High RAM usage.

DMGrier

VIP Member
So my wife's friend gave me her computer to take a look at it, as she says it "locks up", and I was guessing she means freezes. The memory usage gets as high as 3 GB with nothing open. I ran Avast and found no infections. I ran Malwarebytes and it found 51 infections; I would post the log, but Malwarebytes would crash every time I would tell it to put the information to a text file. I removed the 51 infections and still no change. Any ideas?
 

johnb35

Administrator
Staff member
Boot to safe mode and then see if you can get the log. What operating system does it have? Assume it's still infected.
 

Geoff

VIP Member
It may be a simple case of having lots of software, add-ons, etc. installed. Many people just click agree when they install software, not knowing it's also installing trial software, toolbar add-ons, etc. that run on startup.
 

DMGrier

VIP Member
Boot to safe mode and then see if you can get the log. What operating system does it have? Assume it's still infected.

Will give that a try.

WRX,
I have already checked installed software and what is set to start at boot.
 

DMGrier

VIP Member
Hey John,
Booted into safe mode and when I try to export to ".txt" Malwarebytes still crashes without exporting. On the flip side memory usage seems normal while in safe mode which is nice.

EDIT: The computer is running Windows 7 Home Premium 64 Bit.
 

DMGrier

VIP Member
That is what I am starting to think, though I need to talk to my wife's friend and see if she has all her licenses for Office and other software. Some people get so upset when you fresh install and they lose their software, even if it is to their benefit.
 

johnb35

Administrator
Staff member
Before you do something as drastic as reloading Windows, try running ComboFix and post the log. It may help to run it in safe mode.
 

radical24

New Member
I think that's just because the computer has a lot of useless programs running in the background. You could close them manually in the Processes tab in Task Manager.
 

DMGrier

VIP Member
Will post results here in a minute, John, as I am hoping to be able to do this without a reinstall.

radical24, if you read the thread in its entirety you will see that was already ruled out.
 

DMGrier

VIP Member
Okay John, I ran ComboFix in safe mode and here is the log. Thank you so much for your help.
ComboFix 14-05-10.01 - Bridgette 05/12/2014 8:43.1.4 - x64 MINIMAL
Running from: c:\users\Bridgette\Desktop\ComboFix.exe
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\programdata\PCDr\6426\AddOnDownloaded\073fb38f-0e69-479d-bca1-4f81ec9dcbf6.dll
c:\programdata\PCDr\6426\AddOnDownloaded\0bb0beb6-da93-477d-980d-15bb6e2df09c.dll
c:\programdata\PCDr\6426\AddOnDownloaded\1ad2478a-f061-4c93-bd0d-d1433323fd23.dll
c:\programdata\PCDr\6426\AddOnDownloaded\2a6b5d0b-a2fc-4bdd-b3fe-6bbefb85b7e4.dll
c:\programdata\PCDr\6426\AddOnDownloaded\2ff77179-a156-48e2-9210-92584330fa1e.dll
c:\programdata\PCDr\6426\AddOnDownloaded\434373b7-17f4-4a5e-9e8f-2c1bb65cd9e5.dll
c:\programdata\PCDr\6426\AddOnDownloaded\50441041-9037-4c34-842c-4a8523e700da.dll
c:\programdata\PCDr\6426\AddOnDownloaded\51fdf16e-ecb9-4fa4-8469-76fc9a22293b.dll
c:\programdata\PCDr\6426\AddOnDownloaded\538ed073-443d-4773-bf99-d9acbd2ae75f.dll
c:\programdata\PCDr\6426\AddOnDownloaded\59be3af2-87f2-4d3a-b380-7509f3d47c40.dll
c:\programdata\PCDr\6426\AddOnDownloaded\7bc69e73-3dda-484f-af68-bb19598a4b32.dll
c:\programdata\PCDr\6426\AddOnDownloaded\8745715d-dc8a-4b32-b6a6-89cd3d0cc3c5.dll
c:\programdata\PCDr\6426\AddOnDownloaded\9c07cc30-4011-4e36-a63d-e59077a22429.dll
c:\programdata\PCDr\6426\AddOnDownloaded\a4f460a6-e6cd-457f-931d-cb0fc7d56d03.dll
c:\programdata\PCDr\6426\AddOnDownloaded\ad817bdc-639c-43e8-b06b-897bcb5b8f23.dll
c:\programdata\PCDr\6426\AddOnDownloaded\aeffdb78-a789-4b6a-b2c2-f85f9b4863e6.dll
c:\programdata\PCDr\6426\AddOnDownloaded\bc1b45ef-7c18-4b8a-95cd-f77c43d4f7df.dll
c:\programdata\PCDr\6426\AddOnDownloaded\cce4ac4d-7353-4099-b347-95166f07f05e.dll
c:\programdata\PCDr\6426\AddOnDownloaded\cdf86821-bbfe-4586-8cae-bf998bb8d498.dll
c:\programdata\PCDr\6426\AddOnDownloaded\ceb70e67-87f1-40c5-86a3-c576ea0c4e8f.dll
c:\programdata\PCDr\6426\AddOnDownloaded\d114d5a6-2ec4-4056-a365-d6281d97c6b6.dll
c:\programdata\PCDr\6426\AddOnDownloaded\d48ca7e0-0e31-445b-a98c-56b7318daa06.dll
c:\programdata\PCDr\6426\AddOnDownloaded\e0db530c-27fc-4e55-af38-073796a09e9d.dll
c:\programdata\PCDr\6426\AddOnDownloaded\e5847967-7dc8-4833-8ca6-09af078c1bcb.dll
c:\programdata\PCDr\6426\AddOnDownloaded\f12de547-df4d-4236-9129-baac054f90ab.dll
c:\users\Public\invokesi.exe
c:\windows\iun6002.exe
c:\windows\wininit.ini
D:\install.exe
.
.
((((((((((((((((((((((((( Files Created from 2014-04-12 to 2014-05-12 )))))))))))))))))))))))))))))))
.
.
2014-05-12 14:21 . 2014-05-12 14:21 -------- d-----w- c:\users\Bridgette\AppData\Local\Max Secure Software
2014-05-12 14:21 . 2014-05-12 14:22 -------- d-----w- c:\users\Bridgette\AppData\Roaming\GetRightToGo
2014-05-12 05:13 . 2014-03-06 08:15 940032 ----a-w- c:\windows\system32\MsSpellCheckingFacility.exe
2014-05-12 03:42 . 2014-05-12 03:42 -------- d-----w- c:\users\Bridgette\AppData\Roaming\LavasoftStatistics
2014-05-12 03:21 . 2014-05-12 03:21 -------- d-----w- c:\programdata\Lavasoft
2014-05-11 18:53 . 2014-05-12 02:50 119512 ----a-w- c:\windows\system32\drivers\MBAMSwissArmy.sys
2014-05-11 18:52 . 2014-04-03 15:51 63192 ----a-w- c:\windows\system32\drivers\mwac.sys
2014-05-11 18:52 . 2014-04-03 15:51 88280 ----a-w- c:\windows\system32\drivers\mbamchameleon.sys
2014-05-11 18:52 . 2014-04-03 15:50 25816 ----a-w- c:\windows\system32\drivers\mbam.sys
2014-05-11 18:52 . 2014-05-11 18:52 -------- d-----w- c:\program files (x86)\Malwarebytes Anti-Malware
2014-05-11 18:52 . 2014-05-11 18:52 -------- d-----w- c:\programdata\Malwarebytes
2014-05-11 18:52 . 2014-05-11 18:52 -------- d-----w- c:\users\Bridgette\AppData\Local\Programs
2014-05-11 14:05 . 2014-05-11 20:03 -------- d-----w- c:\programdata\AVAST Software
2014-05-09 15:22 . 2014-05-09 15:22 -------- d-----w- c:\users\Bridgette\AppData\Roaming\com.warnerbros.DigitalCopyManager
2014-05-09 15:21 . 2014-05-09 15:21 -------- d-sh--w- c:\users\Bridgette\AppData\Local\EmieUserList
2014-05-09 15:21 . 2014-05-09 15:21 -------- d-sh--w- c:\users\Bridgette\AppData\Local\EmieSiteList
2014-05-09 10:58 . 2014-05-09 10:58 -------- d-s---w- c:\windows\system32\CompatTel
2014-05-09 10:35 . 2013-05-10 04:30 167424 ----a-w- c:\program files\Windows Media Player\wmplayer.exe
2014-05-09 10:35 . 2013-05-10 03:48 164864 ----a-w- c:\program files (x86)\Windows Media Player\wmplayer.exe
2014-05-09 10:35 . 2013-05-10 05:56 12625920 ----a-w- c:\windows\system32\wmploc.DLL
2014-05-09 10:35 . 2013-05-10 04:56 12625408 ----a-w- c:\windows\SysWow64\wmploc.DLL
2014-05-09 10:35 . 2013-05-10 05:56 14631424 ----a-w- c:\windows\system32\wmp.dll
2014-05-09 10:24 . 2014-05-09 10:24 -------- d-----w- c:\windows\Migration
2014-05-09 10:20 . 2013-10-15 00:00 28368 ----a-w- c:\windows\system32\IEUDINIT.EXE
2014-05-09 10:13 . 2014-05-09 10:13 97880 ----a-w- c:\program files (x86)\Internet Explorer\pdmproxy100.dll
2014-05-09 04:10 . 2013-10-30 02:32 335360 ----a-w- c:\windows\system32\msieftp.dll
2014-05-09 04:10 . 2013-10-30 02:19 301568 ----a-w- c:\windows\SysWow64\msieftp.dll
2014-05-09 04:10 . 2014-01-28 02:32 228864 ----a-w- c:\windows\system32\wwansvc.dll
2014-05-09 04:10 . 2013-11-23 18:26 417792 ----a-w- c:\windows\SysWow64\WMPhoto.dll
2014-05-09 04:10 . 2013-11-23 17:47 465920 ----a-w- c:\windows\system32\WMPhoto.dll
2014-05-09 04:10 . 2014-01-29 02:32 484864 ----a-w- c:\windows\system32\wer.dll
2014-05-09 04:10 . 2014-01-29 02:06 381440 ----a-w- c:\windows\SysWow64\wer.dll
2014-05-09 04:10 . 2013-10-19 02:18 81408 ----a-w- c:\windows\system32\imagehlp.dll
2014-05-09 04:10 . 2013-10-19 01:36 159232 ----a-w- c:\windows\SysWow64\imagehlp.dll
2014-05-09 04:10 . 2013-11-12 02:23 2048 ----a-w- c:\windows\system32\tzres.dll
2014-05-09 04:10 . 2013-11-12 02:07 2048 ----a-w- c:\windows\SysWow64\tzres.dll
2014-05-09 04:09 . 2013-12-06 02:30 1882112 ----a-w- c:\windows\system32\msxml3.dll
2014-05-09 04:09 . 2013-12-06 02:30 2048 ----a-w- c:\windows\system32\msxml3r.dll
2014-05-09 04:09 . 2013-12-06 02:02 2048 ----a-w- c:\windows\SysWow64\msxml3r.dll
2014-05-09 04:09 . 2013-12-06 02:02 1237504 ----a-w- c:\windows\SysWow64\msxml3.dll
2014-05-09 04:09 . 2014-04-14 02:24 465408 ----a-w- c:\windows\system32\aepdu.dll
2014-05-09 04:09 . 2014-04-14 02:19 424448 ----a-w- c:\windows\system32\aeinv.dll
2014-05-09 04:08 . 2013-10-04 02:16 116736 ----a-w- c:\windows\system32\drivers\drmk.sys
2014-05-09 04:08 . 2013-10-04 01:36 230400 ----a-w- c:\windows\system32\drivers\portcls.sys
2014-05-09 04:07 . 2014-02-07 01:23 3156480 ----a-w- c:\windows\system32\win32k.sys
2014-05-09 04:07 . 2013-12-04 02:16 658432 ----a-w- c:\windows\system32\RMActivate_isv.exe
2014-05-09 04:07 . 2013-12-04 02:16 626176 ----a-w- c:\windows\system32\RMActivate.exe
2014-05-09 04:05 . 2014-02-04 02:32 624128 ----a-w- c:\windows\system32\qedit.dll
2014-05-09 04:04 . 2013-10-12 02:32 150016 ----a-w- c:\windows\system32\wshom.ocx
2014-05-09 04:03 . 2013-09-28 01:09 497152 ----a-w- c:\windows\system32\drivers\afd.sys
2014-05-09 04:03 . 2013-08-05 02:25 155584 ----a-w- c:\windows\system32\drivers\ataport.sys
2014-05-09 04:03 . 2013-10-04 02:24 1930752 ----a-w- c:\windows\system32\authui.dll
2014-05-09 04:03 . 2013-10-04 01:56 1796096 ----a-w- c:\windows\SysWow64\authui.dll
2014-05-09 04:03 . 2013-10-04 02:28 190464 ----a-w- c:\windows\system32\SmartcardCredentialProvider.dll
2014-05-09 04:03 . 2013-10-04 02:25 197120 ----a-w- c:\windows\system32\credui.dll
2014-05-09 04:03 . 2013-10-04 01:58 152576 ----a-w- c:\windows\SysWow64\SmartcardCredentialProvider.dll
2014-05-09 04:03 . 2013-10-04 01:56 168960 ----a-w- c:\windows\SysWow64\credui.dll
2014-05-09 04:01 . 2013-08-02 00:59 112640 ----a-w- c:\windows\system32\smss.exe
2014-05-09 04:00 . 2013-09-08 02:27 327168 ----a-w- c:\windows\system32\mswsock.dll
2014-05-09 04:00 . 2013-09-08 02:03 231424 ----a-w- c:\windows\SysWow64\mswsock.dll
2014-05-09 04:00 . 2013-08-29 02:17 5549504 ----a-w- c:\windows\system32\ntoskrnl.exe
2014-05-09 04:00 . 2013-08-29 01:51 3969472 ----a-w- c:\windows\SysWow64\ntkrnlpa.exe
2014-05-09 04:00 . 2013-08-29 01:51 3914176 ----a-w- c:\windows\SysWow64\ntoskrnl.exe
2014-05-09 04:00 . 2013-08-29 02:16 1732032 ----a-w- c:\windows\system32\ntdll.dll
2014-05-09 04:00 . 2013-08-29 02:13 878080 ----a-w- c:\windows\system32\advapi32.dll
2014-05-09 04:00 . 2013-08-29 02:16 859648 ----a-w- c:\windows\system32\tdh.dll
2014-05-09 04:00 . 2013-08-29 01:50 619520 ----a-w- c:\windows\SysWow64\tdh.dll
2014-05-09 04:00 . 2013-08-29 01:50 1292192 ----a-w- c:\windows\SysWow64\ntdll.dll
2014-05-09 04:00 . 2013-08-29 01:48 640512 ----a-w- c:\windows\SysWow64\advapi32.dll
2014-05-09 03:59 . 2013-07-26 02:24 14172672 ----a-w- c:\windows\system32\shell32.dll
2014-05-09 03:59 . 2013-07-26 02:24 197120 ----a-w- c:\windows\system32\shdocvw.dll
2014-05-09 03:59 . 2013-10-03 02:23 404480 ----a-w- c:\windows\system32\gdi32.dll
2014-05-09 03:59 . 2013-10-03 02:00 311808 ----a-w- c:\windows\SysWow64\gdi32.dll
2014-05-09 03:58 . 2013-07-20 10:33 102608 ----a-w- c:\windows\SysWow64\PresentationCFFRasterizerNative_v0300.dll
2014-05-09 03:58 . 2013-07-20 10:33 124112 ----a-w- c:\windows\system32\PresentationCFFRasterizerNative_v0300.dll
2014-05-09 03:58 . 2013-08-01 12:09 983488 ----a-w- c:\windows\system32\drivers\dxgkrnl.sys
2014-05-09 03:58 . 2013-10-12 02:29 859648 ----a-w- c:\windows\system32\IKEEXT.DLL
2014-05-09 03:58 . 2013-10-12 02:30 830464 ----a-w- c:\windows\system32\nshwfp.dll
2014-05-09 03:58 . 2013-10-12 02:29 324096 ----a-w- c:\windows\system32\FWPUCLNT.DLL
2014-05-09 03:58 . 2013-10-12 02:01 216576 ----a-w- c:\windows\SysWow64\FWPUCLNT.DLL
2014-05-09 03:58 . 2013-10-12 02:03 656896 ----a-w- c:\windows\SysWow64\nshwfp.dll
2014-05-09 03:42 . 2013-08-28 01:12 461312 ----a-w- c:\windows\system32\scavengeui.dll
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2014-03-31 09:51 . 2010-03-30 00:26 90655440 ----a-w- c:\windows\system32\MRT.exe
2014-03-04 09:17 . 2014-05-09 04:05 44032 ----a-w- c:\windows\apppatch\acwow64.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"mcui_exe"="c:\program files\McAfee.com\Agent\mcagent.exe" [2013-01-15 1534504]
"dcmsvc"="c:\program files (x86)\dcmsvc\dcmsvc.exe" [2009-04-07 30440]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"{91120000-002F-0000-0000-0000000FF1CE}"="del" [X]
"{90120000-006E-0409-0000-0000000FF1CE}"="del" [X]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\drivers32]
"aux1"=wdmaud.drv
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MBAMSwissArmy]
@="Driver"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
R2 AERTFilters;Andrea RT Filters Service;c:\program files\Realtek\Audio\HDA\AERTSr64.exe;c:\program files\Realtek\Audio\HDA\AERTSr64.exe [x]
R2 BBUpdate;BBUpdate;c:\program files (x86)\Microsoft\BingBar\SeaPort.EXE;c:\program files (x86)\Microsoft\BingBar\SeaPort.EXE [x]
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [x]
R2 DockLoginService;Dock Login Service;c:\program files\Dell\DellDock\DockLogin.exe;c:\program files\Dell\DellDock\DockLogin.exe [x]
R2 McAfee SiteAdvisor Service;McAfee SiteAdvisor Service;c:\program files\Common Files\McAfee\McSvcHost\McSvHost.exe;c:\program files\Common Files\McAfee\McSvcHost\McSvHost.exe [x]
R2 McMPFSvc;McAfee Personal Firewall Service;c:\program files\Common Files\McAfee\McSvcHost\McSvHost.exe;c:\program files\Common Files\McAfee\McSvcHost\McSvHost.exe [x]
R2 McNaiAnn;McAfee VirusScan Announcer;c:\program files\Common Files\McAfee\McSvcHost\McSvHost.exe;c:\program files\Common Files\McAfee\McSvcHost\McSvHost.exe [x]
R2 mfefire;McAfee Firewall Core Service;c:\program files\Common Files\McAfee\SystemCore\\mfefire.exe;c:\program files\Common Files\McAfee\SystemCore\\mfefire.exe [x]
R2 mfevtp;McAfee Validation Trust Protection Service;c:\windows\system32\mfevtps.exe;c:\windows\SYSNATIVE\mfevtps.exe [x]
R3 BBSvc;Bing Bar Update Service;c:\program files (x86)\Microsoft\BingBar\BBSvc.EXE;c:\program files (x86)\Microsoft\BingBar\BBSvc.EXE [x]
R3 cfwids;McAfee Inc. cfwids;c:\windows\system32\drivers\cfwids.sys;c:\windows\SYSNATIVE\drivers\cfwids.sys [x]
R3 CtClsFlt;Creative Camera Class Upper Filter Driver;c:\windows\system32\DRIVERS\CtClsFlt.sys;c:\windows\SYSNATIVE\DRIVERS\CtClsFlt.sys [x]
R3 dc3d;MS Hardware Device Detection Driver (HID);c:\windows\system32\DRIVERS\dc3d.sys;c:\windows\SYSNATIVE\DRIVERS\dc3d.sys [x]
R3 GamesAppService;GamesAppService;c:\program files (x86)\WildTangent Games\App\GamesAppService.exe;c:\program files (x86)\WildTangent Games\App\GamesAppService.exe [x]
R3 HipShieldK;McAfee Inc. HipShieldK;c:\windows\system32\drivers\HipShieldK.sys;c:\windows\SYSNATIVE\drivers\HipShieldK.sys [x]
R3 IEEtwCollectorService;Internet Explorer ETW Collector Service;c:\windows\system32\IEEtwCollector.exe;c:\windows\SYSNATIVE\IEEtwCollector.exe [x]
R3 Impcd;Impcd;c:\windows\system32\DRIVERS\Impcd.sys;c:\windows\SYSNATIVE\DRIVERS\Impcd.sys [x]
R3 IntcDAud;Intel(R) Display Audio;c:\windows\system32\DRIVERS\IntcDAud.sys;c:\windows\SYSNATIVE\DRIVERS\IntcDAud.sys [x]
R3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\MBAMSwissArmy.sys;c:\windows\SYSNATIVE\drivers\MBAMSwissArmy.sys [x]
R3 mfefirek;McAfee Inc. mfefirek;c:\windows\system32\drivers\mfefirek.sys;c:\windows\SYSNATIVE\drivers\mfefirek.sys [x]
R3 mferkdet;McAfee Inc. mferkdet;c:\windows\system32\drivers\mferkdet.sys;c:\windows\SYSNATIVE\drivers\mferkdet.sys [x]
R3 RSUSBSTOR;RtsUStor.Sys Realtek USB Card Reader;c:\windows\system32\Drivers\RtsUStor.sys;c:\windows\SYSNATIVE\Drivers\RtsUStor.sys [x]
R3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt64win7.sys;c:\windows\SYSNATIVE\DRIVERS\Rt64win7.sys [x]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys;c:\windows\SYSNATIVE\drivers\tsusbflt.sys [x]
R3 USBAAPL64;Apple Mobile USB Driver;c:\windows\system32\Drivers\usbaapl64.sys;c:\windows\SYSNATIVE\Drivers\usbaapl64.sys [x]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe;c:\windows\SYSNATIVE\Wat\WatAdminSvc.exe [x]
R3 WSDScan;WSD Scan Support via UMB;c:\windows\system32\DRIVERS\WSDScan.sys;c:\windows\SYSNATIVE\DRIVERS\WSDScan.sys [x]
S0 McPvDrv;McPvDrv Driver;c:\windows\system32\drivers\McPvDrv.sys;c:\windows\SYSNATIVE\drivers\McPvDrv.sys [x]
S0 mfewfpk;McAfee Inc. mfewfpk;c:\windows\system32\drivers\mfewfpk.sys;c:\windows\SYSNATIVE\drivers\mfewfpk.sys [x]
S0 PxHlpa64;PxHlpa64;c:\windows\System32\Drivers\PxHlpa64.sys;c:\windows\SYSNATIVE\Drivers\PxHlpa64.sys [x]
S3 HECIx64;Intel(R) Management Engine Interface;c:\windows\system32\DRIVERS\HECIx64.sys;c:\windows\SYSNATIVE\DRIVERS\HECIx64.sys [x]
.
.
.
--------- X64 Entries -----------
.
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Apoint"="c:\program files\DellTPad\Apoint.exe" [2009-09-16 357376]
"RtHDVCpl"="c:\program files\Realtek\Audio\HDA\RAVCpl64.exe" [2009-10-09 8158240]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2009-11-04 166424]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2009-11-04 390168]
"Persistence"="c:\windows\system32\igfxpers.exe" [2009-11-04 408600]
"Broadcom Wireless Manager UI"="c:\program files\Dell\Dell Wireless WLAN Card\WLTRAY.exe" [2009-07-17 4968960]
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
uStart Page = hxxp://www.yahoo.com/?ilc=1
mLocal Page = c:\windows\SysWOW64\blank.htm
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~2\MIF5BA~1\Office12\EXCEL.EXE/3000
IE: Google Sidewiki... - c:\program files (x86)\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_7461B1589E8B4FB7.dll/cmsidewiki.html
TCP: DhcpNameServer = 192.168.1.1
.
- - - - ORPHANS REMOVED - - - -
.
Toolbar-Locked - (no file)
Wow6432Node-HKLM-Run-<NO NAME> - (no file)
HKLM_Wow6432Node-ActiveSetup-{2D46B6DC-2207-486B-B523-A557E6D54B47} - start
Toolbar-Locked - (no file)
ShellIconOverlayIdentifiers-{472083B0-C522-11CF-8763-00608CC02F24} - (no file)
.
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-3961125611-258355649-377235315-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.eml\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="WindowsLiveMail.Email.1"
.
[HKEY_USERS\S-1-5-21-3961125611-258355649-377235315-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.vcf\UserChoice]
@Denied: (2) (LocalSystem)
"Progid"="WindowsLiveMail.VCard.1"
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
Completion time: 2014-05-12 08:50:48
ComboFix-quarantined-files.txt 2014-05-12 14:50
.
Pre-Run: 15,442,546,688 bytes free
Post-Run: 15,864,406,016 bytes free
.
- - End Of File - - 825289787A2E4BD71D03A31BC8CEC6CA
A36C5E4F47E84449FF07ED3517B43A31


EDIT: Hey John, since I booted into safe mode and ran this scan I have gone back into regular Windows, but now when I try to go into the web browser it won't display pages even though it is connected to the web. Don't know if this gives any indication of anything.
 

johnb35

Administrator
Staff member
At work until later this afternoon. Can you run AdwCleaner and Junkware Removal Tool and post the logs? You can get the download links by reading the sticky in the security section.
 

DMGrier

VIP Member
Thanks John, here is the AdwCleaner log; I am running Junkware Removal Tool now. I right-clicked and am running it as administrator in safe mode; cmd opens and just has a blinking cursor. Does that mean it is scanning?
# AdwCleaner v3.208 - Report created 12/05/2014 at 15:35:45
# Updated 11/05/2014 by Xplode
# Operating System : Windows 7 Home Premium Service Pack 1 (64 bits)
# Username : Bridgette - BRIDGETTE-PC
# Running from : C:\Users\Bridgette\Desktop\AdwCleaner.exe
# Option : Scan

***** [ Services ] *****


***** [ Files / Folders ] *****

Folder Found : C:\ProgramData\Trymedia
Folder Found : C:\Users\Bridgette\AppData\Local\Max Secure Software
Folder Found : C:\Users\Bridgette\AppData\Roaming\iWin

***** [ Shortcuts ] *****


***** [ Registry ] *****

Key Found : HKCU\Software\AppDataLow\Software\adawarebp
Key Found : HKLM\SOFTWARE\Classes\Interface\{E3ED53C5-7AD5-4DF5-9734-AFB6E7E5D9DB}
Key Found : HKLM\Software\Trymedia Systems
Key Found : [x64] HKLM\SOFTWARE\Classes\Interface\{E3ED53C5-7AD5-4DF5-9734-AFB6E7E5D9DB}

***** [ Browsers ] *****

-\\ Internet Explorer v11.0.9600.17041


-\\ Google Chrome v

[ File : C:\Users\Bridgette\AppData\Local\Google\Chrome\User Data\Default\preferences ]


*************************

AdwCleaner[R0].txt - [1062 octets] - [12/05/2014 15:35:45]

########## EOF - C:\AdwCleaner\AdwCleaner[R0].txt - [1122 octets] ##########
 

johnb35

Administrator
Staff member
No, it's not running. You would get text in the black screen, and would have to press a key to get it to start scanning after the text comes up. OK, one more scan, and let's hope you have a rootkit running.

Please download and run TDSSKiller.

When the program opens, click on Change parameters, click on Detect TDLFS file system, click OK and then click on the Start scan button.

TDSSKiller will now scan your computer for the TDSS infection. When the scan has finished it will display a result screen stating whether or not the infection was found on your computer. If it was found, it will display a screen similar to the one below.

To remove the infections simply click on the Continue button and TDSSKiller will attempt to clean them or remove them.

After trying to clean them it will pop up with the results of the scan and its actions.

Please reboot the system if asked to do so.

After running, there will be a log located at the root of your c:\ drive labeled TDSSKiller with a series of numbers after it, for example C:\TDSSKiller.2.4.7_23.07.2010_15.31.43_log.txt

Please open the log and copy and paste it back here.
 

DMGrier

VIP Member
I cannot post the TDSSKiller log, as I am told it is too long by almost 3000 lines. When it finished it showed 0 infections, though. I was able to get the Junkware scanner running; I just had to be out of safe mode. Here is that one.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Junkware Removal Tool (JRT) by Thisisu
Version: 6.1.4 (04.06.2014:1)
OS: Windows 7 Home Premium x64
Ran by Bridgette on Mon 05/12/2014 at 16:13:25.50
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~




~~~ Services



~~~ Registry Values



~~~ Registry Keys



~~~ Files



~~~ Folders

Successfully deleted: [Folder] "C:\Users\Bridgette\AppData\Roaming\getrighttogo"
Successfully deleted: [Empty Folder] C:\Users\Bridgette\appdata\local\{4BCB40F9-BD7F-4D23-B536-C171DA6AC5E9}
Successfully deleted: [Empty Folder] C:\Users\Bridgette\appdata\local\{B103B701-C4BD-4231-85DF-DAE7CD4831D3}



~~~ Event Viewer Logs were cleared





~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan was completed on Mon 05/12/2014 at 16:21:52.74
End of JRT log
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Now when I open IE and try to navigate to a page, it says the action has been canceled. Still using well over 3 GB of memory, but I am not seeing anything in Task Manager using that many resources or even close. Any other ideas, John?
 

DMGrier

VIP Member
I don't know if this helps, but I went and looked at all processes from all users and I have a "wmpnetwk.exe" using roughly 1,500,000 KB. Its description is Windows Media Player Network Sharing Service.
 

johnb35

Administrator
Staff member
In the search box, type services.msc and hit Enter. When the Services box comes up, scroll down to Windows Media Player Sharing Service and disable it. Reboot and see what happens. I just have a feeling Windows will need to be reinstalled, with all the other issues going on.
 
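The two checks in the posts above (find the process holding the memory, then disable the Windows Media Player Network Sharing Service) done from an elevated PowerShell prompt instead of Task Manager and services.msc. This is an added example, not code from the thread or from any of the tools it mentions. It assumes the service's internal name is WMPNetworkSvc (services.msc shows only the display name) and it adds one check the thread does not have: the kernel pool counters, for the case where Task Manager shows no process accounting for the usage.

```powershell
# Added example (not from the thread). Run from an elevated PowerShell prompt
# so that processes of all users are visible, as in Task Manager's
# "Show processes from all users" view.

# 1) Ten largest processes by working set; a single hog such as wmpnetwk.exe
#    shows up at the top.
Get-Process |
    Sort-Object WorkingSet64 -Descending |
    Select-Object -First 10 Name, Id,
        @{ Name = 'WorkingSetMB'; Expression = { [math]::Round($_.WorkingSet64 / 1MB) } } |
    Format-Table -AutoSize

# 2) Memory that no process accounts for usually sits in kernel pool (drivers).
#    These are the "Kernel Memory" figures on Task Manager's Performance tab.
Get-Counter '\Memory\Pool Nonpaged Bytes', '\Memory\Pool Paged Bytes' |
    Select-Object -ExpandProperty CounterSamples |
    Select-Object Path, @{ Name = 'MB'; Expression = { [math]::Round($_.CookedValue / 1MB) } }

# 3) The Windows Media Player Network Sharing Service. Assumed service name:
#    WMPNetworkSvc (services.msc lists it by display name).
$name = 'WMPNetworkSvc'
$svc  = Get-Service -Name $name -ErrorAction SilentlyContinue
if ($svc) {
    # StartMode comes from WMI because Get-Service has no start type on PowerShell 2.0.
    $wmi = Get-WmiObject Win32_Service -Filter "Name='$name'"
    '{0}: status={1}, startup={2}' -f $svc.DisplayName, $svc.Status, $wmi.StartMode

    # Stop it now and keep it from starting at boot (services.msc -> Startup type: Disabled).
    Stop-Service -Name $name -Force -ErrorAction SilentlyContinue
    Set-Service  -Name $name -StartupType Disabled
    (Get-Service -Name $name).Status
}
else {
    "$name is not installed on this machine."
}

# 4) After a reboot, confirm the process is gone; no output means it is not running.
Get-Process -Name wmpnetwk -ErrorAction SilentlyContinue
```

If step 1 shows nothing large but the machine is still short of memory, step 2 is the figure to watch: pool usage is not attributed to any process in the Processes tab, so a leaking driver or filter looks exactly like the "3 GB used, nothing in Task Manager" situation described later in the thread.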

DMGrier

VIP Member
Hey John, thank you so much for all your help; I really do appreciate it. Yeah, I am just going to try and restore it from the restore partition. Just for my knowledge, are you still thinking infection, and is it possible for an infection to be hidden so well that no scanner can find it?
 

johnb35

Administrator
Staff member
I just wish I knew what Malwarebytes actually removed. That would give me some sort of clue as to what was going on. Did you disable the Media Player sharing service? Sometimes that does hog memory for some reason.
 

DMGrier

VIP Member
I did, but no change. I am clueless, and I wish I could pull that log, but Malwarebytes crashes every time I try to pull it. I talked to my wife's friend and she just wants a fresh install.
 