TechSpot

"Bad image" Windows box says - the application or dll is not a valid windows image

By snowscreen
Dec 3, 2010
  1. Hi,
    Problem has just come on today out of nowhere...
    It's an old HP desktop PC, 1 GB RAM, Windows XP SP2.

    AVG doesn't find anything and Malwarebytes only found a little adware.

    It's my other half's parents' PC; they have been away, so I've been using it to check his emails/run his business. PC was fine yesterday, but on turning it on today I was greeted by the dialog box saying "the application or dll is not a valid windows image. please check this against your installation diskette".

    This happens with each program I open. It happens on the Windows start-up screen a couple of times when selecting which user to log in as, then comes up a lot when the PC has started up.

    I've noticed in msconfig that there are 2 odd-looking entries. If I uncheck them and restart, when I go back into msconfig they are back again and checked.

    'Start Item' and 'Command' heading = load of oriental characters
    (2 lines with 2 squares, 2 lines with 6 squares; Start + Command are the same on each line)
    Under 'Location' heading:
    HKCU\SOFTWARE\MICROSOFT\Windows NT\CurrentVersion\Windows:Run
    HKCU\SOFTWARE\MICROSOFT\Windows NT\CurrentVersion\Windows:Load

    I've followed the 8-step removal guidelines, so please could someone view my logs below; it would be greatly appreciated.





    *****

    MalwareBytes Log:

    Malwarebytes' Anti-Malware 1.50
    www.malwarebytes.org

    Database version: 5214

    Windows 5.1.2600 Service Pack 2
    Internet Explorer 8.0.6001.18702

    03/12/2010 23:10:14
    mbam-log-2010-12-03 (23-10-14).txt

    Scan type: Quick scan
    Objects scanned: 176282
    Time elapsed: 2 hour(s), 6 minute(s), 56 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 18
    Files Infected: 34

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    (No malicious items detected)

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    c:\documents and settings\Nicola\application data\starware368 (Adware.Starware) -> Quarantined and deleted successfully.
    c:\documents and settings\Nicola\application data\starware368\browsersearch (Adware.Starware) -> Quarantined and deleted successfully.
    c:\documents and settings\Nicola\application data\starware368\Button_6 (Adware.Starware) -> Quarantined and deleted successfully.
    c:\documents and settings\Nicola\application data\starware368\Button_7 (Adware.Starware) -> Quarantined and deleted successfully.
    c:\documents and settings\Nicola\application data\starware368\Button_8 (Adware.Starware) -> Quarantined and deleted successfully.
    c:\documents and settings\Nicola\application data\starware368\configurator (Adware.Starware) -> Quarantined and deleted successfully.
    c:\documents and settings\Nicola\application data\starware368\Download (Adware.Starware) -> Quarantined and deleted successfully.
    c:\documents and settings\Nicola\application data\starware368\errorsearch (Adware.Starware) -> Quarantined and deleted successfully.
    c:\documents and settings\Nicola\application data\starware368\Layouts (Adware.Starware) -> Quarantined and deleted successfully.
    c:\documents and settings\Nicola\application data\starware368\Lyrics (Adware.Starware) -> Quarantined and deleted successfully.
    c:\documents and settings\Nicola\application data\starware368\Manager (Adware.Starware) -> Quarantined and deleted successfully.
    c:\documents and settings\Nicola\application data\starware368\music_search (Adware.Starware) -> Quarantined and deleted successfully.
    c:\documents and settings\Nicola\application data\starware368\Radio_UK (Adware.Starware) -> Quarantined and deleted successfully.
    c:\documents and settings\Nicola\application data\starware368\relatedsearch (Adware.Starware) -> Quarantined and deleted successfully.
    c:\documents and settings\Nicola\application data\starware368\Toolbar (Adware.Starware) -> Quarantined and deleted successfully.
    c:\documents and settings\Nicola\application data\starware368\toolbarlogo (Adware.Starware) -> Quarantined and deleted successfully.
    c:\documents and settings\Nicola\application data\starware368\toolbarsearch (Adware.Starware) -> Quarantined and deleted successfully.
    c:\documents and settings\Nicola\application data\starware368\travelsearch (Adware.Starware) -> Quarantined and deleted successfully.

    Files Infected:
    c:\documents and settings\Nicola\application data\starware368\browsersearch\browsersearch.xml (Adware.Starware) -> Quarantined and deleted successfully.
    c:\documents and settings\Nicola\application data\starware368\browsersearch\browsersearch.xml.backup (Adware.Starware) -> Quarantined and deleted successfully.
    c:\documents and settings\Nicola\application data\starware368\Button_6\button_6options.xml (Adware.Starware) -> Quarantined and deleted successfully.
    c:\documents and settings\Nicola\application data\starware368\Button_6\button_6options.xml.backup (Adware.Starware) -> Quarantined and deleted successfully.
    c:\documents and settings\Nicola\application data\starware368\Button_7\button_7options.xml (Adware.Starware) -> Quarantined and deleted successfully.
    c:\documents and settings\Nicola\application data\starware368\Button_7\button_7options.xml.backup (Adware.Starware) -> Quarantined and deleted successfully.
    c:\documents and settings\Nicola\application data\starware368\Button_8\button_8options.xml (Adware.Starware) -> Quarantined and deleted successfully.
    c:\documents and settings\Nicola\application data\starware368\Button_8\button_8options.xml.backup (Adware.Starware) -> Quarantined and deleted successfully.
    c:\documents and settings\Nicola\application data\starware368\configurator\configurator.xml (Adware.Starware) -> Quarantined and deleted successfully.
    c:\documents and settings\Nicola\application data\starware368\configurator\configurator.xml.backup (Adware.Starware) -> Quarantined and deleted successfully.
    c:\documents and settings\Nicola\application data\starware368\Download\downloadoptions.xml (Adware.Starware) -> Quarantined and deleted successfully.
    c:\documents and settings\Nicola\application data\starware368\Download\downloadoptions.xml.backup (Adware.Starware) -> Quarantined and deleted successfully.
    c:\documents and settings\Nicola\application data\starware368\errorsearch\errorsearchoptions.xml (Adware.Starware) -> Quarantined and deleted successfully.
    c:\documents and settings\Nicola\application data\starware368\errorsearch\errorsearchoptions.xml.backup (Adware.Starware) -> Quarantined and deleted successfully.
    c:\documents and settings\Nicola\application data\starware368\Layouts\toolbarlayout.xml (Adware.Starware) -> Quarantined and deleted successfully.
    c:\documents and settings\Nicola\application data\starware368\Layouts\toolbarlayout.xml.backup (Adware.Starware) -> Quarantined and deleted successfully.
    c:\documents and settings\Nicola\application data\starware368\Lyrics\lyricsoptions.xml (Adware.Starware) -> Quarantined and deleted successfully.
    c:\documents and settings\Nicola\application data\starware368\Lyrics\lyricsoptions.xml.backup (Adware.Starware) -> Quarantined and deleted successfully.
    c:\documents and settings\Nicola\application data\starware368\Manager\manageroptions.xml (Adware.Starware) -> Quarantined and deleted successfully.
    c:\documents and settings\Nicola\application data\starware368\Manager\manageroptions.xml.backup (Adware.Starware) -> Quarantined and deleted successfully.
    c:\documents and settings\Nicola\application data\starware368\music_search\music_searchoptions.xml (Adware.Starware) -> Quarantined and deleted successfully.
    c:\documents and settings\Nicola\application data\starware368\music_search\music_searchoptions.xml.backup (Adware.Starware) -> Quarantined and deleted successfully.
    c:\documents and settings\Nicola\application data\starware368\Radio_UK\radio_ukoptions.xml (Adware.Starware) -> Quarantined and deleted successfully.
    c:\documents and settings\Nicola\application data\starware368\Radio_UK\radio_ukoptions.xml.backup (Adware.Starware) -> Quarantined and deleted successfully.
    c:\documents and settings\Nicola\application data\starware368\relatedsearch\relatedsearchoptions.xml (Adware.Starware) -> Quarantined and deleted successfully.
    c:\documents and settings\Nicola\application data\starware368\relatedsearch\relatedsearchoptions.xml.backup (Adware.Starware) -> Quarantined and deleted successfully.
    c:\documents and settings\Nicola\application data\starware368\Toolbar\tbproductsoptions.xml (Adware.Starware) -> Quarantined and deleted successfully.
    c:\documents and settings\Nicola\application data\starware368\Toolbar\tbproductsoptions.xml.backup (Adware.Starware) -> Quarantined and deleted successfully.
    c:\documents and settings\Nicola\application data\starware368\toolbarlogo\toolbarlogooptions.xml (Adware.Starware) -> Quarantined and deleted successfully.
    c:\documents and settings\Nicola\application data\starware368\toolbarlogo\toolbarlogooptions.xml.backup (Adware.Starware) -> Quarantined and deleted successfully.
    c:\documents and settings\Nicola\application data\starware368\toolbarsearch\toolbarsearchoptions.xml (Adware.Starware) -> Quarantined and deleted successfully.
    c:\documents and settings\Nicola\application data\starware368\toolbarsearch\toolbarsearchoptions.xml.backup (Adware.Starware) -> Quarantined and deleted successfully.
    c:\documents and settings\Nicola\application data\starware368\travelsearch\travelsearchoptions.xml (Adware.Starware) -> Quarantined and deleted successfully.
    c:\documents and settings\Nicola\application data\starware368\travelsearch\travelsearchoptions.xml.backup (Adware.Starware) -> Quarantined and deleted successfully.



    GMER LOG *******


    GMER 1.0.15.15530 - http://www.gmer.net
    Rootkit quick scan 2010-12-04 00:20:19
    Windows 5.1.2600 Service Pack 2 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3 ST380011A rev.3.08
    Running: GMER.exe; Driver: C:\DOCUME~1\Keith\LOCALS~1\Temp\pwdyypob.sys


    ---- Devices - GMER 1.0.15 ----

    AttachedDevice \FileSystem\Ntfs \Ntfs AVGIDSFilter.Sys (IDS Application Activity Monitor Filter Driver./AVG Technologies CZ, s.r.o. )
    AttachedDevice \FileSystem\Fastfat \Fat fltMgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
    AttachedDevice \FileSystem\Fastfat \Fat AVGIDSFilter.Sys (IDS Application Activity Monitor Filter Driver./AVG Technologies CZ, s.r.o. )
    AttachedDevice \Driver\Tcpip \Device\Ip avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
    AttachedDevice \Driver\Tcpip \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
    AttachedDevice \Driver\Tcpip \Device\Udp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
    AttachedDevice \Driver\Tcpip \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)

    ---- EOF - GMER 1.0.15 ----






    ****
    DDS.txt

    DDS (Ver_10-11-27.01) - NTFSx86
    Run by Keith at 0:22:57.81 on 04/12/2010
    Internet Explorer: 8.0.6001.18702
    Microsoft Windows XP Professional 5.1.2600.2.1252.44.1033.18.1015.361 [GMT 0:00]

    AV: AVG Anti-Virus Free Edition 2011 *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

    ============== Running Processes ===============

    C:\WINDOWS\system32\svchost -k DcomLaunch
    svchost.exe
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    svchost.exe
    svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    svchost.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    C:\Program Files\AVG\AVG10\avgwdsvc.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    svchost.exe
    C:\WINDOWS\system32\CTsvcCDA.EXE
    C:\Program Files\Common Files\Motive\McciCMService.exe
    C:\WINDOWS\system32\svchost.exe -k imgsvc
    C:\Program Files\TomTom HOME 2\TomTomHOMEService.exe
    C:\Program Files\Yahoo!\SoftwareUpdate\YahooAUService.exe
    C:\Program Files\AVG\AVG PC Tuneup 2011\BoostSpeed.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\System32\svchost.exe -k HTTPFilter
    C:\Program Files\Microsoft IntelliPoint\ipoint.exe
    C:\WINDOWS\C0130Mon.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\Program Files\BT Broadband Desktop Help\btbb\BTHelpNotifier.exe
    C:\Program Files\AVG\AVG10\avgtray.exe
    C:\Program Files\Creative\Creative Live! Cam\Live! Cam Manager\CTLCMgr.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Skype\Phone\Skype.exe
    C:\Program Files\Microsoft IntelliPoint\dpupdchk.exe
    C:\Program Files\Microsoft ActiveSync\wcescomm.exe
    C:\Program Files\WinZip\WZQKPICK.EXE
    C:\Program Files\AVG\AVG10\Identity Protection\agent\bin\avgidsmonitor.exe
    C:\PROGRA~1\MICROS~3\rapimgr.exe
    C:\Program Files\Skype\Plugin Manager\skypePM.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Documents and Settings\Keith\Desktop\dds.scr

    ============== Pseudo HJT Report ===============

    uSearch Page =
    uStart Page = bt.yahoo.com
    uWindow Title = Windows Internet Explorer provided by Yahoo!
    uDefault_Page_URL = hxxp://uk.yahoo.com/?fr=fp-yie8
    mSearch Bar = hxxp://uk.red.clientapps.yahoo.com/customize/btyahoo/defaults/sb/*http://uk.docs.yahoo.com/info/bt_side.html
    uSearchAssistant =
    mSearchAssistant =
    uURLSearchHooks: H - No File
    uURLSearchHooks: BT Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn5\yt.dll
    mURLSearchHooks: BT Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn5\yt.dll
    mURLSearchHooks: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg10\toolbar\IEToolbar.dll
    uWindows: load=U??
    ?, ?
    uWindows: Run=U??
    ?, ?
    BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn5\yt.dll
    BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg10\avgssie.dll
    BHO: Yahoo! IE Services Button: {5bab4b5b-68bc-4b02-94d6-2fc0de4a7897} - c:\progra~1\yahoo!\common\yiesrvc.dll
    BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_01\bin\ssv.dll
    BHO: {96fd54c8-037e-4586-a8ff-3e71cb1e3800} - No File
    BHO: AVG Security Toolbar BHO: {a3bc75a2-1f87-4686-aa43-5347d756017c} - c:\program files\avg\avg10\toolbar\IEToolbar.dll
    BHO: {D3CD283D-58AA-4FD8-93C9-BDEB288398EE} - No File
    BHO: SidebarAutoLaunch Class: {f2aa9440-6328-4933-b7c9-a6ccdf9cbf6d} - c:\program files\yahoo!\browser\YSidebarIEBHO.dll
    BHO: SingleInstance Class: {fdad4da1-61a2-4fd8-9c17-86f7ac245081} - c:\program files\yahoo!\companion\installs\cpn5\YTSingleInstance.dll
    TB: BT Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn5\yt.dll
    TB: AVG Security Toolbar: {ccc7a320-b3ca-4199-b1a6-9f516dd69829} - c:\program files\avg\avg10\toolbar\IEToolbar.dll
    TB: {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - No File
    TB: {A057A204-BACC-4D26-9990-79A187E2698E} - No File
    EB: {2D51D869-C36B-42BD-AE68-0A81BC771FA5} - No File
    EB: BT Yahoo! Sidebar: {51085e3d-a958-42a2-a6be-a6a9b0baf276} - c:\program files\yahoo!\browser\ysidebarIE.dll
    uRun: [Creative Live! Cam Manager] "c:\program files\creative\creative live! cam\live! cam manager\CTLCMgr.exe"
    uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
    uRun: [Skype] "c:\program files\skype\phone\Skype.exe" /nosplash /minimized
    uRun: [H/PC Connection Agent] "c:\program files\microsoft activesync\wcescomm.exe"
    mRun: [IntelliPoint] "c:\program files\microsoft intellipoint\ipoint.exe"
    mRun: [C0130Mon.exe] c:\windows\C0130Mon.exe
    mRun: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
    mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\AppleSyncNotifier.exe
    mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
    mRun: [btbb_McciTrayApp] "c:\program files\bt broadband desktop help\btbb\BTHelpNotifier.exe"
    mRun: [AVG_TRAY] c:\program files\avg\avg10\avgtray.exe
    mRun: [MSConfig] c:\windows\pchealth\helpctr\binaries\MSConfig.exe /auto
    dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
    dRun: [Picasa Media Detector] c:\program files\picasa2\PicasaMediaDetector.exe
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\winzip~1.lnk - c:\program files\winzip\WZQKPICK.EXE
    IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
    IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
    IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_01\bin\ssv.dll
    IE: {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\micros~3\INetRepl.dll
    IE: {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\micros~3\INetRepl.dll
    IE: {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - c:\progra~1\yahoo!\common\yiesrvc.dll
    IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
    DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
    DPF: RaptisoftGameLoader - hxxp://www.miniclip.com/haphazard/raptisoftgameloader.cab
    DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} - hxxp://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
    DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\Yinsthelper.dll
    DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} - hxxp://niknak694.spaces.msn.com//PhotoUpload/MsnPUpld.cab
    DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} - hxxp://upload.facebook.com/controls/FacebookPhotoUploader.cab
    DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1129224412609
    DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
    DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} - hxxp://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
    DPF: {CAFEEFAC-0015-0000-0009-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_09-windows-i586.cab
    DPF: {CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_11-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
    DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
    DPF: {D6E7CFB5-C074-4D1C-B647-663D1A8D96BF} - hxxp://upload.facebook.com/controls/FacebookPhotoUploader4_5.cab
    DPF: {DC75FEF6-165D-4D25-A518-C8C4BDA7BAA6} - hxxp://msnuk.oberon-media.com/online2/MSN_INTL_UK/diner_dash/DinerDash.1.0.0.80.cab
    DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} - hxxp://www.creative.com/softwareupdate/su2/ocx/15035/CTPID.cab
    Handler: avgsecuritytoolbar - {F2DDE6B2-9684-4A55-86D4-E255E237B77C} - c:\program files\avg\avg10\toolbar\IEToolbar.dll
    Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg10\avgpp.dll
    Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
    Notify: geBrppNg - geBrppNg.dll
    Notify: GoToAssist - c:\program files\citrix\gotoassist\570\G2AWinLogon.dll
    Notify: igfxcui - igfxdev.dll
    AppInit_DLLs: suvauk.dll
    SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
    LSA: Authentication Packages = msv1_0 c:\windows\system32\nnnlkIby
    mASetup: {A509B1FF-37FF-4bFF-8CFF-4F3A747040FF} - c:\windows\system32\rundll32.exe c:\windows\system32\advpack.dll,launchinfsectionex c:\program files\internet explorer\clrtour.inf,DefaultInstall.ResetTour,,12

    ============= SERVICES / DRIVERS ===============

    R0 AVGIDSEH;AVGIDSEH;c:\windows\system32\drivers\AVGIDSEH.sys [2010-9-13 25680]
    R0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\drivers\avgrkx86.sys [2010-9-7 26064]
    R1 Avgldx86;AVG AVI Loader Driver;c:\windows\system32\drivers\avgldx86.sys [2010-9-7 249424]
    R1 Avgmfx86;AVG Mini-Filter Resident Anti-Virus Shield;c:\windows\system32\drivers\avgmfx86.sys [2010-9-7 34384]
    R1 Avgtdix;AVG TDI Driver;c:\windows\system32\drivers\avgtdix.sys [2010-9-7 299984]
    R2 avgwd;AVG WatchDog;c:\program files\avg\avg10\avgwdsvc.exe [2010-10-22 265400]
    R2 TomTomHOMEService;TomTomHOMEService;c:\program files\tomtom home 2\TomTomHOMEService.exe [2010-5-7 92008]
    R3 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\drivers\AVGIDSDriver.sys [2010-8-19 123472]
    R3 AVGIDSFilter;AVGIDSFilter;c:\windows\system32\drivers\AVGIDSFilter.sys [2010-8-19 30288]
    R3 AVGIDSShim;AVGIDSShim;c:\windows\system32\drivers\AVGIDSShim.sys [2010-8-19 26192]
    R3 Bonifay;Bonifay;c:\windows\system32\drivers\Bonifay.sys [2007-5-13 12160]
    R3 RLDesignVirtualAudioCableWdm;Live! Cam Virtual;c:\windows\system32\drivers\livecamv.sys [2008-5-20 31616]
    R3 VC0130Afx;VC130 Audio FX;c:\windows\system32\drivers\C0130Afx.sys [2008-5-20 142656]
    R3 VC0130Aud;VC0130 Audio;c:\windows\system32\drivers\C0130Aud.sys [2008-5-20 94976]
    R3 VC0130Dev;Live! Cam Notebook Ultra;c:\windows\system32\drivers\C0130Vid.sys [2008-5-20 690528]
    R3 VC0130Vfx;VC0130 Video FX;c:\windows\system32\drivers\C0130Vfx.sys [2008-5-20 6912]
    S2 AVGIDSAgent;AVGIDSAgent;c:\program files\avg\avg10\identity protection\agent\bin\AVGIDSAgent.exe [2010-11-10 6127184]
    S2 gupdate;Google Update Service (gupdate);c:\program files\google\update\GoogleUpdate.exe [2010-8-8 136176]
    S3 AVG Security Toolbar Service;AVG Security Toolbar Service;c:\program files\avg\avg10\toolbar\ToolbarBroker.exe [2010-10-20 517448]
    S3 Gonzales;Gonzales;c:\windows\system32\drivers\Gonzales.sys [2007-5-13 7040]

    =============== Created Last 30 ================

    2010-12-03 20:27:05 -------- d-----w- c:\docume~1\alluse~1\applic~1\UAB
    2010-12-03 20:26:50 -------- d-----w- c:\docume~1\keith\locals~1\applic~1\PC_Drivers_Headquarters
    2010-12-03 20:26:12 -------- d-----w- c:\docume~1\alluse~1\applic~1\Driver Mender
    2010-12-03 20:22:12 -------- d-----w- c:\program files\Driver Mender
    2010-12-03 18:08:08 20 ----a-w- c:\windows\system32\SUVAUK.DLL

    ==================== Find3M ====================


    ============= FINISH: 0:24:45.75 ===============





    ***
    attach.txt


    UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
    IF REQUESTED, ZIP IT UP & ATTACH IT

    DDS (Ver_10-11-27.01)

    Microsoft Windows XP Professional
    Boot Device: \Device\HarddiskVolume1
    Install Date: 09/10/2005 19:43:38
    System Uptime: 12/04/2010 00:14:36 (5664 hours ago)

    Motherboard: | | P4i65G
    Processor: Intel(R) Pentium(R) 4 CPU 3.00GHz | mPGA478 | 2999/200mhz
    Processor: Intel(R) Pentium(R) 4 CPU 3.00GHz | mPGA478 | 2999/200mhz

    ==== Disk Partitions =========================

    A: is Removable
    C: is FIXED (NTFS) - 75 GiB total, 50.298 GiB free.
    D: is CDROM ()

    ==== Disabled Device Manager Items =============

    ==== System Restore Points ===================

    RP1308: 06/09/2010 07:23:01 - System Checkpoint
    RP1309: 07/09/2010 08:37:30 - System Checkpoint
    RP1310: 08/09/2010 08:39:37 - System Checkpoint
    RP1311: 09/09/2010 08:56:39 - Avg Update
    RP1312: 10/09/2010 10:42:43 - System Checkpoint
    RP1313: 13/09/2010 11:24:29 - System Checkpoint
    RP1314: 14/09/2010 12:04:46 - System Checkpoint
    RP1315: 15/09/2010 12:51:18 - System Checkpoint
    RP1316: 15/09/2010 20:50:14 - Software Distribution Service 3.0
    RP1317: 17/09/2010 07:35:33 - System Checkpoint
    RP1318: 18/09/2010 17:18:51 - System Checkpoint
    RP1319: 19/09/2010 18:14:00 - System Checkpoint
    RP1320: 21/09/2010 08:33:07 - System Checkpoint
    RP1321: 22/09/2010 16:33:37 - System Checkpoint
    RP1322: 23/09/2010 11:39:55 - Avg Update
    RP1323: 23/09/2010 11:42:06 - Avg Update
    RP1324: 24/09/2010 12:04:16 - System Checkpoint
    RP1325: 29/09/2010 10:53:20 - System Checkpoint
    RP1326: 30/09/2010 12:04:10 - System Checkpoint
    RP1327: 01/10/2010 17:41:22 - System Checkpoint
    RP1328: 03/10/2010 15:02:23 - System Checkpoint
    RP1329: 04/10/2010 15:20:30 - System Checkpoint
    RP1330: 05/10/2010 08:14:25 - Avg Update
    RP1331: 06/10/2010 09:51:16 - System Checkpoint
    RP1332: 07/10/2010 16:57:05 - System Checkpoint
    RP1333: 08/10/2010 16:59:55 - System Checkpoint
    RP1334: 10/10/2010 09:35:18 - System Checkpoint
    RP1335: 11/10/2010 10:01:59 - System Checkpoint
    RP1336: 12/10/2010 12:19:16 - System Checkpoint
    RP1337: 13/10/2010 13:34:46 - System Checkpoint
    RP1338: 14/10/2010 10:26:21 - Software Distribution Service 3.0
    RP1339: 17/10/2010 13:30:21 - System Checkpoint
    RP1340: 18/10/2010 18:23:48 - System Checkpoint
    RP1341: 20/10/2010 08:27:23 - System Checkpoint
    RP1342: 20/10/2010 09:58:10 - Installed Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
    RP1343: 20/10/2010 09:59:33 - Installed AVG 2011
    RP1344: 20/10/2010 10:04:02 - Removed AVG 2011
    RP1345: 20/10/2010 10:09:32 - Removed AVG Free 9.0
    RP1346: 20/10/2010 11:02:07 - Installed AVG Free 9.0
    RP1347: 20/10/2010 11:29:35 - Installed AVG 2011
    RP1348: 20/10/2010 11:31:30 - Installed AVG 2011
    RP1349: 25/10/2010 07:51:50 - System Checkpoint
    RP1350: 26/10/2010 10:47:43 - System Checkpoint
    RP1351: 27/10/2010 13:16:30 - System Checkpoint
    RP1352: 28/10/2010 13:39:15 - System Checkpoint
    RP1353: 31/10/2010 08:53:08 - System Checkpoint
    RP1354: 01/11/2010 11:38:03 - System Checkpoint
    RP1355: 03/11/2010 07:36:29 - System Checkpoint
    RP1356: 04/11/2010 13:07:19 - System Checkpoint
    RP1357: 05/11/2010 13:39:17 - System Checkpoint
    RP1358: 09/11/2010 19:04:31 - System Checkpoint
    RP1359: 10/11/2010 08:40:33 - Software Distribution Service 3.0
    RP1360: 12/11/2010 14:00:01 - System Checkpoint
    RP1361: 17/11/2010 21:14:33 - System Checkpoint
    RP1362: 19/11/2010 18:08:39 - System Checkpoint
    RP1363: 21/11/2010 12:46:57 - System Checkpoint
    RP1364: 23/11/2010 19:04:38 - System Checkpoint
    RP1365: 24/11/2010 19:06:10 - System Checkpoint
    RP1366: 28/11/2010 15:46:38 - System Checkpoint
    RP1367: 29/11/2010 18:08:40 - System Checkpoint
    RP1368: 30/11/2010 18:55:05 - System Checkpoint
    RP1369: 01/12/2010 19:59:29 - System Checkpoint
    RP1370: 03/12/2010 19:33:56 - System Checkpoint
    RP1371: 03/12/2010 20:22:09 - Installed Driver Mender.

    ==== Installed Programs ======================

    360Share Pro(remove only)
    Adobe Acrobat 5.0
    Adobe Acrobat and Reader 8.1.2 Security Update 1 (KB403742)
    Adobe Flash Player 10 ActiveX
    Adobe Reader 8.1.2
    Adobe Reader 8.1.2 Security Update 1 (KB403742)
    Adobe® Photoshop® Album Starter Edition 3.2
    Advanced Audio FX Engine
    Advanced Video FX Engine
    Apple Application Support
    Apple Mobile Device Support
    Apple Software Update
    ArcSoft PhotoBase
    ArcSoft PhotoImpression 5
    ArcSoft PhotoStudio 2000
    AVG 2011
    AVG PC Tuneup 2011
    Bluetooth Stack for Windows by Technika
    Bonjour
    BT Broadband Desktop Help
    BT Yahoo! Applications
    BTHomeHub
    BTTotalBroadband210
    C-Media 3D Audio
    Canon ScanGear Toolbox 3.1
    CCleaner
    Creative Jukebox Driver
    Creative Live! Cam Center
    Creative Live! Cam Doodling
    Creative Live! Cam FX Creator
    Creative Live! Cam Manager
    Creative Live! Cam Notebook Ultra Driver (1.03.03.00)
    Creative Live! Cam Notebook Ultra User's Guide (English)
    Creative MediaSource
    Creative Photo Manager
    Creative Removable Disk Manager
    Creative Software AutoUpdate
    Creative System Information
    Creative Zen Micro
    Critical Update for Windows Media Player 11 (KB959772)
    Driver Mender
    EAF
    FinePix Studio
    FinePixViewer Resource
    FinePixViewer Ver.5.4
    Freecom Backup Software 1.15
    Freecom Personal Media Suite 2.24
    FrostWire 4.13.5
    FUJIFILM USB Driver
    Google Earth
    Google Update Helper
    GoToAssist Corporate
    Hotfix for Windows XP (KB909394)
    Hotfix for Windows XP (KB970653-v3)
    Hotfix for Windows XP (KB976002-v5)
    Hotfix for Windows XP (KB976098-v2)
    Hotfix for Windows XP (KB979306)
    Hotfix for Windows XP (KB981793)
    Intel(R) Extreme Graphics 2 Driver
    iPod for Windows 2005-09-23
    IrfanView (remove only)
    iTunes
    J2SE Runtime Environment 5.0 Update 11
    J2SE Runtime Environment 5.0 Update 9
    Java(TM) SE Runtime Environment 6 Update 1
    LaserJet 1018
    LightScribe 1.4.136.1
    Live! Cam Avatar Creator
    Live! Cam Avatar v1.0
    Malwarebytes' Anti-Malware
    Microsoft .NET Framework 1.1
    Microsoft .NET Framework 1.1 Security Update (KB979906)
    Microsoft .NET Framework 2.0
    Microsoft ActiveSync
    Microsoft Application Error Reporting
    Microsoft Compression Client Pack 1.0 for Windows XP
    Microsoft IntelliPoint 6.2
    Microsoft Kernel-Mode Driver Framework Feature Pack 1.5
    Microsoft Office Professional Edition 2003
    Microsoft User-Mode Driver Framework Feature Pack 1.0
    Microsoft Visual C++ 2005 Redistributable
    Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
    MobileMe Control Panel
    MSXML 4.0 SP2 (KB927978)
    MSXML 4.0 SP2 (KB936181)
    MSXML 4.0 SP2 (KB954430)
    MSXML 4.0 SP2 (KB973688)
    MSXML 4.0 SP2 Parser and SDK
    MSXML 6 Service Pack 2 (KB973686)
    muveeNow 2.0 - Creative
    Nero - Burning Rom
    Nero 7 Essentials
    OLYMPUS CAMEDIA Master 4.1
    OmniPage Pro 9.0
    OutlookSpy
    Picasa 2
    PowerDVD
    QuickTime
    Safari
    Sage Accounts V11.01
    Sage MIS 3.01
    SageAcc
    Scan Manager 5.2
    Security Update for Windows Internet Explorer 8 (KB969897)
    Security Update for Windows Internet Explorer 8 (KB971961)
    Security Update for Windows Internet Explorer 8 (KB972260)
    Security Update for Windows Internet Explorer 8 (KB974455)
    Security Update for Windows Internet Explorer 8 (KB976325)
    Security Update for Windows Internet Explorer 8 (KB978207)
    Security Update for Windows Internet Explorer 8 (KB981332)
    Security Update for Windows Internet Explorer 8 (KB982381)
    Security Update for Windows Media Player (KB952069)
    Security Update for Windows Media Player (KB954155)
    Security Update for Windows Media Player (KB968816)
    Security Update for Windows Media Player (KB973540)
    Security Update for Windows Media Player (KB978695)
    Security Update for Windows Media Player 11 (KB954154)
    Security Update for Windows XP (KB2229593)
    Security Update for Windows XP (KB938464)
    Security Update for Windows XP (KB954211)
    Security Update for Windows XP (KB954600)
    Security Update for Windows XP (KB955069)
    Security Update for Windows XP (KB956390)
    Security Update for Windows XP (KB956391)
    Security Update for Windows XP (KB956802)
    Security Update for Windows XP (KB956803)
    Security Update for Windows XP (KB956841)
    Security Update for Windows XP (KB956844)
    Security Update for Windows XP (KB957095)
    Security Update for Windows XP (KB957097)
    Security Update for Windows XP (KB958215)
    Security Update for Windows XP (KB958470)
    Security Update for Windows XP (KB958644)
    Security Update for Windows XP (KB958687)
    Security Update for Windows XP (KB958690)
    Security Update for Windows XP (KB958869)
    Security Update for Windows XP (KB960225)
    Security Update for Windows XP (KB960714)
    Security Update for Windows XP (KB960715)
    Security Update for Windows XP (KB960859)
    Security Update for Windows XP (KB961371)
    Security Update for Windows XP (KB961501)
    Security Update for Windows XP (KB968537)
    Security Update for Windows XP (KB969059)
    Security Update for Windows XP (KB969898)
    Security Update for Windows XP (KB969947)
    Security Update for Windows XP (KB970238)
    Security Update for Windows XP (KB970430)
    Security Update for Windows XP (KB971032)
    Security Update for Windows XP (KB971468)
    Security Update for Windows XP (KB971486)
    Security Update for Windows XP (KB971557)
    Security Update for Windows XP (KB971633)
    Security Update for Windows XP (KB971657)
    Security Update for Windows XP (KB972270)
    Security Update for Windows XP (KB973346)
    Security Update for Windows XP (KB973354)
    Security Update for Windows XP (KB973507)
    Security Update for Windows XP (KB973525)
    Security Update for Windows XP (KB973869)
    Security Update for Windows XP (KB973904)
    Security Update for Windows XP (KB974112)
    Security Update for Windows XP (KB974318)
    Security Update for Windows XP (KB974392)
    Security Update for Windows XP (KB974571)
    Security Update for Windows XP (KB975025)
    Security Update for Windows XP (KB975467)
    Security Update for Windows XP (KB975560)
    Security Update for Windows XP (KB975561)
    Security Update for Windows XP (KB975562)
    Security Update for Windows XP (KB975713)
    Security Update for Windows XP (KB977165)
    Security Update for Windows XP (KB977816)
    Security Update for Windows XP (KB977914)
    Security Update for Windows XP (KB978037)
    Security Update for Windows XP (KB978251)
    Security Update for Windows XP (KB978262)
    Security Update for Windows XP (KB978338)
    Security Update for Windows XP (KB978542)
    Security Update for Windows XP (KB978601)
    Security Update for Windows XP (KB978706)
    Security Update for Windows XP (KB979309)
    Security Update for Windows XP (KB979482)
    Security Update for Windows XP (KB979559)
    Security Update for Windows XP (KB979683)
    Security Update for Windows XP (KB980195)
    Security Update for Windows XP (KB980218)
    Security Update for Windows XP (KB980232)
    SightSpeed (remove only)
    Skype™ 4.2
    TomTom HOME 2.7.4.1962
    TomTom HOME Visual Studio Merge Modules
    Update for Windows Internet Explorer 8 (KB968220)
    Update for Windows Internet Explorer 8 (KB976662)
    Update for Windows Internet Explorer 8 (KB976749)
    Update for Windows Internet Explorer 8 (KB980182)
    Update for Windows XP (KB932823-v3)
    Update for Windows XP (KB955759)
    Update for Windows XP (KB955839)
    Update for Windows XP (KB967715)
    Update for Windows XP (KB968389)
    Update for Windows XP (KB971737)
    Update for Windows XP (KB973687)
    Update for Windows XP (KB973815)
    VoiceOver Kit
    WebFldrs XP
    Windows Genuine Advantage Notifications (KB905474)
    Windows Genuine Advantage v1.3.0254.0
    Windows Genuine Advantage Validation Tool (KB892130)
    Windows Internet Explorer 8
    Windows Media Format 11 runtime
    Windows Media Player 11
    WinZip 14.5
    Yahoo! Software Update

    ==== Event Viewer Messages From Past Week ========

    04/12/2010 00:16:41, error: System Error [1003] - Error code 1000007f, parameter1 0000000d, parameter2 00000000, parameter3 00000000, parameter4 00000000.
    04/12/2010 00:00:11, error: Service Control Manager [7034] - The Yahoo! Updater service terminated unexpectedly. It has done this 1 time(s).
    04/12/2010 00:00:11, error: Service Control Manager [7034] - The TomTomHOMEService service terminated unexpectedly. It has done this 1 time(s).
    04/12/2010 00:00:11, error: Service Control Manager [7034] - The McciCMService service terminated unexpectedly. It has done this 1 time(s).
    04/12/2010 00:00:11, error: Service Control Manager [7034] - The Creative Service for CDROM Access service terminated unexpectedly. It has done this 1 time(s).
    04/12/2010 00:00:11, error: Service Control Manager [7034] - The Bonjour Service service terminated unexpectedly. It has done this 1 time(s).
    04/12/2010 00:00:11, error: Service Control Manager [7031] - The Apple Mobile Device service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
    03/12/2010 23:13:21, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: IntelIde
    02/12/2010 07:38:03, error: Service Control Manager [7023] - The HID Input Service service terminated with the following error: The specified module could not be found.
    02/12/2010 07:38:03, error: Service Control Manager [7000] - The Parallel port driver service failed to start due to the following error: The service cannot be started, either because it is disabled or because it has no enabled devices associated with it.

    ==== End Of File ===========================

    Thanks
     
  2. Broni

    Broni Malware Annihilator Posts: 47,973   +271

    Welcome aboard

    Please, disable "word wrap" in Notepad, because your logs are hard to read.

    Please, observe following rules:
    • Read all of my instructions very carefully. Your mistakes during cleaning process may have very serious consequences, like unbootable computer.
    • If you're stuck, or you're not sure about certain step, always ask before doing anything else.
    • Please refrain from running tools or applying updates other than those I suggest.
    • Never run more than one scan at a time.
    • Keep updating me regarding your computer behavior, good, or bad.
    • The cleaning process, once started, has to be completed. Even if your computer appears to act better, it may still be infected. Once the computer is totally clean, I'll certainly let you know.
    • If you leave the topic without explanation in the middle of a cleaning process, you may not be eligible to receive any more help in malware removal forum.
    • I close my topics if you have not replied in 5 days. If you need more time, simply let me know. If I closed your topic and you need it to be reopened, simply PM me.

    =======================================================================

    Download MBRCheck to your desktop

    Double click MBRCheck.exe to run (Vista and Windows 7 users, right click and select Run as Administrator).
    It will show a black screen with some data on it.
    Enter N to exit.
    A report called MBRcheckxxxx.txt will be on your desktop
    Open this report and post its content in your next reply.

    ======================================================================

    Please download ComboFix from Here or Here to your Desktop.

    **Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
    1. Please, never rename Combofix unless instructed.
    2. Close any open browsers.
    3. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
      • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
      • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
      NOTE1. If Combofix asks you to install Recovery Console, please allow it.
      NOTE 2. If Combofix asks you to update the program, always do so.
      • Close any open browsers.
      • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
      • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
      • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
    4. Double click on combofix.exe & follow the prompts.
    5. When finished, it will produce a report for you.
    6. Please post the "C:\ComboFix.txt"
    **Note 1: Do not mouseclick combofix's window while it's running. That may cause it to stall
    **Note 2 for AVG users: ComboFix will not run until AVG is uninstalled as a protective measure against the anti-virus. This is because AVG "falsely" detects ComboFix (or its embedded files) as a threat and may remove them resulting in the tool not working correctly which in turn can cause "unpredictable results". Since AVG cannot be effectively disabled before running ComboFix, the author recommends you to uninstall AVG first.
    Use AVG Remover to uninstall it: http://www.avg.com/us-en/download-tools
    We can reinstall it when we're done with CF.
    **Note 3: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion", restart computer to fix the issue.



    Make sure, you re-enable your security programs, when you're done with Combofix.

    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    NOTE.
    If, for some reason, Combofix refuses to run, try one of the following:

    1. Run Combofix from Safe Mode.

    2. Delete Combofix file, download a fresh one, but rename combofix.exe to your_name.exe BEFORE saving it to your desktop.
    Do NOT run it yet.

    Please download and run the below tool named Rkill (courtesy of BleepingComputer.com) which may help allow other programs to run.

    There are 4 different versions. If one of them won't run then download and try to run the other one.

    Vista and Win7 users need to right click Rkill and choose Run as Administrator

    You only need to get one of these to run, not all of them. You may get warnings from your antivirus about this tool, ignore them or shutdown your antivirus.

    Rkill.com
    Rkill.scr
    Rkill.pif
    Rkill.exe

    • Double-click on the Rkill desktop icon to run the tool.
    • If using Vista or Windows 7 right-click on it and choose Run As Administrator.
    • A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
    • If not, delete the file, then download and use the one provided in Link 2.
    • If it does not work, repeat the process and attempt to use one of the remaining links until the tool runs.
    • Do not reboot until instructed.
    • If the tool does not run from any of the links provided, please let me know.

    Once you've gotten one of them to run, immediately run your_name.exe by double clicking on it.

    If normal mode still doesn't work, run BOTH tools from safe mode.

    In case #2, please post BOTH logs, rKill and Combofix.

    DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!
     
  3. snowscreen

    snowscreen TS Rookie Topic Starter Posts: 19

    Hi Broni
    Thanks very much for giving help

    Word wrap is now off, sorry about that. Let me know if you need the logs run again and re-posted.

    Having a problem getting ComboFix to run and I believe I've tried everything above...


    I had AVG Free 2010 installed, think that was the one. I used the AVG Remover tool to get rid of this, it ran fine and removed it, I've run it a few times now to make sure it's all gone.

    Tried to then run ComboFix, said it can't run with AVG installed. I downloaded ComboFix again but named it something else when downloading, again the same problem when trying to start it.

    I then downloaded Rkill and ran that in safe mode followed by the renamed ComboFix, same problems each time, can't run with AVG installed.


    What would you suggest?



    NOTE
    (Also, on starting the PC this time the bad image error hasn't come up... not at start-up and not when I've been opening folders/programs.) Strange, will restart again and see if it does it.... Restarted, not had a bad image error just yet.

    When I started up and came into Windows I did still get the -
    "Could not load or run (there's two squares here)(2nd error message has 4 squares) specified in the registry. Make sure the file exists on your computer or remove the reference to it in the registry."

    This will be these, which I'm guessing are related to my bad image problem, which currently has stopped:

    Is it easy to stop this registry message? Unchecking the items does not work, as after start-up they are checked again.


    'Start Item' and 'Command' heading = load of oriental characters
    (2 lines with 2 squares, 2 lines with 6 squares, Start + Command are the same on each line)
    Under 'Location' heading;
    HKCU\SOFTWARE\MICROSOFT\Windows NT\CurrentVersion\Windows:Run
    HKCU\SOFTWARE\MICROSOFT\Windows NT\CurrentVersion\Windows:Load

    Anyway, back to AVG: can you help me get ComboFix to run?

    The Rkill log was:
    This log file is located at C:\rkill.log.
    Please post this only if requested to by the person helping you.
    Otherwise you can close this log when you wish.

    Rkill was run on 04/12/2010 at 6:32:33.
    Operating System: Microsoft Windows XP


    Processes terminated by Rkill or while it was running:



    Rkill completed on 04/12/2010 at 6:32:39.
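    Added example (not from either poster, and not part of Broni's tool set): a PowerShell script to inspect the two legacy logon values that keep showing up in msconfig, HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows\Run and \Load, together with the AppInit_DLLs value under the HKLM key of the same name. Run/Load are the registry equivalents of the old win.ini run=/load= lines and are started for the user at logon even though they are not under the usual ...\CurrentVersion\Run key. AppInit_DLLs is listed because a DLL loaded that way goes into every process, and a damaged or non-PE file there is one common reason the "not a valid Windows image" box appears for every program that is launched. The script prints each value's data as Unicode code points (so data that msconfig renders as squares becomes readable), checks whether the referenced file exists and carries an MZ/PE header, and shows the removal commands commented out. It assumes PowerShell 2.0 or later is present on the box (the thread's XP SP2 machine would need it installed) and that it is run as the user whose profile showed the entries; the function names are the example's own.

```powershell
# Added example: inspect the legacy logon values msconfig listed under
# "HKCU\...\Windows NT\CurrentVersion\Windows:Run" / ":Load" and the
# AppInit_DLLs value under the HKLM key of the same name.
# Assumes PowerShell 2.0+ and that it is run as the affected user.

$UserWindowsKey    = 'HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Windows'
$MachineWindowsKey = 'HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Windows'

# Render every character as U+XXXX so data that the msconfig font cannot draw
# (shown as squares) can be read and searched for.
function ConvertTo-CodePoints {
    param([string]$Text)
    ($Text.ToCharArray() | ForEach-Object { 'U+{0:X4}' -f [int]$_ }) -join ' '
}

# Minimal image check: file exists, starts with 'MZ', and e_lfanew (offset 0x3C)
# points at a 'PE\0\0' signature. The loader checks far more than this, but a
# file that fails here cannot be a valid Windows image.
function Test-PeImage {
    param([string]$FilePath)
    if (-not (Test-Path -LiteralPath $FilePath -PathType Leaf)) { return 'missing' }
    $bytes = [System.IO.File]::ReadAllBytes($FilePath)
    if ($bytes.Length -lt 0x40 -or $bytes[0] -ne 0x4D -or $bytes[1] -ne 0x5A) { return 'no MZ header' }
    $peOffset = [System.BitConverter]::ToInt32($bytes, 0x3C)
    if ($peOffset -lt 0 -or ($peOffset + 4) -gt $bytes.Length) { return 'bad e_lfanew' }
    if ($bytes[$peOffset] -ne 0x50 -or $bytes[$peOffset + 1] -ne 0x45 -or
        $bytes[$peOffset + 2] -ne 0 -or $bytes[$peOffset + 3] -ne 0) { return 'no PE signature' }
    return 'valid PE header'
}

# Collect the per-user Run/Load values and the machine-wide AppInit_DLLs list.
function Get-LegacyLoadPoints {
    $found = @()
    foreach ($name in 'Run', 'Load') {
        $data = (Get-ItemProperty -LiteralPath $UserWindowsKey -ErrorAction SilentlyContinue).$name
        if ($data) {
            $found += New-Object PSObject -Property @{ Location = "HKCU:...\Windows\$name"; Data = $data }
        }
    }
    $appInit = (Get-ItemProperty -LiteralPath $MachineWindowsKey -ErrorAction SilentlyContinue).AppInit_DLLs
    if ($appInit) {
        # AppInit_DLLs is a space- or comma-separated list of DLL paths.
        foreach ($dll in ($appInit -split '[ ,]+' | Where-Object { $_ })) {
            $found += New-Object PSObject -Property @{ Location = 'HKLM:...\Windows\AppInit_DLLs'; Data = $dll }
        }
    }
    $found
}

foreach ($entry in Get-LegacyLoadPoints) {
    # Run/Load data may be a bare path, a quoted path, or "path arguments":
    # take the first token as the file to test.
    if ($entry.Data -match '^"([^"]+)"') { $candidate = $Matches[1] }
    else { $candidate = ($entry.Data -split '\s+')[0] }
    $candidate = [System.Environment]::ExpandEnvironmentVariables($candidate)

    Write-Output $entry.Location
    Write-Output ('  data        : ' + $entry.Data)
    Write-Output ('  code points : ' + (ConvertTo-CodePoints $entry.Data))
    Write-Output ('  non-ASCII   : ' + ($entry.Data -match '[^\x20-\x7E]'))
    Write-Output ('  image check : ' + (Test-PeImage $candidate))
}

# Removal, once an entry is confirmed bogus (file missing, not a PE, or the
# dropped payload). Left commented out on purpose: if a value reappears after
# a reboot, the process that writes it is still running and has to be stopped
# first, which is what the helper's rkill/ComboFix step is for.
# Remove-ItemProperty -LiteralPath $UserWindowsKey    -Name Run
# Remove-ItemProperty -LiteralPath $UserWindowsKey    -Name Load
# Set-ItemProperty    -LiteralPath $MachineWindowsKey -Name AppInit_DLLs -Value ''
```

    A "non-ASCII : True" line with a "missing" or "no PE signature" image check is the pattern to expect from what the poster describes (squares in msconfig, "Could not load or run ... specified in the registry" at logon). If the value's data decodes to a real, signed program the poster's family uses, leave it alone; the check is there to tell the two cases apart, not to delete on sight.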
     
  4. Broni

    Broni Malware Annihilator Posts: 47,973   +271

    Let's see where AVG is hiding....

    Download OTL to your Desktop.

    • Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
    • Under the Custom Scan box paste this in:


    netsvcs
    drivers32
    %SYSTEMDRIVE%\*.*
    %systemroot%\Fonts\*.com
    %systemroot%\Fonts\*.dll
    %systemroot%\Fonts\*.ini
    %systemroot%\Fonts\*.ini2
    %systemroot%\Fonts\*.exe
    %systemroot%\system32\spool\prtprocs\w32x86\*.*
    %systemroot%\REPAIR\*.bak1
    %systemroot%\REPAIR\*.ini
    %systemroot%\system32\*.jpg
    %systemroot%\*.jpg
    %systemroot%\*.png
    %systemroot%\*.scr
    %systemroot%\*._sy
    %APPDATA%\Adobe\Update\*.*
    %ALLUSERSPROFILE%\Favorites\*.*
    %APPDATA%\Microsoft\*.*
    %PROGRAMFILES%\*.*
    %APPDATA%\Update\*.*
    %systemroot%\*. /mp /s
    CREATERESTOREPOINT
    %systemroot%\System32\config\*.sav
    %PROGRAMFILES%\bak. /s
    %systemroot%\system32\bak. /s
    %ALLUSERSPROFILE%\Start Menu\*.lnk /x
    %systemroot%\system32\config\systemprofile\*.dat /x
    %systemroot%\*.config
    %systemroot%\system32\*.db
    %APPDATA%\Microsoft\Internet Explorer\Quick Launch\*.lnk /x
    %USERPROFILE%\Desktop\*.exe
    %PROGRAMFILES%\Common Files\*.*
    %systemroot%\*.src
    %systemroot%\install\*.*
    %systemroot%\system32\DLL\*.*
    %systemroot%\system32\HelpFiles\*.*
    %systemroot%\system32\rundll\*.*
    %systemroot%\winn32\*.*
    %systemroot%\Java\*.*
    %systemroot%\system32\test\*.*
    %systemroot%\system32\Rundll32\*.*
    %systemroot%\AppPatch\Custom\*.*
    %APPDATA%\Roaming\Microsoft\Windows\Recent\*.lnk /x
    %PROGRAMFILES%\PC-Doctor\Downloads\*.*
    %PROGRAMFILES%\Internet Explorer\*.tmp
    %PROGRAMFILES%\Internet Explorer\*.dat
    %USERPROFILE%\My Documents\*.exe
    %USERPROFILE%\*.exe
    %systemroot%\ADDINS\*.*
    %systemroot%\assembly\*.bak2
    %systemroot%\Config\*.*
    %systemroot%\REPAIR\*.bak2
    %systemroot%\SECURITY\Database\*.sdb /x
    %systemroot%\SYSTEM\*.bak2
    %systemroot%\Web\*.bak2
    %systemroot%\Driver Cache\*.*
    %PROGRAMFILES%\Mozilla Firefox\0*.exe
    %ProgramFiles%\Microsoft Common\*.*
    %ProgramFiles%\TinyProxy.
    %USERPROFILE%\Favorites\*.url /x
    %systemroot%\system32\*.bk
    %systemroot%\*.te
    %systemroot%\system32\system32\*.*
    %ALLUSERSPROFILE%\*.dat /x
    %systemroot%\system32\drivers\*.rmv
    dir /b "%systemroot%\system32\*.exe" | find /i " " /c
    dir /b "%systemroot%\*.exe" | find /i " " /c
    %PROGRAMFILES%\Microsoft\*.*
    %systemroot%\System32\Wbem\proquota.exe
    %PROGRAMFILES%\Mozilla Firefox\*.dat
    %USERPROFILE%\Cookies\*.txt /x
    %SystemRoot%\system32\fonts\*.*
    %systemroot%\system32\winlog\*.*
    %systemroot%\system32\Language\*.*
    %systemroot%\system32\Settings\*.*
    %systemroot%\system32\*.quo
    %SYSTEMROOT%\AppPatch\*.exe
    %SYSTEMROOT%\inf\*.exe
    %SYSTEMROOT%\Installer\*.exe
    %systemroot%\system32\config\*.bak2
    %systemroot%\system32\Computers\*.*
    %SystemRoot%\system32\Sound\*.*
    %SystemRoot%\system32\SpecialImg\*.*
    %SystemRoot%\system32\code\*.*
    %SystemRoot%\system32\draft\*.*
    %SystemRoot%\system32\MSSSys\*.*
    %ProgramFiles%\Javascript\*.*
    %systemroot%\pchealth\helpctr\System\*.exe /s
    %systemroot%\Web\*.exe
    %systemroot%\system32\msn\*.*
    %systemroot%\system32\*.tro
    %AppData%\Microsoft\Installer\msupdates\*.*
    %ProgramFiles%\Messenger\*.*
    %systemroot%\system32\systhem32\*.*
    %systemroot%\system\*.exe
    HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install|LastSuccessTime /rs
    /md5start
    /md5stop


    • Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
    • When the scan completes, it will open two notepad windows: OTL.txt and Extras.txt. These are saved in the same location as OTL.
    • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post them back here.
     
Topic Status:
Not open for further replies.