Hiya guys,
Can anyone help me with an error I get every time I start up my com?
It says svchost.exe bad error. The application or DLL C:\docume~1\zak\locals~1\temp\cya1.tmp is not a valid Windows image. Please check this against your installation diskette.
The thing is, every time I delete the file, it comes back with another xxx1.tmp when I reboot the com. Any solution to this problem?
In case you need a HijackThis log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:29:15 PM, on 8/16/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\AVG\AVG8\avgrsx.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
c:\program files\common files\logitech\lvmvfm\LVPrcSrv.exe
C:\Acer\Empowering Technology\ePerformance\MemCheck.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
c:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Autodesk\3ds Max 2009\mentalray\satellite\raysat_3dsMax2009_32server.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\TUProgSt.exe
C:\Acer\Empowering Technology\ePower\ePower_DMC.exe
C:\Acer\Empowering Technology\eRecovery\eRAgent.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\TuneUp Utilities 2009\MemOptimizer.exe
C:\Program Files\NVTray\NVTray.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Documents and Settings\Zak\Application Data\Microsoft\svchost.exe
C:\WINDOWS\system32\wbem\wmiapsrv.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\wbem\unsecapp.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://global.acer.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://global.acer.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://global.acer.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - c:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Acer eDataSecurity Management - {5CBE3B7C-1E47-477e-A7DD-396DB0476E29} - C:\WINDOWS\system32\eDStoolbar.dll
O4 - HKLM\..\Run: [LaunchApp] Alaunch
O4 - HKLM\..\Run: [ePower_DMC] C:\Acer\Empowering Technology\ePower\ePower_DMC.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [TuneUp MemOptimizer] "C:\Program Files\TuneUp Utilities 2009\MemOptimizer.exe" autostart
O4 - HKCU\..\Run: [NVTray] C:\Program Files\NVTray\NVTray.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [svchost.exe] C:\Documents and Settings\Zak\Application Data\Microsoft\svchost.exe
O8 - Extra context menu item: Send to &Bluetooth Device... - c:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/MessengerGamesContent/GameContent/Default/uno1/GAME_UNO1.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{EFF160CB-3BE6-43A4-AB1A-C79C3AB497F7}: NameServer = 218.186.1.38,202.156.1.68
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: Memory Check Service (AcerMemUsageCheckService) - Acer Inc. - C:\Acer\Empowering Technology\ePerformance\MemCheck.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - c:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: Logitech Process Monitor (LVPrcSrv) - Logitech - c:\program files\common files\logitech\lvmvfm\LVPrcSrv.exe
O23 - Service: mental ray 3.6 Satellite for Autodesk 3ds Max 2009 32-bit 32-bit (mi-raysat_3dsMax2009_32) - Unknown owner - C:\Program Files\Autodesk\3ds Max 2009\mentalray\satellite\raysat_3dsMax2009_32server.exe
O23 - Service: nProtect GameGuard Service (npggsvc) - Unknown owner - C:\WINDOWS\system32\GameMon.des.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: TuneUp Drive Defrag Service (TuneUp.Defrag) - TuneUp Software - C:\WINDOWS\System32\TuneUpDefragService.exe
O23 - Service: TuneUp Program Statistics Service (TuneUp.ProgramStatisticsSvc) - TuneUp Software - C:\WINDOWS\System32\TUProgSt.exe
--
End of file - 6487 bytes
Thanks in advance guys, zak
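The tell-tale entry in the log above is a process called svchost.exe running from the user profile (Application Data\Microsoft) and started from an HKCU Run key, while the genuine svchost.exe lives in C:\WINDOWS\system32. The following is an added example, my own code rather than anything from this thread or from HijackThis, that automates exactly that check over HijackThis-style lines: it pulls every executable path out of "Running processes", O4 and O23 entries and flags any file that carries a Windows system-binary name but sits outside the system directories. The sample log embedded in it is constructed from a handful of lines modelled on the posted one, and the list of binary names and expected directories is an assumption for an XP layout.

```python
import ntpath
import re
from typing import Dict, List

# Constructed sample in HijackThis format, modelled on the log posted above.
SAMPLE_LOG = r"""Running processes:
C:\WINDOWS\system32\svchost.exe
C:\Documents and Settings\Zak\Application Data\Microsoft\svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [svchost.exe] C:\Documents and Settings\Zak\Application Data\Microsoft\svchost.exe
O23 - Service: nProtect GameGuard Service (npggsvc) - Unknown owner - C:\WINDOWS\system32\GameMon.des.exe (file missing)
"""

# Names of core Windows binaries that malware frequently borrows (assumed list).
SYSTEM_BINARY_NAMES = {
    "svchost.exe", "lsass.exe", "csrss.exe", "winlogon.exe",
    "services.exe", "smss.exe", "explorer.exe", "spoolsv.exe",
}

# Directories a genuine copy of those binaries runs from on Windows XP (assumed).
EXPECTED_DIRS = {r"c:\windows\system32", r"c:\windows"}

# A drive letter, a backslash, then the shortest run of characters ending in ".exe".
# Non-greedy so a line holding one path plus trailing text ("(file missing)") still
# yields just the path; paths may contain spaces, so we do not stop at whitespace.
PATH_RE = re.compile(r"[A-Za-z]:\\.+?\.exe", re.IGNORECASE)


def is_masquerading(path: str) -> bool:
    """True when the file name is a system binary but its folder is not a system folder.

    ntpath is used (rather than os.path) so backslash paths parse correctly
    even when this runs on a non-Windows analysis box.
    """
    name = ntpath.basename(path).lower()
    directory = ntpath.dirname(path).lower()
    return name in SYSTEM_BINARY_NAMES and directory not in EXPECTED_DIRS


def section_of(line: str) -> str:
    """Classify a HijackThis line by the kind of entry it is."""
    if line.startswith("O4 - "):
        return "autorun (O4)"
    if line.startswith("O23 - "):
        return "service (O23)"
    return "running process"


def scan_hijackthis_log(text: str) -> List[Dict[str, object]]:
    """Return one finding per executable path that masquerades as a system binary."""
    findings: List[Dict[str, object]] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for path in PATH_RE.findall(line):
            if is_masquerading(path):
                findings.append({
                    "line": lineno,
                    "section": section_of(line),
                    "path": path,
                    "reason": "system binary name outside a system directory",
                })
    return findings


if __name__ == "__main__":
    for f in scan_hijackthis_log(SAMPLE_LOG):
        print(f"line {f['line']:>3} [{f['section']}] {f['path']}: {f['reason']}")
```

Run against the constructed sample it reports two findings, both for the Application Data copy of svchost.exe: once as a running process and once as the HKCU Run entry that restarts it at every boot, which matches what a human reader picks out of the posted log. The same two-part check (name of a privileged binary, location that is not where Windows installs it) is a cheap first-pass triage rule for any process listing, not only HijackThis output.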
C:\Documents and Settings\Zak\Application Data\Microsoft\svchost.exe
Upload this file to Virus Total or VirScan for a scan.
Copy and paste the file path into the Browse text box.
Antivirus / Version / Last Update / Result
a-squared 4.5.0.24 2009.08.17 Riskware.Win32.Injector!IK
AhnLab-V3 5.0.0.2 2009.08.15 -
AntiVir 7.9.1.1 2009.08.14 -
Antiy-AVL 2.0.3.7 2009.08.14 Backdoor/Win32.Rbot.gen
Authentium 5.1.2.4 2009.08.16 -
Avast 4.8.1335.0 2009.08.17 -
AVG 8.5.0.406 2009.08.17 Injector.FF
BitDefender 7.2 2009.08.17 -
CAT-QuickHeal 10.00 2009.08.16 -
ClamAV 0.94.1 2009.08.17 -
Comodo 1995 2009.08.17 -
DrWeb 5.0.0.12182 2009.08.17 Win32.HLLW.MyBot
eSafe 7.0.17.0 2009.08.16 -
eTrust-Vet 31.6.6678 2009.08.14 -
F-Prot 4.4.4.56 2009.08.16 -
F-Secure 8.0.14470.0 2009.08.17 -
Fortinet 3.120.0.0 2009.08.17 -
GData 19 2009.08.17 -
Ikarus T3.1.1.64.0 2009.08.17 VirTool.Win32.Injector
Jiangmin 11.0.800 2009.08.16 Backdoor/Poison.bxn
K7AntiVirus 7.10.819 2009.08.14 -
Kaspersky 7.0.0.125 2009.08.17 -
McAfee 5711 2009.08.16 BackDoor-EBI.gen
McAfee+Artemis 5711 2009.08.16 BackDoor-EBI.gen
McAfee-GW-Edition 6.8.5 2009.08.16 -
Microsoft 1.4903 2009.08.16 VirTool:Win32/Injector.gen!AC
NOD32 4340 2009.08.16 a variant of Win32/Kryptik.ACB
Norman 6.01.09 2009.08.14 -
nProtect 2009.1.8.0 2009.08.16 -
Panda 10.0.0.14 2009.08.16 -
PCTools 4.4.2.0 2009.08.16 -
Prevx 3.0 2009.08.17 -
Rising 21.42.62.00 2009.08.16 -
Sophos 4.44.0 2009.08.17 -
Sunbelt 3.2.1858.2 2009.08.16 -
Symantec 1.4.4.12 2009.08.17 -
TheHacker 6.3.4.3.383 2009.08.13 -
TrendMicro 8.950.0.1094 2009.08.14 -
VBA32 3.12.10.9 2009.08.17 Backdoor.Win32.Rbot.afjd
ViRobot 2009.8.14.1885 2009.08.14 -
VirusBuster 4.6.5.0 2009.08.16 -

Additional information
File size: 512512 bytes
MD5...: 23dd1acc8761e0b4a5b5210a2af37652
SHA1..: 3c20d8bcb1198af7e14c35ca3401cf6e09db14bb
SHA256: d2973b3b6feda6d521df1fabf44c4f29ca20b81231727fbe29089b7ec35c6084
ssdeep: 12288:XHU9VcX5oNys+qm/VLeaZeLAiUUp9ckKfG3F7/dM1d:FWLoUnXAkFJ8d
PEiD..: Armadillo v1.71
TrID..: File type identification
  Win32 Dynamic Link Library (generic) (65.4%)
  Generic Win/DOS Executable (17.2%)
  DOS Executable Generic (17.2%)
  Autodesk FLIC Image File (extensions: flc, fli, cel) (0.0%)
PEInfo: PE Structure information
( base data )
entrypointaddress.: 0x4e44
timedatestamp.....: 0x4a6bd0bd (Sun Jul 26 03:42:53 2009)
machinetype.......: 0x14c (I386)
( 4 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x1000 0x403f 0x4200 5.40 b1850a1e550043e6d03175c2bac05034
.rdata 0x6000 0x9d6 0xa00 5.06 87fc5bb2c1254e136ff3606a182e50b6
.data 0x7000 0x3fc4 0x800 5.94 a6b7c792aeff279aea3fbcdb2eb63b5c
.rsrc 0xb000 0x77914 0x77a00 7.98 e0900fa97f6d26f0c19e183171d744a3
( 7 imports )
Do you do any sensitive activities such as internet banking?
Hmm.. so far I don't think so..
Is the virus serious? I need my com for AutoCADing my schoolwork. Need to rush for my project. I can reformat my com after 2 more weeks probably.
It's a backdoor... in general if it's used for sensitive activities such as banking, a reformat is recommended.
But since it isn't (I will take your word for it), we will proceed with some diagnostic scans.
Upload all 3 logs to a server such as Mediafire. Post back the links of these logs.
Erm... DDS created an unreadable log for me.. the link's here: http://www.mediafire.com/?sharekey=fe06d11fe66b3b7ced24a2875c7fa58ee04e75f6e8ebb871
As for GMER, every time I try to scan, the program crashes..
If this virus thing won't affect my schoolwork then I'm okay with it, 'cause I just hope it doesn't kill my work. I will reformat ASAP after I'm done with my project.
Sorry for all the trouble caused and thanks for all the help so far.
zak
Can't read the logs you posted... please make sure you save the logs properly.
Any errors for the Gmer crashes?
I saved the log properly, it says cannot run with Win32 system.
As for the GMER crash, it's the same error you get when a program suddenly shuts down, then asks if you want to send the report to Microsoft.
Hmm... can't read the log.
Please run DDS again and save the logs and upload it again. I will think about the Gmer problem.