Tech Support Forum: Virus/Trojan/Spyware Help
#1 (permalink)
Registered User
Join Date: Sep 2009
Posts: 2
OS: xp
Bad Image Error
Recently I thought I had successfully removed the Windows Pro Police virus, which I guess is a new virus? Not sure. Once I thought I had removed it and restarted the comp, I began receiving bad error messages such as:

The application or DLL globalroot\systemroot\system32\gasfkyyktetnpf.dll is not a valid Windows image. Please check this against your installation diskette.

I have tried to read and apply the many posts I see on bad error messages but nothing has worked, and I really don't know what it is I am doing, so I am asking for help, and many thanks in advance. I followed the steps to posting with DDS and such, so attached is the info needed and here is the DDS log. I also have a HijackThis log, but since I didn't see it as a request before posting I am leaving it out for now. Again, many, many thanks for the help in advance, and thank you for taking the time to help newbies like me out!

DDS (Ver_09-09-24.01) - NTFSx86
Run by Julio at 15:03:40.84 on Sat 09/26/2009
Internet Explorer: 7.0.5730.11 BrowserJavaVersion: 1.5.0_12
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1023.612 [GMT -4:00]

AV: Spy Sweeper with AntiVirus *On-access scanning disabled* (Updated) {B3891867-7230-459B-9987-E7CCFA7A7D1D}
AV: Trend Micro AntiVirus *On-access scanning disabled* (Updated) {7D2296BC-32CC-4519-917E-52E652474AF5}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Documents and Settings\Julio\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
mDefault_Page_URL = hxxp://www.yahoo.com
mStart Page = hxxp://www.yahoo.com
mSearchAssistant = hxxp://www.google.com/ie
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.3.4501.1418\swg.dll
BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - c:\program files\google\google toolbar\component\fastsearch_B7C5AC242193BB3E.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: Verizon Broadband Toolbar: {4e7bd74f-2b8d-469e-8cb0-ab60bb9aae22} -
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [SpybotSD TeaTimer] "c:\program files\spybot - search & destroy\TeaTimer.exe"
mRun: [NvCplDaemon] "RUNDLL32.EXE" c:\windows\system32\NvCpl.dll,NvStartup
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [SpySweeper] "c:\program files\webroot\spy sweeper\SpySweeperUI.exe" /startintray
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1202821265734
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} - hxxp://web1.shutterfly.com/downloads/Uploader.cab
DPF: {CAFEEFAC-0015-0000-0012-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_12-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0016-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_16-windows-i586.cab
Notify: WRNotifier - WRLogonNTF.dll
SEH: {661778f7-cdda-4611-99b0-43245c7e971d} - c:\windows\system32\vtUkljKb.dll
LSA: Notification Packages = scecli

============= SERVICES / DRIVERS ===============

R2 tmpreflt;tmpreflt;c:\windows\system32\drivers\tmpreflt.sys [2007-9-28 36368]
R2 WebrootSpySweeperService;Webroot Spy Sweeper Engine;c:\program files\webroot\spy sweeper\SpySweeper.exe [2008-2-12 3572592]
S2 tmevtmgr;tmevtmgr;c:\windows\system32\drivers\tmevtmgr.sys [2008-2-12 52624]
S3 dump_wmimmc;dump_wmimmc;\??\c:\nexon\maplestory\gameguard\dump_wmimmc.sys --> c:\nexon\maplestory\gameguard\dump_wmimmc.sys [?]
S3 tmproxy;Trend Micro Proxy Service;c:\program files\trend micro\internet security\TmProxy.exe [2008-2-12 648456]

=============== Created Last 30 ================

2009-09-26 14:41 73,728 a------- c:\windows\system32\javacpl.cpl
2009-09-25 12:30 795 a------- c:\windows\wininit.ini
2009-09-25 11:46 <DIR> --d----- c:\program files\Spybot - Search & Destroy
2009-09-25 11:46 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2009-09-24 11:17 <DIR> --d----- c:\docume~1\julio\applic~1\Malwarebytes
2009-09-24 11:17 38,224 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-09-24 11:17 19,160 a------- c:\windows\system32\drivers\mbam.sys
2009-09-24 11:17 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-09-24 11:17 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-09-24 11:08 <DIR> --d----- C:\_OTM
2009-09-21 17:32 <DIR> --d----- c:\program files\uTorrent
2009-09-21 17:31 <DIR> --d----- c:\docume~1\julio\applic~1\uTorrent
2009-09-14 01:59 <DIR> --d----- c:\program files\Steam
2009-09-08 20:29 153,088 -c------ c:\windows\system32\dllcache\triedit.dll
2009-09-06 00:23 <DIR> --d----- c:\docume~1\alluse~1\applic~1\NexonUS
2009-09-04 14:19 411,368 a------- c:\windows\system32\deploytk.dll
2009-09-04 14:18 <DIR> --d----- c:\docume~1\alluse~1\applic~1\PMB Files
2009-09-04 14:18 204 a------- C:\Plugins
2009-09-04 14:17 <DIR> --d----- c:\program files\Pando Networks

==================== Find3M ====================

2009-08-05 05:11 204,800 a------- c:\windows\system32\mswebdvd.dll
2009-07-17 14:55 58,880 a------- c:\windows\system32\atl.dll
2009-07-13 02:18 233,472 a------- c:\windows\system32\wmpdxm.dll
2009-06-29 12:12 827,392 a------- c:\windows\system32\wininet.dll
2009-06-29 12:12 78,336 a------- c:\windows\system32\ieencode.dll
2009-06-29 12:12 17,408 a------- c:\windows\system32\corpol.dll

============= FINISH: 15:05:35.32 ===============
#2 (permalink)
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
Join Date: Jan 2005
Location: Ohio
Posts: 27,017
OS: WinXP and Vista
Re: Bad Image Error
Hello kingviper12,

Even after your efforts, the rootkit is still active. Before we run our tools, your logs show that you currently have 2 Anti Virus programs installed and running on your system.

Spy Sweeper with AntiVirus
Trend Micro AntiVirus

While it may seem to be added protection for you, more than 1 Anti Virus can cause conflicts and confusion between the AV programs as well as system instability. Please choose and run only 1 and uninstall the other via the Add/Remove Programs in the Control Panel.

After you've completed the above, it will require more than one round to properly clean your system. Please stay with me until given the 'all clear' even if symptoms seemingly abate.

***************************************************
Download ComboFix from one of these locations:
Link 1
Link 2
* IMPORTANT- Save ComboFix.exe to your Desktop
====================================================
Disable your AntiVirus and AntiSpyware applications as they will interfere with our tools and the removal.
====================================================
Double click on combofix.exe & follow the prompts.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply for further review.
#3 (permalink)
Registered User
Join Date: Sep 2009
Posts: 2
OS: xp
Re: Bad Image Error
As requested. The messages have stopped now and this is the log. Thanks again for your help.
ComboFix 09-09-25.01 - Julio 09/27/2009 0:27.2.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1023.657 [GMT -4:00]
Running from: c:\documents and settings\Julio\Desktop\meals.exe
AV: Spy Sweeper with AntiVirus *On-access scanning disabled* (Updated) {B3891867-7230-459B-9987-E7CCFA7A7D1D}
AV: Trend Micro AntiVirus *On-access scanning disabled* (Updated) {7D2296BC-32CC-4519-917E-52E652474AF5}
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
---- Previous Run -------
.
c:\windows\system32\drivers\gasfkymvufyuyl.sys
c:\windows\system32\drivers\Sonyhcp.dll
c:\windows\system32\gasfkydndbwrrw.dat
c:\windows\system32\gasfkyeoanvbvp.dat
c:\windows\system32\gasfkyexmnmpcb.dll
c:\windows\system32\gasfkyostypykt.dll
c:\windows\system32\gasfkyyktetnpf.dll
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Service_gasfkygyspqjwb
-------\Legacy_gasfkygyspqjwb
-------\Service_gasfkygyspqjwb

((((((((((((((((((((((((( Files Created from 2009-08-27 to 2009-09-27 )))))))))))))))))))))))))))))))
.
2009-09-25 15:46 . 2009-09-25 15:48 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-09-25 15:46 . 2009-09-25 15:47 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-09-24 15:17 . 2009-09-24 15:17 -------- d-----w- c:\documents and settings\Julio\Application Data\Malwarebytes
2009-09-24 15:17 . 2009-09-10 18:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-09-24 15:17 . 2009-09-25 15:17 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-09-24 15:17 . 2009-09-24 15:17 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-09-24 15:17 . 2009-09-10 18:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-09-24 15:08 . 2009-09-24 15:08 -------- d-----w- C:\_OTM
2009-09-21 21:32 . 2009-09-21 21:32 -------- d-----w- c:\program files\uTorrent
2009-09-21 21:31 . 2009-09-21 23:18 -------- d-----w- c:\documents and settings\Julio\Application Data\uTorrent
2009-09-14 05:59 . 2009-09-24 15:32 -------- d-----w- c:\program files\Steam
2009-09-10 22:33 . 2009-09-10 22:33 -------- d-----w- c:\documents and settings\User\Local Settings\Application Data\Apple
2009-09-10 22:30 . 2009-09-10 22:30 -------- d-----w- c:\documents and settings\User\Application Data\Apple Computer
2009-09-09 00:29 . 2009-06-21 22:04 153088 -c----w- c:\windows\system32\dllcache\triedit.dll
2009-09-07 23:34 . 2009-09-07 23:34 -------- d-----w- c:\documents and settings\Judy\Application Data\Corel
2009-09-06 04:23 . 2009-09-06 16:25 -------- d-----w- c:\documents and settings\All Users\Application Data\NexonUS
2009-09-06 03:24 . 2009-09-06 15:01 -------- d-----w- c:\documents and settings\User\Local Settings\Application Data\PMB Files
2009-09-04 18:19 . 2009-09-26 18:41 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-09-04 18:19 . 2009-09-05 02:08 -------- d-----w- c:\documents and settings\Julio\Local Settings\Application Data\PMB Files
2009-09-04 18:18 . 2009-09-06 03:29 -------- d-----w- c:\documents and settings\All Users\Application Data\PMB Files
2009-09-04 18:17 . 2009-09-04 18:17 -------- d-----w- c:\program files\Pando Networks
2009-08-30 16:35 . 2009-08-30 16:35 -------- d-----w- c:\documents and settings\User\Application Data\U3
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-09-26 18:41 . 2008-05-27 01:10 -------- d-----w- c:\program files\Java
2009-08-25 21:38 . 2007-06-29 02:18 42560 ----a-w- c:\documents and settings\Julissa\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-08-05 09:11 . 2003-07-16 20:37 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-08-05 01:12 . 2009-08-05 01:10 -------- d-----w- c:\documents and settings\Julio\Application Data\FUJIFILM
2009-07-17 18:55 . 2003-07-16 20:24 58880 ----a-w- c:\windows\system32\atl.dll
2009-07-13 06:18 . 2004-08-04 07:56 233472 ----a-w- c:\windows\system32\wmpdxm.dll
2009-06-29 16:12 . 2006-06-23 15:33 827392 ----a-w- c:\windows\system32\wininet.dll
2009-06-29 16:12 . 2004-08-04 07:56 78336 ----a-w- c:\windows\system32\ieencode.dll
2009-06-29 16:12 . 2003-07-16 20:25 17408 ----a-w- c:\windows\system32\corpol.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-08-12 68856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2003-10-06 5058560]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-09-26 149280]
"MSConfig"="c:\windows\pchealth\helpctr\Binaries\MSCONFIG.EXE" [2004-08-04 158208]
"SpySweeper"="c:\program files\Webroot\Spy Sweeper\SpySweeperUI.exe" [2008-01-05 5367664]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WebrootSpySweeperService]
@="Service"

[HKLM\~\startupfolder\C:^Documents and Settings^Julio^Start Menu^Programs^Startup^Picture Motion Browser Media Check Tool.lnk]
path=c:\documents and settings\Julio\Start Menu\Programs\Startup\Picture Motion Browser Media Check Tool.lnk
backup=c:\windows\pss\Picture Motion Browser Media Check Tool.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Nexon\\MapleStory\\MapleStory.exe"=
"c:\\Nexon\\MapleStory\\Patcher.exe"=
"c:\\Program Files\\IncrediMail\\bin\\ImpCnt.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Pando Networks\\Media Booster\\PMB.exe"=
"c:\\Documents and Settings\\All Users\\Application Data\\NexonUS\\NGM\\NGM.exe"=
"c:\nexon\Combat Arms\CombatArms.exe"= c:\nexon\Combat Arms\CombatArms.exe:*Enabled:CombatArms.exe
"c:\nexon\Combat Arms\Engine.exe"= c:\nexon\Combat Arms\Engine.exe:*Enabled:Engine.exe
"c:\\Nexon\\Combat Arms\\NMService.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"58099:TCP"= 58099:TCP:Pando Media Booster
"58099:UDP"= 58099:UDP:Pando Media Booster

R2 tmevtmgr;tmevtmgr;c:\windows\system32\drivers\tmevtmgr.sys [2/12/2008 8:22 AM 52624]
R2 tmpreflt;tmpreflt;c:\windows\system32\drivers\tmpreflt.sys [9/28/2007 2:09 AM 36368]
S3 dump_wmimmc;dump_wmimmc;\??\c:\nexon\MapleStory\GameGuard\dump_wmimmc.sys --> c:\nexon\MapleStory\GameGuard\dump_wmimmc.sys [?]
S3 tmproxy;Trend Micro Proxy Service;c:\program files\Trend Micro\Internet Security\TmProxy.exe [2/12/2008 8:23 AM 648456]
.
Contents of the 'Scheduled Tasks' folder

2008-10-30 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 19:57]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/
mDefault_Page_URL = hxxp://www.yahoo.com
mStart Page = hxxp://www.yahoo.com
mSearchAssistant = hxxp://www.google.com/ie
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
.
- - - - ORPHANS REMOVED - - - -

AddRemove-MWASPI - c:\mwaspi\uninst.exe

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-09-27 00:53
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10c.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10c.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{19114156-8E9A-4D4E-9EE9-17A0E48D3BBB}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}]
@Denied: (A 2) (Everyone)
@="IFlashBroker3"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{1D4C8A81-B7AC-460A-8C23-98713C41D6B3}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(648)
c:\windows\system32\WRLogonNTF.dll

- - - - - - - > 'explorer.exe'(3356)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\windows\system32\nvsvc32.exe
c:\program files\Webroot\Spy Sweeper\SpySweeper.exe
c:\program files\Trend Micro\BM\TMBMSRV.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2009-09-27 1:03 - machine was rebooted
ComboFix-quarantined-files.txt 2009-09-27 05:03

Pre-Run: 1,804,963,840 bytes free
Post-Run: 1,696,833,536 bytes free

171 --- E O F --- 2009-09-09 00:38
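An added example, not part of the thread and not ComboFix's or any poster's code: the files and service keys ComboFix removed in the log above share a name prefix with the DLL from the original error message, and this Python sketch shows how a defender could surface such shared-prefix clusters from a pasted log. The prefix length of 6, the minimum cluster size of 3 and all function names are assumptions; the sample input is constructed from paths quoted in this thread.

```python
import re
from collections import defaultdict

# Constructed sample input: paths and service keys quoted from the ComboFix
# log in this thread, plus three unrelated system32 files for contrast.
SAMPLE_LOG = r"""
c:\windows\system32\drivers\gasfkymvufyuyl.sys
c:\windows\system32\drivers\Sonyhcp.dll
c:\windows\system32\gasfkydndbwrrw.dat
c:\windows\system32\gasfkyeoanvbvp.dat
c:\windows\system32\gasfkyexmnmpcb.dll
c:\windows\system32\gasfkyostypykt.dll
c:\windows\system32\gasfkyyktetnpf.dll
-------\Service_gasfkygyspqjwb
-------\Legacy_gasfkygyspqjwb
c:\windows\system32\wininet.dll
c:\windows\system32\atl.dll
c:\windows\system32\wmpdxm.dll
"""

# The error text quoted in the first post of the thread.
ERROR_TEXT = (r"The application or DLL globalroot\systemroot\system32"
              r"\gasfkyyktetnpf.dll is not a valid Windows image.")

# File name at the end of a backslash-separated path, and ComboFix's
# Service_/Legacy_ key names (hypothetical helper patterns for this example).
FILE_RE = re.compile(r"\\([\w~-]+)\.(sys|dll|dat|exe)\b", re.IGNORECASE)
SVC_RE = re.compile(r"\b(?:Service|Legacy)_(\w+)")


def extract_artifacts(log_text):
    """Return a set of (stem, label) pairs for files and services in the log."""
    found = set()
    for stem, ext in FILE_RE.findall(log_text):
        found.add((stem.lower(), f"{stem.lower()}.{ext.lower()}"))
    for stem in SVC_RE.findall(log_text):
        found.add((stem.lower(), f"service:{stem.lower()}"))
    return found


def prefix_clusters(log_text, prefix_len=6, min_members=3):
    """Group artifacts whose names share the first prefix_len characters.

    prefix_len and min_members are assumed thresholds, not values taken
    from any tool; names no longer than the prefix are ignored.
    """
    groups = defaultdict(set)
    for stem, label in extract_artifacts(log_text):
        if len(stem) > prefix_len:
            groups[stem[:prefix_len]].add(label)
    return {p: sorted(m) for p, m in groups.items() if len(m) >= min_members}


def cluster_for(text, clusters):
    """Return the cluster prefix matching a file named in text, else None."""
    for stem, _ext in FILE_RE.findall(text):
        for prefix in clusters:
            if stem.lower().startswith(prefix):
                return prefix
    return None


if __name__ == "__main__":
    clusters = prefix_clusters(SAMPLE_LOG)
    for prefix, members in clusters.items():
        print(prefix, len(members), members)
    print("error message belongs to:", cluster_for(ERROR_TEXT, clusters))
```

Legitimate software also ships families of files with a common prefix, so a cluster is a lead for review rather than a verdict.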
#4 (permalink)
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
Join Date: Jan 2005
Location: Ohio
Posts: 27,017
OS: WinXP and Vista
Re: Bad Image Error
You're welcome, kingviper12.
It would be prudent to run an online scan to search for remnants that may be lurking about. Please go here to run an online scanner from ESET.