Solved BAD IMAGE error, can't click anything on desktop with Windows Explorer open

My bad, sorry.

OTL logfile created on: 24-May-12 6:36:56 AM - Run 3
OTL by OldTimer - Version 3.2.43.1 Folder = C:\Users\NOOR\Downloads
Ultimate Edition Service Pack 1 (Version = 6.1.7601) - Type = NTWorkstation
Internet Explorer (Version = 9.0.8112.16421)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: dd-MMM-yy

2.00 Gb Total Physical Memory | 1.09 Gb Available Physical Memory | 54.59% Memory free
3.99 Gb Paging File | 3.00 Gb Available in Paging File | 75.07% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 146.48 Gb Total Space | 100.89 Gb Free Space | 68.88% Space Free | Partition Type: NTFS
Drive D: | 146.48 Gb Total Space | 80.88 Gb Free Space | 55.21% Space Free | Partition Type: NTFS
Drive E: | 172.79 Gb Total Space | 57.19 Gb Free Space | 33.10% Space Free | Partition Type: NTFS

Computer Name: NOOR-PC | User Name: NOOR | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: Off | File Age = 30 Days

========== Custom Scans ==========

< MD5 for: MLANG.DLL >
[2008-01-19 12:34:49 | 000,187,904 | ---- | M] (Microsoft Corporation) MD5=3EB6D30D82F0E300FCFBAD0498F654FD -- C:\mlang.dll
[2008-01-19 12:34:49 | 000,187,904 | ---- | M] (Microsoft Corporation) MD5=3EB6D30D82F0E300FCFBAD0498F654FD -- C:\Users\Administrator\Downloads\mlang\mlang.dll
[2008-01-19 12:34:49 | 000,187,904 | ---- | M] (Microsoft Corporation) MD5=3EB6D30D82F0E300FCFBAD0498F654FD -- C:\Users\NOOR\Desktop\mlang\mlang.dll
[2008-01-19 12:34:49 | 000,187,904 | ---- | M] (Microsoft Corporation) MD5=3EB6D30D82F0E300FCFBAD0498F654FD -- C:\Windows\mlang.dll
[2009-07-14 06:15:40 | 000,177,664 | ---- | M] () MD5=7E2FB1071CE770D72F22B4C5C9E661D6 -- C:\Windows\System32\mlang.dll
[2009-07-14 06:15:40 | 000,177,664 | ---- | M] () MD5=7E2FB1071CE770D72F22B4C5C9E661D6 -- C:\Windows\winsxs\x86_microsoft-windows-mlang_31bf3856ad364e35_6.1.7600.16385_none_56b5a19c4551e3b0\mlang.dll

< End of report >
 
Good :)

Download BlitzBlank and save it to your desktop.
Double click on Blitzblank.exe

  • Click OK at the warning.
  • Click the Script tab and copy/paste the following text there:
Code:
CopyFile:
C:\mlang.dll C:\Windows\System32\mlang.dll
  • Click Execute Now. Your computer will need to reboot in order to replace the files.
  • When done, post the report created by Blitzblank.
    You can find it in the root of the drive, normally C:\
 
BlitzBlank 1.0.0.32

File/Registry Modification Engine native application
CopyFileOnReboot: sourceFile = "\??\c:\mlang.dll", destinationFile = "\??\c:\windows\system32\mlang.dll"
CopyFile: ZwCreateFile failed: status = c0000022
 
Didn't work.

Let's try Combofix.

1. Please open Notepad (Start>All Programs>Accessories>Notepad).

2. Now copy/paste the entire content of the codebox below into the Notepad window:

Code:
FCopy::
C:\mlang.dll | C:\Windows\System32\mlang.dll

ClearJavaCache::


3. Save the above as CFScript.txt

4. Close/disable all anti-virus and anti-malware programs again, so they do not interfere with the running of ComboFix.

5. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

CFScript.gif



6. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
  • Combofix.txt
 
ComboFix 12-05-23.06 - NOOR 24-May-12 7:09.2.2 - x86
Microsoft Windows 7 Ultimate 6.1.7601.1.1252.1.1033.18.2044.1235 [GMT 5:00]
Running from: c:\users\NOOR\Desktop\ComboFix.exe
Command switches used :: c:\users\NOOR\Desktop\CFScript.txt
AV: Microsoft Security Essentials *Disabled/Updated* {9765EA51-0D3C-7DFB-6091-10E4E1F341F6}
SP: Microsoft Security Essentials *Disabled/Updated* {2C040BB5-2B06-7275-5A21-2B969A740B4B}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
C:\Install.exe
.
.
--------------- FCopy ---------------
.
c:\mlang.dll --> c:\Windows\System32\mlang.dll
.
((((((((((((((((((((((((( Files Created from 2012-04-24 to 2012-05-24 )))))))))))))))))))))))))))))))
.
.
2012-05-24 02:15 . 2012-05-24 02:15--------d-----w-c:\users\NOOR\AppData\Local\temp
2012-05-24 02:15 . 2012-05-24 02:15--------d-----w-c:\users\UpdatusUser\AppData\Local\temp
2012-05-24 02:15 . 2012-05-24 02:15--------d-----w-c:\users\Default\AppData\Local\temp
2012-05-24 02:15 . 2012-05-24 02:15--------d-----w-c:\users\Administrator\AppData\Local\temp
2012-05-24 01:30 . 2008-01-19 07:34187904----a-w-c:\windows\mlang.dll
2012-05-24 01:25 . 2012-05-24 01:25--------d-----w-c:\users\Administrator\AppData\Roaming\Media Player Classic
2012-05-24 01:14 . 2012-05-24 01:14--------d-----w-c:\users\Administrator\AppData\Roaming\Intel
2012-05-24 01:13 . 2012-05-08 16:406737808----a-w-c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{F54E0DBB-9F2A-4F00-90B6-118DBF71E92E}\mpengine.dll
2012-05-24 01:12 . 2008-01-19 07:34187904------w-C:\mlang.dll
2012-05-24 00:54 . 2012-05-24 00:54--------d-----w-C:\_OTL
2012-05-23 19:29 . 2012-05-23 19:40--------d-----w-c:\program files\SlimCleaner
2012-05-23 19:28 . 2012-05-23 19:29--------d-----w-c:\program files\SlimComputer
2012-05-23 18:40 . 2012-05-23 18:41--------d-----w-c:\windows\Sun
2012-05-23 18:22 . 2012-05-23 18:22--------d-----w-c:\users\NOOR\AppData\Roaming\Intel
2012-05-23 18:21 . 2012-05-23 18:21--------d-----w-c:\programdata\Intel
2012-05-23 18:19 . 2012-05-23 18:188192----a-w-c:\windows\system32\drivers\cpuio.sys
2012-05-23 18:19 . 2000-01-01 00:00970752----a-w-c:\windows\system32\ismbun.exe
2012-05-23 18:19 . 2012-05-23 18:187680----a-w-c:\windows\system32\drivers\variable.sys
2012-05-23 18:18 . 2000-01-01 00:0022272----a-w-c:\windows\system32\drivers\intelsmb.sys
2012-05-23 18:11 . 2000-01-01 00:005982528----a-w-c:\windows\system32\nvcuda.dll
2012-05-23 18:11 . 2000-01-01 00:002524992----a-w-c:\windows\system32\nvcuvid.dll
2012-05-23 18:11 . 2000-01-01 00:002445120----a-w-c:\windows\system32\nvcuvenc.dll
2012-05-23 18:11 . 2000-01-01 00:0019607872----a-w-c:\windows\system32\nvoglv32.dll
2012-05-23 18:11 . 2000-01-01 00:0017551680----a-w-c:\windows\system32\nvcompiler.dll
2012-05-23 18:11 . 2000-01-01 00:0011354944----a-w-c:\windows\system32\drivers\nvlddmkm.sys
2012-05-23 17:53 . 2012-05-23 17:53--------d-----w-c:\windows\system32\RTCOM
2012-05-23 17:43 . 2012-05-24 01:5711232----a-w-c:\windows\system32\drivers\SWDUMon.sys
2012-05-23 17:43 . 2012-05-23 19:39--------d-----w-c:\users\NOOR\AppData\Local\SlimWare Utilities Inc
2012-05-23 17:43 . 2012-05-23 17:43--------d-----w-c:\program files\SlimDrivers
2012-05-23 15:21 . 2012-05-08 16:406737808----a-w-c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2012-05-22 20:21 . 2012-05-14 20:436737808----a-w-c:\programdata\Microsoft\Windows Defender\Definition Updates\{1CD05E98-61D5-404C-8CC3-2446DC22B29C}\mpengine.dll
2012-05-15 20:13 . 2012-05-15 20:13--------d-----w-c:\programdata\Yahoo!
2012-05-13 20:02 . 2012-05-24 01:12--------d-----w-c:\users\NOOR\AppData\Roaming\GarenaPlus
2012-05-13 20:02 . 2012-05-24 01:12--------d-----w-c:\programdata\GarenaMessenger
2012-05-12 19:52 . 2012-05-12 19:52--------d-----w-c:\users\NOOR\AppData\Roaming\Malwarebytes
2012-05-12 19:34 . 2012-05-12 19:34--------d-----w-c:\users\Administrator\AppData\Roaming\Malwarebytes
2012-05-12 19:33 . 2012-05-12 19:33--------d-----w-c:\programdata\Malwarebytes
2012-05-12 19:33 . 2012-05-12 19:33--------d-----w-c:\program files\Malwarebytes' Anti-Malware
2012-05-12 19:33 . 2012-04-04 10:5622344----a-w-c:\windows\system32\drivers\mbam.sys
2012-05-12 19:20 . 2012-05-12 19:20--------d-----w-c:\users\Administrator\AppData\Roaming\DAEMON Tools Lite
2012-05-12 16:29 . 2012-05-12 16:292560----a-w-c:\windows\_MSRSTRT.EXE
2012-05-12 00:28 . 2012-05-12 00:28242240----a-w-c:\windows\system32\drivers\dtsoftbus01.sys
2012-05-12 00:28 . 2012-05-12 00:28--------d-----w-c:\program files\DAEMON Tools Lite
2012-05-12 00:08 . 2012-03-30 10:231291632----a-w-c:\windows\system32\drivers\tcpip.sys
2012-05-12 00:08 . 2012-03-31 04:393968368----a-w-c:\windows\system32\ntkrnlpa.exe
2012-05-12 00:08 . 2012-03-31 04:393913072----a-w-c:\windows\system32\ntoskrnl.exe
2012-05-12 00:08 . 2012-03-31 02:362343424----a-w-c:\windows\system32\win32k.sys
2012-05-12 00:08 . 2012-03-17 07:2756176----a-w-c:\windows\system32\drivers\partmgr.sys
2012-05-12 00:08 . 2012-03-31 04:29936960----a-w-c:\program files\Common Files\Microsoft Shared\ink\journal.dll
2012-05-12 00:08 . 2012-03-31 04:301221632----a-w-c:\program files\Windows Journal\NBDoc.DLL
2012-05-12 00:08 . 2012-03-31 04:29989184----a-w-c:\program files\Windows Journal\JNTFiltr.dll
2012-05-12 00:08 . 2012-03-31 04:29969216----a-w-c:\program files\Windows Journal\JNWDRV.dll
2012-05-12 00:08 . 2012-03-03 05:311077248----a-w-c:\windows\system32\DWrite.dll
2012-05-09 23:53 . 2012-05-10 00:36--------d-----w-c:\program files\Common Files\Blizzard Entertainment
2012-05-07 16:09 . 2012-05-07 16:09--------d-----w-c:\program files\Common Files\xing shared
2012-05-03 20:45 . 2012-05-03 20:45--------d-----w-c:\users\NOOR\AppData\Roaming\Spearit
2012-05-03 20:45 . 2012-05-03 20:45--------d-----w-c:\users\Administrator\AppData\Roaming\Spearit
2012-05-03 20:45 . 2012-05-03 20:45--------d-----w-c:\programdata\Spearit
2012-05-03 20:45 . 2012-05-03 20:45--------d-----w-c:\programdata\Laplink
2012-05-01 09:47 . 2012-05-01 09:48--------d-----w-c:\program files\Futuremark
2012-05-01 09:28 . 2012-05-01 09:28--------d-----w-c:\users\NOOR\AppData\Local\WinZip
2012-05-01 09:28 . 2012-05-01 09:28--------d-----w-c:\users\NOOR\AppData\Local\CRE
2012-05-01 09:27 . 2012-05-01 09:27--------d-----w-c:\programdata\WinZip
2012-04-29 18:39 . 2012-04-29 18:39--------d-----w-c:\program files\Moozy
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-05-22 02:12 . 2012-02-12 11:11139128----a-w-c:\windows\system32\drivers\PnkBstrK.sys
2012-05-22 02:12 . 2012-02-12 11:11215128----a-w-c:\windows\system32\PnkBstrB.exe
2012-05-22 02:12 . 2011-10-12 20:20215128----a-w-c:\windows\system32\PnkBstrB.xtr
2012-05-15 09:28 . 2011-08-15 11:05645440----a-w-c:\windows\system32\nvvsvc.exe
2012-05-15 09:28 . 2011-08-15 11:0562272----a-w-c:\windows\system32\nvshext.dll
2012-05-15 09:28 . 2011-08-15 11:05108352----a-w-c:\windows\system32\nvmctray.dll
2012-05-15 09:28 . 2011-08-15 11:053931456----a-w-c:\windows\system32\nvcpl.dll
2012-05-15 09:27 . 2011-08-15 11:052759488----a-w-c:\windows\system32\nvsvc.dll
2012-05-10 19:01 . 2011-10-12 17:30737072----a-w-c:\programdata\Microsoft\eHome\Packages\SportsV2\SportsTemplateCore-2\Microsoft.MediaCenter.Sports.UI.dll
2012-05-10 19:01 . 2011-10-06 20:544283672----a-w-c:\programdata\Microsoft\eHome\Packages\MCEClientUX\UpdateableMarkup\markup.dll
2012-05-10 18:50 . 2011-10-06 20:5342776----a-w-c:\programdata\Microsoft\eHome\Packages\MCEClientUX\dSM\StartResources.dll
2012-05-10 18:50 . 2011-10-21 13:37539984----a-w-c:\programdata\Microsoft\eHome\Packages\MCESpotlight\MCESpotlight-2\SpotlightResources.dll
2012-05-07 16:14 . 2012-01-16 00:3770304----a-w-c:\windows\system32\FlashPlayerCPLApp.cpl
2012-05-07 16:14 . 2011-11-25 06:09426144----a-w-c:\windows\system32\FlashPlayerApp.exe
2012-05-07 16:08 . 2011-12-06 22:00499712----a-w-c:\windows\system32\msvcp71.dll
2012-05-07 16:08 . 2011-12-06 22:00348160----a-w-c:\windows\system32\msvcr71.dll
2012-04-28 09:26 . 2012-01-03 14:15772552----a-w-c:\windows\system32\npdeployJava1.dll
2012-04-28 09:26 . 2011-11-16 05:40687560----a-w-c:\windows\system32\deployJava1.dll
2012-04-21 19:00 . 2012-04-21 19:0084480----a-w-c:\windows\system32\EasyHook32.dll
2012-04-21 19:00 . 2012-04-21 19:00109216----a-w-c:\windows\system32\EasyHook64.dll
2012-03-20 15:44 . 2011-04-27 10:2574112----a-w-c:\windows\system32\drivers\NisDrvWFP.sys
2012-03-20 15:44 . 2011-04-18 08:18171064----a-w-c:\windows\system32\drivers\MpFilter.sys
2012-03-15 02:15 . 2012-03-15 02:18713784------w-c:\programdata\Microsoft\Microsoft Antimalware\Definition Updates\{8B2B242B-8636-40E4-BA33-D65F64FC52C0}\gapaengine.dll
2012-03-08 13:50 . 2012-03-08 13:5049016----a-w-c:\windows\system32\sirenacm.dll
2012-03-08 13:37 . 2012-03-08 13:37302448----a-w-c:\windows\WLXPGSS.SCR
2012-03-08 13:32 . 2012-03-23 12:0539272----a-w-c:\windows\system32\drivers\fssfltr.sys
2012-03-01 05:46 . 2012-04-13 00:2919824----a-w-c:\windows\system32\drivers\fs_rec.sys
2012-03-01 05:37 . 2012-04-13 00:29172544----a-w-c:\windows\system32\wintrust.dll
2012-03-01 05:33 . 2012-04-13 00:29159232----a-w-c:\windows\system32\imagehlp.dll
2012-03-01 05:29 . 2012-04-13 00:295120----a-w-c:\windows\system32\wmi.dll
2012-02-29 08:26 . 2012-02-29 08:26416064----a-w-c:\windows\system32\nvStreaming.exe
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{50fafaf0-70a9-419d-a109-fa4b4ffd4e37}"= "c:\program files\WinZipBar\prxtbWin0.dll" [2011-05-09 176936]
.
[HKEY_CLASSES_ROOT\clsid\{50fafaf0-70a9-419d-a109-fa4b4ffd4e37}]
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{30F9B915-B755-4826-820B-08FBA6BD249D}]
2011-03-28 16:22176936----a-w-c:\program files\ConduitEngine\prxConduitEngine.dll
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{50fafaf0-70a9-419d-a109-fa4b4ffd4e37}]
2011-05-09 08:49176936----a-w-c:\program files\WinZipBar\prxtbWin0.dll
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{bf7380fa-e3b4-4db2-af3e-9d8783a45bfc}]
2011-03-28 16:22176936----a-w-c:\program files\uTorrentBar\prxtbuTor.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{bf7380fa-e3b4-4db2-af3e-9d8783a45bfc}"= "c:\program files\uTorrentBar\prxtbuTor.dll" [2011-03-28 176936]
"{30F9B915-B755-4826-820B-08FBA6BD249D}"= "c:\program files\ConduitEngine\prxConduitEngine.dll" [2011-03-28 176936]
"{50fafaf0-70a9-419d-a109-fa4b4ffd4e37}"= "c:\program files\WinZipBar\prxtbWin0.dll" [2011-05-09 176936]
.
[HKEY_CLASSES_ROOT\clsid\{bf7380fa-e3b4-4db2-af3e-9d8783a45bfc}]
.
[HKEY_CLASSES_ROOT\clsid\{30f9b915-b755-4826-820b-08fba6bd249d}]
.
[HKEY_CLASSES_ROOT\clsid\{50fafaf0-70a9-419d-a109-fa4b4ffd4e37}]
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{50FAFAF0-70A9-419D-A109-FA4B4FFD4E37}"= "c:\program files\WinZipBar\prxtbWin0.dll" [2011-05-09 176936]
.
[HKEY_CLASSES_ROOT\clsid\{50fafaf0-70a9-419d-a109-fa4b4ffd4e37}]
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2011-08-15 39408]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2010-11-20 1174016]
"FileHippo.com"="c:\program files\FileHippo.com\UpdateChecker.exe" [2012-03-26 306688]
"uTorrent"="c:\program files\uTorrent\uTorrent.exe" [2012-05-18 893328]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2012-01-17 252296]
"RTHDVCPL"="c:\program files\Realtek\Audio\HDA\RtHDVCpl.exe" [2000-01-01 10967656]
"MSC"="c:\program files\Microsoft Security Client\msseces.exe" [2012-03-26 931200]
"ipTray.exe"="c:\program files\Intel\Intel Desktop Utilities\ipTray.exe" [2011-11-10 1632456]
"HP Software Update"="c:\program files\Hp\HP Software Update\HPWuSchd2.exe" [2011-05-09 49208]
"BCSSync"="c:\program files\Microsoft Office\Office14\BCSSync.exe" [2010-01-21 91520]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-03 843712]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Security PackagesREG_MULTI_SZ kerberos msv1_0 schannel wdigest tspkg pku2u livessp
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MsMpSvc]
@="Service"
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Browser companion helper]
2011-12-16 06:55187696----a-w-c:\program files\BrowserCompanion\BCHelper.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools Lite]
2012-04-17 15:193671872----a-w-c:\program files\DAEMON Tools Lite\DTLite.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Messenger (Yahoo!)]
2012-02-22 15:496591800----a-w-c:\progra~1\Yahoo!\Messenger\YahooMessenger.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
2012-05-07 16:08296056----a-w-c:\program files\Real\RealPlayer\Update\realsched.exe
.
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"FileHippo.com"="c:\program files\FileHippo.com\UpdateChecker.exe" /background
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"HP Software Update"=c:\program files\Hp\HP Software Update\HPWuSchd2.exe
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
"DivXUpdate"="c:\program files\DivX\DivX Update\DivXUpdate.exe" /CHECKNOW
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe"
"TkBellExe"="c:\program files\Real\RealPlayer\Update\realsched.exe" -osboot
.
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 gupdate;Google Update Service (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [2011-08-15 136176]
R2 Intel(R) Desktop Boards FSC Application Service;Intel(R) Desktop Boards FSC Application Service;c:\program files\Intel\FSC\FSCAppServ.exe [2011-11-10 61440]
R2 nvUpdatusService;NVIDIA Update Service Daemon;c:\program files\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe [2011-10-15 2253120]
R2 SkypeUpdate;Skype Updater;c:\program files\Skype\Updater\Updater.exe [2012-04-05 158856]
R3 AdobeFlashPlayerUpdateSvc;Adobe Flash Player Update Service;c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2012-05-07 257184]
R3 BBSvc;Bing Bar Update Service;c:\program files\Microsoft\BingBar\BBSvc.EXE [2011-04-01 183560]
R3 cpuz135;cpuz135;c:\users\NOOR\AppData\Local\Temp\cpuz135\cpuz135_x32.sys [x]
R3 Futuremark SystemInfo Service;Futuremark SystemInfo Service;c:\program files\Futuremark\Futuremark SystemInfo\FMSISvc.exe [2011-03-01 130976]
R3 GamesAppService;GamesAppService;c:\program files\WildTangent Games\App\GamesAppService.exe [2010-10-12 206072]
R3 GGSAFERDriver;GGSAFER Driver;c:\program files\Garena Plus\Room\safedrv.sys [x]
R3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [2011-08-15 136176]
R3 Microsoft SharePoint Workspace Audit Service;Microsoft SharePoint Workspace Audit Service;c:\program files\Microsoft Office\Office14\GROOVE.EXE [2010-01-21 30963576]
R3 NisDrv;Microsoft Network Inspection System;c:\windows\system32\DRIVERS\NisDrvWFP.sys [2012-03-20 74112]
R3 NisSrv;Microsoft Network Inspection;c:\program files\Microsoft Security Client\NisSrv.exe [2012-03-26 214952]
R3 NVHDA;Service for NVIDIA High Definition Audio Driver;c:\windows\system32\drivers\nvhda32v.sys [2012-01-17 148800]
R3 osppsvc;Office Software Protection Platform;c:\program files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [2010-01-09 4640000]
R3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;c:\windows\system32\drivers\rdpvideominiport.sys [2010-11-20 15872]
R3 SWDUMon;SWDUMon;c:\windows\system32\DRIVERS\SWDUMon.sys [2012-05-24 11232]
R3 Synth3dVsc;Synth3dVsc;c:\windows\system32\drivers\synth3dvsc.sys [x]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [2010-11-20 52224]
R3 tsusbhub;tsusbhub;c:\windows\system32\drivers\tsusbhub.sys [x]
R3 VGPU;VGPU;c:\windows\system32\drivers\rdvgkmd.sys [x]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [2011-08-15 1343400]
R4 wlcrasvc;Windows Live Mesh remote connections service;c:\program files\Windows Live\Mesh\wlcrasvc.exe [2010-09-22 51040]
S1 dtsoftbus01;DAEMON Tools Virtual Bus Driver;c:\windows\system32\DRIVERS\dtsoftbus01.sys [2012-05-12 242240]
S1 vwififlt;Virtual WiFi Filter Driver;c:\windows\system32\DRIVERS\vwififlt.sys [2009-07-13 48128]
S2 AdobeARMservice;Adobe Acrobat Update Service;c:\program files\Common Files\Adobe\ARM\1.0\armsvc.exe [2012-01-03 63928]
S2 IduService;Intel(R) Desktop Utilities Service;c:\program files\Intel\Intel Desktop Utilities\iduServ.exe [2011-11-10 124616]
S2 NitroReaderDriverReadSpool2;NitroPDFReaderDriverCreatorReadSpool2;c:\program files\Nitro PDF\Reader 2\NitroPDFReaderDriverService2.exe [2011-06-21 196912]
S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt86win7.sys [2011-11-23 491112]
.
.
Contents of the 'Scheduled Tasks' folder
.
2012-05-24 c:\windows\Tasks\Adobe Flash Player Updater.job
- c:\windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2011-11-25 16:14]
.
2012-05-24 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-08-15 15:43]
.
2012-05-24 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-08-15 15:43]
.
2012-05-24 c:\windows\Tasks\SlimDrivers Startup.job
- c:\program files\SlimDrivers\SlimDrivers.exe [2012-05-01 07:55]
.
.
------- Supplementary Scan -------
.
uStart Page =
mStart Page = hxxp://www.bigseekpro.com/cheatengine/{EDF53788-ACE8-4588-8686-B75F26FD4C7F}
TCP: DhcpNameServer = 192.168.2.1
Handler: base64 - {5ACE96C0-C70A-4A4D-AF14-2E7B869345E1} - c:\program files\BrowserCompanion\tdataprotocol.dll
Handler: chrome - {5ACE96C0-C70A-4A4D-AF14-2E7B869345E1} - c:\program files\BrowserCompanion\tdataprotocol.dll
Handler: prox - {5ACE96C0-C70A-4A4D-AF14-2E7B869345E1} - c:\program files\BrowserCompanion\tdataprotocol.dll
.
- - - - ORPHANS REMOVED - - - -
.
WebBrowser-{E7DF6BFF-55A5-4EB7-A673-4ED3E9456D39} - (no file)
AddRemove-AVG Secure Search - c:\program files\AVG Secure Search\UNINSTALL.exe
.
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-1654780193-2357526987-3854253030-1001\Software\SecuROM\License information*]
"datasecu"=hex:a0,0d,c7,c9,86,38,f8,9e,0e,82,26,95,e6,fb,58,49,bf,ba,fc,41,fa,
f9,d9,9d,54,e2,21,0c,20,e7,a1,b8,da,df,b8,f2,4e,45,81,2c,c5,45,8b,9d,39,3f,\
"rkeysecu"=hex:55,f9,78,e8,3f,f2,a0,72,dd,a6,1b,7f,7b,c1,30,4c
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
Completion time: 2012-05-24 07:16:14
ComboFix-quarantined-files.txt 2012-05-24 02:16
ComboFix2.txt 2012-05-23 14:58
.
Pre-Run: 108,281,257,984 bytes free
Post-Run: 108,220,452,864 bytes free
.
- - End Of File - - C592CE1CE6DCB18F219D0F7D43677ABB
 
Very well.
Post a new OTL log (same settings as in the second part of my reply #20).
 
OTL logfile created on: 24-May-12 7:30:31 AM - Run 4
OTL by OldTimer - Version 3.2.43.1 Folder = C:\Users\NOOR\Downloads
Ultimate Edition Service Pack 1 (Version = 6.1.7601) - Type = NTWorkstation
Internet Explorer (Version = 9.0.8112.16421)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: dd-MMM-yy

2.00 Gb Total Physical Memory | 0.99 Gb Available Physical Memory | 49.62% Memory free
3.99 Gb Paging File | 2.81 Gb Available in Paging File | 70.50% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 146.48 Gb Total Space | 100.87 Gb Free Space | 68.86% Space Free | Partition Type: NTFS
Drive D: | 146.48 Gb Total Space | 80.88 Gb Free Space | 55.21% Space Free | Partition Type: NTFS
Drive E: | 172.79 Gb Total Space | 57.19 Gb Free Space | 33.10% Space Free | Partition Type: NTFS

Computer Name: NOOR-PC | User Name: NOOR | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: Off | File Age = 30 Days

========== Custom Scans ==========

< MD5 for: MLANG.DLL >
[2008-01-19 12:34:49 | 000,187,904 | ---- | M] (Microsoft Corporation) MD5=3EB6D30D82F0E300FCFBAD0498F654FD -- C:\mlang.dll
[2008-01-19 12:34:49 | 000,187,904 | ---- | M] (Microsoft Corporation) MD5=3EB6D30D82F0E300FCFBAD0498F654FD -- C:\Users\Administrator\Downloads\mlang\mlang.dll
[2008-01-19 12:34:49 | 000,187,904 | ---- | M] (Microsoft Corporation) MD5=3EB6D30D82F0E300FCFBAD0498F654FD -- C:\Users\NOOR\Desktop\mlang\mlang.dll
[2008-01-19 12:34:49 | 000,187,904 | ---- | M] (Microsoft Corporation) MD5=3EB6D30D82F0E300FCFBAD0498F654FD -- C:\Windows\mlang.dll
[2008-01-19 12:34:49 | 000,187,904 | ---- | M] (Microsoft Corporation) MD5=3EB6D30D82F0E300FCFBAD0498F654FD -- C:\Windows\System32\mlang.dll
[2009-07-14 06:15:40 | 000,177,664 | ---- | M] () MD5=7E2FB1071CE770D72F22B4C5C9E661D6 -- C:\Windows\winsxs\x86_microsoft-windows-mlang_31bf3856ad364e35_6.1.7600.16385_none_56b5a19c4551e3b0\mlang.dll
< End of report >
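As an added example (not part of this thread, and not OTL's own code), a small Python parser for the "< MD5 for: ... >" report format above: it reads the run 3 and run 4 reports quoted in this thread and checks every copy of mlang.dll against the known-good C:\mlang.dll copy, the comparison Broni made by eye. The case-insensitive path matching and the "no company name" warning are this example's own assumptions.

```python
import re

# One OTL "< MD5 for: ... >" result line (copied from the logs in this thread):
# [2008-01-19 12:34:49 | 000,187,904 | ---- | M] (Microsoft Corporation) MD5=3EB6... -- C:\mlang.dll
OTL_LINE = re.compile(
    r"^\[(?P<mtime>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) \| (?P<size>[\d,]+) \| [^\]]*\] "
    r"\((?P<company>[^)]*)\) MD5=(?P<md5>[0-9A-Fa-f]{32}) -- (?P<path>.+)$"
)

# Sample input: the two OTL custom-scan reports quoted in this thread (run 3, run 4).
BEFORE_FIX = r"""
< MD5 for: MLANG.DLL >
[2008-01-19 12:34:49 | 000,187,904 | ---- | M] (Microsoft Corporation) MD5=3EB6D30D82F0E300FCFBAD0498F654FD -- C:\mlang.dll
[2008-01-19 12:34:49 | 000,187,904 | ---- | M] (Microsoft Corporation) MD5=3EB6D30D82F0E300FCFBAD0498F654FD -- C:\Users\Administrator\Downloads\mlang\mlang.dll
[2008-01-19 12:34:49 | 000,187,904 | ---- | M] (Microsoft Corporation) MD5=3EB6D30D82F0E300FCFBAD0498F654FD -- C:\Users\NOOR\Desktop\mlang\mlang.dll
[2008-01-19 12:34:49 | 000,187,904 | ---- | M] (Microsoft Corporation) MD5=3EB6D30D82F0E300FCFBAD0498F654FD -- C:\Windows\mlang.dll
[2009-07-14 06:15:40 | 000,177,664 | ---- | M] () MD5=7E2FB1071CE770D72F22B4C5C9E661D6 -- C:\Windows\System32\mlang.dll
[2009-07-14 06:15:40 | 000,177,664 | ---- | M] () MD5=7E2FB1071CE770D72F22B4C5C9E661D6 -- C:\Windows\winsxs\x86_microsoft-windows-mlang_31bf3856ad364e35_6.1.7600.16385_none_56b5a19c4551e3b0\mlang.dll
< End of report >
"""

AFTER_FIX = r"""
< MD5 for: MLANG.DLL >
[2008-01-19 12:34:49 | 000,187,904 | ---- | M] (Microsoft Corporation) MD5=3EB6D30D82F0E300FCFBAD0498F654FD -- C:\mlang.dll
[2008-01-19 12:34:49 | 000,187,904 | ---- | M] (Microsoft Corporation) MD5=3EB6D30D82F0E300FCFBAD0498F654FD -- C:\Users\Administrator\Downloads\mlang\mlang.dll
[2008-01-19 12:34:49 | 000,187,904 | ---- | M] (Microsoft Corporation) MD5=3EB6D30D82F0E300FCFBAD0498F654FD -- C:\Users\NOOR\Desktop\mlang\mlang.dll
[2008-01-19 12:34:49 | 000,187,904 | ---- | M] (Microsoft Corporation) MD5=3EB6D30D82F0E300FCFBAD0498F654FD -- C:\Windows\mlang.dll
[2008-01-19 12:34:49 | 000,187,904 | ---- | M] (Microsoft Corporation) MD5=3EB6D30D82F0E300FCFBAD0498F654FD -- C:\Windows\System32\mlang.dll
[2009-07-14 06:15:40 | 000,177,664 | ---- | M] () MD5=7E2FB1071CE770D72F22B4C5C9E661D6 -- C:\Windows\winsxs\x86_microsoft-windows-mlang_31bf3856ad364e35_6.1.7600.16385_none_56b5a19c4551e3b0\mlang.dll
< End of report >
"""


def parse_md5_report(text):
    """Return one dict per file line of an OTL MD5 custom scan; other lines are skipped."""
    entries = []
    for raw in text.splitlines():
        m = OTL_LINE.match(raw.strip())
        if m is None:
            continue
        e = m.groupdict()
        e["size"] = int(e["size"].replace(",", ""))
        e["md5"] = e["md5"].upper()
        e["path"] = e["path"].strip()
        entries.append(e)
    return entries


def compare_to_reference(entries, ref_path):
    """Map each listed path to True when its MD5 equals the reference copy's MD5.
    Paths are matched case-insensitively (assumption: Windows paths, mixed case in logs)."""
    by_path = {e["path"].lower(): e for e in entries}
    ref_md5 = by_path[ref_path.lower()]["md5"]
    return {e["path"]: e["md5"] == ref_md5 for e in entries}


def suspicious_copies(entries, ref_path):
    """Paths whose hash differs from the reference, or whose version resource has
    no company name (OTL prints '()' then). Treating a missing CompanyName as a
    warning sign is this example's heuristic, not something OTL reports itself."""
    ok = compare_to_reference(entries, ref_path)
    return sorted(e["path"] for e in entries
                  if not ok[e["path"]] or not e["company"].strip())


def system32_copy_matches(entries, ref_path=r"C:\mlang.dll",
                          target=r"C:\Windows\System32\mlang.dll"):
    """The check behind the CopyFile/FCopy steps in this thread: does the System32
    copy now hash the same as the known-good copy at the drive root?"""
    ok = compare_to_reference(entries, ref_path)
    for path, same in ok.items():
        if path.lower() == target.lower():
            return same
    return False  # target file not listed in the report at all


if __name__ == "__main__":
    for label, text in (("before", BEFORE_FIX), ("after", AFTER_FIX)):
        entries = parse_md5_report(text)
        print(label, "- System32 copy matches reference:", system32_copy_matches(entries))
        for p in suspicious_copies(entries, r"C:\mlang.dll"):
            print("    differs from reference / no company name:", p)
```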
 
Looks good.

Is the error gone?

Last scans...

1. Download Security Check from HERE, and save it to your Desktop.
  • Double-click SecurityCheck.exe
  • Follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.

    NOTE: SecurityCheck may produce some false warning(s), so leave the reading of the results to me.

2. Please download Farbar Service Scanner (FSS) and run it on the computer with the issue.
  • Make sure the following options are checked:
    • Internet Services
    • Windows Firewall
    • System Restore
    • Security Center
    • Windows Update
    • Windows Defender
  • Press "Scan".
  • It will create a log (FSS.txt) in the same directory the tool is run.
  • Please copy and paste the log to your reply.


3. Download Temp File Cleaner (TFC)
  • Double click on TFC.exe to run the program.
  • Click on Start button to begin cleaning process.
  • TFC will close all running programs, and it may ask you to restart your computer.


4. Please run a free online scan with the ESET Online Scanner

  • Disable your antivirus program
  • Tick the box next to YES, I accept the Terms of Use
  • Click Start
  • Accept any security warnings from your browser.
  • Check Scan archives
  • Click Start
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, click on List of found threats
  • Click on Export to text file , and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • NOTE: If ESET doesn't find any threats, it won't produce any log.
 
Yes! Finally! Thanks to you, brother.

Results of screen317's Security Check version 0.99.24
Windows 7 Service Pack 1 x86 (UAC is enabled)
Internet Explorer 9
``````````````````````````````
Antivirus/Firewall Check:

Windows Firewall Enabled!
Microsoft Security Essentials
[size=1]WMI entry may not exist for antivirus; attempting automatic update.[/size]
```````````````````````````````
Anti-malware/Other Utilities Check:

CCleaner
SlimCleaner
Java(TM) 6 Update 29
Java(TM) 7 Update 4
Out of date Java installed!
Adobe Reader X (10.1.3)
````````````````````````````````
Process Check:
objlist.exe by Laurent

Windows Defender MSMpEng.exe
``````````End of Log````````````
 
Farbar Service Scanner Version: 17-05-2012
Ran by NOOR (administrator) on 24-05-2012 at 07:44:19
Running from "C:\Users\NOOR\Desktop"
Microsoft Windows 7 Ultimate Service Pack 1 (X86)
Boot Mode: Normal
****************************************************************
Internet Services:
============
Connection Status:
==============
Localhost is accessible.
LAN connected.
Google IP is accessible.
Yahoo IP is accessible.
Windows Firewall:
=============
Firewall Disabled Policy:
==================
System Restore:
============
SDRSVC Service is not running. Checking service configuration:
The start type of SDRSVC service is OK.
The ImagePath of SDRSVC service is OK.
The ServiceDll of SDRSVC service is OK.
VSS Service is not running. Checking service configuration:
The start type of VSS service is OK.
The ImagePath of VSS service is OK.
System Restore Disabled Policy:
========================
Action Center:
============
Windows Update:
============
BITS Service is not running. Checking service configuration:
The start type of BITS service is OK.
The ImagePath of BITS service is OK.
The ServiceDll of BITS service is OK.
Windows Autoupdate Disabled Policy:
============================
Windows Defender:
==============
WinDefend Service is not running. Checking service configuration:
The start type of WinDefend service is OK.
The ImagePath of WinDefend service is OK.
The ServiceDll of WinDefend service is OK.
Windows Defender Disabled Policy:
==========================
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender]
"DisableAntiSpyware"=DWORD:1
RpcSs Service is not running. Checking service configuration:
The start type of RpcSs service is OK.
The ImagePath of RpcSs service is OK.
The ServiceDll of RpcSs service is OK.
File Check:
========
C:\Windows\system32\nsisvc.dll => MD5 is legit
C:\Windows\system32\Drivers\nsiproxy.sys => MD5 is legit
C:\Windows\system32\dhcpcore.dll => MD5 is legit
C:\Windows\system32\Drivers\afd.sys => MD5 is legit
C:\Windows\system32\Drivers\tdx.sys => MD5 is legit
C:\Windows\system32\Drivers\tcpip.sys => MD5 is legit
C:\Windows\system32\dnsrslvr.dll => MD5 is legit
C:\Windows\system32\mpssvc.dll => MD5 is legit
C:\Windows\system32\bfe.dll => MD5 is legit
C:\Windows\system32\Drivers\mpsdrv.sys => MD5 is legit
C:\Windows\system32\SDRSVC.dll => MD5 is legit
C:\Windows\system32\vssvc.exe => MD5 is legit
C:\Windows\system32\wscsvc.dll => MD5 is legit
C:\Windows\system32\wbem\WMIsvc.dll => MD5 is legit
C:\Windows\system32\wuaueng.dll => MD5 is legit
C:\Windows\system32\qmgr.dll => MD5 is legit
C:\Windows\system32\es.dll => MD5 is legit
C:\Windows\system32\cryptsvc.dll => MD5 is legit
C:\Program Files\Windows Defender\MpSvc.dll => MD5 is legit
C:\Windows\system32\svchost.exe => MD5 is legit
C:\Windows\system32\rpcss.dll => MD5 is legit
**** End of log ****
 
Broni, thanks a ton for the help, I really appreciate it! And can you give me any tips on how to prevent such errors or malware/viruses from infecting my system again in the future?
 
You'll find some tips below....

Your computer is clean

1. We need to reset System Restore to prevent your computer from being accidentally reinfected by using some old restore point(s). We'll create a fresh, clean restore point using the following OTL script:

Run OTL

  • Under the Custom Scans/Fixes box at the bottom, paste in the following:

Code:
:OTL
:Commands
[purity]
[emptytemp]
[EMPTYFLASH]
[emptyjava]
[CLEARALLRESTOREPOINTS]
[Reboot]

  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot the PC when it is done
  • Post resulting log.

2. Now we'll remove all the tools we used during our cleaning process.

Clean up with OTL:

  • Double-click OTL.exe to start the program.
  • Close all other programs apart from OTL as this step will require a reboot
  • On the OTL main screen, press the CLEANUP button
  • Say Yes to the prompt and then allow the program to reboot your computer.

If you still have any tools or logs leftover on your computer you can go ahead and delete those off of your computer now.

3. Make sure Windows Updates are current.

4. If any Trojan was listed among your infection(s), make sure you change all of your important on-line passwords (bank account(s), secured web sites, etc.) immediately!

5. Download, and install WOT (Web OF Trust): http://www.mywot.com/. It'll warn you (in most cases) about dangerous web sites.

6. Run a Malwarebytes "Quick scan" once in a while to ensure the safety of your computer.

7. Run Temporary File Cleaner (TFC) weekly.

8. Download and install Secunia Personal Software Inspector (PSI): https://www.techspot.com/downloads/4898-secunia-personal-software-inspector-psi.html. The Secunia PSI is a FREE security tool designed to detect vulnerable and outdated programs and plug-ins which expose your PC to attacks. Run it weekly.

9. (optional) If you want to keep all your programs up to date, download and install FileHippo Update Checker.
The Update Checker will scan your computer for installed software, check the versions and then send this information to FileHippo.com to see if there are any newer releases.

10. (Windows XP only) Run defrag at your convenience.

11. When installing/updating ANY program, make sure you always select the "Custom" installation, so you can UN-check any possible "drive-by-install" (foistware), like toolbars etc., which may try to install along with the legitimate program. Do NOT click the "Next" button without looking at any given page.

12. Read How did I get infected?, With steps so it does not happen again!: http://www.bleepingcomputer.com/forums/topic2520.html

13. Please let me know how your computer is doing.
 
All processes killed
========== OTL ==========
========== COMMANDS ==========

[EMPTYTEMP]

User: Administrator
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Java cache emptied: 0 bytes
->Google Chrome cache emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: All Users

User: Default
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: NOOR
->Temp folder emptied: 116390 bytes
->Temporary Internet Files folder emptied: 53823 bytes
->Java cache emptied: 0 bytes
->Google Chrome cache emptied: 12506401 bytes
->Flash cache emptied: 607 bytes

User: Public
->Temp folder emptied: 0 bytes

User: UpdatusUser
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Flash cache emptied: 0 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 7892 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 0 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 12.00 mb


[EMPTYFLASH]

User: Administrator
->Flash cache emptied: 0 bytes

User: All Users

User: Default
->Flash cache emptied: 0 bytes

User: Default User
->Flash cache emptied: 0 bytes

User: NOOR
->Flash cache emptied: 0 bytes

User: Public

User: UpdatusUser
->Flash cache emptied: 0 bytes

Total Flash Files Cleaned = 0.00 mb


[EMPTYJAVA]

User: Administrator
->Java cache emptied: 0 bytes

User: All Users

User: Default

User: Default User

User: NOOR
->Java cache emptied: 0 bytes

User: Public

User: UpdatusUser

Total Java Files Cleaned = 0.00 mb

Restore point Set: OTL Restore Point

OTL by OldTimer - Version 3.2.43.1 log created on 05242012_102537

Files\Folders moved on Reboot...
File\Folder C:\Users\NOOR\AppData\Local\Temp\etilqs_88eDwiVcRoobNkI not found!
File\Folder C:\Users\NOOR\AppData\Local\Temp\etilqs_FfuIYlXWv0k6cUF not found!
File\Folder C:\Users\NOOR\AppData\Local\Temp\etilqs_N4n8huPi3kbF3u3 not found!
File\Folder C:\Users\NOOR\AppData\Local\Temp\etilqs_PuqmWMBVxr10eKq not found!

Registry entries deleted on Reboot...
 
You are a real life saver, Broni! My computer is doing great thanks to you. One other thing I wanted to share with you was that whenever I try to update my graphics card (Nvidia GeForce) from the Nvidia control panel, it always gives me an error saying "Microsoft Visual C++ Runtime Library". I wonder what that means. Although I can update it manually from the website, even then the update tool does not install. Got any ideas?
 