Jump to content

Welcome to Geeks to Go - Register now for FREE

Need help with your computer or device? Want to learn new tech skills? You're in the right place!
Geeks to Go is a friendly community of tech experts who can solve any problem you have. Just create a free account and post your question. Our volunteers will reply quickly and guide you through the steps. Don't let tech troubles stop you. Join Geeks to Go now and get the support you need!

How it Works Create Account
Photo

Problem with Generic Trojan and Multiple Processes [Solved]


  • This topic is locked This topic is locked

#1
newworldmike1

newworldmike1

    Member

  • Member
  • PipPip
  • 12 posts

I noticed some slowdowns with Internet Explorer as well as sites showing up in my frequently visited tabs that I have never gone to.

 

I did a full scan with AVG Free 2014, and I keep getting results stating

  • Trojan horse Generic_r/EJI

emanating from various files in Windows\SysWOW64.  Some of the infections are able to be secured while others say the Element Can Not Be Found.  After removing the items, subsequent scans still have the same infections.

 

I also noticed strange processes active in my taskmgr including ctfmon, dllhost, fixmapi, dvdupgdr, and others even though it goes not seem the process is actually active.  I force close the processes, but they return again in a few minutes. 

 

I downloaded and ran Farbar Recovery Scan Tool.  The logs are attached below.   Please let me know what I can do.

Attached Files


  • 0

Advertisements


#2
pystryker

pystryker

    Trusted Helper

  • Malware Removal
  • 3,912 posts
Hello and welcome to Geeks To Go! My nickname is Pystryker :) , and I will be helping you with your issue today.


Before we get started, I have a few things I need to go over with you
  • If you are receiving help for this issue at another forum, please let me know so I can close this thread.
  • Please download to and run all requested tools from your Desktop.
  • Please do not install any new software during the cleaning process other than the tools I provide for you. This can hinder the cleaning process.
  • At the top of your post, please click on the "Follow this topic" button and make sure that the "Received notification" box is checked and set to "Instantly" This will send an email to you as soon as I reply to your topic, allowing us to solve your problem faster.
  • If any of your security programs give you a warning about any tool I ask you to use, please do not worry. All the links and tools I provide to you will be safe.
  • Please do not run any tools other than the ones I ask you to, when I ask you to. Some of these tools can be very dangerous if used improperly. Also, if you use a tool that I have not requested you use, it can cause false positives, thereby delaying the complete cleaning of your machine.
  • This is a complicated process. It requires several steps, patience, and careful following of my instructions in the order they are given to diagnose your problems to get your machine back in working order.
  • Please stay with me until the end of all steps and procedures and I declare your system clean. Just because there is a lack of symptoms does not indicate a clean machine. I promise to do the same for you.
  • It is impossible for me to know what interactions may happen between your computer's software and the tools we will use to clean your machine. Therefore, I highly recommend you backup any critical personal files on your machine before we start.
  • If you have any questions at all, please don't hesitate to ask. There's no such thing as a stupid question when dealing with malware.
  • If you are unsure of an instruction I give you, or if something unexepected occurs, Do NOT proceed! Stop and ask for clarification of the instruction or tell me what occurred.
  • Please remember, the fixes are for your machine and your machine ONLY! Do not use these fixes on any other machine, each fix is tailor made for your system only. Using a fix on another machine can and will cause serious damage.
  • Once we have cleaned your machine, we'll have some cleanup and prevention steps to go through. We will also provide you with some information about how to reduce your chances of infection and get some protections in place to help defend you against this in the future
  • Please be patient while I am analyzing your logs. I know you are probably scared and very frustrated with this problem, but I am a volunteer and sometimes life does get in the way. :)
Hello :)

In the future, please copy and paste all requested logs into replies in this thread as it makes them so much easier to analyze. :thumbsup:
 

I also noticed strange processes active in my taskmgr including ctfmon, dllhost, fixmapi, dvdupgdr, and others even though it goes not seem the process is actually active. I force close the processes, but they return again in a few minutes.


Ctfmon and fixmapi are legitimate processes and shouldn't be shut down. Also, dllhost is as well, except in this case, as Poweliks infections show a lot of dllhost.exe processes running. However, do not shut down any of your dllhost processes, the malware related ones will be removed during the cleaning. The dvdupgdr I do not see running in your listed processes in the log at the moment.

Please disable your antivirus for the duration of my instructions. Don't forget to re-enable them after you have completed the steps.


Backdoor Warning


You have 2 serious backdoor infections on your machine. Poweliks and Zero Access.

These allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would advice you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the infection has been identified and can be killed, because of it's backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall

That being said, we clean these infections all the time here without reformatting and reinstalling. I've included the first steps below to begin the cleaning if you wish to do so. If you decide you want reformat and reinstall, please let me know that in your next reponse.

If you decide to proceed with the cleaning, then let's kill the 2 main infections, and then we'll go from there. :thumbsup:


Step 1: Download Fresh copy of FRST

Note: Please download a new copy of Farbar's Recovery Scan Tool and save it to your desktop. Your current copy is in a temp directory that will be emptied out during the cleaning process.

http://www.bleepingc...very-scan-tool/


Step 2: Fix with FRST
  • Open notepad (Start =>All Programs => Accessories => Notepad). Please copy the entire contents of the code box below. (To do this highlight the contents of the box, right click on it and select copy.
  • Right-click in the open notepad and select Paste).
  • Save it on the desktop as fixlist.txt

Start
CreateRestorePoint:
CloseProcesses:
(AVG Secure Search) C:\Program Files (x86)\Common Files\AVG Secure Search\vToolbarUpdater\18.1.9\ToolbarUpdater.exe
C:\Program Files (x86)\Common Files\AVG Secure Search
() C:\Program Files (x86)\Common Files\AVG Secure Search\vToolbarUpdater\18.1.9\loggingserver.exe
() C:\Program Files (x86)\AVG Secure Search\vprot.exe
HKLM-x32\...\Run: [] => [X]
HKLM-x32\...\Run: [vProt] => C:\Program Files (x86)\AVG Secure Search\vprot.exe [2640408 2014-09-03] ()
HKU\S-1-5-21-159428037-1693158616-3119889543-1000\...409d6c4515e9\InprocServer32: [Default-shell32] C:\Users\Ridlen\AppData\Local\Temp\sqmoeqv\snvkmvf\wow64.dll ATTENTION! ====> ZeroAccess?
2014-12-18 14:38 - 2013-06-02 17:52 - 00000350 _____ () C:\Windows\Tasks\AVG-Secure-Search-Update_JUNE2013_TB_rmv.job
HKU\S-1-5-21-159428037-1693158616-3119889543-1000\...A8F59079A8D5}\localserver32: rundll32.exe javascript:"\..\mshtml.dll,RunHTMLApplication ";eval("epdvnfou/xsjuf)(=tdsjqu!mbohvbhf> (the data entry has 243 more characters). <==== Poweliks!
SearchScopes: HKLM -> {2fa28606-de77-4029-af96-b231e3b8f827} URL = http://search.ask.co...&l=dis&o=HPDTDF
SearchScopes: HKLM-x32 -> {2fa28606-de77-4029-af96-b231e3b8f827} URL = http://search.ask.co...&l=dis&o=HPDTDF
SearchScopes: HKU\S-1-5-21-159428037-1693158616-3119889543-1000 -> {2fa28606-de77-4029-af96-b231e3b8f827} URL = http://search.ask.co...&l=dis&o=HPDTDF
SearchScopes: HKU\S-1-5-21-159428037-1693158616-3119889543-1000 -> {95B7759C-8C7F-4BF1-B163-73684A933233} URL = http://isearch.avg.com/search?cid={516357DD-F18E-4A58-80C2-1C43B040CC22}&mid=1b80f12879bd47d0a1a74dfe4b7f019e-8956b6d5063d058018e68e6220dd32e406920b9b&lang=en&ds=AVG&coid=avgtbavg&cmpid=&pr=fr&d=2013-01-18 22:46:55&v=18.1.9.799&pid=avg&sg=0&sap=dsp&q={searchTerms}
BHO-x32: AVG Security Toolbar -> {95B7759C-8C7F-4BF1-B163-73684A933233} -> C:\Program Files (x86)\AVG Secure Search\18.1.9.799\AVG Secure Search_toolbar.dll (AVG Secure Search)
Toolbar: HKLM-x32 - AVG Security Toolbar - {95B7759C-8C7F-4BF1-B163-73684A933233} - C:\Program Files (x86)\AVG Secure Search\18.1.9.799\AVG Secure Search_toolbar.dll (AVG Secure Search)
Toolbar: HKU\S-1-5-21-159428037-1693158616-3119889543-1000 -> No Name - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - No File
Toolbar: HKU\S-1-5-21-159428037-1693158616-3119889543-1000 -> No Name - {E7DF6BFF-55A5-4EB7-A673-4ED3E9456D39} - No File
Toolbar: HKU\S-1-5-21-159428037-1693158616-3119889543-1000 -> No Name - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - No File
FF Plugin-x32: @avg.com/AVG SiteSafety plugin,version=11.0.0.1,application/x-avg-sitesafety-plugin -> C:\Program Files (x86)\Common Files\AVG Secure Search\SiteSafetyInstaller\18.1.9\\npsitesafety.dll No File
CHR StartupUrls: Default -> "hxxp://isearch.avg.com/?cid={516357DD-F18E-4A58-80C2-1C43B040CC22}&mid=1b80f12879bd47d0a1a74dfe4b7f019e-8956b6d5063d058018e68e6220dd32e406920b9b&lang=en&ds=AVG&pr=fr&d=2013-01-18 22:46:55&v=14.0.2.14&pid=avg&sg=&sap=hp"
R2 vToolbarUpdater18.1.9; C:\Program Files (x86)\Common Files\AVG Secure Search\vToolbarUpdater\18.1.9\ToolbarUpdater.exe [1820184 2014-08-11] (AVG Secure Search)
CustomCLSID: HKU\S-1-5-21-159428037-1693158616-3119889543-1000_Classes\CLSID\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\localserver32 -> rundll32.exe javascript:"\..\mshtml.dll,RunHTMLApplication ";eval("epdvnfou/xsjuf)(=tdsjqu!mbohvbhf> (the data entry has 251 more characters). <==== Poweliks?
CustomCLSID: HKU\S-1-5-21-159428037-1693158616-3119889543-1000_Classes\CLSID\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InprocServer32 -> C:\Users\Ridlen\AppData\Local\Temp\sqmoeqv\snvkmvf\wow64.dll No File
Task: C:\Windows\Tasks\AVG-Secure-Search-Update_JUNE2013_TB_rmv.job => C:\Windows\TEMP\{D4CA2496-AA3E-41D5-AE83-F511FC74224D}.exe
Task: {1D8C3E57-CCC7-43F6-9381-43B2FF3A18CD} - System32\Tasks\{9AFA718F-432A-E6AA-B572-C37CE88B6A6A} => C:\Windows\system32\jtlshtr.dll/s "C:\Windows\system32\jtlshtr.dll"
C:\Windows\system32\jtlshtr.dll
2013-01-18 22:46 - 2014-09-03 13:52 - 02640408 _____ () C:\Program Files (x86)\AVG Secure Search\vprot.exe
CMD: netsh advfirewall reset
CMD: netsh advfirewall set allprofiles state on
CMD: ipconfig /flushdns
Emptytemp:
Hosts:
End


NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system.


