[billgtr]

Hi billgtr,

How about my question... how is your computer now?

Avast is still saying my Firefox is being redirected to 1.advertising5.com.


EDIT: search on chrome is still with babylon!!!
Thanks!!

Edited by billgtr, 01 October 2012 - 07:22 PM.

[Advertisements]

chrome is still with babylon!!!

Looks like I missed one... or maybe it came back.

Let's see what this does:

Please run OTL.exe

• Under the Custom Scans/Fixes box at the bottom, paste in the following
  
  

  :OTL
  FF - prefs.js..browser.search.useDBForOrder: true
  [2012/07/21 09:29:50 | 000,000,000 | ---D | M] (Mozilla Safe Browsing) -- C:\DOCUMENTS AND SETTINGS\BILL LIMA\LOCAL SETTINGS\APPLICATION DATA\{47861E1B-D351-11E1-8270-B8AC6F996F26}
  CHR - default_search_provider: Search the web (Babylon) (Enabled)
  
  :Files
  ipconfig /flushdns /c
  netsh int ip reset c:\resetlog.txt  /c
  ipconfig /release /c
  ipconfig /renew /c
  
  :Commands
  [emptyflash]
  [emptyjava]
  [CreateRestorePoint]
  [Reboot]
  

• Then click the Run Fix button at the top
• Let the program run unhindered, reboot when it is done
• It will produce a log for you on reboot, please post that log in your next reply. The log is saved in the same location as OTL.

Tell if that has made any difference.

[emeraldnzl]

chrome is still with babylon!!!

Looks like I missed one... or maybe it came back.

Let's see what this does:

Please run OTL.exe

• Under the Custom Scans/Fixes box at the bottom, paste in the following
  
  

  :OTL
  FF - prefs.js..browser.search.useDBForOrder: true
  [2012/07/21 09:29:50 | 000,000,000 | ---D | M] (Mozilla Safe Browsing) -- C:\DOCUMENTS AND SETTINGS\BILL LIMA\LOCAL SETTINGS\APPLICATION DATA\{47861E1B-D351-11E1-8270-B8AC6F996F26}
  CHR - default_search_provider: Search the web (Babylon) (Enabled)
  
  :Files
  ipconfig /flushdns /c
  netsh int ip reset c:\resetlog.txt  /c
  ipconfig /release /c
  ipconfig /renew /c
  
  :Commands
  [emptyflash]
  [emptyjava]
  [CreateRestorePoint]
  [Reboot]
  

• Then click the Run Fix button at the top
• Let the program run unhindered, reboot when it is done
• It will produce a log for you on reboot, please post that log in your next reply. The log is saved in the same location as OTL.

Tell if that has made any difference.

[billgtr]

Ok, here's the latest OTL log:

OTL logfile created on: 10/1/2012 5:49:14 PM - Run 3
OTL by OldTimer - Version 3.2.69.0 Folder = C:\Documents and Settings\Bill Lima\Desktop
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 8.0.6001.18702)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

2.00 Gb Total Physical Memory | 1.56 Gb Available Physical Memory | 78.28% Memory free
3.85 Gb Paging File | 3.61 Gb Available in Paging File | 93.87% Paging File free
Paging file location(s): C:\pagefile.sys 0 0 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 38.16 Gb Total Space | 14.30 Gb Free Space | 37.46% Space Free | Partition Type: NTFS
Drive D: | 115.22 Gb Total Space | 62.94 Gb Free Space | 54.63% Space Free | Partition Type: NTFS
Drive F: | 7.20 Gb Total Space | 3.93 Gb Free Space | 54.59% Space Free | Partition Type: FAT32
Drive H: | 1.84 Gb Total Space | 1.48 Gb Free Space | 80.34% Space Free | Partition Type: FAT

Computer Name: BILL | User Name: Bill Lima | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2012/09/30 12:15:22 | 000,602,112 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Bill Lima\Desktop\OTL.exe
PRC - [2012/09/09 14:53:59 | 000,161,768 | ---- | M] (Oracle Corporation) -- C:\Program Files\Java\jre7\bin\jqs.exe
PRC - [2012/09/07 17:04:46 | 000,399,432 | ---- | M] (Malwarebytes Corporation) -- C:\Program Files\Malwarebytes' Anti-Malware\mbamscheduler.exe
PRC - [2012/08/21 02:12:26 | 004,282,728 | ---- | M] (AVAST Software) -- C:\Program Files\AVAST Software\Avast\AvastUI.exe
PRC - [2012/08/21 02:12:25 | 000,044,808 | ---- | M] (AVAST Software) -- C:\Program Files\AVAST Software\Avast\AvastSvc.exe
PRC - [2008/04/13 17:12:19 | 001,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2006/11/17 06:42:52 | 000,577,536 | R--- | M] (Realtek Semiconductor Corp.) -- C:\WINDOWS\soundman.exe


========== Modules (No Company Name) ==========

MOD - [2012/10/01 14:20:34 | 001,813,504 | ---- | M] () -- C:\Program Files\AVAST Software\Avast\defs\12100101\algo.dll
MOD - [2012/10/01 00:10:22 | 001,813,504 | ---- | M] () -- C:\Program Files\AVAST Software\Avast\defs\12100100\algo.dll
MOD - [2012/09/30 12:34:15 | 001,813,504 | ---- | M] () -- C:\Program Files\AVAST Software\Avast\defs\12093001\algo.dll


========== Services (SafeList) ==========

SRV - File not found [Disabled | Stopped] -- %SystemRoot%\System32\hidserv.dll -- (HidServ)
SRV - File not found [On_Demand | Stopped] -- %SystemRoot%\System32\appmgmts.dll -- (AppMgmt)
SRV - [2012/09/20 17:14:33 | 000,250,288 | ---- | M] (Adobe Systems Incorporated) [On_Demand | Stopped] -- C:\WINDOWS\system32\Macromed\Flash\FlashPlayerUpdateService.exe -- (AdobeFlashPlayerUpdateSvc)
SRV - [2012/09/09 20:34:45 | 000,114,144 | ---- | M] (Mozilla Foundation) [On_Demand | Stopped] -- C:\Program Files\Mozilla Maintenance Service\maintenanceservice.exe -- (MozillaMaintenance)
SRV - [2012/09/09 14:53:59 | 000,161,768 | ---- | M] (Oracle Corporation) [Auto | Running] -- C:\Program Files\Java\jre7\bin\jqs.exe -- (JavaQuickStarterService)
SRV - [2012/09/07 17:04:46 | 000,676,936 | ---- | M] (Malwarebytes Corporation) [Auto | Stopped] -- C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe -- (MBAMService)
SRV - [2012/09/07 17:04:46 | 000,399,432 | ---- | M] (Malwarebytes Corporation) [Auto | Running] -- C:\Program Files\Malwarebytes' Anti-Malware\mbamscheduler.exe -- (MBAMScheduler)
SRV - [2012/08/21 02:12:25 | 000,044,808 | ---- | M] (AVAST Software) [Auto | Running] -- C:\Program Files\AVAST Software\Avast\AvastSvc.exe -- (avast! Antivirus)


