Solved System32 - bad image

Status
Not open for further replies.
Here is the OTL Scan you requested. McAfee is uninstalled also.

All processes killed
========== OTL ==========
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{3CA2F312-6F6E-4B53-A66E-4E65E497C8C0}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{3CA2F312-6F6E-4B53-A66E-4E65E497C8C0}\ not found.
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5C255C8A-E604-49b4-9D64-90988571CECB}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{5C255C8A-E604-49b4-9D64-90988571CECB}\ not found.
Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Toolbar\\Locked deleted successfully.
Starting removal of ActiveX control {E06E2E99-0AA1-11D4-ABA6-0060082AA75C}
C:\ProgramData\webex\ieatgpc.inf moved successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{E06E2E99-0AA1-11D4-ABA6-0060082AA75C}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E06E2E99-0AA1-11D4-ABA6-0060082AA75C}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{E06E2E99-0AA1-11D4-ABA6-0060082AA75C}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E06E2E99-0AA1-11D4-ABA6-0060082AA75C}\ not found.
Starting removal of ActiveX control {E2883E8F-472F-4FB0-9522-AC9BF37916A7}
C:\Windows\Downloaded Program Files\gp.inf not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{E2883E8F-472F-4FB0-9522-AC9BF37916A7}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E2883E8F-472F-4FB0-9522-AC9BF37916A7}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{E2883E8F-472F-4FB0-9522-AC9BF37916A7}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E2883E8F-472F-4FB0-9522-AC9BF37916A7}\ not found.
C:\Windows\SysWow64\sho6E4.tmp deleted successfully.
C:\Windows\SysWow64\sho7A6E.tmp deleted successfully.
C:\kleaner.tmp\kln10AA.tmp deleted successfully.
C:\kleaner.tmp\kln1369.tmp deleted successfully.
C:\kleaner.tmp\kln136A.tmp deleted successfully.
C:\kleaner.tmp\kln136B.tmp deleted successfully.
C:\kleaner.tmp\kln1446.tmp deleted successfully.
C:\kleaner.tmp\kln14B4.tmp deleted successfully.
C:\kleaner.tmp\kln16A8.tmp deleted successfully.
C:\kleaner.tmp\kln1E77.tmp deleted successfully.
C:\kleaner.tmp\kln1E78.tmp deleted successfully.
C:\kleaner.tmp\kln1E79.tmp deleted successfully.
C:\kleaner.tmp\kln1E7A.tmp deleted successfully.
C:\kleaner.tmp\kln1E9A.tmp deleted successfully.
C:\kleaner.tmp\kln1E9B.tmp deleted successfully.
C:\kleaner.tmp\kln1E9C.tmp deleted successfully.
C:\kleaner.tmp\kln1E9D.tmp deleted successfully.
C:\kleaner.tmp\klnFDE.tmp deleted successfully.
C:\kleaner.tmp folder deleted successfully.
========== COMMANDS ==========

[EMPTYTEMP]

User: All Users

User: Default
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 67 bytes

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: George
->Temp folder emptied: 318066 bytes
->Temporary Internet Files folder emptied: 184990488 bytes
->Flash cache emptied: 112347 bytes

User: Public
->Temp folder emptied: 0 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32 (64bit) .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 3354 bytes
%systemroot%\sysnative\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files folder emptied: 50467 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 177.00 mb


[EMPTYFLASH]

User: All Users

User: Default

User: Default User

User: George
->Flash cache emptied: 0 bytes

User: Public

Total Flash Files Cleaned = 0.00 mb


OTL by OldTimer - Version 3.2.26.5 log created on 08232011_210250

Files\Folders moved on Reboot...
C:\Users\George\AppData\Local\Temp\FXSAPIDebugLogFile.txt moved successfully.

Registry entries deleted on Reboot...
 
SecurityCheck log is here. Moving on to step 2 now.