Run FRST and press the Fix button just once and wait. The tool will make a log on the desktop (Fixlog.txt) please post it in your next reply.


Step 3: Fresh FRST Scan
  • Start Farbar's Recovery Scan Tool and press the Scan button.
  • FRST will scan your system and produce one log this time. Please post it in your next reply.
Things I need to see in your next post:

Please post each of these logs as a separate reply in this thread.

Fixlog.txt Log

Fresh FRST Log

How is the machine running at this time?

  • 0

#3
newworldmike1

newworldmike1

    Member

  • Topic Starter
  • Member
  • PipPip
  • 12 posts

Nice Tron Avatar.

 

Here is the Fixlog.  I will run the Fresh FRST scan next.

 

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 03-01-2015 03
Ran by Ridlen at 2015-01-03 21:32:55 Run:1
Running from C:\Users\Ridlen\Desktop
Loaded Profile: Ridlen (Available profiles: Ridlen & DefaultAppPool)
Boot Mode: Normal
==============================================

Content of fixlist:
*****************
Start
CreateRestorePoint:
CloseProcesses:
(AVG Secure Search) C:\Program Files (x86)\Common Files\AVG Secure Search\vToolbarUpdater\18.1.9\ToolbarUpdater.exe
C:\Program Files (x86)\Common Files\AVG Secure Search
() C:\Program Files (x86)\Common Files\AVG Secure Search\vToolbarUpdater\18.1.9\loggingserver.exe
() C:\Program Files (x86)\AVG Secure Search\vprot.exe
HKLM-x32\...\Run: [] => [X]
HKLM-x32\...\Run: [vProt] => C:\Program Files (x86)\AVG Secure Search\vprot.exe [2640408 2014-09-03] ()
HKU\S-1-5-21-159428037-1693158616-3119889543-1000\...409d6c4515e9\InprocServer32: [Default-shell32] C:\Users\Ridlen\AppData\Local\Temp\sqmoeqv\snvkmvf\wow64.dll ATTENTION! ====> ZeroAccess?
2014-12-18 14:38 - 2013-06-02 17:52 - 00000350 _____ () C:\Windows\Tasks\AVG-Secure-Search-Update_JUNE2013_TB_rmv.job
HKU\S-1-5-21-159428037-1693158616-3119889543-1000\...A8F59079A8D5}\localserver32: rundll32.exe javascript:"\..\mshtml.dll,RunHTMLApplication ";eval("epdvnfou/xsjuf)(=tdsjqu!mbohvbhf> (the data entry has 243 more characters). <==== Poweliks!
SearchScopes: HKLM -> {2fa28606-de77-4029-af96-b231e3b8f827} URL = http://search.ask.co...&l=dis&o=HPDTDF
SearchScopes: HKLM-x32 -> {2fa28606-de77-4029-af96-b231e3b8f827} URL = http://search.ask.co...&l=dis&o=HPDTDF
SearchScopes: HKU\S-1-5-21-159428037-1693158616-3119889543-1000 -> {2fa28606-de77-4029-af96-b231e3b8f827} URL = http://search.ask.co...&l=dis&o=HPDTDF
SearchScopes: HKU\S-1-5-21-159428037-1693158616-3119889543-1000 -> {95B7759C-8C7F-4BF1-B163-73684A933233} URL = http://isearch.avg.c...fr&d=2013-01-18 22:46:55&v=18.1.9.799&pid=avg&sg=0&sap=dsp&q={searchTerms}
BHO-x32: AVG Security Toolbar -> {95B7759C-8C7F-4BF1-B163-73684A933233} -> C:\Program Files (x86)\AVG Secure Search\18.1.9.799\AVG Secure Search_toolbar.dll (AVG Secure Search)
Toolbar: HKLM-x32 - AVG Security Toolbar - {95B7759C-8C7F-4BF1-B163-73684A933233} - C:\Program Files (x86)\AVG Secure Search\18.1.9.799\AVG Secure Search_toolbar.dll (AVG Secure Search)
Toolbar: HKU\S-1-5-21-159428037-1693158616-3119889543-1000 -> No Name - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - No File
Toolbar: HKU\S-1-5-21-159428037-1693158616-3119889543-1000 -> No Name - {E7DF6BFF-55A5-4EB7-A673-4ED3E9456D39} - No File
Toolbar: HKU\S-1-5-21-159428037-1693158616-3119889543-1000 -> No Name - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - No File
FF Plugin-x32: @avg.com/AVG SiteSafety plugin,version=11.0.0.1,application/x-avg-sitesafety-plugin -> C:\Program Files (x86)\Common Files\AVG Secure Search\SiteSafetyInstaller\18.1.9\\npsitesafety.dll No File
CHR StartupUrls: Default -> "hxxp://isearch.avg.com/?cid={516357DD-F18E-4A58-80C2-1C43B040CC22}&mid=1b80f12879bd47d0a1a74dfe4b7f019e-8956b6d5063d058018e68e6220dd32e406920b9b&lang=en&ds=AVG&pr=fr&d=2013-01-18 22:46:55&v=14.0.2.14&pid=avg&sg=&sap=hp"
R2 vToolbarUpdater18.1.9; C:\Program Files (x86)\Common Files\AVG Secure Search\vToolbarUpdater\18.1.9\ToolbarUpdater.exe [1820184 2014-08-11] (AVG Secure Search)
CustomCLSID: HKU\S-1-5-21-159428037-1693158616-3119889543-1000_Classes\CLSID\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\localserver32 -> rundll32.exe javascript:"\..\mshtml.dll,RunHTMLApplication ";eval("epdvnfou/xsjuf)(=tdsjqu!mbohvbhf> (the data entry has 251 more characters). <==== Poweliks?
CustomCLSID: HKU\S-1-5-21-159428037-1693158616-3119889543-1000_Classes\CLSID\{fbeb8a05-beee-4442-804e-409d6c4515e9}\InprocServer32 -> C:\Users\Ridlen\AppData\Local\Temp\sqmoeqv\snvkmvf\wow64.dll No File
Task: C:\Windows\Tasks\AVG-Secure-Search-Update_JUNE2013_TB_rmv.job => C:\Windows\TEMP\{D4CA2496-AA3E-41D5-AE83-F511FC74224D}.exe
Task: {1D8C3E57-CCC7-43F6-9381-43B2FF3A18CD} - System32\Tasks\{9AFA718F-432A-E6AA-B572-C37CE88B6A6A} => C:\Windows\system32\jtlshtr.dll/s "C:\Windows\system32\jtlshtr.dll"
C:\Windows\system32\jtlshtr.dll
2013-01-18 22:46 - 2014-09-03 13:52 - 02640408 _____ () C:\Program Files (x86)\AVG Secure Search\vprot.exe
CMD: netsh advfirewall reset
CMD: netsh advfirewall set allprofiles state on
CMD: ipconfig /flushdns
Emptytemp:
Hosts:
End

*****************

Restore point was successfully created.
Processes closed successfully.
C:\Program Files (x86)\Common Files\AVG Secure Search\vToolbarUpdater\18.1.9\ToolbarUpdater.exe => No running process found
C:\Program Files (x86)\Common Files\AVG Secure Search => Moved successfully.
C:\Program Files (x86)\Common Files\AVG Secure Search\vToolbarUpdater\18.1.9\loggingserver.exe => No running process found
C:\Program Files (x86)\AVG Secure Search\vprot.exe => No running process found
HKLM\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\\ => value deleted successfully.
HKLM\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\\vProt => value deleted successfully.
"HKU\S-1-5-21-159428037-1693158616-3119889543-1000\Software\Classes\CLSID\{fbeb8a05-beee-4442-804e-409d6c4515e9}" => Key deleted successfully.
C:\Windows\Tasks\AVG-Secure-Search-Update_JUNE2013_TB_rmv.job => Moved successfully.
"HKU\S-1-5-21-159428037-1693158616-3119889543-1000\Software\Classes\CLSID\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}\localserver32" => Key deleted successfully.
"HKU\S-1-5-21-159428037-1693158616-3119889543-1000\Software\Classes\CLSID\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}" => Key deleted successfully.
"HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{2fa28606-de77-4029-af96-b231e3b8f827}" => Key deleted successfully.
HKCR\CLSID\{2fa28606-de77-4029-af96-b231e3b8f827} => Key not found.
"HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\SearchScopes\{2fa28606-de77-4029-af96-b231e3b8f827}" => Key deleted successfully.
HKCR\Wow6432Node\CLSID\{2fa28606-de77-4029-af96-b231e3b8f827} => Key not found.
"HKU\S-1-5-21-159428037-1693158616-3119889543-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{2fa28606-de77-4029-af96-b231e3b8f827}" => Key deleted successfully.
HKCR\CLSID\{2fa28606-de77-4029-af96-b231e3b8f827} => Key not found.
"HKU\S-1-5-21-159428037-1693158616-3119889543-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{95B7759C-8C7F-4BF1-B163-73684A933233}" => Key deleted successfully.
HKCR\CLSID\{95B7759C-8C7F-4BF1-B163-73684A933233} => Key not found.
"HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{95B7759C-8C7F-4BF1-B163-73684A933233}" => Key deleted successfully.
"HKCR\Wow6432Node\CLSID\{95B7759C-8C7F-4BF1-B163-73684A933233}" => Key deleted successfully.
HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Toolbar\\{95B7759C-8C7F-4BF1-B163-73684A933233} => value deleted successfully.
HKCR\Wow6432Node\CLSID\{95B7759C-8C7F-4BF1-B163-73684A933233} => Key not found.
HKU\S-1-5-21-159428037-1693158616-3119889543-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} => value deleted successfully.
HKCR\CLSID\{7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} => Key not found.
HKU\S-1-5-21-159428037-1693158616-3119889543-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{E7DF6BFF-55A5-4EB7-A673-4ED3E9456D39} => value deleted successfully.
HKCR\CLSID\{E7DF6BFF-55A5-4EB7-A673-4ED3E9456D39} => Key not found.
HKU\S-1-5-21-159428037-1693158616-3119889543-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{47833539-D0C5-4125-9FA8-0819E2EAAC93} => value deleted successfully.
HKCR\CLSID\{47833539-D0C5-4125-9FA8-0819E2EAAC93} => Key not found.
"HKLM\Software\Wow6432Node\MozillaPlugins\@avg.com/AVG SiteSafety plugin,version=11.0.0.1,application/x-avg-sitesafety-plugin" => Key deleted successfully.
Chrome StartupUrls deleted successfully.
vToolbarUpdater18.1.9 => Service deleted successfully.
HKU\S-1-5-21-159428037-1693158616-3119889543-1000_Classes\CLSID\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5} => Key not found.
HKU\S-1-5-21-159428037-1693158616-3119889543-1000_Classes\CLSID\{fbeb8a05-beee-4442-804e-409d6c4515e9} => Key not found.
C:\Windows\Tasks\AVG-Secure-Search-Update_JUNE2013_TB_rmv.job not found.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Logon\{1D8C3E57-CCC7-43F6-9381-43B2FF3A18CD}" => Key deleted successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{1D8C3E57-CCC7-43F6-9381-43B2FF3A18CD}" => Key deleted successfully.
C:\Windows\System32\Tasks\{9AFA718F-432A-E6AA-B572-C37CE88B6A6A} => Moved successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\{9AFA718F-432A-E6AA-B572-C37CE88B6A6A}" => Key deleted successfully.
"C:\Windows\system32\jtlshtr.dll" => File/Directory not found.
C:\Program Files (x86)\AVG Secure Search\vprot.exe => Moved successfully.

