ukash (Cheshire Police) help needed

jondeevoy

New Member
Thread author
Feb 26, 2013
8
As above, I'm not sure if this 'Cheshire Police' virus is a new version, but it seems to be stubborn. No OTL or asw logs, but I have attached the FRST log.
 

Attachments

  • FRST.txt (19.2 KB)

Fiery

Level 1
Jan 11, 2011
2,007
Hi and welcome to MalwareTips! :)

I'm Fiery and I would gladly assist you in removing the malware on your computer.

Before we start:
  • Note that the removal process is not immediate. Depending on the severity of your infection, it could take a long time.
  • Malware removal can be dangerous. I cannot guarantee the safety of your system as malware can be unpredictable. It is possible that we might encounter situations where the only recourse is to re-format and re-install your operating system. Therefore, I would advise you to backup all your important files before we start.
  • Please be patient and stay with me until I give you the green light and inform you that your PC is clean.
  • Some tools may be flagged by your antivirus as harmful. Rest assured that ALL the tools we use are safe; the detections are false positives.
  • The absence of symptoms does not mean your PC is fully disinfected.
  • If you are unclear about the instructions, please stop and ask. Following the steps in the order that I post them in is vital.
  • Lastly, if you have requested help on other sites, that will delay and hinder the removal process. Please only stick to one site.


Open notepad and copy & paste the following:

HKU\HP\...\Winlogon: [Shell] explorer.exe,C:\Users\HP\AppData\Roaming\skype.dat [156672 2011-11-16] (226 KB )
2013-02-26 03:20 - 2013-02-26 04:42 - 00000004 ____A C:\Users\HP\AppData\Roaming\skype.ini

and save it as fixlist.txt onto your flash drive.

Then, boot to system recovery, plug in your flash drive, open FRST and click fix. Post the generated log. Attempt to boot to normal mode now and run OTL.

Download OTL by Old Timer from here and save it to your Desktop.
  • Double click on OTL.exe to run it.
  • Click the Scan All Users checkbox.
  • Check the boxes beside LOP Check and Purity Check
  • Click on Run Scan at the top left hand corner.
  • When done, two Notepad files will open.
    • OTL.txt <-- Will be opened
    • Extra.txt <-- Will be minimized
  • Please attach the contents of these 2 Notepad files in your next reply.
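
The FRST fixlist in the reply above targets a Winlogon Shell hijack, the persistence spot this family of lock screens favours: Windows starts every comma-separated entry of the Shell value, so appending a loader after explorer.exe keeps the real desktop working while the lock screen also runs. Here the per-user HKU value carried explorer.exe,C:\Users\HP\AppData\Roaming\skype.dat, whereas OTL's O20 lines only report the HKLM values, so a triage check has to read both hives. The Python below is an added example, not a MalwareTips tool and not part of FRST or OTL: it scans FRST and OTL log lines for Shell/Userinit values and flags any entry that is not the stock binary loaded from the Windows directory. The expected binary names, the trusted directories and the constructed Userinit sample line are assumptions of this example; the first three sample lines are copied from the logs on this page.

```python
"""Flag Winlogon Shell/Userinit hijacks in FRST and OTL log lines (added example)."""
import re
from typing import Dict, Iterable, List

# Stock Winlogon binaries on Windows 7 (assumption of this example, matching the log above).
EXPECTED = {"shell": "explorer.exe", "userinit": "userinit.exe"}
# Directories the genuine binaries load from, lower-case (assumed defaults for a C: install).
TRUSTED_DIRS = {r"c:\windows", r"c:\windows\system32"}

# FRST shape: HKU\HP\...\Winlogon: [Shell] explorer.exe,C:\...\skype.dat [156672 2011-11-16] (226 KB )
FRST_RE = re.compile(
    r"^(?P<key>HK\S*?\\Winlogon): \[(?P<value>Shell|Userinit)\] (?P<data>.+?)"
    r"(?: \[\d+ \d{4}-\d{2}-\d{2}\].*)?$"
)
# OTL shape: O20 - HKLM Winlogon: Shell - (explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)
OTL_RE = re.compile(
    r"^O20 - (?P<key>HK\S*?)[\\ ]Winlogon: (?P<value>Shell|UserInit) - \((?P<data>[^)]*)\) - .*$"
)

SAMPLE_LINES = [
    # From the FRST log quoted above: the lock-screen loader chained after explorer.exe.
    r"HKU\HP\...\Winlogon: [Shell] explorer.exe,C:\Users\HP\AppData\Roaming\skype.dat [156672 2011-11-16] (226 KB )",
    # From the OTL log later in this thread: clean HKLM values.
    r"O20 - HKLM Winlogon: Shell - (explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)",
    r"O20 - HKLM Winlogon: UserInit - (C:\Windows\system32\userinit.exe) - C:\Windows\System32\userinit.exe (Microsoft Corporation)",
    # Constructed for this example (not from the page): a Userinit hijack that keeps the real binary.
    r"O20 - HKLM Winlogon: UserInit - (C:\Windows\system32\userinit.exe,C:\ProgramData\loader.exe) - File not found",
]


def _components(data: str) -> List[str]:
    """Split a Winlogon value on commas; Windows runs every entry, so each must be checked."""
    return [c.strip() for c in data.split(",") if c.strip()]


def _suspicious(value: str, data: str) -> List[str]:
    """Return the entries that are not the stock binary, or load it from an untrusted directory."""
    expected = EXPECTED[value.lower()]
    bad = []
    for entry in _components(data):
        directory, _, name = entry.strip('"').rpartition("\\")
        if name.lower() != expected:
            bad.append(entry)
        elif directory and directory.lower() not in TRUSTED_DIRS:
            bad.append(entry)
    return bad


def find_winlogon_hijacks(lines: Iterable[str]) -> List[Dict[str, object]]:
    """Scan FRST/OTL lines (any hive) and report Shell/Userinit values with non-stock entries."""
    findings = []
    for line in lines:
        m = FRST_RE.match(line.strip()) or OTL_RE.match(line.strip())
        if not m:
            continue
        bad = _suspicious(m["value"], m["data"])
        if bad:
            findings.append({"key": m["key"], "value": m["value"], "entries": bad})
    return findings


if __name__ == "__main__":
    import sys
    lines = SAMPLE_LINES
    if len(sys.argv) > 1:  # pass a saved FRST.txt or OTL.txt; decoding errors are replaced, not fatal
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            lines = fh.read().splitlines()
    for f in find_winlogon_hijacks(lines):
        print(f"{f['key']} [{f['value']}] loads: {', '.join(f['entries'])}")
```

Run against the sample lines it reports the HKU Shell entry from the FRST log and the constructed Userinit loader, and stays silent on the clean HKLM lines. The check deliberately treats a second Shell entry as suspect even when it sits next to a genuine explorer.exe, because that is exactly how this loader stayed resident after the desktop came up.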
 

jondeevoy

New Member
Thread author
Feb 26, 2013
8
Just a quick update: while I was waiting on a reply, I decided to try Hitman Pro Kickstart again. It found 'skype.dat' and I was able to delete it and boot into my system. I ran Hitman Pro and it found nothing, but Malwarebytes is running at present and has picked up 3 objects.

When Malwarebytes finishes I'll just go ahead and run the fixlist and OTL as suggested above. Thanks!
 

jondeevoy

New Member
Thread author
Feb 26, 2013
8
OTL logfile created on: 26/02/2013 15:11:48 - Run 1
OTL by OldTimer - Version 3.2.69.0 Folder = C:\Users\HP\Downloads
Home Premium Edition Service Pack 1 (Version = 6.1.7601) - Type = NTWorkstation
Internet Explorer (Version = 9.0.8112.16421)
Locale: 00000809 | Country: United Kingdom | Language: ENG | Date Format: dd/MM/yyyy

2.87 Gb Total Physical Memory | 1.76 Gb Available Physical Memory | 61.45% Memory free
5.73 Gb Paging File | 4.11 Gb Available in Paging File | 71.75% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 109.99 Gb Total Space | 9.92 Gb Free Space | 9.02% Space Free | Partition Type: NTFS
Drive G: | 30.01 Gb Total Space | 6.54 Gb Free Space | 21.79% Space Free | Partition Type: NTFS
Drive Z: | 157.98 Gb Total Space | 84.71 Gb Free Space | 53.62% Space Free | Partition Type: NTFS

Computer Name: HP-PC | User Name: HP | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Processes (SafeList) ==========

PRC - [2013/02/26 15:11:17 | 000,602,112 | ---- | M] (OldTimer Tools) -- C:\Users\HP\Downloads\OTL.exe
PRC - [2013/02/26 12:33:25 | 000,106,280 | ---- | M] (SurfRight B.V.) -- C:\Program Files\HitmanPro\hmpsched.exe
PRC - [2013/01/30 15:45:22 | 006,864,896 | ---- | M] (FreeDownloadManager.ORG) -- C:\Program Files\Free Download Manager\fdm.exe
PRC - [2012/12/18 14:28:08 | 000,065,192 | ---- | M] (Adobe Systems Incorporated) -- C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe
PRC - [2012/12/02 23:38:02 | 001,666,704 | ---- | M] (Symantec Corporation) -- C:\Program Files\Symantec\VIP Access Client\VIPUIManager.exe
PRC - [2012/12/02 23:38:00 | 000,081,552 | ---- | M] (Symantec Corporation) -- C:\Program Files\Symantec\VIP Access Client\VIPAppService.exe
PRC - [2012/11/30 02:55:25 | 000,271,360 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\conhost.exe
PRC - [2012/11/23 02:48:41 | 000,049,152 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\taskhost.exe
PRC - [2012/08/08 23:17:23 | 000,348,664 | ---- | M] (Avira Operations GmbH & Co. KG) -- C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
PRC - [2012/05/02 00:42:31 | 000,086,224 | ---- | M] (Avira Operations GmbH & Co. KG) -- C:\Program Files\Avira\AntiVir Desktop\sched.exe
PRC - [2012/05/01 23:55:24 | 000,465,360 | ---- | M] (Avira Operations GmbH & Co. KG) -- C:\Program Files\Avira\AntiVir Desktop\avwebgrd.exe
PRC - [2012/05/01 23:34:37 | 000,110,032 | ---- | M] (Avira Operations GmbH & Co. KG) -- C:\Program Files\Avira\AntiVir Desktop\avguard.exe
PRC - [2012/04/24 01:11:59 | 000,080,336 | ---- | M] (Avira Operations GmbH & Co. KG) -- C:\Program Files\Avira\AntiVir Desktop\avshadow.exe
PRC - [2012/01/19 11:47:20 | 003,027,840 | ---- | M] (TeamViewer GmbH) -- C:\Program Files\TeamViewer\Version7\TeamViewer_Service.exe
PRC - [2011/02/25 05:30:54 | 002,616,320 | ---- | M] (Microsoft Corporation) -- C:\Windows\explorer.exe
PRC - [2011/01/28 05:15:33 | 000,066,048 | ---- | M] (PostgreSQL Global Development Group) -- c:\postgreSQL\bin\pg_ctl.exe
PRC - [2011/01/28 05:13:43 | 004,538,368 | ---- | M] (PostgreSQL Global Development Group) -- c:\postgreSQL\bin\postgres.exe
PRC - [2010/05/12 16:23:04 | 000,130,496 | ---- | M] (Citrix Systems, Inc.) -- C:\Users\HP\AppData\Local\Citrix\ICA Client\CDViewer.exe
PRC - [2010/05/12 16:04:48 | 000,599,480 | ---- | M] (Citrix Systems, Inc.) -- C:\Users\HP\AppData\Local\Citrix\ICA Client\wfcrun32.exe
PRC - [2010/05/12 16:03:22 | 000,300,472 | ---- | M] (Citrix Systems, Inc.) -- C:\Users\HP\AppData\Local\Citrix\ICA Client\concentr.exe
PRC - [2010/05/12 15:52:16 | 001,918,392 | ---- | M] (Citrix Systems, Inc.) -- C:\Users\HP\AppData\Local\Citrix\ICA Client\wfica32.exe
PRC - [2010/01/29 13:59:00 | 005,110,304 | ---- | M] (Realtek Semiconductor) -- C:\Program Files\Realtek\Audio\HDA\RtkNGUI.exe
PRC - [2010/01/12 15:32:22 | 000,907,264 | ---- | M] (Realtek Semiconductor Corp.) -- C:\Program Files\Realtek\Audio\OSD\RtVOsd.exe
PRC - [2009/12/30 19:36:06 | 000,114,688 | ---- | M] () -- C:\Program Files\Clarus\Samsung SecretZone\MSSvc.exe
PRC - [2009/12/08 18:26:15 | 003,616,768 | ---- | M] (Native Instruments GmbH) -- C:\Program Files\Common Files\Native Instruments\Hardware\NIHardwareService.exe
PRC - [2009/11/17 17:15:08 | 000,087,968 | ---- | M] (Andrea Electronics Corporation) -- C:\Program Files\Realtek\Audio\HDA\AERTSrv.exe
PRC - [2009/09/30 19:01:32 | 002,320,920 | ---- | M] (Intel Corporation) -- C:\Program Files\Intel\Intel(R) Management Engine Components\UNS\UNS.exe
PRC - [2009/09/30 19:01:30 | 000,268,824 | ---- | M] (Intel Corporation) -- C:\Program Files\Intel\Intel(R) Management Engine Components\LMS\LMS.exe


========== Modules (No Company Name) ==========

MOD - [2013/02/14 03:29:09 | 011,833,344 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Web\5ecf01964c70e453d71e5d7653912ff9\System.Web.ni.dll
MOD - [2013/02/14 03:28:52 | 012,436,480 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\cb562e2e4f74ae607f1186f6ec50cec7\System.Windows.Forms.ni.dll
MOD - [2013/01/30 08:25:28 | 000,397,312 | ---- | M] () -- C:\Program Files\Free Download Manager\iefdmdm.dll
MOD - [2013/01/11 03:17:32 | 000,105,984 | ---- | M] () -- C:\Program Files\Free Download Manager\fdmumsp.dll
MOD - [2013/01/10 03:32:07 | 000,771,584 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Runtime.Remo#\90b89f6e8032310e9ac72a309fd49e83\System.Runtime.Remoting.ni.dll
MOD - [2013/01/10 03:31:28 | 001,592,832 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Drawing\eead6629e384a5b69f9ae35284b7eeed\System.Drawing.ni.dll
MOD - [2013/01/10 03:31:26 | 000,025,600 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\Accessibility\d908c91e24616e6b8d38c9da61038b25\Accessibility.ni.dll
MOD - [2013/01/10 03:31:08 | 005,453,312 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Xml\f687c43e9fdec031988b33ae722c4613\System.Xml.ni.dll
MOD - [2013/01/10 03:31:03 | 007,989,760 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\System\369f8bdca364e2b4936d18dea582912c\System.ni.dll
MOD - [2013/01/10 03:30:46 | 011,493,376 | ---- | M] () -- C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\7150b9136fad5b79e88f6c7f9d3d2c39\mscorlib.ni.dll
MOD - [2012/12/26 08:13:54 | 003,547,136 | ---- | M] () -- C:\Program Files\Free Download Manager\fdmbtsupp.dll
MOD - [2011/03/17 00:11:16 | 004,297,568 | ---- | M] () -- C:\Program Files\Common Files\microsoft shared\OFFICE14\Cultures\OFFICE.ODF
MOD - [2010/10/20 15:45:26 | 008,801,120 | ---- | M] () -- C:\Program Files\Microsoft Office\Office14\1033\GrooveIntlResource.dll
MOD - [2010/05/12 16:23:00 | 000,087,488 | ---- | M] () -- C:\Users\HP\AppData\Local\Citrix\ICA Client\AxWfIcaLib.dll


========== Services (SafeList) ==========

SRV - File not found [Auto | Stopped] -- H:\HitmanPro.exe /crusader:boot -- (HitmanPro37CrusaderBoot)
SRV - [2013/02/26 12:33:25 | 000,106,280 | ---- | M] (SurfRight B.V.) [Auto | Running] -- C:\Program Files\HitmanPro\hmpsched.exe -- (HitmanProScheduler)
SRV - [2013/02/25 07:39:32 | 000,543,144 | ---- | M] (Valve Corporation) [On_Demand | Stopped] -- C:\Program Files\Common Files\Steam\SteamService.exe -- (Steam Client Service)
SRV - [2012/12/18 14:28:08 | 000,065,192 | ---- | M] (Adobe Systems Incorporated) [Auto | Running] -- C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe -- (AdobeARMservice)
SRV - [2012/12/02 23:38:00 | 000,081,552 | ---- | M] (Symantec Corporation) [Auto | Running] -- C:\Program Files\Symantec\VIP Access Client\VIPAppService.exe -- (VIPAppService)
SRV - [2012/09/20 13:28:48 | 030,785,672 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Program Files\Microsoft Office\Office14\GROOVE.EXE -- (Microsoft SharePoint Workspace Audit Service)
SRV - [2012/07/13 12:28:36 | 000,160,944 | R--- | M] (Skype Technologies) [Auto | Stopped] -- C:\Program Files\Skype\Updater\Updater.exe -- (SkypeUpdate)
SRV - [2012/05/02 00:42:31 | 000,086,224 | ---- | M] (Avira Operations GmbH & Co. KG) [Auto | Running] -- C:\Program Files\Avira\AntiVir Desktop\sched.exe -- (AntiVirSchedulerService)
SRV - [2012/05/01 23:55:24 | 000,465,360 | ---- | M] (Avira Operations GmbH & Co. KG) [Auto | Running] -- C:\Program Files\Avira\AntiVir Desktop\avwebgrd.exe -- (AntiVirWebService)
SRV - [2012/05/01 23:34:37 | 000,110,032 | ---- | M] (Avira Operations GmbH & Co. KG) [Auto | Running] -- C:\Program Files\Avira\AntiVir Desktop\avguard.exe -- (AntiVirService)
SRV - [2012/01/19 11:47:20 | 003,027,840 | ---- | M] (TeamViewer GmbH) [Auto | Running] -- C:\Program Files\TeamViewer\Version7\TeamViewer_Service.exe -- (TeamViewer7)
SRV - [2011/01/28 05:15:33 | 000,066,048 | ---- | M] (PostgreSQL Global Development Group) [Auto | Running] -- c:\postgreSQL\bin\pg_ctl.exe -- (postgresql-8.4)
SRV - [2010/09/10 19:59:47 | 001,343,400 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\Wat\WatAdminSvc.exe -- (WatAdminSvc)
SRV - [2010/06/25 17:07:20 | 000,117,264 | ---- | M] (CACE Technologies, Inc.) [On_Demand | Stopped] -- C:\Program Files\WinPcap\rpcapd.exe -- (rpcapd)
SRV - [2009/12/30 19:36:06 | 000,114,688 | ---- | M] () [Auto | Running] -- C:\Program Files\Clarus\Samsung SecretZone\MSSvc.exe -- (MSR Service)
SRV - [2009/12/08 18:26:15 | 003,616,768 | ---- | M] (Native Instruments GmbH) [Auto | Running] -- C:\Program Files\Common Files\Native Instruments\Hardware\NIHardwareService.exe -- (NIHardwareService)
SRV - [2009/11/17 17:15:08 | 000,087,968 | ---- | M] (Andrea Electronics Corporation) [Auto | Running] -- C:\Program Files\Realtek\Audio\HDA\AERTSrv.exe -- (AERTFilters)
SRV - [2009/09/30 19:01:32 | 002,320,920 | ---- | M] (Intel Corporation) [Auto | Running] -- C:\Program Files\Intel\Intel(R) Management Engine Components\UNS\UNS.exe -- (UNS)
SRV - [2009/09/30 19:01:30 | 000,268,824 | ---- | M] (Intel Corporation) [Auto | Running] -- C:\Program Files\Intel\Intel(R) Management Engine Components\LMS\LMS.exe -- (LMS)
SRV - [2009/07/14 01:16:13 | 000,025,088 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Windows\System32\sensrsvc.dll -- (SensrSvc)


========== Driver Services (SafeList) ==========

DRV - File not found [Kernel | On_Demand | Stopped] -- system32\DRIVERS\mcdbus.sys -- (mcdbus)
DRV - [2012/04/27 09:20:04 | 000,137,928 | ---- | M] (Avira GmbH) [Kernel | System | Running] -- C:\Windows\System32\drivers\avipbb.sys -- (avipbb)
DRV - [2012/04/24 23:32:27 | 000,083,392 | ---- | M] (Avira GmbH) [File_System | Auto | Running] -- C:\Windows\System32\drivers\avgntflt.sys -- (avgntflt)
DRV - [2012/04/16 20:18:01 | 000,036,000 | ---- | M] (Avira GmbH) [Kernel | System | Running] -- C:\Windows\System32\drivers\avkmgr.sys -- (avkmgr)
DRV - [2011/11/28 14:51:44 | 000,032,896 | ---- | M] (AnvSoft Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\anvsnddrv.sys -- (anvsnddrv)
DRV - [2011/05/18 07:09:04 | 000,040,320 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\dc3d.sys -- (dc3d)
DRV - [2010/11/20 10:24:41 | 000,052,224 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\TsUsbFlt.sys -- (TsUsbFlt)
DRV - [2010/11/20 09:59:44 | 000,035,968 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\winusb.sys -- (WinUsb)
DRV - [2010/07/28 05:00:20 | 001,559,552 | ---- | M] (Atheros Communications, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\athur.sys -- (athur)
DRV - [2010/07/15 07:44:20 | 000,014,216 | ---- | M] () [Kernel | On_Demand | Stopped] -- C:\Windows\System32\epmntdrv.sys -- (epmntdrv)
DRV - [2010/07/15 07:44:20 | 000,008,456 | ---- | M] () [Kernel | On_Demand | Stopped] -- C:\Windows\System32\EuGdiDrv.sys -- (EuGdiDrv)
DRV - [2010/06/25 17:07:14 | 000,035,088 | ---- | M] (CACE Technologies, Inc.) [Kernel | Auto | Running] -- C:\Windows\System32\drivers\npf.sys -- (NPF)
DRV - [2010/06/17 14:14:27 | 000,028,520 | ---- | M] (Avira GmbH) [Kernel | System | Running] -- C:\Windows\System32\drivers\ssmdrv.sys -- (ssmdrv)
DRV - [2010/04/22 01:05:56 | 000,324,672 | ---- | M] (Ploytec GmbH) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\nmrkusbu.sys -- (NMRKUSBU)
DRV - [2010/04/22 01:05:54 | 000,040,000 | ---- | M] (Numark) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\nmrkusba.sys -- (NMRKUSBA)
DRV - [2010/04/16 15:22:04 | 000,065,584 | ---- | M] (Citrix Systems, Inc.) [Kernel | System | Running] -- C:\Windows\System32\drivers\ctxusbm.sys -- (ctxusbm)
DRV - [2010/02/25 14:18:58 | 000,015,872 | ---- | M] (Hewlett-Packard Development Company, L.P.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\HpqKbFiltr.sys -- (HpqKbFiltr)
DRV - [2009/12/23 10:32:26 | 000,086,016 | ---- | M] (PACE Anti-Piracy, Inc.) [Kernel | Boot | Running] -- C:\Windows\System32\drivers\TPkd.sys -- (TPkd)
DRV - [2009/09/22 01:45:12 | 001,172,992 | ---- | M] (Atheros Communications, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\athr.sys -- (athr)
DRV - [2009/09/17 11:54:14 | 000,041,088 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\HECI.sys -- (HECI)
DRV - [2009/07/13 23:52:10 | 000,014,336 | ---- | M] (Microsoft Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\vwifimp.sys -- (vwifimp)
DRV - [2007/10/24 09:47:26 | 000,023,288 | ---- | M] (SIA Syncrosoft) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\synasUSB.sys -- (SynasUSB)
DRV - [2005/05/09 19:08:40 | 000,033,792 | ---- | M] (Team H2O) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\cledx.sys -- (CLEDX)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
IE - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/search?q={searchTerms}&FORM=IE8SRC


IE - HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://search.avira.com/?l=dis&o=APN10401&gct=hp&dc=EU&locale=en_GB
IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://search.avira.com/?l=dis&o=APN10401&gct=hp&dc=EU&locale=en_GB
IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0


IE - HKU\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-21-3563083970-3628164584-3303492815-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
IE - HKU\S-1-5-21-3563083970-3628164584-3303492815-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache = http://uk.msn.com/?ocid=iehp
IE - HKU\S-1-5-21-3563083970-3628164584-3303492815-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache AcceptLangs = en-GB
IE - HKU\S-1-5-21-3563083970-3628164584-3303492815-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page Redirect Cache_TIMESTAMP = 18 56 66 60 DA 10 CE 01 [binary data]
IE - HKU\S-1-5-21-3563083970-3628164584-3303492815-1000\..\SearchScopes,DefaultScope = {1E09192B-1999-459A-8D88-951703DA3A5F}
IE - HKU\S-1-5-21-3563083970-3628164584-3303492815-1000\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/search?q={searchTerms}&src=IE-SearchBox&FORM=IE8SRC
IE - HKU\S-1-5-21-3563083970-3628164584-3303492815-1000\..\SearchScopes\{1E09192B-1999-459A-8D88-951703DA3A5F}: "URL" = http://www.google.co.uk/search?hl=en&q={searchTerms}&meta=
IE - HKU\S-1-5-21-3563083970-3628164584-3303492815-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0


========== FireFox ==========

FF - prefs.js..browser.search.defaultengine: "Ask.com"
FF - prefs.js..browser.search.defaultenginename: "Ask.com"
FF - prefs.js..browser.search.order.1: "Ask.com"
FF - prefs.js..browser.search.selectedEngine: "Ask.com"
FF - prefs.js..browser.startup.homepage: "http://search.avira.com/?l=dis&o=APN10401&gct=hp&dc=EU&locale=en_GB"
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA}:6.0.24
FF - prefs.js..extensions.enabledItems: fdm_ffext@freedownloadmanager.org:1.5.7.9
FF - prefs.js..extensions.enabledItems: smartwebprinting@hp.com:4.51
FF - prefs.js..extensions.enabledItems: firesheep@codebutler.com:0.1
FF - prefs.js..extensions.enabledItems: {CAFEEFAC-0016-0000-0031-ABCDEFFEDCBA}:6.0.31
FF - prefs.js..keyword.URL: "http://websearch.ask.com/redirect?client=ff&src=kw&tb=AVR-3&o=APN10401&locale=en_GB&apn_uid=59ea409b-a143-475e-938c-000d913aa8de&apn_ptnrs=%5EABZ&apn_sauid=FBF15115-19E3-4674-92C9-4D75AB78F452&apn_dtid=%5EYYYYYY%5EYY%5EGB&&q="
FF - prefs.js..network.proxy.type: 0
FF - user.js - File not found

FF - HKLM\Software\MozillaPlugins\@adobe.com/FlashPlayer: C:\Windows\system32\Macromed\Flash\NPSWF32_11_3_300_262.dll ()
FF - HKLM\Software\MozillaPlugins\@java.com/DTPlugin,version=10.7.2: C:\Windows\system32\npDeployJava1.dll (Oracle Corporation)
FF - HKLM\Software\MozillaPlugins\@java.com/JavaPlugin,version=10.7.2: C:\Program Files\Java\jre7\bin\plugin2\npjp2.dll (Oracle Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/GENUINE: disabled File not found
FF - HKLM\Software\MozillaPlugins\@Microsoft.com/NpCtrl,version=1.0: C:\Program Files\Microsoft Silverlight\5.1.10411.0\npctrl.dll ( Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/OfficeAuthz,version=14.0: C:\PROGRA~1\MICROS~4\Office14\NPAUTHZ.DLL (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/SharePoint,version=14.0: C:\PROGRA~1\MICROS~4\Office14\NPSPWRAP.DLL (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WLPG,version=15.4.3502.0922: C:\Program Files\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@microsoft.com/WLPG,version=15.4.3508.1109: C:\Program Files\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)
FF - HKLM\Software\MozillaPlugins\@pandonetworks.com/PandoWebPlugin: C:\Program Files\Pando Networks\Media Booster\npPandoWebPlugin.dll (Pando Networks)
FF - HKLM\Software\MozillaPlugins\@videolan.org/vlc,version=2.0.1: C:\Program Files\VideoLAN\VLC\npvlc.dll (VideoLAN)
FF - HKLM\Software\MozillaPlugins\Adobe Reader: C:\Program Files\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)
FF - HKCU\Software\MozillaPlugins\pandonetworks.com/PandoWebPlugin: C:\Program Files\Pando Networks\Media Booster\npPandoWebPlugin.dll (Pando Networks)

FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\smartwebprinting@hp.com: C:\Program Files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3 [2011/06/03 19:10:09 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Firefox\Extensions\\VIP1X@verisign.com: C:\Program Files\Symantec\VIP Access Client\ [2012/12/15 16:24:25 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 10.0.2\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2012/12/09 22:21:39 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 10.0.2\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2013/01/09 01:46:45 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 3.6.12\extensions\\Components: C:\Program Files\Mozilla Firefox 3.6\components [2012/01/04 20:08:33 | 000,000,000 | ---D | M]
FF - HKEY_LOCAL_MACHINE\software\mozilla\Mozilla Firefox 3.6.12\extensions\\Plugins: C:\Program Files\Mozilla Firefox 3.6\plugins [2013/01/09 01:46:45 | 000,000,000 | ---D | M]
FF - HKEY_CURRENT_USER\software\mozilla\Firefox\Extensions\\smartwebprinting@hp.com: C:\Program Files\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3 [2011/06/03 19:10:09 | 000,000,000 | ---D | M]

[2011/02/21 01:05:05 | 000,000,000 | ---D | M] (No name found) -- C:\Users\HP\AppData\Roaming\Mozilla\Extensions
[2013/02/01 19:16:38 | 000,000,000 | ---D | M] (No name found) -- C:\Users\HP\AppData\Roaming\Mozilla\Firefox\Profiles\z30k7fsq.default\extensions
[2012/06/26 23:31:16 | 000,000,000 | ---D | M] (No name found) -- C:\Program Files\Mozilla Firefox\extensions
[2012/06/26 23:31:13 | 000,134,104 | ---- | M] (Mozilla Foundation) -- C:\Program Files\mozilla firefox\components\browsercomps.dll
[2010/05/12 15:42:04 | 000,124,344 | ---- | M] (Citrix Systems, Inc.) -- C:\Program Files\mozilla firefox\plugins\CCMSDK.dll
[2010/05/12 15:43:54 | 000,070,592 | ---- | M] (Citrix Systems, Inc.) -- C:\Program Files\mozilla firefox\plugins\CgpCore.dll
[2010/05/12 15:42:52 | 000,091,576 | ---- | M] (Citrix Systems, Inc.) -- C:\Program Files\mozilla firefox\plugins\confmgr.dll
[2010/05/12 15:42:32 | 000,022,464 | ---- | M] (Citrix Systems, Inc.) -- C:\Program Files\mozilla firefox\plugins\ctxlogging.dll
[2010/05/12 16:22:36 | 000,423,328 | ---- | M] () -- C:\Program Files\mozilla firefox\plugins\npicaN.dll
[2010/05/12 15:43:56 | 000,024,000 | ---- | M] (Citrix Systems, Inc.) -- C:\Program Files\mozilla firefox\plugins\TcpPServ.dll
[2012/06/26 23:31:11 | 000,001,538 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\amazon-en-GB.xml
[2012/06/26 23:31:11 | 000,002,252 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\bing.xml
[2012/06/26 23:31:11 | 000,000,947 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\chambers-en-GB.xml
[2012/06/26 23:31:11 | 000,001,180 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\eBay-en-GB.xml
[2012/06/26 23:31:11 | 000,001,135 | ---- | M] () -- C:\Program Files\mozilla firefox\searchplugins\yahoo-en-GB.xml

O1 HOSTS File: ([2009/06/10 21:39:37 | 000,000,824 | ---- | M]) - C:\Windows\System32\drivers\etc\hosts
O2 - BHO: (Groove GFS Browser Helper) - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office14\GROOVEEX.DLL (Microsoft Corporation)
O2 - BHO: (Skype Plug-In) - {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
O2 - BHO: (Office Document Cache Handler) - {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\Program Files\Microsoft Office\Office14\URLREDIR.DLL (Microsoft Corporation)
O2 - BHO: (Symantec VIP Access Add-On) - {C63CD127-A1CB-4D49-A4F7-D6F88A917BE6} - C:\Program Files\Symantec\VIP Access Client\VIPAddOnForIE.dll (Symantec Corporation)
O2 - BHO: (Free Download Manager) - {CC59E0F9-7E43-44FA-9FAA-8377850BF205} - C:\Program Files\Free Download Manager\iefdm2.dll (FreeDownloadManager.ORG)
O3 - HKU\S-1-5-21-3563083970-3628164584-3303492815-1000\..\Toolbar\WebBrowser: (no name) - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - No CLSID value found.
O4 - HKLM..\Run: [] File not found
O4 - HKLM..\Run: [avgnt] C:\Program Files\Avira\AntiVir Desktop\avgnt.exe (Avira Operations GmbH & Co. KG)
O4 - HKLM..\Run: [BCSSync] C:\Program Files\Microsoft Office\Office14\BCSSync.exe (Microsoft Corporation)
O4 - HKLM..\Run: [ConnectionCenter] C:\Users\HP\AppData\Local\Citrix\ICA Client\concentr.exe (Citrix Systems, Inc.)
O4 - HKLM..\Run: [RTHDVCPL] C:\Program Files\Realtek\Audio\HDA\RtkNGUI.exe (Realtek Semiconductor)
O4 - HKLM..\Run: [RtkOSD] C:\Program Files\Realtek\Audio\OSD\RtVOsd.exe (Realtek Semiconductor Corp.)
O4 - HKU\S-1-5-21-3563083970-3628164584-3303492815-1000..\Run: [Steam] C:\Program Files\Steam\Steam.exe (Valve Corporation)
O4 - HKU\S-1-5-19..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (Microsoft Corporation)
O4 - HKU\S-1-5-20..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (Microsoft Corporation)
O4 - HKU\S-1-5-21-3563083970-3628164584-3303492815-1006..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (Microsoft Corporation)
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorAdmin = 5
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: ConsentPromptBehaviorUser = 3
O8 - Extra context menu item: Download all with Free Download Manager - C:\Program Files\Free Download Manager\dlall.htm ()
O8 - Extra context menu item: Download selected with Free Download Manager - C:\Program Files\Free Download Manager\dlselected.htm ()
O8 - Extra context menu item: Download video with Free Download Manager - C:\Program Files\Free Download Manager\dlfvideo.htm ()
O8 - Extra context menu item: Download with Free Download Manager - C:\Program Files\Free Download Manager\dllink.htm ()
O8 - Extra context menu item: E&xport to Microsoft Excel - C:\Program Files\Microsoft Office\Office14\EXCEL.EXE (Microsoft Corporation)
O9 - Extra Button: PokerStars - {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - C:\Program Files\PokerStars\PokerStarsUpdate.exe (PokerStars)
O9 - Extra Button: Skype Plug-In - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
O9 - Extra 'Tools' menuitem : Skype Plug-In - {898EA8C8-E7FF-479B-8935-AEC46303B9E5} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
O10 - Protocol_Catalog9\Catalog_Entries\000000000001 - C:\Program Files\Avira\AntiVir Desktop\avsda.dll (Avira Operations GmbH & Co. KG)
O10 - Protocol_Catalog9\Catalog_Entries\000000000002 - C:\Program Files\Avira\AntiVir Desktop\avsda.dll (Avira Operations GmbH & Co. KG)
O10 - Protocol_Catalog9\Catalog_Entries\000000000003 - C:\Program Files\Avira\AntiVir Desktop\avsda.dll (Avira Operations GmbH & Co. KG)
O10 - Protocol_Catalog9\Catalog_Entries\000000000004 - C:\Program Files\Avira\AntiVir Desktop\avsda.dll (Avira Operations GmbH & Co. KG)
O10 - Protocol_Catalog9\Catalog_Entries\000000000005 - C:\Program Files\Avira\AntiVir Desktop\avsda.dll (Avira Operations GmbH & Co. KG)
O10 - Protocol_Catalog9\Catalog_Entries\000000000006 - C:\Program Files\Avira\AntiVir Desktop\avsda.dll (Avira Operations GmbH & Co. KG)
O10 - Protocol_Catalog9\Catalog_Entries\000000000007 - C:\Program Files\Avira\AntiVir Desktop\avsda.dll (Avira Operations GmbH & Co. KG)
O10 - Protocol_Catalog9\Catalog_Entries\000000000008 - C:\Program Files\Avira\AntiVir Desktop\avsda.dll (Avira Operations GmbH & Co. KG)
O10 - Protocol_Catalog9\Catalog_Entries\000000000019 - C:\Program Files\Avira\AntiVir Desktop\avsda.dll (Avira Operations GmbH & Co. KG)
O13 - gopher Prefix: missing
O15 - HKU\S-1-5-21-3563083970-3628164584-3303492815-1000\..Trusted Domains: clonewarsadventures.com ([]* in Trusted sites)
O15 - HKU\S-1-5-21-3563083970-3628164584-3303492815-1000\..Trusted Domains: freerealms.com ([]* in Trusted sites)
O15 - HKU\S-1-5-21-3563083970-3628164584-3303492815-1000\..Trusted Domains: soe.com ([]* in Trusted sites)
O15 - HKU\S-1-5-21-3563083970-3628164584-3303492815-1000\..Trusted Domains: sony.com ([]* in Trusted sites)
O16 - DPF: {73ECB3AA-4717-450C-A2AB-D00DAD9EE203} http://h20270.www2.hp.com/ediags/gmn2/install/HPProductDetection2.cab (GMNRev Class)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.7.0/jinstall-1_7_0_07-windows-i586.cab (Java Plug-in 10.7.2)
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab (MessengerStatsClient Class)
O16 - DPF: {CAFEEFAC-0017-0000-0007-ABCDEFFEDCBA} http://java.sun.com/update/1.7.0/jinstall-1_7_0_07-windows-i586.cab (Java Plug-in 1.7.0_07)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.7.0/jinstall-1_7_0_07-windows-i586.cab (Java Plug-in 1.7.0_07)
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab (Reg Error: Key error.)
O16 - DPF: {F27237D7-93C8-44C2-AC6E-D6057B9A918F} https://juniper.net/dana-cached/sc/JuniperSetupClient.cab (JuniperSetupClientControl Class)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.1.1
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{14C5BDD5-3CA2-4D07-B4FC-169980637DDA}: DhcpNameServer = 192.168.1.1
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{457E5F1B-EF8C-42DA-830D-3074961A12A4}: DhcpNameServer = 192.168.1.1
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{F220F9CC-71A8-4F3E-88D2-13A48D0BD4E6}: DhcpNameServer = 10.0.0.2
O18 - Protocol\Handler\skype4com {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files\Common Files\Skype\Skype4COM.dll (Skype Technologies)
O18 - Protocol\Handler\skype-ie-addon-data {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files\Skype\Toolbars\Internet Explorer\skypeieplugin.dll (Skype Technologies S.A.)
O18 - Protocol\Filter\application/x-ica {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Users\HP\AppData\Local\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.)
O18 - Protocol\Filter\ica {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Users\HP\AppData\Local\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.)
O20 - HKLM Winlogon: Shell - (explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation)
O20 - HKLM Winlogon: UserInit - (C:\Windows\system32\userinit.exe) - C:\Windows\System32\userinit.exe (Microsoft Corporation)
O20 - HKLM Winlogon: VMApplet - (SystemPropertiesPerformance.exe) - C:\Windows\System32\SystemPropertiesPerformance.exe (Microsoft Corporation)
O21 - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - No CLSID value found.
O28 - HKLM ShellExecuteHooks: {B5A7F190-DDA6-4420-B3BA-52453494E6CD} - C:\Program Files\Microsoft Office\Office14\GROOVEEX.DLL (Microsoft Corporation)
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2009/06/10 21:42:20 | 000,000,024 | ---- | M] () - C:\autoexec.bat -- [ NTFS ]
O33 - MountPoints2\{60c64d37-43cf-11e2-aa2c-00269edb0a1b}\Shell - "" = AutoRun
O33 - MountPoints2\{60c64d37-43cf-11e2-aa2c-00269edb0a1b}\Shell\AutoRun\command - "" = H:\LaunchU3.exe -a
O33 - MountPoints2\D\Shell - "" = AutoRun
O33 - MountPoints2\D\Shell\AutoRun\command - "" = D:\setup.exe
O34 - HKLM BootExecute: (autocheck autochk *)
O35 - HKLM\..comfile [open] -- "%1" %*
O35 - HKLM\..exefile [open] -- "%1" %*
O37 - HKLM\...com [@ = comfile] -- "%1" %*
O37 - HKLM\...exe [@ = exefile] -- "%1" %*
O38 - SubSystems\\Windows: (ServerDll=winsrv:UserServerDllInitialization,3)
O38 - SubSystems\\Windows: (ServerDll=winsrv:ConServerDllInitialization,2)
O38 - SubSystems\\Windows: (ServerDll=sxssrv,4)

========== Files/Folders - Created Within 30 Days ==========

[2013/02/26 20:47:21 | 000,000,000 | ---D | C] -- C:\FRST
[2013/02/26 20:22:19 | 000,000,000 | ---D | C] -- C:\Windows\Microsoft Antimalware
[2013/02/26 13:25:26 | 000,012,872 | ---- | C] (SurfRight B.V.) -- C:\Windows\System32\bootdelete.exe
[2013/02/26 12:33:24 | 000,000,000 | ---D | C] -- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\HitmanPro
[2013/02/26 12:33:18 | 000,000,000 | ---D | C] -- C:\Program Files\HitmanPro
[2013/02/26 12:10:45 | 000,000,000 | ---D | C] -- C:\ProgramData\HitmanPro
[2013/02/25 13:22:45 | 000,000,000 | ---D | C] -- C:\Users\HP\Documents\-- Writing --
[2013/02/24 00:53:19 | 000,000,000 | ---D | C] -- C:\Users\HP\AppData\Local\Programs
[2013/02/14 03:03:09 | 002,382,848 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\mshtml.tlb
[2013/02/14 03:03:08 | 000,065,024 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\jsproxy.dll
[2013/02/14 03:03:07 | 000,607,744 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\msfeeds.dll
[2013/02/14 03:03:07 | 000,176,640 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\ieui.dll
[2013/02/14 03:03:07 | 000,142,848 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\ieUnatt.exe
[2013/02/14 03:03:06 | 001,800,704 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\jscript9.dll
[2013/02/14 03:03:06 | 000,231,936 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\url.dll
[2013/02/14 03:03:05 | 001,427,968 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\inetcpl.cpl
[2013/02/13 07:19:07 | 002,347,008 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\win32k.sys
[2013/02/13 07:18:58 | 003,967,848 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\ntkrnlpa.exe
[2013/02/13 07:18:58 | 003,913,064 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\ntoskrnl.exe
[2013/02/13 07:18:51 | 000,187,752 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\drivers\FWPKCLNT.SYS
[2013/02/13 07:18:47 | 000,169,984 | ---- | C] (Microsoft Corporation) -- C:\Windows\System32\winsrv.dll
[2013/02/12 22:27:13 | 000,000,000 | ---D | C] -- C:\Users\HP\Documents\-- Story Notes --
[2013/02/08 22:47:37 | 000,000,000 | ---D | C] -- C:\Users\HP\AppData\Local\{2BF0BB93-1A54-4E6B-91D9-16223DC13523}
[2013/02/08 22:47:20 | 000,000,000 | ---D | C] -- C:\Users\HP\Tracing

========== Files - Modified Within 30 Days ==========

[2013/02/26 14:59:12 | 000,015,392 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
[2013/02/26 14:59:12 | 000,015,392 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
[2013/02/26 13:51:44 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat
[2013/02/26 13:25:26 | 000,012,872 | ---- | M] (SurfRight B.V.) -- C:\Windows\System32\bootdelete.exe
[2013/02/26 13:25:26 | 000,001,076 | ---- | M] () -- C:\Windows\System32\.crusader
[2013/02/26 12:33:25 | 000,001,921 | ---- | M] () -- C:\Users\Public\Desktop\HitmanPro.lnk
[2013/02/25 18:02:22 | 000,001,909 | ---- | M] () -- C:\Users\HP\Desktop\Kies Air Discovery Service.lnk
[2013/02/24 00:53:36 | 000,001,095 | ---- | M] () -- C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
[2013/02/23 19:11:45 | 000,005,245 | ---- | M] () -- C:\Users\HP\.TransferManager.db
[2013/02/23 14:05:08 | 000,691,568 | ---- | M] (Adobe Systems Incorporated) -- C:\Windows\System32\FlashPlayerApp.exe
[2013/02/23 14:05:08 | 000,071,024 | ---- | M] (Adobe Systems Incorporated) -- C:\Windows\System32\FlashPlayerCPLApp.cpl
[2013/02/23 14:04:05 | 000,001,053 | ---- | M] () -- C:\Users\HP\Desktop\Free Download Manager.lnk
[2013/02/14 03:27:23 | 000,395,248 | ---- | M] () -- C:\Windows\System32\FNTCACHE.DAT
[2013/02/14 03:01:21 | 000,652,360 | ---- | M] () -- C:\Windows\System32\perfh009.dat
[2013/02/14 03:01:21 | 000,121,292 | ---- | M] () -- C:\Windows\System32\perfc009.dat
[2013/02/12 22:23:39 | 000,094,502 | ---- | M] () -- C:\Users\HP\Documents\a-beautiful-mind.pdf

========== Files Created - No Company Name ==========

[2013/02/26 12:33:25 | 000,001,921 | ---- | C] () -- C:\Users\Public\Desktop\HitmanPro.lnk
[2013/02/26 12:27:35 | 000,001,076 | ---- | C] () -- C:\Windows\System32\.crusader
[2013/02/23 19:08:50 | 000,001,909 | ---- | C] () -- C:\Users\HP\Desktop\Kies Air Discovery Service.lnk
[2013/02/12 22:23:39 | 000,094,502 | ---- | C] () -- C:\Users\HP\Documents\a-beautiful-mind.pdf
[2012/12/04 22:53:39 | 000,004,934 | ---- | C] () -- C:\ProgramData\flwjycbm.bab
[2012/07/24 18:56:43 | 000,721,758 | ---- | C] () -- C:\Windows\unins000.exe
[2012/07/24 18:56:43 | 000,035,103 | ---- | C] () -- C:\Windows\unins000.dat
[2012/07/18 10:57:44 | 004,503,728 | ---- | C] () -- C:\ProgramData\pmt_0piot.pad
[2012/07/09 17:50:50 | 000,000,045 | ---- | C] () -- C:\Users\HP\AppData\Local\machpro.dat
[2012/05/30 14:05:58 | 013,545,472 | ---- | C] () -- C:\Windows\System32\SSL X-Verb Stereo.dll
[2012/05/30 14:05:58 | 006,569,984 | ---- | C] () -- C:\Windows\System32\SSL X-Eq Stereo.dll
[2012/05/30 14:05:58 | 006,569,984 | ---- | C] () -- C:\Windows\System32\SSL X-Eq Mono.dll
[2012/05/30 14:05:58 | 006,217,728 | ---- | C] () -- C:\Windows\System32\SSL X-Comp Stereo.dll
[2012/05/30 14:05:58 | 006,217,728 | ---- | C] () -- C:\Windows\System32\SSL X-Comp Mono.dll
[2012/05/30 14:05:58 | 005,079,040 | ---- | C] () -- C:\Windows\System32\SSL Vocalstrip Stereo.dll
[2012/05/30 14:05:57 | 015,695,872 | ---- | C] () -- C:\Windows\System32\SSL Channel Stereo.dll
[2012/05/30 14:05:57 | 005,787,648 | ---- | C] () -- C:\Windows\System32\SSL Drumstrip Stereo.dll
[2012/05/30 14:05:57 | 005,783,552 | ---- | C] () -- C:\Windows\System32\SSL Drumstrip Mono.dll
[2012/05/30 14:05:57 | 005,074,944 | ---- | C] () -- C:\Windows\System32\SSL Vocalstrip Mono.dll
[2012/05/30 14:05:56 | 015,687,680 | ---- | C] () -- C:\Windows\System32\SSL Channel Mono.dll
[2012/05/30 14:05:56 | 007,122,944 | ---- | C] () -- C:\Windows\System32\SSL Bus Compressor Stereo.dll
[2012/05/30 14:05:56 | 007,122,944 | ---- | C] () -- C:\Windows\System32\SSL Bus Compressor Mono.dll
[2012/05/30 14:05:56 | 000,069,632 | ---- | C] () -- C:\Windows\System32\FxShared.dll
[2012/05/30 14:05:56 | 000,069,632 | ---- | C] () -- C:\Windows\System32\com.fxpansion.fxshared.dll
[2012/03/21 08:42:13 | 000,005,245 | ---- | C] () -- C:\Users\HP\.TransferManager.db
[2012/01/06 18:27:39 | 000,001,057 | ---- | C] () -- C:\Users\HP\AppData\Roaming\vso_ts_preview.xml
[2011/10/15 22:17:53 | 000,101,958 | ---- | C] () -- C:\Users\HP\AppData\Roaming\icarus-dxdiag.xml
[2011/07/03 23:10:35 | 000,163,840 | ---- | C] () -- C:\Windows\System32\ArtFfct.dll
[2011/07/03 23:05:15 | 000,002,892 | ---- | C] () -- C:\Windows\System32\audcon.sys
[2011/07/03 23:04:45 | 000,000,045 | ---- | C] () -- C:\Windows\System32\SYNSOPOS.exe.cfg
[2011/06/03 19:06:08 | 000,170,015 | ---- | C] () -- C:\Windows\hpoins14.dat
[2011/06/03 19:06:08 | 000,001,498 | ---- | C] () -- C:\Windows\hpomdl14.dat
[2011/01/16 21:43:21 | 000,005,632 | ---- | C] () -- C:\Users\HP\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2011/01/16 09:21:45 | 000,000,056 | -H-- | C] () -- C:\ProgramData\ezsidmv.dat
[2010/09/25 15:27:09 | 000,007,604 | ---- | C] () -- C:\Users\HP\AppData\Local\Resmon.ResmonCfg

========== ZeroAccess Check ==========

[2009/07/14 04:42:31 | 000,000,227 | RHS- | M] () -- C:\Windows\assembly\Desktop.ini

[HKEY_CURRENT_USER\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]

[HKEY_CURRENT_USER\Software\Classes\clsid\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InProcServer32]
"ThreadingModel" = Both
"" = C:\Windows\system32\shell32.dll -- [2012/06/09 04:41:00 | 012,873,728 | ---- | M] (Microsoft Corporation)

[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InProcServer32]
"" = %SystemRoot%\system32\shell32.dll -- [2012/06/09 04:41:00 | 012,873,728 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Apartment

[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{5839FCA9-774D-42A1-ACDA-D6A79037F57F}\InProcServer32]
"" = C:\Windows\system32\wbem\fastprox.dll -- [2010/11/20 12:19:02 | 000,606,208 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Free

[HKEY_LOCAL_MACHINE\Software\Classes\clsid\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}\InProcServer32]
"" = %systemroot%\system32\wbem\wbemess.dll -- [2009/07/14 01:16:17 | 000,342,528 | ---- | M] (Microsoft Corporation)
"ThreadingModel" = Both

========== LOP Check ==========


========== Purity Check ==========



========== Alternate Data Streams ==========

@Alternate Data Stream - 178 bytes -> C:\ProgramData\TEMP:BF3D62E7

< End of report >


OTL Extras logfile created on: 26/02/2013 15:11:48 - Run 1
OTL by OldTimer - Version 3.2.69.0 Folder = C:\Users\HP\Downloads
Home Premium Edition Service Pack 1 (Version = 6.1.7601) - Type = NTWorkstation
Internet Explorer (Version = 9.0.8112.16421)
Locale: 00000809 | Country: United Kingdom | Language: ENG | Date Format: dd/MM/yyyy

2.87 Gb Total Physical Memory | 1.76 Gb Available Physical Memory | 61.45% Memory free
5.73 Gb Paging File | 4.11 Gb Available in Paging File | 71.75% Paging File free
Paging file location(s): ?:\pagefile.sys [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files
Drive C: | 109.99 Gb Total Space | 9.92 Gb Free Space | 9.02% Space Free | Partition Type: NTFS
Drive G: | 30.01 Gb Total Space | 6.54 Gb Free Space | 21.79% Space Free | Partition Type: NTFS
Drive Z: | 157.98 Gb Total Space | 84.71 Gb Free Space | 53.62% Space Free | Partition Type: NTFS

Computer Name: HP-PC | User Name: HP | Logged in as Administrator.
Boot Mode: Normal | Scan Mode: All users
Company Name Whitelist: Off | Skip Microsoft Files: Off | No Company Name Whitelist: On | File Age = 30 Days

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.cpl [@ = cplfile] -- C:\Windows\System32\control.exe (Microsoft Corporation)
.hlp [@ = hlpfile] -- C:\Windows\winhlp32.exe (Microsoft Corporation)

[HKEY_USERS\S-1-5-21-3563083970-3628164584-3303492815-1000\SOFTWARE\Classes\<extension>]
.html [@ = FirefoxHTML] -- C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
cplfile [cplopen] -- %SystemRoot%\System32\control.exe "%1",%* (Microsoft Corporation)
exefile [open] -- "%1" %*
helpfile [open] -- Reg Error: Key error.
hlpfile [open] -- %SystemRoot%\winhlp32.exe %1 (Microsoft Corporation)
htmlfile [edit] -- "C:\Program Files\Microsoft Office\Office14\msohtmed.exe" %1 (Microsoft Corporation)
htmlfile [print] -- "C:\Program Files\Microsoft Office\Office14\msohtmed.exe" /p %1 (Microsoft Corporation)
inffile [install] -- %SystemRoot%\System32\InfDefaultInstall.exe "%1" (Microsoft Corporation)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [AddToPlaylistVLC] -- "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --playlist-enqueue "%1" ()
Directory [cmd] -- cmd.exe /s /k pushd "%V" (Microsoft Corporation)
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Directory [PlayWithVLC] -- "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --no-playlist-enqueue "%1" ()
Folder [open] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [explore] -- Reg Error: Value error.
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"cval" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc]
"VistaSp1" = Reg Error: Unknown registry data type -- File not found
"AntiVirusOverride" = 0
"AntiSpywareOverride" = 0
"FirewallOverride" = 0

========== Firewall Settings ==========

========== Authorized Applications List ==========


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{048298C9-A4D3-490B-9FF9-AB023A9238F3}" = Steam
"{0886900B-B2F3-452C-B580-60F1253F7F80}" = Native Instruments Controller Editor
"{09DF00E6-520C-49D5-B7E0-9612165CACA8}" = OpenOffice.org 3.2
"{0A0CADCF-78DA-33C4-A350-CD51849B9702}" = Microsoft .NET Framework 4 Extended
"{0B0F231F-CE6A-483D-AA23-77B364F75917}" = Windows Live Installer
"{0B8565BA-BAD5-4732-B122-5FD78EFC50A9}" = Native Instruments Service Center
"{0EF5BEA9-B9D3-46d7-8958-FB69A0BAEACC}" = Status
"{0F367CA3-3B2F-43F9-A44A-25A8EE69E45D}" = Scan
"{1111706F-666A-4037-7777-211328764D10}" = JavaFX 2.1.1
"{15BC8CD0-A65B-47D0-A2DD-90A824590FA8}" = Microsoft Works
"{15EB20D6-5F13-41D0-BEF9-C9C44D6AC620}" = SDFormatter
"{175F0111-2968-4935-8F70-33108C6A4DE3}" = MarketResearch
"{19BA08F7-C728-469C-8A35-BFBD3633BE08}" = Windows Live Movie Maker
"{1E03C8BE-0848-430F-BECA-7D7709401626}" = TP-LINK Wireless Client Utility
"{1E958728-CFA3-454A-A2D6-42A9FF718480}" = Intel(R) C++ Redistributables for Windows* on IA-32
"{1EC71BFB-01A3-4239-B6AF-B1AE656B15C0}" = TrayApp
"{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
"{1F6AB0E7-8CDD-4B93-8A23-AA9EB2FEFCE4}" = Junk Mail filter update
"{200FEC62-3C34-4D60-9CE8-EC372E01C08F}" = Windows Live SOXE Definitions
"{261FDE14-0B8C-4B7A-8E37-A6F70FE5CEEA}" = Max 5.1.8
"{2640314A-2D9A-4F58-B501-DB109CD9DBA2}" = DJ_AIO_ProductContext
"{26A24AE4-039D-4CA4-87B4-2F83217007FF}" = Java 7 Update 7
"{294B9A61-B4D6-4EDB-91BF-354619C43FE2}" = PCM Native Reverb Bundle
"{294BF709-D758-4363-8D75-01479AD20927}" = Windows Live Family Safety
"{2991DD80-25AE-471E-9981-D572CA0887EE}" = Flux_StereoTool
"{2AAC4085-DCBF-417B-AEBD-182197839240}" = Native Instruments Traktor
"{2EEA7AA4-C203-4b90-A34F-19FB7EF1C81C}" = BufferChm
"{2EFA4E4C-7B5F-48F7-A1C0-1AA882B7A9C3}" = HP Update
"{2FF8C687-DB7D-4adc-A5DC-57983EC25046}" = DeviceDiscovery
"{32DACAC3-6538-405D-915E-8F2D026F199C}" = DJ_AIO_Software_min
"{3336F667-9049-4D46-98B6-4C743EEBC5B1}" = Windows Live Photo Gallery
"{34D2AB40-150D-475D-AE32-BD23FB5EE355}" = HP Quick Launch Buttons
"{34F4D9A4-42C2-4348-BEF4-E553C84549E7}" = Windows Live Photo Gallery
"{3577E42B-3347-4EB8-BFDA-D36E8ED3C519}" = Windows 7 USB/DVD Download Tool
"{3C3901C5-3455-3E0A-A214-0B093A5070A6}" = Microsoft .NET Framework 4 Client Profile
"{3C92B2E6-380D-4fef-B4DF-4A3B4B669771}" = Copy
"{3F5C371F-8EA2-4F25-9D3D-D0B4526E3AEA}" = NVIDIA PhysX
"{43CDF946-F5D9-4292-B006-BA0D92013021}" = WebReg
"{490BF87E-1F75-4453-BF55-9F540543A3CA}" = Steinberg Drum Loop Expansion 01
"{491DF203-7B61-4F0E-BDCB-A1218C4DAFE9}" = Native Instruments Massive
"{4A03706F-666A-4037-7777-5F2748764D10}" = Java Auto Updater
"{4A19D6AC-ADE0-4A07-80FF-9C9812C45557}" = Steinberg Cubase 5
"{4A70EF07-7F88-4434-BB61-D1DE8AE93DD4}" = SolutionCenter
"{4CBABDFD-49F8-47FD-BE7D-ECDE7270525A}" = Windows Live PIMT Platform
"{4D454CF8-12FD-464D-B57B-B46FE27B78BB}" = Steinberg LoopMash Content
"{4E7C28C7-D5DA-4E9F-A1CA-60490B54AE35}" = UnloadSupport
"{50ACF4F1-D38A-4DCE-8147-0F574CDEF45B}" = Citrix online plug-in (USB)
"{532B917B-8235-4FA5-BE36-643A8BB053A5}" = Steinberg REVerence Content 01
"{53C141BA-4F9E-43FB-B4F9-0C01BB716FA8}" = Adobe Audition 3.0
"{5776E400-655A-44E0-B67C-A236E498AB26}" = Flux_BitterSweetII
"{61AD15B2-50DB-4686-A739-14FE180D4429}" = Windows Live ID Sign-in Assistant
"{63FF21C9-A810-464F-B60A-3111747B1A6D}" = GPBaseService2
"{65153EA5-8B6E-43B6-857B-C6E4FC25798A}" = Intel(R) Management Engine Components
"{66491E5A-7899-4863-A2E9-057E10BCB578}" = Samsung SecretZone
"{681B698F-C997-42C3-B184-B489C6CA24C9}" = HPPhotoSmartDiscLabelContent1
"{682B3E4F-696A-42DE-A41C-4C07EA1678B4}" = Windows Live SOXE
"{6A05FEDF-662E-46BF-8A25-010E3F1C9C69}" = Windows Live UX Platform Language Pack
"{6B2FFB21-AC88-45C3-9A7D-4BB3E744EC91}" = HPSSupply
"{6BBA26E9-AB03-4FE7-831A-3535584CA002}" = Toolbox
"{710f4c1c-cc18-4c49-8cbf-51240c89a1a2}" = Microsoft Visual C++ 2005 Redistributable
"{7281CABA-E70B-411A-AF4B-ECB3C8778364}_is1" = Mouse Recorder 2.3.6.2
"{770657D0-A123-3C07-8E44-1C83EC895118}" = Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
"{789289CA-F73A-4A16-A331-54D498CE069F}" = Ventrilo Client
"{80956555-A512-4190-9CAD-B000C36D6B6B}" = Windows Live Messenger
"{837b34e3-7c30-493c-8f6a-2b0f04e2912c}" = Microsoft Visual C++ 2005 Redistributable
"{846B5DED-DC8C-4E1A-B5B4-9F5B39A0CACE}" = HPDiagnosticAlert
"{865D9ED1-EAC2-436D-AFA7-0B750EB5AAAB}" = Steinberg HALionOne Studio Drum Set
"{86CE85E6-DBAC-3FFD-B977-E4B79F83C909}" = Microsoft Visual C++ 2008 Redistributable - KB2467174 - x86 9.0.30729.5570
"{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}" = Microsoft Silverlight
"{8DD46C6A-0056-4FEC-B70A-28BB16A1F11F}" = MSVCRT
"{90120000-0020-0409-0000-0000000FF1CE}" = Compatibility Pack for the 2007 Office system
"{90140000-0011-0000-0000-0000000FF1CE}" = Microsoft Office Professional Plus 2010
"{90140000-0011-0000-0000-0000000FF1CE}_Office14.PROPLUS_{047B0968-E622-4FAA-9B4B-121FA109EDDE}" = Microsoft Office 2010 Service Pack 1 (SP1)
"{90140000-0015-0409-0000-0000000FF1CE}" = Microsoft Office Access MUI (English) 2010
"{90140000-0015-0409-0000-0000000FF1CE}_Office14.PROPLUS_{6BD185A0-E67F-4F77-8BCD-E34EA6AE76DF}" = Microsoft Office 2010 Service Pack 1 (SP1)
"{90140000-0016-0409-0000-0000000FF1CE}" = Microsoft Office Excel MUI (English) 2010
"{90140000-0016-0409-0000-0000000FF1CE}_Office14.PROPLUS_{6BD185A0-E67F-4F77-8BCD-E34EA6AE76DF}" = Microsoft Office 2010 Service Pack 1 (SP1)
"{90140000-0018-0409-0000-0000000FF1CE}" = Microsoft Office PowerPoint MUI (English) 2010
"{90140000-0018-0409-0000-0000000FF1CE}_Office14.PROPLUS_{6BD185A0-E67F-4F77-8BCD-E34EA6AE76DF}" = Microsoft Office 2010 Service Pack 1 (SP1)
"{90140000-0019-0409-0000-0000000FF1CE}" = Microsoft Office Publisher MUI (English) 2010
"{90140000-0019-0409-0000-0000000FF1CE}_Office14.PROPLUS_{6BD185A0-E67F-4F77-8BCD-E34EA6AE76DF}" = Microsoft Office 2010 Service Pack 1 (SP1)
"{90140000-001A-0409-0000-0000000FF1CE}" = Microsoft Office Outlook MUI (English) 2010
"{90140000-001A-0409-0000-0000000FF1CE}_Office14.PROPLUS_{6BD185A0-E67F-4F77-8BCD-E34EA6AE76DF}" = Microsoft Office 2010 Service Pack 1 (SP1)
"{90140000-001B-0409-0000-0000000FF1CE}" = Microsoft Office Word MUI (English) 2010
"{90140000-001B-0409-0000-0000000FF1CE}_Office14.PROPLUS_{6BD185A0-E67F-4F77-8BCD-E34EA6AE76DF}" = Microsoft Office 2010 Service Pack 1 (SP1)
"{90140000-001F-0409-0000-0000000FF1CE}" = Microsoft Office Proof (English) 2010
"{90140000-001F-0409-0000-0000000FF1CE}_Office14.PROPLUS_{99ACCA38-6DD3-48A8-96AE-A283C9759279}" = Microsoft Office 2010 Service Pack 1 (SP1)
"{90140000-001F-040C-0000-0000000FF1CE}" = Microsoft Office Proof (French) 2010
"{90140000-001F-040C-0000-0000000FF1CE}_Office14.PROPLUS_{46298F6A-1E7E-4D4A-B5F5-106A4F0E48C6}" = Microsoft Office 2010 Service Pack 1 (SP1)
"{90140000-001F-0C0A-0000-0000000FF1CE}" = Microsoft Office Proof (Spanish) 2010
"{90140000-001F-0C0A-0000-0000000FF1CE}_Office14.PROPLUS_{DEA87BE2-FFCC-4F33-9946-FCBE55A1E998}" = Microsoft Office 2010 Service Pack 1 (SP1)
"{90140000-002C-0409-0000-0000000FF1CE}" = Microsoft Office Proofing (English) 2010
"{90140000-002C-0409-0000-0000000FF1CE}_Office14.PROPLUS_{7CA93DF4-8902-449E-A42E-4C5923CFBDE3}" = Microsoft Office 2010 Service Pack 1 (SP1)
"{90140000-0044-0409-0000-0000000FF1CE}" = Microsoft Office InfoPath MUI (English) 2010
"{90140000-0044-0409-0000-0000000FF1CE}_Office14.PROPLUS_{6BD185A0-E67F-4F77-8BCD-E34EA6AE76DF}" = Microsoft Office 2010 Service Pack 1 (SP1)
"{90140000-006E-0409-0000-0000000FF1CE}" = Microsoft Office Shared MUI (English) 2010
"{90140000-006E-0409-0000-0000000FF1CE}_Office14.PROPLUS_{4560037C-E356-444A-A015-D21F487D809E}" = Microsoft Office 2010 Service Pack 1 (SP1)
"{90140000-00A1-0409-0000-0000000FF1CE}" = Microsoft Office OneNote MUI (English) 2010
"{90140000-00A1-0409-0000-0000000FF1CE}_Office14.PROPLUS_{6BD185A0-E67F-4F77-8BCD-E34EA6AE76DF}" = Microsoft Office 2010 Service Pack 1 (SP1)
"{90140000-00BA-0409-0000-0000000FF1CE}" = Microsoft Office Groove MUI (English) 2010
"{90140000-00BA-0409-0000-0000000FF1CE}_Office14.PROPLUS_{6BD185A0-E67F-4F77-8BCD-E34EA6AE76DF}" = Microsoft Office 2010 Service Pack 1 (SP1)
"{90140000-0115-0409-0000-0000000FF1CE}" = Microsoft Office Shared Setup Metadata MUI (English) 2010
"{90140000-0115-0409-0000-0000000FF1CE}_Office14.PROPLUS_{4560037C-E356-444A-A015-D21F487D809E}" = Microsoft Office 2010 Service Pack 1 (SP1)
"{90140000-0117-0409-0000-0000000FF1CE}" = Microsoft Office Access Setup Metadata MUI (English) 2010
"{90140000-0117-0409-0000-0000000FF1CE}_Office14.PROPLUS_{6BD185A0-E67F-4F77-8BCD-E34EA6AE76DF}" = Microsoft Office 2010 Service Pack 1 (SP1)
"{918A9082-6287-4D25-9002-5E5D5E4971CB}" = League of Legends
"{92EA4134-10D1-418A-91E1-5A0453131A38}" = Windows Live Movie Maker
"{942E5031-2BD6-4C1B-918C-C8A1CBAE7B8C}" = Microsoft IntelliPoint 8.2
"{95120000-00AF-0409-0000-0000000FF1CE}" = Microsoft Office PowerPoint Viewer 2007 (English)
"{95120000-00B9-0409-0000-0000000FF1CE}" = Microsoft Application Error Reporting
"{97C89A11-9AD7-49CE-9F90-54BF075623CE}" = VIP Access
"{980A182F-E0A2-4A40-94C1-AE0C1235902E}" = Pando Media Booster
"{9A25302D-30C0-39D9-BD6F-21E6EC160475}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
"{9BE518E6-ECC6-35A9-88E4-87755C07200F}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161
"{9D56775A-93F3-44A3-8092-840E3826DE30}" = Windows Live Mail
"{A6B90148-02C5-4fd3-8D7A-EF2386835CB9}" = F4100_Help
"{A726AE06-AAA3-43D1-87E3-70F510314F04}" = Windows Live Writer
"{A80FA752-C491-4ED9-ABF0-4278563160B2}" = 32 Bit HP CIO Components Installer
"{A9BDCA6B-3653-467B-AC83-94367DA3BFE3}" = Windows Live Photo Common
"{AAAFC670-569B-4A2F-82B4-42945E0DE3EF}" = Windows Live Writer
"{AAF454FC-82CA-4F29-AB31-6A109485E76E}" = Windows Live Writer
"{AC76BA86-7AD7-1033-7B44-AA1000000001}" = Adobe Reader X (10.1.5)
"{AC997F93-0757-4ED4-A701-F40C2D654D09}" = Steinberg HALionOne GM Drum Set
"{AD99B476-6FB7-4985-A3C3-E40595A7E6DE}" = DJ_AIO_Software
"{AF844339-2F8A-4593-81B3-9F4C54038C4E}" = Windows Live MIME IFilter
"{B10914FD-8812-47A4-85A1-50FCDE7F1F33}" = Windows Live Sync
"{B124E6D3-91B4-4E3C-AD03-BA959B223537}" = Citrix online plug-in (Web)
"{B194272D-1F92-46DF-99EB-8D5CE91CB4EC}" = Adobe AIR
"{B2544A03-10D0-4E5E-BA69-0362FFC20D18}" = OGA Notifier 2.0.0048.0
"{BC21E1FA-BD9C-4351-8EA3-4EC377B1E439}_is1" = Power CD+G Burner
"{BD7204BA-DD64-499E-9B55-6A282CDF4FA4}" = Destinations
"{BD86F1AC-B594-46E4-85DC-1258AC9E2232}" = Steinberg Groove Agent ONE Content
"{C43326F5-F135-4551-8270-7F7ABA0462E1}" = HPProductAssistant
"{C66824E4-CBB3-4851-BB3F-E8CFD6350923}" = Windows Live Mail
"{CAE4213F-F797-439D-BD9E-79B71D115BE3}" = HPPhotoGadget
"{CAE7D1D9-3794-4169-B4DD-964ADBC534EE}" = HP Product Detection
"{CD95D125-2992-4858-B3EF-5F6FB52FBAD6}" = Skype Toolbars
"{CE95A79E-E4FC-4FFF-8A75-29F04B942FF2}" = Windows Live UX Platform
"{CFF8B8E8-E086-4DE0-935F-FE22CAB54F80}" = Microsoft Search Enhancement Pack
"{d05a1414-a955-4c5c-9716-b7777ef86e85}" = F4100
"{D1E632A6-CE8B-436B-BC03-009851802E82}" = Sound Forge Pro 10.0
"{D23CBFDA-C46B-4920-BA70-FC7878A3F05A}" = Steinberg HALionOne Studio Set
"{D436F577-1695-4D2F-8B44-AC76C99E0002}" = Windows Live Photo Common
"{D45240D3-B6B3-4FF9-B243-54ECE3E10066}" = Windows Live Communications Platform
"{D4C9692E-4EFA-4DA0-8B7F-9439466D9E31}" = Full Tilt Poker
"{D51FED8C-2A72-4D72-8CE3-7EB7D7673363}" = uMusic
"{D79113E7-274C-470B-BD46-01B10219DF6A}" = HPPhotosmartEssential
"{D82CDA0D-C182-42C8-8FF2-5649C98D6003}" = Steinberg HALionOne Pro Set
"{D86B0E2E-DF9A-441C-AF77-8D1A0FF00FA6}" = AIO_Scan
"{D899C197-F8C1-4773-9EC4-6C1FBADB9B29}" = Citrix online plug-in (HDX)
"{D8D4ED7E-954C-449D-B21D-6F97036DF0E9}" = Citrix online plug-in (DV)
"{DB6AB705-C9BD-40E3-8929-2EA57F36A4FF}_is1" = ConvertXtoDVD 4.1.19.365
"{DC635845-46D3-404B-BCB1-FC4A91091AFA}" = SmartWebPrinting
"{DDC8BDEE-DCAC-404D-8257-3E8D4B782467}" = Windows Live Writer Resources
"{DE626616-D7C4-4F00-7E0B-EAF26FA65749}" = muvee Reveal
"{E09C4DB7-630C-4F06-A631-8EA7239923AF}" = D3DX10
"{E22AD5D3-EB60-4A8F-835C-6C10E369DCE2}" = Steinberg HALionOne Expression Set
"{E70E7159-93B1-470D-9FBD-D8E9EF34B538}" = Steinberg HALionOne
"{E7C814DF-6D2F-4E70-8491-B739A2CF2230}" = TableNinja
"{EB4DF488-AAEF-406F-A341-CB2AAA315B90}" = Windows Live Messenger
"{EB773820-0871-46A8-9B96-F2B04F8B34F0}" = HP Deskjet All-In-One Driver Software 13.0 Rel. 1
"{EBFEEB3F-3E3B-4725-A4E0-376144CE4F76}" = Citrix XenApp Web Plugin
"{EE7257A2-39A2-4D2F-9DAC-F9F25B8AE1D8}" = Skype™ 5.10
"{F057965A-D974-4C64-ADB1-4381CD4B8956}" = Steinberg HALionOne GM Set
"{F0B430D1-B6AA-473D-9B06-AA3DD01FD0B8}" = Microsoft SQL Server 2005 Compact Edition [ENU]
"{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}" = Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219
"{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}" = Realtek High Definition Audio Driver
"{F1D7AC58-554A-4A58-B784-B61558B1449A}" = QLBCASL
"{F3AFD063-8BAD-485E-B641-E7F5A2C5AE71}" = Steinberg HALionOne Additional Content Set 01
"{F50A4470-7A45-4A5A-97F8-806990B736C2}" = MP3+G Toolz
"{F53D678E-238F-4A71-9742-08BB6774E9DC}" = Windows Live Family Safety
"{FE044230-9CA5-43F7-9B58-5AC5A28A1F33}" = Windows Live Essentials
"{FF66E9F6-83E7-3A3E-AF14-8DE9A809A6A4}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022
"4Videosoft AMV Media Converter_is1" = 4Videosoft AMV Media Converter
"Adobe AIR" = Adobe AIR
"Adobe Audition 3.0" = Adobe Audition 3.0
"Adobe Flash Player ActiveX" = Adobe Flash Player 11 ActiveX
"Adobe Flash Player Plugin" = Adobe Flash Player 11 Plugin
"Any Video Converter Ultimate_is1" = Any Video Converter Ultimate 4.5.8
"ASIO4ALL" = ASIO4ALL
"Avira AntiVir Desktop" = Avira Free Antivirus
"BazzISM2 VST2" = BazzISM2 VST2 2.4.6
"BazzISM2 VST3" = BazzISM2 VST3 2.4.6
"bx_saturator_is1" = bx_saturator 1.0.2
"CitrixOnlinePluginPackWeb" = Citrix online plug-in - web
"Cyclop_is1" = Sugar Bytes Cyclop 1.0.1
"DMGAudio PitchFunk_is1" = DMGAudio PitchFunk 1.02
"EASEUS Partition Master Home Edition_is1" = EASEUS Partition Master 6.1.1 Home Edition
"eLicenser Control" = eLicenser Control
"Football Manager 2012_is1" = Football Manager 2012
"Free Download Manager_is1" = Free Download Manager 3.9.2
"GhostMouse_is1" = GhostMouse
"HitmanPro37" = HitmanPro 3.7
"HoldemManager2" = Holdem Manager 2
"HP Imaging Device Functions" = HP Imaging Device Functions 13.0
"HP Photosmart Essential" = HP Photosmart Essential 3.5
"HP Smart Web Printing" = HP Smart Web Printing 4.51
"HP Solution Center & Imaging Support Tools" = HP Solution Center 13.0
"HPExtendedCapabilities" = HP Customer Participation Program 13.0
"HxD Hex Editor_is1" = HxD Hex Editor version 1.7.7.0
"ImgBurn" = ImgBurn
"iZotope Stutter Edit_is1" = iZotope Stutter Edit
"Juniper_Setup_Client Activex Control" = Juniper Networks Setup Client Activex Control
"Live 8.2.8" = Live 8.2.8
"Malwarebytes' Anti-Malware_is1" = Malwarebytes Anti-Malware version 1.70.0.1100
"Microsoft .NET Framework 4 Client Profile" = Microsoft .NET Framework 4 Client Profile
"Microsoft .NET Framework 4 Extended" = Microsoft .NET Framework 4 Extended
"Microsoft IntelliPoint 8.2" = Microsoft IntelliPoint 8.2
"minimoog V2_is1" = minimoog V2 2.0
"Mozilla Firefox (3.6.12)" = Mozilla Firefox (3.6.12)
"Mozilla Firefox 10.0.2 (x86 en-GB)" = Mozilla Firefox 10.0.2 (x86 en-GB)
"Mp3tag" = Mp3tag v2.48
"Native Instruments Controller Editor" = Native Instruments Controller Editor
"Native Instruments Massive" = Native Instruments Massive
"Native Instruments Service Center" = Native Instruments Service Center
"Native Instruments Traktor" = Native Instruments Traktor
"Office14.PROPLUS" = Microsoft Office Professional Plus 2010
"Ohmboyz VST2" = OhmForce Ohmboyz VST2
"Ohmicide VST" = Ohm Force - Ohmicide VST
"PCM Native Reverb Bundle" = PCM Native Reverb Bundle
"PokerStars" = PokerStars
"PokerTracker4" = PokerTracker 4 (remove only)
"PostgreSQL 8.4" = PostgreSQL 8.4
"PreSonus Studio One 2" = PreSonus Studio One 2
"PSP 85 32bit" = PSP 85 32bit
"PSP EasyVerb 1.6.0 32bit" = PSP EasyVerb 1.6.0 32bit
"QuickSFV" = QuickSFV (Remove only)
"Shop for HP Supplies" = Shop for HP Supplies
"Softube FET Compressor VST RTAS_is1" = Softube FET Compressor VST RTAS v1.0.3
"Softube Tube-Tech CL 1B VST RTAS_is1" = Softube Tube-Tech CL 1B VST RTAS v1.0.3
"Sonic Charge µTonic VST" = Sonic Charge µTonic VST
"Sonnoxplugins Oxford Elite Collection Native_is1" = Sonnoxplugins Oxford Elite Collection Native v1.0
"SopCast" = SopCast 3.4.0
"SoundToys Native Effects VST RTAS_is1" = SoundToys Native Effects VST RTAS v4.0.2
"Speccy" = Speccy
"SPL Analog Code Bundle_is1" = SPL Analog Code Bundle v1.1
"SSL Duende Native_is1" = SSL Duende Native (32-bit) v3.6.6
"StarCraft II" = StarCraft II
"SubBoomBass_is1" = Rob Papen SubBoomBass 1.0.5 Multi-core
"SyncroSoft Emu" = SyncroSoft Emu (Remove only)
"Syncrosoft License Control" = Syncrosoft License Control
"SynTPDeinstKey" = Synaptics Pointing Device Driver
"TeamViewer 7" = TeamViewer 7
"USB_AUDIO_DEusb-audio.deNumark" = Numark USB Audio driver
"uTorrent" = µTorrent
"ValhallaRoom_is1" = ValhallaRoom 1.1.0
"VirtualCloneDrive" = VirtualCloneDrive
"VLC media player" = VLC media player 2.0.1
"WBFS Manager 3.0" = WBFS Manager 3.0
"WinLiveSuite" = Windows Live Essentials
"WinPcapInst" = WinPcap 4.1.2
"WinRAR archiver" = WinRAR archiver
"Wireshark" = Wireshark 1.6.4
"World of Warcraft" = World of Warcraft
"Zoiper" = Zoiper

========== HKEY_USERS Uninstall List ==========

[HKEY_USERS\S-1-5-21-3563083970-3628164584-3303492815-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{79A765E1-C399-405B-85AF-466F52E918B0}" = Avira SearchFree Toolbar plus Web Protection Updater
"090215de958f1060" = Curse Client
"Dropbox" = Dropbox
"Juniper_Setup_Client" = Juniper Networks Setup Client
"Neoteris_Host_Checker" = Juniper Networks Host Checker

========== Last 20 Event Log Errors ==========

[ Application Events ]
Error - 24/02/2013 20:03:16 | Computer Name = HP-PC | Source = Application Hang | ID = 1002
Description = The program iexplore.exe version 9.0.8112.16464 stopped interacting
with Windows and was closed. To see if more information about the problem is available,
check the problem history in the Action Center control panel. Process ID: 13dc Start
Time: 01ce12b7fc306da9 Termination Time: 15 Application Path: C:\Program Files\Internet
Explorer\iexplore.exe Report Id: be6ac092-7ede-11e2-bb40-00269edb0a1b

Error - 24/02/2013 20:04:03 | Computer Name = HP-PC | Source = Application Hang | ID = 1002
Description = The program iexplore.exe version 9.0.8112.16464 stopped interacting
with Windows and was closed. To see if more information about the problem is available,
check the problem history in the Action Center control panel. Process ID: 7c4 Start
Time: 01ce12eb83cb1257 Termination Time: 12 Application Path: C:\Program Files\Internet
Explorer\iexplore.exe Report Id: db3d17fd-7ede-11e2-bb40-00269edb0a1b

Error - 24/02/2013 20:06:55 | Computer Name = HP-PC | Source = Application Hang | ID = 1002
Description = The program iexplore.exe version 9.0.8112.16464 stopped interacting
with Windows and was closed. To see if more information about the problem is available,
check the problem history in the Action Center control panel. Process ID: 17d0 Start
Time: 01ce12eba07f714c Termination Time: 16 Application Path: C:\Program Files\Internet
Explorer\iexplore.exe Report Id: 40fe5fcf-7edf-11e2-bb40-00269edb0a1b

Error - 26/02/2013 07:25:41 | Computer Name = HP-PC | Source = PostgreSQL | ID = 0
Description = 2013-02-26 11:25:41 GMTFATAL: the database system is starting up

Error - 26/02/2013 08:14:36 | Computer Name = HP-PC | Source = PostgreSQL | ID = 0
Description = 2013-02-26 12:14:36 GMTFATAL: the database system is starting up

Error - 26/02/2013 08:14:40 | Computer Name = HP-PC | Source = PostgreSQL | ID = 0
Description = 2013-02-26 12:14:40 GMTFATAL: the database system is starting up

Error - 26/02/2013 08:29:21 | Computer Name = HP-PC | Source = PostgreSQL | ID = 0
Description = 2013-02-26 12:29:21 GMTFATAL: the database system is starting up

Error - 26/02/2013 09:06:56 | Computer Name = HP-PC | Source = PostgreSQL | ID = 0
Description = 2013-02-26 13:06:56 GMTFATAL: the database system is starting up

Error - 26/02/2013 09:27:22 | Computer Name = HP-PC | Source = PostgreSQL | ID = 0
Description = 2013-02-26 13:27:22 GMTFATAL: the database system is starting up

Error - 26/02/2013 09:51:53 | Computer Name = HP-PC | Source = PostgreSQL | ID = 0
Description = 2013-02-26 13:51:53 GMTFATAL: the database system is starting up

[ System Events ]
Error - 26/02/2013 09:27:45 | Computer Name = HP-PC | Source = Service Control Manager | ID = 7001
Description = The HomeGroup Provider service depends on the Function Discovery Resource
Publication service which failed to start because of the following error: %%-2147024891

Error - 26/02/2013 09:51:45 | Computer Name = HP-PC | Source = Service Control Manager | ID = 7000
Description = The HitmanPro 3.7 Crusader (Boot) service failed to start due to the
following error: %%2

Error - 26/0
 

Fiery

Level 1
Jan 11, 2011
2,007
Open OTL. Under custom scan/fixes, copy and paste the following:

:OTL
O17 - HKLM\System\CCS\Services\Tcpip\Parameters\Interfaces\{F220F9CC-71A8-4F3E-88D2-13A48D0BD4E6}: DhcpNameServer = 10.0.0.2
@Alternate Data Stream - 178 bytes -> C:\ProgramData\TEMP:BF3D62E7


:Files
C:\ProgramData\flwjycbm.bab
ipconfig /flushdns /c

:Commands
[EMPTYTEMP]
[RESETHOSTS]

Then click Run Fix. Post the log afterwards.

Please download AdwCleaner by Xplode onto your desktop.
  • Close all open programs and internet browsers.
  • Double click on AdwCleaner.exe to run the tool (for Vista or Windows 7, right-click and select Run as Administrator to start)
  • Click delete
  • Please post the content of that logfile with your next answer.
  • You can find the logfile at C:\AdwCleaner[S1].txt

Download & SAVE RogueKiller to your Desktop from here or from here
  • Quit all programs that you may have started.
  • Please disconnect any USB or external drives from the computer before you run this scan!
  • For Vista or Windows 7, right-click and select Run as Administrator to start
  • Wait until Prescan has finished, then click on "Scan" button
  • Wait until the Status box shows "Scan Finished"
  • Click delete and wait until it says deleting finished
  • Click on "Report" and copy/paste the content of the Notepad into your next reply.
  • The log should be found in RKreport[1].txt on your Desktop
  • Exit/Close RogueKiller
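A read-only PowerShell check (PowerShell 3.0 or later) that re-inspects the three items the OTL fix above targets: the interface's DhcpNameServer value, alternate data streams on C:\ProgramData\TEMP, and any HOSTS entries beyond the default localhost line. This is an added example, not part of the thread or of the OTL tool; the interface GUID and paths are the ones quoted in the fix and will differ on another machine.

```powershell
# Added example (not from the thread). Re-checks the artifacts the OTL fix
# above addressed, without changing anything. Requires PowerShell 3.0+
# (Get-Item -Stream is not available in the PowerShell 2.0 shipped with Windows 7).

# 1. DHCP-assigned DNS server on the interface named in the OTL fix.
#    GUID copied from the thread; on another system enumerate the
#    Interfaces key instead of hard-coding it.
$ifaceGuid = '{F220F9CC-71A8-4F3E-88D2-13A48D0BD4E6}'
$ifaceKey  = "HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\$ifaceGuid"
if (Test-Path -LiteralPath $ifaceKey) {
    $props = Get-ItemProperty -LiteralPath $ifaceKey
    [pscustomobject]@{
        Interface      = $ifaceGuid
        DhcpNameServer = $props.DhcpNameServer   # server handed out by DHCP
        NameServer     = $props.NameServer       # statically configured DNS, if any
    } | Format-List
} else {
    Write-Output "Interface key $ifaceGuid not present."
}

# 2. Alternate data streams on C:\ProgramData\TEMP (OTL reported TEMP:BF3D62E7).
#    Every NTFS file carries the unnamed ':$DATA' stream; anything else is
#    worth a look. Errors are suppressed because Get-Item throws on a
#    directory that has no streams at all.
$tempPath = 'C:\ProgramData\TEMP'
if (Test-Path -LiteralPath $tempPath) {
    $streams = Get-Item -LiteralPath $tempPath -Stream * -ErrorAction SilentlyContinue |
        Where-Object { $_.Stream -ne ':$DATA' }
    if ($streams) {
        Write-Output "Alternate data streams on ${tempPath}:"
        $streams | Select-Object FileName, Stream, Length
    } else {
        Write-Output "No alternate data streams on $tempPath."
    }
}

# 3. HOSTS file: list every non-comment line that is not the default
#    localhost mapping (IPv4 or IPv6), the only content a clean file needs.
$hostsPath  = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
$unexpected = Get-Content -LiteralPath $hostsPath |
    Where-Object { $_ -match '\S' -and $_ -notmatch '^\s*#' } |
    Where-Object { $_ -notmatch '^\s*(127\.0\.0\.1|::1)\s+localhost\s*$' }
if ($unexpected) {
    Write-Output 'HOSTS entries beyond the default localhost mapping:'
    $unexpected
} else {
    Write-Output 'HOSTS file contains only comments and the default localhost mapping.'
}
```

Run it from an elevated PowerShell prompt; the HOSTS and HKLM reads work without elevation, but an antivirus that guards the HOSTS file (as the thread later describes) may still block access.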
 

jondeevoy

New Member
Thread author
Feb 26, 2013
8
All processes killed
========== OTL ==========
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{F220F9CC-71A8-4F3E-88D2-13A48D0BD4E6}\\DhcpNameServer| /E : value set successfully!
ADS C:\ProgramData\TEMP:BF3D62E7 deleted successfully.
========== FILES ==========
C:\ProgramData\flwjycbm.bab moved successfully.
< ipconfig /flushdns /c >
Windows IP Configuration
Successfully flushed the DNS Resolver Cache.
C:\Users\HP\Downloads\cmd.bat deleted successfully.
C:\Users\HP\Downloads\cmd.txt deleted successfully.
========== COMMANDS ==========

[EMPTYTEMP]

User: All Users

User: Default
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 400707 bytes
->Flash cache emptied: 56504 bytes

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: HP
->Temp folder emptied: 2693488992 bytes
->Temporary Internet Files folder emptied: 38419626 bytes
->Java cache emptied: 15560626 bytes
->FireFox cache emptied: 80705492 bytes
->Flash cache emptied: 788 bytes

User: postgres
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 400707 bytes
->Flash cache emptied: 56504 bytes

User: Public

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 273956800 bytes
RecycleBin emptied: 2107 bytes

Total Files Cleaned = 2,959.00 mb

File move failed. C:\Windows\System32\drivers\etc\Hosts scheduled to be moved on reboot.
Error: Unble to create default HOSTS file!

OTL by OldTimer - Version 3.2.69.0 log created on 02282013_185428

Files\Folders moved on Reboot...
C:\Users\HP\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\AntiPhishing\ED8654D5-B9F0-4DD9-B3E8-F8F560086FDF.dat moved successfully.
C:\Users\HP\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\FMXJQ5R1\beacon[1].htm moved successfully.
C:\Users\HP\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\FMXJQ5R1\beacon[2].htm moved successfully.
C:\Users\HP\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\FMXJQ5R1\ddc[1].htm moved successfully.
C:\Users\HP\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\FMXJQ5R1\ddc[2].htm moved successfully.
C:\Users\HP\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\FMXJQ5R1\ddc[3].htm moved successfully.
C:\Users\HP\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\FMXJQ5R1\default[1].htm moved successfully.
C:\Users\HP\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\FMXJQ5R1\fpi[1].htm moved successfully.
C:\Users\HP\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\FMXJQ5R1\fpi[2].htm moved successfully.
C:\Users\HP\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\FMXJQ5R1\like[1].htm moved successfully.
C:\Users\HP\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\FMXJQ5R1\LocalStorage[1].htm moved successfully.
C:\Users\HP\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\FMXJQ5R1\Mcs-Group-jobs-in-Belfast[1].htm moved successfully.
C:\Users\HP\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\FMXJQ5R1\pixel[1].htm moved successfully.
C:\Users\HP\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\FMXJQ5R1\pixel[2].htm moved successfully.
C:\Users\HP\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\FMXJQ5R1\tweet_button.1362008198[1].htm moved successfully.
C:\Users\HP\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\FMXJQ5R1\uid[1].htm moved successfully.
C:\Users\HP\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\FMXJQ5R1\xmlProxy[1].htm moved successfully.
C:\Users\HP\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\FMXJQ5R1\xmlProxy[2].htm moved successfully.
C:\Users\HP\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\EMJ0XO8U\adif_px[1].htm moved successfully.
C:\Users\HP\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\EMJ0XO8U\adif_px[2].htm moved successfully.
C:\Users\HP\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\EMJ0XO8U\aT0zNDM0LHM9MzAweDI1MCxuPWlmcmFtZQ==[1].htm moved successfully.
C:\Users\HP\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\EMJ0XO8U\beacon[1].htm moved successfully.
C:\Users\HP\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\EMJ0XO8U\ddc[1].htm moved successfully.
C:\Users\HP\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\EMJ0XO8U\ddc[2].htm moved successfully.
C:\Users\HP\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\EMJ0XO8U\search[1].htm moved successfully.
C:\Users\HP\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\EMJ0XO8U\server[1].htm moved successfully.
C:\Users\HP\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\EMJ0XO8U\uid[1].htm moved successfully.
C:\Users\HP\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\EMJ0XO8U\xd_arbiter[1].htm moved successfully.
C:\Users\HP\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\DL6YSHVQ\5MWriter[1].htm moved successfully.
C:\Users\HP\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\DL6YSHVQ\adif_px[1].htm moved successfully.
C:\Users\HP\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\DL6YSHVQ\adloader[1].htm moved successfully.
C:\Users\HP\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\DL6YSHVQ\fastbutton[1].htm moved successfully.
C:\Users\HP\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\DL6YSHVQ\flextag[1].htm moved successfully.
C:\Users\HP\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\DL6YSHVQ\fpi[1].htm moved successfully.
C:\Users\HP\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\DL6YSHVQ\iframeproxy-19[1].htm moved successfully.
C:\Users\HP\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\DL6YSHVQ\Messenger[1].htm moved successfully.
C:\Users\HP\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\DL6YSHVQ\pm[1].htm moved successfully.
C:\Users\HP\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\DL6YSHVQ\search[2].htm moved successfully.
C:\Users\HP\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\DL6YSHVQ\server[1].htm moved successfully.
C:\Users\HP\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\DL6YSHVQ\serve[1].htm moved successfully.
C:\Users\HP\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\DL6YSHVQ\xd_arbiter[2].htm moved successfully.
C:\Users\HP\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\6PF619WW\adif_px[1].htm moved successfully.
C:\Users\HP\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\6PF619WW\AjaxHistoryFrame[1].htm moved successfully.
C:\Users\HP\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\6PF619WW\aT0zNDM0LHM9MzAweDI1MCxuPWlmcmFtZQ==[1].htm moved successfully.
C:\Users\HP\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\6PF619WW\beacon[1].htm moved successfully.
C:\Users\HP\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\6PF619WW\ddc[1].htm moved successfully.
C:\Users\HP\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\6PF619WW\EditMessageLight[1].htm moved successfully.
C:\Users\HP\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\6PF619WW\fpi[1].htm moved successfully.
C:\Users\HP\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\6PF619WW\getadi[1].htm moved successfully.
C:\Users\HP\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\6PF619WW\iu3[1].htm moved successfully.
C:\Users\HP\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\6PF619WW\pixel[1].htm moved successfully.
C:\Users\HP\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\6PF619WW\pixel[2].htm moved successfully.
C:\Users\HP\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\6PF619WW\pm[1].htm moved successfully.
C:\Users\HP\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\6PF619WW\pr[1].htm moved successfully.
C:\Users\HP\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\6PF619WW\resourcespreload[2].htm moved successfully.
C:\Users\HP\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\6PF619WW\RteFrame_16.2.7221.0222[1].htm moved successfully.
C:\Users\HP\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\6PF619WW\search[1].htm moved successfully.
C:\Users\HP\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\6PF619WW\serve[1].htm moved successfully.
C:\Users\HP\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\6PF619WW\Thread-ukash-Chesire-Police-help-needed[1].htm moved successfully.
C:\Users\HP\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\6PF619WW\xmlProxy[1].htm moved successfully.
C:\Windows\System32\drivers\etc\Hosts moved successfully.

PendingFileRenameOperations files...

Registry entries deleted on Reboot...
 

jondeevoy

New Member
Thread author
Feb 26, 2013
8
I had my Antivirus on when running the above fix and noticed that access to the HOSTS file was blocked. I then ran the :Command RESETHOSTS and got this:

========== COMMANDS ==========
HOSTS file reset successfully

OTL by OldTimer - Version 3.2.69.0 log created on 02282013_190937
 

jondeevoy

New Member
Thread author
Feb 26, 2013
8
# AdwCleaner v2.113 - Logfile created 02/28/2013 at 19:14:06
# Updated 23/02/2013 by Xplode
# Operating system : Windows 7 Home Premium Service Pack 1 (32 bits)
# User : HP - HP-PC
# Boot Mode : Normal
# Running from : C:\Users\HP\Downloads\AdwCleaner.exe
# Option [Delete]


***** [Services] *****


***** [Files / Folders] *****


***** [Registry] *****

Key Deleted : HKCU\Software\APN
Key Deleted : HKCU\Software\Ask.com.tmp
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{CC59E0F9-7E43-44FA-9FAA-8377850BF205}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{D4027C7F-154A-4066-A1AD-4243D8127440}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{CC59E0F9-7E43-44FA-9FAA-8377850BF205}
Key Deleted : HKCU\Software\Microsoft\Windows\CurrentVersion\Uninstall\{79A765E1-C399-405B-85AF-466F52E918B0}
Key Deleted : HKLM\Software\APN
Key Deleted : HKLM\Software\AskToolbar
Key Deleted : HKLM\SOFTWARE\Classes\AppID\{9B0CB95C-933A-4B8C-B6D4-EDCD19A43874}
Key Deleted : HKLM\SOFTWARE\Classes\AppID\GenericAskToolbar.DLL
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{00000000-6E41-4FD3-8538-502F5495E5FC}
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{CC59E0F9-7E43-44FA-9FAA-8377850BF205}
Key Deleted : HKLM\Software\Classes\Installer\Features\A28B4D68DEBAA244EB686953B7074FEF
Key Deleted : HKLM\Software\Classes\Installer\Products\A28B4D68DEBAA244EB686953B7074FEF
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{6C434537-053E-486D-B62A-160059D9D456}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{79FB5FC8-44B9-4AF5-BADD-CCE547F953E5}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{91CF619A-4686-4CA4-9232-3B2E6B63AA92}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{AC71B60E-94C9-4EDE-BA46-E146747BB67E}
Key Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\Extension Compatibility\{2EECD738-5844-4A99-B4B6-146BF802613B}
Key Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\Extension Compatibility\{97F2FF5B-260C-4CCF-834A-2DDA4E29E39E}
Key Deleted : HKLM\SOFTWARE\Microsoft\Internet Explorer\Extension Compatibility\{98889811-442D-49DD-99D7-DC866BE87DBC}
Key Deleted : HKLM\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\ApnUpdater
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{CC59E0F9-7E43-44FA-9FAA-8377850BF205}
Key Deleted : HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UpgradeCodes\F928123A039649549966D4C29D35B1C9
Key Deleted : HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\0CFE535C35F99574E8340BFA75BF92C2
Key Deleted : HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\120DFADEB50841F408F04D2A278F9509
Key Deleted : HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\B5BAE2ED018083A4C8DA86D6E3F4B024
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{CD95D125-2992-4858-B3EF-5F6FB52FBAD6}

***** [Internet Browsers] *****

-\\ Internet Explorer v9.0.8112.16464

[OK] Registry is clean.

-\\ Mozilla Firefox v10.0.2 (en-GB)

File : C:\Users\HP\AppData\Roaming\Mozilla\Firefox\Profiles\z30k7fsq.default\prefs.js

Deleted : user_pref("browser.search.defaultengine", "Ask.com");
Deleted : user_pref("browser.search.defaultenginename", "Ask.com");
Deleted : user_pref("browser.search.order.1", "Ask.com");
Deleted : user_pref("browser.search.selectedEngine", "Ask.com");
Deleted : user_pref("browser.startup.homepage", "hxxp://search.avira.com/?l=dis&o=APN10401&gct=hp&dc=EU&locale[...]
Deleted : user_pref("extensions.asktb.ff-original-keyword-url", "");
Deleted : user_pref("keyword.URL", "hxxp://websearch.ask.com/redirect?client=ff&src=kw&tb=AVR-3&o=APN10401&loc[...]

*************************

AdwCleaner[S1].txt - [3838 octets] - [28/02/2013 19:14:06]

########## EOF - C:\AdwCleaner[S1].txt - [3898 octets] ##########
 

jondeevoy

New Member
Thread author
Feb 26, 2013
8
RogueKiller V8.5.2 [Feb 23 2013] by Tigzy
mail : tigzyRK<at>gmail<dot>com
Feedback : http://www.geekstogo.com/forum/files/file/413-roguekiller/
Website : http://tigzy.geekstogo.com/roguekiller.php
Blog : http://tigzyrk.blogspot.com/

Operating System : Windows 7 (6.1.7601 Service Pack 1) 32 bits version
Started in : Normal mode
User : HP [Admin rights]
Mode : Remove -- Date : 02/28/2013 20:14:46
| ARK || FAK || MBR |

¤¤¤ Bad processes : 1 ¤¤¤
[Microsoft][HJNAME] notepad.exe -- C:\Windows\System32\notepad.exe [7] -> KILLED [TermProc]

¤¤¤ Registry Entries : 0 ¤¤¤

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver : [LOADED] ¤¤¤
SSDT[84] : NtCreateSection @ 0x8302A03D -> HOOKED (Unknown @ 0x90B2835E)
SSDT[299] : NtRequestWaitReplyPort @ 0x83044A0A -> HOOKED (Unknown @ 0x90B28368)
SSDT[316] : NtSetContextThread @ 0x830E4637 -> HOOKED (Unknown @ 0x90B28363)
SSDT[347] : NtSetSecurityObject @ 0x83008725 -> HOOKED (Unknown @ 0x90B2836D)
SSDT[368] : NtSystemDebugControl @ 0x8308C5E2 -> HOOKED (Unknown @ 0x90B28372)
SSDT[370] : NtTerminateProcess @ 0x83061B9D -> HOOKED (Unknown @ 0x90B282FF)
S_SSDT[585] : NtUserSetWindowsHookEx -> HOOKED (Unknown @ 0x90B28386)
S_SSDT[588] : NtUserSetWinEventHook -> HOOKED (Unknown @ 0x90B2838B)

¤¤¤ Extern Hives: ¤¤¤
-> G:\windows\system32\config\SOFTWARE
-> G:\windows\system32\config\SYSTEM
-> G:\Users\Default\NTUSER.DAT
-> G:\Users\Default User\NTUSER.DAT
-> G:\Users\Shift\NTUSER.DAT
-> G:\Documents and Settings\Default\NTUSER.DAT
-> G:\Documents and Settings\Default User\NTUSER.DAT

¤¤¤ HOSTS File: ¤¤¤
--> C:\Windows\system32\drivers\etc\hosts

127.0.0.1 localhost


¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: SAMSUNG HM320II ATA Device +++++
--- User ---
[MBR] f8de517ef8354861ff80b0f5f55dbb50
[BSP] e3824f4763e30480b78c0c44a204fe0a : Windows 7/8 MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 2048 | Size: 100 Mo
1 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 208845 | Size: 112633 Mo
2 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 230886180 | Size: 30733 Mo
3 - [XXXXXX] EXTEN-LBA (0x0f) [VISIBLE] Offset (sectors): 293828850 | Size: 161771 Mo
User = LL1 ... OK!
User = LL2 ... OK!

Finished : << RKreport[2]_D_02282013_02d2014.txt >>
RKreport[1]_S_02282013_02d2013.txt ; RKreport[2]_D_02282013_02d2014.txt
 

Fiery

Level 1
Jan 11, 2011
2,007
Download TDSSkiller from here
  • Double-Click on TDSSKiller.exe to run the application
  • When TDSSkiller opens, click change parameters , check the box next to Loaded modules . A reboot will be required.
  • After reboot, TDSSKiller will run again. Click Change parameters again and make sure everything is checked.
  • click Start scan .
  • If a suspicious object is detected, the default action will be Skip, click on Continue. (If it says TDL4/TDSS file system, select delete)
  • If malicious objects are found, ensure Cure (default) is selected, then click Continue and Reboot now to finish the cleaning process.

Post the log afterwards (usually in the C:\ folder, in the form TDSSKiller.[Version]_[Date]_[Time]_log.txt).
 

Fiery

Level 1
Jan 11, 2011
2,007
Looking good. One more scan and we will clean up.

Run Eset NOD32 Online AntiVirus

Note: You will need to use Internet Explorer for this scan.
Vista / 7 users: You will need to right-click on the Internet Explorer icon and select Run as Administrator
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the activex control to install
  • Disable your current antivirus software. You can usually do this with its Notification Tray icon near the clock.
  • Click Start
  • Make sure that the option "Remove found threats" is un-checked, and the following Advanced Settings are checked
    • Scan unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth Technology
  • Click Scan
  • Wait for the scan to finish
  • Re-enable your antivirus software.
  • A logfile is created and located at C:\Program Files\EsetOnlineScanner\log.txt. Please include this on your post.
 
