"Bad Image" pop-up not resolved by 8 step virus removal - Help

By jscruffy
Dec 5, 2009
Topic Status:
Not open for further replies.
  1. Pop-up seen preceding each application start-up; must be closed to proceed:

    "Program abbreviation".exe Bad Image

    "The application or DLL C:\\windows system 32\albbvx.dll Is not a valid image. Please check this against your install diskette"


    Scan logs are as follows: On reply attachment
  2. jscruffy

    jscruffy Newcomer, in training Topic Starter

    Logs Attached

    Logs..........................................
  3. AnonymousSurfer

    AnonymousSurfer TechSpot Enthusiast Posts: 312   +12

    Hi scruffy,

    No action taken is not something we here at techspot like to see. Please make sure that you Quarantine and Delete all viruses found with Malwarebyte's. Currently reviewing your HijackThis logs, so please be patient.
  4. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    Welcome to TechSpot, jscruffy. Let me clarify this for you.

    First, please disable this program while cleaning:
    C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe
    C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe> please disable TeaTimer while cleaning:
    • Right click the TeaTimer icon in the system Tray
    • Then click Exit Spybot-S&D Resident
    • (Once you are clean you can restart TeaTimer by going to C:\Program Files\Spybot - Search & Destroy, and double clicking on TeaTimer.exe)

    P2P Warning:
    I notice you are using Bearshare which is a file sharing program.
    Note: Even if you are using a "safe" P2P program, it is only the program that is safe. I suggest that you uninstall Bearshare for the following reasons:
    • As long as you are using file sharing networks and programs which are from sources that are not documented, you cannot verify that a download is legitimate.
    • Malware writers use these programs to include malicious content.
    • File sharing is usually unmonitored and there is a danger that your private files might be accessed.
    • The 'sharing' also includes malware that the shared system has on it.
    • Files that are illegal can be spread through file sharing.

    Please read the information on P2P Warning to help you better understand these dangers.

    Malwarebytes and Superantispyware each have a line for you to check to remove the entries they find. In the first program, Mbam, when this isn't checked, the entries will show No action taken.

    So please go back to Mbam and update it, make sure that everything is checked, and click Remove Selected.> rescan

    There are numerous entries in the HJT log to remove, but finish up on the two previous programs first.

    Are you currently posting for this same problem now on the bleeping computer site?
  5. jscruffy

    jscruffy Newcomer, in training Topic Starter

    yes,

    Sorry about that. I was just a bit anxious. I will try that right away! ;)
  6. jscruffy

    jscruffy Newcomer, in training Topic Starter

    Greetings,

    Instructions followed; New Malware/Antispy logs attached:
  7. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    Please either withdraw from that thread or this. It is not fair to expect helpers on multiple forums to be helping the same person at the same time for the same problem. While it is your choice where and when to post, using multiple valuable resources is frowned on.

    http://www.bleepingcomputer.com/forums/topic276629.html

    Kindly advise them-or us-that you are receiving help on another forum so valuable time isn't wasted.

    If you stay here, I need you to rescan with HijackThis and paste a new log in the next reply. I saved a list of entries to be removed in the original HJT log, but need to see what is still running.
  8. jscruffy

    jscruffy Newcomer, in training Topic Starter

    Greetings,

    I have not acted on any advice, OR replied to any replies at the other site. Below is the repeat HJT log. Thank you for your assistance. :)
  9. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    Okay, thanks. Please let the other forum know you are getting help elsewhere.

    Please reopen HijackThis to 'do system scan only'. Check each of the following entries if present. Optional entries have been color coded in green.

    O2 - BHO: (no name) - {1C335F06-FB3F-4104-9F8C-E3F1EA1DDDA0} - (no file)
    O2 - BHO: (no name) - {1F26BC84-1C70-4C22-B563-6D4D610F2DD6} - (no file)
    O2 - BHO: (no name) - {201f27d4-3704-41d6-89c1-aa35e39143ed} - (no file)>> (AskBar)> See Optional 2
    O2 - BHO: {020dbdef-6a55-cd98-45d4-32f856b03ae3} - {3ea30b65-8f23-4d54-89dc-55a6fedbd020} - (no file)
    O3 - Toolbar: BearShare MediaBar - {D3DEE18F-DB64-4BEB-9FF1-E1F0A5033E4A} - (no file)> See Optional 1
    O3 - Toolbar: (no name) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - (no file)
    {2318C2B1-4965-11d4-9B18-009027A5CD4F} Google Toolbar Helper googletoolbar1.dll, googletoolbar2.dll, googletoolbar3.dll, GoogleToolbar.dll, GoogleToolbar_32.dll (Malware, detected as Troj/BHO-DC - NOTE: The CLSID in question is ALSO used by the Google Toolbar, although NOT for the BHO but for the Toolbar itself)


    Close all Windows except Hijackthis and click on "Fix Checked"

    Boot into Safe Mode
    • Restart your computer and start pressing the F8 key on your keyboard.
    • Select the Safe Mode option when the Windows Advanced Options menu appears, and then press ENTER.

    If removing the AskBar and/or BearShare:
    Control Panel> Add/Remove Programs> Uninstall each of the following:
    AskBar
    BearShare


    Access Windows Explorer: Right click on Start> Explore> My Computer> Local Drive (usually C)> Programs> find the folder for each if uninstalled and do a right click> delete:
    AskBar
    BearShare


    Close Windows Explorer

    Optional 1: P2P Warning
    I notice that you are running Bearshare. This is a file sharing program.
    Note: Even if you are using a "safe" P2P program, it is only the program that is safe. I suggest that you uninstall Bearshare for the following reasons:
    • As long as you are using file sharing networks and programs which are from sources that are not documented, you cannot verify that a download is legitimate.
    • Malware writers use these programs to include malicious content.
    • File sharing is usually unmonitored and there is a danger that your private files might be accessed.
    • The 'sharing' also includes malware that the shared system has on it.
    • Files that are illegal can be spread through file sharing.

    Please read the information on P2P Warning to help you better understand these dangers.

    Optional 2: AskBar Foistware:
    You have the Ask Toolbar installed, I would recommend you uninstall it - decide after taking a look at this article:
    http://www.benedelman.org/spyware/ask-toolbars/


    • Empty the Recycle Bin

      To remove the AppInit entries:
      Please download ComboFix HERE:
      • With ComboFix, at the download window, please rename it to Combo-Fix(.exe) before downloading it.
      • Please disable all security programs, such as antiviruses, antispywares, and firewalls. Also disable your internet connection.
      • Run Combo-Fix.exe and follow the prompts.
        (Understand that things like your system clock changing and your desktop disappearing might happen. Do not worry, because all will be restored later.)
      • Wait for the scan to be completed.
      • If it requires a reboot, please do it.
      • After the scan has completed entirely, please post the log here. The log will be located at C:\ComboFix(.txt)

      Notes:

      1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
      2. ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.
      3. Combofix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell your helper.
      4. CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

      Follow with rescan using HijackThis. Paste new log into next reply.

      Include attachment of Combofix report.
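    The "Bad Image" message in the first post is what the Windows loader reports when a DLL listed under AppInit_DLLs is missing or is not a valid PE file, which is why removing the AppInit entries clears the pop-up. As an added example (my own code, not from this thread, TechSpot or ComboFix), this PowerShell snippet reads that registry value and checks each listed DLL for existence, a valid MZ/PE header and an Authenticode signature, so a helper can see what is being injected before running a removal tool. The function name Test-PeImage and the status labels are my own.

```powershell
# Added example: audit the AppInit_DLLs persistence point that causes the
# "Bad Image" pop-up when its DLL is missing or corrupt. Run elevated.
$key   = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows'
$props = Get-ItemProperty -Path $key

function Test-PeImage {
    param([string]$Path)
    # A loadable image starts with "MZ" and has "PE\0\0" at the offset stored
    # at 0x3C (e_lfanew). Anything else fails in the loader, and Windows
    # reports that failure as the "Bad Image" dialog for every new process.
    if (-not (Test-Path -LiteralPath $Path -PathType Leaf)) { return 'MISSING' }
    $b = [System.IO.File]::ReadAllBytes($Path)
    if ($b.Length -lt 0x40 -or $b[0] -ne 0x4D -or $b[1] -ne 0x5A) { return 'NOT-MZ' }
    $peOff = [BitConverter]::ToInt32($b, 0x3C)
    if ($peOff -le 0 -or ($peOff + 4) -gt $b.Length) { return 'BAD-E_LFANEW' }
    if ($b[$peOff] -ne 0x50 -or $b[$peOff + 1] -ne 0x45 -or
        $b[$peOff + 2] -ne 0 -or $b[$peOff + 3] -ne 0) { return 'NO-PE-SIG' }
    return 'OK'
}

$value = [string]$props.AppInit_DLLs
"AppInit_DLLs = '$value'"
if ($props.PSObject.Properties['LoadAppInit_DLLs']) {
    # Vista and later honour this switch; XP loads the list unconditionally.
    "LoadAppInit_DLLs = $($props.LoadAppInit_DLLs)"
}

# The value is a comma- or space-separated list; bare names resolve from system32.
$entries = @($value -split '[,\s]+' | Where-Object { $_ -ne '' })
if ($entries.Count -eq 0) { 'AppInit_DLLs is empty: nothing is injected via this key.' }
foreach ($e in $entries) {
    $p = [Environment]::ExpandEnvironmentVariables($e)
    if (-not [System.IO.Path]::IsPathRooted($p)) {
        $p = Join-Path $env:SystemRoot "system32\$p"
    }
    $status = Test-PeImage -Path $p
    # Signature status only makes sense for a file that actually parses.
    $sig = if ($status -eq 'OK') { (Get-AuthenticodeSignature -FilePath $p).Status } else { 'n/a' }
    '{0,-12} {1,-12} {2}' -f $status, $sig, $p
}
```

    A MISSING or NOT-MZ result on an unsigned DLL under system32 matches the symptom described in this thread; a signed, well-known vendor DLL is usually legitimate and should be looked up before it is removed.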
  10. jscruffy

    jscruffy Newcomer, in training Topic Starter

    Greetings,

    Pop-ups disappeared after combofix reboot. Logs attached as requested. I have a question. How do you get out of safe mode? (Skipped that step; Have had problems with that in the past).
  11. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    Usually you just reboot and it will go into Normal Mode.

    You need to verify the presence of Rootkit infection:

    Please go to this TechNet page and carefully read the instructions for running the Rootkit Revealer:

    There are steps laid out here as well as screen shots that will help you>
    Start here for the program: Using RootkitRevealer
    The download link is at the bottom of the page

    Using RootkitRevealer


      1. Please study the RKR web page carefully. Don't use your computer while RKR is scanning.

      2. Start RKR> wait about 10 seconds> click Scan. Leave computer untouched until it completes. An idle machine will minimise the possibility of false positive reports caused by changes to the system during the scan. Background processes may still make intermittent changes, but resulting discrepancies tend to be obvious from their registry or file system branch; on a re-scan many may not recur.

      3. Save the discrepancy list to text file as needed.
      Using the File->Save dialog, select "My Computer" and work down to a suitable folder. The "My Documents" and "Desktop" buttons point to a System user's folders.

      4. Use the search feature in the RKR forums.
      For questionable discrepancies, search using a distinctive part of the registry key or path name. Very frequently the same item has appeared before and been commented upon. Often they turn out to be innocuous.

      5. Search Google.
      Googling a distinctive part of the registry key, especially the CLSID, can often lead to forum reports of the application responsible. Similarly, googling file names may lead to removal advice if malicious. If using long strings copied from posts, ensure that no extra blanks have become embedded in the search string.

      6. When posting a log, ATTACH either the full text log or a representative subsection if it's too large.
     
  12. jscruffy

    jscruffy Newcomer, in training Topic Starter

  13. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    Yes, thank you. I have updated my URL. The newer one looks a lot cleaner, easier to understand.

    Thanks for the update.
  14. Burks

    Burks Newcomer, in training

    burks

  15. Burks

    Burks Newcomer, in training

    what to do about bad image pop ups
  16. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    Burks, this member left the thread 3 weeks ago. If you need help, please start your own thread.