
[Resolved] Bad Image Error after virus removal


44 replies to this topic

#1 Comcrap (Authentic Member, 22 posts)

Posted 24 September 2009 - 08:46 PM

I recently noticed my browser acting funny (redirecting me while I tried to browse Google). I did a Malwarebytes' Anti-Malware quick scan, and it found 9 infected objects (rootkits, some DLLs with randomly generated letters for names). It deleted all but 3, located in the system32 folder, and told me it'd have to delete them on restart, so I hesitantly restarted. Sure enough it started giving me weird stuff. Now every time a process starts, it gives me an error message saying "notepad.exe - Bad Image: The application or DLL Globalroot\systemroot\system32\gasfkybqqpkrod.dll is not a valid Windows Image. Please check this against your installation diskette." How do I fix this? Right now, I'm running Windows XP Professional on a desktop system.

Edited by Comcrap, 24 September 2009 - 08:46 PM.



#2 oldman960 (Forum God, Classroom Teacher, 14,755 posts)

Posted 24 September 2009 - 11:49 PM

Hi Comcrap, welcome to the forum.

To make cleaning this machine easier:
  • Please do not uninstall/install any programs unless asked to.
    It is more difficult when files/programs are appearing in/disappearing from the logs.
  • Please do not run any scans other than those requested.
  • Please follow all instructions in the order posted.
  • All logs/reports, etc. must be posted in Notepad. Please ensure that word wrap is unchecked. In Notepad click Format, and uncheck Word Wrap if it is checked.
  • Do not attach any logs/reports, etc. unless specifically requested to do so.
  • If you have problems with or do not understand the instructions, please ask before continuing.
  • Please stay with this thread until given the All Clear. An absence of symptoms does not mean a clean machine.

That would indicate the possibility of still-active rootkit activity.

Download the GMER Rootkit Scanner. Unzip it to your Desktop.

Before scanning, make sure all other running programs are closed and no other actions like a scheduled antivirus scan will occur while the scan is being performed. Do not use your computer for anything else during the scan.

Double-click gmer.exe. The program will begin to run.

**Caution**
These types of scans can produce false positives. Do NOT take any action on any
"<--- ROOTKIT" entries unless advised!

If possible rootkit activity is found, you will be asked if you would like to perform a full scan.
  • Click NO
  • In the right panel, you will see a bunch of boxes that have been checked ... leave everything checked and ensure the Show all box is un-checked.
  • Now click the Scan button.
    Once the scan is complete, you may receive another notice about rootkit activity.
  • Click OK.
  • GMER will produce a log. Click on the [Save..] button, and in the File name area, type in "GMER.txt"
  • Save it where you can easily find it, such as your desktop.
If you do not receive notice about possible rootkit activity remain on the Rootkit/Malware tab & make sure the 'Show All' button is unticked.
  • Click the Scan button and let the program do its work. GMER will produce a log. Click on the [Save..] button, and in the File name area, type in "Gmer.txt" or it will save as a .log file which cannot be uploaded to your post.
  • Save it where you can easily find it, such as your desktop


Next

  • Open MBAM
  • Click on the Logs tab
  • Click on the log entry and click the Open button
  • It will open in Notepad; please copy and paste its contents into your next reply
If you have run MBAM multiple times, please post all the logs starting with the earliest one.

Please post back with
  • GMER log
  • MBAM log(s)

Thanks

Proud Graduate of the WTT Classroom
If you are happy with the help you received, please consider making a Donation
Curiosity didn't kill the cat. Ignorance did, curiosity was framed.
Learn how to protect Yourself

Threads will be closed if no response after 5 days.

#3 Comcrap (Authentic Member, 22 posts)

Posted 25 September 2009 - 03:47 AM

FOR GMER

GMER 1.0.15.15087 - http://www.gmer.net
Rootkit scan 2009-09-25 01:59:11
Windows 5.1.2600 Service Pack 2
Running: gmer.exe; Driver: C:\DOCUME~1\beta\LOCALS~1\Temp\ffrcrfow.sys


---- System - GMER 1.0.15 ----

INT 0x62 ? 898ABBF8
INT 0x63 ? 89640BF8
INT 0x63 ? 89640BF8
INT 0x63 ? 89640BF8
INT 0x63 ? 89640BF8
INT 0x63 ? 89640BF8
INT 0x63 ? 89640BF8
INT 0x82 ? 898ABBF8
INT 0x83 ? 8991ABF8

Code 8920BB10 ZwEnumerateKey
Code 89205E68 ZwFlushInstructionCache
Code 8928CCCE ZwSaveKey
Code 8928787E ZwSaveKeyEx
Code 89287CCE IofCallDriver
Code 892882BE IofCompleteRequest

---- Kernel code sections - GMER 1.0.15 ----

.text ntoskrnl.exe!IofCallDriver 804E37C5 5 Bytes JMP 89287CD3
.text ntoskrnl.exe!IofCompleteRequest 804E3BF6 5 Bytes JMP 892882C3
PAGE ntoskrnl.exe!ZwEnumerateKey 8056EF30 5 Bytes JMP 8920BB14
PAGE ntoskrnl.exe!ZwFlushInstructionCache 80576A6A 5 Bytes JMP 89205E6C
PAGE ntoskrnl.exe!ZwSaveKey 8064C1EF 5 Bytes JMP 8928CCD2
PAGE ntoskrnl.exe!ZwSaveKeyEx 8064C287 5 Bytes JMP 89287882
? spoh.sys The system cannot find the file specified. !
.text USBPORT.SYS!DllUnload BA55C62C 5 Bytes JMP 896401D8

---- Kernel IAT/EAT - GMER 1.0.15 ----

IAT \WINDOWS\System32\Drivers\SCSIPORT.SYS[ntoskrnl.exe!DbgBreakPoint] 8991A2D8
IAT pci.sys[ntoskrnl.exe!IoDetachDevice] [F7507C4C] spoh.sys
IAT pci.sys[ntoskrnl.exe!IoAttachDeviceToDeviceStack] [F7507CA0] spoh.sys
IAT atapi.sys[HAL.dll!READ_PORT_UCHAR] [F74D7042] spoh.sys
IAT atapi.sys[HAL.dll!READ_PORT_BUFFER_USHORT] [F74D713E] spoh.sys
IAT atapi.sys[HAL.dll!READ_PORT_USHORT] [F74D70C0] spoh.sys
IAT atapi.sys[HAL.dll!WRITE_PORT_BUFFER_USHORT] [F74D7800] spoh.sys
IAT atapi.sys[HAL.dll!WRITE_PORT_UCHAR] [F74D76D6] spoh.sys
IAT \SystemRoot\system32\DRIVERS\USBPORT.SYS[ntoskrnl.exe!DbgBreakPoint] 896402D8
IAT \SystemRoot\system32\DRIVERS\i8042prt.sys[HAL.dll!READ_PORT_UCHAR] [F74E6E9C] spoh.sys

---- Devices - GMER 1.0.15 ----

Device \FileSystem\Ntfs \Ntfs 899161F8
Device \FileSystem\Fastfat \FatCdrom 896681F8
Device \Driver\usbuhci \Device\USBPDO-0 8963F1F8
Device \Driver\usbuhci \Device\USBPDO-1 8963F1F8
Device \Driver\dmio \Device\DmControl\DmIoDaemon 899181F8
Device \Driver\dmio \Device\DmControl\DmConfig 899181F8
Device \Driver\dmio \Device\DmControl\DmPnP 899181F8
Device \Driver\dmio \Device\DmControl\DmInfo 899181F8
Device \Driver\usbuhci \Device\USBPDO-2 8963F1F8
Device \Driver\usbuhci \Device\USBPDO-3 8963F1F8
Device \Driver\usbehci \Device\USBPDO-4 896121F8
Device \Driver\Ftdisk \Device\HarddiskVolume1 898AC1F8
Device \Driver\usbstor \Device\00000064 891B7500
Device \Driver\Ftdisk \Device\HarddiskVolume2 898AC1F8
Device \Driver\Cdrom \Device\CdRom0 896411F8
Device \Driver\atapi \Device\Ide\IdePort0 898AB1F8
Device \Driver\atapi \Device\Ide\IdePort1 898AB1F8
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-4 898AB1F8
Device \Driver\atapi \Device\Ide\IdeDeviceP0T1L0-c 898AB1F8
Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-17 898AB1F8
Device \Driver\Cdrom \Device\CdRom1 896411F8
Device \Driver\usbstor \Device\00000068 891B7500
Device \Driver\PCI_PNP8060 \Device\0000003d spoh.sys
Device \Driver\PCI_PNP8060 \Device\0000003d spoh.sys
Device \Driver\NetBT \Device\NetBt_Wins_Export 894E21F8
Device \Driver\NetBT \Device\NetbiosSmb 894E21F8
Device \Driver\NetBT \Device\NetBT_Tcpip_{4B6535BD-24A5-4CF9-8AE3-61810A429ACA} 894E21F8
Device \Driver\usbuhci \Device\USBFDO-0 8963F1F8
Device \Driver\usbuhci \Device\USBFDO-1 8963F1F8
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver 890CE1F8
Device \Driver\usbuhci \Device\USBFDO-2 8963F1F8
Device \Driver\sptd \Device\621396810 spoh.sys
Device \FileSystem\MRxSmb \Device\LanmanRedirector 890CE1F8
Device \Driver\usbuhci \Device\USBFDO-3 8963F1F8
Device \Driver\usbehci \Device\USBFDO-4 896121F8
Device \Driver\Ftdisk \Device\FtControl 898AC1F8
Device \Driver\viasraid \Device\Scsi\viasraid1 899171F8
Device \Driver\aszspgts \Device\Scsi\aszspgts1 895A71F8
Device \Driver\aszspgts \Device\Scsi\aszspgts1Port3Path0Target0Lun0 895A71F8
Device \FileSystem\Fastfat \Fat 896681F8
Device \FileSystem\Cdfs \Cdfs 896661F8

---- Services - GMER 1.0.15 ----

Service C:\WINDOWS\system32\drivers\gasfkypxllgqqk.sys (*** hidden *** ) [SYSTEM] gasfkyuoyxgroa <-- ROOTKIT !!!

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\gasfkyuoyxgroa
Reg HKLM\SYSTEM\CurrentControlSet\Services\gasfkyuoyxgroa@start 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\gasfkyuoyxgroa@type 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\gasfkyuoyxgroa@group file system
Reg HKLM\SYSTEM\CurrentControlSet\Services\gasfkyuoyxgroa@imagepath \systemroot\system32\drivers\gasfkypxllgqqk.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\gasfkyuoyxgroa\main
Reg HKLM\SYSTEM\CurrentControlSet\Services\gasfkyuoyxgroa\main@aid 10096
Reg HKLM\SYSTEM\CurrentControlSet\Services\gasfkyuoyxgroa\main@sid 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\gasfkyuoyxgroa\main@cmddelay 14400
Reg HKLM\SYSTEM\CurrentControlSet\Services\gasfkyuoyxgroa\main\connections
Reg HKLM\SYSTEM\CurrentControlSet\Services\gasfkyuoyxgroa\main\delete
Reg HKLM\SYSTEM\CurrentControlSet\Services\gasfkyuoyxgroa\main\injector
Reg HKLM\SYSTEM\CurrentControlSet\Services\gasfkyuoyxgroa\main\injector@* gasfkywsp8y.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\gasfkyuoyxgroa\main\tasks
Reg HKLM\SYSTEM\CurrentControlSet\Services\gasfkyuoyxgroa\modules
Reg HKLM\SYSTEM\CurrentControlSet\Services\gasfkyuoyxgroa\modules@gasfkyrk.sys \systemroot\system32\drivers\gasfkypxllgqqk.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\gasfkyuoyxgroa\modules@gasfkycmd.dll \systemroot\system32\gasfkymxoddrjj.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\gasfkyuoyxgroa\modules@gasfkylog.dat \systemroot\system32\gasfkyehrlntrp.dat
Reg HKLM\SYSTEM\CurrentControlSet\Services\gasfkyuoyxgroa\modules@gasfkywsp.dll \systemroot\system32\gasfkysaejecuj.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\gasfkyuoyxgroa\modules@gasfky.dat \systemroot\system32\gasfkyndwrqkxx.dat
Reg HKLM\SYSTEM\CurrentControlSet\Services\gasfkyuoyxgroa\modules@gasfkywsp8y.dll \systemroot\system32\gasfkybqqpkrod.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Program Files\DAEMON Tools Lite\
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0xC1 0xDD 0x58 0x66 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0xA3 0x0F 0xB5 0x62 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0x89 0x79 0xD2 0x61 ...
Reg HKLM\SYSTEM\ControlSet002\Services\gasfkyuoyxgroa (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\gasfkyuoyxgroa@start 1
Reg HKLM\SYSTEM\ControlSet002\Services\gasfkyuoyxgroa@type 1
Reg HKLM\SYSTEM\ControlSet002\Services\gasfkyuoyxgroa@group file system
Reg HKLM\SYSTEM\ControlSet002\Services\gasfkyuoyxgroa@imagepath \systemroot\system32\drivers\gasfkypxllgqqk.sys
Reg HKLM\SYSTEM\ControlSet002\Services\gasfkyuoyxgroa\main (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\gasfkyuoyxgroa\main@aid 10096
Reg HKLM\SYSTEM\ControlSet002\Services\gasfkyuoyxgroa\main@sid 0
Reg HKLM\SYSTEM\ControlSet002\Services\gasfkyuoyxgroa\main@cmddelay 14400
Reg HKLM\SYSTEM\ControlSet002\Services\gasfkyuoyxgroa\main\connections (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\gasfkyuoyxgroa\main\delete (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\gasfkyuoyxgroa\main\injector (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\gasfkyuoyxgroa\main\injector@* gasfkywsp8y.dll
Reg HKLM\SYSTEM\ControlSet002\Services\gasfkyuoyxgroa\main\tasks (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\gasfkyuoyxgroa\modules (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\gasfkyuoyxgroa\modules@gasfkyrk.sys \systemroot\system32\drivers\gasfkypxllgqqk.sys
Reg HKLM\SYSTEM\ControlSet002\Services\gasfkyuoyxgroa\modules@gasfkycmd.dll \systemroot\system32\gasfkymxoddrjj.dll
Reg HKLM\SYSTEM\ControlSet002\Services\gasfkyuoyxgroa\modules@gasfkylog.dat \systemroot\system32\gasfkyehrlntrp.dat
Reg HKLM\SYSTEM\ControlSet002\Services\gasfkyuoyxgroa\modules@gasfkywsp.dll \systemroot\system32\gasfkysaejecuj.dll
Reg HKLM\SYSTEM\ControlSet002\Services\gasfkyuoyxgroa\modules@gasfky.dat \systemroot\system32\gasfkyndwrqkxx.dat
Reg HKLM\SYSTEM\ControlSet002\Services\gasfkyuoyxgroa\modules@gasfkywsp8y.dll \systemroot\system32\gasfkybqqpkrod.dll
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Program Files\DAEMON Tools Lite\
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0xC1 0xDD 0x58 0x66 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0xA3 0x0F 0xB5 0x62 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0x89 0x79 0xD2 0x61 ...

---- Files - GMER 1.0.15 ----

File C:\Program Files\Adobe\Acrobat 8.0\Acrobat\plug_ins3d\3difr.x3d (size mismatch) 538112/262144 bytes executable
File C:\Program Files\Adobe\Adobe InDesign CS3\Adobe_epic\Personalization\Cs_CZ\FrameWork.log 58756 bytes
File C:\Program Files\Adobe\Adobe InDesign CS3\Adobe_epic\Personalization\Cs_CZ\mofcomp.log 14617 bytes
File C:\Program Files\Adobe\Adobe InDesign CS3\Adobe_epic\Personalization\Cs_CZ\replog.log 405 bytes
File C:\Program Files\Adobe\Adobe InDesign CS3\Adobe_epic\Personalization\Cs_CZ\setup.log 4961 bytes
File C:\Program Files\Adobe\Adobe InDesign CS3\Adobe_epic\Personalization\Cs_CZ\wbemcore.log 143 bytes
File C:\Program Files\Adobe\Adobe InDesign CS3\Adobe_epic\Personalization\Cs_CZ\wbemess.log 52759 bytes
File C:\Program Files\Adobe\Adobe InDesign CS3\Adobe_epic\Personalization\Cs_CZ\wbemess.lo_ 65611 bytes
File C:\Program Files\Adobe\Adobe InDesign CS3\Adobe_epic\Personalization\Cs_CZ\wbemprox.log 152 bytes
File C:\Program Files\Adobe\Adobe InDesign CS3\Adobe_epic\Personalization\Cs_CZ\wmiadap.log 4839 bytes
File C:\Program Files\Adobe\Adobe InDesign CS3\Adobe_epic\Personalization\Cs_CZ\wmiprov.log 31187 bytes
File C:\Program Files\AIM6\services\imApp\ver6_9_15_1\resources\en-US\AppEvent.Evt 524288 bytes
File C:\Program Files\AIM6\services\imApp\ver6_9_15_1\resources\en-US\default.LOG 1024 bytes
File C:\Program Files\AIM6\services\imApp\ver6_9_15_1\resources\en-US\default.sav 94208 bytes
File C:\Program Files\AIM6\services\imApp\ver6_9_15_1\resources\en-US\SAM 262144 bytes
File C:\Program Files\AIM6\services\imApp\ver6_9_15_1\resources\en-US\SAM.LOG 1024 bytes
File C:\Program Files\AIM6\services\imApp\ver6_9_15_1\resources\en-US\SecEvent.Evt 65536 bytes
File C:\Program Files\AIM6\services\imApp\ver6_9_15_1\resources\en-US\SECURITY 262144 bytes
File C:\Program Files\AIM6\services\imApp\ver6_9_15_1\resources\en-US\SECURITY.LOG 1024 bytes
File C:\Program Files\AIM6\services\imApp\ver6_9_15_1\resources\en-US\software 23855104 bytes
File C:\Program Files\AIM6\services\imApp\ver6_9_15_1\resources\en-US\software.LOG 1024 bytes
File C:\Program Files\AIM6\services\imApp\ver6_9_15_1\resources\en-US\software.sav 659456 bytes
File C:\Program Files\AIM6\services\imApp\ver6_9_15_1\resources\en-US\SysEvent.Evt 524288 bytes
File C:\Program Files\AIM6\services\imApp\ver6_9_15_1\resources\en-US\system 4718592 bytes
File C:\Program Files\AIM6\services\imApp\ver6_9_15_1\resources\en-US\system.LOG 1024 bytes
File C:\Program Files\AIM6\services\imApp\ver6_9_15_1\resources\en-US\system.sav 892928 bytes
File C:\Program Files\AIM6\services\imApp\ver6_9_15_1\resources\en-US\systemprofile 0 bytes
File C:\Program Files\AIM6\services\imApp\ver6_9_15_1\resources\en-US\TempKey.LOG 1024 bytes
File C:\Program Files\AIM6\services\imApp\ver6_9_15_1\resources\en-US\userdiff 262144 bytes
File C:\Program Files\AIM6\services\imApp\ver6_9_15_1\resources\en-US\userdiff.LOG 1024 bytes

---- EOF - GMER 1.0.15 ----


FOR MBAM

Malwarebytes' Anti-Malware 1.41
Database version: 2857
Windows 5.1.2600 Service Pack 2

9/24/2009 7:21:20 PM
mbam-log-2009-09-24 (19-21-20).txt

Scan type: Quick Scan
Objects scanned: 98014
Time elapsed: 15 minute(s), 14 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 1
Files Infected: 7

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{28abc5c0-4fcb-11cf-aax5-81cx1c635612} (Generic.Bot.H) -> Delete on reboot.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\RECYCLER\S-1-5-21-1482476501-1644491937-682003330-1013 (Trojan.Agent) -> Delete on reboot.

Files Infected:
C:\RECYCLER\S-1-5-21-1482476501-1644491937-682003330-1013\win32.exe (Generic.Bot.H) -> Delete on reboot.
C:\WINDOWS\system32\gasfkybqqpkrod.dll (Rootkit.TDSS) -> Delete on reboot.
C:\WINDOWS\system32\gasfkymxoddrjj.dll (Rootkit.TDSS) -> Delete on reboot.
C:\WINDOWS\system32\gasfkysaejecuj.dll (Rootkit.TDSS) -> Delete on reboot.
C:\WINDOWS\Temp\gasfkyksvmtvsirb.tmp (Rootkit.TDSS) -> Delete on reboot.
C:\Documents and Settings\beta\Local Settings\Temporary Internet Files\Content.IE5\SX6FSL6V\load[1].php (Rootkit.TDSS) -> Quarantined and deleted successfully.
C:\RECYCLER\S-1-5-21-1482476501-1644491937-682003330-1013\Desktop.ini (Trojan.Agent) -> Quarantined and deleted successfully.


Still getting these error messages every time I open a program (or it does any kind of process.)
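As an added example (not part of this thread, nor GMER's or MBAM's own code), the Python below parses the "Reg" lines of a GMER log and the "Files Infected" lines of an MBAM log, and ties the DLL named in the Bad Image error from post #1 to the hidden service's module table, its injector@* rule, and MBAM's "Delete on reboot" action on the same file. The sample lines are constructed from the logs in this post; the function and field names are my own.

```python
"""Added example: correlate the GMER registry dump with the MBAM log from this post.

Parses GMER 'Reg' lines into per-service records (image path, injector rules,
module table), parses MBAM 'Files Infected' lines, and ties the DLL named in a
'Bad Image' error back to the service that injects it. Sample lines are
constructed from the logs in this thread; function and field names are mine.
"""
import re
from typing import Dict, List, Optional

# Constructed sample: a subset of the GMER 'Registry' section posted above.
GMER_SAMPLE = [
    r"Reg HKLM\SYSTEM\CurrentControlSet\Services\gasfkyuoyxgroa@imagepath \systemroot\system32\drivers\gasfkypxllgqqk.sys",
    r"Reg HKLM\SYSTEM\CurrentControlSet\Services\gasfkyuoyxgroa\main\injector",
    r"Reg HKLM\SYSTEM\CurrentControlSet\Services\gasfkyuoyxgroa\main\injector@* gasfkywsp8y.dll",
    r"Reg HKLM\SYSTEM\CurrentControlSet\Services\gasfkyuoyxgroa\modules@gasfkyrk.sys \systemroot\system32\drivers\gasfkypxllgqqk.sys",
    r"Reg HKLM\SYSTEM\CurrentControlSet\Services\gasfkyuoyxgroa\modules@gasfkywsp.dll \systemroot\system32\gasfkysaejecuj.dll",
    r"Reg HKLM\SYSTEM\CurrentControlSet\Services\gasfkyuoyxgroa\modules@gasfkywsp8y.dll \systemroot\system32\gasfkybqqpkrod.dll",
    r"Reg HKLM\SYSTEM\ControlSet002\Services\gasfkyuoyxgroa\modules@gasfkywsp8y.dll \systemroot\system32\gasfkybqqpkrod.dll",
]

# Constructed sample: 'Files Infected' lines from the MBAM log posted above.
MBAM_SAMPLE = [
    r"C:\WINDOWS\system32\gasfkybqqpkrod.dll (Rootkit.TDSS) -> Delete on reboot.",
    r"C:\WINDOWS\system32\gasfkymxoddrjj.dll (Rootkit.TDSS) -> Delete on reboot.",
    r"C:\RECYCLER\S-1-5-21-1482476501-1644491937-682003330-1013\Desktop.ini (Trojan.Agent) -> Quarantined and deleted successfully.",
]

# The error text quoted in post #1.
BAD_IMAGE_MESSAGE = (
    r"notepad.exe - Bad Image The application or DLL "
    r"Globalroot\systemroot\system32\gasfkybqqpkrod.dll is not a valid windows Image."
)

REG_LINE = re.compile(r"^Reg (?P<key>[^@ ]+)(?:@(?P<name>\S+))?(?: (?P<data>.*))?$")
MBAM_LINE = re.compile(r"^(?P<path>.+?) \((?P<detection>[^)]+)\) -> (?P<action>.+?)\.?$")
BAD_IMAGE = re.compile(r"DLL (?P<path>\S+) is not a valid", re.IGNORECASE)


def basename(path: str) -> str:
    """Lower-cased last path component, so the GMER systemroot form and the
    MBAM drive-letter form of the same file compare equal."""
    return path.rsplit("\\", 1)[-1].lower()


def parse_gmer_services(lines: List[str]) -> Dict[str, dict]:
    """Rebuild each service's image path, injector rules and module table from
    GMER 'Reg' lines. Only the active CurrentControlSet is considered."""
    services: Dict[str, dict] = {}
    for line in lines:
        m = REG_LINE.match(line.strip())
        if not m or m.group("name") is None:
            continue  # bare key line or not a Reg line: nothing to record
        parts = m.group("key").split("\\")
        if "CurrentControlSet" not in parts or "Services" not in parts:
            continue
        svc_idx = parts.index("Services") + 1
        if svc_idx >= len(parts):
            continue
        svc = services.setdefault(
            parts[svc_idx], {"imagepath": None, "injector": [], "modules": {}}
        )
        subkey = "\\".join(parts[svc_idx + 1:]).lower()
        name, data = m.group("name"), m.group("data") or ""
        if subkey == "" and name.lower() == "imagepath":
            svc["imagepath"] = data
        elif subkey == "main\\injector":
            # rule name '*' means: inject the named module into every process
            svc["injector"].append((name, data.lower()))
        elif subkey == "modules":
            svc["modules"][name.lower()] = data
    return services


def parse_mbam_files(lines: List[str]) -> Dict[str, dict]:
    """Map lower-cased file names to MBAM's detection name and action."""
    found: Dict[str, dict] = {}
    for line in lines:
        m = MBAM_LINE.match(line.strip())
        if m:
            found[basename(m.group("path"))] = {
                "path": m.group("path"),
                "detection": m.group("detection"),
                "action": m.group("action"),
            }
    return found


def explain_bad_image(message: str, gmer_lines: List[str], mbam_lines: List[str]) -> Optional[dict]:
    """Tie the DLL in a 'Bad Image' error to the service whose module table
    lists it, the injector rules that load it, and what MBAM did to the file."""
    m = BAD_IMAGE.search(message)
    if not m:
        return None
    wanted = basename(m.group("path"))
    mbam_hit = parse_mbam_files(mbam_lines).get(wanted)
    for svc_name, svc in parse_gmer_services(gmer_lines).items():
        for alias, path in svc["modules"].items():
            if basename(path) != wanted:
                continue
            rules = [rule for rule, target in svc["injector"] if target == alias]
            return {
                "dll": wanted,
                "service": svc_name,
                "driver": svc["imagepath"],
                "module_alias": alias,
                "injector_rules": rules,
                "mbam_action": mbam_hit["action"] if mbam_hit else None,
            }
    return None


if __name__ == "__main__":
    print(explain_bad_image(BAD_IMAGE_MESSAGE, GMER_SAMPLE, MBAM_SAMPLE))
```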

#4 oldman960 (Forum God, Classroom Teacher, 14,755 posts)

Posted 25 September 2009 - 07:42 PM

Hi Comcrap,

Still getting these error messages

Yes, the rootkit is still here.

Your system has been infected by one or more Rootkits/Backdoor Trojans.

This allows hackers to remotely control your computer, steal critical system information, and download and execute files.

More information on Remote Access Trojans can be found here.

I strongly suggest you do the following immediately:
  • From a clean computer, change *all* your online passwords -- for email, for banks, financial accounts, PayPal, eBay, online companies, any online forums or groups you belong to.
  • DO NOT change passwords or do any transactions while using the infected computer because the attacker will get the new passwords and transaction information.

I suggest you read:


If you wish to continue:

Please read through the instructions to familiarize yourself with what to expect when the tool runs.

It is vitally important that ComboFix is renamed before it even starts to download.


Please download ComboFix from Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**

  • If you are using Firefox, make sure that your download settings are as follows:
    -Tools->Options->Main tab
    -Set to "Always ask me where to Save the files".
During the download, before you save it to your desktop, rename Combofix to jgh.exe

  • It is important you rename Combofix during the download, but not after.
  • Please do not rename Combofix to other names, but only to the one indicated.
  • Close any open browsers.
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix

-----------------------------------------------------------

  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
  • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.

    -----------------------------------------------------------

  • Double click on the renamed ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.



Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

[image]

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

Notes:

1. Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
2. ComboFix may reset a number of Internet Explorer's settings, including making IE the default browser.
3. CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

Please post back with
  • combofix log
How is the computer?

Thanks


#5 Comcrap (Authentic Member, 22 posts)

Posted 26 September 2009 - 12:06 AM

I cannot run ComboFix. It seems every time something runs, it gives me a bunch of BAD IMAGE errors about some processes that ComboFix is trying to run, and it just repeats the errors over and over, making it impossible to run the program.

#6 oldman960 (Forum God, Classroom Teacher, 14,755 posts)

Posted 26 September 2009 - 01:36 AM

Hi Comcrap,


Please download exeHelper to your desktop.
  • Double-click on exeHelper.com to run the fix.
  • A black window should pop up, press any key to close once the fix is completed.
  • Post the contents of log.txt (Will be created in the directory where you ran exeHelper.com)
Note If the window shows a message that says "Error deleting file", please re-run the program before posting a log - and post the two logs together (they will both be in the one file).

NEXT

Download and run Win32kDiag:
  • Download Win32kDiag from any of the following locations and save it to your Desktop.
  • Double-click Win32kDiag.exe to run Win32kDiag and let it finish.
  • When it states "Finished! Press any key to exit...", press any key on your keyboard to close the program.
  • Double-click on the Win32kDiag.txt file that is located on your Desktop and post the entire contents of that log as a reply to this topic.
    • To ensure the entire contents are copied, right click anywhere in the notepad and click Select All
    • Right click the highlighted text and click Copy

Please post back with the log.txt and the Win32kDiag.txt

Thanks


#7 Comcrap (Authentic Member, 22 posts)

Posted 26 September 2009 - 01:45 AM

first

exeHelper by Raktor - 09 Build 20090925
Run at 00:42:08 on 09/26/09
Now searching...
Checking for numerical processes...
Checking for bad processes...
Checking for bad files...
Checking for bad registry entries...
Resetting filetype association for .exe
Resetting filetype association for .com
Resetting userinit and shell values...
Resetting policies...
--Finished--

Still getting errors

Win32

Running from: C:\Documents and Settings\beta\Desktop\Win32kDiag.exe
Log file at : C:\Documents and Settings\beta\Desktop\Win32kDiag.txt

WARNING: Could not get backup privileges!

Searching 'C:\WINDOWS'...

Finished!

Edited by Comcrap, 26 September 2009 - 01:45 AM.


#8 oldman960 (Forum God, Classroom Teacher, 14,755 posts)

Posted 26 September 2009 - 08:28 AM

Hi Comcrap,

When you tried to run combofix, were the errors "application or DLL Globalroot\systemroot\system32\gasfkybqqpkrod.dll " or a similar name?

Let's see if we can get a look at it with this tool.


Please run RootRepeal
  • Download RootRepeal from one of the following locations and save it to your desktop.
    Here
    Here
    or Here

  • Open RootRepeal on your desktop.

  • Click the [image] tab.

  • Click the [image] button.

  • In the Select Scan dialog, check the items shown:

    [image]

  • Push Ok
  • Check the box for your main system drive (Usually C:), and press OK.
  • Allow RootRepeal to run a scan of your system. This may take some time.
  • Once the scan completes, push the [image] button. Save the log to your desktop, using a distinctive name, such as RootRepeal.txt.

Next

Please download DDS and save it to your desktop.
  • Disable any script blocking protection
  • Double click dds.scr to run the tool.
  • When done, DDS.txt will open.
  • Click Yes at the next prompt for Optional Scan.
  • Save both reports to your desktop.
---------------------------------------------------

Please include the contents of the following in your next reply:

DDS.txt

Please attach the second file; Attach.txt. To attach a file, do the following:
  • Under the reply panel is the Attachments Panel
  • Browse for the attachment file you want to upload, then click the green Upload button
  • Once it has uploaded, click the Manage Current Attachments drop down box
  • Click on the [image] icon to insert the attachment into your post

Thanks


#9 Comcrap (Authentic Member, 22 posts)

Posted 26 September 2009 - 02:12 PM

The same thing that happened with ComboFix happened with DDS. It'd turn on, then every time it did something it'd give me repeated errors (the same error as before) with Fi.exe, Cmd.exe, and so on, over and over, making it impossible to run. Here's the other log though.

Attached Files: rr.txt (2.35KB), 2.txt (7.37KB), ssdt.txt (36.32KB), drivers.txt (34.01KB)

Edited by Comcrap, 26 September 2009 - 02:14 PM.


#10 oldman960 (Forum God, Classroom Teacher, 14,755 posts)

Posted 27 September 2009 - 03:20 AM

Hi Comcrap,

Try running combofix in safe mode.

Thanks



#11 Comcrap (Authentic Member, 22 posts)

Posted 27 September 2009 - 01:07 PM

Does the exact same thing in safe mode. Every process it runs, it gives an error message.

#12 oldman960 (Forum God, Classroom Teacher, 14,755 posts)

Posted 27 September 2009 - 01:26 PM

Hi

Something is really messing with combofix. Let's see if we can get a look with this.

Download OTListIt2 to your desktop.
  • Double click on OTL.exe to run it. Make sure all other windows are closed and to let it run uninterrupted.
  • When the window appears, underneath Output at the top change it to Minimal Output
  • In the Services section, change it to All
  • Check the boxes beside LOP Check and Purity Check.
  • Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL.

Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post it with your next reply. You may need two posts to fit them all in.

Thanks


#13 Comcrap (Authentic Member, 22 posts)

Posted 27 September 2009 - 02:08 PM

files attached


#14 oldman960 (Forum God, Classroom Teacher, 14,755 posts)

Posted 27 September 2009 - 02:15 PM

Hi Comcrap,

Click OK to any Windows errors you may receive when running this tool.

Please click here to download AVP Tool by Kaspersky.
  • Save it to your desktop.
  • Reboot your computer into Safe Mode.

    You can do this by restarting your computer and continually tapping the F8 key until a menu appears.
    Use your up arrow key to highlight Safe Mode, then hit Enter.

  • Double click the setup file to run it.
  • Click Next to continue.
  • By default it will install to your desktop folder. Click Next.
  • Hit OK at the prompt for scanning in Safe Mode.
  • It will then open a box. There will be a tab that says Automatic scan.
  • Under Automatic scan make sure these are checked:

  • System Memory
  • Startup Objects
  • Disk Boot Sectors
  • My Computer
  • Also any other (removable) drives that you may have

After that click on Security level, then choose Customize, then click on the tab that says Heuristic Analyzer, then choose Enable Deep rootkit search, then choose OK.
Then choose OK again and you are back to the main screen.

  • Then click on Scan at the top right-hand corner.
  • It will automatically Neutralize any objects found.
  • If some objects are left un-neutralized, click the button that says Neutralize all.
  • If it says it cannot be neutralized, choose the Delete option when prompted.
  • After that is done, click on the Reports button at the bottom and save it to a file named Kas.
  • Save it somewhere convenient like your desktop, and post only the detected virus/malware in the report (it will be at the very top under Detected) in your next reply.

    Note: This tool will self-uninstall when you close it, so please save the log before closing it.



Thanks


#15 Comcrap (Authentic Member, 22 posts)

Posted 28 September 2009 - 02:40 AM

Well it deleted two viruses, but didn't do much for my problem.

Scan
----
Scanned: 1187936
Detected: 2
Untreated: 0
Start time: 9/27/2009 1:55:56 PM
Duration: 11:24:54
Finish time: 9/28/2009 1:20:50 AM

Detected
--------
Status Object
------ ------
deleted: adware not-a-virus:AdWare.Win32.Dap.d File: D:\Program Files\DAP\DAPIEBar.dll
deleted: virus Worm.Win32.AutoRun.aevb File: E:\RECYCLER\S-1-5-21-1482476501-1644491937-682003330-1013\win32.exe
