Author Topic: Yet another "Bad Image - Not a valid Windows image. Malware??  (Read 11695 times)

Tecknoted

    Topic Starter


    Greenhorn

    • Experience: Familiar
    • OS: Windows XP
    Yet another "Bad Image - Not a valid Windows image. Malware??
    « on: October 21, 2012, 02:15:59 AM »
    Hi, Chris here from way down here in NZ.

    Came across this site with the search for the above (same problem as others here) and saw some positive replies and practical help on this issue so - signed up. ; )

    We have a kids' PC that is using a fresh install of WinXP and have been dealing with some issues of the 'updates' etc. unsettling the system and making the installed games non-operational... This week the system on "Log in selection" shows the 'Bad Image Error for Explorer.exe' and then sometimes the Browseui.dll error??

    So when clicking to close this and start up - we now get the desktop showing nil icons, no toolbars etc.; however, we did get Task Manager to start up and were able to select Firefox to install the Avira Antivirus files, but it failed to run for some reason? I have seen several here that have had similar "error messages" of the "Bad Image" type and - so here I am - stuck with this too and with some unhappy Teens!  ;)
    I have already installed the program "HijackThis" and have not done any 'delete this' on anything at this stage - however, I'm typing this on my Linux system, as my email is functional there and I don't use the XP for any.

    Tia
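The "Bad Image - not a valid Windows image" dialog (STATUS_INVALID_IMAGE_FORMAT) means the loader rejected the PE headers of the named file, here explorer.exe and browseui.dll, whether through disk corruption, a botched update, or a malware patch. The checker below is an added example, not code from this thread or from any of the tools it mentions: it walks the DOS, COFF, optional and section headers the way the loader does and reports the first structural rule a file breaks, using a constructed minimal PE32 so it runs offline; `check_pe_file` is a hypothetical helper for a copy pulled off the affected machine.

```python
import struct
from typing import Tuple

MZ = b"MZ"
PE_SIG = b"PE\0\0"
MACHINES = {0x14C: "x86", 0x8664: "x64", 0x1C0: "ARM", 0xAA64: "ARM64"}
OPT_MAGIC = {0x10B: "PE32", 0x20B: "PE32+"}
SECTION_HDR = "<8sIIIIIIHHI"   # 40-byte IMAGE_SECTION_HEADER


def check_pe_image(data: bytes) -> Tuple[bool, str]:
    """Walk the PE headers the Windows loader validates and return (ok, reason).

    The checks mirror the structural rules behind STATUS_INVALID_IMAGE_FORMAT
    ("not a valid Windows image"). A file that passes is well-formed, not
    necessarily trustworthy: compare its hash against a known-good copy too.
    """
    if len(data) < 0x40:
        return False, "shorter than a DOS header"
    if data[:2] != MZ:
        return False, "missing MZ signature"
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + 24 > len(data):
        return False, "e_lfanew 0x%x points past end of file" % e_lfanew
    if data[e_lfanew:e_lfanew + 4] != PE_SIG:
        return False, "missing PE signature at e_lfanew"
    # IMAGE_FILE_HEADER: Machine, NumberOfSections, TimeDateStamp,
    # PointerToSymbolTable, NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    machine, nsections, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, e_lfanew + 4)
    if machine not in MACHINES:
        return False, "unknown machine type 0x%x" % machine
    opt_off = e_lfanew + 24
    if opt_size < 2 or opt_off + opt_size > len(data):
        return False, "optional header truncated"
    magic = struct.unpack_from("<H", data, opt_off)[0]
    if magic not in OPT_MAGIC:
        return False, "bad optional header magic 0x%x" % magic
    sect_off = opt_off + opt_size
    if sect_off + 40 * nsections > len(data):
        return False, "section table truncated"
    for i in range(nsections):
        fields = struct.unpack_from(SECTION_HDR, data, sect_off + 40 * i)
        name = fields[0].rstrip(b"\0").decode("ascii", "replace")
        raw_size, raw_ptr = fields[3], fields[4]      # SizeOfRawData, PointerToRawData
        if raw_size and raw_ptr + raw_size > len(data):
            return False, "section %s raw data past end of file" % name
    return True, "%s %s, %d section(s)" % (OPT_MAGIC[magic], MACHINES[machine], nsections)


def check_pe_file(path: str) -> Tuple[bool, str]:
    """Hypothetical convenience wrapper for a file copied off the affected PC."""
    with open(path, "rb") as fh:
        return check_pe_image(fh.read())


def build_minimal_pe(machine: int = 0x14C, pe_sig: bytes = PE_SIG) -> bytes:
    """Constructed sample: a tiny, non-runnable PE32 with one .text section."""
    dos = bytearray(0x40)
    dos[:2] = MZ
    struct.pack_into("<I", dos, 0x3C, 0x40)                 # e_lfanew right after the DOS header
    opt = struct.pack("<H", 0x10B) + bytes(0xE0 - 2)        # PE32 optional header is 0xE0 bytes
    coff = struct.pack("<HHIIIHH", machine, 1, 0, 0, 0, len(opt), 0x0102)
    section = struct.pack(SECTION_HDR, b".text", 0x10, 0x1000, 0x10, 0x200, 0, 0, 0, 0, 0x60000020)
    header = bytes(dos) + pe_sig + coff + opt + section
    header += bytes(0x200 - len(header))                    # pad up to PointerToRawData
    return header + b"\xC3" * 0x10                          # section body


if __name__ == "__main__":
    good = build_minimal_pe()
    samples = {
        "well-formed": good,
        "zero-filled (wiped file)": bytes(len(good)),
        "PE signature overwritten": good[:0x40] + b"XX\0\0" + good[0x44:],
        "truncated mid-header": good[:0x100],
        "section body cut short": good[:0x205],
    }
    for label, blob in samples.items():
        ok, why = check_pe_image(blob)
        print("%-26s %s  %s" % (label, "OK " if ok else "BAD", why))
```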

    Dr Jay

    • Malware Removal Specialist


    • Specialist
    • Moderator emeritus
    • Thanked: 119
    • Experience: Guru
    • OS: Windows 10
    Re: Yet another "Bad Image - Not a valid Windows image. Malware??
    « Reply #1 on: October 21, 2012, 04:07:49 AM »
    Hi there!

    Follow instructions here and post back logs please: http://www.computerhope.com/forum/index.php/topic,46313.0.html
    ~Dr Jay

    Tecknoted

      Topic Starter


      Greenhorn

      • Experience: Familiar
      • OS: Windows XP
      Re: Yet another "Bad Image - Not a valid Windows image. Malware??
      « Reply #2 on: October 21, 2012, 07:06:28 PM »
      Hi DM Jay

      Done

      # AdwCleaner v2.005 - Logfile created 10/22/2012 at 14:19:59
      # Updated 14/10/2012 by Xplode
      # Operating system : Microsoft Windows XP Service Pack 3 (32 bits)
      # User : Admin - HOME-BF5F8D8B79
      # Boot Mode : Normal
      # Running from : C:\Documents and Settings\Admin.HOME-BF5F8D8B79\My Documents\Downloads\adwcleaner.exe
      # Option [Search]


      ***** [Services] *****


      ***** [Files / Folders] *****

      Folder Found : C:\Program Files\Ask.com
      Folder Found : C:\WINDOWS\Installer\{86D4B82A-ABED-442A-BE86-96357B70F4FE}

      ***** [Registry] *****


      ***** [Internet Browsers] *****

      -\\ Internet Explorer v6.0.2900.5512

      [OK] Registry is clean.

      -\\ Mozilla Firefox v16.0.1 (en-US)

      *************************

      AdwCleaner[R1].txt - [723 octets] - [22/10/2012 14:19:59]

      ########## EOF - C:\AdwCleaner[R1].txt - [782 octets] ##########

      Tecknoted

        Topic Starter


        Greenhorn

        • Experience: Familiar
        • OS: Windows XP
        Re: Yet another "Bad Image - Not a valid Windows image. Malware??
        « Reply #3 on: October 21, 2012, 07:43:18 PM »
        Here's the Malwarebytes log

        Malwarebytes Anti-Malware (Trial) 1.65.1.1000
        www.malwarebytes.org

        Database version: v2012.10.21.08

        Windows XP Service Pack 3 x86 NTFS
        Internet Explorer 6.0.2900.5512
        Admin :: HOME-BF5F8D8B79 [administrator]

        Protection: Enabled

        22/10/2012 2:37:33 p.m.
        mbam-log-2012-10-22 (14-37-33).txt

        Scan type: Quick scan
        Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
        Scan options disabled: P2P
        Objects scanned: 307912
        Time elapsed: 9 minute(s), 10 second(s)

        Memory Processes Detected: 0
        (No malicious items detected)

        Memory Modules Detected: 0
        (No malicious items detected)

        Registry Keys Detected: 0
        (No malicious items detected)

        Registry Values Detected: 0
        (No malicious items detected)

        Registry Data Items Detected: 0
        (No malicious items detected)

        Folders Detected: 0
        (No malicious items detected)

        Files Detected: 0
        (No malicious items detected)

        (end)

        Tecknoted

          Topic Starter


          Greenhorn

          • Experience: Familiar
          • OS: Windows XP
          Re: Yet another "Bad Image - Not a valid Windows image. Malware??
          « Reply #4 on: October 21, 2012, 07:45:07 PM »
          And the DDS

          DDS (Ver_2012-10-19.01) - NTFS_x86
          Internet Explorer: 6.0.2900.5512
          Run by Admin at 14:53:33 on 2012-10-22
          Microsoft Windows XP Home Edition  5.1.2600.3.1252.64.1033.18.767.172 [GMT 13:00]
          .
          AV: AntiVir Desktop *Enabled/Updated* {AD166499-45F9-482A-A743-FDD3350758C7}
          .
          ============== Running Processes ================
          .
          C:\WINDOWS\system32\Ati2evxx.exe
          C:\WINDOWS\system32\spoolsv.exe
          C:\Program Files\Avira\AntiVir Desktop\sched.exe
          C:\Program Files\Avira\AntiVir Desktop\avguard.exe
          C:\WINDOWS\System32\snmp.exe
          C:\Program Files\Avira\AntiVir Desktop\avshadow.exe
          C:\WINDOWS\system32\Ati2evxx.exe
          C:\WINDOWS\system32\taskmgr.exe
          C:\Program Files\Mozilla Firefox\firefox.exe
          C:\Program Files\Malwarebytes' Anti-Malware\mbamscheduler.exe
          C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
          C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
          C:\WINDOWS\system32\wbem\wmiprvse.exe
          C:\WINDOWS\System32\svchost.exe -k netsvcs
          C:\WINDOWS\system32\svchost.exe -k NetworkService
          C:\WINDOWS\system32\svchost.exe -k LocalService
          .
          ============== Pseudo HJT Report ===============
          .
          uRun: [CTFMON.EXE] c:\windows\system32\ctfmon.exe
          mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
          mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
          mRun: [KernelFaultCheck] c:\windows\system32\dumprep 0 -k
          mRunOnce: [Malwarebytes Anti-Malware] c:\program files\malwarebytes' anti-malware\mbamgui.exe /install /silent
          dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
          uPolicies-Explorer: NoDriveTypeAutoRun = dword:145
          mPolicies-Explorer: NoDriveTypeAutoRun = dword:145
          IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
          IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
          TCP: NameServer = 58.28.5.2 58.28.6.2
          TCP: Interfaces\{AA82C5AA-98E2-4F51-A82E-7C1A2B2106C5} : DHCPNameServer = 58.28.5.2 58.28.6.2
          Notify: AtiExtEvent - Ati2evxx.dll
          .
          ================= FIREFOX ===================
          .
          FF - ProfilePath - c:\documents and settings\admin.home-bf5f8d8b79\application data\mozilla\firefox\profiles\ckmnnc06.default\
          FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
          FF - ExtSQL: 2012-10-21 20:23; {a0d7ccb3-214d-498b-b4aa-0e8fda9a7bf7}; c:\documents and settings\admin.home-bf5f8d8b79\application data\mozilla\firefox\profiles\ckmnnc06.default\extensions\{a0d7ccb3-214d-498b-b4aa-0e8fda9a7bf7}
          FF - ExtSQL: 2012-10-21 20:31; {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}; c:\documents and settings\admin.home-bf5f8d8b79\application data\mozilla\firefox\profiles\ckmnnc06.default\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}.xpi
          .
          ============= SERVICES / DRIVERS ===============
          .
          R1 avgio;avgio;c:\program files\avira\antivir desktop\avgio.sys [2012-10-5 11608]
          R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\avira\antivir desktop\sched.exe [2012-6-4 136360]
          R2 AntiVirService;Avira AntiVir Guard;c:\program files\avira\antivir desktop\avguard.exe [2012-6-4 269480]
          R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2012-10-5 66616]
          R2 MBAMScheduler;MBAMScheduler;c:\program files\malwarebytes' anti-malware\mbamscheduler.exe [2012-10-22 399432]
          R2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2012-10-22 676936]
          R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2012-10-22 22856]
          R3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2012-10-22 40776]
          S3 MozillaMaintenance;Mozilla Maintenance Service;c:\program files\mozilla maintenance service\maintenanceservice.exe [2012-6-4 115168]
          .
          =============== Created Last 30 ================
          .
          2012-10-22 01:30:28   40776   ----a-w-   c:\windows\system32\drivers\mbamswissarmy.sys
          2012-10-22 01:30:28   --------   d-----w-   c:\documents and settings\admin.home-bf5f8d8b79\application data\Malwarebytes
          2012-10-22 01:30:18   --------   d-----w-   c:\documents and settings\all users.windows\application data\Malwarebytes
          2012-10-22 01:30:16   22856   ----a-w-   c:\windows\system32\drivers\mbam.sys
          2012-10-22 01:30:16   --------   d-----w-   c:\program files\Malwarebytes' Anti-Malware
          2012-10-22 01:06:40   --------   d-----w-   c:\program files\CCleaner
          2012-10-20 06:53:57   96224   ----a-w-   c:\program files\mozilla firefox\webapprt-stub.exe
          2012-10-20 06:53:57   157272   ----a-w-   c:\program files\mozilla firefox\webapp-uninstaller.exe
          2012-10-20 06:51:59   159744   ----a-w-   c:\program files\mozilla firefox\plugins\npqtplugin.dll
          2012-10-20 05:41:37   --------   d-----w-   c:\documents and settings\admin.home-bf5f8d8b79\application data\Avira
          2012-10-20 04:27:21   21504   -c--a-w-   c:\windows\system32\dllcache\hidserv.dll
          2012-10-20 04:27:21   21504   ----a-w-   c:\windows\system32\hidserv.dll
          2012-10-20 04:27:15   12160   -c--a-w-   c:\windows\system32\dllcache\mouhid.sys
          2012-10-20 04:27:15   12160   ----a-w-   c:\windows\system32\drivers\mouhid.sys
          2012-10-20 04:27:11   14592   -c--a-w-   c:\windows\system32\dllcache\kbdhid.sys
          2012-10-20 04:27:11   14592   ----a-w-   c:\windows\system32\drivers\kbdhid.sys
          2012-10-20 04:26:59   10368   -c--a-w-   c:\windows\system32\dllcache\hidusb.sys
          2012-10-20 04:26:59   10368   ----a-w-   c:\windows\system32\drivers\hidusb.sys
          2012-10-20 04:26:54   32128   -c--a-w-   c:\windows\system32\dllcache\usbccgp.sys
          2012-10-20 04:26:54   32128   ----a-w-   c:\windows\system32\drivers\usbccgp.sys
          2012-10-05 03:54:25   --------   d-----w-   c:\documents and settings\admin.home-bf5f8d8b79\local settings\application data\Mozilla
          2012-10-05 03:19:32   66616   ----a-w-   c:\windows\system32\drivers\avgntflt.sys
          2012-10-05 03:19:23   --------   d-----w-   c:\documents and settings\all users.windows\application data\Avira
          .
          ==================== Find3M  ====================
          .
          .
          ============= FINISH: 14:54:44.53 ===============

          Tecknoted

            Topic Starter


            Greenhorn

            • Experience: Familiar
            • OS: Windows XP
            Re: Yet another "Bad Image - Not a valid Windows image. Malware??
            « Reply #5 on: October 21, 2012, 07:49:17 PM »
            And the "Attach"

            .
            DDS (Ver_2012-10-19.01)
            .
            Microsoft Windows XP Home Edition
            Boot Device: \Device\HarddiskVolume1
            Install Date: 8/19/2012 1:07:55 PM
            System Uptime: 10/22/2012 1:46:32 PM (1 hours ago)
            .
            Motherboard: MSI |  | MS-6712
            Processor: AMD Athlon(tm) XP 2700+ | Socket-A | 2171/166mhz
            .
            ==== Disk Partitions =========================
            .
            A: is Removable
            C: is FIXED (NTFS) - 37 GiB total, 17.938 GiB free.
            D: is CDROM ()
            E: is CDROM ()
            .
            ==== Disabled Device Manager Items =============
            .
            ==== System Restore Points ===================
            .
            RP1: 8/19/2012 1:13:43 PM - System Checkpoint
            RP2: 8/31/2012 10:39:11 AM - System Checkpoint
            RP3: 9/2/2012 8:48:19 AM - Installed Windows Media Format 9 Series Runtime Setup
            RP4: 10/21/2012 9:46:55 PM - System Checkpoint
            .
            ==== Installed Programs ======================
            .
            Adobe Flash Player Plugin
            ATI Display Driver
            Avira AntiVir Personal - Free Antivirus
            CCleaner
            GameSpy Arcade
            Malwarebytes Anti-Malware version 1.65.1.1000
            Microsoft Age of Empires II
            Microsoft Age of Empires II: The Conquerors Expansion
            Microsoft Rise Of Nations
            Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
            Mozilla Firefox 16.0.1 (x86 en-US)
            Mozilla Maintenance Service
            MSXML4 Parser
            Rise of Nations Thrones and Patriots
            Synaptics Pointing Device Driver
            WebFldrs XP
            Worms 4 Mayhem
            .
            ==== Event Viewer Messages From Past Week ========
            .
            10/21/2012 8:08:05 PM, error: Dhcp [1002]  - The IP address lease 192.168.1.100 for the Network Card with network address 00045A782D73 has been denied by the DHCP server 192.168.1.1 (The DHCP Server sent a DHCPNACK message).
            10/21/2012 7:56:11 AM, error: Service Control Manager [7023]  - The Network Connections service terminated with the following error:  %1 is not a valid Win32 application.
            10/21/2012 7:56:11 AM, error: Service Control Manager [7001]  - The Windows Firewall/Internet Connection Sharing (ICS) service depends on the Network Connections service which failed to start because of the following error:  %1 is not a valid Win32 application.
            10/21/2012 1:28:28 PM, error: Service Control Manager [7023]  - The Telephony service terminated with the following error:  %1 is not a valid Win32 application.
            10/21/2012 1:28:28 PM, error: Service Control Manager [7001]  - The Remote Access Connection Manager service depends on the Telephony service which failed to start because of the following error:  %1 is not a valid Win32 application.
            10/21/2012 1:24:51 PM, error: Dhcp [1002]  - The IP address lease 192.168.1.101 for the Network Card with network address 00045A782D73 has been denied by the DHCP server 192.168.1.1 (The DHCP Server sent a DHCPNACK message).
            10/20/2012 7:40:22 PM, error: VolSnap [25]  - The shadow copy of volume C: was aborted because the diff area file could not grow in time.  Consider reducing the IO load on this system to avoid this problem in the future.
            10/20/2012 7:39:29 PM, error: VolSnap [12]  - The shadow copy of volume C: became low on diff area space before it was properly installed.
            10/20/2012 5:23:11 PM, error: Service Control Manager [7001]  - The Fast User Switching Compatibility service depends on the Terminal Services service which failed to start because of the following error:  %1 is not a valid Win32 application.
            10/20/2012 5:22:56 PM, error: Service Control Manager [7023]  - The Terminal Services service terminated with the following error:  %1 is not a valid Win32 application.
            .
            ==== End Of File ===========================
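The Event Viewer section of the Attach log is the service-side echo of the "Bad Image" dialog: Service Control Manager 7023 events say a service died with "%1 is not a valid Win32 application" (ERROR_BAD_EXE_FORMAT, the loader rejecting the service's binary), and the 7001 events are the services that could not start because they depend on one of those. The parser below is an added example, not part of the thread or of DDS: it reads the DDS event lines (the sample is copied from the log above) and groups each root load failure with its dependents, so a responder knows which service binaries to verify first rather than chasing the dependent failures.

```python
import re
from collections import defaultdict
from typing import Dict, List, Optional

# Sample lines as printed in the DDS Attach log above (constructed from that post).
SAMPLE_EVENTS = """\
10/21/2012 8:08:05 PM, error: Dhcp [1002]  - The IP address lease 192.168.1.100 for the Network Card with network address 00045A782D73 has been denied by the DHCP server 192.168.1.1 (The DHCP Server sent a DHCPNACK message).
10/21/2012 7:56:11 AM, error: Service Control Manager [7023]  - The Network Connections service terminated with the following error:  %1 is not a valid Win32 application.
10/21/2012 7:56:11 AM, error: Service Control Manager [7001]  - The Windows Firewall/Internet Connection Sharing (ICS) service depends on the Network Connections service which failed to start because of the following error:  %1 is not a valid Win32 application.
10/21/2012 1:28:28 PM, error: Service Control Manager [7023]  - The Telephony service terminated with the following error:  %1 is not a valid Win32 application.
10/21/2012 1:28:28 PM, error: Service Control Manager [7001]  - The Remote Access Connection Manager service depends on the Telephony service which failed to start because of the following error:  %1 is not a valid Win32 application.
10/20/2012 7:40:22 PM, error: VolSnap [25]  - The shadow copy of volume C: was aborted because the diff area file could not grow in time.  Consider reducing the IO load on this system to avoid this problem in the future.
10/20/2012 5:23:11 PM, error: Service Control Manager [7001]  - The Fast User Switching Compatibility service depends on the Terminal Services service which failed to start because of the following error:  %1 is not a valid Win32 application.
10/20/2012 5:22:56 PM, error: Service Control Manager [7023]  - The Terminal Services service terminated with the following error:  %1 is not a valid Win32 application.
"""

# "<date> <time>, <level>: <source> [<event id>]  - <message>" as DDS prints it.
EVENT_RE = re.compile(
    r"^(?P<ts>\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2}:\d{2} [AP]M), "
    r"(?P<level>\w+): (?P<source>.+?) \[(?P<event_id>\d+)\]\s+-\s+(?P<message>.*)$"
)
TERMINATED_RE = re.compile(
    r"^The (?P<svc>.+?) service terminated with the following error:\s+(?P<err>.*)$"
)
DEPENDS_RE = re.compile(
    r"^The (?P<svc>.+?) service depends on the (?P<dep>.+?) service which failed to start "
    r"because of the following error:\s+(?P<err>.*)$"
)
# Message text of ERROR_BAD_EXE_FORMAT (193) with its unexpanded %1 placeholder, as logged here.
BAD_EXE_FORMAT = "%1 is not a valid Win32 application."


def parse_dds_event(line: str) -> Optional[dict]:
    """Split one DDS Event Viewer line into its fields; None if it is not an event line."""
    m = EVENT_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["event_id"] = int(ev["event_id"])
    return ev


def image_load_failures(text: str) -> Dict[str, List[str]]:
    """Map each service whose binary the SCM could not load (7023 + ERROR_BAD_EXE_FORMAT)
    to the services that failed to start because they depend on it (7001)."""
    root_failures: List[str] = []
    dependents: Dict[str, List[str]] = defaultdict(list)
    for line in text.splitlines():
        ev = parse_dds_event(line)
        if not ev or ev["source"] != "Service Control Manager":
            continue
        if ev["event_id"] == 7023:
            m = TERMINATED_RE.match(ev["message"])
            if m and m.group("err").strip() == BAD_EXE_FORMAT:
                root_failures.append(m.group("svc"))
        elif ev["event_id"] == 7001:
            m = DEPENDS_RE.match(ev["message"])
            if m and m.group("err").strip() == BAD_EXE_FORMAT:
                dependents[m.group("dep")].append(m.group("svc"))
    # A 7001 can be logged before or after the 7023 for the same dependency
    # (see Terminal Services above), so merge both views at the end.
    result: Dict[str, List[str]] = {svc: [] for svc in root_failures}
    for dep, svcs in dependents.items():
        result[dep] = sorted(set(result.get(dep, []) + svcs))
    return result


if __name__ == "__main__":
    for svc, deps in image_load_failures(SAMPLE_EVENTS).items():
        print("%s: binary rejected by the loader; blocked dependents: %s" % (svc, ", ".join(deps) or "none"))
```

On XP these three services run as DLLs inside svchost.exe, so the files worth hashing and header-checking are the service DLLs, not svchost.exe itself.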

            Dr Jay

            • Malware Removal Specialist


            • Specialist
            • Moderator emeritus
            • Thanked: 119
            • Experience: Guru
            • OS: Windows 10
            Re: Yet another "Bad Image - Not a valid Windows image. Malware??
            « Reply #6 on: October 22, 2012, 01:33:07 AM »
            • Double click on AdwCleaner.exe to run the tool.
            • Click on Delete.
            • A logfile will automatically open after the scan has finished.
            • Please post the content of that logfile in your reply.
            • You can find the logfile at C:\AdwCleaner[Rn].txt as well - n is the order number.
            ComboFix scan
             
            Please download ComboFix by sUBs
            From BleepingComputer.com
             
            Please save the file to your Desktop.
             
            Important information about ComboFix
             

            After the download:
            • Close any open browsers.
            • Very Important: Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results". Please visit here if you don't know how.
            • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
            • Please do not attempt to re-connect your machine back to the Internet until ComboFix has completely finished.
            • If there is no Internet connection after running ComboFix, then restart your computer to restore back your connection.
            Running ComboFix:
            • Double click on ComboFix.exe & follow the prompts.
            • When ComboFix finishes, it will produce a report for you.
            • Please post the report, which will launch or be found at "C:\Combo-Fix.txt" in your next reply.
            Troubleshooting ComboFix
             
            Safe Mode:
             
            If you still cannot get ComboFix to run, try booting into Safe Mode, and run it there.
             
            (To boot into Safe Mode, tap F8 after BIOS, and just before the Windows
            logo appears. A list of options will appear, select "Safe Mode.")
             
            Re-downloading:
             
            If this doesn't work either, try the same method (above method), but try to download it again, except rename ComboFix.exe to iexplore.exe, explorer.exe, or winlogon.exe.
             
            Malware is known for blocking all "user" processes, except for its whitelist of system important processes such as iexplore.exe, explorer.exe, winlogon.exe.
             
            NOTE: If you encounter a message "illegal operation attempted on registry key that has been marked for deletion" and no programs will run - please just reboot and that will resolve that error.
            ~Dr Jay

            Tecknoted

              Topic Starter


              Greenhorn

              • Experience: Familiar
              • OS: Windows XP
              Re: Yet another "Bad Image - Not a valid Windows image. Malware??
              « Reply #7 on: October 23, 2012, 05:27:30 PM »
              # AdwCleaner v2.005 - Logfile created 10/24/2012 at 12:28:28
              # Updated 14/10/2012 by Xplode
              # Operating system : Microsoft Windows XP Service Pack 3 (32 bits)
              # User : Admin - HOME-BF5F8D8B79
              # Boot Mode : Normal
              # Running from : C:\Documents and Settings\Admin.HOME-BF5F8D8B79\My Documents\Downloads\adwcleaner.exe
              # Option [Delete]


              ***** [Services] *****


              ***** [Files / Folders] *****

              Folder Deleted : C:\Program Files\Ask.com
              Folder Deleted : C:\WINDOWS\Installer\{86D4B82A-ABED-442A-BE86-96357B70F4FE}

              ***** [Registry] *****


              ***** [Internet Browsers] *****

              -\\ Internet Explorer v6.0.2900.5512

              [OK] Registry is clean.

              -\\ Mozilla Firefox v16.0.1 (en-US)

              *************************

              AdwCleaner[R1].txt - [850 octets] - [22/10/2012 14:19:59]
              AdwCleaner[R2].txt - [909 octets] - [24/10/2012 12:27:52]
              AdwCleaner[S1].txt - [845 octets] - [24/10/2012 12:28:28]

              ########## EOF - C:\AdwCleaner[S1].txt - [904 octets] ##########

              Still working on the other file and will get back to that asap. Thanks

              Tecknoted

                Topic Starter


                Greenhorn

                • Experience: Familiar
                • OS: Windows XP
                Re: Yet another "Bad Image - Not a valid Windows image. Malware??
                « Reply #8 on: October 23, 2012, 07:51:23 PM »
                Here is the Combofix log.

                ComboFix 12-10-23.01 - Admin 24/10/2012  13:41:06.1.1 - x86
                Microsoft Windows XP Home Edition  5.1.2600.3.1252.64.1033.18.767.455 [GMT 13:00]
                Running from: c:\documents and settings\Admin.HOME-BF5F8D8B79\My Documents\Downloads\ComboFix.exe
                AV: AntiVir Desktop *Enabled/Updated* {AD166499-45F9-482A-A743-FDD3350758C7}
                 * Created a new restore point
                .
                .
                (((((((((((((((((((((((((   Files Created from 2012-09-24 to 2012-10-24  )))))))))))))))))))))))))))))))
                .
                .
                2012-10-22 01:30 . 2012-10-22 01:30   --------   d-----w-   c:\documents and settings\Admin.HOME-BF5F8D8B79\Application Data\Malwarebytes
                2012-10-22 01:30 . 2012-10-22 01:30   --------   d-----w-   c:\documents and settings\All Users.WINDOWS\Application Data\Malwarebytes
                2012-10-22 01:30 . 2012-10-22 01:30   --------   d-----w-   c:\program files\Malwarebytes' Anti-Malware
                2012-10-22 01:30 . 2012-09-29 06:54   22856   ----a-w-   c:\windows\system32\drivers\mbam.sys
                2012-10-22 01:06 . 2012-10-22 01:06   --------   d-----w-   c:\program files\CCleaner
                2012-10-20 05:41 . 2012-10-20 05:41   --------   d-----w-   c:\documents and settings\Admin.HOME-BF5F8D8B79\Application Data\Avira
                2012-10-20 04:27 . 2008-04-13 16:41   21504   -c--a-w-   c:\windows\system32\dllcache\hidserv.dll
                2012-10-20 04:27 . 2008-04-13 16:41   21504   ----a-w-   c:\windows\system32\hidserv.dll
                2012-10-20 04:27 . 2001-08-17 00:48   12160   -c--a-w-   c:\windows\system32\dllcache\mouhid.sys
                2012-10-20 04:27 . 2001-08-17 00:48   12160   ----a-w-   c:\windows\system32\drivers\mouhid.sys
                2012-10-20 04:27 . 2008-04-13 11:09   14592   -c--a-w-   c:\windows\system32\dllcache\kbdhid.sys
                2012-10-20 04:27 . 2008-04-13 11:09   14592   ----a-w-   c:\windows\system32\drivers\kbdhid.sys
                2012-10-20 04:26 . 2008-04-13 11:15   10368   -c--a-w-   c:\windows\system32\dllcache\hidusb.sys
                2012-10-20 04:26 . 2008-04-13 11:15   10368   ----a-w-   c:\windows\system32\drivers\hidusb.sys
                2012-10-20 04:26 . 2008-04-13 11:15   32128   -c--a-w-   c:\windows\system32\dllcache\usbccgp.sys
                2012-10-20 04:26 . 2008-04-13 11:15   32128   ----a-w-   c:\windows\system32\drivers\usbccgp.sys
                2012-10-05 03:54 . 2012-10-05 03:54   --------   d-----w-   c:\documents and settings\Admin.HOME-BF5F8D8B79\Local Settings\Application Data\Mozilla
                2012-10-05 03:19 . 2012-10-20 06:16   66616   ----a-w-   c:\windows\system32\drivers\avgntflt.sys
                2012-10-05 03:19 . 2012-10-20 06:16   138192   ----a-w-   c:\windows\system32\drivers\avipbb.sys
                2012-10-05 03:19 . 2010-06-17 02:27   45416   ----a-w-   c:\windows\system32\drivers\avgntdd.sys
                2012-10-05 03:19 . 2010-06-17 02:27   22360   ----a-w-   c:\windows\system32\drivers\avgntmgr.sys
                2012-10-05 03:19 . 2012-10-05 03:19   --------   d-----w-   c:\documents and settings\All Users.WINDOWS\Application Data\Avira
                .
                .
                .
                ((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
                .
                2012-10-20 06:53 . 2012-10-20 06:51   261600   ----a-w-   c:\program files\mozilla firefox\components\browsercomps.dll
                .
                .
                ------- Sigcheck -------
                Note: Unsigned files aren't necessarily malware.
                .
                [-] 2010-11-26 . 362BC5AF8EAF712832C58CC13AE05750 . 1614848 . . [5.1.2600.5512] . . c:\windows\system32\sfcfiles.dll
                .
                (((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
                .
                .
                *Note* empty entries & legit default entries are not shown
                REGEDIT4
                .
                [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
                "SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2010-11-26 761946]
                "avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2010-12-12 281768]
                .
                [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
                "Malwarebytes Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2012-09-29 766536]
                .
                [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
                "CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
                .
                [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
                "EnableFirewall"= 0 (0x0)
                .
                [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
                "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
                "%windir%\\system32\\sessmgr.exe"=
                "c:\\Program Files\\Microsoft Games\\Rise of Nations\\rise.exe"=
                "c:\\Program Files\\Microsoft Games\\Rise of Nations\\thrones.exe"=
                .
                [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
                "3587:TCP"= 3587:TCP:Windows Peer-to-Peer Grouping
                "3540:UDP"= 3540:UDP:Peer Name Resolution Protocol (PNRP)
                .
                [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
                "AllowInboundEchoRequest"= 1 (0x1)
                .
                R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [6/4/2012 1:45 PM 136360]
                R2 MBAMScheduler;MBAMScheduler;c:\program files\Malwarebytes' Anti-Malware\mbamscheduler.exe [10/22/2012 2:30 PM 399432]
                R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [10/22/2012 2:30 PM 676936]
                R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [10/22/2012 2:30 PM 22856]
                S3 MozillaMaintenance;Mozilla Maintenance Service;c:\program files\Mozilla Maintenance Service\maintenanceservice.exe [6/4/2012 1:37 PM 115168]
                .
                [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
                p2psvc   REG_MULTI_SZ      p2psvc p2pimsvc p2pgasvc PNRPSvc
                .
                .
                ------- Supplementary Scan -------
                .
                TCP: DhcpNameServer = 58.28.5.2 58.28.6.2
                FF - ProfilePath - c:\documents and settings\Admin.HOME-BF5F8D8B79\Application Data\Mozilla\Firefox\Profiles\ckmnnc06.default\
                FF - ExtSQL: 2012-10-21 20:23; {a0d7ccb3-214d-498b-b4aa-0e8fda9a7bf7}; c:\documents and settings\Admin.HOME-BF5F8D8B79\Application Data\Mozilla\Firefox\Profiles\ckmnnc06.default\extensions\{a0d7ccb3-214d-498b-b4aa-0e8fda9a7bf7}
                FF - ExtSQL: 2012-10-21 20:31; {d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}; c:\documents and settings\Admin.HOME-BF5F8D8B79\Application Data\Mozilla\Firefox\Profiles\ckmnnc06.default\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}.xpi
                .
                .
                **************************************************************************
                .
                catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
                Rootkit scan 2012-10-24 13:47
                Windows 5.1.2600 Service Pack 3 NTFS
                .
                scanning hidden processes ... 
                .
                scanning hidden autostart entries ...
                .
                scanning hidden files ... 
                .   
                scan completed successfully
                hidden files: 0
                .
                **************************************************************************
                .
                --------------------- DLLs Loaded Under Running Processes ---------------------
                .
                - - - - - - - > 'winlogon.exe'(556)
                c:\windows\system32\Ati2evxx.dll
                .
                Completion time: 2012-10-24  13:49:21
                ComboFix-quarantined-files.txt  2012-10-24 00:49
                .
                Pre-Run: 19,177,746,432 bytes free
                Post-Run: 19,236,704,256 bytes free
                .
                WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
                [boot loader]
                timeout=2
                default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
                [operating systems]
                c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
                UnsupportedDebug="do not select this" /debug
                multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect
                .
                - - End Of File - - 2DFF07A0227767E2BA8D4AF447413AF2

                Tecknoted

                  Topic Starter


                  Greenhorn

                  • Experience: Familiar
                  • OS: Windows XP
                  Re: Yet another "Bad Image - Not a valid Windows image. Malware??
                  « Reply #9 on: October 27, 2012, 12:27:26 AM »
                  Still nothing has changed. On boot up the start screen on XP is ready, but as soon as you select a person, the same error messages pop up :( Bad image file on explorer.exe... etc., and some other "bad image" messages when I try to get anything to run under Task Manager (that's the only way to access any software at the moment).

                  Are these "scans" showing anything helpful?

                  Thanks

                  Dr Jay

                  • Malware Removal Specialist


                  • Specialist
                  • Moderator emeritus
                  • Thanked: 119
                  • Experience: Guru
                  • OS: Windows 10
                  Re: Yet another "Bad Image - Not a valid Windows image. Malware??
                  « Reply #10 on: October 30, 2012, 11:14:55 AM »
                  ESET Online Scan
                   
                  Please run a free online scan with the ESET Online Scanner
                  • Tick the box next to YES, I accept the Terms of Use
                  • Click Start
                  • When asked, allow the ActiveX control to install, or it will ask to download an installer. Please do so and install it.
                  • Click Start or wait for the scanner to load.
                  • Make sure that the options Remove found threats and the option Scan unwanted applications are checked.
                  • Click Scan (This scan can take several hours, so please be patient)
                  • Once the scan is completed, there are a couple of things to keep in mind:
                  • 1. If NO threats were found, allow the scanner to Uninstall on close and then close the Window.
                  • 2. If threats WERE detected, click on List of Threats Found, Export to Text File...save it as ESET-Scan-Log.txt. Click the back button/link, put a checkmark to Uninstall Application on Close and then close the window.
                  • Open the logfile from wherever you saved it
                  • Copy and paste the contents in your next reply.

                  Any more issues?

                  We need to know any other issues that are plaguing your computer. Kindly give a summary so we know how to continue from here.

                  Many of the things to note for us would be:

                  • Slow computer
                  • Error messages
                  • Fake antivirus alerts or the icon in the system tray
                  • svchost.exe running at 100%
                  • System crashes or blue screen of death
                  ~Dr Jay

                  Tecknoted

                    Topic Starter


                    Greenhorn

                    • Experience: Familiar
                    • OS: Windows XP
                    Re: Yet another "Bad Image - Not a valid Windows image. Malware??
                    « Reply #11 on: November 15, 2012, 02:29:12 PM »
                    Hi DMJ

                    Sorry for the late reply - the WinXP system has been put into storage because it can be used and I've been focusing on other work and emails.
                    Will try this new scanner and post back here asap. Thanks for the heads-up tips too.

                    Thanks

                    Dr Jay

                    • Malware Removal Specialist


                    • Specialist
                    • Moderator emeritus
                    • Thanked: 119
                    • Experience: Guru
                    • OS: Windows 10
                    Re: Yet another "Bad Image - Not a valid Windows image. Malware??
                    « Reply #12 on: November 16, 2012, 04:30:51 AM »
                    Okay
                    ~Dr Jay