Bad Image rootbug?

When posting your problem, do not run and post a ComboFix logs. ComboFix is a tool that should only be run under the supervision of someone who has been trained in its use. Using it on your own can cause problems with your computer. Any posts containing CF Logs will be ignored.

To receive help, you should instead provide a detailed description of your problem, detailed word-for-word error messages that you are receiving, screenshots of strange behaviour, and your operating system. This information is much more useful to our helpers than a ComboFix log.

Bad Image rootbug?

Options

MikeWater View Member Profile	Jul 3 2009, 12:47 PM Post #1
Member Group: Members Posts: 21 Joined: 3-July 09 Member No.: 347,783	Hi, I’m afraid that this will have to be my introduction post. As of 7/03/09 (around 1:30 AM EST), whenever I start Firefox I am greeted with this message next to a red circled “X”: “firefox.exe – Bad Image globalroot\systemroot\system32\MSIVXnspwdmaxqwxiypxuqauptbitipujqrtx.dll is either not designed to run on Windows or it contains an error. Try installing the program again using the original installation media or contact your system administrator or the software vendor for support.” Unfortunately I don’t really know how to create screenshots, but what I typed out is exactly what is displayed. I tried looking up this strange file but the closest I’ve seen anyone else have is “something””random characters”.dll So far, whatever is on my computer has slowed it down tremendously, and I get occasional pop-ups that open up in internet explorer even though I am running Firefox. I’ve reinstalled Firefox (which hasn’t changed a thing), and any attempt at doing a system scan on symantic antivirus seems to be forbidden (It says that symantic cannot run a system scan as there is already another scan in process on my computer, when there isn’t). When I open Windows Defender I tried to check for updates (since it had been a long time since I last used it) but I get the following message: “The program can’t check for definition updates” “Error found: Code 0x80244019.” I was able to do a quick scan with Windows Defender but it didn’t find anything. I am running Windows Vista Home Premium. I want to know if there is anything on my computer in danger, if it is safe to backup anything, what this infection is doing and will do to my computer, and of course how to rid my hard drive of it. Any assistance in this urgent matter will be greatly appreciated! --Mike

MikeWater View Member Profile	Jul 3 2009, 02:38 PM Post #2
Member Group: Members Posts: 21 Joined: 3-July 09 Member No.: 347,783	Status Update: I ran RootRepeal and did a scan on drivers, it found the hidden MSIV driver but it couldn't wipe or force delete it. However, I was able to wipe files on the file scan that were MSIV related. I shut down my computer after it froze and now I can open Firefox without the "Bad Image" error. What's more, my computer runs considerably faster. I don't know if I've seen the last of this thing, but it's clearly better now than it was. If there is anything I should still do to make sure it's gone, please let me know. Also, on a possibly unrelated note, I found this unusual process running in my windows task manager: 124365463.tmp Anyone seen this before? Also, is my MSIV problem fixed? --Mike

MikeWater View Member Profile	Jul 3 2009, 06:58 PM Post #3
Member Group: Members Posts: 21 Joined: 3-July 09 Member No.: 347,783	HELP PLEASE! Okay, this "124365463.tmp" process is becoming more of a hazard than I originally thought. It's been taking up CPU usage, and delivering ads/news through my speakers even though no applications are running. Everytime I terminate this process it eventually comes back. Symantic is constantly notifying me of "Downloader.MisleadApp" being cleaned by deletion, over and over. Please if anyone can help me with getting rid of this I will very much appreciate it. I don't want any outside source utilizing or damaging anything on my computer.

boopme View Member Profile	Jul 3 2009, 09:55 PM Post #4
To INSANITY and BEYOND !! Group: Moderator Posts: 25,414 Joined: 10-September 04 From: NJ USA Member No.: 2,608	Hello. Sorry all the repliese to yourself I thought someone was handling this already.. Please run ROOTREPEAL Next Please install RootRepeal Go HERE, and download RootRepeal.zip to your Desktop. Tutorial with images ,if needed >> L@@K. Unzip that,(7-zip tool if needed) and then click RootRepeal.exe to open the scanner. Next click on the Report tab, now click on Scan. A Window will open asking what to include in the scan. Check all of the below and then click OK. Drivers Files Processes SSDT Stealth Objects Hidden Services Now you'll be asked which drive to scan. Check C: and click OK again and the scan will start. Please be patient as the scan runs. When the scan has finished, click on Save Report. Name the log RootRepeal.txt and save it to your Documents folder (it should automatically save it there). Please copy and paste that into your next reply. -------------------- How do I get help? Who is helping me? Staying Updated Calendar of Updates. For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear.... Become a BleepingComputer fan: Facebook

