'Bad image' popup

By mp1
Mar 22, 2009
Topic Status:
Not open for further replies.
  1. Hello,

    Just think that it would be helpful for me to mention straight away that I'm not the most adept at computers, so I apologise if I seem very slow on the advice you give me.

    The problem:

    Each time I run a program I receive a message which says:

    'name of program'.exe - bad image

    The application or DLL c:\windows\system32\pagifali.dll is not a valid windows image. Please check this against your installation diskette.

    For example for trying to run mozilla firefox:

    firefox.exe - Bad image

    The application or DLL c:\windows\system32\pagifali.dll is not a valid windows image. Please check this against your installation diskette.

    General:
    I receive this message when I turn my computer on, even before I click on my user name.
    The messages initially only appeared once for each time I ran a separate application, however now two messages appear for each time that I run an application.
    I have a trial version of AVG 8.5, and have recently added 'Hijack this' after viewing some of the other people who have posted on this forum, as I thought that this might be needed or of some help.
    Also I attempted a system restore to an earlier point when I did not have the virus, however the messages still appear each time I run a program.

    Important:
    I'm unsure but I think that the problem may be a result of a trojan horse virus, which is why I've placed this in virus and malware removal. After running AVG it said that I had been infected by trojan horse, at which point the virus was moved into the virus vault and later deleted. I had no problems for some time, however after using AVG later (some days ahead) it once again said that I was infected by trojan horse, which AVG moved into the virus vault. Most if not all of the infections were in cookies, with all but one in system c.

    I'm unsure what I can do to fix this, but any advice and help would be much appreciated, and once again I apologise for not giving you a more in depth description, however I'll do my best to answer your questions as fully as I can when you respond.

    Thanks in advance

    mp1
  2. touch

    touch Newcomer, in training Posts: 978

    Hello mp1

    PAGIFALI.DLL is an infection (cloaked malware)

    I'll therefore suggest you run the steps in this guide:
    8-step Viruses/Spyware/Malware Preliminary Removal Instructions
    http://www.techspot.com/vb/topic58138.html

    Post attached logs from:

    Malwarebyte
    Superantispyware
    Hijackthis


    In your next reply
  3. mp1

    mp1 Newcomer, in training Topic Starter

    hello,

    I've attached the requested logs and also a log from another antivirus program; I think from AVG or Avira. I followed the 8 steps, and have uploaded: Avast, Comodo, Avira, SuperAntispyware, HijackThis, CCleaner, Malwarebytes Anti Malware, and Java.
    Also, the pop-ups still remain.
    Hope that this is all correct, please let me know what I need to do next

    thanks
    mp1

  4. touch

    touch Newcomer, in training Posts: 978

    Yes, I can see you still have popups.

    You also have 3 antivirus programs running!

    "Having more than one antivirus program active in memory uses additional resources and can result in program conflicts and will typically cause your computer to crash, and will provide less protection.
    Not more."

    Remove/uninstall from "Add/Remove Programs" in Control Panel:
    AVG8
    Avast


    Also remove:
    BitTorrent DNA

    "Since we find the nature of P2P programs counter productive to restoring your PC to a healthy state, we ask that you remove P2P file sharing programs prior to our providing you with malware removal assistance."


    Reboot.

    Then, please download Combofix from:
    http://subs.geekstogo.com/ComboFix.exe

    And save to the desktop.

    Close all other browser windows.

    Double-click on the combofix icon found on your desktop.

    Please note, that once you start combofix you should not click anywhere on the combofix window as it can cause the program to stall. In fact, when combofix is running, do not touch your computer at all and just take a break as it may take a while for it to complete.

    When finished, it will produce a logfile located at C:\combofix.txt.

    Attach the contents of that log in your next reply
  5. mp1

    mp1 Newcomer, in training Topic Starter

    hello,

    I've followed the instructions that you've given me so far. I've uninstalled Avast, AVG8 and BitTorrent DNA, then used Combofix.
    I've attached the log to this reply. Hope this is all ok

    thanks

    mp1

    Attached Files: log.txt (16 KB)
  6. touch

    touch Newcomer, in training Posts: 978

    Looking better but there's still work left to do.

    Open notepad and copy/paste the text in the quotebox below into it:
    Name the file as CFScript
    and Save it on the desktop

    http://img.photobucket.com/albums/v6...FScriptB-4.gif

    Once saved, referring to the picture above, drag CFScript.txt into ComboFix.exe, and post back the resulting report.

    Note:
    Do not mouseclick combofix's window whilst it's running. That may cause it to stall.
  7. mp1

    mp1 Newcomer, in training Topic Starter

    hello,

    I did what you instructed me to do, except that the link didn't go to any album or photo; it went to the Photobucket website but didn't show a picture relating to this. Therefore I simply dragged the saved log off the desktop into the Combofix logo, at which point Combofix asked me to run the program, and I did so. I've attached the log it gave to this reply, hope this is ok, please let me know what I need to do next

    thanks

    mp1
  8. touch

    touch Newcomer, in training Posts: 978

    It looks ok. Please attach a fresh HijackThis log
  9. mp1

    mp1 Newcomer, in training Topic Starter

    Hello,

    I've attached the HijackThis log to this reply. Also thought I'd mention that I don't receive the popups anymore, so thank you very much.
    Thanks

    mp1
  10. touch

    touch Newcomer, in training Posts: 978

    It sounds good you've got rid of the popups :grinthumb

    If you don't know and recognize these, I'll suggest you run HijackThis, and place a check mark next to the following entries and hit 'Fix checked'.

    O4 - HKCU\..\Run: [\\BEDROOM2\EPSON Stylus DX7400 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATICDE.EXE /FU "C:\DOCUME~1\Matt\LOCALS~1\Temp\E_SE.tmp" /EF "HKCU"
    (Description: Program running on startup from a temporary folder.)

    O4 - HKCU\..\Run: [Auto EPSON Stylus DX7400 Series (Copy 1) on BEDROOM2] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATICDE.EXE /FU "C:\WINDOWS\TEMP\E_S5C.tmp" /EF "HKCU"
    (Description: Program running on startup from a temporary folder.)


    The following are not spyware/malware, but I suggest you place a check mark next to the following entries and hit 'Fix checked', as these programs may be taking up system resources.

    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
    (Description: Sun Java update scheduler. Checks for updates. Not necessary. Removing this entry will free up a small amount of system resources.)

    O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
    (Description: RealPlayer system tray application. Not necessary. Removing this entry will free up a small amount of system resources.)

    O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
    (Description: InstallShield updater - not needed at startup. Removing this may free up system resources.)

    O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
    (Description: Intel hotkey applet. Unnecessary. Removing this will free up a small amount of system resources.)

    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
    (Description: Adobe reader startup - unnecessarily uses system resources.)



    Reboot, attach a final hijackthis log
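
The startup-entry review in the post above, as an added example that is not part of the original thread: a Python parser for HijackThis O4 lines that flags entries referencing a temporary folder and reports whether the temp path is the program image itself or only an argument. The function names and the set of temp directory names are assumptions; the first two sample lines come from the entries quoted in the post and the third is constructed.

```python
import re
from typing import NamedTuple, Optional

# Shape of a HijackThis O4 (autostart) line: O4 - <hive>\..\<key>: [<name>] <command>
O4_RE = re.compile(
    r"^O4 - (?P<hive>HK[A-Z]+)\\\.\.\\(?P<key>\w+): \[(?P<name>.*?)\] (?P<cmd>.+)$"
)
# Drive-rooted path candidates; a candidate ends at a quote or at a "/switch".
PATH_RE = re.compile(r'[A-Za-z]:\\[^"/]*')
TEMP_DIRS = {"temp", "tmp"}  # assumption: directory names treated as temporary

class Finding(NamedTuple):
    hive: str
    name: str
    role: str  # "image": the program itself is in temp; "argument": only a parameter is
    path: str

def in_temp_dir(path: str) -> bool:
    """True if any directory component (not the file name) is a temp folder."""
    parts = path.rstrip("\\ ").split("\\")
    return any(p.lower() in TEMP_DIRS for p in parts[:-1])

def triage_o4(line: str) -> Optional[Finding]:
    """Return a Finding for an O4 line that references a temp folder, else None."""
    m = O4_RE.match(line.strip())
    if not m:
        return None
    paths = [p.strip() for p in PATH_RE.findall(m["cmd"])]
    for i, path in enumerate(paths):
        if in_temp_dir(path):
            role = "image" if i == 0 else "argument"
            return Finding(m["hive"], m["name"], role, path)
    return None

def triage_log(text: str) -> list:
    """Run triage_o4 over every line of a log and keep the findings."""
    return [f for f in map(triage_o4, text.splitlines()) if f]

# Lines 1-2 are quoted in the post above; line 3 is constructed for contrast.
SAMPLE = r'''
O4 - HKCU\..\Run: [\\BEDROOM2\EPSON Stylus DX7400 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATICDE.EXE /FU "C:\DOCUME~1\Matt\LOCALS~1\Temp\E_SE.tmp" /EF "HKCU"
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [example] C:\WINDOWS\TEMP\example.exe
'''

if __name__ == "__main__":
    for f in triage_log(SAMPLE):
        print(f"{f.hive} [{f.name}] temp path as {f.role}: {f.path}")
```
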
  11. mp1

    mp1 Newcomer, in training Topic Starter

    hello,

    I've followed your instructions; I ran HijackThis with the checks against all the things you suggested I put a check against, except the first two which are for the printer. I've attached the HijackThis log with the results. Hope this is ok.

    Thanks

    mp1
  12. touch

    touch Newcomer, in training Posts: 978

    It's ok :)


    How are things running now?
  13. mp1

    mp1 Newcomer, in training Topic Starter

    Hello,

    Well, that's good news. Yeah, I don't get any pop-ups any more, which is good. Do you have any advice for me to avoid getting any in the future? Thanks

    mp1
     
  14. touch

    touch Newcomer, in training Posts: 978

    The good advice comes here ;)

    But first it is time for the clean-up procedure ->

    You should Create a New Restore Point to prevent possible reinfection from an old one.
    The easiest and safest way to do this is:
    Go to Start > All Programs > Accessories > System Tools > System Restore
    Select Create a restore point, and Ok it.
    Next, go to Start > Run and type in cleanmgr
    Select the More options tab
    Choose the option to clean up system restore and OK it.

    This will remove all restore points except the new one you just created.


    Please download OTCleanIt
    Save it to desktop.
    This will remove all the tools we used to clean your computer.
    Please note. It will NOT remove Mbam, Ccleaner and SuperAntispyware.

    To learn more about how to protect yourself while on the internet, please read Tony Klein's guide:
    How did I get infected in the first place

    Keep safe :wave:
  15. pretzel

    pretzel Newcomer, in training

    Hello,

    I'm a newbie in this forum and this is my first post. I also have the same problem regarding a "bad image" pop-up every time I start my computer or if I open any software program. Only, the dll that is involved is "mgbswk.dll". I am currently doing the 8-step Preliminary Removal Instructions and would be able to post the log files later. I would like, however, to ask if I need to start a new thread or if I can post my log files in this thread.
  16. touch

    touch Newcomer, in training Posts: 978

    Hello pretzel


    Since you asked so nicely, please make a new thread. Thank you :)
  17. pretzel

    pretzel Newcomer, in training

    Thanks for the response. I will start a new thread once I have finished scanning and the log files are available.