BleepingComputer.com: "System Check" removal


"System Check" removal suspect corrupt files

#61 les54

Posted 06 February 2012 - 10:13 PM

Ran "run fix" with this code in the text box.
:Files
rmdir C:\WINDOWS\$NtUninstallKB60894$ /c

:Commands
[REBOOT]

The computer rebooted, but no message box popped up. Tried twice but no luck.

#62 sempai

Posted 06 February 2012 - 10:17 PM

Please go to C:\ > _OTL > MovedFiles and look for the report (text file). The file name of the log starts with the date when you ran the fix. Post the contents please.
~Semp

You can help me continue the fight against malware by making a donation. Thank you.

If I am helping you and I didn't reply within 48 hours... Please send me a private message.
Topics that are not replied to within 5 days will be closed. Please don't PM asking for support, post on the Forums instead.

Member of UNITE (Unified Network of Instructors and Trained Eliminators) and ASAP (Alliance of Security Analysis Professionals)

#63 les54

Posted 07 February 2012 - 12:39 AM

Here's the log.

========== FILES ==========
< rmdir C:\WINDOWS\$NtUninstallKB60894$ /c >
C:\Documents and Settings\Les\Desktop\cmd.bat deleted successfully.
C:\Documents and Settings\Les\Desktop\cmd.txt deleted successfully.
========== COMMANDS ==========

OTL by OldTimer - Version 3.2.31.0 log created on 02062012_195137

#64 sempai

Posted 07 February 2012 - 12:58 AM

Can you please run Junction once again and post the latest report?
~Semp


#65 les54

Posted 07 February 2012 - 11:41 AM

Junction v1.06 - Windows junction creator and reparse point viewer
Copyright © 2000-2010 Mark Russinovich
Sysinternals - www.sysinternals.com


Failed to open \\?\c:\\pagefile.sys: The process cannot access the file because it is being used by another process.


..\\?\c:\\WINDOWS\$NtUninstallKB60894$\1156935256: SYMBOLIC LINK
Print Name : c:\windows\system32\config
Substitute Name: \systemroot\system32\config


#66 sempai

Posted 08 February 2012 - 12:43 PM

Step 1: Please download and install Junction Link Magic
  • Run Junction Link Magic and perform a Scan (It will automatically ask you to run a scan when you first run it).
  • If it asks you to "Deselect the drives that you don't want to scan"... Uncheck all boxes except for C:.
  • Click OK
  • Once completed, look for the results under junction link.
  • Select the following entry and click Remove.

    c:\WINDOWS\$NtUninstallKB60894$\1156935256

  • Close Junction Link Magic.

Step 2: Please run Junction again and post the new report for my review.

This post has been edited by sempai: 08 February 2012 - 12:44 PM

~Semp
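
The before-and-after check that step 2 asks for can be scripted. The following is an added example, not part of the original post or of any tool named in this thread: it parses Junction-style report text and tells whether a given link path is still listed. The sample reports are constructed from the layout of the reports posted in this thread, and the function names are hypothetical.

```python
import re

# Constructed samples in the layout of the Junction v1.06 reports posted in
# this thread (progress dots shortened); AFTER is a constructed clean report.
BEFORE = r"""Junction v1.06 - Windows junction creator and reparse point viewer

Failed to open \\?\c:\\pagefile.sys: The process cannot access the file because it is being used by another process.

...
..\\?\c:\\WINDOWS\$NtUninstallKB60894$\1156935256: SYMBOLIC LINK
Print Name : c:\windows\system32\config
Substitute Name: \systemroot\system32\config

.
"""
AFTER = BEFORE.split("...")[0] + "...\n.\n"

# An entry line: optional progress dots, the \\?\ prefix, the path, then the type.
ENTRY = re.compile(r"^\.*\\\\\?\\(?P<path>.+?): (?P<kind>[A-Z][A-Z ]*[A-Z])\s*$")
FIELD = re.compile(r"^\s*(Print Name|Substitute Name)\s*:\s*(.*)$")

def normalise(path):
    """Collapse repeated backslashes and lower-case, so spellings compare equal."""
    return re.sub(r"\\+", r"\\", path.strip()).lower()

def parse_report(text):
    """Map each listed reparse point (normalised path) to its type and targets."""
    links, current = {}, None
    for line in text.splitlines():
        entry = ENTRY.match(line)
        if entry:
            current = {"kind": entry.group("kind")}
            links[normalise(entry.group("path"))] = current
            continue
        field = FIELD.match(line)
        if field and current is not None:
            current[field.group(1)] = field.group(2).strip()
    return links

def still_present(report_text, target):
    """True if the target link is still listed in the report."""
    return normalise(target) in parse_report(report_text)

def removed_between(before, after):
    """Links listed in the first report but absent from the second."""
    return sorted(set(parse_report(before)) - set(parse_report(after)))

if __name__ == "__main__":
    target = r"c:\WINDOWS\$NtUninstallKB60894$\1156935256"
    print(still_present(BEFORE, target), still_present(AFTER, target))
    print(removed_between(BEFORE, AFTER))
```

Comparing normalised paths matters here because the report prints the path as `c:\\WINDOWS\...` while the removal instruction spells it `c:\WINDOWS\...`.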


#67 les54

Posted 08 February 2012 - 06:57 PM

Ran Junction Link Magic.
"Report" window said "Finished scanning".
"Junction link / Destination" window was empty. Tried scan twice, same thing.
"Remove" button remained ghosted.

Ran "Junction"


Junction v1.06 - Windows junction creator and reparse point viewer
Copyright © 2000-2010 Mark Russinovich
Sysinternals - www.sysinternals.com


Failed to open \\?\c:\\pagefile.sys: The process cannot access the file because it is being used by another process.


..\\?\c:\\WINDOWS\$NtUninstallKB60894$\1156935256: SYMBOLIC LINK
Print Name : c:\windows\system32\config
Substitute Name: \systemroot\system32\config


#68 sempai

Posted 09 February 2012 - 09:49 AM

I am not really happy about the outcome and this is a bit tricky to remove.


Run OTL.
  • Click the None button at the top (between the "Run fix" and "Clean up" buttons).
  • Copy and paste the following code into the Custom Scan box.

    c:\windows\*. /RP /s

  • Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
  • When the scan completes, it will open a Notepad window.
  • Please copy (Edit->Select All, Edit->Copy) the contents of that file, and post them when you reply.

~Semp


#69 les54

Posted 09 February 2012 - 07:44 PM

OTL logfile created on: 09/02/2012 5:42:42 PM - Run 1
OTL by OldTimer - Version 3.2.31.0 Folder = C:\Documents and Settings\Les\Desktop
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00001009 | Country: Canada | Language: ENC | Date Format: dd/MM/yyyy

735.48 Mb Total Physical Memory | 390.11 Mb Available Physical Memory | 53.04% Memory free
1.76 Gb Paging File | 1.44 Gb Available in Paging File | 82.10% Paging File free
Paging file location(s): C:\pagefile.sys 1104 2208 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 465.76 Gb Total Space | 416.96 Gb Free Space | 89.52% Space Free | Partition Type: NTFS

Computer Name: GRAY-HOME-PC | User Name: Les | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: Off | File Age = 30 Days

========== Custom Scans ==========


< c:\windows\*. /RP /s >

< >

< >

< >

< >

< >

< >

< >

< End of report >

#70 sempai

Posted 09 February 2012 - 10:37 PM

Two scanners reported that the symbolic link that we're trying to remove is no longer there. How's the computer running?
~Semp


#71 les54

Posted 09 February 2012 - 11:31 PM

My computer is running good. You guys have provided great service. Thanks

#72 sempai

Posted 10 February 2012 - 12:09 AM

That's great, let's remove the remaining tools.


Uninstall:
1. Junction Link Magic
  • Go to Control Panel > Add Remove Programs > locate and remove Junction Link Magic.



Delete:
1. Junction.exe



Clean-up with OTL:
  • Run OTL
  • Click on the CleanUp! button.
  • Reboot when asked.

~Semp


#73 les54

Posted 11 February 2012 - 12:28 AM

I just did a "delete" of the setup applications on the desktop for junction and junction link magic. Is that correct?
Thanks again for all your help.

#74 sempai

Posted 11 February 2012 - 12:41 AM

Yes, that is correct, just delete the installers, but Junction Link Magic must be uninstalled from Add Remove Programs in the Control Panel.
~Semp


#75 sempai

Posted 11 February 2012 - 09:52 PM

It appears that this issue is resolved, therefore I am closing the topic. If that is not the case and you need or wish to continue with this topic, please send me or any Moderator a Personal Message (PM) that you would like this topic re-opened.
~Semp