MikeWater View Member Profile	Jul 3 2009, 11:37 PM Post #5
Member Group: Members Posts: 21 Joined: 3-July 09 Member No.: 347,783	ROOTREPEAL © AD, 2007-2009 ================================================== Scan Time: 2009/07/04 00:04 Program Version: Version 1.3.0.0 Windows Version: Windows Vista SP1 ================================================== Drivers ------------------- Name: Image Path: Address: 0x8C84D000 Size: 212992 File Visible: No Signed: - Status: Hidden from Windows API! Name: dump_dumpata.sys Image Path: C:\Windows\System32\Drivers\dump_dumpata.sys Address: 0x8E7CD000 Size: 45056 File Visible: No Signed: - Status: - Name: dump_msahci.sys Image Path: C:\Windows\System32\Drivers\dump_msahci.sys Address: 0x8E7D8000 Size: 40960 File Visible: No Signed: - Status: - Name: rootrepeal.sys Image Path: C:\Windows\system32\drivers\rootrepeal.sys Address: 0x8D2D5000 Size: 49152 File Visible: No Signed: - Status: - Hidden/Locked Files ------------------- Path: C:\hiberfil.sys Status: Locked to the Windows API! Path: C:\System Volume Information\{3808876b-c176-4e48-b7ae-04046e6cc752} Status: Locked to the Windows API! Path: C:\System Volume Information\{3b444e03-683c-11de-9d16-001636b94659}{3808876b-c176-4e48-b7ae-04046e6cc752} Status: Locked to the Windows API! Path: C:\System Volume Information\{4929ad06-6803-11de-8108-001636b94659}{3808876b-c176-4e48-b7ae-04046e6cc752} Status: Locked to the Windows API! Path: C:\System Volume Information\{c91e0ef3-666d-11de-821b-001636b94659}{3808876b-c176-4e48-b7ae-04046e6cc752} Status: Locked to the Windows API! Path: C:\System Volume Information\{ce2323df-681b-11de-b1f8-001636b94659}{3808876b-c176-4e48-b7ae-04046e6cc752} Status: Locked to the Windows API! Path: c:\windows\system32\wbem\wpcuninst.mof Status: Allocation size mismatch (API: 4096, Raw: 472) Path: C:\Windows\winsxs\Catalogs\x86_policy.4.20.microsoft.msxml2_6bd6b9abf345378f_4.20.9849.0_none_a6e7a8e2 0e9863b4.cat Status: Locked to the Windows API! Path: C:\Windows\winsxs\Catalogs\x86_policy.8.0.microsoft.vc80.atl_1fc8b3b9a1e18e3b_8.0.50727.91_none_58b1a5 ca663317c4.cat Status: Locked to the Windows API! Path: C:\Windows\winsxs\Catalogs\x86_policy.8.0.microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.762_none_9193a 620671dde41.cat Status: Locked to the Windows API! Path: C:\Windows\winsxs\Catalogs\x86_microsoft.vc80.mfc_1fc8b3b9a1e18e3b_8.0.50727.762_none_0c178a139ee2a7ed .cat Status: Locked to the Windows API! Path: C:\Windows\winsxs\Catalogs\x86_policy.4.20.microsoft.msxml2_6bd6b9abf345378f_4.20.9848.0_none_a6e6a898 0e994a5d.cat Status: Locked to the Windows API! Path: C:\Windows\winsxs\Catalogs\x86_microsoft.vc80.atl_1fc8b3b9a1e18e3b_8.0.50727.762_none_11ecb0ab9b2caf3c .cat Status: Locked to the Windows API! Path: C:\Windows\winsxs\Catalogs\x86_policy.8.0.microsoft.vc80.debugcrt_1fc8b3b9a1e18e3b_8.0.50727.42_none_3 825408a574a21cb.cat Status: Locked to the Windows API! Path: C:\Windows\winsxs\Catalogs\x86_policy.4.20.microsoft.msxml2_6bd6b9abf345378f_4.20.9870.0_none_a6dea5dc 0ea08098.cat Status: Locked to the Windows API! Path: C:\Windows\winsxs\Catalogs\x86_microsoft.vc80.debugcrt_1fc8b3b9a1e18e3b_8.0.50727.42_none_ef74ff32550b 5bf0.cat Status: Locked to the Windows API! Path: C:\Windows\winsxs\Catalogs\x86_microsoft.windows.networking.dxmrtp_6595b64144ccf1df_5.2.1002.3_none_3b 4992a44ea4e480.cat Status: Locked to the Windows API! Path: C:\Windows\winsxs\Catalogs\x86_microsoft.msxml2_6bd6b9abf345378f_4.1.0.0_none_6c030d6fdc86522c.cat Status: Locked to the Windows API! Path: C:\Windows\winsxs\Catalogs\x86_microsoft.msxml2_6bd6b9abf345378f_4.20.9848.0_none_b7e811287b298060.cat Status: Locked to the Windows API! Path: C:\Windows\winsxs\Catalogs\x86_microsoft.msxml2_6bd6b9abf345378f_4.20.9841.0_none_b7e10f227b2fceff.cat Status: Locked to the Windows API! Path: C:\Windows\winsxs\Catalogs\x86_policy.4.20.microsoft.msxml2_6bd6b9abf345378f_4.20.9841.0_none_a6dfa692 0e9f98fc.cat Status: Locked to the Windows API! Path: C:\Windows\winsxs\Catalogs\x86_policy.8.0.microsoft.vc80.debugmfc_1fc8b3b9a1e18e3b_8.0.50727.42_none_3 389d53e5a2d10c0.cat Status: Locked to the Windows API! Path: C:\Windows\winsxs\Catalogs\x86_policy.8.0.microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.42_none_5c4003 bc63e949f6.cat Status: Locked to the Windows API! Path: C:\Windows\winsxs\Catalogs\x86_microsoft.vc80.mfcloc_1fc8b3b9a1e18e3b_8.0.50727.762_none_43efccf17831d 131.cat Status: Locked to the Windows API! Path: C:\Windows\winsxs\Catalogs\x86_microsoft.msxml2r_6bd6b9abf345378f_4.1.0.0_none_3658456fda6654f6.cat Status: Locked to the Windows API! Path: C:\Windows\winsxs\Catalogs\x86_microsoft.vc80.debugmfc_1fc8b3b9a1e18e3b_8.0.50727.42_none_f455012451df 8b23.cat Status: Locked to the Windows API! Path: C:\Windows\winsxs\Catalogs\x86_policy.8.0.microsoft.vc80.atl_1fc8b3b9a1e18e3b_8.0.50727.42_none_58b19c 2866332652.cat Status: Locked to the Windows API! Path: C:\Windows\winsxs\Catalogs\x86_policy.8.0.microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.91_none_5c400d 5e63e93b68.cat Status: Locked to the Windows API! Path: C:\Windows\winsxs\Catalogs\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.91_none_db5f5c9d98cb161f. cat Status: Locked to the Windows API! Path: C:\Windows\winsxs\Catalogs\x86_microsoft.vc80.atl_1fc8b3b9a1e18e3b_8.0.50727.91_none_dc9917e997f80c63. cat Status: Locked to the Windows API! Path: C:\Windows\winsxs\Catalogs\x86_microsoft.vc80.mfc_1fc8b3b9a1e18e3b_8.0.50727.42_none_d6c3e7af9bae13a2. cat Status: Locked to the Windows API! Path: C:\Windows\winsxs\Catalogs\x86_policy.8.0.microsoft.vc80.openmp_1fc8b3b9a1e18e3b_8.0.50727.42_none_765 8964504b9f3b6.cat Status: Locked to the Windows API! Path: C:\Windows\winsxs\Catalogs\x86_policy.8.0.microsoft.vc80.atl_1fc8b3b9a1e18e3b_8.0.50727.762_none_8e053 e8c6967ba9d.cat Status: Locked to the Windows API! Path: C:\Windows\winsxs\Catalogs\x86_microsoft.msxml2_6bd6b9abf345378f_4.20.9849.0_none_b7e911727b2899b7.cat Status: Locked to the Windows API! Path: C:\Windows\winsxs\Catalogs\x86_microsoft.vc80.openmp_1fc8b3b9a1e18e3b_8.0.50727.762_none_7b33aa7d21850 4d2.cat Status: Locked to the Windows API! Path: C:\Windows\winsxs\Catalogs\x86_microsoft.vc80.mfc_1fc8b3b9a1e18e3b_8.0.50727.91_none_d6c3f1519bae0514. cat Status: Locked to the Windows API! Path: C:\Windows\winsxs\Catalogs\x86_microsoft.msxml2_6bd6b9abf345378f_4.20.9870.0_none_b7e00e6c7b30b69b.cat Status: Locked to the Windows API! Path: C:\Windows\winsxs\Catalogs\x86_microsoft.vc80.mfcloc_1fc8b3b9a1e18e3b_8.0.50727.91_none_0e9c342f74fd2e 58.cat Status: Locked to the Windows API! Path: C:\Windows\winsxs\Catalogs\x86_microsoft.windows.networking.rtcdll_6595b64144ccf1df_5.2.1002.3_none_af 1aecad9109b29e.cat Status: Locked to the Windows API! Path: C:\Windows\winsxs\Catalogs\x86_policy.8.0.microsoft.vc80.mfcloc_1fc8b3b9a1e18e3b_8.0.50727.762_none_8d d7dea5d5a7a18a.cat Status: Locked to the Windows API! Path: C:\Windows\winsxs\Catalogs\x86_policy.8.0.microsoft.vc80.mfc_1fc8b3b9a1e18e3b_8.0.50727.42_none_54c11d f268b7c6d9.cat Status: Locked to the Windows API! Path: C:\Windows\winsxs\Catalogs\x86_policy.8.0.microsoft.vc80.mfcloc_1fc8b3b9a1e18e3b_8.0.50727.91_none_588 445e3d272feb1.cat Status: Locked to the Windows API! Path: C:\Windows\winsxs\Catalogs\x86_policy.8.0.microsoft.vc80.openmp_1fc8b3b9a1e18e3b_8.0.50727.762_none_ab ac38a907ee8801.cat Status: Locked to the Windows API! Path: C:\Windows\winsxs\Catalogs\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.762_none_10b2f55f9bffb8f8 .cat Status: Locked to the Windows API! Path: C:\Windows\winsxs\Catalogs\x86_microsoft.vc80.atl_1fc8b3b9a1e18e3b_8.0.50727.42_none_dc990e4797f81af1. cat Status: Locked to the Windows API! Path: C:\Windows\winsxs\Catalogs\x86_policy.8.0.microsoft.vc80.mfc_1fc8b3b9a1e18e3b_8.0.50727.91_none_54c127 9468b7b84b.cat Status: Locked to the Windows API! Path: C:\Windows\winsxs\Catalogs\x86_policy.4.1.microsoft.msxml2r_6bd6b9abf345378f_4.1.1.0_none_8b7b15c031cd a6db.cat Status: Locked to the Windows API! Path: C:\Windows\winsxs\Catalogs\x86_microsoft.vc80.mfcloc_1fc8b3b9a1e18e3b_8.0.50727.42_none_0e9c2a8d74fd3c e6.cat Status: Locked to the Windows API! Path: C:\Windows\winsxs\Catalogs\x86_microsoft.vc80.openmp_1fc8b3b9a1e18e3b_8.0.50727.42_none_45e008191e5070 87.cat Status: Locked to the Windows API! Path: C:\Windows\winsxs\Catalogs\x86_policy.9.0.microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.21022.8_none_60a5df5 