Sign in with
Sign up | Sign in
Your question

High memory usage question/virus cleanup

Last response: in Windows 7
Share
December 7, 2011 3:05:23 AM

Hi, first off thanks for any help and i appreciate you guys taking the time to read this.

Amd Phenom II x4 B55 BE, 4gb ram, 2 1tb hdd, 1 250gb external, win7 prof. 64-bit, running kaspersky now. Was using avast prior to problem.

Ok to the problem: Unusual or perhaps just new memory usage being high (cpu usage just fine)

Direct cause: svchost.exe (system, pid 888) to be exact

Possible Indirect Cause: Virus (most notably the fakeAV trojan)

Ok, so i got the fakeAV trojan last night late. I have i believe cleaned it completely, still running a few last scans to check, then rerunning a few in safe mode, but so far everything has come back clean lately. (at least each program once clean, usually multiple).

So what this virus does is install a fake av pop up, which of course didn't click and a program called arc.exe (which runs in task manager as microsoft 8 direct blah blah bull) and downloads trojans.

So I manually deleted (end process tree, file location, delete, it was in a temp folder) the arc.exe (which was the fake anti-virus pop up blocking me from accessing anything on my computer), but it damaged the registry and I could no longer execute any .exe files, open any programs, or install anything. I did the manual delete etc etc in safe mode with networking.

So out of necessity I restored the computer to a week ago to fix the registry/file access issue to be able to get av software etc etc.

(I also deleted all the temp folders, prefetch (it had a lot of download instances of the trojan for the arc.exe file) and a few spot files i knew were bad (i keep close tabs on what I've put on my computer when, and using search modified and looking at date created, deleted a few folders and such that were no good).

Then started to run the scans:

So I ran:
AVG (caught alot, twice clean)
AVIRA (caught some, twice clean)
Ad-Adware (caught some cookies and other things, thrice clean)
Malwarebytes (caught alot/most of it, thrice clean)
spybot s&d (ran clean)
CC Cleaner (clean, some stuff cleaned up, currently wiping free space to be extra careful)

Uninstalled all above besides malwarebytes and CC Cleaner.

Installed Kaspersky Internet Suite (full legimate copy i had, was saving it for a build later, but thought might as well) after all the clean scans besides CC Cleaner, found one more instance of the fakeAV. Then ran 3 full clean scans.

So onto the issue at hand. Ever since I got the virus under control, well seemingly under control (still making sure) my ram usage has become abnormally high (about 30-35 % when computer is 'idle'), when it was about maybe....12 or less before that. Now at first i assumed this was avg, cause i have had issues with it hogging system resources before. But the problem persists even after uninstalling AVG and installing Kaspersky instead.

So the process using the memory (or the abnormal amount) is one of the svchost.exe, more specifically the one with superfetch in it, pid 888.

Now, I did delete the prefetch folder and a whole lot of temp files (from almost every temp folder in win7) which I know means alot of programs have to be reset to load quickly etc etc using more system resources. However, I just want to double check that everything running under that svchost is legit.

Here's a pic of the process tree, and whats running.



Uploaded with ImageShack.us

you'll probably have to go to imageshack and then click on the image to be able to read it, thank you tho.
a b 8 Security
a b $ Windows 7
December 7, 2011 3:19:22 AM

Also, if u ever have any infection, do not ever restore, because the infection is there now too and u u will restore with infection as well.
m
0
l
Related resources
December 7, 2011 3:23:57 AM

i realize that...but i really didn't have a choice in the restore matter couldn't get anything to open/run/install.

I did run #1 and #2 (well spybot not combofix since im running 64 bit as the guide says)

both came back clean but i can run them again, i don't mind

Thanks for your help :wahoo:  , really appreciate how quick you responded.
m
0
l
December 7, 2011 3:32:48 AM

ok thanks, i'll run that, and post the logs from the rerun of malwarebytes and this as soon as cc cleaner is done.

