
Bad Image rootbug?


  • This topic is locked
21 replies to this topic

#1 MikeWater

MikeWater

  • Members
  • 25 posts

Posted 03 July 2009 - 12:47 PM

Hi, I’m afraid that this will have to be my introduction post.

As of 7/03/09 (around 1:30 AM EST), whenever I start Firefox I am greeted with this message next to a red circled “X”:

“firefox.exe – Bad Image
globalroot\systemroot\system32\MSIVXnspwdmaxqwxiypxuqauptbitipujqrtx.dll is either not designed to run on Windows or it contains an error. Try installing the program again using the original installation media or contact your system administrator or the software vendor for support.”

Unfortunately I don’t really know how to create screenshots, but what I typed out is exactly what is displayed. I tried looking up this strange file, but the closest I’ve seen anyone else have is “something”“random characters”.dll.
So far, whatever is on my computer has slowed it down tremendously, and I get occasional pop-ups that open up in Internet Explorer even though I am running Firefox. I’ve reinstalled Firefox (which hasn’t changed a thing), and any attempt at doing a system scan on Symantec antivirus seems to be forbidden (it says that Symantec cannot run a system scan as there is already another scan in process on my computer, when there isn’t). When I open Windows Defender I tried to check for updates (since it had been a long time since I last used it), but I get the following message: “The program can’t check for definition updates” “Error found: Code 0x80244019.” I was able to do a quick scan with Windows Defender, but it didn’t find anything.

I am running Windows Vista Home Premium. I want to know if there is anything on my computer in danger, if it is safe to backup anything, what this infection is doing and will do to my computer, and of course how to rid my hard drive of it.

Any assistance in this urgent matter will be greatly appreciated!

--Mike



#2 MikeWater

MikeWater
  • Topic Starter

  • Members
  • 25 posts

Posted 03 July 2009 - 02:38 PM

Status Update: I ran RootRepeal and did a scan on drivers, it found the hidden MSIV driver but it couldn't wipe or force delete it. However, I was able to wipe files on the file scan that were MSIV related. I shut down my computer after it froze and now I can open Firefox without the "Bad Image" error. What's more, my computer runs considerably faster. I don't know if I've seen the last of this thing, but it's clearly better now than it was. If there is anything I should still do to make sure it's gone, please let me know.

Also, on a possibly unrelated note, I found this unusual process running in my windows task manager: 124365463.tmp

Anyone seen this before? Also, is my MSIV problem fixed?

--Mike

#3 MikeWater

MikeWater
  • Topic Starter

  • Members
  • 25 posts

Posted 03 July 2009 - 06:58 PM

HELP PLEASE!

Okay, this "124365463.tmp" process is becoming more of a hazard than I originally thought. It's been taking up CPU usage, and delivering ads/news through my speakers even though no applications are running. Every time I terminate this process it eventually comes back. Symantec is constantly notifying me of "Downloader.MisleadApp" being cleaned by deletion, over and over.

Please if anyone can help me with getting rid of this I will very much appreciate it. I don't want any outside source utilizing or damaging anything on my computer.

#4 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 72,740 posts
  • Gender:Male
  • Location:NJ USA

Posted 03 July 2009 - 09:55 PM

Hello. Sorry for all the replies to yourself; I thought someone was handling this already.

Please run ROOTREPEAL

Next, please install RootRepeal.

Go HERE, and download RootRepeal.zip to your Desktop.
Tutorial with images, if needed >> L@@K.
Unzip that (7-zip tool if needed) and then click RootRepeal.exe to open the scanner.
Next click on the Report tab, now click on Scan. A Window will open asking what to include in the scan. Check all of the below and then click OK.

Drivers
Files
Processes
SSDT
Stealth Objects
Hidden Services


Now you'll be asked which drive to scan. Check C: and click OK again and the scan will start. Please be patient as the scan runs. When the scan has finished, click on Save Report.
Name the log RootRepeal.txt and save it to your Documents folder (it should automatically save it there).
Please copy and paste that into your next reply.
How do I get help? Who is helping me?
For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....
Become a BleepingComputer fan: Facebook

#5 MikeWater

MikeWater
  • Topic Starter

  • Members
  • 25 posts

Posted 03 July 2009 - 11:37 PM

ROOTREPEAL © AD, 2007-2009
==================================================
Scan Time: 2009/07/04 00:04
Program Version: Version 1.3.0.0
Windows Version: Windows Vista SP1
==================================================

Drivers
-------------------
Name:

Image Path:

Address: 0x8C84D000 Size: 212992 File Visible: No Signed: -
Status: Hidden from Windows API!

Name: dump_dumpata.sys
Image Path: C:\Windows\System32\Drivers\dump_dumpata.sys
Address: 0x8E7CD000 Size: 45056 File Visible: No Signed: -
Status: -

Name: dump_msahci.sys
Image Path: C:\Windows\System32\Drivers\dump_msahci.sys
Address: 0x8E7D8000 Size: 40960 File Visible: No Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\Windows\system32\drivers\rootrepeal.sys
Address: 0x8D2D5000 Size: 49152 File Visible: No Signed: -
Status: -

Hidden/Locked Files
-------------------
Path: C:\hiberfil.sys
Status: Locked to the Windows API!

Path: C:\System Volume Information\{3808876b-c176-4e48-b7ae-04046e6cc752}
Status: Locked to the Windows API!

Path: C:\System Volume Information\{3b444e03-683c-11de-9d16-001636b94659}{3808876b-c176-4e48-b7ae-04046e6cc752}
Status: Locked to the Windows API!

Path: C:\System Volume Information\{4929ad06-6803-11de-8108-001636b94659}{3808876b-c176-4e48-b7ae-04046e6cc752}
Status: Locked to the Windows API!

Path: C:\System Volume Information\{c91e0ef3-666d-11de-821b-001636b94659}{3808876b-c176-4e48-b7ae-04046e6cc752}
Status: Locked to the Windows API!

Path: C:\System Volume Information\{ce2323df-681b-11de-b1f8-001636b94659}{3808876b-c176-4e48-b7ae-04046e6cc752}
Status: Locked to the Windows API!

Path: c:\windows\system32\wbem\wpcuninst.mof
Status: Allocation size mismatch (API: 4096, Raw: 472)

Path: C:\Windows\winsxs\Catalogs\x86_policy.4.20.microsoft.msxml2_6bd6b9abf345378f_4.20.9849.0_none_a6e7a8e20e9863b4.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_policy.8.0.microsoft.vc80.atl_1fc8b3b9a1e18e3b_8.0.50727.91_none_58b1a5ca663317c4.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_policy.8.0.microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.762_none_9193a620671dde41.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_microsoft.vc80.mfc_1fc8b3b9a1e18e3b_8.0.50727.762_none_0c178a139ee2a7ed.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_policy.4.20.microsoft.msxml2_6bd6b9abf345378f_4.20.9848.0_none_a6e6a8980e994a5d.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_microsoft.vc80.atl_1fc8b3b9a1e18e3b_8.0.50727.762_none_11ecb0ab9b2caf3c.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_policy.8.0.microsoft.vc80.debugcrt_1fc8b3b9a1e18e3b_8.0.50727.42_none_3825408a574a21cb.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_policy.4.20.microsoft.msxml2_6bd6b9abf345378f_4.20.9870.0_none_a6dea5dc0ea08098.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_microsoft.vc80.debugcrt_1fc8b3b9a1e18e3b_8.0.50727.42_none_ef74ff32550b5bf0.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_microsoft.windows.networking.dxmrtp_6595b64144ccf1df_5.2.1002.3_none_3b4992a44ea4e480.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_microsoft.msxml2_6bd6b9abf345378f_4.1.0.0_none_6c030d6fdc86522c.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_microsoft.msxml2_6bd6b9abf345378f_4.20.9848.0_none_b7e811287b298060.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_microsoft.msxml2_6bd6b9abf345378f_4.20.9841.0_none_b7e10f227b2fceff.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_policy.4.20.microsoft.msxml2_6bd6b9abf345378f_4.20.9841.0_none_a6dfa6920e9f98fc.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_policy.8.0.microsoft.vc80.debugmfc_1fc8b3b9a1e18e3b_8.0.50727.42_none_3389d53e5a2d10c0.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_policy.8.0.microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.42_none_5c4003bc63e949f6.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_microsoft.vc80.mfcloc_1fc8b3b9a1e18e3b_8.0.50727.762_none_43efccf17831d131.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_microsoft.msxml2r_6bd6b9abf345378f_4.1.0.0_none_3658456fda6654f6.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_microsoft.vc80.debugmfc_1fc8b3b9a1e18e3b_8.0.50727.42_none_f455012451df8b23.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_policy.8.0.microsoft.vc80.atl_1fc8b3b9a1e18e3b_8.0.50727.42_none_58b19c2866332652.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_policy.8.0.microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.91_none_5c400d5e63e93b68.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.91_none_db5f5c9d98cb161f.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_microsoft.vc80.atl_1fc8b3b9a1e18e3b_8.0.50727.91_none_dc9917e997f80c63.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_microsoft.vc80.mfc_1fc8b3b9a1e18e3b_8.0.50727.42_none_d6c3e7af9bae13a2.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_policy.8.0.microsoft.vc80.openmp_1fc8b3b9a1e18e3b_8.0.50727.42_none_7658964504b9f3b6.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_policy.8.0.microsoft.vc80.atl_1fc8b3b9a1e18e3b_8.0.50727.762_none_8e053e8c6967ba9d.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_microsoft.msxml2_6bd6b9abf345378f_4.20.9849.0_none_b7e911727b2899b7.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_microsoft.vc80.openmp_1fc8b3b9a1e18e3b_8.0.50727.762_none_7b33aa7d218504d2.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_microsoft.vc80.mfc_1fc8b3b9a1e18e3b_8.0.50727.91_none_d6c3f1519bae0514.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_microsoft.msxml2_6bd6b9abf345378f_4.20.9870.0_none_b7e00e6c7b30b69b.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_microsoft.vc80.mfcloc_1fc8b3b9a1e18e3b_8.0.50727.91_none_0e9c342f74fd2e58.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_microsoft.windows.networking.rtcdll_6595b64144ccf1df_5.2.1002.3_none_af1aecad9109b29e.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_policy.8.0.microsoft.vc80.mfcloc_1fc8b3b9a1e18e3b_8.0.50727.762_none_8dd7dea5d5a7a18a.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_policy.8.0.microsoft.vc80.mfc_1fc8b3b9a1e18e3b_8.0.50727.42_none_54c11df268b7c6d9.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_policy.8.0.microsoft.vc80.mfcloc_1fc8b3b9a1e18e3b_8.0.50727.91_none_588445e3d272feb1.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_policy.8.0.microsoft.vc80.openmp_1fc8b3b9a1e18e3b_8.0.50727.762_none_abac38a907ee8801.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.762_none_10b2f55f9bffb8f8.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_microsoft.vc80.atl_1fc8b3b9a1e18e3b_8.0.50727.42_none_dc990e4797f81af1.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_policy.8.0.microsoft.vc80.mfc_1fc8b3b9a1e18e3b_8.0.50727.91_none_54c1279468b7b84b.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_policy.4.1.microsoft.msxml2r_6bd6b9abf345378f_4.1.1.0_none_8b7b15c031cda6db.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_microsoft.vc80.mfcloc_1fc8b3b9a1e18e3b_8.0.50727.42_none_0e9c2a8d74fd3ce6.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_microsoft.vc80.openmp_1fc8b3b9a1e18e3b_8.0.50727.42_none_45e008191e507087.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_policy.9.0.microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.21022.8_none_60a5df56e60dc5df.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_microsoft.msxml2_6bd6b9abf345378f_4.20.9818.0_none_b7e811947b297f6d.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_policy.8.0.microsoft.vc80.mfc_1fc8b3b9a1e18e3b_8.0.50727.762_none_8a14c0566bec5b24.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.42_none_db5f52fb98cb24ad.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_microsoft.windows.networking.rtcres_6595b64144ccf1df_5.2.1002.3_none_b5a302ab8cccdfca.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.21022.8_none_bcb86ed6ac711f91.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_microsoft.msxml2r_6bd6b9abf345378f_4.1.1.0_none_365945b9da656e4d.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Catalogs\x86_policy.8.0.microsoft.vc80.mfcloc_1fc8b3b9a1e18e3b_8.0.50727.42_none_58843c41d2730d3f.cat
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-b..nment-pxe.resources_31bf3856ad364e35_6.0.6000.16386_sv-se_9bfb2a309351ac4c\BOOTMG~1.MUI
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-b..ager-pcat.resources_31bf3856ad364e35_6.0.6000.16386_ja-jp_4c1b4ff6e64be921\BOOTMG~1.MUI
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-b..ager-pcat.resources_31bf3856ad364e35_6.0.6000.16386_ko-kr_ef852cabd8bcb037\BOOTMG~1.MUI
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-b..ager-pcat.resources_31bf3856ad364e35_6.0.6000.16386_nb-no_d817ade0b0e1dbf3\BOOTMG~1.MUI
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-b..ager-pcat.resources_31bf3856ad364e35_6.0.6000.16386_nl-nl_d656f91eb20de5c8\BOOTMG~1.MUI
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-b..ager-pcat.resources_31bf3856ad364e35_6.0.6000.16386_pl-pl_1c9353a09730537c\BOOTMG~1.MUI
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-b..ager-pcat.resources_31bf3856ad364e35_6.0.6000.16386_pt-br_1ee73e4495b9e760\BOOTMG~1.MUI
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-b..ager-pcat.resources_31bf3856ad364e35_6.0.6000.16386_ru-ru_666c1f747a0ae568\BOOTMG~1.MUI
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-b..ager-pcat.resources_31bf3856ad364e35_6.0.6000.16386_sv-se_026709e97133efc3\BOOTMG~1.MUI
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-b..ager-pcat.resources_31bf3856ad364e35_6.0.6000.16386_tr-tr_ab7454305feff1b4\BOOTMG~1.MUI
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-b..ager-pcat.resources_31bf3856ad364e35_6.0.6000.16386_zh-cn_7cd1722e1027c3d3\BOOTMG~1.MUI
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-b..ager-pcat.resources_31bf3856ad364e35_6.0.6000.16386_zh-hk_7b7c6abc11033663\BOOTMG~1.MUI
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-b..ager-pcat.resources_31bf3856ad364e35_6.0.6000.16386_zh-tw_80cdaf840d98a043\BOOTMG~1.MUI
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-b..ager-pcat.resources_31bf3856ad364e35_6.0.6000.16386_pt-pt_1fc90db09529573c\BOOTMG~1.MUI
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-b..nment-pxe.resources_31bf3856ad364e35_6.0.6000.16386_ko-kr_89194cf2fada6cc0\BOOTMG~1.MUI
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-b..nment-pxe.resources_31bf3856ad364e35_6.0.6000.16386_nb-no_71abce27d2ff987c\BOOTMG~1.MUI
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-b..nment-pxe.resources_31bf3856ad364e35_6.0.6000.16386_nl-nl_6feb1965d42ba251\BOOTMG~1.MUI
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-b..nment-pxe.resources_31bf3856ad364e35_6.0.6000.16386_pl-pl_b62773e7b94e1005\BOOTMG~1.MUI
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-b..nment-pxe.resources_31bf3856ad364e35_6.0.6000.16386_pt-br_b87b5e8bb7d7a3e9\BOOTMG~1.MUI
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-b..nment-pxe.resources_31bf3856ad364e35_6.0.6000.16386_pt-pt_b95d2df7b74713c5\BOOTMG~1.MUI
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-b..nment-pxe.resources_31bf3856ad364e35_6.0.6000.16386_ru-ru_00003fbb9c28a1f1\BOOTMG~1.MUI
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-b..nment-pxe.resources_31bf3856ad364e35_6.0.6000.16386_tr-tr_45087477820dae3d\BOOTMG~1.MUI
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-b..nment-pxe.resources_31bf3856ad364e35_6.0.6000.16386_zh-cn_166592753245805c\BOOTMG~1.MUI
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-b..nment-pxe.resources_31bf3856ad364e35_6.0.6000.16386_zh-hk_15108b033320f2ec\BOOTMG~1.MUI
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-b..nment-pxe.resources_31bf3856ad364e35_6.0.6000.16386_zh-tw_1a61cfcb2fb65ccc\BOOTMG~1.MUI
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-d..files-x64.resources_31bf3856ad364e35_6.0.6000.16386_ja-jp_cbb0c8ced5936cb1\BOOTMG~1.MUI
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-d..files-x64.resources_31bf3856ad364e35_6.0.6000.16386_sv-se_81fc82c1607b7353\BOOTMG~1.MUI
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-d..files-x64.resources_31bf3856ad364e35_6.0.6000.16386_ko-kr_6f1aa583c80433c7\BOOTMG~1.MUI
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-d..files-x64.resources_31bf3856ad364e35_6.0.6000.16386_nb-no_57ad26b8a0295f83\BOOTMG~1.MUI
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-d..files-x64.resources_31bf3856ad364e35_6.0.6000.16386_nl-nl_55ec71f6a1556958\BOOTMG~1.MUI
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-d..files-x64.resources_31bf3856ad364e35_6.0.6000.16386_pl-pl_9c28cc788677d70c\BOOTMG~1.MUI
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-d..files-x64.resources_31bf3856ad364e35_6.0.6000.16386_pt-br_9e7cb71c85016af0\BOOTMG~1.MUI
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-d..files-x64.resources_31bf3856ad364e35_6.0.6000.16386_pt-pt_9f5e86888470dacc\BOOTMG~1.MUI
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-d..files-x64.resources_31bf3856ad364e35_6.0.6000.16386_ru-ru_e601984c695268f8\BOOTMG~1.MUI
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-d..files-x64.resources_31bf3856ad364e35_6.0.6000.16386_tr-tr_2b09cd084f377544\BOOTMG~1.MUI
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-d..files-x64.resources_31bf3856ad364e35_6.0.6000.16386_zh-cn_fc66eb05ff6f4763\BOOTMG~1.MUI
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-d..files-x64.resources_31bf3856ad364e35_6.0.6000.16386_zh-hk_fb11e394004ab9f3\BOOTMG~1.MUI
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-d..files-x64.resources_31bf3856ad364e35_6.0.6000.16386_zh-tw_0063285bfce023d3\BOOTMG~1.MUI
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-mediaplayer-core_31bf3856ad364e35_6.0.6000.16789_none_09360999522be962\RENDER~1.XML
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-mediaplayer-core_31bf3856ad364e35_6.0.6000.20976_none_09c777586b441e5d\RENDER~1.XML
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-mediaplayer-core_31bf3856ad364e35_6.0.6001.18000_none_0b69c31f4f19b995\RENDER~1.XML
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-mediaplayer-core_31bf3856ad364e35_6.0.6001.18185_none_0b1847174f5614f7\RENDER~1.XML
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\x86_microsoft-windows-mediaplayer-core_31bf3856ad364e35_6.0.6001.22331_none_0bd3f43c684ec0d7\RENDER~1.XML
Status: Locked to the Windows API!

Path: c:\windows\winsxs\x86_microsoft-windows-p..econsumer.resources_31bf3856ad364e35_6.0.6001.18000_en-us_b5bb8a749a95e0e0\report.system.performance.xml
Status: Allocation size mismatch (API: 4096, Raw: 360)

Path: c:\windows\winsxs\x86_microsoft-windows-p..econsumer.resources_31bf3856ad364e35_6.0.6001.18000_en-us_b5bb8a749a95e0e0\rules.system.performance.xml
Status: Allocation size mismatch (API: 4096, Raw: 296)

Path: c:\windows\winsxs\x86_microsoft-windows-p..talcontrolssettings_31bf3856ad364e35_6.0.6001.18000_none_f3ec70780f6f64fc\wpcuninst.mof
Status: Allocation size mismatch (API: 4096, Raw: 472)

Path: C:\Windows\winsxs\x86_policy.1.2.microsof..op.security.azroles_31bf3856ad364e35_6.0.6000.16386_none_ea83414c2e75b887\Microsoft.Interop.Security.AzRoles.config
Status: Locked to the Windows API!

Path: c:\windows\winsxs\x86_microsoft-windows-wmi-mof.resources_31bf3856ad364e35_6.0.6001.18000_en-us_6d2cbd70bfeb5621\subscrpt.mfl
Status: Allocation size mismatch (API: 4096, Raw: 560)

Path: C:\Windows\winsxs\x86_microsoft-windows-b..nment-pxe.resources_31bf3856ad364e35_6.0.6000.16386_ja-jp_e5af703e0869a5aa\BOOTMG~1.MUI
Status: Locked to the Windows API!

Path: c:\windows\winsxs\x86_msbuild_b03f5f7f11d50a3a_6.0.6001.18000_none_8133189db1382d8a\msbuild.exe.config
Status: Allocation size mismatch (API: 4096, Raw: 560)

Path: C:\Windows\winsxs\msil_microsoft.mediacenter.ui_31bf3856ad364e35_6.0.6001.18177_none_32dd9ace5766e23e\$$DeleteMe.Microsoft.MediaCenter.UI.dll.01c9ecc7dc4c8fd6.0001
Status: Locked to the Windows API!

Path: C:\Windows\Microsoft.NET\Framework\v2.0.50727\SYSTEM~1.DLL
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Temp\PendingDeletes\sortkey.nlp
Status: Locked to the Windows API!

Path: C:\Windows\winsxs\Temp\PendingDeletes\sorttbls.nlp
Status: Locked to the Windows API!

Path: c:\windows\pla\reports\en-us\report.system.performance.xml
Status: Allocation size mismatch (API: 4096, Raw: 360)

Path: c:\windows\pla\rules\en-us\rules.system.performance.xml
Status: Allocation size mismatch (API: 4096, Raw: 296)

Path: c:\program files\microsoft sql server\mssql.1\mssql\log\errorlog
Status: Allocation size mismatch (API: 16384, Raw: 8192)

Path: c:\program files\microsoft sql server\mssql.1\mssql\log\log_218.trc
Status: Allocation size mismatch (API: 4096, Raw: 0)

Path: c:\program files\microsoft sql server\mssql.1\mssql\log\log_222.trc
Status: Allocation size mismatch (API: 4096, Raw: 0)

Path: C:\Users\Mr. Roboto\AppData\Roaming\BitTorrent\size=120x90;noperf=1;alias=93245558;cfp=1;noaddonpl=y;kvmn=93245558;target=_blank;aduho=240;grp=681062686;misc=681062686[1].htm
Status: Locked to the Windows API!

Path: C:\Windows\assembly\GAC_32\Policy.1.2.Microsoft.Interop.Security.AzRoles\6.0.6000.16386__31bf3856ad364e35\Microsoft.Interop.Security.AzRoles.config
Status: Locked to the Windows API!

Path: C:\Windows\assembly\GAC_MSIL\System.Runtime.Serialization.Formatters.Soap\2.0.0.0__b03f5f7f11d50a3a\SYSTEM~1.DLL
Status: Locked to the Windows API!

Path: C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTDiagLog.etl
Status: Locked to the Windows API!

Path: C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTEventLog-Application.etl
Status: Locked to the Windows API!

Path: C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTEventlog-Security.etl
Status: Locked to the Windows API!

Path: C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTEventLog-System.etl
Status: Locked to the Windows API!

Path: C:\Windows\System32\LogFiles\WMI\RtBackup\EtwRTMsMpPsSession.etl
Status: Locked to the Windows API!

Path: c:\windows\system32\driverstore\filerepository\winmobil.inf_a7c8ce31\wmdsynce.man
Status: Allocation size mismatch (API: 4096, Raw: 688)

Path: c:\windows\system32\driverstore\filerepository\prnhp001.inf_2ade4966\i386\hpfdj920.gpd
Status: Allocation size mismatch (API: 4096, Raw: 648)

...nternet Files\Content.IE5\4Z2XWRO7\Com_Mess;MN=93215866;u=3A8B5C244F25957D;wm=o;rm=1;r128=1;r6=1;l72=1;dwe=2;l0=1;l2=1;l11=1;l23=1;l...

Processes
-------------------
Path: System
PID: 4 Status: Locked to the Windows API!

Path: C:\Windows\System32\audiodg.exe
PID: 1248 Status: Locked to the Windows API!

SSDT
-------------------
#: 013 Function Name: NtAlertResumeThread
Status: Hooked by "<unknown>" at address 0x87198ef0

#: 014 Function Name: NtAlertThread
Status: Hooked by "<unknown>" at address 0x87198fd0

#: 018 Function Name: NtAllocateVirtualMemory
Status: Hooked by "<unknown>" at address 0x8717eb00

#: 054 Function Name: NtConnectPort
Status: Hooked by "<unknown>" at address 0x8716a788

#: 067 Function Name: NtCreateMutant
Status: Hooked by "<unknown>" at address 0x87198c50

#: 078 Function Name: NtCreateThread
Status: Hooked by "<unknown>" at address 0x8717d5e0

#: 147 Function Name: NtFreeVirtualMemory
Status: Hooked by "<unknown>" at address 0x8717e950

#: 156 Function Name: NtImpersonateAnonymousToken
Status: Hooked by "<unknown>" at address 0x87198d30

#: 158 Function Name: NtImpersonateThread
Status: Hooked by "<unknown>" at address 0x87198e10

#: 177 Function Name: NtMapViewOfSection
Status: Hooked by "<unknown>" at address 0x8717e850

#: 184 Function Name: NtOpenEvent
Status: Hooked by "<unknown>" at address 0x87198b70

#: 195 Function Name: NtOpenProcessToken
Status: Hooked by "<unknown>" at address 0x8717d520

#: 202 Function Name: NtOpenThreadToken
Status: Hooked by "<unknown>" at address 0x8717e5b0

#: 282 Function Name: NtResumeThread
Status: Hooked by "<unknown>" at address 0x8716a050

#: 289 Function Name: NtSetContextThread
Status: Hooked by "<unknown>" at address 0x8717e4d0

#: 305 Function Name: NtSetInformationProcess
Status: Hooked by "<unknown>" at address 0x8717e690

#: 306 Function Name: NtSetInformationThread
Status: Hooked by "<unknown>" at address 0x8717e3f0

#: 330 Function Name: NtSuspendProcess
Status: Hooked by "<unknown>" at address 0x87198a90

#: 331 Function Name: NtSuspendThread
Status: Hooked by "<unknown>" at address 0x8717e230

#: 334 Function Name: NtTerminateProcess
Status: Hooked by "<unknown>" at address 0x8717d6b0

#: 335 Function Name: NtTerminateThread
Status: Hooked by "<unknown>" at address 0x8717e310

#: 348 Function Name: NtUnmapViewOfSection
Status: Hooked by "<unknown>" at address 0x8717e770

#: 358 Function Name: NtWriteVirtualMemory
Status: Hooked by "<unknown>" at address 0x8717ea30

Stealth Objects
-------------------
Object: Hidden Module [Name: msimsg.dll]
Process: svchost.exe (PID: 880) Address: 0x6f1a0000 Size: 4096

Object: Hidden Module [Name: msimsg.dll]
Process: svchost.exe (PID: 952) Address: 0x6f1a0000 Size: 4096

Object: Hidden Module [Name: winlogon.exe]
Process: svchost.exe (PID: 1088) Address: 0x01ef0000 Size: 323584

Object: Hidden Module [Name: winlogon.exe]
Process: svchost.exe (PID: 1088) Address: 0x022f0000 Size: 323584

Object: Hidden Module [Name: tquery.dll]
Process: svchost.exe (PID: 1088) Address: 0x6ef80000 Size: 1589248

Object: Hidden Module [Name: WinMgmtR.dll]
Process: svchost.exe (PID: 1088) Address: 0x6ede0000 Size: 8192

Object: Hidden Module [Name: profsvc.dll]
Process: svchost.exe (PID: 1088) Address: 0x73e00000 Size: 163840

Object: Hidden Module [Name: wevtapi.dll]
Process: svchost.exe (PID: 1088) Address: 0x75220000 Size: 258048

Object: Hidden Module [Name: imageres.dll]
Process: Explorer.EXE (PID: 664) Address: 0x66c00000 Size: 15822848

Object: Hidden Module [Name: HP.ActiveSupportLibrary.dll]
Process: hphc_service.exe (PID: 3192) Address: 0x009a0000 Size: 110592

Object: Hidden Module [Name: ieframe.dll]
Process: aim6.exe (PID: 3432) Address: 0x70400000 Size: 6082560

Object: Hidden Code [ETHREAD: 0x83a564e8]
Process: System Address: 0x884665b0 Size: 2643

Object: Hidden Code [ETHREAD: 0x83a7f580]
Process: System Address: 0x88466930 Size: 1747

Object: Hidden Code [ETHREAD: 0x83a7f2d8]
Process: System Address: 0x83a7f4cc Size: 1574

Object: Hidden Code [ETHREAD: 0x83a80d78]
Process: System Address: 0x96368f50 Size: 102

Object: Hidden Code [ETHREAD: 0x83a80828]
Process: System Address: 0x9d169670 Size: 1181

Object: Hidden Code [ETHREAD: 0x83a80580]
Process: System Address: 0xb5b34348 Size: 215

Object: Hidden Code [ETHREAD: 0x87199788]
Process: System Address: 0x96329578 Size: 2696

Hidden Services
-------------------
Service Name: MSIVXserv.sys
Image Path: C:\Windows\system32\drivers\MSIVXjtxqgsqppimmmrtirhetwbskrwcydbmh.sys

==EOF==

Edited by boopme, 03 July 2009 - 11:53 PM.
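The report above mixes a few hard indicators with a lot of normal noise. The hard indicators are the driver that RootRepeal reports as "Hidden from Windows API!" with no name or image path, and the hidden service MSIVXserv.sys whose image is a random-named .sys under system32\drivers. "Locked to the Windows API!" on hiberfil.sys, the winsxs catalogs and the ETW RtBackup logs is what a live Vista system looks like, not an infection. The SSDT hooks are reported as "<unknown>", so the log by itself cannot say whether they belong to the rootkit or to the installed Symantec product's own kernel driver; they deserve a second look, not a wipe. The Python below is an added example, not part of this thread and not RootRepeal's code: it parses a report in the posted layout and assigns severities on those lines. The severities, the random-name rule (a long, letters-only file stem) and the constructed SAMPLE excerpt are this example's own assumptions; "MSIVX" is the prefix seen in the thread.

```python
# Added example (not from the thread or RootRepeal): triage a RootRepeal report in
# the layout posted above. Severities and the random-name rule are this example's own
# assumptions; "MSIVX" is the prefix seen in the thread. SAMPLE is a constructed excerpt.
import re
from collections import Counter, namedtuple

SAMPLE = r"""Drivers
-------------------
Name:

Image Path:

Address: 0x8C84D000 Size: 212992 File Visible: No Signed: -
Status: Hidden from Windows API!

Hidden/Locked Files
-------------------
Path: C:\hiberfil.sys
Status: Locked to the Windows API!

SSDT
-------------------
#: 078 Function Name: NtCreateThread
Status: Hooked by "<unknown>" at address 0x8717d5e0

Stealth Objects
-------------------
Object: Hidden Code [ETHREAD: 0x83a564e8]
Process: System Address: 0x884665b0 Size: 2643

Hidden Services
-------------------
Service Name: MSIVXserv.sys
Image Path: C:\Windows\system32\drivers\MSIVXjtxqgsqppimmmrtirhetwbskrwcydbmh.sys

==EOF==
"""

# Each section opens its records with a fixed key.
STARTER = {"Drivers": "Name:", "Hidden/Locked Files": "Path:", "Processes": "Path:",
           "SSDT": "#:", "Stealth Objects": "Object:", "Hidden Services": "Service Name:"}
KEYS = "Service Name|Image Path|Function Name|Name|Path|Status|Object|Process"
# "Key: value" pairs; a value runs until the next known key on the same line.
KV_RE = re.compile(r"(%s)\s*:\s*(.*?)(?=\s+(?:%s|PID|Address|Size|File Visible|Signed)\s*:|$)"
                   % (KEYS, KEYS))
RANDOM_STEM_RE = re.compile(r"^[A-Za-z]{20,}$")  # long, letters-only file stem
Finding = namedtuple("Finding", "severity section reason evidence")

def parse_report(text):
    """Map each section name to a list of {key: value} records."""
    sections, current, record = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if line in STARTER:
            current, record = line, None
            sections[current] = []
        elif not current or not line or line.startswith("---") or line == "==EOF==":
            continue
        else:
            if line.startswith(STARTER[current]):
                record = {}
                sections[current].append(record)
            if record is not None:
                for key, value in KV_RE.findall(line):
                    record[key] = value.strip()
    return sections

def is_suspicious_name(path):
    """Thread IOC prefix, or a long letters-only stem (no version/hash fragments)."""
    stem = path.replace("\\", "/").rsplit("/", 1)[-1].rsplit(".", 1)[0]
    return stem.upper().startswith("MSIVX") or bool(RANDOM_STEM_RE.match(stem))

def triage(text):
    s, out = parse_report(text), []
    for d in s.get("Drivers", []):  # "Hidden from Windows API" is the direct indicator
        name = d.get("Image Path") or d.get("Name") or "<no name>"
        if "Hidden from Windows API" in d.get("Status", "") or is_suspicious_name(name):
            out.append(Finding("HIGH", "Drivers", "hidden or random-named driver", name))
    for f in s.get("Hidden/Locked Files", []):  # locked system files are normal noise
        path = f.get("Path", "")
        sev, why = ("HIGH", "random-named file") if is_suspicious_name(path) else ("INFO", "in-use system file")
        out.append(Finding(sev, "Hidden/Locked Files", why, path))
    for h in s.get("SSDT", []):  # unattributed hook: rootkit or the AV's own kernel driver
        if "<unknown>" in h.get("Status", ""):
            out.append(Finding("MEDIUM", "SSDT", "hook by unattributed module", h.get("Function Name", "?")))
    for o in s.get("Stealth Objects", []):
        if o.get("Object", "").startswith("Hidden Code"):
            out.append(Finding("MEDIUM", "Stealth Objects", "unbacked kernel code", o["Object"]))
    for v in s.get("Hidden Services", []):  # hidden from the SCM: always act on it
        out.append(Finding("HIGH", "Hidden Services", "hidden service", v.get("Image Path") or v.get("Service Name", "")))
    return out

def summarize(findings):
    return dict(Counter(f.severity for f in findings))

def removal_candidates(findings):
    """Paths behind HIGH findings: what to hand to the wipe/quarantine step."""
    return sorted({f.evidence for f in findings if f.severity == "HIGH" and ":\\" in f.evidence})
```

On a saved log, `triage(open("RootRepeal.txt").read())` gives the findings and `removal_candidates` the file paths behind them; on the excerpt above that is the single MSIVX .sys file, which is also the file the next post tells the user to wipe. The unnamed hidden driver has no path to wipe, which is why the removal step targets the service's image file and then reboots.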


#6 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 72,740 posts
  • Gender:Male
  • Location:NJ USA

Posted 04 July 2009 - 12:02 AM

Now the next step...

Rerun Rootrepeal. After the scan completes, go to the files tab and find these files:

C:\Windows\system32\drivers\MSIVXjtxqgsqppimmmrtirhetwbskrwcydbmh.sys


Then use your mouse to highlight it in the Rootrepeal window.
Next right mouse click on it and select *wipe file* option only.
Then immediately reboot the computer.


Now run Dr.Web
Before we start fixing anything you should print out these instructions or copy them to a NotePad file so they will be accessible. Some steps will require you to disconnect from the Internet or use Safe Mode and you will not have access to this page.

Please download Dr.Web CureIt and save it to your desktop. DO NOT perform a scan yet.
alternate download link
Note: The file will be randomly named (i.e. 5mkuvc4z.exe).

Reboot your computer in "Safe Mode" using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".

Scan with Dr.Web CureIt as follows:
  • Double-click on the randomly named file to open the program and click Start. (There is no need to update if you just downloaded the most current version.)
  • Read the Virus check by DrWeb scanner prompt and click Ok where asked to Start scan now? Allow the setup.exe to load if asked by any of your security programs.
  • The Express scan will automatically begin.
    (This is a short scan of files currently running in memory, boot sectors, and targeted folders).
  • If prompted to download the Full version Free Trial, ignore and click the X to close the window.
  • If an infected object is found, you will be prompted to move anything that cannot be cured. Click Yes to All. (This will move any detected files to the C:\Documents and Settings\userprofile\DoctorWeb\Quarantine folder if they can't be cured)
  • After the Express Scan is finished, put a check next to Complete scan to scan all local disks and removable media.
  • In the top menu, click Settings > Change settings, and uncheck "Heuristic analysis" under the "Scanning" tab, then click Apply, Ok.
  • Back at the main window, click the green arrow "Start Scanning" button on the right under the Dr.Web logo.
  • Please be patient as this scan could take a long time to complete.
  • When the scan has finished, a message will be displayed at the bottom indicating if any viruses were found.
  • Click Select All, then choose Cure > Move incurable.
  • In the top menu, click file and choose save report list.
  • Save the DrWeb.csv report to your desktop.
  • Exit Dr.Web Cureit when done.
  • Important! Reboot your computer because it could be possible that files in use will be moved/deleted during reboot.
  • After reboot, post the contents of the log from Dr.Web in your next reply. (You can use Notepad to open the DrWeb.csv report.)

How do I get help? Who is helping me? For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear.... Become a BleepingComputer fan: Facebook

#7 MikeWater (Topic Starter)

Posted 04 July 2009 - 01:09 AM

I just ran the scan, and that file is not listed in the files tab, but it is listed in the hidden services tab. I tried to "wipe file", but I got this error message:

"Could not find file on disk!"

How should I proceed?

#8 boopme (Global Moderator)

Posted 04 July 2009 - 10:28 AM

OK, I felt this may happen. Please run this next. We will get this.

Before we start fixing anything you should print out these instructions or copy them to a NotePad file so they will be accessible. Some steps will require you to disconnect from the Internet or use Safe Mode and you will not have access to this page.

Please download Dr.Web CureIt and save it to your desktop. DO NOT perform a scan yet.
alternate download link
Note: The file will be randomly named (i.e. 5mkuvc4z.exe).

Reboot your computer in "Safe Mode" using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".

Scan with Dr.Web CureIt as follows:
  • Double-click on the randomly named file to open the program and click Start. (There is no need to update if you just downloaded the most current version.)
  • Read the Virus check by DrWeb scanner prompt and click Ok where asked to Start scan now? Allow the setup.exe to load if asked by any of your security programs.
  • The Express scan will automatically begin.
    (This is a short scan of files currently running in memory, boot sectors, and targeted folders).
  • If prompted to download the Full version Free Trial, ignore and click the X to close the window.
  • If an infected object is found, you will be prompted to move anything that cannot be cured. Click Yes to All. (This will move any detected files to the C:\Documents and Settings\userprofile\DoctorWeb\Quarantine folder if they can't be cured)
  • After the Express Scan is finished, put a check next to Complete scan to scan all local disks and removable media.
  • In the top menu, click Settings > Change settings, and uncheck "Heuristic analysis" under the "Scanning" tab, then click Apply, Ok.
  • Back at the main window, click the green arrow "Start Scanning" button on the right under the Dr.Web logo.
  • Please be patient as this scan could take a long time to complete.
  • When the scan has finished, a message will be displayed at the bottom indicating if any viruses were found.
  • Click Select All, then choose Cure > Move incurable.
  • In the top menu, click file and choose save report list.
  • Save the DrWeb.csv report to your desktop.
  • Exit Dr.Web Cureit when done.
  • Important! Reboot your computer because it could be possible that files in use will be moved/deleted during reboot.
  • After reboot, post the contents of the log from Dr.Web in your next reply. (You can use Notepad to open the DrWeb.csv report.)


#9 MikeWater (Topic Starter)
  • Local time:03:08 PM

Posted 04 July 2009 - 12:59 PM

Okay, I ran Dr. Web in Safe Mode and the express scan found no viruses. I then proceeded with the complete scan after unchecking the "heuristic analysis". About 5-10 minutes into this scan, the computer shut down. After turning it back on, it wanted to check the NTFS file system for consistency, it scanned files, indexes, and security descriptors among other things, and then allowed me to log in.

Should I try to run the scan with Dr. Web again or is there another way to proceed from here?

#10 boopme (Global Moderator)

Posted 04 July 2009 - 02:19 PM

OK, first try these from Safe Mode... If you still have an issue running any, then run them in Normal mode.

#11 MikeWater (Topic Starter)
  • Local time:03:08 PM

Posted 04 July 2009 - 11:14 PM

I cannot believe this! After a 7 hour scan by Dr. Web, I click to save the report and the screen turns blue with some error message and then shuts down, before restarting like it did before. It found 6 infections, 2 of which were deleted, and the rest moved. I don't think I saw any MSIV file in that batch, however.

I'm afraid I have nothing to report for you. This is unbelievably frustrating. Is this crashing a result of whatever rootkit I may have, or is it something else?

#12 boopme (Global Moderator)
  • Local time:04:08 PM

Posted 05 July 2009 - 12:05 AM

Hi, it is probably the result of the havoc the malware has wrought on the registry. But I think DrWeb may have removed enough for us to run MBAM in normal mode.

Next run ATF:
Note: On Vista, "Windows Temp" is disabled. To empty "Windows Temp" ATF-Cleaner must be "Run as an Administrator".


Please download ATF Cleaner by Atribune & save it to your desktop.
  • Double-click ATF-Cleaner.exe to run the program.
  • Under Main "Select Files to Delete" choose: Select All.
  • Click the Empty Selected button.
  • If you use Firefox browser click Firefox at the top and choose: Select All
  • Click the Empty Selected button.
    If you would like to keep your saved passwords, please click No at the prompt.
  • If you use Opera browser click Opera at the top and choose: Select All
  • Click the Empty Selected button.
    If you would like to keep your saved passwords, please click No at the prompt.
  • Click Exit on the Main menu to close the program.


Next run MBAM (MalwareBytes):

NOTE: Before saving MBAM, please rename it to zztoy.exe, then save it to your desktop.

Please download Malwarebytes Anti-Malware and save it to your desktop.
alternate download link 1
alternate download link 2

MBAM may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (ie Spybot's Teatimer), they may interfere or alert you. Temporarily disable such programs or permit them to allow the changes.
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself. Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the definition updates, manually download them from here and just double-click on mbam-rules.exe to install.
On the Scanner tab:
  • Make sure the "Perform Quick Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.
  • Exit MBAM when done.
Note: If MBAM encounters a file that is difficult to remove, you will be asked to reboot your computer so MBAM can proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware.



#13 MikeWater (Topic Starter)
  • Local time:03:08 PM

Posted 05 July 2009 - 06:30 PM

Malwarebytes' Anti-Malware 1.38
Database version: 2377
Windows 6.0.6001 Service Pack 1

7/5/2009 7:15:41 PM
mbam-log-2009-07-05 (19-15-41).txt

Scan type: Quick Scan
Objects scanned: 98785
Time elapsed: 9 minute(s), 45 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 1
Registry Data Items Infected: 7
Folders Infected: 0
Files Infected: 4

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Security Tools (Trojan.Zlob) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\ColdWare (Malware.Trace) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\{6f396a67-f473-48c9-9950-636ce17e584e} (Trojan.Zlob) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_CLASSES_ROOT\regfile\shell\open\command\(default) (Broken.OpenCommand) -> Bad: ("regedit.exe" "%1") Good: (regedit.exe "%1") -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.22,85.255.112.130 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{71710f29-5ee9-4241-91c2-88f0c4581c9b}\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.112.22,85.255.112.130 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.22,85.255.112.130 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{71710f29-5ee9-4241-91c2-88f0c4581c9b}\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.112.22,85.255.112.130 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\Tcpip\Parameters\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.22,85.255.112.130 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\Tcpip\Parameters\Interfaces\{71710f29-5ee9-4241-91c2-88f0c4581c9b}\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.112.22,85.255.112.130 -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
c:\Windows\Tasks\{5B57CF47-0BFA-43c6-ACF9-3B3653DCADBA}.job (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Windows\System32\MSIVXcount (Trojan.Agent) -> Quarantined and deleted successfully.
c:\Windows\System32\MSIVXlbewsyixbecnpupfwqviqefxnsefvbvv.dll (Trojan.Agent) -> Quarantined and deleted successfully.
c:\Windows\System32\MSIVXnspwdmaxqwxiypxuqauptbitipujqrtx.dll (Trojan.Agent) -> Quarantined and deleted successfully.
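
The log above is the first hard evidence in the thread of what the infection actually did: besides the two MSIVX DLLs, the Trojan.DNSChanger entries show NameServer and DhcpNameServer rewritten to 85.255.112.22,85.255.112.130 in CurrentControlSet, ControlSet001 and ControlSet003, and a Broken.OpenCommand entry shows the regfile handler changed so .reg files would not merge. The script below is an added example, not Malwarebytes' code and not from the thread: it parses lines in the "<item> (<Detection>) -> ..." format MBAM writes, counts detections per family, recovers the Bad/Good values of repaired keys, and pulls the DNS server addresses out of DNSChanger entries so they can be matched against an IOC list. ROGUE_DNS_NETS is a placeholder list, the /20 block the two logged addresses happen to sit in; it is an assumption for the example, not something the page states.

```python
"""Added example (not Malwarebytes' code): triage an MBAM log in the format
posted above.

Assumptions: entries are '<item> (<Detection>) -> ...' lines under headers
that end with ':'; ROGUE_DNS_NETS is a stand-in IOC list.
"""
import ipaddress
import re
from collections import Counter
from dataclasses import dataclass
from typing import Optional

# Constructed sample input: lines excerpted from the MBAM log quoted above.
SAMPLE_LOG = """\
Registry Keys Infected:
HKEY_CURRENT_USER\\SOFTWARE\\Security Tools (Trojan.Zlob) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_CLASSES_ROOT\\regfile\\shell\\open\\command\\(default) (Broken.OpenCommand) -> Bad: ("regedit.exe" "%1") Good: (regedit.exe "%1") -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\Tcpip\\Parameters\\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.22,85.255.112.130 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\Tcpip\\Parameters\\Interfaces\\{71710f29-5ee9-4241-91c2-88f0c4581c9b}\\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.112.22,85.255.112.130 -> Quarantined and deleted successfully.

Files Infected:
c:\\Windows\\Tasks\\{5B57CF47-0BFA-43c6-ACF9-3B3653DCADBA}.job (Trojan.FakeAlert) -> Quarantined and deleted successfully.
c:\\Windows\\System32\\MSIVXnspwdmaxqwxiypxuqauptbitipujqrtx.dll (Trojan.Agent) -> Quarantined and deleted successfully.
"""

ENTRY_RE = re.compile(r"^(?P<item>.+?) \((?P<detection>[A-Za-z][\w.]*)\) -> (?P<rest>.+)$")
DATA_RE = re.compile(r"^Data: (?P<data>.+?) -> (?P<action>.+)$")
BAD_GOOD_RE = re.compile(r"^Bad: \((?P<bad>.*)\) Good: \((?P<good>.*)\) -> (?P<action>.+)$")

# Assumed IOC list for the example: the /20 block containing the two logged
# addresses. Replace with your own list of known rogue resolvers.
ROGUE_DNS_NETS = [ipaddress.ip_network("85.255.112.0/20")]


@dataclass
class Entry:
    section: str
    item: str
    detection: str
    action: str
    data: Optional[str] = None   # value MBAM found (DNSChanger entries)
    bad: Optional[str] = None    # Broken.* entries: what the key contained
    good: Optional[str] = None   # Broken.* entries: what MBAM restored


def parse_mbam_log(text: str) -> list:
    entries, section = [], ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.endswith(":"):          # 'Files Infected:' and similar headers
            section = line[:-1]
            continue
        m = ENTRY_RE.match(line)
        if not m:
            continue                    # summary lines, blank sections, etc.
        rest = m["rest"]
        entry = Entry(section, m["item"], m["detection"], rest)
        d = DATA_RE.match(rest)
        bg = BAD_GOOD_RE.match(rest)
        if d:
            entry.data, entry.action = d["data"], d["action"]
        elif bg:
            entry.bad, entry.good, entry.action = bg["bad"], bg["good"], bg["action"]
        entries.append(entry)
    return entries


def detections_by_family(entries) -> Counter:
    return Counter(e.detection for e in entries)


def rogue_dns_servers(entries) -> set:
    """Addresses from DNSChanger entries that fall inside ROGUE_DNS_NETS."""
    found = set()
    for e in entries:
        if e.detection != "Trojan.DNSChanger" or not e.data:
            continue
        for token in e.data.split(","):
            ip = ipaddress.ip_address(token.strip())
            if any(ip in net for net in ROGUE_DNS_NETS):
                found.add(str(ip))
    return found


if __name__ == "__main__":
    found = parse_mbam_log(SAMPLE_LOG)
    print(detections_by_family(found))
    print("rogue resolvers:", sorted(rogue_dns_servers(found)))
```

Because the DNS values live under several control sets and under a per-interface key, the log alone is not proof the machine is resolving through a clean server again; after the reboot MBAM asks for, check the resolver the box is actually using (ipconfig /all) and compare it with what the interface should get from DHCP.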

#14 boopme (Global Moderator)
  • Local time:04:08 PM

Posted 05 July 2009 - 06:43 PM

Finally something good..
Now we need another look. Sometimes it takes a few tools and several scans so bear with it.

Run part 1 of S!Ri's SmitfraudFix
Please download SmitfraudFix

Double-click SmitfraudFix.exe
Select option #1 - Search by typing 1 and press "Enter"; a text file will appear, which lists infected files (if present).
Please copy/paste the content of that report into your next reply.

Note: process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.
http://www.beyondlogic.org/consulting/proc...processutil.htm

#15 MikeWater (Topic Starter)
  • Local time:03:08 PM

Posted 05 July 2009 - 07:12 PM

C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Windows\Explorer.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QLBCTRL.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Hp\HP Software Update\hpwuSchd2.exe
C:\Program Files\Java\jre1.6.0\bin\jusched.exe
C:\Program Files\Hp\QuickPlay\QPService.exe
C:\Program Files\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe
C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Symantec AntiVirus\VPTray.exe
C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe
C:\Program Files\AirPort\APAgent.exe
C:\Program Files\Seagate\SeagateManager\FreeAgent Status\stxmenumgr.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\TomTom HOME 2\HOMERunner.exe
C:\Users\Mr. Roboto\Program Files\DNA\btdna.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files\Hp\Digital Imaging\bin\hpqtra08.exe
C:\Windows\ehome\ehmsas.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\PROGRA~1\HEWLET~1\Shared\HPQTOA~1.EXE
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqbam08.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Windows NT\Accessories\WORDPAD.EXE
C:\Windows\system32\cmd.exe
C:\Windows\system32\cscript.exe

This is the text file (called "Process") that SmitFraudFix created when I did a scan. Are these infected files?
