juliedoodle

bad image error, .dll is not a valid windows image

Hello,

XP Home Edition.  Received IE popups (while using Firefox), redirecting to a variety of sites.  AVG reportedly found and cleaned:

prunnet.exe, trojanhorse clicker.vse
and generic12ASAI


I then installed and ran Malwarebytes in safe mode.  It found and removed:

rogue.virusremover
adware.mywebsearch
rogue.virusremove
malware.trace
trojan.vundo
adware.hotbar

I now cannot start up normally; it blue screens.  I can start up in safe mode but get a series of bad image errors that say:

mbam.exe - Bad Image

The application or DLL globalroot\systemroot\system32\senekaowkremev.dll is not a valid Windows image.  Please check this against your installation diskette.

I can click OK or Escape only to be prompted with more of the same error.  It changes to swreg.exe - Bad Disk
NirCmd.cfexe - Bad Disk
svchost.exe, sed, exe, ERUNT, services.exe, lsass.exe, userinit.exe, explorer.exe.

Occasionally while attempting to run malwarebytes or other virus / malware scanners it says this:

This shutdown was initiated by NT AUTHORITY\SYSTEM.  Windows must now restart because the DCOM Server Process Launcher service terminated unexpectedly.     I cannot stop it, it counts down from 60 and reboots.  

See attached hijack this log. Please note that I did not have system restore enabled so I can't use that solution.   Thanks for the help.
hijackthis.log
Bembi

I would recommend first scanning your system using a bootable CD-ROM with a virus scanner. This should eliminate the files of the virus, which may be recreated during boot.

If the files are removed, use a Windows scanner to remove additional registry settings and other fragments.

I assume that the virus is not really inactive.

After that you should google all the viruses found to have an idea of what they are changing and whether you may have to manually reconstruct some settings.
juliedoodle

ASKER

Thank you for the response.  

Can you elaborate a bit on "bootable CDROM with a virus scanner" ---- I have my XP CD that came with it, but how do I add a virus scanner?
I should have mentioned that it consistently comes up first with:

services.exe - Bad Image
The application or DLL globalroot\systemroot\system32\senekaokremev.dll is not a valid Windows image.  Please check this against your installation diskette.

It then jumps to lsass.exe - Bad Image
same error.

Always does those two first, and then takes me to my users list.
Your log file only has two entries that are questionable. Neither of these should be the cause of your issues.
O4 - HKUS\S-1-5-18\..\Run: [msiexec.exe] msiconf.exe (User '?')
O4 - HKUS\.DEFAULT\..\Run: [msiexec.exe] msiconf.exe (User 'Default user')
Please try to log on as a different user and download Combofix. If you are unable to log on as a different user then download it from another system and upload the program to your system.
http://www.bleepingcomputer.com/combofix/how-to-use-combofix
You must rename the default download file. Meaning, when you download Combofix.exe rename it to something like CM.exe. THEN run the executable.
If that fails, you can try rebooting into Safe Mode (F8 at Startup) and selecting Last Known Good Configuration.
http://support.microsoft.com/kb/307852
If the above fail you may need to run a Repair.
XP Repair. It's not designed to overwrite your user data.
http://www.michaelstevenstech.com/XPrepairinstall.htm
David-Howard,

Thank you.   I've decided to back up all my data while I still can.... will try to run combofix as soon as that is done.  Thanks for the tip on renaming it.  I had tried to run combofix earlier, but it would always stall on the first line - something like starting combofix, and never go any further.

http://www.sophos.com/support/knowledgebase/article/13251.html
http://www.avira.de/en/support/support_downloads.html (command line scanner)

You can burn it onto a CD which is bootable or you can copy it onto a disk, or boot from a disk and then run it from CD.
Hijackthis log is not helping much as the system is running in diagnostic startup mode and Hijackthis doesn't scan disabled startup programs.

Combofix as suggested is a good idea, also show us the resulting logfile. You would need to rename combofix before saving to your desktop or if using another pc rename it before transferring to the infected pc.

I wouldn't suggest a reinstall in an infected system just yet (unless a reformat is imminent).
I cannot get ComboFix to run.  I renamed it on a different computer, downloaded the recovery console for home xp sp2.  Dragged both to my PC, under a different user, not in safe mode.

Drag the sp2 utility to the file that has the combofix icon (both are on my desktop) and nothing happens.
Tried again to run Combo Fix, under another admin user.  I get it to start, can click Yes to agree to the terms and then suddenly I get "This system is shutting down.  Please save all work in progress and log off.... NT Authority/system    DCOM Server Process Launcher service terminated unexpectedly.
New hijack this log, not in safe mode.  Thank you.
hijackthis2.log
It may be that you have a Sasser or Blaster virus, which produces an effect similar to what you describe. They have special removal programs, which you may find under my links. Nevertheless, it seems that the virus is still active, which doesn't surprise me if it is Blaster or Sasser.

If the shutdown dialog comes up, you can run shutdown -a at the command prompt.

>>>downloaded the recovery console for home xp sp2.  Dragged both to my PC, under a different user, not in safe mode.
Drag the sp2 utility to the file that has the combofix icon (both are on my desktop) and nothing happens.<<<



We would like you to just concentrate on installing combofix on the infected pc. You don't have to install Recovery Console, don't have to install other things. Not good to install SP2 etc, in an infected pc as the result can be worse.
So the renamed combofix or MalwareBytes still won't run? There's another tool we can try.

Also fix these entries in Hijackthis:
O2 - BHO: {9e92804c-294b-0539-a594-4f8491286f3b} - {b3f68219-48f4-495a-9350-b492c40829e9} - C:\WINDOWS\system32\ycehjw.dll
O4 - HKUS\S-1-5-18\..\Run: [msiexec.exe] msiconf.exe (User '?')  
O4 - HKUS\.DEFAULT\..\Run: [msiexec.exe] msiconf.exe (User 'Default user')
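
An added example, not part of the original thread and not HijackThis's own logic: a small triage script that flags O2/O4 log lines showing the traits of the entries singled out above. The rules are assumed heuristics for deciding what to review by hand, and the two "Example" lines in the sample are constructed for contrast.

```python
import re

# Constructed sample: the three entries quoted in the thread, plus two
# made-up benign-looking lines for contrast.
SAMPLE_LOG = r"""
O2 - BHO: {9e92804c-294b-0539-a594-4f8491286f3b} - {b3f68219-48f4-495a-9350-b492c40829e9} - C:\WINDOWS\system32\ycehjw.dll
O2 - BHO: Example PDF Helper - {11111111-2222-3333-4444-555555555555} - C:\Program Files\Example\helper.dll
O4 - HKUS\S-1-5-18\..\Run: [msiexec.exe] msiconf.exe (User '?')
O4 - HKUS\.DEFAULT\..\Run: [msiexec.exe] msiconf.exe (User 'Default user')
O4 - HKLM\..\Run: [ExampleTray] C:\Program Files\Example\tray.exe
"""

GUID = r"\{[0-9A-Fa-f-]{36}\}"
O2_RE = re.compile(rf"^O2 - BHO: (?P<name>.*?) - (?P<clsid>{GUID}) - (?P<path>.+)$")
O4_RE = re.compile(r"^O4 - (?P<hive>\S+?)\\\.\.\\Run: \[(?P<value>[^\]]*)\] "
                   r"(?P<cmd>.+?)(?: \(User '[^']*'\))?$")
SYSTEM_HIVES = {r"hkus\s-1-5-18", r"hkus\.default"}  # both map to LocalSystem


def triage(log_text):
    """Return [(line, [reasons])] for O2/O4 entries worth a manual look.

    The rules are assumed heuristics for triage, not HijackThis verdicts.
    """
    findings = []
    for line in (l.strip() for l in log_text.splitlines()):
        reasons = []
        if m := O2_RE.match(line):
            if re.fullmatch(GUID, m["name"]):
                reasons.append("BHO has a GUID where a product name belongs")
            if re.fullmatch(r"(?i)[a-z]:\\windows\\system32\\[^\\]+\.dll", m["path"]):
                reasons.append("BHO DLL sits directly in system32")
        elif m := O4_RE.match(line):
            value = m["value"].lower()
            exe = re.search(r'([^\\/"]+\.exe)', m["cmd"], re.I)
            target = exe.group(1).lower() if exe else m["cmd"].lower()
            if value.endswith(".exe") and value != target:
                reasons.append(f"value name {value!r} launches {target!r}")
            if m["hive"].lower() in SYSTEM_HIVES:
                reasons.append("autorun registered under the LocalSystem hive")
        if reasons:
            findings.append((line, reasons))
    return findings


if __name__ == "__main__":
    for entry, why in triage(SAMPLE_LOG):
        print(entry, *("  - " + r for r in why), sep="\n")
```
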
I will try rpggamegirl's solution this evening.  I did check for blaster and sasser - nothing found.

Is it okay to run ComboFix in safe mode?

Julie
>>>Is it okay to run ComboFix in safe mode?<<<
Combofix is optimized to run in normal mode so it should be run in that mode unless pc only boots in safe mode.
Same goes for Hijackthis, it should be run in normal mode.

Please attach the combofix log.
It's important to disable your antivirus/security shield while running combofix.

Here's a short canned if needed:
Please download ComboFix by sUBs:
http://download.bleepingcomputer.com/sUBs/ComboFix.exe

You must download it to and run it from your Desktop
Now STOP all your monitoring programs (Antivirus/Antispyware, Guards and Shields) as they could easily interfere with ComboFix.
Double click combofix.exe & follow the prompts.
When finished, it will produce a log. Please save that log and attach it in your next reply by pasting it in the "Code Snippet" or "Attach File" window.
Re-enable all the programs that were disabled during the running of ComboFix.

Note:
Do not mouse-click combofix's window while it is running. That may cause it to stall.
CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.
 
Thank you.  I finally got combo fix to run.  Attached is my logfile.  I have not run HJT yet, was just thankful to finally get combofix running.
combofixlog.txt
New HJT log, after running combofix.  Thank you for reviewing this for me.
hijackthis010709.log
First post points to Trojan Seneka
Have a look here: http://www.myantispyware.com/2008/11/05/how-to-remove-trojan-tdsserv/

Then I see c:\windows\system32\k9261108.exe

That's what I can see at the moment from my side.
ASKER CERTIFIED SOLUTION
rpggamergirl
Hello,

Thank you again for your help.  Yes, I did put calc.exe there some time ago.

I ran the combofix app with the notepad file as you said.  Attached is the latest combofix log and HJT log.

Thanks again - I hope we are getting close.

Julie
combofixlog010809.txt
hijackthis010809.log
Can you please run other scanners on this pc, like MalwareBytes if you haven't yet.
And an online scan with Kaspersky, please save the log.
http://www.kaspersky.com/virusscanner 
Kaspersky and Malwarebytes both report NO malware or infections.  Thank you!!!!

You are wonderful.

Best wishes.  Julie
Thank you so much for your help.  This was my first experts-exchange experience and it was great.  I'm going to have our company buy a subscription!  Best Wishes. Julie
No problem. And thanks for attaching the logs.
Since MBAM and Kaspersky didn't find any threats either, that's great.
Glad to know it's resolved, and thanks for the points.

Unless you're not aware, you can award points to more than one expert by clicking the "Accept Multiple Solutions" button and then distribute the points to your liking. Let me know if you want to do that and I'll re-open the thread for you.
To uninstall Combofix:
Go to Start > Run and 'copy and paste' next command in the field:

ComboFix /u


System Restore will be reset and one restore point will be created.

Thank you for using Experts-Exchange!