Bad Image Error, please help.

**seed323** · 04-26-2009, 08:44 AM

Good morning all, I recieved this error last night, but before I get into that, I must mention a few things that may help in troubleshooting this.
-I am in the Navy, and just returned to the states from the middle east on April 18th, the last time my laptop had an internet connection was early febuary of 09, and that was on a USO filtered network, in the middle east.
-The said laptop does not currently have an internet connection, i am currently using the computer in work center onboard my ship, so massive downloads that cannot fit on a 4 gig thumb drive cant happen.

Okay so the situation is a few days ago i returned to the states, and enjoyed some high speed interenet for the 1st time in 8 months. The 1st few pages I went to, would bring me several pop-ups and errors, common spyware crap it looked like, so i just canceled them, then IE crashed on me, restart IE, and it was fine. for the next few days i resumed my ignorance of this problem until i finally decided to download the trial edition of Norton 360, and during the scan, my laptop crashed. Apon restart I get a "LogonUI.exe - Bad Image" error, stating that "C:\windows\stystem32\gosufido.dll is either not designed to run on windows or it contains an error. Try installing the program again using original installation media or contact system admin or the spftware vendor for support". the only option is to click ok, apon doing so another comes up, this time a logon.scr bad image, and the same thing, another, i click past about 8 of them and windows will launch. apon running any program i will get the same thing, and the program will run after i click past these errors. I have searched many forums, and saw this problem dates back to as far as 03. non of the forums had any fixes that i saw. The laptop is an HP dv6500 running Vista. I do not have the roboot CD, and am willing to try nearly anything at this point. a speedy responce is much appreciated, but i do have all day speaking that im stuck on this damn boat for the next 24 hours. any questions, i will answer. Im not too computer savy, so if its something too complicated, give descent instructions, thank you for your time.

**Sylvander** · 04-26-2009, 09:31 AM

1. To QUICKLY get an OS back up and running...
Download an iso of some puplet of Puppy Linux...
Make the "live" optical disk [DVD or CD]...
Boot that into the desktop [make configuration choices during boot]...
If there is available some internet connection...
Click the "Connect" icon on the desktop...
Or else use "Setup->Network Wizard" to do the necessary.

2. Then you can take your time trying to fix Windows, whilst you have a working OS.

3. Recommended puplets of Puppy Linux:
(a) SMALL.
Use this BoxPup 4.1.3 ISO file to make a bootable CD [rewritable is good].
md5sum for BoxPup 4.1.3
This latest updated version was only recently released a few days back.
Elegant, stylish, minimalist, small [87MB ISO], FAST, nice features.
If asked:
Name = puppy
Password = linux
You may need to enter these twice.

(b) LARGE.
Muppy Linux 008.4c
Large ISO [764MB] needs a DVD.
Comprehensive, lots of goodies, colorful, slightly slower than boxPup but still MUCH faster than Windows.
Go for this if you can.

4. See logonUI.exe - Bad Image for possible fix for your Vista.

**seed323** · 04-26-2009, 09:54 AM

Im going to go with option 4 for now, because the others were too much for me to do without detailed instructions, i read through the link and hopefully it will work, will post back shortly

**seed323** · 04-26-2009, 10:06 AM

Okay no fix, that thread states that i can find the original logonui.exe in
C:Windows\winsxs\x86_microsoft-windows-authentication-logonui_31bf3856ad364e35_6.0.6000.16386_none_635c5 092764d99de, and that i have to replace the corrupted file with the origional, well i tried to do that in safe mode like it said, and then i had to kill explorer like the thread also stated, but then he said to replace the file via cmd or disable wfp, and i really dont know how to do either, any thoughts?

**Sylvander** · 04-26-2009, 11:08 AM

Well, it's very easy to manipulate the folders/files on your Windows partition using "X File Explorer" [Xfe], which is included in Muppy, but needs to be installed in BoxPup.
[Unless there is some difficulty caused by this being the Vista file system]
Because you would be doing this whilst Vista is dormant [you're not attempting to mess with files that are in use] I'd expect there to be no problems.
In Puppy you work as ROOT by default, so have total power.

