"Bad Image" pop-up not resolved by 8 step virus removal

[okdp]

Hello All,

I have followed the 8-step removal process and still get a bad image error for Itunes helper on bootup. My Logs are attatched.

Is this a vestage from the infection or is there another step I need to take?

Thanks in advance.

 

[Bobbye]

Malware is not the only cause of a Bad Image error.

I notice that you have both Combofix and OTM on the system. We remove these programs when the system is clean. This makes me wonder if you have gotten help elsewhere and not removed the programs properly. IF you just ran Combofix(which you should not have), give me the log from the scan. If you have not run it, don't. Instead do this:

Uninstall ComboFix and all Backups of the files it deleted

• Click START> then RUN
• Now type Combofix /Uninstall in the runbox and click OK. Note the space between the X and the U, it needs to be there.
  
  

Then download and run a current copy of Combofix:

Please download ComboFix from Here and save to your Desktop.

• 
  [1]. Do NOT rename Combofix unless instructed.
  [2].Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  [3].Close any open browsers.
  [4]. Double click combofix.exe & follow the prompts to run.
• NOTE: Combofix will disconnect your machine from the Internet as soon as it starts. The connection is automatically restored before CF completes its run. If it does not, restart your computer to restore your connection.
  [5]. If Combofix asks you to install Recovery Console, please allow it.
  [6]. If Combofix asks you to update the program, always allow.
• Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
  [7]. A report will be generated after the scan. Please post the C:\ComboFix.txt in next reply.

Note: Do not mouseclick combofix's window while it's running. That may cause it to stall.
Note: Make sure you re-enable your security programs, when you're done with Combofix..
======================================
Follow with Run Eset NOD32 Online AntiVirus Scanner HERE

• Tick the box next to YES, I accept the Terms of Use.
• Click Start
• When asked, allow the Active X control to install
• Disable your current Antivirus software. You can usually do this with its Notification Tray icon near the clock.
• Click Start
• Make sure that the option "Remove found threats" is Unchecked, and the option "Scan unwanted applications" is checked
• Click Scan
• Wait for the scan to finish
• Re-enable your Antivirus software.
• A logfile is created and located at C:\Program Files\EsetOnlineScanner\log.txt. Please include this on your post.

There is also another part to the DDS log named Attach.txt. I need that.
====================================
Include the new logs in next reply.

There are 2 questionable drivers/Services running. I can handle these after you have run Combofix. I can't identify them.

Please do not use any other cleaning programs or scans while I'm helping you, unless I direct you to. Do not use a Registry cleaner or make any changes in the Registry.

 

[okdp]

Bobbye,

Thanks for you help. I had tried combofix previously when I was trying to fix this myself(stumbled across a different thread). That was prior to finding the 8 step thread.

I followed your instructions and the log files you requested are attached.

Thanks,

OKDP

 

[okdp]

Anything further I can do? There were some threats identified by ESET...

Thanks,

OKDP

 

[Bobbye]

So sorry- had family matters come up. Trying to catch up. Autorun infection on Drives C,D and F. If one is a flash drive, it will need to be disinfected also.

Please download OTMovit by Old Timer and save to your desktop.

• Double-click OTMoveIt3.exe to run it. (Vista users, please right click on OTMoveit3.exe and select "Run as an Administrator")
• Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):
  

  :Processes	
  
  :Services
  
  :Reg
  
  :Files 
  C:\Program Files\Alcohol Soft\Alcohol 120\Patch.exe	
  D:\Program Files\Alcohol Soft\Alcohol 120\Patch.exe	
  F:\Images\alt.binaries.boneless\msgid_2063559_Microsoft_Office_2003\Office 2003 AIO EN SP2.part01.rar	
  F:\Images\alt.binaries.boneless\msgid_2063559_Microsoft_Office_2003\Office 2003 AIO EN SP2\Office.2003.SP2.AIO.DVD-XiSO.iso	
  F:\necessaryprograms\alcy.rar	
  F:\necessaryprograms\alcy\alcy\Patch.exe	
  F:\Program Files\Alcohol Soft\Alcohol 120\Patch.exe	
  
  :Commands
  [purity]
  [emptytemp]
  [start explorer]
  [Reboot]

• Return to OTMoveIt3, right click in the "Paste Instructions for Items to be Moved" window and choose Paste.
• Click the red Moveit! button.
• A log of files and folders moved will be created in the c:\_OTMoveIt\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
• Close OTMoveIt3

If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

Go ahead and run this. Looks like you tried to pirate some programs and got malware instead. That's why you're getting the 'bad image.'.

 

[okdp]

The requested log file is attached. It did not fix the problem. The bad image thing started about a week ago.