Thank you.
m
0
l
December 7, 2011 5:33:23 AM

ok, ran malwarebytes:
Spoiler
Malwarebytes' Anti-Malware 1.51.2.1300
www.malwarebytes.org

Database version: 8326

Windows 6.1.7601 Service Pack 1 (Safe Mode)
Internet Explorer 9.0.8112.16421

12/7/2011 12:14:21 AM
mbam-log-2011-12-07 (00-14-21).txt

Scan type: Full scan (C:\|E:\|)
Objects scanned: 378458
Time elapsed: 26 minute(s), 23 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


and then spybot sd: nothing found, clean system

and then combofix:
Spoiler
ComboFix 11-12-06.01 - Brad 12/07/2011 0:19.1.4 - x64 NETWORK
Microsoft Windows 7 Professional 6.1.7601.1.1252.1.1033.18.4095.2741 [GMT -6:00]
Running from: c:\users\Brad\Downloads\ComboFix.exe
AV: Kaspersky Internet Security *Disabled/Updated* {56547CC9-C9B2-849D-8FEF-A496150D6A06}
FW: Kaspersky Internet Security *Disabled* {6E6FFDEC-83DD-85C5-A4B0-0DA3EBDE2D7D}
SP: Kaspersky Internet Security *Disabled/Updated* {ED359D2D-EF88-8B13-B55F-9FE46E8A20BB}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
* Created a new restore point
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
F:\Autorun.inf
.
.
((((((((((((((((((((((((( Files Created from 2011-11-07 to 2011-12-07 )))))))))))))))))))))))))))))))
.
.
2011-12-07 04:16 . 2011-12-07 05:39 -------- d-----w- C:\virus stuff
2011-12-07 01:47 . 2010-10-06 02:26 109240 ----a-w- c:\program files (x86)\Mozilla Firefox\extensions\KavAntiBanner@kaspersky.ru_bak\components\abhelperxpcom.dll
2011-12-07 01:47 . 2010-10-06 02:27 150200 ----a-w- c:\program files (x86)\Mozilla Firefox\extensions\linkfilter@kaspersky.ru_bak\components\kavlinkfilter.dll
2011-12-07 01:46 . 2011-12-07 06:23 -------- d-----w- c:\programdata\Kaspersky Lab
2011-12-07 01:46 . 2011-12-07 01:46 -------- d-----w- c:\program files (x86)\Kaspersky Lab
2011-12-07 01:42 . 2011-12-07 01:42 -------- d-----w- c:\programdata\Kaspersky Lab Setup Files
2011-12-07 01:28 . 2011-12-07 01:28 -------- d-----w- c:\windows\system32\appmgmt
2011-12-07 00:26 . 2011-12-07 00:26 106 ---ha-w- C:\aaw7boot.cmd
2011-12-06 22:36 . 2011-12-07 05:41 -------- d-----w- c:\programdata\Spybot - Search & Destroy
2011-12-06 22:35 . 2010-01-11 00:40 118784 ----a-w- c:\windows\SysWow64\MSSTDFMT.DLL
2011-12-06 22:35 . 2010-01-11 00:40 1071088 ----a-w- c:\windows\SysWow64\MSCOMCTL.OCX
2011-12-06 06:48 . 2011-12-06 06:46 55384 ----a-w- c:\windows\system32\drivers\SBREDrv.sys
2011-12-06 06:42 . 2011-12-06 06:43 -------- dc----w- c:\windows\system32\DRVSTORE
2011-12-06 06:42 . 2011-12-06 06:42 -------- d-----w- c:\programdata\Lavasoft
2011-12-06 05:31 . 2011-12-06 05:31 -------- d--h--w- c:\programdata\Common Files
2011-12-06 05:29 . 2011-12-07 01:36 -------- d-----w- c:\programdata\MFAData
2011-12-06 05:18 . 2011-12-06 05:18 -------- d-----w- c:\users\Brad\AppData\Roaming\Malwarebytes
2011-12-06 05:18 . 2011-12-06 05:18 -------- d-----w- c:\programdata\Malwarebytes
2011-12-06 05:18 . 2011-08-31 23:00 25416 ----a-w- c:\windows\system32\drivers\mbam.sys
2011-12-06 05:16 . 2011-11-21 11:40 8822856 ----a-w- c:\programdata\Microsoft\Windows Defender\Definition Updates\{27F874E2-73A6-45FB-B640-87B010D87D64}\mpengine.dll
2011-11-22 03:46 . 2011-11-22 03:46 -------- d--h--r- c:\users\Brad\AppData\Roaming\SecuROM
2011-11-08 20:34 . 2011-10-01 05:45 886784 ----a-w- c:\program files\Common Files\System\wab32.dll
2011-11-08 20:34 . 2011-10-01 04:37 708608 ----a-w- c:\program files (x86)\Common Files\System\wab32.dll
2011-11-08 20:34 . 2011-09-29 16:29 1923952 ----a-w- c:\windows\system32\drivers\tcpip.sys
2011-11-08 20:34 . 2011-09-29 04:03 3144704 ----a-w- c:\windows\system32\win32k.sys
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-11-28 18:01 . 2011-04-26 06:23 256960 ----a-w- c:\windows\system32\aswBoot.exe
2011-11-11 02:55 . 2011-07-15 03:34 414368 ----a-w- c:\windows\SysWow64\FlashPlayerCPLApp.cpl
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Steam"="c:\program files (x86)\Steam\steam.exe" [2011-08-03 1242448]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"ATICustomerCare"="c:\program files (x86)\ATI\ATICustomerCare\ATICustomerCare.exe" [2009-06-14 307200]