I can give you detailed instructions on how to bring a puplet into use if you want them.

**seed323** · 04-26-2009, 12:11 PM

That sounds good, if i have to download them, then the file must be under 4 gig, my laptop is next to me, but i am on a govt computer, and the download speed is running between 13 - 100 kb/second. I prefer not to be farting around all day, but if its the only option, ill be patient

**seed323** · 04-26-2009, 01:47 PM

Right, ive been on the forums all day today, ive run a system scan in command prompt and it cant start the service. I did a clean boot and the problem still persists, im starting to lean toward the clean sweep, or the computer repair guys, but thats no guarentee

**Budfred** · 04-26-2009, 01:54 PM

It appears that you have a fake security (rogue) program problem... Please follow the instructions here to produce a HJT log:

http://www.pcguide.com/vb/showthread.php?t=60009

And then do this:

How to run a scan with Malwarebytes' Anti-Malware

Download Malwarebytes' Anti-Malware from Here or Here

Double click mbam-setup.exe to install the application.

Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
If an update is found, it will download and install the latest version.
Once the program has loaded, select "Perform Quick Scan", then click Scan.
The scan may take some time to finish,so please be patient.
When the scan is complete, click OK, then Show Results to view the results.
Make sure that everything is checked, and click Remove Selected.
When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Note)
The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.

Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
Click OK to let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so immediately.

You will need to do a manual update of MBAM...

**Fruss Tray Ted** · 04-26-2009, 02:09 PM

gosufido.dll is a nasty!

Because your laptop crashed while Norton's was doing a scan, the file 'gosufido.dll' is broken because it was being removed or quarantined. From what I can gather it's a bunch of malware that will need to be purged out, possibly even using some custom scripts to get rid of it all.

Can you get to Safe Mode? Could you borrow a Vista OS DVD if you don't have restore disks or a restore partition? Also please wait for one of our more knowledgeable malware fighters to assist you further.

EDIT:
Budfred slipped in while I was replying.

Bud, I think he mentioned the inability to boot to Windows normally hence my questions.
/EDIT

**seed323** · 04-26-2009, 02:13 PM

I can get into safe mode just fine, gosufido.dll is nto the only file that shows up, i will get 5 or 6 of these messages each program i run, in replacement of gosufido.dll will sometimes be Johazaka.dll or larihisu.dll. Those 3 occur most commonly, in the mean time i will attempt bufreds post

**seed323** · 04-26-2009, 02:21 PM

Originally Posted by Fruss Tray Ted

gosufido.dll is a nasty!

Because your laptop crashed while Norton's was doing a scan, the file 'gosufido.dll' is broken because it was being removed or quarantined. From what I can gather it's a bunch of malware that will need to be purged out, possibly even using some custom scripts to get rid of it all.

Can you get to Safe Mode? Could you borrow a Vista OS DVD if you don't have restore disks or a restore partition? Also please wait for one of our more knowledgeable malware fighters to assist you further.

EDIT:
Budfred slipped in while I was replying.

Bud, I think he mentioned the inability to boot to Windows normally hence my questions.
/EDIT

I can boot to windows normally, but i have to click pas about 40 of these errors, then windows will boot, and all programs i try to run will give me about 5-6 of the same errors

**Fruss Tray Ted** · 04-26-2009, 02:32 PM

Yep. Follow Budfred's lead, use Safemode if you have to because of the program errors you're encountering.

I only quoted one file as a reference but it's definitely a malware issue, and Bud is about as good at it as any. His hound dogs got good noses for this kinda stuff...

**seed323** · 04-26-2009, 02:44 PM

I am unable to get malewarebytes from that website from this computer..... im not on the infected computer. do you have anothe rplace to get it from?

