All the computers in my office show a message "Bad Image". How do we locate and diagnose the virus?

Hello Experts,
We got in this morning and all the desktops on my office network show the message:
Bad Image (filename varies) is either not designed to run on Windows or it contains an error. (etc.)

This appears to be a new infection just out today, 3/11/2015. We called Panda, our AV vendor, and after being on hold for 20 minutes, the message said "We are busy, please leave a message," then it said "Sorry, the mailbox is full." Something is definitely going on today.

We have downloaded and installed Malwarebytes and were able to update and run it, no virus found.
We tried looking at running processes with process explorer and that program was deleted off my thumb drive.
I am now looking at the drive from an infected computer using a USB to SATA adapter so there is nothing running from the drive.

Any thoughts would be greatly appreciated. Thanks for your help.



I would start by downloading Autoruns from autoruns

It allows you to scan "offline" systems. It will show you all the locations that are set to auto-launch applications at startup... Also look for files updated at/after the time of infection...

Here is a link about scanning offline systems with the newest version of Autoruns:
Autoruns with offline systems

It walks you through mounting the system (which you've already done), and some things to look for...
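One way to do the "files updated at/after the time of infection" check on the USB-mounted drive, as an added PowerShell example (not from this thread or from Autoruns); the drive letter and cutoff time are placeholders, and it assumes PowerShell 4 or later for Get-FileHash:

```powershell
# Triage an offline Windows volume mounted via USB-to-SATA: list files written at or
# after the suspected infection time, show where the churn is, and check Authenticode
# signatures on executables/scripts under user profiles.
param(
    [string]$MountedRoot = 'E:\',                          # placeholder: letter of the mounted offline volume
    [datetime]$Since     = (Get-Date '2015-03-11 00:00')    # date from the thread; time of day is an assumption
)

# Extensions worth a closer look when they appear under C:\Users after the cutoff.
$exeExt = @('.exe', '.dll', '.sys', '.scr', '.ocx', '.js', '.vbs', '.ps1', '.bat', '.cmd')

# Walk the offline volume. -Force includes hidden/system files; unreadable paths are skipped.
$recent = Get-ChildItem -Path $MountedRoot -Recurse -File -Force -ErrorAction SilentlyContinue |
    Where-Object { $_.LastWriteTime -ge $Since }

Write-Output ("Files modified since {0}: {1}" -f $Since, @($recent).Count)

# Directories with the most recently written files (an AV quarantine sweep or a
# dropper both show up as a cluster of writes in a few folders).
$recent | Group-Object DirectoryName | Sort-Object Count -Descending |
    Select-Object -First 15 Count, Name | Format-Table -AutoSize

# Executable or script content under user profiles: verify the signature and record a hash.
$suspect = $recent | Where-Object {
    $exeExt -contains $_.Extension.ToLower() -and $_.FullName -match '\\Users\\'
}

foreach ($f in $suspect) {
    $sig  = Get-AuthenticodeSignature -FilePath $f.FullName
    $hash = (Get-FileHash -Path $f.FullName -Algorithm SHA256).Hash
    [pscustomobject]@{
        Path      = $f.FullName
        Modified  = $f.LastWriteTime
        SizeKB    = [math]::Round($f.Length / 1KB, 1)
        Signature = $sig.Status          # Valid, NotSigned, HashMismatch, ...
        Signer    = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
        SHA256    = $hash
    }
}
```

Run it from a clean analysis machine against the mounted volume; unsigned or hash-mismatched binaries under user profiles, and folders with a burst of writes at the cutoff, are the entries to compare against the Autoruns output.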






Do all scans in Safe Mode (Without networking if possible)

I would consider isolating each PC from the internal network to stop the infection spreading
(although that appears to be too late)

Try a scan with HitmanPro.
You can get a free 30-day trial on each PC.



Thanks for the utility. I ran the utility on an infected computer in Safe Mode. There were no entries that showed a timestamp of today's date. Also, the image paths did not raise any red flags. That does not mean that I know none of them were infected; it just means that nothing jumped out with a random name or folder.

I am still looking through the HD of an infected computer to determine what files were updated today. I did find a lot of JavaScript files in the user profile folders. Still checking.

Let me know what else you recommend.
Thanks



Bad Image (filename varies) is either not designed to run on Windows or it contains an error
Hopefully this message means that the malware could not run and no damage has been done.

It might not be malware - just an update issue
http://answers.microsoft.com/en-us/windows/forum/windows_vista-system/dll-is-either-not-designed-to-run-on-windows-or-it/96e04287-7e81-49ab-afe5-f44449dd8322



Hello dlb6597, my comment before was about Autoruns. There were no entries with a time stamp of today, and no Image Paths raised any red flags.

We have gotten this update from our Panda AV vendor. Panda put out a bad signature file the morning of 3/11/2015. Here is a quote from their website:
--------------------
We inform you that we have had a problem with our signature file that might have affected our PCOP and Retail 2015 customers. This issue causes some files to be moved to the quarantine.
The signature file has already been replaced, so this situation should not recur. Nonetheless, we advise our customers not to restart your computer. At Panda Security we are analyzing the impact and working to restore the situation at the endpoint.
--------------------

So it looks like we don't have an infection; Panda, our AV vendor, broke their AV system.
Thanks for your attempts. I will let everyone know what the outcome is.
