"Bad Image"&"Unexpected Error" Messages,
Hi:
:confused: I'm not sure if this is the forum I should be writing to for help, but I need to start somewhere. I'm sure that some "bug" or "parasite" has done something but I don't want to do a reformat unless I absolutely have to.
SITUATION/PROBLEM:
1. Infected with Application.Adware.NewDotNet.Dropper according to [Bit Defender Virus scan].
2. "Bad Image", & "Unexpected Error" messages come up for various programs/applications-see below for list & particulars.
3. Can't access System Restore, Task Manager, or HiJack This.
HISTORY:
Starting on late evening Jan30/06, a message box showed up in the lower right side of task bar saying a chkdsk needed to be done. The message mentioned something about ICQ (ICQ is on the computer but hasn't been accessed in a few months).
I was told about the message 1&1/2 hours after it appeared; I clicked the 2 boxes in the chkdsk window from "tools", & restarted the computer so the chkdsk could run.
As soon as the chkdsk started, in the first section, all of a sudden there were "tons" of files scrolling down as if being added or accessed. The chkdsk continued & finished.
NOTE: I'm never quick enough to read the report so I didn't see what it said. (Also, I don't even know how to access the report after the chkdsk is done).
When I opened up my user account, I noticed that the AVG icon on taskbar was grey. I clicked on it to update and a message said "no new updates".
When I clicked the desktop AVG icon, I received a message (see message 1).
I was able to open the AVG Control Center-Database said it hadn't been updated since Dec.17 2005 (or approx.). However I KNOW I received an update just a few days before (I check daily for updates).
Antivirus AVG is now up to date (I was able to get the Jan31/2006 update late evening that night).
At first I kept receiving the "Bad Image" message for AVG desktop icon, but once the Jan31 update was on the computer, I don't get that message for AVG anymore.
I continue to receive the "Bad Image" message for various other applications/programs.
Windows Version: Windows XP SP2 Home Edition- 2 user Accounts set up (mine password controlled)
Firewall: WindowsXP SP2 default firewall
Anti virus program: AVG Free 7.1.375 database 267.15.0 249 02/02/2006-set to auto update daily but I check manually as well to make sure-auto scan daily.
Other Protection Software:
Spybot Search & Destroy1.4 detection date 2006-01-27 Default Mode-manual check daily for updates-scan daily
Spyware Blaster-manual daily check for updates (BEFORE when I could access the program)
Lavasoft Ad-Aware SE Personal Edition (downloaded Feb2/06, after the troubles happened)-manual check daily for updates-scan daily-NO "Bad Image" or "Unexpected Error" message received-works great!!!
Content Advisor Program activated & password controlled by me (I have 2 late teen boys)
NOTE: Used to have Spyware Guard-deleted June2005 but I think restricted sites are still active on list.
Exact error message 1: "The application or DLL C:/Windows/system32/.......is not a valid Windows image. Please check your installation disk." (not sure what that is-installation disk cause computer came new with pre-programmed operating system).
Exact error message 2: "Unexpected Error" (for Spyware Blaster & HijackThis ONLY).
Programs/applications affected (ones that I've noticed so far):
taskmgr.exe (see message 1)...VDMDBG.dll. Task manager WON'T load from right click on taskbar OR from CTRL ALT DEL keys.
spybotSD.exe (see message 1)...Srclient.dll. Program DOES load, scan & update.
spywareblaster.exe (see message 2). Program tries to load page but then message appears.
rundll.exe (see message 1)
msnmsgr.exe (see message 1)...msdmo.dll
HijackThis
System Restore (see message 1)...rstrui.exe
I can't access system restore to turn it off OR to go back to a restore point. The window loads for me to choose a previous point or to create a new one; however, the "Bad Image" message comes up when I choose "previous restore point". It appears that I may be able to create a NEW restore point though.
WHAT I'VE DONE SO FAR:
1. "How to clean an infected computer" (AVG Free forum instructions) -followed all instructions-that's when I discovered that System Restore couldn't be accessed.
2. Ran Disk Cleanup utility [Cleanup]-program used 2X monthly on my computer since May2005 when "little eagle"-Spybot Moderator instructed me to download & use it.
3. AVG Complete Scan (Normal & Safe modes)-NO VIRUSES
4. Spybot S&D scan (Normal & Safe modes)-up to date definitions-NO PROBLEMS
5. Ad-Aware scan-NO PROBLEMS
6. Defrag
7. Chkdsk -including fix & repair (Normal & Safe modes)
8. Feb 2/06 Posted for help on Antivirus free forum [http://forum.grisoft.cz/freeforum]
9. Directed from there to [aumha.org] to "The Parasite Fight" pages for info & a copy of HijackThis (I got it here instead) & told by moderator to go with info/situation to Spyware site where I trust the people.
