Hi, I was reading through the forum and trying different suggestions but seem to keep running into walls. I was hoping someone could help me.

My laptop (WinXP) was infected with a fake AV program at first, which Norton didn't pick up or clean, and then the computer just progressively circled the drain to the point where I now have to boot into safe mode and Explorer doesn't load up, so I run things through the Task Manager.

I installed mbam.exe and ran it once but it shut down of its own accord during the first scan. Since then, if I try to run it I get an error message: 'Windows cannot access the specified device, path or file. You may not have appropriate permissions to access the item.'

I tried reinstalling the program in a different folder with the same result. And when I tried to rename mbam.exe, I was told that access is denied.

I tried Process Explorer to see if there was anything to stop but can't find anything suspicious.

I then installed RootRepeal and ran it according to your directions, but it also shut down of its own accord while scanning and now it will not run again (same error message as with mbam.exe).

I ran the Kaspersky online scanner and it showed 8 threats and 25 infected objects but doesn't seem to have an option for cleaning or removing the infected items.

I'm kind of at wit's end. Is there anything else I can do or is it fruitless? I would be ever so grateful for any advice and thanks in advance for any help you may have.

Hi, jkim :)

Please download ComboFix from Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved and renamed following this process directly to your desktop**

  1. If you are using Firefox, make sure that your download settings are as follows:
    • Tools->Options->Main tab
    • Set to "Always ask me where to Save the files".
  2. During the download, rename Combofix to Combo-Fix as follows:
  3. It is important you rename Combofix during the download, but not after.
  4. Please do not rename Combofix to other names, but only to the one indicated.
  5. Close any open browsers.
  6. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

-----------------------------------------------------------

  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
  • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.

-----------------------------------------------------------

  • Close any open browsers.
  • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
  • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
  • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.

-----------------------------------------------------------

  • Double click on Combo-Fix.exe & follow the prompts.
  • Install the Recovery Console if prompted.
  • When finished, it will produce a report for you.
  • Please post the "C:\Combo-Fix.txt".

**Note: Do not mouse-click Combo-Fix's window while it's running. That may cause it to stall**

Note: ComboFix may reset a number of Internet Explorer's settings, including making it the default browser.

Note: Combofix prevents autorun of ALL CDs, floppies and USB devices to assist with malware removal & increase security.


Hi JSntgRvr

A problem came up when trying to run Combo-Fix. A dialog box popped up stating that Combofix detected the real-time scanner Symantec Antivirus to be active. I looked at your instructions for disabling Symantec, but I have no taskbar or desktop to click on the icon (just a black background). I looked through Process Manager to see if Symantec had a process that I could end but did not see anything. Should I just go ahead with the Combo-Fix or is there another way to disable Symantec (should I just try to delete the whole folder in Program Files?)

thanks again . . .


If Combofix was saved on your desktop as requested, go to Start -> Run, copy the following command (including the quotation marks) and click OK:

"%Userprofile%\Desktop\Combo-fix" /killall

Let it run.

I entered the command into Task Manager -> Run but still got the same dialog box about Symantec still running as before . . . should I just let it continue?


1. Click on the Start menu.

2. Select Run...

3. Type wbemtest and click OK

4. Click on Connect

5. Under NameSpace type in or copy/paste root\SecurityCenter

6. Click on Connect

7. Click on Query

8. Type in or copy/paste SELECT * FROM AntiVirusProduct and click on Apply

If there is more than one result, it means there is more than one Antivirus program installed. Double click on each result to view the properties for that Antivirus product. Identify the product(s) installed and DELETE any records for Antivirus software that is no longer installed.


Did so, and there was one result linked to Symantec, which I deleted . . . then I tried running Combo-Fix as you described in the earlier post (nothing came up about Symantec) . . . it started (a blue DOS-like window came up) but then 20 seconds into it I get a dialog box that says 'Error' in the title bar with no other information . . . if I click OK (the only option) the whole computer reboots . . .

Restart the computer.

Remove Combo-fix and download another copy following the same instructions. If the error is returned, write down the exact message in case we need to contact the developer.

Removed Combo-Fix, and when I try to download another copy from the provided link (Save Link As), it tries to save a 345KB HTML doc (the one I downloaded originally was ~3.7MB) . . . if I click on the link it just says 404 Not Found (bleepingcomputer link)


Seems the links are unavailable at this time. Let's try other tools meanwhile.

Download OTL to your Desktop

  • Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
  • OTL should now start. Change the following settings:
    • Change Drivers to All
    • Change Registry and Extra Registry to All
    • Under File Scans, change File age to 30
  • Under the Custom Scan box paste this in:

    netsvcs
    %SYSTEMDRIVE%\*.exe
    /md5start
    eventlog.dll
    scecli.dll
    netlogon.dll
    cngaudit.dll
    sceclt.dll
    ntelogon.dll
    logevent.dll
    iaStor.sys
    nvstor.sys
    atapi.sys
    IdeChnDr.sys
    viasraid.sys
    AGP440.sys
    vaxscsi.sys
    nvatabus.sys
    viamraid.sys
    nvata.sys
    nvgts.sys
    iastorv.sys
    ViPrt.sys
    eNetHook.dll
    ahcix86.sys
    KR10N.sys
    nvstor32.sys
    ahcix86s.sys
    nvrd32.sys
    /md5stop
    %systemroot%\*. /mp /s
    CREATERESTOREPOINT
    %systemroot%\system32\*.dll /lockedfiles
    %systemroot%\Tasks\*.job /lockedfiles

  • Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
  • When the scan completes, it will open two Notepad windows, OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
  • Please post the contents of these files in your next reply.


Download GMER Rootkit Scanner from here or here.

  • Extract the contents of the zipped file to desktop.
  • Double click GMER.exe.
  • If it gives you a warning about rootkit activity and asks if you want to run a full scan, click on NO, then use the following settings for a more complete scan.
  • In the right panel, you will see several boxes that have been checked. Ensure that only the following are CHECKED:
    • IAT/EAT
    • Devices
    • Processes
    • Threads
    • Drives/Partition other than Systemdrive (typically C:\)
  • Then click the Scan button & wait for it to finish.
  • Once done click on the [Save..] button, and in the File name area, type in "ark.txt"
  • Save it where you can easily find it, such as your desktop, and post its contents in your next reply.

**Caution**

Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries.


I installed OTL and made the setting changes you described and pasted the text into 'Custom Scan' (can't really see the text though; the textbox is smaller than one line) . . . when I click on 'Quick Scan' it automatically changes the settings (Drivers->None; Extra Registry->None; File Age->14 Days; checks the boxes for Skip Microsoft Files, LOP Check, and Purity Check), then I get the hourglass after about 15 seconds and it freezes.

I'll kill it and try the GMER scanner next . . .

Tried the OTL program in regular mode (instead of safe) and got the following .txts (but hitting Quick Scan altered the settings as I mentioned before):

OTL.txt

OTL logfile created on: 2/16/2010 10:16:49 AM - Run 1
OTL by OldTimer - Version 3.1.28.0 Folder = C:\Documents and Settings\Soup\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1,023.00 Mb Total Physical Memory | 372.00 Mb Available Physical Memory | 36.00% Memory free
2.00 Gb Paging File | 2.00 Gb Available in Paging File | 83.00% Paging File free
Paging file location(s): C:\pagefile.sys 1536 3072 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 90.09 Gb Total Space | 0.91 Gb Free Space | 1.01% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: STYX
Current User Name: Soup
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: On
Skip Microsoft Files: On
File Age = 14 Days
Output = Standard
Quick Scan

========== Processes (SafeList) ==========

PRC - [2010/02/16 10:14:25 | 000,549,376 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Soup\Desktop\OTL.exe
PRC - [2009/04/16 18:43:41 | 000,307,704 | ---- | M] (Mozilla Corporation) -- C:\Program Files\Mozilla Firefox\firefox.exe
PRC - [2009/03/09 04:19:15 | 000,152,984 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Java\jre6\bin\jqs.exe
PRC - [2009/02/03 10:32:28 | 003,550,592 | ---- | M] (Sysinternals - www.sysinternals.com) -- C:\My Music\procexp.exe
PRC - [2005/11/15 12:27:54 | 001,756,912 | ---- | M] (Symantec Corporation) -- C:\Program Files\Symantec AntiVirus\Rtvscan.exe
PRC - [2005/11/15 12:27:44 | 000,020,208 | ---- | M] (Symantec Corporation) -- C:\Program Files\Symantec AntiVirus\DefWatch.exe
PRC - [2005/10/04 11:42:50 | 000,177,776 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
PRC - [2005/10/04 11:42:42 | 000,185,968 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
PRC - [2005/08/04 03:02:58 | 000,380,928 | ---- | M] (ATI Technologies Inc.) -- C:\WINDOWS\system32\ati2evxx.exe
PRC - [2005/03/30 20:48:22 | 000,992,864 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
PRC - [2005/03/03 22:29:02 | 000,356,352 | ---- | M] (Dell Inc.) -- C:\Program Files\Dell\NicConfigSvc\NicConfigSvc.exe
PRC - [2004/09/07 15:12:32 | 000,225,353 | ---- | M] (Intel


I think the tamper protection from Symantec is interfering with the GMER scan . . . now that I'm running in normal mode, I can see 3-4 Symantec processes but I can't kill them because the tamper protection blocks it . . . I tried the wbemtest command you described earlier and 1 instance comes up with each query, but after I delete it and rerun wbemtest, the instance occurs again? Any suggestions on how to disable or get rid of Symantec? I can't open the Symantec program to uncheck tamper protection (no Start menu, taskbar, etc.)

Found a way to disable Symantec and then I ran GMER with the following as the ark.txt:

GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-02-16 12:47:45
Windows 5.1.2600 Service Pack 3
Running: gmer.exe; Driver: C:\DOCUME~1\Soup\LOCALS~1\Temp\pxtdypog.sys

---- User IAT/EAT - GMER 1.0.15 ----

IAT C:\Program Files\Mozilla Firefox\firefox.exe[2476] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtWriteFile] [35672AAE] \\?\globalroot\Device\__max++>\5D96FCDE.x86.dll
IAT C:\Program Files\Mozilla Firefox\firefox.exe[2476] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!LdrGetProcedureAddress] [35672A38] \\?\globalroot\Device\__max++>\5D96FCDE.x86.dll

---- Devices - GMER 1.0.15 ----

Device \FileSystem\Fastfat \Fat B7325D20
AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
Device \FileSystem\Cdfs \Cdfs tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)

---- Processes - GMER 1.0.15 ----

Library \\?\globalroot\Device\__max++>\5D96FCDE.x86.dll (*** hidden *** ) @ C:\WINDOWS\System32\alg.exe [440] 0x35670000
Library \\?\globalroot\Device\__max++>\5D96FCDE.x86.dll (*** hidden *** ) @ C:\WINDOWS\system32\svchost.exe [736] 0x35670000
Library \\?\globalroot\Device\__max++>\5D96FCDE.x86.dll (*** hidden *** ) @ C:\Program Files\Java\jre6\bin\jqs.exe [796] 0x35670000
Library \\?\globalroot\Device\__max++>\5D96FCDE.x86.dll (*** hidden *** ) @ C:\WINDOWS\system32\svchost.exe [1368] 0x35670000
Library \\?\globalroot\Device\__max++>\5D96FCDE.x86.dll (*** hidden *** ) @ C:\WINDOWS\system32\spoolsv.exe [1424] 0x35670000
Library \\?\globalroot\Device\__max++>\5D96FCDE.x86.dll (*** hidden *** ) @ C:\WINDOWS\System32\svchost.exe [1584] 0x35670000
Library \\?\globalroot\Device\__max++>\5D96FCDE.x86.dll (*** hidden *** ) @ C:\WINDOWS\system32\svchost.exe [1856] 0x35670000
Library \\?\globalroot\Device\__max++>\5D96FCDE.x86.dll (*** hidden *** ) @ C:\WINDOWS\system32\svchost.exe [1968] 0x35670000
Library \\?\globalroot\Device\__max++>\5D96FCDE.x86.dll (*** hidden *** ) @ C:\Program Files\Mozilla Firefox\firefox.exe [2476] 0x35670000

---- EOF - GMER 1.0.15 ----

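As an added example (not part of this thread and not GMER's own code), here is a small Python triage script for ark.txt output in the format above: it parses the IAT and Library lines and surfaces the pattern the helper reacts to, a library GMER marks hidden, backed by a \\?\globalroot\Device\ path rather than a file on disk, loaded into many unrelated processes, together with the IAT hooks that redirect imports into it. The sample input is a trimmed copy of the log above; the function and field names are my own.

```python
"""Triage helper for GMER 'ark.txt' output (added example, not GMER's own code).

Two line shapes from the log matter here:

  IAT <process>[<pid>] @ <hooked module> [<import>] [<address>] <hook target>
  Library <path> (*** hidden *** ) @ <process> [<pid>] <base address>

A library GMER flags as hidden, whose path is a \\?\globalroot\Device\ object
path instead of a drive-letter path, and which appears in several unrelated
processes is what a responder wants surfaced first; IAT hooks pointing into
that library are reported beside it.  Everything else is left for manual review.
"""
import re
from collections import defaultdict

# 'IAT' finding: process[pid] @ module [import] [address] target
IAT_RE = re.compile(
    r"^IAT (?P<process>.+?)\[(?P<pid>\d+)\] @ (?P<module>.+?) "
    r"\[(?P<import>[^\]]+)\] \[(?P<address>[0-9A-Fa-f]+)\] (?P<target>.+)$"
)
# 'Library' finding: path [(*** hidden *** )] @ process [pid] base
LIBRARY_RE = re.compile(
    r"^Library (?P<path>.+?)(?P<hidden> \(\*\*\* hidden \*\*\* \))? @ "
    r"(?P<process>.+?) \[(?P<pid>\d+)\] (?P<base>0x[0-9A-Fa-f]+)$"
)
# A path into the NT object namespace: not something you can open by drive letter.
DEVICE_PATH_RE = re.compile(r"^\\\\\?\\globalroot\\device\\", re.IGNORECASE)


def parse_ark(text):
    """Return {'iat': [...], 'libraries': [...]} from GMER output; other lines are ignored."""
    iat, libraries = [], []
    for line in text.splitlines():
        m = IAT_RE.match(line)
        if m:
            rec = m.groupdict()
            rec["pid"] = int(rec["pid"])
            iat.append(rec)
            continue
        m = LIBRARY_RE.match(line)
        if m:
            rec = m.groupdict()
            rec["pid"] = int(rec["pid"])
            rec["hidden"] = rec["hidden"] is not None
            libraries.append(rec)
    return {"iat": iat, "libraries": libraries}


def is_device_backed(path):
    """True when a module path lives under \\?\globalroot\Device\ (no on-disk file to inspect)."""
    return bool(DEVICE_PATH_RE.match(path))


def triage(text):
    """Group hidden or device-backed libraries by module and pair them with IAT hooks into them."""
    parsed = parse_ark(text)
    injected = defaultdict(list)  # module path -> [(process, pid), ...]
    for lib in parsed["libraries"]:
        if lib["hidden"] or is_device_backed(lib["path"]):
            injected[lib["path"]].append((lib["process"], lib["pid"]))
    hooks = [h for h in parsed["iat"]
             if h["target"] in injected or is_device_backed(h["target"])]
    findings = []
    for path, procs in injected.items():
        where = ", ".join(f"{proc} [{pid}]" for proc, pid in procs)
        findings.append(f"hidden module {path} loaded in {len(procs)} process(es): {where}")
    for h in hooks:
        findings.append(f"IAT hook in {h['process']} [{h['pid']}]: {h['import']} -> {h['target']}")
    return {"injected": dict(injected), "hooks": hooks, "findings": findings}


# Constructed sample: a trimmed copy of the ark.txt quoted in the thread.
SAMPLE_ARK = r"""GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-02-16 12:47:45
---- User IAT/EAT - GMER 1.0.15 ----
IAT C:\Program Files\Mozilla Firefox\firefox.exe[2476] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtWriteFile] [35672AAE] \\?\globalroot\Device\__max++>\5D96FCDE.x86.dll
IAT C:\Program Files\Mozilla Firefox\firefox.exe[2476] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!LdrGetProcedureAddress] [35672A38] \\?\globalroot\Device\__max++>\5D96FCDE.x86.dll
---- Devices - GMER 1.0.15 ----
Device \FileSystem\Fastfat \Fat B7325D20
AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
---- Processes - GMER 1.0.15 ----
Library \\?\globalroot\Device\__max++>\5D96FCDE.x86.dll (*** hidden *** ) @ C:\WINDOWS\System32\alg.exe [440] 0x35670000
Library \\?\globalroot\Device\__max++>\5D96FCDE.x86.dll (*** hidden *** ) @ C:\WINDOWS\system32\svchost.exe [736] 0x35670000
Library \\?\globalroot\Device\__max++>\5D96FCDE.x86.dll (*** hidden *** ) @ C:\Program Files\Mozilla Firefox\firefox.exe [2476] 0x35670000
---- EOF - GMER 1.0.15 ----
"""

if __name__ == "__main__":
    for finding in triage(SAMPLE_ARK)["findings"]:
        print(finding)
```

Run it against a real ark.txt with `triage(open("ark.txt").read())`; entries it does not flag still deserve a look, since the rule only encodes the one pattern this thread shows.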

  • Copy the entire contents of the Quote Box below to Notepad.
  • Name the file as Fix.bat
  • Change the Save as Type to All Files
  • and Save it on the desktop
  • Once saved, double click on the Fix.bat file.

@Echo Off
REM Stop the Symantec services first, then delete their service registrations.
REM A service name containing a space must be quoted, or SC reads it as two arguments.
SC STOP LiveUpdate >Nul
SC STOP SavRoam >Nul
SC STOP "Symantec AntiVirus" >Nul
SC STOP DefWatch >Nul
SC STOP SNDSrvc >Nul
SC STOP ccSetMgr >Nul
SC STOP ccPwdSvc >Nul
SC STOP ccEvtMgr >Nul
SC STOP SPBBCSvc >Nul
SC DELETE LiveUpdate >Nul
SC DELETE SavRoam >Nul
SC DELETE "Symantec AntiVirus" >Nul
SC DELETE DefWatch >Nul
SC DELETE SNDSrvc >Nul
SC DELETE ccSetMgr >Nul
SC DELETE ccPwdSvc >Nul
SC DELETE ccEvtMgr >Nul
SC DELETE SPBBCSvc >Nul
REM Remove this batch file once it has run.
Del %0

Restart the computer.

  • Please double-click OTL.exe to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator).
  • Copy the lines in the quote below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):
    :OTL
    PRC - [2005/11/15 12:27:54 | 001,756,912 | ---- | M] (Symantec Corporation) -- C:\Program Files\Symantec AntiVirus\Rtvscan.exe
    PRC - [2005/11/15 12:27:44 | 000,020,208 | ---- | M] (Symantec Corporation) -- C:\Program Files\Symantec AntiVirus\DefWatch.exe
    PRC - [2005/10/04 11:42:50 | 000,177,776 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    PRC - [2005/10/04 11:42:42 | 000,185,968 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    PRC - [2005/03/30 20:48:22 | 000,992,864 | ---- | M] (Symantec Corporation) -- C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    SRV - [2006/02/23 10:41:02 | 002,045,632 | ---- | M] (Symantec Corporation) [On_Demand | Stopped] -- C:\Program Files\Symantec\LiveUpdate\LuComServer_3_0.EXE -- (LiveUpdate)
    SRV - [2005/11/15 12:27:56 | 000,169,200 | ---- | M] (symantec) [On_Demand | Stopped] -- C:\Program Files\Symantec AntiVirus\SavRoam.exe -- (SavRoam)
    SRV - [2005/11/15 12:27:54 | 001,756,912 | ---- | M] (Symantec Corporation) [Auto | Running] -- C:\Program Files\Symantec AntiVirus\Rtvscan.exe -- (Symantec AntiVirus)
    SRV - [2005/11/15 12:27:44 | 000,020,208 | ---- | M] (Symantec Corporation) [Auto | Running] -- C:\Program Files\Symantec AntiVirus\DefWatch.exe -- (DefWatch)
    SRV - [2005/10/19 16:39:34 | 000,214,672 | ---- | M] (Symantec Corporation) [On_Demand | Stopped] -- C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe -- (SNDSrvc)
    SRV - [2005/10/04 11:42:50 | 000,177,776 | ---- | M] (Symantec Corporation) [Auto | Running] -- C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe -- (ccSetMgr)
    SRV - [2005/10/04 11:42:48 | 000,083,568 | ---- | M] (Symantec Corporation) [On_Demand | Stopped] -- C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe -- (ccPwdSvc)
    SRV - [2005/10/04 11:42:42 | 000,185,968 | ---- | M] (Symantec Corporation) [Auto | Running] -- C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe -- (ccEvtMgr)
    SRV - [2005/03/30 20:48:22 | 000,992,864 | ---- | M] (Symantec Corporation) [Auto | Running] -- C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe -- (SPBBCSvc)
    O1 HOSTS File: ([2009/08/10 14:54:44 | 000,000,686 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\HOSTS
    O2 - BHO: () - {4D25F921-B9FE-4682-BF72-8AB8210D6D75} - C:\Program Files\MyWaySA\SrchAsDe\deSrcAs.dll (MyWay.com)
    O4 - HKLM..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe (Symantec Corporation)
    O4 - HKLM..\Run: [combofix] C:\Combo-Fix30519C\CF8326.cfx File not found
    O4 - HKLM..\Run: [system tool] C:\Program Files\liqcvi\olaqsysguard.exe File not found
    O4 - HKLM..\Run: [vptray] C:\Program Files\Symantec AntiVirus\VPTray.exe (Symantec Corporation)
    O4 - HKCU..\Run: [Monopod] C:\DOCUME~1\Soup\LOCALS~1\Temp\a.exe File not found
    O4 - HKCU..\Run: [NordBull] C:\WINDOWS\msa.exe File not found
    O4 - HKCU..\Run: [system tool] C:\Program Files\liqcvi\olaqsysguard.exe File not found
    O4 - HKLM..\RunOnce: [combofix] C:\Combo-Fix30519C\CF8326.cfx File not found
    O4 - HKLM..\RunOnceEx: [flags] Reg Error: Invalid data type. File not found
    O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O9 - Extra Button: PartyCasino.com - {B4B52284-A248-4c51-9F7C-F0A0C67FCC9D} - C:\Program Files\PartyGaming\PartyCasino\RunCasino.exe File not found
    O9 - Extra 'Tools' menuitem : PartyCasino.com - {B4B52284-A248-4c51-9F7C-F0A0C67FCC9D} - C:\Program Files\PartyGaming\PartyCasino\RunCasino.exe File not found
    O9 - Extra Button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe ()
    O9 - Extra 'Tools' menuitem : PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe ()
    O9 - Extra Button: MUSICMATCH MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - File not found
    O15 - HKLM\..Trusted Domains: 1 domain(s) and sub-domain(s) not assigned to a zone.
    O16 - DPF: {01010E00-5E80-11D8-9E86-0007E96C65AE} http://www.symantec.com/techsupp/asa/ctrl/tgctlsi.cab (SupportSoft SmartIssue)
    O16 - DPF: {01012101-5E80-11D8-9E86-0007E96C65AE} http://www.symantec.com/techsupp/asa/ctrl/tgctlsr.cab (SupportSoft Script Runner Class)
    O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} http://www.symantec.com/techsupp/asa/ctrl/LSSupCtl.cab (LSSupCtl Class)
    O16 - DPF: {CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA} http://java.sun.com/products/plugin/autodl...indows-i586.cab (Reg Error: Key error.)
    O16 - DPF: {CAFEEFAC-0015-0000-0005-ABCDEFFEDCBA} http://java.sun.com/update/1.5.0/jinstall-...indows-i586.cab (Reg Error: Key error.)
    O16 - DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} http://java.sun.com/update/1.5.0/jinstall-...indows-i586.cab (Reg Error: Key error.)
    O16 - DPF: {CAFEEFAC-0015-0000-0009-ABCDEFFEDCBA} http://java.sun.com/update/1.5.0/jinstall-...indows-i586.cab (Reg Error: Key error.)
    O16 - DPF: {CAFEEFAC-0015-0000-0010-ABCDEFFEDCBA} http://java.sun.com/update/1.5.0/jinstall-...indows-i586.cab (Reg Error: Key error.)
    O16 - DPF: {CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA} http://java.sun.com/update/1.5.0/jinstall-...indows-i586.cab (Reg Error: Key error.)
    O16 - DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Reg Error: Key error.)
    O16 - DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Reg Error: Key error.)
    O16 - DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Reg Error: Key error.)
    O16 - DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Reg Error: Key error.)
    O16 - DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Reg Error: Key error.)
    :Files
    C:\Program Files\Symantec AntiVirus
    C:\Program Files\Common Files\Symantec Shared
    C:\WINDOWS\System32\*.tmp
    C:\Documents and Settings\Soup\My Documents\*.tmp
    C:\*.tmp
    C:\WINDOWS\*.tmp
    C:\WINDOWS\tasks\{BB65B0FB-5712-401b-B616-E69AC55E2757}.job
    C:\WINDOWS\tasks\{7B02EF0B-A410-4938-8480-9BA26420A627}.job
    C:\WINDOWS\Tasks\1-Click Maintenance.job
    C:\Updater.exe
    C:\vlc-1.0.0-win32.exe
  • Return to OTL, right click in the "Custom Scans/Fixes" window and choose Paste.
  • Click the red Run Fix button.
  • A report will be produced and saved in the C:\_OTL\MovedFiles folder. Open that report and post its contents in a reply.

Run OTL once again.

  • Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
  • OTL should now start. Change the following settings:
    • Change Drivers to All
    • Change Standard Registry to All
    • Under File Scans, change File age to 30
  • Under the Custom Scan box paste this in:

    /md5start
    scecli.dll
    Explorer.exe
    /md5stop

  • Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
  • When the scan completes, it will open two Notepad windows, OTL.Txt and Extras.Txt (first run only). These are saved in the same location as OTL.
  • Please post the contents of these files in your next reply.


I also reran OTL (since removing Symantec may have changed things); the following is the OTL.txt (there was no Extras.txt):

OTL logfile created on: 2/16/2010 12:51:20 PM - Run 2
OTL by OldTimer - Version 3.1.28.0 Folder = C:\Documents and Settings\Soup\Desktop
Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1,023.00 Mb Total Physical Memory | 558.00 Mb Available Physical Memory | 54.00% Memory free
2.00 Gb Paging File | 2.00 Gb Available in Paging File | 88.00% Paging File free
Paging file location(s): C:\pagefile.sys 1536 3072 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 90.09 Gb Total Space | 1.22 Gb Free Space | 1.35% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: STYX
Current User Name: Soup
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: Current user
Company Name Whitelist: On
Skip Microsoft Files: On
File Age = 14 Days
Output = Standard
Quick Scan

========== Processes (SafeList) ==========

PRC - [2010/02/16 10:14:25 | 000,549,376 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Soup\Desktop\OTL.exe
PRC - [2009/12/15 11:24:48 | 000,293,376 | ---- | M] () -- C:\Documents and Settings\Soup\Desktop\gmer.exe
PRC - [2009/04/16 18:43:41 | 000,307,704 | ---- | M] (Mozilla Corporation) -- C:\Program Files\Mozilla Firefox\firefox.exe
PRC - [2009/03/09 04:19:15 | 000,152,984 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Java\jre6\bin\jqs.exe
PRC - [2009/02/03 10:32:28 | 003,550,592 | ---- | M] (Sysinternals - www.sysinternals.com) -- C:\My Music\procexp.exe
PRC - [2008/04/13 18:12:41 | 000,013,824 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\wscntfy.exe
PRC - [2005/08/04 03:02:58 | 000,380,928 | ---- | M] (ATI Technologies Inc.) -- C:\WINDOWS\system32\ati2evxx.exe
PRC - [2005/03/03 22:29:02 | 000,356,352 | ---- | M] (Dell Inc.) -- C:\Program Files\Dell\NicConfigSvc\NicConfigSvc.exe
PRC - [2004/09/07 15:12:32 | 000,225,353 | ---- | M] (Intel


I am glad you were able to run GMER. It shows a very special infection. Please follow these steps:

You must first verify that you can logon to the Windows Recovery Console.

To do so, you must have the Recovery Console installed or use the Windows XP installation cd.

How to install and use the Windows XP Recovery Console

  • Next, please download maxlook, saving the file to your desktop.
  • Double click maxlook.exe to run it. Note - you must run it only once!
  • As instructed when the tool runs, restart the computer and logon to the Recovery Console.
  • Execute the following command at the x:\windows> prompt (the x represents your operating system drive letter, usually C):

batch look.bat

  • You will see 1 file copied many times then return to the x:\windows> prompt.
  • Type Exit to restart your computer then logon in normal mode.
  • Please run maxlook.exe again now. Note - you must run it only once!
  • It will produce looklog.txt on the desktop and open it.
  • Please post the results here.


WinXP came preloaded on the machine and I don't have the installation CD . . . is there any way to check if I have the Recovery Console already installed? (The link you provided seems to suggest that it's an option to be selected on startup if it's there.) . . . if not, is there some way to download it?


You can burn a CD with the Recovery Console.

  1. Go to this link for information on how to burn an iso image:
  2. Download the rc.iso file.
  3. Save it to your desktop.
  4. Put a blank CD in your computer’s burner.
  5. Follow the instructions on the previous link to burn the rc.iso image to a CD
  6. When the disk finishes, eject the CD.
  7. Configure the sick computer to start from the CD-ROM or DVD-ROM drive. For information about how to do this, see your computer documentation, or contact your computer manufacturer.
  8. Insert the Image of rc.iso that you burned to CD into your CD-ROM or DVD-ROM drive, and then restart your computer.
  9. When you receive the "Press any key to boot from CD" message, press a key to start your computer from the Windows XP CD-ROM.
  10. You will be prompted with the following options:
    A. To setup Windows XP, press Enter.
    B. To repair Windows XP installation using recovery console, press R.
    Choose the option "To repair the Windows XP installation using recovery console" by pressing R. If an Administrator Password has been established, you will be prompted to type it in. If no Administrator Password exists, just press ENTER.
  11. You will be presented with the following:
    Microsoft Windows

Made the CD and booted from it and followed the instructions to install the Recovery Console (although nothing different happened after I removed the CD and rebooted).

Went back to post 18 and ran Fix.bat.

Then I opened OTL and pasted what was in the quote box and did Run Fix; the following is the report from the _OTL\MovedFiles folder:

========== OTL ==========
No active process named Rtvscan.exe was found!
No active process named DefWatch.exe was found!
No active process named ccSetMgr.exe was found!
No active process named ccEvtMgr.exe was found!
No active process named SPBBCSvc.exe was found!
Error: No service named LiveUpdate was found to stop!
Unable to stop service LiveUpdate!
File C:\Program Files\Symantec\LiveUpdate\LuComServer_3_0.EXE not found.
Error: No service named SavRoam was found to stop!
Unable to stop service SavRoam!
File C:\Program Files\Symantec AntiVirus\SavRoam.exe not found.
Error: No service named Symantec AntiVirus was found to stop!
Unable to stop service Symantec AntiVirus!
File C:\Program Files\Symantec AntiVirus\Rtvscan.exe not found.
Error: No service named DefWatch was found to stop!
Unable to stop service DefWatch!
File C:\Program Files\Symantec AntiVirus\DefWatch.exe not found.
Error: No service named SNDSrvc was found to stop!
Unable to stop service SNDSrvc!
File C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe not found.
Error: No service named ccSetMgr was found to stop!
Unable to stop service ccSetMgr!
File C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe not found.
Error: No service named ccPwdSvc was found to stop!
Unable to stop service ccPwdSvc!
File C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe not found.
Error: No service named ccEvtMgr was found to stop!
Unable to stop service ccEvtMgr!
File C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe not found.
Error: No service named SPBBCSvc was found to stop!
Unable to stop service SPBBCSvc!
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe moved successfully.
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{4D25F921-B9FE-4682-BF72-8AB8210D6D75}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{4D25F921-B9FE-4682-BF72-8AB8210D6D75}\ deleted successfully.
C:\Program Files\MyWaySA\SrchAsDe\deSrcAs.dll moved successfully.
Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\\ccApp not found.
File C:\Program Files\Common Files\Symantec Shared\ccApp.exe not found.
Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\\combofix deleted successfully.
Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\\system tool deleted successfully.

Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\\vptray not found.

File C:\Program Files\Symantec AntiVirus\VPTray.exe not found.

Registry value HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\\Monopod deleted successfully.

Registry value HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\\NordBull deleted successfully.

Registry value HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\\system tool deleted successfully.

Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce\\combofix deleted successfully.

Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnceEx\\flags deleted successfully.

Registry key HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Restrictions\ deleted successfully.

Registry key HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer\Restrictions\ deleted successfully.

Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{B4B52284-A248-4c51-9F7C-F0A0C67FCC9D}\ deleted successfully.

Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B4B52284-A248-4c51-9F7C-F0A0C67FCC9D}\ not found.

Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{B4B52284-A248-4c51-9F7C-F0A0C67FCC9D}\ not found.

Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B4B52284-A248-4c51-9F7C-F0A0C67FCC9D}\ not found.

Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{B7FE5D70-9AA2-40F1-9C6B-12A255F085E1}\ deleted successfully.

Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B7FE5D70-9AA2-40F1-9C6B-12A255F085E1}\ not found.

C:\Program Files\PartyGaming\PartyPoker\RunApp.exe moved successfully.

Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{B7FE5D70-9AA2-40F1-9C6B-12A255F085E1}\ not found.

Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B7FE5D70-9AA2-40F1-9C6B-12A255F085E1}\ not found.

File C:\Program Files\PartyGaming\PartyPoker\RunApp.exe not found.

Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{d81ca86b-ef63-42af-bee3-4502d9a03c2d}\ deleted successfully.

Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{d81ca86b-ef63-42af-bee3-4502d9a03c2d}\ deleted successfully.

Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\msn.com\ deleted successfully.

Starting removal of ActiveX control {01010E00-5E80-11D8-9E86-0007E96C65AE}

C:\WINDOWS\Downloaded Program Files\tgctlsi.inf moved successfully.

Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{01010E00-5E80-11D8-9E86-0007E96C65AE}\ deleted successfully.

Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{01010E00-5E80-11D8-9E86-0007E96C65AE}\ deleted successfully.

Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{01010E00-5E80-11D8-9E86-0007E96C65AE}\ not found.

Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{01010E00-5E80-11D8-9E86-0007E96C65AE}\ not found.

Starting removal of ActiveX control {01012101-5E80-11D8-9E86-0007E96C65AE}

C:\WINDOWS\Downloaded Program Files\tgctlsr.inf moved successfully.

Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{01012101-5E80-11D8-9E86-0007E96C65AE}\ deleted successfully.

Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{01012101-5E80-11D8-9E86-0007E96C65AE}\ deleted successfully.

Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{01012101-5E80-11D8-9E86-0007E96C65AE}\ not found.

Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{01012101-5E80-11D8-9E86-0007E96C65AE}\ not found.

Starting removal of ActiveX control {1F2F4C9E-6F09-47BC-970D-3C54734667FE}

C:\WINDOWS\Downloaded Program Files\LSSupCtl.inf moved successfully.

Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{1F2F4C9E-6F09-47BC-970D-3C54734667FE}\ deleted successfully.

Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1F2F4C9E-6F09-47BC-970D-3C54734667FE}\ deleted successfully.

Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{1F2F4C9E-6F09-47BC-970D-3C54734667FE}\ not found.

Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1F2F4C9E-6F09-47BC-970D-3C54734667FE}\ not found.

Starting removal of ActiveX control {CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA}

Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA}\ deleted successfully.

Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA}\ not found.

Registry key HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA}\ deleted successfully.

Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA}\ not found.

Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA}\ not found.

Starting removal of ActiveX control {CAFEEFAC-0015-0000-0005-ABCDEFFEDCBA}

Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{CAFEEFAC-0015-0000-0005-ABCDEFFEDCBA}\ deleted successfully.

Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0005-ABCDEFFEDCBA}\ not found.

Registry key HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0005-ABCDEFFEDCBA}\ deleted successfully.

Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{CAFEEFAC-0015-0000-0005-ABCDEFFEDCBA}\ not found.

Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0005-ABCDEFFEDCBA}\ not found.

Starting removal of ActiveX control {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA}

Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA}\ deleted successfully.

Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA}\ not found.

Registry key HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA}\ deleted successfully.

Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA}\ not found.

Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA}\ not found.

Starting removal of ActiveX control {CAFEEFAC-0015-0000-0009-ABCDEFFEDCBA}

Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{CAFEEFAC-0015-0000-0009-ABCDEFFEDCBA}\ deleted successfully.

Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0009-ABCDEFFEDCBA}\ not found.

Registry key HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0009-ABCDEFFEDCBA}\ deleted successfully.

Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{CAFEEFAC-0015-0000-0009-ABCDEFFEDCBA}\ not found.

Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0009-ABCDEFFEDCBA}\ not found.

Starting removal of ActiveX control {CAFEEFAC-0015-0000-0010-ABCDEFFEDCBA}

Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{CAFEEFAC-0015-0000-0010-ABCDEFFEDCBA}\ deleted successfully.

Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0010-ABCDEFFEDCBA}\ not found.

Registry key HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0010-ABCDEFFEDCBA}\ deleted successfully.

Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{CAFEEFAC-0015-0000-0010-ABCDEFFEDCBA}\ not found.

Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0010-ABCDEFFEDCBA}\ not found.

Starting removal of ActiveX control {CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA}

Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA}\ deleted successfully.

Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA}\ not found.

Registry key HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA}\ deleted successfully.

Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA}\ not found.

Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA}\ not found.

Starting removal of ActiveX control {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA}

Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA}\ deleted successfully.

Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA}\ not found.

Registry key HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA}\ deleted successfully.

Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA}\ not found.

Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA}\ not found.

Starting removal of ActiveX control {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA}

Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA}\ deleted successfully.

Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA}\ not found.

Registry key HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA}\ deleted successfully.

Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA}\ not found.

Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA}\ not found.

Starting removal of ActiveX control {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}

Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}\ deleted successfully.

Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}\ not found.

Registry key HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}\ deleted successfully.

Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}\ not found.

Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}\ not found.

Starting removal of ActiveX control {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}

Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}\ deleted successfully.

Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}\ not found.

Registry key HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}\ deleted successfully.

Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}\ not found.

Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}\ not found.

Starting removal of ActiveX control {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}

Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}\ deleted successfully.

Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}\ not found.

Registry key HKEY_CURRENT_USER\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}\ deleted successfully.

Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}\ not found.

Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}\ not found.

========== FILES ==========

File\Folder C:\Program Files\Symantec AntiVirus not found.

C:\Program Files\Common Files\Symantec Shared\VirusDefs\20100214.004 folder moved successfully.

C:\Program Files\Common Files\Symantec Shared\VirusDefs folder moved successfully.

C:\Program Files\Common Files\Symantec Shared\SPManifests folder moved successfully.

C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS folder moved successfully.

C:\Program Files\Common Files\Symantec Shared\SPBBC folder moved successfully.

C:\Program Files\Common Files\Symantec Shared\Help folder moved successfully.

C:\Program Files\Common Files\Symantec Shared folder moved successfully.

C:\WINDOWS\System32\CONFIG.TMP moved successfully.

C:\WINDOWS\System32\setb2.tmp moved successfully.

C:\WINDOWS\System32\setb5.tmp moved successfully.

C:\Documents and Settings\Soup\My Documents\~WRL1077.tmp moved successfully.

C:\Documents and Settings\Soup\My Documents\~WRL1205.tmp moved successfully.

C:\Documents and Settings\Soup\My Documents\~WRL3232.tmp moved successfully.

C:\D5.tmp moved successfully.

C:\D6.tmp moved successfully.

C:\D7.tmp moved successfully.

C:\WINDOWS\002950_.tmp moved successfully.

C:\WINDOWS\tasks\{BB65B0FB-5712-401b-B616-E69AC55E2757}.job moved successfully.

C:\WINDOWS\tasks\{7B02EF0B-A410-4938-8480-9BA26420A627}.job moved successfully.

C:\WINDOWS\Tasks\1-Click Maintenance.job moved successfully.

C:\Updater.exe moved successfully.

C:\vlc-1.0.0-win32.exe moved successfully.

OTL by OldTimer - Version 3.1.28.0 log created on 02162010_141302

About to run OTL with quick scan again as per instructions in Post 18 . . .


The following OTL.txt report was generated after running QuickScan (with the indicated custom scan terms from the quote box) after the RunFix from Post 18:

(BTW, the settings for OTL still change when I hit QuickScan; I don't know if that changes anything.) Thanks again . . .

OTL logfile created on: 2/16/2010 2:20:37 PM - Run 3

OTL by OldTimer - Version 3.1.28.0 Folder = C:\Documents and Settings\Soup\Desktop

Windows XP Professional Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation

Internet Explorer (Version = 8.0.6001.18702)

Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1,023.00 Mb Total Physical Memory | 591.00 Mb Available Physical Memory | 58.00% Memory free

2.00 Gb Paging File | 2.00 Gb Available in Paging File | 89.00% Paging File free

Paging file location(s): C:\pagefile.sys 1536 3072 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files

Drive C: | 90.09 Gb Total Space | 1.20 Gb Free Space | 1.34% Space Free | Partition Type: NTFS

D: Drive not present or media not loaded

E: Drive not present or media not loaded

F: Drive not present or media not loaded

G: Drive not present or media not loaded

H: Drive not present or media not loaded

I: Drive not present or media not loaded

Computer Name: STYX

Current User Name: Soup

Logged in as Administrator.

Current Boot Mode: Normal

Scan Mode: Current user

Company Name Whitelist: On

Skip Microsoft Files: On

File Age = 14 Days

Output = Standard

Quick Scan

========== Processes (SafeList) ==========

PRC - [2010/02/16 10:14:25 | 000,549,376 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Soup\Desktop\OTL.exe

PRC - [2009/04/16 18:43:41 | 000,307,704 | ---- | M] (Mozilla Corporation) -- C:\Program Files\Mozilla Firefox\firefox.exe

PRC - [2009/03/09 04:19:15 | 000,152,984 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Java\jre6\bin\jqs.exe

PRC - [2009/02/03 10:32:28 | 003,550,592 | ---- | M] (Sysinternals - www.sysinternals.com) -- C:\My Music\procexp.exe

PRC - [2008/04/13 18:12:41 | 000,013,824 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\system32\wscntfy.exe

PRC - [2005/08/04 03:02:58 | 000,380,928 | ---- | M] (ATI Technologies Inc.) -- C:\WINDOWS\system32\ati2evxx.exe

PRC - [2005/03/03 22:29:02 | 000,356,352 | ---- | M] (Dell Inc.) -- C:\Program Files\Dell\NicConfigSvc\NicConfigSvc.exe

PRC - [2004/09/07 15:12:32 | 000,225,353 | ---- | M] (Intel