=========  netsh advfirewall reset =========

Ok.

========= End of CMD: =========

=========  netsh advfirewall set allprofiles state on =========

Ok.

========= End of CMD: =========

=========  ipconfig /flushdns =========

Windows IP Configuration

Successfully flushed the DNS Resolver Cache.

========= End of CMD: =========

C:\Windows\System32\Drivers\etc\hosts => Moved successfully.
Hosts was reset successfully.
EmptyTemp: => Removed 17 GB temporary data.

The system needed a reboot.

==== End of Fixlog 22:36:12 ====


  • 0

#4
newworldmike1

newworldmike1

    Member

  • Topic Starter
  • Member
  • PipPip
  • 12 posts

Here is the Fresh FRST log.  I will push the computer some, see how it runs, and watch the Task Manager.

 

 

Scan result of Farbar Recovery Scan Tool (FRST.txt) (x64) Version: 03-01-2015 03
Ran by Ridlen (administrator) on RIDLEN-HP on 03-01-2015 22:50:01
Running from C:\Users\Ridlen\Desktop
Loaded Profile: Ridlen (Available profiles: Ridlen & DefaultAppPool)
Platform: Windows 7 Home Premium Service Pack 1 (X64) OS Language: English (United States)
Internet Explorer Version 10 (Default browser: IE)
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo...very-scan-tool/

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

(Enigma Software Group USA, LLC.) C:\Program Files\Enigma Software Group\SpyHunter\SH4Service.exe
(AMD) C:\Windows\System32\atiesrxx.exe
(AMD) C:\Windows\System32\atieclxx.exe
(Microsoft Corporation) C:\Windows\System32\wlanext.exe
(Advanced Micro Devices, Inc.) C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe
(AVG Technologies CZ, s.r.o.) C:\Program Files (x86)\AVG\AVG2014\avgwdsvc.exe
(Broadcom Corporation.) C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe
(Microsoft Corporation) C:\Program Files (x86)\Skype\Toolbars\PNRSvc\SkypeC2CPNRSvc.exe
(Cisco Systems, Inc.) C:\Program Files (x86)\Cisco Systems\VPN Client\cvpnd.exe
(Hewlett-Packard Company) C:\Program Files\Hewlett-Packard\HP Client Services\HPClientServices.exe
(LogMeIn, Inc.) C:\Program Files (x86)\LogMeIn\x64\LMIGuardianSvc.exe
(LogMeIn, Inc.) C:\Program Files (x86)\LogMeIn\x64\ramaint.exe
(Symantec Corporation) C:\Program Files (x86)\Symantec\Norton Online Backup\NOBuAgent.exe
(Microsoft Corporation) C:\Program Files (x86)\Microsoft Application Virtualization Client\sftvsa.exe
(TeamViewer GmbH) C:\Program Files (x86)\TeamViewer\Version9\TeamViewer_Service.exe
(Google Inc.) C:\Program Files (x86)\Google\Update\1.3.25.11\GoogleCrashHandler.exe
(Google Inc.) C:\Program Files (x86)\Google\Update\1.3.25.11\GoogleCrashHandler64.exe
(Microsoft Corp.) C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
(LogMeIn, Inc.) C:\Program Files (x86)\LogMeIn\x64\LogMeIn.exe
(Microsoft Corp.) C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVCM.EXE
(Microsoft Corporation) C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe
(Microsoft Corporation) C:\Program Files (x86)\Common Files\microsoft shared\Virtualization Handler\CVHSVC.EXE
(TeamViewer GmbH) C:\Program Files (x86)\TeamViewer\Version9\TeamViewer.exe
(TeamViewer GmbH) C:\Program Files (x86)\TeamViewer\Version9\tv_w32.exe
(TeamViewer GmbH) C:\Program Files (x86)\TeamViewer\Version9\tv_x64.exe
(Microsoft Corporation) C:\Windows\System32\rundll32.exe
(Hewlett-Packard) C:\Program Files (x86)\Hewlett-Packard\HP Odometer\hpsysdrv.exe
(LogMeIn, Inc.) C:\Program Files (x86)\LogMeIn\x64\LogMeInSystray.exe
(Dropbox, Inc.) C:\Users\Ridlen\AppData\Roaming\Dropbox\bin\Dropbox.exe
(Hewlett-Packard) C:\Program Files (x86)\Hp\HP Software Update\hpwuschd2.exe
(brother) C:\Program Files (x86)\Brownie\BrStsW64.exe
(AVG Technologies CZ, s.r.o.) C:\Program Files (x86)\AVG\AVG2014\avgui.exe
(brother) C:\Program Files (x86)\Brownie\brpjp04a.exe
(Citrix Systems, Inc.) C:\Program Files (x86)\Citrix\ICA Client\concentr.exe
(Citrix Systems, Inc.) C:\Program Files (x86)\Citrix\ICA Client\redirector.exe
(Adobe Systems Incorporated) C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe
(Oracle Corporation) C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe
(Advanced Micro Devices Inc.) C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
(Citrix Systems, Inc.) C:\Program Files (x86)\Citrix\Receiver\Receiver.exe
(ATI Technologies Inc.) C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
(Hewlett-Packard) C:\Program Files (x86)\Hewlett-Packard\TouchSmart\Calendar\Service\GCalService.exe
(Citrix Systems, Inc.) C:\Program Files (x86)\Citrix\SelfServicePlugin\SelfServicePlugin.exe
(Citrix Systems, Inc.) C:\Program Files (x86)\Citrix\ICA Client\wfcrun32.exe
(Hewlett-Packard) C:\Program Files (x86)\Hewlett-Packard\TouchSmart\Calendar\Service\HPTouchSmartSyncCalReminderApp.exe
(Hewlett-Packard Company) C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\HPSA_Service.exe
(Microsoft Corporation) C:\Windows\System32\dllhost.exe
(Microsoft Corporation) C:\Program Files\Internet Explorer\iexplore.exe
(Microsoft Corporation) C:\Windows\System32\MsSpellCheckingFacility.exe
(Microsoft Corporation) C:\Windows\System32\dllhost.exe
(Microsoft Corporation) C:\Windows\System32\dllhost.exe

==================== Registry (Whitelisted) ==================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Run: [hpsysdrv] => c:\program files (x86)\hewlett-packard\HP odometer\hpsysdrv.exe [62768 2008-11-20] (Hewlett-Packard)
HKLM\...\Run: [AdobeAAMUpdater-1.0] => C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe [444904 2012-09-20] (Adobe Systems Incorporated)
HKLM\...\Run: [LogMeIn GUI] => C:\Program Files (x86)\LogMeIn\x64\LogMeInSystray.exe [57928 2012-06-08] (LogMeIn, Inc.)
HKLM-x32\...\Run: [HP Software Update] => c:\Program Files (x86)\HP\HP Software Update\HPWuSchd2.exe [49208 2011-05-10] (Hewlett-Packard)
HKLM-x32\...\Run: [BrStsWnd] => C:\Program Files (x86)\Brownie\BrstsW64.exe [3695416 2009-06-11] (brother)
HKLM-x32\...\Run: [AVG_UI] => C:\Program Files (x86)\AVG\AVG2014\avgui.exe [5188112 2014-11-07] (AVG Technologies CZ, s.r.o.)
HKLM-x32\...\Run: [CitrixReceiver] => "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Citrix\Receiver Updater.lnk"
HKLM-x32\...\Run: [ConnectionCenter] => C:\Program Files (x86)\Citrix\ICA Client\concentr.exe [395656 2013-09-16] (Citrix Systems, Inc.)
HKLM-x32\...\Run: [Redirector] => C:\Program Files (x86)\Citrix\ICA Client\redirector.exe [153992 2013-09-16] (Citrix Systems, Inc.)
HKLM-x32\...\Run: [StartCCC] => C:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\amd64\CLIStart.exe [766208 2013-10-08] (Advanced Micro Devices, Inc.)
HKLM-x32\...\Run: [Adobe ARM] => C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe [926896 2012-09-23] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [SunJavaUpdateSched] => C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe [507776 2014-10-07] (Oracle Corporation)
HKLM\...\RunOnce: [NCPluginUpdater] => C:\Program Files (x86)\Hewlett-Packard\HP Health Check\ActiveCheck\product_line\NCPluginUpdater.exe [21720 2014-12-16] (Hewlett-Packard)
Startup: C:\Users\Ridlen\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Dropbox.lnk
ShortcutTarget: Dropbox.lnk -> C:\Users\Ridlen\AppData\Roaming\Dropbox\bin\Dropbox.exe (Dropbox, Inc.)

==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION
HKU\S-1-5-21-159428037-1693158616-3119889543-1000\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION
HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft...=ie&ar=iesearch
HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft...d=ie&ar=msnhome
HKU\S-1-5-21-159428037-1693158616-3119889543-1000\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft...=ie&ar=iesearch
SearchScopes: HKLM -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = http://www.bing.com/...rc=IE-SearchBox
SearchScopes: HKLM -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = http://www.bing.com/...rc=IE-SearchBox
SearchScopes: HKLM -> {569511A0-869E-44BB-BFE3-649E88D5FA28} URL = http://www.amazon.co...ds={searchTerms}
SearchScopes: HKLM -> {b7fca997-d0fb-4fe0-8afd-255e89cf9671} URL = http://search.yahoo....psg&type=HPDTDF
SearchScopes: HKLM -> {d43b3890-80c7-4010-a95d-1e77b5924dc3} URL = http://en.wikipedia....ch={searchTerms}
SearchScopes: HKLM -> {D944BB61-2E34-4DBF-A683-47E505C587DC} URL = http://rover.ebay.co...kw={searchTerms}
SearchScopes: HKLM-x32 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = http://www.bing.com/...rc=IE-SearchBox
SearchScopes: HKLM-x32 -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = http://www.bing.com/...rc=IE-SearchBox
SearchScopes: HKLM-x32 -> {569511A0-869E-44BB-BFE3-649E88D5FA28} URL = http://www.amazon.co...ds={searchTerms}
SearchScopes: HKLM-x32 -> {b7fca997-d0fb-4fe0-8afd-255e89cf9671} URL = http://search.yahoo....psg&type=HPDTDF
SearchScopes: HKLM-x32 -> {d43b3890-80c7-4010-a95d-1e77b5924dc3} URL = http://en.wikipedia....ch={searchTerms}
SearchScopes: HKLM-x32 -> {D944BB61-2E34-4DBF-A683-47E505C587DC} URL = http://rover.ebay.co...kw={searchTerms}
SearchScopes: HKU\S-1-5-21-159428037-1693158616-3119889543-1000 -> DefaultScope {EF6716E9-F7C3-41E9-818C-562A56CA3225} URL = https://www.google.c...?q={searchTerms}
SearchScopes: HKU\S-1-5-21-159428037-1693158616-3119889543-1000 -> {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = http://www.bing.com/...rc=IE-SearchBox
SearchScopes: HKU\S-1-5-21-159428037-1693158616-3119889543-1000 -> {569511A0-869E-44BB-BFE3-649E88D5FA28} URL = http://www.amazon.co...ds={searchTerms}
SearchScopes: HKU\S-1-5-21-159428037-1693158616-3119889543-1000 -> {b7fca997-d0fb-4fe0-8afd-255e89cf9671} URL = http://search.yahoo....psg&type=HPDTDF
SearchScopes: HKU\S-1-5-21-159428037-1693158616-3119889543-1000 -> {d43b3890-80c7-4010-a95d-1e77b5924dc3} URL = http://en.wikipedia....ch={searchTerms}
SearchScopes: HKU\S-1-5-21-159428037-1693158616-3119889543-1000 -> {D944BB61-2E34-4DBF-A683-47E505C587DC} URL = http://rover.ebay.co...kw={searchTerms}
SearchScopes: HKU\S-1-5-21-159428037-1693158616-3119889543-1000 -> {EF6716E9-F7C3-41E9-818C-562A56CA3225} URL = https://www.google.c...?q={searchTerms}
BHO: SteadyVideoBHO Class -> {6C680BAE-655C-4E3D-8FC4-E6A520C3D928} -> C:\Program Files\AMD\SteadyVideo\SteadyVideo.dll (Advanced Micro Devices)
BHO: Windows Live ID Sign-in Helper -> {9030D464-4C02-4ABF-8ECC-5164760863C6} -> C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll (Microsoft Corp.)
BHO: Google Toolbar Helper -> {AA58ED58-01DD-4d91-8333-CF10577473F7} -> C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_64.dll (Google Inc.)
BHO: Skype Click to Call for Internet Explorer -> {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} -> C:\Program Files (x86)\Skype\Toolbars\Internet Explorer x64\skypeieplugin.dll (Microsoft Corporation)
BHO: HP Network Check Helper -> {E76FD755-C1BA-4DCB-9F13-99BD91223ADE} -> C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\Resources\HPNetworkCheck\HPNetworkCheckPluginx64.dll (Hewlett-Packard)
BHO-x32: &Yahoo! Toolbar Helper -> {02478D38-C3F9-4efb-9B51-7695ECA05670} -> C:\Program Files (x86)\Yahoo!\Companion\Installs\cpn0\yt.dll (Yahoo! Inc.)
BHO-x32: Adobe PDF Link Helper -> {18DF081C-E8AD-4283-A596-FA578C2EBDC3} -> C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll (Adobe Systems Incorporated)
BHO-x32: SteadyVideoBHO Class -> {6C680BAE-655C-4E3D-8FC4-E6A520C3D928} -> C:\Program Files (x86)\amd\SteadyVideo\SteadyVideo.dll (Advanced Micro Devices)
BHO-x32: Java™ Plug-In SSV Helper -> {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -> C:\Program Files (x86)\Java\jre1.8.0_25\bin\ssv.dll (Oracle Corporation)
BHO-x32: Windows Live ID Sign-in Helper -> {9030D464-4C02-4ABF-8ECC-5164760863C6} -> C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll (Microsoft Corp.)
BHO-x32: Google Toolbar Helper -> {AA58ED58-01DD-4d91-8333-CF10577473F7} -> C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
BHO-x32: Adobe Acrobat Create PDF Toolbar Helper -> {AE7CD045-E861-484f-8273-0445EE161910} -> C:\Program Files (x86)\Common Files\Adobe\Acrobat\WCIEActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated)
BHO-x32: Skype Click to Call for Internet Explorer -> {AE805869-2E5C-4ED4-8F7B-F1F7851A4497} -> C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll (Microsoft Corporation)
BHO-x32: Java™ Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files (x86)\Java\jre1.8.0_25\bin\jp2ssv.dll (Oracle Corporation)
BHO-x32: HP Network Check Helper -> {E76FD755-C1BA-4DCB-9F13-99BD91223ADE} -> C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\Resources\HPNetworkCheck\HPNetworkCheckPlugin.dll (Hewlett-Packard)
BHO-x32: Adobe Acrobat Create PDF from Selection -> {F4971EE7-DAA0-4053-9964-665D8EE6A077} -> C:\Program Files (x86)\Common Files\Adobe\Acrobat\WCIEActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated)
Toolbar: HKLM - Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_64.dll (Google Inc.)
Toolbar: HKLM-x32 - Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files (x86)\Yahoo!\Companion\Installs\cpn0\yt.dll (Yahoo! Inc.)
Toolbar: HKLM-x32 - Adobe Acrobat Create PDF Toolbar - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\WCIEActiveX\AcroIEFavClient.dll (Adobe Systems Incorporated)
Toolbar: HKLM-x32 - Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files (x86)\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
DPF: HKLM {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} https://secure.logme...rl.cab?lmi=1074
DPF: HKLM-x32 {02BCC737-B171-4746-94C9-0D8A0B2C0089} http://office.micros...n/ieawsdc32.cab
DPF: HKLM-x32 {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} https://akamaicdn.we...ex/ieatgpc1.cab
DPF: HKLM-x32 {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} https://secure.logme...rl.cab?lmi=1081
Handler-x32: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files (x86)\Common Files\Skype\Skype4COM.dll (Skype Technologies)
Handler: skypec2c - {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer x64\skypeieplugin.dll (Microsoft Corporation)
Handler-x32: skypec2c - {91774881-D725-4E58-B298-07617B9B86A8} - C:\Program Files (x86)\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll (Microsoft Corporation)
Handler: viprotocol - {B658800C-F66E-4EF3-AB85-6C0C227862A9} - C:\Program Files (x86)\Common Files\AVG Secure Search\ViProtocolInstaller\18.1.9\ViProtocol.dll No File
Filter-x32: application/x-ica - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.)
Filter-x32: application/x-ica; charset=euc-jp - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.)
Filter-x32: application/x-ica; charset=ISO-8859-1 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.)
Filter-x32: application/x-ica; charset=MS936 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.)
Filter-x32: application/x-ica; charset=MS949 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.)
Filter-x32: application/x-ica; charset=MS950 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.)
Filter-x32: application/x-ica; charset=UTF-8 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.)
Filter-x32: application/x-ica; charset=UTF8 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.)
Filter-x32: application/x-ica;charset=euc-jp - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.)
Filter-x32: application/x-ica;charset=ISO-8859-1 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.)
Filter-x32: application/x-ica;charset=MS936 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.)
Filter-x32: application/x-ica;charset=MS949 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.)
Filter-x32: application/x-ica;charset=MS950 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.)
Filter-x32: application/x-ica;charset=UTF-8 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.)
Filter-x32: application/x-ica;charset=UTF8 - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.)
Filter-x32: ica - {CFB6322E-CC85-4d1b-82C7-893888A236BC} - C:\Program Files (x86)\Citrix\ICA Client\IcaMimeFilter.dll (Citrix Systems, Inc.)
Filter: video/mp4 - {20C75730-7C25-476B-95DC-C65810F9E489} - C:\Program Files\AMD\SteadyVideo\VideoMIMEFilter.dll (Advanced Micro Devices)
Filter-x32: video/mp4 - {20C75730-7C25-476B-95DC-C65810F9E489} - C:\Program Files (x86)\amd\SteadyVideo\VideoMIMEFilter.dll (Advanced Micro Devices)
Filter: video/x-flv - {20C75730-7C25-476B-95DC-C65810F9E489} - C:\Program Files\AMD\SteadyVideo\VideoMIMEFilter.dll (Advanced Micro Devices)
Filter-x32: video/x-flv - {20C75730-7C25-476B-95DC-C65810F9E489} - C:\Program Files (x86)\amd\SteadyVideo\VideoMIMEFilter.dll (Advanced Micro Devices)
Tcpip\Parameters: [DhcpNameServer] 192.168.2.1

FireFox:
========
FF Plugin: @microsoft.com/GENUINE -> disabled No File
FF Plugin: @Microsoft.com/NpCtrl,version=1.0 -> c:\Program Files\Microsoft Silverlight\5.1.30514.0\npctrl.dll ( Microsoft Corporation)
FF Plugin: adobe.com/AdobeAAMDetect -> C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\CCM\Utilities\npAdobeAAMDetect64.dll (Adobe Systems)
FF Plugin-x32: @Citrix.com/npican -> C:\Program Files (x86)\Citrix\ICA Client\npicaN.dll (Citrix Systems, Inc.)
FF Plugin-x32: @foxitsoftware.com/Foxit PhantomPDF Plugin,version=1.0,application/pdf -> C:\Program Files (x86)\Foxit Software\Foxit PhantomPDF\plugins\npFoxitPhantomPDFPlugin.dll (Foxit Corporation)
FF Plugin-x32: @foxitsoftware.com/Foxit PhantomPDF Plugin,version=1.0,application/vnd.fdf -> C:\Program Files (x86)\Foxit Software\Foxit PhantomPDF\plugins\npFoxitPhantomPDFPlugin.dll (Foxit Corporation)
FF Plugin-x32: @foxitsoftware.com/Foxit Reader Plugin,version=1.0,application/pdf -> C:\Program Files (x86)\Foxit Software\Foxit Reader\plugins\npFoxitReaderPlugin.dll (Foxit Corporation)
FF Plugin-x32: @foxitsoftware.com/Foxit Reader Plugin,version=1.0,application/vnd.fdf -> C:\Program Files (x86)\Foxit Software\Foxit Reader\plugins\npFoxitReaderPlugin.dll (Foxit Corporation)
FF Plugin-x32: @java.com/DTPlugin,version=11.25.2 -> C:\Program Files (x86)\Java\jre1.8.0_25\bin\dtplugin\npDeployJava1.dll (Oracle Corporation)
FF Plugin-x32: @java.com/JavaPlugin,version=11.25.2 -> C:\Program Files (x86)\Java\jre1.8.0_25\bin\plugin2\npjp2.dll (Oracle Corporation)
FF Plugin-x32: @messenger.yahoo.com/YahooMessengerStatePlugin;version=1.0.0.6 -> C:\Program Files (x86)\Yahoo!\Shared\npYState.dll (Yahoo! Inc.)
FF Plugin-x32: @microsoft.com/GENUINE -> disabled No File
FF Plugin-x32: @Microsoft.com/NpCtrl,version=1.0 -> c:\Program Files (x86)\Microsoft Silverlight\5.1.30514.0\npctrl.dll ( Microsoft Corporation)
FF Plugin-x32: @microsoft.com/SharePoint,version=14.0 -> C:\PROGRA~2\MICROS~1\Office14\NPSPWRAP.DLL (Microsoft Corporation)
FF Plugin-x32: @microsoft.com/WLPG,version=15.4.3502.0922 -> C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)
FF Plugin-x32: @microsoft.com/WLPG,version=15.4.3538.0513 -> C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)
FF Plugin-x32: @tools.google.com/Google Update;version=3 -> C:\Program Files (x86)\Google\Update\1.3.25.11\npGoogleUpdate3.dll (Google Inc.)
FF Plugin-x32: @tools.google.com/Google Update;version=9 -> C:\Program Files (x86)\Google\Update\1.3.25.11\npGoogleUpdate3.dll (Google Inc.)
FF Plugin-x32: @WildTangent.com/GamesAppPresenceDetector,Version=1.0 -> C:\Program Files (x86)\WildTangent Games\App\BrowserIntegration\Registered\3\NP_wtapp.dll ()
FF Plugin-x32: Adobe Acrobat -> C:\Program Files (x86)\Adobe\Acrobat 11.0\Acrobat\Air\nppdf32.dll (Adobe Systems Inc.)
FF Plugin-x32: adobe.com/AdobeAAMDetect -> C:\Program Files (x86)\Common Files\Adobe\OOBE\PDApp\CCM\Utilities\npAdobeAAMDetect32.dll (Adobe Systems)
FF Plugin HKU\S-1-5-21-159428037-1693158616-3119889543-1000: @citrixonline.com/appdetectorplugin -> C:\Users\Ridlen\AppData\Local\Citrix\Plugins\104\npappdetector.dll (Citrix Online)
FF Plugin HKU\S-1-5-21-159428037-1693158616-3119889543-1000: @unity3d.com/UnityPlayer,version=1.0 -> C:\Users\Ridlen\AppData\LocalLow\Unity\WebPlayer\loader\npUnity3D32.dll (Unity Technologies ApS)
FF HKLM-x32\...\Firefox\Extensions: [[email protected]] - C:\Program Files (x86)\Adobe\Acrobat 11.0\Acrobat\Browser\WCFirefoxExtn
FF Extension: Adobe Acrobat - Create PDF - C:\Program Files (x86)\Adobe\Acrobat 11.0\Acrobat\Browser\WCFirefoxExtn [2014-01-24]

Chrome:
=======
CHR HomePage: Default -> hxxp://www.google.com
CHR Profile: C:\Users\Ridlen\AppData\Local\Google\Chrome\User Data\Default
CHR Extension: (Google Voice Search Hotword (Beta)) - C:\Users\Ridlen\AppData\Local\Google\Chrome\User Data\Default\Extensions\bepbmhgboaologfdajaanbcjmnhjmhfn [2014-05-27]
CHR Extension: (YouTube) - C:\Users\Ridlen\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo [2012-11-07]
CHR Extension: (AddThis - Share & Bookmark (new)) - C:\Users\Ridlen\AppData\Local\Google\Chrome\User Data\Default\Extensions\cgbogdmdefihhljhfeiklfiedefalcde [2012-10-14]
CHR Extension: (Google Search) - C:\Users\Ridlen\AppData\Local\Google\Chrome\User Data\Default\Extensions\coobgpohoikkiipiblmjeljniedjpjpf [2012-10-14]
CHR Extension: (Adobe Acrobat - Create PDF) - C:\Users\Ridlen\AppData\Local\Google\Chrome\User Data\Default\Extensions\efaidnbmnnnibpcajpcglclefindmkaj [2014-02-05]
CHR Extension: (The Camelizer - Amazon Price Tracker) - C:\Users\Ridlen\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghnomdcacenbmilgjigehppbamfndblo [2012-10-14]
CHR Extension: (Topography) - C:\Users\Ridlen\AppData\Local\Google\Chrome\User Data\Default\Extensions\giigmfllkbnekpcfdckipcdkdpinhpgl [2012-10-14]
CHR Extension: (Skype Click to Call) - C:\Users\Ridlen\AppData\Local\Google\Chrome\User Data\Default\Extensions\lifbcibllhkdhoafpjfnlhfpfgnpldfl [2013-12-03]
CHR Extension: (Google Wallet) - C:\Users\Ridlen\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2013-08-23]
CHR Extension: (The Tracktor  - Price History Tracker) - C:\Users\Ridlen\AppData\Local\Google\Chrome\User Data\Default\Extensions\onajjgekdldckfgodnmoallcmdmfcfom [2012-10-14]
CHR Extension: (Gmail) - C:\Users\Ridlen\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia [2012-11-07]
CHR HKLM-x32\...\Chrome\Extension: [efaidnbmnnnibpcajpcglclefindmkaj] - C:\Program Files (x86)\Adobe\Acrobat 11.0\Acrobat\Browser\WCChromeExtn\WCChromeExtn.crx [2012-09-23]
CHR HKLM-x32\...\Chrome\Extension: [lifbcibllhkdhoafpjfnlhfpfgnpldfl] - C:\Program Files (x86)\Skype\Toolbars\ChromeExtension\skype_chrome_extension.crx [2014-07-14]

==================== Services (Whitelisted) =================

(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)

R2 AMD FUEL Service; C:\Program Files\ATI Technologies\ATI.ACE\Fuel\Fuel.Service.exe [344064 2013-10-08] (Advanced Micro Devices, Inc.) [File not signed]
S2 AVGIDSAgent; C:\Program Files (x86)\AVG\AVG2014\avgidsagent.exe [3247120 2014-11-07] (AVG Technologies CZ, s.r.o.)
R2 avgwd; C:\Program Files (x86)\AVG\AVG2014\avgwdsvc.exe [289328 2014-11-07] (AVG Technologies CZ, s.r.o.)
S4 c2cautoupdatesvc; C:\Program Files (x86)\Skype\Toolbars\AutoUpdate\SkypeC2CAutoUpdateSvc.exe [1390176 2014-07-14] (Microsoft Corporation)
R2 c2cpnrsvc; C:\Program Files (x86)\Skype\Toolbars\PNRSvc\SkypeC2CPNRSvc.exe [1767520 2014-07-14] (Microsoft Corporation)
R2 CalendarSynchService; C:\Program Files (x86)\Hewlett-Packard\TouchSmart\Calendar\Service\GCalService.exe [16384 2011-08-16] (Hewlett-Packard) [File not signed]
S3 GamesAppIntegrationService; C:\Program Files (x86)\WildTangent Games\App\GamesAppIntegrationService.exe [254016 2014-10-26] (WildTangent)
R2 HP Support Assistant Service; C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\hpsa_service.exe [92160 2013-11-04] (Hewlett-Packard Company) [File not signed]
R2 LMIGuardianSvc; C:\Program Files (x86)\LogMeIn\x64\LMIGuardianSvc.exe [376168 2014-11-03] (LogMeIn, Inc.)
R2 LMIMaint; C:\Program Files (x86)\LogMeIn\x64\RaMaint.exe [226152 2014-11-03] (LogMeIn, Inc.)
R2 LogMeIn; C:\Program Files (x86)\LogMeIn\x64\LogMeIn.exe [407424 2012-06-08] (LogMeIn, Inc.)
R2 NOBU; C:\Program Files (x86)\Symantec\Norton Online Backup\NOBuAgent.exe [2804568 2010-06-01] (Symantec Corporation)
R2 SpyHunter 4 Service; C:\Program Files\Enigma Software Group\SpyHunter\SH4Service.exe [1024384 2013-01-14] (Enigma Software Group USA, LLC.)
R2 W3SVC; C:\Windows\system32\inetsrv\iisw3adm.dll [453120 2010-11-20] (Microsoft Corporation)

==================== Drivers (Whitelisted) ====================

(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)

U5 AppMgmt; C:\Windows\system32\svchost.exe [27136 2009-07-13] (Microsoft Corporation)
R1 Avgdiska; C:\Windows\System32\DRIVERS\avgdiska.sys [152344 2014-06-30] (AVG Technologies CZ, s.r.o.)
R1 AVGIDSDriver; C:\Windows\System32\DRIVERS\avgidsdrivera.sys [244504 2014-07-21] (AVG Technologies CZ, s.r.o.)
R0 AVGIDSHA; C:\Windows\System32\DRIVERS\avgidsha.sys [190744 2014-06-17] (AVG Technologies CZ, s.r.o.)
R1 Avgldx64; C:\Windows\System32\DRIVERS\avgldx64.sys [237848 2014-10-24] (AVG Technologies CZ, s.r.o.)
R0 Avgloga; C:\Windows\System32\DRIVERS\avgloga.sys [328984 2014-06-17] (AVG Technologies CZ, s.r.o.)
R0 Avgmfx64; C:\Windows\System32\DRIVERS\avgmfx64.sys [123672 2014-10-29] (AVG Technologies CZ, s.r.o.)
R0 Avgrkx64; C:\Windows\System32\DRIVERS\avgrkx64.sys [31512 2014-06-17] (AVG Technologies CZ, s.r.o.)
R1 Avgtdia; C:\Windows\System32\DRIVERS\avgtdia.sys [269080 2014-10-20] (AVG Technologies CZ, s.r.o.)
R1 avgtp; C:\Windows\system32\drivers\avgtpx64.sys [50976 2014-08-11] (AVG Technologies)
R3 CVPNDRVA; C:\Windows\system32\Drivers\CVPNDRVA.sys [304784 2010-02-16] ()
S3 esgiguard; C:\Program Files\Enigma Software Group\SpyHunter\esgiguard.sys [13088 2011-03-02] ()
S3 EsgScanner; C:\Windows\System32\DRIVERS\EsgScanner.sys [22704 2012-06-22] ()
R2 LMIInfo; C:\Program Files (x86)\LogMeIn\x64\RaInfo.sys [16056 2013-05-27] (LogMeIn, Inc.)
S4 LMIRfsClientNP; No ImagePath
S3 swmsflt; C:\Windows\System32\DRIVERS\swmsflt.sys [49232 2010-05-17] ()
S3 SWNC5E00; C:\Windows\System32\DRIVERS\SWNC5E00.sys [285696 2009-08-04] (Sierra Wireless Inc.)
R3 swvspser; C:\Windows\System32\DRIVERS\swvspser.sys [34304 2009-08-13] (Sierra Wireless Inc.)
S3 catchme; \??\C:\ComboFix\catchme.sys [X]

==================== NetSvcs (Whitelisted) ===================

(If an item is included in the fixlist, it will be removed from the registry. Any associated file could be listed separately to be moved.)