10. Today Read at Spybot "Before you post a log", followed instructions, did scan at [Bit Defender Virus Scan] site, Spybot scan & downloaded HJT files into [C:Antispyware2006] folder (there is a previous "Antispyware" folder from when I got help here in May2005-didn't know if I was supposed to erase it.).
11. Attempted to use HJT to scan but got "Unexpected Error" message.
:o I sure hope that you can help me or direct me to where I can get help.
I also hope I didn't give TOO much info BUT that I gave enough.
Thank you from Dorothy - I'm still hopeful that this situation can be fixed :bigthumb:
"Bad Image" & "Unexpected Error" messages
Hi "illukka":
Thank you for your reply and request. Yes...I can download new programs.:)
Sorry I took so long to get back to you. I had to go out of town for a few days. I will do as you requested and get back to you as soon as I've finished.
Thanks again.:) from Dorothy
"Bad Image" & "Unexpected Error" messages
Hi illukka:
Here are the "ewido anti malware" reports that you requested.
I had to use the "manual updates" link.
There were 2 choices of update databases that seemed to be both the same size (didn't know which to choose), so I installed the "most recent database" choice first, rebooted into Safe Mode, chose "Complete System Scan".
A message came up that said "Remove" (I had no choice of "Clean") so I clicked it, saved the first scan in "My Documents".
I then went back to the manual updates link, installed the full update database, rebooted to safe mode, chose Complete Computer Scan, and saved that report as well (2nd report).
ewido first report
--------------------------------------------------------
ewido anti-malware - Scan report
---------------------------------------------------------
+ Created on: 2:17:33 AM, 12/02/2006
+ Report-Checksum: 42C5A90A
+ Scan result:
C:\WINDOWS\cpbrkpie.ocx -> Adware.Coupons : Cleaned with backup
::Report End
ewido 2nd report
---------------------------------------------------------
ewido anti-malware - Scan report
---------------------------------------------------------
+ Created on: 3:41:52 AM, 12/02/2006
+ Report-Checksum: 71C78A61
+ Scan result:
C:\System Volume Information\_restore{4FB30166-1CDF-4883-93F0-E2BED21D25AA}\RP154\A0057426.ocx -> Adware.Coupons : Cleaned with backup
::Report End
Question:
Should I do another scan? It seems that there were 2 different things found.
Error Messages
I will write out the error messages just as they appear so you can see the file names. I'll be back to post them in another reply.
Thanks for your help. Please let me know what else I should do...another ewido scan, etc.
from Dorothy...still hopeful:)
"Bad Image" & "Unexpected Error" Messages
Hi:
I downloaded & saved Blacklight as you requested.
:confused: I didn't see "scan through Windows Explorer";
I only saw a "box" for hidden processes (:confused: was it supposed to scan more???), so I clicked scan, then next.
The results were no hidden processes.
Here is copy of the log that was on my desktop.
Log fsbl-2--6-215190329
02/15/06 14:03:29 [Info]: BlackLight Engine 1.0.30 initialized
02/15/06 14:03:29 [Info]: OS: 5.1 build 2600 (Service Pack 2)
02/15/06 14:03:29 [Note]: 7019 4
02/15/06 14:03:29 [Note]: 7005 0
02/15/06 14:04:02 [Note]: 7006 0
02/15/06 14:04:02 [Note]: 7011 472
02/15/06 14:04:03 [Note]: FSRAW library version 1.7.1014
02/15/06 14:05:41 [Note]: 7006 0
02/15/06 14:05:41 [Note]: 7011 472
02/15/06 14:05:41 [Note]: FSRAW library version 1.7.1014
02/15/06 14:07:13 [Note]: 7007 0
I hope this is okay & what you were looking for. Pls let me know.
I'm going to post the "Unexpected Error" messages & "Bad Image" message in a separate reply, just to keep things organized.
Thanks...looking forward to hearing from you.
from Dorothy:)
"Bad Image" & "Unexpected Error" Messages
Hi again::)
Here are the particulars of the message boxes that appear:
1. Task Manager:
[taskmgr.exe-Bad Image]
[This application or DLL C:Windows/system32/VDMDBG.dll is not a valid Windows image. Please check this against your installation diskette.]
This is the message that appears for Task Manager when I hit Ctrl>Alt>Delete. Nothing shows up when I right-click on the lower taskbar.
This message keeps coming up 4 to 5 times after clicking [ok] or [X], before it disappears. Task Manager window does not appear.
2. Spybot-Search & Destroy version 1.4:
[SpybotSD.exe-Bad Image]
[The application or DLL C:Windows/system32/SrClient.dll is not a valid Windows Image. Please check this against your installation diskette.]