6e60dc5df.cat Status: Locked to the Windows API! Path: C:\Windows\winsxs\Catalogs\x86_microsoft.msxml2_6bd6b9abf345378f_4.20.9818.0_none_b7e811947b297f6d.cat Status: Locked to the Windows API! Path: C:\Windows\winsxs\Catalogs\x86_policy.8.0.microsoft.vc80.mfc_1fc8b3b9a1e18e3b_8.0.50727.762_none_8a14c 0566bec5b24.cat Status: Locked to the Windows API! Path: C:\Windows\winsxs\Catalogs\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.42_none_db5f52fb98cb24ad. cat Status: Locked to the Windows API! Path: C:\Windows\winsxs\Catalogs\x86_microsoft.windows.networking.rtcres_6595b64144ccf1df_5.2.1002.3_none_b5 a302ab8cccdfca.cat Status: Locked to the Windows API! Path: C:\Windows\winsxs\Catalogs\x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.21022.8_none_bcb86ed6ac711f91.c at Status: Locked to the Windows API! Path: C:\Windows\winsxs\Catalogs\x86_microsoft.msxml2r_6bd6b9abf345378f_4.1.1.0_none_365945b9da656e4d.cat Status: Locked to the Windows API! Path: C:\Windows\winsxs\Catalogs\x86_policy.8.0.microsoft.vc80.mfcloc_1fc8b3b9a1e18e3b_8.0.50727.42_none_588 43c41d2730d3f.cat Status: Locked to the Windows API! Path: C:\Windows\winsxs\x86_microsoft-windows-b..nment-pxe.resources_31bf3856ad364e35_6.0.6000.16386_sv-se_9bfb2a309351ac4c\BOOTMG~1.MUI Status: Locked to the Windows API! Path: C:\Windows\winsxs\x86_microsoft-windows-b..ager-pcat.resources_31bf3856ad364e35_6.0.6000.16386_ja-jp_4c1b4ff6e64be921\BOOTMG~1.MUI Status: Locked to the Windows API! Path: C:\Windows\winsxs\x86_microsoft-windows-b..ager-pcat.resources_31bf3856ad364e35_6.0.6000.16386_ko-kr_ef852cabd8bcb037\BOOTMG~1.MUI Status: Locked to the Windows API! Path: C:\Windows\winsxs\x86_microsoft-windows-b..ager-pcat.resources_31bf3856ad364e35_6.0.6000.16386_nb-no_d817ade0b0e1dbf3\BOOTMG~1.MUI Status: Locked to the Windows API! Path: C:\Windows\winsxs\x86_microsoft-windows-b..ager-pcat.resources_31bf3856ad364e35_6.0.6000.16386_nl-nl_d656f91eb20de5c8\BOOTMG~1.MUI Status: Locked to the Windows API! Path: C:\Windows\winsxs\x86_microsoft-windows-b..ager-pcat.resources_31bf3856ad364e35_6.0.6000.16386_pl-pl_1c9353a09730537c\BOOTMG~1.MUI Status: Locked to the Windows API! Path: C:\Windows\winsxs\x86_microsoft-windows-b..ager-pcat.resources_31bf3856ad364e35_6.0.6000.16386_pt-br_1ee73e4495b9e760\BOOTMG~1.MUI Status: Locked to the Windows API! Path: C:\Windows\winsxs\x86_microsoft-windows-b..ager-pcat.resources_31bf3856ad364e35_6.0.6000.16386_ru-ru_666c1f747a0ae568\BOOTMG~1.MUI Status: Locked to the Windows API! Path: C:\Windows\winsxs\x86_microsoft-windows-b..ager-pcat.resources_31bf3856ad364e35_6.0.6000.16386_sv-se_026709e97133efc3\BOOTMG~1.MUI Status: Locked to the Windows API! Path: C:\Windows\winsxs\x86_microsoft-windows-b..ager-pcat.resources_31bf3856ad364e35_6.0.6000.16386_tr-tr_ab7454305feff1b4\BOOTMG~1.MUI Status: Locked to the Windows API! Path: C:\Windows\winsxs\x86_microsoft-windows-b..ager-pcat.resources_31bf3856ad364e35_6.0.6000.16386_zh-cn_7cd1722e1027c3d3\BOOTMG~1.MUI Status: Locked to the Windows API! Path: C:\Windows\winsxs\x86_microsoft-windows-b..ager-pcat.resources_31bf3856ad364e35_6.0.6000.16386_zh-hk_7b7c6abc11033663\BOOTMG~1.MUI Status: Locked to the Windows API! Path: C:\Windows\winsxs\x86_microsoft-windows-b..ager-pcat.resources_31bf3856ad364e35_6.0.6000.16386_zh-tw_80cdaf840d98a043\BOOTMG~1.MUI Status: Locked to the Windows API! Path: C:\Windows\winsxs\x86_microsoft-windows-b..ager-pcat.resources_31bf3856ad364e35_6.0.6000.16386_pt-pt_1fc90db09529573c\BOOTMG~1.MUI Status: Locked to the Windows API! Path: C:\Windows\winsxs\x86_microsoft-windows-b..nment-pxe.resources_31bf3856ad364e35_6.0.6000.16386_ko-kr_89194cf2fada6cc0\BOOTMG~1.MUI Status: Locked to the Windows API! Path: C:\Windows\winsxs\x86_microsoft-windows-b..nment-pxe.resources_31bf3856ad364e35_6.0.6000.16386_nb-no_71abce27d2ff987c\BOOTMG~1.MUI Status: Locked to the Windows API! Path: C:\Windows\winsxs\x86_microsoft-windows-b..nment-pxe.resources_31bf3856ad364e35_6.0.6000.16386_nl-nl_6feb1965d42ba251\BOOTMG~1.MUI Status: Locked to the Windows API! Path: C:\Windows\winsxs\x86_microsoft-windows-b..nment-pxe.resources_31bf3856ad364e35_6.0.6000.16386_pl-pl_b62773e7b94e1005\BOOTMG~1.MUI Status: Locked to the Windows API! Path: C:\Windows\winsxs\x86_microsoft-windows-b..nment-pxe.resources_31bf3856ad364e35_6.0.6000.16386_pt-br_b87b5e8bb7d7a3e9\BOOTMG~1.MUI Status: Locked to the Windows API! Path: C:\Windows\winsxs\x86_microsoft-windows-b..nment-pxe.resources_31bf3856ad364e35_6.0.6000.16386_pt-pt_b95d2df7b74713c5\BOOTMG~1.MUI Status: Locked to the Windows API! Path: C:\Windows\winsxs\x86_microsoft-windows-b..nment-pxe.resources_31bf3856ad364e35_6.0.6000.16386_ru-ru_00003fbb9c28a1f1\BOOTMG~1.MUI Status: Locked to the Windows API! Path: C:\Windows\winsxs\x86_microsoft-windows-b..nment-pxe.resources_31bf3856ad364e35_6.0.6000.16386_tr-tr_45087477820dae3d\BOOTMG~1.MUI Status: Locked to the Windows API! Path: C:\Windows\winsxs\x86_microsoft-windows-b..nment-pxe.resources_31bf3856ad364e35_6.0.6000.16386_zh-cn_166592753245805c\BOOTMG~1.MUI Status: Locked to the Windows API! Path: C:\Windows\winsxs\x86_microsoft-windows-b..nment-pxe.resources_31bf3856ad364e35_6.0.6000.16386_zh-hk_15108b033320f2ec\BOOTMG~1.MUI Status: Locked to the Windows API! Path: C:\Windows\winsxs\x86_microsoft-windows-b..nment-pxe.resources_31bf3856ad364e35_6.0.6000.16386_zh-tw_1a61cfcb2fb65ccc\BOOTMG~1.MUI Status: Locked to the Windows API! Path: C:\Windows\winsxs\x86_microsoft-windows-d..files-x64.resources_31bf3856ad364e35_6.0.6000.16386_ja-jp_cbb0c8ced5936cb1\BOOTMG~1.MUI Status: Locked to the Windows API! Path: C:\Windows\winsxs\x86_microsoft-windows-d..files-x64.resources_31bf3856ad364e35_6.0.6000.16386_sv-se_81fc82c1607b7353\BOOTMG~1.MUI Status: Locked to the Windows API! Path: C:\Windows\winsxs\x86_microsoft-windows-d..files-x64.resources_31bf3856ad364e35_6.0.6000.16386_ko-kr_6f1aa583c80433c7\BOOTMG~1.MUI Status: Locked to the Windows API! Path: C:\Windows\winsxs\x86_microsoft-windows-d..files-x64.resources_31bf3856ad364e35_6.0.6000.16386_nb-no_57ad26b8a0295f83\BOOTMG~1.MUI Status: Locked to the Windows API! Path: C:\Windows\winsxs\x86_microsoft-windows-d..files-x64.resources_31bf3856ad364e35_6.0.6000.16386_nl-nl_55ec71f6a1556958\BOOTMG~1.MUI Status: Locked to the Windows API! Path: C:\Windows\winsxs\x86_microsoft-windows-d..files-x64.resources_31bf3856ad364e35_6.0.6000.16386_pl-pl_9c28cc788677d70c\BOOTMG~1.MUI Status: Locked to the Windows API! Path: C:\Windows\winsxs\x86_microsoft-windows-d..files-x64.resources_31bf3856ad364e35_6.0.6000.16386_pt-br_9e7cb71c85016af0\BOOTMG~1.MUI Status: Locked to the Windows API! Path: C:\Windows\winsxs\x86_microsoft-windows-d..files-x64.resources_31bf3856ad364e35_6.0.6000.16386_pt-pt_9f5e86888470dacc\BOOTMG~1.MUI Status: Locked to the Windows API! Path: C:\Windows\winsxs\x86_microsoft-windows-d..files-x64.resources_31bf3856ad364e35_6.0.6000.16386_ru-ru_e601984c695268f8\BOOTMG~1.MUI Status: Locked to the Windows API! Path: C:\Windows\winsxs\x86_microsoft-windows-d..files-x64.resources_31bf3856ad364e35_6.0.6000.16386_tr-tr_2b09cd084f377544\BOOTMG~1.MUI Status: Locked to the Windows API! Path: C:\Windows\winsxs\x86_microsoft-windows-d..files-x64.resources_31bf3856ad364e35_6.0.6000.16386_zh-cn_fc66eb05ff6f4763\BOOTMG~1.MUI Status: Locked to the Windows API! Path: C:\Windows\winsxs\x86_microsoft-windows-d..files-x64.resources_31bf3856ad364e35_6.0.6000.16386_zh-hk_fb11e394004ab9f3\BOOTMG~1.MUI Status: Locked to the Windows API! Path: C:\Windows\winsxs\x86_microsoft-windows-d..files-x64.resources_31bf3856ad364e35_6.0.6000.16386_zh-tw_0063285bfce023d3\BOOTMG~1.MUI Status: Locked to the Windows API! Path: C:\Windows\winsxs\x86_microsoft-windows-mediaplayer-core_31bf3856ad364e35_6.0.6000.16789_none_09360999522be962\RENDER~1.XML Status: Locked to the Windows API! Path: C:\Windows\winsxs\x86_microsoft-windows-mediaplayer-core_31bf3856ad364e35_6.0.6000.20976_none_09c777586b441e5d\RENDER~1.XML Status: Locked to the Windows API! Path: C:\Windows\winsxs\x86_microsoft-windows-mediaplayer-core_31bf3856ad364e35_6.0.6001.18000_none_0b69c31f4f19b995\RENDER~1.XML Status: Locked to the Windows API! Path: C:\Windows\winsxs\x86_microsoft-windows-mediaplayer-core_31bf3856ad364e35_6.0.6001.18185_none_0b1847174f5614f7\RENDER~1.XML Status: Locked to the Windows API! Path: C:\Windows\winsxs\x86_microsoft-windows-mediaplayer-core_31bf3856ad364e35_6.0.6001.22331_none_0bd3f43c684ec0d7\RENDER~1.XML