
"Rundll32.exe-bad image"

1199 Views 7 Replies 2 Participants Last post by  Rollin' Rog
Upon startup of my computer, I get this message: "Rundll32.exe-bad image...The application or DLL C:\WINDOWS\System32\2ndsrch.dll is not a valid Windows image. Please check this against your installation diskette."

I don't have an installation diskette, since Windows XP was pre-installed on my computer. And I'm sure I should run HT, but I can't find a link for it in previous threads. Any help would be appreciated.
Status
Not open for further replies.
1 - 8 of 8 Posts
Here's what I got when I ran HT:

Logfile of HijackThis v1.96.4
Scan saved at 8:55:17 AM, on 9/7/2003
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\WINDOWS\system32\msCMTSrvc.exe
c:\Program Files\Norton AntiVirus\navapsvc.exe
C:\windows\system\hpsysdrv.exe
C:\HP\KBD\KBD.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\WildTangent\Apps\GameChannel.exe
C:\WINDOWS\System32\LXSUPMON.EXE
C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe
C:\Program Files\ISP50\bin\bartshel.exe
C:\Program Files\RingCentral\BuzMe\BMUI.exe
C:\WINDOWS\wt\updater\wcmdmgr.exe
C:\PROGRA~1\ISP50\bin\ppshared.exe
C:\Program Files\Juno\bin\juno.exe
C:\Documents and Settings\Owner\Local Settings\Temp\Temporary Directory 1 for hijackthis[1].zip\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://home.peoplepc.com/search/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://srch-qus7.hpwis.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.searching.net/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://qus7.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-qus7.hpwis.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://qus7.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-qus7.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://srch-qus7.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://qus7.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-qus7.hpwis.com/
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program Files\Microsoft Money\System\mnyside.dll
O2 - BHO: (no name) - {3DE88907-3E38-11D4-BEB2-CBE76C0598DD} - C:\Program Files\ISP50\bin\BandObject.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - c:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - c:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [WCOLOREAL] "C:\Program Files\Coloreal\coloreal.exe"
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /keeploaded
O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "c:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [WT GameChannel] C:\Program Files\WildTangent\Apps\GameChannel.exe
O4 - HKLM\..\Run: [LXSUPMON] C:\WINDOWS\System32\LXSUPMON.EXE RUN
O4 - HKLM\..\Run: [wcmdmgr] C:\WINDOWS\wt\updater\wcmdmgrl.exe -launch
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\Run: [Bart Station] C:\Program Files\ISP50\hta\station.sbrt
O4 - HKLM\..\Run: [stcloader] C:\WINDOWS\System32\stcloader.exe
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O4 - Startup: PowerReg Scheduler.exe
O4 - Global Startup: BuzMe.lnk = C:\Program Files\RingCentral\BuzMe\BMUI.exe
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O8 - Extra context menu item: &Add animation to IncrediMail Style Box - C:\PROGRA~1\INCRED~1\bin\resources\WebMenuImg.htm
O9 - Extra button: MoneySide (HKLM)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {13197ACE-6851-45C3-A7FF-C281324D5489} - http://www.2nd-thought.com/files/install.exe
O16 - DPF: {1954A4B1-9627-4CF2-A041-58AA2045CB35} (Brix6ie Control) - http://a19.g.akamai.net/7/19/7125/1269/ftp.coupons.com/v6/brix6ie.cab
O16 - DPF: {4C226336-4032-489F-9674-67E74225979B} (OTXMovie Class) - http://otx.ifilm.com/OTXMedia/OTXMedia.dll
O16 - DPF: {6B4788E2-BAE8-11D2-A1B4-00400512739B} (PWMediaSendControl Class) - http://216.249.24.142/code/PWActiveXImgCtl.CAB
O16 - DPF: {73954DC6-A1B2-4157-966F-D9914A39F59C} (Vividence Connector Launcher) - http://task.vividence.com/download/ConnectorLauncher.cab
O16 - DPF: {89D75D39-5531-47BA-9E4F-B346BA9C362C} (CWDL_DownLoadControl Class) - http://www.callwave.com/include/cab/CWDL_DownLoad.CAB
O16 - DPF: {B991DA79-51F7-4011-98D2-1F2592E82A56} (ACNPlayer2 Class) - http://204.118.132.145/2_0/ACNePlayer.cab
O16 - DPF: {C6B086D2-146B-47A4-A218-B82DCAF2D872} (cpbrxpie Control) - http://a19.g.akamai.net/7/19/7125/4003/ftp.coupons.com/r3120/cpbrxpie.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{0A3DFA26-6944-47CF-87A2-4BF583F72918}: NameServer = 64.136.20.133 64.136.28.133
O17 - HKLM\System\CS1\Services\Tcpip\..\{0A3DFA26-6944-47CF-87A2-4BF583F72918}: NameServer = 64.136.20.133 64.136.28.133
Put checks in the following HijackThis Scanlog boxes, close all browser windows and click "Fix Checked":

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.searching.net/

O4 - HKLM\..\Run: [stcloader] C:\WINDOWS\System32\stcloader.exe

Reboot and navigate to c:\windows\system32 and look for both

stcloader.exe and 2ndsrch.dll there and delete both.

Check the Program Files directory for an "STC" folder and delete that.

Review this link and you will see what we are trying to eliminate:

http://www.doxdesk.com/parasite/Pugi.html

Reboot and post another scanlog and let me know if you still get any errors.

Also, I can find very little information concerning this "service":

C:\WINDOWS\system32\msCMTSrvc.exe

It is reported to access "rdrstore.compaq.com".

Is this a relatively new HP that you have?
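
Added example, not part of the original thread and not HijackThis's own code: a small Python parser that reads HijackThis log entries and flags the ones matching the file names and start page named in the reply above. The sample log is a few lines copied from the log posted in this thread; the function names and the indicator list are assumptions of this example.

```python
import re

# Indicators taken from the reply above: two file names and the hijacked start page.
INDICATORS = ("stcloader.exe", "2ndsrch.dll", "searching.net")

# Constructed sample: a handful of lines copied from the log posted in this thread.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.searching.net/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://qus7.hpwis.com/
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\Run: [stcloader] C:\WINDOWS\System32\stcloader.exe
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
"""

# An entry line is a section code (R0, O4, O16, ...) followed by " - " and the detail.
ENTRY = re.compile(r"^([A-Z]\d{1,2}) - (.*)$")
# O4 registry autoruns look like: HKLM\..\Run: [value name] command line
RUN = re.compile(r"^(HK\w+)\\\.\.\\(Run\w*): \[([^\]]+)\] (.*)$")

def parse(log):
    """Yield (code, detail) for each entry line; headers and process paths are skipped."""
    for line in log.splitlines():
        m = ENTRY.match(line.strip())
        if m:
            yield m.group(1), m.group(2)

def flag(log, indicators=INDICATORS):
    """Return entries whose detail mentions an indicator (case-insensitive)."""
    hits = []
    for code, detail in parse(log):
        low = detail.lower()
        matched = [i for i in indicators if i in low]
        if matched:
            hits.append({"code": code, "detail": detail, "matched": matched})
    return hits

def run_values(log):
    """Return (hive, value name, command line) for each O4 registry Run entry."""
    out = []
    for code, detail in parse(log):
        m = RUN.match(detail) if code == "O4" else None
        if m:
            out.append((m.group(1), m.group(3), m.group(4)))
    return out

if __name__ == "__main__":
    for hit in flag(SAMPLE_LOG):
        print(hit["code"], hit["matched"], hit["detail"])
```

Running the same `flag()` over the follow-up scanlog after the reboot shows whether either entry has come back.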
The Compaq computer is very new; I only bought it about 4 months ago.
Okedoke, who knows what they are doing these days, since they have merged with HP.

In any case, the real problem is with the entries I indicated above; just follow those instructions and let me know the results.
Thanks. I did all the steps until the "Check the program files directory for an "STC" folder and delete that." I'm not 100% sure how to do that, can you help? I read the info you provided about the Pugi parasite; do I need to follow the steps on that page? Thanks again.
I don't think you have the other variations described in that link.

To check whether you have the STC folder in Program Files, click Start, Run and enter explorer

Click on the + beside Program Files on the c: directory and scroll down and see if the STC folder is there.

If yes, try to delete it. You may get a message that access is denied. If that happens, reboot in Safe Mode and try to delete it again.

To start in Safe Mode, press F8 promptly on restart to access the Boot Menu and select Safe Mode.

If the STC folder is not there, you have probably completed all that you need to. Let me know if there are any continuing problems.