========== Driver Services (SafeList) ==========

DRV - File not found [Kernel | On_Demand | Stopped] -- system32\DRIVERS\HSF_USR.sys -- (winachsf)
DRV - File not found [Kernel | On_Demand | Stopped] -- -- (WDICA)
DRV - File not found [Kernel | On_Demand | Stopped] -- System32\Drivers\usbaapl.sys -- (USBAAPL)
DRV - File not found [Kernel | System | Stopped] -- C:\WINDOWS\system32\drivers\SBREdrv.sys -- (SBRE)
DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDRFRAME)
DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDRELI)
DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDFRAME)
DRV - File not found [Kernel | On_Demand | Stopped] -- -- (PDCOMP)
DRV - File not found [Kernel | System | Stopped] -- -- (PCIDump)
DRV - File not found [Kernel | On_Demand | Stopped] -- C:\PROGRA~1\COMMON~1\Motive\MRESP50a64.SYS -- (MRESP50a64)
DRV - File not found [Kernel | On_Demand | Stopped] -- C:\PROGRA~1\COMMON~1\Motive\MRENDIS5.SYS -- (MRENDIS5)
DRV - File not found [Kernel | On_Demand | Stopped] -- C:\PROGRA~1\COMMON~1\Motive\MREMPR5.SYS -- (MREMPR5)
DRV - File not found [Kernel | On_Demand | Stopped] -- C:\PROGRA~1\COMMON~1\Motive\MREMP50a64.SYS -- (MREMP50a64)
DRV - File not found [Kernel | On_Demand | Unknown] -- C:\ComboFix\mbr.sys -- (mbr)
DRV - File not found [Kernel | System | Stopped] -- -- (lbrtfdc)
DRV - File not found [File_System | Boot | Stopped] -- system32\DRIVERS\Lbd.sys -- (Lbd)
DRV - File not found [Kernel | System | Stopped] -- -- (i2omgmt)
DRV - File not found [Kernel | On_Demand | Stopped] -- system32\DRIVERS\USR_BSC2.sys -- (HSFHWBS2)
DRV - File not found [Kernel | On_Demand | Stopped] -- system32\DRIVERS\USR_MDMV.sys -- (HSF_DPV)
DRV - File not found [Kernel | System | Stopped] -- -- (Changer)
DRV - File not found [Kernel | On_Demand | Unknown] -- C:\DOCUME~1\BILLLI~1\LOCALS~1\Temp\catchme.sys -- (catchme)
DRV - [2012/09/07 17:04:46 | 000,022,856 | ---- | M] (Malwarebytes Corporation) [File_System | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\mbam.sys -- (MBAMProtector)
DRV - [2012/08/21 02:13:15 | 000,729,752 | ---- | M] (AVAST Software) [File_System | System | Running] -- C:\WINDOWS\System32\drivers\aswSnx.sys -- (aswSnx)
DRV - [2012/08/21 02:13:15 | 000,355,632 | ---- | M] (AVAST Software) [Kernel | System | Running] -- C:\WINDOWS\System32\drivers\aswSP.sys -- (aswSP)
DRV - [2012/08/21 02:13:15 | 000,054,232 | ---- | M] (AVAST Software) [Kernel | System | Running] -- C:\WINDOWS\System32\drivers\aswTdi.sys -- (aswTdi)
DRV - [2012/08/21 02:13:14 | 000,097,608 | ---- | M] (AVAST Software) [File_System | Auto | Running] -- C:\WINDOWS\System32\drivers\aswmon2.sys -- (aswMon2)
DRV - [2012/08/21 02:13:14 | 000,035,928 | ---- | M] (AVAST Software) [Kernel | System | Running] -- C:\WINDOWS\System32\drivers\aswRdr.sys -- (AswRdr)
DRV - [2012/08/21 02:13:13 | 000,025,256 | ---- | M] (AVAST Software) [Kernel | System | Running] -- C:\WINDOWS\System32\drivers\aavmker4.sys -- (Aavmker4)
DRV - [2012/08/21 02:13:13 | 000,021,256 | ---- | M] (AVAST Software) [File_System | Auto | Running] -- C:\WINDOWS\System32\drivers\aswFsBlk.sys -- (aswFsBlk)
DRV - [2008/09/19 08:28:44 | 000,021,248 | ---- | M] (Printing Communications Assoc., Inc. (PCAUSA)) [Kernel | On_Demand | Stopped] -- C:\Program Files\Common Files\Motive\MREMP50.sys -- (MREMP50)
DRV - [2008/09/19 08:28:43 | 000,020,096 | ---- | M] (Printing Communications Assoc., Inc. (PCAUSA)) [Kernel | On_Demand | Stopped] -- C:\Program Files\Common Files\Motive\MRESP50.sys -- (MRESP50)
DRV - [2007/11/08 13:51:54 | 000,010,880 | R--- | M] (Texas Instruments) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\DFUUsb.sys -- (DfuUsb)
DRV - [2007/07/31 19:30:12 | 000,096,384 | R--- | M] (TRENDnet ) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\TE100XP.sys -- (RTL8023xp)
DRV - [2007/07/13 11:44:22 | 000,043,008 | ---- | M] (D-Link ) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\dlkfet5b.sys -- (FETNDISB)
DRV - [2007/01/25 17:37:16 | 004,027,456 | R--- | M] (Realtek Semiconductor Corp.) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\alcxwdm.sys -- (ALCXWDM)
DRV - [2006/11/13 20:31:44 | 000,033,408 | R--- | M] (ASUSTeK Computer Inc. ) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\ipgdnd51.sys -- (ipgd)
DRV - [2006/01/25 01:24:30 | 001,149,888 | ---- | M] (Agere Systems) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\AGRSM.sys -- (AgereSoftModem)
DRV - [2004/08/03 22:31:32 | 000,020,992 | ---- | M] (Realtek Semiconductor Corporation) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\rtl8139.sys -- (rtl8139)
DRV - [2004/07/30 12:02:54 | 000,017,277 | ---- | M] (Frontier Design Group) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\US122DL.sys -- (US122DL)
DRV - [2004/07/30 11:49:30 | 000,086,648 | ---- | M] (Frontier Design Group, LLC) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\US122Wdm.sys -- (Us122WdmService)
DRV - [2004/07/30 11:49:10 | 000,217,472 | ---- | M] (Frontier Design Group, LLC) [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\US122.sys -- (US122)
DRV - [2002/04/17 21:27:02 | 000,011,264 | ---- | M] (VOB Computersysteme GmbH) [Kernel | System | Running] -- C:\WINDOWS\System32\drivers\asapi.sys -- (Asapi)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = about:blank
IE - HKLM\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
IE - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://search.live.c...ferrer:source?}

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,BrowserMngr Start Page = about:blank
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = about:blank
IE - HKCU\..\SearchScopes,BrowserMngrDefaultScope = {A66ADB57-3D67-4A44-8586-5FC55C14A2BD}
IE - HKCU\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
IE - HKCU\..\SearchScopes\{A66ADB57-3D67-4A44-8586-5FC55C14A2BD}: "URL" = http://www.google.co...age={startPage}
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = <local>