Status: Locked to the Windows API! Path: c:\windows\winsxs\x86_microsoft-windows-p..econsumer.resources_31bf3856ad364e35_6.0.6001.18000_en-us_b5bb8a749a95e0e0\report.system.performance.xml Status: Allocation size mismatch (API: 4096, Raw: 360) Path: c:\windows\winsxs\x86_microsoft-windows-p..econsumer.resources_31bf3856ad364e35_6.0.6001.18000_en-us_b5bb8a749a95e0e0\rules.system.performance.xml Status: Allocation size mismatch (API: 4096, Raw: 296) Path: c:\windows\winsxs\x86_microsoft-windows-p..talcontrolssettings_31bf3856ad364e35_6.0.6001.18000_none_f3ec70780f6f64fc\wpcuninst.mof Status: Allocation size mismatch (API: 4096, Raw: 472) Path: C:\Windows\winsxs\x86_policy.1.2.microsof..op.security.azroles_31bf3856ad364e35_6.0.6000.1638 6_none_ea83414c2e75b887\Microsoft.Interop.Security.AzRoles.config Status: Locked to the Windows API! Path: c:\windows\winsxs\x86_microsoft-windows-wmi-mof.resources_31bf3856ad364e35_6.0.6001.18000_en-us_6d2cbd70bfeb5621\subscrpt.mfl Status: Allocation size mismatch (API: 4096, Raw: 560) Path: C:\Windows\winsxs\x86_microsoft-windows-b..nment-pxe.resources_31bf3856ad364e35_6.0.6000.16386_ja-jp_e5af703e0869a5aa\BOOTMG~1.MUI Status: Locked to the Windows API! Path: c:\windows\winsxs\x86_msbuild_b03f5f7f11d50a3a_6.0.6001.18000_none_8133189db1382d8a\msbuild.exe.config Status: Allocation size mismatch (API: 4096, Raw: 560) Path: C:\Windows\winsxs\msil_microsoft.mediacenter.ui_31bf3856ad364e35_6.0.6001.18177_none_32dd9ace 5766e23e\$$DeleteMe.Microsoft.MediaCenter.UI.dll.01c9ecc7dc4c8fd6.0001 Status: Locked to the Windows API! Path: C:\Windows\Microsoft.NET\Framework\v2.0.50727\SYSTEM~1.DLL Status: Locked to the Windows API! Path: C:\Windows\winsxs\Temp\PendingDeletes\sortkey.nlp Status: Locked to the Windows API! Path: C:\Windows\winsxs\Temp\PendingDeletes\sorttbls.nlp Status: Locked to the Windows API! Path: c:\windows\pla\reports\en-us\report.system.performance.xml Status: Allocation size mismatch (API: 4096, Raw: 360) Path: c:\windows\pla\rules\en-us\rules.system.performance.xml Status: Allocation size mismatch (API: 4096, Raw: 296) Path: c:\program files\microsoft sql server\mssql.1\mssql\log\errorlog Status: Allocation size mismatch (API: 16384, Raw: 8192) Path: c:\program files\microsoft sql server\mssql.1\mssql\log\log_218.trc Status: Allocation size mismatch (API: 4096, Raw: 0) Path: c:\program files\microsoft sql server\mssql.1\mssql\log\log_222.trc Status: Allocation size mismatch (API: 4096, Raw: 0) Path: C:\Users\Mr. Roboto\AppData\Roaming\BitTorrent\size=120x90;noperf=1;alias=93245558;cfp=1;noaddonpl=y;kvmn=93245558;target= _blank;aduho=240;grp=681062686;misc=681062686[1].htm Status: Locked to the Windows API! Path: C:\Windows\assembly\GAC_32\Policy.1.2.Microsoft.Interop.Security.AzRoles\6.0.6000.16386__31bf3856ad364e35\Microsoft.Interop.Security.AzRoles.config Status: Locked to the Windows API! Path: C:\Windows\assembly\GAC_MSIL\System.Runtime.Serialization.Formatters.Soap\2.0.0.0__b03f5f7f11d50a3a\SYSTEM~1.DLL Status: Locked to the Windows API! Path: C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTDiagLog.etl Status: Locked to the Windows API! Path: C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTEventLog-Application.etl Status: Locked to the Windows API! Path: C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTEventlog-Security.etl Status: Locked to the Windows API! Path: C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTEventLog-System.etl Status: Locked to the Windows API! Path: C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTMsMpPsSession.etl Status: Locked to the Windows API! Path: c:\windows\system32\driverstore\filerepository\winmobil.inf_a7c8ce31\wmdsynce.man Status: Allocation size mismatch (API: 4096, Raw: 688) Path: c:\windows\system32\driverstore\filerepository\prnhp001.inf_2ade4966\i386\hpfdj920.gpd Status: Allocation size mismatch (API: 4096, Raw: 648) nternet Files\Content.IE5\4Z2XWRO7\Com_Mess;MN=93215866;u=3A8B5C244F25957D;wm=o;rm=1;r128=1;r6=1;l72=1;dwe=2;l 0=1;l2=1;l11=1;l23=1;lProcesses ------------------- Path: System PID: 4 Status: Locked to the Windows API! Path: C:\Windows\System32\audiodg.exe PID: 1248 Status: Locked to the Windows API! SSDT ------------------- #: 013 Function Name: NtAlertResumeThread Status: Hooked by "<unknown>" at address 0x87198ef0 #: 014 Function Name: NtAlertThread Status: Hooked by "<unknown>" at address 0x87198fd0 #: 018 Function Name: NtAllocateVirtualMemory Status: Hooked by "<unknown>" at address 0x8717eb00 #: 054 Function Name: NtConnectPort Status: Hooked by "<unknown>" at address 0x8716a788 #: 067 Function Name: NtCreateMutant Status: Hooked by "<unknown>" at address 0x87198c50 #: 078 Function Name: NtCreateThread Status: Hooked by "<unknown>" at address 0x8717d5e0 #: 147 Function Name: NtFreeVirtualMemory Status: Hooked by "<unknown>" at address 0x8717e950 #: 156 Function Name: NtImpersonateAnonymousToken Status: Hooked by "<unknown>" at address 0x87198d30 #: 158 Function Name: NtImpersonateThread Status: Hooked by "<unknown>" at address 0x87198e10 #: 177 Function Name: NtMapViewOfSection Status: Hooked by "<unknown>" at address 0x8717e850 #: 184 Function Name: NtOpenEvent Status: Hooked by "<unknown>" at address 0x87198b70 #: 195 Function Name: NtOpenProcessToken Status: Hooked by "<unknown>" at address 0x8717d520 #: 202 Function Name: NtOpenThreadToken Status: Hooked by "<unknown>" at address 0x8717e5b0 #: 282 Function Name: NtResumeThread Status: Hooked by "<unknown>" at address 0x8716a050 #: 289 Function Name: NtSetContextThread Status: Hooked by "<unknown>" at address 0x8717e4d0 #: 305 Function Name: NtSetInformationProcess Status: Hooked by "<unknown>" at address 0x8717e690 #: 306 Function Name: NtSetInformationThread Status: Hooked by "<unknown>" at address 0x8717e3f0 #: 330 Function Name: NtSuspendProcess Status: Hooked by "<unknown>" at address 0x87198a90 #: 331 Function Name: NtSuspendThread Status: Hooked by "<unknown>" at address 0x8717e230 #: 334 Function Name: NtTerminateProcess Status: Hooked by "<unknown>" at address 0x8717d6b0 #: 335 Function Name: NtTerminateThread Status: Hooked by "<unknown>" at address 0x8717e310 #: 348 Function Name: NtUnmapViewOfSection Status: Hooked by "<unknown>" at address 0x8717e770 #: 358 Function Name: NtWriteVirtualMemory Status: Hooked by "<unknown>" at address 0x8717ea30 Stealth Objects ------------------- Object: Hidden Module [Name: msimsg.dll] Process: svchost.exe (PID: 880) Address: 0x6f1a0000 Size: 4096 Object: Hidden Module [Name: msimsg.dll] Process: svchost.exe (PID: 952) Address: 0x6f1a0000 Size: 4096 Object: Hidden Module [Name: winlogon.exe] Process: svchost.exe (PID: 1088) Address: 0x01ef0000 Size: 323584 Object: Hidden Module [Name: winlogon.exe] Process: svchost.exe (PID: 1088) Address: 0x022f0000 Size: 323584 Object: Hidden Module [Name: tquery.dll] Process: svchost.exe (PID: 1088) Address: 0x6ef80000 Size: 1589248 Object: Hidden Module [Name: WinMgmtR.dll] Process: svchost.exe (PID: 1088) Address: 0x6ede0000 Size: 8192 Object: Hidden Module [Name: profsvc.dll] Process: svchost.exe (PID: 1088) Address: 0x73e00000 Size: 163840 Object: Hidden Module [Name: wevtapi.dll] Process: svchost.exe (PID: 1088) Address: 0x75220000 Size: 258048 Object: Hidden Module [Name: imageres.dll] Process: Explorer.EXE (PID: 664) Address: 0x66c00000 Size: 15822848 Object: Hidden Module [Name: HP.ActiveSupportLibrary.dll] Process: hphc_service.exe (PID: 3192) Address: 0x009a0000 Size: 110592 Object: Hidden Module [Name: ieframe.dll] Process: aim6.exe (PID: 3432) Address: 0x70400000 Size: 6082560 Object: Hidden Code [ETHREAD: 0x83a564e8] Process: System Address: 0x884665b0 Size: 2643 Object: Hidden Code [ETHREAD: 0x83a7f580] Process: System Address: 0x88466930 Size: 1747 Object: Hidden Code [ETHREAD: 0x83a7f2d8] Process: System Address: 0x83a7f4cc Size: 1574 Object: Hidden Code [ETHREAD: 0x83a80d78] Process: System Address: 0x96368f50 Size: 102 Object: Hidden Code [ETHREAD: 0x83a80828] Process: System Address: 0x9d169670 Size: 1181 Object: Hidden Code [ETHREAD: 0x83a80580] Process: System Address: 0xb5b34348 Size: 215 Object: Hidden Code [ETHREAD: 0x87199788] Process: System Address: 0x96329578 Size: 2696 Hidden Services ------------------- Service Name: MSIVXserv.sys Image Path: C:\Windows\system32\drivers\MSIVXjtxqgsqppimmmrtirhetwbskrwcydbmh.sys ==EOF== This post has been edited by boopme: Jul 3 2009, 11:53 PM

