TechSpot

Bad image errors

Solved
By Zowat
May 25, 2010
  1. Hello

    I have been infected by viruses and malware. I stumbled upon this forum and I hope someone can give me some advice. I have attached the log files that are stated in the 8 step virus and malware removal.

    Over the past few days I have tried several antivirus programs, adware and malware programs; they all find viruses and remove them, but the problems keep coming back. Yesterday I started getting a bad image error message when any program is launched. If I click OK on the message the program launches and runs normally.

    Thank you for any help.


    Malwarebytes' Anti-Malware 1.46
    www.malwarebytes.org

    Database version: 4143

    Windows 5.1.2600 Service Pack 3
    Internet Explorer 8.0.6001.18702

    25-05-2010 21:04:51
    mbam-log-2010-05-25 (21-04-51).txt

    Scan type: Quick scan
    Objects scanned: 124769
    Time elapsed: 6 minute(s), 36 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 5
    Registry Values Infected: 2
    Registry Data Items Infected: 1
    Folders Infected: 2
    Files Infected: 15

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    HKEY_CURRENT_USER\Software\M5T8QL3YW3 (Trojan.FakeAlert) -> No action taken.
    HKEY_CLASSES_ROOT\CLSID\NOD32KVBIT (Trojan.Frethog) -> No action taken.
    HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SSHNAS (Trojan.Renos) -> No action taken.
    HKEY_CURRENT_USER\SOFTWARE\QZAIB7KITK (Trojan.FakeAlert) -> No action taken.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Handle (Malware.Trace) -> No action taken.

    Registry Values Infected:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{bb4c402f-882a-4526-8c08-51278ea437c1} (Spyware.OnlineGames) -> No action taken.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\crntdll (Trojan.Witkinat) -> No action taken.

    Registry Data Items Infected:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL\CheckedValue (Hijack.System.Hidden) -> Bad: (0) Good: (1) -> No action taken.

    Folders Infected:
    C:\Documents and Settings\All Users\_qbothome (Trojan.Qakbot) -> No action taken.
    C:\Documents and Settings\All Users\_qbothome\u (Trojan.Qakbot) -> No action taken.

    Files Infected:
    C:\Documents and Settings\All Users\_qbothome\seclog.txt (Trojan.Qakbot) -> No action taken.
    C:\Documents and Settings\Erik Kirschberg\Application Data\Microsoft\Internet Explorer\Quick Launch\Antimalware Doctor.lnk (Rogue.AntimalwareDoctor) -> No action taken.
    C:\Documents and Settings\All Users\_qbothome\crontab.cb (Trojan.Qakbot) -> No action taken.
    C:\Documents and Settings\All Users\_qbothome\ps_dump_Erik Kirschberg.txt (Trojan.Qakbot) -> No action taken.
    C:\Documents and Settings\All Users\_qbothome\_qbot.cb (Trojan.Qakbot) -> No action taken.
    C:\Documents and Settings\All Users\_qbothome\si.txt (Trojan.Qakbot) -> No action taken.
    C:\Documents and Settings\All Users\_qbothome\updates.cb (Trojan.Qakbot) -> No action taken.
    C:\Documents and Settings\All Users\_qbothome\updates1.cb (Trojan.Qakbot) -> No action taken.
    C:\WINDOWS\Tasks\{8C3FDD81-7AE0-4605-A46A-2488B179F2A3}.job (Trojan.Downloader) -> No action taken.
    C:\Documents and Settings\All Users\_qbothome\_qbot_installed (Trojan.Qakbot) -> No action taken.
    C:\Documents and Settings\All Users\_qbothome\~efd9452.tmp (Trojan.Qakbot) -> No action taken.
    C:\Documents and Settings\Erik Kirschberg\Start Menu\Antimalware Doctor.lnk (Rogue.AntimalwareDoctor) -> No action taken.
    C:\WINDOWS\system32\WORK.DAT (Malware.Trace) -> No action taken.
    C:\WINDOWS\AhnRpta.exe (Trojan.Backdoor) -> No action taken.
    C:\WINDOWS\Tasks\{35DC3473-A719-4d14-B7C1-FD326CA84A0C}.job (Trojan.Downloader) -> No action taken.

    GMER 1.0.15.15281 - http://www.gmer.net
    Rootkit quick scan 2010-05-25 21:17:06
    Windows 5.1.2600 Service Pack 3
    Running: lug4zfju.exe; Driver: C:\DOCUME~1\ERIKKI~1\LOCALS~1\Temp\pxtdapoc.sys


    ---- Devices - GMER 1.0.15 ----

    AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
    AttachedDevice \Driver\Tcpip \Device\Ip sbtis.sys (Sunbelt TDI Inspection System/Sunbelt Software, Inc.)
    AttachedDevice \Driver\Tcpip \Device\Ip avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
    AttachedDevice \Driver\Tcpip \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
    AttachedDevice \Driver\Tcpip \Device\Tcp sbtis.sys (Sunbelt TDI Inspection System/Sunbelt Software, Inc.)
    AttachedDevice \Driver\Tcpip \Device\Udp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
    AttachedDevice \Driver\Tcpip \Device\Udp sbtis.sys (Sunbelt TDI Inspection System/Sunbelt Software, Inc.)
    AttachedDevice \Driver\Tcpip \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
    AttachedDevice \Driver\Tcpip \Device\RawIp sbtis.sys (Sunbelt TDI Inspection System/Sunbelt Software, Inc.)

    Device -> \Driver\atapi \Device\Harddisk0\DR0 8A6B1D01

    ---- Files - GMER 1.0.15 ----

    File C:\WINDOWS\system32\drivers\atapi.sys suspicious modification

    ---- EOF - GMER 1.0.15 ----
     
  2. Broni

    Broni Malware Annihilator Posts: 47,082   +258

    Malwarebytes log shows "No action taken" after each line.
    Please, re-run Malwarebytes, fix all issues and post fresh log.

    Both DDS logs are missing.
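As an added example (not code from this thread or from Malwarebytes), a small Python triage script for the Malwarebytes 1.x text log format that automates the check Broni makes above: it lists every detection still marked "No action taken" and compares the summary counts with the items actually listed, which also catches a truncated log. The log it parses is constructed; the line layout, including the "Bad: (0) Good: (1)" data-item form, follows the logs posted in this thread.

```python
"""Triage a Malwarebytes' Anti-Malware 1.x text log.

Added example, not part of the TechSpot thread or of Malwarebytes itself.
A log whose lines end in "No action taken" is only a report: nothing was
removed. A summary count that exceeds the items listed under its header
usually means the log was cut off when it was posted.
"""
import re
from collections import defaultdict

# Constructed sample in the 1.46 log layout (not a log from the thread).
SAMPLE_LOG = r"""
Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4143

Scan type: Quick scan
Objects scanned: 1000
Time elapsed: 1 minute(s), 0 second(s)

Memory Processes Infected: 0
Registry Keys Infected: 2
Registry Data Items Infected: 1
Folders Infected: 1
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\Software\EXAMPLEKEY1 (Trojan.FakeAlert) -> No action taken.
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\EXAMPLESVC (Trojan.Renos) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL\CheckedValue (Hijack.System.Hidden) -> Bad: (0) Good: (1) -> No action taken.

Files Infected:
C:\Documents and Settings\All Users\_example\payload.cb (Trojan.Qakbot) -> No action taken.
C:\Program Files (x86)\Example\bad.dll (Trojan.Downloader) -> Quarantined and deleted successfully.
"""

SUMMARY_RE = re.compile(r"^(?P<category>[A-Za-z ]+ Infected): (?P<count>\d+)$")
HEADER_RE = re.compile(r"^(?P<category>[A-Za-z ]+ Infected):$")
NO_ACTION = "No action taken"


def parse_item(line):
    """Split 'target (Detection.Name) [-> extra] -> action.' into its parts.

    The detection name is the last parenthesised group before the first
    ' -> ', so paths containing '(x86)' are kept intact.
    """
    parts = line.split(" -> ")
    if len(parts) < 2:
        return None
    target_det, action = parts[0], parts[-1].rstrip(".")
    target, sep, detection = target_det.rpartition(" (")
    if not sep or not detection.endswith(")"):
        return None
    return {"target": target, "detection": detection[:-1],
            "extra": " -> ".join(parts[1:-1]), "action": action}


def parse_log(text):
    """Return (summary_counts, items_by_category) from the log text."""
    summary, items, category = {}, defaultdict(list), None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SUMMARY_RE.match(line)
        if m:
            summary[m["category"]] = int(m["count"])
            continue
        m = HEADER_RE.match(line)
        if m:
            category = m["category"]
            items.setdefault(category, [])  # record even empty sections
            continue
        if category is None or line.startswith("(No malicious items"):
            continue
        item = parse_item(line)
        if item:
            items[category].append(item)
    return summary, dict(items)


def triage(text):
    """Report unresolved detections and summary/listing mismatches."""
    summary, items = parse_log(text)
    unresolved = [(cat, it["target"], it["detection"])
                  for cat, lst in items.items() for it in lst
                  if it["action"] == NO_ACTION]
    cats = set(summary) | set(items)
    mismatches = {c: (summary.get(c, 0), len(items.get(c, []))) for c in cats
                  if summary.get(c, 0) != len(items.get(c, []))}
    families = defaultdict(int)
    for lst in items.values():
        for it in lst:
            families[it["detection"]] += 1
    return {"total": sum(len(l) for l in items.values()),
            "unresolved": unresolved, "mismatches": mismatches,
            "families": dict(families)}


if __name__ == "__main__":
    report = triage(SAMPLE_LOG)
    print(f"{report['total']} detections, {len(report['unresolved'])} with no action taken")
    for cat, target, det in report["unresolved"]:
        print(f"  [{cat}] {det}: {target}")
    for cat, (claimed, listed) in report["mismatches"].items():
        print(f"  summary says {claimed} {cat}, log lists {listed}: log may be truncated")
```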
     
  3. Zowat

    Zowat TS Rookie Topic Starter

    Hi Broni

    Sorry about the missing logs. I had trouble posting last night with all the logs; for some reason I kept timing out, so I figured I would post what I could and reply with the rest of the logs, but being my first post I got a message that an admin needed to check it first. Anyway, here are the DDS logs. I will reply with the correct malware log in my next post.

    I have run another virus scan and Malwarebytes scan and they both come up with no viruses now, so hopefully the 8 step virus removal worked for me, but I am still getting the bad image error on start up and every time I launch a new program.

    Thank you



    UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
    IF REQUESTED, ZIP IT UP & ATTACH IT

    DDS (Ver_10-03-17.01)

    Microsoft Windows XP Professional
    Boot Device: \Device\HarddiskVolume1
    Install Date: 29-11-2007 16:30:55
    System Uptime: 25-05-2010 21:26:36 (0 hours ago)

    Motherboard: ASUSTeK Computer INC. | | P5K
    Processor: Intel(R) Core(TM)2 Duo CPU E6750 @ 2.66GHz | LGA775 | 2671/333mhz

    ==== Disk Partitions =========================

    A: is Removable
    C: is FIXED (NTFS) - 233 GiB total, 18,497 GiB free.
    D: is CDROM ()

    ==== Disabled Device Manager Items =============

    Class GUID: {4D36E96B-E325-11CE-BFC1-08002BE10318}
    Description: PS/2 Keyboard
    Device ID: ACPI\PNP0303\4&1400782C&0
    Manufacturer: Logitech
    Name: PS/2 Keyboard
    PNP Device ID: ACPI\PNP0303\4&1400782C&0
    Service: i8042prt

    ==== System Restore Points ===================

    RP897: 14-05-2010 17:48:15 - System Checkpoint
    RP898: 14-05-2010 22:45:58 - Software Distribution Service 3.0
    RP899: 15-05-2010 20:45:39 - Software Distribution Service 3.0
    RP900: 17-05-2010 07:15:41 - System Checkpoint
    RP901: 18-05-2010 07:54:46 - System Checkpoint
    RP902: 19-05-2010 10:03:37 - System Checkpoint
    RP903: 20-05-2010 10:06:50 - System Checkpoint
    RP904: 21-05-2010 16:22:00 - System Checkpoint
    RP905: 22-05-2010 15:25:45 - Installed Windows Internet Explorer 8.
    RP906: 22-05-2010 15:34:51 - Removed SPORE™ Creature Creator Trial Edition
    RP907: 24-05-2010 22:13:29 - Installed VIPRE Antivirus.
    RP908: 25-05-2010 20:39:50 - Installed Java(TM) 6 Update 20

    ==== Installed Programs ======================

    Acrobat.com
    Ad-Aware
    Ad-Aware Email Scanner for Outlook
    Adobe AIR
    Adobe Flash Player 10 ActiveX
    Adobe Flash Player 10 Plugin
    Adobe Photoshop 6.0
    Adobe Reader 9.1
    Adobe Shockwave Player 11
    Adobe SVG Viewer
    Advertising Center
    Apple Application Support
    Apple Mobile Device Support
    Apple Software Update
    Ask Toolbar
    µTorrent
    Attansic Ethernet Utility
    Attansic L1 Gigabit Ethernet Driver
    AutoUpdate
    AVG Free 9.0
    BeerSmith Brewing Software
    Bioshock Demo
    Camera RAW Plug-In for EPSON Creativity Suite
    CDBurnerXP
    CDDRV_Installer
    Creative Live! Cam Notebook Pro Driver (1.01.02.00)
    Creative Software AutoUpdate
    Critical Update for Windows Media Player 11 (KB959772)
    CuteFTP 8 Professional
    CutePDF Writer 2.7
    DAoC Portal
    Digital Signatur
    DivX Codec
    DivX Converter
    DivX Player
    DivX Web Player
    Drive 3 professional KatBS
    DWGeditor
    Easy MPEG/AVI/DIVX/WMV/RM to DVD 2.0.2
    eDrawings 2008
    EPSON Attach To Email
    EPSON Easy Photo Print
    EPSON File Manager
    EPSON Scan
    EPSON Scan Assistant
    EPSON Stylus SX200 Series Printer Uninstall
    EPSON Stylus SX200_SX400_TX200_TX400 Manual
    EPSON Web-To-Page
    EVGA Display Driver
    Facebook Plug-In
    Free CD Ripper 3.1
    getPlus(R) for Adobe
    Google Chrome
    Google Earth
    Google SketchUp 7
    Google Update Helper
    Google Updater
    Grand Theft Auto IV
    Half-Life 2: Lost Coast
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
    Hotfix for Windows Media Format 11 SDK (KB929399)
    Hotfix for Windows Media Player 11 (KB939683)
    Hotfix for Windows XP (KB952287)
    Hotfix for Windows XP (KB954550-v5)
    Hotfix for Windows XP (KB961118)
    Hotfix for Windows XP (KB970653-v3)
    Hotfix for Windows XP (KB976002-v5)
    Hotfix for Windows XP (KB976098-v2)
    Hotfix for Windows XP (KB979306)
    iTunes
    Java Auto Updater
    Java(TM) 6 Update 20
    Java(TM) 6 Update 3
    Java(TM) 6 Update 7
    JMB36X Raid Configurer
    KhalInstallWrapper
    Left 4 Dead
    Logitech SetPoint
    Malwarebytes' Anti-Malware
    Microsoft .NET Framework 1.1
    Microsoft .NET Framework 1.1 Security Update (KB953297)
    Microsoft .NET Framework 2.0 Service Pack 2
    Microsoft .NET Framework 3.0 Service Pack 2
    Microsoft .NET Framework 3.5 SP1
    Microsoft Application Error Reporting
    Microsoft Compression Client Pack 1.0 for Windows XP
    Microsoft Games for Windows - LIVE Redistributable
    Microsoft IntelliType Pro 7.0
    Microsoft Kernel-Mode Driver Framework Feature Pack 1.5
    Microsoft Office 2003 Web Components
    Microsoft Office 2007 Service Pack 2 (SP2)
    Microsoft Office Access MUI (English) 2007
    Microsoft Office Access Setup Metadata MUI (English) 2007
    Microsoft Office Excel MUI (English) 2007
    Microsoft Office Outlook MUI (English) 2007
    Microsoft Office PowerPoint MUI (English) 2007
    Microsoft Office Professional 2007
    Microsoft Office Professional 2007 Trial
    Microsoft Office Proof (English) 2007
    Microsoft Office Proof (French) 2007
    Microsoft Office Proof (Spanish) 2007
    Microsoft Office Proofing (English) 2007
    Microsoft Office Proofing Tools 2007 Service Pack 2 (SP2)
    Microsoft Office Publisher MUI (English) 2007
    Microsoft Office Shared MUI (English) 2007
    Microsoft Office Shared Setup Metadata MUI (English) 2007
    Microsoft Office Word MUI (English) 2007
    Microsoft Silverlight
    Microsoft Software Update for Web Folders (English) 12
    Microsoft User-Mode Driver Framework Feature Pack 1.0
    Microsoft Visual C++ 2005 Redistributable
    Mobilt Bredband
    Mozilla Firefox (3.6.3)
    Mozilla Thunderbird (2.0.0.24)
    MSXML 4.0 SP2 (KB936181)
    MSXML 4.0 SP2 (KB954430)
    MSXML 4.0 SP2 (KB973688)
    MSXML 6.0 Parser (KB925673)
    Nero 9 Lite
    Nero ControlCenter
    Nero Installer
    Nero Online Upgrade
    Nero StartSmart
    neroxml
    NVIDIA Drivers
    NVIDIA PhysX v8.10.13
    OGA Notifier 2.0.0048.0
    Pdf995
    PeerGuardian 2.0
    Portal
    ProMash
    PunkBuster Services
    Quake 4 Multiplayer Demo 1.4.2
    Quake 4(TM)
    QuickTime
    Realtek High Definition Audio Driver
    Rosetta Stone 2.2.0.0A
    Security Update for 2007 Microsoft Office System (KB969559)
    Security Update for 2007 Microsoft Office System (KB976321)
    Security Update for 2007 Microsoft Office System (KB978380)
    Security Update for Microsoft Office Excel 2007 (KB978382)
    Security Update for Microsoft Office Outlook 2007 (KB972363)
    Security Update for Microsoft Office PowerPoint 2007 (KB957789)
    Security Update for Microsoft Office Publisher 2007 (KB980470)
    Security Update for Microsoft Office system 2007 (972581)
    Security Update for Microsoft Office system 2007 (KB974234)
    Security Update for Microsoft Office Visio Viewer 2007 (KB973709)
    Security Update for Windows Media Player (KB911564)
    Security Update for Windows Media Player (KB952069)
    Security Update for Windows Media Player (KB954155)
    Security Update for Windows Media Player (KB968816)
    Security Update for Windows Media Player (KB973540)
    Security Update for Windows Media Player 11 (KB936782)
    Security Update for Windows Media Player 11 (KB954154)
    Security Update for Windows Media Player 6.4 (KB925398)
    Security Update for Windows Media Player 8 (KB917734)
    Security Update for Windows Media Player 9 (KB936782)
    Security Update for Windows XP (KB923561)
    Security Update for Windows XP (KB923689)
    Security Update for Windows XP (KB923789)
    Security Update for Windows XP (KB938464-v2)
    Security Update for Windows XP (KB938464)
    Security Update for Windows XP (KB941569)
    Security Update for Windows XP (KB946648)
    Security Update for Windows XP (KB950759)
    Security Update for Windows XP (KB950760)
    Security Update for Windows XP (KB950762)
    Security Update for Windows XP (KB950974)
    Security Update for Windows XP (KB951066)
    Security Update for Windows XP (KB951376-v2)
    Security Update for Windows XP (KB951376)
    Security Update for Windows XP (KB951698)
    Security Update for Windows XP (KB951748)
    Security Update for Windows XP (KB952004)
    Security Update for Windows XP (KB952954)
    Security Update for Windows XP (KB953838)
    Security Update for Windows XP (KB953839)
    Security Update for Windows XP (KB954211)
    Security Update for Windows XP (KB954459)
    Security Update for Windows XP (KB954600)
    Security Update for Windows XP (KB955069)
    Security Update for Windows XP (KB956390)
    Security Update for Windows XP (KB956391)
    Security Update for Windows XP (KB956572)
    Security Update for Windows XP (KB956744)
    Security Update for Windows XP (KB956802)
    Security Update for Windows XP (KB956803)
    Security Update for Windows XP (KB956841)
    Security Update for Windows XP (KB956844)
    Security Update for Windows XP (KB957095)
    Security Update for Windows XP (KB957097)
    Security Update for Windows XP (KB958215)
    Security Update for Windows XP (KB958644)
    Security Update for Windows XP (KB958687)
    Security Update for Windows XP (KB958690)
    Security Update for Windows XP (KB958869)
    Security Update for Windows XP (KB959426)
    Security Update for Windows XP (KB960225)
    Security Update for Windows XP (KB960714)
    Security Update for Windows XP (KB960715)
    Security Update for Windows XP (KB960803)
    Security Update for Windows XP (KB960859)
    Security Update for Windows XP (KB961371)
    Security Update for Windows XP (KB961373)
    Security Update for Windows XP (KB961501)
    Security Update for Windows XP (KB963027)
    Security Update for Windows XP (KB968537)
    Security Update for Windows XP (KB969059)
    Security Update for Windows XP (KB969897)
    Security Update for Windows XP (KB969898)
    Security Update for Windows XP (KB969947)
    Security Update for Windows XP (KB970238)
    Security Update for Windows XP (KB970430)
    Security Update for Windows XP (KB971468)
    Security Update for Windows XP (KB971486)
    Security Update for Windows XP (KB971557)
    Security Update for Windows XP (KB971633)
    Security Update for Windows XP (KB971657)
    Security Update for Windows XP (KB971961)
    Security Update for Windows XP (KB972260)
    Security Update for Windows XP (KB972270)
    Security Update for Windows XP (KB973346)
    Security Update for Windows XP (KB973354)
    Security Update for Windows XP (KB973507)
    Security Update for Windows XP (KB973525)
    Security Update for Windows XP (KB973869)
    Security Update for Windows XP (KB973904)
    Security Update for Windows XP (KB974112)
    Security Update for Windows XP (KB974318)
    Security Update for Windows XP (KB974392)
    Security Update for Windows XP (KB974455)
    Security Update for Windows XP (KB974571)
    Security Update for Windows XP (KB975025)
    Security Update for Windows XP (KB975467)
    Security Update for Windows XP (KB975560)
    Security Update for Windows XP (KB975561)
    Security Update for Windows XP (KB975713)
    Security Update for Windows XP (KB976325)
    Security Update for Windows XP (KB977165)
    Security Update for Windows XP (KB977816)
    Security Update for Windows XP (KB977914)
    Security Update for Windows XP (KB978037)
    Security Update for Windows XP (KB978251)
    Security Update for Windows XP (KB978262)
    Security Update for Windows XP (KB978338)
    Security Update for Windows XP (KB978542)
    Security Update for Windows XP (KB978601)
    Security Update for Windows XP (KB978706)
    Security Update for Windows XP (KB979309)
    Security Update for Windows XP (KB979683)
    Security Update for Windows XP (KB980232)
    Security Update for Windows XP (KB981349)
    Skype™ 4.2
    Smart WAV Converter Pro
    SmartCDRipper Pro
    SopCast 3.2.8
    Steam
    Team Fortress 2
    TmNationsForever
    TrackMania Nations ESWC 0.1.7.5
    Update for 2007 Microsoft Office System (KB967642)
    Update for 2007 Microsoft Office System (KB981715)
    Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
    Update for Microsoft Office InfoPath 2007 (KB976416)
    Update for Microsoft Office Word 2007 (KB974631)
    Update for Outlook 2007 Junk Email Filter (kb981726)
    Update for Windows XP (KB951072-v2)
    Update for Windows XP (KB951978)
    Update for Windows XP (KB955759)
    Update for Windows XP (KB955839)
    Update for Windows XP (KB967715)
    Update for Windows XP (KB968389)
    Update for Windows XP (KB971737)
    Update for Windows XP (KB973687)
    Update for Windows XP (KB973815)
    Update for Windows XP (KB976749)
    Update for Windows XP (KB978207)
    Update for Windows XP (KB980182)
    Ventrilo Client
    VIPRE Antivirus
    Visual C++ 2008 x86 Runtime - (v9.0.30729)
    Visual C++ 2008 x86 Runtime - v9.0.30729.01
    VLC media player 1.0.5
    WebFldrs XP
    WIFI Max
    Winamp
    Winamp Toolbar for Firefox
    WinDirStat 1.1.2
    Windows Genuine Advantage Notifications (KB905474)
    Windows Genuine Advantage Validation Tool (KB892130)
    Windows Imaging Component
    Windows Internet Explorer 8
    Windows Media Format 11 runtime
    Windows Media Player 11
    Windows Media Player Firefox Plugin
    Windows Presentation Foundation
    Windows XP Service Pack 3
    WinRAR archiver
    WinZip
    XML Paper Specification Shared Components Pack 1.0
    Yahoo! BrowserPlus
    Yahoo! Messenger
    Yahoo! Search Protection
    Yahoo! Software Update
    Yahoo! Toolbar

    ==== End Of File ===========================

    DDS (Ver_10-03-17.01) - NTFSx86
    Run by Erik Kirschberg at 21:32:15,12 on 25-05-2010
    Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_20
    Microsoft Windows XP Professional 5.1.2600.3.1252.45.1033.18.2047.1338 [GMT 2:00]

    AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

    ============== Running Processes ===============

    C:\WINDOWS\system32\svchost -k DcomLaunch
    svchost.exe
    C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
    svchost.exe
    C:\Program Files\AVG\AVG9\avgchsvx.exe
    C:\Program Files\AVG\AVG9\avgrsx.exe
    svchost.exe
    C:\Program Files\AVG\AVG9\avgcsrvx.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Google\Update\1.2.183.23\GoogleCrashHandler.exe
    C:\WINDOWS\system32\ctfmon.exe
    svchost.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\Program Files\AVG\AVG9\avgwdsvc.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\Program Files\CDBurnerXP\NMSAccessU.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\Program Files\Common Files\Java\Java Update\jusched.exe
    C:\Program Files\Skype\Phone\Skype.exe
    C:\WINDOWS\system32\PnkBstrA.exe
    C:\Program Files\Sunbelt Software\VIPRE\SBAMSvc.exe
    C:\Program Files\Logitech\SetPoint\SetPoint.exe
    C:\Program Files\AVG\AVG9\avgnsx.exe
    C:\Program Files\Sunbelt Software\VIPRE\SBPIMSvc.exe
    C:\WINDOWS\System32\svchost.exe -k imgsvc
    C:\Program Files\Common Files\Logitech\KhalShared\KHALMNPR.EXE
    C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
    C:\Program Files\AVG\AVG9\avgemc.exe
    C:\Program Files\AVG\AVG9\avgcsrvx.exe
    C:\Program Files\Sunbelt Software\VIPRE\SBAMTray.exe
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    C:\Program Files\Skype\Plugin Manager\skypePM.exe
    C:\WINDOWS\explorer.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Documents and Settings\Erik Kirschberg\My Documents\Downloads\dds.scr

    ============== Pseudo HJT Report ===============

    uStart Page = hxxp://www.yahoo.com/
    uSearch Page = hxxp://us.rd.yahoo.com/customize/ie/defaults/sp/msgr10/*http://www.yahoo.com
    uSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr10/*http://www.yahoo.com/ext/search/search.html
    mSearch Bar = hxxp://us.rd.yahoo.com/customize/ie/defaults/sb/msgr10/*http://www.yahoo.com/ext/search/search.html
    uInternet Settings,ProxyServer = 0.0.0.0:80
    uSearchURL,(Default) = hxxp://us.rd.yahoo.com/customize/ie/defaults/su/msgr10/*http://www.yahoo.com
    uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn0\yt.dll
    uURLSearchHooks: UrlSearchHook Class: {00000000-6e41-4fd3-8538-502f5495e5fc} - c:\program files\ask.com\GenericAskToolbar.dll
    BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn0\yt.dll
    BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
    BHO: Yahooo Search Protection: {25bc7718-0bfa-40ea-b381-4b2d9732d686} - c:\program files\yahoo!\search protection\ysp.dll
    BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg9\avgssie.dll
    BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.1.1309.3572\swg.dll
    BHO: Nero Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - c:\program files\ask.com\GenericAskToolbar.dll
    BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
    BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    BHO: EpsonToolBandKicker Class: {e99421fb-68dd-40f0-b4ac-b7027cae2f1a} - c:\program files\epson\epson web-to-page\EPSON Web-To-Page.dll
    BHO: SingleInstance Class: {fdad4da1-61a2-4fd8-9c17-86f7ac245081} - c:\program files\yahoo!\companion\installs\cpn0\YTSingleInstance.dll
    TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn0\yt.dll
    TB: EPSON Web-To-Page: {ee5d279f-081b-4404-994d-c6b60aaeba6d} - c:\program files\epson\epson web-to-page\EPSON Web-To-Page.dll
    TB: Nero Toolbar: {d4027c7f-154a-4066-a1ad-4243d8127440} - c:\program files\ask.com\GenericAskToolbar.dll
    EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
    uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
    uRun: [Skype] "c:\program files\skype\phone\Skype.exe" /nosplash /minimized
     
  4. Zowat

    Zowat TS Rookie Topic Starter

    Here is the Malwarebytes log. I must have saved a log file before I clicked remove all and posted the wrong one.



    Malwarebytes' Anti-Malware 1.46
    www.malwarebytes.org

    Database version: 4143

    Windows 5.1.2600 Service Pack 3
    Internet Explorer 8.0.6001.18702

    25-05-2010 21:05:06
    mbam-log-2010-05-25 (21-05-06).txt

    Scan type: Quick scan
    Objects scanned: 124769
    Time elapsed: 6 minute(s), 36 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 5
    Registry Values Infected: 2
    Registry Data Items Infected: 1
    Folders Infected: 2
    Files Infected: 15

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    HKEY_CURRENT_USER\Software\M5T8QL3YW3 (Trojan.FakeAlert) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\CLSID\NOD32KVBIT (Trojan.Frethog) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SSHNAS (Trojan.Renos) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\QZAIB7KITK (Trojan.FakeAlert) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Handle (Malware.Trace) -> Quarantined and deleted successfully.

    Registry Values Infected:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{bb4c402f-882a-4526-8c08-51278ea437c1} (Spyware.OnlineGames) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\crntdll (Trojan.Witkinat) -> Quarantined and deleted successfully.

    Registry Data Items Infected:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL\CheckedValue (Hijack.System.Hidden) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully.

    Folders Infected:
    C:\Documents and Settings\All Users\_qbothome (Trojan.Qakbot) -> Quarantined and deleted successfully.
    C:\Documents and Settings\All Users\_qbothome\u (Trojan.Qakbot) -> Quarantined and deleted successfully.

    Files Infected:
    C:\Documents and Settings\All Users\_qbothome\seclog.txt (Trojan.Qakbot) -> Quarantined and deleted successfully.
    C:\Documents and Settings\Erik Kirschberg\Application Data\Microsoft\Internet Explorer\Quick Launch\Antimalware Doctor.lnk (Rogue.AntimalwareDoctor) -> Quarantined and deleted successfully.
    C:\Documents and Settings\All Users\_qbothome\crontab.cb (Trojan.Qakbot) -> Quarantined and deleted successfully.
    C:\Documents and Settings\All Users\_qbothome\ps_dump_Erik Kirschberg.txt (Trojan.Qakbot) -> Quarantined and deleted successfully.
    C:\Documents and Settings\All Users\_qbothome\_qbot.cb (Trojan.Qakbot) -> Quarantined and deleted successfully.
    C:\Documents and Settings\All Users\_qbothome\si.txt (Trojan.Qakbot) -> Quarantined and deleted successfully.
    C:\Documents and Settings\All Users\_qbothome\updates.cb (Trojan.Qakbot) -> Quarantined and deleted successfully.
    C:\Documents and Settings\All Users\_qbothome\updates1.cb (Trojan.Qakbot) -> Quarantined and deleted successfully.
    C:\WINDOWS\Tasks\{8C3FDD81-7AE0-4605-A46A-2488B179F2A3}.job (Trojan.Downloader) -> Quarantined and deleted successfully.
    C:\Documents and Settings\All Users\_qbothome\_qbot_installed (Trojan.Qakbot) -> Quarantined and deleted successfully.
    C:\Documents and Settings\All Users\_qbothome\~efd9452.tmp (Trojan.Qakbot) -> Quarantined and deleted successfully.
    C:\Documents and Settings\Erik Kirschberg\Start Menu\Antimalware Doctor.lnk (Rogue.AntimalwareDoctor) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\WORK.DAT (Malware.Trace) -> Quarantined and deleted successfully.
    C:\WINDOWS\AhnRpta.exe (Trojan.Backdoor) -> Quarantined and deleted successfully.
    C:\WINDOWS\Tasks\{35DC3473-A719-4d14-B7C1-FD326CA84A0C}.job (Trojan.Downloader) -> Quarantined and deleted successfully.
     
  5. Broni

    Broni Malware Annihilator Posts: 47,082   +258

    Please, uninstall the following through Add\Remove:
    Java(TM) 6 Update 3
    Java(TM) 6 Update 7


    DDS.txt file is incomplete.
    Please, repost.
     
  6. Zowat

    Zowat TS Rookie Topic Starter

    I removed the 2 Java programs like you suggested and here is the dds.txt file. For some reason I can't seem to post the whole thing; if I copy and paste it into my message I keep timing out. Here is a zip file instead. I hope it works.
     

    Attached Files:

  7. Broni

    Broni Malware Annihilator Posts: 47,082   +258

    I tried 3 different programs to unzip your file and they all failed.
    Attaching a file is fine, but don't zip them, unless I ask you to do so.
    Please, attach DDS.txt file (not zipped). I already have Attach.txt file.
     
  8. Zowat

    Zowat TS Rookie Topic Starter

    I don't know why I am unable to post the dds.txt, or even if I just copy the text and paste it into the message, all I get is a "connection reset" error message. I have made the dds.txt file a PDF; I hope you're able to open it. I've never had so much trouble posting to a thread before.

    Thank you for the help, it is appreciated.
     

    Attached Files:

    • dds.pdf (File size: 21.9 KB)
  9. Broni

    Broni Malware Annihilator Posts: 47,082   +258

    Please download ComboFix from Here or Here to your Desktop.

    **Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
    1. Please, never rename Combofix unless instructed.
    2. Close any open browsers.
    3. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
      • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
      • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
      NOTE 1. If Combofix asks you to install Recovery Console, please allow it.
      NOTE 2. If Combofix asks you to update the program, always do so.
      • Close any open browsers.
      • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
      • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
      • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
    4. Double click on combofix.exe & follow the prompts.
    5. When finished, it will produce a report for you.
    6. Please post the "C:\ComboFix.txt"
    **Note: Do not mouseclick combofix's window while it's running. That may cause it to stall**

    Make sure you re-enable your security programs when you're done with Combofix.

    DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!
     
  10. Zowat

    Zowat TS Rookie Topic Starter

    Here is the combofix log file
     

    Attached Files:

    • log.txt
  11. Broni

    Broni Malware Annihilator Posts: 47,082   +258

    Combofix says:
    DENNE MASKINE HAR IKKE GENOPRETTELSESKONSOL INSTALLERET !!
    Please, allow recovery console installation on next Combofix run.

    Uninstall Ask.com through Add/Remove

    Open Windows Explorer. Go Tools>Folder Options>View tab, put a checkmark next to Show hidden files and folders.
    Upload following files to http://www.virustotal.com/ for security check:
    c:\windows\system32\drivers\atapi.sys
    If the file is listed as already analyzed, click on Reanalyse file now button.
    Post scan results.

    1. Please open Notepad
    • Click Start , then Run
    • Type notepad.exe in the Run Box.

    2. Now copy/paste the entire content of the codebox below into the Notepad window:

    Code:
    File::
    c:\windows\CD95F661A5C444F5A6AAECDD91C240BD.TMP
    c:\windows\system32\0A44.DLL
    
    
    Folder::
    
    Driver::
    
    Registry::
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "DisableNotifications"=-
    
    
    RegLockDel::
    
    

    3. Save the above as CFScript.txt

    4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.



    5. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
    • Combofix.txt
    • A new HijackThis log.
     
     
  12. Zowat

    Zowat TS Rookie Topic Starter

    I was not able to remove Ask.com as it does not show up in my Add/Remove menu.
     

  13. Broni

    Broni Malware Annihilator Posts: 47,082   +258

    That's fine, we'll do it through Combofix.
    How is your computer doing at the moment?


    1. Please open Notepad
    • Click Start , then Run
    • Type notepad.exe in the Run Box.

    2. Now copy/paste the entire content of the codebox below into the Notepad window:

    Code:
    File::
    
    Folder::
    c:\program files\Ask.com
    
    
    Driver::
    
    Registry::
    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
    "{00000000-6E41-4FD3-8538-502F5495E5FC}"=-
    [-HKEY_CLASSES_ROOT\clsid\{00000000-6e41-4fd3-8538-502f5495e5fc}]
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D4027C7F-154A-4066-A1AD-4243D8127440}]
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
    "{D4027C7F-154A-4066-A1AD-4243D8127440}"=-
    [-HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]
    [-HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]
    [-HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]
    [-HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]
    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
    "{D4027C7F-154A-4066-A1AD-4243D8127440}"=-
    [-HKEY_CLASSES_ROOT\clsid\{d4027c7f-154a-4066-a1ad-4243d8127440}]
    [-HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd.1]
    [-HKEY_CLASSES_ROOT\TypeLib\{2996F0E7-292B-4CAE-893F-47B8B1C05B56}]
    [-HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]
    
    
    RegLockDel::
    
    

    3. Save the above as CFScript.txt

    4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.



    5. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
    • Combofix.txt
    • A new HijackThis log.
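A way to read CFScript blocks like the two above before they are handed to ComboFix, as an added example that is not part of this thread or of ComboFix: it parses the first script (the firewall DisableNotifications value removal) and the second (the Ask.com folder and registry removal) into a plan listing exactly what would be deleted. The section names come from the scripts themselves; reading "[-key]" as delete-key and '"name"=-' as delete-value follows the .reg file convention and is an assumption here, and ComboFix's "~" path shorthand is left unexpanded.

```python
# Added example, not ComboFix's own code: parses the CFScript format used in the
# two scripts above into a deletion plan that can be reviewed before it is run.
# Assumes .reg conventions: "[-key]" deletes a key, '"name"=-' deletes a value
# under the preceding "[key]"; ComboFix's "~" shorthand is kept verbatim.
import re

LIST_SECTIONS = {"File": "files", "Folder": "folders", "Driver": "drivers",
                 "RegLockDel": "reglockdel"}
def parse_cfscript(text):
    """Return {files, folders, drivers, reglockdel, reg_keys, reg_values}."""
    plan = {**{n: [] for n in LIST_SECTIONS.values()}, "reg_keys": [], "reg_values": []}
    section, key = None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:                      # blank separator lines are ignored
            continue
        hdr = re.fullmatch(r"(\w+)::", line)
        if hdr:
            section, key = hdr.group(1), None
            if section != "Registry" and section not in LIST_SECTIONS:
                raise ValueError(f"unknown section: {line}")
            continue
        if section is None:
            raise ValueError(f"data before any section header: {line}")
        if section != "Registry":
            plan[LIST_SECTIONS[section]].append(line)   # path or service name
        elif line.startswith("[-") and line.endswith("]"):
            plan["reg_keys"].append(line[2:-1])        # whole key deleted
            key = None
        elif line.startswith("[") and line.endswith("]"):
            key = line[1:-1]                           # values below apply here
        else:
            val = re.fullmatch(r'"([^"]+)"=-', line)
            if val is None or key is None:
                raise ValueError(f"unsupported registry line: {line}")
            plan["reg_values"].append((key, val.group(1)))
    return plan

# Constructed sample: lines taken from the two scripts in this thread.
SAMPLE = r"""File::
c:\windows\system32\0A44.DLL

Folder::
c:\program files\Ask.com
Registry::
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"DisableNotifications"=-
[-HKEY_CLASSES_ROOT\GenericAskToolbar.ToolbarWnd]
"""
PLAN = parse_cfscript(SAMPLE)   # PLAN["reg_values"] holds the firewall value
```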
     
  14. Zowat

    Zowat TS Rookie Topic Starter

    My computer is running a lot better now. The bad image errors have gone away and so have all the adware pop-ups.

    I can't thank you enough for your help
     

  15. Broni

    Broni Malware Annihilator Posts: 47,082   +258

    Very good :)

    Delete your GMER file, download fresh copy and give me new log, please.
     
  16. Zowat

    Zowat TS Rookie Topic Starter

    I have been trying to get a new GMER log but GMER restarts my computer after it scans and doesn't let me save a log file. I have tried disabling devices but still nothing.
     
  17. Broni

    Broni Malware Annihilator Posts: 47,082   +258

    Checkmark "Sections" only and try again.
    If still no fun, try same thing in Safe Mode.
     
  18. Zowat

    Zowat TS Rookie Topic Starter

    Here is the GMER log.
     

  19. Broni

    Broni Malware Annihilator Posts: 47,082   +258

    GMER log looks good :)
    How is the computer doing at the moment?

    You still didn't install recovery console.

    With malware infections being as they are today, it's strongly recommended to have the Windows Recovery Console pre-installed on your machine before doing any malware removal.

    The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.


    Go to Microsoft's website => http://support.microsoft.com/kb/310994

    Select the download that's appropriate for your Operating System



    Download the file & save it as it's originally named.


    ---------------------------------------------------------------------

    Transfer all files you just downloaded, to the desktop of the infected computer.

    --------------------------------------------------------------------


    Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.



    • Drag the setup package onto ComboFix.exe and drop it.

    • Follow the prompts to start ComboFix and when prompted, agree to the End-User License Agreement to install the Microsoft Recovery Console.




    • At the next prompt, click 'Yes' to run the full ComboFix scan.

    • When the tool is finished, it will produce a report for you.
    Please post the C:\ComboFix.txt log in your next reply.
     
  20. Zowat

    Zowat TS Rookie Topic Starter

    Here is the ComboFix log.
     

  21. Broni

    Broni Malware Annihilator Posts: 47,082   +258

    Good :)
    How is the computer doing at the moment?

    Uninstall Combofix:
    Go Start > Run [Vista users, go Start>"Start search"]
    Type in:
    Combofix /Uninstall
    Note the space between the "Combofix" and the "/Uninstall"
    Click OK (Vista users - press Enter).
    Restart computer.

    ================================================================

    1. Download Temp File Cleaner (TFC)
    Double click on TFC.exe to run the program.
    Click on Start button to begin cleaning process.
    TFC will close all running programs, and it may ask you to restart computer.


    2. Go to Kaspersky website and perform an online antivirus scan.

    1. Disable your active antivirus program.
    2. Read through the requirements and privacy statement and click on Accept button.
    3. It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
    4. When the downloads have finished, click on Settings.
    5. Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:

    • Spyware, Adware, Dialers, and other potentially dangerous programs
    • Archives
    • Mail databases
    6. Click on My Computer under Scan.
    7. Once the scan is complete, it will display the results. Click on View Scan Report.
    8. You will see a list of infected items there. Click on Save Report As....
    9. Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button. Then post it here.


    Download HijackThis:
    http://free.antivirus.com/hijackthis/
    by clicking on Installer under Version 2.0.4
    Install, and run it.
    Post HijackThis log.
    Do NOT attempt to fix anything!

    NOTE. If you're using Vista, or 7, right click on HijackThis, and click Run as Administrator
     
  22. Zowat

    Zowat TS Rookie Topic Starter

    The computer is running great at the moment. I
     

  23. Broni

    Broni Malware Annihilator Posts: 47,082   +258

    Very good news then :)

    Kaspersky reports some suspicious file in your T-Bird Inbox. Surely, I don't want to yank a whole folder, so please, be careful with your newest mail, especially, if it includes any attachment.

    Other than that....


    Your computer is clean

    1. We need to reset System Restore to prevent your computer from being accidentally reinfected by using some old restore point(s). We'll create a fresh, clean restore point.

    Turn off System Restore:

    - Windows XP:
    1. Click Start.
    2. Right-click the My Computer icon, and then click Properties.
    3. Click the System Restore tab.
    4. Check "Turn off System Restore".
    5. Click Apply.
    6. When turning off System Restore, the existing restore points will be deleted. Click Yes to do this.
    7. Click OK.
    - Windows Vista and 7:
    1. Click Start.
    2. Right-click the Computer icon, and then click Properties.
    3. Click on System Protection under the Tasks column on the left side.
    4. Click on Continue on the "User Account Control" window that pops up.
    5. Under the System Protection tab, find Available Disks.
    6. Uncheck the box for any drive you wish to disable System Restore on (in most cases, drive "C:").
    7. When turning off System Restore, the existing restore points will be deleted. Click "Turn System Restore Off" on the popup window to do this.
    8. Click OK.

    2. Restart computer.

    3. Turn System Restore on.

    4. Make sure Windows Updates are current.

    5. If any Trojan was listed among your infection(s), make sure you change all of your important on-line passwords (bank account(s), secured web sites, etc.) immediately!

    6. Download and install WOT (Web of Trust): http://www.mywot.com/. It'll warn you (in most cases) about dangerous web sites.

    7. Run defrag at your convenience.

    8. Read How did I get infected?, With steps so it does not happen again!: http://www.bleepingcomputer.com/forums/topic2520.html

    9. Please let me know how your computer is doing.
     
  24. Zowat

    Zowat TS Rookie Topic Starter

    My computer is still going great. I can't thank you enough for all your help.
     
  25. Broni

    Broni Malware Annihilator Posts: 47,082   +258

    You're very welcome
    Good luck and stay safe :)
     