
Tons of strange system processes taking up memory/running - PC


This topic is locked
30 replies to this topic

#1 PearlIzumi

  • Members
  • 50 posts
  • OFFLINE
  • Local time: 06:15 AM

Posted 10 February 2012 - 06:04 PM

Hey there - one of my PCs has been running awfully slow for quite some time and I suspect that there are quite a few things going on that are wrong. When you open up the task manager there is an insanely long list of things running, none of which I feel should be there. I tried running malwarebytes, which found a few things, but I think the problem is deeper than that.

Also, I cannot get DDS to run/open on the computer. I've tried multiple times and nothing happens.

Attached Files

  • Attached File  ark.txt   10.5KB   3 downloads



#2 CatByte

    bleepin' tiger

  • Malware Response Team
  • 14,664 posts
  • OFFLINE
  • Gender: Not Telling
  • Location: Canada
  • Local time: 10:15 AM

Posted 10 February 2012 - 07:34 PM

Hi,

Please do the following:


Download OTL to your Desktop
  • Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
  • Select All Users
  • Under the Custom Scan box paste this in
    netsvcs
    %SYSTEMDRIVE%\*.exe
    /md5start
    explorer.exe
    winlogon.exe
    Userinit.exe
    svchost.exe
    /md5stop
    %systemroot%\*. /rp /s
    CREATERESTOREPOINT
  • Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
  • When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
  • Post both logs


NEXT



  • Please download aswMBR.exe and save it to your desktop.
  • Double click aswMBR.exe to start the tool.
  • When asked if you want to download Avast's virus definitions please select Yes.
  • Click Scan

  • Upon completion of the scan, click Save log and save it to your desktop, and post that log in your next reply for review. Note - do NOT attempt any Fix yet.
  • You will also notice another file created on the desktop named MBR.dat. Right click that file and select Send To>Compressed (zipped) file. Attach that zipped file in your next reply as well.

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#3 PearlIzumi

  • Topic Starter
  • Members
  • 50 posts
  • OFFLINE
  • Local time: 06:15 AM

Posted 12 February 2012 - 03:59 PM

Working on aswMBR now. Will post those shortly. THANK YOU!


#4 PearlIzumi

  • Topic Starter
  • Members
  • 50 posts
  • OFFLINE
  • Local time: 06:15 AM

Posted 12 February 2012 - 04:28 PM

Here you go! Thanks again, L


#5 CatByte

    bleepin' tiger

  • Malware Response Team
  • 14,664 posts
  • OFFLINE
  • Gender: Not Telling
  • Location: Canada
  • Local time: 10:15 AM

Posted 12 February 2012 - 04:51 PM

Hi,

Please do the following:

Download ComboFix from one of the following locations:
Link 1
Link 2

VERY IMPORTANT !!! Save ComboFix.exe to your Desktop

* IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here
  • Double click on ComboFix.exe & follow the prompts.
As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Posted Image

  • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Posted Image

  • Click on Yes, to continue scanning for malware.
When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.
Notes:
1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. Do not "re-run" Combofix. If you have a problem, reply back for further instructions.

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#6 PearlIzumi

  • Topic Starter
  • Members
  • 50 posts
  • OFFLINE
  • Local time: 06:15 AM

Posted 12 February 2012 - 06:39 PM

Hi - so I ran combofix and it said that it was scanning for viruses, but when I returned to the computer half an hour later it appeared to be frozen in time with no results. Now that computer will no longer connect to the internet either. How should I proceed?

#7 CatByte

    bleepin' tiger

  • Malware Response Team
  • 14,664 posts
  • OFFLINE
  • Gender: Not Telling
  • Location: Canada
  • Local time: 10:15 AM

Posted 12 February 2012 - 06:49 PM

see if there is a combofix log at c:\combofix.txt

if not, please re-run combofix > post the resulting log

one of the services required to connect must have been infected and removed, so we will look for it

please run the following:

Please download Farbar Service Scanner and run it on the computer with the issue.
  • Make sure the following options are checked:
    • Internet Services
    • Windows Firewall
    • System Restore
    • Security Center
    • Windows Update
    • Windows Defender
  • Press "Scan".
  • It will create a log (FSS.txt) in the same directory the tool is run.
  • Please copy and paste the log to your reply.

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#8 PearlIzumi

  • Topic Starter
  • Members
  • 50 posts
  • OFFLINE
  • Local time: 06:15 AM

Posted 14 February 2012 - 05:17 PM

I tried to run combofix again and again it failed to complete the scan. There is no log. When I open to run it, it tells me that Symantec end virus is running even though it's not. I don't use that program.

I ran the Farbar successfully though.

Attached Files

  • Attached File  FSS.txt   4.65KB   2 downloads


#9 CatByte

    bleepin' tiger

  • Malware Response Team
  • 14,664 posts
  • OFFLINE
  • Gender: Not Telling
  • Location: Canada
  • Local time: 10:15 AM

Posted 14 February 2012 - 07:30 PM

Hi

IE proxy is enabled.
ProxyServer: 172.23.136.11:8080

did you set this proxy? If not, try clearing it

Open up I.E.
  • Check internet options settings.
  • Tools > Internet Options > Connections
  • LAN settings
  • Choose "automatically detect settings"
  • uncheck both proxy settings boxes

NEXT
  • Go to Control Panel and select Internet Options
  • Select the Connections TAB
  • Select LAN settings button
  • Ensure there is no tick in the Proxy Server box
  • Select OK and restart Internet explorer


NEXT

click start > run > type "services.msc" > click ok


navigate to the DHCP service (Dynamic Host Configuration Protocol) and set it to Auto start > now start the service


NEXT


Please download TDSSKiller.zip
  • Extract it to your desktop
  • Double click TDSSKiller.exe
  • when the window opens, click on Change Parameters
  • under "Additional options", put a check mark in the box next to "Detect TDLFS File System"
  • click OK
  • Press Start Scan
    • Only if Malicious objects are found then ensure Cure is selected
    • Then click Continue > Reboot now
  • Copy and paste the log in your next reply
    • A copy of the log will be saved automatically to the root of the drive (typically C:\)

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015
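The proxy and DHCP checks in the post above can also be done from a script. The following is an added example written for this page, not code from the thread or from the Farbar Service Scanner, and it assumes a Windows machine with PowerShell 3.0 or later; the registry path is the standard location behind Internet Options > Connections > LAN settings, the service short name Dhcp is the DHCP Client service, and the KnownProxies parameter and the function names are the example's own. It goes slightly beyond the post by also reporting an automatic configuration (PAC) script, which can redirect traffic in the same way as a fixed proxy. It only reads; the remediation lines that match the post's steps are left commented out.

```powershell
# Added example, not code from the thread or from any tool it names.
# Read-only audit of the per-user IE/WinINET proxy and the DHCP Client service.
# Assumes Windows with PowerShell 3.0+ (Get-CimInstance).

$IeSettingsKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'

function Get-IeProxyState {
    # ProxyEnable=1 plus a ProxyServer value is what "Use a proxy server" ticks;
    # AutoConfigURL is the PAC-script setting on the same dialog.
    $p = Get-ItemProperty -Path $IeSettingsKey -ErrorAction Stop
    [pscustomobject]@{
        ProxyEnable   = ($p.ProxyEnable -eq 1)
        ProxyServer   = $p.ProxyServer
        AutoConfigURL = $p.AutoConfigURL
    }
}

function Get-DhcpClientState {
    # Status comes from the service controller; StartMode from CIM because
    # Get-Service on older PowerShell versions exposes no startup type.
    $svc = Get-Service -Name Dhcp -ErrorAction Stop
    $cim = Get-CimInstance -ClassName Win32_Service -Filter "Name='Dhcp'"
    [pscustomobject]@{
        Status    = $svc.Status.ToString()
        StartMode = $cim.StartMode        # 'Auto', 'Manual' or 'Disabled'
    }
}

function Test-ConnectivitySettings {
    # Returns one finding string per condition of the kind the thread found.
    # KnownProxies: proxies the network legitimately uses (hypothetical parameter).
    param([string[]]$KnownProxies = @())
    $findings = @()

    $proxy = Get-IeProxyState
    if ($proxy.ProxyEnable -and $proxy.ProxyServer -and
        ($KnownProxies -notcontains $proxy.ProxyServer)) {
        $findings += "IE proxy enabled and not on the known list: $($proxy.ProxyServer)"
    }
    if ($proxy.AutoConfigURL) {
        $findings += "Automatic configuration script set: $($proxy.AutoConfigURL)"
    }

    $dhcp = Get-DhcpClientState
    if ($dhcp.Status -ne 'Running' -or $dhcp.StartMode -ne 'Auto') {
        $findings += "DHCP Client service is $($dhcp.Status), start mode $($dhcp.StartMode)"
    }
    $findings
}

Test-ConnectivitySettings -KnownProxies @()

# Remediation equivalent to the post's manual steps, intentionally commented out:
# Set-ItemProperty -Path $IeSettingsKey -Name ProxyEnable -Value 0
# Set-Service -Name Dhcp -StartupType Automatic; Start-Service -Name Dhcp
```

The address reported by the scanner, 172.23.136.11:8080, is in a private range, so it could be a proxy the organisation really uses; that is why the post asks whether the user set it. Pass the proxies the network is known to use in KnownProxies, and treat an enabled proxy that is not on that list, or a DHCP Client service that is stopped or not set to automatic start, as something to investigate rather than clear blindly.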


#10 PearlIzumi

  • Topic Starter
  • Members
  • 50 posts
  • OFFLINE
  • Local time: 06:15 AM

Posted 16 February 2012 - 05:29 PM

Thank you, internet is working again. No malware found with TDSS.

14:26:38.0923 7184 TDSS rootkit removing tool 2.7.13.0 Feb 15 2012 19:33:14
14:26:39.0690 7184 ============================================================
14:26:39.0690 7184 Current date / time: 2012/02/16 14:26:39.0690
14:26:39.0690 7184 SystemInfo:
14:26:39.0690 7184
14:26:39.0690 7184 OS Version: 5.1.2600 ServicePack: 2.0
14:26:39.0690 7184 Product type: Workstation
14:26:39.0690 7184 ComputerName: AO9-BO1
14:26:39.0690 7184 UserName: llindley
14:26:39.0690 7184 Windows directory: C:\WINDOWS
14:26:39.0690 7184 System windows directory: C:\WINDOWS
14:26:39.0690 7184 Processor architecture: Intel x86
14:26:39.0690 7184 Number of processors: 1
14:26:39.0690 7184 Page size: 0x1000
14:26:39.0690 7184 Boot type: Normal boot
14:26:39.0690 7184 ============================================================
14:26:41.0457 7184 Drive \Device\Harddisk0\DR0 - Size: 0x12A05F2000 (74.51 Gb), SectorSize: 0x200, Cylinders: 0x25FE, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xFF, Type 'K0', Flags 0x00000054
14:26:41.0614 7184 Drive \Device\Harddisk1\DR9 - Size: 0x1E3000000 (7.55 Gb), SectorSize: 0x200, Cylinders: 0x3D9, SectorsPerTrack: 0x3F, TracksPerCylinder: 0xFF, Type 'W'
14:26:41.0614 7184 \Device\Harddisk0\DR0:
14:26:41.0614 7184 MBR used
14:26:41.0614 7184 \Device\Harddisk0\DR0\Partition0: MBR, Type 0x7, StartLBA 0x17886, BlocksNum 0x94E7137
14:26:41.0614 7184 \Device\Harddisk1\DR9:
14:26:41.0614 7184 MBR used
14:26:41.0614 7184 \Device\Harddisk1\DR9\Partition0: MBR, Type 0xC, StartLBA 0x3F, BlocksNum 0xF17FC1
14:26:41.0661 7184 Initialize success
14:26:41.0661 7184 ============================================================

#11 CatByte

    bleepin' tiger

  • Malware Response Team
  • 14,664 posts
  • OFFLINE
  • Gender: Not Telling
  • Location: Canada
  • Local time: 10:15 AM

Posted 16 February 2012 - 08:53 PM

TDSSKiller doesn't appear to have run to completion

could you please delete the copy you have on your desktop, download a fresh copy and run it again, give it plenty of time


it should say something like this at the end when it is done

2011/07/19 00:38:16.0406 3068 ================================================================================
2011/07/19 00:38:16.0406 3068 Scan finished
2011/07/19 00:38:16.0406 3068 ================================================================================

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#12 PearlIzumi

  • Topic Starter
  • Members
  • 50 posts
  • OFFLINE
  • Local time: 06:15 AM

Posted 17 February 2012 - 01:56 PM

Still clear.


#13 CatByte

    bleepin' tiger

  • Malware Response Team
  • 14,664 posts
  • OFFLINE
  • Gender: Not Telling
  • Location: Canada
  • Local time: 10:15 AM

Posted 17 February 2012 - 07:32 PM

OK, that is a good sign

please delete the copy of combofix that you have on the desktop

download a fresh copy

now boot into safe mode and try running it in safe mode > click OK to run it if it gives you an AV error again

To Enter Safemode
  • Go to Start> Shut off your Computer> Restart
  • As the computer starts to boot-up, Tap the F8 KEY repeatedly,
  • this will bring up a menu.
  • Use the Up and Down Arrow Keys to scroll up to Safemode
  • Then press the Enter Key on your Keyboard
  • go into your usual account



If it still won't run, then try starting it with this command:

Press the WinKey + R to open a run box:

Copy/paste the following text into the open run box > Click OK

ComboFix /nombr

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#14 CatByte

    bleepin' tiger

  • Malware Response Team
  • 14,664 posts
  • OFFLINE
  • Gender: Not Telling
  • Location: Canada
  • Local time: 10:15 AM

Posted 23 February 2012 - 11:04 PM

Due to the lack of feedback, this topic is now closed. In the event you still have problems, please send me or any Moderator a Private Message and ask them to reopen this topic within the next 5 days. Please include a link to your topic in the Private Message. Thank you.

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015


#15 CatByte

    bleepin' tiger

  • Malware Response Team
  • 14,664 posts
  • OFFLINE
  • Gender: Not Telling
  • Location: Canada
  • Local time: 10:15 AM

Posted 28 February 2012 - 11:10 AM

This topic has been re-opened at the request of the person who originally posted.

Microsoft MVP - 2010, 2011, 2012, 2013, 2014, 2015