I don't download programs I don't have the license to (no piracy but the files could certainly have malware), but at any rate, I haven't downloaded anything except for music files from amazon.com in about two years. Could something like this lay dormant?

 

[Bobbye]

Custom CFScript

• 
  [1]. Close any open browsers.
  [2]. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  [3]. Open notepad and copy/paste the text in the code below into it:

File::
c:\windows\system32\drivers\hbnpbkxc.sys
c:\windows\system32\drivers\rsmftkvd.sys

Folder::

Registry::
RegNull::
[HKEY_USERS\S-1-5-21-2025429265-308236825-839522115-1003\Software\SecuROM\License information*]
RegLock::
[HKEY_LOCAL_MACHINE\software\DeterministicNetworks\DNE\Parameters]
Driver::
hbnpbkxc
rsmftkvd

Save this as CFScript.txt, in the same location as ComboFix.exe

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it will produce a log for you at C:\ComboFix.txt . Please attach to your next reply.
====================
Please run a new HijackThis scan and paste it in to the next reply. I'll see if there are any bad entries in that. If the bad image problem continues after that, I will refer you to the Windows OS forum to get help on the system problem,

still get a bad image error for Itunes helper on bootup.

As I told you at the beginning, malware is not the only cause of this.

As for these infected files on C,D & F Drives: C:\Program Files\Alcohol Soft\Alcohol 120\Patch.exe
The only 'patch' I find for these are on torrent sites. Which means at some time, you attempted to either crack or use a keygen for Soft Alcohol. And you put it on 3 different drives, C, D and F. The infected files were removed.

And you got some kind of images which were infected through usenet..

 

[okdp]

Bobbye - Thanks for all your help so far.

The Hijack This Log follows:

"
Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 6:19:51 PM, on 6/29/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.17055)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\NVIDIA Corporation\System Update\UpdateCenterService.exe
C:\Program Files\Avira\AntiVir Desktop\avshadow.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\krendaman\Desktop\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [iTunesHelper] "D:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase8942.cab
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} (OnlineScanner Control) - http://download.eset.com/special/eos/OnlineScanner.cab
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\System32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\System32\browseui.dll
O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Performance Service (nTuneService) - NVIDIA - C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: Update Center Service (UpdateCenterService) - NVIDIA - C:\Program Files\NVIDIA Corporation\System Update\UpdateCenterService.exe

--
End of file - 6111 bytes
"

The problem still persists. Thanks, OKDP

 

[Bobbye]

What does this do: Gigabyte Raid Configurer?

MBR Rootkit Detector

Please download MBR Rootkit Detector and save it on your desktop.

• Pause/Stop all antivirus/spyware active protection.
• Then double click on mbr.exe to run it.
• Select Run when you receive a Security Warning
• The process is automatic, a black DOS window will appear and disappear suddenly. This is normal.
• A log file will the be created on your desktop where you ran mbr.exe
• Copy and paste the contents of mbr.log on your next reply.

============================

 

[okdp]

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
kernel: MBR read successfully
user & kernel MBR OK

 

[Bobbye]

Goodness, I did a bad job on the URL for the program!

I think we're working way too hard for something that is right in front of us! The iTunes Helper is on Startup> it shouldn't be, it doesn't need to be. It is trying to run and not finding something in the system, so you're getting the 'Bad image' message.

Please reopen Hijackthis to 'do system scan only.' Check the following if present:
O4 - HKLM\..\Run: [iTunesHelper] "D:\Program Files\iTunes\iTunesHelper.exe"
04 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

Close all Windows except HijackThis and click on "Fix Checked."

Boot into Safe Mode

• Restart your computer and start pressing the F8 key on your keyboard.
• Select the Safe Mode option when the Windows Advanced Options menu appears, and then press ENTER.

Click on Start> Run> type in msconfig> enter> choose Selective Startup> Startup tab> Uncheck:
iTuner Helper
qtask
Apply> OK.

Reboot. You will get a nag message that you can ignore and close after checking 'don't show this message again.' Stay in Selective Startup.

iTunesHelper.exe What it is.
Background task installed by Apple's iTunes music player and also by version 7 of QuickTime which now comes inseparably bundled with iTunes. It is thought that this task used to be a 3rd party add-on program in the early days of Apple's iPod when its iTunes software was incompatible with many CD-Writers. This task does not need to be installed as a startup since iTunes starts it up anyway when it needs it.
This causes a pain in the side of all the users that have it. See if that doesn't handle the error message.

Here's another unnecessary process on Startup: Disable QuickTime:

• Open QuickTime.
• Click Edit> Preferences> click QuickTime Preferences.
• Now use the dropdown box to adjust Preferences.
• You need to disable (usually uncheck) all boxes related to Auto Updates,
  Tray Icon, other Automatic features, etc.
• Close the window when you are done.
• Close QuickTime.