========== FireFox ==========

FF - prefs.js..browser.search.useDBForOrder: true
FF - user.js - File not found

FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\WINDOWS\system32\Macromed\Flash\NPSWF32_11_4_402_265.dll ()
FF - HKLM\Software\MozillaPlugins\@adobe.com/ShockwavePlayer: C:\WINDOWS\system32\Adobe\Director\np32dsw.dll (Adobe Systems, Inc.)
FF - HKLM\Software\MozillaPlugins\@java.com/DTPlugin,version=10.7.2: C:\WINDOWS\system32\npDeployJava1.dll (Oracle Corporation)
FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin,version=10.7.2: C:\Program Files\Java\jre7\bin\plugin2\npjp2.dll (Oracle Corporation)
FF - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: C:\Program Files\Microsoft Silverlight\4.1.10329.0\npctrl.dll ( Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WPF,version=3.5: C:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@real.com/nppl3260;version=15.0.4.53: c:\program files\real\realplayer\Netscape6\nppl3260.dll (RealNetworks, Inc.)
FF - HKLM\Software\MozillaPlugins\@real.com/nprjplug;version=15.0.4.53: c:\program files\real\realplayer\Netscape6\nprjplug.dll (RealNetworks, Inc.)
FF - HKLM\Software\MozillaPlugins\@real.com/nprpchromebrowserrecordext;version=15.0.4.53: C:\Documents and Settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\MozillaPlugins\nprpchromebrowserrecordext.dll (RealNetworks, Inc.)
FF - HKLM\Software\MozillaPlugins\@real.com/nprphtml5videoshim;version=15.0.4.53: C:\Documents and Settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\MozillaPlugins\nprphtml5videoshim.dll (RealNetworks, Inc.)
FF - HKLM\Software\MozillaPlugins\@real.com/nprpplugin;version=15.0.4.53: c:\program files\real\realplayer\Netscape6\nprpplugin.dll (RealPlayer)
FF - HKLM\Software\MozillaPlugins\Adobe Reader: C:\Program Files\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)
FF - HKCU\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\WINDOWS\system32\Macromed\Flash\NPSWF32.dll File not found
FF - HKCU\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: C:\Documents and Settings\Bill Lima\Local Settings\Application Data\Google\Update\1.3.21.123\npGoogleUpdate3.dll (Google Inc.)
FF - HKCU\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: C:\Documents and Settings\Bill Lima\Local Settings\Application Data\Google\Update\1.3.21.123\npGoogleUpdate3.dll (Google Inc.)

FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\{ABDE892B-13A8-4d1b-88E6-365A6E755758}: C:\Documents and Settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\Firefox\Ext [2012/05/27 19:18:25 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\{97E22097-9A2F-45b1-8DAF-36AD648C7EF4}: C:\Documents and Settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\Firefox\Ext [2012/05/27 19:18:25 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\[email protected]: C:\Program Files\AVAST Software\Avast\WebRep\FF [2012/09/28 07:16:32 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 15.0.1\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2012/09/09 20:34:45 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 15.0.1\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2012/09/09 14:53:38 | 000,000,000 | ---D | M]
FF - HKEY_CURRENT_USER\software\mozilla\Firefox\Extensions\\{47861E1B-D351-11E1-8270-B8AC6F996F26}: C:\Documents and Settings\Bill Lima\Local Settings\Application Data\{47861E1B-D351-11E1-8270-B8AC6F996F26}\ [2012/07/21 09:29:50 | 000,000,000 | ---D | M]

[2011/12/03 12:13:19 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Bill Lima\Application Data\Mozilla\Extensions
[2010/01/15 20:37:20 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Bill Lima\Application Data\Mozilla\Extensions\[email protected]
[2012/09/29 12:42:46 | 000,000,000 | ---D | M] (No name found) -- C:\Documents and Settings\Bill Lima\Application Data\Mozilla\Firefox\Profiles\rlms1erm.default\extensions
[2012/08/31 16:29:28 | 001,625,368 | ---- | M] () (No name found) -- C:\Documents and Settings\Bill Lima\Application Data\Mozilla\Firefox\Profiles\rlms1erm.default\extensions\[email protected]
[2012/06/26 18:02:52 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions
[2012/07/21 09:29:50 | 000,000,000 | ---D | M] (Mozilla Safe Browsing) -- C:\DOCUMENTS AND SETTINGS\BILL LIMA\LOCAL SETTINGS\APPLICATION DATA\{47861E1B-D351-11E1-8270-B8AC6F996F26}
[2012/09/09 20:34:45 | 000,266,720 | ---- | M] (Mozilla Foundation) -- C:\Program Files\mozilla firefox\components\browsercomps.dll
[2012/08/30 20:47:30 | 000,002,465 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\bing.xml
[2012/08/30 20:47:30 | 000,002,253 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\twitter.xml

========== Chrome ==========

CHR - homepage: about:blank
CHR - default_search_provider: Search the web (Babylon) (Enabled)
CHR - default_search_provider: search_url = {google:baseURL}search?q={searchTerms}&{google:RLZ}{google:acceptedSuggestion}{google:originalQueryForSuggestion}{google:searchFieldtrialParameter}sourceid=chrome&ie={inputEncoding}
CHR - default_search_provider: suggest_url = {google:baseSuggestURL}search?{google:searchFieldtrialParameter}client=chrome&hl={language}&q={searchTerms}
CHR - homepage: about:blank
CHR - plugin: Remoting Viewer (Enabled) = internal-remoting-viewer
CHR - plugin: Native Client (Enabled) = C:\Documents and Settings\Bill Lima\Local Settings\Application Data\Google\Chrome\Application\22.0.1229.79\ppGoogleNaClPluginChrome.dll
CHR - plugin: Chrome PDF Viewer (Disabled) = C:\Documents and Settings\Bill Lima\Local Settings\Application Data\Google\Chrome\Application\22.0.1229.79\pdf.dll
CHR - plugin: Shockwave Flash (Enabled) = C:\Documents and Settings\Bill Lima\Local Settings\Application Data\Google\Chrome\Application\22.0.1229.79\gcswf32.dll
CHR - plugin: Shockwave Flash (Enabled) = C:\Documents and Settings\Bill Lima\Local Settings\Application Data\Google\Chrome\User Data\PepperFlash\11.2.31.144\pepflashplayer.dll
CHR - plugin: Shockwave Flash (Enabled) = C:\WINDOWS\system32\Macromed\Flash\NPSWF32_11_2_202_235.dll
CHR - plugin: Adobe Acrobat (Enabled) = C:\Program Files\Adobe\Reader 10.0\Reader\Browser\nppdf32.dll
CHR - plugin: Microsoft\u00AE DRM (Enabled) = C:\Program Files\Windows Media Player\npdrmv2.dll
CHR - plugin: Microsoft\u00AE DRM (Enabled) = C:\Program Files\Windows Media Player\npwmsdrm.dll
CHR - plugin: Windows Media Player Plug-in Dynamic Link Library (Enabled) = C:\Program Files\Windows Media Player\npdsplay.dll
CHR - plugin: RealNetworks™ Chrome Background Extension Plug-In (32-bit) (Enabled) = C:\Documents and Settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\MozillaPlugins\nprpchromebrowserrecordext.dll
CHR - plugin: RealPlayer™ HTML5VideoShim Plug-In (32-bit) (Enabled) = C:\Documents and Settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\MozillaPlugins\nprphtml5videoshim.dll
CHR - plugin: RealPlayer™ G2 LiveConnect-Enabled Plug-In (32-bit) (Enabled) = c:\program files\real\realplayer\Netscape6\nppl3260.dll
CHR - plugin: RealPlayer Download Plugin (Enabled) = c:\program files\real\realplayer\Netscape6\nprpplugin.dll
CHR - plugin: Google Update (Enabled) = C:\Documents and Settings\Bill Lima\Local Settings\Application Data\Google\Update\1.3.21.111\npGoogleUpdate3.dll
CHR - plugin: Silverlight Plug-In (Enabled) = C:\Program Files\Microsoft Silverlight\4.1.10329.0\npctrl.dll
CHR - plugin: Java™ Platform SE 7 U4 (Enabled) = C:\Program Files\Oracle\JavaFX 2.1 Runtime\bin\plugin2\npjp2.dll
CHR - plugin: Java Deployment Toolkit 7.0.40.255 (Enabled) = C:\WINDOWS\system32\npDeployJava1.dll
CHR - plugin: Windows Presentation Foundation (Enabled) = C:\WINDOWS\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll
CHR - plugin: Shockwave for Director (Enabled) = C:\WINDOWS\system32\Adobe\Director\np32dsw.dll
CHR - plugin: RealJukebox NS Plugin (Enabled) = c:\program files\real\realplayer\Netscape6\nprjplug.dll
CHR - Extension: Angry Birds = C:\Documents and Settings\Bill Lima\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\aknpkdffaafgjchaibgeefbgmgeghloj\1.5.0.7_0\
CHR - Extension: YouTube = C:\Documents and Settings\Bill Lima\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo\4.2.5_0\
CHR - Extension: Google Search = C:\Documents and Settings\Bill Lima\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf\0.0.0.19_0\
CHR - Extension: avast! WebRep = C:\Documents and Settings\Bill Lima\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\icmlaeflemplmjndnaapfdbbnpncnbda\7.0.1466_0\
CHR - Extension: RealPlayer HTML5Video Downloader Extension = C:\Documents and Settings\Bill Lima\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\jfmjfhklogoienhpfnppmbcbjfjnkonk\1.5_0\
CHR - Extension: Gmail = C:\Documents and Settings\Bill Lima\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia\7_0\

O1 HOSTS File: ([2012/09/30 12:16:18 | 000,000,098 | ---- | M]) - C:\WINDOWS\system32\drivers\etc\Hosts
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: ::1 localhost
O2 - BHO: (RealPlayer Download and Record Plugin for Internet Explorer) - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Documents and Settings\All Users\Application Data\Real\RealPlayer\BrowserRecordPlugin\IE\rpbrowserrecordplugin.dll (RealPlayer)
O2 - BHO: (Spybot-S&D IE Protection) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O2 - BHO: (Ad-Aware Security Toolbar) - {6c97a91e-4524-4019-86af-2aa2d567bf5c} - C:\Program Files\adawaretb\adawareDx.dll ()
O2 - BHO: (Java™ Plug-In SSV Helper) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre7\bin\ssv.dll (Oracle Corporation)
O2 - BHO: (avast! WebRep) - {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll (AVAST Software)
O2 - BHO: (Java™ Plug-In 2 SSV Helper) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre7\bin\jp2ssv.dll (Oracle Corporation)
O3 - HKLM\..\Toolbar: (Ad-Aware Security Toolbar) - {6c97a91e-4524-4019-86af-2aa2d567bf5c} - C:\Program Files\adawaretb\adawareDx.dll ()
O3 - HKLM\..\Toolbar: (avast! WebRep) - {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll (AVAST Software)
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {F0F8ECBE-D460-4B34-B007-56A92E8F84A7} - No CLSID value found.
O4 - HKLM..\Run: [avast] C:\Program Files\AVAST Software\Avast\avastUI.exe (AVAST Software)
O4 - HKLM..\Run: [NvCplDaemon] C:\WINDOWS\System32\NvCpl.dll (NVIDIA Corporation)
O4 - HKLM..\Run: [SoundMan] C:\WINDOWS\soundman.exe (Realtek Semiconductor Corp.)
O4 - HKCU..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe (Safer-Networking Ltd.)
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE (Microsoft Corporation)
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\control panel present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Infodelivery present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O9 - Extra 'Tools' menuitem : Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited)
O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/...indows-i586.cab (Reg Error: Value error.)
O16 - DPF: {CAFEEFAC-0016-0000-0029-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_29)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/...indows-i586.cab (Java Plug-in 1.6.0_29)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.0.1 192.168.0.1
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{1F098974-AE8D-4AC5-A85D-8E20C03B3AF2}: DhcpNameServer = 192.168.0.1 192.168.0.1
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{A27D462E-7DCC-419F-BAD8-F9F98C8E0C78}: DhcpNameServer = 192.168.0.1 192.168.0.1
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\WINDOWS\system32\userinit.exe) - C:\WINDOWS\system32\userinit.exe (Microsoft Corporation)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2008/03/18 23:27:08 | 000,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O32 - AutoRun File - [2005/04/10 23:43:07 | 000,126,077 | ---- | M] () - D:\Autosave Copy of (Untitled).cwp -- [ NTFS ]
O34 - HKLM BootExecute: (autocheck autochk *)
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = ComFile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
O38 - SubSystems\\Windows: (ServerDll=winsrv:UserServerDllInitialization,3)
O38 - SubSystems\\Windows: (ServerDll=winsrv:ConServerDllInitialization,2)

========== Files/Folders - Created Within 30 Days ==========

[2012/10/01 07:18:14 | 000,518,144 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWREG.exe
[2012/10/01 07:18:14 | 000,406,528 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWSC.exe
[2012/10/01 07:18:14 | 000,212,480 | ---- | C] (SteelWerX) -- C:\WINDOWS\SWXCACLS.exe
[2012/10/01 07:18:14 | 000,060,416 | ---- | C] (NirSoft) -- C:\WINDOWS\NIRCMD.exe
[2012/10/01 07:18:05 | 000,000,000 | ---D | C] -- C:\Qoobox
[2012/10/01 07:15:20 | 004,759,381 | R--- | C] (Swearware) -- C:\Documents and Settings\Bill Lima\Desktop\ComboFix.exe
[2012/09/30 19:08:24 | 002,212,440 | ---- | C] (Kaspersky Lab ZAO) -- C:\Documents and Settings\Bill Lima\Desktop\tdsskiller.exe
[2012/09/30 15:38:28 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Malwarebytes' Anti-Malware
[2012/09/30 15:38:25 | 000,022,856 | ---- | C] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[2012/09/30 15:38:25 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2012/09/30 12:15:20 | 000,602,112 | ---- | C] (OldTimer Tools) -- C:\Documents and Settings\Bill Lima\Desktop\OTL.exe
[2012/09/29 19:11:44 | 000,000,000 | ---D | C] -- C:\_OTL
[2012/09/29 15:52:33 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Bill Lima\My Documents\case
[2012/09/29 12:40:55 | 000,205,072 | ---- | C] (Trend Micro Inc.) -- C:\WINDOWS\System32\drivers\tmcomm.sys
[2012/09/28 07:16:59 | 000,021,256 | ---- | C] (AVAST Software) -- C:\WINDOWS\System32\drivers\aswFsBlk.sys
[2012/09/28 07:16:59 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\avast! Free Antivirus
[2012/09/28 07:16:58 | 000,355,632 | ---- | C] (AVAST Software) -- C:\WINDOWS\System32\drivers\aswSP.sys
[2012/09/28 07:16:46 | 000,054,232 | ---- | C] (AVAST Software) -- C:\WINDOWS\System32\drivers\aswTdi.sys
[2012/09/28 07:16:46 | 000,035,928 | ---- | C] (AVAST Software) -- C:\WINDOWS\System32\drivers\aswRdr.sys
[2012/09/28 07:16:45 | 000,729,752 | ---- | C] (AVAST Software) -- C:\WINDOWS\System32\drivers\aswSnx.sys
[2012/09/28 07:16:44 | 000,097,608 | ---- | C] (AVAST Software) -- C:\WINDOWS\System32\drivers\aswmon2.sys
[2012/09/28 07:16:44 | 000,089,624 | ---- | C] (AVAST Software) -- C:\WINDOWS\System32\drivers\aswmon.sys
[2012/09/28 07:16:44 | 000,025,256 | ---- | C] (AVAST Software) -- C:\WINDOWS\System32\drivers\aavmker4.sys
[2012/09/28 07:16:16 | 000,041,224 | ---- | C] (AVAST Software) -- C:\WINDOWS\avastSS.scr
[2012/09/28 07:16:14 | 000,227,648 | ---- | C] (AVAST Software) -- C:\WINDOWS\System32\aswBoot.exe
[2012/09/28 07:15:54 | 000,000,000 | ---D | C] -- C:\Program Files\AVAST Software
[2012/09/28 07:15:54 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\AVAST Software
[2012/09/27 20:01:20 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\GFI Software
[2012/09/27 18:15:13 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\Spybot - Search & Destroy
[2012/09/27 18:15:09 | 000,000,000 | ---D | C] -- C:\Program Files\Spybot - Search & Destroy
[2012/09/27 18:15:09 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
[2012/09/27 07:42:23 | 000,000,000 | ---D | C] -- C:\WINDOWS\temp
[2012/09/27 07:28:15 | 000,000,000 | RH-D | C] -- C:\Documents and Settings\Bill Lima\Recent
[2012/09/19 18:04:44 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Bill Lima\My Documents\REAPER Media
[2012/09/19 18:01:21 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Bill Lima\Application Data\REAPER
[2012/09/19 18:01:15 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Start Menu\Programs\REAPER
[2012/09/19 18:01:14 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Propellerhead Software
[2012/09/19 18:01:07 | 000,000,000 | ---D | C] -- C:\Program Files\REAPER
[2012/09/18 07:26:07 | 000,000,000 | ---D | C] -- C:\Program Files\US122_Install
[2012/09/18 07:26:07 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Bill Lima\Start Menu\Programs\US-122
[2012/09/09 14:54:21 | 000,000,000 | ---D | C] -- C:\Program Files\Common Files\Java
[2012/09/09 14:54:14 | 000,246,760 | ---- | C] (Oracle Corporation) -- C:\WINDOWS\System32\javaws.exe
[2012/09/09 14:54:11 | 000,174,056 | ---- | C] (Oracle Corporation) -- C:\WINDOWS\System32\javaw.exe
[2012/09/09 14:54:11 | 000,174,056 | ---- | C] (Oracle Corporation) -- C:\WINDOWS\System32\java.exe
[2012/09/09 14:54:11 | 000,093,672 | ---- | C] (Oracle Corporation) -- C:\WINDOWS\System32\WindowsAccessBridge.dll
[2012/09/09 14:30:06 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\McAfee
[2012/09/05 18:37:00 | 000,000,000 | ---D | C] -- C:\TDSSKiller_Quarantine
[2012/09/05 18:01:28 | 000,000,000 | ---D | C] -- C:\Documents and Settings\All Users\Application Data\6F63A58823D761060000D6037B07D329
[4 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files - Modified Within 30 Days ==========

[2012/10/01 17:23:00 | 000,000,994 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-1547161642-1715567821-839522115-1004UA.job
[2012/10/01 17:14:00 | 000,000,830 | ---- | M] () -- C:\WINDOWS\tasks\Adobe Flash Player Updater.job
[2012/10/01 07:16:05 | 000,000,322 | -H-- | M] () -- C:\WINDOWS\tasks\avast! Emergency Update.job
[2012/10/01 07:15:35 | 004,759,381 | R--- | M] (Swearware) -- C:\Documents and Settings\Bill Lima\Desktop\ComboFix.exe
[2012/10/01 04:23:00 | 000,000,942 | ---- | M] () -- C:\WINDOWS\tasks\GoogleUpdateTaskUserS-1-5-21-1547161642-1715567821-839522115-1004Core.job
[2012/09/30 22:29:01 | 000,000,418 | ---- | M] () -- C:\WINDOWS\tasks\ReclaimerUpdateXML_Bill Lima.job
[2012/09/30 20:31:02 | 000,000,422 | ---- | M] () -- C:\WINDOWS\tasks\ReclaimerUpdateFiles_Bill Lima.job
[2012/09/30 20:03:32 | 000,001,324 | ---- | M] () -- C:\WINDOWS\System32\d3d9caps.dat
[2012/09/30 19:11:34 | 000,029,239 | ---- | M] () -- C:\WINDOWS\System32\nvapps.xml
[2012/09/30 19:11:05 | 000,000,286 | ---- | M] () -- C:\WINDOWS\tasks\RealUpgradeLogonTaskS-1-5-21-1547161642-1715567821-839522115-1004.job
[2012/09/30 19:11:04 | 000,000,294 | ---- | M] () -- C:\WINDOWS\tasks\RealUpgradeScheduledTaskS-1-5-21-1547161642-1715567821-839522115-1004.job
[2012/09/30 19:10:46 | 000,000,428 | ---- | M] () -- C:\WINDOWS\tasks\RNUpgradeHelperLogonPrompt_Bill Lima.job
[2012/09/30 19:10:28 | 000,002,048 | --S- | M] () -- C:\WINDOWS\bootstat.dat
[2012/09/30 19:08:32 | 002,212,440 | ---- | M] (Kaspersky Lab ZAO) -- C:\Documents and Settings\Bill Lima\Desktop\tdsskiller.exe
[2012/09/30 15:38:28 | 000,000,784 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes Anti-Malware.lnk
[2012/09/30 12:16:18 | 000,000,098 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\Hosts
[2012/09/30 12:15:22 | 000,602,112 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\Bill Lima\Desktop\OTL.exe
[2012/09/29 19:27:45 | 000,000,512 | ---- | M] () -- C:\Documents and Settings\Bill Lima\Desktop\MBR.dat
[2012/09/29 19:14:24 | 000,184,224 | ---- | M] () -- C:\WINDOWS\System32\FNTCACHE.DAT
[2012/09/29 19:11:02 | 000,000,929 | ---- | M] () -- C:\Documents and Settings\Bill Lima\Desktop\Shortcut to aswMBR.exe.lnk
[2012/09/29 12:40:33 | 000,205,072 | ---- | M] (Trend Micro Inc.) -- C:\WINDOWS\System32\drivers\tmcomm.sys
[2012/09/29 12:39:50 | 000,013,646 | ---- | M] () -- C:\WINDOWS\System32\wpa.dbl
[2012/09/28 07:16:59 | 000,001,689 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\avast! Free Antivirus.lnk
[2012/09/28 07:16:45 | 000,002,625 | ---- | M] () -- C:\WINDOWS\System32\CONFIG.NT
[2012/09/27 18:15:14 | 000,000,951 | ---- | M] () -- C:\Documents and Settings\Bill Lima\Application Data\Microsoft\Internet Explorer\Quick Launch\Spybot - Search & Destroy.lnk
[2012/09/27 18:15:14 | 000,000,933 | ---- | M] () -- C:\Documents and Settings\Bill Lima\Desktop\Spybot - Search & Destroy.lnk
[2012/09/27 07:42:24 | 000,000,027 | ---- | M] () -- C:\WINDOWS\System32\drivers\etc\hosts.20120927-191443.backup
[2012/09/26 02:27:54 | 000,002,316 | ---- | M] () -- C:\Documents and Settings\Bill Lima\Desktop\Google Chrome.lnk
[2012/09/26 02:27:54 | 000,002,294 | ---- | M] () -- C:\Documents and Settings\Bill Lima\Application Data\Microsoft\Internet Explorer\Quick Launch\Google Chrome.lnk
[2012/09/20 17:14:32 | 000,696,240 | ---- | M] (Adobe Systems Incorporated) -- C:\WINDOWS\System32\FlashPlayerApp.exe
[2012/09/20 17:14:32 | 000,073,136 | ---- | M] (Adobe Systems Incorporated) -- C:\WINDOWS\System32\FlashPlayerCPLApp.cpl
[2012/09/19 19:40:46 | 000,102,400 | ---- | M] () -- C:\WINDOWS\RegBootClean.exe
[2012/09/19 18:01:15 | 000,000,654 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\REAPER.lnk
[2012/09/16 17:06:37 | 001,153,839 | ---- | M] () -- C:\Documents and Settings\Bill Lima\My Documents\rct.mp3
[2012/09/10 18:11:15 | 000,000,727 | ---- | M] () -- C:\Documents and Settings\Bill Lima\Desktop\Shortcut to attk_far_gui_x86(1).exe.lnk
[2012/09/09 19:45:33 | 000,000,036 | ---- | M] () -- C:\Documents and Settings\Bill Lima\Local Settings\Application Data\housecall.guid.cache
[2012/09/09 14:54:00 | 000,093,672 | ---- | M] (Oracle Corporation) -- C:\WINDOWS\System32\WindowsAccessBridge.dll
[2012/09/09 14:53:59 | 000,821,736 | ---- | M] (Oracle Corporation) -- C:\WINDOWS\System32\npDeployJava1.dll
[2012/09/09 14:53:59 | 000,746,984 | ---- | M] (Oracle Corporation) -- C:\WINDOWS\System32\deployJava1.dll
[2012/09/09 14:53:59 | 000,246,760 | ---- | M] (Oracle Corporation) -- C:\WINDOWS\System32\javaws.exe
[2012/09/09 14:53:59 | 000,174,056 | ---- | M] (Oracle Corporation) -- C:\WINDOWS\System32\javaw.exe
[2012/09/09 14:53:59 | 000,174,056 | ---- | M] (Oracle Corporation) -- C:\WINDOWS\System32\java.exe
[2012/09/09 14:53:59 | 000,143,872 | ---- | M] (Oracle Corporation) -- C:\WINDOWS\System32\javacpl.cpl
[2012/09/07 17:04:46 | 000,022,856 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[4 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

========== Files Created - No Company Name ==========

[2012/10/01 07:18:14 | 000,256,000 | ---- | C] () -- C:\WINDOWS\PEV.exe
[2012/10/01 07:18:14 | 000,208,896 | ---- | C] () -- C:\WINDOWS\MBR.exe
[2012/10/01 07:18:14 | 000,098,816 | ---- | C] () -- C:\WINDOWS\sed.exe
[2012/10/01 07:18:14 | 000,080,412 | ---- | C] () -- C:\WINDOWS\grep.exe
[2012/10/01 07:18:14 | 000,068,096 | ---- | C] () -- C:\WINDOWS\zip.exe
[2012/09/30 15:38:28 | 000,000,784 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Malwarebytes Anti-Malware.lnk
[2012/09/29 19:27:45 | 000,000,512 | ---- | C] () -- C:\Documents and Settings\Bill Lima\Desktop\MBR.dat
[2012/09/29 19:11:02 | 000,000,929 | ---- | C] () -- C:\Documents and Settings\Bill Lima\Desktop\Shortcut to aswMBR.exe.lnk
[2012/09/28 07:16:59 | 000,001,689 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\avast! Free Antivirus.lnk
[2012/09/28 07:16:45 | 000,000,322 | -H-- | C] () -- C:\WINDOWS\tasks\avast! Emergency Update.job
[2012/09/27 18:15:14 | 000,000,951 | ---- | C] () -- C:\Documents and Settings\Bill Lima\Application Data\Microsoft\Internet Explorer\Quick Launch\Spybot - Search & Destroy.lnk
[2012/09/27 18:15:14 | 000,000,933 | ---- | C] () -- C:\Documents and Settings\Bill Lima\Desktop\Spybot - Search & Destroy.lnk
[2012/09/26 22:25:01 | 000,000,428 | ---- | C] () -- C:\WINDOWS\tasks\RNUpgradeHelperLogonPrompt_Bill Lima.job
[2012/09/26 22:25:00 | 000,000,422 | ---- | C] () -- C:\WINDOWS\tasks\ReclaimerUpdateFiles_Bill Lima.job
[2012/09/26 22:25:00 | 000,000,418 | ---- | C] () -- C:\WINDOWS\tasks\ReclaimerUpdateXML_Bill Lima.job
[2012/09/19 18:01:15 | 000,000,654 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\REAPER.lnk
[2012/09/16 17:06:29 | 001,153,839 | ---- | C] () -- C:\Documents and Settings\Bill Lima\My Documents\rct.mp3
[2012/09/10 18:11:15 | 000,000,727 | ---- | C] () -- C:\Documents and Settings\Bill Lima\Desktop\Shortcut to attk_far_gui_x86(1).exe.lnk
[2012/09/09 20:18:31 | 000,102,400 | ---- | C] () -- C:\WINDOWS\RegBootClean.exe
[2012/09/09 19:45:33 | 000,000,036 | ---- | C] () -- C:\Documents and Settings\Bill Lima\Local Settings\Application Data\housecall.guid.cache
[2012/09/05 19:02:14 | 000,000,286 | ---- | C] () -- C:\WINDOWS\tasks\RealUpgradeLogonTaskS-1-5-21-1547161642-1715567821-839522115-1004.job
[2012/02/14 23:56:11 | 000,003,072 | ---- | C] () -- C:\WINDOWS\System32\iacenc.dll
[2011/05/02 07:11:52 | 000,000,064 | ---- | C] () -- C:\WINDOWS\System32\rp_stats.dat
[2011/05/02 07:11:52 | 000,000,044 | ---- | C] () -- C:\WINDOWS\System32\rp_rules.dat
[2008/04/26 03:27:57 | 000,000,280 | ---- | C] () -- C:\Documents and Settings\Bill Lima\Application Data\AVSDVDPlayer.m3u
[2008/03/22 16:52:47 | 000,029,696 | ---- | C] () -- C:\Documents and Settings\Bill Lima\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini

========== ZeroAccess Check ==========

[2008/03/19 03:00:00 | 000,000,227 | RHS- | M] () -- C:\WINDOWS\assembly\Desktop.ini

[HKEY_CURRENT_USER\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]

[HKEY_CURRENT_USER\Software\Classes\clsid\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InProcServer32]

[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]
"" = %SystemRoot%\system32\shdocvw.dll -- [2008/04/13 17:12:05 | 001,499,136 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Apartment

[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InProcServer32]
"" = %systemroot%\system32\wbem\fastprox.dll -- [2009/02/09 05:10:48 | 000,473,600 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Free

[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}\InProcServer32]
"" = %systemroot%\system32\wbem\wbemess.dll -- [2008/04/13 17:12:08 | 000,273,920 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Both

< End of report >


Thank you!!!!

[emeraldnzl]

Hi billgtr,

I think what you did there was click the Run Scan button.

Please paste the fix details as outlined in my post and click the Run Fix button.

[billgtr]

Hi billgtr,

I think what you did there was click the Run Scan button.

Please paste the fix details as outlined in my post and click the Run Fix button.

I posted the wrong log!!

Too many logs on my desktop right now


Here's the right one:


========== OTL ==========
Prefs.js: true removed from browser.search.useDBForOrder
C:\DOCUMENTS AND SETTINGS\BILL LIMA\LOCAL SETTINGS\APPLICATION DATA\{47861E1B-D351-11E1-8270-B8AC6F996F26}\chrome\content folder moved successfully.
C:\DOCUMENTS AND SETTINGS\BILL LIMA\LOCAL SETTINGS\APPLICATION DATA\{47861E1B-D351-11E1-8270-B8AC6F996F26}\chrome folder moved successfully.
C:\DOCUMENTS AND SETTINGS\BILL LIMA\LOCAL SETTINGS\APPLICATION DATA\{47861E1B-D351-11E1-8270-B8AC6F996F26} folder moved successfully.
Use Chrome's Settings page to remove the default_search_provider items.
========== FILES ==========
< ipconfig /flushdns /c >
Windows IP Configuration
Successfully flushed the DNS Resolver Cache.
C:\Documents and Settings\Bill Lima\Desktop\cmd.bat deleted successfully.
C:\Documents and Settings\Bill Lima\Desktop\cmd.txt deleted successfully.
< netsh int ip reset c:\resetlog.txt /c >
C:\Documents and Settings\Bill Lima\Desktop\cmd.bat deleted successfully.
C:\Documents and Settings\Bill Lima\Desktop\cmd.txt deleted successfully.
< ipconfig /release /c >
Windows IP Configuration
Ethernet adapter Local Area Connection 6:
Connection-specific DNS Suffix . :
IP Address. . . . . . . . . . . . : 0.0.0.0
Subnet Mask . . . . . . . . . . . : 0.0.0.0
Default Gateway . . . . . . . . . :
C:\Documents and Settings\Bill Lima\Desktop\cmd.bat deleted successfully.
C:\Documents and Settings\Bill Lima\Desktop\cmd.txt deleted successfully.
< ipconfig /renew /c >
Windows IP Configuration
Ethernet adapter Local Area Connection 6:
Connection-specific DNS Suffix . : domain_not_set.invalid
IP Address. . . . . . . . . . . . : 75.22.90.68
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 75.22.90.69
C:\Documents and Settings\Bill Lima\Desktop\cmd.bat deleted successfully.
C:\Documents and Settings\Bill Lima\Desktop\cmd.txt deleted successfully.
========== COMMANDS ==========

[EMPTYFLASH]

User: Administrator

User: All Users

User: Bill Lima
->Flash cache emptied: 506 bytes

User: Default User

User: LocalService

User: NetworkService

Total Flash Files Cleaned = 0.00 mb


[EMPTYJAVA]

User: Administrator

User: All Users

User: Bill Lima
->Java cache emptied: 0 bytes

User: Default User

User: LocalService

User: NetworkService

Total Java Files Cleaned = 0.00 mb

Restore point Set: OTL Restore Point

OTL by OldTimer - Version 3.2.69.0 log created on 10012012_183722

[emeraldnzl]

Hi billgtr,

Please run a free online scan with the ESET Online Scanner

Vista / Win7 users: Right-click on the either the IE or FF icon in the Start Menu or Quick Launch Bar on the Taskbar and select Run as Administrator.

Note: This scan works with Internet Explorer or Mozilla FireFox.

If using Mozilla Firefox you will need to download esetsmartinstaller_enu.exe when prompted then double click on it to install.

• Click the green ESET Online Scanner box
• Tick the box next to YES, I accept the Terms of Use
  then click on: Start
• You may see a panel towards the top of the screen telling you the website wants to install an addon... click and allow it to install. If your firewall asks whether you want to allow installation, say yes.
• Make sure that the option Scan archives is checked.
• Now click on Advanced Settings and select the following:
  
  • Scan for potentially unwanted applications
  • Scan for potentially unsafe applications
  • Enable Anti-Stealth Technology
• Click on Start
• The virus signature database will begin to download. Be patient this make take some time depending on the speed of your Internet Connection.
• When completed the Online Scan will begin automatically. The scan may take several hours.
• Do not touch either the Mouse or keyboard during the scan otherwise it may stall.
• When completed select Uninstall application on close, make sure you copy the logfile first!
• Then click on: Finish
• Use notepad to open the logfile located at C:\Program Files\ESET\EsetOnlineScanner\log.txt.
• Copy and paste that log as a reply to this topic.

Also tell me if we still have the problem.

[billgtr]

Thank you. Here's the ESET log:

ESETSmartInstaller@High as downloader log:
all ok
# version=7
# OnlineScannerApp.exe=1.0.0.1
# OnlineScanner.ocx=1.0.0.6583
# api_version=3.0.2
# EOSSerial=97d58cca23bde64698f46a6c73ef95e7
# end=finished
# remove_checked=true
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=true
# antistealth_checked=true
# utc_time=2012-10-02 03:04:47
# local_time=2012-10-01 08:04:47 (-0800, Pacific Daylight Time)
# country="United States"
# lang=1033
# osver=5.1.2600 NT Service Pack 3
# compatibility_mode=768 16777215 100 0 123023833 123023833 0 0
# compatibility_mode=8192 67108863 100 0 0 0 0 0
# scanned=88331
# found=8
# cleaned=8
# scan_time=3040
C:\Documents and Settings\Bill Lima\Local Settings\Application Data\Sun\Java\Deployment\cache\6.0\9\3e640749-3ac9abcb a variant of Java/Exploit.CVE-2012-1723.AP trojan (deleted - quarantined) 00000000000000000000000000000000 C
C:\Documents and Settings\Bill Lima\My Documents\Downloads\skb04-05-15d3t04_vbr_downloader.exe Win32/Adware.MediaFinder application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\Program Files\Leapic Video Cutter\VideoCutter.exe a variant of Win32/Packed.Molebox.G application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{0A55F131-CF04-401F-8BA7-9EEC4D009ED1}\RP1335\A0204639.dll Win32/Boaxxe.G trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{0A55F131-CF04-401F-8BA7-9EEC4D009ED1}\RP1356\A0215422.dll a variant of Win32/Toolbar.Babylon application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{0A55F131-CF04-401F-8BA7-9EEC4D009ED1}\RP1356\A0215425.exe probably a variant of Win32/Toolbar.Babylon application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\System Volume Information\_restore{0A55F131-CF04-401F-8BA7-9EEC4D009ED1}\RP1381\A0218347.exe a variant of Win32/Packed.Molebox.G application (cleaned by deleting - quarantined) 00000000000000000000000000000000 C
C:\_OTL\MovedFiles\10012012_183722\C_DOCUMENTS AND SETTINGS\BILL LIMA\LOCAL SETTINGS\APPLICATION DATA\{47861E1B-D351-11E1-8270-B8AC6F996F26}\chrome\content\browser.xul JS/Redirector.NIQ trojan (cleaned by deleting - quarantined) 00000000000000000000000000000000 C


The computer seems to be clean now. No more Avast warnings!!!

[emeraldnzl]

Hello again billgtr,

I think your machine is clean.

Now

Your Adobe Acrobat Reader is out of date. Older versions are vunerable to attack.

Please go to the link below to update.

http://www.adobe.com.../readstep2.html

Step 2

Your computer is overdue for defrag:

Click on Start > Accessories > Tools > System Tools > Disk Defragmenter and click on the defragmenter button. If you haven't done this before it may take a very long time to complete its task.

Step 3

Please run OTL.exe

• Under the Custom Scans/Fixes box at the bottom, paste in the following
  
  

  
  :Commands
  [emptytemp]
  [resethosts]
  

• Then click the Run Fix button at the top
• Let the program run unhindered, reboot when it is done

Next.

We have a couple of last steps to perform and then you're all set.

Follow these steps to uninstall Combofix and tools used in the removal of malware. This will also clean out and reset your Restore Points.

• Go to Start > Programs > Accessories and click on Run
• Copy and paste the the bolded text below in the box then hit OK
  
  Combofix /Uninstall
  
  

Step 2

• Double-click OTL.exe to run it. (Vista users, please right click on OTL.exe and select "Run as an Administrator")
• Click on the CleanUp! button
• Click Yes to begin the Cleanup process and remove these components, including this application.
• You will be asked to reboot the machine to finish the Cleanup process. If you are asked to reboot the machine choose Yes.

MBAM can be uninstalled via control panel add/remove but it may be a useful tool to keep.

-------------------------------------------------------------------------------------------------------------------

A reminder: Remember to turn back on any anti-malware programs you may have turned off during the cleaning process.

-------------------------------------------------------------------------------------------------------------------

Now that your machine is clean here are some things that I think are worth having a look at if you don't already know about them:

---------------------------------------------------------------------------------------------------------------------

Regularly check that your Java is up to date. Older versions are vunerable to malicious attack.

• Download Java for Windows
  
  Reboot your computer.
  You also need to unininstall older versions of Java.
  
• Click Start > Control Panel > Add or Remove Programs
• Remove all Java updates except the latest one you have just installed.

---------------------------------------------------------------------------------------------------------------------

Make Internet Explorer more secure

• Click Start > Run
• Type Inetcpl.cpl & click OK
• Click on the Security tab
• Click Reset all zones to default level
• Make sure the Internet Zone is selected & Click Custom level
• In the ActiveX section, set the first two options ("Download signed and unsigned ActiveX controls) to "Prompt", and ("Initialize and Script ActiveX controls not marked as safe") to "Disable".
• Next Click OK, then Apply button and then OK to exit the Internet Properties page.

* Consider using an alternate browser.

Opera may be downloaded from here. It is one of the least targeted of all browers.

Avant may be downloaded from here. Another one that is less well known.

Chrome may be downloaded from here . One of the most used nowadays.

Firefox may be downloaded from Here. I use Firefox because I like it. Used to be one of the safest but now targeted probably as much as IE.

Adblock Plus is a good Add-on for Firefox that helps prevent those annoying pop ups.

NoSript by Giorgio Maone is another one to add to your protection.

No scripts is an excellant security device. I like it but it is not for everyone because it requires you to take action if you want to see some things (pop ups, banners etc.) on sites you visit.

Further, sometimes you will get a site telling you that you need to install Java when actually all you need to do is enable the site through the no script icon down on the right hand side of your computer.

-----------------------------------------------------------------------------------------------------------------------

To help protect your computer in the future:

• If you do not already have automatic updates set then it is recommended that you do set Windows to check, download and install your updates automatically.
  
  * Click Start > Control Panel > System and Security > Windows Update
  * Under Windows Update click on Turn automatic updating on or off
  * Check items shown to ensure you receive updates automatically. Click OK.
  
  And to keep your system clean consider choosing from these free for home use malware scanners and updating and running weekly.
  
• Malwarebytes
• SuperAntiSpyWare

Be aware of what emails you open and websites you visit.

Go here for some good advice about how to prevent infection.

Have a safe and happy computing day!

[billgtr]

all done!!! Thanks for your help!!! I really appreciate it!!

Bill

[emeraldnzl]

You are very welcome

I will keep this topic open for a day or two in case any issues arise.

[emeraldnzl]

Since this issue appears to be resolved ... this Topic has been closed. Glad we could help.

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.