Jump to content


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.

Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.


explorer.exe uses full core pemanently, ntdll.dll!RtlValidateHeap+0x17

  • This topic is locked This topic is locked
7 replies to this topic

#1 geverl


  • Members
  • 4 posts
  • Local time:08:56 PM

Posted 26 October 2014 - 07:37 AM

I've moved http://www.bleepingcomputer.com/forums/t/553368/explorerexe-uses-full-core-pemanently-ntdlldllrtlvalidateheap0x17/ to here as I understand this is the more suitable place.


As soon as I open Windows Explorer, it uses a full core of my 4 core system. I'm running Windows 7 Pro 64 Bit. Process Hacker shows ntdll.dll!RtlValidateHeap+0x170 as start address for the thread that uses the processor resources. I've tried Process Monitor to find out what this thread is doing, but only the thread exit with success (after I've terminated it in Process Hacker) shows up in Process Monitor. A System Restore has brought no change. I can't find anything suspicious in Event Viewer. I've run full scans with Microsoft Security Essentials, Anti-Malware and Hitman Pro and removed everything they found, to no avail.

The problem also occurs with other programs, e.g. Notepad, as soon as the Windows file dialog is opened, although in that case it is not always ntdll.dll that seems to use the processor resources.

Here is the DDS.txt, Attach.txt is attached:

