Solved Certain of malware on HP laptop, Windows 7


cableman

I am getting pop-ups saying Windows is not authentic, and Windows Update is not working. There are other error messages and problems as well. I followed your four-step plan and have posted the logs below. Thank you in advance for any help.

Malwarebytes Anti-Malware 1.70.0.1100
www.malwarebytes.org

Database version: v2013.01.25.07

Windows 7 Service Pack 1 x86 NTFS
Internet Explorer 9.0.8112.16421
Administrator :: USER-HP [administrator]

1/25/2013 1:29:09 PM
mbam-log-2013-01-25 (13-29-09).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 239030
Time elapsed: 6 minute(s), 48 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 21
HKCR\AppID\{F85FA3F2-D2C8-4D4D-BB1C-3181E691AF2B} (PUP.FaceThemes) -> Quarantined and deleted successfully.
HKCR\CLSID\{11111111-1111-1111-1111-110011041135} (PUP.Codec.PR) -> Quarantined and deleted successfully.
HKCR\TypeLib\{44444444-4444-4444-4444-440044044435} (PUP.Codec.PR) -> Quarantined and deleted successfully.
HKCR\Interface\{55555555-5555-5555-5555-550055045535} (PUP.Codec.PR) -> Quarantined and deleted successfully.
HKCR\CrossriderApp0000435.BHO.1 (PUP.Codec.PR) -> Quarantined and deleted successfully.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{11111111-1111-1111-1111-110011041135} (PUP.Codec.PR) -> Quarantined and deleted successfully.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{11111111-1111-1111-1111-110011041135} (PUP.Codec.PR) -> Quarantined and deleted successfully.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{11111111-1111-1111-1111-110011041135} (PUP.Codec.PR) -> Quarantined and deleted successfully.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{11111111-1111-1111-1111-110011041135} (PUP.Codec.PR) -> Quarantined and deleted successfully.
HKCR\Typelib\{A3F56272-CDB4-4310-9BB1-9A0D0757A3B3} (PUP.FaceThemes) -> Quarantined and deleted successfully.
HKCR\Interface\{D6975F9E-15B2-4FE7-9D16-FC2E85CB201B} (PUP.FaceThemes) -> Quarantined and deleted successfully.
HKCR\CLSID\{300BEC06-B743-4D19-86B9-11DC711D7FFB} (PUP.FaceThemes) -> Quarantined and deleted successfully.
HKCR\SelectionLinks.SelectionLinksBHO.1 (PUP.FaceThemes) -> Quarantined and deleted successfully.
HKCR\SelectionLinks.SelectionLinksBHO (PUP.FaceThemes) -> Quarantined and deleted successfully.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{300BEC06-B743-4D19-86B9-11DC711D7FFB} (PUP.FaceThemes) -> Quarantined and deleted successfully.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{300BEC06-B743-4D19-86B9-11DC711D7FFB} (PUP.FaceThemes) -> Quarantined and deleted successfully.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{300BEC06-B743-4D19-86B9-11DC711D7FFB} (PUP.FaceThemes) -> Quarantined and deleted successfully.
HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{300BEC06-B743-4D19-86B9-11DC711D7FFB} (PUP.FaceThemes) -> Quarantined and deleted successfully.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{300BEC06-B743-4D19-86B9-11DC711D7FFB} (PUP.FaceThemes) -> Quarantined and deleted successfully.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{300BEC06-B743-4D19-86B9-11DC711D7FFB} (PUP.FaceThemes) -> Quarantined and deleted successfully.
HKCR\CrossriderApp0000435.BHO (PUP.Codec.PR) -> Quarantined and deleted successfully.

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 3
C:\Program Files\Premiumplay Codec-C\Premiumplay Codec-C.dll (PUP.Codec.PR) -> Quarantined and deleted successfully.
C:\Program Files\OApps\SelectionLinks.dll (PUP.FaceThemes) -> Quarantined and deleted successfully.
C:\Users\Administrator\Downloads\mplayer_Setup.exe (PUP.Bundle.Installer.OI) -> Quarantined and deleted successfully.

(end)


DDS (Ver_2012-11-20.01) - NTFS_x86
Internet Explorer: 9.0.8112.16421 BrowserJavaVersion: 1.6.0_26
Run by Administrator at 14:09:46 on 2013-01-25
Microsoft Windows 7 Professional 6.1.7601.1.1252.1.1033.18.1782.826 [GMT -5:00]
.
AV: avast! Antivirus *Enabled/Updated* {2B2D1395-420B-D5C9-657E-930FE358FC3C}
SP: avast! Antivirus *Enabled/Updated* {904CF271-6431-DA47-5FCE-A87D98DFB681}
.
============== Running Processes ================
.
C:\windows\system32\wininit.exe
C:\windows\system32\lsm.exe
C:\Program Files\Hewlett-Packard\File Sanitizer\HPFSService.exe
C:\windows\system32\atiesrxx.exe
C:\Program Files\IDT\WDM\STacSV.exe
C:\windows\system32\atieclxx.exe
C:\windows\system32\Hpservice.exe
C:\windows\system32\vcsFPService.exe
C:\windows\system32\WLANExt.exe
C:\windows\system32\conhost.exe
C:\Program Files\AVAST Software\Avast\AvastSvc.exe
C:\windows\System32\spoolsv.exe
C:\Program Files\Common Files\ActivIdentity\ac.sharedstore.exe
C:\Program Files\ActivIdentity\ActivClient\acevents.exe
C:\Program Files\IDT\WDM\aestsrv.exe
C:\Program Files\LSI SoftModem\agrsmsvc.exe
C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe
c:\Program Files\Hewlett-Packard\HP QuickLook\HPDayStarterService.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\PDF Complete\pdfsvc.exe
C:\Program Files\Common Files\Portrait Displays\Drivers\pdisrvc.exe
C:\Program Files\QUALCOMM\QDLService2k\QDLService2kHP.exe
C:\windows\system32\rpcnet.exe
C:\Program Files\TuneUp Utilities 2012\TuneUpUtilitiesService32.exe
C:\windows\system32\SearchIndexer.exe
C:\windows\system32\taskhost.exe
C:\windows\system32\taskeng.exe
C:\Program Files\TuneUp Utilities 2012\TuneUpUtilitiesApp32.exe
C:\windows\system32\Dwm.exe
C:\windows\Explorer.EXE
C:\ProgramData\Premium\Codec\Codec.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamscheduler.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\IDT\WDM\sttray.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\AVAST Software\Avast\AvastUI.exe
C:\Program Files\Hewlett-Packard\HP Advisor\DOCK\HPAdvisorDock.exe
C:\Program Files\Siber Systems\AI RoboForm\robotaskbaricon.exe
C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\windows\system32\Macromed\Flash\FlashPlayerPlugin_11_4_402_278.exe
C:\windows\system32\Macromed\Flash\FlashPlayerPlugin_11_4_402_278.exe
C:\Program Files\Hewlett-Packard\HP Advisor\HPAdvisor.exe
C:\windows\system32\wbem\WmiPrvSE.exe
C:\Windows\system32\WUDFHost.exe
C:\windows\system32\conhost.exe
C:\windows\system32\wbem\WmiPrvSE.exe
C:\windows\system32\svchost.exe -k DcomLaunch
C:\windows\system32\svchost.exe -k RPCSS
C:\windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\windows\system32\svchost.exe -k netsvcs
C:\windows\system32\svchost.exe -k LocalService
C:\windows\system32\svchost.exe -k NetworkService
C:\windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\windows\system32\svchost.exe -k bthsvcs
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.ask.com/?l=dis&o=102874&gct=hp
BHO: Adobe PDF Reader Link Helper: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Coupon Companion Plugin: {11111111-1111-1111-1111-110211181104} - c:\program files\coupon companion plugin\Coupon Companion Plugin.dll
BHO: File Sanitizer for HP ProtectTools: {3134413B-49B4-425C-98A5-893C1F195601} - c:\program files\hewlett-packard\file sanitizer\IEBHO.dll
BHO: Incredibar.com Helper Object: {6E13DDE1-2B6E-46CE-8B66-DC8BF36F6B99} - c:\program files\incredibar.com\incredibar\1.5.3.27\bh\incredibar.dll
BHO: RoboForm BHO: {724d43a9-0d85-11d4-9908-00400523e39a} - c:\program files\siber systems\ai roboform\roboform.dll
BHO: avast! WebRep: {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - c:\program files\avast software\avast\aswWebRepIE.dll
BHO: Windows Live Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: WeCareReminder Class: {D824F0DE-3D60-4F57-9EB1-66033ECD8ABB} - c:\programdata\wecarereminder\IEHelperv2.5.0.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - c:\program files\java\jre6\bin\jp2ssv.dll
TB: &RoboForm: {724D43A0-0D85-11D4-9908-00400523E39A} - c:\program files\siber systems\ai roboform\roboform.dll
TB: &RoboForm: {724d43a0-0d85-11d4-9908-00400523e39a} - c:\program files\siber systems\ai roboform\roboform.dll
TB: Incredibar Toolbar: {F9639E4A-801B-4843-AEE3-03D9DA199E77} - c:\program files\incredibar.com\incredibar\1.5.3.27\incredibarTlbr.dll
TB: avast! WebRep: {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - c:\program files\avast software\avast\aswWebRepIE.dll
uRun: [HPAdvisorDock] c:\program files\hewlett-packard\hp advisor\dock\HPAdvisorDock.exe
uRun: [RoboForm] "c:\program files\siber systems\ai roboform\RoboTaskBarIcon.exe"
uRun: [Exetender] "c:\program files\free ride games\GPlayer.exe" /runonstartup
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [SysTrayApp] c:\program files\idt\wdm\sttray.exe
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [avast] "c:\program files\avast software\avast\avastUI.exe" /nogui
dRun: [Exetender] "c:\program files\free ride games\GPlayer.exe" /runonstartup
uPolicies-Explorer: NoDriveTypeAutoRun = dword:145
mPolicies-System: ConsentPromptBehaviorUser = dword:3
mPolicies-System: EnableUIADesktopToggle = dword:0
IE: {320AF880-6646-11D3-ABEE-C5DBF3571F46} - c:\program files\siber systems\ai roboform\RoboFormComFillForms.html
IE: {320AF880-6646-11D3-ABEE-C5DBF3571F49} - c:\program files\siber systems\ai roboform\RoboFormComSavePass.html
IE: {724d43aa-0d85-11d4-9908-00400523e39a} - c:\program files\siber systems\ai roboform\RoboFormComShowToolbar.html
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503}
IE: {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\program files\widcomm\bluetooth software\btsendto_ie.htm
DPF: {6A060448-60F9-11D5-A6CD-0002B31F7455} -
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
TCP: NameServer = 192.168.1.1 205.152.37.23
TCP: Interfaces\{386C4CDF-B88A-4FB1-9A4D-51A5E7F17435} : DHCPNameServer = 192.168.1.1 205.152.37.23
TCP: Interfaces\{386C4CDF-B88A-4FB1-9A4D-51A5E7F17435}\B41686E6D28405 : DHCPNameServer = 192.168.0.1
TCP: Interfaces\{386C4CDF-B88A-4FB1-9A4D-51A5E7F17435}\D4963627F61476568435 : DHCPNameServer = 192.168.0.1
TCP: Interfaces\{386C4CDF-B88A-4FB1-9A4D-51A5E7F17435}\D49637370596767697 : DHCPNameServer = 192.168.0.1 205.152.37.23
TCP: Interfaces\{D1EB2698-7141-45DB-88D5-F8B954FFE9A3}\854414D275966696D23586162796E676 : DHCPNameServer = 192.168.1.1
mASetup: {10880D85-AAD9-4558-ABDC-2AB1552D831F} - "c:\program files\common files\lightscribe\LSRunOnce.exe"
IFEO: hppa_main.exe - "c:\program files\tuneup utilities 2012\TUAutoReactivator32.exe"
IFEO: hptcs.exe - "c:\program files\tuneup utilities 2012\TUAutoReactivator32.exe"
IFEO: hpwa_main.exe - "c:\program files\tuneup utilities 2012\TUAutoReactivator32.exe"
IFEO: setup.exe - "c:\program files\tuneup utilities 2012\TUAutoReactivator32.exe"
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\users\administrator\appdata\roaming\mozilla\firefox\profiles\xibtwus7.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxps://www.google.com/
FF - prefs.js: keyword.URL - hxxp://mystart.incredibar.com/mb119/?loc=IB_DS&a=6Oysndgc9f&&I=26&search=
FF - prefs.js: network.proxy.gopher -
FF - prefs.js: network.proxy.gopher_port - 0
FF - prefs.js: network.proxy.type - 0
FF - plugin: c:\program files\google\update\1.3.21.123\npGoogleUpdate3.dll
FF - plugin: c:\program files\java\jre6\bin\new_plugin\npdeployJava1.dll
FF - plugin: c:\program files\microsoft silverlight\4.0.60831.0\npctrlui.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdeployJava1.dll
FF - plugin: c:\programdata\real\realplayer\browserrecordplugin\mozillaplugins\nprphtml5videoshim.dll
FF - plugin: c:\windows\system32\macromed\flash\NPSWF32_11_4_402_278.dll
FF - ExtSQL: 2012-12-22 05:42; plugin@selectionlinks.com; c:\users\administrator\appdata\roaming\mozilla\firefox\profiles\xibtwus7.default\extensions\plugin@selectionlinks.com
FF - ExtSQL: 2012-12-22 05:45; wecarereminder@bryan; c:\users\administrator\appdata\roaming\mozilla\firefox\profiles\xibtwus7.default\extensions\wecarereminder@bryan
FF - ExtSQL: 2013-01-25 00:48; wrc@avast.com; c:\program files\avast software\avast\webrep\FF
.
---- FIREFOX POLICIES ----
FF - user.js: extensions.incredibar_i.newTab - false
FF - user.js: extensions.incredibar_i.tlbrSrchUrl - hxxp://mystart.Incredibar.com/?a=6Oysndgc9f&loc=IB_TB&I=26&search=
FF - user.js: extensions.incredibar_i.id - a063e759000000000000cc52aff747fc
FF - user.js: extensions.incredibar_i.hardId - a063e759000000000000cc52aff747fc
FF - user.js: extensions.incredibar_i.instlDay - 15379
FF - user.js: extensions.incredibar_i.vrsn - 1.5.3.27
FF - user.js: extensions.incredibar_i.vrsni - 1.5.3.27
FF - user.js: extensions.incredibar_i.vrsnTs - 1.5.3.2711:07:01
FF - user.js: extensions.incredibar_i.prtnrId - Incredibar
FF - user.js: extensions.incredibar_i.prdct - incredibar
FF - user.js: extensions.incredibar_i.aflt - orgnl
FF - user.js: extensions.incredibar_i.smplGrp - none
FF - user.js: extensions.incredibar_i.tlbrId - base
FF - user.js: extensions.incredibar_i.instlRef -
FF - user.js: extensions.incredibar_i.dfltLng -
FF - user.js: extensions.incredibar_i.excTlbr - false
FF - user.js: extensions.incredibar_i.ms_url_id -
FF - user.js: extensions.incredibar_i.upn2 - 6Oysndgc9f
FF - user.js: extensions.incredibar_i.upn2n - 92260871127040989
FF - user.js: extensions.incredibar_i.productid - 26
FF - user.js: extensions.incredibar_i.installerproductid - 26
FF - user.js: extensions.incredibar_i.did - 10606
FF - user.js: extensions.incredibar_i.ppd - 48
FF - user.js: network.http.max-persistent-connections-per-server - 4
FF - user.js: nglayout.initialpaint.delay - 600
FF - user.js: content.notify.interval - 600000
FF - user.js: content.max.tokenizing.time - 1800000
FF - user.js: content.switch.threshold - 600000
user_pref('extensions.autoDisableScopes', 0);user_pref('security.csp.enable', false);user_pref('security.OCSP.enabled', 0);
============= SERVICES / DRIVERS ===============
.
R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2010-6-25 64288]
R1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [2013-1-25 738504]
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2013-1-25 361032]
R2 ac.sharedstore;ActivIdentity Shared Store Service;c:\program files\common files\actividentity\ac.sharedstore.exe [2009-6-3 207400]
R2 AESTFilters;Andrea ST Filters Service;c:\program files\idt\wdm\AEstSrv.exe [2011-11-6 81920]
R2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [2010-4-8 172032]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2013-1-25 21256]
R2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [2013-1-25 58680]
R2 avast! Antivirus;avast! Antivirus;c:\program files\avast software\avast\AvastSvc.exe [2013-1-25 44808]
R2 HPDayStarterService;HP DayStarter Service;c:\program files\hewlett-packard\hp quicklook\HPDayStarterService.exe [2010-3-25 90112]
R2 HPFSService;File Sanitizer for HP ProtectTools;c:\program files\hewlett-packard\file sanitizer\HPFSService.exe [2010-1-19 297984]
R2 hpsrv;HP Service;c:\windows\system32\hpservice.exe [2010-6-15 26168]
R2 MBAMScheduler;MBAMScheduler;c:\program files\malwarebytes' anti-malware\mbamscheduler.exe [2013-1-25 398184]
R2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2013-1-25 682344]
R2 pdfcDispatcher;PDF Document Manager;c:\program files\pdf complete\pdfsvc.exe [2010-5-23 635416]
R2 PdiService;Portrait Displays SDK Service;c:\program files\common files\portrait displays\drivers\pdisrvc.exe [2011-11-6 113264]
R2 QDLService2kHP;Qualcomm Gobi 2000 Download Service (HP);c:\program files\qualcomm\qdlservice2k\QDLService2kHP.exe [2010-3-15 331000]
R2 TuneUp.UtilitiesSvc;TuneUp Utilities Service;c:\program files\tuneup utilities 2012\TuneUpUtilitiesService32.exe [2011-10-12 1479488]
R2 vcsFPService;Validity VCS Fingerprint Service;c:\windows\system32\vcsFPService.exe [2010-2-18 1664304]
R3 btwl2cap;Bluetooth L2CAP Service;c:\windows\system32\drivers\btwl2cap.sys [2010-6-20 29472]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2013-1-25 21104]
R3 TuneUpUtilitiesDrv;TuneUpUtilitiesDrv;c:\program files\tuneup utilities 2012\TuneUpUtilitiesDriver32.sys [2011-9-22 10064]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 rimspci;rimspci;c:\windows\system32\drivers\rimspe86.sys [2010-6-20 48640]
S2 risdpcie;risdpcie;c:\windows\system32\drivers\risdpe86.sys [2010-6-20 47616]
S2 rixdpcie;rixdpcie;c:\windows\system32\drivers\rixdpe86.sys [2010-6-20 38912]
S2 rpcld;Remote Procedure Call (RPC) LD;c:\programdata\rpcnet\bin\rpcld.exe --> c:\programdata\rpcnet\bin\rpcld.exe [?]
S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2009-7-13 229888]
S3 qcfilterhp2k;Gobi 2000 USB Composite Device Filter Driver(03F0-251D);c:\windows\system32\drivers\qcfilterhp2k.sys [2010-3-15 5248]
S3 qcusbnethp2k;Gobi 2000 USB-NDIS miniport(03F0-251D);c:\windows\system32\drivers\qcusbnethp2k.sys [2010-3-15 208384]
S3 qcusbserhp2k;Gobi 2000 USB Device for Legacy Serial Communication(03F0-251D);c:\windows\system32\drivers\qcusbserhp2k.sys [2010-3-15 106880]
S3 RoxMediaDB10;RoxMediaDB10;c:\program files\common files\roxio shared\10.0\sharedcom\RoxMediaDB10.exe [2009-11-23 1120752]
S3 RoxMediaDB12OEM;RoxMediaDB12OEM;c:\program files\common files\roxio shared\oem\12.0\sharedcom\RoxMediaDB12OEM.exe [2011-1-15 1116656]
S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\drivers\Rt86win7.sys [2011-9-29 279656]
S3 rtsuvc;HP Webcam [2 MP Fixed];c:\windows\system32\drivers\rtsuvc.sys [2010-6-20 73344]
S3 StorSvc;Storage Service;c:\windows\system32\svchost.exe -k LocalSystemNetworkRestricted [2009-7-13 20992]
S3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\TsUsbFlt.sys [2011-8-12 52224]
S3 vpcuxd;USB Virtualization Stub Service;c:\windows\system32\drivers\vpcuxd.sys [2011-8-12 12800]
S3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\wat\WatAdminSvc.exe [2010-6-25 1343400]
S3 yukonw7;NDIS6.2 Miniport Driver for Marvell Yukon Ethernet Controller;c:\windows\system32\drivers\yk62x86.sys [2010-1-8 316416]
S4 HP Power Assistant Service;HP Power Assistant Service;c:\program files\hewlett-packard\hp power assistant\HPPA_Service.exe [2011-6-2 133688]
S4 HP Wireless Assistant Service;HP Wireless Assistant Service;c:\program files\hewlett-packard\hp wireless assistant\HPWA_Service.exe [2010-4-5 103992]
S4 hpHotkeyMonitor;HP Hotkey Monitor;c:\program files\hewlett-packard\hp hotkey support\hpHotkeyMonitor.exe [2010-3-1 264248]
.
=============== Created Last 30 ================
.
2013-01-25 18:18:10 21104 ----a-w- c:\windows\system32\drivers\mbam.sys
2013-01-25 18:18:09 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2013-01-25 18:16:47 -------- d-----w- c:\users\administrator\appdata\local\Programs
2013-01-25 05:40:32 44784 ----a-w- c:\windows\system32\drivers\aswRdr2.sys
2013-01-25 05:40:29 738504 ----a-w- c:\windows\system32\drivers\aswSnx.sys
2013-01-25 05:40:25 58680 ----a-w- c:\windows\system32\drivers\aswMonFlt.sys
2013-01-25 05:40:08 41224 ----a-w- c:\windows\avastSS.scr
2013-01-24 14:22:51 97 ----a-w- c:\users\administrator\appdata\roaming\netstat.bat
2013-01-20 08:31:20 -------- d-----w- c:\program files\NirSoft
.
==================== Find3M ====================
.
2013-01-25 18:52:48 17920 ----a-w- c:\windows\system32\rpcnetp.exe
2013-01-25 18:52:46 58288 ----a-w- c:\windows\system32\rpcnet.dll
.
============= FINISH: 14:18:08.59 ===============
 

Attachments

  • DDSlogzip.zip
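The DDS "Pseudo HJT Report" in the post above lists the autostart and browser-extension points on the machine: BHOs and toolbars registered by CLSID, uRun/mRun/dRun keys, IFEO debugger entries, the Firefox prefs.js/user.js settings, and a trailing user_pref line that sets security.csp.enable to false, security.OCSP.enabled to 0 and extensions.autoDisableScopes to 0 (respectively: no Content Security Policy enforcement, no OCSP revocation checks, and side-loaded extensions enabled without a prompt). The script below is an added example, not part of this thread and not code from the DDS tool: it parses lines in that format and reports what a responder would pull out for review. The adware indicator list is an assumption constructed from what Malwarebytes and ComboFix removed later in this thread (Incredibar, Coupon Companion, SelectionLinks, WeCareReminder, Premiumplay), not a general signature set, and the sample lines are copied from the report above.

```python
"""Triage helper for DDS-style 'Pseudo HJT Report' lines (added example)."""
import re
from dataclasses import dataclass

# Assumption: indicator substrings taken from the adware removed in this thread.
ADWARE_INDICATORS = ("incredibar", "mystart.", "coupon companion",
                     "selectionlinks", "wecarereminder", "premiumplay")

# Firefox prefs that, at these values, switch off a security control.
WEAK_PREFS = {
    "security.csp.enable": "false",        # Content Security Policy not enforced
    "security.ocsp.enabled": "0",          # no certificate revocation checks
    "extensions.autodisablescopes": "0",   # side-loaded extensions enabled silently
}

# Constructed sample: lines copied from the DDS report in the thread.
SAMPLE_LOG = r"""
uStart Page = hxxp://www.ask.com/?l=dis&o=102874&gct=hp
BHO: Adobe PDF Reader Link Helper: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Coupon Companion Plugin: {11111111-1111-1111-1111-110211181104} - c:\program files\coupon companion plugin\Coupon Companion Plugin.dll
BHO: Incredibar.com Helper Object: {6E13DDE1-2B6E-46CE-8B66-DC8BF36F6B99} - c:\program files\incredibar.com\incredibar\1.5.3.27\bh\incredibar.dll
TB: Incredibar Toolbar: {F9639E4A-801B-4843-AEE3-03D9DA199E77} - c:\program files\incredibar.com\incredibar\1.5.3.27\incredibarTlbr.dll
uRun: [Exetender] "c:\program files\free ride games\GPlayer.exe" /runonstartup
mRun: [avast] "c:\program files\avast software\avast\avastUI.exe" /nogui
IFEO: setup.exe - "c:\program files\tuneup utilities 2012\TUAutoReactivator32.exe"
FF - prefs.js: keyword.URL - hxxp://mystart.incredibar.com/mb119/?loc=IB_DS&a=6Oysndgc9f&&I=26&search=
user_pref('extensions.autoDisableScopes', 0);user_pref('security.csp.enable', false);user_pref('security.OCSP.enabled', 0);
"""


@dataclass
class Finding:
    kind: str      # BHO, TB, Run, IFEO, StartPage, FFPref
    name: str
    detail: str
    reason: str


COM_RE = re.compile(r"^(BHO|TB): (.+?): \{([0-9A-Fa-f-]{36})\} - (.+)$")
RUN_RE = re.compile(r"^([umd])Run: \[([^\]]+)\] (.+)$")
IFEO_RE = re.compile(r'^IFEO: (\S+) - "?([^"]+)"?$')
START_RE = re.compile(r"^[umd]?Start Page = (.+)$")
FFPREF_RE = re.compile(r"^FF - (?:prefs|user)\.js: (\S+) - ?(.*)$")
USERPREF_RE = re.compile(r"user_pref\('([^']+)',\s*([^)]+)\)")


def _adware_hit(*fields):
    """First adware indicator found in the joined fields, or None."""
    blob = " ".join(fields).lower()
    return next((i for i in ADWARE_INDICATORS if i in blob), None)


def parse_line(line):
    """Return the Findings for one DDS line (empty list if nothing to report)."""
    line = line.strip()
    findings = []
    if m := COM_RE.match(line):
        kind, name, clsid, path = m.groups()
        if hit := _adware_hit(name, path):
            findings.append(Finding(kind, name, f"{{{clsid}}} {path}", f"adware indicator '{hit}'"))
    elif m := RUN_RE.match(line):
        scope, name, cmd = m.groups()
        if hit := _adware_hit(name, cmd):
            findings.append(Finding("Run", name, f"{scope}Run {cmd}", f"adware indicator '{hit}'"))
    elif m := IFEO_RE.match(line):
        exe, debugger = m.groups()
        # An IFEO 'Debugger' value makes Windows start the named program instead of
        # exe. Legitimate tools use it too (TuneUp here), so every entry is reviewed.
        findings.append(Finding("IFEO", exe, debugger, "IFEO debugger redirect: verify it is expected"))
    elif m := START_RE.match(line):
        if hit := _adware_hit(m.group(1)):
            findings.append(Finding("StartPage", "Start Page", m.group(1), f"adware indicator '{hit}'"))
    elif m := FFPREF_RE.match(line):
        key, value = m.groups()
        if hit := _adware_hit(key, value):
            findings.append(Finding("FFPref", key, value, f"adware indicator '{hit}'"))
        elif WEAK_PREFS.get(key.lower()) == value.strip().lower():
            findings.append(Finding("FFPref", key, value, "security control disabled"))
    # user_pref(...) calls may be run together on one line; check each of them.
    for key, value in USERPREF_RE.findall(line):
        v = value.strip().lower()
        if WEAK_PREFS.get(key.lower()) == v:
            findings.append(Finding("FFPref", key, v, "security control disabled"))
    return findings


def triage(text):
    """All Findings for a block of DDS report text, in log order."""
    return [f for line in text.splitlines() for f in parse_line(line)]


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.kind}] {f.name}: {f.reason}\n    {f.detail}")
```

Run against the sample it reports the two Incredibar COM objects, the Coupon Companion BHO, the TuneUp IFEO redirect (for review, not as malware), the hijacked keyword.URL search setting, and the three weakened Firefox prefs; the legitimate Adobe, avast! and Run entries produce nothing. The weak-pref check is the part worth keeping after cleanup: a cleaner may remove the extension but leave user.js in place, so the profile stays with CSP and OCSP switched off until the prefs are reset.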
Hi there!

ComboFix scan

Please download ComboFix by sUBs from TechSpot.

Direct Link (alternative)

Please save the file to your Desktop.

Important information about ComboFix


After the download:
  • Close any open browsers.
  • Very Important: Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results". Please visit here if you don't know how.
  • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
  • Please do not attempt to re-connect your machine back to the Internet until ComboFix has completely finished.
  • If there is no Internet connection after running ComboFix, then restart your computer to restore back your connection.
Running ComboFix:
  • Double click on ComboFix.exe & follow the prompts.
  • When ComboFix finishes, it will produce a report for you.
  • Please post the report in your next reply. It will open automatically, or can be found at "C:\Combo-Fix.txt".
Troubleshooting ComboFix

Safe Mode:

If you still cannot get ComboFix to run, try booting into Safe Mode, and run it there.

(To boot into Safe Mode, tap F8 after the BIOS screen and just before the Windows logo appears. A list of options will appear; select "Safe Mode.")

Re-downloading:

If this doesn't work either, try the same method as above, but download it again and rename ComboFix.exe to iexplore.exe, explorer.exe, or winlogon.exe.

Malware is known for blocking all "user" processes, except for its whitelist of system important processes such as iexplore.exe, explorer.exe, winlogon.exe.

NOTE: If you encounter a message "illegal operation attempted on registry key that has been marked for deletion" and no programs will run - please just reboot and that will resolve that error.


Adware Cleaning

Please download AdwCleaner by Xplode onto your Desktop.
  • Double click on AdwCleaner.exe to run the tool.
  • Click on Delete.
  • A logfile will automatically open after the scan has finished.
  • Please post the content of that logfile in your reply.
  • You can find the logfile at C:\AdwCleaner[Rn].txt as well - n is the order number.


Junkware Removal Tool

Please download Junkware Removal Tool to your desktop.
  • Warning! Once the scan is complete JRT will shut down your browser with NO warning.
  • Shut down your protection software now to avoid potential conflicts.
  • Temporarily disable your antivirus and any antispyware real time protection before performing a scan. Click this link to see a list of security programs that should be disabled and how to disable them.
  • Run the tool by double-clicking it. If you are using Windows Vista or Windows 7, right-click JRT and select Run as Administrator
  • The tool will open and start scanning your system.
  • Please be patient as this can take a while to complete depending on your system's specifications.
  • On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
  • Copy and Paste the JRT.txt log into your next message.
 
Thank you for your help so far. I hope I am still getting you the correct results you asked for. I am also getting a pop-up error message every time on reboot. I have taken a screen capture (.jpg) of it in case it is important at this time; if not, sorry for the unnecessary addition. Here are your requested logs:

ComboFix 13-01-27.03 - Administrator 01/27/2013 10:21:11.2.2 - x86
Microsoft Windows 7 Professional 6.1.7601.1.1252.1.1033.18.1782.1058 [GMT -5:00]
Running from: c:\users\Administrator\Downloads\ComboFix.exe
AV: avast! Antivirus *Disabled/Updated* {2B2D1395-420B-D5C9-657E-930FE358FC3C}
SP: avast! Antivirus *Disabled/Updated* {904CF271-6431-DA47-5FCE-A87D98DFB681}
* Created a new restore point
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\program files\Coupon Companion Plugin\CoUPon companion plugin.dll
c:\program files\Incredibar.com
c:\program files\Incredibar.com\incredibar\1.5.3.27\bh\incredibar.dll
c:\program files\Incredibar.com\incredibar\1.5.3.27\incredibar.crx
c:\program files\Incredibar.com\incredibar\1.5.3.27\incredibarApp.dll
c:\program files\Incredibar.com\incredibar\1.5.3.27\incredibarEng.dll
c:\program files\Incredibar.com\incredibar\1.5.3.27\incredibarsrv.exe
c:\program files\Incredibar.com\incredibar\1.5.3.27\incredibarTlbr.dll
c:\program files\Incredibar.com\incredibar\1.5.3.27\uninstall.exe
c:\programdata\100
c:\programdata\3002.abs
c:\programdata\3002.xml
.
.
((((((((((((((((((((((((( Files Created from 2012-12-27 to 2013-01-27 )))))))))))))))))))))))))))))))
.
.
2013-01-27 15:51 . 2013-01-27 15:51 -------- d-----w- c:\users\user\AppData\Local\temp
2013-01-27 15:51 . 2013-01-27 15:51 -------- d-----w- c:\users\Public\AppData\Local\temp
2013-01-27 15:51 . 2013-01-27 15:51 -------- d-----w- c:\users\Default\AppData\Local\temp
2013-01-25 18:18 . 2012-12-14 21:49 21104 ----a-w- c:\windows\system32\drivers\mbam.sys
2013-01-25 18:18 . 2013-01-25 18:18 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2013-01-25 18:16 . 2013-01-25 18:16 -------- d-----w- c:\users\Administrator\AppData\Local\Programs
2013-01-25 05:40 . 2012-10-30 23:51 361032 ----a-w- c:\windows\system32\drivers\aswSP.sys
2013-01-25 05:40 . 2012-10-30 23:51 21256 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2013-01-25 05:40 . 2012-10-15 16:59 44784 ----a-w- c:\windows\system32\drivers\aswRdr2.sys
2013-01-25 05:40 . 2012-10-30 23:51 54232 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2013-01-25 05:40 . 2012-10-30 23:51 738504 ----a-w- c:\windows\system32\drivers\aswSnx.sys
2013-01-25 05:40 . 2012-10-30 23:51 58680 ----a-w- c:\windows\system32\drivers\aswMonFlt.sys
2013-01-25 05:40 . 2012-10-30 23:51 41224 ----a-w- c:\windows\avastSS.scr
2013-01-25 05:40 . 2012-10-30 23:50 227648 ----a-w- c:\windows\system32\aswBoot.exe
2013-01-25 05:12 . 2013-01-25 05:12 -------- d-----w- c:\users\Administrator\AppData\Roaming\Roxio
2013-01-24 14:22 . 2013-01-24 14:22 97 ----a-w- c:\users\Administrator\AppData\Roaming\netstat.bat
2013-01-20 08:31 . 2013-01-20 08:31 -------- d-----w- c:\program files\NirSoft
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2013-01-27 15:52 . 2010-10-07 00:01 17920 ----a-w- c:\windows\system32\rpcnetp.exe
2013-01-27 15:52 . 2010-07-28 16:16 58288 ----a-w- c:\windows\system32\rpcnet.dll
2012-12-09 00:01 . 2012-12-08 23:39 181064 ----a-w- c:\windows\PSEXESVC.EXE
2013-01-18 23:32 . 2013-01-18 23:32 262552 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]
@="{472083B0-C522-11CF-8763-00608CC02F24}"
[HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]
2012-10-30 23:50 121528 ----a-w- c:\program files\AVAST Software\Avast\ashShell.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\GDriveBlacklistedOverlay]
@="{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D42}"
[HKEY_CLASSES_ROOT\CLSID\{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D42}]
2012-12-18 00:50 556648 ----a-w- c:\program files\Google\Drive\googledrivesync32.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\GDriveSharedOverlay]
@="{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D43}"
[HKEY_CLASSES_ROOT\CLSID\{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D43}]
2012-12-18 00:50 556648 ----a-w- c:\program files\Google\Drive\googledrivesync32.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\GDriveSyncedOverlay]
@="{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D40}"
[HKEY_CLASSES_ROOT\CLSID\{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D40}]
2012-12-18 00:50 556648 ----a-w- c:\program files\Google\Drive\googledrivesync32.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\GDriveSyncingOverlay]
@="{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D41}"
[HKEY_CLASSES_ROOT\CLSID\{81539FE6-33C7-4CE7-90C7-1C7B8F2F2D41}]
2012-12-18 00:50 556648 ----a-w- c:\program files\Google\Drive\googledrivesync32.dll
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HPAdvisorDock"="c:\program files\Hewlett-Packard\HP Advisor\DOCK\HPAdvisorDock.exe" [2010-02-10 1515576]
"RoboForm"="c:\program files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe" [2011-09-29 107000]
"Exetender"="c:\program files\Free Ride Games\GPlayer.exe" [2012-09-03 4895192]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2010-06-03 1791272]
"SysTrayApp"="c:\program files\IDT\WDM\sttray.exe" [2011-11-06 495708]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2010-06-25 202256]
"avast"="c:\program files\AVAST Software\Avast\avastUI.exe" [2012-10-30 4297136]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Exetender"="c:\program files\Free Ride Games\GPlayer.exe" [2012-09-03 4895192]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
"EnableLinkedConnections"= 1 (0x1)
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\rpcnet]
@="Service"
.
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"LightScribe Control Panel"=c:\program files\Common Files\LightScribe\LightScribeControlPanel.exe -hidden
"CPN Notifier"=c:\program files\Lock Poker\PokerNotifier.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"accrdsub"="c:\program files\ActivIdentity\ActivClient\accrdsub.exe"
"acevents"="c:\program files\ActivIdentity\ActivClient\acevents.exe"
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
"estar"=c:\system.sav\Util\HideDOS.EXE c:\system.sav\util\estartwk\twk7.bat
"NortonOnlineBackupReminder"="c:\program files\Symantec\Norton Online Backup\Activation\NOBuActivation.exe" UNATTENDED
"PDF Complete"=c:\program files\PDF Complete\pdfsty.exe
"QLBController"=c:\program files\Hewlett-Packard\HP HotKey Support\QLBController.exe /start
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" -atboottime
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" -osboot
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe"
"HPWirelessAssistant"=c:\program files\Hewlett-Packard\HP Wireless Assistant\DelayedAppStarter.exe 120 c:\program files\Hewlett-Packard\HP Wireless Assistant\HPWA_Main.exe /hidden
"HPPowerAssistant"=c:\program files\Hewlett-Packard\HP Power Assistant\DelayedAppStarter.exe 120 c:\program files\Hewlett-Packard\HP Power Assistant\HPPA_Main.exe /hidden
"File Sanitizer"=c:\program files\Hewlett-Packard\File Sanitizer\CoreShredder.exe
.
R1 SBRE;SBRE;c:\windows\system32\drivers\SBREDrv.sys [x]
R2 rimspci;rimspci;c:\windows\system32\DRIVERS\rimspe86.sys [x]
R2 risdpcie;risdpcie;c:\windows\system32\DRIVERS\risdpe86.sys [x]
R2 rixdpcie;rixdpcie;c:\windows\system32\DRIVERS\rixdpe86.sys [x]
R2 X6XSEx_Pr143;X6XSEx_Pr143;c:\program files\Free Ride Games\X6XSEx_Pr143.Sys [x]
R3 qcfilterhp2k;Gobi 2000 USB Composite Device Filter Driver(03F0-251D);c:\windows\system32\DRIVERS\qcfilterhp2k.sys [x]
R3 qcusbnethp2k;Gobi 2000 USB-NDIS miniport(03F0-251D);c:\windows\system32\DRIVERS\qcusbnethp2k.sys [x]
R3 qcusbserhp2k;Gobi 2000 USB Device for Legacy Serial Communication(03F0-251D);c:\windows\system32\DRIVERS\qcusbserhp2k.sys [x]
R3 RoxMediaDB10;RoxMediaDB10;c:\program files\Common Files\Roxio Shared\10.0\SharedCOM\RoxMediaDB10.exe [x]
R3 RoxMediaDB12OEM;RoxMediaDB12OEM;c:\program files\Common Files\Roxio Shared\OEM\12.0\SharedCOM\RoxMediaDB12OEM.exe [x]
R3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt86win7.sys [x]
R3 rtsuvc;HP Webcam [2 MP Fixed];c:\windows\system32\DRIVERS\rtsuvc.sys [x]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [x]
R3 vpcuxd;USB Virtualization Stub Service;c:\windows\system32\drivers\vpcuxd.sys [x]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [x]
R3 yukonw7;NDIS6.2 Miniport Driver for Marvell Yukon Ethernet Controller;c:\windows\system32\DRIVERS\yk62x86.sys [x]
R4 HP Power Assistant Service;HP Power Assistant Service;c:\program files\Hewlett-Packard\HP Power Assistant\HPPA_Service.exe [x]
R4 HP Wireless Assistant Service;HP Wireless Assistant Service;c:\program files\Hewlett-Packard\HP Wireless Assistant\HPWA_Service.exe [x]
R4 hpHotkeyMonitor;HP Hotkey Monitor;c:\program files\Hewlett-Packard\HP HotKey Support\hpHotkeyMonitor.exe [x]
S0 Lbd;Lbd;c:\windows\system32\DRIVERS\Lbd.sys [x]
S1 aswSnx;aswSnx; [x]
S1 aswSP;aswSP; [x]
S2 ac.sharedstore;ActivIdentity Shared Store Service;c:\program files\Common Files\ActivIdentity\ac.sharedstore.exe [x]
S2 AESTFilters;Andrea ST Filters Service;c:\program files\IDT\WDM\aestsrv.exe [x]
S2 AMD External Events Utility;AMD External Events Utility;c:\windows\system32\atiesrxx.exe [x]
S2 aswFsBlk;aswFsBlk; [x]
S2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [x]
S2 HPDayStarterService;HP DayStarter Service;c:\program files\Hewlett-Packard\HP QuickLook\HPDayStarterService.exe [x]
S2 HPFSService;File Sanitizer for HP ProtectTools;c:\program files\Hewlett-Packard\File Sanitizer\HPFSService.exe [x]
S2 hpsrv;HP Service;c:\windows\system32\Hpservice.exe [x]
S2 MBAMScheduler;MBAMScheduler;c:\program files\Malwarebytes' Anti-Malware\mbamscheduler.exe [x]
S2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [x]
S2 pdfcDispatcher;PDF Document Manager;c:\program files\PDF Complete\pdfsvc.exe [x]
S2 PdiService;Portrait Displays SDK Service;c:\program files\Common Files\Portrait Displays\Drivers\pdisrvc.exe [x]
S2 QDLService2kHP;Qualcomm Gobi 2000 Download Service (HP);c:\program files\QUALCOMM\QDLService2k\QDLService2kHP.exe [x]
S2 rpcld;Remote Procedure Call (RPC) LD;c:\programdata\Rpcnet\Bin\rpcld.exe [x]
S2 TuneUp.UtilitiesSvc;TuneUp Utilities Service;c:\program files\TuneUp Utilities 2012\TuneUpUtilitiesService32.exe [x]
S2 vcsFPService;Validity VCS Fingerprint Service;c:\windows\system32\vcsFPService.exe [x]
S3 btwl2cap;Bluetooth L2CAP Service;c:\windows\system32\DRIVERS\btwl2cap.sys [x]
S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [x]
S3 TuneUpUtilitiesDrv;TuneUpUtilitiesDrv;c:\program files\TuneUp Utilities 2012\TuneUpUtilitiesDriver32.sys [x]
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
2010-02-22 18:38 451872 ----a-w- c:\program files\Common Files\LightScribe\LSRunOnce.exe
.
Contents of the 'Scheduled Tasks' folder
.
2013-01-27 c:\windows\Tasks\CodecUpdaterTask{110261C5-0AD3-48E4-B17F-3631829EA6CD}.job
- c:\programdata\Premium\Codec\Codec.exe [2012-09-22 12:31]
.
2012-10-19 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-09-23 23:48]
.
2012-10-19 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-09-23 23:48]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.ask.com/?l=dis&o=102874&gct=hp
TCP: DhcpNameServer = 192.168.1.1 205.152.37.23
FF - ProfilePath - c:\users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\xibtwus7.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxps://www.google.com/
FF - prefs.js: keyword.URL - hxxp://mystart.incredibar.com/mb119/?loc=IB_DS&a=6Oysndgc9f&&I=26&search=
FF - prefs.js: network.proxy.gopher -
FF - prefs.js: network.proxy.gopher_port - 0
FF - prefs.js: network.proxy.type - 0
FF - ExtSQL: 2012-12-22 05:42; plugin@selectionlinks.com; c:\users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\xibtwus7.default\extensions\plugin@selectionlinks.com
FF - ExtSQL: 2012-12-22 05:45; wecarereminder@bryan; c:\users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\xibtwus7.default\extensions\wecarereminder@bryan
FF - ExtSQL: 2013-01-25 00:48; wrc@avast.com; c:\program files\AVAST Software\Avast\WebRep\FF
FF - user.js: extensions.incredibar_i.newTab - false
FF - user.js: extensions.incredibar_i.tlbrSrchUrl - hxxp://mystart.Incredibar.com/?a=6Oysndgc9f&loc=IB_TB&I=26&search=
FF - user.js: extensions.incredibar_i.id - a063e759000000000000cc52aff747fc
FF - user.js: extensions.incredibar_i.hardId - a063e759000000000000cc52aff747fc
FF - user.js: extensions.incredibar_i.instlDay - 15379
FF - user.js: extensions.incredibar_i.vrsn - 1.5.3.27
FF - user.js: extensions.incredibar_i.vrsni - 1.5.3.27
FF - user.js: extensions.incredibar_i.vrsnTs - 1.5.3.2711:07
FF - user.js: extensions.incredibar_i.prtnrId - Incredibar
FF - user.js: extensions.incredibar_i.prdct - incredibar
FF - user.js: extensions.incredibar_i.aflt - orgnl
FF - user.js: extensions.incredibar_i.smplGrp - none
FF - user.js: extensions.incredibar_i.tlbrId - base
FF - user.js: extensions.incredibar_i.instlRef -
FF - user.js: extensions.incredibar_i.dfltLng -
FF - user.js: extensions.incredibar_i.excTlbr - false
FF - user.js: extensions.incredibar_i.ms_url_id -
FF - user.js: extensions.incredibar_i.upn2 - 6Oysndgc9f
FF - user.js: extensions.incredibar_i.upn2n - 92260871127040989
FF - user.js: extensions.incredibar_i.productid - 26
FF - user.js: extensions.incredibar_i.installerproductid - 26
FF - user.js: extensions.incredibar_i.did - 10606
FF - user.js: extensions.incredibar_i.ppd - 48
FF - user.js: network.http.max-persistent-connections-per-server - 4
FF - user.js: nglayout.initialpaint.delay - 600
FF - user.js: content.notify.interval - 600000
FF - user.js: content.max.tokenizing.time - 1800000
FF - user.js: content.switch.threshold - 600000
user_pref('extensions.autoDisableScopes', 0);user_pref('security.csp.enable', false);user_pref('security.OCSP.enabled', 0);
.
- - - - ORPHANS REMOVED - - - -
.
AddRemove-incredibar - c:\program files\Incredibar.com\incredibar\1.5.3.27\uninstall.exe
.
.
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\services\pdfcDispatcher]
"ImagePath"="c:\program files\PDF Complete\pdfsvc.exe /startedbyscm:66B66708-40E2BE4D-pdfcService"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-806783369-3586686801-2702779342-500\Software\Microsoft\Internet Explorer\Approved Extensions]
@Denied: (2) (Administrator)
@Allowed: (Read) (RestrictedCode)
.
[HKEY_USERS\S-1-5-21-806783369-3586686801-2702779342-500\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration]
@Denied: (2) (Administrator)
"Timestamp"=hex:74,4d,92,f2,3f,fa,cd,01
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'Explorer.exe'(5412)
c:\program files\Hewlett-Packard\HP Support Framework\Resources\HPSFMessenger\HPSFTaskbar.dll
c:\program files\WIDCOMM\Bluetooth Software\btncopy.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\IDT\WDM\STacSV.exe
c:\windows\system32\atieclxx.exe
c:\windows\system32\WLANExt.exe
c:\program files\AVAST Software\Avast\AvastSvc.exe
c:\windows\system32\conhost.exe
c:\program files\LSI SoftModem\agrsmsvc.exe
c:\program files\WIDCOMM\Bluetooth Software\btwdins.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\windows\system32\rpcnet.exe
c:\windows\system32\WUDFHost.exe
c:\windows\system32\taskhost.exe
c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe
c:\program files\TuneUp Utilities 2012\TuneUpUtilitiesApp32.exe
c:\windows\system32\conhost.exe
c:\program files\Synaptics\SynTP\SynTPHelper.exe
c:\program files\Hewlett-Packard\HP Advisor\HPAdvisor.exe
c:\windows\system32\Mystify.scr
.
**************************************************************************
.
Completion time: 2013-01-27 13:51:02 - machine was rebooted
ComboFix-quarantined-files.txt 2013-01-27 18:51
ComboFix2.txt 2012-01-12 21:23
.
Pre-Run: 213,462,233,088 bytes free
Post-Run: 213,562,081,280 bytes free
.
- - End Of File - - 90BE8C52207A225D45D0C719E641C8D3


# AdwCleaner v2.109 - Logfile created 01/27/2013 at 18:26:43
# Updated 26/01/2013 by Xplode
# Operating system : Windows 7 Professional Service Pack 1 (32 bits)
# User : Administrator - USER-HP
# Boot Mode : Normal
# Running from : C:\Users\Administrator\Downloads\adwcleaner.exe
# Option [Delete]


***** [Services] *****


***** [Files / Folders] *****

Deleted on reboot : C:\ProgramData\Premium
File Deleted : C:\user.js
File Deleted : C:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\xibtwus7.default\searchplugins\Askcom.xml
File Deleted : C:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\xibtwus7.default\searchplugins\MyStart Search.xml
Folder Deleted : C:\Program Files\Ilivid
Folder Deleted : C:\Program Files\OApps
Folder Deleted : C:\ProgramData\{B49A644A-1076-4A3D-B124-DAA7862F2318}
Folder Deleted : C:\ProgramData\InstallMate
Folder Deleted : C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Ilivid
Folder Deleted : C:\ProgramData\WeCareReminder
Folder Deleted : C:\Users\Administrator\AppData\Local\APN
Folder Deleted : C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\jpnbdefcbnoefmmcpelplabbkfmfhlho
Folder Deleted : C:\Users\Administrator\AppData\Local\Ilivid Player
Folder Deleted : C:\Users\Administrator\AppData\LocalLow\incredibar.com
Folder Deleted : C:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\xibtwus7.default\extensions\crossriderapp435@crossrider.com
Folder Deleted : C:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\xibtwus7.default\extensions\wecarereminder@bryan

***** [Registry] *****

Key Deleted : HKCU\Software\AppDataLow\Software\Crossrider
Key Deleted : HKCU\Software\Headlight
Key Deleted : HKCU\Software\ilivid
Key Deleted : HKCU\Software\IM
Key Deleted : HKCU\Software\ImInstaller
Key Deleted : HKCU\Software\incredibar.com
Key Deleted : HKCU\Software\InstalledBrowserExtensions
Key Deleted : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{CFF4DB9B-135F-47C0-9269-B4C6572FD61A}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{D824F0DE-3D60-4F57-9EB1-66033ECD8ABB}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{D824F0DE-3D60-4F57-9EB1-66033ECD8ABB}
Key Deleted : HKCU\Software\wecarereminder
Key Deleted : HKLM\SOFTWARE\Classes\AppID\{09C554C3-109B-483C-A06B-F14172F1A947}
Key Deleted : HKLM\SOFTWARE\Classes\AppID\{4E1E9D45-8BF9-4139-915C-9F83CC3D5921}
Key Deleted : HKLM\SOFTWARE\Classes\AppID\{4FBBF769-ECEB-420A-B536-133B1D505C36}
Key Deleted : HKLM\SOFTWARE\Classes\AppID\{608D3067-77E8-463D-9084-908966806826}
Key Deleted : HKLM\SOFTWARE\Classes\AppID\{B12E99ED-69BD-437C-86BE-C862B9E5444D}
Key Deleted : HKLM\SOFTWARE\Classes\AppID\{CFE8AAFD-A0F3-4329-84E9-6B679EC93EC2}
Key Deleted : HKLM\SOFTWARE\Classes\AppID\{D7EE8177-D51E-4F89-92B6-83EA2EC40800}
Key Deleted : HKLM\SOFTWARE\Classes\AppID\escort.DLL
Key Deleted : HKLM\SOFTWARE\Classes\AppID\escortApp.DLL
Key Deleted : HKLM\SOFTWARE\Classes\AppID\escortEng.DLL
Key Deleted : HKLM\SOFTWARE\Classes\AppID\escorTlbr.DLL
Key Deleted : HKLM\SOFTWARE\Classes\AppID\esrv.EXE
Key Deleted : HKLM\SOFTWARE\Classes\AppID\IEHelperv2.5.0.DLL
Key Deleted : HKLM\SOFTWARE\Classes\Applications\ilividsetupv1.exe
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{C01315C7-B4E2-4864-B43D-5FAFC414D179}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{C1545464-C77C-4130-A572-1C619E2895FE}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{D824F0DE-3D60-4F57-9EB1-66033ECD8ABB}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{ED0E67AD-926C-4008-87E5-03CF72AA2A7E}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{EF7FEC6D-451B-4452-9D26-7E10C6B5DB6E}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{F773BB94-6C19-4643-A570-0E429103D1C3}
Key Deleted : HKLM\SOFTWARE\Classes\CrossriderApp0000435.FBApi
Key Deleted : HKLM\SOFTWARE\Classes\CrossriderApp0000435.FBApi.1
Key Deleted : HKLM\SOFTWARE\Classes\CrossriderApp0000435.Sandbox
Key Deleted : HKLM\SOFTWARE\Classes\CrossriderApp0000435.Sandbox.1
Key Deleted : HKLM\SOFTWARE\Classes\CrossriderApp0021804.BHO
Key Deleted : HKLM\SOFTWARE\Classes\CrossriderApp0021804.Sandbox
Key Deleted : HKLM\SOFTWARE\Classes\CrossriderApp0021804.Sandbox.1
Key Deleted : HKLM\SOFTWARE\Classes\escort.escortIEPane
Key Deleted : HKLM\SOFTWARE\Classes\escort.escortIEPane.1
Key Deleted : HKLM\SOFTWARE\Classes\escort.escrtBtn.1
Key Deleted : HKLM\SOFTWARE\Classes\esrv.IncredibarESrvc
Key Deleted : HKLM\SOFTWARE\Classes\esrv.IncredibarESrvc.1
Key Deleted : HKLM\SOFTWARE\Classes\I
Key Deleted : HKLM\SOFTWARE\Classes\IEHelperv250.WeCareReminder
Key Deleted : HKLM\SOFTWARE\Classes\IEHelperv250.WeCareReminder.1
Key Deleted : HKLM\SOFTWARE\Classes\ilivid
Key Deleted : HKLM\SOFTWARE\Classes\IncredibarApp.appCore
Key Deleted : HKLM\SOFTWARE\Classes\IncredibarApp.appCore.1
Key Deleted : HKLM\Software\Classes\Installer\Features\2B1E51D87B2D71A44BB42DDD5E894160
Key Deleted : HKLM\Software\Classes\Installer\Products\2B1E51D87B2D71A44BB42DDD5E894160
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{22B0769F-794B-4422-AC84-47B123C8986D}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{255E0B2A-D747-4EEF-B7CE-159D73A3656D}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{28ED590D-F5ED-4E05-A87F-1D759F1C6169}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{45D5B93F-E2ED-4AF2-915E-DCDDBDA8C33C}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{771B99AB-636F-4A11-9039-8DFEB927B061}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{A8321AA2-2227-40C7-8525-6C2F4E1B0EBE}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{AA41A731-6814-4A70-A6F1-C0A20FBBFBD5}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{ABBB8A9E-D8AF-40D1-94BE-5175077465FC}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{BF737694-56F6-46FA-9FDC-FA99A5B25FAD}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{CFCD164E-8AC9-478E-9ECC-B616A932016C}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{D5961CC0-B442-4567-8030-67E241EF4CC2}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{E450067F-1C93-41A7-928E-07E5C2EEC680}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{F0356CB6-4AB7-425B-A31C-0369E0CB5E81}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{F773BB94-6C19-4643-A570-0E429103D1C3}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{F977D9F2-4BDC-44A6-B508-7C0284C61EED}
Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{48C9C8B0-A546-46C1-A81F-47A31E623E9D}
Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{B12920CF-BE13-4C09-890D-1B6EFFFE2FBE}
Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}
Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{CFE8AAFD-A0F3-4329-84E9-6B679EC93EC2}
Key Deleted : HKLM\SOFTWARE\Classes\TypeLib\{D7EE8177-D51E-4F89-92B6-83EA2EC40800}
Key Deleted : HKLM\Software\Conduit
Key Deleted : HKLM\SOFTWARE\Google\Chrome\Extensions\jpnbdefcbnoefmmcpelplabbkfmfhlho
Key Deleted : HKLM\Software\ilivid
Key Deleted : HKLM\Software\incredibar.com
Key Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{74C36554-31F0-49DD-8857-ED6A64DF45BE}
Key Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{AC5B6CDA-8F90-4740-9A8C-28AC5D3C73FE}
Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\iLividSetupV1_RASAPI32
Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\iLividSetupV1_RASMANCS
Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\incredibar_install_RASAPI32
Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\incredibar_install_RASMANCS
Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\IncredibarToolbar_RASAPI32
Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\IncredibarToolbar_RASMANCS
Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\SetupDataMngr_Searchqu_RASAPI32
Key Deleted : HKLM\SOFTWARE\Microsoft\Tracing\SetupDataMngr_Searchqu_RASMANCS
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{D824F0DE-3D60-4F57-9EB1-66033ECD8ABB}
Key Deleted : HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\0FF2AEFF45EEA0A48A4B33C1973B6094
Key Deleted : HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\305B09CE8C53A214DB58887F62F25536
Key Deleted : HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\817FDB46B46DE8B4AAD499F1DAFF341D
Key Deleted : HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\A5A9327D31011C244A196F700637C701
Key Deleted : HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\C6B84CEB2810F104BA0E5FC5C8EACD7E
Key Deleted : HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\2B1E51D87B2D71A44BB42DDD5E894160
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{2EF17083-57D4-4D64-AE4F-55F32A2C4571}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{8D15E1B2-D2B7-4A17-B44B-D2DDE5981406}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ilivid
Value Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\New Windows\Allow [*.crossrider.com]

***** [Internet Browsers] *****

-\\ Internet Explorer v9.0.8112.16421

Replaced : [HKCU\Software\Microsoft\Internet Explorer\Main - Start Page] = hxxp://www.ask.com/?l=dis&o=102874&gct=hp --> hxxp://www.google.com

-\\ Mozilla Firefox v18.0.1 (en-US)

File : C:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\xibtwus7.default\prefs.js

C:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\xibtwus7.default\user.js ... Deleted !

Deleted : user_pref("browser.search.defaultengine", "Ask.com");
Deleted : user_pref("browser.search.defaultenginename", "Ask.com");
Deleted : user_pref("browser.search.order.1", "Ask.com");
Deleted : user_pref("extensions.505d44cb54699.scode", "(function(){try{if('aol.com,mail.google.com,premiumrepo[...]
Deleted : user_pref("extensions.crossriderapp21804.adsOldValue", -1);
Deleted : user_pref("extensions.crossriderapp435.435.InstallationThankYouPage", true);
Deleted : user_pref("extensions.crossriderapp435.435.InstallationTime", 1328803723);
Deleted : user_pref("extensions.crossriderapp435.435.InstallationUserSettings.searchUserConifrmation", false);
Deleted : user_pref("extensions.crossriderapp435.435.InstallationUserSettings.setHomepage", false);
Deleted : user_pref("extensions.crossriderapp435.435.InstallationUserSettings.setNewTab", false);
Deleted : user_pref("extensions.crossriderapp435.435.InstallationUserSettings.setSearch", false);
Deleted : user_pref("extensions.crossriderapp435.435.active", true);
Deleted : user_pref("extensions.crossriderapp435.435.addressbar", "");
Deleted : user_pref("extensions.crossriderapp435.435.addressbarenhanced", "");
Deleted : user_pref("extensions.crossriderapp435.435.affid", "0");
Deleted : user_pref("extensions.crossriderapp435.435.backgroundjs", "\n//------------------ PLUGIN START --[...]
Deleted : user_pref("extensions.crossriderapp435.435.backgroundver", 8);
Deleted : user_pref("extensions.crossriderapp435.435.certdomaininstaller", "");
Deleted : user_pref("extensions.crossriderapp435.435.changeprevious", false);
Deleted : user_pref("extensions.crossriderapp435.435.cookie.InstallationTime.expiration", "Fri Feb 01 2030 00:[...]
Deleted : user_pref("extensions.crossriderapp435.435.cookie.InstallationTime.value", "1328803723");
Deleted : user_pref("extensions.crossriderapp435.435.cookie.InstallerParams.expiration", "Fri Feb 01 2030 00:0[...]
Deleted : user_pref("extensions.crossriderapp435.435.cookie._GPL_aoi.expiration", "Fri Feb 01 2030 00:00:00 GM[...]
Deleted : user_pref("extensions.crossriderapp435.435.cookie._GPL_aoi.value", "%221328803788%22");
Deleted : user_pref("extensions.crossriderapp435.435.cookie._GPL_parent_zoneid.expiration", "Fri Feb 01 2030 0[...]
Deleted : user_pref("extensions.crossriderapp435.435.cookie._GPL_parent_zoneid.value", "%2218727%22");
Deleted : user_pref("extensions.crossriderapp435.435.cookie._GPL_zoneid.expiration", "Fri Feb 01 2030 00:00:00[...]
Deleted : user_pref("extensions.crossriderapp435.435.cookie._GPL_zoneid.value", "%2218800%22");
Deleted : user_pref("extensions.crossriderapp435.435.cookie.__GPL_ID.expiration", "Fri Feb 01 2030 00:00:00 GM[...]
Deleted : user_pref("extensions.crossriderapp435.435.cookie.__GPL_ID.value", "1466");
Deleted : user_pref("extensions.crossriderapp435.435.cookie.__GPL_custom_zoneid.expiration", "Fri Feb 01 2030 [...]
Deleted : user_pref("extensions.crossriderapp435.435.cookie.__GPL_custom_zoneid.value", "14969");
Deleted : user_pref("extensions.crossriderapp435.435.cookie.__GPL_pubid.expiration", "Fri Feb 01 2030 00:00:00[...]
Deleted : user_pref("extensions.crossriderapp435.435.cookie.__GPL_pubid.value", "%222993%22");
Deleted : user_pref("extensions.crossriderapp435.435.cookie.previous_page.expiration", "Fri Feb 01 2030 00:00:[...]
Deleted : user_pref("extensions.crossriderapp435.435.cookie.previous_page.value", "%22hxxp%3A//www.techspot.co[...]
Deleted : user_pref("extensions.crossriderapp435.435.description", "Premiumplay Codec check");
Deleted : user_pref("extensions.crossriderapp435.435.domain", "");
Deleted : user_pref("extensions.crossriderapp435.435.emailsig", "");
Deleted : user_pref("extensions.crossriderapp435.435.enablesearch", false);
Deleted : user_pref("extensions.crossriderapp435.435.exposesites", "");
Deleted : user_pref("extensions.crossriderapp435.435.fbremoteurl", "");
Deleted : user_pref("extensions.crossriderapp435.435.group", 0);
Deleted : user_pref("extensions.crossriderapp435.435.homepage", "");
Deleted : user_pref("extensions.crossriderapp435.435.iframe", false);
Deleted : user_pref("extensions.crossriderapp435.435.js", "\n\n$jquery(document).ready(function() {\n \n $[...]
Deleted : user_pref("extensions.crossriderapp435.435.manifesturl", "");
Deleted : user_pref("extensions.crossriderapp435.435.name", "Codec-V");
Deleted : user_pref("extensions.crossriderapp435.435.newtab", "");
Deleted : user_pref("extensions.crossriderapp435.435.opensearch", "");
Deleted : user_pref("extensions.crossriderapp435.435.plugins.plugin_10.code", "if(!appAPI.matchPages(\"search.[...]
Deleted : user_pref("extensions.crossriderapp435.435.plugins.plugin_10.name", "app_435_specific");
Deleted : user_pref("extensions.crossriderapp435.435.plugins.plugin_10.ver", 4);
Deleted : user_pref("extensions.crossriderapp435.435.plugins.plugin_13.code", "(function(a){a.selectedText=fun[...]
Deleted : user_pref("extensions.crossriderapp435.435.plugins.plugin_13.name", "CrossriderAppUtils");
Deleted : user_pref("extensions.crossriderapp435.435.plugins.plugin_13.ver", 2);
Deleted : user_pref("extensions.crossriderapp435.435.plugins.plugin_14.code", "if(typeof(appAPI)===\"undefined[...]
Deleted : user_pref("extensions.crossriderapp435.435.plugins.plugin_14.name", "CrossriderUtils");
Deleted : user_pref("extensions.crossriderapp435.435.plugins.plugin_14.ver", 2);
Deleted : user_pref("extensions.crossriderapp435.435.plugins.plugin_15.code", "(function(f){var u={};var e=Mat[...]
Deleted : user_pref("extensions.crossriderapp435.435.plugins.plugin_15.name", "FacebookFFIE");
Deleted : user_pref("extensions.crossriderapp435.435.plugins.plugin_15.ver", 1);
Deleted : user_pref("extensions.crossriderapp435.435.plugins.plugin_16.code", "if((typeof isBackground===\"und[...]
Deleted : user_pref("extensions.crossriderapp435.435.plugins.plugin_16.name", "FFAppAPIWrapper");
Deleted : user_pref("extensions.crossriderapp435.435.plugins.plugin_16.ver", 4);
Deleted : user_pref("extensions.crossriderapp435.435.plugins.plugin_17.code", "if(typeof window!==\"undefined\[...]
Deleted : user_pref("extensions.crossriderapp435.435.plugins.plugin_17.name", "jQuery");
Deleted : user_pref("extensions.crossriderapp435.435.plugins.plugin_17.ver", 3);
Deleted : user_pref("extensions.crossriderapp435.435.plugins.plugin_47.code", "(function(){appAPI.ready=functi[...]
Deleted : user_pref("extensions.crossriderapp435.435.plugins.plugin_47.name", "resources_background");
Deleted : user_pref("extensions.crossriderapp435.435.plugins.plugin_47.ver", 1);
Deleted : user_pref("extensions.crossriderapp435.435.plugins.plugin_49.code", "if (!appAPI.monetize || appAPI.[...]
Deleted : user_pref("extensions.crossriderapp435.435.plugins.plugin_49.name", "similar_web");
Deleted : user_pref("extensions.crossriderapp435.435.plugins.plugin_49.ver", 3);
Deleted : user_pref("extensions.crossriderapp435.435.plugins.plugin_50.code", "function create_id(string_size)[...]
Deleted : user_pref("extensions.crossriderapp435.435.plugins.plugin_50.name", "similar_web_bg");
Deleted : user_pref("extensions.crossriderapp435.435.plugins.plugin_50.ver", 1);
Deleted : user_pref("extensions.crossriderapp435.435.plugins.plugin_60.code", "var MonitizationPluginsBase=fun[...]
Deleted : user_pref("extensions.crossriderapp435.435.plugins.plugin_60.name", "base_monetization");
Deleted : user_pref("extensions.crossriderapp435.435.plugins.plugin_60.ver", 1);
Deleted : user_pref("extensions.crossriderapp435.435.plugins.plugin_64.code", "(function(){var h=\"__CR_EMPTY_[...]
Deleted : user_pref("extensions.crossriderapp435.435.plugins.plugin_64.name", "appApiMessage");
Deleted : user_pref("extensions.crossriderapp435.435.plugins.plugin_64.ver", 1);
Deleted : user_pref("extensions.crossriderapp435.435.plugins.plugin_72.code", "if(appAPI.__should_activate_val[...]
Deleted : user_pref("extensions.crossriderapp435.435.plugins.plugin_72.name", "appApiValidation");
Deleted : user_pref("extensions.crossriderapp435.435.plugins.plugin_72.ver", 1);
Deleted : user_pref("extensions.crossriderapp435.435.plugins.plugin_78.code", "if(typeof jQuery!==\"undefined\[...]
Deleted : user_pref("extensions.crossriderapp435.435.plugins.plugin_78.name", "CrossriderInfo");
Deleted : user_pref("extensions.crossriderapp435.435.plugins.plugin_78.ver", 2);
Deleted : user_pref("extensions.crossriderapp435.435.plugins_lists.plugins_0", "14,78,16,64,47,72,50");
Deleted : user_pref("extensions.crossriderapp435.435.plugins_lists.plugins_1", "17,14,78,13,16,15,64,72,60,49,[...]
Deleted : user_pref("extensions.crossriderapp435.435.plugins_lists.plugins_5", "14,78,13,16,64,47,72");
Deleted : user_pref("extensions.crossriderapp435.435.pluginsurl", "hxxp://app-static.crossrider.com/plugin/app[...]
Deleted : user_pref("extensions.crossriderapp435.435.pluginsversion", 18);
Deleted : user_pref("extensions.crossriderapp435.435.premium", true);
Deleted : user_pref("extensions.crossriderapp435.435.publisher", "Premiumplay");
Deleted : user_pref("extensions.crossriderapp435.435.searchstatus", 0);
Deleted : user_pref("extensions.crossriderapp435.435.setnewtab", false);
Deleted : user_pref("extensions.crossriderapp435.435.settingsurl", "");
Deleted : user_pref("extensions.crossriderapp435.435.thankyou", "");
Deleted : user_pref("extensions.crossriderapp435.435.updateinterval", 360);
Deleted : user_pref("extensions.crossriderapp435.435.ver", 69);
Deleted : user_pref("extensions.crossriderapp435.adsOldValue", -1);
Deleted : user_pref("extensions.crossriderapp435.apps", "435");
Deleted : user_pref("extensions.crossriderapp435.bic", "13562e097ccc62bd8cb79bd7650d5f90");
Deleted : user_pref("extensions.crossriderapp435.cid", 435);
Deleted : user_pref("extensions.crossriderapp435.firstrun", false);
Deleted : user_pref("extensions.crossriderapp435.hadappinstalled", true);
Deleted : user_pref("extensions.crossriderapp435.installationdate", 1328803781);
Deleted : user_pref("extensions.crossriderapp435.jsver", 3);
Deleted : user_pref("extensions.crossriderapp435.lastcheck", 22654944);
Deleted : user_pref("extensions.crossriderapp435.lastcheckitem", 22654973);
Deleted : user_pref("extensions.crossriderapp435.misc.lastBgWorkerTimer", "1348360906427");
Deleted : user_pref("extensions.crossriderapp435.misc.lastDomWorkerTimer", "1348360906425");
Deleted : user_pref("extensions.crossriderapp435.modetype", "production");
Deleted : user_pref("extensions.enabledAddons", "secureLogin%40blueimp.net:1.0.3,support%40platinumhideip.com:[...]
Deleted : user_pref("extensions.incredibar.actvtyRptTime", "1348289603187");
Deleted : user_pref("extensions.incredibar.admin", false);
Deleted : user_pref("extensions.incredibar.aflt", "orgnl");
Deleted : user_pref("extensions.incredibar.cntry", "US");
Deleted : user_pref("extensions.incredibar.dfltLng", "");
Deleted : user_pref("extensions.incredibar.dfltSrch", false);
Deleted : user_pref("extensions.incredibar.did", "10606");
Deleted : user_pref("extensions.incredibar.hdrMd5", "33A8ED43832FFC6AE2CAB8D0435B4356");
Deleted : user_pref("extensions.incredibar.hmpg", false);
Deleted : user_pref("extensions.incredibar.id", "a063e759000000000000cc52aff747fc");
Deleted : user_pref("extensions.incredibar.installerproductid", "26");
Deleted : user_pref("extensions.incredibar.instlDay", "15379");
Deleted : user_pref("extensions.incredibar.instlRef", "");
Deleted : user_pref("extensions.incredibar.lastVrsnTs", "1.5.3.2711:07:01");
Deleted : user_pref("extensions.incredibar.newTab", false);
Deleted : user_pref("extensions.incredibar.noFFXTlbr", false);
Deleted : user_pref("extensions.incredibar.ppd", "48");
Deleted : user_pref("extensions.incredibar.prdct", "incredibar");
Deleted : user_pref("extensions.incredibar.productid", "26");
Deleted : user_pref("extensions.incredibar.prtnrId", "Incredibar");
Deleted : user_pref("extensions.incredibar.sg", "none");
Deleted : user_pref("extensions.incredibar.smplGrp", "none");
Deleted : user_pref("extensions.incredibar.tlbrId", "base");
Deleted : user_pref("extensions.incredibar.tlbrSrchUrl", "hxxp://mystart.Incredibar.com/?a=6Oysndgc9f&loc=IB_T[...]
Deleted : user_pref("extensions.incredibar.upn2", "6Oysndgc9f");
Deleted : user_pref("extensions.incredibar.upn2n", "92260871127040989");
Deleted : user_pref("extensions.incredibar.vrsn", "1.5.3.27");
Deleted : user_pref("extensions.incredibar.vrsnTs", "1.5.3.2711:07:01");
Deleted : user_pref("extensions.incredibar.vrsni", "1.5.3.27");
Deleted : user_pref("extensions.incredibar_i.aflt", "orgnl");
Deleted : user_pref("extensions.incredibar_i.dfltLng", "");
Deleted : user_pref("extensions.incredibar_i.did", "10606");
Deleted : user_pref("extensions.incredibar_i.excTlbr", "false");
Deleted : user_pref("extensions.incredibar_i.hardId", "a063e759000000000000cc52aff747fc");
Deleted : user_pref("extensions.incredibar_i.id", "a063e759000000000000cc52aff747fc");
Deleted : user_pref("extensions.incredibar_i.installerproductid", "26");
Deleted : user_pref("extensions.incredibar_i.instlDay", "15379");
Deleted : user_pref("extensions.incredibar_i.instlRef", "");
Deleted : user_pref("extensions.incredibar_i.ms_url_id", "");
Deleted : user_pref("extensions.incredibar_i.newTab", false);
Deleted : user_pref("extensions.incredibar_i.ppd", "48");
Deleted : user_pref("extensions.incredibar_i.prdct", "incredibar");
Deleted : user_pref("extensions.incredibar_i.productid", "26");
Deleted : user_pref("extensions.incredibar_i.prtnrId", "Incredibar");
Deleted : user_pref("extensions.incredibar_i.smplGrp", "none");
Deleted : user_pref("extensions.incredibar_i.tlbrId", "base");
Deleted : user_pref("extensions.incredibar_i.tlbrSrchUrl", "hxxp://mystart.Incredibar.com/?a=6Oysndgc9f&loc=IB[...]
Deleted : user_pref("extensions.incredibar_i.upn2", "6Oysndgc9f");
Deleted : user_pref("extensions.incredibar_i.upn2n", "92260871127040989");
Deleted : user_pref("extensions.incredibar_i.vrsn", "1.5.3.27");
Deleted : user_pref("extensions.incredibar_i.vrsnTs", "1.5.3.2711:07:01");
Deleted : user_pref("extensions.incredibar_i.vrsni", "1.5.3.27");
Deleted : user_pref("extensions.wecarereminder.merchHash", "{\"AFFILIATES\":{\"1-Sale-A-Day\":{\"name\":\"1 Sa[...]
Deleted : user_pref("keyword.URL", "hxxp://mystart.incredibar.com/mb119/?loc=IB_DS&a=6Oysndgc9f&&I=26&search="[...]

-\\ Google Chrome v22.0.1229.94

File : C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Preferences

Deleted [l.8] : homepage = "hxxp://www.ask.com/?l=dis&o=102874cr&gct=hp",
Deleted [l.12] : urls_to_restore_on_startup = [ "hxxp://www.ask.com/?l=dis&o=102874cr&gct=hp" ]
Deleted [l.304] : homepage = "hxxp://www.ask.com/?l=dis&o=102874cr&gct=hp",
Deleted [l.500] : urls_to_restore_on_startup = [ "hxxp://www.ask.com/?l=dis&o=102874cr&gct=hp" ]

*************************

AdwCleaner[S1].txt - [24745 octets] - [27/01/2013 18:26:43]

########## EOF - C:\AdwCleaner[S1].txt - [24806 octets] ##########


Junkware Removal Tool (JRT) by Thisisu
Version: 4.5.2 (01.26.2013:2)
OS: Windows 7 Professional x86
Ran by Administrator on Sun 01/27/2013 at 18:41:49.76
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~




~~~ Services



~~~ Registry Values



~~~ Registry Keys



~~~ Files



~~~ Folders

Successfully deleted: [Folder] "C:\ProgramData\codec-v"
Successfully deleted: [Folder] "C:\Users\Administrator\appdata\local\coupon companion plugin"
Successfully deleted: [Folder] "C:\Users\Administrator\appdata\local\premiumplay codec-c"
Successfully deleted: [Folder] "C:\Program Files\coupon companion plugin"
Successfully deleted: [Folder] "C:\Program Files\premiumplay codec-c"
Successfully deleted: [Folder] "C:\windows\system32\ai_recyclebin"



~~~ FireFox

Successfully deleted: [Folder] C:\Users\Administrator\AppData\Roaming\mozilla\firefox\profiles\xibtwus7.default\extensions\505d44cb545ee@505d44cb54627.com
Successfully deleted: [Folder] C:\Users\Administrator\AppData\Roaming\mozilla\firefox\profiles\xibtwus7.default\extensions\plugin@selectionlinks.com
Successfully deleted the following from C:\Users\Administrator\AppData\Roaming\mozilla\firefox\profiles\xibtwus7.default\prefs.js

user_pref("extensions.crossrider.bic", "13562e097ccc62bd8cb79bd7650d5f90");
user_pref("extensions.wrc.SearchRules.ask.com.style", ".WRCN {display:none} #yui-main .tsrc_vnru .title + .WRCN, #yui-main #teoma-results .title + .WRCN {display:inline !impor
user_pref("extensions.wrc.SearchRules.ask.com.url", "^hxxp(s)?\\:\\/\\/(.+\\.)?ask\\.com\\/.*");
user_pref("extensions.wrc.SearchRules.baidu.com.style", ".WRCN {display:none} .result .f .WRCN {display:inline !important; background: url(\"IMAGE\") right no-repeat}");
user_pref("extensions.wrc.SearchRules.baidu.com.url", "^hxxp\\:\\/\\/www\\.baidu\\.com\\/.*");
user_pref("extensions.wrc.SearchRules.excite.com.style", ".WRCN {display:none} .listing .resultsLink + .WRCN {display:inline !important; background: url(\"IMAGE\") right no-re
user_pref("extensions.wrc.SearchRules.excite.com.url", "^hxxp\\:\\/\\/msxml\\.excite\\.com\\/excite\\/ws\\/.+");
user_pref("extensions.wrc.SearchRules.rambler.ru.style", ".WRCN {display:none} .search-results .title + .WRCN {display:inline !important; background: url(\"IMAGE\") right no-r
Emptied folder: C:\Users\Administrator\AppData\Roaming\mozilla\firefox\profiles\xibtwus7.default\minidumps [55 files]



~~~ Chrome

Failed to delete: [Folder] C:\Users\Administrator\appdata\local\Google\Chrome\User Data\Default\Extensions\ippkomaaonokjnfjoikaemidanojkfmm
Successfully deleted: [Folder] C:\Users\Administrator\appdata\local\Google\Chrome\User Data\Default\Extensions\jneaojaoiajhnemidnjhoempalnidbhj
Successfully deleted: [Folder] C:\Users\Administrator\appdata\local\Google\Chrome\User Data\Default\Extensions\jpnbdefcbnoefmmcpelplabbkfmfhlho
Successfully deleted: [Folder] C:\Users\Administrator\Local Settings\Application Data\Google\Chrome\User Data\Default\Extensions\ippkomaaonokjnfjoikaemidanojkfmm
Successfully deleted: [Registry Key] hkey_local_machine\software\google\chrome\extensions\ippkomaaonokjnfjoikaemidanojkfmm
Successfully deleted: [Registry Key] hkey_local_machine\software\google\chrome\extensions\jneaojaoiajhnemidnjhoempalnidbhj



~~~ Event Viewer Logs were cleared





~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan was completed on Sun 01/27/2013 at 18:46:45.31
End of JRT log
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 

Attachments

  • ScreenHunter_01 Jan. 27 18.57.jpg
OTL Quick Scan

Please download OTL by OldTimer to your Desktop.
  • Close all windows and double click OTL.exe.
  • Click Quick Scan button and let the program run uninterrupted.
  • It will produce a log for you called OTL.txt; please post it in your next reply.
  • You may need to use two posts to get it all.
 
Here is the OldTimer log:

OTL logfile created on: 1/28/2013 3:25:31 PM - Run 1
OTL by OldTimer - Version 3.2.69.0 Folder = C:\Users\Administrator\Downloads
Professional Service Pack 1 (Version = 6.1.7601) - Type = NTWorkstation
Internet Explorer (Version = 9.0.8112.16421)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy

1.74 Gb Total Physical Memory | 1.15 Gb Available Physical Memory | 66.32% Memory free
4.35 Gb Paging File | 3.40 Gb Available in Paging File | 78.05% Paging File free
Paging file location(s): c:\pagefile.sys 2673 2673 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\windows | %ProgramFiles% = C:\Program Files
Drive C: | 230.88 Gb Total Space | 191.30 Gb Free Space | 82.86% Space Free | Partition Type: NTFS
Drive E: | 14.92 Gb Total Space | 14.91 Gb Free Space | 99.94% Space Free | Partition Type: FAT32
Drive G: | 1.99 Gb Total Space | 1.99 Gb Free Space | 99.71% Space Free | Partition Type: FAT32

Computer Name: USER-HP | User Name: Administrator | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: Current user | Quick Scan
Company Name Whitelist: On | Skip Microsoft Files: On | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2013/01/28 15:24:01 | 000,602,112 | ---- | M] (OldTimer Tools) -- C:\Users\Administrator\Downloads\OTL.exe
PRC - [2012/12/14 16:49:28 | 000,682,344 | ---- | M] (Malwarebytes Corporation) -- C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
PRC - [2012/12/14 16:49:28 | 000,512,360 | ---- | M] (Malwarebytes Corporation) -- C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
PRC - [2012/12/14 16:49:28 | 000,398,184 | ---- | M] (Malwarebytes Corporation) -- C:\Program Files\Malwarebytes' Anti-Malware\mbamscheduler.exe
PRC - [2012/10/30 18:50:59 | 004,297,136 | ---- | M] (AVAST Software) -- C:\Program Files\AVAST Software\Avast\AvastUI.exe
PRC - [2012/10/30 18:50:59 | 000,044,808 | ---- | M] (AVAST Software) -- C:\Program Files\AVAST Software\Avast\AvastSvc.exe
PRC - [2012/10/20 15:07:16 | 000,058,288 | ---- | M] (Absolute Software Corp.) -- C:\Windows\System32\rpcnet.exe
PRC - [2011/11/06 00:40:42 | 000,495,708 | ---- | M] (IDT, Inc.) -- C:\Program Files\IDT\WDM\sttray.exe
PRC - [2011/11/06 00:40:42 | 000,254,034 | ---- | M] (IDT, Inc.) -- C:\Program Files\IDT\WDM\stacsv.exe
PRC - [2011/11/06 00:40:41 | 000,081,920 | ---- | M] (Andrea Electronics Corporation) -- C:\Program Files\IDT\WDM\AEstSrv.exe
PRC - [2011/10/12 17:14:14 | 001,479,488 | ---- | M] (TuneUp Software) -- C:\Program Files\TuneUp Utilities 2012\TuneUpUtilitiesService32.exe
PRC - [2011/10/12 17:14:14 | 001,210,688 | ---- | M] (TuneUp Software) -- C:\Program Files\TuneUp Utilities 2012\TuneUpUtilitiesApp32.exe
PRC - [2011/09/29 12:06:36 | 000,107,000 | ---- | M] (Siber Systems) -- C:\Program Files\Siber Systems\AI RoboForm\robotaskbaricon.exe
PRC - [2011/08/31 20:36:16 | 005,306,880 | ---- | M] (Wisdom Software Inc. ) -- C:\Program Files\Wisdom-soft ScreenHunter 5 Free\ScreenHunter.exe
PRC - [2011/06/23 23:22:20 | 000,271,360 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\conhost.exe
PRC - [2011/03/16 10:26:40 | 000,113,264 | ---- | M] (Portrait Displays, Inc.) -- C:\Program Files\Common Files\Portrait Displays\Drivers\pdisrvc.exe
PRC - [2011/02/25 00:30:54 | 002,616,320 | ---- | M] (Microsoft Corporation) -- C:\Windows\explorer.exe
PRC - [2010/11/20 07:17:47 | 000,049,152 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\taskhost.exe
PRC - [2010/06/25 13:35:47 | 000,202,256 | ---- | M] (RealNetworks, Inc.) -- C:\Program Files\Common Files\Real\Update_OB\realsched.exe
PRC - [2010/04/08 01:22:48 | 000,372,736 | ---- | M] (AMD) -- C:\Windows\System32\atieclxx.exe
PRC - [2010/04/08 01:22:18 | 000,172,032 | ---- | M] (AMD) -- C:\Windows\System32\atiesrxx.exe
PRC - [2010/03/25 18:02:02 | 000,090,112 | ---- | M] (Hewlett-Packard Company) -- c:\Program Files\Hewlett-Packard\HP QuickLook\HPDayStarterService.exe
PRC - [2010/03/15 17:05:30 | 000,331,000 | ---- | M] (QUALCOMM, Inc.) -- C:\Program Files\QUALCOMM\QDLService2k\QDLService2kHP.exe
PRC - [2010/03/06 16:39:08 | 000,635,416 | ---- | M] (PDF Complete Inc) -- C:\Program Files\PDF Complete\pdfsvc.exe
PRC - [2010/02/18 16:26:46 | 001,664,304 | ---- | M] (Validity Sensors, Inc.) -- C:\Windows\System32\vcsFPService.exe
PRC - [2010/01/21 12:42:48 | 000,014,336 | ---- | M] (LSI Corporation) -- C:\Program Files\LSI SoftModem\agrsmsvc.exe
PRC - [2010/01/19 13:17:10 | 000,297,984 | ---- | M] (Hewlett-Packard) -- C:\Program Files\Hewlett-Packard\File Sanitizer\HPFSService.exe
PRC - [2009/12/29 15:31:32 | 000,595,232 | ---- | M] (Broadcom Corporation.) -- C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe
PRC - [2009/06/03 18:16:42 | 000,207,400 | ---- | M] (ActivIdentity) -- C:\Program Files\Common Files\ActivIdentity\ac.sharedstore.exe
PRC - [2009/06/03 18:16:34 | 000,153,640 | ---- | M] (ActivIdentity) -- C:\Program Files\ActivIdentity\ActivClient\acevents.exe


========== Modules (No Company Name) ==========

MOD - [2011/10/13 02:37:42 | 001,051,136 | ---- | M] () -- C:\windows\assembly\NativeImages_v2.0.50727_32\System.Management\1049a76b3de293df726d380932215c91\System.Management.ni.dll
MOD - [2011/10/13 02:34:13 | 000,368,128 | ---- | M] () -- C:\windows\assembly\NativeImages_v2.0.50727_32\PresentationFramewo#\07cdef1a740151932dcf161f3306bd9c\PresentationFramework.Aero.ni.dll
MOD - [2011/10/13 02:34:05 | 014,339,072 | ---- | M] () -- C:\windows\assembly\NativeImages_v2.0.50727_32\PresentationFramewo#\70e2ca33ffa52c743285dc5b4910a229\PresentationFramework.ni.dll
MOD - [2011/10/13 02:33:48 | 012,234,752 | ---- | M] () -- C:\windows\assembly\NativeImages_v2.0.50727_32\PresentationCore\7c94a121334aeca7553c7f01290740f0\PresentationCore.ni.dll
MOD - [2011/10/13 02:33:36 | 003,347,968 | ---- | M] () -- C:\windows\assembly\NativeImages_v2.0.50727_32\WindowsBase\d7a64c28cf0c90e6c48af4f7d6f9ed41\WindowsBase.ni.dll
MOD - [2011/10/13 02:32:58 | 000,771,584 | ---- | M] () -- C:\windows\assembly\NativeImages_v2.0.50727_32\System.Runtime.Remo#\b2622080e047040fa044dd21a04ff10d\System.Runtime.Remoting.ni.dll
MOD - [2011/10/13 02:32:54 | 006,611,456 | ---- | M] () -- C:\windows\assembly\NativeImages_v2.0.50727_32\System.Data\f8196c3588c2229e84516af4b6a0ee60\System.Data.ni.dll
MOD - [2011/10/13 02:32:35 | 005,453,312 | ---- | M] () -- C:\windows\assembly\NativeImages_v2.0.50727_32\System.Xml\130ad4d9719e566ca933ac7158a04203\System.Xml.ni.dll
MOD - [2011/10/13 02:32:31 | 000,971,264 | ---- | M] () -- C:\windows\assembly\NativeImages_v2.0.50727_32\System.Configuration\2d5bcbeb9475ef62189f605bcca1cec6\System.Configuration.ni.dll
MOD - [2011/10/13 02:32:24 | 007,963,648 | ---- | M] () -- C:\windows\assembly\NativeImages_v2.0.50727_32\System\abab08afa60a6f06bdde0fcc9649c379\System.ni.dll
MOD - [2011/10/13 02:32:12 | 011,490,304 | ---- | M] () -- C:\windows\assembly\NativeImages_v2.0.50727_32\mscorlib\a1a82db68b3badc7c27ea1f6579d22c5\mscorlib.ni.dll
MOD - [2010/11/04 20:58:05 | 002,927,616 | ---- | M] () -- C:\windows\assembly\GAC_32\System.Data\2.0.0.0__b77a5c561934e089\System.Data.dll
MOD - [2010/02/09 20:58:30 | 000,061,440 | ---- | M] () -- C:\Program Files\Hewlett-Packard\HP Advisor\Pillars\PCAlerts\PCAlertsPillar.dll
MOD - [2010/02/09 20:58:28 | 000,131,072 | ---- | M] () -- C:\Program Files\Hewlett-Packard\HP Advisor\Pillars\ECenter\ECLibrary.dll
MOD - [2010/02/09 20:58:24 | 000,040,960 | ---- | M] () -- C:\Program Files\Hewlett-Packard\HP Advisor\MessagingServer.dll
MOD - [2010/02/09 20:58:24 | 000,007,680 | ---- | M] () -- C:\Program Files\Hewlett-Packard\HP Advisor\RemotingClient.dll
MOD - [2010/02/09 20:58:22 | 000,036,864 | ---- | M] () -- C:\Program Files\Hewlett-Packard\HP Advisor\MessagingClients.dll
MOD - [2010/02/09 20:58:22 | 000,005,632 | ---- | M] () -- C:\Program Files\Hewlett-Packard\HP Advisor\MessagingInterface.dll
MOD - [2010/02/09 20:58:18 | 000,018,944 | ---- | M] () -- C:\Program Files\Hewlett-Packard\HP Advisor\MessagingMessages.dll
MOD - [2009/08/16 17:06:02 | 000,141,312 | ---- | M] () -- C:\Program Files\WinRAR\RarExt.dll
MOD - [2008/08/12 05:18:42 | 000,148,480 | ---- | M] () -- C:\Program Files\Zoom Player\zpshlext.dll


========== Services (SafeList) ==========

SRV - File not found [Auto | Stopped] -- C:\ProgramData\Rpcnet\Bin\rpcld.exe -- (rpcld)
SRV - [2013/01/18 18:32:50 | 000,115,608 | ---- | M] (Mozilla Foundation) [On_Demand | Stopped] -- C:\Program Files\Mozilla Maintenance Service\maintenanceservice.exe -- (MozillaMaintenance)
SRV - [2012/12/14 16:49:28 | 000,682,344 | ---- | M] (Malwarebytes Corporation) [Auto | Running] -- C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe -- (MBAMService)
SRV - [2012/12/14 16:49:28 | 000,398,184 | ---- | M] (Malwarebytes Corporation) [Auto | Running] -- C:\Program Files\Malwarebytes' Anti-Malware\mbamscheduler.exe -- (MBAMScheduler)
SRV - [2012/10/30 18:50:59 | 000,044,808 | ---- | M] (AVAST Software) [Auto | Running] -- C:\Program Files\AVAST Software\Avast\AvastSvc.exe -- (avast! Antivirus)
SRV - [2012/10/20 15:07:16 | 000,058,288 | ---- | M] (Absolute Software Corp.) [Auto | Running] -- C:\Windows\System32\rpcnet.exe -- (rpcnet)
SRV - [2011/11/06 00:40:42 | 000,254,034 | ---- | M] (IDT, Inc.) [Auto | Running] -- C:\Program Files\IDT\WDM\stacsv.exe -- (STacSV)
SRV - [2011/11/06 00:40:41 | 000,081,920 | ---- | M] (Andrea Electronics Corporation) [Auto | Running] -- C:\Program Files\IDT\WDM\AEstSrv.exe -- (AESTFilters)
SRV - [2011/10/12 17:14:14 | 001,479,488 | ---- | M] (TuneUp Software) [Auto | Running] -- C:\Program Files\TuneUp Utilities 2012\TuneUpUtilitiesService32.exe -- (TuneUp.UtilitiesSvc)
SRV - [2011/06/02 12:18:32 | 000,133,688 | ---- | M] (Hewlett-Packard Company) [Disabled | Stopped] -- C:\Program Files\Hewlett-Packard\HP Power Assistant\HPPA_Service.exe -- (HP Power Assistant Service)
SRV - [2011/03/16 10:26:40 | 000,113,264 | ---- | M] (Portrait Displays, Inc.) [Auto | Running] -- C:\Program Files\Common Files\Portrait Displays\Drivers\pdisrvc.exe -- (PdiService)
SRV - [2011/01/15 07:32:30 | 001,116,656 | ---- | M] (Sonic Solutions) [On_Demand | Stopped] -- C:\Program Files\Common Files\Roxio Shared\OEM\12.0\SharedCOM\RoxMediaDB12OEM.exe -- (RoxMediaDB12OEM)
SRV - [2010/06/25 13:42:21 | 001,343,400 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\Wat\WatAdminSvc.exe -- (WatAdminSvc)
SRV - [2010/04/08 01:22:18 | 000,172,032 | ---- | M] (AMD) [Auto | Running] -- C:\Windows\System32\atiesrxx.exe -- (AMD External Events Utility)
SRV - [2010/04/05 13:12:00 | 000,103,992 | ---- | M] (Hewlett-Packard) [Disabled | Stopped] -- C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWA_Service.exe -- (HP Wireless Assistant Service)
SRV - [2010/03/25 18:02:02 | 000,090,112 | ---- | M] (Hewlett-Packard Company) [Auto | Running] -- c:\Program Files\Hewlett-Packard\HP QuickLook\HPDayStarterService.exe -- (HPDayStarterService)
SRV - [2010/03/15 17:05:30 | 000,331,000 | ---- | M] (QUALCOMM, Inc.) [Auto | Running] -- C:\Program Files\QUALCOMM\QDLService2k\QDLService2kHP.exe -- (QDLService2kHP)
SRV - [2010/03/06 16:39:08 | 000,635,416 | ---- | M] (PDF Complete Inc) [Auto | Running] -- C:\Program Files\PDF Complete\pdfsvc.exe -- (pdfcDispatcher)
SRV - [2010/03/01 12:27:22 | 000,264,248 | ---- | M] (Hewlett-Packard Company) [Disabled | Stopped] -- C:\Program Files\Hewlett-Packard\HP HotKey Support\hpHotkeyMonitor.exe -- (hpHotkeyMonitor)
SRV - [2010/02/18 16:26:46 | 001,664,304 | ---- | M] (Validity Sensors, Inc.) [Auto | Running] -- C:\Windows\System32\vcsFPService.exe -- (vcsFPService)
SRV - [2010/02/17 12:53:18 | 003,093,880 | ---- | M] (Symantec Corporation) [On_Demand | Stopped] -- C:\Program Files\Symantec\LiveUpdate\LuComServer_3_3.EXE -- (LiveUpdate)
SRV - [2010/01/21 12:42:48 | 000,014,336 | ---- | M] (LSI Corporation) [Auto | Running] -- C:\Program Files\LSI SoftModem\agrsmsvc.exe -- (AgereModemAudio)
SRV - [2010/01/19 13:17:10 | 000,297,984 | ---- | M] (Hewlett-Packard) [Auto | Running] -- C:\Program Files\Hewlett-Packard\File Sanitizer\HPFSService.exe -- (HPFSService)
SRV - [2009/12/29 15:31:32 | 000,595,232 | ---- | M] (Broadcom Corporation.) [Auto | Running] -- C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe -- (btwdins)
SRV - [2009/11/23 13:08:10 | 001,120,752 | ---- | M] (Sonic Solutions) [On_Demand | Stopped] -- c:\Program Files\Common Files\Roxio Shared\10.0\SharedCOM\RoxMediaDB10.exe -- (RoxMediaDB10)
SRV - [2009/07/13 20:16:15 | 000,016,384 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\StorSvc.dll -- (StorSvc)
SRV - [2009/07/13 20:16:13 | 000,025,088 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\sensrsvc.dll -- (SensrSvc)
SRV - [2009/07/13 20:16:12 | 001,004,544 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\PeerDistSvc.dll -- (PeerDistSvc)
SRV - [2009/07/13 20:15:41 | 000,680,960 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Program Files\Windows Defender\MpSvc.dll -- (WinDefend)
SRV - [2009/06/03 18:16:42 | 000,207,400 | ---- | M] (ActivIdentity) [Auto | Running] -- C:\Program Files\Common Files\ActivIdentity\ac.sharedstore.exe -- (ac.sharedstore)


========== Driver Services (SafeList) ==========

DRV - File not found [Kernel | Auto | Stopped] -- C:\Program Files\Free Ride Games\X6XSEx_Pr143.Sys -- (X6XSEx_Pr143)
DRV - File not found [Kernel | System | Stopped] -- C:\windows\system32\drivers\SBREDrv.sys -- (SBRE)
DRV - File not found [Kernel | On_Demand | Stopped] -- C:\Users\ADMINI~1\AppData\Local\Temp\catchme.sys -- (catchme)
DRV - [2012/12/14 16:49:28 | 000,021,104 | ---- | M] (Malwarebytes Corporation) [File_System | On_Demand | Running] -- C:\Windows\System32\drivers\mbam.sys -- (MBAMProtector)
DRV - [2012/10/30 18:51:58 | 000,738,504 | ---- | M] (AVAST Software) [File_System | System | Running] -- C:\windows\System32\drivers\aswSnx.sys -- (aswSnx)
DRV - [2012/10/30 18:51:58 | 000,361,032 | ---- | M] (AVAST Software) [Kernel | System | Running] -- C:\windows\System32\drivers\aswSP.sys -- (aswSP)
DRV - [2012/10/30 18:51:58 | 000,054,232 | ---- | M] (AVAST Software) [Kernel | System | Running] -- C:\windows\System32\drivers\aswTdi.sys -- (aswTdi)
DRV - [2012/10/30 18:51:57 | 000,058,680 | ---- | M] (AVAST Software) [File_System | Auto | Running] -- C:\Windows\System32\drivers\aswMonFlt.sys -- (aswMonFlt)
DRV - [2012/10/30 18:51:56 | 000,021,256 | ---- | M] (AVAST Software) [File_System | Auto | Running] -- C:\windows\System32\drivers\aswFsBlk.sys -- (aswFsBlk)
DRV - [2012/10/15 11:59:28 | 000,044,784 | ---- | M] (AVAST Software) [Kernel | System | Running] -- C:\Windows\System32\drivers\aswRdr2.sys -- (aswRdr)
DRV - [2011/11/06 00:40:43 | 000,431,616 | ---- | M] (IDT, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\stwrt.sys -- (STHDA)
DRV - [2011/09/22 12:08:26 | 000,010,064 | ---- | M] (TuneUp Software) [Kernel | On_Demand | Running] -- C:\Program Files\TuneUp Utilities 2012\TuneUpUtilitiesDriver32.sys -- (TuneUpUtilitiesDrv)
DRV - [2010/11/20 07:30:17 | 000,296,064 | ---- | M] (Microsoft Corporation) [Kernel | System | Running] -- C:\Windows\System32\drivers\vpcvmm.sys -- (vpcvmm)
DRV - [2010/11/20 07:30:17 | 000,172,416 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\vpchbus.sys -- (vpcbus)
DRV - [2010/11/20 07:30:15 | 000,175,360 | ---- | M] (Microsoft Corporation) [Kernel | Boot | Running] -- C:\Windows\System32\drivers\vmbus.sys -- (vmbus)
DRV - [2010/11/20 07:30:15 | 000,040,704 | ---- | M] (Microsoft Corporation) [Kernel | Boot | Running] -- C:\Windows\System32\drivers\vmstorfl.sys -- (storflt)
DRV - [2010/11/20 07:30:15 | 000,028,032 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\storvsc.sys -- (storvsc)
DRV - [2010/11/20 05:50:38 | 000,078,336 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\vpcusb.sys -- (vpcusb)
DRV - [2010/11/20 05:50:37 | 000,048,128 | ---- | M] (Microsoft Corporation) [Kernel | System | Running] -- C:\Windows\System32\drivers\vpcnfltr.sys -- (vpcnfltr)
DRV - [2010/11/20 05:50:37 | 000,012,800 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\vpcuxd.sys -- (vpcuxd)
DRV - [2010/11/20 05:24:41 | 000,052,224 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\TsUsbFlt.sys -- (TsUsbFlt)
DRV - [2010/11/20 05:06:36 | 000,117,760 | ---- | M] (Microsoft Corporation) [Kernel | Auto | Running] -- C:\Windows\System32\drivers\rmcast.sys -- (RMCAST)
DRV - [2010/11/20 04:59:44 | 000,035,968 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\winusb.sys -- (WinUSB)
DRV - [2010/11/20 04:14:45 | 000,017,920 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\VMBusHID.sys -- (VMBusHID)
DRV - [2010/11/20 04:14:41 | 000,005,632 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\vms3cap.sys -- (s3cap)
DRV - [2010/06/25 13:01:27 | 000,064,288 | ---- | M] (Lavasoft AB) [File_System | Boot | Running] -- C:\Windows\System32\drivers\Lbd.sys -- (Lbd)
DRV - [2010/06/15 18:53:28 | 000,025,656 | ---- | M] (Hewlett-Packard Company) [Kernel | Boot | Running] -- C:\Windows\System32\drivers\hpdskflt.sys -- (hpdskflt)
DRV - [2010/06/15 18:53:12 | 000,033,848 | ---- | M] (Hewlett-Packard Company) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\Accelerometer.sys -- (Accelerometer)
DRV - [2010/04/08 01:49:14 | 005,429,760 | ---- | M] (ATI Technologies Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\atikmdag.sys -- (amdkmdag)
DRV - [2010/04/08 00:46:22 | 000,157,184 | ---- | M] (Advanced Micro Devices, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\atikmpag.sys -- (amdkmdap)
DRV - [2010/03/15 16:02:30 | 000,208,384 | ---- | M] (QUALCOMM Incorporated) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\qcusbnethp2k.sys -- (qcusbnethp2k)
DRV - [2010/03/15 16:02:30 | 000,106,880 | ---- | M] (QUALCOMM Incorporated) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\qcusbserhp2k.sys -- (qcusbserhp2k)
DRV - [2010/03/15 16:02:30 | 000,005,248 | ---- | M] (QUALCOMM Incorporated) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\qcfilterhp2k.sys -- (qcfilterhp2k)
DRV - [2010/03/08 20:21:26 | 000,107,024 | ---- | M] (ATI Technologies, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\AtiHdmi.sys -- (AtiHdmiService)
DRV - [2010/02/16 14:24:12 | 000,021,560 | ---- | M] (Hewlett-Packard Company) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\HpqKbFiltr.sys -- (HpqKbFiltr)
DRV - [2010/01/30 00:45:32 | 000,073,344 | ---- | M] (Realtek Semiconductor Corp.) [2 MP Fixed] [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\rtsuvc.sys -- (rtsuvc)
DRV - [2010/01/21 12:42:46 | 001,163,328 | ---- | M] (LSI Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\AGRSM.sys -- (AgereSoftModem)
DRV - [2010/01/08 05:23:00 | 000,316,416 | ---- | M] (Marvell) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\yk62x86.sys -- (yukonw7)
DRV - [2009/12/11 23:54:16 | 000,038,912 | ---- | M] (REDC) [Kernel | Auto | Stopped] -- C:\Windows\System32\drivers\rixdpe86.sys -- (rixdpcie)
DRV - [2009/10/28 19:55:00 | 000,047,616 | ---- | M] (REDC) [Kernel | Auto | Stopped] -- C:\Windows\System32\drivers\risdpe86.sys -- (risdpcie)
DRV - [2009/10/26 16:39:00 | 000,048,640 | ---- | M] (REDC) [Kernel | Auto | Stopped] -- C:\Windows\System32\drivers\rimspe86.sys -- (rimspci)
DRV - [2009/08/23 07:55:32 | 000,014,392 | ---- | M] (Advanced Micro Devices Inc.) [Kernel | Boot | Running] -- C:\Windows\System32\drivers\AtiPcie.sys -- (AtiPcie)
DRV - [2009/07/13 18:52:10 | 000,014,336 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\vwifimp.sys -- (vwifimp)
DRV - [2009/07/13 18:45:33 | 000,083,456 | ---- | M] (Brother Industries Ltd.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\serial.sys -- (Serial)
DRV - [2009/07/13 18:12:52 | 000,030,720 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\tpm.sys -- (TPM)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://g.msn.com/HPCOM/1
IE - HKLM\..\SearchScopes,DefaultScope =
IE - HKLM\..\SearchScopes\{65000666-CF5A-412A-8EC4-7A48AF8F45B3}: "URL" = http://www.bing.com/search?q={searchTerms}&form=CMNTDF&pc=CMNTDF&src=IE-SearchBox
IE - HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com
IE - HKCU\..\SearchScopes,DefaultScope =
IE - HKCU\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/search?q={searchTerms}&src=IE-SearchBox&FORM=IE8SRC
IE - HKCU\..\SearchScopes\{6A1806CD-94D4-4689-BA73-E35EA1EA9990}: "URL" = http://www.bing.com/search?q={searchTerms}&FORM=IE8SRC
IE - HKCU\..\SearchScopes\{CC2821C3-AC0C-4CC0-8B5D-BA449A67F36D}: "URL" = http://websearch.ask.com/redirect?c...pn_sauid=BE37522E-C080-44AE-AA12-21D0DAF50B88
IE - HKCU\..\SearchScopes\{D5196E2B-5A23-4F3E-9AA5-1CCA061EB31F}: "URL" = http://www.google.com/search?q={sea...rce}&ie={inputEncoding?}&oe={outputEncoding?}
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

========== FireFox ==========

FF - prefs.js..browser.search.selectedEngine: "Google"
FF - prefs.js..browser.startup.homepage: "https://www.google.com/"
FF - prefs.js..extensions.enabledAddons: secureLogin%40blueimp.net:1.0.3
FF - prefs.js..extensions.enabledAddons: support%40platinumhideip.com:1.0
FF - prefs.js..extensions.enabledAddons: autofillForms%40blueimp.net:0.9.9.0
FF - prefs.js..extensions.enabledAddons: wrc%40avast.com:7.0.1474
FF - prefs.js..extensions.enabledAddons: %7B972ce4c6-7e08-4474-a285-3208198ce6fd%7D:18.0.1
FF - prefs.js..network.proxy.gopher: ""
FF - prefs.js..network.proxy.gopher_port: 0
FF - prefs.js..network.proxy.share_proxy_settings: true
FF - prefs.js..network.proxy.type: 0
FF - user.js - File not found

FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\windows\system32\Macromed\Flash\NPSWF32_11_4_402_278.dll ()
FF - HKLM\Software\MozillaPlugins\@adobe.com/ShockwavePlayer: C:\windows\system32\Adobe\Director\np32dsw.dll (Adobe Systems, Inc.)
FF - HKLM\Software\MozillaPlugins\@exent.com/npExentCtl,version=7.0.0.0: C:\Program Files\Free Ride Games\npExentCtl.dll File not found
FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin: C:\Program Files\Java\jre6\bin\new_plugin\npjp2.dll (Sun Microsystems, Inc.)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/GENUINE: disabled File not found
FF - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: c:\Program Files\Microsoft Silverlight\4.0.60831.0\npctrl.dll ( Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@real.com/nppl3260;version=6.0.12.732: C:\Program Files\Real\RealPlayer\Netscape6\nppl3260.dll (RealNetworks, Inc.)
FF - HKLM\Software\MozillaPlugins\@real.com/nprjplug;version=1.0.3.732: C:\Program Files\Real\RealPlayer\Netscape6\nprjplug.dll (RealNetworks, Inc.)
FF - HKLM\Software\MozillaPlugins\@real.com/nprphtml5videoshim;version=1.0.0.0: C:\ProgramData\Real\RealPlayer\BrowserRecordPlugin\MozillaPlugins\nprphtml5videoshim.dll (RealNetworks, Inc.)
FF - HKLM\Software\MozillaPlugins\@real.com/nprpjplug;version=6.0.12.732: C:\Program Files\Real\RealPlayer\Netscape6\nprpjplug.dll (RealNetworks, Inc.)
FF - HKLM\Software\MozillaPlugins\@real.com/nsJSRealPlayerPlugin;version=: File not found
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=3: C:\Program Files\Google\Update\1.3.21.123\npGoogleUpdate3.dll (Google Inc.)
FF - HKLM\Software\MozillaPlugins\@tools.google.com/Google Update;version=9: C:\Program Files\Google\Update\1.3.21.123\npGoogleUpdate3.dll (Google Inc.)
FF - HKLM\Software\MozillaPlugins\www.exent.com/GameTreatWidget: C:\Program Files\Free Ride Games\NPGameTreatPlugin.dll File not found

FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\{22119944-ED35-4ab1-910B-E619EA06A115}: C:\Program Files\Siber Systems\AI RoboForm\Firefox [2011/09/29 12:07:53 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\wrc@avast.com: C:\Program Files\AVAST Software\Avast\WebRep\FF [2013/01/25 00:40:17 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 18.0.1\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2013/01/18 18:32:52 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 18.0.1\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2013/01/18 18:32:33 | 000,000,000 | ---D | M]

[2011/09/14 18:55:55 | 000,000,000 | ---D | M] (No name found) -- C:\Users\Administrator\AppData\Roaming\mozilla\Extensions
[2013/01/27 18:46:26 | 000,000,000 | ---D | M] (No name found) -- C:\Users\Administrator\AppData\Roaming\mozilla\Firefox\Profiles\xibtwus7.default\extensions
[2012/10/15 08:20:12 | 000,000,000 | ---D | M] (Yahoo! Toolbar) -- C:\Users\Administrator\AppData\Roaming\mozilla\Firefox\Profiles\xibtwus7.default\extensions\{635abd67-4fe9-1b23-4f01-e679fa7484c1}
[2012/12/11 18:35:52 | 000,149,045 | ---- | M] () (No name found) -- C:\Users\Administrator\AppData\Roaming\mozilla\firefox\profiles\xibtwus7.default\extensions\autofillForms@blueimp.net.xpi
[2012/11/28 11:50:16 | 000,083,379 | ---- | M] () (No name found) -- C:\Users\Administrator\AppData\Roaming\mozilla\firefox\profiles\xibtwus7.default\extensions\secureLogin@blueimp.net.xpi
[2012/11/06 17:03:07 | 000,004,552 | ---- | M] () (No name found) -- C:\Users\Administrator\AppData\Roaming\mozilla\firefox\profiles\xibtwus7.default\extensions\support@platinumhideip.com.xpi
[2012/11/23 07:37:45 | 000,804,627 | ---- | M] () (No name found) -- C:\Users\Administrator\AppData\Roaming\mozilla\firefox\profiles\xibtwus7.default\extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}.xpi
[2013/01/18 18:32:33 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions
[2013/01/25 00:40:17 | 000,000,000 | ---D | M] (avast! WebRep) -- C:\PROGRAM FILES\AVAST SOFTWARE\AVAST\WEBREP\FF
[2013/01/18 18:32:51 | 000,262,552 | ---- | M] (Mozilla Foundation) -- C:\Program Files\mozilla firefox\components\browsercomps.dll
[2011/05/04 06:52:23 | 000,476,904 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\mozilla firefox\plugins\npdeployJava1.dll
[2012/11/29 03:27:12 | 000,002,465 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\bing.xml
[2012/11/29 03:27:12 | 000,002,058 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\twitter.xml

========== Chrome ==========

CHR - homepage: http://www.google.com/
CHR - default_search_provider: Google (Enabled)
CHR - default_search_provider: search_url = {google:baseURL}search?{google:RLZ}{google:acceptedSuggestion}{google:originalQueryForSuggestion}{google:searchFieldtrialParameter}{google:instantFieldTrialGroupParameter}sourceid=chrome&ie={inputEncoding}&q={searchTerms}
CHR - default_search_provider: suggest_url = {google:baseSuggestURL}search?{google:searchFieldtrialParameter}{google:instantFieldTrialGroupParameter}client=chrome&hl={language}&q={searchTerms}
CHR - homepage: http://www.google.com/
CHR - plugin: Shockwave Flash (Enabled) = C:\Program Files\Google\Chrome\Application\22.0.1229.94\gcswf32.dll
CHR - plugin: Shockwave Flash (Enabled) = C:\windows\system32\Macromed\Flash\NPSWF32.dll
CHR - plugin: QuickTime Plug-in 7.6.6 (Enabled) = C:\Program Files\Mozilla Firefox\plugins\npqtplugin.dll
CHR - plugin: QuickTime Plug-in 7.6.6 (Enabled) = C:\Program Files\Mozilla Firefox\plugins\npqtplugin2.dll
CHR - plugin: QuickTime Plug-in 7.6.6 (Enabled) = C:\Program Files\Mozilla Firefox\plugins\npqtplugin3.dll
CHR - plugin: QuickTime Plug-in 7.6.6 (Enabled) = C:\Program Files\Mozilla Firefox\plugins\npqtplugin4.dll
CHR - plugin: QuickTime Plug-in 7.6.6 (Enabled) = C:\Program Files\Mozilla Firefox\plugins\npqtplugin5.dll
CHR - plugin: QuickTime Plug-in 7.6.6 (Enabled) = C:\Program Files\Mozilla Firefox\plugins\npqtplugin6.dll
CHR - plugin: QuickTime Plug-in 7.6.6 (Enabled) = C:\Program Files\Mozilla Firefox\plugins\npqtplugin7.dll
CHR - plugin: Java Deployment Toolkit 6.0.260.3 (Enabled) = C:\Program Files\Java\jre6\bin\new_plugin\npdeployJava1.dll
CHR - plugin: Java(TM) Platform SE 6 U26 (Enabled) = C:\Program Files\Java\jre6\bin\new_plugin\npjp2.dll
CHR - plugin: Adobe Acrobat (Disabled) = C:\Program Files\Adobe\Reader 8.0\Reader\Browser\nppdf32.dll
CHR - plugin: Silverlight Plug-In (Enabled) = c:\Program Files\Microsoft Silverlight\4.0.60831.0\npctrl.dll
CHR - plugin: Shockwave for Director (Enabled) = C:\windows\system32\Adobe\Director\np32dsw.dll
CHR - plugin: RealPlayer(tm) G2 LiveConnect-Enabled Plug-In (32-bit) (Enabled) = C:\Program Files\Mozilla Firefox\plugins\nppl3260.dll
CHR - plugin: RealPlayer Version Plugin (Enabled) = C:\Program Files\Mozilla Firefox\plugins\nprpjplug.dll
CHR - plugin: RealPlayer(tm) HTML5VideoShim Plug-In (32-bit) (Enabled) = C:\ProgramData\Real\RealPlayer\BrowserRecordPlugin\MozillaPlugins\nprphtml5videoshim.dll
CHR - plugin: Remoting Viewer (Enabled) = internal-remoting-viewer
CHR - plugin: Native Client (Enabled) = C:\Program Files\Google\Chrome\Application\22.0.1229.94\ppGoogleNaClPluginChrome.dll
CHR - plugin: Chrome PDF Viewer (Enabled) = C:\Program Files\Google\Chrome\Application\22.0.1229.94\pdf.dll
CHR - plugin: RealJukebox NS Plugin (Enabled) = C:\Program Files\Mozilla Firefox\plugins\nprjplug.dll
CHR - plugin: Google Update (Enabled) = C:\Program Files\Google\Update\1.3.21.79\npGoogleUpdate3.dll
CHR - plugin: Default Plug-in (Enabled) = default_plugin

O1 HOSTS File: ([2013/01/27 10:53:51 | 000,000,027 | ---- | M]) - C:\Windows\System32\drivers\etc\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (Adobe PDF Reader Link Helper) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: (File Sanitizer for HP ProtectTools) - {3134413B-49B4-425C-98A5-893C1F195601} - C:\Program Files\Hewlett-Packard\File Sanitizer\IEBHO.dll (Hewlett-Packard)
O2 - BHO: (Reg Error: Value error.) - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll (Siber Systems Inc.)
O2 - BHO: (avast! WebRep) - {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll (AVAST Software)
O3 - HKLM\..\Toolbar: (&RoboForm) - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll (Siber Systems Inc.)
O3 - HKLM\..\Toolbar: (avast! WebRep) - {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll (AVAST Software)
O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - No CLSID value found.
O3 - HKCU\..\Toolbar\WebBrowser: (&RoboForm) - {724D43A0-0D85-11D4-9908-00400523E39A} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll (Siber Systems Inc.)
O4 - HKLM..\Run: [avast] C:\Program Files\AVAST Software\Avast\avastUI.exe (AVAST Software)
O4 - HKLM..\Run: [SysTrayApp] C:\Program Files\IDT\WDM\sttray.exe (IDT, Inc.)
O4 - HKLM..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\realsched.exe (RealNetworks, Inc.)
O4 - HKCU..\Run: [Exetender] C:\Program Files\Free Ride Games\GPlayer.exe (Exent Technologies Ltd.)
O4 - HKCU..\Run: [HPAdvisorDock] C:\Program Files\Hewlett-Packard\HP Advisor\DOCK\HPAdvisorDock.exe ()
O4 - HKCU..\Run: [RoboForm] C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe (Siber Systems)
O4 - HKCU..\RunOnce: [FlashPlayerUpdate] C:\windows\System32\Macromed\Flash\FlashUtil32_11_4_402_278_Plugin.exe (Adobe Systems Incorporated)
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\InfoDelivery present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\TabbedBrowsing present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorUser = 3
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: EnableLinkedConnections = 1
O7 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: LogonHoursAction = 2
O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DontDisplayLogonHoursWarnings = 1
O9 - Extra Button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html ()
O9 - Extra 'Tools' menuitem : Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html ()
O9 - Extra Button: Save - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html ()
O9 - Extra 'Tools' menuitem : Save Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html ()
O9 - Extra Button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html ()
O9 - Extra 'Tools' menuitem : RoboForm Toolbar - {724d43aa-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html ()
O9 - Extra Button: @C:\Program Files\WIDCOMM\Bluetooth Software\btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm ()
O9 - Extra 'Tools' menuitem : @C:\Program Files\WIDCOMM\Bluetooth Software\btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm ()
O16 - DPF: {6A060448-60F9-11D5-A6CD-0002B31F7455} (ExentInf Class)
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} http://download.eset.com/special/eos/OnlineScanner.cab (OnlineScanner Control)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab (Java Plug-in 1.6.0_26)
O16 - DPF: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab (Java Plug-in 1.6.0_26)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab (Java Plug-in 1.6.0_26)
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab (Reg Error: Key error.)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.1 205.152.37.23
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{386C4CDF-B88A-4FB1-9A4D-51A5E7F17435}: DhcpNameServer = 192.168.1.1 205.152.37.23
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\windows\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\windows\system32\userinit.exe) - C:\Windows\System32\userinit.exe (Microsoft Corporation)
O20 - HKLM Winlogon: VMApplet - (SystemPropertiesPerformance.exe) - C:\windows\System32\SystemPropertiesPerformance.exe (Microsoft Corporation)
O32 - HKLM CDRom: AutoRun - 1
O34 - HKLM BootExecute: (autocheck autochk *)
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = ComFile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
O38 - SubSystems\\Windows: (ServerDll=winsrv:UserServerDllInitialization,3)
O38 - SubSystems\\Windows: (ServerDll=winsrv:ConServerDllInitialization,2)
O38 - SubSystems\\Windows: (ServerDll=sxssrv,4)

========== Files/Folders - Created Within 30 Days ==========

[2013/01/27 18:41:48 | 000,000,000 | ---D | C] -- C:\windows\ERUNT
[2013/01/27 18:41:20 | 000,000,000 | ---D | C] -- C:\JRT
[2013/01/27 10:53:59 | 000,000,000 | ---D | C] -- C:\$RECYCLE.BIN
[2013/01/27 10:19:25 | 000,518,144 | ---- | C] (SteelWerX) -- C:\windows\SWREG.exe
[2013/01/27 10:19:25 | 000,406,528 | ---- | C] (SteelWerX) -- C:\windows\SWSC.exe
[2013/01/27 10:19:25 | 000,060,416 | ---- | C] (NirSoft) -- C:\windows\NIRCMD.exe
[2013/01/25 13:18:14 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes' Anti-Malware
[2013/01/25 13:18:10 | 000,021,104 | ---- | C] (Malwarebytes Corporation) -- C:\windows\System32\drivers\mbam.sys
[2013/01/25 13:18:09 | 000,000,000 | ---D | C] -- C:\Program Files\Malwarebytes' Anti-Malware
[2013/01/25 13:16:47 | 000,000,000 | ---D | C] -- C:\Users\Administrator\AppData\Local\Programs
[2013/01/25 00:42:24 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Google Drive
[2013/01/25 00:40:35 | 000,361,032 | ---- | C] (AVAST Software) -- C:\windows\System32\drivers\aswSP.sys
[2013/01/25 00:40:35 | 000,021,256 | ---- | C] (AVAST Software) -- C:\windows\System32\drivers\aswFsBlk.sys
[2013/01/25 00:40:35 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\avast! Free Antivirus
[2013/01/25 00:40:32 | 000,044,784 | ---- | C] (AVAST Software) -- C:\windows\System32\drivers\aswRdr2.sys
[2013/01/25 00:40:31 | 000,054,232 | ---- | C] (AVAST Software) -- C:\windows\System32\drivers\aswTdi.sys
[2013/01/25 00:40:29 | 000,738,504 | ---- | C] (AVAST Software) -- C:\windows\System32\drivers\aswSnx.sys
[2013/01/25 00:40:25 | 000,058,680 | ---- | C] (AVAST Software) -- C:\windows\System32\drivers\aswMonFlt.sys
[2013/01/25 00:40:08 | 000,227,648 | ---- | C] (AVAST Software) -- C:\windows\System32\aswBoot.exe
[2013/01/25 00:40:08 | 000,041,224 | ---- | C] (AVAST Software) -- C:\windows\avastSS.scr
[2013/01/25 00:12:21 | 000,000,000 | ---D | C] -- C:\Users\Administrator\AppData\Roaming\Roxio
[2013/01/20 03:31:20 | 000,000,000 | ---D | C] -- C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\NirSoft ProduKey
[2013/01/20 03:31:20 | 000,000,000 | ---D | C] -- C:\Program Files\NirSoft
[2013/01/18 18:32:32 | 000,000,000 | ---D | C] -- C:\Program Files\Mozilla Firefox

========== Files - Modified Within 30 Days ==========

[2013/01/28 02:37:01 | 000,000,134 | RHS- | M] () -- C:\ProgramData\3002.xml
[2013/01/28 02:36:57 | 000,011,904 | RHS- | M] () -- C:\ProgramData\3002.abs
[2013/01/27 19:01:53 | 000,625,770 | ---- | M] () -- C:\windows\System32\perfh009.dat
[2013/01/27 19:01:53 | 000,107,104 | ---- | M] () -- C:\windows\System32\perfc009.dat
[2013/01/27 19:00:14 | 000,020,944 | -H-- | M] () -- C:\windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
[2013/01/27 19:00:14 | 000,020,944 | -H-- | M] () -- C:\windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
[2013/01/27 18:55:29 | 000,000,380 | -H-- | M] () -- C:\windows\tasks\CodecUpdaterTask{110261C5-0AD3-48E4-B17F-3631829EA6CD}.job
[2013/01/27 18:55:15 | 000,017,920 | ---- | M] () -- C:\windows\System32\rpcnetp.exe
[2013/01/27 18:55:13 | 000,058,288 | ---- | M] (Absolute Software Corp.) -- C:\windows\System32\rpcnet.dll
[2013/01/27 18:55:02 | 000,067,584 | --S- | M] () -- C:\windows\bootstat.dat
[2013/01/27 10:53:51 | 000,000,027 | ---- | M] () -- C:\windows\System32\drivers\etc\hosts
[2013/01/25 13:18:14 | 000,001,067 | ---- | M] () -- C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
[2013/01/25 00:40:35 | 000,002,111 | ---- | M] () -- C:\Users\Public\Desktop\avast! Free Antivirus.lnk
[2013/01/25 00:40:25 | 000,000,000 | ---- | M] () -- C:\windows\System32\config.nt
[2013/01/25 00:00:10 | 000,001,143 | ---- | M] () -- C:\Users\Administrator\Desktop\Windows Update Troubleshooting Info.lnk
[2013/01/24 09:22:51 | 000,000,097 | ---- | M] () -- C:\Users\Administrator\AppData\Roaming\netstat.bat
[2013/01/24 07:53:05 | 000,079,026 | ---- | M] () -- C:\Users\Administrator\Desktop\ScreenHunter_05 Jan. 24 07.53.jpg
[2013/01/24 07:51:46 | 000,038,400 | ---- | M] () -- C:\Users\Administrator\Desktop\ScreenHunter_04 Jan. 24 07.51.jpg
[2013/01/24 07:50:07 | 000,082,342 | ---- | M] () -- C:\Users\Administrator\Desktop\ScreenHunter_03 Jan. 24 07.50.jpg
[2013/01/24 07:45:31 | 000,079,822 | ---- | M] () -- C:\Users\Administrator\Desktop\ScreenHunter_01 Jan. 24 07.45.jpg

========== Files Created - No Company Name ==========

[2013/01/28 02:37:01 | 000,000,134 | RHS- | C] () -- C:\ProgramData\3002.xml
[2013/01/28 02:36:57 | 000,011,904 | RHS- | C] () -- C:\ProgramData\3002.abs
[2013/01/27 10:19:25 | 000,256,000 | ---- | C] () -- C:\windows\PEV.exe
[2013/01/27 10:19:25 | 000,208,896 | ---- | C] () -- C:\windows\MBR.exe
[2013/01/27 10:19:25 | 000,098,816 | ---- | C] () -- C:\windows\sed.exe
[2013/01/27 10:19:25 | 000,080,412 | ---- | C] () -- C:\windows\grep.exe
[2013/01/27 10:19:25 | 000,068,096 | ---- | C] () -- C:\windows\zip.exe
[2013/01/25 13:18:14 | 000,001,067 | ---- | C] () -- C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
[2013/01/25 00:40:35 | 000,002,111 | ---- | C] () -- C:\Users\Public\Desktop\avast! Free Antivirus.lnk
[2013/01/25 00:00:10 | 000,001,143 | ---- | C] () -- C:\Users\Administrator\Desktop\Windows Update Troubleshooting Info.lnk
[2013/01/24 09:22:51 | 000,000,097 | ---- | C] () -- C:\Users\Administrator\AppData\Roaming\netstat.bat
[2013/01/24 07:53:05 | 000,079,026 | ---- | C] () -- C:\Users\Administrator\Desktop\ScreenHunter_05 Jan. 24 07.53.jpg
[2013/01/24 07:51:46 | 000,038,400 | ---- | C] () -- C:\Users\Administrator\Desktop\ScreenHunter_04 Jan. 24 07.51.jpg
[2013/01/24 07:50:07 | 000,082,342 | ---- | C] () -- C:\Users\Administrator\Desktop\ScreenHunter_03 Jan. 24 07.50.jpg
[2013/01/24 07:45:31 | 000,079,822 | ---- | C] () -- C:\Users\Administrator\Desktop\ScreenHunter_01 Jan. 24 07.45.jpg
[2012/12/22 05:55:11 | 000,000,064 | ---- | C] () -- C:\windows\GPlrLanc.dat
[2012/09/30 14:17:02 | 000,000,093 | ---- | C] () -- C:\windows\cdplayer.ini
[2012/01/11 01:19:20 | 000,000,632 | RHS- | C] () -- C:\Users\Administrator\ntuser.pol
[2012/01/04 09:57:32 | 000,000,000 | ---- | C] () -- C:\Users\Administrator\AppData\Local\{ED17FFC8-1AF0-4A62-90D8-ADB0166B62E5}
[2011/12/31 13:17:48 | 000,010,038 | -HS- | C] () -- C:\Users\Administrator\AppData\Local\241jxl51c761ou16p7enx0b527436d22e4026
[2011/12/31 13:17:48 | 000,010,038 | -HS- | C] () -- C:\ProgramData\241jxl51c761ou16p7enx0b527436d22e4026
[2011/12/17 23:43:40 | 000,010,564 | -HS- | C] () -- C:\Users\Administrator\AppData\Local\hmrekt1e5kjt3nis3lca3d425d6l
[2011/12/17 23:43:40 | 000,010,564 | -HS- | C] () -- C:\ProgramData\hmrekt1e5kjt3nis3lca3d425d6l
[2011/12/12 23:15:03 | 000,010,436 | -HS- | C] () -- C:\Users\Administrator\AppData\Local\d4qv67k1wy4qcw
[2011/12/12 23:15:03 | 000,010,436 | -HS- | C] () -- C:\ProgramData\d4qv67k1wy4qcw
[2011/11/06 00:49:44 | 000,000,178 | ---- | C] () -- C:\windows\System32\HPPA.ini
[2011/10/27 07:33:16 | 000,002,910 | ---- | C] () -- C:\ProgramData\LUUnInstall.LiveUpdate
[2011/09/29 10:30:10 | 000,080,416 | ---- | C] () -- C:\windows\System32\RtNicProp32.dll
[2011/08/12 16:54:41 | 000,066,048 | ---- | C] () -- C:\windows\System32\PrintBrmUi.exe
[2011/06/29 17:16:22 | 000,000,834 | RHS- | C] () -- C:\ProgramData\wcttemp.html
[2011/06/29 17:16:22 | 000,000,016 | RHS- | C] () -- C:\ProgramData\wctreqid.sys

========== ZeroAccess Check ==========

[2009/07/13 23:42:31 | 000,000,227 | RHS- | M] () -- C:\windows\assembly\Desktop.ini

[HKEY_CURRENT_USER\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]

[HKEY_CURRENT_USER\Software\Classes\clsid\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InProcServer32]

[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]
"" = %SystemRoot%\system32\shell32.dll -- [2010/11/20 07:21:19 | 012,872,192 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Apartment

[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InProcServer32]
"" = %systemroot%\system32\wbem\fastprox.dll -- [2010/11/20 07:19:02 | 000,606,208 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Free

[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}\InProcServer32]
"" = %systemroot%\system32\wbem\wbemess.dll -- [2009/07/13 20:16:17 | 000,342,528 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Both

========== LOP Check ==========

[2012/11/06 16:52:46 | 000,000,000 | ---D | M] -- C:\Users\Administrator\AppData\Roaming\F__PlatinumHideIP.exe
[2012/10/05 02:51:44 | 000,000,000 | ---D | M] -- C:\Users\Administrator\AppData\Roaming\GetRightToGo
[2012/11/06 16:31:57 | 000,000,000 | ---D | M] -- C:\Users\Administrator\AppData\Roaming\PlatinumHideIP
[2011/12/15 09:02:42 | 000,000,000 | ---D | M] -- C:\Users\Administrator\AppData\Roaming\TuneUp Software
[2012/02/13 11:13:12 | 000,000,000 | ---D | M] -- C:\Users\Administrator\AppData\Roaming\uTorrent
[2012/10/28 13:12:59 | 000,000,000 | ---D | M] -- C:\Users\Administrator\AppData\Roaming\WSOP-USA.com

========== Purity Check ==========



========== Alternate Data Streams ==========

@Alternate Data Stream - 81 bytes -> C:\Program Files\Lock Poker:MID

< End of report >
 
OTL Fix

Please run OTL
  • Under the Custom Scans/Fixes box at the bottom, copy and paste in the following:

    :OTL
    IE - HKCU\..\SearchScopes\{CC2821C3-AC0C-4CC0-8B5D-BA449A67F36D}: "URL" = http://websearch.ask.com/redirect?c...pn_sauid=BE37522E-C080-44AE-AA12-21D0DAF50B88
    O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: LogonHoursAction = 2
    O7 - HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: DontDisplayLogonHoursWarnings = 1
    O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab (Java Plug-in 1.6.0_26)
    O16 - DPF: {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab (Java Plug-in 1.6.0_26)
    O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-1_6_0_26-windows-i586.cab (Java Plug-in 1.6.0_26)
    [2011/12/31 13:17:48 | 000,010,038 | -HS- | C] () -- C:\Users\Administrator\AppData\Local\241jxl51c761ou16p7enx0b527436d22e4026
    [2011/12/31 13:17:48 | 000,010,038 | -HS- | C] () -- C:\ProgramData\241jxl51c761ou16p7enx0b527436d22e4026
    [2011/12/17 23:43:40 | 000,010,564 | -HS- | C] () -- C:\Users\Administrator\AppData\Local\hmrekt1e5kjt3nis3lca3d425d6l
    [2011/12/17 23:43:40 | 000,010,564 | -HS- | C] () -- C:\ProgramData\hmrekt1e5kjt3nis3lca3d425d6l
    [2011/12/12 23:15:03 | 000,010,436 | -HS- | C] () -- C:\Users\Administrator\AppData\Local\d4qv67k1wy4qcw
    [2011/12/12 23:15:03 | 000,010,436 | -HS- | C] () -- C:\ProgramData\d4qv67k1wy4qcw
    [2012/10/28 13:12:59 | 000,000,000 | ---D | M] -- C:\Users\Administrator\AppData\Roaming\WSOP-USA.com
    @Alternate Data Stream - 81 bytes -> C:\Program Files\Lock Poker:MID

    :files
    ipconfig /flushdns /c

    :commands
    [emptytemp]
    [reboot]
  • Then click the Run Fix button at the top.
  • Note: The fix for OTL automatically hides your Desktop and Start menu so the fix can be completed. Do not be alerted, as this is normal.
  • Please do not exit the program. It might take a while to fix, but allow it to run. If it asks to reboot the computer, allow it to reboot. If the program freezes, and the computer fails to reboot - let me know.
  • Lastly, post the contents of the log. (Located at C:\_OTL\Moved Files)


ESET Online Scan

Please run a free online scan with the ESET Online Scanner
  • Tick the box next to YES, I accept the Terms of Use
  • Click Start
  • When asked, allow the ActiveX control to install, or it will ask to download an installer. Please do so and install it.
  • Click Start or wait for the scanner to load.
  • Make sure that the options Remove found threats and the option Scan unwanted applications are checked.
  • Click Scan (This scan can take several hours, so please be patient)
  • Once the scan is completed, there are a couple of things to keep in mind:
    1. If NO threats were found, allow the scanner to Uninstall on close and then close the Window.
    2. If threats WERE detected, click on List of Threats Found, Export to Text File...save it as ESET-Scan-Log.txt. Click the back button/link, put a checkmark to Uninstall Application on Close and then close the window.
  • Open the logfile from wherever you saved it
  • Copy and paste the contents in your next reply.


Any more issues?

We need to know any other issues that are plaguing your computer. Kindly give a summary so we know how to continue from here.

Many of the things to note for us would be:

  • Slow computer
  • Error messages
  • Fake antivirus alerts or the icon in the system tray
  • svchost.exe running at 100%
  • System crashes or blue screen of death

Note: Absence of issues does not mean that you're protected in the future.
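The OTL fix above pulls the hidden+system, randomly named files out of the "Files Created - No Company Name" section and the stray alternate data stream out of the ADS section. The Python script below is an added example (not part of this thread and not part of OTL) that parses that entry format and applies the same two heuristics over lines copied from this log; the function names, the `Finding` levels and the list of "staging" directories are my own assumptions, and a hit is a review queue entry, not a verdict.

```python
"""Triage helper for OTL file entries (added example; not part of the thread
or of the OTL tool). It parses the bracketed entries OTL prints under
"Files Created" / "Files Modified" and the "Alternate Data Streams" section,
then applies two heuristics: hidden+system files with no publisher in
user-writable data directories, and long random-looking names with no
extension. Entries matching both are the ones the fix above removed."""
from __future__ import annotations

import re
from dataclasses import dataclass
from pathlib import PureWindowsPath

# Constructed sample: lines copied from the OTL log posted in this thread, plus
# two benign entries so the script has something to ignore.
SAMPLE_LOG = r"""
[2013/01/27 10:19:25 | 000,518,144 | ---- | C] (SteelWerX) -- C:\windows\SWREG.exe
[2013/01/27 18:41:20 | 000,000,000 | ---D | C] -- C:\JRT
[2013/01/28 02:37:01 | 000,000,134 | RHS- | C] () -- C:\ProgramData\3002.xml
[2011/12/31 13:17:48 | 000,010,038 | -HS- | C] () -- C:\Users\Administrator\AppData\Local\241jxl51c761ou16p7enx0b527436d22e4026
[2011/12/31 13:17:48 | 000,010,038 | -HS- | C] () -- C:\ProgramData\241jxl51c761ou16p7enx0b527436d22e4026
[2011/12/17 23:43:40 | 000,010,564 | -HS- | C] () -- C:\ProgramData\hmrekt1e5kjt3nis3lca3d425d6l
[2011/12/12 23:15:03 | 000,010,436 | -HS- | C] () -- C:\ProgramData\d4qv67k1wy4qcw
[2011/06/29 17:16:22 | 000,000,834 | RHS- | C] () -- C:\ProgramData\wcttemp.html
[2012/09/30 14:17:02 | 000,000,093 | ---- | C] () -- C:\windows\cdplayer.ini
@Alternate Data Stream - 81 bytes -> C:\Program Files\Lock Poker:MID
"""

# [date time | size | attrs | C/M] (company) -- path ; the second optional
# group swallows OTL's extra "(No name found)" marker when it appears.
ENTRY_RE = re.compile(
    r"^\[(?P<stamp>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \| "
    r"(?P<size>[\d,]+) \| (?P<attrs>[A-Z-]{4}) \| (?P<kind>[CM])\]"
    r"(?: \((?P<company>[^)]*)\))?(?: \([^)]*\))? -- (?P<path>.+)$"
)
ADS_RE = re.compile(r"^@Alternate Data Stream - (?P<nbytes>\d+) bytes -> (?P<path>.+)$")
# Long, extension-less, letters-and-digits name (like the three dropper files above).
RANDOM_NAME_RE = re.compile(r"^[a-z0-9]{12,}$")


@dataclass
class Entry:
    stamp: str
    size: int
    attrs: str      # OTL attribute column: R/H/S flags, D marks a directory
    company: str    # publisher from version info, "" when OTL printed "()"
    path: PureWindowsPath


@dataclass
class Finding:
    path: str
    reasons: list[str]

    @property
    def level(self) -> str:
        return "high" if len(self.reasons) >= 2 else "review"


def parse_entry(line: str) -> Entry | None:
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    return Entry(m["stamp"], int(m["size"].replace(",", "")), m["attrs"],
                 m["company"] or "", PureWindowsPath(m["path"]))


def in_staging_dir(path: PureWindowsPath) -> bool:
    """True for directories a standard user can write to (assumed list)."""
    parent = str(path.parent).lower()
    return parent == "c:\\programdata" or parent.endswith(("\\appdata\\local", "\\appdata\\roaming"))


def suspicious_reasons(e: Entry) -> list[str]:
    reasons: list[str] = []
    if "D" in e.attrs or not in_staging_dir(e.path):
        return reasons  # directories are covered by OTL's own LOP check
    if "H" in e.attrs and "S" in e.attrs and not e.company:
        reasons.append("hidden+system file with no publisher in a user-writable data directory")
    name = e.path.name.lower()
    if RANDOM_NAME_RE.match(name) and any(c.isdigit() for c in name) and any(c.isalpha() for c in name):
        reasons.append("long random-looking name with no extension")
    return reasons


def triage(log_text: str) -> list[Finding]:
    """Return findings in log order; 'high' = both heuristics hit."""
    findings: list[Finding] = []
    for line in log_text.splitlines():
        ads = ADS_RE.match(line.strip())
        if ads:
            if not ads["path"].endswith(":Zone.Identifier"):  # download marker, benign
                findings.append(Finding(ads["path"], [f"alternate data stream ({ads['nbytes']} bytes)"]))
            continue
        entry = parse_entry(line)
        if entry and (reasons := suspicious_reasons(entry)):
            findings.append(Finding(str(entry.path), reasons))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.level:6} {f.path}")
        for r in f.reasons:
            print(f"       - {r}")
```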
 
I have completed the last set of instructions you left for me and included the logs. Looks like there are still a lot of issues with this laptop. Are we getting it cleaned up, or is it so bad that a Windows re-install might be an option to look at? I have never had a computer get so much malware on it. I let my sister talk me into putting Vipre anti-virus on here, and it seems that around that time is when I started having all the problems. I usually use the free version of Avast and put Avast back on here after trying the Vipre, but the damage had been done by then. If I can get this computer straightened out, I am seriously considering buying Bit Defender; it seems to come highly recommended in reviews.

All processes killed
========== OTL ==========
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{CC2821C3-AC0C-4CC0-8B5D-BA449A67F36D}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CC2821C3-AC0C-4CC0-8B5D-BA449A67F36D}\ not found.
Registry value HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\\LogonHoursAction deleted successfully.
Registry value HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\\DontDisplayLogonHoursWarnings deleted successfully.
Starting removal of ActiveX control {8AD9C840-044E-11D1-B3E9-00805F499D93}
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{8AD9C840-044E-11D1-B3E9-00805F499D93}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8AD9C840-044E-11D1-B3E9-00805F499D93}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{8AD9C840-044E-11D1-B3E9-00805F499D93}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8AD9C840-044E-11D1-B3E9-00805F499D93}\ not found.
Starting removal of ActiveX control {CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA}
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA}\ not found.
Starting removal of ActiveX control {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA}
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA}\ not found.
C:\Users\Administrator\AppData\Local\241jxl51c761ou16p7enx0b527436d22e4026 moved successfully.
C:\ProgramData\241jxl51c761ou16p7enx0b527436d22e4026 moved successfully.
C:\Users\Administrator\AppData\Local\hmrekt1e5kjt3nis3lca3d425d6l moved successfully.
C:\ProgramData\hmrekt1e5kjt3nis3lca3d425d6l moved successfully.
C:\Users\Administrator\AppData\Local\d4qv67k1wy4qcw moved successfully.
C:\ProgramData\d4qv67k1wy4qcw moved successfully.
C:\Users\Administrator\AppData\Roaming\WSOP-USA.com\Utils folder moved successfully.
C:\Users\Administrator\AppData\Roaming\WSOP-USA.com\Update folder moved successfully.
C:\Users\Administrator\AppData\Roaming\WSOP-USA.com\TournamentLobby folder moved successfully.
C:\Users\Administrator\AppData\Roaming\WSOP-USA.com\TeamsLobby\Media folder moved successfully.
C:\Users\Administrator\AppData\Roaming\WSOP-USA.com\TeamsLobby folder moved successfully.
C:\Users\Administrator\AppData\Roaming\WSOP-USA.com\Settings\media folder moved successfully.
C:\Users\Administrator\AppData\Roaming\WSOP-USA.com\Settings folder moved successfully.
C:\Users\Administrator\AppData\Roaming\WSOP-USA.com\PokerLobby\Media\PrivateGames folder moved successfully.
C:\Users\Administrator\AppData\Roaming\WSOP-USA.com\PokerLobby\Media\Icons folder moved successfully.
C:\Users\Administrator\AppData\Roaming\WSOP-USA.com\PokerLobby\Media folder moved successfully.
C:\Users\Administrator\AppData\Roaming\WSOP-USA.com\PokerLobby folder moved successfully.
C:\Users\Administrator\AppData\Roaming\WSOP-USA.com\PokerEx\media\Themes\Theme9 folder moved successfully.
C:\Users\Administrator\AppData\Roaming\WSOP-USA.com\PokerEx\media\Themes\Theme8 folder moved successfully.
C:\Users\Administrator\AppData\Roaming\WSOP-USA.com\PokerEx\media\Themes\Theme7 folder moved successfully.
C:\Users\Administrator\AppData\Roaming\WSOP-USA.com\PokerEx\media\Themes\Theme6 folder moved successfully.
C:\Users\Administrator\AppData\Roaming\WSOP-USA.com\PokerEx\media\Themes\Theme5 folder moved successfully.
C:\Users\Administrator\AppData\Roaming\WSOP-USA.com\PokerEx\media\Themes\Theme4 folder moved successfully.
C:\Users\Administrator\AppData\Roaming\WSOP-USA.com\PokerEx\media\Themes\Theme3\History folder moved successfully.
C:\Users\Administrator\AppData\Roaming\WSOP-USA.com\PokerEx\media\Themes\Theme3 folder moved successfully.
C:\Users\Administrator\AppData\Roaming\WSOP-USA.com\PokerEx\media\Themes\Theme2\History folder moved successfully.
C:\Users\Administrator\AppData\Roaming\WSOP-USA.com\PokerEx\media\Themes\Theme2 folder moved successfully.
C:\Users\Administrator\AppData\Roaming\WSOP-USA.com\PokerEx\media\Themes\Theme10 folder moved successfully.
C:\Users\Administrator\AppData\Roaming\WSOP-USA.com\PokerEx\media\Themes\Theme1\History folder moved successfully.
C:\Users\Administrator\AppData\Roaming\WSOP-USA.com\PokerEx\media\Themes\Theme1 folder moved successfully.
C:\Users\Administrator\AppData\Roaming\WSOP-USA.com\PokerEx\media\Themes folder moved successfully.
C:\Users\Administrator\AppData\Roaming\WSOP-USA.com\PokerEx\media\Decks\Deck4 folder moved successfully.
C:\Users\Administrator\AppData\Roaming\WSOP-USA.com\PokerEx\media\Decks\Deck3 folder moved successfully.
C:\Users\Administrator\AppData\Roaming\WSOP-USA.com\PokerEx\media\Decks\Deck2 folder moved successfully.
C:\Users\Administrator\AppData\Roaming\WSOP-USA.com\PokerEx\media\Decks\Deck1 folder moved successfully.
C:\Users\Administrator\AppData\Roaming\WSOP-USA.com\PokerEx\media\Decks\BackDeck9 folder moved successfully.
C:\Users\Administrator\AppData\Roaming\WSOP-USA.com\PokerEx\media\Decks\BackDeck8 folder moved successfully.
C:\Users\Administrator\AppData\Roaming\WSOP-USA.com\PokerEx\media\Decks\BackDeck7 folder moved successfully.
C:\Users\Administrator\AppData\Roaming\WSOP-USA.com\PokerEx\media\Decks\BackDeck6 folder moved successfully.
C:\Users\Administrator\AppData\Roaming\WSOP-USA.com\PokerEx\media\Decks\BackDeck5 folder moved successfully.
C:\Users\Administrator\AppData\Roaming\WSOP-USA.com\PokerEx\media\Decks\BackDeck4 folder moved successfully.
C:\Users\Administrator\AppData\Roaming\WSOP-USA.com\PokerEx\media\Decks\BackDeck3 folder moved successfully.
C:\Users\Administrator\AppData\Roaming\WSOP-USA.com\PokerEx\media\Decks\BackDeck2 folder moved successfully.
C:\Users\Administrator\AppData\Roaming\WSOP-USA.com\PokerEx\media\Decks\BackDeck10 folder moved successfully.
C:\Users\Administrator\AppData\Roaming\WSOP-USA.com\PokerEx\media\Decks\BackDeck1 folder moved successfully.
C:\Users\Administrator\AppData\Roaming\WSOP-USA.com\PokerEx\media\Decks folder moved successfully.
C:\Users\Administrator\AppData\Roaming\WSOP-USA.com\PokerEx\media folder moved successfully.
C:\Users\Administrator\AppData\Roaming\WSOP-USA.com\PokerEx folder moved successfully.
C:\Users\Administrator\AppData\Roaming\WSOP-USA.com\Poker\media\ThrowStuff folder moved successfully.
C:\Users\Administrator\AppData\Roaming\WSOP-USA.com\Poker\media\Themes\Theme0\History folder moved successfully.
C:\Users\Administrator\AppData\Roaming\WSOP-USA.com\Poker\media\Themes\Theme0 folder moved successfully.
C:\Users\Administrator\AppData\Roaming\WSOP-USA.com\Poker\media\Themes\History folder moved successfully.
C:\Users\Administrator\AppData\Roaming\WSOP-USA.com\Poker\media\Themes folder moved successfully.
C:\Users\Administrator\AppData\Roaming\WSOP-USA.com\Poker\media\Teams folder moved successfully.
C:\Users\Administrator\AppData\Roaming\WSOP-USA.com\Poker\media\NotesIcons folder moved successfully.
C:\Users\Administrator\AppData\Roaming\WSOP-USA.com\Poker\media\Logos\Logo1 folder moved successfully.
C:\Users\Administrator\AppData\Roaming\WSOP-USA.com\Poker\media\Logos\Logo0 folder moved successfully.
C:\Users\Administrator\AppData\Roaming\WSOP-USA.com\Poker\media\Logos\History folder moved successfully.
C:\Users\Administrator\AppData\Roaming\WSOP-USA.com\Poker\media\Logos folder moved successfully.
C:\Users\Administrator\AppData\Roaming\WSOP-USA.com\Poker\media\Decks\Deck0 folder moved successfully.
C:\Users\Administrator\AppData\Roaming\WSOP-USA.com\Poker\media\Decks\BackDeck0 folder moved successfully.
C:\Users\Administrator\AppData\Roaming\WSOP-USA.com\Poker\media\Decks folder moved successfully.
C:\Users\Administrator\AppData\Roaming\WSOP-USA.com\Poker\media\Chips\6 folder moved successfully.
C:\Users\Administrator\AppData\Roaming\WSOP-USA.com\Poker\media\Chips\5 folder moved successfully.
C:\Users\Administrator\AppData\Roaming\WSOP-USA.com\Poker\media\Chips\4 folder moved successfully.
C:\Users\Administrator\AppData\Roaming\WSOP-USA.com\Poker\media\Chips\3 folder moved successfully.
C:\Users\Administrator\AppData\Roaming\WSOP-USA.com\Poker\media\Chips\2 folder moved successfully.
C:\Users\Administrator\AppData\Roaming\WSOP-USA.com\Poker\media\Chips\1 folder moved successfully.
C:\Users\Administrator\AppData\Roaming\WSOP-USA.com\Poker\media\Chips\0 folder moved successfully.
C:\Users\Administrator\AppData\Roaming\WSOP-USA.com\Poker\media\Chips folder moved successfully.
C:\Users\Administrator\AppData\Roaming\WSOP-USA.com\Poker\media\ChatGestures folder moved successfully.
C:\Users\Administrator\AppData\Roaming\WSOP-USA.com\Poker\media\Chat\Gestures folder moved successfully.
C:\Users\Administrator\AppData\Roaming\WSOP-USA.com\Poker\media\Chat\Emoticons\ChatSet1 folder moved successfully.
C:\Users\Administrator\AppData\Roaming\WSOP-USA.com\Poker\media\Chat\Emoticons\ChatSet0 folder moved successfully.
C:\Users\Administrator\AppData\Roaming\WSOP-USA.com\Poker\media\Chat\Emoticons\CalloutSet1 folder moved successfully.
C:\Users\Administrator\AppData\Roaming\WSOP-USA.com\Poker\media\Chat\Emoticons\CalloutSet0 folder moved successfully.
C:\Users\Administrator\AppData\Roaming\WSOP-USA.com\Poker\media\Chat\Emoticons folder moved successfully.
C:\Users\Administrator\AppData\Roaming\WSOP-USA.com\Poker\media\Chat folder moved successfully.
C:\Users\Administrator\AppData\Roaming\WSOP-USA.com\Poker\media\Avatars\Zodiac folder moved successfully.
C:\Users\Administrator\AppData\Roaming\WSOP-USA.com\Poker\media\Avatars\Sport folder moved successfully.
C:\Users\Administrator\AppData\Roaming\WSOP-USA.com\Poker\media\Avatars\Marvel folder moved successfully.
C:\Users\Administrator\AppData\Roaming\WSOP-USA.com\Poker\media\Avatars\LuckySymbols folder moved successfully.
C:\Users\Administrator\AppData\Roaming\WSOP-USA.com\Poker\media\Avatars\Holidays folder moved successfully.
C:\Users\Administrator\AppData\Roaming\WSOP-USA.com\Poker\media\Avatars\Flags folder moved successfully.
C:\Users\Administrator\AppData\Roaming\WSOP-USA.com\Poker\media\Avatars\Characters folder moved successfully.
C:\Users\Administrator\AppData\Roaming\WSOP-USA.com\Poker\media\Avatars\Avatars folder moved successfully.
C:\Users\Administrator\AppData\Roaming\WSOP-USA.com\Poker\media\Avatars folder moved successfully.
C:\Users\Administrator\AppData\Roaming\WSOP-USA.com\Poker\media folder moved successfully.
C:\Users\Administrator\AppData\Roaming\WSOP-USA.com\Poker folder moved successfully.
C:\Users\Administrator\AppData\Roaming\WSOP-USA.com\NoFlash folder moved successfully.
C:\Users\Administrator\AppData\Roaming\WSOP-USA.com\media folder moved successfully.
C:\Users\Administrator\AppData\Roaming\WSOP-USA.com\Login\media folder moved successfully.
C:\Users\Administrator\AppData\Roaming\WSOP-USA.com\Login folder moved successfully.
C:\Users\Administrator\AppData\Roaming\WSOP-USA.com\Lang\0\Localization folder moved successfully.
C:\Users\Administrator\AppData\Roaming\WSOP-USA.com\Lang\0\Config folder moved successfully.
C:\Users\Administrator\AppData\Roaming\WSOP-USA.com\Lang\0 folder moved successfully.
C:\Users\Administrator\AppData\Roaming\WSOP-USA.com\Lang folder moved successfully.
C:\Users\Administrator\AppData\Roaming\WSOP-USA.com\Icons folder moved successfully.
C:\Users\Administrator\AppData\Roaming\WSOP-USA.com\HandHistory folder moved successfully.
C:\Users\Administrator\AppData\Roaming\WSOP-USA.com\GameHistory\media folder moved successfully.
C:\Users\Administrator\AppData\Roaming\WSOP-USA.com\GameHistory folder moved successfully.
C:\Users\Administrator\AppData\Roaming\WSOP-USA.com\GameHist\media folder moved successfully.
C:\Users\Administrator\AppData\Roaming\WSOP-USA.com\GameHist folder moved successfully.
C:\Users\Administrator\AppData\Roaming\WSOP-USA.com\Fonts folder moved successfully.
C:\Users\Administrator\AppData\Roaming\WSOP-USA.com\Chat folder moved successfully.
C:\Users\Administrator\AppData\Roaming\WSOP-USA.com\Cash\media folder moved successfully.
C:\Users\Administrator\AppData\Roaming\WSOP-USA.com\Cash folder moved successfully.
C:\Users\Administrator\AppData\Roaming\WSOP-USA.com\Brand folder moved successfully.
C:\Users\Administrator\AppData\Roaming\WSOP-USA.com folder moved successfully.
ADS C:\Program Files\Lock Poker:MID deleted successfully.
========== FILES ==========
< ipconfig /flushdns /c >
Windows IP Configuration
Successfully flushed the DNS Resolver Cache.
C:\Users\Administrator\Downloads\cmd.bat deleted successfully.
C:\Users\Administrator\Downloads\cmd.txt deleted successfully.
========== COMMANDS ==========

[EMPTYTEMP]

User: Administrator
->Temp folder emptied: 115440 bytes
->Temporary Internet Files folder emptied: 1443809 bytes
->Java cache emptied: 0 bytes
->FireFox cache emptied: 135604463 bytes
->Google Chrome cache emptied: 7244992 bytes
->Flash cache emptied: 5232 bytes

User: All Users

User: Default
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: Public
->Temp folder emptied: 0 bytes

User: user
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Flash cache emptied: 0 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 65748 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 0 bytes
RecycleBin emptied: 23325198 bytes

Total Files Cleaned = 160.00 mb


OTL by OldTimer - Version 3.2.69.0 log created on 01302013_194845

Files\Folders moved on Reboot...
File move failed. C:\windows\temp\_avast_\Webshlock.txt scheduled to be moved on reboot.

PendingFileRenameOperations files...

Registry entries deleted on Reboot...


C:\Documents and Settings\Administrator\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extensions\fmifdfijfmaaodfgbdkcmbmonhehmjdg\3_0\505d44cb545401348289739.js Win32/Adware.MultiPlug.H application
C:\Documents and Settings\Administrator\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extensions\fmifdfijfmaaodfgbdkcmbmonhehmjdg\3_0\505d44cb545401348289739.js Win32/Adware.MultiPlug.H application
C:\Documents and Settings\Administrator\AppData\Local\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extensions\fmifdfijfmaaodfgbdkcmbmonhehmjdg\3_0\505d44cb545401348289739.js Win32/Adware.MultiPlug.H application
C:\Documents and Settings\Administrator\AppData\Local\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extensions\fmifdfijfmaaodfgbdkcmbmonhehmjdg\3_0\505d44cb545401348289739.js Win32/Adware.MultiPlug.H application
C:\Documents and Settings\Administrator\AppData\Local\Application Data\Application Data\Google\Chrome\User Data\Default\Extensions\fmifdfijfmaaodfgbdkcmbmonhehmjdg\3_0\505d44cb545401348289739.js Win32/Adware.MultiPlug.H application
C:\Documents and Settings\Administrator\AppData\Local\Application Data\Google\Chrome\User Data\Default\Extensions\fmifdfijfmaaodfgbdkcmbmonhehmjdg\3_0\505d44cb545401348289739.js Win32/Adware.MultiPlug.H application
C:\Documents and Settings\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\fmifdfijfmaaodfgbdkcmbmonhehmjdg\3_0\505d44cb545401348289739.js Win32/Adware.MultiPlug.H application
C:\Users\Administrator\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extensions\fmifdfijfmaaodfgbdkcmbmonhehmjdg\3_0\505d44cb545401348289739.js Win32/Adware.MultiPlug.H application
C:\Users\Administrator\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extensions\fmifdfijfmaaodfgbdkcmbmonhehmjdg\3_0\505d44cb545401348289739.js Win32/Adware.MultiPlug.H application
C:\Users\Administrator\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extensions\fmifdfijfmaaodfgbdkcmbmonhehmjdg\3_0\505d44cb545401348289739.js Win32/Adware.MultiPlug.H application
C:\Users\Administrator\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extensions\fmifdfijfmaaodfgbdkcmbmonhehmjdg\3_0\505d44cb545401348289739.js Win32/Adware.MultiPlug.H application
C:\Users\Administrator\AppData\Local\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extensions\fmifdfijfmaaodfgbdkcmbmonhehmjdg\3_0\505d44cb545401348289739.js Win32/Adware.MultiPlug.H application
C:\Users\Administrator\AppData\Local\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extensions\fmifdfijfmaaodfgbdkcmbmonhehmjdg\3_0\505d44cb545401348289739.js Win32/Adware.MultiPlug.H application
C:\Users\Administrator\AppData\Local\Application Data\Application Data\Google\Chrome\User Data\Default\Extensions\fmifdfijfmaaodfgbdkcmbmonhehmjdg\3_0\505d44cb545401348289739.js Win32/Adware.MultiPlug.H application
C:\Users\Administrator\AppData\Local\Application Data\Google\Chrome\User Data\Default\Extensions\fmifdfijfmaaodfgbdkcmbmonhehmjdg\3_0\505d44cb545401348289739.js Win32/Adware.MultiPlug.H application
C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\fmifdfijfmaaodfgbdkcmbmonhehmjdg\3_0\505d44cb545401348289739.js Win32/Adware.MultiPlug.H application
C:\Users\Administrator\Downloads\CPP-ProductKeyFinder.exe Win32/OpenCandy application
C:\Users\Administrator\Downloads\produkey_setup.exe a variant of Win32/PSWTool.ProductKey application
C:\Documents and Settings\Administrator\AppData\Local\Application Data\Application Data\Application Data\Application Data\Application Data\Google\Chrome\User Data\Default\Extensions\fmifdfijfmaaodfgbdkcmbmonhehmjdg\3_0\505d44cb545401348289739.js Win32/Adware.MultiPlug.H application cleaned by deleting - quarantined
C:\Documents and Settings\Administrator\Downloads\CPP-ProductKeyFinder.exe Win32/OpenCandy application cleaned by deleting - quarantined
C:\Documents and Settings\Administrator\Downloads\produkey_setup.exe a variant of Win32/PSWTool.ProductKey application cleaned by deleting - quarantined
C:\Program Files\NirSoft\ProduKey\ProduKey.exe a variant of Win32/PSWTool.ProductKey application cleaned by deleting - quarantined
C:\Qoobox\Quarantine\C\Program Files\Coupon Companion Plugin\CoUPon companion plugin.dll.vir a variant of Win32/Toolbar.CrossRider.A application cleaned by deleting - quarantined
 
We'll get it....

Hitman Pro

Please download Hitman Pro

  • After the download completes please double click the program to run it.
  • Accept the terms of the license agreement and click Next
  • Let the scan run. It will not take long
  • When the scan finishes, and all the files have been uploaded to the Scan Cloud, click Next
  • Click Next again. At the bottom left you will see Export Scan Results To XML File. Click that and save it in a convenient location
  • Upload log.xml here for review please


Kaspersky Virus Removal Tool

The Kaspersky Virus Removal Tool is a scan-and-remove solution from Kaspersky that searches out the most common malware and attempts to remove it from your computer.

Please download the Kaspersky Virus Removal Tool from Kaspersky's Official Link and save it to your Desktop.

  • Double-click the Setup file to install it on your computer.
  • Once it has installed, review and accept the agreement and press the Start button.
  • You will be presented with the main interface, but don't scan yet, click the options tab (gear icon):
    image1nz.png
  • On the Scan Scope tab, make sure to checkmark all the options, except for the CD/DVD drive:
    image2pmb.png
  • On the Security Level tab, make sure to move the slider up denoting "Current Security Level: High":
    image3vd.png
  • Now, go back to the Automatic Scan tab, and choose "Start Scanning". It may take several hours to complete. Please allow it to do so.
  • Once done scanning, choose the Report tab (page icon), select Detected Threats tab on left, and choose Disinfect All:
    image5mf.png
  • Then, choose Save. Also, in the Automatic Report tab, select Save:
    image4vy.png
  • Please post the reports in your next reply.
  • Once you exit, the tool should uninstall automatically.
 
Sorry, got swamped. I will reply quickly now. I hope I didn't get this log wrong. I have been careful to do them just like you ask but this Hitman Pro saved the log differently before I got the chance to save it in .xml format. I did not have any option other than post this or redo the whole thing. I thought you should know what happened because if I had redone it then the log would have been different than this one (I think). Anyway, instead of chancing more mistakes, I posted the results so far so you can instruct me as to how to proceed. The Kaspersky log should be as you asked.


Code:
HitmanPro 3.7.1.186
www.hitmanpro.com

   Computer name . . . . : USER-HP
   Windows . . . . . . . : 6.1.1.7601.X86/2
   User name . . . . . . : user-HP\Administrator
   UAC . . . . . . . . . : Disabled
   License . . . . . . . : Free

   Scan date . . . . . . : 2013-02-02 21:25:08
   Scan mode . . . . . . : Normal
   Scan duration . . . . : 2m 6s
   Disk access mode  . . : Direct disk access (SRB)
   Cloud . . . . . . . . : Internet
   Reboot  . . . . . . . : No

   Threats . . . . . . . : 0
   Traces  . . . . . . . : 70

   Objects scanned . . . : 1,123,679
   Files scanned . . . . : 14,568
   Remnants scanned  . . : 395,161 files / 713,950 keys

Potential Unwanted Programs _________________________________________________

   HKLM\SOFTWARE\Classes\CLSID\{22222222-2222-2222-2222-220022042235}\ (Premiumplay)
   HKLM\SOFTWARE\Classes\Interface\{66666666-6666-6666-6666-660066046635}\ (Premiumplay)

Cookies _____________________________________________________________________

   C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Cookies:ad.360yield.com
   C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Cookies:ad.yieldmanager.com
   C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Cookies:adbrite.com
   C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Cookies:ads.cineble.com
   C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Cookies:ads.cinemaden.com
   C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Cookies:ads.redorbit.com
   C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Cookies:ads.undertone.com
   C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Cookies:advertising.com
   C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Cookies:apmebf.com
   C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Cookies:atdmt.com
   C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Cookies:burstnet.com
   C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Cookies:casalemedia.com
   C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Cookies:collective-media.net
   C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Cookies:doubleclick.net
   C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Cookies:fastclick.net
   C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Cookies:invitemedia.com
   C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Cookies:media6degrees.com
   C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Cookies:network.realmedia.com
   C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Cookies:realmedia.com
   C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Cookies:revsci.net
   C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Cookies:specificclick.net
   C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Cookies:tribalfusion.com
   C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Cookies:yieldmanager.net
   C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Cookies:zedo.com
   C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Cookies\1LA2KXED.txt
   C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Cookies\1O3QMYRG.txt
   C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Cookies\38IQTUCT.txt
   C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Cookies\49HE2ZLA.txt
   C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Cookies\4S6B44OW.txt
   C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Cookies\9DY949X3.txt
   C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Cookies\9W88P3R3.txt
   C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Cookies\AAPCEYB2.txt
   C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Cookies\AKRCI8VE.txt
   C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Cookies\ANNTSDFS.txt
   C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Cookies\AR8M9WSQ.txt
   C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Cookies\AV0RPULD.txt
   C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Cookies\BI81VZHX.txt
   C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Cookies\BL1F66UY.txt
   C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Cookies\BZTQSWM0.txt
   C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Cookies\C79U7J6O.txt
   C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Cookies\CFNS3U40.txt
   C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Cookies\E5MRDH0V.txt
   C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Cookies\F7U79CVB.txt
   C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Cookies\GFCE1LDD.txt
   C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Cookies\I9KXK8LM.txt
   C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Cookies\MXLDDJOA.txt
   C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Cookies\O34IPFO9.txt
   C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Cookies\OSMA60VR.txt
   C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Cookies\P9BP3IHX.txt
   C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Cookies\PAL4VCAJ.txt
   C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Cookies\TAAE2R6M.txt
   C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Cookies\TU1L1C9D.txt
   C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Cookies\UJL7IA08.txt
   C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Cookies\VB2DA3CK.txt
   C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Cookies\Y5K133DT.txt
   C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Cookies\YDO68RNC.txt
   C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Cookies\ZZICUKD4.txt
   C:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\xibtwus7.default\cookies.sqlite:2o7.net
   C:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\xibtwus7.default\cookies.sqlite:ad.yieldmanager.com
   C:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\xibtwus7.default\cookies.sqlite:doubleclick.net
   C:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\xibtwus7.default\cookies.sqlite:eset.122.2o7.net
   C:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\xibtwus7.default\cookies.sqlite:invitemedia.com
   C:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\xibtwus7.default\cookies.sqlite:paypal.112.2o7.net
   C:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\xibtwus7.default\cookies.sqlite:stat.onestat.com
   C:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\xibtwus7.default\cookies.sqlite:statcounter.com
   C:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\xibtwus7.default\cookies.sqlite:stats.paypal.com
   C:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\xibtwus7.default\cookies.sqlite:statse.webtrendslive.com
   C:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\xibtwus7.default\cookies.sqlite:yadro.ru


Status: Vulnerability (events: 8)
2/2/2013 10:14:53 PM Vulnerability vulnerability http://www.securelist.com/en/advisories/43269 C:\Program Files\Adobe\Reader 8.0\Reader\AcroRd32.dll Low
2/2/2013 10:25:58 PM Vulnerability vulnerability http://www.securelist.com/en/advisories/50949 C:\Program Files\Java\jre6\bin\java.exe Low
2/2/2013 11:14:57 PM Vulnerability vulnerability http://www.securelist.com/en/advisories/0 C:\Windows\System32\msxml4.dll Low
2/2/2013 11:15:19 PM Vulnerability vulnerability http://www.securelist.com/en/advisories/51090 C:\Windows\System32\Adobe\Shockwave 11\SwInit.exe Low
2/2/2013 11:28:29 PM Vulnerability vulnerability http://www.securelist.com/en/advisories/51771 C:\Windows\System32\Macromed\Flash\NPSWF32_11_4_402_278.dll Low
2/2/2013 11:43:43 PM Vulnerability vulnerability http://www.securelist.com/en/advisories/51226 c:\Program Files\QuickTime\QuickTimePlayer.exe Low
2/2/2013 11:49:15 PM Vulnerability vulnerability http://www.securelist.com/en/advisories/51771 c:\Windows\System32\Macromed\Flash\NPSWF32_11_4_402_278.dll Low
2/2/2013 11:49:16 PM Vulnerability vulnerability http://www.securelist.com/en/advisories/0 c:\Windows\System32\msxml4.dll Low
 
Any more issues?

We need to know any other issues that are plaguing your computer. Kindly give a summary so we know how to continue from here.

Many of the things to note for us would be:

  • Slow computer
  • Error messages
  • Fake antivirus alerts or the icon in the system tray
  • svchost.exe running at 100%
  • System crashes or blue screen of death

Note: Absence of issues does not mean that you're protected in the future.
 
I haven't been using this laptop much while we have been working on it because I didn't want to interfere with any logs or fixes. I have used it to stream some video and have observed its behavior while working on it. The computer is as fast as normal with no apparent problems other than a pop up that shows up when I reboot. The message says "Invalid or missing resource files in the installation directory. Please reinstall Extender Player". This could be associated with a game that tried to install on my computer that I stopped and wanted cleaned out but didn't want to start making changes and deleting things while we were working on it. I have a shortcut on my desktop to "more free games" which I do not want. I was going to try and delete this completely and fix the popup. If you have any instructions as to this or any more instructions as to cleaning any remaining malware out I am ready. Everything else checks out ok, no system crashes. No fake alerts or icons.
 
That popup can be ceased on boot...

SystemLook x86 scan

Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2
  • Double-click SystemLook.exe to run it.
  • Copy the content of the following codebox into the main textfield:
    :regfind
    Extender Player
    "Extender Player"
  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt
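As an added example (not SystemLook and not the helper's script), the same :regfind search done in PowerShell, assuming the search term "Extender Player" and an elevated prompt for full HKLM coverage; it also lists the Run/RunOnce autostart keys first, since a popup that appears at every boot normally comes from an entry there.

```powershell
# Added example, not SystemLook's code: a PowerShell equivalent of the :regfind
# step above. Searches key names, value names and value data under the given
# hives for a case-insensitive substring and prints the autostart keys first.
# Assumed search term: "Extender Player" (the string from the boot popup).
param(
    [string]$Pattern = 'Extender Player',
    [string[]]$Hives = @('HKLM:\SOFTWARE', 'HKCU:\Software')
)

# Standard autostart locations; anything here launches at logon, so a missing
# program referenced here produces exactly the kind of popup described.
$AutostartKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)

function Find-RegistryString {
    param([string]$Root, [string]$Needle)
    $hits = New-Object System.Collections.Generic.List[object]
    # Escape the needle so characters like '.' or '(' are matched literally;
    # -match is case-insensitive by default, like SystemLook's search.
    $rx = [regex]::Escape($Needle)
    # SilentlyContinue skips keys the current token is not allowed to open.
    Get-ChildItem -Path $Root -Recurse -ErrorAction SilentlyContinue | ForEach-Object {
        $key = $_
        if ($key.PSChildName -match $rx) {
            $hits.Add([pscustomobject]@{ Key = $key.Name; Name = '(key name)'; Data = '' })
        }
        foreach ($name in $key.GetValueNames()) {
            $data = [string]$key.GetValue($name)
            if ($name -match $rx -or $data -match $rx) {
                $hits.Add([pscustomobject]@{ Key = $key.Name; Name = $name; Data = $data })
            }
        }
    }
    return $hits
}

Write-Host "== Autostart entries (review these first) =="
foreach ($k in $AutostartKeys) {
    if (Test-Path $k) {
        Write-Host $k
        Get-ItemProperty -Path $k | Select-Object -Property * -ExcludeProperty PS* | Format-List
    }
}

Write-Host "== regfind: '$Pattern' =="
foreach ($hive in $Hives) {
    Find-RegistryString -Root $hive -Needle $Pattern | Format-Table -AutoSize -Wrap
}
```

Run it as `.\Find-RegString.ps1 -Pattern 'Extender Player'`; a hit under one of the Run keys whose Data points at a path that no longer exists is the usual cause of a "please reinstall" message at boot.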
 
Doesn't look like much in the way of results. Did it just like you asked. Log results of SystemLook:


SystemLook 30.07.11 by jpshortstuff
Log created at 17:05 on 04/02/2013 by Administrator
Administrator - Elevation successful

========== regfind ==========

Searching for "Extender Player"
No data found.

Searching for ""Extender Player""
No data found.

-= EOF =-
 
Looks like better results with new script. New log:


SystemLook 30.07.11 by jpshortstuff
Log created at 13:05 on 05/02/2013 by Administrator
Administrator - Elevation successful

========== regfind ==========

Searching for "EXTender"
[HKEY_CURRENT_USER\Software\Classes\Local Settings\MuiCache\2A2\52C64B7E]
"@%SystemRoot%\ehome\ehres.dll,-15502"="Allows Media Center Extenders to locate and connect to the computer."
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{083863F1-70DE-11D0-BD40-00A0C911CE86}\Instance\{E55A0B49-2F73-44D4-AD66-48966DED31BA}]
"FriendlyName"="Media Center Extender Encryption Filter"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{897708D5-9657-4C08-903C-40A1CB534992}]
@="WebExtenderClient Class"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{897708D5-9657-4C08-903C-40A1CB534992}\ProgID]
@="WECAPI5.WebExtenderClient.3"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{897708D5-9657-4C08-903C-40A1CB534992}\VersionIndependentProgID]
@="WECAPI5.WebExtenderClient"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E55A0B49-2F73-44D4-AD66-48966DED31BA}]
@="Media Center Extender Encryption Filter"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{f77d9c1c-5aff-4341-b028-57f7510aa91c}]
@="CLSID_AssociationListExtender"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{4DB06329-23F4-443B-9ABD-9CF611E8AE07}]
@="IExtenderProvider"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{8D0AA9CC-8465-42F3-AD6E-DFDE28CCC75D}]
@="ObjectExtenders"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{914934C0-5A91-11CF-8700-00AA0060263B}]
@="OCXExtender"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{AD0FD906-EB8C-41B2-9856-4F6D7FC5A8E9}]
@="IAssociationListExtender"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{B85F43C4-C765-4984-AE3D-695E8CD8E992}]
@="IInternalExtenderProvider"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{E57C510B-968B-4A3C-A467-EE4013157DC9}]
@="IExtenderSite"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{F69B64A3-9017-4E48-9784-E152B51AA722}]
@="IExtenderProviderUnk"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\NetworkExplorerPlugins\urn:schemas-microsoft-com:device:MediaCenterExtender:1]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\NetworkExplorerPlugins\urn:schemas-microsoft-com:device:MediaCenterExtender:1\Shell\Configure\Command]
@="C:\Windows\ehome\ehshell.exe -extender"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\NetworkExplorerPlugins\urn:schemas-microsoft-com:device:MediaCenterExtenderMFD:1]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\NetworkExplorerPlugins\urn:schemas-microsoft-com:device:MediaCenterExtenderMFD:1\Shell\Configure\Command]
@="C:\Windows\ehome\ehshell.exe -extender"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WECAPI5.WebExtenderClient]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WECAPI5.WebExtenderClient]
@="WebExtenderClient Class"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WECAPI5.WebExtenderClient.3]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WECAPI5.WebExtenderClient.3]
@="WebExtenderClient Class"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Publishers\{7b7838a3-6562-4269-bb7a-97b0d9593882}]
@="Microsoft-Windows-Media Center Extender"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{43675D81-502A-4A82-9F84-B75F418C5DEA}]
"Class"="Media Center Extender"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{43675D81-502A-4A82-9F84-B75F418C5DEA}]
@="Media Center Extender"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\Boot Bus Extender]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\System Bus Extender]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Network\Boot Bus Extender]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Network\System Bus Extender]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\ServiceGroupOrder]
"List"="System Reserved EMS WdfLoadGroup Boot Bus Extender System Bus Extender SCSI miniport Port Primary Disk SCSI Class SCSI CDROM Class FSFilter Infrastructure FSFilter System FSFilter Bottom FSFilter Copy Protection FSFilter Security Enhancer FSFilter Open File FSFilter Physical Quota Management FSFilter Virtualization FSFilter Encryption FSFilter Compression FSFilter Imaging FSFilter HSM FSFilter Cluster File System FSFilter System Recovery FSFilter Quota Management FSFilter Content Screener FSFilter Continuous Backup FSFilter Replication FSFilter Anti-Virus FSFilter Undelete FSFilter Activity Monitor FSFilter Top Filter Boot File System Base Pointer Port Keyboard Port Pointer Class Keyboard Class Video Init Video Video Save File System Streams Drivers NDIS Wrapper COM Infrastructure Event Log AudioGroup ProfSvc_Group UIGroup MS_WindowsLocalValidation PlugPlay ValiditySensors Cryptography PNP_TDI NDIS TDI iSCSI NetBIOSGroup ShellSvcGrou
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\ACPI]
"Group"="Boot Bus Extender"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\aliide]
"Group"="System Bus Extender"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\amdide]
"Group"="System Bus Extender"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\cmdide]
"Group"="System Bus Extender"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\Compbatt]
"Group"="System Bus Extender"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\intelide]
"Group"="System Bus Extender"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\isapnp]
"Group"="Boot Bus Extender"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\mountmgr]
"Group"="System Bus Extender"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\mpio]
"Group"="Boot Bus Extender"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\msdsm]
"Group"="System Bus Extender"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\msisadrv]
"Group"="Boot Bus Extender"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\nvraid]
"Group"="System Bus Extender"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\partmgr]
"Group"="Boot Bus Extender"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\pci]
"Group"="Boot Bus Extender"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\pciide]
"Group"="System Bus Extender"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\pcmcia]
"Group"="System Bus Extender"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\sdbus]
"Group"="System Bus Extender"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\vdrvroot]
"Group"="Boot Bus Extender"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\viaide]
"Group"="System Bus Extender"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\vmbus]
"Group"="System Bus Extender"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\volmgr]
"Group"="System Bus Extender"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\volmgrx]
"Group"="System Bus Extender"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\Class\{43675D81-502A-4A82-9F84-B75F418C5DEA}]
"Class"="Media Center Extender"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\Class\{43675D81-502A-4A82-9F84-B75F418C5DEA}]
@="Media Center Extender"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\SafeBoot\Minimal\Boot Bus Extender]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\SafeBoot\Minimal\System Bus Extender]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\SafeBoot\Network\Boot Bus Extender]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\SafeBoot\Network\System Bus Extender]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\ServiceGroupOrder]
"List"="System Reserved EMS WdfLoadGroup Boot Bus Extender System Bus Extender SCSI miniport Port Primary Disk SCSI Class SCSI CDROM Class FSFilter Infrastructure FSFilter System FSFilter Bottom FSFilter Copy Protection FSFilter Security Enhancer FSFilter Open File FSFilter Physical Quota Management FSFilter Virtualization FSFilter Encryption FSFilter Compression FSFilter Imaging FSFilter HSM FSFilter Cluster File System FSFilter System Recovery FSFilter Quota Management FSFilter Content Screener FSFilter Continuous Backup FSFilter Replication FSFilter Anti-Virus FSFilter Undelete FSFilter Activity Monitor FSFilter Top Filter Boot File System Base Pointer Port Keyboard Port Pointer Class Keyboard Class Video Init Video Video Save File System Streams Drivers NDIS Wrapper COM Infrastructure Event Log AudioGroup ProfSvc_Group UIGroup MS_WindowsLocalValidation PlugPlay ValiditySensors Cryptography PNP_TDI NDIS TDI iSCSI NetBIOSGroup ShellSvcGrou
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\services\ACPI]
"Group"="Boot Bus Extender"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\services\aliide]
"Group"="System Bus Extender"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\services\amdide]
"Group"="System Bus Extender"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\services\cmdide]
"Group"="System Bus Extender"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\services\Compbatt]
"Group"="System Bus Extender"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\services\intelide]
"Group"="System Bus Extender"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\services\isapnp]
"Group"="Boot Bus Extender"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\services\mountmgr]
"Group"="System Bus Extender"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\services\mpio]
"Group"="Boot Bus Extender"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\services\msdsm]
"Group"="System Bus Extender"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\services\msisadrv]
"Group"="Boot Bus Extender"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\services\nvraid]
"Group"="System Bus Extender"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\services\partmgr]
"Group"="Boot Bus Extender"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\services\pci]
"Group"="Boot Bus Extender"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\services\pciide]
"Group"="System Bus Extender"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\services\pcmcia]
"Group"="System Bus Extender"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\services\sdbus]
"Group"="System Bus Extender"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\services\vdrvroot]
"Group"="Boot Bus Extender"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\services\viaide]
"Group"="System Bus Extender"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\services\vmbus]
"Group"="System Bus Extender"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\services\volmgr]
"Group"="System Bus Extender"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\services\volmgrx]
"Group"="System Bus Extender"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{43675D81-502A-4A82-9F84-B75F418C5DEA}]
"Class"="Media Center Extender"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{43675D81-502A-4A82-9F84-B75F418C5DEA}]
@="Media Center Extender"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Boot Bus Extender]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\System Bus Extender]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\Boot Bus Extender]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network\System Bus Extender]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\ServiceGroupOrder]
"List"="System Reserved EMS WdfLoadGroup Boot Bus Extender System Bus Extender SCSI miniport Port Primary Disk SCSI Class SCSI CDROM Class FSFilter Infrastructure FSFilter System FSFilter Bottom FSFilter Copy Protection FSFilter Security Enhancer FSFilter Open File FSFilter Physical Quota Management FSFilter Virtualization FSFilter Encryption FSFilter Compression FSFilter Imaging FSFilter HSM FSFilter Cluster File System FSFilter System Recovery FSFilter Quota Management FSFilter Content Screener FSFilter Continuous Backup FSFilter Replication FSFilter Anti-Virus FSFilter Undelete FSFilter Activity Monitor FSFilter Top Filter Boot File System Base Pointer Port Keyboard Port Pointer Class Keyboard Class Video Init Video Video Save File System Streams Drivers NDIS Wrapper COM Infrastructure Event Log AudioGroup ProfSvc_Group UIGroup MS_WindowsLocalValidation PlugPlay ValiditySensors Cryptography PNP_TDI NDIS TDI iSCSI NetBIOSGroup ShellSvc
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\ACPI]
"Group"="Boot Bus Extender"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\aliide]
"Group"="System Bus Extender"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\amdide]
"Group"="System Bus Extender"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\cmdide]
"Group"="System Bus Extender"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\Compbatt]
"Group"="System Bus Extender"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\intelide]
"Group"="System Bus Extender"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\isapnp]
"Group"="Boot Bus Extender"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\mountmgr]
"Group"="System Bus Extender"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\mpio]
"Group"="Boot Bus Extender"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\msdsm]
"Group"="System Bus Extender"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\msisadrv]
"Group"="Boot Bus Extender"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\nvraid]
"Group"="System Bus Extender"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\partmgr]
"Group"="Boot Bus Extender"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\pci]
"Group"="Boot Bus Extender"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\pciide]
"Group"="System Bus Extender"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\pcmcia]
"Group"="System Bus Extender"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\sdbus]
"Group"="System Bus Extender"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\vdrvroot]
"Group"="Boot Bus Extender"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\viaide]
"Group"="System Bus Extender"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\vmbus]
"Group"="System Bus Extender"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\volmgr]
"Group"="System Bus Extender"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\volmgrx]
"Group"="System Bus Extender"
[HKEY_USERS\.DEFAULT\Software\Classes\Local Settings\MuiCache\2A2\52C64B7E]
"@%SystemRoot%\ehome\ehres.dll,-15501"="Media Center Extender Service"
[HKEY_USERS\S-1-5-21-806783369-3586686801-2702779342-500\Software\Classes\Local Settings\MuiCache\2A2\52C64B7E]
"@%SystemRoot%\ehome\ehres.dll,-15502"="Allows Media Center Extenders to locate and connect to the computer."
[HKEY_USERS\S-1-5-21-806783369-3586686801-2702779342-500_Classes\Local Settings\MuiCache\2A2\52C64B7E]
"@%SystemRoot%\ehome\ehres.dll,-15502"="Allows Media Center Extenders to locate and connect to the computer."
[HKEY_USERS\S-1-5-18\Software\Classes\Local Settings\MuiCache\2A2\52C64B7E]
"@%SystemRoot%\ehome\ehres.dll,-15501"="Media Center Extender Service"

Searching for "GPlayer"
[HKEY_CURRENT_USER\Software\Microsoft\DirectInput\MostRecentApplication]
"Name"="GPLAYER.EXE"
[HKEY_CURRENT_USER\Software\Microsoft\DirectInput\MostRecentApplication]
"Id"="GPLAYER.EXE503F754D004AB1D8"
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\LowRegistry\Audio\PolicyConfig\PropertyStore\a3714275_0]
@="{0.0.0.00000000}.{03d76a47-3195-4297-8466-33c52c1101a2}|\Device\HarddiskVolume1\Program Files\Free Ride Games\GPlayer.exe%b{00000000-0000-0000-0000-000000000000}"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Exetender"=""C:\Program Files\Free Ride Games\GPlayer.exe" /runonstartup"
[HKEY_CURRENT_USER\Software\Classes\Applications\GPlayer.exe]
[HKEY_CURRENT_USER\Software\Classes\Applications\GPlayer.exe]
"TaskbarGroupIcon"="C:\Program Files\Free Ride Games\Skins\000005\icon\GPlayer.ico"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\EXEtender\Shell\Open\Command]
@=""C:\Program Files\Free Ride Games\GPlayer.exe" %1"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Direct3D\MostRecentApplication]
"Name"="GPlayer.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{8EBFFAE0-F0A4-4ee6-8524-2751906624C4}]
"AppName"="GPlayer.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\GPlayer_RASAPI32]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\GPlayer_RASMANCS]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Exetender"=""C:\Program Files\Free Ride Games\GPlayer.exe" /runonstartup"
[HKEY_USERS\S-1-5-21-806783369-3586686801-2702779342-500\Software\Microsoft\DirectInput\MostRecentApplication]
"Name"="GPLAYER.EXE"
[HKEY_USERS\S-1-5-21-806783369-3586686801-2702779342-500\Software\Microsoft\DirectInput\MostRecentApplication]
"Id"="GPLAYER.EXE503F754D004AB1D8"
[HKEY_USERS\S-1-5-21-806783369-3586686801-2702779342-500\Software\Microsoft\Internet Explorer\LowRegistry\Audio\PolicyConfig\PropertyStore\a3714275_0]
@="{0.0.0.00000000}.{03d76a47-3195-4297-8466-33c52c1101a2}|\Device\HarddiskVolume1\Program Files\Free Ride Games\GPlayer.exe%b{00000000-0000-0000-0000-000000000000}"
[HKEY_USERS\S-1-5-21-806783369-3586686801-2702779342-500\Software\Microsoft\Windows\CurrentVersion\Run]
"Exetender"=""C:\Program Files\Free Ride Games\GPlayer.exe" /runonstartup"
[HKEY_USERS\S-1-5-21-806783369-3586686801-2702779342-500\Software\Classes\Applications\GPlayer.exe]
[HKEY_USERS\S-1-5-21-806783369-3586686801-2702779342-500\Software\Classes\Applications\GPlayer.exe]
"TaskbarGroupIcon"="C:\Program Files\Free Ride Games\Skins\000005\icon\GPlayer.ico"
[HKEY_USERS\S-1-5-21-806783369-3586686801-2702779342-500_Classes\Applications\GPlayer.exe]
[HKEY_USERS\S-1-5-21-806783369-3586686801-2702779342-500_Classes\Applications\GPlayer.exe]
"TaskbarGroupIcon"="C:\Program Files\Free Ride Games\Skins\000005\icon\GPlayer.ico"
[HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Run]
"Exetender"=""C:\Program Files\Free Ride Games\GPlayer.exe" /runonstartup"

-= EOF =-
 
OTL Fix

Please run OTL
  • Under the Custom Scans/Fixes box at the bottom, copy and paste in the following:

    :reg
    [HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Run]
    "Exetender"=-

    :commands
    [emptytemp]
    [reboot]
  • Then click the Run Fix button at the top.
  • Note: The fix for OTL automatically hides your Desktop and Start menu so the fix can be completed. Do not be alerted, as this is normal.
  • Please do not exit the program. It might take a while to fix, but allow it to run. If it asks to reboot the computer, allow it to reboot. If the program freezes, and the computer fails to reboot - let me know.
    Lastly, post the contents of the log. (Located at C:\_OTL\Moved Files)

Let me know of any more issues...
 
The program ran quickly and asked to remove media from the drive for reboot, but the drive is empty; I hit the power button for a reboot after removing a flash drive that I have been saving logs on, and it rebooted to Windows then. Pesky popup still there!! Here is the log:


All processes killed
========== REGISTRY ==========
Registry value HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Run\\Exetender deleted successfully.
========== COMMANDS ==========

[EMPTYTEMP]

User: Administrator
->Temp folder emptied: 1182 bytes
->Temporary Internet Files folder emptied: 118666 bytes
->Java cache emptied: 0 bytes
->FireFox cache emptied: 56587509 bytes
->Google Chrome cache emptied: 0 bytes
->Flash cache emptied: 1037 bytes

User: All Users

User: Default
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: Public
->Temp folder emptied: 0 bytes

User: user
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Flash cache emptied: 0 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 83179 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 0 bytes
RecycleBin emptied: 279590 bytes

Total Files Cleaned = 54.00 mb


OTL by OldTimer - Version 3.2.69.0 log created on 02052013_193914

Files\Folders moved on Reboot...
File move failed. C:\windows\temp\_avast_\Webshlock.txt scheduled to be moved on reboot.

PendingFileRenameOperations files...

Registry entries deleted on Reboot...
 
I have a program, "Tune Up Utilities 2012", on my computer, and it has a section that allows me to enable or disable start-up programs. In the list I disabled "Extender Player". No more pop-up, but that only stops the program from booting with Windows; it is still somewhere on the computer. As for those free games shortcuts, some type of malware must have done that, because they only opened my browser to the download page for games. I immediately closed and deleted the shortcuts. I deleted a couple of old shortcuts that have been broken since the cleanup of the computer and shouldn't have been there anyway. I could try to manually find any "Extender Player" files or programs on the computer and delete them, but I will wait for your instructions before doing anything else.
 
I can't find any "GPlayer" on any program list, but I have found "Cradle of Rome", "Heroes of Hellas", "Time Riddles: The Mansion", and "7 Wonders II". "GPlayer" is not to be found on any program list anywhere, even when I use "My Computer" to go to program install and uninstall. The game listings show up, but it won't let me uninstall them, and the best I can do is that sometimes, when I think I am going to get one to uninstall, that same pesky popup comes up about reinstalling "Extender Player". The only problem is I can't find any files relating to it with search. I am unsure how to clean these out. All the games show they were installed on 12/22/2012, but I don't try to open any because I don't want to let it get deeper in. Any advice?
 
Then please tell me how to get rid of this. I am locked out of deleting it!!! Thanks for all your help also. And NO, there is no sign of "Extender Player" in any program list, file list, or anywhere I can find. I even looked in the Accessories folder and all.
 
GPlayer is part of Free Ride Games, so it's probably bundled inside the program. :p

OTL Fix

Please run OTL
  • Under the Custom Scans/Fixes box at the bottom, copy and paste in the following:

    :reg
    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
    "Exetender"=-
    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "Exetender"=-
    [HKEY_USERS\S-1-5-21-806783369-3586686801-2702779342-500\Software\Microsoft\Windows\CurrentVersion\Run]
    "Exetender"=-
    [HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Run]
    "Exetender"=-

    :commands
    [emptytemp]
    [reboot]
  • Then click the Run Fix button at the top.
  • Note: The fix for OTL automatically hides your Desktop and Start menu so the fix can be completed. Do not be alerted, as this is normal.
  • Please do not exit the program. It might take a while to fix, but allow it to run. If it asks to reboot the computer, allow it to reboot. If the program freezes, and the computer fails to reboot - let me know.
    Lastly, post the contents of the log. (Located at C:\_OTL\Moved Files)

Let me know if this did the trick. :)
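The two OTL fixes above delete one autorun value by name from a fixed list of hives (`"Exetender"=-` in a `:reg` block removes the value). As an added example that is not part of this thread and not OTL's own code, the PowerShell below does the equivalent from an elevated prompt, but walks every hive currently loaded under HKEY_USERS instead of a hand-typed list, flags any Run value whose command line launches GPlayer.exe even if the value has been renamed, and then lists Uninstall entries still pointing at the Free Ride Games folder (the games the poster could not remove). The value name `Exetender`, the executable `GPlayer.exe` and the folder name `Free Ride Games` are taken from the "Searching for GPlayer" output; everything else (variable names, the `-WhatIf` preview) is an assumption of this example. Only hives that are loaded appear under HKEY_USERS, so a user who is not logged on is not covered by this or by the OTL fix.

```powershell
# Added example, not from the thread or from OTL: audit and clean the Run keys
# the OTL :reg blocks targeted, then list leftover Uninstall entries.
# Run from an elevated PowerShell prompt. Remove -WhatIf to actually delete.

$ValueName  = 'Exetender'                                        # from the SystemLook output
$ExePattern = 'GPlayer\.exe'                                     # regex, matched against the command line
$RunSubKey  = 'Software\Microsoft\Windows\CurrentVersion\Run'

# PowerShell maps HKLM: and HKCU: by default; HKEY_USERS needs its own drive.
if (-not (Get-PSDrive -Name HKU -ErrorAction SilentlyContinue)) {
    New-PSDrive -Name HKU -PSProvider Registry -Root HKEY_USERS | Out-Null
}

# Every loaded hive under HKEY_USERS: .DEFAULT, S-1-5-18 (SYSTEM), S-1-5-19/20,
# and each S-1-5-21-* interactive user. HKCU is one of these S-1-5-21-* hives,
# so it does not need a separate entry. The *_Classes hives carry no Run key.
$hives = Get-ChildItem -Path 'HKU:\' |
         Where-Object { $_.PSChildName -notlike '*_Classes' } |
         ForEach-Object { "HKU:\$($_.PSChildName)" }

function Get-RunEntries {
    param([string[]]$HiveRoots, [string]$SubKey)
    foreach ($root in $HiveRoots) {
        $key = Join-Path $root $SubKey
        if (-not (Test-Path $key)) { continue }
        $item = Get-Item -Path $key                               # Microsoft.Win32.RegistryKey
        foreach ($name in $item.GetValueNames()) {
            [pscustomobject]@{
                Hive    = $root
                Name    = $name
                Command = [string]$item.GetValue($name)
            }
        }
    }
}

$entries = Get-RunEntries -HiveRoots $hives -SubKey $RunSubKey

# 1. Report every autorun that launches GPlayer.exe, whatever the value is called,
#    so a renamed entry does not slip past a fix that only knows "Exetender".
$entries | Where-Object { $_.Command -match $ExePattern } | Format-Table -AutoSize

# 2. Delete the named value from each hive where it exists; this is what the
#    "Exetender"=- lines in the OTL fix do. -WhatIf previews without changing anything.
foreach ($e in ($entries | Where-Object { $_.Name -eq $ValueName })) {
    Remove-ItemProperty -Path (Join-Path $e.Hive $RunSubKey) -Name $e.Name -WhatIf
}

# 3. Removing the autorun leaves the program on disk. Show the Uninstall entries
#    that still point at the bundle's folder (Wow6432Node is absent on x86 Windows,
#    hence SilentlyContinue), with the date the poster noticed, so they can be
#    uninstalled or cleaned up deliberately rather than left as remnants.
$uninstallRoots = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Uninstall',
    'HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Uninstall'
)
Get-ChildItem -Path $uninstallRoots -ErrorAction SilentlyContinue |
    ForEach-Object { Get-ItemProperty -Path $_.PSPath } |
    Where-Object { "$($_.UninstallString) $($_.InstallLocation)" -match 'Free Ride Games' } |
    Select-Object DisplayName, UninstallString, InstallDate |
    Format-Table -AutoSize
```

Step 1 is the check worth keeping even after the fix reports "not found": it matches on what the value runs, not what it is called. Step 2 only stops the autostart; the executable under Program Files and the Uninstall entries from step 3 remain until they are removed separately.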
 
That helped a lot. Where I was using "Tune Up Utilities" to prevent that Extender Player popup on reboot, this took it completely away. I do, however, still have these listed in the program uninstall list through My Computer: Cradle of Rome, Heroes of Hellas, Time Riddles: The Mansion, and 7 Wonders II. It will not let me uninstall them. It will say something to the effect that they are a part of Extender Player and it wasn't uninstalled properly, and then blocks me from doing anything with them. Other than that everything is fine, and these programs or files or remnants or whatever don't seem to be causing problems, but I wonder why they are still there and what they might do in the future. Here is the log:


All processes killed
========== REGISTRY ==========
Registry value HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\\Exetender not found.
Registry value HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run\\Exetender not found.
Registry value HKEY_USERS\S-1-5-21-806783369-3586686801-2702779342-500\Software\Microsoft\Windows\CurrentVersion\Run\\Exetender not found.
Registry value HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Run\\Exetender not found.
========== COMMANDS ==========

[EMPTYTEMP]

User: Administrator
->Temp folder emptied: 273013 bytes
->Temporary Internet Files folder emptied: 35882 bytes
->Java cache emptied: 0 bytes
->FireFox cache emptied: 11616599 bytes
->Google Chrome cache emptied: 0 bytes
->Flash cache emptied: 492 bytes

User: All Users

User: Default
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: Public
->Temp folder emptied: 0 bytes

User: user
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Flash cache emptied: 0 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 66016 bytes
%systemroot%\system32\config\systemprofile\Local Settings\Temporary Internet Files folder emptied: 0 bytes
RecycleBin emptied: 7376346 bytes

Total Files Cleaned = 18.00 mb


OTL by OldTimer - Version 3.2.69.0 log created on 02082013_165718

Files\Folders moved on Reboot...
File move failed. C:\windows\temp\_avast_\Webshlock.txt scheduled to be moved on reboot.

PendingFileRenameOperations files...

Registry entries deleted on Reboot...
 