'Bad image' popup

[mp1]

Hello,

Just think that it would be helpful for me to mention straight away that im not the most adept at computers so i apologise if i seem very slow on the advice you give me.

The problem:

Each time i run a program i recieve a message which says:

'name of program'.exe - bad image

The application or DLL c:\windows\system32\pagifali.dll is not a valid windows image. Please check this against your installation diskette.

For example for trying to run mozilla firefox:

firefox.exe - Bad image

The application or DLL c:\windows\system32\pagifali.dll is not a valid windows image. Please check this against your installation diskette.

General:
I recieve this message when i turn my computer on, even before i click on my user name.
The messages initially only appeared once for each time i ran a seperate application, however now two messages appear for each time that i run an application.
I have a trial version of Avg 8.5, and have recently added 'Hijack this' after viewing some of the other people who have posted on this forum as i thought that this might be needed or of some help.
Also i attempted a system restore to an earlier point to when i did not have the virus, however the messages still appear each time i run a program.

Important:
Im unsure but i think that the problem maybe as a result of a trojan horse virus, which is why ive placed this in virus and malware removal. After running avg it said that i had been infected by trojan horse, at which point the virus was moved into the virus vault and later deleted, i had no problems for some time, however after using avg later (some days ahead) it once again said that i was infected by trojan horse, which avg moved into the virus vault. Most if not all of the infections were in cookies, with all but one in system c.

Im unsure what i can do to fix this, but any advice and help would be much appreciated, and once again i apologise for not giving you a more in depth description, however i'll do my best to answer your questions as fully as i can when you respond.

Thanks in advance

mp1

 

[touch]

Hello mp1

PAGIFALI.DLL is an infection (cloaked malware)

I´ll therefore suggest you run the steps in this guide:
8-step Viruses/Spyware/Malware Preliminary Removal Instructions
https://www.techspot.com/community/...lware-removal-preliminary-instructions.58138/

Post attached log´s from:

Malwarebyte
Superantispyware
Hijackthis

In your next reply

 

[mp1]

Hello,

I've attached the requested logs and also a log from another antivirus program; I think from avg or avira. I followed the 8 steps, and have uploaded; avast, commodo, avira, superantispyware, hijackthis, ccleaner, Malwarebytes Anti Malware, and java.
Also, the pop-ups still remain.
Hope that this is all correct, please let me know what I need to do next

thanks
mp1

 

[touch]

Yes, I can see you still have popups.

You also have 3 antivirus programs running !

Having more than one antivirus program active in memory uses additional resources and can result in program conflicts and will typically cause your computer to crash, and will provide less protection.
Not more."

Remove/uninstall from " add/remove programs" in controlpanel:
AVG8
Avast

Also remove:
BitTorrent DNA

"Since we find the nature of P2P programs counter productive to restoring your PC to a healthy state, we ask that you remove P2P file sharing programs prior to our providing you with malware removal assistance."


Reboot.

Then, please download Combofix from:
http://subs.geekstogo.com/ComboFix.exe

And save to the desktop.

Close all other browser windows.

Double-click on the combofix icon found on your desktop.

Please note, that once you start combofix you should not click anywhere on the combofix window as it can cause the program to stall. In fact, when combofix is running, do not touch your computer at all and just take a break as it may take a while for it to complete.

When finished, it will produce a logfile located at C:\combofix.txt.

Attach the contents of that log in your next reply

 

[mp1]

hello,

Ive followed the instructions that u've given me so far. Ive uninstalled; Avast, AVG8 and BitTorrent DNA, then used combofix.
Ive attached the log to this reply. Hope this is all ok

thanks

mp1

 

[touch]

Looking better but there's still work left to do.

Open notepad and copy/paste the text in the quotebox below into it:
Name the file as CFScript
and Save it on the desktop

Killall::
Snapshot::

File::
C:\mooo.exe
Folder::
c:\documents and settings\Matt\Application Data\BitTorrent
c:\program files\BitTorrent
FileLook::
c:\windows\system32\Drivers\Chl37.sys

Registry::
[-HKEY_CLASSES_ROOT\clsid\{3041d03e-fd4b-44e0-b742-2d9b88305f98}]
[-HKEY_CLASSES_ROOT\TypeLib\{4b1c1e16-6b34-430e-b074-5928eca4c150}]
[-HKEY_CLASSES_ROOT\clsid\{3041d03e-fd4b-44e0-b742-2d9b88305f98}]
[-HKEY_CLASSES_ROOT\TypeLib\{4b1c1e16-6b34-430e-b074-5928eca4c150}]

http://img.photobucket.com/albums/v6...FScriptB-4.gif

Once saved, refering to the picture above, drag CFScript.txt into ComboFix.exe, and post back the resulting report.