boopme View Member Profile	Jul 4 2009, 12:02 AM Post #6
To INSANITY and BEYOND !! Group: Moderator Posts: 25,414 Joined: 10-September 04 From: NJ USA Member No.: 2,608	Now the next step... Rerun Rootrepeal. After the scan completes, go to the files tab and find these files: C:\Windows\system32\drivers\MSIVXjtxqgsqppimmmrtirhetwbskrwcydbmh.sys Then use your mouse to highlight it in the Rootrepeal window. Next right mouse click on it and select *wipe file* option only. Then immediately reboot the computer. Now run Dr.Web Before we start fixing anything you should print out these instructions or copy them to a NotePad file so they will be accessible. Some steps will require you to disconnect from the Internet or use Safe Mode and you will not have access to this page. Please download Dr.Web CureIt and save it to your desktop. DO NOT perform a scan yet. alternate download link Note: The file will be randomly named (i.e. 5mkuvc4z.exe). Reboot your computer in "Safe Mode" using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode". Scan with Dr.Web CureIt as follows: Double-click on the randomly named file to open the program and click Start. (There is no need to update if you just downloaded the most current version Read the Virus check by DrWeb scanner prompt and click Ok where asked to Start scan now? Allow the setup.exe to load if asked by any of your security programs. The Express scan will automatically begin. (This is a short scan of files currently running in memory, boot sectors, and targeted folders). If prompted to dowload the Full version Free Trial, ignore and click the X to close the window. If an infected object is found, you will be prompted to move anything that cannot be cured. Click Yes to All. (This will move any detected files to the C:\Documents and Settings\userprofile\DoctorWeb\Quarantine folder if they can't be cured) After the Express Scan is finished, put a check next to Complete scan to scan all local disks and removable media. In the top menu, click Settings > Change settings, and uncheck "Heuristic analysis" under the "Scanning" tab, then click Apply, Ok. Back at the main window, click the green arrow "Start Scanning" button on the right under the Dr.Web logo. Please be patient as this scan could take a long time to complete. When the scan has finished, a message will be displayed at the bottom indicating if any viruses were found. Click Select All, then choose Cure > Move incurable. In the top menu, click file and choose save report list. Save the DrWeb.csv report to your desktop. Exit Dr.Web Cureit when done. Important! Reboot your computer because it could be possible that files in use will be moved/deleted during reboot. After reboot, post the contents of the log from Dr.Web in your next reply. (You can use Notepad to open the DrWeb.cvs report) -------------------- How do I get help? Who is helping me? Staying Updated Calendar of Updates. For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear.... Become a BleepingComputer fan: Facebook