DDS (Ver_2012-11-20.01) - NTFS_AMD64
Internet Explorer: 11.0.9600.17344  BrowserJavaVersion: 11.25.2
Run by Asterix at 11:51:19 on 2014-10-26
Microsoft Windows 7 Professional   6.1.7601.1.1252.352.1033.18.8175.5467 [GMT 1:00]
AV: Microsoft Security Essentials *Enabled/Updated* {4F35CFC4-45A3-FC37-EF17-759A02E39AB1}
SP: Microsoft Security Essentials *Enabled/Updated* {F4542E20-6399-F3B9-D5A7-4EE87964D00C}
SP: Windows Defender *Disabled/Outdated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
============== Running Processes ===============
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
c:\Program Files\Microsoft Security Client\MsMpEng.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files (x86)\EMET 5.0\EMET_Service.exe
C:\Program Files (x86)\Gemalto\Classic Client\BIN\GslShmSrvc.exe
C:\Program Files (x86)\Common Files\Microsoft Shared\Phone Tools\CoreCon\11.0\bin\IpOverUsbSvc.exe
C:\Program Files (x86)\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Windows\system32\svchost.exe -k imgsvc
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\Program Files (x86)\EMET 5.0\EMET_Agent.exe
c:\Program Files\Microsoft Security Client\NisSrv.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe
C:\Program Files\Microsoft Security Client\msseces.exe
C:\Program Files\Hewlett-Packard\PrnStatusMX\PrnStatusMX.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\System32\svchost.exe -k LocalServicePeerNet
C:\Windows\system32\svchost.exe -k defragsvc
C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exe
C:\Program Files\Process Hacker 2\ProcessHacker.exe
C:\Program Files (x86)\Mozilla Thunderbird\thunderbird.exe
C:\Windows\system32\svchost.exe -k SDRSVC
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Program Files (x86)\Mozilla Firefox\firefox.exe
C:\Program Files (x86)\Mozilla Firefox\plugin-container.exe
============== Pseudo HJT Report ===============
uStart Page = about:blank
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - <orphaned>
BHO: Microsoft Web Test Recorder 12.0 Helper: {432dd630-7e03-4c97-9d62-b99f52df4fc2} - C:\Program Files (x86)\Microsoft Visual Studio 12.0\Common7\IDE\PrivateAssemblies\Microsoft.VisualStudio.QualityTools.RecorderBarBHO100.dll
BHO: Java™ Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre1.8.0_25\bin\ssv.dll
BHO: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
BHO: Office Document Cache Handler: {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\Program Files (x86)\Microsoft Office\Office14\URLREDIR.DLL
BHO: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre1.8.0_25\bin\jp2ssv.dll
BHO: Microsoft Web Test Recorder 10.0 Helper: {DDA57003-0068-4ed2-9D32-4D1EC707D94D} - c:\Program Files (x86)\Microsoft Visual Studio 10.0\Common7\IDE\PrivateAssemblies\Microsoft.VisualStudio.QualityTools.RecorderBarBHO100.dll
EB: Developer Tools: {1A6FE369-F28C-4AD9-A3E6-2BCB50807CF1} - C:\Program Files (x86)\Internet Explorer\iedvtool.dll
EB: Web Test Recorder 12.0: {46857999-9b7c-4895-9d22-81a4a2478868} -
EB: Web Test Recorder 10.0: {5802D092-1784-4908-8CDB-99B6842D353D} -
uRun: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
mRun: [IAStorIcon] C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorIcon.exe
mRun: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
uPolicies-Explorer: NoDrives = dword:0
mPolicies-Explorer: NoDrives = dword:0
mPolicies-System: ConsentPromptBehaviorAdmin = dword:5
mPolicies-System: ConsentPromptBehaviorUser = dword:3
mPolicies-System: EnableUIADesktopToggle = dword:0
mPolicies-System: PromptOnSecureDesktop = dword:0
IE: Add to Google Photos Screensa&ver - C:\Windows\System32\GPhotos.scr/200
IE: Append Link Target to Existing PDF - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: E&xport to Microsoft Excel - C:\Program Files\Microsoft Office 15\Root\Office15\EXCEL.EXE/3000
IE: Se&nd to OneNote - C:\Program Files\Microsoft Office 15\Root\Office15\ONBttnIE.dll/105
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - C:\Program Files (x86)\Windows Live\Writer\WriterBrowserExtension.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503}
DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/E/5/6/E5611B10-0D6D-4117-8430-A67417AA88CD/LegitCheckControl.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
TCP: NameServer =
TCP: Interfaces\{2C71A5FE-A69E-4D0E-9088-A3A3594F308A} : DHCPNameServer =
Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLMF.DLL
