Show Posts
1
Malware removal help / Badimage.exe
« on: March 12, 2015, 03:04:42 AM »
Hello Computer Warlocks 
I've been wrestling with a badimage.exe virus for some time and i've employed roguekiller and malawarebytes to help with the issue. I know I cleaned the system up some, but im running into errors with cleaning known malware with rogue killer.
Ill attach the report. C :-\an you help a brother out?
-----------------
RogueKiller V10.5.3.0 (x64) [Mar 10 2015] by Adlice Software
mail : http://www.adlice.com/contact/
Feedback : http://forum.adlice.com
Website : http://www.adlice.com/softwares/roguekiller/
Blog : http://www.adlice.com
Operating System : Windows 7 (6.1.7601 Service Pack 1) 64 bits version
Started in : Normal mode
User : Martin [Administrator]
Started from : C:\Users\Martin\Desktop\RogueKillerX64.exe
Mode : Delete -- Date : 03/11/2015 21:57:12
¤¤¤ Processes : 0 ¤¤¤
¤¤¤ Registry : 7 ¤¤¤
[PUM.Policies] (X64) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System | ConsentPromptBehaviorAdmin : 2 -> Replaced (2)
[PUM.Policies] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System | ConsentPromptBehaviorAdmin : 2 -> Replaced (2)
[PUM.DesktopIcons] (X64) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {20D04FE0-3AEA-1069-A2D8-08002B30309D} : 0 -> Replaced (0)
[PUM.DesktopIcons] (X64) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {59031a47-3f72-44a7-89c5-5595fe6b30ee} : 0 -> Replaced (0)
[PUM.DesktopIcons] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {20D04FE0-3AEA-1069-A2D8-08002B30309D} : 0 -> Replaced (0)
[PUM.DesktopIcons] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {59031a47-3f72-44a7-89c5-5595fe6b30ee} : 0 -> Replaced (0)
[Suspicious.Path] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows | AppInit_DLLs :
¤¤¤ Tasks : 1 ¤¤¤
[Suspicious.Path] {284EBAD3-68A9-44FB-A9C3-4E876834B1CC}.job -- C:\ProgramData\BetterSoft\SaveAs\SaveAs.exe (/schedule /profile "C:\PROGRA~3\BETTER~1\SaveAs\profile.ini") -> ERROR
¤¤¤ Files : 1 ¤¤¤
[File.Forged][File] xnacc.sys -- C:\Windows\System32\drivers\xnacc.sys -> ERROR [32]
¤¤¤ Hosts File : 0 [Too big!] ¤¤¤
¤¤¤ Antirootkit : 0 (Driver: Loaded) ¤¤¤
¤¤¤ Web browsers : 0 ¤¤¤
¤¤¤ MBR Check : ¤¤¤
+++++ PhysicalDrive0: RAID0 +++++
--- User ---
[MBR] 19cbe3ea4a1c9388a555bab5a62c8c8a
[BSP] 91472c7336a6339c15c60405684d34ec : Windows Vista/7/8 MBR Code
Partition table:
0 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 63 | Size: 14009 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
1 - [ACTIVE] NTFS (0x7) [VISIBLE] Offset (sectors): 28692090 | Size: 367541 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
User = LL1 ... OK
Error reading LL2 MBR! ([57] The parameter is incorrect. )
+++++ PhysicalDrive1: Generic-Multi-Card USB Device +++++
Error reading User MBR! ([15] The device is not ready. )
Error reading LL1 MBR! NOT VALID!
Error reading LL2 MBR! ([32] The request is not supported. )
I've been wrestling with a badimage.exe virus for some time and i've employed roguekiller and malawarebytes to help with the issue. I know I cleaned the system up some, but im running into errors with cleaning known malware with rogue killer.
Ill attach the report. C :-\an you help a brother out?
-----------------
RogueKiller V10.5.3.0 (x64) [Mar 10 2015] by Adlice Software
mail : http://www.adlice.com/contact/
Feedback : http://forum.adlice.com
Website : http://www.adlice.com/softwares/roguekiller/
Blog : http://www.adlice.com
Operating System : Windows 7 (6.1.7601 Service Pack 1) 64 bits version
Started in : Normal mode
User : Martin [Administrator]
Started from : C:\Users\Martin\Desktop\RogueKillerX64.exe
Mode : Delete -- Date : 03/11/2015 21:57:12
¤¤¤ Processes : 0 ¤¤¤
¤¤¤ Registry : 7 ¤¤¤
[PUM.Policies] (X64) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System | ConsentPromptBehaviorAdmin : 2 -> Replaced (2)
[PUM.Policies] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System | ConsentPromptBehaviorAdmin : 2 -> Replaced (2)
[PUM.DesktopIcons] (X64) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {20D04FE0-3AEA-1069-A2D8-08002B30309D} : 0 -> Replaced (0)
[PUM.DesktopIcons] (X64) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {59031a47-3f72-44a7-89c5-5595fe6b30ee} : 0 -> Replaced (0)
[PUM.DesktopIcons] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {20D04FE0-3AEA-1069-A2D8-08002B30309D} : 0 -> Replaced (0)
[PUM.DesktopIcons] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel | {59031a47-3f72-44a7-89c5-5595fe6b30ee} : 0 -> Replaced (0)
[Suspicious.Path] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows | AppInit_DLLs :
- -> Replaced ()
¤¤¤ Tasks : 1 ¤¤¤
[Suspicious.Path] {284EBAD3-68A9-44FB-A9C3-4E876834B1CC}.job -- C:\ProgramData\BetterSoft\SaveAs\SaveAs.exe (/schedule /profile "C:\PROGRA~3\BETTER~1\SaveAs\profile.ini") -> ERROR
¤¤¤ Files : 1 ¤¤¤
[File.Forged][File] xnacc.sys -- C:\Windows\System32\drivers\xnacc.sys -> ERROR [32]
¤¤¤ Hosts File : 0 [Too big!] ¤¤¤
¤¤¤ Antirootkit : 0 (Driver: Loaded) ¤¤¤
¤¤¤ Web browsers : 0 ¤¤¤
¤¤¤ MBR Check : ¤¤¤
+++++ PhysicalDrive0: RAID0 +++++
--- User ---
[MBR] 19cbe3ea4a1c9388a555bab5a62c8c8a
[BSP] 91472c7336a6339c15c60405684d34ec : Windows Vista/7/8 MBR Code
Partition table:
0 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 63 | Size: 14009 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
1 - [ACTIVE] NTFS (0x7) [VISIBLE] Offset (sectors): 28692090 | Size: 367541 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
User = LL1 ... OK
Error reading LL2 MBR! ([57] The parameter is incorrect. )
+++++ PhysicalDrive1: Generic-Multi-Card USB Device +++++
Error reading User MBR! ([15] The device is not ready. )
Error reading LL1 MBR! NOT VALID!
Error reading LL2 MBR! ([32] The request is not supported. )