==================== One Month Created Files and Folders ========

(If an entry is included in the fixlist, the file\folder will be moved.)

2015-01-03 21:25 - 2015-01-03 21:26 - 02123776 _____ (Farbar) C:\Users\Ridlen\Desktop\FRST64.exe
2015-01-03 02:10 - 2015-01-03 22:50 - 00029202 _____ () C:\Users\Ridlen\Desktop\FRST.txt
2015-01-03 01:50 - 2015-01-03 01:50 - 00043409 _____ () C:\Users\Ridlen\Desktop\Addition.txt
2015-01-03 01:47 - 2015-01-03 22:50 - 00000000 ____D () C:\FRST
2015-01-02 05:12 - 2015-01-02 05:13 - 00004514 _____ () C:\Windows\DPINST.LOG
2015-01-02 05:12 - 2015-01-02 05:12 - 00000000 ____D () C:\Program Files\Broadcom
2015-01-02 05:12 - 2015-01-02 05:11 - 08071888 _____ (Broadcom Corporation) C:\Windows\system32\Drivers\BCMWL664.SYS
2015-01-02 05:12 - 2015-01-02 05:11 - 04400128 _____ (Broadcom Corporation) C:\Windows\system32\bcmihvsrv64.dll
2015-01-02 05:12 - 2015-01-02 05:11 - 03667968 _____ (Broadcom Corporation) C:\Windows\system32\bcmihvui64.dll
2015-01-02 05:12 - 2015-01-02 05:11 - 00096560 _____ (Broadcom Corporation) C:\Windows\system32\bcmwlcoi.dll
2015-01-02 05:12 - 2015-01-02 05:11 - 00006656 _____ () C:\Windows\system32\bcmwlrc.dll
2015-01-02 05:11 - 2015-01-02 05:11 - 00000000 ____D () C:\Users\Ridlen\AppData\Roaming\InstallShield
2015-01-02 05:11 - 2015-01-02 05:11 - 00000000 ____D () C:\Program Files (x86)\Cisco
2014-12-18 13:44 - 2014-12-18 13:44 - 00029644 _____ () C:\Users\Ridlen\Downloads\12-19-14.xlsm
2014-12-18 11:49 - 2014-12-18 11:49 - 00291201 _____ () C:\Users\Ridlen\Downloads\Home Delivery orders 12.18.14.xlsx
2014-12-17 13:23 - 2014-12-17 13:23 - 00029248 _____ () C:\Users\Ridlen\Downloads\12-18-14.xlsm
2014-12-17 09:05 - 2014-12-17 09:05 - 00293692 _____ () C:\Users\Ridlen\Downloads\Home Delivery orders 12.17.14.xlsx
2014-12-16 13:13 - 2014-12-16 13:13 - 00028938 _____ () C:\Users\Ridlen\Downloads\12-17-14.xlsm
2014-12-16 12:13 - 2014-12-16 12:13 - 00304809 _____ () C:\Users\Ridlen\Downloads\Home Delivery orders 12.16.14.xlsx
2014-12-15 11:52 - 2014-12-15 11:52 - 00283356 _____ () C:\Users\Ridlen\Downloads\Home Delivery orders 12.15.14.xlsx
2014-12-15 10:57 - 2014-12-15 10:57 - 00029608 _____ () C:\Users\Ridlen\Downloads\12-16-14.xlsm
2014-12-13 18:52 - 2014-12-13 18:52 - 00094382 _____ () C:\Users\Ridlen\Desktop\user121314.conf
2014-12-12 10:26 - 2014-12-12 10:26 - 00300598 _____ () C:\Users\Ridlen\Downloads\Home Delivery orders 12.12.14.xlsx
2014-12-10 22:25 - 2014-12-10 22:25 - 00117552 _____ () C:\Users\Ridlen\Desktop\2014 Catalog V2.xlsx

==================== One Month Modified Files and Folders =======

(If an entry is included in the fixlist, the file\folder will be moved.)

2015-01-03 22:48 - 2009-07-13 23:45 - 00024608 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2015-01-03 22:48 - 2009-07-13 23:45 - 00024608 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2015-01-03 22:45 - 2009-07-14 00:13 - 00834516 _____ () C:\Windows\system32\PerfStringBackup.INI
2015-01-03 22:44 - 2012-10-13 00:06 - 00003934 _____ () C:\Windows\System32\Tasks\User_Feed_Synchronization-{EADA6634-5A35-47D1-A669-DEBAC28C0AAE}
2015-01-03 22:42 - 2012-10-13 00:24 - 00000000 ___RD () C:\Users\Ridlen\Dropbox
2015-01-03 22:42 - 2012-10-13 00:22 - 00000000 ____D () C:\Users\Ridlen\AppData\Roaming\Dropbox
2015-01-03 22:41 - 2012-10-14 14:11 - 00000326 _____ () C:\Windows\Brownie.ini
2015-01-03 22:40 - 2012-10-13 00:01 - 01429044 _____ () C:\Windows\WindowsUpdate.log
2015-01-03 22:39 - 2014-01-23 02:51 - 00001006 _____ () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\LogMeIn Client.lnk
2015-01-03 22:39 - 2014-01-23 02:51 - 00000990 _____ () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\LogMeIn Control Panel.lnk
2015-01-03 22:39 - 2012-10-14 17:14 - 00000894 _____ () C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2015-01-03 22:39 - 2009-07-14 00:08 - 00000006 ____H () C:\Windows\Tasks\SA.DAT
2015-01-03 22:39 - 2009-07-13 23:51 - 00050761 _____ () C:\Windows\setupact.log
2015-01-03 22:38 - 2010-11-20 22:47 - 00883178 _____ () C:\Windows\PFRO.log
2015-01-03 22:35 - 2012-10-14 17:14 - 00000898 _____ () C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2015-01-03 22:19 - 2012-10-13 01:21 - 00000830 _____ () C:\Windows\Tasks\Adobe Flash Player Updater.job
2015-01-03 22:12 - 2014-03-13 12:54 - 00000568 _____ () C:\Windows\Tasks\G2MUpdateTask-S-1-5-21-159428037-1693158616-3119889543-1000.job
2015-01-03 21:33 - 2013-01-18 22:46 - 00000000 ____D () C:\Program Files (x86)\AVG Secure Search
2015-01-03 21:28 - 2014-07-14 14:22 - 00129752 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\MBAMSwissArmy.sys
2015-01-03 17:08 - 2012-12-16 12:34 - 00000000 ____D () C:\ProgramData\MFAData
2015-01-03 14:25 - 2012-10-13 01:51 - 00000000 ____D () C:\ProgramData\LogMeIn
2015-01-03 10:45 - 2012-10-17 14:01 - 00000000 ____D () C:\Users\Ridlen\AppData\Local\CrashDumps
2015-01-03 01:04 - 2012-10-28 21:52 - 00002048 ____H () C:\Users\Ridlen\Documents\Default.rdp
2015-01-02 22:35 - 2014-03-13 12:54 - 00003598 _____ () C:\Windows\System32\Tasks\G2MUpdateTask-S-1-5-21-159428037-1693158616-3119889543-1000
2015-01-02 05:22 - 2012-10-14 16:43 - 00000052 _____ () C:\Windows\SysWOW64\DOErrors.log
2015-01-02 05:12 - 2009-07-13 22:20 - 00000000 ____D () C:\Windows\system32\zh-HK
2015-01-02 05:12 - 2009-07-13 22:20 - 00000000 ____D () C:\Windows\system32\tr-TR
2015-01-02 05:12 - 2009-07-13 22:20 - 00000000 ____D () C:\Windows\system32\th-TH
2015-01-02 05:12 - 2009-07-13 22:20 - 00000000 ____D () C:\Windows\system32\sl-SI
2015-01-02 05:12 - 2009-07-13 22:20 - 00000000 ____D () C:\Windows\system32\sk-SK
2015-01-02 05:12 - 2009-07-13 22:20 - 00000000 ____D () C:\Windows\system32\ro-RO
2015-01-02 05:12 - 2009-07-13 22:20 - 00000000 ____D () C:\Windows\system32\lv-LV
2015-01-02 05:12 - 2009-07-13 22:20 - 00000000 ____D () C:\Windows\system32\lt-LT
2015-01-02 05:12 - 2009-07-13 22:20 - 00000000 ____D () C:\Windows\system32\hr-HR
2015-01-02 05:12 - 2009-07-13 22:20 - 00000000 ____D () C:\Windows\system32\he-IL
2015-01-02 05:12 - 2009-07-13 22:20 - 00000000 ____D () C:\Windows\system32\et-EE
2015-01-02 05:12 - 2009-07-13 22:20 - 00000000 ____D () C:\Windows\system32\bg-BG
2015-01-02 05:12 - 2009-07-13 22:20 - 00000000 ____D () C:\Windows\system32\ar-SA
2015-01-02 05:11 - 2011-02-11 11:32 - 00000000 ____D () C:\SWSETUP
2015-01-01 17:39 - 2012-10-14 12:26 - 00003192 _____ () C:\Windows\System32\Tasks\HPCeeScheduleForRidlen
2015-01-01 17:39 - 2012-10-14 12:26 - 00000336 _____ () C:\Windows\Tasks\HPCeeScheduleForRidlen.job
2014-12-28 17:39 - 2013-01-13 17:07 - 00000000 _____ () C:\Windows\system32\HP_ActiveX_Patch_NOT_DETECTED.txt
2014-12-18 14:23 - 2010-11-21 02:16 - 00000000 ____D () C:\Windows\ShellNew
2014-12-17 03:44 - 2012-10-13 00:24 - 00001025 _____ () C:\Users\Ridlen\Desktop\Dropbox.lnk
2014-12-17 03:44 - 2012-10-13 00:23 - 00000000 ____D () C:\Users\Ridlen\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Dropbox
2014-12-10 13:19 - 2012-10-13 01:21 - 00701104 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe
2014-12-10 13:19 - 2012-10-13 01:21 - 00003768 _____ () C:\Windows\System32\Tasks\Adobe Flash Player Updater
2014-12-10 13:19 - 2012-04-09 16:21 - 00071344 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl
2014-12-05 13:38 - 2014-07-14 14:21 - 00001104 _____ () C:\Users\Public\Desktop\Malwarebytes Anti-Malware.lnk
2014-12-05 13:38 - 2014-07-14 14:21 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes Anti-Malware
2014-12-05 13:38 - 2014-07-14 14:21 - 00000000 ____D () C:\Program Files (x86)\Malwarebytes Anti-Malware

Some content of TEMP:
====================
C:\Users\Ridlen\AppData\Local\Temp\dropbox_sqlite_ext.{5f3e3153-5bce-5766-8f84-3e3e7ecf0d81}.tmpc0wcua.dll

==================== Bamital & volsnap Check =================

(There is no automatic fix for files that do not pass verification.)