MikeWater View Member Profile	Jul 4 2009, 01:09 AM Post #7
Member Group: Members Posts: 21 Joined: 3-July 09 Member No.: 347,783	I just ran the scan, and that file is not listed in the files tab, but it is listed in the hidden services tab. I tried to "wipe file", but I got this error message: "Could not find file on disk!" How should I proceed?

boopme View Member Profile	Jul 4 2009, 10:28 AM Post #8
To INSANITY and BEYOND !! Group: Moderator Posts: 25,414 Joined: 10-September 04 From: NJ USA Member No.: 2,608	OK, I felt this may happen. Please run this next. We will gwt this. Before we start fixing anything you should print out these instructions or copy them to a NotePad file so they will be accessible. Some steps will require you to disconnect from the Internet or use Safe Mode and you will not have access to this page. Please download Dr.Web CureIt and save it to your desktop. DO NOT perform a scan yet. alternate download link Note: The file will be randomly named (i.e. 5mkuvc4z.exe). Reboot your computer in "Safe Mode" using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode". Scan with Dr.Web CureIt as follows: Double-click on the randomly named file to open the program and click Start. (There is no need to update if you just downloaded the most current version Read the Virus check by DrWeb scanner prompt and click Ok where asked to Start scan now? Allow the setup.exe to load if asked by any of your security programs. The Express scan will automatically begin. (This is a short scan of files currently running in memory, boot sectors, and targeted folders). If prompted to dowload the Full version Free Trial, ignore and click the X to close the window. If an infected object is found, you will be prompted to move anything that cannot be cured. Click Yes to All. (This will move any detected files to the C:\Documents and Settings\userprofile\DoctorWeb\Quarantine folder if they can't be cured) After the Express Scan is finished, put a check next to Complete scan to scan all local disks and removable media. In the top menu, click Settings > Change settings, and uncheck "Heuristic analysis" under the "Scanning" tab, then click Apply, Ok. Back at the main window, click the green arrow "Start Scanning" button on the right under the Dr.Web logo. Please be patient as this scan could take a long time to complete. When the scan has finished, a message will be displayed at the bottom indicating if any viruses were found. Click Select All, then choose Cure > Move incurable. In the top menu, click file and choose save report list. Save the DrWeb.csv report to your desktop. Exit Dr.Web Cureit when done. Important! Reboot your computer because it could be possible that files in use will be moved/deleted during reboot. After reboot, post the contents of the log from Dr.Web in your next reply. (You can use Notepad to open the DrWeb.cvs report) -------------------- How do I get help? Who is helping me? Staying Updated Calendar of Updates. For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear.... Become a BleepingComputer fan: Facebook