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files (x86)\MP3 Skype Recorder\Skype4COM.dll
Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - C:\Program Files (x86)\Windows Live\Photo Gallery\AlbumDownloadProtocolHandler.dll
SSODL: WebCheck - <orphaned>
IFEO: taskmgr.exe - "C:\Program Files\Process Hacker 2\ProcessHacker.exe"
x64-BHO: <No Name>: {31D09BA0-12F5-4CCE-BE8A-2923E76605DA} - LocalServer32 - <no file>
x64-BHO: Java™ Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.8.0_25\bin\ssv.dll
x64-BHO: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
x64-BHO: Office Document Cache Handler: {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\Program Files\Microsoft Office\Office14\URLREDIR.DLL
x64-BHO: <No Name>: {D0498E0A-45B7-42AE-A9AA-ABA463DBD3BF} - LocalServer32 - <no file>
x64-BHO: Java™ Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre1.8.0_25\bin\jp2ssv.dll
x64-Run: [RtHDVCpl] C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe -s
x64-Run: [MSC] "c:\Program Files\Microsoft Security Client\msseces.exe" -hide -runkey
x64-Run: [PrnStatusMX] C:\Program Files\Hewlett-Packard\PrnStatusMX\PrnStatusMX.exe
x64-Run: [CanonMyPrinter] C:\Program Files\Canon\MyPrinter\BJMyPrt.exe /logon
x64-Run: [CanonSolutionMenu] C:\Program Files (x86)\Canon\SolutionMenu\CNSLMAIN.exe /logon
x64-DPF: {CAFEEFAC-0017-0000-0004-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0_04-windows-i586.cab
x64-DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.7.0/jinstall-1_7_0_04-windows-i586.cab
x64-Filter: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE14\MSOXMLMF.DLL
x64-Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - <orphaned>
x64-Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - <orphaned>
x64-SSODL: WebCheck - <orphaned>
x64-IFEO: taskmgr.exe - "C:\Program Files\Process Hacker 2\ProcessHacker.exe"
================= FIREFOX ===================
FF - ProfilePath - C:\Users\Asterix\AppData\Roaming\Mozilla\Firefox\Profiles\qinseuba.default\
FF - prefs.js: browser.search.selectedEngine - Ixquick HTTPS - UK
FF - prefs.js: browser.startup.homepage - file:///C:/Users/Asterix/Documents/Software%20Engineering/HTML/HTML5/GEWeb1/index.html
FF - prefs.js: keyword.URL - hxxp://search.webwebweb.com/index.html?lang=en&zip=52499&town=&site=&country=LU&safe=&query=
FF - prefs.js: network.proxy.gopher -
FF - prefs.js: network.proxy.gopher_port - 0
FF - prefs.js: network.proxy.http - localhost
FF - prefs.js: network.proxy.http_port - 9666
FF - prefs.js: network.proxy.socks - localhost
FF - prefs.js: network.proxy.socks_port - 9050
FF - prefs.js: network.proxy.ssl - localhost
FF - prefs.js: network.proxy.ssl_port - 9666
FF - prefs.js: network.proxy.type - 0
FF - plugin: C:\PROGRA~2\MICROS~2\Office14\NPAUTHZ.DLL
FF - plugin: C:\PROGRA~2\MICROS~2\Office14\NPSPWRAP.DLL
FF - plugin: C:\Program Files (x86)\Adobe\Reader 11.0\Reader\AIR\nppdf32.dll
FF - plugin: C:\Program Files (x86)\Google\Google Earth\plugin\npgeplugin.dll
FF - plugin: C:\Program Files (x86)\Google\Picasa3\npPicasa3.dll
FF - plugin: C:\Program Files (x86)\Google\Update\\npGoogleUpdate3.dll
FF - plugin: C:\Program Files (x86)\Java\jre1.8.0_25\bin\dtplugin\npdeployJava1.dll
FF - plugin: C:\Program Files (x86)\Java\jre1.8.0_25\bin\plugin2\npjp2.dll
FF - plugin: c:\Program Files (x86)\Microsoft Silverlight\5.1.30514.0\npctrlui.dll
FF - plugin: C:\Program Files (x86)\Sony\Media Go\npmediago.dll
FF - plugin: C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll
FF - plugin: C:\Users\Asterix\AppData\Local\Citrix\Plugins\104\npappdetector.dll
FF - plugin: C:\Users\Asterix\AppData\Local\Facebook\Video\Skype\npFacebookVideoCalling.dll
FF - plugin: C:\Users\Asterix\AppData\Local\Google\Update\\npGoogleUpdate3.dll
FF - plugin: C:\Users\Asterix\AppData\Local\Turbulenz\Engine\\npengine.dll
FF - plugin: C:\Users\Asterix\AppData\Local\Turbulenz\Engine\\npturbulenz.dll
FF - plugin: C:\Windows\SysWOW64\Adobe\Director\np32dsw_1213153.dll
FF - plugin: C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_15_0_0_152.dll
FF - user.js: yahoo.ytff.general.dontshowhpoffer - true
============= SERVICES / DRIVERS ===============
R0 MpFilter;Microsoft Malware Protection Driver;C:\Windows\System32\drivers\MpFilter.sys [2014-7-17 269008]
R0 NCFilter;Novell UNC Filter - Filter;C:\Windows\System32\drivers\ncfilter.sys [2011-11-27 112216]
R0 NCRecognizer;Novell UNC Filter - Recognizer;C:\Windows\System32\drivers\ncrecognizer.sys [2011-11-27 119896]