**seed323** · 04-26-2009, 02:52 PM

Heres the HJT log by the way, let me know what to do from here

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:50:32 PM, on 4/26/2009
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18226)
Boot mode: Safe mode with network support

Running processes:
C:\Windows\Explorer.EXE
C:\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/...ch/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/.../www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/?r65=1184465030
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TY...lion&pf=laptop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/.../www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/...ch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/.../www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TY...lion&pf=laptop
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/.../www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O1 - Hosts: 82.98.231.89 url.adtrgt.com
O1 - Hosts: 82.98.231.89 googleads2.gdoubleclick.net
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Symantec NCO BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files\Norton 360\Engine\3.0.0.134\coIEPlg.dll
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files\Norton 360\Engine\3.0.0.134\IPSBHO.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: (no name) - {a079832a-caa1-41af-bda4-8eb562fd1028} - C:\Windows\system32\rogiwofi.dll (file missing)
O2 - BHO: (no name) - {C5E84927-CFF0-4CA3-A068-02E7C01C1E7C} - C:\Windows\system32\wvUkIARh.dll (file missing)
O3 - Toolbar: Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Norton 360\Engine\3.0.0.134\coIEPlg.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [QPService] "C:\Program Files\HP\QuickPlay\QPService.exe"
O4 - HKLM\..\Run: [QlbCtrl] %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
O4 - HKLM\..\Run: [pipeneroru] Rundll32.exe "C:\Windows\system32\mopazazi.dll",s
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [HP Health Check Scheduler] C:\Program Files\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe
O4 - HKLM\..\Run: [CPM0d8469be] Rundll32.exe "c:\windows\system32\johazaka.dll",a
O4 - HKLM\..\Run: [0eb75a22] rundll32.exe "C:\Windows\system32\zisizaru.dll",b
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [LSA Shellu] C:\Users\Tom\lsass.exe
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O13 - Gopher Prefix:
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab
O18 - Protocol: symres - {AA1061FE-6C41-421F-9344-69640C9732AB} - C:\Program Files\Norton 360\Engine\3.0.0.134\coIEPlg.dll
O20 - AppInit_DLLs: C:\Windows\system32\gosufido.dll c:\windows\system32\johazaka.dll c:\windows\system32\larihisu.dll
O21 - SSODL: SSODL - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\johazaka.dll
O22 - SharedTaskScheduler: STS - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\johazaka.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: CyberLink Background Capture Service (CBCS) (CLCapSvc) - Unknown owner - C:\Program Files\HP\QuickPlay\Kernel\TV\CLCapSvc.exe
O23 - Service: CyberLink Task Scheduler (CTS) (CLSched) - Unknown owner - C:\Program Files\HP\QuickPlay\Kernel\TV\CLSched.exe
O23 - Service: HP Health Check Service - Hewlett-Packard - C:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: Norton 360 (N360) - Symantec Corporation - C:\Program Files\Norton 360\Engine\3.0.0.134\ccSvcHst.exe
O23 - Service: stllssvr - Unknown owner - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe (file missing)
O23 - Service: CLCV0 (UTSCSI) - Unknown owner - C:\Windows\system32\UTSCSI.EXE

**Fruss Tray Ted** · 04-26-2009, 05:56 PM

Are you able to run HJT in regular boot mode? I'm sure Budfred will chime in the request to do so if possible. It may have more entries that will show up and possibly be of importance.

I am surprised to see some nasties in that Safe Mode log but I will defer the prescribing to the doctor's..

I'm just a med student/nurse holding the penicillin...

**Budfred** · 04-26-2009, 06:40 PM

First: This computer is massively infected including a very nasty infection called virut... Since you are already considering it, my first recommendation would be to wipe and reinstall... If you choose to do that, wipe the hard drive as thoroughly as possible before installing the new install... It is possible that any personal information stored on the computer is already in the hands of criminals, so you may need to contact any credit card, bank or other financial companies you have done business with on this computer to change passwords, account numbers and so on... Use a phone or mail to contact them since anything done on this computer is likely to be stolen and you will be no better off...