Results of screen317's Security Check version 0.99.7
Windows 7 (UAC is enabled)
Internet Explorer 8
``````````````````````````````
Antivirus/Firewall Check:

Windows Firewall Enabled!
Avira AntiVir Personal - Free Antivirus
[size=1]WMI entry may not exist for antivirus; attempting automatic update.[/size]
Avira successfully updated!
```````````````````````````````
Anti-malware/Other Utilities Check:

Malwarebytes' Anti-Malware
Adobe Flash Player
Adobe Reader 9.1 MUI
Out of date Adobe Reader installed!
````````````````````````````````
Process Check:
objlist.exe by Laurent

Malwarebytes' Anti-Malware mbamservice.exe
Malwarebytes' Anti-Malware mbamgui.exe
Avira Antivir avgnt.exe
Avira Antivir avguard.exe
``````````End of Log````````````
 
Update Adobe Reader

You can download it from https://www.techspot.com/downloads/2083-adobe-reader-dc.html
After installing the latest Adobe Reader, uninstall all previous versions.
Note. If you already have Adobe Photoshop® Album Starter Edition installed or do not wish to have it installed UNcheck the box which says Also Download Adobe Photoshop® Album Starter Edition.

Alternatively, you can uninstall Adobe Reader (33.5 MB), download and install Foxit PDF Reader (3.5 MB) from HERE.
It's a much smaller file to download and uses a lot less resources than Adobe Reader.
Note: When installing FoxitReader, make sure to UN-check any pre-checked toolbar, or any other garbage.
 
Okay, ESET finished just in time before I got the ccc.exe app error message and my computer locked up. No log from ESET. Moving on to update Adobe. Sent from phone.
 
Got this error message when I tried to run Quick Startup.

C:\Program Files(x86)\Quick Startup\startup.exe

CreateProcess failed; code 740
The requested operation requires elevation.

Should I uninstall, reboot, reinstall?
 
Also, are these the Adobe files I should be uninstalling?

Acrobat.com Installed 7/27/2010
Adobe AIR 7/27/2010
Adobe Flash Player10 ActiveX 3/8/2011

Thanks for your patience by the way :)
 
Here is the Quick Startup log.

Startup List report created on 8/23/2011 by Startup Manager


Name: BackupManagerTray
Path: "C:\Program Files (x86)\NewTech Infosystems\Gateway MyBackup\BackupManagerTray.exe" -h -k
Location: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
Status: Enabled
------------------------------------------------------------------------------------------

Name: THX Audio Control Panel
Path: "C:\Program Files (x86)\Creative\THX TruStudio PC\THXAudioCP\THXAudio.exe" /r
Location: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
Status: Enabled
------------------------------------------------------------------------------------------

Name: Hotkey Utility
Path: C:\Program Files (x86)\Gateway\Hotkey Utility\HotkeyUtility.exe
Location: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
Status: Enabled
------------------------------------------------------------------------------------------

Name: StartCCC
Path: "C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
Location: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
Status: Enabled
------------------------------------------------------------------------------------------

Name: ATICustomerCare
Path: "C:\Program Files (x86)\ATI\ATICustomerCare\ATICustomerCare.exe"
Location: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
Status: Enabled
------------------------------------------------------------------------------------------

Name: nmctxth
Path: "C:\Program Files (x86)\Common Files\Pure Networks Shared\Platform\nmctxth.exe"
Location: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
Status: Enabled
------------------------------------------------------------------------------------------

Name: nmapp
Path: "C:\Program Files (x86)\Pure Networks\Network Magic\nmapp.exe" -autorun -nosplash
Location: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
Status: Enabled
------------------------------------------------------------------------------------------

Name: LogMeIn Hamachi Ui
Path: "C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2-ui.exe" --auto-start
Location: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
Status: Enabled
------------------------------------------------------------------------------------------

Name: avgnt
Path: "C:\Program Files (x86)\Avira\AntiVir Desktop\avgnt.exe" /min
Location: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
Status: Enabled
------------------------------------------------------------------------------------------

Name: Malwarebytes' Anti-Malware
Path: "C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray
Location: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
Status: Enabled
------------------------------------------------------------------------------------------

Name: Adobe ARM
Path: "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
Location: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
Status: Enabled
------------------------------------------------------------------------------------------

Name: swg
Path: "C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
Location: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
Status: Enabled
------------------------------------------------------------------------------------------

Name: NETGEAR WNA3100 Smart Wizard
Path: C:\PROGRA~2\NETGEAR\WNA3100\WNA3100.exe
Location: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup
Status: Enabled
------------------------------------------------------------------------------------------

Name: Photo Frame
Path: C:\PROGRA~2\NORTHS~1\PHOTOF~1\PHOTOF~1.EXE
Location: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup
Status: Enabled
------------------------------------------------------------------------------------------
Total 14 Items
 
Re-run "Quick startup" and UN-check following entries:

Name: THX Audio Control Panel
Name: StartCCC
Name: ATICustomerCare
Name: Adobe ARM

Restart computer and let me know about any errors.