R0 NCUncFilter;Novell UNC Filter - UNC Filter;C:\Windows\System32\drivers\ncuncfilter.sys [2011-11-27 26200]
R2 EMET_Service;Microsoft EMET Service;C:\Program Files (x86)\EMET 5.0\EMET_Service.exe [2014-7-30 31880]
R2 GslShmSrvc;GSL Share Memory;C:\Program Files (x86)\Gemalto\Classic Client\BIN\GslShmSrvc.exe [2010-7-6 84992]
R2 IAStorDataMgrSvc;Intel® Rapid Storage Technology;C:\Program Files (x86)\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exe [2012-5-27 13336]
R2 IpOverUsbSvc;Windows Phone IP over USB Transport (IpOverUsbSvc);C:\Program Files (x86)\Common Files\microsoft shared\Phone Tools\CoreCon\11.0\bin\IpOverUsbSvc.exe [2014-4-17 22768]
R2 NCFSD;Novell Client File System Redirector;C:\Program Files\Novell\Client\XTier\Drivers\ncfsd.sys [2011-11-27 108120]
R2 NCIOCTL;Novell Xplat IoCtl Driver;C:\Program Files\Novell\Client\XTier\Drivers\ncioctl.sys [2011-11-27 88152]
R2 NisDrv;Microsoft Network Inspection System;C:\Windows\System32\drivers\NisDrvWFP.sys [2012-3-20 125584]
R3 EtronHub3;Etron USB 3.0 Extensible Hub Driver;C:\Windows\System32\drivers\EtronHub3.sys [2014-7-25 65152]
R3 EtronXHCI;Etron USB 3.0 Extensible Host Controller Driver;C:\Windows\System32\drivers\EtronXHCI.sys [2010-11-1 88576]
R3 hitmanpro37;HitmanPro 3.7 Support Driver;C:\Windows\System32\drivers\hitmanpro37.sys [2014-10-26 32512]
R3 hxctlflt;hxctlflt;C:\Windows\System32\drivers\hxctlflt.sys [2009-2-8 111104]
R3 NisSrv;Microsoft Network Inspection;C:\Program Files\Microsoft Security Client\NisSrv.exe [2014-8-22 368624]
R3 RTL8167;Realtek 8167 NT Driver;C:\Windows\System32\drivers\Rt64win7.sys [2014-7-25 939224]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2013-9-11 105144]
S2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2013-9-11 124088]
S3 AtiHDAudioService;AMD Function Driver for HD Audio Service;C:\Windows\System32\drivers\AtihdW76.sys [2013-7-5 96256]
S3 c2wts;Claims to Windows Token Service;C:\Program Files\Windows Identity Foundation\v3.5\c2wtshost.exe [2014-6-30 15768]
S3 dg_ssudbus;SAMSUNG Mobile USB Composite Device Driver (DEVGURU Ver.);C:\Windows\System32\drivers\ssudbus.sys [2013-5-6 103064]
S3 DirMngr;DirMngr;C:\Program Files (x86)\GNU\GnuPG\dirmngr.exe [2011-3-2 224256]
S3 dmvsc;dmvsc;C:\Windows\System32\drivers\dmvsc.sys [2011-4-12 71168]
S3 GemCCID;GemCCID;C:\Windows\System32\drivers\GemCCID.sys [2009-8-10 119680]
S3 ggflt;SEMC USB Flash Driver Filter;C:\Windows\System32\drivers\ggflt.sys [2012-7-18 14448]
S3 IEEtwCollectorService;Internet Explorer ETW Collector Service;C:\Windows\System32\ieetwcollector.exe [2014-10-24 111616]
S3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;C:\Windows\System32\drivers\rdpvideominiport.sys [2012-11-28 19456]
S3 s1018bus;Sony Ericsson Device 1018 driver (WDM);C:\Windows\System32\drivers\s1018bus.sys [2009-3-25 113704]
S3 s1018mdfl;Sony Ericsson Device 1018 USB WMC Modem Filter;C:\Windows\System32\drivers\s1018mdfl.sys [2009-3-25 19496]
S3 s1018mdm;Sony Ericsson Device 1018 USB WMC Modem Driver;C:\Windows\System32\drivers\s1018mdm.sys [2009-3-25 153128]
S3 s1018mgmt;Sony Ericsson Device 1018 USB WMC Device Management Drivers (WDM);C:\Windows\System32\drivers\s1018mgmt.sys [2009-3-25 133160]
S3 s1018nd5;Sony Ericsson Device 1018 USB Ethernet Emulation (NDIS);C:\Windows\System32\drivers\s1018nd5.sys [2009-3-25 34856]
S3 s1018obex;Sony Ericsson Device 1018 USB WMC OBEX Interface;C:\Windows\System32\drivers\s1018obex.sys [2009-3-25 128552]
S3 s1018unic;Sony Ericsson Device 1018 USB Ethernet Emulation (WDM);C:\Windows\System32\drivers\s1018unic.sys [2009-3-25 146472]
S3 ssudmdm;SAMSUNG  Mobile USB Modem Drivers (DEVGURU Ver.);C:\Windows\System32\drivers\ssudmdm.sys [2013-5-6 203672]
S3 StorSvc;Storage Service;C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted [2009-7-14 27136]
S3 tap0801;TAP-Win32 Adapter V8;C:\Windows\System32\drivers\tap0801.sys [2005-4-13 30720]
S3 tapoas;TAP-Win32 Adapter OAS;C:\Windows\System32\drivers\tapoas.sys [2011-8-18 30720]
S3 Te.Service;Te.Service;C:\Program Files (x86)\Windows Kits\8.1\Testing\Runtimes\TAEF\Wex.Services.exe [2013-8-22 119808]
S3 TsUsbFlt;TsUsbFlt;C:\Windows\System32\drivers\TsUsbFlt.sys [2014-9-10 56832]
S3 TsUsbGD;Remote Desktop Generic USB Device;C:\Windows\System32\drivers\TsUsbGD.sys [2012-11-28 30208]
S3 VBoxUSB;VirtualBox USB;C:\Windows\System32\drivers\VBoxUSB.sys [2014-5-16 115488]
