Adlice forum
General Category => Malware removal help => Topic started by: pluresmens on March 12, 2015, 03:04:42 AM
-
Hello Computer Warlocks :o
I've been wrestling with a badimage.exe virus for some time and I've employed RogueKiller and Malwarebytes to help with the issue. I know I cleaned the system up some, but I'm running into errors with cleaning known malware with RogueKiller.
I'll attach the report. Can you help a brother out?
-----------------
RogueKiller V10.5.3.0 (x64) [Mar 10 2015] by Adlice Software
mail : http://www.adlice.com/contact/
Feedback : http://forum.adlice.com
Website : http://www.adlice.com/softwares/roguekiller/
Blog : http://www.adlice.com
Operating System : Windows 7 (6.1.7601 Service Pack 1) 64 bits version
Started in : Normal mode
User : Martin [Administrator]
Started from : C:\Users\Martin\Desktop\RogueKillerX64.exe
Mode : Delete -- Date : 03/11/2015 21:57:12
¤¤¤ Processes : 0 ¤¤¤
¤¤¤ Registry : 7 ¤¤¤
[PUM.Policies] (X64) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System | ConsentPromptBehaviorAdmin : 2 -> Replaced (2)
[PUM.Policies] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System | ConsentPromptBehaviorAdmin : 2 -> Replaced (2)
[PUM.DesktopIcons] (X64) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {20D04FE0-3AEA-1069-A2D8-08002B30309D} : 0 -> Replaced (0)
[PUM.DesktopIcons] (X64) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {59031a47-3f72-44a7-89c5-5595fe6b30ee} : 0 -> Replaced (0)
[PUM.DesktopIcons] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {20D04FE0-3AEA-1069-A2D8-08002B30309D} : 0 -> Replaced (0)
[PUM.DesktopIcons] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {59031a47-3f72-44a7-89c5-5595fe6b30ee} : 0 -> Replaced (0)
[Suspicious.Path] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows | AppInit_DLLs :
¤¤¤ Tasks : 1 ¤¤¤
[Suspicious.Path] {284EBAD3-68A9-44FB-A9C3-4E876834B1CC}.job -- C:\ProgramData\BetterSoft\SaveAs\SaveAs.exe (/schedule /profile "C:\PROGRA~3\BETTER~1\SaveAs\profile.ini") -> ERROR
¤¤¤ Files : 1 ¤¤¤
[File.Forged][File] xnacc.sys -- C:\Windows\System32\drivers\xnacc.sys -> ERROR [32]
¤¤¤ Hosts File : 0 [Too big!] ¤¤¤
¤¤¤ Antirootkit : 0 (Driver: Loaded) ¤¤¤
¤¤¤ Web browsers : 0 ¤¤¤
¤¤¤ MBR Check : ¤¤¤
+++++ PhysicalDrive0: RAID0 +++++
--- User ---
[MBR] 19cbe3ea4a1c9388a555bab5a62c8c8a
[BSP] 91472c7336a6339c15c60405684d34ec : Windows Vista/7/8 MBR Code
Partition table:
0 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 63 | Size: 14009 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
1 - [ACTIVE] NTFS (0x7) [VISIBLE] Offset (sectors): 28692090 | Size: 367541 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
User = LL1 ... OK
Error reading LL2 MBR! ([57] The parameter is incorrect. )
+++++ PhysicalDrive1: Generic-Multi-Card USB Device +++++
Error reading User MBR! ([15] The device is not ready. )
Error reading LL1 MBR! NOT VALID!
Error reading LL2 MBR! ([32] The request is not supported. )
-
Hi pluresmens,
Welcome to Adlice.com Forum.
- Please download TDSSKiller (http://media.kaspersky.com/utilities/VirusUtilities/EN/tdsskiller.exe) and save it to your Desktop.
- Double-click on TDSSKiller.exe to run the application, then click on Change parameters.
(http://i1118.photobucket.com/albums/k611/lhs22/tds2.jpg)
- Check Loaded Modules and Detect TDLFS file system.
- If you are asked to reboot because an "Extended Monitoring Driver is required" please click Reboot now.
(http://i1118.photobucket.com/albums/k611/lhs22/2012081514h0118.png)
- Click Start Scan and allow the scan process to run.
If threats are detected select Skip for all of them unless I instruct you otherwise.
- Click Continue
(http://i1118.photobucket.com/albums/k611/lhs22/tds6.jpg)
- Click Reboot computer
Please post the contents of TDSSKiller.[Version]_[Date]_[Time]_log.txt found in your root directory (typically C:\) in your next reply.
Regards.
-
Curson, I'm happy to report that the updated RogueKiller driver did stop the badimage windows. Below you will find my log from the TDSSKiller scan.
21:19:01.0012 0x1608 TDSS rootkit removing tool 3.0.0.44 Jan 22 2015 08:27:04
21:19:15.0672 0x1608 ============================================================
21:19:15.0672 0x1608 Current date / time: 2015/03/12 21:19:15.0672
21:19:15.0672 0x1608 SystemInfo:
21:19:15.0673 0x1608
21:19:15.0673 0x1608 OS Version: 6.1.7601 ServicePack: 1.0
21:19:15.0673 0x1608 Product type: Workstation
21:19:15.0673 0x1608 ComputerName: MARTIN-PC
21:19:15.0673 0x1608 UserName: Martin
21:19:15.0673 0x1608 Windows directory: C:\Windows
21:19:15.0673 0x1608 System windows directory: C:\Windows
21:19:15.0673 0x1608 Running under WOW64
21:19:15.0673 0x1608 Processor architecture: Intel x64
21:19:15.0673 0x1608 Number of processors: 2
21:19:15.0673 0x1608 Page size: 0x1000
21:19:15.0673 0x1608 Boot type: Normal boot
21:19:15.0673 0x1608 ============================================================
21:19:17.0312 0x1608 KLMD registered as C:\Windows\system32\drivers\96494859.sys
21:19:17.0674 0x1608 System UUID: {CCAE5EBC-7580-8082-4472-9C95289E85AD}
21:19:18.0357 0x1608 Drive \Device\Harddisk0\DR0 - Size: 0x5D27700000 ( 372.62 Gb ), SectorSize: 0x200, Cylinders: 0xBE01, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xFF, Type 'K0', Flags 0x00000040
21:19:18.0385 0x1608 ============================================================
21:19:18.0385 0x1608 \Device\Harddisk0\DR0:
21:19:18.0390 0x1608 MBR partitions:
21:19:18.0390 0x1608 \Device\Harddisk0\DR0\Partition1: MBR, Type 0x7, StartLBA 0x3F, BlocksNum 0x1B5CE3B
21:19:18.0390 0x1608 \Device\Harddisk0\DR0\Partition2: MBR, Type 0x7, StartLBA 0x1B5CE7A, BlocksNum 0x2CDDAE47
21:19:18.0390 0x1608 ============================================================
21:19:18.0418 0x1608 C: <-> \Device\Harddisk0\DR0\Partition2
21:19:18.0457 0x1608 K: <-> \Device\Harddisk0\DR0\Partition1
21:19:18.0457 0x1608 ============================================================
21:19:18.0457 0x1608 Initialize success
21:19:18.0457 0x1608 ============================================================
21:20:11.0211 0x1604 KLMD registered as C:\Windows\system32\drivers\75398767.sys
21:20:12.0568 0x1604 Deinitialize success
-
Hi pluresmens,
TDSSKiller's report is unusually short.
Has the tool encountered any issue during the scan?
Regards.