Unsure of name of virus [Closed]


This topic is locked.

#16 Essexboy, GeekU Moderator (Retired Staff, 69,964 posts)
We will need to ensure that the environment variables are set correctly - I will need to check out if there is a batch file I can use for that

To ensure that I get all the information, this log will need to be attached (instructions at the end); if it is too large to attach, then upload to Mediafire and post the sharing link.

Download OTS to your Desktop
  • Close ALL OTHER PROGRAMS.
  • Double-click on OTS.exe to start the program.
  • Check the box that says Scan All Users
  • Under Additional Scans press the following button:
    • Extras
  • Under the Custom Scan box paste this in

    set /c
    netsvcs
    %SYSTEMDRIVE%\*.exe
    drivers32
    %SYSTEMDRIVE%\*.*
    %systemroot%\*. /mp /s
    CREATERESTOREPOINT
    %systemroot%\system32\*.dll /lockedfiles
    %systemroot%\Tasks\*.job /lockedfiles
    %systemroot%\System32\config\*.sav
    %systemroot%\system32\drivers\*.sys /180
  • Now click the Run Scan button on the toolbar.
  • Let it run unhindered until it finishes.
  • When the scan is complete Notepad will open with the report file loaded in it.
  • Click the Format menu and make sure that Wordwrap is not checked. If it is then click on it to uncheck it.
Please attach the log in your next post.

To attach a file, do the following:
  • Click Add Reply
  • Under the reply panel is the Attachments Panel
  • Browse for the attachment file you want to upload, then click the green Upload button
  • Once it has uploaded, click the Manage Current Attachments drop down box
  • Click on Posted Image to insert the attachment into your post

Edited by Essexboy, 31 May 2010 - 03:24 PM.


#17 nicole24, Member (Topic Starter, 24 posts)
http://www.mediafire...cawkd3z/OTS.Txt

#18 Essexboy, GeekU Moderator (Retired Staff, 69,964 posts)
The environment variables check out OK

Can you run the programmes by clicking the executable rather than the shortcut, i.e. for MBAM C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe

Start OTS. Copy/Paste the information in the quotebox below into the pane where it says "Paste fix here" and then click the Run Fix button.

[Unregister Dlls]
[Driver Services - Safe List]
YY -> (CDAVFS) CDAVFS [File_System | Auto | Stopped] -> C:\Windows\System32\drivers\CDAVFS.sys
[Registry - Safe List]
< Internet Explorer Settings [HKEY_USERS\.DEFAULT\] > -> 
YN -> HKEY_USERS\.DEFAULT\: "ProxyServer" -> http=127.0.0.1:8181
< Internet Explorer Settings [HKEY_USERS\S-1-5-18\] > -> 
YN -> HKEY_USERS\S-1-5-18\: "ProxyServer" -> http=127.0.0.1:8181
< Internet Explorer Settings [HKEY_USERS\S-1-5-21-2644474151-2586524466-2085771258-1000\] > -> 
YY -> HKEY_USERS\S-1-5-21-2644474151-2586524466-2085771258-1000\: URLSearchHooks\\"{1CB20BF0-BBAE-40A7-93F4-6435FF3D0411}" [HKLM] -> C:\Program Files\Crawler\Toolbar\ctbr.dll []
< Internet Explorer ToolBars [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar
YY -> "{4B3803EA-5230-4DC3-A7FC-33638F3D3542}" [HKLM] -> C:\Program Files\Crawler\Toolbar\ctbr.dll [&Crawler Toolbar]
< Internet Explorer ToolBars [HKEY_USERS\S-1-5-21-2644474151-2586524466-2085771258-1000\] > -> HKEY_USERS\S-1-5-21-2644474151-2586524466-2085771258-1000\Software\Microsoft\Internet Explorer\Toolbar\
YY -> WebBrowser\\"{4B3803EA-5230-4DC3-A7FC-33638F3D3542}" [HKLM] -> C:\Program Files\Crawler\Toolbar\ctbr.dll [&Crawler Toolbar]
YN -> WebBrowser\\"{D3DEE18F-DB64-4BEB-9FF1-E1F0A5033E4A}" [HKLM] -> Reg Error: Key error. [Reg Error: Key error.]
[Registry - Additional Scans - Safe List]
< Uninstall List [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\
YN -> {AA63780B-DDB7-417b-8A13-E5AFBE08E807} -> 
[Files/Folders - Created Within 30 Days]
NY ->  6 C:\Users\Catrina\Documents\*.tmp files -> C:\Users\Catrina\Documents\*.tmp
NY ->  55 C:\Users\Catrina\*.tmp files -> C:\Users\Catrina\*.tmp
[Empty Temp Folders]
[EmptyFlash]

The fix should only take a very short time. When the fix is completed a message box will popup telling you that it is finished. Click the Ok button and Notepad will open with a log of actions taken during the fix. Post that information back here along with a new OTS log.

I will review the information when it comes back in.

Also let me know of any problems you encountered performing the steps above or any continuing problems you are still having with the computer.
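The fix above removes a loopback proxy (http=127.0.0.1:8181) from two user hives and two toolbar/URLSearchHook CLSIDs that point at ctbr.dll. The script below is an added example, not code from the thread or from OldTimer's OTS: it is a read-only audit of those same registry locations across every loaded user hive, so a helper can confirm the fix took and spot a re-infection without running another fix. It assumes an elevated PowerShell prompt (needed to read other users' hives); the function names Resolve-ClsidPath and Test-BhoValue are my own.

```powershell
# Added example (not from the forum thread or OTS): audit IE proxy settings,
# URLSearchHooks and toolbar registrations in every loaded user hive.
# Run from an elevated PowerShell prompt.

$proxyRel = 'Software\Microsoft\Windows\CurrentVersion\Internet Settings'
$lists    = @{
    URLSearchHook = 'Software\Microsoft\Internet Explorer\URLSearchHooks'
    Toolbar       = 'Software\Microsoft\Internet Explorer\Toolbar\WebBrowser'
}

function Resolve-ClsidPath {
    # Map a {CLSID} to the DLL registered for it, or $null if the class is not registered
    param([string]$Clsid)
    foreach ($root in 'HKLM:\SOFTWARE\Classes\CLSID', 'HKCU:\SOFTWARE\Classes\CLSID') {
        $key = Join-Path $root "$Clsid\InprocServer32"
        if (Test-Path $key) { return (Get-ItemProperty $key).'(default)' }
    }
    return $null
}

function Test-BhoValue {
    # Report one URLSearchHook/toolbar entry: which DLL it loads and whether that DLL is signed
    param([string]$Hive, [string]$Kind, [string]$Clsid)
    $dll = Resolve-ClsidPath $Clsid
    $status = if (-not $dll)              { 'CLSID not registered (orphan entry)' }
              elseif (-not (Test-Path $dll)) { "DLL missing: $dll" }
              else { "$dll [" + (Get-AuthenticodeSignature $dll).Status + ']' }
    [pscustomobject]@{ Hive = $Hive; Kind = $Kind; Clsid = $Clsid; Target = $status }
}

# HKEY_USERS is not exposed as a PowerShell drive by default
if (-not (Get-PSDrive -Name HKU -ErrorAction SilentlyContinue)) {
    New-PSDrive -Name HKU -PSProvider Registry -Root HKEY_USERS | Out-Null
}

$findings = @(foreach ($hive in Get-ChildItem 'HKU:\') {
    $sid = $hive.PSChildName

    # 1. Proxy settings: a loopback proxy (as in the fix above) or an auto-config URL
    #    quietly routes every browser request through something else on the box
    $proxyKey = "HKU:\$sid\$proxyRel"
    if (Test-Path $proxyKey) {
        $p = Get-ItemProperty $proxyKey
        if ($p.ProxyServer -match '127\.0\.0\.1|localhost|::1') {
            [pscustomobject]@{ Hive = $sid; Kind = 'ProxyServer'; Clsid = ''
                               Target = "$($p.ProxyServer) (ProxyEnable=$($p.ProxyEnable))" }
        }
        if ($p.AutoConfigURL) {
            [pscustomobject]@{ Hive = $sid; Kind = 'AutoConfigURL'; Clsid = ''; Target = $p.AutoConfigURL }
        }
    }

    # 2. URLSearchHooks and per-user toolbars: the value names are CLSIDs
    foreach ($kind in $lists.Keys) {
        $key = "HKU:\$sid\$($lists[$kind])"
        if (Test-Path $key) {
            foreach ($name in (Get-Item $key).GetValueNames()) {
                if ($name -match '^\{[0-9A-Fa-f-]{36}\}$') { Test-BhoValue $sid $kind $name }
            }
        }
    }
})

# 3. Machine-wide toolbars (the HKLM key the fix above also touched)
$machineTb = 'HKLM:\SOFTWARE\Microsoft\Internet Explorer\Toolbar'
if (Test-Path $machineTb) {
    foreach ($name in (Get-Item $machineTb).GetValueNames()) {
        if ($name -match '^\{[0-9A-Fa-f-]{36}\}$') { $findings += Test-BhoValue 'HKLM' 'Toolbar' $name }
    }
}

$findings | Format-Table -AutoSize
```

Read the output the way OTS lays it out: a ProxyServer row pointing at 127.0.0.1 with ProxyEnable=1 is the same symptom the fix addressed, an "orphan entry" row is a leftover like the {D3DEE18F-...} value that OTS reported as a key error, and a "DLL missing" row means the file was moved but the registration survived, which is exactly why the fix deletes both.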

#19 nicole24, Member (Topic Starter, 24 posts)
During the scan it said it needed to reboot to finish removing files, so I agreed. I will switch over to normal mode to see if I can open MBAM that way, but it does work in safe mode.


All Processes Killed
[Driver Services - Safe List]
Service CDAVFS stopped successfully!
Service CDAVFS deleted successfully!
C:\Windows\System32\drivers\CDAVFS.sys moved successfully.
[Registry - Safe List]
Registry value HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\\ProxyServer deleted successfully.
Registry value HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings\\ProxyServer not found.
Registry key HKEY_USERS\S-1-5-21-2644474151-2586524466-2085771258-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\URLSearchHooks not found.
C:\Program Files\Crawler\Toolbar\ctbr.dll moved successfully.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar\\{4B3803EA-5230-4DC3-A7FC-33638F3D3542} not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{4B3803EA-5230-4DC3-A7FC-33638F3D3542}\ not found.
File C:\Program Files\Crawler\Toolbar\ctbr.dll not found.
Registry value HKEY_USERS\S-1-5-21-2644474151-2586524466-2085771258-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{4B3803EA-5230-4DC3-A7FC-33638F3D3542} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{4B3803EA-5230-4DC3-A7FC-33638F3D3542}\ not found.
File C:\Program Files\Crawler\Toolbar\ctbr.dll not found.
Registry value HKEY_USERS\S-1-5-21-2644474151-2586524466-2085771258-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{D3DEE18F-DB64-4BEB-9FF1-E1F0A5033E4A} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{D3DEE18F-DB64-4BEB-9FF1-E1F0A5033E4A}\ not found.
[Registry - Additional Scans - Safe List]
[Files/Folders - Created Within 30 Days]
C:\Users\Catrina\Documents\~of195E.tmp deleted successfully.
C:\Users\Catrina\Documents\~of1FA8.tmp deleted successfully.
C:\Users\Catrina\Documents\~of8EFD.tmp deleted successfully.
C:\Users\Catrina\Documents\~of981A.tmp deleted successfully.
C:\Users\Catrina\Documents\~ofA899.tmp deleted successfully.
C:\Users\Catrina\Documents\~ofFE14.tmp deleted successfully.
C:\Users\Catrina\41F0D112.TMP deleted successfully.
C:\Users\Catrina\B272.tmp deleted successfully.
C:\Users\Catrina\cd6B83.tmp\2009 Codebase\Installers\CDINSTALLER10\BIN\runtime folder deleted successfully.
C:\Users\Catrina\cd6B83.tmp\2009 Codebase\Installers\CDINSTALLER10\BIN folder deleted successfully.
C:\Users\Catrina\cd6B83.tmp\2009 Codebase\Installers\CDINSTALLER10 folder deleted successfully.
C:\Users\Catrina\cd6B83.tmp\2009 Codebase\Installers folder deleted successfully.
C:\Users\Catrina\cd6B83.tmp\2009 Codebase folder deleted successfully.
C:\Users\Catrina\cd6B83.tmp folder deleted successfully.
C:\Users\Catrina\cd97AD.tmp\2009 Codebase\Installers\CDINSTALLER8\BIN\runtime\CDAS_DEMO folder deleted successfully.
C:\Users\Catrina\cd97AD.tmp\2009 Codebase\Installers\CDINSTALLER8\BIN\runtime\cdinstx.ini deleted successfully.
C:\Users\Catrina\cd97AD.tmp\2009 Codebase\Installers\CDINSTALLER8\BIN\runtime folder deleted successfully.
C:\Users\Catrina\cd97AD.tmp\2009 Codebase\Installers\CDINSTALLER8\BIN folder deleted successfully.
C:\Users\Catrina\cd97AD.tmp\2009 Codebase\Installers\CDINSTALLER8 folder deleted successfully.
C:\Users\Catrina\cd97AD.tmp\2009 Codebase\Installers folder deleted successfully.
C:\Users\Catrina\cd97AD.tmp\2009 Codebase folder deleted successfully.
C:\Users\Catrina\cd97AD.tmp folder deleted successfully.
C:\Users\Catrina\F24F1127.TMP deleted successfully.
C:\Users\Catrina\fla361F.tmp deleted successfully.
C:\Users\Catrina\fla9D57.tmp deleted successfully.
C:\Users\Catrina\flaA39F.tmp deleted successfully.
C:\Users\Catrina\flaA3AF.tmp deleted successfully.
C:\Users\Catrina\flaB646.tmp deleted successfully.
C:\Users\Catrina\hsf78w3uhduf8w.tmp deleted successfully.
C:\Users\Catrina\jar_cache3072079584236944491.tmp deleted successfully.
C:\Users\Catrina\JET12D4.tmp deleted successfully.
C:\Users\Catrina\JET1F04.tmp deleted successfully.
C:\Users\Catrina\JET2D66.tmp deleted successfully.
C:\Users\Catrina\JET4BBE.tmp deleted successfully.
C:\Users\Catrina\JET8BDA.tmp deleted successfully.
C:\Users\Catrina\JET93B6.tmp deleted successfully.
C:\Users\Catrina\JET9A0D.tmp deleted successfully.
C:\Users\Catrina\JETB4FC.tmp deleted successfully.
C:\Users\Catrina\JETB9CC.tmp deleted successfully.
C:\Users\Catrina\JETBC5B.tmp deleted successfully.
C:\Users\Catrina\JETD113.tmp deleted successfully.
C:\Users\Catrina\JETD123.tmp deleted successfully.
C:\Users\Catrina\JETED6A.tmp deleted successfully.
C:\Users\Catrina\jisfije9fjoiee.tmp deleted successfully.
C:\Users\Catrina\nss5C63.tmp folder deleted successfully.
C:\Users\Catrina\sdfsejf98jfsiodkfd.tmp deleted successfully.
C:\Users\Catrina\~DF1196.tmp deleted successfully.
C:\Users\Catrina\~DF119B.tmp deleted successfully.
C:\Users\Catrina\~DF2798.tmp deleted successfully.
File delete failed. C:\Users\Catrina\~DF4553.tmp scheduled to be deleted on reboot.
File delete failed. C:\Users\Catrina\~DF4559.tmp scheduled to be deleted on reboot.
C:\Users\Catrina\~DF546A.tmp deleted successfully.
C:\Users\Catrina\~DF576E.tmp deleted successfully.
C:\Users\Catrina\~DF5795.tmp deleted successfully.
C:\Users\Catrina\~DF6FC0.tmp deleted successfully.
C:\Users\Catrina\~DF761F.tmp deleted successfully.
C:\Users\Catrina\~DF836.tmp deleted successfully.
C:\Users\Catrina\~DF88E.tmp deleted successfully.
C:\Users\Catrina\~DF978D.tmp deleted successfully.
C:\Users\Catrina\~DF9794.tmp deleted successfully.
C:\Users\Catrina\~DF9D7F.tmp deleted successfully.
C:\Users\Catrina\~DFA7C5.tmp deleted successfully.
C:\Users\Catrina\~DFA7CA.tmp deleted successfully.
C:\Users\Catrina\~DFCDC3.tmp deleted successfully.
C:\Users\Catrina\~DFD04E.tmp deleted successfully.
C:\Users\Catrina\~DFD91C.tmp deleted successfully.
C:\Users\Catrina\~DFE119.tmp deleted successfully.
C:\Users\Catrina\~DFF13E.tmp deleted successfully.
C:\Users\Catrina\~DFF14.tmp deleted successfully.
C:\Users\Catrina\~DFF1D.tmp deleted successfully.
C:\Users\Catrina\~DFF4CA.tmp deleted successfully.
C:\Users\Catrina\~DFF99F.tmp deleted successfully.
C:\Users\Catrina\~DFF9A4.tmp deleted successfully.
[Empty Temp Folders]


User: All Users

User: Catrina
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 84583684 bytes
->Java cache emptied: 17777 bytes
->Flash cache emptied: 750 bytes

User: Default
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes

User: Guest
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: janelle
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: Public
->Temp folder emptied: 0 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 0 bytes
%systemroot%\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files folder emptied: 130884096 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 206.00 mb


[EMPTYFLASH]

User: All Users

User: Catrina
->Flash cache emptied: 0 bytes

User: Default

User: Default User

User: Guest
->Flash cache emptied: 0 bytes

User: janelle
->Flash cache emptied: 0 bytes

User: Public

Total Flash Files Cleaned = 0.00 mb

< End of fix log >
OTS by OldTimer - Version 3.1.31.2 fix logfile created on 06012010_171019

Files\Folders moved on Reboot...
File\Folder C:\Users\Catrina\~DF4553.tmp not found!
File\Folder C:\Users\Catrina\~DF4559.tmp not found!
C:\Users\Catrina\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\REE528P4\facebook_com[1].htm moved successfully.
C:\Users\Catrina\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\REE528P4\redirectiframe[1].htm moved successfully.
C:\Users\Catrina\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\REE528P4\Unsure-name-virus-t278050[2].htm moved successfully.
C:\Users\Catrina\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\P0Z5KWA2\10[2].htm moved successfully.
C:\Users\Catrina\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\P0Z5KWA2\history_manager[3].htm moved successfully.
C:\Users\Catrina\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\P0Z5KWA2\iframe[4].htm moved successfully.
C:\Users\Catrina\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\93ZKS8QE\index[1].htm moved successfully.
C:\Users\Catrina\AppData\Local\Microsoft\Windows\Temporary Internet Files\AntiPhishing\A0AB7674-8D67-4F4D-B5E1-96FAEADFB79D.dat moved successfully.

Registry entries deleted on Reboot...

#20 nicole24, Member (Topic Starter, 24 posts)
I am currently in normal mode and unable to open MBAM. I've tried going to the file location and everything for all programs that display the environment option error. I don't know if it matters, but while in normal mode all icons on the desktop, like MBAM, GMER, ComboFix, OTS, regserve and OTL, have the administrator icon in the bottom left-hand corner, and in safe mode they do not.

#21 Essexboy, GeekU Moderator (Retired Staff, 69,964 posts)
Could you also run OTS in normal mode please

#22 Essexboy, GeekU Moderator (Retired Staff, 69,964 posts)
Could you right click and select run as admin

#23 nicole24, Member (Topic Starter, 24 posts)
Nope, and yes, I've tried right-clicking and choosing run as administrator. I could not find the environment option for OTS as well. Do you want me to stay in normal mode?

#24 Essexboy, GeekU Moderator (Retired Staff, 69,964 posts)
One thing I noticed on your OTS scan was a lot of hard links - did you set those up? Do you run any special software?

#25 nicole24, Member (Topic Starter, 24 posts)
I'm not sure what you mean by hard links; can you explain? And no, I don't have any special software, to my knowledge anyway.

#26 Essexboy, GeekU Moderator (Retired Staff, 69,964 posts)
Basically what that means is that whenever a file is run it is routed through your set up files

wusa.exe -> \Windows\System32\wusa.exe -> HardLink
wusa.exe -> \Windows\winsxs\x86_microsoft-windows-wusa_31bf3856ad364e35_6.0.6000.16386_none_aac9cf811bb1ca58\wusa.exe -> HardLink
wuwebv.dll -> \Windows\System32\wuwebv.dll -> HardLink
wuwebv.dll -> \Windows\winsxs\x86_microsoft-windows-w..pdateclient-activex_31bf3856ad364e35_7.4.7600.226_none_79951cca15140d1a\wuwebv.dll -> HardLink
wvc.dll -> \Windows\System32\wvc.dll -> HardLink
wvc.dll -> \Windows\winsxs\x86_microsoft-windows-performancetoolsgui_31bf3856ad364e35_6.0.6000.16386_none_99d2fc2fa408df3c\wvc.dll -> HardLink
wzcdlg.dll -> \Windows\System32\wzcdlg.dll -> HardLink
wzcdlg.dll -> \Windows\winsxs\x86_microsoft-windows-w..etwork-setup-wizard_31bf3856ad364e35_6.0.6000.16386_none_92a66968477c3219\wzcdlg.dll -> HardLink


So for example when wusa.exe is run it is routed through your update files

Have you recently updated Vista and been experiencing problems since then?
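The OTS lines quoted above pair each System32 file with a second path under \Windows\winsxs and mark both "HardLink". On Vista and later, files in System32 are normally hard links into the WinSxS component store, so two links per file is the expected layout; what a helper actually wants to know is whether any link leads somewhere else and whether the file is still Microsoft-signed. The script below is an added example, not part of the thread or of OTS: it lists every hard link of a given file with fsutil and flags any that fall outside System32 or WinSxS. It assumes Windows 7 or later (for `fsutil hardlink list`) and an elevated prompt; Get-HardLinkReport is my own function name.

```powershell
# Added example (not from the forum thread or OTS): show where the hard links
# that OTS lists for a System32 file actually lead, and whether the file is signed.
# Assumes Windows 7 or later ("fsutil hardlink list") and an elevated prompt.

function Get-HardLinkReport {
    param([string[]]$Paths)
    foreach ($path in $Paths) {
        if (-not (Test-Path $path)) { Write-Warning "$path not found"; continue }
        $drive = (Get-Item $path).PSDrive.Name

        # fsutil prints one link per line, drive-relative (e.g. \Windows\System32\wusa.exe),
        # which is the same form the OTS scan shows
        $links = fsutil hardlink list $path |
                 Where-Object { $_ -match '^\\' } |
                 ForEach-Object { "${drive}:$_" }

        # All links share one data stream, so one signature check covers every name
        $sig = Get-AuthenticodeSignature $path

        foreach ($link in $links) {
            # System32 files are expected to link into the WinSxS component store;
            # a link that leads anywhere else is the one worth investigating
            $expected = ($link -like "${drive}:\Windows\winsxs\*") -or
                        ($link -like "${drive}:\Windows\System32\*")
            [pscustomobject]@{
                File      = $path
                Link      = $link
                Expected  = $expected
                Signature = $sig.Status
                Signer    = $sig.SignerCertificate.Subject
            }
        }
    }
}

# The two files from the OTS excerpt above; add any others the scan lists
Get-HardLinkReport 'C:\Windows\System32\wusa.exe', 'C:\Windows\System32\wuwebv.dll' |
    Format-Table -AutoSize
```

A row with Expected = False, or a Signature other than Valid on a file that ships with Windows, is the case to follow up on; rows that show only a System32 name and a WinSxS name with a valid Microsoft signature are the normal component-store arrangement and need no action.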

#27 nicole24, Member (Topic Starter, 24 posts)
Okay, well, no, I did not set anything up; I don't really mess with anything. As for updates, I mean I think it does it automatically, Windows Updates? Is there somewhere I can look to see if I did?

#28 Essexboy, GeekU Moderator (Retired Staff, 69,964 posts)
As you have Vista what I would like you to try is to update to Service Pack 1 - this may well alleviate the problem

Could you do that please

#29 nicole24, Member (Topic Starter, 24 posts)
I looked in Windows Updates in Control Panel to review update history, and it looks like just about all updates have failed since 12/9/09; only a few have been successful.

#30 Essexboy, GeekU Moderator (Retired Staff, 69,964 posts)
Do you have your Vista CD? If so we could do a repair install, or you could download the standalone SP1 and install that.

Standalone SP1