MikeWater View Member Profile	Jul 4 2009, 12:59 PM Post #9
Member Group: Members Posts: 21 Joined: 3-July 09 Member No.: 347,783	Okay, I ran Dr. Web in Safe Mode and the express scan found no viruses. I then proceeded with the complete scan after unchecking the "heuristic analysis". About 5-10 minutes into this scan, the computer shut down. After turning it back on, it wanted to check the NTFS file system for consistency, it scanned files, indexes, and security descriptors among other things, and then allowed me to log in. Should I try to run the scan with Dr. Web again or is there another way to proceed from here?

boopme View Member Profile	Jul 4 2009, 02:19 PM Post #10
To INSANITY and BEYOND !! Group: Moderator Posts: 25,414 Joined: 10-September 04 From: NJ USA Member No.: 2,608	OK first try theses from safe... If you still have an issue running any then run them in Normal mode. -------------------- How do I get help? Who is helping me? Staying Updated Calendar of Updates. For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear.... Become a BleepingComputer fan: Facebook

MikeWater View Member Profile	Jul 4 2009, 11:14 PM Post #11
Member Group: Members Posts: 21 Joined: 3-July 09 Member No.: 347,783	I cannot believe this! After a 7 hour scan by Dr. Web, I click to save the report and the screen turns blue with some error message and then shuts down, before restarting like it did before. It found 6 infections, 2 of which were deleted, and the rest moved. I don't think I saw any MSIV file in that batch, however. I'm afraid I have nothing to report for you. This is unbelievably frustrating. Is this crashing a result of whatever rootkit I may have, or is it something else?

boopme View Member Profile	Jul 5 2009, 12:05 AM Post #12
To INSANITY and BEYOND !! Group: Moderator Posts: 25,414 Joined: 10-September 04 From: NJ USA Member No.: 2,608	Hi it is probably the result of the havoc the malware has wrought on the registry. But I think DrWeb may have removed enough for us to run MBAM in normal mode. Next run ATF: Note: On Vista, "Windows Temp" is disabled. To empty "Windows Temp" ATF-Cleaner must be "Run as an Administrator". Please download ATF Cleaner by Atribune & save it to your desktop. Double-click ATF-Cleaner.exe to run the program. Under Main "*Select Files to Delete" choose: Select All. Click the Empty Selected* button. If you use Firefox browser click Firefox at the top and choose: Select All Click the Empty Selected button. If you would like to keep your saved passwords, please click No at the prompt. If you use Opera browser click Opera at the top and choose: Select All Click the Empty Selected button. If you would like to keep your saved passwords, please click No at the prompt. Click Exit on the Main menu to close the program. Next run MBAM (MalwareBytes): NOTE: Before saving MBAM please rename it to zztoy.exe....now save it to your desktop. Please download Malwarebytes Anti-Malware and save it to your desktop. alternate download link 1 alternate download link 2 MBAM may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (ie Spybot's Teatimer), they may interfere or alert you. Temporarily disable such programs or permit them to allow the changes. Make sure you are connected to the Internet. Double-click on mbam-setup.exe to install the application. When the installation begins, follow the prompts and do not make any changes to default settings. When installation has finished, make sure you leave both of these checked: Update Malwarebytes' Anti-Malware Launch Malwarebytes' Anti-Malware Then click Finish. MBAM will automatically start and you will be asked to update the program before performing a scan. If an update is found, the program will automatically update itself. Press the OK button to close that box and continue. If you encounter any problems while downloading the definition updates, manually download them from here and just double-click on mbam-rules.exe to install. On the Scanner tab: Make sure the "Perform Quick Scan" option is selected. Then click on the Scan button. If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button. The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient. When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found". Click OK to close the message box and continue with the removal process. Back at the main Scanner screen: Click on the Show Results button to see a list of any malware that was found. Make sure that *everything is checked, and click Remove Selected. When removal is completed, a log report will open in Notepad. The log is automatically saved and can be viewed by clicking the Logs* tab in MBAM. Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system. Exit MBAM when done. Note: If MBAM encounters a file that is difficult to remove, you will be asked to reboot your computer so MBAM can proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware. This post has been edited by boopme: Jul 5 2009, 12:06 AM -------------------- How do I get help? Who is helping me? Staying Updated Calendar of Updates. For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear.... Become a BleepingComputer fan: Facebook

