
Bad image error


38 replies to this topic

#1 newb2computers

newb2computers

  • Members
  • 32 posts
  • OFFLINE
  • Local time:12:49 AM

Posted 09 July 2009 - 10:12 AM

Ok, so about a week ago I was having that whole Google redirection problem, so I ran my antivirus program (Trend Micro Internet Security Pro) and it found 3 things that are listed as trojans. It asked me to restart my computer, so I did, but on start up I got a load of errors, all the same thing...

For example:

taskmgr.exe - Bad Image

The application or DLL globalroot\systemroot\system32\hjgruixkxrrayb.dll is not a valid Windows image. Please check this against your installation diskette.

The only thing that differs in these errors would be the taskmgr.exe part; that could be any program that I open and/or process. The little description underneath all that is ALWAYS the same.

But after the error is closed, whatever I started up works as normal as ever.

I've run a Windows malware detection and removal tool, and the Malwarebytes tool from this site; neither of them found anything.

Please help, newb2computers.

(P.S. I run windows XP professional)


#2 newb2computers

newb2computers
  • Topic Starter

  • Members
  • 32 posts
  • OFFLINE
  • Local time:12:49 AM

Posted 09 July 2009 - 04:43 PM

Ok, I know I'm not really supposed to bump, but I was reading a post by frostwolf; it looks like the same thing I'm having, but the error message is a bit different. I'm tempted to do what the person's telling him to do, but I'm not entirely sure if it is the same thing. Also, if that doesn't work, I wouldn't know what to do after.

#3 newb2computers

newb2computers
  • Topic Starter

  • Members
  • 32 posts
  • OFFLINE
  • Local time:12:49 AM

Posted 10 July 2009 - 08:06 AM

ok....sorry to bump again, but still looking for help....

Also, just out of curiosity...

Has anyone actually gotten rid of this virus thing, or am I just wasting my time? And if so, would completely refreshing my computer to factory settings be better?

Edited by newb2computers, 10 July 2009 - 10:40 AM.


#4 newb2computers

newb2computers
  • Topic Starter

  • Members
  • 32 posts
  • OFFLINE
  • Local time:12:49 AM

Posted 10 July 2009 - 10:56 AM

I just remembered something that "might" help...

Before this problem started my antivirus program was running, and the trojans it found were called:

*BKDR_TDSS.AZE
*BKDR_TDSS.AZE (yes, it found it twice somehow.)
*TROJ_BSCOPE.B (this one looks familiar from other posts here)

#5 DaChew

DaChew

    Visiting Alien


  • BC Advisor
  • 10,317 posts
  • OFFLINE
  • Gender:Male
  • Location:millenium falcon and rockytop
  • Local time:01:49 AM

Posted 10 July 2009 - 11:42 AM

This is a very nasty infection.

http://rootrepeal.googlepages.com/

http://rootrepeal.googlepages.com/RootRepeal.zip

Just use the file tab at the bottom, scan, and paste the report into a reply here please.

Here's a general guide to running RootRepeal in file mode:


http://www.malwarebytes.org/forums/index.php?showtopic=12709

Let's just see the file scan log and go from there
Chewy

No. Try not. Do... or do not. There is no try.

#6 newb2computers

newb2computers
  • Topic Starter

  • Members
  • 32 posts
  • OFFLINE
  • Local time:12:49 AM

Posted 10 July 2009 - 07:29 PM

Here's the log, thanks for any help; the people at Trend Micro were no help. Also, my antivirus found another trojan earlier. I'll post what it is in the next post, but for now, here's the log.

ROOTREPEAL © AD, 2007-2009
==================================================
Scan Time: 2009/07/10 20:25
Program Version: Version 1.3.0.0
Windows Version: Windows XP Media Center Edition SP3
==================================================

Hidden/Locked Files
-------------------
Path: C:\hiberfil.sys
Status: Locked to the Windows API!

Path: C:\WINDOWS\system32\hjgruiibomnqga.dat
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\hjgruiqtoiqaxy.dat
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\hjgruixgoorjne.dll
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\hjgruixkxrrayb.dll
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\drivers\hjgruiotxwiaky.sys
Status: Invisible to the Windows API!

Path: c:\documents and settings\chris\local settings\temp\etilqs_fc6veuhrucjwc7u70lji
Status: Allocation size mismatch (API: 32768, Raw: 0)

Path: C:\Program Files\Trend Micro\Internet Security\Quarantine\hjgruioptsirtceg.tmp
Status: Invisible to the Windows API!

Path: C:\Program Files\Trend Micro\Internet Security\Quarantine\hjgruiotxwiaky.sys
Status: Invisible to the Windows API!

Path: C:\Program Files\Trend Micro\Internet Security\Quarantine\hjgruiotxwiaky_1624.VIR
Status: Invisible to the Windows API!

Path: C:\Program Files\Trend Micro\Internet Security\Quarantine\hjgruixgoorjne.dll
Status: Invisible to the Windows API!

Path: C:\Program Files\Trend Micro\Internet Security\Quarantine\hjgruixkxrrayb.dll
Status: Invisible to the Windows API!

Path: C:\Documents and Settings\Chris\Local Settings\Temporary Internet Files\Content.IE5\GDYVWHE3\FoxyWolf - Commission - Lesbians
Status: Locked to the Windows API!

#7 newb2computers

newb2computers
  • Topic Starter

  • Members
  • 32 posts
  • OFFLINE
  • Local time:12:49 AM

Posted 10 July 2009 - 07:33 PM

And the trojan it found was called RTKT_AGENTT.CZ.

It was found in the file C:\WINDOWS\system32\drivers\hjgruiotxwikay.sys which I believe is one of the files listed above.

#8 DaChew

DaChew

    Visiting Alien


  • BC Advisor
  • 10,317 posts
  • OFFLINE
  • Gender:Male
  • Location:millenium falcon and rockytop
  • Local time:01:49 AM

Posted 10 July 2009 - 07:48 PM

As soon as the file is deleted, moved or quarantined, the infection recreates it.

If the file is still there, use RootRepeal to highlight that line, right click and wipe file, then immediately reboot and run MBAM.

The wipe tricks the infection.
Chewy

No. Try not. Do... or do not. There is no try.

#9 newb2computers

newb2computers
  • Topic Starter

  • Members
  • 32 posts
  • OFFLINE
  • Local time:12:49 AM

Posted 10 July 2009 - 07:55 PM

Ok, 2 things. When I run the scan I keep getting an error part way through that says:

RootRepeal error
---------------------------------------
attempt to read from address 0x00deb004

I think it's onto us.... :thumbsup:

Also, one of those files listed looks like the bad image error; the Path: C:\WINDOWS\system32\hjgruixkxrrayb.dll one looks like the error from my original post.

Edited by newb2computers, 10 July 2009 - 07:56 PM.
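
As an added example (not code from this thread, from RootRepeal, or from BleepingComputer), here is a small Python script that does by machine what the two posts above do by eye: it parses the "Hidden/Locked Files" section of a RootRepeal file-scan report in the format posted in post #6, separates files that are invisible to the Windows API (the rootkit indicator DaChew is looking for) from locked-but-expected system files such as hiberfil.sys, pulls out the filename prefix the hidden files share, and matches the DLL named in the original "Bad Image" dialog against that hidden list. The sample report inside the script is a constructed, shortened copy of the one in this thread; the function names and the KNOWN_LOCKED set are my own assumptions, not anything RootRepeal defines.

```python
"""Triage a RootRepeal 'Hidden/Locked Files' report.

Added example, not part of the thread or the RootRepeal tool. The log format
(a 'Hidden/Locked Files' header followed by Path:/Status: pairs) is taken from
the report posted in the thread; SAMPLE_LOG is a constructed, shortened copy.
"""
import ntpath
from os.path import commonprefix

# Constructed sample, modelled on the report in post #6.
SAMPLE_LOG = r"""ROOTREPEAL (c) AD, 2007-2009
==================================================
Scan Time: 2009/07/10 20:25
Program Version: Version 1.3.0.0
Windows Version: Windows XP Media Center Edition SP3
==================================================

Hidden/Locked Files
-------------------
Path: C:\hiberfil.sys
Status: Locked to the Windows API!

Path: C:\WINDOWS\system32\hjgruiibomnqga.dat
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\hjgruixkxrrayb.dll
Status: Invisible to the Windows API!

Path: C:\WINDOWS\system32\drivers\hjgruiotxwiaky.sys
Status: Invisible to the Windows API!

Path: c:\documents and settings\chris\local settings\temp\etilqs_fc6veuhrucjwc7u70lji
Status: Allocation size mismatch (API: 32768, Raw: 0)
"""

HIDDEN = "Invisible to the Windows API!"
LOCKED = "Locked to the Windows API!"
# Assumption: files Windows itself keeps open, so 'Locked' is expected for them.
KNOWN_LOCKED = {"hiberfil.sys", "pagefile.sys"}


def parse_hidden_files(text):
    """Return (path, status) pairs from the 'Hidden/Locked Files' section."""
    entries, in_section, path = [], False, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Hidden/Locked Files"):
            in_section = True
        elif not in_section or not line:
            continue
        elif line.startswith("Path:"):
            path = line[len("Path:"):].strip()
        elif line.startswith("Status:") and path is not None:
            entries.append((path, line[len("Status:"):].strip()))
            path = None
        elif not set(line) <= {"-"}:
            break  # any other non-empty line starts the next section
    return entries


def triage(entries):
    """Bucket findings: hidden files are the rootkit sign; locked system files are normal."""
    result = {"hidden": [], "locked_expected": [], "locked_unexpected": [], "other": []}
    for path, status in entries:
        name = ntpath.basename(path).lower()
        if status == HIDDEN:
            result["hidden"].append(path)
        elif status == LOCKED:
            key = "locked_expected" if name in KNOWN_LOCKED else "locked_unexpected"
            result[key].append(path)
        else:
            result["other"].append((path, status))
    return result


def family_prefix(paths, min_len=4):
    """Longest basename prefix shared by two or more files, or None.

    In the thread every hidden file starts with 'hjgrui'; a shared random-looking
    prefix across DLLs, .dat files and a driver is a useful grouping hint.
    """
    names = [ntpath.basename(p).lower() for p in paths]
    if len(names) < 2:
        return None
    prefix = commonprefix(names)
    return prefix if len(prefix) >= min_len else None


def find_bad_image_dll(bad_image_path, hidden_paths):
    """Map the DLL from a 'Bad Image' dialog (a \\globalroot\\systemroot\\... path)
    onto the hidden-file list by comparing basenames; None if not present."""
    wanted = ntpath.basename(bad_image_path).lower()
    for p in hidden_paths:
        if ntpath.basename(p).lower() == wanted:
            return p
    return None


if __name__ == "__main__":
    buckets = triage(parse_hidden_files(SAMPLE_LOG))
    for bucket, items in buckets.items():
        print(f"{bucket}: {items}")
    print("shared prefix:", family_prefix(buckets["hidden"]))
    print("Bad Image DLL ->",
          find_bad_image_dll(r"globalroot\systemroot\system32\hjgruixkxrrayb.dll",
                             buckets["hidden"]))
```

The "Invisible to the Windows API!" status is the one worth acting on: those files exist on disk but are filtered out of normal directory listings, which is why the Trend Micro and Malwarebytes scans in the opening post saw nothing. A locked hiberfil.sys is just the hibernation file and the temp-file size mismatch is the kind of transient entry a running browser leaves behind, so the script keeps them in separate buckets rather than mixing them in with the hidden set.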


#10 DaChew

DaChew

    Visiting Alien


  • BC Advisor
  • 10,317 posts
  • OFFLINE
  • Gender:Male
  • Location:millenium falcon and rockytop
  • Local time:01:49 AM

Posted 10 July 2009 - 07:59 PM

See if you can disable your AV to run RootRepeal or even use safe mode.
Chewy

No. Try not. Do... or do not. There is no try.

#11 newb2computers

newb2computers
  • Topic Starter

  • Members
  • 32 posts
  • OFFLINE
  • Local time:12:49 AM

Posted 10 July 2009 - 08:00 PM

Sorry...what's the AV?

#12 D_N_M

D_N_M

  • Members
  • 200 posts
  • OFFLINE
  • Gender:Male
  • Local time:01:49 AM

Posted 10 July 2009 - 08:11 PM

Hello newb2computers,
the AV is your antivirus.

#13 newb2computers

newb2computers
  • Topic Starter

  • Members
  • 32 posts
  • OFFLINE
  • Local time:12:49 AM

Posted 10 July 2009 - 08:18 PM

Ok, went to safe mode, found and wiped that file, got back to normal mode, and when I tried to run MBAM, it closes by itself; however, I did NOT get the bad image errors on start up like I was.

#14 DaChew

DaChew

    Visiting Alien


  • BC Advisor
  • 10,317 posts
  • OFFLINE
  • Gender:Male
  • Location:millenium falcon and rockytop
  • Local time:01:49 AM

Posted 10 July 2009 - 08:34 PM

Use add/remove programs to uninstall MBAM

Reboot then

Please download Malwarebytes Anti-Malware (v1.38) and save it to your desktop.
alternate download link 1
alternate download link 2
If you have a previous version of MBAM, remove it via Add/Remove Programs and download a fresh copy.
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself.
  • Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install. Alternatively, you can update through MBAM's interface from a clean computer, copy the definitions (rules.ref) located in C:\Documents and Settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware from that system to a USB stick or CD and then copy it to the infected machine.
On the Scanner tab:
  • Make sure the "Perform Quick Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you may be asked to reboot your computer so it can proceed with the disinfection process. Regardless of whether you are prompted to restart the computer or not, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware. MBAM may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (i.e. Spybot's TeaTimer), they may interfere or alert you after scanning with MBAM. Please temporarily disable such programs or permit them to allow the changes.

http://www.bleepingcomputer.com/forums/t/114351/how-to-temporarily-disable-your-anti-virus-firewall-and-anti-malware-programs/

You might have to try some renaming tricks with the installer and the executable in the program directory.

Letting your AV update and rescan might also work.
Chewy

No. Try not. Do... or do not. There is no try.

#15 newb2computers

newb2computers
  • Topic Starter

  • Members
  • 32 posts
  • OFFLINE
  • Local time:12:49 AM

Posted 10 July 2009 - 08:46 PM

Ok, didn't work, and I don't know what you mean by renaming tricks; my forum name is more than a name :thumbsup:



