"Bad Image" popups when programs opened

Hi,

Would you please help me get rid of a particularly nasty and hard-to-remove virus? It causes the familiar "bad image" popup to appear whenever a program is started. I've uninstalled older versions of Adobe Reader and Java, replacing them with the newest versions. I have Norton Internet Security and Microsoft Security Essentials, so I'm not sure how I got a virus in the first place. I've tried to go through the 8-step virus removal process from your website, and am posting/attaching the files here as requested. Because the GMER log file has text wrapping issues, I've attached the text file instead of posting the text in this message. Also as you requested, I have not done the ComboFix step. Please help me through the next phase in this process and/or let me know what is missing. I can't thank you enough, and I really appreciate your help.

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4156

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

5/30/2010 4:13:22 PM
mbam-log-2010-05-30 (16-13-22).txt

Scan type: Quick scan
Objects scanned: 132282
Time elapsed: 15 minute(s), 12 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)
 

Attachments

  • gmer2.log (13.4 KB)
  • DDS2.txt (18.1 KB)
  • Attach2.txt (14.6 KB)
Welcome to TechSpot, Steve. I'll help with the malware. Thank you for not going ahead and running ComboFix until instructed to do so.

It looks like you are running the Zone Alarm firewall in addition to Norton Security. You should only have one software firewall, so I suggest you remove ZA.

Appears you may have a rootkit, so I will have you run ComboFix:

Please download ComboFix from Here and save to your Desktop.

[1]. Do NOT rename ComboFix unless instructed.
[2]. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
[3]. Close any open browsers.
[4]. Double click combofix.exe & follow the prompts to run.
     NOTE: ComboFix will disconnect your machine from the Internet as soon as it starts. The connection is automatically restored before CF completes its run. If it does not, restart your computer to restore your connection.
[5]. If ComboFix asks you to install the Recovery Console, please allow it.
[6]. If ComboFix asks you to update the program, always allow.
     Please do not attempt to re-connect your machine to the Internet until ComboFix has completely finished.
[7]. A report will be generated after the scan. Please post the C:\ComboFix.txt in your next reply.

Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.
Note: Make sure you re-enable your security programs when you're done with ComboFix.
=================================
After that scan is complete, proceed with this:
Custom CFScript


[1]. Close any open browsers.
[2]. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
[3]. Open Notepad and copy/paste the text in the code below into it:

Code:
File::

Folder::

Registry::

Driver::

FCopy::
C:\WINDOWS\ServicePackFiles\i386\atapi.sys | C:\Windows\System32\drivers\atapi.sys
Save this as CFScript.txt, in the same location as ComboFix.exe
[Image: CFScriptB-4.gif, showing CFScript.txt being dragged onto ComboFix.exe]


Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it will produce a log for you at C:\ComboFix.txt . Please attach to your next reply.
====================
Then run the Eset NOD32 Online AntiVirus Scanner HERE
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the Active X control to install
  • Disable your current Antivirus software. You can usually do this with its Notification Tray icon near the clock.
  • Click Start
  • Make sure that the option "Remove found threats" is Unchecked, and the option "Scan unwanted applications" is checked
  • Click Scan
  • Wait for the scan to finish
  • Re-enable your Antivirus software.
  • A logfile is created and located at C:\Program Files\EsetOnlineScanner\log.txt. Please include this on your post.

Please include the logs with your next reply.
 
After ComboFix and Eset

Hi Bobbye,

Thank you for your help. As you recommended, I ran ComboFix twice and both of those log files are included. In addition, the ESET scanner log file is attached. Notably, during the ComboFix run, I had to close countless (probably several hundred) popup windows. I ended up just holding the 'Enter' key.

I searched my computer for ZoneAlarm, but couldn't find it. Is it the same thing as Spybot or Microsoft Security Essentials? I have those in addition to Norton. Perhaps I will remove Microsoft Security Essentials because it hogs so much RAM. If you have a chance to look, since the ComboFix and Eset run, my computer keeps crashing to a blue screen. I've attached the report of the latest error report. Any ideas?

Awaiting your reply for the next step in the process.

Sincerely,
Steve
 

Attachments

  • After First ComboFix Run.txt (16.5 KB)
  • ComboFix after creating CFScript text file.txt (16.7 KB)
  • Eset Scan log file.txt (974 bytes)
  • crash report.txt (338 bytes)
Microsoft Security Essentials has an antivirus program but not a firewall. You should only have one AV program. If you keep MSE, enable the built in Windows Firewall. If you keep Norton, use the AV and firewall it has.

Spybot Search & Destroy is an antimalware program and you can have multiples of this type of program. But watch for programs that now include antivirus with antispyware as some are now doing.

By the way, you are running out of hard drive space:
C: is FIXED (NTFS) - 37 GiB total, 3.72 GiB free (10% free).
Suggest you uninstall anything you aren't using.

I don't do the minidumps, but from the little I know, the BCC 0a, if together with 'bad image', can refer to some kind of memory problem or a driver. I'll have you remove the ZA entry driver and see if that helps:

Custom CFScript

[1]. Close any open browsers.
[2]. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
[3]. Open Notepad and copy/paste the text in the code below into it:
Code:
File::
c:\windows\system32\vsdatant.sys
C:\AOL Instant Messenger\AIM.exe 

Folder::
c:\documents and settings\All Users\Application Data\McAfee.com

Extra::
File::
c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
Firefox::
Firefox:- Profile - c:\documents and settings\Stephen Chamberland\Application Data\Mozilla\Firefox\Profiles\jxth1wx8.default\

DDS::
BHO: {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - No File
TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File
TB: {4982D40A-C53B-4615-B15B-B5B5E98D167C} - No File
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File

RegNull::
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{564572D7-BA6B-A81E-17332C14105A24EF}\{35AC4256-1B84-66D8-7C4583AC3B4AA35B}\{791C0703-8CF5-813B-67470F66B09458B3}*]
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A31F0760-3CAF-40FF-C311EB15E667F290}\{E2D01E6A-D52B-9055-85F4CB9FDFA44017}\{62A48FA1-2175-E3E4-19BA4655EA387446}*]
RegLock::
[HKEY_LOCAL_MACHINE\software\DeterministicNetworks\DNE\Parameters]

Driver::
vsdatant
Save this as CFScript.txt, in the same location as ComboFix.exe
[Image: CFScriptB-4.gif, showing CFScript.txt being dragged onto ComboFix.exe]


Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it will produce a log for you at C:\ComboFix.txt . Please attach to your next reply.
====================
I included the AIM file that Eset found infected with the Minibug adware. You might want to stay away from the weather programs. Some are okay, others bring trash with them.
=========================
There are 2 files I'd like you to submit for identification:
Please put each into the dialog box here, one at a time:
http://www.virscan.org/

Suspicious file(s) to scan: > browse or upload.

c:\windows\system32\drivers\pkdjepxt.sys

c:\windows\system32\drivers\mclpqlle.sys


1, You can UPLOAD any files, but there is 20Mb limit per file.
2, VirSCAN supports Rar/Zip decompression, but it must be less than 20 files.
3, VirSCAN can scan compressed files with password 'infected' or 'virus'.

Leave the logs produced in your next reply.
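As an added example that is not part of the thread and not one of the tools the helper uses, the PowerShell script below performs two of the checks above by hand: it compares the live atapi.sys against the copy Windows keeps under ServicePackFiles (the file the first CFScript restores with its FCopy:: line), and it triages the drivers folder for files like pkdjepxt.sys and mclpqlle.sys whose names look machine-generated, printing each one's SHA-256 so the hash can be looked up on a multi-engine scanner before the file itself is uploaded. The paths come from the thread; the "looks random" rule (eight lowercase letters with at most two vowels), the function names and the choice of SHA-256 are my own assumptions, and the script assumes an elevated PowerShell 2.0 or later session on the affected machine.

```powershell
# Added example, not from the thread. Assumes an elevated PowerShell 2.0+ session
# on the affected machine; $env:SystemRoot is C:\WINDOWS on the XP box in the thread.

function Get-Sha256Hex {
    # Version-independent SHA-256 (Get-FileHash only exists on PowerShell 4+).
    param([string]$Path)
    $sha = [System.Security.Cryptography.SHA256]::Create()
    $fs  = [System.IO.File]::OpenRead($Path)
    try     { ($sha.ComputeHash($fs) | ForEach-Object { $_.ToString('x2') }) -join '' }
    finally { $fs.Close() }
}

function Test-LooksRandomName {
    # Assumed heuristic: 8 lowercase letters with at most two vowels, e.g. pkdjepxt.
    param([string]$BaseName)
    $b = $BaseName.ToLower()
    $vowelCount = ($b -replace '[^aeiou]', '').Length
    return ($b -match '^[a-z]{8}$') -and ($vowelCount -le 2)
}

$drivers = Join-Path $env:SystemRoot 'System32\drivers'

# 1. Live atapi.sys vs the copy Windows keeps under ServicePackFiles.
#    A hash mismatch is what the FCopy:: line in the first CFScript repairs.
$live   = Join-Path $drivers 'atapi.sys'
$backup = Join-Path $env:SystemRoot 'ServicePackFiles\i386\atapi.sys'
if ((Test-Path $live) -and (Test-Path $backup)) {
    $liveHash = Get-Sha256Hex $live
    $backHash = Get-Sha256Hex $backup
    "atapi.sys live   : $liveHash"
    "atapi.sys backup : $backHash"
    if ($liveHash -ne $backHash) {
        'WARNING: live atapi.sys differs from the ServicePackFiles copy (possible patched driver)'
    } else {
        'atapi.sys matches the ServicePackFiles copy'
    }
}

# 2. Triage every .sys in the drivers folder: Authenticode status, whether the
#    name looks machine-generated, last write time and SHA-256. Look the hash up
#    on a multi-engine scanner first; upload the file only if the hash is unknown.
Get-ChildItem $drivers -Filter *.sys |
  ForEach-Object {
    $sig    = Get-AuthenticodeSignature $_.FullName
    $signer = ''
    if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }
    New-Object PSObject -Property @{
        Name        = $_.Name
        Signature   = $sig.Status
        Signer      = $signer
        LooksRandom = Test-LooksRandomName $_.BaseName
        Modified    = $_.LastWriteTime
        Sha256      = Get-Sha256Hex $_.FullName
    }
  } |
  Where-Object { $_.LooksRandom } |
  Sort-Object Modified -Descending |
  Format-List Name, Signature, Signer, Modified, Sha256
```

One caveat for a machine of this vintage: PowerShell 2.0's Get-AuthenticodeSignature only checks embedded signatures, and most legitimate Microsoft drivers on XP are signed through catalog (.cat) files, so they will report NotSigned. Treat the Signature column as informational and the LooksRandom filter as the actual trigger; drop the Where-Object line to list every driver with its hash.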