S3 VsEtwService120;Visual Studio ETW Event Collection Service;C:\Program Files\Microsoft Visual Studio 12.0\Common7\Packages\Debugger\Services\VsEtwService.exe [2014-4-30 87736]
S3 VSPerfDrv100;Performance Tools Driver 10.0;C:\Program Files (x86)\Microsoft Visual Studio 10.0\Team Tools\Performance Tools\x64\VSPerfDrv100.sys [2011-1-18 68440]
S3 WatAdminSvc;Windows Activation Technologies Service;C:\Windows\System32\Wat\WatAdminSvc.exe [2012-5-28 1255736]
S3 WDC_SAM;WD SCSI Pass Thru driver;C:\Windows\System32\drivers\wdcsam64.sys [2008-5-6 14464]
S4 AMD External Events Utility;AMD External Events Utility;C:\Windows\System32\atiesrxx.exe [2013-8-30 239616]
S4 Apache2.4;Apache2.4;C:\Apache24\bin\httpd.exe [2012-5-13 22016]
S4 Freemake Improver;Freemake Improver;C:\ProgramData\Freemake\FreemakeUtilsService\FreemakeUtilsService.exe [2012-8-26 100864]
S4 MSSQLServerADHelper100;SQL Active Directory Helper Service;C:\Program Files\Microsoft SQL Server\100\Shared\sqladhlp.exe [2009-7-22 61976]
S4 RsFx0105;RsFx0105 Driver;C:\Windows\System32\drivers\RsFx0105.sys [2011-9-22 311144]
S4 Sony PC Companion;Sony PC Companion;C:\Program Files (x86)\Sony\Sony PC Companion\PCCService.exe [2012-7-22 155824]
S4 SQLAgent$SQLEXPRESS;SQL Server Agent (SQLEXPRESS);C:\Program Files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\SQLAGENT.EXE [2014-7-12 441504]
S4 XTSvcMgr;Novell XTier Service Manager;C:\Program Files\Novell\Client\XTier\Services\xtsvcmgr.exe [2011-11-27 19544]
=============== Created Last 30 ================
2014-10-26 09:54:12    32512    ----a-w-    C:\Windows\System32\drivers\hitmanpro37.sys
2014-10-26 09:52:48    --------    d-----w-    C:\ProgramData\HitmanPro
2014-10-26 09:24:38    11627712    ----a-w-    C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{B945CB37-1C2E-4409-8C9A-DA48021E83F8}\mpengine.dll
2014-10-26 08:47:32    98816    ----a-w-    C:\Windows\sed.exe
2014-10-26 08:47:32    256000    ----a-w-    C:\Windows\PEV.exe
2014-10-26 08:47:32    208896    ----a-w-    C:\Windows\MBR.exe
2014-10-26 08:47:28    --------    d-----w-    C:\comfix
2014-10-26 08:41:47    --------    d-----w-    C:\Users\Asterix\AppData\Local\Max Secure Software
2014-10-26 08:41:12    --------    d-----w-    C:\Users\Asterix\AppData\Roaming\GetRightToGo
2014-10-25 12:27:58    129752    ----a-w-    C:\Windows\System32\drivers\MBAMSwissArmy.sys
2014-10-25 12:27:38    93400    ----a-w-    C:\Windows\System32\drivers\mbamchameleon.sys
2014-10-25 12:27:38    63704    ----a-w-    C:\Windows\System32\drivers\mwac.sys
2014-10-25 12:27:37    --------    d-----w-    C:\Program Files (x86)\Malwarebytes Anti-Malware
2014-10-25 05:49:04    11627712    ----a-w-    C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\Backup\mpengine.dll
2014-10-24 23:19:56    48240    ----a-w-    C:\Program Files (x86)\Mozilla Firefox\browser\components\browsercomps.dll
2014-10-24 23:19:55    74864    ----a-w-    C:\Program Files (x86)\Mozilla Firefox\breakpadinjector.dll
2014-10-24 23:19:55    20080    ----a-w-    C:\Program Files (x86)\Mozilla Firefox\AccessibleMarshal.dll
2014-10-24 22:05:28    --------    d-----w-    C:\SymCache
2014-10-24 21:58:35    --------    d-----w-    C:\Users\Asterix\AppData\Local\Windows Performance Analyzer
2014-10-24 19:14:08    --------    d-----w-    C:\ProgramData\dbg
2014-10-24 04:08:50    3241472    ----a-w-    C:\Windows\System32\msi.dll
2014-10-24 04:08:49    2363904    ----a-w-    C:\Windows\SysWow64\msi.dll
2014-10-24 04:08:29    3179520    ----a-w-    C:\Windows\System32\rdpcorets.dll
2014-10-24 04:02:12    424448    ----a-w-    C:\Windows\System32\rastls.dll
2014-10-24 04:02:12    372736    ----a-w-    C:\Windows\SysWow64\rastls.dll
2014-10-24 02:55:54    --------    d-----w-    C:\Users\Asterix\AppData\Roaming\Process Hacker 2
2014-10-24 02:41:44    --------    d-----w-    C:\Program Files\Process Hacker 2
2014-10-19 09:35:10    --------    d-----w-    C:\ProgramData\Boxtools
2014-10-18 15:45:12    --------    d-----w-    C:\Users\Asterix\.gradle
2014-10-18 15:44:54    --------    d-----w-    C:\Users\Asterix\AndroidStudioProjects
2014-10-18 15:37:31    --------    d-----w-    C:\Users\Asterix\.AndroidStudioBeta
2014-10-18 15:34:23    --------    d-----w-    C:\Android
2014-10-17 14:19:41    --------    d-----w-    C:\Users\Asterix\AppData\Roaming\Adminscope
2014-10-13 20:46:15    --------    d-----r-    C:\Program Files (x86)\Skype
2014-10-05 07:57:45    --------    d-----w-    C:\Users\Asterix\AppData\Roaming\.intelicharts