If you opt to clean this up, there is no guarantee that it will ever be completely free again on this install... Keeping that in mind, if you choose to make the effort, please do this:

Try this site for MBAM

http://www.filehippo.com/download_ma..._anti_malware/

If you are connected to the Internet at all, please do NOT log on with "Safe mode with network support" -- it leaves your computer wide open to infection and strengthening the infections that are already there... Just use Safe Mode...

To see if you can weaken the pest, please open another HJT scan and put checks next to:

O1 - Hosts: ::1 localhost
O1 - Hosts: 82.98.231.89 url.adtrgt.com
O1 - Hosts: 82.98.231.89 googleads2.gdoubleclick.net
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: (no name) - {a079832a-caa1-41af-bda4-8eb562fd1028} - C:\Windows\system32\rogiwofi.dll (file missing)
O2 - BHO: (no name) - {C5E84927-CFF0-4CA3-A068-02E7C01C1E7C} - C:\Windows\system32\wvUkIARh.dll (file missing)
O4 - HKLM\..\Run: [pipeneroru] Rundll32.exe "C:\Windows\system32\mopazazi.dll",s
O4 - HKLM\..\Run: [CPM0d8469be] Rundll32.exe "c:\windows\system32\johazaka.dll",a
O4 - HKLM\..\Run: [0eb75a22] rundll32.exe "C:\Windows\system32\zisizaru.dll",b
O13 - Gopher Prefix:
O20 - AppInit_DLLs: C:\Windows\system32\gosufido.dll c:\windows\system32\johazaka.dll c:\windows\system32\larihisu.dll
O21 - SSODL: SSODL - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\johazaka.dll
O22 - SharedTaskScheduler: STS - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\johazaka.dll

Once you have checked all of these items, please close all windows except HJT and press "Fix checked"...

Reboot and post a new HJT log, preferably from Normal Mode...

You will also need to run this program, so please download it, run it and post that log along with the MBAM and HJT log... You will probably need several posts to post it all...

1. Download this file -
ComboFix
2. Double click ComboFix.exe & follow the prompts.
3. When finished, it will produce a log for you. Post that log in your next reply

Note:
Do not mouseclick ComboFix's window whilst it's running. That may cause it to stall

**seed323** · 04-26-2009, 06:44 PM

This is the regular boot log of HJT, it failed the 1st time halfway through due to "Unknown Issues", told me to re-run as administrator, this is the administrative run.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:40:02 PM, on 4/26/2009
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18226)
Boot mode: Normal