This message box appears no matter what I click for Spybot (desktop icon, or from [start]>[all programs]).
However, when you click [ok] or [X] to close the message, the program does load and check for updates and check for problems.
3. MSN Messenger version 7.5(Build 7.5.0324):
[msnmsgr.exe-Bad Image]
[The application or DLL C:Windows/system32/msdmo.dll is not a valid Windows image. Please check this against your installation diskette.]
When you click [ok] or [X] to close the message, MSN does load and run without any problems as far as I know.
4. Spyware Blaster:
[SpywareBlaster]
[Unexpected error]
For a split second, I can see that the Spyware Blaster window is trying to open, but then the [Unexpected error] message appears. Spyware Blaster opening window does not load so I can't even check for updates....not sure if it is blocking the sites it's supposed to and I don't know how to check if it is running.
5. System Restore:
[rstrui.exe-Bad Image]
[The application or DLL C:Windows/system32/srclient.dll is not a valid Windows image. Please check this against your installation diskette.]
Takes 6-7 clicks on [ok] or [X] to close this message box; then [Welcome to System Restore] window comes up, showing a dot in [Restore my computer to an earlier time]. I click [next], then this message box below appears:
[System Restore:rstrui.exe-Bad Image]
I can click on link for [System Restore Settings] and access [System Properties]. I am afraid to click the box for [turn off system restore] because message comes up telling me all restore points will be lost.
I can click [Create a restore point]>[next] and the window comes up for me to create a restore point & type a description.
I can click [back], and click back and forth between [Restore computer...] and [Create a restore....]. The error messages don't show up, but I can't access calendars to choose a restore date.
As far as I know, these are the only messages and programs affected.
:scratch: Any ideas? Please let me know.
Thanks a lot for your help so far. Still hopeful.:)
from Dorothy
"Bad Image" & "Unexpected Error" messages
Hi again:
I got your post of Feb.16. I was unavailable yesterday to follow your instructions. Doing them. Will get back to you with info when I'm finished.
Thanks from Dorothy:) ....still hopeful
"Bad Image"&"Unexpected Error" messages
Hi illukka:
Below is the log for the MWAV antivirus tool. I clicked on [view log] and copied from MWAV Notepad. Hope this is what you wanted.
By the way, a [Bad Image] message came up when I double-clicked the MWAV icon on my desktop but it appears to have run anyway. The DLL mentioned is the same one as mentioned for the Task Manager [Bad Image] message. (Just curious if this means anything).
MWAV antivirus tool message:
[mwavscan.com-Bad Image]
[The application DLL or C:windows/system32/VDMDBG.DLL is not a valid Windows image. Please check this against your installation diskette.]
Log for the MWAV antivirus tool:
Sat Feb 18 13:01:02 2006 => **********************************************************
Sat Feb 18 13:01:02 2006 => MicroWorld Anti Virus & Spyware Toolkit Utility.
Sat Feb 18 13:01:02 2006 => Copyright © 2003-2006, MicroWorld Technologies Inc.
Sat Feb 18 13:01:02 2006 => **********************************************************
Sat Feb 18 13:01:02 2006 => Source: C:\DOCUME~1\DOROTH~1\Desktop\mwav.exe
Sat Feb 18 13:01:03 2006 => Version 8.1.8 (C:\DOCUME~1\DOROTH~1\LOCALS~1\Temp\mwavscan.com)
Sat Feb 18 13:01:03 2006 => Log File: C:\DOCUME~1\DOROTH~1\LOCALS~1\Temp\MWAV.LOG
Sat Feb 18 13:01:03 2006 => MWAV Registered: FALSE.
Sat Feb 18 13:01:03 2006 => OS Type: Windows Workstation
Sat Feb 18 13:01:03 2006 => Local Fixed Drives: c:\
Sat Feb 18 13:01:03 2006 => MWAV Mode: Only Scan files.
Sat Feb 18 13:01:03 2006 => Latest Date of files inside MWAV: 16 Feb 2006 12:40:42.
Sat Feb 18 13:01:08 2006 => AV Library Loaded...
Sat Feb 18 13:01:08 2006 => MWAV doing self scanning...