2014-10-02 13:32:32    1188440    ------w-    C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{7FA660F1-9636-4506-AE5F-717801983B26}\gapaengine.dll
2014-10-01 13:14:11    519680    ----a-w-    C:\Windows\SysWow64\qdvd.dll
2014-10-01 13:14:11    371712    ----a-w-    C:\Windows\System32\qdvd.dll
2014-09-28 08:10:17    --------    d-----w-    C:\Program Files\NetBeans 8.0.1
2014-09-28 08:01:37    111016    ----a-w-    C:\Windows\System32\WindowsAccessBridge-64.dll
==================== Find3M  ====================
2014-10-24 04:02:48    98216    ----a-w-    C:\Windows\SysWow64\WindowsAccessBridge-32.dll
2014-10-10 02:05:59    276480    ----a-w-    C:\Windows\System32\generaltel.dll
2014-10-10 02:05:42    507392    ----a-w-    C:\Windows\System32\aepdu.dll
2014-10-10 02:00:38    424448    ----a-w-    C:\Windows\System32\aeinv.dll
2014-10-01 09:11:12    25816    ----a-w-    C:\Windows\System32\drivers\mbam.sys
2014-09-29 00:58:48    3198976    ----a-w-    C:\Windows\System32\win32k.sys
2014-09-25 22:32:04    2017280    ----a-w-    C:\Windows\SysWow64\inetcpl.cpl
2014-09-25 22:31:02    2108416    ----a-w-    C:\Windows\System32\inetcpl.cpl
2014-09-22 06:42:39    278152    ------w-    C:\Windows\System32\MpSigStub.exe
2014-09-19 01:56:02    2724864    ----a-w-    C:\Windows\System32\mshtml.tlb
2014-09-19 01:55:49    4096    ----a-w-    C:\Windows\System32\ieetwcollectorres.dll
2014-09-19 01:40:43    66048    ----a-w-    C:\Windows\System32\iesetup.dll
2014-09-19 01:40:03    547328    ----a-w-    C:\Windows\System32\vbscript.dll
2014-09-19 01:39:58    48640    ----a-w-    C:\Windows\System32\ieetwproxystub.dll
2014-09-19 01:38:27    83968    ----a-w-    C:\Windows\System32\MshtmlDac.dll
2014-09-19 01:36:57    5829632    ----a-w-    C:\Windows\System32\jscript9.dll
2014-09-19 01:26:00    139264    ----a-w-    C:\Windows\System32\ieUnatt.exe
2014-09-19 01:25:49    111616    ----a-w-    C:\Windows\System32\ieetwcollector.exe
2014-09-19 01:25:12    4201472    ----a-w-    C:\Windows\SysWow64\jscript9.dll
2014-09-19 01:25:09    758272    ----a-w-    C:\Windows\System32\jscript9diag.dll
2014-09-19 01:18:02    940032    ----a-w-    C:\Windows\System32\MsSpellCheckingFacility.exe
2014-09-19 01:14:57    2724864    ----a-w-    C:\Windows\SysWow64\mshtml.tlb
2014-09-19 01:06:47    72704    ----a-w-    C:\Windows\System32\JavaScriptCollectionAgent.dll
2014-09-19 01:02:07    454656    ----a-w-    C:\Windows\SysWow64\vbscript.dll
2014-09-19 01:01:47    61952    ----a-w-    C:\Windows\SysWow64\iesetup.dll
2014-09-19 01:01:03    51200    ----a-w-    C:\Windows\SysWow64\ieetwproxystub.dll
2014-09-19 00:59:40    61952    ----a-w-    C:\Windows\SysWow64\MshtmlDac.dll
2014-09-19 00:50:16    112128    ----a-w-    C:\Windows\SysWow64\ieUnatt.exe
2014-09-19 00:49:31    597504    ----a-w-    C:\Windows\SysWow64\jscript9diag.dll
2014-09-19 00:40:12    1249280    ----a-w-    C:\Windows\System32\mshtmlmedia.dll
2014-09-19 00:36:23    60416    ----a-w-    C:\Windows\SysWow64\JavaScriptCollectionAgent.dll
2014-09-19 00:33:18    2309632    ----a-w-    C:\Windows\System32\wininet.dll
2014-09-19 00:18:55    1068032    ----a-w-    C:\Windows\SysWow64\mshtmlmedia.dll
2014-09-18 23:59:11    1810944    ----a-w-    C:\Windows\SysWow64\wininet.dll
2014-09-13 01:58:18    77312    ----a-w-    C:\Windows\System32\packager.dll
2014-09-13 01:40:05    67072    ----a-w-    C:\Windows\SysWow64\packager.dll
2014-09-10 07:45:44    71344    ----a-w-    C:\Windows\SysWow64\FlashPlayerCPLApp.cpl
2014-09-10 07:45:44    701104    ----a-w-    C:\Windows\SysWow64\FlashPlayerApp.exe
2014-09-09 22:11:04    2048    ----a-w-    C:\Windows\System32\tzres.dll
2014-09-09 21:47:10    2048    ----a-w-    C:\Windows\SysWow64\tzres.dll
2014-09-05 02:11:09    6584320    ----a-w-    C:\Windows\System32\mstscax.dll
2014-09-05 01:52:41    5703168    ----a-w-    C:\Windows\SysWow64\mstscax.dll
2014-08-23 02:07:00    404480    ----a-w-    C:\Windows\System32\gdi32.dll
2014-08-23 01:45:55    311808    ----a-w-    C:\Windows\SysWow64\gdi32.dll
2014-08-01 11:53:22    1031168    ----a-w-    C:\Windows\System32\TSWorkspace.dll
2014-08-01 11:35:06    793600    ----a-w-    C:\Windows\SysWow64\TSWorkspace.dll
2014-07-30 17:11:28    832648    ----a-w-    C:\Windows\apppatch\AppPatch64\EMET64.dll
2014-07-30 17:11:28    761480    ----a-w-    C:\Windows\apppatch\EMET.dll
============= FINISH: 11:52:25,15 ===============

