
MSASCui.exe - Bad Image

Discussion in 'Malware and Virus Removal Archive' started by BruceV, 2007/06/20.

  1. 2007/06/20
    BruceV

    BruceV Inactive Thread Starter

    Joined:
    2004/06/23
    Messages:
    4
    Likes Received:
    0
    Hello everyone,
    I started getting the following error on startup:

    MSASCui.exe - Bad Image
    The application or DLL C:\Windows\system32\Winhttp.dll is not a valid windows image. Please check this against your installation diskette.

    After some research, I found that this error is not exclusive to this file (comes from Windows Defender) but can be generated by other programs. I have found that my World of Warcraft updater is causing the same error. I uninstalled Windows Defender and the error went away on startup. As soon as I reinstalled it, it came back. Attached is my HJT log. I sure hope you folks can help me. I've been searching for 2 days now.
    Thanks,
    Bruce

    Logfile of HijackThis v1.99.1
    Scan saved at 7:00:21 PM, on 6/20/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16441)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\SYSTEM32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Windows Defender\MsMpEng.exe
    C:\Program Files\Panda Software\Panda Titanium Antivirus 2005\pavsrv51.exe
    C:\Program Files\Panda Software\Panda Titanium Antivirus 2005\AVENGINE.EXE
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Panda Software\Panda Titanium Antivirus 2005\TPSrv.exe
    C:\Program Files\Sygate\SPF\smc.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\System32\CTsvcCDA.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\Program Files\Panda Software\Panda Titanium Antivirus 2005\PavFnSvr.exe
    C:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe
    C:\Program Files\Panda Software\Panda Titanium Antivirus 2005\psimsvc.exe
    C:\WINDOWS\system32\dla\tfswctrl.exe
    C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
    C:\WINDOWS\system32\CTHELPER.EXE
    C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
    C:\WINDOWS\system32\RUNDLL32.EXE
    C:\Program Files\Panda Software\Panda Titanium Antivirus 2005\APVXDWIN.EXE
    C:\WINDOWS\Logi_MwX.Exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Logitech\SetPoint\SetPoint.exe
    c:\program files\panda software\panda titanium antivirus 2005\WebProxy.exe
    C:\Program Files\Common Files\Logitech\KHAL\KHALMNPR.EXE
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\Panda Software\Panda Titanium Antivirus 2005\psimreal.exe
    C:\WINDOWS\system32\msiexec.exe
    C:\HJT\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    F2 - REG:system.ini: UserInit=C:\WINDOWS\regedit /s C:\pav.reg,C:\WINDOWS\system32\pavdr.exe,C:\WINDOWS\system32\userinit.exe,
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
    O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
    O4 - HKLM\..\Run: [CTSysVol] "C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe "
    O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
    O4 - HKLM\..\Run: [DeviceDiscovery] "C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe "
    O4 - HKLM\..\Run: [NvMediaCenter] "RUNDLL32.EXE" C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [APVXDWIN] "C:\Program Files\Panda Software\Panda Titanium Antivirus 2005\APVXDWIN.EXE" /s
    O4 - HKLM\..\Run: [SmcService] "C:\PROGRA~1\Sygate\SPF\smc.exe" -startgui
    O4 - HKLM\..\Run: [NvCplDaemon] "RUNDLL32.EXE" C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
    O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\shdocvw.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\shdocvw.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
    O11 - Options group: [INTERNATIONAL] International*
    O16 - DPF: {512FC5A1-7DE1-43F1-BC0C-371622FCB409} (Installer Class) - http://www.nanoscan.com/as/v1/cabs/ascinstie.cab
    O20 - Winlogon Notify: avldr - C:\WINDOWS\SYSTEM32\avldr.dll
    O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
    O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
    O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
    O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
    O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: Panda Function Service (PAVFNSVR) - Panda Software International - C:\Program Files\Panda Software\Panda Titanium Antivirus 2005\PavFnSvr.exe
    O23 - Service: Panda Process Protection Service (PavPrSrv) - Panda Software - C:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe
    O23 - Service: Panda anti-virus service (PAVSRV) - Panda Software International - C:\Program Files\Panda Software\Panda Titanium Antivirus 2005\pavsrv51.exe
    O23 - Service: Panda IManager Service (PSIMSVC) - Panda Software - C:\Program Files\Panda Software\Panda Titanium Antivirus 2005\psimsvc.exe
    O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe
    O23 - Service: Panda TPSrv (TPSrv) - Panda Software - C:\Program Files\Panda Software\Panda Titanium Antivirus 2005\TPSrv.exe
     
  2. 2007/06/29
    mailman Lifetime Subscription

    mailman Geek Member

    Joined:
    2004/01/17
    Messages:
    1,901
    Likes Received:
    11
    Hi, BruceV. :) I expect this thread will be moved to the Windows XP forum as it appears (to me) to be an OS-related issue.

    Thank you for being so patient. I'm sorry you hadn't received a response yet. The malware-removal experts spread themselves pretty thin and I expect they overlooked posting a response.

    Since there has been no response to your post, I am assuming your HijackThis log appears clean and the experts overlooked confirmation. I did not notice any obvious signs of malware in your HJT log. However, I am not a malware-removal expert so I could be wrong.

    C:\Windows\system32\Winhttp.dll is a Windows system protected file. I suspect yours is corrupt. Here are the details FileAlyzer reports about my corresponding Windows XP Home SP2 winhttp.dll file (in case you wish to compare) followed by my suggestion for a possible fix. :)

    http://www.spybot.info/en/download/index.html
    My C:\WINDOWS\system32\winhttp.dll Properties (as reported by FileAlyzer):
    Alternatively, you can use Karen's Hasher to verify whether your MD5 and SHA-1 values match the values above for my C:\WINDOWS\system32\winhttp.dll file or not.

    If your C:\WINDOWS\system32\winhttp.dll file differs from mine (or if you don't wish to compare yours with mine), then please submit the file to Jotti's Online Malware Scan just to be sure it is not malicious before proceeding with my suggestion below. If it is identified as malware, then please let us know the details of the report and wait for further guidance from our malware-removal experts.


    ==========
    Suggestion:
    ==========

    If your C:\WINDOWS\system32\winhttp.dll file is reported "OK" at Jotti's, then perhaps Windows XP's System File Checker (SFC) will help you resolve your issue.

    • Have your Windows XP CD handy because you may be prompted to insert it into your CD drive during this process.
    • Click Start > Run...
    • Type sfc /scannow in the "Open:" field.
    • Click the OK button.
    A "Windows File Protection" window will open and display its progress. If SFC runs successfully without any intervention from you, it will take approximately 15-25 minutes to complete. When SFC completes, the "Windows File Protection" window will simply disappear.

    To see any changes that may have been made by SFC after it completes:
    • Click Start > Run...
    • Type eventvwr.msc in the "Open:" field.
    • Click the OK button.
    • Click the "System" item on the left side of the "Event Viewer" window.
    Any changes made by SFC will be displayed (in reverse order) as "Windows File Protection" events between Event ID 64016 (Windows File Protection started) and 64017 (Windows File Protection completed).

    Double-click on an event (or right-click on the event and select "Properties") to view details about the event. You can use the up/down arrow buttons on the right side of the event's "Properties" window to view details about adjacent events without having to close the event's "Properties" window.

    If you want to copy event details to your clipboard (for pasting into Notepad or a forum message, for example), use the button immediately below the up/down arrow buttons in the event's "Properties" window.

    Please let us know whether this suggestion works for you or not. :)
     
    Last edited: 2007/06/29
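
The post above boils down to two checks on C:\WINDOWS\system32\winhttp.dll: does the file still have the headers the Windows loader requires (that is the test that fails behind a "Bad Image" dialog), and do its MD5/SHA-1 values match a known-good copy? The following Python script is an added example that is not part of the original thread and is not Microsoft's or FileAlyzer's code; it approximates the loader's header validation (MZ signature, e_lfanew, PE signature, optional-header magic) and hashes the file for comparison. The sample images it checks are constructed in build_minimal_pe(), and any reference hash you pass in is an assumption you supply from a trusted copy.

```python
"""Validate a DLL's PE header chain the way the Windows loader does before it
raises "Bad Image", and hash the file for comparison with a known-good copy.

Added example; not code from the original thread. Sample images are
constructed by build_minimal_pe(); reference hashes are caller-supplied.
"""
import hashlib
import struct

IMAGE_DOS_SIGNATURE = 0x5A4D       # "MZ"
IMAGE_NT_SIGNATURE = 0x00004550    # "PE\0\0"
IMAGE_FILE_DLL = 0x2000            # IMAGE_FILE_HEADER.Characteristics flag
OPTIONAL_MAGICS = {0x10B: "PE32", 0x20B: "PE32+"}
FILE_HEADER_FMT = "<HHIIIHH"       # IMAGE_FILE_HEADER, 20 bytes


def check_pe_image(data: bytes) -> dict:
    """Approximate the loader's header validation and return a verdict dict
    (valid, reason, format, is_dll, md5, sha1). The real loader also checks
    section headers and alignment; this covers the header chain that a
    truncated or overwritten file most often breaks."""
    result = {
        "valid": False, "reason": "", "format": None, "is_dll": False,
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
    }
    if len(data) < 64:
        result["reason"] = "shorter than IMAGE_DOS_HEADER (64 bytes)"
        return result
    (e_magic,) = struct.unpack_from("<H", data, 0)
    if e_magic != IMAGE_DOS_SIGNATURE:
        result["reason"] = "missing MZ signature"
        return result
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if e_lfanew + 24 > len(data):          # room for PE sig (4) + file header (20)
        result["reason"] = "e_lfanew points past end of file"
        return result
    (sig,) = struct.unpack_from("<I", data, e_lfanew)
    if sig != IMAGE_NT_SIGNATURE:
        result["reason"] = "missing PE signature at e_lfanew"
        return result
    (_machine, _nsections, _ts, _symtab, _nsyms, opt_size,
     characteristics) = struct.unpack_from(FILE_HEADER_FMT, data, e_lfanew + 4)
    opt_offset = e_lfanew + 24
    if opt_size < 2 or opt_offset + opt_size > len(data):
        result["reason"] = "optional header truncated"
        return result
    (magic,) = struct.unpack_from("<H", data, opt_offset)
    if magic not in OPTIONAL_MAGICS:
        result["reason"] = "unknown optional header magic 0x%04x" % magic
        return result
    result["valid"] = True
    result["format"] = OPTIONAL_MAGICS[magic]
    result["is_dll"] = bool(characteristics & IMAGE_FILE_DLL)
    return result


def matches_reference(data: bytes, reference: dict) -> bool:
    """True when every hash in `reference` ({'md5': ..., 'sha1': ...}) matches
    the file. An empty reference never matches: no comparison, no trust."""
    if not reference:
        return False
    actual = {"md5": hashlib.md5(data).hexdigest(),
              "sha1": hashlib.sha1(data).hexdigest()}
    return all(actual.get(k) == v.lower() for k, v in reference.items())


def build_minimal_pe(corrupt=None) -> bytes:
    """Constructed sample: the smallest header chain check_pe_image accepts,
    optionally damaged the way a corrupt DLL is commonly found."""
    dos = bytearray(64)
    struct.pack_into("<H", dos, 0, IMAGE_DOS_SIGNATURE)
    struct.pack_into("<I", dos, 0x3C, 64)              # e_lfanew -> PE header
    opt_size = 224                                      # PE32 optional header
    file_hdr = struct.pack(FILE_HEADER_FMT, 0x14C, 1, 0, 0, 0, opt_size,
                           0x2102)                      # EXECUTABLE|32BIT|DLL
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)               # PE32 magic
    image = bytes(dos) + b"PE\0\0" + file_hdr + bytes(opt)
    if corrupt == "signature":                          # header overwritten
        image = image[:64] + b"XX\0\0" + image[68:]
    elif corrupt == "truncate":                         # partial write
        image = image[:100]
    elif corrupt == "lfanew":                           # pointer into nowhere
        dos2 = bytearray(image[:64])
        struct.pack_into("<I", dos2, 0x3C, 0x10000)
        image = bytes(dos2) + image[64:]
    return image


def check_file(path: str, reference=None) -> dict:
    """Run both checks on a real file, e.g. C:\\WINDOWS\\system32\\winhttp.dll."""
    with open(path, "rb") as fh:
        data = fh.read()
    verdict = check_pe_image(data)
    verdict["matches_reference"] = matches_reference(data, reference or {})
    return verdict


if __name__ == "__main__":
    for label in (None, "signature", "truncate", "lfanew"):
        v = check_pe_image(build_minimal_pe(label))
        print(label or "intact", v["valid"], v["reason"] or v["format"], v["md5"])
```

A file that fails check_pe_image() is exactly what SFC should replace from the installation media; a file that passes the header check but does not match the reference hashes is the case the post sends to an online scanner first, since a well-formed image with the wrong hash is what a trojanised system DLL looks like.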


  4. 2007/06/30
    BruceV

    BruceV Inactive Thread Starter

    Joined:
    2004/06/23
    Messages:
    4
    Likes Received:
    0
    Thank you, Mailman, for your response. I ended up replacing the winhttp.dll file and it took care of a lot of the problems. But after a few more days of strange issues, I finally decided to reformat and start over clean. Now everything works smooth again. :)

    Thanks again for your reply.

    Bruce
     
  5. 2007/06/30
    mailman Lifetime Subscription

    mailman Geek Member

    Joined:
    2004/01/17
    Messages:
    1,901
    Likes Received:
    11
    You're welcome, BruceV. :)

    Thanks for letting us know the details about how you resolved your issue.

    Here's a link to TeMerc's suggestions about actions one can take to help prevent one's computer from becoming infected.

    Please feel free to post again if you have any computer troubles you want assistance with.

    Good luck!
     
  6. 2007/06/30
    mailman Lifetime Subscription

    mailman Geek Member

    Joined:
    2004/01/17
    Messages:
    1,901
    Likes Received:
    11
    BTW, TeMerc, your Ultimate Countermeasures Page needs to be updated to reflect the new version of Ad-Aware 2007 Free.

    I would normally remind you via PM. However, since BruceV (and others) might be confused by the old link on your page I posted the link to above, my suggestion is going here. :)


    The "Welcome" step-by-step instructions here at Windows BBS about how malware victims should apply Ad-Aware 2007 Free in preparation for further assistance might need to be updated by an expert. PeteC already updated the link.
     
