Jump to content


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.

Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.


Various (about 15) Bad Image Windows Appear Upon Window Start Up, Following Attempt to Remove fake alert Virus

  • Please log in to reply
1 reply to this topic

#1 tonyb85


  • Members
  • 1 posts
  • Local time:04:56 AM

Posted 19 September 2009 - 12:38 AM

My version of Windows: Microsoft Windows XP, Media Center Edition, Version 2002, Service Pack

I have listed exact text for several Windows that popped up with error-type messages at the end of this post.

What I was doing that led to the problem?
Earlier in the day I was uninstalling Internet Explorer 8 (IE8) because I was having an unrelated problem with it's search bar not working for me. I wanted to uninstall it and then reinstall it to see if that would fix the problem. Once I uninstalled IE8 I found that only IE8 was uninstalled and Internet Explorer 7 (IE7) was still on my computer, which also was having the same problem with it's search bar. So I uninstalled IE7 and then had to leave for a while, without being able to reinstall IE7 and IE8. Later that night I was using Internet Explorer (I am guessing it is Internet Explorer 6, but I cannot find any Internet Explorer listed under my "Add or Remove Programs" under the Control Panel) to buy some RAM for a different computer of mine. All of a sudden I came to a website (I do not remember which site it was) that made all kinds of fake alerts appear.

Additional problems and my attempt to solve them...
If I remember correctly, the first thing I did was shut down my computer hoping the problem would disappear upon reboot. Of course it did not, upon reboot my McAfee Internet Security popped up the window for "VirusScan On-Access Scan Messages" which said it had discovered a virus/trojan. I do not remember exactly what the name said, but I believe it included the words "Fake" and "Alert" (in that order) and also said that the file was in the folder C:\WINDOWS\system32. Additionally I could not log on to the internet on my computer -- but the internet was working fine on all the other computers in my house. Another thing I remember is that there was an icon added to the windows taskbar (with the other items next to the clock in the bottom righthand corner of the screen). The icon was a red circle with a white "X" in the center of it (*not* the Windows Security Center Shield, I know that looks somewhat like that) - every once in a while it would have a small text bubble pop up from it saying something like my computer was infected and I should click "here" to have it cleaned - other times it would cause a Window to pop up with a similar infection message which I would just close.

After checking several websites for information on "fake alert" virus, I clicked a link that brought me to a post in the forum here -- this is the specific post: http://www.bleepingcomputer.com/virus-removal/remove-avcare. For some reason I thought that post was the same as the virus I had. It may have just been because the link showed up when I was doing Google searches for info on "Fake Alert virus" (or something similar to that). In any event, I followed all the steps provided in that post for removing AVCare using Malwarebytes' Anti-Malware (MBAM). After MBAM did its Quick Scan, it had found a lot of "Objects Infected," I believe it was over 40, maybe up to 80 or 90. After I did the steps to have the infected objects removed (which required me to restart my computer), upon reboot MBAM did not automatically start again (I was not clear if it was supposed to start by itself or not). Anyways, after I checked to see if my internet was working, which it still was not, I started MBAM manually. I chose to run another quick scan to see if anything else would be found. This time it did find some more "Objects Infected," like maybe about 10 total. Again it required me to reboot for the infected objects to be removed. After that reboot, my internet was working again. I can't remember if after that I did another Quick Scan with MBAM (to be sure my computer was clean), but for some reason I had to restart my computer. Upon reboot, all kinds off error windows began to pop up as Windows loaded (at the loading screen and continuing as my desktop began to show up). I have listed the specific text for the last 15 windows that popped up below, under the heading "Specific error messages I saw 2nd to Last time I booted my computer up." I have rebooted again now but this time the messages did not come up, but in my McAfee "VirusScan On-Access Scan Messages" the following Trojan is listed:

In Folder: C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP870
Detected As: Vundo.gen.aw
Detection Type: Trojan
Status: Deleted
Date and Time: 9/19/2009 12:20:17 AM
Application: svchost.exe

Please let me know if there is something I can do to assure that all viruses associated with the fake alert pop-ups and this Vundo Trojan are completely eliminated.

Thank you in advance for your time and help,

Specific error messages I saw 2nd to Last time I booted my computer up -- Upon Windows Start Up the following windows popped up:

Firstly, there were about 5 or so similar Window messages that appeared before the Windows I have listed exact text for below. I believe they had similar messages to those I have listed below, but do not know for sure.

1st Window (that I have exact text for)
Window Title: RUNDLL
Window Message (two line message): Error loading c:\windows\system32\difoyuro.dll
The specified module could not be found.
(the window has the option to click OK)

2nd - 15th Windows (that I have exact text for) - these windows popped up one after the other, the next one would only pop up after I had clicked OK on the previous Window
For the Following Windows that Popped up, the only thing that changes is the Window Title, the Window Message is always the same and the option to press OK is always present
Window Titles with an identical Window Message (the Window Message is listed below the enumerated list of Window Titles):
2) RUNDLL32.EXE Bad Image
3) UpdaterUI.exe Bad Image
4) issch.exe Bad Image
5) tfswctrl.exe Bad Image
6) IPHSend.exe Bad Image
7) msmsgs.exe Bad Image
8) SHSTAT.exe Bad Image
9) GoogleToolbarNotifier.exe Bad Image
10) DLG.exe Bad Image
11) qttask.exe Bad Image
12) MCC Monitor.exe - Bad Image
13) PlaxoHelper_en.exe - Bad Image
14) ctfmon.exe - Bad Image
15) PlaxoSysTray.exe - Bad Image

Window Message for Windows 2 through 15: The application or DLL c:\windows\system32\difoyuro.dll is not a valid Windows image. Please check this against your installation diskette.
(the windows all had the option to click OK)

BC AdBot (Login to Remove)


#2 garmanma


    Computer Masochist

  • Members
  • 27,809 posts
  • Gender:Male
  • Location:Cleveland, Ohio
  • Local time:05:56 AM

Posted 19 September 2009 - 08:59 PM

It appears you have a rootkit infection

We Need to check for Rootkits with RootRepeal
  • Download RootRepeal from the following location and save it to your desktop.
  • Direct Download (Recommended)
  • Zip Mirrors (Recommended if you have a slower connection or if the Direct Download mirror is down)

  • Extract RootRepeal.exe from the archive (If you did not use the "Direct Download" mirror).
  • Riight-click on rootrepeal.exe and rename it to tatertot.scr
  • Open Posted Image on your desktop.
  • Click the Posted Image tab.
  • Click the Posted Image button.
  • Check all seven boxes: Posted Image
  • Push Ok
  • Check the box for your main system drive (Usually C:), and press Ok.
  • Allow RootRepeal to run a scan of your system. This may take some time.
  • Once the scan completes, push the Posted Image button. Save the log to your desktop, using a distinctive name, such as RootRepeal.txt. Include this report in your next reply, please.


Please note: If Rootrepeal fails to run, try this step: Click Settings - Options. Set the Disk Access slider to High
Posted Image
why won't my laptop work?

Having grandkids is God's way of giving you a 2nd chance because you were too busy working your butt off the 1st time around
Do not send me PMs with problems that should be posted in the forums. Keep it in the forums, so everyone benefits
Become a BleepingComputer fan: Facebook and Twitter

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users