Attached Files

BC AdBot (Login to Remove)


#2 geverl

  • Topic Starter

  • Members
  • 4 posts
  • Local time:08:56 PM

Posted 28 October 2014 - 04:32 AM

I've tried most of the software at http://www.bleepingcomputer.com/download/windows/security to no avail.
When I boot in safe mode with pretty much everything disabled, Windows Explorer works fine. After having wasted several days with useless scanner software I've installed an SSD drive and installed Windows 7 on it, which works fine. The disk on which the infected Windows 7 is installed is now used purely for data storage, although I can still boot into the infected Windows if need be.

#3 HelpBot


    Bleepin' Binary Bot

  • Bots
  • 12,762 posts
  • Gender:Male
  • Local time:03:56 PM

Posted 31 October 2014 - 07:40 AM

Hello and welcome to Bleeping Computer!

I am HelpBot: an automated program designed to help the Bleeping Computer Staff better assist you! This message contains very important information, so please read through all of it before doing anything.

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

To help Bleeping Computer better assist you please perform the following steps:


step1.gif In order to continue receiving help at BleepingComputer.com, YOU MUST tell me if you still need help or if your issue has already been resolved on your own or through another resource! To tell me this, please click on the following link and follow the instructions there.

CLICK THIS LINK >>> http://www.bleepingcomputer.com/logreply/553373 <<< CLICK THIS LINK

If you no longer need help, then all you needed to do was the previous instructions of telling me so. You can skip the rest of this post. If you do need help please continue with Step 2 below.


step2.gifIf you still need help, I would like you to post a Reply to this topic (click the "Add Reply" button in the lower right hand of this page). In that reply, please include the following information:

  • If you have not done so already, include a clear description of the problems you're having, along with any steps you may have performed so far.
  • A new DDS log. For your convenience, you will find the instructions for generating these logs repeated at the bottom of this post.
    • Please do this even if you have previously posted logs for us.
    • If you were unable to produce the logs originally please try once more.
    • If you are unable to create a log please provide detailed information about your installed Windows Operating System including the Version, Edition and if it is a 32bit or a 64bit system.
    • If you are unsure about any of these characteristics just post what you can and we will guide you.
  • Please tell us if you have your original Windows CD/DVD available.
  • Upon completing the above steps and posting a reply, another staff member will review your topic and do their best to resolve your issues.

Thank you for your patience, and again sorry for the delay.


We need to see some information about what is happening in your machine. Please perform the following scan again:

  • Download DDS by sUBs from the following link if you no longer have it available and save it to your destop.

    DDS.com Download Link
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool. No input is needed, the scan is running.
  • Notepad will open with the results.
  • Follow the instructions that pop up for posting the results.
  • Close the program window, and delete the program from your desktop.
Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet and disable all antivirus protection. Run the scan, enable your A/V and reconnect to the internet.

Information on A/V control can be found HERE.

As I am just a silly little program running on the BleepingComputer.com servers, please do not send me private messages as I do not know how to read and reply to them! Thanks!

#4 geverl

  • Topic Starter

  • Members
  • 4 posts
  • Local time:08:56 PM

Posted 02 November 2014 - 05:01 AM

As mentioned above, I've got a well working system now. I would love to find out what caused the problems, but I do not want to risk compromising my new installation. Depending on how clever the suspected malware is, I'm afraid it might infect my new Windows partition when I boot into the old, infected, Windows.

#5 stragis


  • Members
  • 675 posts
  • Gender:Male
  • Local time:12:56 PM

Posted 02 November 2014 - 05:31 PM

Hi Geverl,

My name is Stragis and I'll be helping you out here.  Please allow me some time to review the information you have provided.  In the mean time, please refrain from making any additional changes to the infected hard drive as this can make it difficult for me to assist you.  Thanks, and I'll post back here as soon as possible!


#6 stragis


  • Members
  • 675 posts
  • Gender:Male
  • Local time:12:56 PM

Posted 06 November 2014 - 05:27 PM

Hello geverl,
I would like to welcome you to the Malware Removal section of the forum.

Around here they call me Stragis and I will be your acting computer wizard. I'm glad to help you with your malware problems.