"DivXUpdate"="c:\program files (x86)\DivX\DivX Update\DivXUpdate.exe" [2011-03-21 1230704]
"SunJavaUpdateSched"="c:\program files (x86)\Common Files\Java\Java Update\jusched.exe" [2010-10-29 249064]
"Adobe ARM"="c:\program files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2011-06-06 937920]
"avp"="c:\program files (x86)\Kaspersky Lab\Kaspersky Internet Security 2011\avp.exe" [2010-11-03 365336]
"Malwarebytes' Anti-Malware"="c:\virus stuff\Malwarebytes' Anti-Malware\mbamgui.exe" [2011-08-31 449608]
.
c:\users\Brad\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
OpenOffice.org 3.3.lnk - c:\program files (x86)\OpenOffice.org 3\program\quickstart.exe [2010-12-13 1198592]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 0 (0x0)
"ConsentPromptBehaviorUser"= 3 (0x3)
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
"PromptOnSecureDesktop"= 0 (0x0)
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\progra~2\KASPER~1\KASPER~1\sbhook.dll
.
[HKEY_LOCAL_MACHINE\software\wow6432node\microsoft\windows nt\currentversion\drivers32]
"mixer2"=wdmaud.drv
.
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Security Packages REG_MULTI_SZ kerberos msv1_0 schannel wdigest tspkg pku2u livessp
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001
.
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R2 clr_optimization_v4.0.30319_64;Microsoft .NET Framework NGEN v4.0.30319_X64;c:\windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe [2010-03-18 138576]
R3 ALSysIO;ALSysIO;c:\users\Brad\AppData\Local\Temp\ALSysIO64.sys [x]
R3 DAUpdaterSvc;Dragon Age: Origins - Content Updater;c:\program files (x86)\steam\steamapps\common\dragon age ultimate edition\bin_ship\DAUpdaterSvc.Service.exe [2011-08-27 25832]
R3 Futuremark SystemInfo Service;Futuremark SystemInfo Service;c:\program files (x86)\Futuremark\Futuremark SystemInfo\FMSISvc.exe [2011-03-01 130976]
R3 Lavasoft Kernexplorer;Lavasoft helper driver;c:\virus stuff\Lavasoft\Ad-Aware\KernExplorer64.sys [x]
R3 PCAMp50a64;PCAMp50a64 NDIS Protocol Driver;c:\windows\system32\Drivers\PCAMp50a64.sys [x]
R3 PCASp50a64;PCASp50a64 NDIS Protocol Driver;c:\windows\system32\Drivers\PCASp50a64.sys [x]
R3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\tsusbflt.sys [x]
R3 TsUsbGD;Remote Desktop Generic USB Device;c:\windows\system32\drivers\TsUsbGD.sys [x]
R3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\Wat\WatAdminSvc.exe [x]
S1 BIOS;BIOS;c:\windows\system32\drivers\BIOS64.sys [2009-06-10 14136]
S1 BS_I2cIo;BS_I2cIo;c:\windows\system32\drivers\BS_I2c64.sys [x]
S1 kl2;kl2;c:\windows\system32\DRIVERS\kl2.sys [x]
S1 KLIM6;Kaspersky Anti-Virus NDIS 6 Filter;c:\windows\system32\DRIVERS\klim6.sys [x]
S2 AdobeARMservice;Adobe Acrobat Update Service;c:\program files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe [2011-06-06 64952]
S2 cpuz135;cpuz135;c:\windows\system32\drivers\cpuz135_x64.sys [x]
S2 MBAMService;MBAMService;c:\virus stuff\Malwarebytes' Anti-Malware\mbamservice.exe [2011-08-31 366152]
S2 nvUpdatusService;NVIDIA Update Service Daemon;c:\program files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe [2011-04-08 2218600]
S2 Stereo Service;NVIDIA Stereoscopic 3D Driver Service;c:\program files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe [2011-04-08 378472]
S3 dc3d;MS Hardware Device Detection Driver;c:\windows\system32\DRIVERS\dc3d.sys [x]
S3 klmouflt;Kaspersky Lab KLMOUFLT;c:\windows\system32\DRIVERS\klmouflt.sys [x]
S3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [x]
S3 NVHDA;Service for NVIDIA High Definition Audio Driver;c:\windows\system32\drivers\nvhda64v.sys [x]
S3 Point64;Microsoft IntelliPoint Filter Driver;c:\windows\system32\DRIVERS\point64.sys [x]
S3 RTL8167;Realtek 8167 NT Driver;c:\windows\system32\DRIVERS\Rt64win7.sys [x]
.
.
.
--------- x86-64 -----------
.
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RtHDVCpl"="c:\program files\Realtek\Audio\HDA\RAVCpl64.exe" [2010-04-30 10806816]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2011-04-13 2399632]