Sat Feb 18 13:01:08 2006 => Scanning File C:\DOCUME~1\DOROTH~1\LOCALS~1\Temp\kavss.exe
Sat Feb 18 13:01:08 2006 => Scanning File C:\DOCUME~1\DOROTH~1\LOCALS~1\Temp\Getvlist.exe
Sat Feb 18 13:01:09 2006 => Scanning File C:\DOCUME~1\DOROTH~1\LOCALS~1\Temp\kavss.dll
Sat Feb 18 13:01:09 2006 => Scanning File C:\DOCUME~1\DOROTH~1\LOCALS~1\Temp\kavssdi.dll
Sat Feb 18 13:01:09 2006 => Scanning File C:\DOCUME~1\DOROTH~1\LOCALS~1\Temp\kavssi.dll
Sat Feb 18 13:01:09 2006 => Scanning File C:\DOCUME~1\DOROTH~1\LOCALS~1\Temp\kavvlg.dll
Sat Feb 18 13:01:09 2006 => Scanning File C:\DOCUME~1\DOROTH~1\LOCALS~1\Temp\msvlclnt.dll
Sat Feb 18 13:01:09 2006 => Scanning File C:\DOCUME~1\DOROTH~1\LOCALS~1\Temp\ipc.dll
Sat Feb 18 13:01:09 2006 => Scanning File C:\DOCUME~1\DOROTH~1\LOCALS~1\Temp\main.avi
Sat Feb 18 13:01:09 2006 => Scanning File C:\DOCUME~1\DOROTH~1\LOCALS~1\Temp\virus.avi
Sat Feb 18 13:01:09 2006 => MWAV files are clean.
Sat Feb 18 13:01:19 2006 => Virus Database Date: 2/16/2006
Sat Feb 18 13:01:19 2006 => Virus Database Count: 177018
Sat Feb 18 13:03:22 2006 => **********************************************************
Sat Feb 18 13:03:22 2006 => MicroWorld Anti Virus & Spyware Toolkit Utility.
Sat Feb 18 13:03:22 2006 => Copyright © 2003-2006, MicroWorld Technologies Inc.
Sat Feb 18 13:03:22 2006 =>
Sat Feb 18 13:03:22 2006 => Support: support@mwti.net
Sat Feb 18 13:03:22 2006 => Web: http://www.mwti.net
Sat Feb 18 13:03:22 2006 => **********************************************************
Sat Feb 18 13:03:22 2006 => Version 8.1.8 (C:\DOCUME~1\DOROTH~1\LOCALS~1\Temp\mwavscan.com)
Sat Feb 18 13:03:22 2006 => Log File: C:\DOCUME~1\DOROTH~1\LOCALS~1\Temp\MWAV.LOG
Sat Feb 18 13:03:22 2006 => User Account: Dorothy Blake
Sat Feb 18 13:03:22 2006 => Windows Root Folder: C:\WINDOWS
Sat Feb 18 13:03:22 2006 => Windows Sys32 Folder: C:\WINDOWS\system32
Sat Feb 18 13:03:22 2006 => OS: Windows XP
Sat Feb 18 13:03:23 2006 => Latest Date of files inside MWAV: 16 Feb 2006 12:40:42.
Sat Feb 18 13:03:23 2006 => Options Selected by User:
Sat Feb 18 13:03:23 2006 => Memory Check: Enabled
Sat Feb 18 13:03:23 2006 => Registry Check: Enabled
Sat Feb 18 13:03:23 2006 => StartUp Folder Check: Enabled
Sat Feb 18 13:03:23 2006 => System Folder Check: Enabled
Sat Feb 18 13:03:23 2006 => System Area Check: Disabled
Sat Feb 18 13:03:23 2006 => Services Check: Enabled
Sat Feb 18 13:03:23 2006 => Drive Check: Enabled
Sat Feb 18 13:03:23 2006 => All Drive Check :Disabled
Sat Feb 18 13:03:23 2006 => Drive Selected = C:\
Sat Feb 18 13:03:23 2006 => Folder Check: Disabled
Sat Feb 18 13:04:54 2006 => ERROR!!! Unable to Load Memory List...
Sat Feb 18 13:04:54 2006 => ERROR!!! LoadMemory Fails
Sat Feb 18 13:04:54 2006 => Total Objects Scanned: 0
Sat Feb 18 13:04:54 2006 => Total Critical Objects: 0
Sat Feb 18 13:04:54 2006 => Total Disinfected Objects: 0
Sat Feb 18 13:04:54 2006 => Total Objects Renamed: 0
Sat Feb 18 13:04:54 2006 => Total Deleted Objects: 0
Sat Feb 18 13:04:54 2006 => Total Errors: 2
Sat Feb 18 13:04:54 2006 => Time Elapsed: 00:01:31
Sat Feb 18 13:04:54 2006 => Virus Database Date: 2/16/2006
Sat Feb 18 13:04:54 2006 => Virus Database Count: 177018
Sat Feb 18 13:04:54 2006 => Scan Completed.
I will post this now; later I'll post the sysclean.log
Thanks again for your patience and help from Dorothy:) ...still hoping...