Very Important --> Please read this post completely, I have spent my time to put together somethings for you to keep in mind while I am helping you to make things go easier, faster and smoother for both of us!
  • Please do not run any tools unless instructed to do so.
    • We ask you to run different tools in a specific order to ensure the malware is completely removed from your machine, and running any additional tools may detect false positives, interfere with our tools, or cause unforeseen damage or system instability.
  • Please do not attach logs or use code boxes, just copy and paste the text.
    • Due to the high volume of logs we receive it helps to receive everything in the same format, and code boxes make the logs very difficult to read. Also, attachments require us to download and open the reports when it is easier to just read the reports in your post.
  • Please read every post completely before doing anything.
    • Pay special attention to the NOTE: lines, these entries identify an individual issue or important step in the cleanup process.
  • Please provide feedback about your experience as we go.
    • A short statement describing how the computer is working helps us understand where to go next, for example: I am still getting redirected, the computer is running normally, etc. Please do not describe the computer as "the same", this requires the extra step of looking back at your previous post.
NOTE: At the top of your post, click on the "Follow This Topic" Button, make sure that the "Receive notification" box is checked and that it is set to "Instantly" - This will send you an e-mail as soon as I reply to your topic, allowing us to resolve the issue faster.

NOTE: Backup any files that cannot be replaced. Removing malware can be unpredictable and this step can save a lot of heartaches if things don't go as planned. You can put them on a CD/DVD, external drive or a pen drive, anywhere except on the computer.

NOTE: It is good practice to copy and paste the instructions into wordpad and print them in case it is necessary for you to go offline during the cleanup process. To open wordpad, navigate to Start Menu > All Programs > Accessories > wordpad . Please remember to copy the entire post so you do not miss any instructions.

I want to inform you that I'm still in my training program so my posts must be reviewed by an instructor. This may lead to a slight delay in my answers.

While we're working together; if I haven't posted anything for 48 hours straight, please, feel free to send me a personal message. I will bump the topic if there is no response from you for 3 days. After 5 days of inactivity, the topic will be closed.

Going over your logs I noticed that you have BitTorrent installed.
  • Avoid gaming sites, pirated software, cracking tools, keygens, and peer-to-peer (P2P) file sharing programs.
  • They are a security risk which can make your computer susceptible to a wide variety of malware infections, remote attacks, exposure of personal information, and identity theft. Many malicious worms and Trojans spread across P2P file sharing networks, gaming and underground sites.
  • Users visiting such pages may see innocuous-looking banner ads containing code which can trigger pop-up ads and malicious Flash ads that install viruses, Trojans and spyware. Ads are a target for hackers because they offer a stealthy way to distribute malware to a wide range of Internet users.
  • The best way to reduce the risk of infection is to avoid these types of web sites and not use any P2P applications.
  • It is pretty much certain that if you continue to use P2P programs, you will get infected again.
    I would recommend that you uninstall BitTorrent, however that choice is up to you. If you choose to remove these programs, you can do so via Start > Control Panel > Add/Remove Programs.
If you wish to keep it, please do not use it until your computer is cleaned.

 Download RogueKiller for 32bit or Roguekiller for 64bit to your Desktop
  • Close all the running programs
  • Windows Vista/7 users: right click onRogueKiller.exe, click Run as Administrator
  • Otherwise just double-click on RogueKiller.exe
  • Pre-scan will start. Let it finish.
  • Click on SCAN button.
  • Wait until the Status box shows Scan Finished
  • Click on Delete.
  • Wait until the Status box shows Deleting Finished.
  • Click on Report and copy/paste the content of the Notepad into your next reply.
  • RKreport.txt could also be found on your desktop.
  • If more than one log is produced post all logs.
  • If RogueKiller has been blocked, do not hesitate to try a few times more. If really won't run, rename it to winlogon.exe (or winlogon.com) and try again

I also have a few questions for you about the machine while I work out the best action steps.
It sounds like you are seeing a single core at 100% usage and as a result, overall system slowness. When did this start?
Did you purchase/build this machine around 27/05/2012?
Is this machine your personal PC or owned by a Corporation?

#7 stragis


  • Members
  • 675 posts
  • Gender:Male
  • Local time:12:56 PM

Posted 10 November 2014 - 03:03 PM

I have not seen a reply from you since my post 3 days ago. If there is no response by the 5th day this topic will be closed.


#8 whoabuddy


    Bleepin' Verbose

  • Malware Response Instructor
  • 2,053 posts
  • Gender:Male
  • Location:Cottonwood, AZ
  • Local time:11:56 AM

Posted 12 November 2014 - 03:23 PM

Due to the lack of feedback, this topic is now closed.

In the event you still have problems, please send me or any Moderator a Private Message and ask them to reopen this topic within the next 5 days.

Please include a link to your topic in the Private Message. Thank you.
Meditate. Elevate. Appreciate. | "Life is a journey, love is the destination, happiness is the path!"
If I am helping you and have not responded within 48 hours, please send me a PM.
Vi Veri Universum Vivus Vici (VVVVV)
Excellent Security Advice
Proud member of UNITE

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users