TechSpot

Bad Image errors and pop ups

By Farknocker
Oct 13, 2009
Topic Status:
Not open for further replies.
  1. My workstation recently got infected with a Windows Police Pro virus which (I think) I was able to remove. However, my workstation is still plagued with bad image pop-ups on start up and every single time I try to initiate a program (e.g. Mozilla Firefox). It doesn't seem to affect my ability to run the programs.

    I ran through the 8-step virus/spyware/malware preliminary removal procedure then came up with these logs. Can someone help me to fix the problem?

    Thanks.
  2. Tmagic650

    Tmagic650 TS Ambassador Posts: 20,824   +163

    Still got some nasties... and there are much better antivirus antimalware programs out there...
    Go here:
    On-Line Scanner

    Run the scanner, and repost the logs
  3. Farknocker

    Farknocker TS Rookie Topic Starter

    Ok, will do tonight. Thanks
  4. Tmagic650

    Tmagic650 TS Ambassador Posts: 20,824   +163

    Your Windows Updates are way behind. Run Windows Update manually. Select Custom and install Service Pack 3, and IE8 along with any critical and hardware updates shown. Keep running Windows Update until no more updates are found
  5. Farknocker

    Farknocker TS Rookie Topic Starter

    I ran the on-line scanner and ran through the 8-step process again. I'm still in the process of updating my Windows and should be done by this weekend. In any event, I've attached the updated logs. Hopefully, things look a little better.
  6. Tmagic650

    Tmagic650 TS Ambassador Posts: 20,824   +163

    Good work,

    delete the line in your hijackthis log:
    "O20 - AppInit_DLLs: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\2425xxx.dll,duhajusa.dll,C:\DOCUME~1\rai\LOCALS~1\Temp\2423xxx.dll,C:\DOCUME~1\rai\LOCALS~1\Temp\3526xxx.dll,C:\DOCUME~1\rai\LOCALS~1\Temp\427xxx.dll,C:\DOCUME~1\rai\LOCALS~1\Temp\1135xxx.dll,C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\1119xxx.dll"...
  7. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    Since HijackThis does not remove the AppInit entries, I will help you with that:

    First, I'd like you to run TFC which will remove the temp files:

    TFC (Temp File Cleaner)

    Download TFC to your desktop
    • Open the file and close any other windows.
    • It will close all programs itself when run, make sure to let it run uninterrupted.
    • Click the Start button to begin the process. The program should not take long to finish its job.
    • Once it's finished it should reboot your machine; if not, do this yourself to ensure a complete clean.

    TFC only cleans temp folders. TFC will not clean URL history, prefetch, or cookies. Depending on how often someone cleans their temp folders, their system hardware, and how many accounts are present, it can take anywhere from a few seconds to a minute or more. TFC will completely clear all temp files where other temp file cleaners may fail. TFC requires a reboot immediately after running. Be sure to save any unsaved work before running TFC.

    TFC (Temp File Cleaner) will clear out all temp folders for all user accounts (temp, IE temp, java, FF, Opera, Chrome, Safari), including Administrator, All Users, LocalService, NetworkService, and any other accounts in the user folder.

    NOTE: some of the entries on the programs below might have been removed by TFC. This is okay- that's why I want you to run it first.

    Then Download and run LSP-Fix

    1) Download LSP-Fix HERE and save to its own directory on the desktop.
    2) Double-click on the file to open.
    3) In the left hand column, you should see the following files listed:
       2425xxx.dll
       duhajusa.dll
       2423xxx.dll
       3526xxx.dll
       427xxx.dll
       1135xxx.dll
       1119xxx.dll

       • Click on each to highlight
       • Click the arrow in the middle of the screen that points to the right
    4) This will move the filename to the right-hand column labeled Remove

    5) Do this same thing for each of the files. The xxx in the file may be random numbers.

       • NOTE: If the arrow is greyed out and does not allow you to click it, you need to check the box above labeled "I know what I'm doing"

    6) Once the file has been transferred to the Remove column, click Finish at the bottom of the screen.
       • You'll be presented with a results screen showing the file was removed from the Winsock layer entries in the registry.
    7) Close LSPFix.

    Next, run SDFix: Download SDFix HERE and save it to your Desktop.
    • Double click SDFix.exe and it will extract the files to %systemdrive%
      (Drive that contains the Windows Directory, typically C:\SDFix)

      Boot into Safe Mode
    • Restart your computer and start pressing the F8 key on your keyboard.
    • Select the Safe Mode option when the Windows Advanced Options menu appears, and then press ENTER.

      Run SDFix
    • Open the extracted SDFix folder and double click RunThis.bat to start the script.
    • Type Y to begin the cleanup process.
    • It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
    • Press any Key and it will restart the PC.
    • When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
    • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
    • Attach Report.txt back here

    Open HijackThis to 'do system scan only'. Put a check by each of the following entries if present:
    O4 - HKCU\..\Run: [calc] rundll32.exe C:\DOCUME~1\rai\ntuser.dll,_IWMPEvents@0
    O4 - HKUS\S-1-5-18\..\Run: [calc] rundll32.exe C:\DOCUME~1\DEFAUL~1\ntuser.dll,_IWMPEvents@0 (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [calc] rundll32.exe C:\DOCUME~1\DEFAUL~1\ntuser.dll,_IWMPEvents@0 (User 'Default user')
    O4 - S-1-5-18 Startup: scandisk.lnk = ? (User 'SYSTEM')
    O4 - .DEFAULT Startup: scandisk.lnk = ? (User 'Default user')


    Close all open Windows except HijackThis and click on "Fix Checked."

    Follow by new scan with HijackThis.

    NOTE: Attach logs and reports except the new HijackThis log. PASTE that in to your next reply
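
Added example, not part of the posts above and not code from any tool named in this thread: a small Python triage of the HijackThis lines quoted in posts 6 and 7, flagging AppInit_DLLs entries and rundll32 autoruns that load DLLs from temp or user-profile folders. The function name `triage`, the heuristics and the final sample line are assumptions made for illustration.

```python
import re

# Lines quoted in posts 6 and 7 of this thread (the AppInit_DLLs list is
# shortened); the final HKLM line is constructed as a benign control.
SAMPLE_LOG = r"""
O20 - AppInit_DLLs: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\2425xxx.dll,duhajusa.dll,C:\DOCUME~1\rai\LOCALS~1\Temp\2423xxx.dll
O4 - HKCU\..\Run: [calc] rundll32.exe C:\DOCUME~1\rai\ntuser.dll,_IWMPEvents@0
O4 - HKUS\S-1-5-18\..\Run: [calc] rundll32.exe C:\DOCUME~1\DEFAUL~1\ntuser.dll,_IWMPEvents@0 (User 'SYSTEM')
O4 - HKLM\..\Run: [ExampleTray] C:\Program Files\Example\tray.exe
"""

LINE_RE = re.compile(r"^(O\d+) - ([^:]+): (.*)$")      # "O20 - key: value"
TEMP_RE = re.compile(r"\\temp\\", re.I)                 # any ...\Temp\ folder
PROFILE_RE = re.compile(r"^[a-z]:\\(docume~1|documents and settings)\\", re.I)
RUNDLL_RE = re.compile(r"rundll32(?:\.exe)?\s+([^,]+\.dll)", re.I)


def triage(log_text):
    """Return (section, path, reason) for entries that deserve a closer look."""
    findings = []
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        section, key, value = m.groups()
        if section == "O20" and key.strip() == "AppInit_DLLs":
            # Every DLL listed here is loaded into each process that loads user32.dll.
            for dll in filter(None, (d.strip() for d in value.split(","))):
                if TEMP_RE.search(dll):
                    reason = "AppInit DLL in a temp folder"
                elif "\\" not in dll:
                    reason = "AppInit DLL named without a path"
                else:
                    reason = "AppInit DLL, confirm it belongs to installed software"
                findings.append((section, dll, reason))
        elif section == "O4":
            hit = RUNDLL_RE.search(value)
            if hit and PROFILE_RE.match(hit.group(1)):
                findings.append((section, hit.group(1), "rundll32 autorun of a DLL in a user profile"))
    return findings


if __name__ == "__main__":
    for section, path, reason in triage(SAMPLE_LOG):
        print(f"{section}  {reason}: {path}")
```
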
  8. Farknocker

    Farknocker TS Rookie Topic Starter

    Bobbye,

    From the looks of the new Hijack log, it looks like I was able to remove the AppInit just using the preceding steps. Did I misread the log? Do you still recommend that I go through the steps you detailed in any event?

    Thanks in advance.
  9. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    Yes, the AppInit entries were removed by LSPFix. But there are still 2 entries of the 4 I had you check previously for removal-

    Did you run SDFix? If you did, please give me the log in next reply. If you did not, I'll have you run Combofix instead (I will give you the site and instructions for it). You still have some leftovers from the visiting Police Pro that we need to get rid of.

    Please run an on-line virus scan at Kaspersky OnLine Scan or if that doesn't work, you can use TrendMicro or BitDefender. (Please post the results of the scan(s) in your next reply)

    If you are unable to run the ActiveX Antivirus Scanners, let's try this Java based solution from Trend Micro.

    Attach log from SDFix and the online scan.
    Rescan with HJT and paste log in next reply.
  10. Farknocker

    Farknocker TS Rookie Topic Starter

    Bobbye,

    I ran through the steps outlined in post #7 and ran TFC and LSP-Fix.

    When I ran LSP-Fix, only three files popped up, none of which was in your list. They were:
    mswsock.dll, winrnr.dll, rsvpsp.dll. Since they didn't match, I didn't remove them.

    I then ran the SDFix but couldn't complete it. When I tried to boot in safe mode, my PC wouldn't let me do it. When I select safe mode, it seems to go through the steps of loading the drivers. But then it resets and loads up Windows like I did a soft reset. I recall that this was a problem I had before I got hit with the virus.

    Any suggestions on how to proceed?
  11. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    Let's try this instead:

    First Empty the Recycle Bin (I forget to put this in!)
    Please download ComboFix HERE:
    • With ComboFix, at the download window, please rename it to Combo-Fix(.exe) before downloading it.
    • Please disable all security programs, such as antiviruses, antispywares, and firewalls. Also disable your internet connection.
    • Run Combo-Fix.exe and follow the prompts.
      (Understand that things like your system clock changing and your desktop disappearing might happen. Do not worry, because all will be restored later.)
    • Wait for the scan to be completed.
    • If it requires a reboot, please do it.
    • After the scan has completed entirely, please post the log here. The log will be located at C:\ComboFix(.txt)

    Notes:

    1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
    2. ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.
    3. Combofix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell your helper.
    4. CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

    Did you run the Kaspersky online scan? If not, please do it and attach log in next reply

    Rescan with HJT and paste in new log.

    So I need:
    Attach the Combofix report and Kaspersky log
    Paste the HijackThis log
     
  12. Farknocker

    Farknocker TS Rookie Topic Starter

    Ok.

    Recap. Since I couldn't boot in safemode, I couldn't run LSP-Fix and SDFix. I ran ComboFix instead. I couldn't run Kaspersky online scan because the website says the online scanner is no longer available.

    I've attached the latest ComboFix log and Hijack This log.

    See anything else?

    Thanks again

  13. kritius

    kritius TS Guru Posts: 2,087

    Here is the link to the Kaspersky scanner

    Click here
  14. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    Have updated my Kaspersky link. Thanks.
  15. kritius

    kritius TS Guru Posts: 2,087

    1. Close any open browsers.

    2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

    3. Open notepad and copy/paste the text in the quotebox below into it:

    Save this as CFScript.txt, in the same location as ComboFix.exe


    [​IMG]

    Referring to the picture above, drag CFScript into ComboFix.exe

    When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.
  16. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    Thank you for your assistance kritius.