"Start WingMan Profiler"="c:\program files\Logitech\Gaming Software\LWEMon.exe" [2010-06-14 190536]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"LoadAppInit_DLLs"=0x1
"AppInit_DLLs"=c:\progra~2\KASPER~1\KASPER~1\x64\sbhook64.dll
.
------- Supplementary Scan -------
.
uLocal Page = c:\windows\system32\blank.htm
uStart Page = hxxp://www.google.com/
mLocal Page = c:\windows\SysWOW64\blank.htm
IE: Add to Anti-Banner - c:\program files (x86)\Kaspersky Lab\Kaspersky Internet Security 2011\ie_banner_deny.htm
TCP: DhcpNameServer = 192.168.1.254
FF - ProfilePath - c:\users\Brad\AppData\Roaming\Mozilla\Firefox\Profiles\jc5s9sj8.default\
.
- - - - ORPHANS REMOVED - - - -
.
AddRemove-Wolfenstein - Enemy Territory - c:\wolfet\Uninstall\Unwise.exe
.
.
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-3998357918-2554074887-1086401637-1001\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
@Allowed: (Read) (RestrictedCode)
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil10p_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashUtil10p_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Shockwave Flash Object"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10p.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
@="0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
@="ShockwaveFlash.ShockwaveFlash.10"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10p.ocx, 1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="ShockwaveFlash.ShockwaveFlash"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
@Denied: (A 2) (Everyone)
@="Macromedia Flash Factory Object"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10p.ocx"
"ThreadingModel"="Apartment"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
@="FlashFactory.FlashFactory.1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
@="c:\\Windows\\SysWOW64\\Macromed\\Flash\\Flash10p.ocx, 1"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
@="{D27CDB6B-AE6D-11cf-96B8-444553540000}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
@="1.0"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
@="FlashFactory.FlashFactory"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Wow6432Node\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\PCW\Security]
@Denied: (Full) (Everyone)
.
------------------------ Other Running Processes ------------------------
.
c:\windows\SysWOW64\PnkBstrA.exe
c:\program files (x86)\OpenOffice.org 3\program\soffice.exe
c:\program files (x86)\OpenOffice.org 3\program\soffice.bin
.
**************************************************************************
.
Completion time: 2011-12-07 00:27:18 - machine was rebooted
ComboFix-quarantined-files.txt 2011-12-07 06:27
.
Pre-Run: 859,438,985,216 bytes free
Post-Run: 859,129,311,232 bytes free
.
- - End Of File - - 141E767AB1BD18C4D34237BDF1E4027C


don't really know what any of that really means

then cc cleaner for the registry, fixed a few things, nothing but uninstalled stuff though.

then the trojan removal tool: but the boot scan ran, but didn't give me a log or anything to read? Did i do something wrong. Fast scan gives a log, but not bootscan.

running kaspersky full scan: all clean

memory for svchost still really high, not annoyingly, i have plenty of memory available...just higher than before.

Thanks,

-losty-
m
0
l
a b 8 Security
a b $ Windows 7
December 7, 2011 5:44:47 AM

Looks clean, but delete all the system restore points.
m
0
l
December 7, 2011 5:50:36 AM

ok will do, and i shouldn't worry about the memory thing?

Appreciate everything, is there a rep or reward system i can give you?
m
0
l
a b 8 Security
a b $ Windows 7
December 7, 2011 5:54:19 AM

I would not worry about RAM, as it was scanned by Kaspersky and restarted multiple times : )
m
0
l
a b 8 Security
a b $ Windows 7
December 7, 2011 5:55:48 AM

Also, if u have made a recent back up for your PC, it may be infected too, so thing about that also.
m
0
l
a b 8 Security
a b $ Windows 7
December 7, 2011 6:41:28 AM

Good luck!
m
0
l
!