lsass.exe bad image the application or dll - HomeworkEssaywritercsClub

bad image error, .dll is not a valid windows image

Hello,

XP Home Edition.  Received IE popups (while using Firefox), redirecting to a variety of sites.  AVG reportedly found and cleaned:

prunnet.exe, trojanhorse clicker.vse
and generic12ASAI

I then installed and ran Malwarebytes in safe mode.  It found and removed:

rogue.virusremover
adware.mywebsearch
rogue.virusremove
malware.trace
trojan.vundo
adware.hotbar

I now cannot start up normally, it blue screens.  I can start up in safe mode but get a series of bad image errors that say:

mbam.exe – Bad Image

The application or DLL globalroot\systemroot\system32\senekaowkremev.dll is not a valid Windows image.  Please check this against your installation diskette.

I can click OK or Escape only to be prompted with more of the same error.  It changes to swreg.exe – Bad Disk
NirCmd.cfexe – Bad Disk
svchost.exe, sed, exe, ERUNT, services.exe, lsass.exe, userinit.exe, explorer.exe.

Occasionally while attempting to run malwarebytes or other virus / malware scanners it says this:

This shutdown was initiated by NT AUTHORITY\SYSTEM.  Windows must now restart because the DCOM Server Process Launcher service terminated unexpectedly.     I cannot stop it, it counts down from 60 and reboots.  

See attached hijack this log. Please note that I did not have system restore enabled so I can’t use that solution.   Thanks for the help.
hijackthis.log

Status: Solved
Priority: Medium
Security: Public
Views: 8592

https://www.experts-exchange.com/questions/24023297/bad-image-error-dll-is-not-a-valid-windows-image.html

Asked by: juliedoodle


LVL 35

Bembi (CEO) Commented:
I would recommend first to scan your system using a bootable CDROM with a virus scanner. This should eliminate the files of the virus, which may be recreated during boot.

If the files are removed, use a Windows scanner to remove additional registry settings and other fragments.

I assume that the virus is not really inactive.

After that you should google for all the viruses found to have an idea what they are changing and if you may have to manually reconstruct some settings.

0

juliedoodle (Author) Commented:
Thank you for the response.  

Can you elaborate a bit on "bootable CDROM with a virus scanner" -- I have my XP CD that came with it, but how do I add a virus scanner?

0

juliedoodle (Author) Commented:
I should have mentioned that it consistently comes up first with:

services.exe – Bad Image
The application or DLL globalroot\systemroot\system32\senekaokremev.dll is not a valid Windows image.  Please check this against your installation diskette.

It then jumps to lsass.exe – Bad Image
same error.

Always does those two first, and then takes me to my users list.

0


LVL 27

David-Howard Commented:
Your log file only has two entries that are questionable. Neither of these should be the cause of your issues.
O4 – HKUS\S-1-5-18\..\Run: [msiexec.exe] msiconf.exe (User ‘?’)
O4 – HKUS\.DEFAULT\..\Run: [msiexec.exe] msiconf.exe (User ‘Default user’)
Please try to log on as a different user and download Combofix. If you are unable to log on as a different user then download it from another system and upload the program to your system.
http://www.bleepingcomputer.com/combofix/how-to-use-combofix
You must rename the default download file. Meaning, when you download Combofix.exe rename it to something like CM.exe. THEN run the executable.
If that fails, you can try rebooting into Safe Mode (F8 at Startup) and selecting Last Known Good Configuration.
http://support.microsoft.com/kb/307852
If the above fail you may need to run a Repair.
XP Repair. It’s not designed to overwrite your user data.
http://www.michaelstevenstech.com/XPrepairinstall.htm

0

juliedoodle (Author) Commented:
David-Howard,

Thank you.   I’ve decided to back up all my data while I still can…. will try to run combofix as soon as that is done.  Thanks for the tip on renaming it.  I had tried to run combofix earlier, but it would always stall on the first line – something like starting combofix, and never go any further.

0

LVL 35

Bembi (CEO) Commented:
http://www.sophos.com/support/knowledgebase/article/13251.html
http://www.avira.de/en/support/support_downloads.html  (command line scanner)

You can burn it onto a CD which is bootable, or you can copy it onto a disk, or boot from a disk and then run it from CD.

0

LVL 47

rpggamergirl Commented:
Hijackthis log is not helping much as the system is running in diagnostic startup mode and Hijackthis doesn’t scan disabled startup programs.

Combofix as suggested is a good idea, also show us the resulting logfile. You would need to rename combofix before saving to your desktop or if using another pc rename it before transferring to the infected pc.

I wouldn’t suggest a reinstall in an infected system just yet (unless a reformat is imminent).

0

juliedoodle (Author) Commented:
I cannot get ComboFix to run.  I renamed it on a different computer, downloaded the recovery console for home xp sp2.  Dragged both to my PC, under a different user, not in safe mode.

Drag the sp2 utility to the file that has the combofix icon (both are on my desktop) and nothing happens.

0

juliedoodle (Author) Commented:
Tried again to run Combo Fix, under another admin user.  I get it to start, can click Yes to agree to the terms and then suddenly I get "This system is shutting down.  Please save all work in progress and log off…. NT Authority/system    DCOM Server Process Launcher service terminated unexpectedly.

0

juliedoodle (Author) Commented:
New hijack this log, not in safe mode.  Thank you.
hijackthis2.log

0

LVL 35

Bembi (CEO) Commented:
It may be that you have a sasser or blaster virus, which produces an effect similar to what you describe. They have special removal programs, which you may find under my links. Nevertheless it seems that the virus is still active, which would not surprise me if it is blaster or sasser.

If the shutdown dialog comes up, you can run shutdown -a at the command prompt.

0

LVL 47

rpggamergirl Commented:

>>>downloaded the recovery console for home xp sp2.  Dragged both to my PC, under a different user, not in safe mode.
Drag the sp2 utility to the file that has the combofix icon (both are on my desktop) and nothing happens.<<<

We would like you to just concentrate on installing combofix on the infected pc. You don’t have to install Recovery Console, don’t have to install other things. Not good to install SP2 etc, in an infected pc as the result can be worse.
So the renamed combofix or the MalwareBytes still won’t run? There’s another tool we can try.

Also fix these entries in Hijackthis:
O2 – BHO: 9e92804c-294b-0539-a594-4f8491286f3b – b3f68219-48f4-495a-9350-b492c40829e9 – C:\WINDOWS\system32\ycehjw.dll
O4 – HKUS\S-1-5-18\..\Run: [msiexec.exe] msiconf.exe (User ‘?’)  
O4 – HKUS\.DEFAULT\..\Run: [msiexec.exe] msiconf.exe (User ‘Default user’)

0
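Added example (not part of the original thread or any participant's post): a Python sketch of two triage heuristics that single out the HijackThis entries quoted above, a Run value named like one executable that launches another, and a BHO whose display name is itself a GUID. The heuristics, function names and the last two sample lines are assumptions made for illustration; the first three sample lines are the thread's entries with the separator written as the plain hyphen HijackThis uses.

```python
import re

SEP = re.compile(r"\s[-\u2013]\s")  # " - " in HijackThis logs; web copies often carry an en dash
GUID = re.compile(r"^\{?[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}\}?$", re.I)
RUN = re.compile(r"^\S+: \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")

# First three lines are the entries quoted in this thread; the last two are
# constructed benign entries added for contrast.
SAMPLE_LOG = r"""
O2 - BHO: 9e92804c-294b-0539-a594-4f8491286f3b - b3f68219-48f4-495a-9350-b492c40829e9 - C:\WINDOWS\system32\ycehjw.dll
O4 - HKUS\S-1-5-18\..\Run: [msiexec.exe] msiconf.exe (User '?')
O4 - HKUS\.DEFAULT\..\Run: [msiexec.exe] msiconf.exe (User 'Default user')
O2 - BHO: Example Toolbar Helper - {00000000-0000-0000-0000-000000000000} - C:\Program Files\Example\helper.dll
O4 - HKLM\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
"""

def launched_binary(cmd):
    """Lower-cased file name of the program a Run command line starts."""
    m = re.match(r'"?(.+?\.exe)', cmd, re.I)
    target = m.group(1) if m else cmd.split()[0]
    return target.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def triage(log_text):
    """Return (section, reason, line) for entries matching either heuristic."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        parts = SEP.split(line, maxsplit=1)
        if len(parts) != 2:
            continue
        section, body = parts
        if section == "O4":
            m = RUN.match(body)
            # Heuristic 1: value is named like one executable but starts another.
            if (m and m["name"].lower().endswith(".exe")
                    and launched_binary(m["cmd"]) != m["name"].lower()):
                findings.append((section, "run-name-mismatch", line))
        elif section == "O2" and body.startswith("BHO: "):
            fields = SEP.split(body[len("BHO: "):])
            # Heuristic 2: a GUID sits where a product name normally appears.
            if GUID.match(fields[0]):
                findings.append((section, "guid-as-bho-name", line))
    return findings

if __name__ == "__main__":
    for section, reason, line in triage(SAMPLE_LOG):
        print(f"{section:3} {reason:18} {line}")
```

A match only marks an entry for a closer look; it does not establish that the file is malicious.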

juliedoodle (Author) Commented:
I will try rpggamergirl’s solution this evening.  I did check for blaster and sasser – nothing found.

Is it okay to run ComboFix in safe mode?

Julie

0

LVL 47

rpggamergirl Commented:
>>>Is it okay to run ComboFix in safe mode?<<<
Combofix is optimized to run in normal mode so it should be run in that mode unless pc only boots in safe mode.
Same goes for Hijackthis, it should be run in normal mode.

Please attach the combofix log.

0

LVL 47

rpggamergirl Commented:
It’s important to disable your antivirus/security shield while running combofix.

Here’s a short canned if needed:
Please download ComboFix by sUBs:
http://download.bleepingcomputer.com/sUBs/ComboFix.exe

You must download it to and run it from your Desktop
Now STOP all your monitoring programs (Antivirus/Antispyware, Guards and Shields) as they could easily interfere with ComboFix.
Double click combofix.exe & follow the prompts.
When finished, it will produce a log. Please save that log and attach it in your next reply by pasting it in the "Code Snippet" or "Attach File" window.
Re-enable all the programs that were disabled during the running of ComboFix.

Note:
Do not mouse-click combofix’s window while it is running. That may cause it to stall.
CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.
 

0

juliedoodle (Author) Commented:
Thank you.  I finally got combo fix to run.  Attached is my logfile.  I have not run HJT yet, was just thankful to finally get combofix running.
combofixlog.txt

0

juliedoodle (Author) Commented:
New HJT log, after running combofix.  Thank you for reviewing this for me.
hijackthis010709.log

0

LVL 35

Bembi (CEO) Commented:
First post points to Trojan Seneka
Have a look here: http://www.myantispyware.com/2008/11/05/how-to-remove-trojan-tdsserv/

Then I see c:\windows\system32\k9261108.exe

That's what I can see at the moment from my side.

0

LVL 47

rpggamergirl Commented:

Run combofix again using this script.

1. Open Notepad.
2. Now copy/paste the text between the lines below into the Notepad window:
————————–———-———-———-———-——
File::
C:\32788R22FWJFW.6.tmp
C:\32788R22FWJFW.5.tmp
C:\32788R22FWJFW.4.tmp
C:\32788R22FWJFW.3.tmp
C:\32788R22FWJFW.2.tmp
C:\32788R22FWJFW.1.tmp
C:\32788R22FWJFW.0.tmp
c:\windows\system32\k9261108.exe
c:\windows\system32\D7A23C43EA.sys

————————–———-———-———-———-——
3. Save the above as CFScript.txt on your desktop.
4. Then drag the CFScript.txt into ComboFix.exe. This will start ComboFix again.

c:\program files\calc.exe <– did you install or know this calc.exe in this folder?

0


juliedoodle (Author) Commented:
Hello,

Thank you again for your help.  Yes, I did put calc.exe there some time ago.

I ran the combofix app with the notepad file as you said.  Attached is the latest combofix log and HJT log.

Thanks again – I hope we are getting close.

Julie
combofixlog010809.txt
hijackthis010809.log

0

LVL 47

rpggamergirl Commented:
Can you please run other scanners on this pc, like MalwareBytes if you haven’t yet.
And an online scan with Kaspersky, please save the log.
http://www.kaspersky.com/virusscanner  

0

juliedoodle (Author) Commented:
Kaspersky and Malwarebytes both report NO malware or infections.  Thank you!!!!

You are wonderful.

Best wishes.  Julie

0

juliedoodle (Author) Commented:
Thank you so much for your help.  This was my first experts-exchange experience and it was great.  I’m going to have our company buy a subscription!  Best Wishes. Julie

0

LVL 47

rpggamergirl Commented:
No problem. And thanks for attaching the logs.
Since MBAM and Kaspersky didn’t find any threats either, that’s great.
Glad to know it’s resolved, and thanks for the points.

Unless you’re not aware, you can award points to more than one expert by clicking the "Accept Multiple Solutions" button and then distribute the points to your liking. Let me know if you want to do that and I’ll re-open the thread for you.
To uninstall Combofix:
Go to Start > Run and ‘copy and paste’ next command in the field:

ComboFix /u

System Restore will be reset and one restore point will be created.

Thank you for using Experts-Exchange!

0