Running processes:
C:\Program Files\Norton 360\Engine\3.0.0.134\ccSvcHst.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\WINDOWS\RtHDVCpl.exe
C:\Program Files\HP\QuickPlay\QPService.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\AIM6\aim6.exe
C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\Windows\system32\SearchFilterHost.exe
C:\HJT\HijackThis.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\msfeedssync.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/...ch/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/.../www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/?r65=1184465030
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TY...lion&pf=laptop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/.../www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/...ch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/.../www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TY...lion&pf=laptop
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/.../www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O1 - Hosts: 82.98.231.89 url.adtrgt.com
O1 - Hosts: 82.98.231.89 googleads2.gdoubleclick.net
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Symantec NCO BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files\Norton 360\Engine\3.0.0.134\coIEPlg.dll
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files\Norton 360\Engine\3.0.0.134\IPSBHO.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: (no name) - {a079832a-caa1-41af-bda4-8eb562fd1028} - C:\Windows\system32\rogiwofi.dll (file missing)
O2 - BHO: (no name) - {C5E84927-CFF0-4CA3-A068-02E7C01C1E7C} - C:\Windows\system32\wvUkIARh.dll (file missing)
O3 - Toolbar: Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Norton 360\Engine\3.0.0.134\coIEPlg.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [QPService] "C:\Program Files\HP\QuickPlay\QPService.exe"
O4 - HKLM\..\Run: [QlbCtrl] %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
O4 - HKLM\..\Run: [pipeneroru] Rundll32.exe "C:\Windows\system32\mopazazi.dll",s
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [HP Health Check Scheduler] C:\Program Files\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe
O4 - HKLM\..\Run: [CPM0d8469be] Rundll32.exe "c:\windows\system32\johazaka.dll",a
O4 - HKLM\..\Run: [0eb75a22] rundll32.exe "C:\Windows\system32\zisizaru.dll",b
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [LSA Shellu] C:\Users\Tom\lsass.exe
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O13 - Gopher Prefix:
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab
O18 - Protocol: symres - {AA1061FE-6C41-421F-9344-69640C9732AB} - C:\Program Files\Norton 360\Engine\3.0.0.134\coIEPlg.dll
O20 - AppInit_DLLs: C:\Windows\system32\gosufido.dll c:\windows\system32\johazaka.dll c:\windows\system32\larihisu.dll
O21 - SSODL: SSODL - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\johazaka.dll
O22 - SharedTaskScheduler: STS - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\johazaka.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: CyberLink Background Capture Service (CBCS) (CLCapSvc) - Unknown owner - C:\Program Files\HP\QuickPlay\Kernel\TV\CLCapSvc.exe
O23 - Service: CyberLink Task Scheduler (CTS) (CLSched) - Unknown owner - C:\Program Files\HP\QuickPlay\Kernel\TV\CLSched.exe
O23 - Service: HP Health Check Service - Hewlett-Packard - C:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: Norton 360 (N360) - Symantec Corporation - C:\Program Files\Norton 360\Engine\3.0.0.134\ccSvcHst.exe
O23 - Service: stllssvr - Unknown owner - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe (file missing)
O23 - Service: CLCV0 (UTSCSI) - Unknown owner - C:\Windows\system32\UTSCSI.EXE

--
End of file - 8298 bytes

**seed323** · 04-26-2009, 06:56 PM

Okay, i just had HJT fix those selected files from your post earlier, just rebooted in normal mode, and the error message is gone, but as you said before, there still may be more, and i want to ensure that it is clean before i close the case. I am in the process of getting malwarebyts, but im not sure it will work, that may have to wait until tomorrow afternoon when i get on an unfiltered connection, govt computer wont let me download most stuff, for this very reason. while i wait for this download to fail, im going to get an updated HJT log for you, will post it shortly.

**seed323** · 04-26-2009, 07:00 PM

Updated HJT running normal boot

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:57:27 PM, on 4/26/2009
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18226)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\WINDOWS\RtHDVCpl.exe
C:\Program Files\HP\QuickPlay\QPService.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\AIM6\aim6.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\Program Files\Norton 360\Engine\3.0.0.134\ccSvcHst.exe
C:\Windows\system32\taskeng.exe
C:\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/...ch/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/.../www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/?r65=1184465030
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TY...lion&pf=laptop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/.../www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/...ch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/.../www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TY...lion&pf=laptop
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/.../www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Symantec NCO BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files\Norton 360\Engine\3.0.0.134\coIEPlg.dll
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files\Norton 360\Engine\3.0.0.134\IPSBHO.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O3 - Toolbar: Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Norton 360\Engine\3.0.0.134\coIEPlg.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [QPService] "C:\Program Files\HP\QuickPlay\QPService.exe"
O4 - HKLM\..\Run: [QlbCtrl] %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [HP Health Check Scheduler] C:\Program Files\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [LSA Shellu] C:\Users\Tom\lsass.exe
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab
O18 - Protocol: symres - {AA1061FE-6C41-421F-9344-69640C9732AB} - C:\Program Files\Norton 360\Engine\3.0.0.134\coIEPlg.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: CyberLink Background Capture Service (CBCS) (CLCapSvc) - Unknown owner - C:\Program Files\HP\QuickPlay\Kernel\TV\CLCapSvc.exe
O23 - Service: CyberLink Task Scheduler (CTS) (CLSched) - Unknown owner - C:\Program Files\HP\QuickPlay\Kernel\TV\CLSched.exe
O23 - Service: HP Health Check Service - Hewlett-Packard - C:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: Norton 360 (N360) - Symantec Corporation - C:\Program Files\Norton 360\Engine\3.0.0.134\ccSvcHst.exe
O23 - Service: stllssvr - Unknown owner - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe (file missing)
O23 - Service: CLCV0 (UTSCSI) - Unknown owner - C:\Windows\system32\UTSCSI.EXE

