Question

bad image error, .dll is not a valid windows image

Asked by: juliedoodle

Hello,

XP Home Edition.  Received IE popups (while using Firefox), redirecting to a variety of sites.  AVG reportedly found and cleaned:

prunnet.exe, trojanhorse clicker.vse
and generic12ASAI


I then installed and ran Malwarebytes in safe mode.  It found and removed:

rogue.virusremover
adware.mywebsearch
rogue.virusremove
malware.trace
trojan.vundo
adware.hotbar

I now cannot start up normally, it blue screens.  I can start up in safe mode but get a series of bad image errors that say:

mbam.exe - Bad Image

The application or DLL globalroot\systemroot\system32\senekaowkremev.dll is not a valid Windows image.  Please check this against your installation diskette.

I can click OK or Escape only to be prompted with more of the same error.  It changes to swreg.exe - Bad Disk
NirCmd.cfexe - Bad Disk
svchost.exe, sed, exe, ERUNT, services.exe, lsass.exe, userinit.exe, explorer.exe.

Occasionally while attempting to run malwarebytes or other virus / malware scanners it says this:

This shutdown was initiated by NT AUTHORITY\SYSTEM.  Windows must now restart because the DCOM Server Process Launcher service terminated unexpectedly.     I cannot stop it, it counts down from 60 and reboots.  

See attached hijack this log. Please note that I did not have system restore enabled so I can't use that solution.   Thanks for the help.

This Question has been solved and asker verified.

Asked On: 2009-01-03 at 22:41:43, ID: 24023297
Topics: HijackThis Software, Anti-Spyware, Anti-Virus
Participating Experts: 3
Points: 500
Comments: 24


Answers

 

by: Bembi Posted on 2009-01-03 at 22:55:24 ID: 23288633

I would recommend first to scan your system using a bootable CDROM with a virus scanner. This should eliminate the files of the virus, which may be recreated during boot.

If the files are removed, use a windows scanner to remove additional registry settings and other fragments.

I assume that the virus is not really inactive.

After that you should google for all the virus found to have an idea, what they are changing and if you may have to manually reconstruct some settings.

 

by: juliedoodle Posted on 2009-01-03 at 22:59:25 ID: 23288649

Thank you for the response.  

Can you elaborate a bit on "bootable CDROM with a virus scanner" ---- I have my XP CD that came with it, but how do I add a virus scanner?

 

by: juliedoodle Posted on 2009-01-03 at 23:02:18 ID: 23288655

I should have mentioned that it consistently comes up first with:

services.exe - Bad Image
The application or DLL globalroot\systemroot\system32\senekaokremev.dll is not a valid Windows image.  Please check this against your installation diskette.

It then jumps to lsass.exe - Bad Image
same error.

Always does those two first, and then takes me to my users list.

 

by: David-Howard Posted on 2009-01-03 at 23:13:47 ID: 23288679

Your log file only has two entries that are questionable. Neither of these should be the cause of your issues.
O4 - HKUS\S-1-5-18\..\Run: [msiexec.exe] msiconf.exe (User '?')
O4 - HKUS\.DEFAULT\..\Run: [msiexec.exe] msiconf.exe (User 'Default user')
Please try to log on as a different user and download Combofix. If you are unable to log on as a different user then download it from another system and upload the program to your system.
http://www.bleepingcomputer.com/combofix/how-to-use-combofix
You must rename the default download file. Meaning, when you download Combofix.exe rename it to something like CM.exe. THEN run the executable.
If that fails, you can try rebooting into Safe Mode (F8 at Startup) and selecting Last Known Good Configuration.
http://support.microsoft.com/kb/307852
If the above fail you may need to run a Repair.
XP Repair. It's not designed to overwrite your user data.
http://www.michaelstevenstech.com/XPrepairinstall.htm

 

by: juliedoodle Posted on 2009-01-03 at 23:19:25 ID: 23288692

David-Howard,

Thank you.   I've decided to back up all my data while I still can.... will try to run combofix as soon as that is done.  Thanks for the tip on renaming it.  I had tried to run combofix earlier, but it would always stall on the first line - something like starting combofix, and never go any further.

 

by: Bembi Posted on 2009-01-03 at 23:32:31 ID: 23288835

http://www.sophos.com/support/knowledgebase/article/13251.html
http://www.avira.de/en/support/support_downloads.html (command line scanner)

You can burn it onto a CD which is bootable or you can copy it onto a disk, or boot from a disk and then run it from CD.

 

by: rpggamergirl Posted on 2009-01-04 at 02:23:34 ID: 23289145

Hijackthis log is not helping much as the system is running in diagnostic startup mode and Hijackthis doesn't scan disabled startup programs.

Combofix as suggested is a good idea, also show us the resulting logfile. You would need to rename combofix before saving to your desktop or if using another pc rename it before transferring to the infected pc.

I wouldn't suggest a reinstall in an infected system just yet (unless a reformat is imminent).

 

by: juliedoodle Posted on 2009-01-04 at 08:15:02 ID: 23290244

I cannot get ComboFix to run.  I renamed it on a different computer, downloaded the recovery console for home xp sp2.  Dragged both to my PC, under a different user, not in safe mode.

Drag the sp2 utility to the file that has the combofix icon (both are on my desktop) and nothing happens.

 

by: juliedoodle Posted on 2009-01-04 at 08:21:48 ID: 23290267

Tried again to run Combo Fix, under another admin user.  I get it to start, can click Yes to agree to the terms and then suddenly I get "This system is shutting down.  Please save all work in progress and log off.... NT Authority/system    DCOM Server Process Launcher service terminated unexpectedly.

 

by: juliedoodle Posted on 2009-01-04 at 08:31:44 ID: 23290304

New hijack this log, not in safe mode.  Thank you.

 

by: Bembi Posted on 2009-01-04 at 10:07:27 ID: 23290702

Maybe you have a sasser or blaster virus, which produces an effect similar to what you describe. They have special removal programs, which you may find under my links. Nevertheless it seems that the virus is still active, which I'm not wondering about if it is blaster or sasser.

If the shut down dialog comes up, you can run shutdown -a at the command prompt.

 

by: rpggamergirl Posted on 2009-01-04 at 22:22:29 ID: 23293388


>>>downloaded the recovery console for home xp sp2.  Dragged both to my PC, under a different user, not in safe mode.
Drag the sp2 utility to the file that has the combofix icon (both are on my desktop) and nothing happens.<<<



We would like you to just concentrate on installing combofix on the infected pc. You don't have to install Recovery Console, don't have to install other things. Not good to install SP2 etc, in an infected pc as the result can be worse.
So the renamed combofix or the MalwareBytes still won't run? There's another tool we can try.

Also fix these entries in Hijackthis:
O2 - BHO: {9e92804c-294b-0539-a594-4f8491286f3b} - {b3f68219-48f4-495a-9350-b492c40829e9} - C:\WINDOWS\system32\ycehjw.dll
O4 - HKUS\S-1-5-18\..\Run: [msiexec.exe] msiconf.exe (User '?')  
O4 - HKUS\.DEFAULT\..\Run: [msiexec.exe] msiconf.exe (User 'Default user')
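
The O2 and O4 entries singled out in this thread, run through a small triage script. This is an added example, not part of the original posts or of HijackThis itself; the three heuristics and the two benign sample lines are assumptions chosen for illustration, and a hit only marks an entry for manual review.

```python
import re

# Constructed sample: the three entries quoted in the thread plus two
# benign-looking lines invented here for contrast.
SAMPLE_LOG = r"""
O2 - BHO: {9e92804c-294b-0539-a594-4f8491286f3b} - {b3f68219-48f4-495a-9350-b492c40829e9} - C:\WINDOWS\system32\ycehjw.dll
O2 - BHO: Example Reader Helper - {11111111-2222-3333-4444-555555555555} - C:\Program Files\Example\reader.dll
O4 - HKLM\..\Run: [ExampleTray] C:\Program Files\Example\tray.exe
O4 - HKUS\S-1-5-18\..\Run: [msiexec.exe] msiconf.exe (User '?')
O4 - HKUS\.DEFAULT\..\Run: [msiexec.exe] msiconf.exe (User 'Default user')
"""

GUID = r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}"
# O2 - BHO: <name> - <CLSID> - <dll path>
O2_RE = re.compile(rf"^O2 - BHO: (?P<name>.*?) - (?P<clsid>{GUID}) - (?P<path>.+)$")
# O4 - <hive>\<key>: [<value name>] <command> (User '<name>')
O4_RE = re.compile(
    r"^O4 - (?P<hive>[^\\]+)\\(?P<key>.*?): \[(?P<label>[^\]]*)\] "
    r"(?P<cmd>.+?)(?: \(User '(?P<user>[^']*)'\))?$"
)
# S-1-5-18 is the Local System SID; .DEFAULT is the same profile under HKEY_USERS.
SYSTEM_PROFILES = {"S-1-5-18", ".DEFAULT"}


def triage(log_text):
    """Return [(line, [reasons])] for O2/O4 entries that trip a heuristic."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        reasons = []
        m = O2_RE.match(line)
        if m and re.fullmatch(GUID, m["name"]):
            # Installed helper objects normally register a readable name.
            reasons.append("BHO name is a bare GUID")
        m = O4_RE.match(line)
        if m:
            label, cmd = m["label"].lower(), m["cmd"]
            # File name of the command (ignores arguments; fine for triage).
            target = cmd.strip('"').rsplit("\\", 1)[-1].lower()
            if label.endswith(".exe") and label != target:
                reasons.append(f"value name {label} points at {target}")
            if "\\" not in cmd:
                reasons.append("command has no directory path")
            if m["hive"] == "HKUS" and m["key"].split("\\")[0] in SYSTEM_PROFILES:
                reasons.append("autorun in SYSTEM/default profile hive")
        if reasons:
            findings.append((line, reasons))
    return findings


if __name__ == "__main__":
    for entry, why in triage(SAMPLE_LOG):
        print(entry)
        for reason in why:
            print("   -", reason)
```
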

 

by: juliedoodle Posted on 2009-01-05 at 06:39:55 ID: 23295630

I will try rpggamergirl's solution this evening.  I did check for blaster and sasser - nothing found.

Is it okay to run ComboFix in safe mode?

Julie

 

by: rpggamergirl Posted on 2009-01-05 at 15:06:29 ID: 23300325

>>>Is it okay to run ComboFix in safe mode?<<<

Combofix is optimized to run in normal mode so it should be run in that mode unless pc only boots in safe mode.
Same goes for Hijackthis, it should be run in normal mode.

Please attach the combofix log.

 

by: rpggamergirl Posted on 2009-01-05 at 15:09:31 ID: 23300342

It's important to disable your antivirus/security shield while running combofix.


Here's a short canned if needed:
Please download ComboFix by sUBs:
http://download.bleepingcomputer.com/sUBs/ComboFix.exe

You must download it to and run it from your Desktop
Now STOP all your monitoring programs (Antivirus/Antispyware, Guards and Shields) as they could easily interfere with ComboFix.
Double click combofix.exe & follow the prompts.
When finished, it will produce a log. Please save that log and attach it in your next reply by pasting it in the "Code Snippet" or "Attach File" window.
Re-enable all the programs that were disabled during the running of ComboFix.

Note:
Do not mouse-click combofix's window while it is running. That may cause it to stall.
CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.
 

 

by: juliedoodle Posted on 2009-01-07 at 05:24:29 ID: 23314289

Thank you.  I finally got combo fix to run.  Attached is my logfile.  I have not run HJT yet, was just thankful to finally get combofix running.

 

by: juliedoodle Posted on 2009-01-07 at 05:26:11 ID: 23314308

New HJT log, after running combofix.  Thank you for reviewing this for me.

 

by: Bembi Posted on 2009-01-07 at 05:53:52 ID: 23314524

First post points to Trojan Seneka
Have a look here: http://www.myantispyware.com/2008/11/05/how-to-remove-trojan-tdsserv/

Then I see c:\windows\system32\k9261108.exe

That's what I can see at the moment from my side.

 

by: rpggamergirl Posted on 2009-01-07 at 15:01:25 ID: 23320563


Run combofix again using this script.

1. Open Notepad.
2. Now copy/paste the text between the lines below into the Notepad window:
------------------------------------------------------------------------
File::
C:\32788R22FWJFW.6.tmp
C:\32788R22FWJFW.5.tmp
C:\32788R22FWJFW.4.tmp
C:\32788R22FWJFW.3.tmp
C:\32788R22FWJFW.2.tmp
C:\32788R22FWJFW.1.tmp
C:\32788R22FWJFW.0.tmp
c:\windows\system32\k9261108.exe
c:\windows\system32\D7A23C43EA.sys

------------------------------------------------------------------------
3. Save the above as CFScript.txt on your desktop.
4. Then drag the CFScript.txt into ComboFix.exe. This will start ComboFix again.

c:\program files\calc.exe <-- did you install or know this calc.exe in this folder?

 

by: juliedoodle Posted on 2009-01-08 at 20:44:12 ID: 23332888

Hello,

Thank you again for your help.  Yes, I did put calc.exe there some time ago.

I ran the combofix app with the notepad file as you said.  Attached is the latest combofix log and HJT log.

Thanks again - I hope we are getting close.

Julie

 

by: rpggamergirl Posted on 2009-01-10 at 05:33:45 ID: 23343657

Can you please run other scanners on this pc, like MalwareBytes if you haven't yet.

And an online scan with Kaspersky, please save the log.
http://www.kaspersky.com/virusscanner

 

by: juliedoodle Posted on 2009-01-11 at 06:30:17 ID: 23348366

Kaspersky and Malwarebytes both report NO malware or infections.  Thank you!!!!

You are wonderful.

Best wishes.  Julie

 

by: juliedoodle Posted on 2009-01-11 at 06:31:32 ID: 31530710

Thank you so much for your help.  This was my first experts-exchange experience and it was great.  I'm going to have our company buy a subscription!  Best Wishes. Julie

 

by: rpggamergirl Posted on 2009-01-11 at 17:43:40 ID: 23350587

No problem. And thanks for attaching the logs.
Since MBAM and Kaspersky didn't find any threats either, that's great.
Glad to know it's resolved, and thanks for the points.

Unless you're not aware, you can award points to more than one expert by clicking the "Accept Multiple Solutions" button and then distribute the points to your liking. Let me know if you want to do that and I'll re-open the thread for you.

To uninstall Combofix:
Go to Start > Run and 'copy and paste' next command in the field:

ComboFix /u


System Restore will be reset and one restore point will be created.

Thank you for using Experts-Exchange!