If none....

Your computer is clean

1. We need to reset System Restore to prevent your computer from being accidentally reinfected by using some old restore point(s). We'll create a fresh, clean restore point using the following OTL script:

Run OTL

  • Under the Custom Scans/Fixes box at the bottom, paste in the following:

Code:
:OTL
:Commands
[purity]
[emptytemp]
[EMPTYFLASH]
[CLEARALLRESTOREPOINTS]
[Reboot]

  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot the PC when it is done
  • Post resulting log.

2. Now we'll remove all the tools we used during our cleaning process.

Clean up with OTL:

  • Double-click OTL.exe to start the program.
  • Close all other programs apart from OTL as this step will require a reboot
  • On the OTL main screen, press the CLEANUP button
  • Say Yes to the prompt and then allow the program to reboot your computer.

If you still have any tools or logs leftover on your computer you can go ahead and delete those off of your computer now.

3. Make sure Windows Updates are current.

4. If any Trojan was listed among your infection(s), make sure you change all of your important online passwords (bank account(s), secured web sites, etc.) immediately!

5. Download and install WOT (Web of Trust): http://www.mywot.com/. It'll warn you (in most cases) about dangerous web sites.

6. Run Malwarebytes "Quick scan" once in a while to assure safety of your computer.

7. Run Temporary File Cleaner (TFC) weekly.

8. Download and install Secunia Personal Software Inspector (PSI): https://www.techspot.com/downloads/4898-secunia-personal-software-inspector-psi.html. The Secunia PSI is a FREE security tool designed to detect vulnerable and out-dated programs and plug-ins which expose your PC to attacks. Run it weekly.

9. (optional) If you want to keep all your programs up to date, download and install FileHippo Update Checker.
The Update Checker will scan your computer for installed software, check the versions and then send this information to FileHippo.com to see if there are any newer releases.

10. (Windows XP only) Run defrag at your convenience.

11. When installing\updating ANY program, make sure you always select "Custom" installation, so you can UN-check any possible "drive-by-install" (foistware), like toolbars etc., which may try to install along with the legitimate program. Do NOT click the "Next" button without looking at any given page.

12. Read How did I get infected?, With steps so it does not happen again!: http://www.bleepingcomputer.com/forums/topic2520.html

13. Please let me know how your computer is doing.
 
OTL Log is hurr.

All processes killed
========== OTL ==========
========== COMMANDS ==========

[EMPTYTEMP]

User: All Users

User: Default
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: George
->Temp folder emptied: 2848904 bytes
->Temporary Internet Files folder emptied: 16682168 bytes
->Flash cache emptied: 651 bytes

User: Public
->Temp folder emptied: 0 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32 (64bit) .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 0 bytes
%systemroot%\sysnative\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files folder emptied: 49554 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 19.00 mb
 
Are there uninstalls for the following?:

aswMBR
SecurityCheck
TFC
Glary utilities Freeware
Quick Startup

..or do I just drag to recycle Bin?
 
You're not saying if unchecking those items cured the errors!

Glary utilities Freeware - I didn't mention this.

TFC you keep and run weekly as my instructions say.

All others can simply be deleted.
 
I haven't let my computer stay on long enough. It usually takes about 20 to 30 minutes for the errors to occur along with a freeze.
I'm going to reinstall Steam and the software you suggested, and that should be sufficient time and programs running to cause the errors and freeze.
I will definitely keep you up to date if anything happens.

You are a Boss!
I thank you many times over that of the length of the number Pi.
 
Way to go!!

Good luck and stay safe :)

Let me know, if anything comes up.
 
Oh, my fault. I haven't got past the delete tools part of your instructions that is underlined. I didn't know which tools to keep and which ones to delete. I was having fun playing locate all the items on desktop and drag to other side to organize game.
 
Okay, first problem. I don't have sound on games. Second problem. I cannot go to YouTube, as it makes Internet Explorer not respond.

I can hear my friends on Vent, so I know sound works, but I'm no computer guru; there may be something I'm sure I'm not doing.
 
Re-run "Quick startup" and re-check:
Name: THX Audio Control Panel
Restart computer.

If THXAudio.exe error comes back you'll have to reinstall your audio driver.
 