--
End of file - 7008 bytes

**seed323** · 04-26-2009, 07:51 PM

Ha well, i just got my ass reamed for being late to my duty section muster, i was in the middle of transfering the HJT log earlier, when i heard the bell go off for muster, but they can deal with it, go figure my muster PO is a complete turd. but anyway, malwarebyts will not download on this computer, so i will have to wait till tomorrow to get it from my home connection in the afternoon. would you suggest i keep the tainted machine disconnect from web and just get malwarebytes from my roomate?

**Fruss Tray Ted** · 04-26-2009, 08:46 PM

would you suggest i keep the tainted machine disconnect from web ?

Absolutely! Either disconnect cables or if wireless, shut the thing down or disable the wireless network.

I don't know if Norton's360 has a firewall built in to it's AV and I didn't look hard to find another in your HJT log, but the safe bet is to disable communications except when actively downloading or uploading something YOU want. If unattended, the incoming and outgoing IP traffic could be worsening the issue without any of our knowing.

and just get malwarebytes from my roomate?

You may be able to keep this PC disconnected if you can download files with another and use a write protected file transfer with disks or pen drives with a specific ability to be write protected. Physically or with software. Personally, I like the fingernail switches on the device itself. You don't want to reverse flow (data, like tides..) and cause any other PC trying to help, to become infected.

This is why I still like write once, read only disks ie CD's. You can keep a huge pile of helpful apps without the risk of cross contamination.

**seed323** · 04-26-2009, 09:02 PM

Originally Posted by Fruss Tray Ted

I don't know if Norton's360 has a firewall built in .

yes norton does come with a firewall, but im looking to get Avast when i get back to my house tomorrow afternoon, along with it im looking to get the other programs you sugested earlier. Im going to try to ride this one out without wiping the hard drive, for i do have alot of music files that i would surely loose. But if the problem persists,i wont hesitate to wipe the thing. Im alittle nervouse about changing my account numbers and all that, because it may be overkill, i know im not very computer savvy, but im not stupid enough to store that kind of stuff on any thing i cant shread, but i do realize they can read my internet transactions, but i didnt buy anything with on the web since this problem occured, but if you still think im in danger, let me know, and actually explain that one very basically, i am interested if it is threatening. I believe this will be my last post for the night, but i will be back tomorrow afternoon to give the update after i do the malwarebytes scan. Thank you for your much needed/useful information guys, talk to you tomorrow.

**Fruss Tray Ted** · 04-26-2009, 09:58 PM

The firewall Norton bought rights to is the one I still use from back when it had a freeware version. You'll need something to accompany Avast AV. Try Sygate

**Budfred** · 04-27-2009, 12:02 AM

Virut is still showing in that log...

I agree with FTT to disconnect completely from the Internet... If you do connect, only do it long enough to download a tool and then get off again...

If you can't get MBAM, see if you can get ComboFix and run it -- it will probably do better with virut anyway...

Once you are cleaned up, I will give you more ideas about prevention... In the meanwhile, please don't remove your antivirus or change other parts of your security, it can actually make things worse...

**Paul Komski** · 04-27-2009, 02:54 AM

I fully agree with earlier suggestions to wipe and clean reinstall. Suspect you will save yourself much time in the long run and only then know you have a clean system. Burn any valuable data files to a CD beforehand. The CD can be scanned later for infected files and would be safe to access if it contains no autorun information. You can grab such data using Knoppix (as in my sig) if nothing else works.

Thread: Bad Image Error, please help.

Thread Tools

Bad Image Error, please help.

Thread Information

Users Browsing this Thread

Posting Permissions