Possible Malware - Slowness and Explorer.exe hogging RAM/CPU


  • This topic is locked
6 replies to this topic

#1 homepcsi

  • Members
  • 19 posts
Posted 23 January 2015 - 02:10 PM

I have a computer that appeared to be showing signs of infection. I've run all of the usual programs that one would for a typical system clean. I found and removed several infections on the computer, but there is one that is proving to be difficult.
 
Avast! Free Antivirus reports every so often that it blocks a malicious web address from executing, and that the process is from C:\Windows\System32\Explorer.exe
 
Upon checking the Task Manager to view Processes, I can see that there are two instances of explorer.exe, and one of them steadily climbs in both memory and CPU usage until the computer ultimately grinds to a halt. Upon killing the offending explorer.exe, I can continue scanning/using the computer, but within a few minutes it comes right back. As of this writing, it hasn't happened in a long time now, so I may have fixed the issue already. I'd just feel more comfortable if someone more experienced than I looked at some of my logs.
 
Some background:
 
I have run and removed any infections found (if applicable) with the following programs:

  • CCleaner
  • MalwareBytes
  • HitmanPro
  • Junkware Removal Tool
  • AdwCleaner
  • FRST64
  • RogueKiller
  • ComboFix
  • GMER 
  • TDSSKiller
  • OTL

At this point, the programs I am running aren't finding any infections, but the issues still persist. I will attach a few logs. Hopefully someone can see something in these logs that I can't. Thanks. Below is the FRST.log:

 

Scan result of Farbar Recovery Scan Tool (FRST.txt) (x64) Version: 19-01-2015

Ran by renee (administrator) on LIGHTHOUSE1960 on 23-01-2015 13:37:55
Running from C:\Users\renee\Downloads
Loaded Profiles: renee (Available profiles: renee)
Platform: Windows 7 Home Premium Service Pack 1 (X64) OS Language: English (United States)
Internet Explorer Version 11 (Default browser: IE)
Boot Mode: Normal
 
==================== Processes (Whitelisted) =================
 
(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)
 
(AVAST Software) C:\Program Files\AVAST Software\Avast\AvastSvc.exe
(Hewlett-Packard Company) C:\Program Files (x86)\Hewlett-Packard\Shared\HPDrvMntSvc.exe
(Microsoft Corporation) C:\Windows\SysWOW64\svchost.exe
(QUALCOMM, Inc.) C:\Program Files (x86)\QUALCOMM\QDLService2k\QDLService2kHP.exe
(Microsoft Corp.) C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
(Microsoft Corp.) C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVCM.EXE
(Skyhook Wireless) C:\Program Files\Skyhook Wireless\XPS\xpssvc.exe
(Skyhook Wireless) C:\Program Files\Skyhook Wireless\XPS\xpscontrolpanel.exe
(Garmin Ltd or its subsidiaries) C:\Program Files (x86)\Garmin\Express Tray\ExpressTray.exe
(AVAST Software) C:\Program Files\AVAST Software\Avast\avastui.exe
(Microsoft Corporation) C:\Windows\System32\dllhost.exe
(Garmin Ltd or its subsidiaries) C:\Program Files (x86)\Garmin\Core Update Service\Garmin.Cartography.MapUpdate.CoreService.exe
(Microsoft Corporation) C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
(Microsoft Corporation) C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
(Hewlett-Packard) C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWA_Service.exe
(Intuit Inc.) C:\Program Files (x86)\Common Files\Intuit\Update Service\IntuitUpdateService.exe
(Intuit Inc.) C:\Program Files (x86)\Common Files\Intuit\Update Service v4\IntuitUpdateService.exe
(Microsoft Corporation) C:\Windows\System32\taskmgr.exe
(Microsoft Corporation) C:\Windows\System32\cmd.exe
(Microsoft Corporation) C:\Windows\System32\sfc.exe
(Farbar) C:\Users\renee\Downloads\FRST64 (2).exe
 
 
==================== Registry (Whitelisted) ==================
 
(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)
 
HKLM\...\Run: [Skyhook Wireless XPS Service] => C:\Program Files\Skyhook Wireless\XPS\xpscontrolpanel.exe [679240 2010-04-12] (Skyhook Wireless)
HKLM-x32\...\Run: [] => [X]
HKLM-x32\...\Run: [AvastUI.exe] => C:\Program Files\AVAST Software\Avast\AvastUI.exe [5227112 2015-01-09] (AVAST Software)
Winlogon\Notify\igfxcui: C:\Windows\system32\igfxdev.dll (Intel Corporation)
HKU\S-1-5-21-3891340218-3492943677-1852639085-1000\...\Run: [GarminExpressTrayApp] => C:\Program Files (x86)\Garmin\Express Tray\ExpressTray.exe [688984 2014-07-23] (Garmin Ltd or its subsidiaries)
HKU\S-1-5-21-3891340218-3492943677-1852639085-1000\...\Policies\Explorer: [NoDesktopCleanupWizard] 1
ShellIconOverlayIdentifiers: [00avast] -> {472083B0-C522-11CF-8763-00608CC02F24} => C:\Program Files\AVAST Software\Avast\ashShA64.dll (AVAST Software)
BootExecute: autocheck autochk * bootdelete
 
==================== Internet (Whitelisted) ====================
 
(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)
 
HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION
HKU\.DEFAULT\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION
HKU\S-1-5-21-3891340218-3492943677-1852639085-1000\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION
HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=msnhome
HKU\S-1-5-21-3891340218-3492943677-1852639085-1000\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
HKU\S-1-5-21-3891340218-3492943677-1852639085-1000\Software\Microsoft\Internet Explorer\Main,Start Page = https://www.google.com/?gws_rd=ssl
StartMenuInternet: IEXPLORE.EXE - C:\Program Files (x86)\Internet Explorer\iexplore.exe
SearchScopes: HKLM-x32 -> {A55716D7-684D-4B96-859F-2BB903E6D912} URL = http://www.bing.com/search?q={searchTerms}&form=HPNTDF&pc=HPNTDF&src=IE-SearchBox
SearchScopes: HKU\S-1-5-19 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = 
SearchScopes: HKU\S-1-5-20 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL = 
BHO: Java™ Plug-In SSV Helper -> {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -> C:\Program Files\Java\jre1.8.0_25\bin\ssv.dll (Oracle Corporation)
BHO: avast! Online Security -> {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} -> C:\Program Files\AVAST Software\Avast\aswWebRepIE64.dll (AVAST Software)
BHO: Windows Live ID Sign-in Helper -> {9030D464-4C02-4ABF-8ECC-5164760863C6} -> C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll (Microsoft Corp.)
BHO: Office Document Cache Handler -> {B4F3A835-0E21-4959-BA22-42B3008E02FF} -> C:\Program Files\Microsoft Office\Office14\URLREDIR.DLL (Microsoft Corporation)
BHO: Java™ Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files\Java\jre1.8.0_25\bin\jp2ssv.dll (Oracle Corporation)
BHO: Adblock Plus for IE Browser Helper Object -> {FFCB3198-32F3-4E8B-9539-4324694ED664} -> C:\Program Files\Adblock Plus for IE\AdblockPlus64.dll (Adblock Plus)
BHO-x32: HP Print Enhancer -> {0347C33E-8762-4905-BF09-768834316C61} -> C:\Program Files (x86)\HP\Digital Imaging\Smart Web Printing\hpswp_printenhancer.dll (Hewlett-Packard Co.)
BHO-x32: MSS+ Identifier -> {0E8A89AD-95D7-40EB-8D9D-083EF7066A01} -> C:\Program Files\McAfee Security Scan\3.8.130\McAfeeMSS_IE.dll (McAfee, Inc.)
BHO-x32: Java™ Plug-In SSV Helper -> {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -> C:\Program Files (x86)\Java\jre1.8.0_25\bin\ssv.dll (Oracle Corporation)
BHO-x32: avast! Online Security -> {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} -> C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll (AVAST Software)
BHO-x32: Windows Live ID Sign-in Helper -> {9030D464-4C02-4ABF-8ECC-5164760863C6} -> C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll (Microsoft Corp.)
BHO-x32: No Name -> {90b1ff72-e461-400e-84b3-c0ff85e0e553} ->  No File
BHO-x32: Office Document Cache Handler -> {B4F3A835-0E21-4959-BA22-42B3008E02FF} -> C:\Program Files (x86)\Microsoft Office\Office14\URLREDIR.DLL (Microsoft Corporation)
BHO-x32: No Name -> {b7cb3289-aba0-47b3-a929-e63819a8eea9} ->  No File
BHO-x32: LocationFinder Class -> {BC0E8AD7-13AA-4694-8EDD-0246BC47A35F} -> C:\Program Files (x86)\Skyhook Wireless\Loki Plugin\loki.dll (Skyhook Wireless)
BHO-x32: Java™ Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files (x86)\Java\jre1.8.0_25\bin\jp2ssv.dll (Oracle Corporation)
BHO-x32: Adblock Plus for IE Browser Helper Object -> {FFCB3198-32F3-4E8B-9539-4324694ED664} -> C:\Program Files\Adblock Plus for IE\AdblockPlus32.dll (Adblock Plus)
BHO-x32: HP Smart BHO Class -> {FFFFFFFF-CF4E-4F2B-BDC2-0E72E116A856} -> C:\Program Files (x86)\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll (Hewlett-Packard Co.)
Toolbar: HKLM-x32 - No Name - {de1540e3-8f32-491f-9868-e0b9c191cdd7} -  No File
Toolbar: HKLM-x32 - No Name - {4F524A2D-5354-2D53-5045-7A786E7484D7} -  No File
Toolbar: HKU\S-1-5-21-3891340218-3492943677-1852639085-1000 -> No Name - {2318C2B1-4965-11D4-9B18-009027A5CD4F} -  No File
Tcpip\Parameters: [DhcpNameServer] 192.168.3.1
 
FireFox:
========
FF ProfilePath: C:\Users\renee\AppData\Roaming\Mozilla\Firefox\Profiles\c6f2dwlp.default
FF Plugin: @java.com/DTPlugin,version=11.25.2 -> C:\Program Files\Java\jre1.8.0_25\bin\dtplugin\npDeployJava1.dll (Oracle Corporation)
FF Plugin: @java.com/JavaPlugin,version=11.25.2 -> C:\Program Files\Java\jre1.8.0_25\bin\plugin2\npjp2.dll (Oracle Corporation)
FF Plugin: @microsoft.com/GENUINE -> disabled No File
FF Plugin: @Microsoft.com/NpCtrl,version=1.0 -> c:\Program Files\Microsoft Silverlight\5.1.30514.0\npctrl.dll ( Microsoft Corporation)
FF Plugin: @microsoft.com/OfficeAuthz,version=14.0 -> C:\PROGRA~1\MICROS~2\Office14\NPAUTHZ.DLL (Microsoft Corporation)
FF Plugin-x32: @adobe.com/ShockwavePlayer -> C:\Windows\SysWOW64\Adobe\Director\np32dsw_1216156.dll (Adobe Systems, Inc.)
FF Plugin-x32: @ei.HeadlineAlley_29.com/Plugin -> C:\Program Files (x86)\HeadlineAlley_29EI\Installr\1.bin\NP29EISB.dll No File
FF Plugin-x32: @ElectionTracker_59.com/Plugin -> C:\Program Files (x86)\ElectionTracker_59\bar\1.bin\NP59Stub.dll No File
FF Plugin-x32: @Google.com/GoogleEarthPlugin -> C:\Program Files (x86)\Google\Google Earth\plugin\npgeplugin.dll (Google)
FF Plugin-x32: @java.com/DTPlugin,version=11.25.2 -> C:\Program Files (x86)\Java\jre1.8.0_25\bin\dtplugin\npDeployJava1.dll (Oracle Corporation)
FF Plugin-x32: @java.com/JavaPlugin,version=11.25.2 -> C:\Program Files (x86)\Java\jre1.8.0_25\bin\plugin2\npjp2.dll (Oracle Corporation)
FF Plugin-x32: @mcafee.com/McAfeeMssPlugin -> C:\Program Files\McAfee Security Scan\3.8.130\npMcAfeeMss.dll (McAfee, Inc.)
FF Plugin-x32: @microsoft.com/GENUINE -> disabled No File
FF Plugin-x32: @Microsoft.com/NpCtrl,version=1.0 -> c:\Program Files (x86)\Microsoft Silverlight\5.1.30514.0\npctrl.dll ( Microsoft Corporation)
FF Plugin-x32: @microsoft.com/OfficeAuthz,version=14.0 -> C:\PROGRA~2\MICROS~3\Office14\NPAUTHZ.DLL (Microsoft Corporation)
FF Plugin-x32: @microsoft.com/SharePoint,version=14.0 -> C:\PROGRA~2\MICROS~3\Office14\NPSPWRAP.DLL (Microsoft Corporation)
FF Plugin-x32: @microsoft.com/WLPG,version=15.4.3502.0922 -> C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)
FF Plugin-x32: @microsoft.com/WLPG,version=15.4.3508.1109 -> C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)
FF Plugin-x32: @skyhookwireless.com/LokiPlugin -> C:\Program Files (x86)\Skyhook Wireless\Loki Plugin\nploki.dll (Skyhook Wireless)
FF Plugin-x32: @tools.google.com/Google Update;version=3 -> C:\Program Files (x86)\Google\Update\1.3.25.11\npGoogleUpdate3.dll (Google Inc.)
FF Plugin-x32: @tools.google.com/Google Update;version=9 -> C:\Program Files (x86)\Google\Update\1.3.25.11\npGoogleUpdate3.dll (Google Inc.)
FF Plugin-x32: Adobe Reader -> C:\Program Files (x86)\Adobe\Reader 11.0\Reader\AIR\nppdf32.dll (Adobe Systems Inc.)
FF Plugin HKU\S-1-5-21-3891340218-3492943677-1852639085-1000: @hulu.com/Hulu Desktop -> C:\Windows\..\Users\Default\AppData\Local\HuluDesktop\instances\0.9.11.1\npHDPlg.dll (Hulu LLC)
FF Extension: Adblock Plus - C:\Users\renee\AppData\Roaming\Mozilla\Firefox\Profiles\c6f2dwlp.default\Extensions\{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}.xpi [2015-01-14]
FF HKLM-x32\...\Firefox\Extensions: [smartwebprinting@hp.com] - C:\Program Files (x86)\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3
FF Extension: HP Smart Web Printing - C:\Program Files (x86)\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3 [2012-03-12]
FF HKLM-x32\...\Firefox\Extensions: [59ffxtbr@ElectionTracker_59.com] - C:\Program Files (x86)\ElectionTracker_59\bar\1.bin
FF HKLM-x32\...\Firefox\Extensions: [wrc@avast.com] - C:\Program Files\AVAST Software\Avast\WebRep\FF
FF Extension: Avast Online Security - C:\Program Files\AVAST Software\Avast\WebRep\FF [2014-11-07]
FF HKU\S-1-5-21-3891340218-3492943677-1852639085-1000\...\Firefox\Extensions: [smartwebprinting@hp.com] - C:\Program Files (x86)\HP\Digital Imaging\Smart Web Printing\MozillaAddOn3
 
Chrome: 
=======
CHR HomePage: Default -> hxxp://www.google.com/
CHR StartupUrls: Default -> "hxxp://www.google.com/"
CHR DefaultSuggestURL: Default -> {google:baseSuggestURL}search?{google:searchFieldtrialParameter}client={google:suggestClient}&gs_ri={google:suggestRid}&xssi=t&q={searchTerms}&{google:inputType}{google:cursorPosition}{google:currentPageUrl}{google:pageClassification}{google:searchVersion}{google:sessionToken}{google:prefetchQuery}sugkey={google:suggestAPIKeyParameter}
CHR Plugin: (Remoting Viewer) - internal-remoting-viewer
CHR Plugin: (Native Client) - C:\Program Files (x86)\Google\Chrome\Application\40.0.2214.91\ppGoogleNaClPluginChrome.dll No File
CHR Plugin: (Chrome PDF Viewer) - C:\Program Files (x86)\Google\Chrome\Application\40.0.2214.91\pdf.dll ()
CHR Plugin: (Shockwave Flash) - C:\Program Files (x86)\Google\Chrome\Application\40.0.2214.91\gcswf32.dll No File
CHR Plugin: (Adobe Acrobat) - C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Browser\nppdf32.dll No File
CHR Plugin: (Java Deployment Toolkit 6.0.290.11) - C:\Program Files (x86)\Java\jre6\bin\new_plugin\npdeployJava1.dll No File
CHR Plugin: (Java™ Platform SE 6 U29) - C:\Program Files (x86)\Java\jre6\bin\new_plugin\npjp2.dll No File
CHR Plugin: (Microsoft Office 2010) - C:\PROGRA~2\MICROS~3\Office14\NPAUTHZ.DLL (Microsoft Corporation)
CHR Plugin: (Microsoft Office 2010) - C:\PROGRA~2\MICROS~3\Office14\NPSPWRAP.DLL (Microsoft Corporation)
CHR Plugin: (Google Earth Plugin) - C:\Program Files (x86)\Google\Google Earth\plugin\npgeplugin.dll (Google)
CHR Plugin: (Google Update) - C:\Program Files (x86)\Google\Update\1.3.21.99\npGoogleUpdate3.dll No File
CHR Plugin: (HeadlineAlley Installer Plugin Stub) - C:\Program Files (x86)\HeadlineAlley_29EI\Installr\1.bin\NP29EISB.dll No File
CHR Plugin: (Loki Plugin) - C:\Program Files (x86)\Skyhook Wireless\Loki Plugin\nploki.dll (Skyhook Wireless)
CHR Plugin: (Windows Live™ Photo Gallery) - C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll (Microsoft Corporation)
CHR Plugin: (Hulu Desktop) - C:\Windows\..\Users\Default\AppData\Local\HuluDesktop\instances\0.9.11.1\npHDPlg.dll (Hulu LLC)
CHR Plugin: (Shockwave for Director) - C:\Windows\SysWOW64\Adobe\Director\np32dsw.dll No File
CHR Plugin: (Silverlight Plug-In) - c:\Program Files (x86)\Microsoft Silverlight\4.1.10111.0\npctrl.dll No File
CHR Plugin: (Default Plug-in) - default_plugin No File
CHR Profile: C:\Users\renee\AppData\Local\Google\Chrome\User Data\Default
CHR Extension: (Google Voice Search Hotword (Beta)) - C:\Users\renee\AppData\Local\Google\Chrome\User Data\Default\Extensions\bepbmhgboaologfdajaanbcjmnhjmhfn [2014-09-16]
CHR Extension: (Adblock Plus) - C:\Users\renee\AppData\Local\Google\Chrome\User Data\Default\Extensions\cfhdojbkjhnklbpkdaibdccddilifddb [2014-11-07]
CHR Extension: (Google Wallet) - C:\Users\renee\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2013-09-12]
CHR HKLM-x32\...\Chrome\Extension: [gomekmidlodglbbmalcneegieacbdmki] - C:\Program Files\AVAST Software\Avast\WebRep\Chrome\aswWebRepChrome.crx [2014-12-10]
 
==================== Services (Whitelisted) =================
 
(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)
 
R2 avast! Antivirus; C:\Program Files\AVAST Software\Avast\AvastSvc.exe [50344 2014-12-10] (AVAST Software)
S4 DvmMDES; C:\SwSetup\QuickWeb\QW.SYS\config\DVMExportService.exe [338168 2010-03-31] (DeviceVM, Inc.)
R2 Garmin Core Update Service; C:\Program Files (x86)\Garmin\Core Update Service\Garmin.Cartography.MapUpdate.CoreService.exe [438616 2014-07-23] (Garmin Ltd or its subsidiaries)
R3 hpqcxs08; C:\Program Files (x86)\HP\Digital Imaging\bin\hpqcxs08.dll [248832 2009-05-21] (Hewlett-Packard Co.) [File not signed]
R2 hpqddsvc; C:\Program Files (x86)\HP\Digital Imaging\bin\hpqddsvc.dll [133120 2009-05-21] (Hewlett-Packard Co.) [File not signed]
S4 HPWMISVC; C:\Program Files\Hewlett-Packard\HP Quick Launch\HPWMISVC.exe [20480 2010-01-18] () [File not signed]
S4 LightScribeService; C:\Program Files (x86)\Common Files\LightScribe\LSSrvc.exe [73728 2010-02-22] (Hewlett-Packard Company) [File not signed]
S4 McComponentHostService; C:\Program Files\McAfee Security Scan\3.8.130\McCHSvc.exe [288776 2013-09-06] (McAfee, Inc.)
R2 Net Driver HPZ12; C:\Windows\system32\HPZinw12.dll [71680 2008-12-03] (Hewlett-Packard) [File not signed]
R2 Pml Driver HPZ12; C:\Windows\system32\HPZipm12.dll [89600 2008-12-03] (Hewlett-Packard) [File not signed]
R2 QDLService2kHP; C:\Program Files (x86)\QUALCOMM\QDLService2k\QDLService2kHP.exe [331000 2010-03-15] (QUALCOMM, Inc.)
R2 WinDefend; C:\Program Files\Windows Defender\mpsvc.dll [1011712 2013-05-27] (Microsoft Corporation)
R2 xpssvc; C:\Program Files\Skyhook Wireless\XPS\xpssvc.exe [909128 2010-04-12] (Skyhook Wireless)
 
==================== Drivers (Whitelisted) ====================
 
(If an entry is included in the fixlist, the service will be removed from the registry. The file will not be moved unless listed separately.)
 
U5 AppMgmt; C:\Windows\system32\svchost.exe [27136 2009-07-13] (Microsoft Corporation)
R2 aswHwid; C:\Windows\system32\drivers\aswHwid.sys [29208 2014-12-10] ()
R2 aswMonFlt; C:\Windows\system32\drivers\aswMonFlt.sys [83280 2014-12-10] (AVAST Software)
R1 aswRdr; C:\Windows\system32\drivers\aswRdr2.sys [93568 2014-12-10] (AVAST Software)
R0 aswRvrt; C:\Windows\System32\Drivers\aswRvrt.sys [65776 2014-12-10] ()
R1 aswSnx; C:\Windows\system32\drivers\aswSnx.sys [1050432 2014-12-10] (AVAST Software)
R1 aswSP; C:\Windows\system32\drivers\aswSP.sys [436624 2014-12-10] (AVAST Software)
R2 aswStm; C:\Windows\system32\drivers\aswStm.sys [116728 2014-12-10] (AVAST Software)
R0 aswVmm; C:\Windows\System32\Drivers\aswVmm.sys [267632 2014-12-10] ()
R1 DVMIO; C:\Windows\System32\DRIVERS\dvmio.sys [20056 2009-11-11] (DeviceVM, Inc.)
S3 hitmanpro37; C:\Windows\system32\drivers\hitmanpro37.sys [43664 2014-11-07] ()
S3 JeppDrive; C:\Windows\System32\Drivers\JeppDrive.sys [28472 2011-08-17] (SMART Modular)
R3 qcfilterhp2k; C:\Windows\System32\DRIVERS\qcfilterhp2k.sys [6400 2010-03-15] (QUALCOMM Incorporated)
R3 qcusbnethp2k; C:\Windows\System32\DRIVERS\qcusbnethp2k.sys [242176 2010-03-15] (QUALCOMM Incorporated)
R3 qcusbserhp2k; C:\Windows\System32\DRIVERS\qcusbserhp2k.sys [121600 2010-03-15] (QUALCOMM Incorporated)
S3 rkhdrv40; C:\Windows\SysWow64\Drivers\rkhdrv40.sys [24448 2015-01-23] ()
U3 TrueSight; C:\Windows\System32\drivers\TrueSight.sys [35064 2015-01-23] ()
R3 XPSVCOM; C:\Windows\System32\DRIVERS\XPSVCOM.sys [16896 2010-03-02] (Skyhook Wireless)
S3 catchme; \??\C:\ComboFix\catchme.sys [X]
 
==================== NetSvcs (Whitelisted) ===================
 
(If an item is included in the fixlist, it will be removed from the registry. Any associated file could be listed separately to be moved.)
 
 
==================== One Month Created Files and Folders ========
 
(If an entry is included in the fixlist, the file\folder will be moved.)
 
2015-01-23 13:37 - 2015-01-23 13:40 - 00019028 _____ () C:\Users\renee\Downloads\FRST.txt
2015-01-23 13:26 - 2015-01-23 13:26 - 00003288 ____N () C:\bootsqm.dat
2015-01-23 12:18 - 2015-01-23 12:18 - 00000000 ____D () C:\Users\renee\Downloads\tweaking.com_windows_repair_aio
2015-01-23 12:16 - 2015-01-23 12:17 - 07871773 _____ () C:\Users\renee\Downloads\tweaking.com_windows_repair_aio.zip
2015-01-23 11:49 - 2015-01-23 11:50 - 00464491 _____ () C:\Users\renee\Downloads\RootRepeal (1).zip
2015-01-23 11:49 - 2015-01-23 11:49 - 00000000 ____D () C:\Users\renee\Downloads\RootRepeal
2015-01-23 11:48 - 2015-01-23 11:49 - 00464491 _____ () C:\Users\renee\Downloads\RootRepeal.zip
2015-01-23 11:48 - 2015-01-23 11:48 - 00465298 _____ () C:\Users\renee\Downloads\RootRepeal.rar
2015-01-23 11:47 - 2015-01-23 11:47 - 00024448 _____ () C:\Windows\SysWOW64\Drivers\rkhdrv40.sys
2015-01-23 11:46 - 2015-01-23 11:46 - 00000000 ____D () C:\Users\renee\Downloads\RkU37300505
2015-01-23 11:46 - 2015-01-23 11:46 - 00000000 ____D () C:\Users\renee\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Rootkit Unhooker
2015-01-23 11:46 - 2015-01-23 11:46 - 00000000 ____D () C:\RkUnhooker
2015-01-23 11:46 - 2015-01-23 11:46 - 00000000 ____D () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Rootkit Unhooker
2015-01-23 11:45 - 2015-01-23 11:45 - 00158300 _____ () C:\Users\renee\Downloads\RkU37300505.zip
2015-01-23 11:45 - 2015-01-23 11:45 - 00077480 _____ () C:\Users\renee\Downloads\gmer.log
2015-01-23 11:26 - 2015-01-23 11:27 - 00380416 _____ () C:\Users\renee\Downloads\ph9n1c8j.exe
2015-01-23 11:18 - 2015-01-23 11:18 - 00097542 _____ () C:\Users\renee\Downloads\Extras.Txt
2015-01-23 11:17 - 2015-01-23 11:17 - 00081122 _____ () C:\Users\renee\Downloads\OTL.Txt
2015-01-23 11:17 - 2013-10-01 21:22 - 00056832 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\TsUsbFlt.sys
2015-01-23 11:17 - 2013-10-01 21:11 - 00013824 _____ (Microsoft Corporation) C:\Windows\system32\TsUsbRedirectionGroupPolicyControl.exe
2015-01-23 11:17 - 2013-10-01 21:08 - 00012800 _____ (Microsoft Corporation) C:\Windows\system32\TsUsbRedirectionGroupPolicyExtension.dll
2015-01-23 11:17 - 2013-10-01 20:48 - 00056832 _____ (Microsoft Corporation) C:\Windows\system32\MsRdpWebAccess.dll
2015-01-23 11:17 - 2013-10-01 20:48 - 00018944 _____ (Microsoft Corporation) C:\Windows\system32\wksprtPS.dll
2015-01-23 11:17 - 2013-10-01 20:29 - 00062976 _____ (Microsoft Corporation) C:\Windows\system32\tsgqec.dll
2015-01-23 11:17 - 2013-10-01 20:10 - 00044544 _____ (Microsoft Corporation) C:\Windows\system32\TsUsbGDCoInstaller.dll
2015-01-23 11:17 - 2013-10-01 19:15 - 01057280 _____ (Microsoft Corporation) C:\Windows\system32\rdvidcrl.dll
2015-01-23 11:17 - 2013-10-01 19:14 - 00050176 _____ (Microsoft Corporation) C:\Windows\SysWOW64\MsRdpWebAccess.dll
2015-01-23 11:17 - 2013-10-01 19:14 - 00017920 _____ (Microsoft Corporation) C:\Windows\SysWOW64\wksprtPS.dll
2015-01-23 11:17 - 2013-10-01 19:08 - 00083968 _____ (Microsoft Corporation) C:\Windows\system32\TSWbPrxy.exe
2015-01-23 11:17 - 2013-10-01 19:01 - 00420864 _____ (Microsoft Corporation) C:\Windows\system32\wksprt.exe
2015-01-23 11:17 - 2013-10-01 18:58 - 00053248 _____ (Microsoft Corporation) C:\Windows\SysWOW64\tsgqec.dll
2015-01-23 11:17 - 2013-10-01 18:31 - 01147392 _____ (Microsoft Corporation) C:\Windows\system32\mstsc.exe
2015-01-23 11:17 - 2013-10-01 18:08 - 00855552 _____ (Microsoft Corporation) C:\Windows\SysWOW64\rdvidcrl.dll
2015-01-23 11:17 - 2013-10-01 17:34 - 01068544 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mstsc.exe
2015-01-23 11:17 - 2013-10-01 15:57 - 06578176 _____ (Microsoft Corporation) C:\Windows\system32\mstscax.dll
2015-01-23 11:17 - 2013-10-01 15:55 - 05698048 _____ (Microsoft Corporation) C:\Windows\SysWOW64\mstscax.dll
2015-01-23 11:10 - 2015-01-23 11:22 - 00000000 ____D () C:\Users\renee\Downloads\shexview-x64
2015-01-23 11:08 - 2015-01-23 11:09 - 00096698 _____ () C:\Users\renee\Downloads\shexview-x64.zip
2015-01-23 11:00 - 2015-01-23 11:01 - 02480312 _____ (Sysinternals - www.sysinternals.com) C:\Users\renee\Downloads\procexp.exe
2015-01-23 10:54 - 2015-01-23 10:54 - 04197016 _____ (Kaspersky Lab ZAO) C:\Users\renee\Downloads\tdsskiller.exe
2015-01-23 10:48 - 2015-01-23 10:48 - 00593080 _____ (Sysinternals - www.sysinternals.com) C:\Users\renee\Downloads\autoruns.exe
2015-01-23 10:46 - 2015-01-23 10:47 - 00602112 _____ (OldTimer Tools) C:\Users\renee\Desktop\OTL (3).exe
2015-01-23 10:44 - 2015-01-23 10:47 - 00602112 _____ (OldTimer Tools) C:\Users\renee\Downloads\OTL.exe
2015-01-23 10:40 - 2015-01-23 10:40 - 00388608 _____ (Trend Micro Inc.) C:\Users\renee\Downloads\HijackThis.exe
2015-01-23 10:40 - 2015-01-23 10:40 - 00009592 _____ () C:\Users\renee\Downloads\hijackthis.log
2015-01-23 10:23 - 2015-01-23 10:23 - 00023854 _____ () C:\ComboFix.txt
2015-01-23 09:52 - 2011-06-26 01:45 - 00256000 _____ () C:\Windows\PEV.exe
2015-01-23 09:52 - 2010-11-07 12:20 - 00208896 _____ () C:\Windows\MBR.exe
2015-01-23 09:52 - 2009-04-19 23:56 - 00060416 _____ (NirSoft) C:\Windows\NIRCMD.exe
2015-01-23 09:52 - 2000-08-30 19:00 - 00518144 _____ (SteelWerX) C:\Windows\SWREG.exe
2015-01-23 09:52 - 2000-08-30 19:00 - 00406528 _____ (SteelWerX) C:\Windows\SWSC.exe
2015-01-23 09:52 - 2000-08-30 19:00 - 00098816 _____ () C:\Windows\sed.exe
2015-01-23 09:52 - 2000-08-30 19:00 - 00080412 _____ () C:\Windows\grep.exe
2015-01-23 09:52 - 2000-08-30 19:00 - 00068096 _____ () C:\Windows\zip.exe
2015-01-23 09:51 - 2015-01-23 10:23 - 00000000 ____D () C:\Qoobox
2015-01-23 09:51 - 2015-01-23 09:52 - 05609462 ____R (Swearware) C:\Users\renee\Downloads\ComboFix.exe
2015-01-23 09:50 - 2015-01-23 10:11 - 00000000 ____D () C:\Windows\erdnt
2015-01-23 09:26 - 2015-01-23 09:26 - 02126848 _____ (Farbar) C:\Users\renee\Downloads\FRST64 (2).exe
2015-01-23 09:26 - 2015-01-23 09:26 - 02126848 _____ (Farbar) C:\Users\renee\Downloads\FRST64 (1).exe
2015-01-22 16:28 - 2015-01-23 13:29 - 00000000 ___HD () C:\ProgramData\{9A88E103-A20A-4EA5-8636-C73B709A5BF8}
2015-01-22 16:28 - 2015-01-22 16:28 - 00000000 ____D () C:\ProgramData\Windows Genuine Advantage
2015-01-22 09:24 - 2015-01-22 09:24 - 00000000 ____D () C:\Users\renee\AppData\Local\{7BD61835-5C3B-4AAB-8CFB-4966E924A6D2}
2015-01-21 10:41 - 2015-01-21 10:42 - 00000000 ____D () C:\Users\renee\AppData\Local\{8FFD8FBD-DE49-4130-8A78-405EDB3CDE9B}
2015-01-15 22:14 - 2015-01-15 22:14 - 00009110 _____ () C:\Users\renee\Downloads\FwdBlueAngelsupclose
2015-01-14 16:50 - 2015-01-22 19:15 - 00002143 _____ () C:\Users\Public\Desktop\Google Chrome.lnk
2015-01-14 16:48 - 2015-01-23 13:38 - 00000000 ____D () C:\FRST
2015-01-14 16:48 - 2015-01-14 16:48 - 00305664 _____ (Secure By Design Inc.) C:\Users\renee\Downloads\Ninite Air Auslogics Chrome Firefox Java 8 Installer.exe
2015-01-14 16:47 - 2015-01-14 16:47 - 02125312 _____ (Farbar) C:\Users\renee\Downloads\FRST64.exe
2015-01-14 16:29 - 2015-01-23 13:27 - 00000448 _____ () C:\Windows\setupact.log
2015-01-14 16:29 - 2015-01-14 16:29 - 00000000 _____ () C:\Windows\setuperr.log
2015-01-14 16:28 - 2015-01-23 10:33 - 00001114 _____ () C:\Windows\PFRO.log
2015-01-14 16:25 - 2015-01-14 16:25 - 00044304 _____ () C:\Users\renee\Documents\cc_20150114_162426.reg
2015-01-14 08:03 - 2014-12-18 22:06 - 00210432 _____ (Microsoft Corporation) C:\Windows\system32\profsvc.dll
2015-01-14 08:03 - 2014-12-18 20:46 - 00141312 _____ (Microsoft Corporation) C:\Windows\system32\Drivers\mrxdav.sys
2015-01-14 08:03 - 2014-12-12 00:35 - 05553592 _____ (Microsoft Corporation) C:\Windows\system32\ntoskrnl.exe
2015-01-14 08:03 - 2014-12-12 00:31 - 00503808 _____ (Microsoft Corporation) C:\Windows\system32\srcore.dll
2015-01-14 08:03 - 2014-12-12 00:31 - 00296960 _____ (Microsoft Corporation) C:\Windows\system32\rstrui.exe
2015-01-14 08:03 - 2014-12-12 00:31 - 00050176 _____ (Microsoft Corporation) C:\Windows\system32\srclient.dll
2015-01-14 08:03 - 2014-12-12 00:11 - 03971512 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ntkrnlpa.exe
2015-01-14 08:03 - 2014-12-12 00:11 - 03916728 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ntoskrnl.exe
2015-01-14 08:03 - 2014-12-12 00:07 - 00043008 _____ (Microsoft Corporation) C:\Windows\SysWOW64\srclient.dll
2015-01-14 08:03 - 2014-12-05 23:17 - 00303616 _____ (Microsoft Corporation) C:\Windows\system32\nlasvc.dll
2015-01-14 08:03 - 2014-12-05 22:50 - 00156672 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ncsi.dll
2015-01-14 08:03 - 2014-12-05 22:50 - 00052224 _____ (Microsoft Corporation) C:\Windows\SysWOW64\nlaapi.dll
2015-01-01 17:39 - 2015-01-01 17:39 - 00000000 ____D () C:\Users\renee\AppData\Local\{F3B5514D-5E22-431C-93DB-5CB06B90CA5F}
 
==================== One Month Modified Files and Folders =======
 
(If an entry is included in the fixlist, the file\folder will be moved.)
 
2015-01-23 13:38 - 2010-07-22 05:30 - 01304903 _____ () C:\Windows\WindowsUpdate.log
2015-01-23 13:35 - 2009-07-14 00:13 - 00782510 _____ () C:\Windows\system32\PerfStringBackup.INI
2015-01-23 13:35 - 2009-07-13 23:45 - 00026192 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2015-01-23 13:35 - 2009-07-13 23:45 - 00026192 ____H () C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2015-01-23 13:29 - 2009-07-13 22:20 - 00000000 ___RD () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories
2015-01-23 13:28 - 2009-07-14 00:08 - 00000006 ____H () C:\Windows\Tasks\SA.DAT
2015-01-23 12:21 - 2009-07-13 21:34 - 00000474 _____ () C:\Windows\win.ini
2015-01-23 11:28 - 2009-07-14 00:08 - 00032582 _____ () C:\Windows\Tasks\SCHEDLGU.TXT
2015-01-23 11:06 - 2013-05-06 13:17 - 00775124 _____ () C:\Windows\SysWOW64\PerfStringBackup.INI
2015-01-23 10:40 - 2010-08-24 01:34 - 00000000 ____D () C:\Users\renee\AppData\Local\VirtualStore
2015-01-23 10:23 - 2009-07-13 22:20 - 00000000 __RHD () C:\Users\Default
2015-01-23 10:09 - 2009-07-13 21:34 - 00000215 _____ () C:\Windows\system.ini
2015-01-23 10:09 - 2009-07-13 21:34 - 00000027 _____ () C:\Windows\system32\Drivers\etc\hosts_bak_18
2015-01-23 09:35 - 2014-12-12 16:29 - 00035064 _____ () C:\Windows\system32\Drivers\TrueSight.sys
2015-01-22 17:06 - 2009-07-13 22:20 - 00000000 ____D () C:\Windows\system32\NDF
2015-01-22 09:37 - 2011-01-25 09:11 - 00000000 ____D () C:\Users\renee\AppData\Local\Windows Live
2015-01-14 17:02 - 2013-11-03 12:41 - 00000000 ____D () C:\Windows\system32\MRT
2015-01-14 16:57 - 2010-08-28 20:59 - 113365784 _____ (Microsoft Corporation) C:\Windows\system32\MRT.exe
2015-01-14 16:51 - 2014-11-07 09:33 - 00001133 _____ () C:\Users\renee\Desktop\Auslogics DiskDefrag.lnk
2015-01-14 16:49 - 2014-11-07 08:10 - 00001123 _____ () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Mozilla Firefox.lnk
2015-01-14 16:49 - 2014-11-07 08:10 - 00001111 _____ () C:\Users\Public\Desktop\Mozilla Firefox.lnk
2015-01-14 16:49 - 2014-11-07 08:10 - 00000000 ____D () C:\Program Files (x86)\Mozilla Maintenance Service
2015-01-14 16:49 - 2014-11-07 08:10 - 00000000 ____D () C:\Program Files (x86)\Mozilla Firefox
2015-01-14 16:28 - 2014-09-16 22:26 - 00000000 ____D () C:\AdwCleaner
2015-01-14 16:02 - 2010-09-28 23:21 - 00000000 ____D () C:\Users\renee\AppData\Local\CrashDumps
2015-01-14 15:59 - 2014-11-06 15:40 - 00000822 _____ () C:\Users\Public\Desktop\CCleaner.lnk
2015-01-14 15:59 - 2014-11-06 15:40 - 00000000 ____D () C:\Program Files\CCleaner
2015-01-14 15:51 - 2012-07-31 15:07 - 00701616 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe
2015-01-14 15:51 - 2012-07-31 15:07 - 00071344 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl
2015-01-14 15:45 - 2011-01-25 08:35 - 00000000 ____D () C:\Windows\Minidump
2015-01-14 15:44 - 2010-10-07 16:35 - 00000000 ____D () C:\Users\renee\AppData\Local\Adobe
2015-01-14 14:21 - 2014-09-16 22:36 - 00129752 _____ (Malwarebytes Corporation) C:\Windows\system32\Drivers\MBAMSwissArmy.sys
2015-01-13 05:05 - 2013-05-29 08:52 - 00000000 ____D () C:\Users\renee\AppData\Local\{B954239A-8F21-4753-A1E6-218A4FA97C01}
2015-01-10 19:54 - 2014-02-02 11:40 - 00000000 ____D () C:\Users\renee\AppData\Local\{5C27D6C2-2386-469B-8B38-7AB73AF9AE8D}
2015-01-10 06:28 - 2014-11-07 08:26 - 00002441 _____ () C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Adobe Reader XI.lnk
2015-01-06 04:36 - 2010-08-24 13:41 - 00298120 ____N (Microsoft Corporation) C:\Windows\system32\MpSigStub.exe
2014-12-27 18:36 - 2014-03-31 12:15 - 00000000 ____D () C:\Users\renee\AppData\Local\Intuit
2014-12-24 08:36 - 2014-02-04 15:09 - 00000000 ____D () C:\Users\renee\AppData\Local\{BBE708A1-192F-454D-B9BB-A65872011CBF}
 
==================== Files in the root of some directories =======
2011-03-19 22:41 - 2014-09-13 08:16 - 0001854 _____ () C:\Users\renee\AppData\Roaming\GhostObjGAFix.xml
2011-01-10 12:05 - 2011-01-10 12:05 - 0024209 _____ () C:\Users\renee\AppData\Roaming\UserTile.png
2012-03-12 14:37 - 2013-11-03 10:29 - 0002198 _____ () C:\ProgramData\hpzinstall.log
2013-02-25 11:28 - 2014-03-26 17:56 - 0000775 _____ () C:\ProgramData\Microsoft.SqlServer.Compact.400.32.bc
2010-07-22 05:50 - 2010-07-22 05:50 - 0000032 _____ () C:\ProgramData\{051B9612-4D82-42AC-8C63-CD2DCEDC1CB3}.log
2010-07-12 14:24 - 2010-07-12 14:24 - 0000109 _____ () C:\ProgramData\{1FBF6C24-C1FD-4101-A42B-0C564F9E8E79}.log
2010-07-22 05:49 - 2010-07-22 05:49 - 0000032 _____ () C:\ProgramData\{23F3DA62-2D9E-4A69-B8D5-BE8E9E148092}.log
2010-07-12 14:19 - 2010-07-12 14:20 - 0000105 _____ () C:\ProgramData\{40BF1E83-20EB-11D8-97C5-0009C5020658}.log
2010-07-22 05:49 - 2010-07-22 05:49 - 0000032 _____ () C:\ProgramData\{4FC670EB-5F02-4B07-90DB-022B86BFEFD0}.log
2010-07-22 05:49 - 2010-07-22 05:49 - 0000032 _____ () C:\ProgramData\{9867824A-C86D-4A83-8F3C-E7A86BE0AFD3}.log
2010-07-12 14:18 - 2010-07-12 14:19 - 0000107 _____ () C:\ProgramData\{C59C179C-668D-49A9-B6EA-0121CCFC1243}.log
2010-07-12 14:20 - 2010-07-12 14:24 - 0000110 _____ () C:\ProgramData\{CB099890-1D5F-11D5-9EA9-0050BAE317E1}.log
2010-07-22 05:50 - 2010-07-22 05:50 - 0000105 _____ () C:\ProgramData\{d36dd326-7280-11d8-97c8-000129760cbe}.log
 
==================== Bamital & volsnap Check =================
 
(There is no automatic fix for files that do not pass verification.)
 
C:\Windows\System32\winlogon.exe => File is digitally signed
C:\Windows\System32\wininit.exe => File is digitally signed
C:\Windows\SysWOW64\wininit.exe => File is digitally signed
C:\Windows\explorer.exe => File is digitally signed
C:\Windows\SysWOW64\explorer.exe => File is digitally signed
C:\Windows\System32\svchost.exe => File is digitally signed
C:\Windows\SysWOW64\svchost.exe => File is digitally signed
C:\Windows\System32\services.exe => File is digitally signed
C:\Windows\System32\User32.dll => File is digitally signed
C:\Windows\SysWOW64\User32.dll => File is digitally signed
C:\Windows\System32\userinit.exe => File is digitally signed
C:\Windows\SysWOW64\userinit.exe => File is digitally signed
C:\Windows\System32\rpcss.dll => File is digitally signed
C:\Windows\System32\Drivers\volsnap.sys => File is digitally signed
 
 
LastRegBack: 2015-01-14 11:54
 
==================== End Of Log ============================
 
quietman7 also recommended I provide my ComboFix log since I have already run it. That log can be reviewed below:
 
ComboFix 15-01-22.02 - renee 01/23/2015   9:55.1.4 - x64
Microsoft Windows 7 Home Premium   6.1.7601.1.1252.1.1033.18.2934.1254 [GMT -5:00]
Running from: c:\users\renee\Downloads\ComboFix.exe
AV: avast! Antivirus *Enabled/Updated* {17AD7D40-BA12-9C46-7131-94903A54AD8B}
SP: avast! Antivirus *Enabled/Updated* {ACCC9CA4-9C28-93C8-4B81-AFE241D3E736}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
.
.
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\users\renee\Documents\~WRL3840.tmp
c:\windows\security\Database\tmp.edb
.
.
(((((((((((((((((((((((((   Files Created from 2014-12-23 to 2015-01-23  )))))))))))))))))))))))))))))))
.
.
2015-01-23 15:09 . 2015-01-23 15:09 -------- d-----w- c:\users\Default\AppData\Local\temp
2015-01-23 15:00 . 2015-01-23 15:00 75888 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{EA1DFC54-7FB6-4D29-881B-2A4927945E94}\offreg.dll
2015-01-23 14:37 . 2014-12-02 10:26 11870360 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{EA1DFC54-7FB6-4D29-881B-2A4927945E94}\mpengine.dll
2015-01-22 21:28 . 2015-01-23 12:51 -------- d--h--w- c:\programdata\{9A88E103-A20A-4EA5-8636-C73B709A5BF8}
2015-01-14 21:49 . 2015-01-09 09:06 915376 ----a-w- c:\program files (x86)\Mozilla Firefox\uninstall\helper.exe
2015-01-14 21:49 . 2015-01-09 09:06 49776 ----a-w- c:\program files (x86)\Mozilla Firefox\browser\components\browsercomps.dll
2015-01-14 21:49 . 2015-01-09 09:07 73840 ----a-w- c:\program files (x86)\Mozilla Firefox\wow_helper.exe
2015-01-14 21:48 . 2015-01-23 14:34 -------- d-----w- C:\FRST
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2015-01-23 14:35 . 2014-12-12 21:29 35064 ----a-w- c:\windows\system32\drivers\TrueSight.sys
2015-01-14 21:57 . 2010-08-29 01:59 113365784 ----a-w- c:\windows\system32\MRT.exe
2015-01-14 20:51 . 2012-07-31 20:07 71344 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
2015-01-14 20:51 . 2012-07-31 20:07 701616 ----a-w- c:\windows\SysWow64\FlashPlayerApp.exe
2015-01-14 19:21 . 2014-09-17 03:36 129752 ----a-w- c:\windows\system32\drivers\MBAMSwissArmy.sys
2015-01-06 09:36 . 2010-08-24 18:41 298120 ------w- c:\windows\system32\MpSigStub.exe
2014-12-13 05:09 . 2014-12-19 19:51 144384 ----a-w- c:\windows\system32\ieUnatt.exe
2014-12-13 03:33 . 2014-12-19 19:51 115712 ----a-w- c:\windows\SysWow64\ieUnatt.exe
2014-12-11 02:09 . 2014-11-07 16:17 1050432 ----a-w- c:\windows\system32\drivers\aswsnx.sys
2014-12-11 02:08 . 2014-11-07 16:17 116728 ----a-w- c:\windows\system32\drivers\aswStm.sys
2014-12-11 02:08 . 2014-11-07 16:17 267632 ----a-w- c:\windows\system32\drivers\aswVmm.sys
2014-12-11 02:08 . 2014-11-07 16:17 436624 ----a-w- c:\windows\system32\drivers\aswSP.sys
2014-12-11 02:08 . 2014-11-07 16:17 65776 ----a-w- c:\windows\system32\drivers\aswRvrt.sys
2014-12-11 02:08 . 2014-12-11 02:08 364512 ----a-w- c:\windows\system32\aswBoot.exe
2014-12-11 02:08 . 2014-11-07 16:17 83280 ----a-w- c:\windows\system32\drivers\aswmonflt.sys
2014-12-11 02:08 . 2014-11-07 16:17 29208 ----a-w- c:\windows\system32\drivers\aswHwid.sys
2014-12-11 02:08 . 2014-11-07 16:17 93568 ----a-w- c:\windows\system32\drivers\aswRdr2.sys
2014-12-11 02:08 . 2014-12-11 02:08 43152 ----a-w- c:\windows\avastSS.scr
2014-12-04 02:50 . 2014-12-10 15:34 413184 ----a-w- c:\windows\system32\generaltel.dll
2014-12-04 02:50 . 2014-12-10 15:34 741376 ----a-w- c:\windows\system32\invagent.dll
2014-12-04 02:50 . 2014-12-10 15:34 396800 ----a-w- c:\windows\system32\devinv.dll
2014-12-04 02:50 . 2014-12-10 15:34 830976 ----a-w- c:\windows\system32\appraiser.dll
2014-12-04 02:50 . 2014-12-10 15:34 192000 ----a-w- c:\windows\system32\aepic.dll
2014-12-04 02:50 . 2014-12-10 15:34 227328 ----a-w- c:\windows\system32\aepdu.dll
2014-12-04 02:44 . 2014-12-10 15:34 1083392 ----a-w- c:\windows\system32\aeinv.dll
2014-12-01 23:28 . 2014-12-10 15:34 1232040 ----a-w- c:\windows\system32\aitstatic.exe
2014-11-27 01:43 . 2014-12-10 15:34 389296 ----a-w- c:\windows\system32\iedkcs32.dll
2014-11-22 03:13 . 2014-12-10 15:33 25059840 ----a-w- c:\windows\system32\mshtml.dll
2014-11-22 03:06 . 2014-12-10 15:34 2724864 ----a-w- c:\windows\system32\mshtml.tlb
2014-11-22 03:06 . 2014-12-10 15:34 4096 ----a-w- c:\windows\system32\ieetwcollectorres.dll
2014-11-22 02:50 . 2014-12-10 15:34 66560 ----a-w- c:\windows\system32\iesetup.dll
2014-11-22 02:50 . 2014-12-10 15:34 580096 ----a-w- c:\windows\system32\vbscript.dll
2014-11-22 02:49 . 2014-12-10 15:34 48640 ----a-w- c:\windows\system32\ieetwproxystub.dll
2014-11-22 02:49 . 2014-12-10 15:34 2885120 ----a-w- c:\windows\system32\iertutil.dll
2014-11-22 02:48 . 2014-12-10 15:33 88064 ----a-w- c:\windows\system32\MshtmlDac.dll
2014-11-22 02:41 . 2014-12-10 15:34 54784 ----a-w- c:\windows\system32\jsproxy.dll
2014-11-22 02:40 . 2014-12-10 15:34 34304 ----a-w- c:\windows\system32\iernonce.dll
2014-11-22 02:37 . 2014-12-10 15:34 633856 ----a-w- c:\windows\system32\ieui.dll
2014-11-22 02:35 . 2014-12-10 15:34 114688 ----a-w- c:\windows\system32\ieetwcollector.exe
2014-11-22 02:34 . 2014-12-10 15:34 814080 ----a-w- c:\windows\system32\jscript9diag.dll
2014-11-22 02:34 . 2014-12-10 15:34 6039552 ----a-w- c:\windows\system32\jscript9.dll
2014-11-22 02:26 . 2014-12-10 15:34 968704 ----a-w- c:\windows\system32\MsSpellCheckingFacility.exe
2014-11-22 02:22 . 2014-12-10 15:34 490496 ----a-w- c:\windows\system32\dxtmsft.dll
2014-11-22 02:20 . 2014-12-10 15:34 2724864 ----a-w- c:\windows\SysWow64\mshtml.tlb
2014-11-22 02:14 . 2014-12-10 15:34 77824 ----a-w- c:\windows\system32\JavaScriptCollectionAgent.dll
2014-11-22 02:09 . 2014-12-10 15:33 199680 ----a-w- c:\windows\system32\msrating.dll
2014-11-22 02:08 . 2014-12-10 15:34 92160 ----a-w- c:\windows\system32\mshtmled.dll
2014-11-22 02:07 . 2014-12-10 15:34 501248 ----a-w- c:\windows\SysWow64\vbscript.dll
2014-11-22 02:07 . 2014-12-10 15:34 62464 ----a-w- c:\windows\SysWow64\iesetup.dll
2014-11-22 02:06 . 2014-12-10 15:34 47616 ----a-w- c:\windows\SysWow64\ieetwproxystub.dll
2014-11-22 02:05 . 2014-12-10 15:34 64000 ----a-w- c:\windows\SysWow64\MshtmlDac.dll
2014-11-22 02:05 . 2014-12-10 15:34 316928 ----a-w- c:\windows\system32\dxtrans.dll
2014-11-22 01:54 . 2014-12-10 15:34 620032 ----a-w- c:\windows\SysWow64\jscript9diag.dll
2014-11-22 01:49 . 2014-12-10 15:34 718848 ----a-w- c:\windows\system32\ie4uinit.exe
2014-11-22 01:49 . 2014-12-10 15:34 800768 ----a-w- c:\windows\system32\msfeeds.dll
2014-11-22 01:47 . 2014-12-10 15:34 1359360 ----a-w- c:\windows\system32\mshtmlmedia.dll
2014-11-22 01:46 . 2014-12-10 15:34 2125312 ----a-w- c:\windows\system32\inetcpl.cpl
2014-11-22 01:43 . 2014-12-10 15:34 14412800 ----a-w- c:\windows\system32\ieframe.dll
2014-11-22 01:40 . 2014-12-10 15:34 60416 ----a-w- c:\windows\SysWow64\JavaScriptCollectionAgent.dll
2014-11-22 01:29 . 2014-12-10 15:34 4299264 ----a-w- c:\windows\SysWow64\jscript9.dll
2014-11-22 01:28 . 2014-12-10 15:34 2358272 ----a-w- c:\windows\system32\wininet.dll
2014-11-22 01:22 . 2014-12-10 15:34 2052096 ----a-w- c:\windows\SysWow64\inetcpl.cpl
2014-11-22 01:21 . 2014-12-10 15:34 1155072 ----a-w- c:\windows\SysWow64\mshtmlmedia.dll
2014-11-22 01:15 . 2014-12-10 15:34 1548288 ----a-w- c:\windows\system32\urlmon.dll
2014-11-22 01:03 . 2014-12-10 15:34 800768 ----a-w- c:\windows\system32\ieapfltr.dll
2014-11-22 01:00 . 2014-12-10 15:34 1888256 ----a-w- c:\windows\SysWow64\wininet.dll
2014-11-21 11:14 . 2014-09-17 03:35 63704 ----a-w- c:\windows\system32\drivers\mwac.sys
2014-11-21 11:14 . 2014-09-17 03:35 93400 ----a-w- c:\windows\system32\drivers\mbamchameleon.sys
2014-11-21 11:14 . 2013-11-03 16:24 25816 ----a-w- c:\windows\system32\drivers\mbam.sys
2014-11-19 09:31 . 2014-11-19 09:31 1217192 ----a-w- c:\windows\SysWow64\FM20.DLL
2014-11-11 03:09 . 2014-12-10 15:34 1424384 ----a-w- c:\windows\system32\WindowsCodecs.dll
2014-11-11 03:08 . 2014-11-19 01:34 241152 ----a-w- c:\windows\system32\pku2u.dll
2014-11-11 03:08 . 2014-11-19 01:34 728064 ----a-w- c:\windows\system32\kerberos.dll
2014-11-11 02:44 . 2014-12-10 15:34 1230336 ----a-w- c:\windows\SysWow64\WindowsCodecs.dll
2014-11-11 02:44 . 2014-11-19 01:33 186880 ----a-w- c:\windows\SysWow64\pku2u.dll
2014-11-11 02:44 . 2014-11-19 01:33 550912 ----a-w- c:\windows\SysWow64\kerberos.dll
2014-11-11 01:46 . 2014-12-10 15:34 119296 ----a-w- c:\windows\system32\drivers\tdx.sys
2014-11-08 03:16 . 2014-12-10 15:30 2048 ----a-w- c:\windows\system32\tzres.dll
2014-11-08 02:45 . 2014-12-10 15:30 2048 ----a-w- c:\windows\SysWow64\tzres.dll
2014-11-07 14:16 . 2014-11-07 14:16 43664 ----a-w- c:\windows\system32\drivers\hitmanpro37.sys
2014-11-07 13:16 . 2014-11-07 13:16 111016 ----a-w- c:\windows\system32\WindowsAccessBridge-64.dll
2014-11-07 13:12 . 2014-07-09 13:26 98216 ----a-w- c:\windows\SysWow64\WindowsAccessBridge-32.dll
2014-10-30 02:03 . 2014-12-10 15:30 165888 ----a-w- c:\windows\system32\charmap.exe
2014-10-30 01:45 . 2014-12-10 15:30 155136 ----a-w- c:\windows\SysWow64\charmap.exe
.
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"GarminExpressTrayApp"="c:\program files (x86)\Garmin\Express Tray\ExpressTray.exe" [2014-07-23 688984]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"AvastUI.exe"="c:\program files\AVAST Software\Avast\AvastUI.exe" [2015-01-09 5227112]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 5 (0x5)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableUIADesktopToggle"= 0 (0x0)
"SoftwareSASGeneration"= 1 (0x1)
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ   autocheck autochk *\0bootdelete
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\hitmanpro37]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\hitmanpro37.sys]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\HitmanPro37Crusader]
@=""
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\HitmanPro37CrusaderBoot]
@=""
.
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [x]
R3 AmUStor;AM USB Stroage Driver;c:\windows\system32\drivers\AmUStor.SYS;c:\windows\SYSNATIVE\drivers\AmUStor.SYS [x]
R3 hitmanpro37;HitmanPro 3.7 Support Driver;c:\windows\system32\drivers\hitmanpro37.sys;c:\windows\SYSNATIVE\drivers\hitmanpro37.sys [x]
R3 IEEtwCollectorService;Internet Explorer ETW Collector Service;c:\windows\system32\IEEtwCollector.exe;c:\windows\SYSNATIVE\IEEtwCollector.exe [x]
R3 JeppDrive;JeppDrive Service;c:\windows\system32\Drivers\JeppDrive.sys;c:\windows\SYSNATIVE\Drivers\JeppDrive.sys [x]
R3 netw5v64;Intel® Wireless WiFi Link 5000 Series Adapter Driver for Windows Vista 64 Bit;c:\windows\system32\DRIVERS\netw5v64.sys;c:\windows\SYSNATIVE\DRIVERS\netw5v64.sys [x]
R3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;c:\windows\system32\drivers\rdpvideominiport.sys;c:\windows\SYSNATIVE\drivers\rdpvideominiport.sys [x]
R3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt64win7.sys;c:\windows\SYSNATIVE\DRIVERS\Rt64win7.sys [x]
R3 SrvHsfHDA;SrvHsfHDA;c:\windows\system32\DRIVERS\VSTAZL6.SYS;c:\windows\SYSNATIVE\DRIVERS\VSTAZL6.SYS [x]
R3 SrvHsfV92;SrvHsfV92;c:\windows\system32\DRIVERS\VSTDPV6.SYS;c:\windows\SYSNATIVE\DRIVERS\VSTDPV6.SYS [x]
R3 SrvHsfWinac;SrvHsfWinac;c:\windows\system32\DRIVERS\VSTCNXT6.SYS;c:\windows\SYSNATIVE\DRIVERS\VSTCNXT6.SYS [x]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys;c:\windows\SYSNATIVE\drivers\tsusbflt.sys [x]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe;c:\windows\SYSNATIVE\Wat\WatAdminSvc.exe [x]
R3 yukonw7;NDIS6.2 Miniport Driver for Marvell Yukon Ethernet Controller;c:\windows\system32\DRIVERS\yk62x64.sys;c:\windows\SYSNATIVE\DRIVERS\yk62x64.sys [x]
R4 AESTFilters;Andrea ST Filters Service;c:\program files\IDT\WDM\AESTSr64.exe;c:\program files\IDT\WDM\AESTSr64.exe [x]
R4 DvmMDES;DeviceVM Meta Data Export Service;c:\swsetup\QuickWeb\QW.SYS\config\DVMExportService.exe;c:\swsetup\QuickWeb\QW.SYS\config\DVMExportService.exe [x]
R4 hpsrv;HP Service;c:\windows\system32\Hpservice.exe;c:\windows\SYSNATIVE\Hpservice.exe [x]
R4 HPWMISVC;HPWMISVC;c:\program files\Hewlett-Packard\HP Quick Launch\HPWMISVC.exe;c:\program files\Hewlett-Packard\HP Quick Launch\HPWMISVC.exe [x]
R4 IAStorDataMgrSvc;Intel® Rapid Storage Technology;c:\program files (x86)\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exe;c:\program files (x86)\Intel\Intel® Rapid Storage Technology\IAStorDataMgrSvc.exe [x]
R4 McComponentHostService;McAfee Security Scan Component Host Service;c:\program files\McAfee Security Scan\3.8.130\McCHSvc.exe;c:\program files\McAfee Security Scan\3.8.130\McCHSvc.exe [x]
R4 UNS;Intel® Management & Security Application User Notification Service;c:\program files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe;c:\program files (x86)\Intel\Intel® Management Engine Components\UNS\UNS.exe [x]
S0 aswRvrt;avast! Revert; [x]
S0 aswVmm;avast! VM Monitor; [x]
S1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys;c:\windows\SYSNATIVE\drivers\aswSnx.sys [x]
S1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys;c:\windows\SYSNATIVE\drivers\aswSP.sys [x]
S1 DVMIO;DeviceVM IO Service;c:\windows\system32\DRIVERS\dvmio.sys;c:\windows\SYSNATIVE\DRIVERS\dvmio.sys [x]
S2 aswHwid;avast! HardwareID;c:\windows\system32\drivers\aswHwid.sys;c:\windows\SYSNATIVE\drivers\aswHwid.sys [x]
S2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys;c:\windows\SYSNATIVE\drivers\aswMonFlt.sys [x]
S2 aswStm;aswStm;c:\windows\system32\drivers\aswStm.sys;c:\windows\SYSNATIVE\drivers\aswStm.sys [x]
S2 Garmin Core Update Service;Garmin Core Update Service;c:\program files (x86)\Garmin\Core Update Service\Garmin.Cartography.MapUpdate.CoreService.exe;c:\program files (x86)\Garmin\Core Update Service\Garmin.Cartography.MapUpdate.CoreService.exe [x]
S2 HP Wireless Assistant Service;HP Wireless Assistant Service;c:\program files\Hewlett-Packard\HP Wireless Assistant\HPWA_Service.exe;c:\program files\Hewlett-Packard\HP Wireless Assistant\HPWA_Service.exe [x]
S2 HPDrvMntSvc.exe;HP Quick Synchronization Service;c:\program files (x86)\Hewlett-Packard\Shared\HPDrvMntSvc.exe;c:\program files (x86)\Hewlett-Packard\Shared\HPDrvMntSvc.exe [x]
S2 IntuitUpdateServiceV4;Intuit Update Service v4;c:\program files (x86)\Common Files\Intuit\Update Service v4\IntuitUpdateService.exe;c:\program files (x86)\Common Files\Intuit\Update Service v4\IntuitUpdateService.exe [x]
S2 QDLService2kHP;Qualcomm Gobi 2000 Download Service (HP);c:\program files (x86)\QUALCOMM\QDLService2k\QDLService2kHP.exe;c:\program files (x86)\QUALCOMM\QDLService2k\QDLService2kHP.exe [x]
S2 xpssvc;Skyhook Wireless XPS Service;c:\program files\Skyhook Wireless\XPS\xpssvc.exe;c:\program files\Skyhook Wireless\XPS\xpssvc.exe [x]
S3 dc3d;MS Hardware Device Detection Driver (USB);c:\windows\system32\DRIVERS\dc3d.sys;c:\windows\SYSNATIVE\DRIVERS\dc3d.sys [x]
S3 HECIx64;Intel® Management Engine Interface;c:\windows\system32\DRIVERS\HECIx64.sys;c:\windows\SYSNATIVE\DRIVERS\HECIx64.sys [x]
S3 Impcd;Impcd;c:\windows\system32\DRIVERS\Impcd.sys;c:\windows\SYSNATIVE\DRIVERS\Impcd.sys [x]
S3 IntcDAud;Intel® Display Audio;c:\windows\system32\DRIVERS\IntcDAud.sys;c:\windows\SYSNATIVE\DRIVERS\IntcDAud.sys [x]
S3 Point64;Microsoft Mouse and Keyboard Center Filter Driver;c:\windows\system32\DRIVERS\point64.sys;c:\windows\SYSNATIVE\DRIVERS\point64.sys [x]
S3 qcfilterhp2k;Gobi 2000 USB Composite Device Filter Driver(03F0-251D);c:\windows\system32\DRIVERS\qcfilterhp2k.sys;c:\windows\SYSNATIVE\DRIVERS\qcfilterhp2k.sys [x]
S3 qcusbnethp2k;Gobi 2000 USB-NDIS miniport(03F0-251D);c:\windows\system32\DRIVERS\qcusbnethp2k.sys;c:\windows\SYSNATIVE\DRIVERS\qcusbnethp2k.sys [x]
S3 qcusbserhp2k;Gobi 2000 USB Device for Legacy Serial Communication(03F0-251D);c:\windows\system32\DRIVERS\qcusbserhp2k.sys;c:\windows\SYSNATIVE\DRIVERS\qcusbserhp2k.sys [x]
S3 XPSVCOM;XPSVCOM;c:\windows\system32\DRIVERS\XPSVCOM.sys;c:\windows\SYSNATIVE\DRIVERS\XPSVCOM.sys [x]
.
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\svchost]
hpdevmgmt REG_MULTI_SZ   hpqcxs08 hpqddsvc
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
2010-02-22 18:38 451872 ----a-w- c:\program files (x86)\Common Files\LightScribe\LSRunOnce.exe
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\active setup\installed components\{8A69D345-D564-463c-AFF1-A69D9E530F96}]
2015-01-23 00:14 1086280 ----a-w- c:\program files (x86)\Google\Chrome\Application\40.0.2214.91\Installer\chrmstp.exe
.
.
--------- X64 Entries -----------
.
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]
@="{472083B0-C522-11CF-8763-00608CC02F24}"
[HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]
2014-12-11 02:08 860984 ----a-w- c:\program files\AVAST Software\Avast\ashShA64.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Skyhook Wireless XPS Service"="c:\program files\Skyhook Wireless\XPS\xpscontrolpanel.exe" [2010-04-13 679240]
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
mLocal Page = c:\windows\SysWOW64\blank.htm
TCP: DhcpNameServer = 192.168.3.1
FF - ProfilePath - c:\users\renee\AppData\Roaming\Mozilla\Firefox\Profiles\c6f2dwlp.default\
.
- - - - ORPHANS REMOVED - - - -
.
BHO-{90b1ff72-e461-400e-84b3-c0ff85e0e553} - (no file)
BHO-{b7cb3289-aba0-47b3-a929-e63819a8eea9} - (no file)
Toolbar-{de1540e3-8f32-491f-9868-e0b9c191cdd7} - (no file)
Toolbar-Locked - (no file)
Toolbar-{4F524A2D-5354-2D53-5045-7A786E7484D7} - (no file)
Wow6432Node-HKLM-Run-<NO NAME> - (no file)
HKLM_Wow6432Node-ActiveSetup-{2D46B6DC-2207-486B-B523-A557E6D54B47} - start
Toolbar-Locked - (no file)
AddRemove-{08DB3902-2CE0-474D-BCE3-0177766CE9F1} - c:\program files (x86)\InstallShield Installation Information\{08DB3902-2CE0-474D-BCE3-0177766CE9F1}\setup.exe
.
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_16_0_0_257_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}\LocalServer32]
@="c:\\Windows\\system32\\Macromed\\Flash\\FlashUtil64_16_0_0_257_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{299817DA-1FAC-4CE2-8F48-A108237013BD}]
@Denied: (A 2) (Everyone)
@="IFlashBroker6"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{299817DA-1FAC-4CE2-8F48-A108237013BD}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{299817DA-1FAC-4CE2-8F48-A108237013BD}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_16_0_0_257_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}\LocalServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil32_16_0_0_257_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_16_0_0_257.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.16"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_16_0_0_257.ocx, 1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_16_0_0_257.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash32_16_0_0_257.ocx, 1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{299817DA-1FAC-4CE2-8F48-A108237013BD}]
@Denied: (A 2) (Everyone)
@="IFlashBroker6"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{299817DA-1FAC-4CE2-8F48-A108237013BD}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{299817DA-1FAC-4CE2-8F48-A108237013BD}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
Completion time: 2015-01-23  10:23:17
ComboFix-quarantined-files.txt  2015-01-23 15:23
.
Pre-Run: 147,550,203,904 bytes free
Post-Run: 146,984,570,880 bytes free
.
- - End Of File - - 19B92B837CCCF0A84466BF37836BDBAF
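
The central clue in this post is the second explorer.exe: Avast names C:\Windows\System32\Explorer.exe as the process contacting the blocked address, while the FRST "Bamital & volsnap Check" above only verified the copies at C:\Windows\explorer.exe and C:\Windows\SysWOW64\explorer.exe. The PowerShell script below is an added example, not code from the poster, from FRST or from ComboFix. Run from an elevated 64-bit PowerShell on the affected machine, it lists every running explorer.exe with its image path, parent process, working set, command line and Authenticode status, flags any instance whose image is not the %SystemRoot%\explorer.exe FRST verified, and then lists DLLs the process has loaded from outside the Windows and Program Files trees that do not carry a valid signature, which is what a genuine explorer.exe with an injected module would show. The trusted-root list and the "suspect" heuristics are this example's own assumptions. One caveat: on Windows 7 many Microsoft binaries are catalog-signed rather than embedded-signed, and the PowerShell 2.0 Get-AuthenticodeSignature does not consult catalogs, so "NotSigned" on a file under %SystemRoot% is not by itself a finding; an unsigned module loaded from a user-writable folder is.

```powershell
# Added example (not from the thread, FRST or ComboFix).
# Lists each running explorer.exe with image path, parent, working set and
# Authenticode status, flags instances not running from the shell image
# FRST verified (%SystemRoot%\explorer.exe), and lists loaded modules that
# live outside the Windows / Program Files trees without a valid signature.
# Run from an elevated 64-bit PowerShell (2.0 or later) on the affected host.

$shellImage = Join-Path $env:SystemRoot 'explorer.exe'

# Assumption of this example: code under these roots is "expected"; anything
# else loaded into the shell deserves a look.
$trustedRoots = @($env:SystemRoot, $env:ProgramFiles, ${env:ProgramFiles(x86)}) |
                Where-Object { $_ } | ForEach-Object { $_.TrimEnd('\') + '\' }

function Test-TrustedLocation([string]$path) {
    foreach ($root in $trustedRoots) {
        if ($path.StartsWith($root, [System.StringComparison]::OrdinalIgnoreCase)) { return $true }
    }
    return $false
}

function Get-SignerSummary([string]$path) {
    # Caveat: PowerShell 2.0 on Windows 7 ignores catalog signatures, so a
    # genuine OS file can come back "NotSigned" here; read that with care.
    if (-not $path -or -not (Test-Path -LiteralPath $path)) { return 'file missing' }
    $sig = Get-AuthenticodeSignature -FilePath $path
    if ($sig.Status -ne 'Valid') { return "signature $($sig.Status)" }
    return "valid, signed by: $($sig.SignerCertificate.Subject)"
}

Get-WmiObject Win32_Process -Filter "Name = 'explorer.exe'" | ForEach-Object {
    $proc       = $_
    $parent     = Get-WmiObject Win32_Process -Filter "ProcessId = $($proc.ParentProcessId)"
    $parentName = if ($parent) { $parent.Name } else { 'exited' }

    "PID $($proc.ProcessId)  parent $($proc.ParentProcessId) ($parentName)"
    "  image : $($proc.ExecutablePath)"
    "  WS    : $([math]::Round($proc.WorkingSetSize / 1MB)) MB"
    "  cmd   : $($proc.CommandLine)"
    "  signer: $(Get-SignerSummary $proc.ExecutablePath)"
    if ($proc.ExecutablePath -ne $shellImage) {
        "  !! not running from $shellImage -- treat this instance as suspect"
    }

    # A genuine explorer.exe can still be the alert source if a DLL was
    # injected into it, so inspect what it has loaded from unusual places.
    try {
        $modules = (Get-Process -Id $proc.ProcessId -ErrorAction Stop).Modules
    } catch {
        "  (module list unavailable: $($_.Exception.Message))"
        return
    }
    foreach ($m in $modules) {
        if (Test-TrustedLocation $m.FileName) { continue }
        $summary = Get-SignerSummary $m.FileName
        if ($summary -notlike 'valid*') {
            "  !! module $($m.FileName) [$summary]"
        }
    }
}
```

Run it while the runaway instance is alive (before killing it in Task Manager) so that its image path, parent and loaded modules are captured; a parent that is not userinit.exe or explorer.exe itself, or an image outside %SystemRoot%, is the line to take to the helper along with the Avast alert.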
 

 


#2 nasdaq

nasdaq

  • Malware Response Team
  • 38,223 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:10:35 PM

Posted 25 January 2015 - 10:13 AM




Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===

Open notepad (Start =>All Programs => Accessories => Notepad). Please copy the entire contents of the code box below.
start

CloseProcesses:

HKLM-x32\...\Run: [] => [X]
HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION
HKU\.DEFAULT\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION
HKU\S-1-5-21-3891340218-3492943677-1852639085-1000\SOFTWARE\Policies\Microsoft\Internet Explorer: Policy restriction <======= ATTENTION
SearchScopes: HKLM-x32 -> {A55716D7-684D-4B96-859F-2BB903E6D912} URL = http://www.bing.com/search?q={searchTerms}&form=HPNTDF&pc=HPNTDF&src=IE-SearchBox
SearchScopes: HKU\S-1-5-19 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-20 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
BHO-x32: No Name -> {90b1ff72-e461-400e-84b3-c0ff85e0e553} ->  No File
BHO-x32: No Name -> {b7cb3289-aba0-47b3-a929-e63819a8eea9} ->  No File
Toolbar: HKLM-x32 - No Name - {de1540e3-8f32-491f-9868-e0b9c191cdd7} -  No File
Toolbar: HKLM-x32 - No Name - {4F524A2D-5354-2D53-5045-7A786E7484D7} -  No File
Toolbar: HKU\S-1-5-21-3891340218-3492943677-1852639085-1000 -> No Name - {2318C2B1-4965-11D4-9B18-009027A5CD4F} -  No File
FF Plugin: @microsoft.com/GENUINE -> disabled No File
FF Plugin-x32: @ei.HeadlineAlley_29.com/Plugin -> C:\Program Files (x86)\HeadlineAlley_29EI\Installr\1.bin\NP29EISB.dll No File
FF Plugin-x32: @ElectionTracker_59.com/Plugin -> C:\Program Files (x86)\ElectionTracker_59\bar\1.bin\NP59Stub.dll No File
FF Plugin-x32: @microsoft.com/GENUINE -> disabled No File
FF HKLM-x32\...\Firefox\Extensions: [59ffxtbr@ElectionTracker_59.com] - C:\Program Files (x86)\ElectionTracker_59\bar\1.bin
CHR Plugin: (Native Client) - C:\Program Files (x86)\Google\Chrome\Application\40.0.2214.91\ppGoogleNaClPluginChrome.dll No File
CHR Plugin: (Shockwave Flash) - C:\Program Files (x86)\Google\Chrome\Application\40.0.2214.91\gcswf32.dll No File
CHR Plugin: (Adobe Acrobat) - C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Browser\nppdf32.dll No File
CHR Plugin: (Java Deployment Toolkit 6.0.290.11) - C:\Program Files (x86)\Java\jre6\bin\new_plugin\npdeployJava1.dll No File
CHR Plugin: (Java™ Platform SE 6 U29) - C:\Program Files (x86)\Java\jre6\bin\new_plugin\npjp2.dll No File
CHR Plugin: (Google Update) - C:\Program Files (x86)\Google\Update\1.3.21.99\npGoogleUpdate3.dll No File
CHR Plugin: (HeadlineAlley Installer Plugin Stub) - C:\Program Files (x86)\HeadlineAlley_29EI\Installr\1.bin\NP29EISB.dll No File
CHR Plugin: (Shockwave for Director) - C:\Windows\SysWOW64\Adobe\Director\np32dsw.dll No File
CHR Plugin: (Silverlight Plug-In) - c:\Program Files (x86)\Microsoft Silverlight\4.1.10111.0\npctrl.dll No File
CHR Plugin: (Default Plug-in) - default_plugin No File
CHR Extension: (Google Wallet) - C:\Users\renee\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2013-09-12]
S3 catchme; \??\C:\ComboFix\catchme.sys [X]
Task: {363F2A1E-6C80-48F1-8477-CB9EBBC47D35} - \Scheduled Update for Ask Toolbar No Task File <==== ATTENTION
AlternateDataStreams: C:\ProgramData\Temp:EA029835
AlternateDataStreams: C:\Users\renee\AppData\Roaming\Microsoft\Windows\Start Menu\Yahoo!.website:TASKICON_0favicon-2079221766
AlternateDataStreams: C:\Users\renee\AppData\Roaming\Microsoft\Windows\Start Menu\Yahoo!.website:TASKICON_1favicon1313128964
AlternateDataStreams: C:\Users\renee\AppData\Roaming\Microsoft\Windows\Start Menu\Yahoo!.website:TASKICON_2favicon-2092717923
C:\Program Files (x86)\ElectionTracker_59
C:\Program Files (x86)\HeadlineAlley_29EI

End
Save the file as fixlist.txt into the same folder as FRST.

Run FRST and click Fix only once and wait.

Restart the computer normally to reset the registry.

The tool will create a log (Fixlog.txt); please post it in your reply.
===

Download Security Check by screen317 from here
  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.
p.s.
If the SecurityCheck program fails to run for any reason, run it as an Administrator.

If the site is busy or not available use this mirror site:
http://www.bleepingcomputer.com/download/securitycheck/

How is the computer running now?
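
The fixlist above lists several NTFS alternate data streams (the `AlternateDataStreams:` lines) that FRST will delete. The following is an added example, not part of the thread and not FRST's own code, showing how to enumerate those streams yourself with PowerShell 3.0 or later, so they can be looked at before the fix and confirmed gone afterwards. The paths are the ones from the fixlist, with `$env:APPDATA` standing in for the hard-coded user profile; support for `-Stream` on directories (as opposed to files) varies across Windows PowerShell versions, so a directory target may simply return nothing, in which case `dir /R` from a command prompt shows the same information.

```powershell
# Added example (not from the thread or from FRST): list NTFS alternate data
# streams on the paths the fixlist names, ignoring the default ':$DATA' stream.
# Requires Windows PowerShell 3.0+ for Get-Item -Stream.
$Targets = @(
    'C:\ProgramData\Temp',
    (Join-Path $env:APPDATA 'Microsoft\Windows\Start Menu\Yahoo!.website')
)

function Get-AltStreams {
    param([string[]]$Path)
    foreach ($p in $Path) {
        if (-not (Test-Path -LiteralPath $p)) {
            Write-Warning "Not found: $p"
            continue
        }
        # -Stream * returns every stream, including the default ':$DATA';
        # only the extra ones are interesting here.
        Get-Item -LiteralPath $p -Stream * -ErrorAction SilentlyContinue |
            Where-Object { $_.Stream -ne ':$DATA' } |
            Select-Object FileName, Stream, Length
    }
}

$found = @(Get-AltStreams -Path $Targets)
if ($found.Count -gt 0) {
    $found | Format-Table -AutoSize
    # A small stream can be read (never executed) for triage, e.g.:
    # Get-Content -LiteralPath $found[0].FileName -Stream $found[0].Stream -Raw
} else {
    'No alternate data streams found on the listed paths.'
}
```

Run it once before applying the fixlist and once after the reboot: the second run should report no streams on those paths, which is the same thing Fixlog.txt will show for the `AlternateDataStreams` entries.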

#3 homepcsi

homepcsi
  • Topic Starter

  • Members
  • 19 posts
  • OFFLINE
  • Gender:Male
  • Local time:11:35 PM

Posted 26 January 2015 - 09:49 AM

Hi nasdaq and thank you for your help! :)

 

I performed the FRST fixlist.txt as you instructed and restarted the computer. Immediately upon logging back in, Avast Free Anti-Virus reported it blocked a malicious website from being opened by Explorer.exe. I will provide the screenshot below:

 

[screenshot attachment: CN5lWtF.png]

 

 

I also ran Security Check. Here is the log contents from that scan:

 

 Results of screen317's Security Check version 0.99.95  
 Windows 7 Service Pack 1 x64 (UAC is enabled)  
 Internet Explorer 11  
``````````````Antivirus/Firewall Check:``````````````
 Windows Firewall Enabled!  
avast! Antivirus   
 Antivirus up to date!   
`````````Anti-malware/Other Utilities Check:`````````
 Rootkit Unhooker Uninstall   
 Java 7 Update 55  
 Java 8 Update 25  
 Java version 32-bit out of Date!
  Java 64-bit 8 Update 31  
 Adobe Reader XI  
 Mozilla Firefox (35.0)
 Google Chrome (39.0.2171.99)
 Google Chrome (40.0.2214.91)
````````Process Check: objlist.exe by Laurent````````  
 AVAST Software Avast AvastSvc.exe  
 AVAST Software Avast avastui.exe  
`````````````````System Health check`````````````````
 Total Fragmentation on Drive C: 3%
````````````````````End of Log``````````````````````



#4 homepcsi

homepcsi
  • Topic Starter

  • Members
  • 19 posts
  • OFFLINE
  • Gender:Male
  • Local time:11:35 PM

Posted 26 January 2015 - 09:56 AM

Also, I forgot to mention, Explorer.exe is still hogging an extreme amount of RAM/CPU. The problem still persists.



#5 homepcsi

homepcsi
  • Topic Starter

  • Members
  • 19 posts
  • OFFLINE
  • Gender:Male
  • Local time:11:35 PM

Posted 26 January 2015 - 11:47 AM

Me again, and I apologize for going ahead with scans without you instructing me to, but Avast suggested I run a boot-time scan, so I figured while I awaited your response, I'd allow it to. The scan completed and found 20 infections in the User\AppData\LocalLow folder. All of them seem to be randomly named .dll files and Avast identified them all as "Threat: Win32:Malware-gen" except for one which was identified as "Threat:HTML:lframe-inf".

 

I allowed it to automatically fix all detected items and rebooted the computer. There is now only one instance of Explorer.exe running, as it should be, and it is hovering around a steady 14MB of RAM instead of 1.8GB or higher. CPU usage is stable, the Avast detection warnings stopped, and the computer is no longer slow. I think it's safe to say my problem is solved.

 

Nasdaq, thank you very much for your help and time.


Edited by homepcsi, 26 January 2015 - 11:48 AM.
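
The two symptoms in the posts above, an extra Explorer.exe instance whose memory climbs into the gigabytes and randomly named DLLs dropped under AppData\LocalLow, are both easy to check for from PowerShell. The script below is an added example, not something from the thread or from Avast, FRST or SecurityCheck. It assumes Windows PowerShell 3.0 or later on a Windows 7 host, that a healthy desktop has exactly one explorer.exe per logged-on session started from `C:\Windows\explorer.exe`, and a working-set threshold of 500 MB chosen only for illustration; the 30-day window for the DLL listing is likewise an assumption.

```powershell
# Added example (not from the thread, Avast, FRST or SecurityCheck).
# Part 1: report every explorer.exe, flagging an unexpected image path,
# an oversized working set, or more than one instance in the same session.
$ExpectedPath      = Join-Path $env:SystemRoot 'explorer.exe'   # C:\Windows\explorer.exe
$WorkingSetLimitMB = 500                                        # assumed threshold

function Get-ExplorerReport {
    Get-WmiObject Win32_Process -Filter "Name = 'explorer.exe'" | ForEach-Object {
        $parent     = Get-WmiObject Win32_Process -Filter "ProcessId = $($_.ParentProcessId)"
        $parentName = if ($parent) { $parent.Name } else { '(exited)' }
        $wsMB       = [math]::Round($_.WorkingSetSize / 1MB, 1)
        $flags      = @()
        # -ne is case-insensitive, so 'Explorer.EXE' still matches the expected path
        if ($_.ExecutablePath -and ($_.ExecutablePath -ne $ExpectedPath)) { $flags += 'unexpected path' }
        if ($wsMB -gt $WorkingSetLimitMB) { $flags += "working set > ${WorkingSetLimitMB}MB" }
        [pscustomobject]@{
            PID          = $_.ProcessId
            Session      = $_.SessionId
            Path         = $_.ExecutablePath
            WorkingSetMB = $wsMB
            ParentPID    = $_.ParentProcessId
            Parent       = $parentName
            Flags        = ($flags -join '; ')
        }
    }
}

# Part 2: DLLs recently written under the current user's LocalLow folder,
# with their Authenticode status (unsigned, randomly named files stand out).
function Get-LocalLowDlls {
    param([int]$Days = 30)   # assumed look-back window
    $root = Join-Path $env:USERPROFILE 'AppData\LocalLow'
    Get-ChildItem -LiteralPath $root -Recurse -Filter *.dll -ErrorAction SilentlyContinue |
        Where-Object { $_.LastWriteTime -gt (Get-Date).AddDays(-$Days) } |
        ForEach-Object {
            $sig = Get-AuthenticodeSignature -FilePath $_.FullName
            [pscustomobject]@{
                File      = $_.FullName
                SizeKB    = [math]::Round($_.Length / 1KB, 1)
                Modified  = $_.LastWriteTime
                Signature = $sig.Status      # Valid, NotSigned, HashMismatch, ...
            }
        }
}

$report = @(Get-ExplorerReport)
$report | Format-Table -AutoSize
$report | Group-Object Session | Where-Object { $_.Count -gt 1 } | ForEach-Object {
    Write-Warning "Session $($_.Name) has $($_.Count) explorer.exe processes"
}

Get-LocalLowDlls | Format-Table -AutoSize
```

On a clean machine the first table has one row per logged-on session with an empty Flags column, and the second table is empty or lists only signed DLLs from known software. A row whose path is not `C:\Windows\explorer.exe`, a working set that keeps growing between runs, or a batch of unsigned DLLs with random names in LocalLow is the picture described in this thread and worth handing to whoever is guiding the cleanup.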


#6 nasdaq

nasdaq

  • Malware Response Team
  • 38,223 posts
  • OFFLINE
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:10:35 PM

Posted 26 January 2015 - 01:49 PM

Good news.

I suggest you remove these old versions of Java using the Add/Remove Programs applet.

Java 7 Update 55
Java 8 Update 25

===

If all is well.

To learn more about how to protect yourself while on the internet, read this little guide, Best security practices. Keep safe.
http://www.bleepingcomputer.com/forums/t/407147/answers-to-common-security-questions-best-practices/

#7 nasdaq

nasdaq

  • Malware Response Team
  • 38,223 posts
  • OFFLINE
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:10:35 PM

Posted 01 February 2015 - 09:11 AM

It appears that this issue is resolved, therefore I am closing the topic. If that is not the case and you need or wish to continue with this topic, please send me or any Moderator a Personal Message (PM) that you would like this topic re-opened.



