
Bad Image hebitozu.dll


#1
eMoRTaL

Hi, I just recently bought a laptop in hopes of "fixing" it for myself. Didn't spend much money on it...but while I was looking through it...the guy said that it had "errors". Well the system itself is sluggish...but it's really nice. However whenever I go to open up pretty much anything...it gives me an error, for example (opening up msconfig):

msconfig.exe - Bad Image (X) The application or DLL C:\WINDOWS\System32\hebitozu.dll is not a valid Windows Image. Please check this against your installation diskette.

Obviously the guy didn't have any restore disks...so I took it because after clicking the OK button...it opens up whatever program I want. I'm having trouble though, like when I restarted it after I got home...the errors were on everything that was pre-loading as well as loading. It seems to have disabled the Wireless function because it doesn't even pick up my wifi I got at home. When I tried to "hard-wire" it through my ISP's cable...it kept trying to download something but not sure what...and then a .NET Framework error which I can't get rid of...I have to shut it down cold. I am able to get to the Safe Mode into the Administrators access. This is pretty much all the info I've got so far. I'm hoping you'll help me out. Thanks in advance.

#2
RKinner

If you can get an OTL or even a HijackThis log it should be no problem to fix it.

Download OTL from
http://www.geekstogo...timers-list-it/
and Save it to your desktop. You may need to download it on a different PC and put it on a CD or clean (never been on your sick PC) USB drive then move it to your desktop.

Run OTL (Vista or Win 7 => right click and Run As Administrator)

select the All option in the Extra Registry group then Run Scan.

You should get two logs. Please copy and paste both of them. If you can't do that then look through the OTL log yourself and copy down the line that shows hebitozu.dll. It's probably an O20 line.

Ron

#3
eMoRTaL

Ron I found that line on

o20 - AppInit_DLLs: (C:\WINDOWS\system32\hebitozu.dll) - C:\WINDOWS\system32\hebitozu.dll ()

On another instance the computer tries to download Status and to insert the 'Status' disk, and then another window opens up: Microsoft .NET Framework (X) An unhandled exception has occurred in a component in your application. Click continue and application will ignore this error and attempt to continue. Object reference not set to an instance of an object. Then those two screens seem to stay up. Continue just brings the box up.

#4
RKinner

This is how you remove the O20 line with OTL. It might be better to copy the O20 line from your OTL scan and paste it on top of the one I put in, as it needs to be exact.

Copy the text in the code box by highlighting and Ctrl + c

:OTL
O20 - AppInit_DLLs: (C:\WINDOWS\system32\hebitozu.dll) - C:\WINDOWS\system32\hebitozu.dll ()

:Commands
[Reboot]


Then right-click on OTL and select Run As Administrator to start. Under the Custom Scans/Fixes box at the bottom, paste (Ctrl + V) the text. Verify that you got it all and then click the RUN FIX button (NOT THE QUICK SCAN button!) at the top.
Let the program run unhindered, OTL will reboot the PC when it is done. Save the log and copy and paste it into a reply.
It appears that Old Timer is now hiding the log in c:\_OTL\MovedFiles\09092013-some number.log so look there if you don't see it.

#5
eMoRTaL

Hey Ron,
I tried that and it seems to have worked....the only thing is that afterward it restarted and never brought up anything but the wallpaper...and I left it for a while to see if everything would come up but nothing has come up but the wallpaper.

#6
RKinner

Right click on the clock and select Task Manager. If no clock then Ctrl Alt Delete and select Task Manager. Then File new and type in explorer and hit Enter. If that doesn't work then try booting into Safe Mode with Command Prompt.

#7
eMoRTaL

ok now the explorer part worked...when i looked at the system configuration utility...it looks like av2009 = AntiVirus2009 has been exposed to this computer...ok the log says :

OTL: Registry Value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\windows\\AppInit_DLLs:C:\WINDOWS\system32\hebitozu.dll deleted successfully.
C:\WINDOWS\system32\hebitozu.dll moved successfully.
=======COMMANDS=========

OTL by OldTimer - version 3.2.69.0 log created on 09102013_181715

Is AUTOEXEC.BAT supposed to even be in C: ?

Edited by eMoRTaL, 10 September 2013 - 05:04 PM.


#8
RKinner

Which version of Windows is this?

If Win 7 or Vista you can use Task Manager to tell it to do:

sfc /scannow


If you run regedit you can look at:

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon

These two should say:

Shell REG_SZ Explorer.exe

Userinit REG_SZ C:\Windows\system32\userinit.exe,

Explorer.exe should be located in C:\Windows\Explorer.exe


You can also try a system restore from Task Manager: File, New then type:

rstrui.exe

If there are any old points you can try them.
  • 0
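
Added example (not part of the original thread and not OTL's own code): a Python script that reviews `reg query` text exported from the affected PC for the three values discussed in posts #4 and #8 (AppInit_DLLs, Shell and Userinit), so the check can be done on a clean machine. The sample export is constructed from the paths quoted in the thread; treating an empty AppInit_DLLs as the baseline is an assumption, so a non-empty value is reported for review rather than declared malicious.

```python
import re

# Baseline from the thread (post #8), compared case-insensitively.
EXPECTED = {
    "shell": {"explorer.exe"},
    "userinit": {r"c:\windows\system32\userinit.exe,"},
    "appinit_dlls": {""},  # assumption: nothing should be listed here
}

# One value line of `reg query` output: name, type, optional data.
VALUE_LINE = re.compile(r"^\s+(\S+)\s+(REG_[A-Z_]+)[ \t]*(.*)$")

# Constructed sample export; the DLL path is the one quoted in the thread.
SAMPLE_BEFORE = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
    AppInit_DLLs    REG_SZ    C:\WINDOWS\system32\hebitozu.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
    Shell    REG_SZ    Explorer.exe
    Userinit    REG_SZ    C:\WINDOWS\system32\userinit.exe,
"""
# Same export after the OTL fix removed the AppInit_DLLs entry.
SAMPLE_AFTER = SAMPLE_BEFORE.replace(r"C:\WINDOWS\system32\hebitozu.dll", "")


def parse_reg_query(text):
    """Return {lowercased value name: data} for every value line."""
    values = {}
    for line in text.splitlines():
        match = VALUE_LINE.match(line)
        if match:
            values[match.group(1).lower()] = match.group(3).strip()
    return values


def audit(text):
    """Return (name, data) for each watched value that differs from EXPECTED."""
    found = parse_reg_query(text)
    return [(name, found[name]) for name, ok in EXPECTED.items()
            if name in found and found[name].lower() not in ok]


if __name__ == "__main__":
    for label, export in (("before", SAMPLE_BEFORE), ("after", SAMPLE_AFTER)):
        print(label, audit(export) or "matches baseline")
```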

#9
RKinner

Is AUTOEXEC.BAT supposed to even be in C: ?

Yes, check the date on it to make sure it hasn't been modified recently. It's not much used these days and is normally a hidden system file but if you want you can right click on it and Edit. That should bring it up in Notepad so you can see what it is trying to do.

#10
eMoRTaL

this is Windows XP Pro however the screen says Media Edition 2005 something like that...it had been updated but only has SP1. I still can't get wifi up for some reason either. Can't use system restore either because the date I got it...is the same date I can restore it to....but why...now it at least is working without the errors. There are also some noticeable things in run command...I pressed c by accident and it has some commands such as: file:///C:/WINDOWS/system32/oobe/actshell.htm <---is something like this normal?

a little update : the commands in regedit are as you wrote...the autoexec file is created/modified the same date : Wednesday, January 30, 2008, 6:16:20 PM
there is nothing in the autoexec.bat file when i edit it

Edited by eMoRTaL, 10 September 2013 - 05:30 PM.


#11
RKinner

Can you hook it up with an Ethernet cable?

#12
eMoRTaL

I tried hooking it up to ethernet cable...but it's still not picking it up. I've tried scanning with MBAM and there are 87 objects detected so far...I'm going to "clean it up" and see what happens. What other scan can I do to post on here for you to look through and see if there is anything keeping the laptop from connecting to the internet?

#13
RKinner

Start, All Programs, Accessories, Command Prompt. Type with an Enter after each line in the code box:

net start dhcp
proxycfg  -d
ipconfig  /release
ipconfig  /renew
ipconfig  /all
nslookup att.com

Report any errors you get (first one should say dhcp is already started if not let me know) and the IP addresses of the last ipconfig /all. Does the nslookup command come back with:

Non-authoritative answer:
Name: att.com
Addresses:144.160.155.43
144.160.36.42

Or does it just time out?

#14
eMoRTaL

hey Ron,
I've run all the commands and here is what comes up:

C:\>net start dhcp
The requested service has already been started.

C:\>proxycfg -d
Updating proxy settings under
HKEY_LOCAL_MACHINE\
SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\
WinHttpSettings :

Flags = PROXY_TYPE_DIRECT
Proxy Server = -not set-
Bypass List = -not set-

C:\>ipconfig /release

Windows IP Configuration

No operation can be performed on Wireless Network Connection while it has its media disconnected.

C:\>ipconfig /renew

Windows IP Configuration

No operation can be performed on Wireless Network Connection while it has its media disconnected.

C:\>ipconfig /all

Windows IP Configuration

Host Name . . . . . . . . . . . . : stacy-e0b1e99e2
Primary Dns Suffix . . . . . . . :
Node Type . . . . . . . . . . . . : Broadcast
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No

Ethernet adapter Wireless Network Connection:

Media State . . . . . . . . . . . : Media Disconnected
Description . . . . . . . . . . . : Broadcom 802.11b/g WLAN
Physical Address. . . . . . . . . : 00-14-A5-75-F7-00

C:\>nslookup att.com
*** Default servers are not available
Server: UnKnown
Address: 127.0.0.1

***Unknown can't find att.com: No response from server

Edited by eMoRTaL, 11 September 2013 - 05:22 PM.


#15
eMoRTaL

WOW...I just finished the scan...176 Errors...
Backdoor.Bot
IPH.GenericBHO
Worm.Koobface
Trojan.FakeAlert
Trojan.Vundo
Trojan.Agent
Trojan.akeAlert
Trojan.BHO
Adware.ShopperReports
Adware.Zango
Trojan.Dropper
Rogue.Installer
Rootkit.TDSS
Malware.Packer.Gen
Rootkit.Agent
Rogue.AntiSpyCheck
Malware.Trace
Adware.SurfAccuracy
Rogue.VirusRemove
Rogue.AntiVirus2009
Trojan.Zlob
Rogue.AntiVirus2008
Rogue.XPantiVirus
Hijack.SearchPage
PUM.Disabled.SecurityCenter

With multiple entries on all of these...I've never seen a computer with this much corruption...
I've still got the screen up and I'll wait on your response on how to remove all these...whether through MBAM or a different way.