- C:\Documents and Settings\Maikenpii\Maler
2008-01-28 16:44 . 2003-05-04 06:15 <DIR> d--h----- C:\Documents and Settings\Maikenpii\Lokale innstillinger
2008-01-28 16:44 . 2008-01-28 16:45 <DIR> dr------- C:\Documents and Settings\Maikenpii\Favoritter
2008-01-28 16:44 . 2003-05-04 06:15 <DIR> d--h----- C:\Documents and Settings\Maikenpii\AndrMask
2008-01-28 16:27 . 2008-01-28 16:27 <DIR> d-------- C:\Documents and Settings\Wenche\Programdata\HP
2008-01-28 16:27 . 2008-01-28 16:27 <DIR> d-------- C:\Documents and Settings\Wenche\Programdata\Common Files
2008-01-25 15:04 . 2008-01-25 15:05 354,816 --a------ C:\WINDOWS\RBossing05.exe
2008-01-21 19:19 . 2008-01-21 19:19 48 --a------ C:\tmp.bat
2008-01-14 22:26 . 2008-01-28 01:18 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-01-14 22:26 . 2008-01-14 22:26 1,409 --a------ C:\WINDOWS\QTFont.for
2008-01-09 15:01 . 2008-01-09 15:01 53,248 --a------ C:\WINDOWS\bdoscandel.exe
2008-01-09 15:01 . 2008-01-09 15:01 453 --a------ C:\WINDOWS\bdoscandellang.ini
2008-01-07 23:03 . 2008-01-07 23:03 <DIR> d-------- C:\Programfiler\BearShare Applications
2008-01-07 23:03 . 2006-11-12 11:39 483,328 --a------ C:\WINDOWS\system32\actskn45.ocx
2007-12-28 21:58 . 2008-01-15 18:48 <DIR> d-------- C:\Programfiler\StepMania
2007-12-28 20:52 . 2008-01-30 21:08 7 --a------ C:\WINDOWS\system32\ANIWZCSUSERNAME
2007-12-28 20:46 . 2007-12-28 20:46 3,284 --a------ C:\WINDOWS\system32\ANIWZCS{E122442F-4D48-49BD-9E2A-C34F1604040C}
2007-12-28 20:44 . 2008-01-29 17:45 7 --a------ C:\WINDOWS\system32\ANIWZCSUSERNAME{E122442F-4D48-49BD-9E2A-C34F1604040C}
2007-12-28 20:43 . 2007-12-28 20:43 <DIR> d-------- C:\Programfiler\ANI
2007-12-28 20:42 . 2007-12-28 20:42 <DIR> d-------- C:\Programfiler\D-Link
2007-12-28 20:42 . 2007-03-13 12:35 476,416 --a------ C:\WINDOWS\system32\drivers\rt2870.sys
2007-12-28 20:40 . 2007-12-28 20:40 <DIR> d-------- C:\Documents and Settings\Wenche\Programdata\InstallShield
2007-12-19 20:42 . 2007-12-19 20:42 <DIR> d-------- C:\f1741e191bcbe7fe20d5
2007-12-03 18:54 . 2007-12-03 18:54 <DIR> d-------- C:\Documents and Settings\Wenche\Programdata\GanymedeNet
2007-12-03 18:54 . 2007-12-03 18:54 4 --a------ C:\WINDOWS\system32\proc-1963933865.bin

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-30 20:04 --------- d-----w C:\Programfiler\F-secure
2008-01-30 20:02 --------- d-----w C:\Programfiler\Yahoo!
2008-01-27 20:40 --------- d-----w C:\Documents and Settings\Wenche\Programdata\LimeWire
2007-12-28 19:43 --------- d--h--w C:\Programfiler\InstallShield Installation Information
2007-11-29 17:16 --------- d-----w C:\Programfiler\Windows Live
2007-11-29 16:54 --------- dcsh--w C:\Programfiler\Fellesfiler\WindowsLiveInstaller
2007-11-29 16:44 --------- d-----w C:\Documents and Settings\All Users\Programdata\WLInstaller
2006-08-29 13:12 30,432 -c--a-w C:\Documents and Settings\Wenche\Programdata\GDIPFONTCACHEV1.DAT
2007-06-13 13:24 354,816 --sh--r C:\WINDOWS\system32\sysregi.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{02d902bb-a1b8-42d8-a565-810b0447e486}]
C:\WINDOWS\system32\tefpmels.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{4D8746B8-49D3-4262-AFB5-5591B778ED78}]
C:\WINDOWS\system32\efcbc.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 09:03 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="C:\WINDOWS\System32\igfxtray.exe" [2003-10-30 09:46 155648]
"HotKeysCmds"="C:\WINDOWS\System32\hkcmd.exe" [2003-10-30 09:33 118784]
"SunJavaUpdateSched"="C:\Programfiler\Java\jre1.5.0_03\bin\jusched.exe" [2005-04-13 02:48 36975]
"SynTPLpr"="C:\Programfiler\Synaptics\SynTP\SynTPLpr.exe" [2004-05-26 18:15 98304]
"HPHmon05"="C:\WINDOWS\System32\hphmon05.exe" [2003-05-22 18:58 483328]
"iTunesHelper"="C:\Programfiler\iTunes\iTunesHelper.exe" [2005-12-20 19:54 278528]
"ANIWZCS2Service"="C:\Programfiler\ANI\ANIWZCS2 Service\WZCSLDR2.exe" [2007-01-19 11:49 49152]
"eabconfg.cpl"="C:\Programfiler\HPQ\Quick Launch Buttons\EabServr.exe" [2004-04-30 12:50 274432]
"D-Link D-Link Wireless N DWA-140"="C:\Programfiler\D-Link\D-Link Wireless N DWA-140\AirNCFG.exe" [2007-03-14 18:29 1388544]
"Cpqset"="C:\Programfiler\HPQ\Default Settings\cpqset.exe" [2004-04-30 09:32 208958]
"HP Software Update"="C:\Programfiler\HP\HP Software Update\HPWuSchd.exe" [2003-06-25 10:24 49152]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-12-04 14:00 79224]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2004-08-04 09:03 15360]

C:\Documents and Settings\All Users\Start-meny\Programmer\Oppstart\
Microsoft Office.lnk - C:\Programfiler\Microsoft Office\Office10\OSA.EXE [2001-02-13 10:01:04 83360]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\run]
"NTSpool"= NTSpool.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"TkBellExe"="C:\Programfiler\Fellesfiler\Real\Update_OB\realsched.exe" -osboot

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp

.
Contents of the 'Scheduled Tasks' folder
"2008-01-29 21:48:13 C:\WINDOWS\Tasks\1-Click Maintenance.job"
- C:\Programfiler\TuneUp Utilities 2007\SystemOptimizer.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-31 09:26:50
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Cpqset = C:\Programfiler\HPQ\Default Settings\cpqset.exe?????????8?1?9?6??P???? ???B???????????????B????????

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Programfiler\Alwil Software\Avast4\aswUpdSv.exe
C:\Programfiler\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Programfiler\Alwil Software\Avast4\ashMaiSv.exe
C:\Programfiler\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Programfiler\Java\jre1.5.0_03\bin\jusched.exe
C:\Programfiler\Synaptics\SynTP\SynTPLpr.exe
C:\WINDOWS\System32\hphmon05.exe
C:\Programfiler\iTunes\iTunesHelper.exe
C:\Programfiler\ANI\ANIWZCS2 Service\WZCSLDR2.exe
C:\Programfiler\HPQ\Quick Launch Buttons\EabServr.exe
C:\Programfiler\D-Link\D-Link Wireless N DWA-140\AirNCFG.exe
C:\Programfiler\iPod\bin\iPodService.exe
C:\Programfiler\HP\HP Software Update\HPWuSchd.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Programfiler\HPQ\SHARED\HPQWMI.exe
.
**************************************************************************
.
Completion time: 2008-01-31 9:30:46 - machine was rebooted [Wenche]
ComboFix-quarantined-files.txt 2008-01-31 08:30:38
.
2008-01-09 08:53:55 --- E O F ---

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 09:39, on 2008-01-31
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Programfiler\Alwil Software\Avast4\aswUpdSv.exe
C:\Programfiler\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\svchost.exe
C:\Programfiler\Alwil Software\Avast4\ashMaiSv.exe
C:\Programfiler\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Programfiler\Java\jre1.5.0_03\bin\jusched.exe
C:\Programfiler\Synaptics\SynTP\SynTPLpr.exe
C:\WINDOWS\System32\hphmon05.exe
C:\Programfiler\iTunes\iTunesHelper.exe
C:\Programfiler\ANI\ANIWZCS2 Service\WZCSLDR2.exe
C:\Programfiler\HPQ\Quick Launch Buttons\EabServr.exe
C:\Programfiler\D-Link\D-Link Wireless N DWA-140\AirNCFG.exe
C:\Programfiler\iPod\bin\iPodService.exe
C:\Programfiler\HP\HP Software Update\HPWuSchd.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programfiler\HPQ\SHARED\HPQWMI.exe
C:\WINDOWS\system32\notepad.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Programfiler\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.adressa.no/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.no/0SENBNO/SAOS01?FORM=TOOLBR
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koblinger
O2 - BHO: {684e7440-b018-565a-8d24-8b1abb209d20} - {02d902bb-a1b8-42d8-a565-810b0447e486} - C:\WINDOWS\system32\tefpmels.dll (file missing)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programfiler\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {4D8746B8-49D3-4262-AFB5-5591B778ED78} - C:\WINDOWS\system32\efcbc.dll (file missing)
O2 - BHO: Påloggingshjelp for Windows Live - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Programfiler\Fellesfiler\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Programfiler\Java\jre1.5.0_03\bin\jusched.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Programfiler\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Programfiler\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [ANIWZCS2Service] C:\Programfiler\ANI\ANIWZCS2 Service\WZCSLDR2.exe
O4 - HKLM\..\Run: [eabconfg.cpl] C:\Programfiler\HPQ\Quick Launch Buttons\EabServr.exe /Start
O4 - HKLM\..\Run: [D-Link D-Link Wireless N DWA-140] C:\Programfiler\D-Link\D-Link Wireless N DWA-140\AirNCFG.exe
O4 - HKLM\..\Run: [Cpqset] C:\Programfiler\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Programfiler\HP\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Policies\Explorer\Run: [NTSpool] NTSpool.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOKAL TJENESTE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETTVERKSTJENESTE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Microsoft Office.lnk = C:\Programfiler\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programfiler\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programfiler\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programfiler\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programfiler\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/ms ... b31267.cab
O16 - DPF: {112857FE-03FF-11D5-9A3F-0080C8D85044} (GameDesire Solitaires) - http://67.15.101.33/g_bin/eng/solitaire_2_0_0_28.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Me ... b31267.cab
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary/ms ... b56986.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/Mi ... b31267.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.com//PhotoUpload/MsnPUpld.cab
O16 - DPF: {5C051655-FCD5-4969-9182-770EA5AA5565} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/So ... b56986.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resourc ... oscan8.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Me ... b31267.cab
O16 - DPF: {9122D757-5A4F-4768-82C5-B4171D8556A7} (PhotoPickConvert Class) - http://appdirectory.messenger.msn.com/A ... tPkMSN.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Me ... b56907.cab
O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/Mi ... b56986.cab
O23 - Service: ANIWZCSd Service (ANIWZCSdService) - Wireless Service - C:\Programfiler\ANI\ANIWZCS2 Service\ANIWZCSdS.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Programfiler\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Programfiler\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Programfiler\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Programfiler\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: HP WMI Interface (hpqwmi) - Hewlett Packard Company - C:\Programfiler\HPQ\SHARED\HPQWMI.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programfiler\Fellesfiler\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Programfiler\iPod\bin\iPodService.exe

--
End of file - 7838 bytes
amateur
MRU Master
Posts: 2545
Joined: September 25th, 2005, 1:13 pm
Location: RI, USA

Re: HijackThis NT_Kernel error1256

Unread postby Nilz1 » January 31st, 2008, 12:06 pm

Didn't notice; it is not my machine, just trying to help my niece.
Downloading now.
Nilz1
Active Member
 
Posts: 9
Joined: January 30th, 2008, 4:29 pm

Re: HijackThis NT_Kernel error1256

Unread postby Nilz1 » January 31st, 2008, 12:19 pm

New log:

WindowsXP-KB310994-SP2-Home-BootDisk-NOR.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

Re: HijackThis NT_Kernel error1256

Unread postby amateur » January 31st, 2008, 12:33 pm

Hi,

Good. It's OK to reboot now.

I see that you are using some P2P file sharing programs like BearShare and LimeWire. I would like to warn you that the nature of P2P file sharing is such that even if one is using a "clean" program, many of the files downloaded from non-documented sources have the potential of being infected. So, regardless of whether one is using a "clean" program, one may still be prone to infection by malware, because more than half of all files available for download from peer-to-peer networks have been deliberately infected with some form of malware. Also, by default most P2P file sharing programs are configured to automatically launch at startup. They are also configured to allow other P2P users on the same network open access to a shared directory on your computer. The reason for this is simple: file sharing relies on its members giving and gaining unfettered access to computers across the P2P network. However, this practice can make you vulnerable to data and identity theft.
I recommend very strongly that you remove them from your system via Add/Remove Programs in Control Panel.

==================================

Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove the older Java components and update.

Updating Java:
  • Download the latest version of Java Runtime Environment (JRE) 6u4.
  • Scroll down to where it says "The Java SE Runtime Environment (JRE) allows end-users to run Java applications".
  • Click the "Download" button to the right.
  • In the pull-down menu next to Platform, select Windows.
  • Check the box that says: "I agree to the Java SE Runtime Environment 6 License Agreement"
  • Click Continue.
  • Click on the link to download Windows Offline Installation and save to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java.
  • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u4-windowsi586-p.exe to install the newest version.

==================================

Open Notepad (Start > All Programs > Accessories > Notepad) and copy/paste the text in the box below into it (it must be Notepad, not WordPad, otherwise it won't work):

Code:

File::
C:\tmp.bat
C:\WINDOWS\RBossing05.exe
C:\WINDOWS\system32\actskn45.ocx
C:\WINDOWS\system32\sysregi.exe
C:\WINDOWS\system32\NTSpool.exe

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{02d902bb-a1b8-42d8-a565-810b0447e486}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{4D8746B8-49D3-4262-AFB5-5591B778ED78}]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\run]
"NTSpool"=-



Save this as CFScript.txt

Image

Referring to the picture above, drag CFScript.txt into ComboFix.exe.

When finished, it shall produce a log for you. Post that log in your next reply along with a fresh HijackThis log taken after a reboot.

Note:
Do not mouse-click ComboFix's window while it's running. That may cause it to stall.
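A way to confirm that the CFScript above actually took effect is to check the script's targets against the HijackThis log posted afterwards. This is an added example, not code from the thread, ComboFix or HijackThis: it handles only the three CFScript directives used above (a path under File::, [-KEY] and "name"=- under Registry::), and the "before" and "after" log excerpts are constructed from lines posted in the thread, with the O4 Policies\Explorer\Run line for NTSpool an assumption.

```python
"""Check whether the targets of a ComboFix CFScript still show up in a
HijackThis log. Added example, not code from the thread, ComboFix or
HijackThis; only the three CFScript directives used above are handled."""

import re

GUID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
HJT_ENTRY_RE = re.compile(r"^(?P<code>[A-Z]\d{1,2}) - (?P<body>.*)$")

# The CFScript as posted in the thread.
CFSCRIPT = r"""File::
C:\tmp.bat
C:\WINDOWS\RBossing05.exe
C:\WINDOWS\system32\actskn45.ocx
C:\WINDOWS\system32\sysregi.exe
C:\WINDOWS\system32\NTSpool.exe

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{02d902bb-a1b8-42d8-a565-810b0447e486}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{4D8746B8-49D3-4262-AFB5-5591B778ED78}]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\run]
"NTSpool"=-
"""

# Constructed "before" excerpt: the rogue BHO from the first log plus an
# assumed O4 Policies\Explorer\Run entry for the NTSpool value.
BEFORE_LOG = r"""Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\NTSpool.exe

O2 - BHO: {684e7440-b018-565a-8d24-8b1abb209d20} - {02d902bb-a1b8-42d8-a565-810b0447e486} - C:\WINDOWS\system32\tefpmels.dll
O4 - HKCU\..\Policies\Explorer\Run: [NTSpool] C:\WINDOWS\system32\NTSpool.exe
"""

# Constructed "after" excerpt, taken from the log posted once the script had run.
AFTER_LOG = r"""Running processes:
C:\WINDOWS\System32\smss.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programfiler\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programfiler\Java\jre1.6.0_04\bin\ssv.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
"""


def parse_cfscript(text):
    """Return the File:: paths, [-KEY] deletions and "name"=- value deletions."""
    files, del_keys, del_values = [], [], []
    section = current_key = None
    for line in (l.strip() for l in text.splitlines()):
        if not line:
            continue
        if line.endswith("::"):
            section, current_key = line[:-2].lower(), None
        elif section == "file":
            files.append(line)
        elif section == "registry":
            if line.startswith("[-") and line.endswith("]"):
                del_keys.append(line[2:-1])           # delete the whole key
            elif line.startswith("[") and line.endswith("]"):
                current_key = line[1:-1]              # following values refer to this key
            elif (m := re.fullmatch(r'"([^"]+)"=-', line)) and current_key:
                del_values.append((current_key, m.group(1)))  # delete one value
    return files, del_keys, del_values


def parse_hjt(text):
    """Yield (code, body) for fix entries like 'O2 - ...'; process paths get code 'PROC'."""
    for line in (l.strip() for l in text.splitlines()):
        if m := HJT_ENTRY_RE.match(line):
            yield m.group("code"), m.group("body")
        elif re.match(r"[A-Za-z]:\\", line):
            yield "PROC", line


def remaining_targets(cfscript_text, hjt_text):
    """List the CFScript targets that are still visible in the HijackThis log."""
    files, del_keys, del_values = parse_cfscript(cfscript_text)
    entries = [(code, body.lower()) for code, body in parse_hjt(hjt_text)]
    guids = {g for _, body in entries for g in GUID_RE.findall(body)}
    hits = []
    for path in files:                    # a process line or any fix entry naming the file
        if any(path.lower() in body for _, body in entries):
            hits.append(f"file still present: {path}")
    for key in del_keys:                  # BHO keys are named by CLSID: match on the GUID
        if any(g.lower() in guids for g in GUID_RE.findall(key)):
            hits.append(f"registry key still present: {key}")
    for key, name in del_values:          # ...\Policies\Explorer\Run values show up as O4 lines
        if key.lower().endswith(r"policies\explorer\run") and any(
            code == "O4" and r"policies\explorer\run" in body and f"[{name.lower()}]" in body
            for code, body in entries
        ):
            hits.append(f"autorun value still present: {key}\\{name}")
    return hits


if __name__ == "__main__":
    for label, log in (("before", BEFORE_LOG), ("after", AFTER_LOG)):
        print(label, remaining_targets(CFSCRIPT, log) or "clean")
```

Paste the full "before" and "after" logs in place of the excerpts to check a real run; an empty result for the "after" log is what you want to see before calling the machine clean.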

Re: HijackThis NT_Kernel error1256

Unread postby Nilz1 » January 31st, 2008, 1:23 pm

Like I said, it is not my PC :)
LimeWire and BearShare are now gone and Java updated.

HijackThis:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 18:20, on 2008-01-31
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Programfiler\Alwil Software\Avast4\aswUpdSv.exe
C:\Programfiler\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\System32\hphmon05.exe
C:\Programfiler\iTunes\iTunesHelper.exe
C:\Programfiler\ANI\ANIWZCS2 Service\WZCSLDR2.exe
C:\Programfiler\HPQ\Quick Launch Buttons\EabServr.exe
C:\Programfiler\D-Link\D-Link Wireless N DWA-140\AirNCFG.exe
C:\Programfiler\HP\HP Software Update\HPWuSchd.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Programfiler\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programfiler\Alwil Software\Avast4\ashMaiSv.exe
C:\Programfiler\Alwil Software\Avast4\ashWebSv.exe
C:\Programfiler\iPod\bin\iPodService.exe
C:\Programfiler\HPQ\SHARED\HPQWMI.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Programfiler\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.adressa.no/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.no/0SENBNO/SAOS01?FORM=TOOLBR
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koblinger
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programfiler\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programfiler\Java\jre1.6.0_04\bin\ssv.dll
O2 - BHO: Påloggingshjelp for Windows Live - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Programfiler\Fellesfiler\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Programfiler\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Programfiler\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [ANIWZCS2Service] C:\Programfiler\ANI\ANIWZCS2 Service\WZCSLDR2.exe
O4 - HKLM\..\Run: [eabconfg.cpl] C:\Programfiler\HPQ\Quick Launch Buttons\EabServr.exe /Start
O4 - HKLM\..\Run: [D-Link D-Link Wireless N DWA-140] C:\Programfiler\D-Link\D-Link Wireless N DWA-140\AirNCFG.exe
O4 - HKLM\..\Run: [Cpqset] C:\Programfiler\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Programfiler\HP\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Programfiler\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Programfiler\Java\jre1.6.0_04\bin\jusched.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOKAL TJENESTE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETTVERKSTJENESTE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Microsoft Office.lnk = C:\Programfiler\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programfiler\Java\jre1.6.0_04\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programfiler\Java\jre1.6.0_04\bin\ssv.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programfiler\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programfiler\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/ms ... b31267.cab
O16 - DPF: {112857FE-03FF-11D5-9A3F-0080C8D85044} (GameDesire Solitaires) - http://67.15.101.33/g_bin/eng/solitaire_2_0_0_28.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Me ... b31267.cab
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary/ms ... b56986.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/Mi ... b31267.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.com//PhotoUpload/MsnPUpld.cab
O16 - DPF: {5C051655-FCD5-4969-9182-770EA5AA5565} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/So ... b56986.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resourc ... oscan8.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Me ... b31267.cab
O16 - DPF: {9122D757-5A4F-4768-82C5-B4171D8556A7} (PhotoPickConvert Class) - http://appdirectory.messenger.msn.com/A ... tPkMSN.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Me ... b56907.cab
O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/Mi ... b56986.cab
O23 - Service: ANIWZCSd Service (ANIWZCSdService) - Wireless Service - C:\Programfiler\ANI\ANIWZCS2 Service\ANIWZCSdS.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Programfiler\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Programfiler\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Programfiler\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Programfiler\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: HP WMI Interface (hpqwmi) - Hewlett Packard Company - C:\Programfiler\HPQ\SHARED\HPQWMI.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programfiler\Fellesfiler\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Programfiler\iPod\bin\iPodService.exe

--
End of file - 8043 bytes

ComboFix:

ComboFix 08-01-31.4 - Wenche 2008-01-31 18:12:05.2 - NTFSx86
Running from: C:\Documents and Settings\Wenche\Skrivebord\ComboFix.exe
Command switches used :: C:\Documents and Settings\Wenche\Skrivebord\CFScript.txt
* Created a new restore point

FILE
C:\tmp.bat
C:\WINDOWS\RBossing05.exe
C:\WINDOWS\system32\actskn45.ocx
C:\WINDOWS\system32\NTSpool.exe
C:\WINDOWS\system32\sysregi.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\tmp.bat
C:\WINDOWS\RBossing05.exe
C:\WINDOWS\system32\actskn45.ocx
C:\WINDOWS\system32\sysregi.exe

.
((((((((((((((((((((((((( Files Created from 2007-12-28 to 2008-01-31 )))))))))))))))))))))))))))))))
.

2008-01-31 18:06 . 2007-12-14 01:59 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-01-31 18:03 . 2008-01-31 18:03 <DIR> d-------- C:\Programfiler\Fellesfiler\Java
2008-01-31 17:45 . 2008-01-31 17:45 382,352 --a------ C:\Documents and Settings\Wenche\jdk-6u4-windows-i586-p-iftw.exe
2008-01-31 17:43 . 2008-01-31 17:47 <DIR> d-------- C:\Documents and Settings\Wenche\.SunDownloadManager
2008-01-31 17:14 . 2004-08-03 23:00 260,272 --a------ C:\cmldr
2008-01-31 17:14 . 2004-11-25 15:31 211 --a------ C:\Boot.bak
2008-01-31 12:28 . 2007-12-06 18:12 110,592 --a------ C:\WINDOWS\system32\SynTPCo4.dll
2008-01-31 09:57 . 2007-10-11 00:53 6,065,664 --------- C:\WINDOWS\system32\dllcache\ieframe.dll
2008-01-31 09:57 . 2007-07-01 04:31 2,455,488 --------- C:\WINDOWS\system32\dllcache\ieapfltr.dat
2008-01-31 09:57 . 2007-07-01 04:36 1,007,616 --------- C:\WINDOWS\system32\dllcache\ieframe.dll.mui
2008-01-31 09:57 . 2007-10-11 00:53 459,264 --------- C:\WINDOWS\system32\dllcache\msfeeds.dll
2008-01-31 09:57 . 2007-10-11 00:53 383,488 --------- C:\WINDOWS\system32\dllcache\ieapfltr.dll
2008-01-31 09:57 . 2007-10-11 00:53 267,776 --------- C:\WINDOWS\system32\dllcache\iertutil.dll
2008-01-31 09:57 . 2007-10-11 00:53 63,488 --------- C:\WINDOWS\system32\dllcache\icardie.dll
2008-01-31 09:57 . 2007-10-11 00:53 52,224 --------- C:\WINDOWS\system32\dllcache\msfeedsbs.dll
2008-01-31 09:57 . 2007-10-10 11:59 13,824 --------- C:\WINDOWS\system32\dllcache\ieudinit.exe
2008-01-31 09:55 . 2008-01-31 09:58 <DIR> d-------- C:\WINDOWS\system32\nb-no
2008-01-31 09:52 . 2008-01-31 09:56 1,374 --a------ C:\WINDOWS\imsins.BAK
2008-01-31 09:38 . 2008-01-31 09:38 <DIR> d-------- C:\Programfiler\Trend Micro
2008-01-30 22:15 . 2008-01-31 10:41 <DIR> d-------- C:\WINDOWS\BDOSCAN8
2008-01-30 22:11 . 2008-01-30 22:11 <DIR> d---s---- C:\Documents and Settings\Administrator\UserData
2008-01-30 20:50 . 2008-01-30 20:50 <DIR> d-------- C:\Documents and Settings\Administrator\Programdata\TuneUp Software
2008-01-30 19:34 . 2007-12-04 13:54 95,608 --a------ C:\WINDOWS\system32\AvastSS.scr
2008-01-30 19:34 . 2007-12-04 15:51 42,912 --a------ C:\WINDOWS\system32\drivers\aswTdi.sys
2008-01-30 19:34 . 2007-12-04 15:49 26,624 --a------ C:\WINDOWS\system32\drivers\aavmker4.sys
2008-01-30 19:34 . 2007-12-04 15:53 23,152 --a------ C:\WINDOWS\system32\drivers\aswRdr.sys
2008-01-30 19:33 . 2008-01-30 19:33 <DIR> d-------- C:\Programfiler\Alwil Software
2008-01-30 19:33 . 2007-12-04 14:04 837,496 --a------ C:\WINDOWS\system32\aswBoot.exe
2008-01-30 19:33 . 2004-01-09 10:13 380,928 --a------ C:\WINDOWS\system32\actskin4.ocx
2008-01-30 19:33 . 2007-12-04 15:55 94,544 --a------ C:\WINDOWS\system32\drivers\aswmon2.sys
2008-01-30 19:33 . 2007-12-04 15:56 93,264 --a------ C:\WINDOWS\system32\drivers\aswmon.sys
2008-01-30 19:28 . 2003-05-04 06:15 <DIR> dr------- C:\Documents and Settings\Administrator\Start-meny
2008-01-30 19:28 . 2003-05-04 06:15 <DIR> d--h----- C:\Documents and Settings\Administrator\Skrivere
2008-01-30 19:28 . 2008-01-31 08:42 <DIR> d-------- C:\Documents and Settings\Administrator\Skrivebord
2008-01-30 19:28 . 2008-01-30 20:34 <DIR> dr-h----- C:\Documents and Settings\Administrator\Siste
2008-01-30 19:28 . 2003-05-03 23:26 <DIR> d-------- C:\Documents and Settings\Administrator\Programdata\Symantec
2008-01-30 19:28 . 2003-05-03 22:51 <DIR> d-------- C:\Documents and Settings\Administrator\Programdata\Sonic
2008-01-30 19:28 . 2003-05-03 23:35 <DIR> d-------- C:\Documents and Settings\Administrator\Programdata\Share-to-Web-opplastingsmappe
2008-01-30 19:28 . 2008-01-30 22:09 <DIR> dr-h----- C:\Documents and Settings\Administrator\Programdata
2008-01-30 19:28 . 2008-01-31 08:37 <DIR> dr------- C:\Documents and Settings\Administrator\Mine dokumenter
2008-01-30 19:28 . 2003-05-04 06:15 <DIR> d--h----- C:\Documents and Settings\Administrator\Maler
2008-01-30 19:28 . 2008-01-31 09:30 <DIR> d--h----- C:\Documents and Settings\Administrator\Lokale innstillinger
2008-01-30 19:28 . 2003-05-04 06:15 <DIR> dr------- C:\Documents and Settings\Administrator\Favoritter
2008-01-30 19:28 . 2003-05-04 06:15 <DIR> d--h----- C:\Documents and Settings\Administrator\AndrMask
2008-01-30 18:39 . 2008-01-31 18:09 <DIR> dr-h----- C:\Documents and Settings\Wenche\Siste
2008-01-30 17:27 . 2008-01-30 17:27 <DIR> d-------- C:\Programfiler\CCleaner
2008-01-29 22:48 . 2008-01-29 22:48 <DIR> d-------- C:\Documents and Settings\Wenche\Programdata\TuneUp Software
2008-01-29 22:47 . 2008-01-29 22:47 <DIR> d-------- C:\Documents and Settings\All Users\Programdata\TuneUp Software
2008-01-29 22:47 . 2007-05-16 09:41 29,704 --a------ C:\WINDOWS\system32\uxtuneup.dll
2008-01-29 22:46 . 2008-01-29 22:48 <DIR> d-------- C:\Programfiler\TuneUp Utilities 2007
2008-01-29 22:45 . 2008-01-29 22:45 <DIR> d-------- C:\Programfiler\Fellesfiler\Wise Installation Wizard
2008-01-28 18:34 . 2008-01-29 21:37 <DIR> d-------- C:\Documents and Settings\Maikenpii\Programdata\LimeWire
2008-01-28 18:04 . 2008-01-28 18:04 <DIR> d-------- C:\Documents and Settings\Maikenpii\Programdata\DivX
2008-01-28 16:48 . 2008-01-28 16:49 <DIR> d-------- C:\Documents and Settings\Maikenpii\Contacts
2008-01-28 16:48 . 2008-01-28 16:48 268 --ah----- C:\sqmdata00.sqm
2008-01-28 16:48 . 2008-01-28 16:48 244 --ah----- C:\sqmnoopt07.sqm
2008-01-28 16:46 . 2008-01-28 16:46 <DIR> d-------- C:\Documents and Settings\Maikenpii\Programdata\Creative
2008-01-28 16:44 . 2003-05-04 06:15 <DIR> dr------- C:\Documents and Settings\Maikenpii\Start-meny
2008-01-28 16:44 . 2003-05-04 06:15 <DIR> d--h----- C:\Documents and Settings\Maikenpii\Skrivere
2008-01-28 16:44 . 2008-01-28 19:23 <DIR> d-------- C:\Documents and Settings\Maikenpii\Skrivebord
2008-01-28 16:44 . 2008-01-29 21:37 <DIR> dr-h----- C:\Documents and Settings\Maikenpii\Siste
2008-01-28 16:44 . 2003-05-03 23:26 <DIR> d-------- C:\Documents and Settings\Maikenpii\Programdata\Symantec
2008-01-28 16:44 . 2003-05-03 22:51 <DIR> d-------- C:\Documents and Settings\Maikenpii\Programdata\Sonic
2008-01-28 16:44 . 2003-05-03 23:35 <DIR> d-------- C:\Documents and Settings\Maikenpii\Programdata\Share-to-Web-opplastingsmappe
2008-01-28 16:44 . 2008-01-28 18:34 <DIR> dr-h----- C:\Documents and Settings\Maikenpii\Programdata
2008-01-28 16:44 . 2008-01-31 08:37 <DIR> dr------- C:\Documents and Settings\Maikenpii\Mine dokumenter
2008-01-28 16:44 . 2003-05-04 06:15 <DIR> d--h----- C:\Documents and Settings\Maikenpii\Maler
2008-01-28 16:44 . 2003-05-04 06:15 <DIR> d--h----- C:\Documents and Settings\Maikenpii\Lokale innstillinger
2008-01-28 16:44 . 2008-01-28 16:45 <DIR> dr------- C:\Documents and Settings\Maikenpii\Favoritter
2008-01-28 16:44 . 2003-05-04 06:15 <DIR> d--h----- C:\Documents and Settings\Maikenpii\AndrMask
2008-01-28 16:27 . 2008-01-28 16:27 <DIR> d-------- C:\Documents and Settings\Wenche\Programdata\HP
2008-01-28 16:27 . 2008-01-28 16:27 <DIR> d-------- C:\Documents and Settings\Wenche\Programdata\Common Files
2008-01-14 22:26 . 2008-01-28 01:18 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-01-14 22:26 . 2008-01-14 22:26 1,409 --a------ C:\WINDOWS\QTFont.for
2008-01-09 15:01 . 2008-01-09 15:01 53,248 --a------ C:\WINDOWS\bdoscandel.exe
2008-01-09 15:01 . 2008-01-09 15:01 453 --a------ C:\WINDOWS\bdoscandellang.ini
2008-01-07 23:03 . 2008-01-07 23:03 <DIR> d-------- C:\Programfiler\BearShare Applications
2007-12-28 21:58 . 2008-01-15 18:48 <DIR> d-------- C:\Programfiler\StepMania
2007-12-28 20:52 . 2008-01-31 18:01 7 --a------ C:\WINDOWS\system32\ANIWZCSUSERNAME
2007-12-28 20:46 . 2007-12-28 20:46 3,284 --a------ C:\WINDOWS\system32\ANIWZCS{E122442F-4D48-49BD-9E2A-C34F1604040C}
2007-12-28 20:44 . 2008-01-29 17:45 7 --a------ C:\WINDOWS\system32\ANIWZCSUSERNAME{E122442F-4D48-49BD-9E2A-C34F1604040C}
2007-12-28 20:43 . 2007-12-28 20:43 <DIR> d-------- C:\Programfiler\ANI
2007-12-28 20:42 . 2007-12-28 20:42 <DIR> d-------- C:\Programfiler\D-Link
2007-12-28 20:42 . 2007-03-13 12:35 476,416 --a------ C:\WINDOWS\system32\drivers\rt2870.sys
2007-12-28 20:40 . 2007-12-28 20:40 <DIR> d-------- C:\Documents and Settings\Wenche\Programdata\InstallShield
2007-12-19 20:42 . 2007-12-19 20:42 <DIR> d-------- C:\f1741e191bcbe7fe20d5
2007-12-03 18:54 . 2007-12-03 18:54 <DIR> d-------- C:\Documents and Settings\Wenche\Programdata\GanymedeNet
2007-12-03 18:54 . 2007-12-03 18:54 4 --a------ C:\WINDOWS\system32\proc-1963933865.bin

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-31 17:06 --------- d-----w C:\Programfiler\Java
2008-01-30 20:04 --------- d-----w C:\Programfiler\F-secure
2008-01-30 20:02 --------- d-----w C:\Programfiler\Yahoo!
2008-01-27 20:40 --------- d-----w C:\Documents and Settings\Wenche\Programdata\LimeWire
2007-12-28 19:43 --------- d--h--w C:\Programfiler\InstallShield Installation Information
2007-12-06 16:41 220,032 ----a-w C:\WINDOWS\system32\drivers\SynTP.sys
2007-12-06 16:20 147,456 ----a-w C:\WINDOWS\system32\SynTPAPI.dll
2007-12-06 16:09 196,608 ----a-w C:\WINDOWS\system32\SynCtrl.dll
2007-12-06 16:08 163,840 ----a-w C:\WINDOWS\system32\SynCOM.dll
2007-11-29 17:16 --------- d-----w C:\Programfiler\Windows Live
2007-11-29 16:54 --------- dcsh--w C:\Programfiler\Fellesfiler\WindowsLiveInstaller
2007-11-29 16:44 --------- d-----w C:\Documents and Settings\All Users\Programdata\WLInstaller
2007-11-07 09:30 721,920 ----a-w C:\WINDOWS\system32\lsasrv.dll
2007-11-07 09:30 721,920 ------w C:\WINDOWS\system32\dllcache\lsasrv.dll
2007-10-31 04:00 3,590,656 ------w C:\WINDOWS\system32\dllcache\mshtml.dll
2007-10-30 17:20 360,064 ------w C:\WINDOWS\system32\dllcache\tcpip.sys
2007-10-29 22:45 1,290,752 ----a-w C:\WINDOWS\system32\quartz.dll
2007-10-29 22:45 1,290,752 ------w C:\WINDOWS\system32\dllcache\quartz.dll
2007-10-25 16:57 8,460,800 ------w C:\WINDOWS\system32\dllcache\shell32.dll
2007-10-20 05:01 227,328 ----a-w C:\WINDOWS\system32\wmasf.dll
2007-10-20 05:01 227,328 ----a-w C:\WINDOWS\system32\dllcache\wmasf.dll
2007-10-18 10:31 51,224 ----a-w C:\WINDOWS\system32\sirenacm.dll
2007-10-11 06:14 474,112 ------w C:\WINDOWS\system32\dllcache\shlwapi.dll
2007-10-11 06:14 151,552 ------w C:\WINDOWS\system32\dllcache\cdfview.dll
2007-10-11 06:14 1,494,528 ------w C:\WINDOWS\system32\dllcache\shdocvw.dll
2007-10-11 06:14 1,054,720 ------w C:\WINDOWS\system32\dllcache\danim.dll
2007-10-11 06:14 1,023,488 ------w C:\WINDOWS\system32\dllcache\browseui.dll
2007-10-10 23:54 824,832 ----a-w C:\WINDOWS\system32\wininet.dll
2007-10-10 23:54 824,832 ------w C:\WINDOWS\system32\dllcache\wininet.dll
2007-10-10 23:54 232,960 ------w C:\WINDOWS\system32\dllcache\webcheck.dll
2007-10-10 23:53 671,232 ------w C:\WINDOWS\system32\dllcache\mstime.dll
2007-10-10 23:53 478,208 ------w C:\WINDOWS\system32\dllcache\mshtmled.dll
2007-10-10 23:53 44,544 ------w C:\WINDOWS\system32\dllcache\iernonce.dll
2007-10-10 23:53 384,512 ------w C:\WINDOWS\system32\dllcache\iedkcs32.dll
2007-10-10 23:53 27,648 ------w C:\WINDOWS\system32\dllcache\jsproxy.dll
2007-10-10 23:53 230,400 ------w C:\WINDOWS\system32\dllcache\ieaksie.dll
2007-10-10 23:53 214,528 ------w C:\WINDOWS\system32\dllcache\dxtrans.dll
2007-10-10 23:53 193,024 ------w C:\WINDOWS\system32\dllcache\msrating.dll
2007-10-10 23:53 153,088 ------w C:\WINDOWS\system32\dllcache\ieakeng.dll
2007-10-10 23:53 132,608 ------w C:\WINDOWS\system32\dllcache\extmgr.dll
2007-10-10 23:53 124,928 ------w C:\WINDOWS\system32\dllcache\advpack.dll
2007-10-10 23:53 105,984 ------w C:\WINDOWS\system32\dllcache\url.dll
2007-10-10 23:53 102,400 ------w C:\WINDOWS\system32\dllcache\occache.dll
2007-10-10 23:53 1,159,680 ------w C:\WINDOWS\system32\dllcache\urlmon.dll
2007-10-10 11:02 70,656 ------w C:\WINDOWS\system32\dllcache\ie4uinit.exe
2007-10-10 11:02 625,152 ------w C:\WINDOWS\system32\dllcache\iexplore.exe
2007-10-10 05:46 161,792 ------w C:\WINDOWS\system32\dllcache\ieakui.dll
2006-08-29 13:12 30,432 -c--a-w C:\Documents and Settings\Wenche\Programdata\GDIPFONTCACHEV1.DAT
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 09:03 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="C:\WINDOWS\System32\igfxtray.exe" [2003-10-30 09:46 155648]
"HotKeysCmds"="C:\WINDOWS\System32\hkcmd.exe" [2003-10-30 09:33 118784]
"SynTPLpr"="C:\Programfiler\Synaptics\SynTP\SynTPLpr.exe" [2004-05-26 18:15 98304]
"HPHmon05"="C:\WINDOWS\System32\hphmon05.exe" [2003-05-22 18:58 483328]
"iTunesHelper"="C:\Programfiler\iTunes\iTunesHelper.exe" [2005-12-20 19:54 278528]
"ANIWZCS2Service"="C:\Programfiler\ANI\ANIWZCS2 Service\WZCSLDR2.exe" [2007-01-19 11:49 49152]
"eabconfg.cpl"="C:\Programfiler\HPQ\Quick Launch Buttons\EabServr.exe" [2004-04-30 12:50 274432]
"D-Link D-Link Wireless N DWA-140"="C:\Programfiler\D-Link\D-Link Wireless N DWA-140\AirNCFG.exe" [2007-03-14 18:29 1388544]
"Cpqset"="C:\Programfiler\HPQ\Default Settings\cpqset.exe" [2004-04-30 09:32 208958]
"HP Software Update"="C:\Programfiler\HP\HP Software Update\HPWuSchd.exe" [2003-06-25 10:24 49152]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-12-04 14:00 79224]
"SynTPEnh"="C:\Programfiler\Synaptics\SynTP\SynTPEnh.exe" [2007-12-06 17:20 1024000]
"SunJavaUpdateSched"="C:\Programfiler\Java\jre1.6.0_04\bin\jusched.exe" [2007-12-14 03:42 144784]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2004-08-04 09:03 15360]

C:\Documents and Settings\All Users\Start-meny\Programmer\Oppstart\
Microsoft Office.lnk - C:\Programfiler\Microsoft Office\Office10\OSA.EXE [2001-02-13 10:01:04 83360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"TkBellExe"="C:\Programfiler\Fellesfiler\Real\Update_OB\realsched.exe" -osboot

S3 3C154G;3Com OfficeConnect 802.11g PC Card Driver;C:\WINDOWS\system32\DRIVERS\3C154G72.sys []
S3 AIT800AC;BenQ-Siemens CF61;C:\WINDOWS\system32\DRIVERS\AIT800C.sys [2006-03-17 02:22]
S3 rt2870;Ralink 802.11n USB Wireless LAN Card Driver;C:\WINDOWS\system32\DRIVERS\rt2870.sys [2007-03-13 12:35]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp

.
Contents of the 'Scheduled Tasks' folder
"2008-01-29 21:48:13 C:\WINDOWS\Tasks\1-Click Maintenance.job"
- C:\Programfiler\TuneUp Utilities 2007\SystemOptimizer.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-31 18:17:08
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Cpqset = C:\Programfiler\HPQ\Default Settings\cpqset.exe?????????8?1?9?6??????? ???B???????????????B????????

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-01-31 18:19:34
ComboFix-quarantined-files.txt 2008-01-31 17:19:17
ComboFix2.txt 2008-01-31 08:30:46
.
2008-01-31 08:59:07 --- E O F ---

Re: HijackThis NT_Kernel error1256

Unread postby amateur » January 31st, 2008, 1:53 pm

Hi,

Go to Start > Control Panel > Add/Remove Programs and remove Kaspersky Online Scanner if it is present, prior to downloading the most up-to-date one.

Now run this online scan using Internet Explorer:
Kaspersky Online Scanner from http://www.kaspersky.com/kos/eng/partner/default/kavwebscan.html

Next, click on Launch Kaspersky Online Scanner.

You will be prompted to install an ActiveX component from Kaspersky; click Yes.
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on NEXT
  • Now click on Scan Settings
  • In the scan settings make sure that the following are selected:
  • Scan using the following Anti-Virus database:
  • Standard
  • Scan Options:
  • Scan Archives
  • Scan Mail Bases
  • Click OK
  • Now under select a target to scan:
  • Select My Computer
  • The program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
  • Now click on the Save as Text button:
  • Save the file to your desktop in txt format.

Image
Copy and paste that information from Kaspersky in your next post.


*Note
It is recommended to disable your onboard antivirus and antispyware programs while performing scans, to avoid conflicts and to speed up scan time.
Please don't go surfing while your resident protection is disabled!
Once the scan is finished, remember to re-enable resident antivirus protection along with whatever antispyware app you use.


Note for Internet Explorer 7 users: If at any time you have trouble with the accept button of the license, click on the Zoom tool located at the bottom right of the IE window and set the zoom to 75%. Once the license is accepted, reset to 100%.

Or use Firefox with the IE-Tab plugin.



Also, let me know how the system is running now.

Re: HijackThis NT_Kernel error1256

Unread postby Nilz1 » January 31st, 2008, 2:57 pm

Can't get the scan to work; it downloaded all the updates but then it stalls. Done it twice now.

Edit: Gave up after 4 times, any other ways?

Re: HijackThis NT_Kernel error1256

Unread postby amateur » January 31st, 2008, 3:12 pm

OK. We can try another scanner.

Go here to run an online scanner from ESET.
  • Note: You will need to use Internet Explorer for this scan.
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the ActiveX control to install.
  • Click Start
  • Make sure that the option Remove found threats is unticked, and the option Scan unwanted applications is checked
  • Click Scan
  • Wait for the scan to finish
  • Use notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
  • Copy and paste that log as a reply to this topic, along with a new HijackThis log and a description of any remaining problems
amateur
MRU Master
Posts: 2545
Joined: September 25th, 2005, 1:13 pm
Location: RI, USA

Re: HijackThis NT_Kernel error1256

Unread postby Nilz1 » January 31st, 2008, 6:47 pm

Ok, this one worked.
Must say thanks for all the help, this is by far the best help I have ever gotten on any forums out there, you are :king:
Still some trojans not willing to go away.
The computer is still slow, but other than that it works ok.

log file from scan:

# version=4
# OnlineScanner.ocx=1.0.0.56
# OnlineScannerDLLA.dll=1, 0, 0, 51
# OnlineScannerDLLW.dll=1, 0, 0, 51
# OnlineScannerUninstaller.exe=1, 0, 0, 49
# vers_standard_module=2840 (20080131)
# vers_arch_module=1.063 (20080117)
# vers_adv_heur_module=1.060 (20070601)
# EOSSerial=b842adf5636a9843ab5a2e436421817a
# end=finished
# remove_checked=false
# unwanted_checked=true
# utc_time=2008-01-31 08:15:42
# local_time=2008-01-31 09:15:42 (+0100, Vest-Europa (normaltid))
# country="Norway"
# osver=5.1.2600 NT Service Pack 2
# scanned=366485
# found=3
# scan_time=3425
C:\Documents and Settings\Wenche\Skrivebord\Bilde20-2008.JPG-www.nettby.com probably a variant of Win32/Injector.K trojan 6659C02E5C2E9E86521770E268538F2A
C:\QooBox\Quarantine\C\WINDOWS\RBossing05.exe.vir Win32/TrojanDropper.Delf.NGP trojan 44C5CBD4ACA6F126DA29F492FAD26595
C:\QooBox\Quarantine\C\WINDOWS\system32\sysregi.exe.vir Win32/TrojanDropper.Delf.NGP trojan 44C5CBD4ACA6F126DA29F492FAD26595


Log from HijackThis:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 23:45, on 2008-01-31
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Programfiler\Alwil Software\Avast4\aswUpdSv.exe
C:\Programfiler\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\System32\hphmon05.exe
C:\Programfiler\iTunes\iTunesHelper.exe
C:\Programfiler\ANI\ANIWZCS2 Service\WZCSLDR2.exe
C:\Programfiler\HPQ\Quick Launch Buttons\EabServr.exe
C:\Programfiler\D-Link\D-Link Wireless N DWA-140\AirNCFG.exe
C:\Programfiler\HP\HP Software Update\HPWuSchd.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Programfiler\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programfiler\iPod\bin\iPodService.exe
C:\Programfiler\HPQ\SHARED\HPQWMI.exe
C:\WINDOWS\explorer.exe
C:\Programfiler\Fellesfiler\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Programfiler\internet explorer\iexplore.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Programfiler\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.adressa.no/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.no/0SENBNO/SAOS01?FORM=TOOLBR
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koblinger
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programfiler\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programfiler\Java\jre1.6.0_04\bin\ssv.dll
O2 - BHO: Påloggingshjelp for Windows Live - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Programfiler\Fellesfiler\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Programfiler\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Programfiler\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [ANIWZCS2Service] C:\Programfiler\ANI\ANIWZCS2 Service\WZCSLDR2.exe
O4 - HKLM\..\Run: [eabconfg.cpl] C:\Programfiler\HPQ\Quick Launch Buttons\EabServr.exe /Start
O4 - HKLM\..\Run: [D-Link D-Link Wireless N DWA-140] C:\Programfiler\D-Link\D-Link Wireless N DWA-140\AirNCFG.exe
O4 - HKLM\..\Run: [Cpqset] C:\Programfiler\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Programfiler\HP\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Programfiler\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Programfiler\Java\jre1.6.0_04\bin\jusched.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOKAL TJENESTE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETTVERKSTJENESTE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Microsoft Office.lnk = C:\Programfiler\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programfiler\Java\jre1.6.0_04\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programfiler\Java\jre1.6.0_04\bin\ssv.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programfiler\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programfiler\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/ms ... b31267.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partne ... nicode.cab
O16 - DPF: {112857FE-03FF-11D5-9A3F-0080C8D85044} (GameDesire Solitaires) - http://67.15.101.33/g_bin/eng/solitaire_2_0_0_28.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Me ... b31267.cab
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary/ms ... b56986.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/Mi ... b31267.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.com//PhotoUpload/MsnPUpld.cab
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/buxus/docs/OnlineScanner.cab
O16 - DPF: {5C051655-FCD5-4969-9182-770EA5AA5565} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/So ... b56986.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resourc ... oscan8.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Me ... b31267.cab
O16 - DPF: {9122D757-5A4F-4768-82C5-B4171D8556A7} (PhotoPickConvert Class) - http://appdirectory.messenger.msn.com/A ... tPkMSN.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Me ... b56907.cab
O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/Mi ... b56986.cab
O23 - Service: ANIWZCSd Service (ANIWZCSdService) - Wireless Service - C:\Programfiler\ANI\ANIWZCS2 Service\ANIWZCSdS.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Programfiler\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Programfiler\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Programfiler\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Programfiler\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: HP WMI Interface (hpqwmi) - Hewlett Packard Company - C:\Programfiler\HPQ\SHARED\HPQWMI.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Programfiler\Fellesfiler\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Programfiler\iPod\bin\iPodService.exe

--
End of file - 8334 bytes
Nilz1
Active Member
Posts: 9
Joined: January 30th, 2008, 4:29 pm
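The ESET scan steps above tell the user to leave "Remove found threats" unticked and post C:\Program Files\EsetOnlineScanner\log.txt, so the log is a report to triage, not a cleanup record. As an added example (not code from this thread, from ESET or from ComboFix), here is a small Python parser for that log format, fed with the detection lines posted above, that does the sorting the helper does by hand in the next reply: hits under C:\QooBox\Quarantine are copies ComboFix has already quarantined, everything else is a live file. The rule that ComboFix keeps a quarantined file as Quarantine\<drive>\<original path>.vir is inferred from the three lines in the log and is an assumption.

```python
r"""Triage an ESET Online Scanner log: split header metadata from
detection lines and tell live files apart from copies that ComboFix
has already moved into its quarantine folder.

Added example; not code from the thread, from ESET or from ComboFix.
Assumption: ComboFix stores a quarantined file as
C:\QooBox\Quarantine\<drive>\<original path>.vir, inferred from the
three detection lines in the log posted above.
"""
import re
from collections import defaultdict

# Sample input, constructed from the log posted in the thread
# (header trimmed to the fields used below).
SAMPLE_LOG = r"""# version=4
# end=finished
# remove_checked=false
# unwanted_checked=true
# scanned=366485
# found=3
# scan_time=3425
C:\Documents and Settings\Wenche\Skrivebord\Bilde20-2008.JPG-www.nettby.com probably a variant of Win32/Injector.K trojan 6659C02E5C2E9E86521770E268538F2A
C:\QooBox\Quarantine\C\WINDOWS\RBossing05.exe.vir Win32/TrojanDropper.Delf.NGP trojan 44C5CBD4ACA6F126DA29F492FAD26595
C:\QooBox\Quarantine\C\WINDOWS\system32\sysregi.exe.vir Win32/TrojanDropper.Delf.NGP trojan 44C5CBD4ACA6F126DA29F492FAD26595
"""

# A detection line reads "<path> <threat description> <MD5>". Paths may
# contain spaces, so the path is matched lazily and the threat is anchored
# on the "Family/Name category" shape, optionally prefixed by
# "probably a variant of". Real logs use tabs between fields; \s+ accepts
# both tabs and the single spaces the forum rendering left behind.
DETECTION_RE = re.compile(
    r"^(?P<path>.+?)\s+"
    r"(?P<threat>(?:probably a variant of\s+)?\S+/\S+\s+\S+)\s+"
    r"(?P<md5>[0-9A-Fa-f]{32})$"
)

QUARANTINE_PREFIX = "c:\\qoobox\\quarantine\\"


def parse_header(lines):
    """Collect the '# key=value' lines into a dict of strings."""
    header = {}
    for line in lines:
        if line.startswith("#"):
            key, _, value = line[1:].partition("=")
            header[key.strip()] = value.strip()
    return header


def original_path(quarantine_path):
    r"""Map C:\QooBox\Quarantine\C\WINDOWS\x.exe.vir back to C:\WINDOWS\x.exe."""
    rest = quarantine_path[len(QUARANTINE_PREFIX):]
    drive, _, tail = rest.partition("\\")
    if tail.lower().endswith(".vir"):
        tail = tail[:-4]
    return f"{drive}:\\{tail}"


def parse_detections(lines):
    """Turn every non-header line into a detection record."""
    detections = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        match = DETECTION_RE.match(line)
        if match is None:
            raise ValueError(f"unrecognised detection line: {line!r}")
        path = match.group("path")
        quarantined = path.lower().startswith(QUARANTINE_PREFIX)
        detections.append({
            "path": path,
            "threat": match.group("threat"),
            "md5": match.group("md5").upper(),
            "quarantined": quarantined,
            "original_path": original_path(path) if quarantined else path,
        })
    return detections


def triage(log_text):
    """Return header, live and quarantined hits, and hits grouped by MD5."""
    lines = log_text.splitlines()
    header = parse_header(lines)
    detections = parse_detections(lines)
    # The header's own count is a cheap check that nothing was truncated.
    if "found" in header and int(header["found"]) != len(detections):
        raise ValueError("header 'found' count does not match detection lines")
    by_md5 = defaultdict(list)
    for hit in detections:
        by_md5[hit["md5"]].append(hit["original_path"])
    return {
        "header": header,
        "live": [d for d in detections if not d["quarantined"]],
        "quarantined": [d for d in detections if d["quarantined"]],
        "by_md5": dict(by_md5),
        # remove_checked mirrors the "Remove found threats" box the helper
        # asked to leave unticked, so hits were only reported, not deleted.
        "removed_by_scanner": header.get("remove_checked") == "true",
    }


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    for hit in result["live"]:
        print("LIVE      ", hit["path"], "|", hit["threat"])
    for hit in result["quarantined"]:
        print("QUARANTINE", hit["original_path"], "|", hit["threat"])
```

Grouping by MD5 is what shows the two quarantined entries to be one and the same dropper under two original names, which is why a single uninstall of ComboFix disposes of both; the one live hit is the file on the user's desktop.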

Re: HijackThis NT_Kernel error1256

Unread postby amateur » January 31st, 2008, 7:28 pm

Hi,

Must say thanks for all the help, this is by far the best help I have ever gotten on any forums out there, you are :king:
Still some trojans not willing to go away.


You're welcome. Please delete the following image from the desktop (I assume Skrivebord means desktop) of user Wenche.

C:\Documents and Settings\Wenche\Skrivebord\Bilde20-2008.JPG-www.nettby.com

The other reported items are in the Quarantine folder of Combofix, which will be removed when we uninstall Combofix shortly. If all is well, you can go ahead with the following final steps:

  • Click Start then Run
  • Now type Combofix /u in the runbox and click OK. Notice the space between the Combofix and the /


    This will uninstall ComboFix. It will also implement some cleanup procedures and reset System Restore to prevent reinfection from old restore points.


Here are some steps to make your surfing more secure in future:

Make your Internet Explorer more secure - This can be done by following these simple instructions:

  • From within Internet Explorer click on the Tools menu and then click on Options.
  • Click once on the Security tab
  • Click once on the Internet icon so it becomes highlighted.
  • Click once on the Custom Level button.
  • Change the Download signed ActiveX controls to Prompt
  • Change the Download unsigned ActiveX controls to Disable
  • Change the Initialise and script ActiveX controls not marked as safe to Disable
  • Change the Installation of desktop items to Prompt
  • Change the Launching programs and files in an IFRAME to Prompt
  • Change the Navigate sub-frames across different domains to Prompt
  • When all these settings have been made, click on the OK button.
  • If it prompts you as to whether or not you want to save the settings, press the Yes button.
  • Next press the Apply button and then the OK to exit the Internet Properties page.

Avoid illegal sites, because that's where most malware is present.

* Don't click on links inside popups.
* Don't click on links in spam messages claiming to offer anti-spyware software, because most of these so-called removers ARE spyware.
* Download free software only from sites you know and trust, because a lot of free software can bundle other software, including spyware.

Keep your antivirus-program up-to-date and do regular scans with it. Please make sure that you have only one active antivirus program on your system.

IMPORTANT: You need to update Windows and Internet Explorer to protect your computer from the malware that is around on the Internet. Please go to the Windows Update site http://windowsupdate.microsoft.com/ to get the critical updates.

If you are running Microsoft Office, or any portion thereof, go to Microsoft's Office Update site
http://office.microsoft.com/officeupdat ... x?lc=en-us and make sure you have at least all the critical updates installed (free): Microsoft Office Update.

Keep your pestware-scanners up-to-date and do regular scans with them.

The following free realtime pestscanners prevent a number of malware-variants from entering your computer, in the first place:

SpywareBlaster A tutorial on installing & using this product can be found here
SpywareGuard here

If you haven't got one already, install a firewall and keep it up-to-date. Please make sure that you have only one active firewall on your system.

A firewall will prevent unauthorized contact between your computer and the internet. A tutorial on Firewalls and a listing of some available ones can be found here and here.

Test your firewall here to make sure that it's working properly

A colleague of ours has excellent information and tips on the prevention of malware here and more on improving speed/system performance after malware removal here.

If you want to fight back the Malware Writers, please take a look here and read what you can do against it.

Please respond to this thread one more time so we can mark this thread as resolved.

Happy Surfing! :)
amateur
MRU Master
Posts: 2545
Joined: September 25th, 2005, 1:13 pm
Location: RI, USA
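The Internet Explorer hardening above is given as clicks through the Custom Level dialog. As an added example (not code from this thread or from Microsoft), the same six settings expressed as the per-user registry values behind that dialog, so a helper can audit a machine for drift from a snapshot, or apply the recommended levels without clicking. The mapping of dialog labels to action IDs (1001, 1004, 1201, 1607, 1800, 1804 under HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3, with 0 = Enable, 1 = Prompt, 3 = Disable) follows Microsoft's documented zone layout; treat it as an assumption to confirm against the dialog on the machine at hand. find_drift runs anywhere from a snapshot dict; the two winreg helpers need Windows. WEAK_SNAPSHOT is a constructed input for a dry run.

```python
r"""Audit or apply the Internet-zone hardening from the thread by way of
the per-user IE zone registry key rather than the Custom Level dialog.

Added example; not code from the thread or from Microsoft. The dialog
label -> action ID mapping and the 0=Enable / 1=Prompt / 3=Disable
encoding follow Microsoft's documented zone layout; confirm it against
the dialog on the machine in question before trusting a report from it.
"""
try:
    import winreg  # Windows-only module; the drift check itself is portable
except ImportError:
    winreg = None

ENABLE, PROMPT, DISABLE = 0, 1, 3
LEVEL_NAMES = {ENABLE: "Enable", PROMPT: "Prompt", DISABLE: "Disable"}
STRICTNESS = {ENABLE: 0, PROMPT: 1, DISABLE: 2}

# Zone 3 is the Internet zone.
INTERNET_ZONE_KEY = r"Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3"

# Dialog label as written in the thread -> (registry value name, wanted level)
RECOMMENDED = {
    "Download signed ActiveX controls": ("1001", PROMPT),
    "Download unsigned ActiveX controls": ("1004", DISABLE),
    "Initialise and script ActiveX controls not marked as safe": ("1201", DISABLE),
    "Installation of desktop items": ("1800", PROMPT),
    "Launching programs and files in an IFRAME": ("1804", PROMPT),
    "Navigate sub-frames across different domains": ("1607", PROMPT),
}


def find_drift(current):
    """Compare a {value_name: level} snapshot with RECOMMENDED.

    Returns (label, current, wanted) for each setting that is looser than
    recommended. A value that is absent is reported as "not set" rather
    than guessed, because the effective default then comes from the zone
    template and cannot be read from this key alone.
    """
    drift = []
    for label, (value_name, wanted) in RECOMMENDED.items():
        have = current.get(value_name)
        if have is None:
            drift.append((label, "not set", LEVEL_NAMES[wanted]))
        elif STRICTNESS.get(have, -1) < STRICTNESS[wanted]:
            drift.append((label, LEVEL_NAMES.get(have, str(have)), LEVEL_NAMES[wanted]))
    return drift


def read_internet_zone():
    """Snapshot the current user's Internet-zone values (Windows only)."""
    if winreg is None:
        raise OSError("winreg is only available on Windows")
    current = {}
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER, INTERNET_ZONE_KEY) as key:
        for value_name, _ in RECOMMENDED.values():
            try:
                current[value_name], _ = winreg.QueryValueEx(key, value_name)
            except FileNotFoundError:
                pass  # reported as "not set" by find_drift
    return current


def apply_recommended():
    """Write the recommended levels for the current user (Windows only)."""
    if winreg is None:
        raise OSError("winreg is only available on Windows")
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER, INTERNET_ZONE_KEY, 0,
                        winreg.KEY_SET_VALUE) as key:
        for value_name, wanted in RECOMMENDED.values():
            winreg.SetValueEx(key, value_name, 0, winreg.REG_DWORD, wanted)


# Constructed snapshot of a loosely configured zone, for a dry run.
WEAK_SNAPSHOT = {"1001": ENABLE, "1004": ENABLE, "1201": PROMPT,
                 "1800": PROMPT, "1804": ENABLE}  # 1607 deliberately missing


if __name__ == "__main__":
    snapshot = read_internet_zone() if winreg else WEAK_SNAPSHOT
    for label, have, want in find_drift(snapshot):
        print(f"{label}: {have} -> should be {want}")
```

Reporting a missing value as "not set" instead of assuming Enable matters for the audit: the key only holds values that differ from the zone template, so silence in the registry is not evidence that the control is disabled.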

Re: HijackThis NT_Kernel error1256

Unread postby Nilz1 » January 31st, 2008, 8:35 pm

Yep, finally it looks like it is free from malware.
As it is not my PC I must say it was really poorly protected. But I have now updated the antivirus program, updated both IE and Firefox (she usually uses Firefox) and installed a firewall. Have also removed all p2p programs.
Luckily it's her birthday on Sunday, so I will install some more RAM and give her a virus/malware free PC with more power for her day :)
Thanks a lot again for all the help.
Nilz1
Active Member
Posts: 9
Joined: January 30th, 2008, 4:29 pm