MikeWater View Member Profile	Jul 5 2009, 06:30 PM Post #13
Member Group: Members Posts: 21 Joined: 3-July 09 Member No.: 347,783	Malwarebytes' Anti-Malware 1.38 Database version: 2377 Windows 6.0.6001 Service Pack 1 7/5/2009 7:15:41 PM mbam-log-2009-07-05 (19-15-41).txt Scan type: Quick Scan Objects scanned: 98785 Time elapsed: 9 minute(s), 45 second(s) Memory Processes Infected: 0 Memory Modules Infected: 0 Registry Keys Infected: 2 Registry Values Infected: 1 Registry Data Items Infected: 7 Folders Infected: 0 Files Infected: 4 Memory Processes Infected: (No malicious items detected) Memory Modules Infected: (No malicious items detected) Registry Keys Infected: HKEY_CURRENT_USER\SOFTWARE\Security Tools (Trojan.Zlob) -> Quarantined and deleted successfully. HKEY_CURRENT_USER\SOFTWARE\ColdWare (Malware.Trace) -> Quarantined and deleted successfully. Registry Values Infected: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\{6f396a67-f473-48c9-9950-636ce17e584e} (Trojan.Zlob) -> Quarantined and deleted successfully. Registry Data Items Infected: HKEY_CLASSES_ROOT\regfile\shell\open\command\(default) (Broken.OpenCommand) -> Bad: ("regedit.exe" "%1") Good: (regedit.exe "%1") -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.22,85.255.112.130 -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{71710f29-5ee9-4241-91c2-88f0c4581c9b}\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.112.22,85.255.112.130 -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.22,85.255.112.130 -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{71710f29-5ee9-4241-91c2-88f0c4581c9b}\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.112.22,85.255.112.130 -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\Tcpip\Parameters\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.22,85.255.112.130 -> Quarantined and deleted successfully. HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\Tcpip\Parameters\Interfaces\{71710f29-5ee9-4241-91c2-88f0c4581c9b}\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.112.22,85.255.112.130 -> Quarantined and deleted successfully. Folders Infected: (No malicious items detected) Files Infected: c:\Windows\Tasks\{5B57CF47-0BFA-43c6-ACF9-3B3653DCADBA}.job (Trojan.FakeAlert) -> Quarantined and deleted successfully. C:\Windows\System32\MSIVXcount (Trojan.Agent) -> Quarantined and deleted successfully. c:\Windows\System32\MSIVXlbewsyixbecnpupfwqviqefxnsefvbvv.dll (Trojan.Agent) -> Quarantined and deleted successfully. c:\Windows\System32\MSIVXnspwdmaxqwxiypxuqauptbitipujqrtx.dll (Trojan.Agent) -> Quarantined and deleted successfully.

boopme View Member Profile	Jul 5 2009, 06:43 PM Post #14
To INSANITY and BEYOND !! Group: Moderator Posts: 25,414 Joined: 10-September 04 From: NJ USA Member No.: 2,608	Finally something good.. Now we need another look. Sometimes it takes a few tools and several scans so bear with it. Run part 1 of S!Ri's SmitfraudFix Please download SmitfraudFix Double-click SmitfraudFix.exe Select option #1 - Search by typing 1 and press "Enter"; a text file will appear, which lists infected files (if present). Please copy/paste the content of that report into your next reply. Note : process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user. http://www.beyondlogic.org/consulting/proc...processutil.htm -------------------- How do I get help? Who is helping me? Staying Updated Calendar of Updates. For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear.... Become a BleepingComputer fan: Facebook

MikeWater View Member Profile	Jul 5 2009, 07:12 PM Post #15
Member Group: Members Posts: 21 Joined: 3-July 09 Member No.: 347,783	C:\Windows\system32\Dwm.exe C:\Windows\system32\taskeng.exe C:\Windows\Explorer.EXE C:\Program Files\Windows Defender\MSASCui.exe C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QLBCTRL.exe C:\Program Files\Synaptics\SynTP\SynTPEnh.exe C:\Program Files\Hp\HP Software Update\hpwuSchd2.exe C:\Program Files\Java\jre1.6.0\bin\jusched.exe C:\Program Files\Hp\QuickPlay\QPService.exe C:\Program Files\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe C:\Program Files\Common Files\Symantec Shared\ccApp.exe C:\Program Files\Symantec AntiVirus\VPTray.exe C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe C:\Program Files\AirPort\APAgent.exe C:\Program Files\Seagate\SeagateManager\FreeAgent Status\stxmenumgr.exe C:\Program Files\Common Files\Real\Update_OB\realsched.exe C:\Windows\System32\rundll32.exe C:\Program Files\iTunes\iTunesHelper.exe C:\Program Files\Windows Sidebar\sidebar.exe C:\Windows\ehome\ehtray.exe C:\Program Files\TomTom HOME 2\HOMERunner.exe C:\Users\Mr. Roboto\Program Files\DNA\btdna.exe C:\Program Files\Windows Media Player\wmpnscfg.exe C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe C:\Program Files\Hp\Digital Imaging\bin\hpqtra08.exe C:\Windows\ehome\ehmsas.exe C:\Windows\system32\wbem\unsecapp.exe C:\PROGRA~1\HEWLET~1\Shared\HPQTOA~1.EXE C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe C:\Program Files\HP\Digital Imaging\bin\hpqbam08.exe C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Windows NT\Accessories\WORDPAD.EXE C:\Windows\system32\cmd.exe C:\Windows\system32\cscript.exe This is the text file (called "Process") that SmitFraudFix created when I did a scan. Are these infected files?

« Next Oldest · Am I infected? What do I do? · Next Newest »

1 User(s) are reading this topic (1 Guests and 0 Anonymous Users)

0 Members:

Advertise \| About Us \| Terms of Use \| Privacy Policy \| Contact Us \| Site Map \| Chat \| Tutorials \| Uninstall List
Discussion Forums \| The Computer Glossary \| Resources \| RSS Feeds \| Startups \| The File Database \| Virus Removal Guides