C:\Windows\System32\winlogon.exe => File is digitally signed
C:\Windows\System32\wininit.exe => File is digitally signed
C:\Windows\SysWOW64\wininit.exe => File is digitally signed
C:\Windows\explorer.exe => File is digitally signed
C:\Windows\SysWOW64\explorer.exe => File is digitally signed
C:\Windows\System32\svchost.exe => File is digitally signed
C:\Windows\SysWOW64\svchost.exe => File is digitally signed
C:\Windows\System32\services.exe => File is digitally signed
C:\Windows\System32\User32.dll => File is digitally signed
C:\Windows\SysWOW64\User32.dll => File is digitally signed
C:\Windows\System32\userinit.exe => File is digitally signed
C:\Windows\SysWOW64\userinit.exe => File is digitally signed
C:\Windows\System32\rpcss.dll => File is digitally signed
C:\Windows\System32\Drivers\volsnap.sys => File is digitally signed

LastRegBack: 2014-12-25 00:38

==================== End Of Log ============================


  • 0

#5
pystryker

pystryker

    Trusted Helper

  • Malware Removal
  • 3,912 posts

Nice Tron Avatar.


I fight the Users. Sorry, couldn't resist. :) The log looks good, but I do see a couple of things I want to eliminate. There are some further scans I'd like to run to hunt for orphans and remnants.

Please disable your antivirus for the duration of my instructions. Don't forget to re-enable them after you have completed the steps.


Step 1: Fix with FRST
  • Open notepad (Start =>All Programs => Accessories => Notepad). Please copy the entire contents of the code box below. (To do this highlight the contents of the box, right click on it and select copy.
  • Right-click in the open notepad and select Paste).
  • Save it on the desktop as fixlist.txt

Start
CreateRestorePoint:
HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION
HKU\S-1-5-21-159428037-1693158616-3119889543-1000\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION
End


NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system.


Run FRST and press the Fix button just once and wait. The tool will make a log on the desktop (Fixlog.txt) please post it in your next reply.


Please disable your antivirus for the duration of my instructions. Don't forget to re-enable them after you have completed the steps.


Step 2: Scan with Malwarebytes


Please download Malwarebytes Anti-Malware to your desktop
Install the progamme and select update
Once it has updated select Settings > Detection and Protection
Tick Scan for rootkits

MBAMsettings_zpsb6b9ada0.jpg

Go back to the Dashboard and select Scan Now

MBAMScan_zps8ba7d192.jpg

If threats are detected, click the Apply Actions button, MBAM will ask for a reboot.

MBAMReboot_zps9089ab30.jpg

MBAMLog_zpsade07f42.jpg

On completion of the scan (or after the reboot), start MBAM,

Click History, then Application Logs, then check the Select box by the first Scan Log in the list.

Click View, then click Export, select text file and save to the desktop as MBAM.txt and post in your next reply.



Step 3: Scan with ESET Online Scanner


Please note: You can use Internet Explorer or Firefox for this step. Either browser used will have to be ran in admin mode.

Right click on either the Internet Explorer icon or the Firefox icon in the Start Menu or Quick Launch Bar on the Task bar and select Run as Administrator from the menu.

If you use Firefox, you will be prompted to download esetsmartinstaller_enu.exe. Please do so, then double click it to install it.

Please click on this link and then click the ESET Online Scanner bar ---->esetbar_zps93905f48.jpg
  • Select the option YES, I accept the Terms of Use then click on Start
  • When prompted allow the Add-On/Active X to install.
  • Make sure that the option Remove found threats is NOT checked.
  • Make sure that the option Scan archives is checked.
  • Now click on Advanced Settings and select the following:
  • Scan for potentially unwanted applications
  • Scan for potentially unsafe applications
  • Enable Anti-Stealth Technology
  • Now click on Start
  • The virus signature database will begin to download. Be patient this make take some time depending on the speed of your Internet Connection.
  • When completed the Online Scan will begin automatically. The scan may take several hours.
  • Do not touch either the Mouse or keyboard during the scan otherwise it may stall.
  • Now click on Finish
  • Use notepad to open the logfile located at C:\Program Files(x86)\ESET\EsetOnlineScanner\log.txt.
  • Copy and paste that log as a reply to this topic.
Step 4: SecurityCheck Scan


Download Security Checksecuritycheck_zpsb7736812.jpg by screen317 from here or here.
  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • NOTE: If SecurityCheck aborts and you get the following message: UNSUPPORTED OPERATING SYSTEM! ABORTED! try rebooting the system and then run SecurityCheck again.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.
Things I need to see in your next post:
  • ESET Scan Log
  • MBAM Log
  • SecurityCheck Log

  • 0

#6
newworldmike1

newworldmike1

    Member

  • Topic Starter
  • Member
  • PipPip
  • 12 posts

The second fixlog.   Will do MBAM next

 

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 03-01-2015 03
Ran by Ridlen at 2015-01-03 23:44:25 Run:2
Running from C:\Users\Ridlen\Desktop
Loaded Profile: Ridlen (Available profiles: Ridlen & DefaultAppPool)
Boot Mode: Normal
==============================================

Content of fixlist:
*****************
Start
CreateRestorePoint:
HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION
HKU\S-1-5-21-159428037-1693158616-3119889543-1000\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION
End

*****************

Restore point was successfully created.
"HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer" => Key deleted successfully.
"HKU\S-1-5-21-159428037-1693158616-3119889543-1000\SOFTWARE\Policies\Microsoft\Internet Explorer" => Key deleted successfully.

==== End of Fixlog 23:44:58 ====


  • 0

#7
newworldmike1

newworldmike1

    Member

  • Topic Starter
  • Member
  • PipPip
  • 12 posts

MBAM Found two items.  Here is the log....ESET next

 

Malwarebytes Anti-Malware
www.malwarebytes.org

Update, 1/4/2015 12:00:41 AM, SYSTEM, RIDLEN-HP, Manual, Remediation Database, 2013.10.16.1, 2014.12.6.1,
Update, 1/4/2015 12:00:41 AM, SYSTEM, RIDLEN-HP, Manual, Rootkit Database, 2014.11.18.1, 2014.12.30.1,
Update, 1/4/2015 12:01:18 AM, SYSTEM, RIDLEN-HP, Manual, Malware Database, 2014.11.20.6, 2015.1.4.5,
Scan, 1/4/2015 12:24:28 AM, SYSTEM, RIDLEN-HP, Manual, Start:1/4/2015 12:07:51 AM, Duration:15 min 5 sec, Threat Scan, Completed, 2 Malware Detections, 0 Non-Malware Detections,

(end)


  • 0

#8
pystryker

pystryker

    Trusted Helper

  • Malware Removal
  • 3,912 posts
That's not the log of the scan. That looks more like a list of the logs available. The scan log will show the infections it found, plus what action was taken with them. Please start MBAM and follow the procedure below to get the scan log. :thumbsup:

Start MBAM

Click History, then Application Logs, then check the Select box by the first Scan Log in the list.

Click View, then click Export, select text file and save to the desktop as MBAM.txt and post in your next reply.
  • 0

#9
newworldmike1

newworldmike1

    Member

  • Topic Starter
  • Member
  • PipPip
  • 12 posts

ESET Log....

ESETSmartInstaller@High as downloader log:
all ok
# product=EOS
# version=8
# OnlineScannerApp.exe=1.0.0.1
# OnlineScanner.ocx=1.0.0.7623
# api_version=3.0.2
# EOSSerial=bd2de7cf90f3904398909999de36d296
# engine=21806
# end=finished
# remove_checked=false
# archives_checked=true
# unwanted_checked=true
# unsafe_checked=true
# antistealth_checked=true
# utc_time=2015-01-04 09:06:28
# local_time=2015-01-04 04:06:28 (-0500, Eastern Standard Time)
# country="United States"
# lang=1033
# osver=6.1.7601 NT Service Pack 1
# compatibility_mode_1='AVG AntiVirus Free Edition 2014'
# compatibility_mode=1051 16777213 100 100 0 106553172 0 0
# compatibility_mode_1=''
# compatibility_mode=5893 16776574 100 94 44842015 171905838 0 0
# scanned=210157
# found=5
# cleaned=0
# scan_time=9873
sh=7AAE7870756AC2E45C971E23E8B9F556CCDBF1DB ft=0 fh=0000000000000000 vn="Win32/TrojanDownloader.Tracur.V trojan" ac=I fn="C:\Users\Ridlen\AppData\Local\Google\Chrome\User Data\Default\Default\aadadidddbdadbdddadgddgddeddgfdh\background.js"
sh=243AA6C14EB05D12071C608E967AD14E9BDFD96A ft=1 fh=b7edfdffc0eed7ac vn="a variant of Win32/Bundled.Toolbar.Ask potentially unsafe application" ac=I fn="C:\Users\Ridlen\Downloads\FoxitReader543.0920_enu_Setup.exe"
sh=1E6492DC34B2374E4673733D8E91A5C8C24734D4 ft=1 fh=c4641876c01c22e8 vn="a variant of Win32/Bundled.Toolbar.Ask.D potentially unsafe application" ac=I fn="C:\Users\Ridlen\Downloads\FoxitReader602.0413_enu_Setup.exe"
sh=E5AD4B34E0600534E16E43823107C2790B6B224B ft=1 fh=bb1f3b8fd51fa327 vn="a variant of Win32/InstallCore.D potentially unwanted application" ac=I fn="C:\Users\Ridlen\Dropbox\cnet2_csvedsetup_exe.exe"
sh=73F44BB4D9A666B71210B942CE90B70227B90B07 ft=1 fh=dbe59abedd1ce373 vn="a variant of Win32/Bundled.Toolbar.Ask.G potentially unsafe application" ac=I fn="C:\Users\Ridlen\Dropbox\hwmonitor_1.20-setup.exe"
 


  • 0

#10
newworldmike1

newworldmike1

    Member

  • Topic Starter
  • Member
  • PipPip
  • 12 posts

MBAM....take two.