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall

 

[mp1]

hello,

I did what you instructed me to do, except that the link didnt go to any album or photo, it went to the photobucket website but didnt show a picture relating to this. Therefore i simply dragged the saved log off the desktop into the combofix logo, at which point combofix asked me to run the program, i did so. I've attached the log it gave to this reply, hope this is ok, please let me know what i need to do next

thanks

mp1

 

[touch]

It looks ok. Please attach fresh hijackthis log

 

[mp1]

Hello,

I've attached the hijackthis log to this reply. Also thought i'd mention that i dont receive the popups anymore so thankyou very much.
Thanks

mp1

 

[touch]

It sounds good you´ve got rid of the popups :grinthumb

If you don´t know and recognize these, I´ll suggest you run HijackThis , and place a check mark next to the following entries and hit 'Fix checked' .

O4 - HKCU\..\Run: [\\BEDROOM2\EPSON Stylus DX7400 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATICDE.EXE /FU \"C:\DOCUME~1\Matt\LOCALS~1\Temp\E_SE.tmp\" /EF \"HKCU\"
(Description: Program running on startup from a temporary folder.)

O4 - HKCU\..\Run: [Auto EPSON Stylus DX7400 Series (Copy 1) on BEDROOM2] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATICDE.EXE /FU \"C:\WINDOWS\TEMP\E_S5C.tmp\" /EF \"HKCU\"
(Description: Program running on startup from a temporary folder.)

The following are not spyware/malware, but I suggest you place a check mark next to the following entries and hit 'Fix checked' , as these programs may be taking up system resources.

O4 - HKLM\..\Run: [SunJavaUpdateSched] \"C:\Program Files\Java\jre6\bin\jusched.exe\"
(Description: Sun Java update scheduler. Checks for updates. Not necessary. Removing this entry will free up a small amount of system resources.)

O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
(Description: RealPlayer system tray application. Not necessary. Removing this entry will free up a small amount of system resources.)

O4 - HKLM\..\Run: [ISUSScheduler] \"C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe\" -start
(Description: InstallShield updater - not needed at startup. Removing this may free up system resources.)

O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
(Description: Intel hotkey applet. Unnecessary. Removing this will free up a small amount of system resources.)

O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] \"C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe\"
(Description: Adobe reader startup - unnecessarily uses system resources.)


Reboot, attach a final hijackthis log

 

[mp1]

hello,

I've followed your instructions; i ran hijack this with the checks against all the things you suggested i put a check against, except the first two which are for the printer. I've attached the hijackthis log with the results. Hope this ok.

Thanks

mp1

 

[touch]

It´s ok


How are things running now ?

 

[mp1]

Hello,

well thats good news. Yeah i dont get any pop-ups any more which is good. Do you have any advice for me to avoid getting any in the future? Thanks

mp1

 

[touch]

The good advice come here

But first is it time for the clean-up procedure ->

You should Create a New Restore Point to prevent possible reinfection from an old one.
The easiest and safest way to do this is:
Go to Start > All Programs > Accessories > System Tools > System Restore
Select Create a restore point, and Ok it.
Next, go to Start > Run and type in cleanmgr
Select the More options tab
Choose the option to clean up system restore and OK it.

This will remove all restore points except the new one you just created.


Please download OTCleanIt
Save it to desktop.
This will remove all the tools we used to clean your computer.

Double-click OTCleanIt.exe. Click CleanUp. Say Yes to the "Begin cleanup Process?"
When asked if you want to proceed with the cleanup process, click Yes. Restart your computer when prompted.

Please note. It will NOT remove Mbam, Ccleaner and SuperAntispyware.

To learn more about how to protect yourself while on the internet, please read Tony Klein´s guide:
How did I get infected in the first place

Keep safe :wave:

 

[pretzel]

Hello,

I'm a newbie in this forum and this is my first post. I also have the same problem regarding "bad image" pop up everytime I start my computer or if I open any software program. Only, the dll that is involved is "mgbswk.dll". I am currently doing the 8-step Preliminary Removal Instructions and would be able to post the log files later. I would like, however, to ask if I need to start a new thread or if I can post my log files in this thread.

 

[touch]

Hello pretzel


Since you asked so nicely, so please make a new thread -Thank you

 

[pretzel]

Thanks for the response. I will start a new thread once I finished scanning and log files are available.