Bits Missing From Windows XP - PC Help Forum - Free Computer Help, Windows, Hardware, Software and more!

madassmax · #1 03-20-2008

Hi all,

sorry for the rather vague title on this one, but not quite sure how to describe this one!

Basically a month or so ago i switched my pc on and recieved the following error message;

Error loading C:\WINDOWS\system32|cefocatp.dll
The specified module could not be found

So i clicked OK and then began to notice various items missing...
no sound, no printer and the windows desktop had reverted to 'classic windows' mode and not the blue XP that its been set at for last 4 years.
Basically its not recognising the sound card or printer and when i go to control panel to look in device manager, its not there - niether is the hardware installer. When i tried to do a system restore it failed tol restore on all previuos restore points.

I can't attribute anything specific prior to this happening i.e. i hadn't downloaded anything or installed any new software/hardware (although i have having problems with it picking up thvarious forms of the vundo virus over the past 6 months, all of which have been succesfully dealt with by Vundo Fix)

I guess the key is in the error message that pops uo everytime the pc is started, but i've tried a google search on it and come up with nothing. P_C bits and pieces are as follows;

Fujitsu Siemens PC
Windows XP 5.1.2600 Home
AMD Athlon XP 2000+
NVIDIA GeForce4 MX 420
Micro Star Motherboard MS-6330V5
Bios Type AT/AT compatible
Bios Version 6.00 PG

got this info off Auslogics System Information, theres no audio equipment showing as being installed on this either, but i know its in there.

Can anybody help at all with this scattering of information?

Ta

madmonkey · #2 03-20-2008

Hey Max, welcome to PCHF.

cefocatp.dll is definitely no part of the Windows installation, or anything I have ever seen. Even google picks up nothing for this particular file, but is likely to be a result of installed application (you mentioned that nothing had been uninstalled), virus or malware.

You did mentioned that you had a virus on your PC. May be worth taking a look at PCHF Prework, and post a hijack and AVG log back here from a member of the security team to rule out any remaining issues.

You also mentioned something about a "hardware installer" not showing in Device Manager. What is this? Can you download SIW, save and post a log from here also. This will give us an idea what hardware does actually show on your system. The screenshots link on my signature also describes how to post a screenshot of anything else that doesn't right, such as your device manager.

Finally, have you considered performing a repair install, or reinstalling Windows from scratch? I rarely suggest this approach, I'm normally quite stubborn, and use these options as a last resort, however, if Windows has been damaged as a result of a virus (severely by what you have described so far), this will be no simple problem to diagnose and fix.

madassmax · #3 03-20-2008

Hi Monkey;

Hijack this log;

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:00:11 PM, on 3/20/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRA~1\Grisoft\AVG7\avgwb.dat
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = MSN.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = Live Search
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = Live Search
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = MSN.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [3c9d7d32] rundll32.exe "C:\WINDOWS\system32\cefocatp.dll",b
O4 - HKCU\..\Run: [ZoneAlarm Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKCU\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User '?')
O4 - HKUS\S-1-5-21-343818398-1409082233-725345543-1004\..\Run: [ZoneAlarm Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe (User '?')
O4 - HKUS\S-1-5-21-343818398-1409082233-725345543-1004\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User '?')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User '?')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/wind...?1201761095671
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/micr...?1201763039546
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: SiSoftware Database Agent Service (SandraDataSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Lite XII.SP1\Win32\RpcDataSrv.exe
O23 - Service: SiSoftware Sandra Agent Service (SandraTheSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Lite XII.SP1\RpcSandraSrv.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
--
End of file - 4206 bytes

SIW hardware under devices reports no devices to list.
AVG reports no threats found.
Device manger in windows just shows a blank page with no devices listed.

I really didn't want to have to reinstall windows again as i only did it about 6-8 months ago, just thought there may be something i'm missing?

madmonkey · #4 03-20-2008

looool, well I do know this much. If there really didn't have any devices installed, Windows simply wouldn't be able to function. Is Device Manager empty also? I'm just going to get Valis our resident hijack expert to clear you, before we continue, otherwise whatever caused this in the first place may hinder our efforts to fix the problem. In the meantime I'll write up a procedure for going through your drivers and registry settings.

ih8bills · #5 03-21-2008

Hi Max...
@Not to **** in Mad...

moving thread to HJT logs so it gets faster attention

madassmax · #6 03-21-2008

the below is a screenshot of windows device manager;

dev man.JPG

totally blank, although obviously things are installed otherwise as you say i wouldn't be able to use it, i'm using it now to post this reply so modem, keyboard, mice, monitor, etc are all working.

Its almost Twilight Zone this...

ih8bills · #7 03-21-2008

I will PM a few Security Team members for you...
They are always very busy folks-- be patient.

madmonkey · #8 03-21-2008

lol, twilight zone indeed. Don't worry max, I'm sure well get to the bottom of it, bear with us.

Pancake · #9 03-21-2008

Ok.We need to download ComboFix.exe. This will give a better view to the files running and also hidden on your computer.
Please visit this webpage for download links, and instructions for running the tool

When the tool is finished, it will produce a report for you. Please post the "C:\ComboFix.txt" along with a new HijackThis log so that we can continue to do any further cleaning that your system may require.
Caution: Never run and remove files with Combofix unless supervised by a security analyst.
NOTE: Combofix prevents autorun of all CDs, floppies and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you - please let me know.

madassmax · #10 03-22-2008

Hi,

right hopefully i've done everything correctly having read your very good in structions (typical bloke i'm afraid, don't do instructions!!!)

Combo Fix Log;

C