 

Malwarebytes Anti-Malware
www.malwarebytes.org

Scan Date: 1/4/2015
Scan Time: 12:07:51 AM
Logfile: MBAM.txt
Administrator: Yes

Version: 2.00.4.1028
Malware Database: v2015.01.04.05
Rootkit Database: v2014.12.30.01
License: Free
Malware Protection: Disabled
Malicious Website Protection: Disabled
Self-protection: Disabled

OS: Windows 7 Service Pack 1
CPU: x64
File System: NTFS
User: Ridlen

Scan Type: Threat Scan
Result: Completed
Objects Scanned: 392212
Time Elapsed: 15 min, 5 sec

Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Enabled
Heuristics: Enabled
PUP: Warn
PUM: Enabled

Processes: 0
(No malicious items detected)

Modules: 0
(No malicious items detected)

Registry Keys: 0
(No malicious items detected)

Registry Values: 1
Trojan.Kovter, HKU\S-1-5-21-159428037-1693158616-3119889543-1000-{ED1FC765-E35E-4C3D-BF15-2C2B11260CE4}-0\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN|{8f31c99e-b414-0bd9-6dd7-c881d461a0e0}, "C:\Users\Ridlen\AppData\Local\{8f31c99e-b414-0bd9-6dd7-c881d461a0e0}\{8f31c99e-b414-0bd9-6dd7-c881d461a0e0}.exe", Quarantined, [cb366efb81fb5bdb84f94eb505fda957]

Registry Data: 0
(No malicious items detected)

Folders: 0
(No malicious items detected)

Files: 1
Trojan.Kovter, C:\Users\Ridlen\AppData\Local\{8f31c99e-b414-0bd9-6dd7-c881d461a0e0}\{8f31c99e-b414-0bd9-6dd7-c881d461a0e0}.exe, Delete-on-Reboot, [cb366efb81fb5bdb84f94eb505fda957],

Physical Sectors: 0
(No malicious items detected)

(end)


  • 0

Advertisements


#11
newworldmike1

newworldmike1

    Member

  • Topic Starter
  • Member
  • PipPip
  • 12 posts

Security Check log... so, this should be everything.

 

 Results of screen317's Security Check version 0.99.93 
 Windows 7 Service Pack 1 x64 (UAC is enabled) 
 Internet Explorer 10 Out of date!
``````````````Antivirus/Firewall Check:``````````````
 Windows Firewall Enabled! 
AVG AntiVirus Free Edition 2014  
 Antivirus out of date! 
`````````Anti-malware/Other Utilities Check:`````````
 Java 8 Update 25 
 Java version 32-bit out of Date!
 Google Chrome (39.0.2171.71)
 Google Chrome (39.0.2171.95)
````````Process Check: objlist.exe by Laurent```````` 
 Malwarebytes Anti-Malware mbam.exe 
 AVG avgwdsvc.exe
 Symantec Norton Online Backup NOBuAgent.exe 
`````````````````System Health check`````````````````
 Total Fragmentation on Drive C: 0%
````````````````````End of Log``````````````````````


  • 0

#12
pystryker

pystryker

    Trusted Helper

  • Malware Removal
  • 3,912 posts
Thank you for the logs, let's get rid of the files that ESET found. :thumbsup:
  • Open notepad (Start =>All Programs => Accessories => Notepad). Please copy the entire contents of the code box below. (To do this highlight the contents of the box, right click on it and select copy.
  • Right-click in the open notepad and select Paste).
  • Save it on the desktop as fixlist.txt

Start
C:\Users\Ridlen\AppData\Local\Google\Chrome\User Data\Default\Default\aadadidddbdadbdddadgddgddeddgfdh\background.js
C:\Users\Ridlen\Downloads\FoxitReader543.0920_enu_Setup.exe
C:\Users\Ridlen\Dropbox\cnet2_csvedsetup_exe.exe
C:\Users\Ridlen\Dropbox\hwmonitor_1.20-setup.exe
End


NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system.


Run FRST and press the Fix button just once and wait. The tool will make a log on the desktop (Fixlog.txt) please post it in your next reply.

Things I need to see in your next post:

Fixlog.txt Log

  • 0

#13
newworldmike1

newworldmike1

    Member

  • Topic Starter
  • Member
  • PipPip
  • 12 posts

Latest Fixlog....

 

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 03-01-2015 03
Ran by Ridlen at 2015-01-04 19:24:51 Run:3
Running from C:\Users\Ridlen\Desktop
Loaded Profile: Ridlen (Available profiles: Ridlen & DefaultAppPool)
Boot Mode: Normal
==============================================

Content of fixlist:
*****************
Start
C:\Users\Ridlen\AppData\Local\Google\Chrome\User Data\Default\Default\aadadidddbdadbdddadgddgddeddgfdh\background.js
C:\Users\Ridlen\Downloads\FoxitReader543.0920_enu_Setup.exe
C:\Users\Ridlen\Dropbox\cnet2_csvedsetup_exe.exe
C:\Users\Ridlen\Dropbox\hwmonitor_1.20-setup.exe
End

*****************

C:\Users\Ridlen\AppData\Local\Google\Chrome\User Data\Default\Default\aadadidddbdadbdddadgddgddeddgfdh\background.js => Moved successfully.
C:\Users\Ridlen\Downloads\FoxitReader543.0920_enu_Setup.exe => Moved successfully.
C:\Users\Ridlen\Dropbox\cnet2_csvedsetup_exe.exe => Moved successfully.
C:\Users\Ridlen\Dropbox\hwmonitor_1.20-setup.exe => Moved successfully.

==== End of Fixlog 19:24:52 ====


  • 0

#14
pystryker

pystryker

    Trusted Helper

  • Malware Removal
  • 3,912 posts
Hello :)

Great news, your logs are CLEAN! :thumbsup: :) but we still have a few things we need to address namely:
  • I need to remove the tools we installed on your machine.
  • We also have some programs on your machine that need updating to help protect you in the future.
Step 1: Tool Removal with Delfix and Creation of a clean restore point
  • Download Delfix from here
  • Ensure Remove disinfection tools is ticked
    Also tick:
    • Create registry backup
    • Purge system restore
    delfix.jpg
  • Click Run
The program will run for a few moments and then notepad will open with a log. Please paste the log in your next reply.

You can uninstall ESET Online Scanner at this time.

I recommend keeping Malwarebytes Anti-Malware installed. Make sure to update it and run it at least once a week. If it finds things such as PUP's (Potentially Unwanted Programs) you can delete those with no worries. However, if it finds something like a trojan, come see us.


Step 2: Java Warning and Program Updates


A word about Java

Java has become the #1 program exploited by thieves and hackers as of today. It's gotten so bad, the Department of Homeland Security recently recommended that users disable Java on their machines.

For more information regarding this, see the two articles below:

Forbes: US Department of Homeland Security Calls on user do disable Java

US warns on Java software

Unless you have software on your machine that absolutely requires Java, I highly recommend you completely remove it from your system.

If you do have software that requires it, then disable it until such time as it's needed by those programs.

Please click the link below for instructions to disable Java.

How to Disable Java in your Web Browser


If you wish to continue to use Java on your machine, please be sure to keep it updated by following the instructions below.
  • Click on this link Java Website and click Do I Have Java?
  • Then click the Verify Java Version button. It will scan your current version and show you if you have the most current version.
You can find instructions for manually removing older versions for Windows XP, Vista, and 7 by clicking the link below:

Instructions for manually removing old versions of Java


Update AVG Anti-Viru

Your current anti-virus is out of date, please follow these instructions to update it to the latest version and definitions.

Right click over the tray icon and select Check for Updates.


Step 3: Tips, Information, and Optional Installation of Unchecky
  • Watch what you open in your emails. If you get an email from an unknown source with any attached files, do not open it.
  • Install and keep only one anti-virus on your machine. Update it and scan your machine with it at least once a week.
  • Be careful of the websites you visit.
  • When installing new programs, don't be "click happy" and click through the screens. Many programs come with adware in them and are set to install them by default. Several programs require that you uncheck or select no to prevent the installation. Take your time and read each screen as you go. :)
To help protect yourself while on the web, I recommend you read How did I get infected in the first place?

Installation of Unchecky

This is a very good little program that will automatically uncheck any boxes during a software installation. This helps prevent the software from installing any malware that is by default checked while the program is being installed.

Click here to be taken to Unchecky.com

Click the very large Download button.

Click Save

Once downloaded, double click the program (Vista, Win 7, and 8, right click and Run as Administrator)

Once open, click the Install button.


unchecky1_zps667e512d.jpg


Then click Finish

unchecky2_zpsca4e7d0d.jpg


Unchecky is now installed and will help you keep unwanted check boxes unchecked. :thumbsup:


Things I need to see in your next post:

Delfix Log

  • 0

#15
newworldmike1

newworldmike1

    Member

  • Topic Starter
  • Member
  • PipPip
  • 12 posts

Delfix log.  Will confirm when next steps are done.

 

# DelFix v10.8 - Logfile created 04/01/2015 at 20:32:14
# Updated 29/07/2014 by Xplode
# Username : Ridlen - RIDLEN-HP
# Operating System : Windows 7 Home Premium Service Pack 1 (64 bits)

~ Removing disinfection tools ...

Deleted : C:\Qoobox
Deleted : C:\FRST
Deleted : C:\ComboFix.txt
Deleted : C:\TDSSKiller.2.8.16.0_04.03.2013_20.40.09_log.txt
Deleted : C:\TDSSKiller.2.8.16.0_09.05.2013_01.24.15_log.txt
Deleted : C:\TDSSKiller.2.8.16.0_28.04.2013_12.31.30_log.txt
Deleted : C:\Users\Ridlen\Desktop\Addition.txt
Deleted : C:\Users\Ridlen\Desktop\Fixlog.txt
Deleted : C:\Users\Ridlen\Desktop\FRST.txt
Deleted : C:\Users\Ridlen\Desktop\FRST64.exe
Deleted : C:\Users\Ridlen\Desktop\SecurityCheck.exe
Deleted : C:\Users\Ridlen\Downloads\ComboFix.exe
Deleted : C:\Users\Ridlen\Downloads\esetsmartinstaller_enu.exe
Deleted : C:\Users\Ridlen\Downloads\tdsskiller.exe
Deleted : C:\Windows\grep.exe
Deleted : C:\Windows\PEV.exe
Deleted : C:\Windows\NIRCMD.exe
Deleted : C:\Windows\MBR.exe
Deleted : C:\Windows\SED.exe
Deleted : C:\Windows\SWREG.exe
Deleted : C:\Windows\SWSC.exe
Deleted : C:\Windows\SWXCACLS.exe
Deleted : C:\Windows\Zip.exe
Deleted : HKLM\SOFTWARE\Swearware
Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\combofix.exe

~ Creating registry backup ... OK

~ Cleaning system restore ...

Deleted : RP #170 [Scheduled Checkpoint | 12/21/2014 05:00:01]
Deleted : RP #171 [Scheduled Checkpoint | 12/28/2014 05:00:01]
Deleted : RP #172 [HPSF Applying updates | 01/02/2015 10:06:38]
Deleted : RP #174 [Restore Point Created by FRST | 01/04/2015 02:32:57]
Deleted : RP #176 [Restore Point Created by FRST | 01/04/2015 04:44:29]

New restore point created !

########## - EOF - ##########


  • 0






Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP