
explorer.exe using high memory

Discussion in 'Virus & Other Malware Removal' started by jbzy, Jan 26, 2015.

  1. jbzy (Thread Starter), joined Jan 26, 2015, 45 messages
    Explorer.exe process keeps increasing to 1-3GB memory in my task manager list. As it goes higher, it uses up to 100% CPU. If I end the process, it just restarts and within a couple minutes is right back to using tons of memory. I've read several of your threads and tried to follow some of the suggestions, but no resolution. The threads seem to indicate different causes. Please help me diagnose and fix. (Anything else you can do to help me clean it will also be appreciated.) Thank you in advance!!!


    Tech Support Guy System Info Utility version 1.0.0.2
    OS Version: Microsoft Windows 7 Home Premium, Service Pack 1, 64 bit
    Processor: Intel(R) Core(TM) i3 CPU M 330 @ 2.13GHz, Intel64 Family 6 Model 37 Stepping 2
    Processor Count: 4
    RAM: 3893 Mb
    Graphics Card: Intel(R) HD Graphics, 1722 Mb
    Hard Drives: C: Total - 463772 MB, Free - 365565 MB; D: Total - 12862 MB, Free - 2135 MB; E: Total - 99 MB, Free - 94 MB;
    Motherboard: Hewlett-Packard, 1425
    Antivirus: None
     
  2. JSntgRvr (Retired Moderator and Malware Specialist), first name José, joined Jul 1, 2003, 18,552 messages
    Welcome. :)

    Please download Farbar Recovery Scan Tool and save it to your desktop.

    Note: You need to run the version compatible with your system. If you are not sure which version applies to your system, download both of them and try to run them. Only one of them will run on your system; that will be the right version.
    • Double-click to run it. When the tool opens, click Yes to the disclaimer.
    • Make sure that under Optional Scans, there is a checkmark on Addition.txt and Shortcut.
    • Press Scan button.
    • It will make a log (FRST.txt) in the same directory the tool is run from. Please copy and paste it to your reply.
    • The tool will also produce another two logs (Addition.txt and Shortcut.txt). Please attach these to your reply.
     
  3. jbzy (Thread Starter), joined Jan 26, 2015, 45 messages
    Scan result of Farbar Recovery Scan Tool (FRST.txt) (x64) Version: 24-01-2015 01
    Ran by Owner (administrator) on OWNER-PC on 27-01-2015 22:00:03
    Running from C:\Users\Owner\Desktop
    Loaded Profiles: Owner (Available profiles: Owner)
    Platform: Windows 7 Home Premium Service Pack 1 (X64) OS Language: English (United States)
    Internet Explorer Version 11 (Default browser: IE)
    Boot Mode: Normal
    Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/
    ==================== Processes (Whitelisted) =================
    (If an entry is included in the fixlist, the process will be closed. The file will not be moved.)
    (Microsoft Corporation) C:\Windows\System32\wlanext.exe
    (SUPERAntiSpyware.com) C:\Program Files\SUPERAntiSpyware\SASCore64.exe
    (Adobe Systems Incorporated) C:\Program Files (x86)\Adobe\Photoshop Elements 7.0\PhotoshopElementsFileAgent.exe
    (Andrea Electronics Corporation) C:\Program Files\Realtek\Audio\HDA\AERTSr64.exe
    (Microsoft Corporation) C:\Program Files (x86)\Skype\Toolbars\AutoUpdate\SkypeC2CAutoUpdateSvc.exe
    (Microsoft Corporation) C:\Program Files (x86)\Skype\Toolbars\PNRSvc\SkypeC2CPNRSvc.exe
    (HP) C:\Program Files (x86)\HP\HPLaserJetService\HPLaserJetService.exe
    (Hewlett-Packard Company) C:\Program Files (x86)\HP\Common\HPSupportSolutionsFrameworkService.exe
    (Synaptics Incorporated) C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    (Realtek Semiconductor) C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe
    (Realtek Semiconductor Corp.) C:\Program Files (x86)\Realtek\Audio\OSD\RtVOsd64.exe
    (Intel Corporation) C:\Windows\System32\igfxtray.exe
    (Intel Corporation) C:\Windows\System32\hkcmd.exe
    (Intel Corporation) C:\Windows\System32\igfxpers.exe
    (Microsoft Corporation) C:\Program Files\Microsoft Device Center\itype.exe
    (Microsoft Corporation) C:\Program Files\Microsoft Device Center\ipoint.exe
    (Hewlett-Packard Company) C:\Program Files (x86)\HP\Digital Imaging\Fax\Fax Driver 0.6 Base\hppfaxprintersrv.exe
    (Sierra Wireless, Inc.) C:\Program Files (x86)\Sierra Wireless Inc\WebUpdater\TRUUpdater.exe
    (Sierra Wireless Inc.) C:\Program Files (x86)\Sierra Wireless Inc\3G Watcher\WaHelper.exe
    (Hewlett-Packard Company) C:\Program Files (x86)\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
    (Hewlett-Packard) C:\Program Files (x86)\HP\HP Software Update\hpwuschd2.exe
    (Synaptics Incorporated) C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
    (Intel Corporation) C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe
    () C:\Program Files (x86)\CyberLink\Shared files\RichVideo.exe
    (Microsoft Corp.) C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
    (Microsoft Corp.) C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVCM.EXE
    (Hewlett-Packard Company) C:\Program Files (x86)\Hewlett-Packard\Shared\hpqwmiex.exe
    () C:\Program Files (x86)\Hewlett-Packard\Shared\HpqToaster.exe
    (Microsoft Corporation) C:\Windows\System32\taskmgr.exe
    (Microsoft Corporation) C:\Program Files\Internet Explorer\iexplore.exe
    (Microsoft Corporation) C:\Windows\System32\dllhost.exe
    (Adobe Systems Incorporated) C:\Program Files\Adobe\Elements 13 Organizer\PhotoshopElementsFileAgent.exe
    (Microsoft Corporation) C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
    (Microsoft Corporation) C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
    (Hewlett-Packard Company) C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\HPSA_Service.exe
    (Realtek Semiconductor Corp.) C:\Program Files\Realtek\RtVOsd\RtVOsdService.exe
    (Intel Corporation) C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe
    (Microsoft Corporation) C:\Windows\System32\dllhost.exe

    ==================== Registry (Whitelisted) ==================
    (If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)
    HKLM\...\Run: [SynTPEnh] => C:\Program Files\Synaptics\SynTP\SynTPEnh.exe [2281256 2012-11-22] (Synaptics Incorporated)
    HKLM\...\Run: [RTHDVCPL] => C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe [6489704 2011-02-04] (Realtek Semiconductor)
    HKLM\...\Run: [RtkOSD] => C:\Program Files (x86)\Realtek\Audio\OSD\RtVOsd64.exe [995840 2009-10-13] (Realtek Semiconductor Corp.)
    HKLM\...\Run: [IntelliType Pro] => c:\Program Files\Microsoft Device Center\itype.exe [1464928 2012-06-26] (Microsoft Corporation)
    HKLM\...\Run: [IntelliPoint] => c:\Program Files\Microsoft Device Center\ipoint.exe [2004584 2012-06-26] (Microsoft Corporation)
    HKLM\...\Run: [HP LaserJet Professional M1530 MFP Series Fax] => C:\Program Files (x86)\HP\Digital Imaging\Fax\Fax Driver 0.6 Base\hppfaxprintersrv.exe [3707120 2014-08-13] (Hewlett-Packard Company)
    HKLM-x32\...\Run: [TRUUpdater] => C:\Program Files (x86)\Sierra Wireless Inc\WebUpdater\TRUUpdater.exe [562456 2009-08-13] (Sierra Wireless, Inc.)
    HKLM-x32\...\Run: [WatcherHelper] => C:\Program Files (x86)\Sierra Wireless Inc\3G Watcher\WaHelper.exe [62744 2009-08-14] (Sierra Wireless Inc.)
    HKLM-x32\...\Run: [WirelessAssistant] => C:\Program Files (x86)\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe [500792 2010-03-23] (Hewlett-Packard Company)
    HKLM-x32\...\Run: [BCSSync] => C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe [89184 2012-11-05] (Microsoft Corporation)
    HKLM-x32\...\Run: [HP Software Update] => C:\Program Files (x86)\Hp\HP Software Update\HPWuSchd2.exe [49904 2014-08-13] (Hewlett-Packard)
    HKLM-x32\...\Run: [] => [X]
    Winlogon\Notify\igfxcui: C:\Windows\system32\igfxdev.dll (Intel Corporation)
    HKLM\...\Policies\Explorer: [NoDevMgrUpdate] 0
    HKLM\...\Policies\Explorer: [NoSetTaskbar] 0
    HKLM\...\Policies\Explorer: [NoDeletePrinter] 0
    HKLM\...\Policies\Explorer: [NoDFSTab] 0
    HKLM\...\Policies\Explorer: [NoChangeStartMenu] 0
    HKLM\...\Policies\Explorer: [NoEncryptOnMove] 0
    HKLM\...\Policies\Explorer: [NoRunasInstallPrompt] 0
    HKLM\...\Policies\Explorer: [NoResolveSearch] 0
    HKLM\...\Policies\Explorer: [NoHardwareTab] 0
    HKLM\...\Policies\Explorer: [NoStartMenuSubFolders] 0
    HKU\S-1-5-19\...\Policies\system: [DisableCMD] 0
    HKU\S-1-5-19\...\Policies\system: [NoDispAppearancePage] 0
    HKU\S-1-5-19\...\Policies\system: [NoDispBackgroundPage] 0
    HKU\S-1-5-19\...\Policies\system: [NoDispSettingsPage] 0
    HKU\S-1-5-19\...\Policies\Explorer: [NoFolderOptions] 0
    HKU\S-1-5-19\...\Policies\Explorer: [NoViewOnDrive] 0
    HKU\S-1-5-19\...\Policies\Explorer: [NoControlPanel] 0
    HKU\S-1-5-19\...\Policies\Explorer: [DisableLocalMachineRun] 0
    HKU\S-1-5-19\...\Policies\Explorer: [DisableLocalMachineRunOnce] 0
    HKU\S-1-5-19\...\Policies\Explorer: [DisableCurrentUserRun] 0
    HKU\S-1-5-19\...\Policies\Explorer: [DisableCurrentUserRunOnce] 0
    HKU\S-1-5-19\...\Policies\Explorer: [NoViewContextMenu] 0
    HKU\S-1-5-19\...\Policies\Explorer: [NoShellSearchButton] 0
    HKU\S-1-5-19\...\Policies\Explorer: [NoFind] 0
    HKU\S-1-5-19\...\Policies\Explorer: [NoFile] 0
    HKU\S-1-5-19\...\Policies\Explorer: [HideClock] 0
    HKU\S-1-5-19\...\Policies\Explorer: [NoTrayContextMenu] 0
    HKU\S-1-5-19\...\Policies\Explorer: [NoTrayItemsDisplay] 0
    HKU\S-1-5-19\...\Policies\Explorer: [NoSetFolders] 0
    HKU\S-1-5-19\...\Policies\Explorer: [NoDevMgrUpdate] 0
    HKU\S-1-5-19\...\Policies\Explorer: [NoSetTaskbar] 0
    HKU\S-1-5-19\...\Policies\Explorer: [NoDeletePrinter] 0
    HKU\S-1-5-19\...\Policies\Explorer: [NoDFSTab] 0
    HKU\S-1-5-19\...\Policies\Explorer: [NoChangeStartMenu] 0
    HKU\S-1-5-19\...\Policies\Explorer: [NoLogoff] 0
    HKU\S-1-5-19\...\Policies\Explorer: [NoWindowsUpdate] 0
    HKU\S-1-5-19\...\Policies\Explorer: [NoEncryptOnMove] 0
    HKU\S-1-5-19\...\Policies\Explorer: [NoRunasInstallPrompt] 0
    HKU\S-1-5-19\...\Policies\Explorer: [NoResolveSearch] 0
    HKU\S-1-5-19\...\Policies\Explorer: [NoSaveSettings] 0
    HKU\S-1-5-19\...\Policies\Explorer: [NoHardwareTab] 0
    HKU\S-1-5-19\...\Policies\Explorer: [NoStartMenuSubFolders] 0
    HKU\S-1-5-20\...\Policies\system: [DisableCMD] 0
    HKU\S-1-5-20\...\Policies\system: [NoDispAppearancePage] 0
    HKU\S-1-5-20\...\Policies\system: [NoDispBackgroundPage] 0
    HKU\S-1-5-20\...\Policies\system: [NoDispSettingsPage] 0
    HKU\S-1-5-20\...\Policies\Explorer: [NoFolderOptions] 0
    HKU\S-1-5-20\...\Policies\Explorer: [NoViewOnDrive] 0
    HKU\S-1-5-20\...\Policies\Explorer: [NoControlPanel] 0
    HKU\S-1-5-20\...\Policies\Explorer: [DisableLocalMachineRun] 0
    HKU\S-1-5-20\...\Policies\Explorer: [DisableLocalMachineRunOnce] 0
    HKU\S-1-5-20\...\Policies\Explorer: [DisableCurrentUserRun] 0
    HKU\S-1-5-20\...\Policies\Explorer: [DisableCurrentUserRunOnce] 0
    HKU\S-1-5-20\...\Policies\Explorer: [NoViewContextMenu] 0
    HKU\S-1-5-20\...\Policies\Explorer: [NoShellSearchButton] 0
    HKU\S-1-5-20\...\Policies\Explorer: [NoFind] 0
    HKU\S-1-5-20\...\Policies\Explorer: [NoFile] 0
    HKU\S-1-5-20\...\Policies\Explorer: [HideClock] 0
    HKU\S-1-5-20\...\Policies\Explorer: [NoTrayContextMenu] 0
    HKU\S-1-5-20\...\Policies\Explorer: [NoTrayItemsDisplay] 0
    HKU\S-1-5-20\...\Policies\Explorer: [NoSetFolders] 0
    HKU\S-1-5-20\...\Policies\Explorer: [NoDevMgrUpdate] 0
    HKU\S-1-5-20\...\Policies\Explorer: [NoSetTaskbar] 0
    HKU\S-1-5-20\...\Policies\Explorer: [NoDeletePrinter] 0
    HKU\S-1-5-20\...\Policies\Explorer: [NoDFSTab] 0
    HKU\S-1-5-20\...\Policies\Explorer: [NoChangeStartMenu] 0
    HKU\S-1-5-20\...\Policies\Explorer: [NoLogoff] 0
    HKU\S-1-5-20\...\Policies\Explorer: [NoWindowsUpdate] 0
    HKU\S-1-5-20\...\Policies\Explorer: [NoEncryptOnMove] 0
    HKU\S-1-5-20\...\Policies\Explorer: [NoRunasInstallPrompt] 0
    HKU\S-1-5-20\...\Policies\Explorer: [NoResolveSearch] 0
    HKU\S-1-5-20\...\Policies\Explorer: [NoSaveSettings] 0
    HKU\S-1-5-20\...\Policies\Explorer: [NoHardwareTab] 0
    HKU\S-1-5-20\...\Policies\Explorer: [NoStartMenuSubFolders] 0
    HKU\S-1-5-21-3470734023-2448777026-1016626207-1000\...\Policies\Explorer: [NoDesktopCleanupWizard] 1
    HKU\S-1-5-21-3470734023-2448777026-1016626207-1000\...\Policies\Explorer: [NoDevMgrUpdate] 0
    HKU\S-1-5-21-3470734023-2448777026-1016626207-1000\...\Policies\Explorer: [NoSetTaskbar] 0
    HKU\S-1-5-21-3470734023-2448777026-1016626207-1000\...\Policies\Explorer: [NoDeletePrinter] 0
    HKU\S-1-5-21-3470734023-2448777026-1016626207-1000\...\Policies\Explorer: [NoDFSTab] 0
    HKU\S-1-5-21-3470734023-2448777026-1016626207-1000\...\Policies\Explorer: [NoChangeStartMenu] 0
    HKU\S-1-5-21-3470734023-2448777026-1016626207-1000\...\Policies\Explorer: [NoEncryptOnMove] 0
    HKU\S-1-5-21-3470734023-2448777026-1016626207-1000\...\Policies\Explorer: [NoRunasInstallPrompt] 0
    HKU\S-1-5-21-3470734023-2448777026-1016626207-1000\...\Policies\Explorer: [NoResolveSearch] 0
    HKU\S-1-5-21-3470734023-2448777026-1016626207-1000\...\Policies\Explorer: [NoHardwareTab] 0
    HKU\S-1-5-21-3470734023-2448777026-1016626207-1000\...\Policies\Explorer: [NoStartMenuSubFolders] 0
    HKU\S-1-5-18\...\Policies\Explorer: [DisableLocalMachineRun] 0
    HKU\S-1-5-18\...\Policies\Explorer: [DisableLocalMachineRunOnce] 0
    HKU\S-1-5-18\...\Policies\Explorer: [DisableCurrentUserRun] 0
    HKU\S-1-5-18\...\Policies\Explorer: [DisableCurrentUserRunOnce] 0
    HKU\S-1-5-18\...\Policies\Explorer: [NoShellSearchButton] 0
    HKU\S-1-5-18\...\Policies\Explorer: [NoFile] 0
    HKU\S-1-5-18\...\Policies\Explorer: [HideClock] 0
    HKU\S-1-5-18\...\Policies\Explorer: [NoTrayItemsDisplay] 0
    HKU\S-1-5-18\...\Policies\Explorer: [NoSetFolders] 0
    HKU\S-1-5-18\...\Policies\Explorer: [NoDevMgrUpdate] 0
    HKU\S-1-5-18\...\Policies\Explorer: [NoSetTaskbar] 0
    HKU\S-1-5-18\...\Policies\Explorer: [NoDeletePrinter] 0
    HKU\S-1-5-18\...\Policies\Explorer: [NoDFSTab] 0
    HKU\S-1-5-18\...\Policies\Explorer: [NoChangeStartMenu] 0
    HKU\S-1-5-18\...\Policies\Explorer: [NoLogoff] 0
    HKU\S-1-5-18\...\Policies\Explorer: [NoEncryptOnMove] 0
    HKU\S-1-5-18\...\Policies\Explorer: [NoRunasInstallPrompt] 0
    HKU\S-1-5-18\...\Policies\Explorer: [NoResolveSearch] 0
    HKU\S-1-5-18\...\Policies\Explorer: [NoSaveSettings] 0
    HKU\S-1-5-18\...\Policies\Explorer: [NoHardwareTab] 0
    HKU\S-1-5-18\...\Policies\Explorer: [NoStartMenuSubFolders] 0
    SecurityProviders: msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll
    BootExecute: autocheck autochk * sdnclean64.exe
    ==================== Internet (Whitelisted) ====================
    (If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)
    HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION
    HKU\S-1-5-21-3470734023-2448777026-1016626207-1000\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION
    HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
    HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=msnhome
    HKU\S-1-5-21-3470734023-2448777026-1016626207-1000\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
    HKU\S-1-5-21-3470734023-2448777026-1016626207-1000\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.google.com/ie
    StartMenuInternet: IEXPLORE.EXE - C:\Program Files (x86)\Internet Explorer\iexplore.exe
    SearchScopes: HKLM -> {0092F4C5-6BC6-49E4-890E-6BBC75C8B2D7} URL = http://www.bing.com/search?q={searchTerms}&form=HPNTDF&pc=HPNTDF&src=IE-SearchBox
    SearchScopes: HKLM-x32 -> {0092F4C5-6BC6-49E4-890E-6BBC75C8B2D7} URL = http://www.bing.com/search?q={searchTerms}&form=HPNTDF&pc=HPNTDF&src=IE-SearchBox
    SearchScopes: HKU\.DEFAULT -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
    SearchScopes: HKU\S-1-5-19 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
    SearchScopes: HKU\S-1-5-20 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
    SearchScopes: HKU\S-1-5-21-3470734023-2448777026-1016626207-1000 -> {0092F4C5-6BC6-49E4-890E-6BBC75C8B2D7} URL =
    SearchScopes: HKU\S-1-5-21-3470734023-2448777026-1016626207-1000 -> {504B0534-B66A-4F76-A877-3812D958409A} URL =
    BHO: Windows Live ID Sign-in Helper -> {9030D464-4C02-4ABF-8ECC-5164760863C6} -> C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll (Microsoft Corp.)
    BHO: Office Document Cache Handler -> {B4F3A835-0E21-4959-BA22-42B3008E02FF} -> C:\Program Files\Microsoft Office\Office14\URLREDIR.DLL (Microsoft Corporation)
    BHO: No Name -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> No File
    BHO: HP Network Check Helper -> {E76FD755-C1BA-4DCB-9F13-99BD91223ADE} -> C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\Resources\HPNetworkCheck\HPNetworkCheckPluginx64.dll (Hewlett-Packard)
    BHO-x32: Java(tm) Plug-In SSV Helper -> {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -> C:\Program Files (x86)\Java\jre1.8.0_25\bin\ssv.dll (Oracle Corporation)
    BHO-x32: Windows Live ID Sign-in Helper -> {9030D464-4C02-4ABF-8ECC-5164760863C6} -> C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll (Microsoft Corp.)
    BHO-x32: Office Document Cache Handler -> {B4F3A835-0E21-4959-BA22-42B3008E02FF} -> C:\Program Files (x86)\Microsoft Office\Office14\URLREDIR.DLL (Microsoft Corporation)
    BHO-x32: Java(tm) Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files (x86)\Java\jre1.8.0_25\bin\jp2ssv.dll (Oracle Corporation)
    BHO-x32: HP Network Check Helper -> {E76FD755-C1BA-4DCB-9F13-99BD91223ADE} -> C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\Resources\HPNetworkCheck\HPNetworkCheckPlugin.dll (Hewlett-Packard)
    Toolbar: HKU\S-1-5-21-3470734023-2448777026-1016626207-1000 -> No Name - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
    DPF: HKLM-x32 {106E49CF-797A-11D2-81A2-00E02C015623} http://www.alternatiff.com/distribution/alternatiff-ax-w32-2.0.5.cab
    Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - No File
    Hosts: 127.0.0.1 localhost
    Tcpip\Parameters: [DhcpNameServer] 75.75.76.76 75.75.75.75
    FireFox:
    ========
    FF Plugin: @microsoft.com/GENUINE -> disabled No File
    FF Plugin: @Microsoft.com/NpCtrl,version=1.0 -> c:\Program Files\Microsoft Silverlight\5.1.30514.0\npctrl.dll ( Microsoft Corporation)
    FF Plugin: @microsoft.com/OfficeAuthz,version=14.0 -> C:\PROGRA~1\MICROS~2\Office14\NPAUTHZ.DLL (Microsoft Corporation)
    FF Plugin-x32: @adobe.com/ShockwavePlayer -> C:\Windows\SysWOW64\Adobe\Director\np32dsw.dll (Adobe Systems, Inc.)
    FF Plugin-x32: @java.com/DTPlugin,version=11.25.2 -> C:\Program Files (x86)\Java\jre1.8.0_25\bin\dtplugin\npDeployJava1.dll (Oracle Corporation)
    FF Plugin-x32: @java.com/JavaPlugin,version=11.25.2 -> C:\Program Files (x86)\Java\jre1.8.0_25\bin\plugin2\npjp2.dll (Oracle Corporation)
    FF Plugin-x32: @microsoft.com/GENUINE -> disabled No File
    FF Plugin-x32: @Microsoft.com/NpCtrl,version=1.0 -> c:\Program Files (x86)\Microsoft Silverlight\5.1.30514.0\npctrl.dll ( Microsoft Corporation)
    FF Plugin-x32: @microsoft.com/OfficeAuthz,version=14.0 -> C:\PROGRA~2\MICROS~4\Office14\NPAUTHZ.DLL (Microsoft Corporation)
    FF Plugin-x32: @microsoft.com/SharePoint,version=14.0 -> C:\PROGRA~2\MICROS~4\Office14\NPSPWRAP.DLL (Microsoft Corporation)
    FF Plugin-x32: @microsoft.com/WLPG,version=15.4.3502.0922 -> C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll No File
    FF Plugin-x32: @microsoft.com/WLPG,version=15.4.3508.1109 -> C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll No File
    FF Plugin-x32: @tools.google.com/Google Update;version=3 -> C:\Program Files (x86)\Google\Update\1.3.25.11\npGoogleUpdate3.dll (Google Inc.)
    FF Plugin-x32: @tools.google.com/Google Update;version=9 -> C:\Program Files (x86)\Google\Update\1.3.25.11\npGoogleUpdate3.dll (Google Inc.)
    FF Plugin-x32: Adobe Reader -> C:\Program Files (x86)\Adobe\Reader 11.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)
    ==================== Services (Whitelisted) =================
    (If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)
    R2 !SASCORE; C:\Program Files\SUPERAntiSpyware\SASCORE64.EXE [172344 2014-07-22] (SUPERAntiSpyware.com)
    R2 AdobeActiveFileMonitor13.0; C:\Program Files\Adobe\Elements 13 Organizer\PhotoshopElementsFileAgent.exe [231120 2014-08-31] (Adobe Systems Incorporated)
    R2 c2cautoupdatesvc; C:\Program Files (x86)\Skype\Toolbars\AutoUpdate\SkypeC2CAutoUpdateSvc.exe [1390176 2014-07-14] (Microsoft Corporation)
    R2 c2cpnrsvc; C:\Program Files (x86)\Skype\Toolbars\PNRSvc\SkypeC2CPNRSvc.exe [1767520 2014-07-14] (Microsoft Corporation)
    S3 FLEXnet Licensing Service; C:\Program Files (x86)\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe [651720 2012-09-12] (Macrovision Europe Ltd.) [File not signed]
    R2 HP LaserJet Service; C:\Program Files (x86)\HP\HPLaserJetService\HPLaserJetService.exe [145920 2010-10-25] (HP) [File not signed]
    R2 HP Support Assistant Service; C:\Program Files (x86)\Hewlett-Packard\HP Support Framework\hpsa_service.exe [92160 2013-11-04] (Hewlett-Packard Company) [File not signed]
    R2 HPSupportSolutionsFrameworkService; C:\Program Files (x86)\Hp\Common\HPSupportSolutionsFrameworkService.exe [89352 2014-09-15] (Hewlett-Packard Company)
    R2 Net Driver HPZ12; C:\Windows\system32\HPZinw12.dll [71680 2010-01-18] (Hewlett-Packard) [File not signed]
    R2 Pml Driver HPZ12; C:\Windows\system32\HPZipm12.dll [89600 2010-01-18] (Hewlett-Packard) [File not signed]
    R2 RichVideo; C:\Program Files (x86)\CyberLink\Shared files\RichVideo.exe [247152 2009-07-06] ()
    R2 RtVOsdService; C:\Program Files\Realtek\RtVOsd\RtVOsdService.exe [315392 2010-06-24] (Realtek Semiconductor Corp.) [File not signed]
    R2 WinDefend; C:\Program Files\Windows Defender\mpsvc.dll [1011712 2013-05-27] (Microsoft Corporation)
    ==================== Drivers (Whitelisted) ====================
    (If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)
    U5 AppMgmt; C:\Windows\system32\svchost.exe [27136 2009-07-13] (Microsoft Corporation)
    R0 PxHlpa64; C:\Windows\System32\Drivers\PxHlpa64.sys [56336 2013-09-03] (Corel Corporation)
    S3 RSUSBSTOR; C:\Windows\SysWOW64\Drivers\RtsUStor.sys [225280 2009-09-22] (Realtek Semiconductor Corp.)
    R1 SASDIFSV; C:\Program Files\SUPERAntiSpyware\SASDIFSV64.SYS [14928 2011-07-22] (SUPERAdBlocker.com and SUPERAntiSpyware.com)
    R1 SASKUTIL; C:\Program Files\SUPERAntiSpyware\SASKUTIL64.SYS [12368 2011-07-12] (SUPERAdBlocker.com and SUPERAntiSpyware.com)
    S3 SWNC8U12; C:\Windows\System32\DRIVERS\swnc8u12.sys [280064 2009-07-22] (Sierra Wireless Inc.)
    S3 swumx12; C:\Windows\System32\DRIVERS\swumx12.sys [199552 2009-07-22] (Sierra Wireless Inc.)
    U3 TrueSight; C:\Windows\System32\drivers\TrueSight.sys [37624 2014-12-28] ()
    S3 USBAAPL64; C:\Windows\System32\Drivers\usbaapl64.sys [52736 2012-07-09] (Apple, Inc.) [File not signed]
    S3 catchme; \??\C:\ComboFix\catchme.sys [X]
    S3 cpuz134; \??\C:\Users\Owner\AppData\Local\Temp\cpuz134\cpuz134_x64.sys [X]
    U4 eabfiltr; No ImagePath
    S3 SWUMX20; system32\DRIVERS\swumx20.sys [X]
    ==================== NetSvcs (Whitelisted) ===================
    (If an item is included in the fixlist, it will be removed from the registry. Any associated file could be listed separately to be moved.)

    ==================== One Month Created Files and Folders ========
    (If an entry is included in the fixlist, the file\folder will be moved.)
    2015-01-27 22:00 - 2015-01-27 22:05 - 00021337 _____ () C:\Users\Owner\Desktop\FRST.txt
    2015-01-27 21:59 - 2015-01-27 22:00 - 00000000 ____D () C:\FRST
    2015-01-27 21:58 - 2015-01-27 21:58 - 02129920 _____ (Farbar) C:\Users\Owner\Desktop\FRST64.exe
    2015-01-27 21:42 - 2015-01-27 21:56 - 00000112 _____ () C:\Windows\setupact.log
    2015-01-27 21:42 - 2015-01-27 21:42 - 00000000 _____ () C:\Windows\setuperr.log
    2015-01-26 22:35 - 2015-01-26 22:35 - 20447072 _____ (Malwarebytes Corporation ) C:\Users\Owner\Downloads\mb-setup-2.0.4.1028.exe
    2015-01-18 22:01 - 2015-01-18 22:03 - 00000000 ____D () C:\1e09e516c863d9600d576547cfd9a6
    2015-01-18 20:41 - 2015-01-19 13:26 - 00013153 _____ () C:\Users\Owner\Desktop\Zawacki calcs 20150118.xlsx
    2015-01-18 14:59 - 2014-12-18 22:06 - 00210432 _____ (Microsoft Corporation) C:\Windows\system32\profsvc.dll
    2015-01-18 14:59 - 2014-12-18 20:46 - 00141312 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\mrxdav.sys
    2015-01-18 14:59 - 2014-12-11 12:47 - 00052736 _____ (Microsoft Corporation) C:\Windows\system32\TSWbPrxy.exe
    2015-01-18 14:59 - 2014-12-05 23:17 - 00303616 _____ (Microsoft Corporation) C:\Windows\system32\nlasvc.dll
    2015-01-18 14:59 - 2014-12-05 22:50 - 00156672 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ncsi.dll
    2015-01-18 14:59 - 2014-12-05 22:50 - 00052224 _____ (Microsoft Corporation) C:\Windows\SysWOW64\nlaapi.dll
    2015-01-18 14:58 - 2014-12-12 00:35 - 05553592 _____ (Microsoft Corporation) C:\Windows\system32\ntoskrnl.exe
    2015-01-18 14:58 - 2014-12-12 00:31 - 00503808 _____ (Microsoft Corporation) C:\Windows\system32\srcore.dll
    2015-01-18 14:58 - 2014-12-12 00:31 - 00296960 _____ (Microsoft Corporation) C:\Windows\system32\rstrui.exe
    2015-01-18 14:58 - 2014-12-12 00:31 - 00050176 _____ (Microsoft Corporation) C:\Windows\system32\srclient.dll
    2015-01-18 14:58 - 2014-12-12 00:11 - 03971512 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ntkrnlpa.exe
    2015-01-18 14:58 - 2014-12-12 00:11 - 03916728 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ntoskrnl.exe
    2015-01-18 14:58 - 2014-12-12 00:07 - 00043008 _____ (Microsoft Corporation) C:\Windows\SysWOW64\srclient.dll
    2014-12-29 20:59 - 2009-10-21 02:29 - 03025909 _____ () C:\Windows6.1-KB976417-x64.msu
    2014-12-29 20:58 - 2014-12-29 20:58 - 00000000 _____ () C:\Users\Owner\Desktop\342045d1417580567-two-explorer-exe-one-taking-all-my-rams-memory-uvk-fix-list.uvk.wa4pyx2.partial
    2014-12-29 20:51 - 2014-12-29 20:51 - 00001820 _____ () C:\Users\Public\Desktop\UVK - Ultra Virus Killer.lnk
    2014-12-29 20:51 - 2014-12-29 20:51 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\UVK - Ultra Virus Killer
    2014-12-29 20:51 - 2014-12-29 20:51 - 00000000 ____D () C:\Program Files\UVK - Ultra Virus Killer
    2014-12-29 20:34 - 2015-01-27 22:05 - 00745712 _____ () C:\Windows\WindowsUpdate.log
    2014-12-28 21:28 - 2014-12-28 21:28 - 00006750 _____ () C:\Users\Owner\Desktop\startup.txt
    2014-12-28 21:23 - 2014-12-28 21:23 - 00000288 _____ () C:\Users\Owner\Documents\cc_20141228_212253.reg
    2014-12-28 21:23 - 2014-12-28 21:23 - 00000180 _____ () C:\Users\Owner\Documents\cc_20141228_212315.reg
    2014-12-28 21:22 - 2014-12-28 21:22 - 00020198 _____ () C:\Users\Owner\Documents\cc_20141228_212218.reg
    2014-12-28 21:08 - 2014-12-28 21:08 - 02173952 _____ () C:\Users\Owner\Desktop\adwcleaner_4.106.exe
    2014-12-28 20:08 - 2014-12-28 21:10 - 00000000 ____D () C:\AdwCleaner
    2014-12-28 19:55 - 2014-12-28 19:55 - 00000000 ____D () C:\Users\Owner\Documents\ProcessExplorer
    2014-12-28 19:06 - 2014-12-28 19:06 - 00028089 _____ () C:\ComboFix.txt
    2014-12-28 18:23 - 2014-12-28 18:23 - 00000000 ____D () C:\Users\Owner\AppData\Roaming\SUPERAntiSpyware.com
    2014-12-28 18:23 - 2014-12-28 18:23 - 00000000 ____D () C:\ProgramData\SUPERAntiSpyware.com
    2014-12-28 18:23 - 2014-12-28 18:23 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\SUPERAntiSpyware
    2014-12-28 18:23 - 2014-12-28 18:23 - 00000000 ____D () C:\Program Files\SUPERAntiSpyware
    2014-12-28 18:22 - 2014-12-28 18:22 - 00000000 ____D () C:\ProgramData\Lavasoft
    2014-12-28 18:22 - 2014-12-28 18:22 - 00000000 ____D () C:\ProgramData\AVAST Software
    2014-12-28 17:48 - 2015-01-26 22:37 - 00129752 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\MBAMSwissArmy.sys
    2014-12-28 17:47 - 2015-01-26 22:37 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Malwarebytes Anti-Malware
    2014-12-28 17:47 - 2015-01-26 22:37 - 00000000 ____D () C:\Program Files (x86)\Malwarebytes Anti-Malware
    2014-12-28 17:47 - 2014-11-21 06:14 - 00093400 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mbamchameleon.sys
    2014-12-28 17:47 - 2014-11-21 06:14 - 00063704 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\mwac.sys
    2014-12-28 17:30 - 2014-12-28 17:36 - 00000000 ____D () C:\ProgramData\HitmanPro
    2014-12-28 17:24 - 2014-12-28 17:26 - 00000000 ____D () C:\ProgramData\Spybot - Search & Destroy
    2014-12-28 17:24 - 2014-12-28 17:26 - 00000000 ____D () C:\Program Files (x86)\Spybot - Search & Destroy 2
    2014-12-28 17:21 - 2014-12-28 17:21 - 00000000 ____D () C:\TDSSKiller_Quarantine
    2014-12-28 16:40 - 2014-12-28 16:40 - 00000000 ____D () C:\Windows\pss
    2014-12-28 13:51 - 2011-06-26 01:45 - 00256000 _____ () C:\Windows\PEV.exe
    2014-12-28 13:51 - 2010-11-07 12:20 - 00208896 _____ () C:\Windows\MBR.exe
    2014-12-28 13:51 - 2009-04-19 23:56 - 00060416 _____ (NirSoft) C:\Windows\NIRCMD.exe
    2014-12-28 13:51 - 2000-08-30 19:00 - 00518144 _____ (SteelWerX) C:\Windows\SWREG.exe
    2014-12-28 13:51 - 2000-08-30 19:00 - 00406528 _____ (SteelWerX) C:\Windows\SWSC.exe
    2014-12-28 13:51 - 2000-08-30 19:00 - 00098816 _____ () C:\Windows\sed.exe
    2014-12-28 13:51 - 2000-08-30 19:00 - 00080412 _____ () C:\Windows\grep.exe
    2014-12-28 13:51 - 2000-08-30 19:00 - 00068096 _____ () C:\Windows\zip.exe
    2014-12-28 13:34 - 2014-12-28 19:06 - 00000000 ____D () C:\Qoobox
    2014-12-28 13:34 - 2014-12-28 14:07 - 00000000 ____D () C:\Windows\erdnt
    ==================== One Month Modified Files and Folders =======
    (If an entry is included in the fixlist, the file\folder will be moved.)
    2015-01-27 22:04 - 2009-07-13 23:45 - 00026192 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
    2015-01-27 22:04 - 2009-07-13 23:45 - 00026192 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
    2015-01-27 21:56 - 2014-12-26 10:04 - 00000000 ___HD () C:\ProgramData\{9A88E103-A20A-4EA5-8636-C73B709A5BF8}
    2015-01-27 21:56 - 2012-02-07 08:25 - 00000894 _____ () C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
    2015-01-27 21:56 - 2009-07-14 00:08 - 00000006 ____H () C:\Windows\Tasks\SA.DAT
    2015-01-27 21:45 - 2012-12-19 03:42 - 00003926 _____ () C:\Windows\System32\Tasks\User_Feed_Synchronization-{42DA4E33-5134-4AEB-8FEB-E5B35D6F1832}
    2015-01-26 21:55 - 2012-02-07 08:25 - 00000898 _____ () C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
    2015-01-26 20:51 - 2014-02-07 10:13 - 00003186 _____ () C:\Windows\System32\Tasks\HPCeeScheduleForOwner
    2015-01-26 20:51 - 2014-02-07 10:13 - 00000332 _____ () C:\Windows\Tasks\HPCeeScheduleForOwner.job
    2015-01-22 21:58 - 2012-09-19 20:42 - 00000000 ____D () C:\Users\Owner\Documents\Outlook Files
    2015-01-20 22:28 - 2014-09-29 20:45 - 00000000 ____D () C:\Users\Owner\AppData\Local\Adobe
    2015-01-18 22:10 - 2010-05-13 11:22 - 00810020 _____ () C:\Windows\SysWOW64\PerfStringBackup.INI
    2015-01-18 22:10 - 2009-07-14 00:13 - 00810020 _____ () C:\Windows\system32\PerfStringBackup.INI
    2015-01-18 21:50 - 2013-07-15 08:17 - 00000000 ____D () C:\Windows\system32\MRT
    2015-01-18 21:45 - 2010-05-10 17:20 - 113365784 _____ (Microsoft Corporation) C:\Windows\system32\MRT.exe
    2015-01-08 09:55 - 2010-05-10 16:51 - 00298120 ____N (Microsoft Corporation) C:\Windows\system32\MpSigStub.exe
    2015-01-04 18:59 - 2014-11-05 21:57 - 00701616 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe
    2015-01-04 18:59 - 2014-11-05 21:57 - 00071344 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl
    2014-12-29 20:31 - 2009-07-14 00:08 - 00032584 _____ () C:\Windows\Tasks\SCHEDLGU.TXT
    2014-12-28 19:04 - 2009-07-13 21:34 - 00000215 _____ () C:\Windows\system.ini
    2014-12-28 18:02 - 2014-12-13 14:49 - 00037624 _____ () C:\Windows\system32\Drivers\TrueSight.sys
    2014-12-28 17:47 - 2013-01-15 20:02 - 00000000 ____D () C:\Users\Owner\AppData\Roaming\Malwarebytes
    2014-12-28 17:47 - 2013-01-15 20:01 - 00000000 ____D () C:\ProgramData\Malwarebytes
    2014-12-28 14:08 - 2009-07-13 22:20 - 00000000 __RHD () C:\Users\Default
    2014-12-28 14:01 - 2009-07-13 21:34 - 89653248 _____ () C:\Windows\system32\config\SOFTWARE.bak
    2014-12-28 14:01 - 2009-07-13 21:34 - 50855936 _____ () C:\Windows\system32\config\COMPONENTS.bak
    2014-12-28 14:01 - 2009-07-13 21:34 - 19398656 _____ () C:\Windows\system32\config\SYSTEM.bak
    2014-12-28 14:01 - 2009-07-13 21:34 - 01048576 _____ () C:\Windows\system32\config\DEFAULT.bak
    2014-12-28 14:01 - 2009-07-13 21:34 - 00262144 _____ () C:\Windows\system32\config\SECURITY.bak
    2014-12-28 14:01 - 2009-07-13 21:34 - 00262144 _____ () C:\Windows\system32\config\SAM.bak
    2014-12-28 14:00 - 2010-05-10 10:16 - 00000000 ____D () C:\Users\Owner
    2014-12-28 13:45 - 2014-11-08 01:39 - 00000000 ____D () C:\ProgramData\MFAData
    2014-12-28 13:44 - 2014-11-08 01:38 - 00000000 ____D () C:\ProgramData\Avg
    2014-12-28 13:44 - 2014-11-08 01:37 - 00000000 ____D () C:\Users\Owner\AppData\Local\AvgSetupLog
    ==================== Files in the root of some directories =======
    2011-07-22 16:57 - 2011-07-22 17:05 - 0000000 _____ () C:\Users\Owner\AppData\Roaming\bibstats
    2014-02-15 22:28 - 2014-02-15 22:28 - 0038442 _____ () C:\Users\Owner\AppData\Roaming\Comma Separated Values (DOS).ADR
    2013-01-28 14:31 - 2013-01-28 14:31 - 0038456 _____ () C:\Users\Owner\AppData\Roaming\Comma Separated Values (Windows).ADR
    2011-02-26 18:29 - 2011-02-26 18:29 - 0001854 _____ () C:\Users\Owner\AppData\Roaming\GhostObjGAFix.xml
    2012-02-07 15:15 - 2014-12-02 21:30 - 0000614 _____ () C:\Users\Owner\AppData\Roaming\wklnhst.dat
    2010-05-10 10:26 - 2010-05-10 10:26 - 0000000 _____ () C:\Users\Owner\AppData\Local\AtStart.txt
    2010-05-10 10:26 - 2010-05-10 10:26 - 0000000 _____ () C:\Users\Owner\AppData\Local\DSwitch.txt
    2010-05-10 10:26 - 2010-05-10 10:26 - 0000000 _____ () C:\Users\Owner\AppData\Local\QSwitch.txt
    2010-05-10 10:26 - 2015-01-27 21:56 - 0000190 _____ () C:\ProgramData\HPWALog.txt
    2010-02-11 04:32 - 2010-02-11 04:32 - 0000032 _____ () C:\ProgramData\{051B9612-4D82-42AC-8C63-CD2DCEDC1CB3}.log
    2010-01-20 14:54 - 2010-01-20 14:55 - 0000109 _____ () C:\ProgramData\{1FBF6C24-C1FD-4101-A42B-0C564F9E8E79}.log
    2010-02-11 04:32 - 2010-02-11 04:32 - 0000032 _____ () C:\ProgramData\{23F3DA62-2D9E-4A69-B8D5-BE8E9E148092}.log
    2010-01-20 14:51 - 2010-01-20 14:52 - 0000105 _____ () C:\ProgramData\{40BF1E83-20EB-11D8-97C5-0009C5020658}.log
    2010-02-11 04:31 - 2010-02-11 04:31 - 0000032 _____ () C:\ProgramData\{4FC670EB-5F02-4B07-90DB-022B86BFEFD0}.log
    2010-02-11 04:32 - 2010-02-11 04:32 - 0000032 _____ () C:\ProgramData\{9867824A-C86D-4A83-8F3C-E7A86BE0AFD3}.log
    2010-01-20 14:50 - 2010-01-20 14:51 - 0000107 _____ () C:\ProgramData\{C59C179C-668D-49A9-B6EA-0121CCFC1243}.log
    2010-01-20 14:52 - 2010-01-20 14:54 - 0000110 _____ () C:\ProgramData\{CB099890-1D5F-11D5-9EA9-0050BAE317E1}.log
    2010-02-11 04:32 - 2010-02-11 04:32 - 0000105 _____ () C:\ProgramData\{d36dd326-7280-11d8-97c8-000129760cbe}.log
    ==================== Bamital & volsnap Check =================
    (There is no automatic fix for files that do not pass verification.)
    C:\Windows\System32\winlogon.exe => File is digitally signed
    C:\Windows\System32\wininit.exe => File is digitally signed
    C:\Windows\SysWOW64\wininit.exe => File is digitally signed
    C:\Windows\explorer.exe => File is digitally signed
    C:\Windows\SysWOW64\explorer.exe => File is digitally signed
    C:\Windows\System32\svchost.exe => File is digitally signed
    C:\Windows\SysWOW64\svchost.exe => File is digitally signed
    C:\Windows\System32\services.exe => File is digitally signed
    C:\Windows\System32\User32.dll => File is digitally signed
    C:\Windows\SysWOW64\User32.dll => File is digitally signed
    C:\Windows\System32\userinit.exe => File is digitally signed
    C:\Windows\SysWOW64\userinit.exe => File is digitally signed
    C:\Windows\System32\rpcss.dll => File is digitally signed
    C:\Windows\System32\Drivers\volsnap.sys => File is digitally signed

    LastRegBack: 2014-12-22 14:59
    ==================== End Of Log ============================
     

    Attached Files:

  4. JSntgRvr

    JSntgRvr Retired Moderator and Malware Specialist

    Joined:
    Jul 1, 2003
    Messages:
    18,552
    First Name:
    José
    Let's check the file system first. Enter the System Recovery Options from the Advanced Boot Options:
    • Restart the computer.
    • As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
    • Use the arrow keys to select the Repair your computer menu item.
    • Select US as the keyboard language settings, and then click Next.
    • Select the operating system you want to repair, and then click Next.
    • Select your user account and click Next.
    • Note: In case you cannot enter System Recovery Options by using the F8 method, you can use a Windows installation disc, or make a repair disc. Any Windows installation disc or a repair disc made on another computer can be used.
      To make a repair disc on Windows 7 consult: http://www.sevenforums.com/tutorials/2083-system-repair-disc-create.html

      To enter System Recovery Options by using a Windows installation disc:
    • Insert the installation disc.
    • Restart your computer.
    • If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
    • Click Repair your computer.
    • Select US as the keyboard language settings, and then click Next.
    • Select the operating system you want to repair, and then click Next.
    • Select your user account and click Next.
    • On the System Recovery Options menu you will get the following options:
    • Startup Repair
    • System Restore
    • Windows Complete PC Restore
    • Windows Memory Diagnostic Tool
    • Command Prompt
    • Select Command Prompt

      Once in the Command Prompt:

    • Type in the following and press Enter.

      bcdedit | find "osdevice"

    • Note the osdevice partition letter, then type:

      CHKDSK X: /R

    • Where X is the osdevice letter, and press Enter.
    • The tool will start to run.

    When finished, type exit and press Enter. Restart the computer.

    Let us know if that helps.
     
  5. jbzy

    jbzy Thread Starter

    Joined:
    Jan 26, 2015
    Messages:
    45
    Thanks for your help. I ran the "CHKDSK X: /R" process...took quite a while. My comp is still exhibiting same explorer.exe issue. What next?
     
  6. JSntgRvr

    JSntgRvr Retired Moderator and Malware Specialist

    Joined:
    Jul 1, 2003
    Messages:
    18,552
    First Name:
    José
    Any problems found with the index or file system?

    Let's try ComboFix.

    Please download the latest version of ComboFix from Here to your Desktop.

    **Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
    -----------------------------------------------------------
    1. Please, never rename Combofix unless instructed.
    2. Close any open browsers.
    3. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
      -----------------------------------------------------------
      • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
      • Click on this link or this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
      -----------------------------------------------------------
    4. Close any open browsers.
    5. WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
    6. Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
    7. If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
      • Double click on combofix.exe & follow the prompts.
      • Install the Recovery Console if prompted.
      • When finished, it will produce a report for you.
      • Please post the "C:\ComboFix.txt" .
      • **Note: Do not mouseclick combofix's window while it's running. That may cause it to stall**
    Note: ComboFix may reset a number of Internet Explorer's settings, including making it the default browser.
    Note: Combofix prevents autorun of ALL CDs, floppies and USB devices to assist with malware removal & increase security. Please do not install any new programs or update anything (always allow your antivirus/antispyware to update) unless told to do so while we are fixing your problem. If combofix alerts to a new version and offers to update, please let it. It is essential we always use the latest version.
     
  7. jbzy

    jbzy Thread Starter

    Joined:
    Jan 26, 2015
    Messages:
    45
    How would I determine "Any problems found with the index or file system?"?


    Ran Combofix. Attached "C:\ComboFix.txt".


    Received this error message while Combofix was running:
    "C:\Program Files\Internet Explorer\iexplorer.exe
    Illegal operation attempted on a registry key that has been marked for deletion."


    Noticed this error message when I noticed Combofix had finished running:
    "C:\Windows\system32\GfxUI.exe
    A device attached to the system is not functioning."
     

    Attached Files:

  8. JSntgRvr

    JSntgRvr Retired Moderator and Malware Specialist

    Joined:
    Jul 1, 2003
    Messages:
    18,552
    First Name:
    José
    CHKDSK would have indicated this when running.

    Is the computer set on a language other than English?

    Are you sure it is Explorer.exe using too much memory, or is it mscorsvw.exe? Press CTRL+ALT+Delete and bring up the Task Manager. Check which program is keeping the CPU high.

    Download the enclosed file. (see below) Save it in the same location Combofix is saved.


    Once saved, referring to the picture above, drag CFScript.txt into ComboFix.exe, and post back the resulting report.
     

    Attached Files:

  9. jbzy

    jbzy Thread Starter

    Joined:
    Jan 26, 2015
    Messages:
    45
    I didn't read the CHKDSK display because I wasn't told to do so. I ran it then restarted as instructed. Do you want me to do anything about that?

    Per Control Panel > Region and Language > Formats, my format is "English (United States)".

    I'm positive it's "explorer.exe" that's using the high memory. I always have one instance of "explorer.exe" listed in Task Manager, then a second one appears and steadily grows in memory usage until it's 1-3GB. When I highlight the offending process and click "End Process", it reappears and does the same thing. No instance of "mscorsvw.exe" appears in my Task Mgr. It was doing this every time I started the comp; the last 4 days or so it's hit-or-miss, happening only sometimes.


    Dragged CFScript.txt into ComboFix.exe. Resulting report attached.

     

    Attached Files:

  10. JSntgRvr

    JSntgRvr Retired Moderator and Malware Specialist

    Joined:
    Jul 1, 2003
    Messages:
    18,552
    First Name:
    José
    Download the enclosed file. (see below) Save it in the same location FRST is saved. Open FRST and click on the Fix button. Wait until finished. The tool will produce a log, fixlog.txt, in the same location FRST is saved. Please post its contents in a reply.

    • Run the ESET Online Scanner.
    • Hold down Control and click on this link to open ESET OnlineScan in a new window.
    • Click the ESET Online Scanner button.
    • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    • Click on esetsmartinstaller_enu.exe to download the ESET Smart Installer. Save it to your desktop.
    • Double click on the esetsmartinstaller_enu.exe icon on your desktop.
    • Check "YES, I accept the Terms of Use."
    • Click the Start button.
    • Accept any security warnings from your browser.
    • Under scan settings, check "Scan Archives" and "Remove found threats"
    • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
    • When the scan completes, click List Threats
    • Click Export, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
    • Click the Back button.
    • Click the Finish button.
    • NOTE: Sometimes if ESET finds no infections it will not create a log.
     

    Attached Files:

  11. jbzy

    jbzy Thread Starter

    Joined:
    Jan 26, 2015
    Messages:
    45
    FRST fixlog.txt attached.


    ESET kept hanging up. Would not complete. Tried 3 times. Last time, I left it going all night and all day but it stopped at 99%. It currently says:
    Target: E:\HELP_DECRYPT>PNG
    Files scanned: 297616
    Infected files: 5340
    Total scan time: 17:05:32 and counting.


    Threats found: Win32/Filecoder.CR trojan (repeated multiple times)
    Yesterday, at one point while scanning it also said it found "a variant of Win64/Kryptik.KB trojan".


    What do I do?
     

    Attached Files:

  12. JSntgRvr

    JSntgRvr Retired Moderator and Malware Specialist

    Joined:
    Jul 1, 2003
    Messages:
    18,552
    First Name:
    José
    This entry is part of a Ransom virus: E:\HELP_DECRYPT.PNG. Let's check your computer for these entries.

    Download the enclosed file. (see below) Save it in the same location FRST is saved. Open FRST and click on the Fix button. Wait until finished. The tool will produce a log, fixlog.txt, in the same location FRST is saved. Please post its contents in a reply.

    Please download Malwarebytes' Anti-Malware from Here.

    Double Click mbam-setup-2.0.exe to install the application. (The revision number may vary.)
    • Select the language and click OK.
    • Accept the agreement
    • Make sure a checkmark is placed next to Enable the Free Trial and Launch Malwarebytes' Anti-Malware, then click on Finish.
    • If an update is found, it will download and install the latest version.
    • Once the program has loaded, select "Scan Now".
    • The scan may take some time to finish, so please be patient.
    • When the scan is complete, click on Quarantine All.
    • When disinfection is completed, a dialog will open and you may be prompted to Restart. (See Extra Note)
    • Upon restart, launch Malwarebytes Antimalware and select History.
    • Double click on the last scan done, then on Copy to Clipboard.
    • Right click on your next reply and select Paste.
    • Submit your reply.

    Extra Note:

    If you already have Malwarebytes Anti-Malware, launch the application, update and perform a scan as above.

    If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.
     

    Attached Files:

  13. jbzy

    jbzy Thread Starter

    Joined:
    Jan 26, 2015
    Messages:
    45
    Malwarebytes Anti-Malware
    www.malwarebytes.org

    Protection, 2/3/2015 9:59:15 PM, SYSTEM, OWNER-PC, Protection, Malware Protection, Starting,
    Protection, 2/3/2015 9:59:15 PM, SYSTEM, OWNER-PC, Protection, Malware Protection, Started,
    Protection, 2/3/2015 9:59:15 PM, SYSTEM, OWNER-PC, Protection, Malicious Website Protection, Starting,
    Protection, 2/3/2015 9:59:17 PM, SYSTEM, OWNER-PC, Protection, Malicious Website Protection, Started,
    Update, 2/3/2015 9:59:32 PM, SYSTEM, OWNER-PC, Manual, Remediation Database, 2013.10.16.1, 2014.12.6.1,
    Update, 2/3/2015 9:59:32 PM, SYSTEM, OWNER-PC, Manual, Rootkit Database, 2014.11.18.1, 2015.2.3.1,
    Update, 2/3/2015 10:01:31 PM, SYSTEM, OWNER-PC, Manual, Malware Database, 2014.11.20.6, 2015.2.4.3,
    Protection, 2/3/2015 10:01:31 PM, SYSTEM, OWNER-PC, Protection, Refresh, Starting,
    Protection, 2/3/2015 10:01:31 PM, SYSTEM, OWNER-PC, Protection, Malicious Website Protection, Stopping,
    Protection, 2/3/2015 10:01:33 PM, SYSTEM, OWNER-PC, Protection, Malicious Website Protection, Stopped,
    Protection, 2/3/2015 10:01:40 PM, SYSTEM, OWNER-PC, Protection, Refresh, Success,
    Protection, 2/3/2015 10:01:40 PM, SYSTEM, OWNER-PC, Protection, Malicious Website Protection, Starting,
    Protection, 2/3/2015 10:01:40 PM, SYSTEM, OWNER-PC, Protection, Malicious Website Protection, Started,
    Detection, 2/3/2015 10:02:04 PM, Owner, OWNER-PC, Protection, Malware Protection, File, Trojan.FakeMS, C:\ProgramData\{9A88E103-A20A-4EA5-8636-C73B709A5BF8}\appmgr.dll, Quarantine Failed, 303, Queued for removal on reboot, [0d66fc1ed6b4c96d6f129b673dc5b14f]
    Detection, 2/3/2015 10:02:20 PM, SYSTEM, OWNER-PC, Protection, Malware Protection, File, Trojan.FakeMS, C:\ProgramData\{9A88E103-A20A-4EA5-8636-C73B709A5BF8}\appmgr.dll, Quarantine Failed, 303, Queued for removal on reboot, [0d66fc1ed6b4c96d6f129b673dc5b14f]
    Detection, 2/3/2015 10:02:32 PM, SYSTEM, OWNER-PC, Protection, Malware Protection, File, Trojan.FakeMS, C:\ProgramData\{9A88E103-A20A-4EA5-8636-C73B709A5BF8}\appmgr.dll, Quarantine Failed, 303, Queued for removal on reboot, [0d66fc1ed6b4c96d6f129b673dc5b14f]
    Detection, 2/3/2015 10:08:35 PM, SYSTEM, OWNER-PC, Protection, Malware Protection, File, Trojan.FakeMS, C:\ProgramData\{9A88E103-A20A-4EA5-8636-C73B709A5BF8}\appmgr.dll, Quarantine Failed, 303, Queued for removal on reboot, [0d66fc1ed6b4c96d6f129b673dc5b14f]
    Detection, 2/3/2015 10:17:36 PM, SYSTEM, OWNER-PC, Protection, Malware Protection, File, Trojan.FakeMS, C:\ProgramData\{9A88E103-A20A-4EA5-8636-C73B709A5BF8}\appmgr.dll, Quarantine Failed, 303, Queued for removal on reboot, [0d66fc1ed6b4c96d6f129b673dc5b14f]
    Detection, 2/3/2015 10:20:37 PM, SYSTEM, OWNER-PC, Protection, Malware Protection, File, Trojan.FakeMS, C:\ProgramData\{9A88E103-A20A-4EA5-8636-C73B709A5BF8}\appmgr.dll, Quarantine Failed, 303, Queued for removal on reboot, [0d66fc1ed6b4c96d6f129b673dc5b14f]
    Scan, 2/3/2015 10:22:09 PM, SYSTEM, OWNER-PC, Manual, Start:2/3/2015 10:02:00 PM, Duration:17 min 29 sec, Threat Scan, Completed, 6 Malware Detections, 0 Non-Malware Detections,
    Detection, 2/3/2015 10:22:27 PM, Owner, OWNER-PC, Protection, Malware Protection, File, Trojan.FakeMS, C:\ProgramData\{9A88E103-A20A-4EA5-8636-C73B709A5BF8}\appmgr.dll, Quarantine Failed, 303, Queued for removal on reboot, [7ff4d54594f62b0bf09119e9877b9967]
    Protection, 2/3/2015 10:24:42 PM, SYSTEM, OWNER-PC, Protection, Malware Protection, Starting,
    Protection, 2/3/2015 10:24:42 PM, SYSTEM, OWNER-PC, Protection, Malware Protection, Started,
    Protection, 2/3/2015 10:24:42 PM, SYSTEM, OWNER-PC, Protection, Malicious Website Protection, Starting,
    Protection, 2/3/2015 10:25:06 PM, SYSTEM, OWNER-PC, Protection, Malicious Website Protection, Started,
    (end)
     

    Attached Files:

  14. JSntgRvr

    JSntgRvr Retired Moderator and Malware Specialist

    Joined:
    Jul 1, 2003
    Messages:
    18,552
    First Name:
    José
    Download the enclosed file. (see below) Save it in the same location FRST is saved. Open FRST and click on the Fix button. Wait until finished. The tool will produce a log, fixlog.txt, in the same location FRST is saved. Please post its contents in a reply.
     

    Attached Files:

  15. jbzy

    jbzy Thread Starter

    Joined:
    Jan 26, 2015
    Messages:
    45
    Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 04-02-2015 01
    Ran by Owner at 2015-02-04 21:06:25 Run:3
    Running from C:\Users\Owner\Desktop
    Loaded Profiles: Owner & (Available profiles: Owner)
    Boot Mode: Normal
    ==============================================
    Content of fixlist:
    *****************
    Start
    C:\ProgramData\{9A88E103-A20A-4EA5-8636-C73B709A5BF8}\appmgr.dll
    C:\ProgramData\{9A88E103-A20A-4EA5-8636-C73B709A5BF8}\appmgr.dll
    End
    *****************
    "C:\ProgramData\{9A88E103-A20A-4EA5-8636-C73B709A5BF8}\appmgr.dll" => File/Directory not found.
    "C:\ProgramData\{9A88E103-A20A-4EA5-8636-C73B709A5BF8}\appmgr.dll" => File/Directory not found.
    ==== End of Fixlog 21:06:25 ====
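    As an added example (not code from the thread, nor from the Farbar or Malwarebytes tools), a small Python helper that turns the MBAM log posted above into an FRST fixlist of the kind shown in the fixlog, and reads the fixlog back to report which entries were resolved. The "Quarantine" sample line with its .tmp path, the "Moved successfully" result string and the function names are assumptions; the other log lines are taken from the thread.

```python
import re
from collections import OrderedDict

# Constructed sample in the MBAM 2.x log format from the thread. The third Detection
# line (Example.Constructed, constructed_sample.tmp) is made up so the filter has a
# successful quarantine to skip; the others are copied from the posted log.
MBAM_LOG = r"""Protection, 2/3/2015 9:59:15 PM, SYSTEM, OWNER-PC, Protection, Malware Protection, Started,
Detection, 2/3/2015 10:02:04 PM, Owner, OWNER-PC, Protection, Malware Protection, File, Trojan.FakeMS, C:\ProgramData\{9A88E103-A20A-4EA5-8636-C73B709A5BF8}\appmgr.dll, Quarantine Failed, 303, Queued for removal on reboot, [0d66fc1ed6b4c96d6f129b673dc5b14f]
Detection, 2/3/2015 10:08:35 PM, SYSTEM, OWNER-PC, Protection, Malware Protection, File, Trojan.FakeMS, C:\ProgramData\{9A88E103-A20A-4EA5-8636-C73B709A5BF8}\appmgr.dll, Quarantine Failed, 303, Queued for removal on reboot, [0d66fc1ed6b4c96d6f129b673dc5b14f]
Detection, 2/3/2015 10:09:00 PM, SYSTEM, OWNER-PC, Manual, Threat Scan, File, Example.Constructed, C:\Users\Owner\AppData\Local\Temp\constructed_sample.tmp, Quarantine, [constructed]
Scan, 2/3/2015 10:22:09 PM, SYSTEM, OWNER-PC, Manual, Start:2/3/2015 10:02:00 PM, Duration:17 min 29 sec, Threat Scan, Completed, 6 Malware Detections, 0 Non-Malware Detections,
"""

# Constructed FRST fixlog, trimmed from the one posted in the thread.
FIXLOG = r"""Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 04-02-2015 01
Content of fixlist:
*****************
Start
C:\ProgramData\{9A88E103-A20A-4EA5-8636-C73B709A5BF8}\appmgr.dll
End
*****************
"C:\ProgramData\{9A88E103-A20A-4EA5-8636-C73B709A5BF8}\appmgr.dll" => File/Directory not found.
==== End of Fixlog 21:06:25 ====
"""


def parse_detections(log_text):
    """Return one dict per 'Detection' record (timestamp, object type, threat, path, action)."""
    records = []
    for line in log_text.splitlines():
        fields = [f.strip() for f in line.split(", ")]
        # Protection/Update/Scan records carry no file path, so only Detection lines count.
        if len(fields) < 10 or fields[0] != "Detection":
            continue
        records.append({"timestamp": fields[1], "object": fields[6],
                        "threat": fields[7], "path": fields[8], "action": fields[9]})
    return records


def failed_quarantines(records):
    """Unique (path, threat) pairs MBAM could not quarantine, in first-seen order.
    These are the entries a helper would hand to FRST, as happened in the thread."""
    seen = OrderedDict()
    for r in records:
        if r["action"].lower().startswith("quarantine failed"):
            seen.setdefault(r["path"], r["threat"])
    return list(seen.items())


def build_fixlist(paths):
    """Render an FRST fixlist: one path per line between Start and End."""
    return "\n".join(["Start", *paths, "End"]) + "\n"


# FRST reports each fixlist path as: "<path>" => <result>.
FIXLOG_LINE = re.compile(r'^"(?P<path>.+?)" => (?P<result>.+?)\.?$')


def parse_fixlog(fixlog_text):
    """Map each path FRST acted on to its result text, without the trailing period."""
    results = {}
    for line in fixlog_text.splitlines():
        m = FIXLOG_LINE.match(line.strip())
        if m:
            results[m.group("path")] = m.group("result")
    return results


def unresolved(fixlog_results):
    """Paths whose result is neither gone-on-reboot nor moved (the 'Moved successfully'
    wording is an assumption about FRST output, not taken from the thread)."""
    gone = ("File/Directory not found", "Moved successfully")
    return sorted(p for p, res in fixlog_results.items() if not res.startswith(gone))
```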
     