Certain of malware on HP laptop, Windows 7

Solved
By cableman
Jan 25, 2013
  1. I am getting pop-ups saying Windows is not authentic, and Windows Update is not working. There are other error messages and problems as well. I followed your four-step plan and posted the logs below. Thank you in advance for any help.

    Malwarebytes Anti-Malware 1.70.0.1100
    www.malwarebytes.org

    Database version: v2013.01.25.07

    Windows 7 Service Pack 1 x86 NTFS
    Internet Explorer 9.0.8112.16421
    Administrator :: USER-HP [administrator]

    1/25/2013 1:29:09 PM
    mbam-log-2013-01-25 (13-29-09).txt

    Scan type: Quick scan
    Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
    Scan options disabled: P2P
    Objects scanned: 239030
    Time elapsed: 6 minute(s), 48 second(s)

    Memory Processes Detected: 0
    (No malicious items detected)

    Memory Modules Detected: 0
    (No malicious items detected)

    Registry Keys Detected: 21
    HKCR\AppID\{F85FA3F2-D2C8-4D4D-BB1C-3181E691AF2B} (PUP.FaceThemes) -> Quarantined and deleted successfully.
    HKCR\CLSID\{11111111-1111-1111-1111-110011041135} (PUP.Codec.PR) -> Quarantined and deleted successfully.
    HKCR\TypeLib\{44444444-4444-4444-4444-440044044435} (PUP.Codec.PR) -> Quarantined and deleted successfully.
    HKCR\Interface\{55555555-5555-5555-5555-550055045535} (PUP.Codec.PR) -> Quarantined and deleted successfully.
    HKCR\CrossriderApp0000435.BHO.1 (PUP.Codec.PR) -> Quarantined and deleted successfully.
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{11111111-1111-1111-1111-110011041135} (PUP.Codec.PR) -> Quarantined and deleted successfully.
    HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{11111111-1111-1111-1111-110011041135} (PUP.Codec.PR) -> Quarantined and deleted successfully.
    HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{11111111-1111-1111-1111-110011041135} (PUP.Codec.PR) -> Quarantined and deleted successfully.
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{11111111-1111-1111-1111-110011041135} (PUP.Codec.PR) -> Quarantined and deleted successfully.
    HKCR\Typelib\{A3F56272-CDB4-4310-9BB1-9A0D0757A3B3} (PUP.FaceThemes) -> Quarantined and deleted successfully.
    HKCR\Interface\{D6975F9E-15B2-4FE7-9D16-FC2E85CB201B} (PUP.FaceThemes) -> Quarantined and deleted successfully.
    HKCR\CLSID\{300BEC06-B743-4D19-86B9-11DC711D7FFB} (PUP.FaceThemes) -> Quarantined and deleted successfully.
    HKCR\SelectionLinks.SelectionLinksBHO.1 (PUP.FaceThemes) -> Quarantined and deleted successfully.
    HKCR\SelectionLinks.SelectionLinksBHO (PUP.FaceThemes) -> Quarantined and deleted successfully.
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{300BEC06-B743-4D19-86B9-11DC711D7FFB} (PUP.FaceThemes) -> Quarantined and deleted successfully.
    HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{300BEC06-B743-4D19-86B9-11DC711D7FFB} (PUP.FaceThemes) -> Quarantined and deleted successfully.
    HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{300BEC06-B743-4D19-86B9-11DC711D7FFB} (PUP.FaceThemes) -> Quarantined and deleted successfully.
    HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{300BEC06-B743-4D19-86B9-11DC711D7FFB} (PUP.FaceThemes) -> Quarantined and deleted successfully.
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{300BEC06-B743-4D19-86B9-11DC711D7FFB} (PUP.FaceThemes) -> Quarantined and deleted successfully.
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{300BEC06-B743-4D19-86B9-11DC711D7FFB} (PUP.FaceThemes) -> Quarantined and deleted successfully.
    HKCR\CrossriderApp0000435.BHO (PUP.Codec.PR) -> Quarantined and deleted successfully.

    Registry Values Detected: 0
    (No malicious items detected)

    Registry Data Items Detected: 0
    (No malicious items detected)

    Folders Detected: 0
    (No malicious items detected)

    Files Detected: 3
    C:\Program Files\Premiumplay Codec-C\Premiumplay Codec-C.dll (PUP.Codec.PR) -> Quarantined and deleted successfully.
    C:\Program Files\OApps\SelectionLinks.dll (PUP.FaceThemes) -> Quarantined and deleted successfully.
    C:\Users\Administrator\Downloads\mplayer_Setup.exe (PUP.Bundle.Installer.OI) -> Quarantined and deleted successfully.

    (end)


    DDS (Ver_2012-11-20.01) - NTFS_x86
    Internet Explorer: 9.0.8112.16421 BrowserJavaVersion: 1.6.0_26
    Run by Administrator at 14:09:46 on 2013-01-25
    Microsoft Windows 7 Professional 6.1.7601.1.1252.1.1033.18.1782.826 [GMT -5:00]
    .
    AV: avast! Antivirus *Enabled/Updated* {2B2D1395-420B-D5C9-657E-930FE358FC3C}
    SP: avast! Antivirus *Enabled/Updated* {904CF271-6431-DA47-5FCE-A87D98DFB681}
    .
    ============== Running Processes ================
    .
    C:\windows\system32\wininit.exe
    C:\windows\system32\lsm.exe
    C:\Program Files\Hewlett-Packard\File Sanitizer\HPFSService.exe
    C:\windows\system32\atiesrxx.exe
    C:\Program Files\IDT\WDM\STacSV.exe
    C:\windows\system32\atieclxx.exe
    C:\windows\system32\Hpservice.exe
    C:\windows\system32\vcsFPService.exe
    C:\windows\system32\WLANExt.exe
    C:\windows\system32\conhost.exe
    C:\Program Files\AVAST Software\Avast\AvastSvc.exe
    C:\windows\System32\spoolsv.exe
    C:\Program Files\Common Files\ActivIdentity\ac.sharedstore.exe
    C:\Program Files\ActivIdentity\ActivClient\acevents.exe
    C:\Program Files\IDT\WDM\aestsrv.exe
    C:\Program Files\LSI SoftModem\agrsmsvc.exe
    C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe
    c:\Program Files\Hewlett-Packard\HP QuickLook\HPDayStarterService.exe
    C:\Program Files\Common Files\LightScribe\LSSrvc.exe
    C:\Program Files\PDF Complete\pdfsvc.exe
    C:\Program Files\Common Files\Portrait Displays\Drivers\pdisrvc.exe
    C:\Program Files\QUALCOMM\QDLService2k\QDLService2kHP.exe
    C:\windows\system32\rpcnet.exe
    C:\Program Files\TuneUp Utilities 2012\TuneUpUtilitiesService32.exe
    C:\windows\system32\SearchIndexer.exe
    C:\windows\system32\taskhost.exe
    C:\windows\system32\taskeng.exe
    C:\Program Files\TuneUp Utilities 2012\TuneUpUtilitiesApp32.exe
    C:\windows\system32\Dwm.exe
    C:\windows\Explorer.EXE
    C:\ProgramData\Premium\Codec\Codec.exe
    C:\Program Files\Malwarebytes' Anti-Malware\mbamscheduler.exe
    C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
    C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    C:\Program Files\IDT\WDM\sttray.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\AVAST Software\Avast\AvastUI.exe
    C:\Program Files\Hewlett-Packard\HP Advisor\DOCK\HPAdvisorDock.exe
    C:\Program Files\Siber Systems\AI RoboForm\robotaskbaricon.exe
    C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\Mozilla Firefox\plugin-container.exe
    C:\windows\system32\Macromed\Flash\FlashPlayerPlugin_11_4_402_278.exe
    C:\windows\system32\Macromed\Flash\FlashPlayerPlugin_11_4_402_278.exe
    C:\Program Files\Hewlett-Packard\HP Advisor\HPAdvisor.exe
    C:\windows\system32\wbem\WmiPrvSE.exe
    C:\Windows\system32\WUDFHost.exe
    C:\windows\system32\conhost.exe
    C:\windows\system32\wbem\WmiPrvSE.exe
    C:\windows\system32\svchost.exe -k DcomLaunch
    C:\windows\system32\svchost.exe -k RPCSS
    C:\windows\System32\svchost.exe -k LocalServiceNetworkRestricted
    C:\windows\System32\svchost.exe -k LocalSystemNetworkRestricted
    C:\windows\system32\svchost.exe -k netsvcs
    C:\windows\system32\svchost.exe -k LocalService
    C:\windows\system32\svchost.exe -k NetworkService
    C:\windows\system32\svchost.exe -k LocalServiceNoNetwork
    C:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
    C:\windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
    C:\windows\system32\svchost.exe -k bthsvcs
    .
    ============== Pseudo HJT Report ===============
    .
    uStart Page = hxxp://www.ask.com/?l=dis&o=102874&gct=hp
    BHO: Adobe PDF Reader Link Helper: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
    BHO: Coupon Companion Plugin: {11111111-1111-1111-1111-110211181104} - c:\program files\coupon companion plugin\Coupon Companion Plugin.dll
    BHO: File Sanitizer for HP ProtectTools: {3134413B-49B4-425C-98A5-893C1F195601} - c:\program files\hewlett-packard\file sanitizer\IEBHO.dll
    BHO: Incredibar.com Helper Object: {6E13DDE1-2B6E-46CE-8B66-DC8BF36F6B99} - c:\program files\incredibar.com\incredibar\1.5.3.27\bh\incredibar.dll
    BHO: RoboForm BHO: {724d43a9-0d85-11d4-9908-00400523e39a} - c:\program files\siber systems\ai roboform\roboform.dll
    BHO: avast! WebRep: {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - c:\program files\avast software\avast\aswWebRepIE.dll
    BHO: Windows Live Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
    BHO: WeCareReminder Class: {D824F0DE-3D60-4F57-9EB1-66033ECD8ABB} - c:\programdata\wecarereminder\IEHelperv2.5.0.dll
    BHO: Java(tm) Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - c:\program files\java\jre6\bin\jp2ssv.dll
    TB: &RoboForm: {724D43A0-0D85-11D4-9908-00400523E39A} - c:\program files\siber systems\ai roboform\roboform.dll
    TB: &RoboForm: {724d43a0-0d85-11d4-9908-00400523e39a} - c:\program files\siber systems\ai roboform\roboform.dll
    TB: Incredibar Toolbar: {F9639E4A-801B-4843-AEE3-03D9DA199E77} - c:\program files\incredibar.com\incredibar\1.5.3.27\incredibarTlbr.dll
    TB: avast! WebRep: {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - c:\program files\avast software\avast\aswWebRepIE.dll
    uRun: [HPAdvisorDock] c:\program files\hewlett-packard\hp advisor\dock\HPAdvisorDock.exe
    uRun: [RoboForm] "c:\program files\siber systems\ai roboform\RoboTaskBarIcon.exe"
    uRun: [Exetender] "c:\program files\free ride games\GPlayer.exe" /runonstartup
    mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
    mRun: [SysTrayApp] c:\program files\idt\wdm\sttray.exe
    mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
    mRun: [avast] "c:\program files\avast software\avast\avastUI.exe" /nogui
    dRun: [Exetender] "c:\program files\free ride games\GPlayer.exe" /runonstartup
    uPolicies-Explorer: NoDriveTypeAutoRun = dword:145
    mPolicies-System: ConsentPromptBehaviorUser = dword:3
    mPolicies-System: EnableUIADesktopToggle = dword:0
    IE: {320AF880-6646-11D3-ABEE-C5DBF3571F46} - c:\program files\siber systems\ai roboform\RoboFormComFillForms.html
    IE: {320AF880-6646-11D3-ABEE-C5DBF3571F49} - c:\program files\siber systems\ai roboform\RoboFormComSavePass.html
    IE: {724d43aa-0d85-11d4-9908-00400523e39a} - c:\program files\siber systems\ai roboform\RoboFormComShowToolbar.html
    IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503}
    IE: {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\program files\widcomm\bluetooth software\btsendto_ie.htm
    DPF: {6A060448-60F9-11D5-A6CD-0002B31F7455} -
    DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
    DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
    DPF: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
    DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
    DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
    TCP: NameServer = 192.168.1.1 205.152.37.23
    TCP: Interfaces\{386C4CDF-B88A-4FB1-9A4D-51A5E7F17435} : DHCPNameServer = 192.168.1.1 205.152.37.23
    TCP: Interfaces\{386C4CDF-B88A-4FB1-9A4D-51A5E7F17435}\B41686E6D28405 : DHCPNameServer = 192.168.0.1
    TCP: Interfaces\{386C4CDF-B88A-4FB1-9A4D-51A5E7F17435}\D4963627F61476568435 : DHCPNameServer = 192.168.0.1
    TCP: Interfaces\{386C4CDF-B88A-4FB1-9A4D-51A5E7F17435}\D49637370596767697 : DHCPNameServer = 192.168.0.1 205.152.37.23
    TCP: Interfaces\{D1EB2698-7141-45DB-88D5-F8B954FFE9A3}\854414D275966696D23586162796E676 : DHCPNameServer = 192.168.1.1
    mASetup: {10880D85-AAD9-4558-ABDC-2AB1552D831F} - "c:\program files\common files\lightscribe\LSRunOnce.exe"
    IFEO: hppa_main.exe - "c:\program files\tuneup utilities 2012\TUAutoReactivator32.exe"
    IFEO: hptcs.exe - "c:\program files\tuneup utilities 2012\TUAutoReactivator32.exe"
    IFEO: hpwa_main.exe - "c:\program files\tuneup utilities 2012\TUAutoReactivator32.exe"
    IFEO: setup.exe - "c:\program files\tuneup utilities 2012\TUAutoReactivator32.exe"
    .
    ================= FIREFOX ===================
    .
    FF - ProfilePath - c:\users\administrator\appdata\roaming\mozilla\firefox\profiles\xibtwus7.default\
    FF - prefs.js: browser.search.selectedEngine - Google
    FF - prefs.js: browser.startup.homepage - hxxps://www.google.com/
    FF - prefs.js: keyword.URL - hxxp://mystart.incredibar.com/mb119/?loc=IB_DS&a=6Oysndgc9f&&I=26&search=
    FF - prefs.js: network.proxy.gopher -
    FF - prefs.js: network.proxy.gopher_port - 0
    FF - prefs.js: network.proxy.type - 0
    FF - plugin: c:\program files\google\update\1.3.21.123\npGoogleUpdate3.dll
    FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
    FF - plugin: c:\program files\microsoft silverlight\4.0.60831.0\npctrlui.dll
    FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
    FF - plugin: c:\programdata\real\realplayer\browserrecordplugin\mozillaplugins\nprphtml5videoshim.dll
    FF - plugin: c:\windows\system32\macromed\flash\NPSWF32_11_4_402_278.dll
    FF - ExtSQL: 2012-12-22 05:42; plugin@selectionlinks.com; c:\users\administrator\appdata\roaming\mozilla\firefox\profiles\xibtwus7.default\extensions\plugin@selectionlinks.com
    FF - ExtSQL: 2012-12-22 05:45; wecarereminder@bryan; c:\users\administrator\appdata\roaming\mozilla\firefox\profiles\xibtwus7.default\extensions\wecarereminder@bryan
    FF - ExtSQL: 2013-01-25 00:48; wrc@avast.com; c:\program files\avast software\avast\webrep\FF
    .
    ---- FIREFOX POLICIES ----
    FF - user.js: extensions.incredibar_i.newTab - false
    FF - user.js: extensions.incredibar_i.tlbrSrchUrl - hxxp://mystart.Incredibar.com/?a=6Oysndgc9f&loc=IB_TB&I=26&search=
    FF - user.js: extensions.incredibar_i.id - a063e759000000000000cc52aff747fc
    FF - user.js: extensions.incredibar_i.hardId - a063e759000000000000cc52aff747fc
    FF - user.js: extensions.incredibar_i.instlDay - 15379
    FF - user.js: extensions.incredibar_i.vrsn - 1.5.3.27
    FF - user.js: extensions.incredibar_i.vrsni - 1.5.3.27
    FF - user.js: extensions.incredibar_i.vrsnTs - 1.5.3.2711:07:01
    FF - user.js: extensions.incredibar_i.prtnrId - Incredibar
    FF - user.js: extensions.incredibar_i.prdct - incredibar
    FF - user.js: extensions.incredibar_i.aflt - orgnl
    FF - user.js: extensions.incredibar_i.smplGrp - none
    FF - user.js: extensions.incredibar_i.tlbrId - base
    FF - user.js: extensions.incredibar_i.instlRef -
    FF - user.js: extensions.incredibar_i.dfltLng -
    FF - user.js: extensions.incredibar_i.excTlbr - false
    FF - user.js: extensions.incredibar_i.ms_url_id -
    FF - user.js: extensions.incredibar_i.upn2 - 6Oysndgc9f
    FF - user.js: extensions.incredibar_i.upn2n - 92260871127040989
    FF - user.js: extensions.incredibar_i.productid - 26
    FF - user.js: extensions.incredibar_i.installerproductid - 26
    FF - user.js: extensions.incredibar_i.did - 10606
    FF - user.js: extensions.incredibar_i.ppd - 48
    FF - user.js: network.http.max-persistent-connections-per-server - 4
    FF - user.js: nglayout.initialpaint.delay - 600
    FF - user.js: content.notify.interval - 600000
    FF - user.js: content.max.tokenizing.time - 1800000
    FF - user.js: content.switch.threshold - 600000
    user_pref('extensions.autoDisableScopes', 0);user_pref('security.csp.enable', false);user_pref('security.OCSP.enabled', 0);
    ============= SERVICES / DRIVERS ===============
    .
    R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2010-6-25 64288]
    R1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [2013-1-25 738504]
    R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2013-1-25 361032]
    R2 ac.sharedstore;ActivIdentity Shared Store Service;c:\program files\common files\actividentity\ac.sharedstore.exe [2009-6-3 207400]
    R2 AESTFilters;Andrea ST Filters Service;c:\program files\idt\wdm\AEstSrv.exe [2011-11-6 81920]
    R2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [2010-4-8 172032]
    R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2013-1-25 21256]
    R2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [2013-1-25 58680]
    R2 avast! Antivirus;avast! Antivirus;c:\program files\avast software\avast\AvastSvc.exe [2013-1-25 44808]
    R2 HPDayStarterService;HP DayStarter Service;c:\program files\hewlett-packard\hp quicklook\HPDayStarterService.exe [2010-3-25 90112]
    R2 HPFSService;File Sanitizer for HP ProtectTools;c:\program files\hewlett-packard\file sanitizer\HPFSService.exe [2010-1-19 297984]
    R2 hpsrv;HP Service;c:\windows\system32\hpservice.exe [2010-6-15 26168]
    R2 MBAMScheduler;MBAMScheduler;c:\program files\malwarebytes' anti-malware\mbamscheduler.exe [2013-1-25 398184]
    R2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2013-1-25 682344]
    R2 pdfcDispatcher;PDF Document Manager;c:\program files\pdf complete\pdfsvc.exe [2010-5-23 635416]
    R2 PdiService;Portrait Displays SDK Service;c:\program files\common files\portrait displays\drivers\pdisrvc.exe [2011-11-6 113264]
    R2 QDLService2kHP;Qualcomm Gobi 2000 Download Service (HP);c:\program files\qualcomm\qdlservice2k\QDLService2kHP.exe [2010-3-15 331000]
    R2 TuneUp.UtilitiesSvc;TuneUp Utilities Service;c:\program files\tuneup utilities 2012\TuneUpUtilitiesService32.exe [2011-10-12 1479488]
    R2 vcsFPService;Validity VCS Fingerprint Service;c:\windows\system32\vcsFPService.exe [2010-2-18 1664304]
    R3 btwl2cap;Bluetooth L2CAP Service;c:\windows\system32\drivers\btwl2cap.sys [2010-6-20 29472]
    R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2013-1-25 21104]
    R3 TuneUpUtilitiesDrv;TuneUpUtilitiesDrv;c:\program files\tuneup utilities 2012\TuneUpUtilitiesDriver32.sys [2011-9-22 10064]
    S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
    S2 rimspci;rimspci;c:\windows\system32\drivers\rimspe86.sys [2010-6-20 48640]
    S2 risdpcie;risdpcie;c:\windows\system32\drivers\risdpe86.sys [2010-6-20 47616]
    S2 rixdpcie;rixdpcie;c:\windows\system32\drivers\rixdpe86.sys [2010-6-20 38912]
    S2 rpcld;Remote Procedure Call (RPC) LD;c:\programdata\rpcnet\bin\rpcld.exe --> c:\programdata\rpcnet\bin\rpcld.exe [?]
    S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2009-7-13 229888]
    S3 qcfilterhp2k;Gobi 2000 USB Composite Device Filter Driver(03F0-251D);c:\windows\system32\drivers\qcfilterhp2k.sys [2010-3-15 5248]
    S3 qcusbnethp2k;Gobi 2000 USB-NDIS miniport(03F0-251D);c:\windows\system32\drivers\qcusbnethp2k.sys [2010-3-15 208384]
    S3 qcusbserhp2k;Gobi 2000 USB Device for Legacy Serial Communication(03F0-251D);c:\windows\system32\drivers\qcusbserhp2k.sys [2010-3-15 106880]
    S3 RoxMediaDB10;RoxMediaDB10;c:\program files\common files\roxio shared\10.0\sharedcom\RoxMediaDB10.exe [2009-11-23 1120752]
    S3 RoxMediaDB12OEM;RoxMediaDB12OEM;c:\program files\common files\roxio shared\oem\12.0\sharedcom\RoxMediaDB12OEM.exe [2011-1-15 1116656]
    S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\drivers\Rt86win7.sys [2011-9-29 279656]
    S3 rtsuvc;HP Webcam [2 MP Fixed];c:\windows\system32\drivers\rtsuvc.sys [2010-6-20 73344]
    S3 StorSvc;Storage Service;c:\windows\system32\svchost.exe -k LocalSystemNetworkRestricted [2009-7-13 20992]
    S3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\TsUsbFlt.sys [2011-8-12 52224]
    S3 vpcuxd;USB Virtualization Stub Service;c:\windows\system32\drivers\vpcuxd.sys [2011-8-12 12800]
    S3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\wat\WatAdminSvc.exe [2010-6-25 1343400]
    S3 yukonw7;NDIS6.2 Miniport Driver for Marvell Yukon Ethernet Controller;c:\windows\system32\drivers\yk62x86.sys [2010-1-8 316416]
    S4 HP Power Assistant Service;HP Power Assistant Service;c:\program files\hewlett-packard\hp power assistant\HPPA_Service.exe [2011-6-2 133688]
    S4 HP Wireless Assistant Service;HP Wireless Assistant Service;c:\program files\hewlett-packard\hp wireless assistant\HPWA_Service.exe [2010-4-5 103992]
    S4 hpHotkeyMonitor;HP Hotkey Monitor;c:\program files\hewlett-packard\hp hotkey support\hpHotkeyMonitor.exe [2010-3-1 264248]
    .
    =============== Created Last 30 ================
    .
    2013-01-25 18:18:10 21104 ----a-w- c:\windows\system32\drivers\mbam.sys
    2013-01-25 18:18:09 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2013-01-25 18:16:47 -------- d-----w- c:\users\administrator\appdata\local\Programs
    2013-01-25 05:40:32 44784 ----a-w- c:\windows\system32\drivers\aswRdr2.sys
    2013-01-25 05:40:29 738504 ----a-w- c:\windows\system32\drivers\aswSnx.sys
    2013-01-25 05:40:25 58680 ----a-w- c:\windows\system32\drivers\aswMonFlt.sys
    2013-01-25 05:40:08 41224 ----a-w- c:\windows\avastSS.scr
    2013-01-24 14:22:51 97 ----a-w- c:\users\administrator\appdata\roaming\netstat.bat
    2013-01-20 08:31:20 -------- d-----w- c:\program files\NirSoft
    .
    ==================== Find3M ====================
    .
    2013-01-25 18:52:48 17920 ----a-w- c:\windows\system32\rpcnetp.exe
    2013-01-25 18:52:46 58288 ----a-w- c:\windows\system32\rpcnet.dll
    .
    ============= FINISH: 14:18:08.59 ===============
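As an added example (not part of cableman's post or of any of the tools mentioned), a small Python parser for the Malwarebytes 1.x log format pasted above. It turns each "X Detected: N" section into records, checks that the declared counts match the entries actually listed (a truncated paste is a common reason a helper has to ask for the log again), totals detections per threat name, and lists any entry whose action is not a successful quarantine. The sample log is constructed from a few of the lines above, with one file entry deliberately dropped and one action changed so the checks have something to report.

```python
"""Parse a Malwarebytes Anti-Malware 1.x text log into structured detections
and sanity-check it the way a helper would when triaging a posted log."""
import re
from collections import Counter

# Header lines such as "Database version: v2013.01.25.07"
HEADER_RE = re.compile(r"^(Database version|Scan type|Objects scanned|Time elapsed):\s*(.+)$")
# Section headers such as "Registry Keys Detected: 21"
SECTION_RE = re.compile(r"^(.+?) Detected:\s*(\d+)$")
# Detection lines such as "HKCR\...\{GUID} (PUP.FaceThemes) -> Quarantined and deleted successfully."
ENTRY_RE = re.compile(r"^(?P<item>.+?) \((?P<threat>[^()]+)\) -> (?P<action>.+?)\.?$")

# Constructed sample: a subset of the log above, with "Files Detected" deliberately
# declaring 3 entries while only 2 are listed, and one action changed to "Delete on reboot".
SAMPLE_LOG = r"""Malwarebytes Anti-Malware 1.70.0.1100
www.malwarebytes.org

Database version: v2013.01.25.07

Scan type: Quick scan
Objects scanned: 239030

Memory Processes Detected: 0
(No malicious items detected)

Registry Keys Detected: 3
HKCR\AppID\{F85FA3F2-D2C8-4D4D-BB1C-3181E691AF2B} (PUP.FaceThemes) -> Quarantined and deleted successfully.
HKCR\CLSID\{11111111-1111-1111-1111-110011041135} (PUP.Codec.PR) -> Quarantined and deleted successfully.
HKCR\CrossriderApp0000435.BHO.1 (PUP.Codec.PR) -> Quarantined and deleted successfully.

Files Detected: 3
C:\Program Files\OApps\SelectionLinks.dll (PUP.FaceThemes) -> Quarantined and deleted successfully.
C:\Users\Administrator\Downloads\mplayer_Setup.exe (PUP.Bundle.Installer.OI) -> Delete on reboot.

(end)
"""


def parse_mbam_log(text):
    """Return {'header': {...}, 'sections': {name: {'declared': n, 'entries': [...]}}}."""
    header, sections = {}, {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line in ("(end)", "(No malicious items detected)"):
            continue
        m = HEADER_RE.match(line)
        if m:
            header[m.group(1)] = m.group(2)
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            sections[current] = {"declared": int(m.group(2)), "entries": []}
            continue
        m = ENTRY_RE.match(line)
        if m and current is not None:
            sections[current]["entries"].append(m.groupdict())
    return {"header": header, "sections": sections}


def count_mismatches(parsed):
    """Sections whose declared count differs from the entries actually listed.
    A non-empty result means the log was truncated or edited before posting."""
    return {name: (s["declared"], len(s["entries"]))
            for name, s in parsed["sections"].items()
            if s["declared"] != len(s["entries"])}


def threat_summary(parsed):
    """Number of detections per threat name across all sections."""
    counts = Counter()
    for s in parsed["sections"].values():
        for e in s["entries"]:
            counts[e["threat"]] += 1
    return counts


def unresolved(parsed):
    """Entries not quarantined and deleted successfully; these need follow-up after a reboot."""
    return [e for s in parsed["sections"].values() for e in s["entries"]
            if not e["action"].startswith("Quarantined and deleted successfully")]


if __name__ == "__main__":
    result = parse_mbam_log(SAMPLE_LOG)
    print("header:", result["header"])
    print("declared/listed mismatches:", count_mismatches(result))
    print("per-threat totals:", dict(threat_summary(result)))
    print("unresolved:", [e["item"] for e in unresolved(result)])
```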


  2. Jay Pfoutz

    Jay Pfoutz (Malware Helper)

    Hi there!

    ComboFix scan

    Please download ComboFix by sUBs
    From TechSpot

    Direct Link (alternative)

    Please save the file to your Desktop.

    Important information about ComboFix


    After the download:
    • Close any open browsers.
    • Very Important: Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results". Please visit here if you don't know how.
    • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
    • Please do not attempt to re-connect your machine back to the Internet until ComboFix has completely finished.
    • If there is no Internet connection after running ComboFix, then restart your computer to restore back your connection.
    Running ComboFix:
    • Double click on ComboFix.exe & follow the prompts.
    • When ComboFix finishes, it will produce a report for you.
    • Please post the report, which will launch or be found at "C:\Combo-Fix.txt" in your next reply.
    Troubleshooting ComboFix

    Safe Mode:

    If you still cannot get ComboFix to run, try booting into Safe Mode, and run it there.

    (To boot into Safe Mode, tap F8 after BIOS, and just before the Windows logo appears. A list of options will appear, select "Safe Mode.")

    Re-downloading:

    If this doesn't work either, try the same method as above, but download it again and rename ComboFix.exe to iexplore.exe, explorer.exe, or winlogon.exe.

    Malware is known for blocking all "user" processes, except for its whitelist of system important processes such as iexplore.exe, explorer.exe, winlogon.exe.

    NOTE: If you encounter a message "illegal operation attempted on registry key that has been marked for deletion" and no programs will run - please just reboot and that will resolve that error.


    Adware Cleaning

    Please download AdwCleaner by Xplode onto your Desktop.
    • Double click on AdwCleaner.exe to run the tool.
    • Click on Delete.
    • A logfile will automatically open after the scan has finished.
    • Please post the content of that logfile in your reply.
    • You can find the logfile at C:\AdwCleaner[Rn].txt as well - n is the order number.


    Junkware Removal Tool

    Please download Junkware Removal Tool to your desktop.
    • Warning! Once the scan is complete JRT will shut down your browser with NO warning.
    • Shut down your protection software now to avoid potential conflicts.
    • Temporarily disable your antivirus and any antispyware real time protection before performing a scan. Click this link to see a list of security programs that should be disabled and how to disable them.
    • Run the tool by double-clicking it. If you are using Windows Vista or Windows 7, right-click JRT and select Run as Administrator
    • The tool will open and start scanning your system.
    • Please be patient as this can take a while to complete depending on your system's specifications.
    • On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
    • Copy and Paste the JRT.txt log into your next message.
  3. cableman

    cableman (TechSpot Enthusiast, Topic Starter)

    Thank you for your help so far. I hope I am still getting you the correct results you asked for. I am also getting a pop-up error message every time on reboot. I have taken a screen capture (jpg) of it in case it is important at this time; if not, sorry for the unnecessary addition. Here are your requested logs:

    ComboFix 13-01-27.03 - Administrator 01/27/2013 10:21:11.2.2 - x86
    Microsoft Windows 7 Professional 6.1.7601.1.1252.1.1033.18.1782.1058 [GMT -5:00]
    Running from: c:\users\Administrator\Downloads\ComboFix.exe
    AV: avast! Antivirus *Disabled/Updated* {2B2D1395-420B-D5C9-657E-930FE358FC3C}
    SP: avast! Antivirus *Disabled/Updated* {904CF271-6431-DA47-5FCE-A87D98DFB681}
    * Created a new restore point
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    c:\program files\Coupon Companion Plugin\CoUPon companion plugin.dll
    c:\program files\Incredibar.com
    c:\program files\Incredibar.com\incredibar\1.5.3.27\bh\incredibar.dll
    c:\program files\Incredibar.com\incredibar\1.5.3.27\incredibar.crx
    c:\program files\Incredibar.com\incredibar\1.5.3.27\incredibarApp.dll
    c:\program files\Incredibar.com\incredibar\1.5.3.27\incredibarEng.dll
    c:\program files\Incredibar.com\incredibar\1.5.3.27\incredibarsrv.exe
    c:\program files\Incredibar.com\incredibar\1.5.3.27\incredibarTlbr.dll
    c:\program files\Incredibar.com\incredibar\1.5.3.27\uninstall.exe
    c:\programdata\100
    c:\programdata\3002.abs
    c:\programdata\3002.xml
    .
    .
    ((((((((((((((((((((((((( Files Created from 2012-12-27 to 2013-01-27 )))))))))))))))))))))))))))))))
    .
    .
    2013-01-27 15:51 . 2013-01-27 15:51 -------- d-----w- c:\users\user\AppData\Local\temp
    2013-01-27 15:51 . 2013-01-27 15:51 -------- d-----w- c:\users\Public\AppData\Local\temp
    2013-01-27 15:51 . 2013-01-27 15:51 -------- d-----w- c:\users\Default\AppData\Local\temp
    2013-01-25 18:18 . 2012-12-14 21:49 21104 ----a-w- c:\windows\system32\drivers\mbam.sys
    2013-01-25 18:18 . 2013-01-25 18:18 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2013-01-25 18:16 . 2013-01-25 18:16 -------- d-----w- c:\users\Administrator\AppData\Local\Programs
    2013-01-25 05:40 . 2012-10-30 23:51 361032 ----a-w- c:\windows\system32\drivers\aswSP.sys
    2013-01-25 05:40 . 2012-10-30 23:51 21256 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
    2013-01-25 05:40 . 2012-10-15 16:59 44784 ----a-w- c:\windows\system32\drivers\aswRdr2.sys
    2013-01-25 05:40 . 2012-10-30 23:51 54232 ----a-w- c:\windows\system32\drivers\aswTdi.sys
    2013-01-25 05:40 . 2012-10-30 23:51 738504 ----a-w- c:\windows\system32\drivers\aswSnx.sys
    2013-01-25 05:40 . 2012-10-30 23:51 58680 ----a-w- c:\windows\system32\drivers\aswMonFlt.sys
    2013-01-25 05:40 . 2012-10-30 23:51 41224 ----a-w- c:\windows\avastSS.scr
    2013-01-25 05:40 . 2012-10-30 23:50 227648 ----a-w- c:\windows\system32\aswBoot.exe
    2013-01-25 05:12 . 2013-01-25 05:12 -------- d-----w- c:\users\Administrator\AppData\Roaming\Roxio
    2013-01-24 14:22 . 2013-01-24 14:22 97 ----a-w- c:\users\Administrator\AppData\Roaming\netstat.bat
    2013-01-20 08:31 . 2013-01-20 08:31 -------- d-----w- c:\program files\NirSoft
    .
    .
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2013-01-27 15:52 . 2010-10-07 00:01 17920 ----a-w- c:\windows\system32\rpcnetp.exe
    2013-01-27 15:52 . 2010-07-28 16:16 58288 ----a-w- c:\windows\system32\rpcnet.dll
    2012-12-09 00:01 . 2012-12-08 23:39 181064 ----a-w- c:\windows\PSEXESVC.EXE
    2013-01-18 23:32 . 2013-01-18 23:32 262552 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
    .
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]
    @="{472083B0-C522-11CF-8763-00608CC02F24}"
    [HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]
    2012-10-30 23:50 121528 ----a-w- c:\program files\AVAST Software\Avast\ashShell.dll
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\GDriveBlacklistedOverlay]
    @="{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D42}"
    [HKEY_CLASSES_ROOT\CLSID\{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D42}]
    2012-12-18 00:50 556648 ----a-w- c:\program files\Google\Drive\googledrivesync32.dll
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\GDriveSharedOverlay]
    @="{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D43}"
    [HKEY_CLASSES_ROOT\CLSID\{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D43}]
    2012-12-18 00:50 556648 ----a-w- c:\program files\Google\Drive\googledrivesync32.dll
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\GDriveSyncedOverlay]
    @="{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D40}"
    [HKEY_CLASSES_ROOT\CLSID\{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D40}]
    2012-12-18 00:50 556648 ----a-w- c:\program files\Google\Drive\googledrivesync32.dll
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\GDriveSyncingOverlay]
    @="{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D41}"
    [HKEY_CLASSES_ROOT\CLSID\{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D41}]
    2012-12-18 00:50 556648 ----a-w- c:\program files\Google\Drive\googledrivesync32.dll
    .
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "HPAdvisorDock"="c:\program files\Hewlett-Packard\HP Advisor\DOCK\HPAdvisorDock.exe" [2010-02-10 1515576]
    "RoboForm"="c:\program files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe" [2011-09-29 107000]
    "Exetender"="c:\program files\Free Ride Games\GPlayer.exe" [2012-09-03 4895192]
    .
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2010-06-03 1791272]
    "SysTrayApp"="c:\program files\IDT\WDM\sttray.exe" [2011-11-06 495708]
    "TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2010-06-25 202256]
    "avast"="c:\program files\AVAST Software\Avast\avastUI.exe" [2012-10-30 4297136]
    .
    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "Exetender"="c:\program files\Free Ride Games\GPlayer.exe" [2012-09-03 4895192]
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "ConsentPromptBehaviorUser"= 3 (0x3)
    "EnableUIADesktopToggle"= 0 (0x0)
    "EnableLinkedConnections"= 1 (0x1)
    .
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\rpcnet]
    @="Service"
    .
    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
    "LightScribe Control Panel"=c:\program files\Common Files\LightScribe\LightScribeControlPanel.exe -hidden
    "CPN Notifier"=c:\program files\Lock Poker\PokerNotifier.exe
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
    "accrdsub"="c:\program files\ActivIdentity\ActivClient\accrdsub.exe"
    "acevents"="c:\program files\ActivIdentity\ActivClient\acevents.exe"
    "Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
    "estar"=c:\system.sav\Util\HideDOS.EXE c:\system.sav\util\estartwk\twk7.bat
    "NortonOnlineBackupReminder"="c:\program files\Symantec\Norton Online Backup\Activation\NOBuActivation.exe" UNATTENDED
    "PDF Complete"=c:\program files\PDF Complete\pdfsty.exe
    "QLBController"=c:\program files\Hewlett-Packard\HP HotKey Support\QLBController.exe /start
    "QuickTime Task"="c:\program files\QuickTime\QTTask.exe" -atboottime
    "TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" -osboot
    "StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
    "SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe"
    "HPWirelessAssistant"=c:\program files\Hewlett-Packard\HP Wireless Assistant\DelayedAppStarter.exe 120 c:\program files\Hewlett-Packard\HP Wireless Assistant\HPWA_Main.exe /hidden
    "HPPowerAssistant"=c:\program files\Hewlett-Packard\HP Power Assistant\DelayedAppStarter.exe 120 c:\program files\Hewlett-Packard\HP Power Assistant\HPPA_Main.exe /hidden
    "File Sanitizer"=c:\program files\Hewlett-Packard\File Sanitizer\CoreShredder.exe
    .
    R1 SBRE;SBRE;c:\windows\system32\drivers\SBREDrv.sys [x]
    R2 rimspci;rimspci;c:\windows\system32\DRIVERS\rimspe86.sys [x]
    R2 risdpcie;risdpcie;c:\windows\system32\DRIVERS\risdpe86.sys [x]
    R2 rixdpcie;rixdpcie;c:\windows\system32\DRIVERS\rixdpe86.sys [x]
    R2 X6XSEx_Pr143;X6XSEx_Pr143;c:\program files\Free Ride Games\X6XSEx_Pr143.Sys [x]
    R3 qcfilterhp2k;Gobi 2000 USB Composite Device Filter Driver(03F0-251D);c:\windows\system32\DRIVERS\qcfilterhp2k.sys [x]
    R3 qcusbnethp2k;Gobi 2000 USB-NDIS miniport(03F0-251D);c:\windows\system32\DRIVERS\qcusbnethp2k.sys [x]
    R3 qcusbserhp2k;Gobi 2000 USB Device for Legacy Serial Communication(03F0-251D);c:\windows\system32\DRIVERS\qcusbserhp2k.sys [x]
    R3 RoxMediaDB10;RoxMediaDB10;c:\program files\Common Files\Roxio Shared\10.0\SharedCOM\RoxMediaDB10.exe [x]
    R3 RoxMediaDB12OEM;RoxMediaDB12OEM;c:\program files\Common Files\Roxio Shared\OEM\12.0\SharedCOM\RoxMediaDB12OEM.exe [x]
    R3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt86win7.sys [x]
    R3 rtsuvc;HP Webcam [2 MP Fixed];c:\windows\system32\DRIVERS\rtsuvc.sys [x]
    R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [x]
    R3 vpcuxd;USB Virtualization Stub Service;c:\windows\system32\drivers\vpcuxd.sys [x]
    R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [x]
    R3 yukonw7;NDIS6.2 Miniport Driver for Marvell Yukon Ethernet Controller;c:\windows\system32\DRIVERS\yk62x86.sys [x]
    R4 HP Power Assistant Service;HP Power Assistant Service;c:\program files\Hewlett-Packard\HP Power Assistant\HPPA_Service.exe [x]
    R4 HP Wireless Assistant Service;HP Wireless Assistant Service;c:\program files\Hewlett-Packard\HP Wireless Assistant\HPWA_Service.exe [x]
    R4 hpHotkeyMonitor;HP Hotkey Monitor;c:\program files\Hewlett-Packard\HP HotKey Support\hpHotkeyMonitor.exe [x]
    S0 Lbd;Lbd;c:\windows\system32\DRIVERS\Lbd.sys [x]
    S1 aswSnx;aswSnx; [x]
    S1 aswSP;aswSP; [x]
    S2 ac.sharedstore;ActivIdentity Shared Store Service;c:\program files\Common Files\ActivIdentity\ac.sharedstore.exe [x]
    S2 AESTFilters;Andrea ST Filters Service;c:\program files\IDT\WDM\aestsrv.exe [x]
    S2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [x]
    S2 aswFsBlk;aswFsBlk; [x]
    S2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [x]
    S2 HPDayStarterService;HP DayStarter Service;c:\program files\Hewlett-Packard\HP QuickLook\HPDayStarterService.exe [x]
    S2 HPFSService;File Sanitizer for HP ProtectTools;c:\program files\Hewlett-Packard\File Sanitizer\HPFSService.exe [x]
    S2 hpsrv;HP Service;c:\windows\system32\Hpservice.exe [x]
    S2 MBAMScheduler;MBAMScheduler;c:\program files\Malwarebytes' Anti-Malware\mbamscheduler.exe [x]
    S2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [x]
    S2 pdfcDispatcher;PDF Document Manager;c:\program files\PDF Complete\pdfsvc.exe [x]
    S2 PdiService;Portrait Displays SDK Service;c:\program files\Common Files\Portrait Displays\Drivers\pdisrvc.exe [x]
    S2 QDLService2kHP;Qualcomm Gobi 2000 Download Service (HP);c:\program files\QUALCOMM\QDLService2k\QDLService2kHP.exe [x]
    S2 rpcld;Remote Procedure Call (RPC) LD;c:\programdata\Rpcnet\Bin\rpcld.exe [x]
    S2 TuneUp.UtilitiesSvc;TuneUp Utilities Service;c:\program files\TuneUp Utilities 2012\TuneUpUtilitiesService32.exe [x]
    S2 vcsFPService;Validity VCS Fingerprint Service;c:\windows\system32\vcsFPService.exe [x]
    S3 btwl2cap;Bluetooth L2CAP Service;c:\windows\system32\DRIVERS\btwl2cap.sys [x]
    S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [x]
    S3 TuneUpUtilitiesDrv;TuneUpUtilitiesDrv;c:\program files\TuneUp Utilities 2012\TuneUpUtilitiesDriver32.sys [x]
    .
    .
    [HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
    2010-02-22 18:38 451872 ----a-w- c:\program files\Common Files\LightScribe\LSRunOnce.exe
    .
    Contents of the 'Scheduled Tasks' folder
    .
    2013-01-27 c:\windows\Tasks\CodecUpdaterTask{110261C5-0AD3-48E4-B17F-3631829EA6CD}.job
    - c:\programdata\Premium\Codec\Codec.exe [2012-09-22 12:31]
    .
    2012-10-19 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2011-09-23 23:48]
    .
    2012-10-19 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
    - c:\program files\Google\Update\GoogleUpdate.exe [2011-09-23 23:48]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.ask.com/?l=dis&o=102874&gct=hp
    TCP: DhcpNameServer = 192.168.1.1 205.152.37.23
    FF - ProfilePath - c:\users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\xibtwus7.default\
    FF - prefs.js: browser.search.selectedEngine - Google
    FF - prefs.js: browser.startup.homepage - hxxps://www.google.com/
    FF - prefs.js: keyword.URL - hxxp://mystart.incredibar.com/mb119/?loc=IB_DS&a=6Oysndgc9f&&I=26&search=
    FF - prefs.js: network.proxy.gopher -
    FF - prefs.js: network.proxy.gopher_port - 0
    FF - prefs.js: network.proxy.type - 0
    FF - ExtSQL: 2012-12-22 05:42; plugin@selectionlinks.com; c:\users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\xibtwus7.default\extensions\plugin@selectionlinks.com
    FF - ExtSQL: 2012-12-22 05:45; wecarereminder@bryan; c:\users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\xibtwus7.default\extensions\wecarereminder@bryan
    FF - ExtSQL: 2013-01-25 00:48; wrc@avast.com; c:\program files\AVAST Software\Avast\WebRep\FF
    FF - user.js: extensions.incredibar_i.newTab - false
    FF - user.js: extensions.incredibar_i.tlbrSrchUrl - hxxp://mystart.Incredibar.com/?a=6Oysndgc9f&loc=IB_TB&I=26&search=
    FF - user.js: extensions.incredibar_i.id - a063e759000000000000cc52aff747fc
    FF - user.js: extensions.incredibar_i.hardId - a063e759000000000000cc52aff747fc
    FF - user.js: extensions.incredibar_i.instlDay - 15379
    FF - user.js: extensions.incredibar_i.vrsn - 1.5.3.27
    FF - user.js: extensions.incredibar_i.vrsni - 1.5.3.27
    FF - user.js: extensions.incredibar_i.vrsnTs - 1.5.3.2711:07
    FF - user.js: extensions.incredibar_i.prtnrId - Incredibar
    FF - user.js: extensions.incredibar_i.prdct - incredibar
    FF - user.js: extensions.incredibar_i.aflt - orgnl
    FF - user.js: extensions.incredibar_i.smplGrp - none
    FF - user.js: extensions.incredibar_i.tlbrId - base
    FF - user.js: extensions.incredibar_i.instlRef -
    FF - user.js: extensions.incredibar_i.dfltLng -
    FF - user.js: extensions.incredibar_i.excTlbr - false
    FF - user.js: extensions.incredibar_i.ms_url_id -
    FF - user.js: extensions.incredibar_i.upn2 - 6Oysndgc9f
    FF - user.js: extensions.incredibar_i.upn2n - 92260871127040989
    FF - user.js: extensions.incredibar_i.productid - 26
    FF - user.js: extensions.incredibar_i.installerproductid - 26
    FF - user.js: extensions.incredibar_i.did - 10606
    FF - user.js: extensions.incredibar_i.ppd - 48
    FF - user.js: network.http.max-persistent-connections-per-server - 4
    FF - user.js: nglayout.initialpaint.delay - 600
    FF - user.js: content.notify.interval - 600000
    FF - user.js: content.max.tokenizing.time - 1800000
    FF - user.js: content.switch.threshold - 600000
    user_pref('extensions.autoDisableScopes', 0);user_pref('security.csp.enable', false);user_pref('security.OCSP.enabled', 0);
    .
    - - - - ORPHANS REMOVED - - - -
    .
    AddRemove-incredibar - c:\program files\Incredibar.com\incredibar\1.5.3.27\uninstall.exe
    .
    .
    .
    [HKEY_LOCAL_MACHINE\system\ControlSet001\services\pdfcDispatcher]
    "ImagePath"="c:\program files\PDF Complete\pdfsvc.exe /startedbyscm:66B66708-40E2BE4D-pdfcService"
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------
    .
    [HKEY_USERS\S-1-5-21-806783369-3586686801-2702779342-500\Software\Microsoft\Internet Explorer\Approved Extensions]
    @Denied: (2) (Administrator)
    @Allowed: (Read) (RestrictedCode)
    "{724D43A0-0D85-11D4-9908-00400523E39A}"=hex:51,66,7a,6c,4c,1d,3b,1b,b0,55,5f,
    6d,b5,56,b8,5f,83,0a,5f,1e,00,68,a0,80
    "{724D43A9-0D85-11D4-9908-00400523E39A}"=hex:51,66,7a,6c,4c,1d,3b,1b,b9,55,5f,
    6d,b5,56,b8,5f,83,0a,5f,1e,00,68,a0,80
    "{11111111-1111-1111-1111-110211181104}"=hex:51,66,7a,6c,4c,1d,3b,1b,01,07,03,
    0e,21,4a,7d,5f,0b,13,4e,5c,14,53,52,1e
    "{300BEC06-B743-4D19-86B9-11DC711D7FFB}"=hex:51,66,7a,6c,4c,1d,3b,1b,16,fa,19,
    2f,73,ec,75,03,9c,bb,4e,82,74,56,3c,e1
    "{581DDABB-8165-F737-7C7F-67DB17CD7392}"=hex:51,66,7a,6c,4c,1d,3b,1b,ab,cc,0f,
    47,55,da,5b,b9,66,7d,38,85,12,86,30,88
    "{D824F0DE-3D60-4F57-9EB1-66033ECD8ABB}"=hex:51,66,7a,6c,4c,1d,3b,1b,ce,e6,36,
    c7,50,66,3b,01,84,b3,39,5d,3b,86,c9,a1
    .
    [HKEY_USERS\S-1-5-21-806783369-3586686801-2702779342-500\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration]
    @Denied: (2) (Administrator)
    "Timestamp"=hex:74,4d,92,f2,3f,fa,cd,01
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------
    .
    - - - - - - - > 'Explorer.exe'(5412)
    c:\program files\Hewlett-Packard\HP Support Framework\Resources\HPSFMessenger\HPSFTaskbar.dll
    c:\program files\WIDCOMM\Bluetooth Software\btncopy.dll
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\program files\IDT\WDM\STacSV.exe
    c:\windows\system32\atieclxx.exe
    c:\windows\system32\WLANExt.exe
    c:\program files\AVAST Software\Avast\AvastSvc.exe
    c:\windows\system32\conhost.exe
    c:\program files\LSI SoftModem\agrsmsvc.exe
    c:\program files\WIDCOMM\Bluetooth Software\btwdins.exe
    c:\program files\Common Files\LightScribe\LSSrvc.exe
    c:\windows\system32\rpcnet.exe
    c:\windows\system32\WUDFHost.exe
    c:\windows\system32\taskhost.exe
    c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe
    c:\program files\TuneUp Utilities 2012\TuneUpUtilitiesApp32.exe
    c:\windows\system32\conhost.exe
    c:\program files\Synaptics\SynTP\SynTPHelper.exe
    c:\program files\Hewlett-Packard\HP Advisor\HPAdvisor.exe
    c:\windows\system32\Mystify.scr
    .
    **************************************************************************
    .
    Completion time: 2013-01-27 13:51:02 - machine was rebooted
    ComboFix-quarantined-files.txt 2013-01-27 18:51
    ComboFix2.txt 2012-01-12 21:23
    .
    Pre-Run: 213,462,233,088 bytes free
    Post-Run: 213,562,081,280 bytes free
    .
    - - End Of File - - 90BE8C52207A225D45D0C719E641C8D3


    # AdwCleaner v2.109 - Logfile created 01/27/2013 at 18:26:43
    # Updated 26/01/2013 by Xplode
    # Operating system : Windows 7 Professional Service Pack 1 (32 bits)
    # User : Administrator - USER-HP
    # Boot Mode : Normal
    # Running from : C:\Users\Administrator\Downloads\adwcleaner.exe
    # Option [Delete]


    ***** [Services] *****


    ***** [Files / Folders] *****

    Deleted on reboot : C:\ProgramData\Premium
    File Deleted : C:\user.js
    File Deleted : C:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\xibtwus7.default\searchplugins\Askcom.xml
    File Deleted : C:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\xibtwus7.default\searchplugins\MyStart Search.xml
    Folder Deleted : C:\Program Files\Ilivid
    Folder Deleted : C:\Program Files\OApps
    Folder Deleted : C:\ProgramData\{B49A644A-1076-4A3D-B124-DAA7862F2318}
    Folder Deleted : C:\ProgramData\InstallMate
    Folder Deleted : C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Ilivid
    Folder Deleted : C:\ProgramData\WeCareReminder
    Folder Deleted : C:\Users\Administrator\AppData\Local\APN
    Folder Deleted : C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\jpnbdefcbnoefmmcpelplabbkfmfhlho
    Folder Deleted : C:\Users\Administrator\AppData\Local\Ilivid Player
    Folder Deleted : C:\Users\Administrator\AppData\LocalLow\incredibar.com
    Folder Deleted : C:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\xibtwus7.default\extensions\crossriderapp435@crossrider.com
    Folder Deleted : C:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\xibtwus7.default\extensions\wecarereminder@bryan

    ***** [Registry] *****

    Key Deleted : HKCU\Software\AppDataLow\Software\Crossrider
    Key Deleted : HKCU\Software\Headlight
    Key Deleted : HKCU\Software\ilivid
    Key Deleted : HKCU\Software\IM
    Key Deleted : HKCU\Software\ImInstaller
    Key Deleted : HKCU\Software\incredibar.com
    Key Deleted : HKCU\Software\InstalledBrowserExtensions
    Key Deleted : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{CFF4DB9B-135F-47C0-9269-B4C6572FD61A}
    Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{D824F0DE-3D60-4F57-9EB1-66033ECD8ABB}
    Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{D824F0DE-3D60-4F57-9EB1-66033ECD8ABB}
    Key Deleted : HKCU\Software\wecarereminder
    Key Deleted : HKLM\SOFTWARE\Classes\AppID\{09C554C3-109B-483C-A06B-F14172F1A947}
    Key Deleted : HKLM\SOFTWARE\Classes\AppID\{4E1E9D45-8BF9-4139-915C-9F83CC3D5921}
    Key Deleted : HKLM\SOFTWARE\Classes\AppID\{4FBBF769-ECEB-420A-B536-133B1D505C36}
    Key Deleted : HKLM\SOFTWARE\Classes\AppID\{608D3067-77E8-463D-9084-908966806826}
    Key Deleted : HKLM\SOFTWARE\Classes\AppID\{B12E99ED-69BD-437C-86BE-C862B9E5444D}
    Key Deleted : HKLM\SOFTWARE\Classes\AppID\{CFE8AAFD-A0F3-4329-84E9-6B679EC93EC2}
    Key Deleted : HKLM\SOFTWARE\Classes\AppID\{D7EE8177-D51E-4F89-92B6-83EA2EC40800}
    Key Deleted : HKLM\SOFTWARE\Classes\AppID\escort.DLL
    Key Deleted : HKLM\SOFTWARE\Classes\AppID\escortApp.DLL
    Key Deleted : HKLM\SOFTWARE\Classes\AppID\escortEng.DLL
    Key Deleted : HKLM\SOFTWARE\Classes\AppID\escorTlbr.DLL
    Key Deleted : HKLM\SOFTWARE\Classes\AppID\esrv.EXE
    Key Deleted : HKLM\SOFTWARE\Classes\AppID\IEHelperv2.5.0.DLL
    Key Deleted : HKLM\SOFTWARE\Classes\Applications\ilividsetupv1.exe
    Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{C01315C7-B4E2-4864-B43D-5FAFC414D179}
    Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{C1545464-C77C-4130-A572-1C619E2895FE}
    Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{D824F0DE-3D60-4F57-9EB1-66033ECD8ABB}
    Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{ED0E67AD-926C-4008-87E5-03CF72AA2A7E}
    Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{EF7FEC6D-451B-4452-9D26-7E10C6B5DB6E}
    Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{F773BB94-6C19-4643-A570-0E429103D1C3}
    Key Deleted : HKLM\SOFTWARE\Classes\CrossriderApp0000435.FBApi
    Key Deleted : HKLM\SOFTWARE\Classes\CrossriderApp0000435.FBApi.1
    Key Deleted : HKLM\SOFTWARE\Classes\CrossriderApp0000435.Sandbox
    Key Deleted : HKLM\SOFTWARE\Classes\CrossriderApp0000435.Sandbox.1
    Key Deleted : HKLM\SOFTWARE\Classes\CrossriderApp0021804.BHO
    Key Deleted : HKLM\SOFTWARE\Classes\CrossriderApp0021804.Sandbox
    Key Deleted : HKLM\SOFTWARE\Classes\CrossriderApp0021804.Sandbox.1
    Key Deleted : HKLM\SOFTWARE\Classes\escort.escortIEPane
    Key Deleted : HKLM\SOFTWARE\Classes\escort.escortIEPane.1
    Key Deleted : HKLM\SOFTWARE\Classes\escort.escrtBtn.1
    Key Deleted : HKLM\SOFTWARE\Classes\esrv.IncredibarESrvc
    Key Deleted : HKLM\SOFTWARE\Classes\esrv.IncredibarESrvc.1
    Key Deleted : HKLM\SOFTWARE\Classes\I
    Key Deleted : HKLM\SOFTWARE\Classes\IEHelperv250.WeCareReminder
    Key Deleted : HKLM\SOFTWARE\Classes\IEHelperv250.WeCareReminder.1
    Key Deleted : HKLM\SOFTWARE\Classes\ilivid
    Key Deleted : HKLM\SOFTWARE\Classes\IncredibarApp.appCore
    Key Deleted : HKLM\SOFTWARE\Classes\IncredibarApp.appCore.1
    Key Deleted : HKLM\Software\Classes\Installer\Features\2B1E51D87B2D71A44BB42DDD5E894160
    Key Deleted : HKLM\Software\Classes\Installer\Products\2B1E51D87B2D71A44BB42DDD5E894160
    Key Deleted : HKLM\SOFTWARE\Classes\Interface\{22B0769F-794B-4422-AC84-47B123C8986D}
    Key Deleted : HKLM\SOFTWARE\Classes\Interface\{255E0B2A-D747-4EEF-B7CE-159D73A3656D}
    Key Deleted : HKLM\SOFTWARE\Classes\Interface\{28ED590D-F5ED-4E05-A87F-1D759F1C6169}
    Key Deleted : HKLM\SOFTWARE\Classes\Interface\{45D5B93F-E2ED-4AF2-915E-DCDDBDA8C33C}
    Key Deleted : HKLM\SOFTWARE\Classes\Interface\{771B99AB-636F-4A11-9039-8DFEB927B061}
    Key Deleted : HKLM\SOFTWARE\Classes\Interface\{A8321AA2-2227-40C7-8525-6C2F4E1B0EBE}
    Key Deleted : HKLM\SOFTWARE\Classes\Interface\{AA41A731-6814-4A70-A6F1-C0A20FBBFBD5}
    Key Deleted : HKLM\SOFTWARE\Classes\Interface\{ABBB8A9E-D8AF-40D1-94BE-5175077465FC}
    Key Deleted : HKLM\SOFTWARE\Classes\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}
    Key Deleted : HKLM\SOFTWARE\Classes\Interface\{BF737694-56F6-46FA-9FDC-FA99A5B25FAD}
    Key Deleted : HKLM\SOFTWARE\Classes\Interface\{CFCD164E-8AC9-478E-9ECC-B616A932016C}
    Key Deleted : HKLM\SOFTWARE\Classes\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}
    Key Deleted : HKLM\SOFTWARE\Classes\Interface\{D5961CC0-B442-4567-8030-67E241EF4CC2}
    Key Deleted : HKLM\SOFTWARE\Classes\Interface\{E450067F-1C93-41A7-928E-07E5C2EEC680}
    Key Deleted : HKLM\SOFTWARE\Classes\Interface\{F0356CB6-4AB7-425B-A31C-0369E0CB5E81}
    Key Deleted : HKLM\SOFTWARE\Classes\Interface\{F773BB94-6C19-4643-A570-0E429103D1C3}
    Key Deleted : HKLM\SOFTWARE\Classes\Interface\{F977D9F2-4BDC-44A6-B508-7C0284C61EED}
    Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{48C9C8B0-A546-46C1-A81F-47A31E623E9D}
    Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{B12920CF-BE13-4C09-890D-1B6EFFFE2FBE}
    Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}
    Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{CFE8AAFD-A0F3-4329-84E9-6B679EC93EC2}
    Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{D7EE8177-D51E-4F89-92B6-83EA2EC40800}
    Key Deleted : HKLM\Software\Conduit
    Key Deleted : HKLM\SOFTWARE\Google\Chrome\Extensions\jpnbdefcbnoefmmcpelplabbkfmfhlho
    Key Deleted : HKLM\Software\ilivid
    Key Deleted : HKLM\Software\incredibar.com
    Key Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{74C36554-31F0-49DD-8857-ED6A64DF45BE}
    Key Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{AC5B6CDA-8F90-4740-9A8C-28AC5D3C73FE}
    Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\iLividSetupV1_RASAPI32
    Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\iLividSetupV1_RASMANCS
    Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\incredibar_install_RASAPI32
    Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\incredibar_install_RASMANCS
    Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\IncredibarToolbar_RASAPI32
    Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\IncredibarToolbar_RASMANCS
    Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\SetupDataMngr_Searchqu_RASAPI32
    Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\SetupDataMngr_Searchqu_RASMANCS
    Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{D824F0DE-3D60-4F57-9EB1-66033ECD8ABB}
    Key Deleted : HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\0FF2AEFF45EEA0A48A4B33C1973B6094
    Key Deleted : HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\305B09CE8C53A214DB58887F62F25536
    Key Deleted : HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\817FDB46B46DE8B4AAD499F1DAFF341D
    Key Deleted : HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\A5A9327D31011C244A196F700637C701
    Key Deleted : HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\C6B84CEB2810F104BA0E5FC5C8EACD7E
    Key Deleted : HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\2B1E51D87B2D71A44BB42DDD5E894160
    Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{2EF17083-57D4-4D64-AE4F-55F32A2C4571}
    Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{8D15E1B2-D2B7-4A17-B44B-D2DDE5981406}
    Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ilivid
    Value Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\New Windows\Allow [*.crossrider.com]

    ***** [Internet Browsers] *****

    -\\ Internet Explorer v9.0.8112.16421

    Replaced : [HKCU\Software\Microsoft\Internet Explorer\Main - Start Page] = hxxp://www.ask.com/?l=dis&o=102874&gct=hp --> hxxp://www.google.com

    -\\ Mozilla Firefox v18.0.1 (en-US)

    File : C:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\xibtwus7.default\prefs.js

    C:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\xibtwus7.default\user.js ... Deleted !

    Deleted : user_pref("browser.search.defaultengine", "Ask.com");
    Deleted : user_pref("browser.search.defaultenginename", "Ask.com");
    Deleted : user_pref("browser.search.order.1", "Ask.com");
    Deleted : user_pref("extensions.505d44cb54699.scode", "(function(){try{if('aol.com,mail.google.com,premiumrepo[...]
    Deleted : user_pref("extensions.crossriderapp21804.adsOldValue", -1);
    Deleted : user_pref("extensions.crossriderapp435.435.InstallationThankYouPage", true);
    Deleted : user_pref("extensions.crossriderapp435.435.InstallationTime", 1328803723);
    Deleted : user_pref("extensions.crossriderapp435.435.InstallationUserSettings.searchUserConifrmation", false);
    Deleted : user_pref("extensions.crossriderapp435.435.InstallationUserSettings.setHomepage", false);
    Deleted : user_pref("extensions.crossriderapp435.435.InstallationUserSettings.setNewTab", false);
    Deleted : user_pref("extensions.crossriderapp435.435.InstallationUserSettings.setSearch", false);
    Deleted : user_pref("extensions.crossriderapp435.435.active", true);
    Deleted : user_pref("extensions.crossriderapp435.435.addressbar", "");
    Deleted : user_pref("extensions.crossriderapp435.435.addressbarenhanced", "");
    Deleted : user_pref("extensions.crossriderapp435.435.affid", "0");
    Deleted : user_pref("extensions.crossriderapp435.435.backgroundjs", "\n//------------------ PLUGIN START --[...]
    Deleted : user_pref("extensions.crossriderapp435.435.backgroundver", 8);
    Deleted : user_pref("extensions.crossriderapp435.435.certdomaininstaller", "");
    Deleted : user_pref("extensions.crossriderapp435.435.changeprevious", false);
    Deleted : user_pref("extensions.crossriderapp435.435.cookie.InstallationTime.expiration", "Fri Feb 01 2030 00:[...]
    Deleted : user_pref("extensions.crossriderapp435.435.cookie.InstallationTime.value", "1328803723");
    Deleted : user_pref("extensions.crossriderapp435.435.cookie.InstallerParams.expiration", "Fri Feb 01 2030 00:0[...]
    Deleted : user_pref("extensions.crossriderapp435.435.cookie._GPL_aoi.expiration", "Fri Feb 01 2030 00:00:00 GM[...]
    Deleted : user_pref("extensions.crossriderapp435.435.cookie._GPL_aoi.value", "%221328803788%22");
    Deleted : user_pref("extensions.crossriderapp435.435.cookie._GPL_parent_zoneid.expiration", "Fri Feb 01 2030 0[...]
    Deleted : user_pref("extensions.crossriderapp435.435.cookie._GPL_parent_zoneid.value", "%2218727%22");
    Deleted : user_pref("extensions.crossriderapp435.435.cookie._GPL_zoneid.expiration", "Fri Feb 01 2030 00:00:00[...]
    Deleted : user_pref("extensions.crossriderapp435.435.cookie._GPL_zoneid.value", "%2218800%22");
    Deleted : user_pref("extensions.crossriderapp435.435.cookie.__GPL_ID.expiration", "Fri Feb 01 2030 00:00:00 GM[...]
    Deleted : user_pref("extensions.crossriderapp435.435.cookie.__GPL_ID.value", "1466");
    Deleted : user_pref("extensions.crossriderapp435.435.cookie.__GPL_custom_zoneid.expiration", "Fri Feb 01 2030 [...]
    Deleted : user_pref("extensions.crossriderapp435.435.cookie.__GPL_custom_zoneid.value", "14969");
    Deleted : user_pref("extensions.crossriderapp435.435.cookie.__GPL_pubid.expiration", "Fri Feb 01 2030 00:00:00[...]
    Deleted : user_pref("extensions.crossriderapp435.435.cookie.__GPL_pubid.value", "%222993%22");
    Deleted : user_pref("extensions.crossriderapp435.435.cookie.previous_page.expiration", "Fri Feb 01 2030 00:00:[...]
    Deleted : user_pref("extensions.crossriderapp435.435.cookie.previous_page.value", "%22hxxp%3A//www.techspot.co[...]
    Deleted : user_pref("extensions.crossriderapp435.435.description", "Premiumplay Codec check");
    Deleted : user_pref("extensions.crossriderapp435.435.domain", "");
    Deleted : user_pref("extensions.crossriderapp435.435.emailsig", "");
    Deleted : user_pref("extensions.crossriderapp435.435.enablesearch", false);
    Deleted : user_pref("extensions.crossriderapp435.435.exposesites", "");
    Deleted : user_pref("extensions.crossriderapp435.435.fbremoteurl", "");
    Deleted : user_pref("extensions.crossriderapp435.435.group", 0);
    Deleted : user_pref("extensions.crossriderapp435.435.homepage", "");
    Deleted : user_pref("extensions.crossriderapp435.435.iframe", false);
    Deleted : user_pref("extensions.crossriderapp435.435.js", "\n\n$jquery(document).ready(function() {\n \n $[...]
    Deleted : user_pref("extensions.crossriderapp435.435.manifesturl", "");
    Deleted : user_pref("extensions.crossriderapp435.435.name", "Codec-V");
    Deleted : user_pref("extensions.crossriderapp435.435.newtab", "");
    Deleted : user_pref("extensions.crossriderapp435.435.opensearch", "");
    Deleted : user_pref("extensions.crossriderapp435.435.plugins.plugin_10.code", "if(!appAPI.matchPages(\"search.[...]
    Deleted : user_pref("extensions.crossriderapp435.435.plugins.plugin_10.name", "app_435_specific");
    Deleted : user_pref("extensions.crossriderapp435.435.plugins.plugin_10.ver", 4);
    Deleted : user_pref("extensions.crossriderapp435.435.plugins.plugin_13.code", "(function(a){a.selectedText=fun[...]
    Deleted : user_pref("extensions.crossriderapp435.435.plugins.plugin_13.name", "CrossriderAppUtils");
    Deleted : user_pref("extensions.crossriderapp435.435.plugins.plugin_13.ver", 2);
    Deleted : user_pref("extensions.crossriderapp435.435.plugins.plugin_14.code", "if(typeof(appAPI)===\"undefined[...]
    Deleted : user_pref("extensions.crossriderapp435.435.plugins.plugin_14.name", "CrossriderUtils");
    Deleted : user_pref("extensions.crossriderapp435.435.plugins.plugin_14.ver", 2);
    Deleted : user_pref("extensions.crossriderapp435.435.plugins.plugin_15.code", "(function(f){var u={};var e=Mat[...]
    Deleted : user_pref("extensions.crossriderapp435.435.plugins.plugin_15.name", "FacebookFFIE");
    Deleted : user_pref("extensions.crossriderapp435.435.plugins.plugin_15.ver", 1);
    Deleted : user_pref("extensions.crossriderapp435.435.plugins.plugin_16.code", "if((typeof isBackground===\"und[...]
    Deleted : user_pref("extensions.crossriderapp435.435.plugins.plugin_16.name", "FFAppAPIWrapper");
    Deleted : user_pref("extensions.crossriderapp435.435.plugins.plugin_16.ver", 4);
    Deleted : user_pref("extensions.crossriderapp435.435.plugins.plugin_17.code", "if(typeof window!==\"undefined\[...]
    Deleted : user_pref("extensions.crossriderapp435.435.plugins.plugin_17.name", "jQuery");
    Deleted : user_pref("extensions.crossriderapp435.435.plugins.plugin_17.ver", 3);
    Deleted : user_pref("extensions.crossriderapp435.435.plugins.plugin_47.code", "(function(){appAPI.ready=functi[...]
    Deleted : user_pref("extensions.crossriderapp435.435.plugins.plugin_47.name", "resources_background");
    Deleted : user_pref("extensions.crossriderapp435.435.plugins.plugin_47.ver", 1);
    Deleted : user_pref("extensions.crossriderapp435.435.plugins.plugin_49.code", "if (!appAPI.monetize || appAPI.[...]
    Deleted : user_pref("extensions.crossriderapp435.435.plugins.plugin_49.name", "similar_web");
    Deleted : user_pref("extensions.crossriderapp435.435.plugins.plugin_49.ver", 3);
    Deleted : user_pref("extensions.crossriderapp435.435.plugins.plugin_50.code", "function create_id(string_size)[...]
    Deleted : user_pref("extensions.crossriderapp435.435.plugins.plugin_50.name", "similar_web_bg");
    Deleted : user_pref("extensions.crossriderapp435.435.plugins.plugin_50.ver", 1);
    Deleted : user_pref("extensions.crossriderapp435.435.plugins.plugin_60.code", "var MonitizationPluginsBase=fun[...]
    Deleted : user_pref("extensions.crossriderapp435.435.plugins.plugin_60.name", "base_monetization");
    Deleted : user_pref("extensions.crossriderapp435.435.plugins.plugin_60.ver", 1);
    Deleted : user_pref("extensions.crossriderapp435.435.plugins.plugin_64.code", "(function(){var h=\"__CR_EMPTY_[...]
    Deleted : user_pref("extensions.crossriderapp435.435.plugins.plugin_64.name", "appApiMessage");
    Deleted : user_pref("extensions.crossriderapp435.435.plugins.plugin_64.ver", 1);
    Deleted : user_pref("extensions.crossriderapp435.435.plugins.plugin_72.code", "if(appAPI.__should_activate_val[...]
    Deleted : user_pref("extensions.crossriderapp435.435.plugins.plugin_72.name", "appApiValidation");
    Deleted : user_pref("extensions.crossriderapp435.435.plugins.plugin_72.ver", 1);
    Deleted : user_pref("extensions.crossriderapp435.435.plugins.plugin_78.code", "if(typeof jQuery!==\"undefined\[...]
    Deleted : user_pref("extensions.crossriderapp435.435.plugins.plugin_78.name", "CrossriderInfo");
    Deleted : user_pref("extensions.crossriderapp435.435.plugins.plugin_78.ver", 2);
    Deleted : user_pref("extensions.crossriderapp435.435.plugins_lists.plugins_0", "14,78,16,64,47,72,50");
    Deleted : user_pref("extensions.crossriderapp435.435.plugins_lists.plugins_1", "17,14,78,13,16,15,64,72,60,49,[...]
    Deleted : user_pref("extensions.crossriderapp435.435.plugins_lists.plugins_5", "14,78,13,16,64,47,72");
    Deleted : user_pref("extensions.crossriderapp435.435.pluginsurl", "hxxp://app-static.crossrider.com/plugin/app[...]
    Deleted : user_pref("extensions.crossriderapp435.435.pluginsversion", 18);
    Deleted : user_pref("extensions.crossriderapp435.435.premium", true);
    Deleted : user_pref("extensions.crossriderapp435.435.publisher", "Premiumplay");
    Deleted : user_pref("extensions.crossriderapp435.435.searchstatus", 0);
    Deleted : user_pref("extensions.crossriderapp435.435.setnewtab", false);
    Deleted : user_pref("extensions.crossriderapp435.435.settingsurl", "");
    Deleted : user_pref("extensions.crossriderapp435.435.thankyou", "");
    Deleted : user_pref("extensions.crossriderapp435.435.updateinterval", 360);
    Deleted : user_pref("extensions.crossriderapp435.435.ver", 69);
    Deleted : user_pref("extensions.crossriderapp435.adsOldValue", -1);
    Deleted : user_pref("extensions.crossriderapp435.apps", "435");
    Deleted : user_pref("extensions.crossriderapp435.bic", "13562e097ccc62bd8cb79bd7650d5f90");
    Deleted : user_pref("extensions.crossriderapp435.cid", 435);
    Deleted : user_pref("extensions.crossriderapp435.firstrun", false);
    Deleted : user_pref("extensions.crossriderapp435.hadappinstalled", true);
    Deleted : user_pref("extensions.crossriderapp435.installationdate", 1328803781);
    Deleted : user_pref("extensions.crossriderapp435.jsver", 3);
    Deleted : user_pref("extensions.crossriderapp435.lastcheck", 22654944);
    Deleted : user_pref("extensions.crossriderapp435.lastcheckitem", 22654973);
    Deleted : user_pref("extensions.crossriderapp435.misc.lastBgWorkerTimer", "1348360906427");
    Deleted : user_pref("extensions.crossriderapp435.misc.lastDomWorkerTimer", "1348360906425");
    Deleted : user_pref("extensions.crossriderapp435.modetype", "production");
    Deleted : user_pref("extensions.enabledAddons", "secureLogin%40blueimp.net:1.0.3,support%40platinumhideip.com:[...]
    Deleted : user_pref("extensions.incredibar.actvtyRptTime", "1348289603187");
    Deleted : user_pref("extensions.incredibar.admin", false);
    Deleted : user_pref("extensions.incredibar.aflt", "orgnl");
    Deleted : user_pref("extensions.incredibar.cntry", "US");
    Deleted : user_pref("extensions.incredibar.dfltLng", "");
    Deleted : user_pref("extensions.incredibar.dfltSrch", false);
    Deleted : user_pref("extensions.incredibar.did", "10606");
    Deleted : user_pref("extensions.incredibar.hdrMd5", "33A8ED43832FFC6AE2CAB8D0435B4356");
    Deleted : user_pref("extensions.incredibar.hmpg", false);
    Deleted : user_pref("extensions.incredibar.id", "a063e759000000000000cc52aff747fc");
    Deleted : user_pref("extensions.incredibar.installerproductid", "26");
    Deleted : user_pref("extensions.incredibar.instlDay", "15379");
    Deleted : user_pref("extensions.incredibar.instlRef", "");
    Deleted : user_pref("extensions.incredibar.lastVrsnTs", "1.5.3.2711:07:01");
    Deleted : user_pref("extensions.incredibar.newTab", false);
    Deleted : user_pref("extensions.incredibar.noFFXTlbr", false);
    Deleted : user_pref("extensions.incredibar.ppd", "48");
    Deleted : user_pref("extensions.incredibar.prdct", "incredibar");
    Deleted : user_pref("extensions.incredibar.productid", "26");
    Deleted : user_pref("extensions.incredibar.prtnrId", "Incredibar");
    Deleted : user_pref("extensions.incredibar.sg", "none");
    Deleted : user_pref("extensions.incredibar.smplGrp", "none");
    Deleted : user_pref("extensions.incredibar.tlbrId", "base");
    Deleted : user_pref("extensions.incredibar.tlbrSrchUrl", "hxxp://mystart.Incredibar.com/?a=6Oysndgc9f&loc=IB_T[...]
    Deleted : user_pref("extensions.incredibar.upn2", "6Oysndgc9f");
    Deleted : user_pref("extensions.incredibar.upn2n", "92260871127040989");
    Deleted : user_pref("extensions.incredibar.vrsn", "1.5.3.27");
    Deleted : user_pref("extensions.incredibar.vrsnTs", "1.5.3.2711:07:01");
    Deleted : user_pref("extensions.incredibar.vrsni", "1.5.3.27");
    Deleted : user_pref("extensions.incredibar_i.aflt", "orgnl");
    Deleted : user_pref("extensions.incredibar_i.dfltLng", "");
    Deleted : user_pref("extensions.incredibar_i.did", "10606");
    Deleted : user_pref("extensions.incredibar_i.excTlbr", "false");
    Deleted : user_pref("extensions.incredibar_i.hardId", "a063e759000000000000cc52aff747fc");
    Deleted : user_pref("extensions.incredibar_i.id", "a063e759000000000000cc52aff747fc");
    Deleted : user_pref("extensions.incredibar_i.installerproductid", "26");
    Deleted : user_pref("extensions.incredibar_i.instlDay", "15379");
    Deleted : user_pref("extensions.incredibar_i.instlRef", "");
    Deleted : user_pref("extensions.incredibar_i.ms_url_id", "");
    Deleted : user_pref("extensions.incredibar_i.newTab", false);
    Deleted : user_pref("extensions.incredibar_i.ppd", "48");
    Deleted : user_pref("extensions.incredibar_i.prdct", "incredibar");
    Deleted : user_pref("extensions.incredibar_i.productid", "26");
    Deleted : user_pref("extensions.incredibar_i.prtnrId", "Incredibar");
    Deleted : user_pref("extensions.incredibar_i.smplGrp", "none");
    Deleted : user_pref("extensions.incredibar_i.tlbrId", "base");
    Deleted : user_pref("extensions.incredibar_i.tlbrSrchUrl", "hxxp://mystart.Incredibar.com/?a=6Oysndgc9f&loc=IB[...]
    Deleted : user_pref("extensions.incredibar_i.upn2", "6Oysndgc9f");
    Deleted : user_pref("extensions.incredibar_i.upn2n", "92260871127040989");
    Deleted : user_pref("extensions.incredibar_i.vrsn", "1.5.3.27");
    Deleted : user_pref("extensions.incredibar_i.vrsnTs", "1.5.3.2711:07:01");
    Deleted : user_pref("extensions.incredibar_i.vrsni", "1.5.3.27");
    Deleted : user_pref("extensions.wecarereminder.merchHash", "{\"AFFILIATES\":{\"1-Sale-A-Day\":{\"name\":\"1 Sa[...]
    Deleted : user_pref("keyword.URL", "hxxp://mystart.incredibar.com/mb119/?loc=IB_DS&a=6Oysndgc9f&&I=26&search="[...]

    -\\ Google Chrome v22.0.1229.94

    File : C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Preferences

    Deleted [l.8] : homepage = "hxxp://www.ask.com/?l=dis&o=102874cr&gct=hp",
    Deleted [l.12] : urls_to_restore_on_startup = [ "hxxp://www.ask.com/?l=dis&o=102874cr&gct=hp" ]
    Deleted [l.304] : homepage = "hxxp://www.ask.com/?l=dis&o=102874cr&gct=hp",
    Deleted [l.500] : urls_to_restore_on_startup = [ "hxxp://www.ask.com/?l=dis&o=102874cr&gct=hp" ]

    *************************

    AdwCleaner[S1].txt - [24745 octets] - [27/01/2013 18:26:43]

    ########## EOF - C:\AdwCleaner[S1].txt - [24806 octets] ##########


    Junkware Removal Tool (JRT) by Thisisu
    Version: 4.5.2 (01.26.2013:2)
    OS: Windows 7 Professional x86
    Ran by Administrator on Sun 01/27/2013 at 18:41:49.76
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~




    ~~~ Services



    ~~~ Registry Values



    ~~~ Registry Keys



    ~~~ Files



    ~~~ Folders

    Successfully deleted: [Folder] "C:\ProgramData\codec-v"
    Successfully deleted: [Folder] "C:\Users\Administrator\appdata\local\coupon companion plugin"
    Successfully deleted: [Folder] "C:\Users\Administrator\appdata\local\premiumplay codec-c"
    Successfully deleted: [Folder] "C:\Program Files\coupon companion plugin"
    Successfully deleted: [Folder] "C:\Program Files\premiumplay codec-c"
    Successfully deleted: [Folder] "C:\windows\system32\ai_recyclebin"



    ~~~ FireFox

    Successfully deleted: [Folder] C:\Users\Administrator\AppData\Roaming\mozilla\firefox\profiles\xibtwus7.default\extensions\505d44cb545ee@505d44cb54627.com
    Successfully deleted: [Folder] C:\Users\Administrator\AppData\Roaming\mozilla\firefox\profiles\xibtwus7.default\extensions\plugin@selectionlinks.com
    Successfully deleted the following from C:\Users\Administrator\AppData\Roaming\mozilla\firefox\profiles\xibtwus7.default\prefs.js

    user_pref("extensions.crossrider.bic", "13562e097ccc62bd8cb79bd7650d5f90");
    user_pref("extensions.wrc.SearchRules.ask.com.style", ".WRCN {display:none} #yui-main .tsrc_vnru .title + .WRCN, #yui-main #teoma-results .title + .WRCN {display:inline !impor
    user_pref("extensions.wrc.SearchRules.ask.com.url", "^hxxp(s)?\\:\\/\\/(.+\\.)?ask\\.com\\/.*");
    user_pref("extensions.wrc.SearchRules.baidu.com.style", ".WRCN {display:none} .result .f .WRCN {display:inline !important; background: url(\"IMAGE\") right no-repeat}");
    user_pref("extensions.wrc.SearchRules.baidu.com.url", "^hxxp\\:\\/\\/www\\.baidu\\.com\\/.*");
    user_pref("extensions.wrc.SearchRules.excite.com.style", ".WRCN {display:none} .listing .resultsLink + .WRCN {display:inline !important; background: url(\"IMAGE\") right no-re
    user_pref("extensions.wrc.SearchRules.excite.com.url", "^hxxp\\:\\/\\/msxml\\.excite\\.com\\/excite\\/ws\\/.+");
    user_pref("extensions.wrc.SearchRules.rambler.ru.style", ".WRCN {display:none} .search-results .title + .WRCN {display:inline !important; background: url(\"IMAGE\") right no-r
    Emptied folder: C:\Users\Administrator\AppData\Roaming\mozilla\firefox\profiles\xibtwus7.default\minidumps [55 files]



    ~~~ Chrome

    Failed to delete: [Folder] C:\Users\Administrator\appdata\local\Google\Chrome\User Data\Default\Extensions\ippkomaaonokjnfjoikaemidanojkfmm
    Successfully deleted: [Folder] C:\Users\Administrator\appdata\local\Google\Chrome\User Data\Default\Extensions\jneaojaoiajhnemidnjhoempalnidbhj
    Successfully deleted: [Folder] C:\Users\Administrator\appdata\local\Google\Chrome\User Data\Default\Extensions\jpnbdefcbnoefmmcpelplabbkfmfhlho
    Successfully deleted: [Folder] C:\Users\Administrator\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\ippkomaaonokjnfjoikaemidanojkfmm
    Successfully deleted: [Registry Key] hkey_local_machine\software\google\chrome\extensions\ippkomaaonokjnfjoikaemidanojkfmm
    Successfully deleted: [Registry Key] hkey_local_machine\software\google\chrome\extensions\jneaojaoiajhnemidnjhoempalnidbhj



    ~~~ Event Viewer Logs were cleared





    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    Scan was completed on Sun 01/27/2013 at 18:46:45.31
    End of JRT log
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

  4. Jay Pfoutz

    Jay Pfoutz Malware Helper Posts: 4,286   +49

    OTL Quick Scan

    Please download OTL by OldTimer to your Desktop.
    • Close all windows and double click OTL.exe.
    • Click Quick Scan button and let the program run uninterrupted.
    • It will produce a log for you called OTL.txt; please post it in your next reply.
    • You may need to use two posts to get it all.
  5. cableman

    cableman TechSpot Enthusiast Topic Starter Posts: 173

    Here is the OldTimer log:

    OTL logfile created on: 1/28/2013 3:25:31 PM - Run 1
    OTL by OldTimer - Version 3.2.69.0 Folder = C:\Users\Administrator\Downloads
    Professional Service Pack 1 (Version = 6.1.7601) - Type = NTWorkstation
    Internet Explorer (Version = 9.0.8112.16421)
    Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

    1.74 Gb Total Physical Memory | 1.15 Gb Available Physical Memory | 66.32% Memory free
    4.35 Gb Paging File | 3.40 Gb Available in Paging File | 78.05% Paging File free
    Paging file location(s): c:\pagefile.sys 2673 2673 [binary data]

    %SystemDrive% = C: | %SystemRoot% = C:\windows | %ProgramFiles% = C:\Program Files
    Drive C: | 230.88 Gb Total Space | 191.30 Gb Free Space | 82.86% Space Free | Partition Type: NTFS
    Drive E: | 14.92 Gb Total Space | 14.91 Gb Free Space | 99.94% Space Free | Partition Type: FAT32
    Drive G: | 1.99 Gb Total Space | 1.99 Gb Free Space | 99.71% Space Free | Partition Type: FAT32

    Computer Name: USER-HP | User Name: Administrator | Logged in as Administrator.
    Boot Mode: Normal | Scan Mode: Current user | Quick Scan
    Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

    ========== Processes (SafeList) ==========

    PRC - [2013/01/28 15:24:01 | 000,602,112 | ---- | M] (OldTimer Tools) -- C:\Users\Administrator\Downloads\OTL.exe
    PRC - [2012/12/14 16:49:28 | 000,682,344 | ---- | M] (Malwarebytes Corporation) -- C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
    PRC - [2012/12/14 16:49:28 | 000,512,360 | ---- | M] (Malwarebytes Corporation) -- C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
    PRC - [2012/12/14 16:49:28 | 000,398,184 | ---- | M] (Malwarebytes Corporation) -- C:\Program Files\Malwarebytes' Anti-Malware\mbamscheduler.exe
    PRC - [2012/10/30 18:50:59 | 004,297,136 | ---- | M] (AVAST Software) -- C:\Program Files\AVAST Software\Avast\AvastUI.exe
    PRC - [2012/10/30 18:50:59 | 000,044,808 | ---- | M] (AVAST Software) -- C:\Program Files\AVAST Software\Avast\AvastSvc.exe
    PRC - [2012/10/20 15:07:16 | 000,058,288 | ---- | M] (Absolute Software Corp.) -- C:\Windows\System32\rpcnet.exe
    PRC - [2011/11/06 00:40:42 | 000,495,708 | ---- | M] (IDT, Inc.) -- C:\Program Files\IDT\WDM\sttray.exe
    PRC - [2011/11/06 00:40:42 | 000,254,034 | ---- | M] (IDT, Inc.) -- C:\Program Files\IDT\WDM\stacsv.exe
    PRC - [2011/11/06 00:40:41 | 000,081,920 | ---- | M] (Andrea Electronics Corporation) -- C:\Program Files\IDT\WDM\AEstSrv.exe
    PRC - [2011/10/12 17:14:14 | 001,479,488 | ---- | M] (TuneUp Software) -- C:\Program Files\TuneUp Utilities 2012\TuneUpUtilitiesService32.exe
    PRC - [2011/10/12 17:14:14 | 001,210,688 | ---- | M] (TuneUp Software) -- C:\Program Files\TuneUp Utilities 2012\TuneUpUtilitiesApp32.exe
    PRC - [2011/09/29 12:06:36 | 000,107,000 | ---- | M] (Siber Systems) -- C:\Program Files\Siber Systems\AI RoboForm\robotaskbaricon.exe
    PRC - [2011/08/31 20:36:16 | 005,306,880 | ---- | M] (Wisdom Software Inc. ) -- C:\Program Files\Wisdom-soft ScreenHunter 5 Free\ScreenHunter.exe
    PRC - [2011/06/23 23:22:20 | 000,271,360 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\conhost.exe
    PRC - [2011/03/16 10:26:40 | 000,113,264 | ---- | M] (Portrait Displays, Inc.) -- C:\Program Files\Common Files\Portrait Displays\Drivers\pdisrvc.exe
    PRC - [2011/02/25 00:30:54 | 002,616,320 | ---- | M] (Microsoft Corporation) -- C:\Windows\explorer.exe
    PRC - [2010/11/20 07:17:47 | 000,049,152 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\taskhost.exe
    PRC - [2010/06/25 13:35:47 | 000,202,256 | ---- | M] (RealNetworks, Inc.) -- C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    PRC - [2010/04/08 01:22:48 | 000,372,736 | ---- | M] (AMD) -- C:\Windows\System32\atieclxx.exe
    PRC - [2010/04/08 01:22:18 | 000,172,032 | ---- | M] (AMD) -- C:\Windows\System32\atiesrxx.exe
    PRC - [2010/03/25 18:02:02 | 000,090,112 | ---- | M] (Hewlett-Packard Company) -- c:\Program Files\Hewlett-Packard\HP QuickLook\HPDayStarterService.exe
    PRC - [2010/03/15 17:05:30 | 000,331,000 | ---- | M] (QUALCOMM, Inc.) -- C:\Program Files\QUALCOMM\QDLService2k\QDLService2kHP.exe
    PRC - [2010/03/06 16:39:08 | 000,635,416 | ---- | M] (PDF Complete Inc) -- C:\Program Files\PDF Complete\pdfsvc.exe
    PRC - [2010/02/18 16:26:46 | 001,664,304 | ---- | M] (Validity Sensors, Inc.) -- C:\Windows\System32\vcsFPService.exe
    PRC - [2010/01/21 12:42:48 | 000,014,336 | ---- | M] (LSI Corporation) -- C:\Program Files\LSI SoftModem\agrsmsvc.exe
    PRC - [2010/01/19 13:17:10 | 000,297,984 | ---- | M] (Hewlett-Packard) -- C:\Program Files\Hewlett-Packard\File Sanitizer\HPFSService.exe
    PRC - [2009/12/29 15:31:32 | 000,595,232 | ---- | M] (Broadcom Corporation.) -- C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe
    PRC - [2009/06/03 18:16:42 | 000,207,400 | ---- | M] (ActivIdentity) -- C:\Program Files\Common Files\ActivIdentity\ac.sharedstore.exe
    PRC - [2009/06/03 18:16:34 | 000,153,640 | ---- | M] (ActivIdentity) -- C:\Program Files\ActivIdentity\ActivClient\acevents.exe


    ========== Modules (No Company Name) ==========

    MOD - [2011/10/13 02:37:42 | 001,051,136 | ---- | M] () -- C:\windows\assembly\NativeImages_v2.0.50727_32\System.Management\1049a76b3de293df726d380932215c91\System.Management.ni.dll
    MOD - [2011/10/13 02:34:13 | 000,368,128 | ---- | M] () -- C:\windows\assembly\NativeImages_v2.0.50727_32\PresentationFramewo#\07cdef1a740151932dcf161f3306bd9c\PresentationFramework.Aero.ni.dll
    MOD - [2011/10/13 02:34:05 | 014,339,072 | ---- | M] () -- C:\windows\assembly\NativeImages_v2.0.50727_32\PresentationFramewo#\70e2ca33ffa52c743285dc5b4910a229\PresentationFramework.ni.dll
    MOD - [2011/10/13 02:33:48 | 012,234,752 | ---- | M] () -- C:\windows\assembly\NativeImages_v2.0.50727_32\PresentationCore\7c94a121334aeca7553c7f01290740f0\PresentationCore.ni.dll
    MOD - [2011/10/13 02:33:36 | 003,347,968 | ---- | M] () -- C:\windows\assembly\NativeImages_v2.0.50727_32\WindowsBase\d7a64c28cf0c90e6c48af4f7d6f9ed41\WindowsBase.ni.dll
    MOD - [2011/10/13 02:32:58 | 000,771,584 | ---- | M] () -- C:\windows\assembly\NativeImages_v2.0.50727_32\System.Runtime.Remo#\b2622080e047040fa044dd21a04ff10d\System.Runtime.Remoting.ni.dll
    MOD - [2011/10/13 02:32:54 | 006,611,456 | ---- | M] () -- C:\windows\assembly\NativeImages_v2.0.50727_32\System.Data\f8196c3588c2229e84516af4b6a0ee60\System.Data.ni.dll
    MOD - [2011/10/13 02:32:35 | 005,453,312 | ---- | M] () -- C:\windows\assembly\NativeImages_v2.0.50727_32\System.Xml\130ad4d9719e566ca933ac7158a04203\System.Xml.ni.dll
    MOD - [2011/10/13 02:32:31 | 000,971,264 | ---- | M] () -- C:\windows\assembly\NativeImages_v2.0.50727_32\System.Configuration\2d5bcbeb9475ef62189f605bcca1cec6\System.Configuration.ni.dll
    MOD - [2011/10/13 02:32:24 | 007,963,648 | ---- | M] () -- C:\windows\assembly\NativeImages_v2.0.50727_32\System\abab08afa60a6f06bdde0fcc9649c379\System.ni.dll
    MOD - [2011/10/13 02:32:12 | 011,490,304 | ---- | M] () -- C:\windows\assembly\NativeImages_v2.0.50727_32\mscorlib\a1a82db68b3badc7c27ea1f6579d22c5\mscorlib.ni.dll
    MOD - [2010/11/04 20:58:05 | 002,927,616 | ---- | M] () -- C:\windows\assembly\GAC_32\System.Data\2.0.0.0__b77a5c561934e089\System.Data.dll
    MOD - [2010/02/09 20:58:30 | 000,061,440 | ---- | M] () -- C:\Program Files\Hewlett-Packard\HP Advisor\Pillars\PCAlerts\PCAlertsPillar.dll
    MOD - [2010/02/09 20:58:28 | 000,131,072 | ---- | M] () -- C:\Program Files\Hewlett-Packard\HP Advisor\Pillars\ECenter\ECLibrary.dll
    MOD - [2010/02/09 20:58:24 | 000,040,960 | ---- | M] () -- C:\Program Files\Hewlett-Packard\HP Advisor\MessagingServer.dll
    MOD - [2010/02/09 20:58:24 | 000,007,680 | ---- | M] () -- C:\Program Files\Hewlett-Packard\HP Advisor\RemotingClient.dll
    MOD - [2010/02/09 20:58:22 | 000,036,864 | ---- | M] () -- C:\Program Files\Hewlett-Packard\HP Advisor\MessagingClients.dll
    MOD - [2010/02/09 20:58:22 | 000,005,632 | ---- | M] () -- C:\Program Files\Hewlett-Packard\HP Advisor\MessagingInterface.dll
    MOD - [2010/02/09 20:58:18 | 000,018,944 | ---- | M] () -- C:\Program Files\Hewlett-Packard\HP Advisor\MessagingMessages.dll
    MOD - [2009/08/16 17:06:02 | 000,141,312 | ---- | M] () -- C:\Program Files\WinRAR\RarExt.dll
    MOD - [2008/08/12 05:18:42 | 000,148,480 | ---- | M] () -- C:\Program Files\Zoom Player\zpshlext.dll


    ========== Services (SafeList) ==========

    SRV - File not found [Auto | Stopped] -- C:\ProgramData\Rpcnet\Bin\rpcld.exe -- (rpcld)
    SRV - [2013/01/18 18:32:50 | 000,115,608 | ---- | M] (Mozilla Foundation) [On_Demand | Stopped] -- C:\Program Files\Mozilla Maintenance Service\maintenanceservice.exe -- (MozillaMaintenance)
    SRV - [2012/12/14 16:49:28 | 000,682,344 | ---- | M] (Malwarebytes Corporation) [Auto | Running] -- C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe -- (MBAMService)
    SRV - [2012/12/14 16:49:28 | 000,398,184 | ---- | M] (Malwarebytes Corporation) [Auto | Running] -- C:\Program Files\Malwarebytes' Anti-Malware\mbamscheduler.exe -- (MBAMScheduler)
    SRV - [2012/10/30 18:50:59 | 000,044,808 | ---- | M] (AVAST Software) [Auto | Running] -- C:\Program Files\AVAST Software\Avast\AvastSvc.exe -- (avast! Antivirus)
    SRV - [2012/10/20 15:07:16 | 000,058,288 | ---- | M] (Absolute Software Corp.) [Auto | Running] -- C:\Windows\System32\rpcnet.exe -- (rpcnet)
    SRV - [2011/11/06 00:40:42 | 000,254,034 | ---- | M] (IDT, Inc.) [Auto | Running] -- C:\Program Files\IDT\WDM\stacsv.exe -- (STacSV)
    SRV - [2011/11/06 00:40:41 | 000,081,920 | ---- | M] (Andrea Electronics Corporation) [Auto | Running] -- C:\Program Files\IDT\WDM\AEstSrv.exe -- (AESTFilters)
    SRV - [2011/10/12 17:14:14 | 001,479,488 | ---- | M] (TuneUp Software) [Auto | Running] -- C:\Program Files\TuneUp Utilities 2012\TuneUpUtilitiesService32.exe -- (TuneUp.UtilitiesSvc)
    SRV - [2011/06/02 12:18:32 | 000,133,688 | ---- | M] (Hewlett-Packard Company) [Disabled | Stopped] -- C:\Program Files\Hewlett-Packard\HP Power Assistant\HPPA_Service.exe -- (HP Power Assistant Service)
    SRV - [2011/03/16 10:26:40 | 000,113,264 | ---- | M] (Portrait Displays, Inc.) [Auto | Running] -- C:\Program Files\Common Files\Portrait Displays\Drivers\pdisrvc.exe -- (PdiService)
    SRV - [2011/01/15 07:32:30 | 001,116,656 | ---- | M] (Sonic Solutions) [On_Demand | Stopped] -- C:\Program Files\Common Files\Roxio Shared\OEM\12.0\SharedCOM\RoxMediaDB12OEM.exe -- (RoxMediaDB12OEM)
    SRV - [2010/06/25 13:42:21 | 001,343,400 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\Wat\WatAdminSvc.exe -- (WatAdminSvc)
    SRV - [2010/04/08 01:22:18 | 000,172,032 | ---- | M] (AMD) [Auto | Running] -- C:\Windows\System32\atiesrxx.exe -- (AMD External Events Utility)
    SRV - [2010/04/05 13:12:00 | 000,103,992 | ---- | M] (Hewlett-Packard) [Disabled | Stopped] -- C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWA_Service.exe -- (HP Wireless Assistant Service)
    SRV - [2010/03/25 18:02:02 | 000,090,112 | ---- | M] (Hewlett-Packard Company) [Auto | Running] -- c:\Program Files\Hewlett-Packard\HP QuickLook\HPDayStarterService.exe -- (HPDayStarterService)
    SRV - [2010/03/15 17:05:30 | 000,331,000 | ---- | M] (QUALCOMM, Inc.) [Auto | Running] -- C:\Program Files\QUALCOMM\QDLService2k\QDLService2kHP.exe -- (QDLService2kHP)
    SRV - [2010/03/06 16:39:08 | 000,635,416 | ---- | M] (PDF Complete Inc) [Auto | Running] -- C:\Program Files\PDF Complete\pdfsvc.exe -- (pdfcDispatcher)
    SRV - [2010/03/01 12:27:22 | 000,264,248 | ---- | M] (Hewlett-Packard Company) [Disabled | Stopped] -- C:\Program Files\Hewlett-Packard\HP HotKey Support\hpHotkeyMonitor.exe -- (hpHotkeyMonitor)
    SRV - [2010/02/18 16:26:46 | 001,664,304 | ---- | M] (Validity Sensors, Inc.) [Auto | Running] -- C:\Windows\System32\vcsFPService.exe -- (vcsFPService)
    SRV - [2010/02/17 12:53:18 | 003,093,880 | ---- | M] (Symantec Corporation) [On_Demand | Stopped] -- C:\Program Files\Symantec\LiveUpdate\LuComServer_3_3.EXE -- (LiveUpdate)
    SRV - [2010/01/21 12:42:48 | 000,014,336 | ---- | M] (LSI Corporation) [Auto | Running] -- C:\Program Files\LSI SoftModem\agrsmsvc.exe -- (AgereModemAudio)
    SRV - [2010/01/19 13:17:10 | 000,297,984 | ---- | M] (Hewlett-Packard) [Auto | Running] -- C:\Program Files\Hewlett-Packard\File Sanitizer\HPFSService.exe -- (HPFSService)
    SRV - [2009/12/29 15:31:32 | 000,595,232 | ---- | M] (Broadcom Corporation.) [Auto | Running] -- C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe -- (btwdins)
    SRV - [2009/11/23 13:08:10 | 001,120,752 | ---- | M] (Sonic Solutions) [On_Demand | Stopped] -- c:\Program Files\Common Files\Roxio Shared\10.0\SharedCOM\RoxMediaDB10.exe -- (RoxMediaDB10)
    SRV - [2009/07/13 20:16:15 | 000,016,384 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\StorSvc.dll -- (StorSvc)
    SRV - [2009/07/13 20:16:13 | 000,025,088 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\sensrsvc.dll -- (SensrSvc)
    SRV - [2009/07/13 20:16:12 | 001,004,544 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\PeerDistSvc.dll -- (PeerDistSvc)
    SRV - [2009/07/13 20:15:41 | 000,680,960 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Program Files\Windows Defender\MpSvc.dll -- (WinDefend)
    SRV - [2009/06/03 18:16:42 | 000,207,400 | ---- | M] (ActivIdentity) [Auto | Running] -- C:\Program Files\Common Files\ActivIdentity\ac.sharedstore.exe -- (ac.sharedstore)


    ========== Driver Services (SafeList) ==========

    DRV - File not found [Kernel | Auto | Stopped] -- C:\Program Files\Free Ride Games\X6XSEx_Pr143.Sys -- (X6XSEx_Pr143)
    DRV - File not found [Kernel | System | Stopped] -- C:\windows\system32\drivers\SBREDrv.sys -- (SBRE)
    DRV - File not found [Kernel | On_Demand | Stopped] -- C:\Users\ADMINI~1\AppData\Local\Temp\catchme.sys -- (catchme)
    DRV - [2012/12/14 16:49:28 | 000,021,104 | ---- | M] (Malwarebytes Corporation) [File_System | On_Demand | Running] -- C:\Windows\System32\drivers\mbam.sys -- (MBAMProtector)
    DRV - [2012/10/30 18:51:58 | 000,738,504 | ---- | M] (AVAST Software) [File_System | System | Running] -- C:\windows\System32\drivers\aswSnx.sys -- (aswSnx)
    DRV - [2012/10/30 18:51:58 | 000,361,032 | ---- | M] (AVAST Software) [Kernel | System | Running] -- C:\windows\System32\drivers\aswSP.sys -- (aswSP)
    DRV - [2012/10/30 18:51:58 | 000,054,232 | ---- | M] (AVAST Software) [Kernel | System | Running] -- C:\windows\System32\drivers\aswTdi.sys -- (aswTdi)
    DRV - [2012/10/30 18:51:57 | 000,058,680 | ---- | M] (AVAST Software) [File_System | Auto | Running] -- C:\Windows\System32\drivers\aswMonFlt.sys -- (aswMonFlt)
    DRV - [2012/10/30 18:51:56 | 000,021,256 | ---- | M] (AVAST Software) [File_System | Auto | Running] -- C:\windows\System32\drivers\aswFsBlk.sys -- (aswFsBlk)
    DRV - [2012/10/15 11:59:28 | 000,044,784 | ---- | M] (AVAST Software) [Kernel | System | Running] -- C:\Windows\System32\drivers\aswRdr2.sys -- (aswRdr)
    DRV - [2011/11/06 00:40:43 | 000,431,616 | ---- | M] (IDT, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\stwrt.sys -- (STHDA)
    DRV - [2011/09/22 12:08:26 | 000,010,064 | ---- | M] (TuneUp Software) [Kernel | On_Demand | Running] -- C:\Program Files\TuneUp Utilities 2012\TuneUpUtilitiesDriver32.sys -- (TuneUpUtilitiesDrv)
    DRV - [2010/11/20 07:30:17 | 000,296,064 | ---- | M] (Microsoft Corporation) [Kernel | System | Running] -- C:\Windows\System32\drivers\vpcvmm.sys -- (vpcvmm)
    DRV - [2010/11/20 07:30:17 | 000,172,416 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\vpchbus.sys -- (vpcbus)
    DRV - [2010/11/20 07:30:15 | 000,175,360 | ---- | M] (Microsoft Corporation) [Kernel | Boot | Running] -- C:\Windows\System32\drivers\vmbus.sys -- (vmbus)
    DRV - [2010/11/20 07:30:15 | 000,040,704 | ---- | M] (Microsoft Corporation) [Kernel | Boot | Running] -- C:\Windows\System32\drivers\vmstorfl.sys -- (storflt)
    DRV - [2010/11/20 07:30:15 | 000,028,032 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\storvsc.sys -- (storvsc)
    DRV - [2010/11/20 05:50:38 | 000,078,336 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\vpcusb.sys -- (vpcusb)
    DRV - [2010/11/20 05:50:37 | 000,048,128 | ---- | M] (Microsoft Corporation) [Kernel | System | Running] -- C:\Windows\System32\drivers\vpcnfltr.sys -- (vpcnfltr)
    DRV - [2010/11/20 05:50:37 | 000,012,800 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\vpcuxd.sys -- (vpcuxd)
    DRV - [2010/11/20 05:24:41 | 000,052,224 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\TsUsbFlt.sys -- (TsUsbFlt)
    DRV - [2010/11/20 05:06:36 | 000,117,760 | ---- | M] (Microsoft Corporation) [Kernel | Auto | Running] -- C:\Windows\System32\drivers\rmcast.sys -- (RMCAST)
    DRV - [2010/11/20 04:59:44 | 000,035,968 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\winusb.sys -- (WinUSB)
    DRV - [2010/11/20 04:14:45 | 000,017,920 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\VMBusHID.sys -- (VMBusHID)
    DRV - [2010/11/20 04:14:41 | 000,005,632 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\vms3cap.sys -- (s3cap)
    DRV - [2010/06/25 13:01:27 | 000,064,288 | ---- | M] (Lavasoft AB) [File_System | Boot | Running] -- C:\Windows\System32\drivers\Lbd.sys -- (Lbd)
    DRV - [2010/06/15 18:53:28 | 000,025,656 | ---- | M] (Hewlett-Packard Company) [Kernel | Boot | Running] -- C:\Windows\System32\drivers\hpdskflt.sys -- (hpdskflt)
    DRV - [2010/06/15 18:53:12 | 000,033,848 | ---- | M] (Hewlett-Packard Company) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\Accelerometer.sys -- (Accelerometer)
    DRV - [2010/04/08 01:49:14 | 005,429,760 | ---- | M] (ATI Technologies Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\atikmdag.sys -- (amdkmdag)
    DRV - [2010/04/08 00:46:22 | 000,157,184 | ---- | M] (Advanced Micro Devices, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\atikmpag.sys -- (amdkmdap)
    DRV - [2010/03/15 16:02:30 | 000,208,384 | ---- | M] (QUALCOMM Incorporated) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\qcusbnethp2k.sys -- (qcusbnethp2k)
    DRV - [2010/03/15 16:02:30 | 000,106,880 | ---- | M] (QUALCOMM Incorporated) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\qcusbserhp2k.sys -- (qcusbserhp2k)
    DRV - [2010/03/15 16:02:30 | 000,005,248 | ---- | M] (QUALCOMM Incorporated) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\qcfilterhp2k.sys -- (qcfilterhp2k)
    DRV - [2010/03/08 20:21:26 | 000,107,024 | ---- | M] (ATI Technologies, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\AtiHdmi.sys -- (AtiHdmiService)
    DRV - [2010/02/16 14:24:12 | 000,021,560 | ---- | M] (Hewlett-Packard Company) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\HpqKbFiltr.sys -- (HpqKbFiltr)
    DRV - [2010/01/30 00:45:32 | 000,073,344 | ---- | M] (Realtek Semiconductor Corp.) [2 MP Fixed] [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\rtsuvc.sys -- (rtsuvc)
    DRV - [2010/01/21 12:42:46 | 001,163,328 | ---- | M] (LSI Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\AGRSM.sys -- (AgereSoftModem)
    DRV - [2010/01/08 05:23:00 | 000,316,416 | ---- | M] (Marvell) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\yk62x86.sys -- (yukonw7)
    DRV - [2009/12/11 23:54:16 | 000,038,912 | ---- | M] (REDC) [Kernel | Auto | Stopped] -- C:\Windows\System32\drivers\rixdpe86.sys -- (rixdpcie)
    DRV - [2009/10/28 19:55:00 | 000,047,616 | ---- | M] (REDC) [Kernel | Auto | Stopped] -- C:\Windows\System32\drivers\risdpe86.sys -- (risdpcie)
    DRV - [2009/10/26 16:39:00 | 000,048,640 | ---- | M] (REDC) [Kernel | Auto | Stopped] -- C:\Windows\System32\drivers\rimspe86.sys -- (rimspci)
    DRV - [2009/08/23 07:55:32 | 000,014,392 | ---- | M] (Advanced Micro Devices Inc.) [Kernel | Boot | Running] -- C:\Windows\System32\drivers\AtiPcie.sys -- (AtiPcie)
    DRV - [2009/07/13 18:52:10 | 000,014,336 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\vwifimp.sys -- (vwifimp)
    DRV - [2009/07/13 18:45:33 | 000,083,456 | ---- | M] (Brother Industries Ltd.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\serial.sys -- (Serial)
    DRV - [2009/07/13 18:12:52 | 000,030,720 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\tpm.sys -- (TPM)


    ========== Standard Registry (SafeList) ==========


    ========== Internet Explorer ==========

    IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://g.msn.com/HPCOM/1
    IE - HKLM\..\SearchScopes,DefaultScope =
    IE - HKLM\..\SearchScopes\{65000666-CF5A-412A-8EC4-7A48AF8F45B3}: "URL" = http://www.bing.com/search?q={searchTerms}&form=CMNTDF&pc=CMNTDF&src=IE-SearchBox
    IE - HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

    IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com
    IE - HKCU\..\SearchScopes,DefaultScope =
    IE - HKCU\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/search?q={searchTerms}&src=IE-SearchBox&FORM=IE8SRC
    IE - HKCU\..\SearchScopes\{6A1806CD-94D4-4689-BA73-E35EA1EA9990}: "URL" = http://www.bing.com/search?q={searchTerms}&FORM=IE8SRC
    IE - HKCU\..\SearchScopes\{CC2821C3-AC0C-4CC0-8B5D-BA449A67F36D}: "URL" = http://websearch.ask.com/redirect?c...pn_sauid=BE37522E-C080-44AE-AA12-21D0DAF50B88
    IE - HKCU\..\SearchScopes\{D5196E2B-5A23-4F3E-9AA5-1CCA061EB31F}: "URL" = http://www.google.com/search?q={sea...rce}&ie={inputEncoding?}&oe={outputEncoding?}
    IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

    ========== FireFox ==========

    FF - prefs.js..browser.search.selectedEngine: "Google"
    FF - prefs.js..browser.startup.homepage: "https://www.google.com/"
    FF - prefs.js..extensions.enabledAddons: secureLogin%40blueimp.net:1.0.3
    FF - prefs.js..extensions.enabledAddons: support%40platinumhideip.com:1.0
    FF - prefs.js..extensions.enabledAddons: autofillForms%40blueimp.net:0.9.9.0
    FF - prefs.js..extensions.enabledAddons: wrc%40avast.com:7.0.1474
    FF - prefs.js..extensions.enabledAddons: %7B972ce4c6-7e08-4474-a285-3208198ce6fd%7D:18.0.1
    FF - prefs.js..network.proxy.gopher: ""
    FF - prefs.js..network.proxy.gopher_port: 0
    FF - prefs.js..network.proxy.share_proxy_settings: true
    FF - prefs.js..network.proxy.type: 0
    FF - user.js - File not found

    FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\windows\system32\Macromed\Flash\NPSWF32_11_4_402_278.dll ()
    FF - HKLM\Software\MozillaPlugins\@adobe.com/ShockwavePlayer: C:\windows\system32\Adobe\Director\np32dsw.dll (Adobe Systems, Inc.)
    FF - HKLM\Software\MozillaPlugins\@exent.com/npExentCtl,version=7.0.0.0: C:\Program Files\Free Ride Games\npExentCtl.dll File not found
    FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin: C:\Program Files\Java\jre6\bin\new_plugin\npjp2.dll (Sun Microsystems, Inc.)
    FF - HKLM\Software\MozillaPlugins\@microsoft.com/GENUINE: disabled File not found
    FF - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: c:\Program Files\Microsoft Silverlight\4.0.60831.0\npctrl.dll ( Microsoft Corporation)
    FF - HKLM\Software\MozillaPlugins\@real.com/nppl3260;version=6.0.12.732: C:\Program Files\Real\RealPlayer\Netscape6\nppl3260.dll (RealNetworks, Inc.)
    FF - HKLM\Software\MozillaPlugins\@real.com/nprjplug;version=1.0.3.732: C:\Program Files\Real\RealPlayer\Netscape6\nprjplug.dll (RealNetworks, Inc.)
    FF - HKLM\Software\MozillaPlugins\@real.com/nprphtml5videoshim;version=1.0.0.0: C:\ProgramData\Real\RealPlayer\BrowserRecordPlugin\MozillaPlugins\nprphtml5videoshim.dll (RealNetworks, Inc.)
    FF - HKLM\Software\MozillaPlugins\@real.com/nprpjplug;version=6.0.12.732: C:\Program Files\Real\RealPlayer\Netscape6\nprpjplug.dll (RealNetworks, Inc.)
    FF - HKLM\Software\MozillaPlugins\@real.com/nsJSRealPlayerPlugin;version=: File not found
    FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: C:\Program Files\Google\Update\1.3.21.123\npGoogleUpdate3.dll (Google Inc.)
    FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: C:\Program Files\Google\Update\1.3.21.123\npGoogleUpdate3.dll (Google Inc.)
    FF - HKLM\Software\MozillaPlugins\www.exent.com/GameTreatWidget: C:\Program Files\Free Ride Games\NPGameTreatPlugin.dll File not found

    FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\{22119944-ED35-4ab1-910B-E619EA06A115}: C:\Program Files\Siber Systems\AI RoboForm\Firefox [2011/09/29 12:07:53 | 000,000,000 | ---D | M]
    FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\wrc@avast.com: C:\Program Files\AVAST Software\Avast\WebRep\FF [2013/01/25 00:40:17 | 000,000,000 | ---D | M]
    FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 18.0.1\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2013/01/18 18:32:52 | 000,000,000 | ---D | M]
    FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 18.0.1\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2013/01/18 18:32:33 | 000,000,000 | ---D | M]

    [2011/09/14 18:55:55 | 000,000,000 | ---D | M] (No name found) -- C:\Users\Administrator\AppData\Roaming\mozilla\Extensions
    [2013/01/27 18:46:26 | 000,000,000 | ---D | M] (No name found) -- C:\Users\Administrator\AppData\Roaming\mozilla\Firefox\Profiles\xibtwus7.default\extensions
    [2012/10/15 08:20:12 | 000,000,000 | ---D | M] (Yahoo! Toolbar) -- C:\Users\Administrator\AppData\Roaming\mozilla\Firefox\Profiles\xibtwus7.default\extensions\{635abd67-4fe9-1b23-4f01-e679fa7484c1}
    [2012/12/11 18:35:52 | 000,149,045 | ---- | M] () (No name found) -- C:\Users\Administrator\AppData\Roaming\mozilla\firefox\profiles\xibtwus7.default\extensions\autofillForms@blueimp.net.xpi
    [2012/11/28 11:50:16 | 000,083,379 | ---- | M] () (No name found) -- C:\Users\Administrator\AppData\Roaming\mozilla\firefox\profiles\xibtwus7.default\extensions\secureLogin@blueimp.net.xpi
    [2012/11/06 17:03:07 | 000,004,552 | ---- | M] () (No name found) -- C:\Users\Administrator\AppData\Roaming\mozilla\firefox\profiles\xibtwus7.default\extensions\support@platinumhideip.com.xpi
    [2012/11/23 07:37:45 | 000,804,627 | ---- | M] () (No name found) -- C:\Users\Administrator\AppData\Roaming\mozilla\firefox\profiles\xibtwus7.default\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}.xpi
    [2013/01/18 18:32:33 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions
    [2013/01/25 00:40:17 | 000,000,000 | ---D | M] (avast! WebRep) -- C:\PROGRAM FILES\AVAST SOFTWARE\AVAST\WEBREP\FF
    [2013/01/18 18:32:51 | 000,262,552 | ---- | M] (Mozilla Foundation) -- C:\Program Files\mozilla firefox\components\browsercomps.dll
    [2011/05/04 06:52:23 | 000,476,904 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\mozilla firefox\plugins\npdeployJava1.dll
    [2012/11/29 03:27:12 | 000,002,465 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\bing.xml
    [2012/11/29 03:27:12 | 000,002,058 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\twitter.xml

    ========== Chrome ==========

    CHR - homepage: http://www.google.com/
    CHR - default_search_provider: Google (Enabled)
    CHR - default_search_provider: search_url = {google:baseURL}search?{google:RLZ}{google:acceptedSuggestion}{google:originalQueryForSuggestion}{google:searchFieldtrialParameter}{google:instantFieldTrialGroupParameter}sourceid=chrome&ie={inputEncoding}&q={searchTerms}
    CHR - default_search_provider: suggest_url = {google:baseSuggestURL}search?{google:searchFieldtrialParameter}{google:instantFieldTrialGroupParameter}client=chrome&hl={language}&q={searchTerms}
    CHR - homepage: http://www.google.com/
    CHR - plugin: Shockwave Flash (Enabled) = C:\Program Files\Google\Chrome\Application\22.0.1229.94\gcswf32.dll
    CHR - plugin: Shockwave Flash (Enabled) = C:\windows\system32\Macromed\Flash\NPSWF32.dll
    CHR - plugin: QuickTime Plug-in 7.6.6 (Enabled) = C:\Program Files\Mozilla Firefox\plugins\npqtplugin.dll
    CHR - plugin: QuickTime Plug-in 7.6.6 (Enabled) = C:\Program Files\Mozilla Firefox\plugins\npqtplugin2.dll
    CHR - plugin: QuickTime Plug-in 7.6.6 (Enabled) = C:\Program Files\Mozilla Firefox\plugins\npqtplugin3.dll
    CHR - plugin: QuickTime Plug-in 7.6.6 (Enabled) = C:\Program Files\Mozilla Firefox\plugins\npqtplugin4.dll
    CHR - plugin: QuickTime Plug-in 7.6.6 (Enabled) = C:\Program Files\Mozilla Firefox\plugins\npqtplugin5.dll
    CHR - plugin: QuickTime Plug-in 7.6.6 (Enabled) = C:\Program Files\Mozilla Firefox\plugins\npqtplugin6.dll
    CHR - plugin: QuickTime Plug-in 7.6.6 (Enabled) = C:\Program Files\Mozilla Firefox\plugins\npqtplugin7.dll
    CHR - plugin: Java Deployment Toolkit 6.0.260.3 (Enabled) = C:\Program Files\Java\jre6\bin\new_plugin\npdeployJava1.dll
    CHR - plugin: Java(TM) Platform SE 6 U26 (Enabled) = C:\Program Files\Java\jre6\bin\new_plugin\npjp2.dll
    CHR - plugin: Adobe Acrobat (Disabled) = C:\Program Files\Adobe\Reader 8.0\Reader\Browser\nppdf32.dll
    CHR - plugin: Silverlight Plug-In (Enabled) = c:\Program Files\Microsoft Silverlight\4.0.60831.0\npctrl.dll
    CHR - plugin: Shockwave for Director (Enabled) = C:\windows\system32\Adobe\Director\np32dsw.dll
    CHR - plugin: RealPlayer(tm) G2 LiveConnect-Enabled Plug-In (32-bit) (Enabled) = C:\Program Files\Mozilla Firefox\plugins\nppl3260.dll
    CHR - plugin: RealPlayer Version Plugin (Enabled) = C:\Program Files\Mozilla Firefox\plugins\nprpjplug.dll
    CHR - plugin: RealPlayer(tm) HTML5VideoShim Plug-In (32-bit) (Enabled) = C:\ProgramData\Real\RealPlayer\BrowserRecordPlugin\MozillaPlugins\nprphtml5videoshim.dll
    CHR - plugin: Remoting Viewer (Enabled) = internal-remoting-viewer
    CHR - plugin: Native Client (Enabled) = C:\Program Files\Google\Chrome\Application\22.0.1229.94\ppGoogleNaClPluginChrome.dll
    CHR - plugin: Chrome PDF Viewer (Enabled) = C:\Program Files\Google\Chrome\Application\22.0.1229.94\pdf.dll
    CHR - plugin: RealJukebox NS Plugin (Enabled) = C:\Program Files\Mozilla Firefox\plugins\nprjplug.dll
    CHR - plugin: Google Update (Enabled) = C:\Program Files\Google\Update\1.3.21.79\npGoogleUpdate3.dll
    CHR - plugin: Default Plug-in (Enabled) = default_plugin

    O1 HOSTS File: ([2013/01/27 10:53:51 | 000,000,027 | ---- | M]) - C:\Windows\System32\drivers\etc\hosts
    O1 - Hosts: 127.0.0.1 localhost
    O2 - BHO: (Adobe PDF Reader Link Helper) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
    O2 - BHO: (File Sanitizer for HP ProtectTools) - {3134413B-49B4-425C-98A5-893C1F195601} - C:\Program Files\Hewlett-Packard\File Sanitizer\IEBHO.dll (Hewlett-Packard)
    O2 - BHO: (Reg Error: Value error.) - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll (Siber Systems Inc.)
    O2 - BHO: (avast! WebRep) - {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll (AVAST Software)
    O3 - HKLM\..\Toolbar: (&RoboForm) - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll (Siber Systems Inc.)
    O3 - HKLM\..\Toolbar: (avast! WebRep) - {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll (AVAST Software)
    O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - No CLSID value found.
    O3 - HKCU\..\Toolbar\WebBrowser: (&RoboForm) - {724D43A0-0D85-11D4-9908-00400523E39A} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll (Siber Systems Inc.)
    O4 - HKLM..\Run: [avast] C:\Program Files\AVAST Software\Avast\avastUI.exe (AVAST Software)
    O4 - HKLM..\Run: [SysTrayApp] C:\Program Files\IDT\WDM\sttray.exe (IDT, Inc.)
    O4 - HKLM..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\realsched.exe (RealNetworks, Inc.)
    O4 - HKCU..\Run: [Exetender] C:\Program Files\Free Ride Games\GPlayer.exe (Exent Technologies Ltd.)
    O4 - HKCU..\Run: [HPAdvisorDock] C:\Program Files\Hewlett-Packard\HP Advisor\DOCK\HPAdvisorDock.exe ()
    O4 - HKCU..\Run: [RoboForm] C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe (Siber Systems)
    O4 - HKCU..\RunOnce: [FlashPlayerUpdate] C:\windows\System32\Macromed\Flash\FlashUtil32_11_4_402_278_Plugin.exe (Adobe Systems Incorporated)
    O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\InfoDelivery present
    O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\TabbedBrowsing present
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorUser = 3
    O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableLinkedConnections = 1
    O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
    O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
    O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: LogonHoursAction = 2
    O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DontDisplayLogonHoursWarnings = 1
    O9 - Extra Button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html ()
    O9 - Extra 'Tools' menuitem : Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html ()
    O9 - Extra Button: Save - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html ()
    O9 - Extra 'Tools' menuitem : Save Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html ()
    O9 - Extra Button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html ()
    O9 - Extra 'Tools' menuitem : RoboForm Toolbar - {724d43aa-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html ()
    O9 - Extra Button: @C:\Program Files\WIDCOMM\Bluetooth Software\btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm ()
    O9 - Extra 'Tools' menuitem : @C:\Program Files\WIDCOMM\Bluetooth Software\btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm ()
    O16 - DPF: {6A060448-60F9-11D5-A6CD-0002B31F7455} (ExentInf Class)
    O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} http://download.eset.com/special/eos/OnlineScanner.cab (OnlineScanner Control)
    O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab (Java Plug-in 1.6.0_26)
    O16 - DPF: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab (Java Plug-in 1.6.0_26)
    O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab (Java Plug-in 1.6.0_26)
    O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab (Reg Error: Key error.)
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.1 205.152.37.23
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{386C4CDF-B88A-4FB1-9A4D-51A5E7F17435}: DhcpNameServer = 192.168.1.1 205.152.37.23
    O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\windows\explorer.exe (Microsoft Corporation)
    O20 - HKLM Winlogon: UserInit - (C:\windows\system32\userinit.exe) - C:\Windows\System32\userinit.exe (Microsoft Corporation)
    O20 - HKLM Winlogon: VMApplet - (SystemPropertiesPerformance.exe) - C:\windows\System32\SystemPropertiesPerformance.exe (Microsoft Corporation)
    O32 - HKLM CDRom: AutoRun - 1
    O34 - HKLM BootExecute: (autocheck autochk *)
    O35 - HKLM\..comfile [open] -- "%1" %*
    O35 - HKLM\..exefile [open] -- "%1" %*
    O37 - HKLM\...com [@ = ComFile] -- "%1" %*
    O37 - HKLM\...exe [@ = exefile] -- "%1" %*
    O38 - SubSystems\\Windows: (ServerDll=winsrv:UserServerDllInitialization,3)
    O38 - SubSystems\\Windows: (ServerDll=winsrv:ConServerDllInitialization,2)
    O38 - SubSystems\\Windows: (ServerDll=sxssrv,4)

    ========== Files/Folders - Created Within 30 Days ==========

    [2013/01/27 18:41:48 | 000,000,000 | ---D | C] -- C:\windows\ERUNT
    [2013/01/27 18:41:20 | 000,000,000 | ---D | C] -- C:\JRT
    [2013/01/27 10:53:59 | 000,000,000 | ---D | C] -- C:\$RECYCLE.BIN
    [2013/01/27 10:19:25 | 000,518,144 | ---- | C] (SteelWerX) -- C:\windows\SWREG.exe
    [2013/01/27 10:19:25 | 000,406,528 | ---- | C] (SteelWerX) -- C:\windows\SWSC.exe
    [2013/01/27 10:19:25 | 000,060,416 | ---- | C] (NirSoft) -- C:\windows\NIRCMD.exe
    [2013/01/25 13:18:14 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes' Anti-Malware
    [2013/01/25 13:18:10 | 000,021,104 | ---- | C] (Malwarebytes Corporation) -- C:\windows\System32\drivers\mbam.sys
    [2013/01/25 13:18:09 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
    [2013/01/25 13:16:47 | 000,000,000 | ---D | C] -- C:\Users\Administrator\AppData\Local\Programs
    [2013/01/25 00:42:24 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Google Drive
    [2013/01/25 00:40:35 | 000,361,032 | ---- | C] (AVAST Software) -- C:\windows\System32\drivers\aswSP.sys
    [2013/01/25 00:40:35 | 000,021,256 | ---- | C] (AVAST Software) -- C:\windows\System32\drivers\aswFsBlk.sys
    [2013/01/25 00:40:35 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\avast! Free Antivirus
    [2013/01/25 00:40:32 | 000,044,784 | ---- | C] (AVAST Software) -- C:\windows\System32\drivers\aswRdr2.sys
    [2013/01/25 00:40:31 | 000,054,232 | ---- | C] (AVAST Software) -- C:\windows\System32\drivers\aswTdi.sys
    [2013/01/25 00:40:29 | 000,738,504 | ---- | C] (AVAST Software) -- C:\windows\System32\drivers\aswSnx.sys
    [2013/01/25 00:40:25 | 000,058,680 | ---- | C] (AVAST Software) -- C:\windows\System32\drivers\aswMonFlt.sys
    [2013/01/25 00:40:08 | 000,227,648 | ---- | C] (AVAST Software) -- C:\windows\System32\aswBoot.exe
    [2013/01/25 00:40:08 | 000,041,224 | ---- | C] (AVAST Software) -- C:\windows\avastSS.scr
    [2013/01/25 00:12:21 | 000,000,000 | ---D | C] -- C:\Users\Administrator\AppData\Roaming\Roxio
    [2013/01/20 03:31:20 | 000,000,000 | ---D | C] -- C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\NirSoft ProduKey
    [2013/01/20 03:31:20 | 000,000,000 | ---D | C] -- C:\Program Files\NirSoft
    [2013/01/18 18:32:32 | 000,000,000 | ---D | C] -- C:\Program Files\Mozilla Firefox

    ========== Files - Modified Within 30 Days ==========

    [2013/01/28 02:37:01 | 000,000,134 | RHS- | M] () -- C:\ProgramData\3002.xml
    [2013/01/28 02:36:57 | 000,011,904 | RHS- | M] () -- C:\ProgramData\3002.abs
    [2013/01/27 19:01:53 | 000,625,770 | ---- | M] () -- C:\windows\System32\perfh009.dat
    [2013/01/27 19:01:53 | 000,107,104 | ---- | M] () -- C:\windows\System32\perfc009.dat
    [2013/01/27 19:00:14 | 000,020,944 | -H-- | M] () -- C:\windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
    [2013/01/27 19:00:14 | 000,020,944 | -H-- | M] () -- C:\windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
    [2013/01/27 18:55:29 | 000,000,380 | -H-- | M] () -- C:\windows\tasks\CodecUpdaterTask{110261C5-0AD3-48E4-B17F-3631829EA6CD}.job
    [2013/01/27 18:55:15 | 000,017,920 | ---- | M] () -- C:\windows\System32\rpcnetp.exe
    [2013/01/27 18:55:13 | 000,058,288 | ---- | M] (Absolute Software Corp.) -- C:\windows\System32\rpcnet.dll
    [2013/01/27 18:55:02 | 000,067,584 | --S- | M] () -- C:\windows\bootstat.dat
    [2013/01/27 10:53:51 | 000,000,027 | ---- | M] () -- C:\windows\System32\drivers\etc\hosts
    [2013/01/25 13:18:14 | 000,001,067 | ---- | M] () -- C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
    [2013/01/25 00:40:35 | 000,002,111 | ---- | M] () -- C:\Users\Public\Desktop\avast! Free Antivirus.lnk
    [2013/01/25 00:40:25 | 000,000,000 | ---- | M] () -- C:\windows\System32\config.nt
    [2013/01/25 00:00:10 | 000,001,143 | ---- | M] () -- C:\Users\Administrator\Desktop\Windows Update Troubleshooting Info.lnk
    [2013/01/24 09:22:51 | 000,000,097 | ---- | M] () -- C:\Users\Administrator\AppData\Roaming\netstat.bat
    [2013/01/24 07:53:05 | 000,079,026 | ---- | M] () -- C:\Users\Administrator\Desktop\ScreenHunter_05 Jan. 24 07.53.jpg
    [2013/01/24 07:51:46 | 000,038,400 | ---- | M] () -- C:\Users\Administrator\Desktop\ScreenHunter_04 Jan. 24 07.51.jpg
    [2013/01/24 07:50:07 | 000,082,342 | ---- | M] () -- C:\Users\Administrator\Desktop\ScreenHunter_03 Jan. 24 07.50.jpg
    [2013/01/24 07:45:31 | 000,079,822 | ---- | M] () -- C:\Users\Administrator\Desktop\ScreenHunter_01 Jan. 24 07.45.jpg

    ========== Files Created - No Company Name ==========

    [2013/01/28 02:37:01 | 000,000,134 | RHS- | C] () -- C:\ProgramData\3002.xml
    [2013/01/28 02:36:57 | 000,011,904 | RHS- | C] () -- C:\ProgramData\3002.abs
    [2013/01/27 10:19:25 | 000,256,000 | ---- | C] () -- C:\windows\PEV.exe
    [2013/01/27 10:19:25 | 000,208,896 | ---- | C] () -- C:\windows\MBR.exe
    [2013/01/27 10:19:25 | 000,098,816 | ---- | C] () -- C:\windows\sed.exe
    [2013/01/27 10:19:25 | 000,080,412 | ---- | C] () -- C:\windows\grep.exe
    [2013/01/27 10:19:25 | 000,068,096 | ---- | C] () -- C:\windows\zip.exe
    [2013/01/25 13:18:14 | 000,001,067 | ---- | C] () -- C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
    [2013/01/25 00:40:35 | 000,002,111 | ---- | C] () -- C:\Users\Public\Desktop\avast! Free Antivirus.lnk
    [2013/01/25 00:00:10 | 000,001,143 | ---- | C] () -- C:\Users\Administrator\Desktop\Windows Update Troubleshooting Info.lnk
    [2013/01/24 09:22:51 | 000,000,097 | ---- | C] () -- C:\Users\Administrator\AppData\Roaming\netstat.bat
    [2013/01/24 07:53:05 | 000,079,026 | ---- | C] () -- C:\Users\Administrator\Desktop\ScreenHunter_05 Jan. 24 07.53.jpg
    [2013/01/24 07:51:46 | 000,038,400 | ---- | C] () -- C:\Users\Administrator\Desktop\ScreenHunter_04 Jan. 24 07.51.jpg
    [2013/01/24 07:50:07 | 000,082,342 | ---- | C] () -- C:\Users\Administrator\Desktop\ScreenHunter_03 Jan. 24 07.50.jpg
    [2013/01/24 07:45:31 | 000,079,822 | ---- | C] () -- C:\Users\Administrator\Desktop\ScreenHunter_01 Jan. 24 07.45.jpg
    [2012/12/22 05:55:11 | 000,000,064 | ---- | C] () -- C:\windows\GPlrLanc.dat
    [2012/09/30 14:17:02 | 000,000,093 | ---- | C] () -- C:\windows\cdplayer.ini
    [2012/01/11 01:19:20 | 000,000,632 | RHS- | C] () -- C:\Users\Administrator\ntuser.pol
    [2012/01/04 09:57:32 | 000,000,000 | ---- | C] () -- C:\Users\Administrator\AppData\Local\{ED17FFC8-1AF0-4A62-90D8-ADB0166B62E5}
    [2011/12/31 13:17:48 | 000,010,038 | -HS- | C] () -- C:\Users\Administrator\AppData\Local\241jxl51c761ou16p7enx0b527436d22e4026
    [2011/12/31 13:17:48 | 000,010,038 | -HS- | C] () -- C:\ProgramData\241jxl51c761ou16p7enx0b527436d22e4026
    [2011/12/17 23:43:40 | 000,010,564 | -HS- | C] () -- C:\Users\Administrator\AppData\Local\hmrekt1e5kjt3nis3lca3d425d6l
    [2011/12/17 23:43:40 | 000,010,564 | -HS- | C] () -- C:\ProgramData\hmrekt1e5kjt3nis3lca3d425d6l
    [2011/12/12 23:15:03 | 000,010,436 | -HS- | C] () -- C:\Users\Administrator\AppData\Local\d4qv67k1wy4qcw
    [2011/12/12 23:15:03 | 000,010,436 | -HS- | C] () -- C:\ProgramData\d4qv67k1wy4qcw
    [2011/11/06 00:49:44 | 000,000,178 | ---- | C] () -- C:\windows\System32\HPPA.ini
    [2011/10/27 07:33:16 | 000,002,910 | ---- | C] () -- C:\ProgramData\LUUnInstall.LiveUpdate
    [2011/09/29 10:30:10 | 000,080,416 | ---- | C] () -- C:\windows\System32\RtNicProp32.dll
    [2011/08/12 16:54:41 | 000,066,048 | ---- | C] () -- C:\windows\System32\PrintBrmUi.exe
    [2011/06/29 17:16:22 | 000,000,834 | RHS- | C] () -- C:\ProgramData\wcttemp.html
    [2011/06/29 17:16:22 | 000,000,016 | RHS- | C] () -- C:\ProgramData\wctreqid.sys

    ========== ZeroAccess Check ==========

    [2009/07/13 23:42:31 | 000,000,227 | RHS- | M] () -- C:\windows\assembly\Desktop.ini

    [HKEY_CURRENT_USER\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]

    [HKEY_CURRENT_USER\Software\Classes\clsid\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InProcServer32]

    [HKEY_LOCAL_MACHINE\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]
    "" = %SystemRoot%\system32\shell32.dll -- [2010/11/20 07:21:19 | 012,872,192 | ---- | M] (Microsoft Corporation)
    "ThreadingModel" = Apartment

    [HKEY_LOCAL_MACHINE\Software\Classes\clsid\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InProcServer32]
    "" = %systemroot%\system32\wbem\fastprox.dll -- [2010/11/20 07:19:02 | 000,606,208 | ---- | M] (Microsoft Corporation)
    "ThreadingModel" = Free

    [HKEY_LOCAL_MACHINE\Software\Classes\clsid\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}\InProcServer32]
    "" = %systemroot%\system32\wbem\wbemess.dll -- [2009/07/13 20:16:17 | 000,342,528 | ---- | M] (Microsoft Corporation)
    "ThreadingModel" = Both

    ========== LOP Check ==========

    [2012/11/06 16:52:46 | 000,000,000 | ---D | M] -- C:\Users\Administrator\AppData\Roaming\F__PlatinumHideIP.exe
    [2012/10/05 02:51:44 | 000,000,000 | ---D | M] -- C:\Users\Administrator\AppData\Roaming\GetRightToGo
    [2012/11/06 16:31:57 | 000,000,000 | ---D | M] -- C:\Users\Administrator\AppData\Roaming\PlatinumHideIP
    [2011/12/15 09:02:42 | 000,000,000 | ---D | M] -- C:\Users\Administrator\AppData\Roaming\TuneUp Software
    [2012/02/13 11:13:12 | 000,000,000 | ---D | M] -- C:\Users\Administrator\AppData\Roaming\uTorrent
    [2012/10/28 13:12:59 | 000,000,000 | ---D | M] -- C:\Users\Administrator\AppData\Roaming\WSOP-USA.com

    ========== Purity Check ==========



    ========== Alternate Data Streams ==========

    @Alternate Data Stream - 81 bytes -> C:\Program Files\Lock Poker:MID

    < End of report >
  6. Jay Pfoutz

    Jay Pfoutz Malware Helper Posts: 4,286   +49

    OTL Fix

    Please run OTL
    • Under the Custom Scans/Fixes box at the bottom, copy and paste in the following:

    • Then click the Run Fix button at the top.
    • Note: The fix for OTL automatically hides your Desktop and Start menu so the fix can be completed. Do not be alerted, as this is normal.
    • Please do not exit the program. It might take a while to fix, but allow it to run. If it asks to reboot the computer, allow it to reboot. If the program freezes, and the computer fails to reboot - let me know.
      Lastly, post the contents of the log. (Located at C:\_OTL\Moved Files)


    ESET Online Scan

    Please run a free online scan with the ESET Online Scanner
    • Tick the box next to YES, I accept the Terms of Use
    • Click Start
    • When asked, allow the ActiveX control to install, or it will ask to download an installer. Please do so and install it.
    • Click Start or wait for the scanner to load.
    • Make sure that the options Remove found threats and the option Scan unwanted applications are checked.
    • Click Scan (This scan can take several hours, so please be patient)
    • Once the scan is completed, there are a couple of things to keep in mind:
    • 1. If NO threats were found, allow the scanner to Uninstall on close and then close the Window.
    • 2. If threats WERE detected, click on List of Threats Found, Export to Text File...save it as ESET-Scan-Log.txt. Click the back button/link, put a checkmark to Uninstall Application on Close and then close the window.
    • Open the logfile from wherever you saved it
    • Copy and paste the contents in your next reply.


    Any more issues?

    We need to know any other issues that are plaguing your computer. Kindly give a summary so we know how to continue from here.

    Many of the things to note for us would be:

    • Slow computer
    • Error messages
    • Fake antivirus alerts or the icon in the system tray
    • svchost.exe running at 100%
    • System crashes or blue screen of death

    Note: Absence of issues does not mean that you're protected in the future.
  7. cableman

    cableman TechSpot Enthusiast Topic Starter Posts: 173

    I have completed the last set of instructions you left for me and included the logs. Looks like there are still a lot of issues with this laptop. Are we getting it cleaned up or is it so bad that a Windows re-install might be an option to look at? I have never had a computer get so much malware on it. I let my sister talk me into putting Vipre anti-virus on here and it seems around that time is when I started having all the problems. I usually use the free version of Avast and put Avast back on here after trying the Vipre, but the damage had been done by then. If I can get this computer straightened out I am seriously considering buying Bit Defender, it seems to come highly recommended on reviews.

    All processes killed
    ========== OTL ==========
    Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{CC2821C3-AC0C-4CC0-8B5D-BA449A67F36D}\ deleted successfully.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CC2821C3-AC0C-4CC0-8B5D-BA449A67F36D}\ not found.
    Registry value HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\\LogonHoursAction deleted successfully.
    Registry value HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\\DontDisplayLogonHoursWarnings deleted successfully.
    Starting removal of ActiveX control {8AD9C840-044E-11D1-B3E9-00805F499D93}
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{8AD9C840-044E-11D1-B3E9-00805F499D93}\ deleted successfully.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8AD9C840-044E-11D1-B3E9-00805F499D93}\ deleted successfully.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{8AD9C840-044E-11D1-B3E9-00805F499D93}\ not found.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8AD9C840-044E-11D1-B3E9-00805F499D93}\ not found.
    Starting removal of ActiveX control {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA}
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA}\ deleted successfully.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA}\ deleted successfully.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA}\ not found.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA}\ not found.
    Starting removal of ActiveX control {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA}
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA}\ deleted successfully.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA}\ deleted successfully.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA}\ not found.
    Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA}\ not found.
    C:\Users\Administrator\AppData\Local\241jxl51c761ou16p7enx0b527436d22e4026 moved successfully.
    C:\ProgramData\241jxl51c761ou16p7enx0b527436d22e4026 moved successfully.
    C:\Users\Administrator\AppData\Local\hmrekt1e5kjt3nis3lca3d425d6l moved successfully.
    C:\ProgramData\hmrekt1e5kjt3nis3lca3d425d6l moved successfully.
    C:\Users\Administrator\AppData\Local\d4qv67k1wy4qcw moved successfully.
    C:\ProgramData\d4qv67k1wy4qcw moved successfully.
    C:\Users\Administrator\AppData\Roaming\WSOP-USA.com\Utils folder moved successfully.
    C:\Users\Administrator\AppData\Roaming\WSOP-USA.com\Update folder moved successfully.
    C:\Users\Administrator\AppData\Roaming\WSOP-USA.com\TournamentLobby folder moved successfully.
    C:\Users\Administrator\AppData\Roaming\WSOP-USA.com\TeamsLobby\Media folder moved successfully.
    C:\Users\Administrator\AppData\Roaming\WSOP-USA.com\TeamsLobby folder moved successfully.
    C:\Users\Administrator\AppData\Roaming\WSOP-USA.com\Settings\media folder moved successfully.
    C:\Users\Administrator\AppData\Roaming\WSOP-USA.com\Settings folder moved successfully.
    C:\Users\Administrator\AppData\Roaming\WSOP-USA.com\PokerLobby\Media\PrivateGames folder moved successfully.
    C:\Users\Administrator\AppData\Roaming\WSOP-USA.com\PokerLobby\Media\Icons folder moved successfully.
    C:\Users\Administrator\AppData\Roaming\WSOP-USA.com\PokerLobby\Media folder moved successfully.
    C:\Users\Administrator\AppData\Roaming\WSOP-USA.com\PokerLobby folder moved successfully.
    C:\Users\Administrator\AppData\Roaming\WSOP-USA.com\PokerEx\media\Themes\Theme9 folder moved successfully.
    C:\Users\Administrator\AppData\Roaming\WSOP-USA.com\PokerEx\media\Themes\Theme8 folder moved successfully.
    C:\Users\Administrator\AppData\Roaming\WSOP-USA.com\PokerEx\media\Themes\Theme7 folder moved successfully.
    C:\Users\Administrator\AppData\Roaming\WSOP-USA.com\PokerEx\media\Themes\Theme6 folder moved successfully.
    C:\Users\Administrator\AppData\Roaming\WSOP-USA.com\PokerEx\media\Themes\Theme5 folder moved successfully.
    C:\Users\Administrator\AppData\Roaming\WSOP-USA.com\PokerEx\media\Themes\Theme4 folder moved successfully.
    C:\Users\Administrator\AppData\Roaming\WSOP-USA.com\PokerEx\media\Themes\Theme3\History folder moved successfully.
    C:\Users\Administrator\AppData\Roaming\WSOP-USA.com\PokerEx\media\Themes\Theme3 folder moved successfully.
    C:\Users\Administrator\AppData\Roaming\WSOP-USA.com\PokerEx\media\Themes\Theme2\History folder moved successfully.
    C:\Users\Administrator\AppData\Roaming\WSOP-USA.com\PokerEx\media\Themes\Theme2 folder moved successfully.
    C:\Users\Administrator\AppData\Roaming\WSOP-USA.com\PokerEx\media\Themes\Theme10 folder moved successfully.
    C:\Users\Administrator\AppData\Roaming\WSOP-USA.com\PokerEx\media\Themes\Theme1\History folder moved successfully.
    C:\Users\Administrator\AppData\Roaming\WSOP-USA.com\PokerEx\media\Themes\Theme1 folder moved successfully.
    C:\Users\Administrator\AppData\Roaming\WSOP-USA.com\PokerEx\media\Themes folder moved successfully.
    C:\Users\Administrator\AppData\Roaming\WSOP-USA.com\PokerEx\media\Decks\Deck4 folder moved successfully.
    C:\Users\Administrator\AppData\Roaming\WSOP-USA.com\PokerEx\media\Decks\Deck3 folder moved successfully.
    C:\Users\Administrator\AppData\Roaming\WSOP-USA.com\PokerEx\media\Decks\Deck2 folder moved successfully.
    C:\Users\Administrator\AppData\Roaming\WSOP-USA.com\PokerEx\media\Decks\Deck1 folder moved successfully.
    C:\Users\Administrator\AppData\Roaming\WSOP-USA.com\PokerEx\media\Decks\BackDeck9 folder moved successfully.
    C:\Users\Administrator\AppData\Roaming\WSOP-USA.com\PokerEx\media\Decks\BackDeck8 folder moved successfully.
    C:\Users\Administrator\AppData\Roaming\WSOP-USA.com\PokerEx\media\Decks\BackDeck7 folder moved successfully.
    C:\Users\Administrator\AppData\Roaming\WSOP-USA.com\PokerEx\media\Decks\BackDeck6 folder moved successfully.
    C:\Users\Administrator\AppData\Roaming\WSOP-USA.com\PokerEx\media\Decks\BackDeck5 folder moved successfully.
    C:\Users\Administrator\AppData\Roaming\WSOP-USA.com\PokerEx\media\Decks\BackDeck4 folder moved successfully.
    C:\Users\Administrator\AppData\Roaming\WSOP-USA.com\PokerEx\media\Decks\BackDeck3 folder moved successfully.
    C:\Users\Administrator\AppData\Roaming\WSOP-USA.com\PokerEx\media\Decks\BackDeck2 folder moved successfully.
    C:\Users\Administrator\AppData\Roaming\WSOP-USA.com\PokerEx\media\Decks\BackDeck10 folder moved successfully.
    C:\Users\Administrator\AppData\Roaming\WSOP-USA.com\PokerEx\media\Decks\BackDeck1 folder moved successfully.
    C:\Users\Administrator\AppData\Roaming\WSOP-USA.com\PokerEx\media\Decks folder moved successfully.
    C:\Users\Administrator\AppData\Roaming\WSOP-USA.com\PokerEx\media folder moved successfully.
    C:\Users\Administrator\AppData\Roaming\WSOP-USA.com\PokerEx folder moved successfully.
    C:\Users\Administrator\AppData\Roaming\WSOP-USA.com\Poker\media\ThrowStuff folder moved successfully.
    C:\Users\Administrator\AppData\Roaming\WSOP-USA.com\Poker\media\Themes\Theme0\History folder moved successfully.
    C:\Users\Administrator\AppData\Roaming\WSOP-USA.com\Poker\media\Themes\Theme0 folder moved successfully.
    C:\Users\Administrator\AppData\Roaming\WSOP-USA.com\Poker\media\Themes\History folder moved successfully.
    C:\Users\Administrator\AppData\Roaming\WSOP-USA.com\Poker\media\Themes folder moved successfully.
    C:\Users\Administrator\AppData\Roaming\WSOP-USA.com\Poker\media\Teams folder moved successfully.
    C:\Users\Administrator\AppData\Roaming\WSOP-USA.com\Poker\media\NotesIcons folder moved successfully.
    C:\Users\Administrator\AppData\Roaming\WSOP-USA.com\Poker\media\Logos\Logo1 folder moved successfully.
    C:\Users\Administrator\AppData\Roaming\WSOP-USA.com\Poker\media\Logos\Logo0 folder moved successfully.
    C:\Users\Administrator\AppData\Roaming\WSOP-USA.com\Poker\media\Logos\History folder moved successfully.
    C:\Users\Administrator\AppData\Roaming\WSOP-USA.com\Poker\media\Logos folder moved successfully.
    C:\Users\Administrator\AppData\Roaming\WSOP-USA.com\Poker\media\Decks\Deck0 folder moved successfully.
    C:\Users\Administrator\AppData\Roaming\WSOP-USA.com\Poker\media\Decks\BackDeck0 folder moved successfully.
    C:\Users\Administrator\AppData\Roaming\WSOP-USA.com\Poker\media\Decks folder moved successfully.
    C:\Users\Administrator\AppData\Roaming\WSOP-USA.com\Poker\media\Chips\6 folder moved successfully.
    C:\Users\Administrator\AppData\Roaming\WSOP-USA.com\Poker\media\Chips\5 folder moved successfully.
    C:\Users\Administrator\AppData\Roaming\WSOP-USA.com\Poker\media\Chips\4 folder moved successfully.
    C:\Users\Administrator\AppData\Roaming\WSOP-USA.com\Poker\media\Chips\3 folder moved successfully.
    C:\Users\Administrator\AppData\Roaming\WSOP-USA.com\Poker\media\Chips\2 folder moved successfully.
    C:\Users\Administrator\AppData\Roaming\WSOP-USA.com\Poker\media\Chips\1 folder moved successfully.
    C:\Users\Administrator\AppData\Roaming\WSOP-USA.com\Poker\media\Chips\0 folder moved successfully.
    C:\Users\Administrator\AppData\Roaming\WSOP-USA.com\Poker\media\Chips folder moved successfully.
    C:\Users\Administrator\AppData\Roaming\WSOP-USA.com\Poker\media\ChatGestures folder moved successfully.
    C:\Users\Administrator\AppData\Roaming\WSOP-USA.com\Poker\media\Chat\Gestures folder moved successfully.
    C:\Users\Administrator\AppData\Roaming\WSOP-USA.com\Poker\media\Chat\Emoticons\ChatSet1 folder moved successfully.
    C:\Users\Administrator\AppData\Roaming\WSOP-USA.com\Poker\media\Chat\Emoticons\ChatSet0 folder moved successfully.
    C:\Users\Administrator\AppData\Roaming\WSOP-USA.com\Poker\media\Chat\Emoticons\CalloutSet1 folder moved successfully.
    C:\Users\Administrator\AppData\Roaming\WSOP-USA.com\Poker\media\Chat\Emoticons\CalloutSet0 folder moved successfully.
    C:\Users\Administrator\AppData\Roaming\WSOP-USA.com\Poker\media\Chat\Emoticons folder moved successfully.
    C:\Users\Administrator\AppData\Roaming\WSOP-USA.com\Poker\media\Chat folder moved successfully.
    C:\Users\Administrator\AppData\Roaming\WSOP-USA.com\Poker\media\Avatars\Zodiac folder moved successfully.
    C:\Users\Administrator\AppData\Roaming\WSOP-USA.com\Poker\media\Avatars\Sport folder moved successfully.
    C:\Users\Administrator\AppData\Roaming\WSOP-USA.com\Poker\media\Avatars\Marvel folder moved successfully.
    C:\Users\Administrator\AppData\Roaming\WSOP-USA.com\Poker\media\Avatars\LuckySymbols folder moved successfully.
    C:\Users\Administrator\AppData\Roaming\WSOP-USA.com\Poker\media\Avatars\Holidays folder moved successfully.
    C:\Users\Administrator\AppData\Roaming\WSOP-USA.com\Poker\media\Avatars\Flags folder moved successfully.
    C:\Users\Administrator\AppData\Roaming\WSOP-USA.com\Poker\media\Avatars\Characters folder moved successfully.
    C:\Users\Administrator\AppData\Roaming\WSOP-USA.com\Poker\media\Avatars\Avatars folder moved successfully.
    C:\Users\Administrator\AppData\Roaming\WSOP-USA.com\Poker\media\Avatars folder moved successfully.
    C:\Users\Administrator\AppData\Roaming\WSOP-USA.com\Poker\media folder moved successfully.
    C:\Users\Administrator\AppData\Roaming\WSOP-USA.com\Poker folder moved successfully.
    C:\Users\Administrator\AppData\Roaming\WSOP-USA.com\NoFlash folder moved successfully.
    C:\Users\Administrator\AppData\Roaming\WSOP-USA.com\media folder moved successfully.
    C:\Users\Administrator\AppData\Roaming\WSOP-USA.com\Login\media folder moved successfully.
    C:\Users\Administrator\AppData\Roaming\WSOP-USA.com\Login folder moved successfully.
    C:\Users\Administrator\AppData\Roaming\WSOP-USA.com\Lang\0\Localization folder moved successfully.
    C:\Users\Administrator\AppData\Roaming\WSOP-USA.com\Lang\0\Config folder moved successfully.
    C:\Users\Administrator\AppData\Roaming\WSOP-USA.com\Lang\0 folder moved successfully.
    C:\Users\Administrator\AppData\Roaming\WSOP-USA.com\Lang folder moved successfully.
    C:\Users\Administrator\AppData\Roaming\WSOP-USA.com\Icons folder moved successfully.
    C:\Users\Administrator\AppData\Roaming\WSOP-USA.com\HandHistory folder moved successfully.
    C:\Users\Administrator\AppData\Roaming\WSOP-USA.com\GameHistory\media folder moved successfully.
    C:\Users\Administrator\AppData\Roaming\WSOP-USA.com\GameHistory folder moved successfully.
    C:\Users\Administrator\AppData\Roaming\WSOP-USA.com\GameHist\media folder moved successfully.
    C:\Users\Administrator\AppData\Roaming\WSOP-USA.com\GameHist folder moved successfully.
    C:\Users\Administrator\AppData\Roaming\WSOP-USA.com\Fonts folder moved successfully.
    C:\Users\Administrator\AppData\Roaming\WSOP-USA.com\Chat folder moved successfully.
    C:\Users\Administrator\AppData\Roaming\WSOP-USA.com\Cash\media folder moved successfully.
    C:\Users\Administrator\AppData\Roaming\WSOP-USA.com\Cash folder moved successfully.
    C:\Users\Administrator\AppData\Roaming\WSOP-USA.com\Brand folder moved successfully.
    C:\Users\Administrator\AppData\Roaming\WSOP-USA.com folder moved successfully.
    ADS C:\Program Files\Lock Poker:MID deleted successfully.
    ========== FILES ==========
    < ipconfig /flushdns /c >
    Windows IP Configuration
    Successfully flushed the DNS Resolver Cache.
    C:\Users\Administrator\Downloads\cmd.bat deleted successfully.
    C:\Users\Administrator\Downloads\cmd.txt deleted successfully.
    ========== COMMANDS ==========

    [EMPTYTEMP]

    User: Administrator
    ->Temp folder emptied: 115440 bytes
    ->Temporary Internet Files folder emptied: 1443809 bytes
    ->Java cache emptied: 0 bytes
    ->FireFox cache emptied: 135604463 bytes
    ->Google Chrome cache emptied: 7244992 bytes
    ->Flash cache emptied: 5232 bytes

    User: All Users

    User: Default
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes
    ->Flash cache emptied: 0 bytes

    User: Default User
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes
    ->Flash cache emptied: 0 bytes

    User: Public
    ->Temp folder emptied: 0 bytes

    User: user
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes
    ->Flash cache emptied: 0 bytes

    %systemdrive% .tmp files removed: 0 bytes
    %systemroot% .tmp files removed: 0 bytes
    %systemroot%\System32 .tmp files removed: 0 bytes
    %systemroot%\System32\drivers .tmp files removed: 0 bytes
    Windows Temp folder emptied: 65748 bytes
    %systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 0 bytes
    RecycleBin emptied: 23325198 bytes

    Total Files Cleaned = 160.00 mb


    OTL by OldTimer - Version 3.2.69.0 log created on 01302013_194845

    Files\Folders moved on Reboot...
    File move failed. C:\windows\temp\_avast_\Webshlock.txt scheduled to be moved on reboot.

    PendingFileRenameOperations files...

    Registry entries deleted on Reboot...


    C:\Documents and Settings\Administrator\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extensions\fmifdfijfmaaodfgbdkcmbmonhehmjdg\3_0\505d44cb545401348289739.js Win32/Adware.MultiPlug.H application
    C:\Documents and Settings\Administrator\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extensions\fmifdfijfmaaodfgbdkcmbmonhehmjdg\3_0\505d44cb545401348289739.js Win32/Adware.MultiPlug.H application
    C:\Documents and Settings\Administrator\AppData\Local\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extensions\fmifdfijfmaaodfgbdkcmbmonhehmjdg\3_0\505d44cb545401348289739.js Win32/Adware.MultiPlug.H application
    C:\Documents and Settings\Administrator\AppData\Local\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extensions\fmifdfijfmaaodfgbdkcmbmonhehmjdg\3_0\505d44cb545401348289739.js Win32/Adware.MultiPlug.H application
    C:\Documents and Settings\Administrator\AppData\Local\Application Data\Application Data\Google\Chrome\User Data\Default\Extensions\fmifdfijfmaaodfgbdkcmbmonhehmjdg\3_0\505d44cb545401348289739.js Win32/Adware.MultiPlug.H application
    C:\Documents and Settings\Administrator\AppData\Local\Application Data\Google\Chrome\User Data\Default\Extensions\fmifdfijfmaaodfgbdkcmbmonhehmjdg\3_0\505d44cb545401348289739.js Win32/Adware.MultiPlug.H application
    C:\Documents and Settings\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\fmifdfijfmaaodfgbdkcmbmonhehmjdg\3_0\505d44cb545401348289739.js Win32/Adware.MultiPlug.H application
    C:\Users\Administrator\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extensions\fmifdfijfmaaodfgbdkcmbmonhehmjdg\3_0\505d44cb545401348289739.js Win32/Adware.MultiPlug.H application
    C:\Users\Administrator\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extensions\fmifdfijfmaaodfgbdkcmbmonhehmjdg\3_0\505d44cb545401348289739.js Win32/Adware.MultiPlug.H application
    C:\Users\Administrator\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extensions\fmifdfijfmaaodfgbdkcmbmonhehmjdg\3_0\505d44cb545401348289739.js Win32/Adware.MultiPlug.H application
    C:\Users\Administrator\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extensions\fmifdfijfmaaodfgbdkcmbmonhehmjdg\3_0\505d44cb545401348289739.js Win32/Adware.MultiPlug.H application
    C:\Users\Administrator\AppData\Local\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extensions\fmifdfijfmaaodfgbdkcmbmonhehmjdg\3_0\505d44cb545401348289739.js Win32/Adware.MultiPlug.H application
    C:\Users\Administrator\AppData\Local\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extensions\fmifdfijfmaaodfgbdkcmbmonhehmjdg\3_0\505d44cb545401348289739.js Win32/Adware.MultiPlug.H application
    C:\Users\Administrator\AppData\Local\Application Data\Application Data\Google\Chrome\User Data\Default\Extensions\fmifdfijfmaaodfgbdkcmbmonhehmjdg\3_0\505d44cb545401348289739.js Win32/Adware.MultiPlug.H application
    C:\Users\Administrator\AppData\Local\Application Data\Google\Chrome\User Data\Default\Extensions\fmifdfijfmaaodfgbdkcmbmonhehmjdg\3_0\505d44cb545401348289739.js Win32/Adware.MultiPlug.H application
    C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\fmifdfijfmaaodfgbdkcmbmonhehmjdg\3_0\505d44cb545401348289739.js Win32/Adware.MultiPlug.H application
    C:\Users\Administrator\Downloads\CPP-ProductKeyFinder.exe Win32/OpenCandy application
    C:\Users\Administrator\Downloads\produkey_setup.exe a variant of Win32/PSWTool.ProductKey application
    C:\Documents and Settings\Administrator\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extensions\fmifdfijfmaaodfgbdkcmbmonhehmjdg\3_0\505d44cb545401348289739.js Win32/Adware.MultiPlug.H application cleaned by deleting - quarantined
    C:\Documents and Settings\Administrator\Downloads\CPP-ProductKeyFinder.exe Win32/OpenCandy application cleaned by deleting - quarantined
    C:\Documents and Settings\Administrator\Downloads\produkey_setup.exe a variant of Win32/PSWTool.ProductKey application cleaned by deleting - quarantined
    C:\Program Files\NirSoft\ProduKey\ProduKey.exe a variant of Win32/PSWTool.ProductKey application cleaned by deleting - quarantined
    C:\Qoobox\Quarantine\C\Program Files\Coupon Companion Plugin\CoUPon companion plugin.dll.vir a variant of Win32/Toolbar.CrossRider.A application cleaned by deleting - quarantined
  8. Jay Pfoutz

    Jay Pfoutz Malware Helper Posts: 4,286   +49

    We'll get it....

    Hitman Pro

    Please download Hitman Pro

    • After the download completes please double click the program to run it.
    • Accept the terms of the license agreement and click Next
    • Let the scan run. It will not take long
    • When the scan finishes, and all the files have been uploaded to the Scan Cloud, click Next
    • Click Next again. At the bottom left you will see Export Scan Results To XML File. Click that and save it in a convenient location
    • Upload log.xml here for review please


    Kaspersky Virus Removal Tool

    The Kaspersky Virus Removal Tool is a scan-and-remove solution from Kaspersky that searches out the most common malware and attempts to remove it from your computer.

    Please download the Kaspersky Virus Removal Tool from Kaspersky's Official Link and save it to your Desktop.

    • Double-click the Setup file to install it on your computer.
    • Once it has installed, review and accept the agreement and press the Start button.
    • You will be presented with the main interface, but don't scan yet; click the options tab (gear icon):
    • On the Scan Scope tab, make sure to checkmark all the options, except for the CD/DVD drive:
    • On the Security Level tab, make sure to move the slider up denoting "Current Security Level: High":
    • Now, go back to the Automatic Scan tab, and choose "Start Scanning". It may take several hours to complete. Please allow it to do so.
    • Once done scanning, choose the Report tab (page icon), select Detected Threats tab on left, and choose Disinfect All:
    • Then, choose Save. Also, in the Automatic Report tab, select Save:
    • Please post the reports in your next reply.
    • Once you exit, the tool should uninstall automatically.
  9. Jay Pfoutz

    Jay Pfoutz Malware Helper Posts: 4,286   +49

    How is this going so far?
  10. cableman

    cableman TechSpot Enthusiast Topic Starter Posts: 173

    Sorry, got swamped. I will reply quickly now. I hope I didn't get this log wrong. I have been careful to do them just like you ask, but this Hitman Pro saved the log differently before I got the chance to save it in .xml format. I did not have any option other than to post this or redo the whole thing. I thought you should know what happened because if I had redone it then the log would have been different than this one (I think). Anyway, instead of chancing more mistakes, I posted the results so far so you can instruct me as to how to proceed. The Kaspersky log should be as you asked.


    Code:
    HitmanPro 3.7.1.186
    www.hitmanpro.com
    
       Computer name . . . . : USER-HP
       Windows . . . . . . . : 6.1.1.7601.X86/2
       User name . . . . . . : user-HP\Administrator
       UAC . . . . . . . . . : Disabled
       License . . . . . . . : Free
    
       Scan date . . . . . . : 2013-02-02 21:25:08
       Scan mode . . . . . . : Normal
       Scan duration . . . . : 2m 6s
       Disk access mode  . . : Direct disk access (SRB)
       Cloud . . . . . . . . : Internet
       Reboot  . . . . . . . : No
    
       Threats . . . . . . . : 0
       Traces  . . . . . . . : 70
    
       Objects scanned . . . : 1,123,679
       Files scanned . . . . : 14,568
       Remnants scanned  . . : 395,161 files / 713,950 keys
    
    Potential Unwanted Programs _________________________________________________
    
       HKLM\SOFTWARE\Classes\CLSID\{22222222-2222-2222-2222-220022042235}\ (Premiumplay)
       HKLM\SOFTWARE\Classes\Interface\{66666666-6666-6666-6666-660066046635}\ (Premiumplay)
    
    Cookies _____________________________________________________________________
    
       C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Cookies:ad.360yield.com
       C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Cookies:ad.yieldmanager.com
       C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Cookies:adbrite.com
       C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Cookies:ads.cineble.com
       C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Cookies:ads.cinemaden.com
       C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Cookies:ads.redorbit.com
       C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Cookies:ads.undertone.com
       C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Cookies:advertising.com
       C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Cookies:apmebf.com
       C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Cookies:atdmt.com
       C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Cookies:burstnet.com
       C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Cookies:casalemedia.com
       C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Cookies:collective-media.net
       C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Cookies:doubleclick.net
       C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Cookies:fastclick.net
       C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Cookies:invitemedia.com
       C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Cookies:media6degrees.com
       C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Cookies:network.realmedia.com
       C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Cookies:realmedia.com
       C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Cookies:revsci.net
       C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Cookies:specificclick.net
       C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Cookies:tribalfusion.com
       C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Cookies:yieldmanager.net
       C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Cookies:zedo.com
       C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Cookies\1LA2KXED.txt
       C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Cookies\1O3QMYRG.txt
       C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Cookies\38IQTUCT.txt
       C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Cookies\49HE2ZLA.txt
       C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Cookies\4S6B44OW.txt
       C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Cookies\9DY949X3.txt
       C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Cookies\9W88P3R3.txt
       C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Cookies\AAPCEYB2.txt
       C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Cookies\AKRCI8VE.txt
       C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Cookies\ANNTSDFS.txt
       C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Cookies\AR8M9WSQ.txt
       C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Cookies\AV0RPULD.txt
       C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Cookies\BI81VZHX.txt
       C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Cookies\BL1F66UY.txt
       C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Cookies\BZTQSWM0.txt
       C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Cookies\C79U7J6O.txt
       C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Cookies\CFNS3U40.txt
       C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Cookies\E5MRDH0V.txt
       C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Cookies\F7U79CVB.txt
       C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Cookies\GFCE1LDD.txt
       C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Cookies\I9KXK8LM.txt
       C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Cookies\MXLDDJOA.txt
       C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Cookies\O34IPFO9.txt
       C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Cookies\OSMA60VR.txt
       C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Cookies\P9BP3IHX.txt
       C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Cookies\PAL4VCAJ.txt
       C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Cookies\TAAE2R6M.txt
       C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Cookies\TU1L1C9D.txt
       C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Cookies\UJL7IA08.txt
       C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Cookies\VB2DA3CK.txt
       C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Cookies\Y5K133DT.txt
       C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Cookies\YDO68RNC.txt
       C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Cookies\ZZICUKD4.txt
       C:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\xibtwus7.default\cookies.sqlite:2o7.net
       C:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\xibtwus7.default\cookies.sqlite:ad.yieldmanager.com
       C:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\xibtwus7.default\cookies.sqlite:doubleclick.net
       C:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\xibtwus7.default\cookies.sqlite:eset.122.2o7.net
       C:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\xibtwus7.default\cookies.sqlite:invitemedia.com
       C:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\xibtwus7.default\cookies.sqlite:paypal.112.2o7.net
       C:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\xibtwus7.default\cookies.sqlite:stat.onestat.com
       C:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\xibtwus7.default\cookies.sqlite:statcounter.com
       C:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\xibtwus7.default\cookies.sqlite:stats.paypal.com
       C:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\xibtwus7.default\cookies.sqlite:statse.webtrendslive.com
       C:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\xibtwus7.default\cookies.sqlite:yadro.ru
    
    
    

    Status: Vulnerability (events: 8)
    2/2/2013 10:14:53 PM Vulnerability vulnerability http://www.securelist.com/en/advisories/43269 C:\Program Files\Adobe\Reader 8.0\Reader\AcroRd32.dll Low
    2/2/2013 10:25:58 PM Vulnerability vulnerability http://www.securelist.com/en/advisories/50949 C:\Program Files\Java\jre6\bin\java.exe Low
    2/2/2013 11:14:57 PM Vulnerability vulnerability http://www.securelist.com/en/advisories/0 C:\Windows\System32\msxml4.dll Low
    2/2/2013 11:15:19 PM Vulnerability vulnerability http://www.securelist.com/en/advisories/51090 C:\Windows\System32\Adobe\Shockwave 11\SwInit.exe Low
    2/2/2013 11:28:29 PM Vulnerability vulnerability http://www.securelist.com/en/advisories/51771 C:\Windows\System32\Macromed\Flash\NPSWF32_11_4_402_278.dll Low
    2/2/2013 11:43:43 PM Vulnerability vulnerability http://www.securelist.com/en/advisories/51226 c:\Program Files\QuickTime\QuickTimePlayer.exe Low
    2/2/2013 11:49:15 PM Vulnerability vulnerability http://www.securelist.com/en/advisories/51771 c:\Windows\System32\Macromed\Flash\NPSWF32_11_4_402_278.dll Low
    2/2/2013 11:49:16 PM Vulnerability vulnerability http://www.securelist.com/en/advisories/0 c:\Windows\System32\msxml4.dll Low
  11. Jay Pfoutz

    Jay Pfoutz Malware Helper Posts: 4,286   +49

    Any more issues?

    We need to know any other issues that are plaguing your computer. Kindly give a summary so we know how to continue from here.

    Many of the things to note for us would be:

    • Slow computer
    • Error messages
    • Fake antivirus alerts or the icon in the system tray
    • svchost.exe running at 100%
    • System crashes or blue screen of death

    Note: Absence of issues does not mean that you're protected in the future.
  12. cableman

    cableman TechSpot Enthusiast Topic Starter Posts: 173

    I haven't been using this laptop much while we have been working on it because I didn't want to interfere with any logs or fixes. I have used it to stream some video and have observed its behavior while working on it. The computer is as fast as normal with no apparent problems other than a pop up that shows up when I reboot. The message says "Invalid or missing resource files in the installation directory. Please reinstall Extender Player". This could be associated with a game that tried to install on my computer that I stopped and wanted cleaned out, but I didn't want to start making changes and deleting things while we were working on it. I have a shortcut on my desktop to "more free games" which I do not want. I was going to try and delete this completely and fix the popup. If you have any instructions as to this or any more instructions as to cleaning any remaining malware out, I am ready. Everything else checks out ok, no system crashes. No fake alerts or icons.
  13. Jay Pfoutz

    Jay Pfoutz Malware Helper Posts: 4,286   +49

    That popup can be ceased on boot...

    SystemLook x86 scan

    Please download SystemLook from one of the links below and save it to your Desktop.
    Download Mirror #1
    Download Mirror #2
    • Double-click SystemLook.exe to run it.
    • Copy the content of the following codebox into the main textfield:
    • Click the Look button to start the scan.
    • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
    Note: The log can also be found on your Desktop entitled SystemLook.txt
  14. cableman

    cableman TechSpot Enthusiast Topic Starter Posts: 173

    Doesn't look like much in the way of results. Did it just like you asked. Log results of system look:


    SystemLook 30.07.11 by jpshortstuff
    Log created at 17:05 on 04/02/2013 by Administrator
    Administrator - Elevation successful

    ========== regfind ==========

    Searching for "Extender Player"
    No data found.

    Searching for ""Extender Player""
    No data found.

    -= EOF =-
  15. Jay Pfoutz

    Jay Pfoutz Malware Helper Posts: 4,286   +49

    New script please:

    :regfind
    EXTender
    GPlayer
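
    The ":regfind" script above asks SystemLook to walk the registry and print every key, value name or value data string containing the search term, case-insensitively (which is why "EXTender" also hits the Windows "Media Center Extender" entries in the log that follows). Below is an added PowerShell equivalent for readers who want to do the same search without the third-party tool; it is not SystemLook's code and not part of the original thread. The script name Find-RegString.ps1 and the default roots (HKLM and HKU) are my choices; run it from an elevated prompt so HKLM\SYSTEM and the other users' hives are readable.

```powershell
# Added example, not SystemLook itself: case-insensitive search of the loaded
# registry hives for a substring in key names, value names and value data,
# which is what the ":regfind" script above asks SystemLook to do.
# Usage (elevated prompt):
#   .\Find-RegString.ps1 -Pattern 'EXTender','GPlayer'
param(
    [Parameter(Mandatory)][string[]]$Pattern,
    [string[]]$Roots = @('HKLM:\', 'HKU:\')   # HKCU is one of the hives under HKU
)

# HKEY_USERS is not mapped as a PowerShell drive by default.
if (-not (Get-PSDrive -Name HKU -ErrorAction SilentlyContinue)) {
    New-PSDrive -Name HKU -PSProvider Registry -Root HKEY_USERS | Out-Null
}

function Test-Contains([string]$Text, [string]$Needle) {
    # Ordinal, case-insensitive: "EXTender" must hit "Media Center Extender".
    return $Text.IndexOf($Needle, [System.StringComparison]::OrdinalIgnoreCase) -ge 0
}

function Find-RegistryString([string]$Root, [string]$Needle) {
    Get-ChildItem -Path $Root -Recurse -ErrorAction SilentlyContinue | ForEach-Object {
        $key = $_
        # Match on the key name itself
        if (Test-Contains $key.PSChildName $Needle) {
            [pscustomobject]@{ Key = $key.Name; Name = $null; Data = $null }
        }
        try {
            foreach ($vn in $key.GetValueNames()) {
                # Keep REG_EXPAND_SZ data unexpanded so "%SystemRoot%" strings
                # are searchable exactly as they are stored.
                $data = [string]$key.GetValue($vn, '', 'DoNotExpandEnvironmentNames')
                if ((Test-Contains $vn $Needle) -or (Test-Contains $data $Needle)) {
                    [pscustomobject]@{ Key = $key.Name; Name = $vn; Data = $data }
                }
            }
        } catch { }   # key we could open but not read values from; skip it
    }
}

foreach ($p in $Pattern) {
    Write-Host "========== regfind: $p =========="
    foreach ($r in $Roots) {
        Find-RegistryString -Root $r -Needle $p | Format-List Key, Name, Data
    }
}
```

    A full walk of HKLM takes a few minutes on a typical Windows 7 install; restrict -Roots (for example to 'HKU:\' or 'HKLM:\SOFTWARE') when you only care about one hive. Expect the same noise the SystemLook log shows: a short, generic term like "Extender" matches legitimate Windows components, so judge hits by the file path they point at (here, C:\Program Files\Free Ride Games\GPlayer.exe) rather than by the name alone.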
  16. cableman

    cableman TechSpot Enthusiast Topic Starter Posts: 173

    Looks like better results with new script. New log :


    SystemLook 30.07.11 by jpshortstuff
    Log created at 13:05 on 05/02/2013 by Administrator
    Administrator - Elevation successful

    ========== regfind ==========

    Searching for "EXTender"
    [HKEY_CURRENT_USER\Software\Classes\Local Settings\MuiCache\2A2\52C64B7E]
    "@%SystemRoot%\ehome\ehres.dll,-15502"="Allows Media Center Extenders to locate and connect to the computer."
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{E55A0B49-2F73-44D4-AD66-48966DED31BA}]
    "FriendlyName"="Media Center Extender Encryption Filter"
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{897708D5-9657-4C08-903C-40A1CB534992}]
    @="WebExtenderClient Class"
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{897708D5-9657-4C08-903C-40A1CB534992}\ProgID]
    @="WECAPI5.WebExtenderClient.3"
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{897708D5-9657-4C08-903C-40A1CB534992}\VersionIndependentProgID]
    @="WECAPI5.WebExtenderClient"
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E55A0B49-2F73-44D4-AD66-48966DED31BA}]
    @="Media Center Extender Encryption Filter"
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{f77d9c1c-5aff-4341-b028-57f7510aa91c}]
    @="CLSID_AssociationListExtender"
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{4DB06329-23F4-443B-9ABD-9CF611E8AE07}]
    @="IExtenderProvider"
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{8D0AA9CC-8465-42F3-AD6E-DFDE28CCC75D}]
    @="ObjectExtenders"
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{914934C0-5A91-11CF-8700-00AA0060263B}]
    @="OCXExtender"
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{AD0FD906-EB8C-41B2-9856-4F6D7FC5A8E9}]
    @="IAssociationListExtender"
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{B85F43C4-C765-4984-AE3D-695E8CD8E992}]
    @="IInternalExtenderProvider"
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{E57C510B-968B-4A3C-A467-EE4013157DC9}]
    @="IExtenderSite"
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{F69B64A3-9017-4E48-9784-E152B51AA722}]
    @="IExtenderProviderUnk"
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\NetworkExplorerPlugins\urn:schemas-microsoft-com:device:MediaCenterExtender:1]
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\NetworkExplorerPlugins\urn:schemas-microsoft-com:device:MediaCenterExtender:1\Shell\Configure\Command]
    @="C:\Windows\ehome\ehshell.exe -extender"
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\NetworkExplorerPlugins\urn:schemas-microsoft-com:device:MediaCenterExtenderMFD:1]
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\NetworkExplorerPlugins\urn:schemas-microsoft-com:device:MediaCenterExtenderMFD:1\Shell\Configure\Command]
    @="C:\Windows\ehome\ehshell.exe -extender"
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WECAPI5.WebExtenderClient]
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WECAPI5.WebExtenderClient]
    @="WebExtenderClient Class"
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WECAPI5.WebExtenderClient.3]
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WECAPI5.WebExtenderClient.3]
    @="WebExtenderClient Class"
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Publishers\{7b7838a3-6562-4269-bb7a-97b0d9593882}]
    @="Microsoft-Windows-Media Center Extender"
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{43675D81-502A-4A82-9F84-B75F418C5DEA}]
    "Class"="Media Center Extender"
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{43675D81-502A-4A82-9F84-B75F418C5DEA}]
    @="Media Center Extender"
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\Boot Bus Extender]
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\System Bus Extender]
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Network\Boot Bus Extender]
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Network\System Bus Extender]
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\ServiceGroupOrder]
    "List"="System Reserved EMS WdfLoadGroup Boot Bus Extender System Bus Extender SCSI miniport Port Primary Disk SCSI Class SCSI CDROM Class FSFilter Infrastructure FSFilter System FSFilter Bottom FSFilter Copy Protection FSFilter Security Enhancer FSFilter Open File FSFilter Physical Quota Management FSFilter Virtualization FSFilter Encryption FSFilter Compression FSFilter Imaging FSFilter HSM FSFilter Cluster File System FSFilter System Recovery FSFilter Quota Management FSFilter Content Screener FSFilter Continuous Backup FSFilter Replication FSFilter Anti-Virus FSFilter Undelete FSFilter Activity Monitor FSFilter Top Filter Boot File System Base Pointer Port Keyboard Port Pointer Class Keyboard Class Video Init Video Video Save File System Streams Drivers NDIS Wrapper COM Infrastructure Event Log AudioGroup ProfSvc_Group UIGroup MS_WindowsLocalValidation PlugPlay ValiditySensors Cryptography PNP_TDI NDIS TDI iSCSI NetBIOSGroup ShellSvcGrou
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\ACPI]
    "Group"="Boot Bus Extender"
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\aliide]
    "Group"="System Bus Extender"
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\amdide]
    "Group"="System Bus Extender"
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\cmdide]
    "Group"="System Bus Extender"
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Compbatt]
    "Group"="System Bus Extender"
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\intelide]
    "Group"="System Bus Extender"
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\isapnp]
    "Group"="Boot Bus Extender"
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\mountmgr]
    "Group"="System Bus Extender"
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\mpio]
    "Group"="Boot Bus Extender"
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\msdsm]
    "Group"="System Bus Extender"
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\msisadrv]
    "Group"="Boot Bus Extender"
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\nvraid]
    "Group"="System Bus Extender"
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\partmgr]
    "Group"="Boot Bus Extender"
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\pci]
    "Group"="Boot Bus Extender"
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\pciide]
    "Group"="System Bus Extender"
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\pcmcia]
    "Group"="System Bus Extender"
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\sdbus]
    "Group"="System Bus Extender"
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\vdrvroot]
    "Group"="Boot Bus Extender"
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\viaide]
    "Group"="System Bus Extender"
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\vmbus]
    "Group"="System Bus Extender"
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\volmgr]
    "Group"="System Bus Extender"
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\volmgrx]
    "Group"="System Bus Extender"
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\Class\{43675D81-502A-4A82-9F84-B75F418C5DEA}]
    "Class"="Media Center Extender"
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\Class\{43675D81-502A-4A82-9F84-B75F418C5DEA}]
    @="Media Center Extender"
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\SafeBoot\Minimal\Boot Bus Extender]
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\SafeBoot\Minimal\System Bus Extender]
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\SafeBoot\Network\Boot Bus Extender]
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\SafeBoot\Network\System Bus Extender]
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\ServiceGroupOrder]
    "List"="System Reserved EMS WdfLoadGroup Boot Bus Extender System Bus Extender SCSI miniport Port Primary Disk SCSI Class SCSI CDROM Class FSFilter Infrastructure FSFilter System FSFilter Bottom FSFilter Copy Protection FSFilter Security Enhancer FSFilter Open File FSFilter Physical Quota Management FSFilter Virtualization FSFilter Encryption FSFilter Compression FSFilter Imaging FSFilter HSM FSFilter Cluster File System FSFilter System Recovery FSFilter Quota Management FSFilter Content Screener FSFilter Continuous Backup FSFilter Replication FSFilter Anti-Virus FSFilter Undelete FSFilter Activity Monitor FSFilter Top Filter Boot File System Base Pointer Port Keyboard Port Pointer Class Keyboard Class Video Init Video Video Save File System Streams Drivers NDIS Wrapper COM Infrastructure Event Log AudioGroup ProfSvc_Group UIGroup MS_WindowsLocalValidation PlugPlay ValiditySensors Cryptography PNP_TDI NDIS TDI iSCSI NetBIOSGroup ShellSvcGrou
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\services\ACPI]
    "Group"="Boot Bus Extender"
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\services\aliide]
    "Group"="System Bus Extender"
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\services\amdide]
    "Group"="System Bus Extender"
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\services\cmdide]
    "Group"="System Bus Extender"
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\services\Compbatt]
    "Group"="System Bus Extender"
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\services\intelide]
    "Group"="System Bus Extender"
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\services\isapnp]
    "Group"="Boot Bus Extender"
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\services\mountmgr]
    "Group"="System Bus Extender"
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\services\mpio]
    "Group"="Boot Bus Extender"
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\services\msdsm]
    "Group"="System Bus Extender"
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\services\msisadrv]
    "Group"="Boot Bus Extender"
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\services\nvraid]
    "Group"="System Bus Extender"
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\services\partmgr]
    "Group"="Boot Bus Extender"
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\services\pci]
    "Group"="Boot Bus Extender"
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\services\pciide]
    "Group"="System Bus Extender"
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\services\pcmcia]
    "Group"="System Bus Extender"
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\services\sdbus]
    "Group"="System Bus Extender"
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\services\vdrvroot]
    "Group"="Boot Bus Extender"
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\services\viaide]
    "Group"="System Bus Extender"
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\services\vmbus]
    "Group"="System Bus Extender"
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\services\volmgr]
    "Group"="System Bus Extender"
    [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\services\volmgrx]
    "Group"="System Bus Extender"
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{43675D81-502A-4A82-9F84-B75F418C5DEA}]
    "Class"="Media Center Extender"
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{43675D81-502A-4A82-9F84-B75F418C5DEA}]
    @="Media Center Extender"
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Boot Bus Extender]
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\System Bus Extender]
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\Boot Bus Extender]
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\System Bus Extender]
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\ServiceGroupOrder]
    "List"="System Reserved EMS WdfLoadGroup Boot Bus Extender System Bus Extender SCSI miniport Port Primary Disk SCSI Class SCSI CDROM Class FSFilter Infrastructure FSFilter System FSFilter Bottom FSFilter Copy Protection FSFilter Security Enhancer FSFilter Open File FSFilter Physical Quota Management FSFilter Virtualization FSFilter Encryption FSFilter Compression FSFilter Imaging FSFilter HSM FSFilter Cluster File System FSFilter System Recovery FSFilter Quota Management FSFilter Content Screener FSFilter Continuous Backup FSFilter Replication FSFilter Anti-Virus FSFilter Undelete FSFilter Activity Monitor FSFilter Top Filter Boot File System Base Pointer Port Keyboard Port Pointer Class Keyboard Class Video Init Video Video Save File System Streams Drivers NDIS Wrapper COM Infrastructure Event Log AudioGroup ProfSvc_Group UIGroup MS_WindowsLocalValidation PlugPlay ValiditySensors Cryptography PNP_TDI NDIS TDI iSCSI NetBIOSGroup ShellSvc
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\ACPI]
    "Group"="Boot Bus Extender"
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\aliide]
    "Group"="System Bus Extender"
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\amdide]
    "Group"="System Bus Extender"
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\cmdide]
    "Group"="System Bus Extender"
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\Compbatt]
    "Group"="System Bus Extender"
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\intelide]
    "Group"="System Bus Extender"
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\isapnp]
    "Group"="Boot Bus Extender"
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\mountmgr]
    "Group"="System Bus Extender"
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\mpio]
    "Group"="Boot Bus Extender"
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\msdsm]
    "Group"="System Bus Extender"
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\msisadrv]
    "Group"="Boot Bus Extender"
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\nvraid]
    "Group"="System Bus Extender"
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\partmgr]
    "Group"="Boot Bus Extender"
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\pci]
    "Group"="Boot Bus Extender"
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\pciide]
    "Group"="System Bus Extender"
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\pcmcia]
    "Group"="System Bus Extender"
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\sdbus]
    "Group"="System Bus Extender"
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\vdrvroot]
    "Group"="Boot Bus Extender"
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\viaide]
    "Group"="System Bus Extender"
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\vmbus]
    "Group"="System Bus Extender"
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\volmgr]
    "Group"="System Bus Extender"
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\volmgrx]
    "Group"="System Bus Extender"
    [HKEY_USERS\.DEFAULT\Software\Classes\Local Settings\MuiCache\2A2\52C64B7E]
    "@%SystemRoot%\ehome\ehres.dll,-15501"="Media Center Extender Service"
    [HKEY_USERS\S-1-5-21-806783369-3586686801-2702779342-500\Software\Classes\Local Settings\MuiCache\2A2\52C64B7E]
    "@%SystemRoot%\ehome\ehres.dll,-15502"="Allows Media Center Extenders to locate and connect to the computer."
    [HKEY_USERS\S-1-5-21-806783369-3586686801-2702779342-500_Classes\Local Settings\MuiCache\2A2\52C64B7E]
    "@%SystemRoot%\ehome\ehres.dll,-15502"="Allows Media Center Extenders to locate and connect to the computer."
    [HKEY_USERS\S-1-5-18\Software\Classes\Local Settings\MuiCache\2A2\52C64B7E]
    "@%SystemRoot%\ehome\ehres.dll,-15501"="Media Center Extender Service"

    Searching for "GPlayer"
    [HKEY_CURRENT_USER\Software\Microsoft\DirectInput\MostRecentApplication]
    "Name"="GPLAYER.EXE"
    [HKEY_CURRENT_USER\Software\Microsoft\DirectInput\MostRecentApplication]
    "Id"="GPLAYER.EXE503F754D004AB1D8"
    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\LowRegistry\Audio\PolicyConfig\PropertyStore\a3714275_0]
    @="{0.0.0.00000000}.{03d76a47-3195-4297-8466-33c52c1101a2}|\Device\HarddiskVolume1\Program Files\Free Ride Games\GPlayer.exe%b{00000000-0000-0000-0000-000000000000}"
    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
    "Exetender"=""C:\Program Files\Free Ride Games\GPlayer.exe" /runonstartup"
    [HKEY_CURRENT_USER\Software\Classes\Applications\GPlayer.exe]
    [HKEY_CURRENT_USER\Software\Classes\Applications\GPlayer.exe]
    "TaskbarGroupIcon"="C:\Program Files\Free Ride Games\Skins\000005\icon\GPlayer.ico"
    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\EXEtender\Shell\Open\Command]
    @=""C:\Program Files\Free Ride Games\GPlayer.exe" %1"
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Direct3D\MostRecentApplication]
    "Name"="GPlayer.exe"
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{8EBFFAE0-F0A4-4ee6-8524-2751906624C4}]
    "AppName"="GPlayer.exe"
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\GPlayer_RASAPI32]
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\GPlayer_RASMANCS]
    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "Exetender"=""C:\Program Files\Free Ride Games\GPlayer.exe" /runonstartup"
    [HKEY_USERS\S-1-5-21-806783369-3586686801-2702779342-500\Software\Microsoft\DirectInput\MostRecentApplication]
    "Name"="GPLAYER.EXE"
    [HKEY_USERS\S-1-5-21-806783369-3586686801-2702779342-500\Software\Microsoft\DirectInput\MostRecentApplication]
    "Id"="GPLAYER.EXE503F754D004AB1D8"
    [HKEY_USERS\S-1-5-21-806783369-3586686801-2702779342-500\Software\Microsoft\Internet Explorer\LowRegistry\Audio\PolicyConfig\PropertyStore\a3714275_0]
    @="{0.0.0.00000000}.{03d76a47-3195-4297-8466-33c52c1101a2}|\Device\HarddiskVolume1\Program Files\Free Ride Games\GPlayer.exe%b{00000000-0000-0000-0000-000000000000}"
    [HKEY_USERS\S-1-5-21-806783369-3586686801-2702779342-500\Software\Microsoft\Windows\CurrentVersion\Run]
    "Exetender"=""C:\Program Files\Free Ride Games\GPlayer.exe" /runonstartup"
    [HKEY_USERS\S-1-5-21-806783369-3586686801-2702779342-500\Software\Classes\Applications\GPlayer.exe]
    [HKEY_USERS\S-1-5-21-806783369-3586686801-2702779342-500\Software\Classes\Applications\GPlayer.exe]
    "TaskbarGroupIcon"="C:\Program Files\Free Ride Games\Skins\000005\icon\GPlayer.ico"
    [HKEY_USERS\S-1-5-21-806783369-3586686801-2702779342-500_Classes\Applications\GPlayer.exe]
    [HKEY_USERS\S-1-5-21-806783369-3586686801-2702779342-500_Classes\Applications\GPlayer.exe]
    "TaskbarGroupIcon"="C:\Program Files\Free Ride Games\Skins\000005\icon\GPlayer.ico"
    [HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Run]
    "Exetender"=""C:\Program Files\Free Ride Games\GPlayer.exe" /runonstartup"

    -= EOF =-
  17. Jay Pfoutz

    Jay Pfoutz Malware Helper Posts: 4,286   +49

    OTL Fix

    Please run OTL
    • Under the Custom Scans/Fixes box at the bottom, copy and paste in the following:

    • Then click the Run Fix button at the top.
    • Note: The fix for OTL automatically hides your Desktop and Start menu so the fix can be completed. Do not be alerted, as this is normal.
    • Please do not exit the program. It might take a while to fix, but allow it to run. If it asks to reboot the computer, allow it to reboot. If the program freezes, and the computer fails to reboot - let me know.
      Lastly, post the contents of the log. (Located at C:\_OTL\Moved Files)

    Let me know of any more issues...
  18. cableman

    cableman TechSpot Enthusiast Topic Starter Posts: 173

    Program ran quickly; it asked to remove media from the drive for reboot, but the drive is empty. I hit the power button to reboot after removing a flash drive that I have been saving logs on, and it rebooted to Windows. Pesky popup still there!! Here is the log:


    All processes killed
    ========== REGISTRY ==========
    Registry value HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Run\\Exetender deleted successfully.
    ========== COMMANDS ==========

    [EMPTYTEMP]

    User: Administrator
    ->Temp folder emptied: 1182 bytes
    ->Temporary Internet Files folder emptied: 118666 bytes
    ->Java cache emptied: 0 bytes
    ->FireFox cache emptied: 56587509 bytes
    ->Google Chrome cache emptied: 0 bytes
    ->Flash cache emptied: 1037 bytes

    User: All Users

    User: Default
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes
    ->Flash cache emptied: 0 bytes

    User: Default User
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes
    ->Flash cache emptied: 0 bytes

    User: Public
    ->Temp folder emptied: 0 bytes

    User: user
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes
    ->Flash cache emptied: 0 bytes

    %systemdrive% .tmp files removed: 0 bytes
    %systemroot% .tmp files removed: 0 bytes
    %systemroot%\System32 .tmp files removed: 0 bytes
    %systemroot%\System32\drivers .tmp files removed: 0 bytes
    Windows Temp folder emptied: 83179 bytes
    %systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 0 bytes
    RecycleBin emptied: 279590 bytes

    Total Files Cleaned = 54.00 mb


    OTL by OldTimer - Version 3.2.69.0 log created on 02052013_193914

    Files\Folders moved on Reboot...
    File move failed. C:\windows\temp\_avast_\Webshlock.txt scheduled to be moved on reboot.

    PendingFileRenameOperations files...

    Registry entries deleted on Reboot...
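
    The OTL log above shows why the popup survived the reboot: the fix deleted only the copy of the "Exetender" Run value under HKEY_USERS\S-1-5-18 (the SYSTEM account's hive), while the earlier SystemLook log listed the same value under HKEY_CURRENT_USER, HKEY_USERS\.DEFAULT and the signed-in user's SID hive (HKCU and HKU\S-1-5-21-...-500 are the same key seen through two paths). Anything still present in a Run key of a hive that is loaded at logon starts again. The following is an added PowerShell example, not the OTL script from this thread, that lists the Run and RunOnce values of HKLM and of every hive loaded under HKEY_USERS, and removes a named value from all of them at once. The script name Remove-AutostartValue.ps1 is my choice; the value name 'Exetender' comes from the logs.

```powershell
# Added example, not the OTL fix used in the thread. Lists the Run/RunOnce
# autostart values of HKLM and of every loaded hive under HKEY_USERS
# (.DEFAULT, S-1-5-18, each user's S-1-5-21-... SID) and deletes the value
# named in -Remove from all of them. Supports -WhatIf, so dry-run first:
#   .\Remove-AutostartValue.ps1                       # list only
#   .\Remove-AutostartValue.ps1 -Remove Exetender -WhatIf
#   .\Remove-AutostartValue.ps1 -Remove Exetender
[CmdletBinding(SupportsShouldProcess)]
param([string]$Remove)   # value name to delete; omit to only list

if (-not (Get-PSDrive -Name HKU -ErrorAction SilentlyContinue)) {
    New-PSDrive -Name HKU -PSProvider Registry -Root HKEY_USERS | Out-Null
}

$subKeys = @('Software\Microsoft\Windows\CurrentVersion\Run',
             'Software\Microsoft\Windows\CurrentVersion\RunOnce')

# Machine-wide hive plus every user hive currently loaded. HKCU is not listed
# separately because it is the signed-in user's SID hive under HKU.
$hives = @('HKLM:') + (Get-ChildItem -Path 'HKU:\' |
                       ForEach-Object { "HKU:\$($_.PSChildName)" })

function Get-AutostartEntry {
    foreach ($h in $hives) {
        foreach ($s in $subKeys) {
            $path = Join-Path $h $s
            # "_Classes" hives and some service hives have no Run key; skip them.
            if (-not (Test-Path -LiteralPath $path)) { continue }
            $key = Get-Item -LiteralPath $path
            foreach ($name in $key.GetValueNames()) {
                [pscustomobject]@{
                    Hive    = $h
                    Path    = $path
                    Name    = $name
                    Command = [string]$key.GetValue($name)
                }
            }
        }
    }
}

$entries = Get-AutostartEntry
$entries | Format-Table Hive, Name, Command -AutoSize

if ($Remove) {
    $targets = $entries | Where-Object { $_.Name -eq $Remove }
    if (-not $targets) { Write-Host "No Run/RunOnce value named '$Remove' in any loaded hive." }
    foreach ($e in $targets) {
        # ShouldProcess honours -WhatIf / -Confirm for each hive separately.
        if ($PSCmdlet.ShouldProcess("$($e.Path)\$($e.Name)", 'Remove autostart value')) {
            Remove-ItemProperty -LiteralPath $e.Path -Name $e.Name
        }
    }
}
```

    Two caveats. Only hives that are loaded appear under HKEY_USERS, so a user who is not signed in is not covered; sign in as that user (or load their NTUSER.DAT with reg load) and run it again. And removing the Run value only stops the program from starting; the listing tells you where it lives (the Command column), which is the path to hand to an uninstaller or to a file-removal fix like the one the helper provides next.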
  19. cableman

    cableman TechSpot Enthusiast Topic Starter Posts: 173

    I have a program "Tune Up Utilities 2012" on my computer and it has a section that allows me to enable or disable startup programs. In the list I disabled "Extender Player". No more popup, but that only disables the program from booting with Windows; it is still somewhere on the computer. As for those free games shortcuts, some type of malware must have done that because they only opened my browser to the download page for games. I immediately closed and deleted the shortcuts. Deleted a couple of old shortcuts that are broken since cleanup of the computer and shouldn't have been there anyway. I could try to manually find any "Extender Player" files or program on the computer and delete them, but I will wait for your instructions before doing anything else.
  20. Jay Pfoutz

    Jay Pfoutz Malware Helper Posts: 4,286   +49

    It's GPlayer on your computer, which comes from a free games program.
  21. cableman

    cableman TechSpot Enthusiast Topic Starter Posts: 173

    I can't find any "GPlayer" on any program list, but I have found: "Cradle of Rome", "Heroes of Hellas", "Time Riddles: The Mansion", and "7 Wonders II". The "GPlayer" is not to be found on any program list anywhere, even when I use "My Computer" to go to program install and uninstall. The game listings show up but it won't let me uninstall, and the best I can do is, sometimes when I think I am going to get it to uninstall, that same pesky popup comes up about reinstalling "Extender Player". The only problem is I can't find any files relating to it with search. I am unsure how to clean these out. All the games show they were installed on 12/22/2012, but I don't try to open any because I don't want to let it get deeper in. Any advice?
  22. Jay Pfoutz

    Jay Pfoutz Malware Helper Posts: 4,286   +49

    Any programs about Extender Player?

    I can remove all files manually, if we need to...
  23. cableman

    cableman TechSpot Enthusiast Topic Starter Posts: 173

    Then please tell me how to get rid of this. I am locked out of deleting it!!! Thanks for all your help also. And NO there is no sign of "Extender Player" in any program list, file list, or anywhere I can find. I even looked in accessories folder and all.
  24. Jay Pfoutz

    Jay Pfoutz Malware Helper Posts: 4,286   +49

    GPlayer is part of Free Ride Games, so it's probably bundled inside the program. :p

    OTL Fix

    Please run OTL
    • Under the Custom Scans/Fixes box at the bottom, copy and paste in the following:

    • Then click the Run Fix button at the top.
    • Note: The fix for OTL automatically hides your Desktop and Start menu so the fix can be completed. Do not be alerted, as this is normal.
    • Please do not exit the program. It might take a while to fix, but allow it to run. If it asks to reboot the computer, allow it to reboot. If the program freezes, and the computer fails to reboot - let me know.
      Lastly, post the contents of the log. (Located at C:\_OTL\Moved Files)

    Let me know if this did the trick. :)
  25. cableman

    cableman TechSpot Enthusiast Topic Starter Posts: 173

    That helped a lot. Whereas I was using "Tune Up Utilities" to prevent that Extender Player popup on reboot, this took it completely away. I do however still have these listed in the program uninstall list through My Computer: Cradle of Rome, Heroes of Hellas, Time Riddles: The Mansion, and 7 Wonders II. It will not let me uninstall them. It will say something to the effect that they are a part of Extender Player and it wasn't uninstalled properly, and then blocks me from doing anything with them. Other than that everything is fine, and these programs or files or remnants or whatever don't seem to be causing problems, but I wonder why they are still there and what they might do in the future. Here is the log:


    All processes killed
    ========== REGISTRY ==========
    Registry value HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\\Exetender not found.
    Registry value HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run\\Exetender not found.
    Registry value HKEY_USERS\S-1-5-21-806783369-3586686801-2702779342-500\Software\Microsoft\Windows\CurrentVersion\Run\\Exetender not found.
    Registry value HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Run\\Exetender not found.
    ========== COMMANDS ==========

    [EMPTYTEMP]

    User: Administrator
    ->Temp folder emptied: 273013 bytes
    ->Temporary Internet Files folder emptied: 35882 bytes
    ->Java cache emptied: 0 bytes
    ->FireFox cache emptied: 11616599 bytes
    ->Google Chrome cache emptied: 0 bytes
    ->Flash cache emptied: 492 bytes

    User: All Users

    User: Default
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes
    ->Flash cache emptied: 0 bytes

    User: Default User
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes
    ->Flash cache emptied: 0 bytes

    User: Public
    ->Temp folder emptied: 0 bytes

    User: user
    ->Temp folder emptied: 0 bytes
    ->Temporary Internet Files folder emptied: 0 bytes
    ->Flash cache emptied: 0 bytes

    %systemdrive% .tmp files removed: 0 bytes
    %systemroot% .tmp files removed: 0 bytes
    %systemroot%\System32 .tmp files removed: 0 bytes
    %systemroot%\System32\drivers .tmp files removed: 0 bytes
    Windows Temp folder emptied: 66016 bytes
    %systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 0 bytes
    RecycleBin emptied: 7376346 bytes

    Total Files Cleaned = 18.00 mb


    OTL by OldTimer - Version 3.2.69.0 log created on 02082013_165718

    Files\Folders moved on Reboot...
    File move failed. C:\windows\temp\_avast_\Webshlock.txt scheduled to be moved on reboot.

    PendingFileRenameOperations files...

    Registry entries deleted on Reboot...