
High network usage, Avast! constantly thinking, suspicious


19 replies to this topic

#1 windows8newb

  • Members
  • 140 posts
  • Local time: 05:53 AM

Posted 02 August 2015 - 11:27 AM

Greetings, this just started today.

 

Windows 8.1 Dell Inspiron laptop here.

 

My Internet today is constantly saying that it is receiving at 7 Mbps, even when I'm not doing anything.  Looking in the Performance Monitor, the thing taking up the network is an svchost (netsvcs), but lists its address as "a23-216-11-90.deploy.static.akamaitechnologies.com" which I find suspicious.  There are other svchost.exe's; another one gives its address as "https-68-142-107-129.lax.llnw.net".  I am near that location geographically, but not sure what it is or why it's taking so much network. 

 

(While I was typing this the svchost taking up the most memory changed address to "cds1174.lax.llnw.net".)

 

Looking in the Details of Task Manager, I see many svchost.exe, but all are in C:\Windows\System32, so that appeared normal.

 

The Avast! icon in the tray is constantly spinning, which makes me nervous.  It just updated today, too.  I ran a Quick Scan with Avast! which returned no threats found.

 

Restarting the computer did not fix this behavior. 

 

I don't think this should be related to a Windows Update as I saw suggested somewhere else; a manual check for updates shows nothing is waiting.  But just in case:  also, looking through my Windows Updates, a couple of weeks ago, my Windows Defender said an update was cancelled.  Should I be alarmed by this; is there any way to make it update?  I use Avast! so maybe it's okay if it's cancelled?

 

I ran a command prompt tasklist /SVC and here's what I got.

 

----

Image Name                     PID Services
========================= ======== ============================================
System Idle Process              0 N/A
System                           4 N/A
smss.exe                       428 N/A
csrss.exe                      588 N/A
wininit.exe                    648 N/A
csrss.exe                      664 N/A
winlogon.exe                   708 N/A
services.exe                   752 N/A
lsass.exe                      760 EFS, SamSs
svchost.exe                    840 BrokerInfrastructure, DcomLaunch, LSM,
                                   PlugPlay, Power, SystemEventsBroker
svchost.exe                    872 RpcEptMapper, RpcSs
dwm.exe                        972 N/A
svchost.exe                   1008 Audiosrv, Dhcp, EventLog,
                                   HomeGroupProvider, lmhosts, Wcmsvc, wscsvc
svchost.exe                    352 Appinfo, BITS, Browser, IKEEXT, iphlpsvc,
                                   LanmanServer, ProfSvc, Schedule, SENS,
                                   ShellHWDetection, Themes, Winmgmt, wuauserv
svchost.exe                    392 EventSystem, fdPHost, FontCache, netprofm,
                                   nsi, WdiServiceHost, WinHttpAutoProxySvc
igfxCUIService.exe             592 igfxCUIService1.0.0.0
svchost.exe                    804 AudioEndpointBuilder,
                                   DeviceAssociationService, NcbService,
                                   Netman, PcaSvc, SysMain, TrkWks,
                                   WdiSystemHost, WlanSvc
RtkAudioService64.exe          800 RtkAudioService
RAVBg64.exe                   1040 N/A
RAVBg64.exe                   1048 N/A
svchost.exe                   1072 CryptSvc, Dnscache, LanmanWorkstation,
                                   NlaSvc
wlanext.exe                   1280 N/A
conhost.exe                   1288 N/A
AvastSvc.exe                  1308 avast! Antivirus
spoolsv.exe                   1464 Spooler
svchost.exe                   1516 BFE, DPS, MpsSvc
armsvc.exe                    1624 AdobeARMservice
taskeng.exe                   1772 N/A
taskhostex.exe                1780 N/A
SynTPEnh.exe                  1816 N/A
GoogleUpdate.exe              1844 N/A
explorer.exe                  1904 N/A
AERTSr64.exe                  1664 AERTFilters
svchost.exe                   1768 DiagTrack
EvtEng.exe                    2088 EvtEng
HeciServer.exe                2176 Intel® Capability Licensing Service Interf
                                   ace
RegSrvc.exe                   2456 RegSrvc
svchost.exe                   2484 stisvc
PocketCloudService.exe        2628 WysePocketCloud
WyseRemoteAccess.exe          2784 WyseRemoteAccess
ZeroConfigService.exe         2852 ZeroConfigService
Dell.ClientFramework.exe      2892 My Dell Client Framework
unsecapp.exe                  3020 N/A
WmiPrvSE.exe                  3104 N/A
WmiPrvSE.exe                  3112 N/A
svchost.exe                   3492 FDResPub, SSDPSRV, TimeBroker
PresentationFontCache.exe     3620 FontCache3.0.0.0
RAVBg64.exe                   3876 N/A
GWX.exe                       3924 N/A
YCMMirage.exe                 3932 N/A
igfxEM.exe                    4052 N/A
igfxHK.exe                    4060 N/A
igfxTray.exe                  4080 N/A
SearchIndexer.exe             2372 WSearch
RtkNGUI64.exe                 2704 N/A
RAVBg64.exe                   4112 N/A
quickset.exe                  4224 N/A
rundll32.exe                  4260 N/A
CLMLSvc.exe                   4396 N/A
devmonsrv.exe                 4520 Bluetooth Device Monitor
AvastUI.exe                   4584 N/A
obexsrv.exe                   4592 Bluetooth OBEX Service
unsecapp.exe                  1460 N/A
IAStorIcon.exe                 140 N/A
OTBSurvey.exe                 3332 Dell Customer Connect
DellUpService.exe             2300 DellUpdate
IAStorDataMgrSvc.exe          4324 IAStorDataMgrSvc
DellUpTray.exe                1672 N/A
jhi_service.exe               2148 jhi_service
LMS.exe                       5004 LMS
SftService.exe                2024 SftService
Taskmgr.exe                   5000 N/A
perfmon.exe                   4664 N/A
firefox.exe                   5904 N/A
cmd.exe                       6112 N/A
conhost.exe                   1740 N/A
tasklist.exe                  5640 N/A
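The attribution done by hand above (a PID from Performance Monitor, then tasklist /SVC to see which services that svchost hosts) can be scripted. The following Python is an added example, not code from this thread or from any of the tools it mentions: it parses `tasklist /svc` and `netstat -ano` output, joins the two on PID, and reports the reverse-DNS name of each remote peer together with the services the owning process hosts. The inputs are constructed: the tasklist excerpt is copied from the listing above, the netstat rows and IPs are made up from the hostnames quoted in the post (plus a documentation-range placeholder), and the reverse-DNS table is hard-coded so the script runs offline; `live_rdns` is the hook for a real run.

```python
"""Tie a chatty svchost.exe back to the services it hosts.

Added example (not part of the thread): joins `tasklist /svc` output with
`netstat -ano` output on PID, reverse-resolves each remote IP, and notes
whether the owning process hosts the Windows Update services (wuauserv, BITS).
"""
import re
import socket

# Excerpt of the `tasklist /svc` output posted above. tasklist wraps long
# service lists onto indented continuation lines, exactly as shown here.
TASKLIST_SAMPLE = """\
Image Name                     PID Services
========================= ======== ============================================
System Idle Process              0 N/A
svchost.exe                    352 Appinfo, BITS, Browser, IKEEXT, iphlpsvc,
                                   LanmanServer, ProfSvc, Schedule, SENS,
                                   ShellHWDetection, Themes, Winmgmt, wuauserv
svchost.exe                   1072 CryptSvc, Dnscache, LanmanWorkstation,
                                   NlaSvc
AvastSvc.exe                  1308 avast! Antivirus
firefox.exe                   5904 N/A
"""

# Constructed `netstat -ano` rows (not captured from the poster's machine).
# The first two remote IPs are read off the reverse-DNS names the poster saw
# in Performance Monitor; 203.0.113.5 is a documentation-range placeholder.
NETSTAT_SAMPLE = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    192.168.1.10:49722     23.216.11.90:80        ESTABLISHED     352
  TCP    192.168.1.10:49730     68.142.107.129:443     ESTABLISHED     352
  TCP    192.168.1.10:49801     203.0.113.5:443        ESTABLISHED     5904
  UDP    0.0.0.0:5353           *:*                                    1072
"""

# Reverse-DNS answers for the sample IPs, taken from the hostnames in the
# post so the example runs offline. A live run would use live_rdns() below.
SAMPLE_RDNS = {
    "23.216.11.90": "a23-216-11-90.deploy.static.akamaitechnologies.com",
    "68.142.107.129": "https-68-142-107-129.lax.llnw.net",
}

# Services that legitimately pull large downloads from CDNs (Windows Update
# and its transfer service). Extend per environment.
UPDATE_SERVICES = {"wuauserv", "BITS"}


def parse_tasklist_svc(text):
    """Return {pid: (image_name, [service, ...])} from `tasklist /svc` output."""
    procs = {}
    current = None
    for line in text.splitlines():
        if not line.strip() or line.startswith(("Image Name", "=")):
            continue  # header and separator rows
        if line[0].isspace():
            # Indented line: more services for the previous process.
            if current is not None:
                procs[current][1].extend(s.strip() for s in line.split(",") if s.strip())
            continue
        m = re.match(r"^(.*?)\s+(\d+)\s+(.*)$", line)
        if not m:
            continue
        image, pid, rest = m.group(1), int(m.group(2)), m.group(3).strip()
        services = [] if rest == "N/A" else [s.strip() for s in rest.split(",") if s.strip()]
        procs[pid] = (image, services)
        current = pid
    return procs


def parse_netstat_ano(text):
    """Return [(proto, local, remote, state, pid)] for TCP rows of `netstat -ano`."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        # UDP rows have no State column (4 fields); only TCP rows carry a peer.
        if len(parts) == 5 and parts[0].startswith("TCP"):
            proto, local, remote, state, pid = parts
            rows.append((proto, local, remote, state, int(pid)))
    return rows


def live_rdns(ip):
    """Reverse-resolve an IP; returns None when there is no PTR record."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except OSError:
        return None


def attribute_connections(tasklist_text, netstat_text, rdns=SAMPLE_RDNS.get):
    """Join netstat rows to the hosting process and its services by PID."""
    procs = parse_tasklist_svc(tasklist_text)
    report = []
    for proto, local, remote, state, pid in parse_netstat_ano(netstat_text):
        ip = remote.rsplit(":", 1)[0]  # strip the port
        image, services = procs.get(pid, ("<unknown>", []))
        report.append({
            "pid": pid,
            "image": image,
            "services": services,
            "remote": rdns(ip) or ip,
            # True when this process hosts the Windows Update services, i.e.
            # the traffic is at least consistent with an update download.
            "update_client": bool(UPDATE_SERVICES & set(services)),
        })
    return report


if __name__ == "__main__":
    for r in attribute_connections(TASKLIST_SAMPLE, NETSTAT_SAMPLE):
        tag = "update services hosted" if r["update_client"] else "no update service"
        print(f'PID {r["pid"]:>5} {r["image"]:<14} -> {r["remote"]}  [{tag}]')
        if r["services"]:
            print("      hosts:", ", ".join(r["services"]))
```

Read this way, PID 352 is the svchost instance that hosts wuauserv and BITS, the pair that actually downloads update content, so sustained traffic from it to Akamai or Limelight CDN hosts is consistent with an update download rather than something that needs a malware scan on its own. The same volume from an svchost hosting none of those services, or from an image outside C:\Windows\System32 (which the poster had already checked), is what would deserve a closer look. Against a live machine, pass `rdns=live_rdns` and feed in the real `tasklist /svc` and `netstat -ano` output.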
 





#2 Firehouse

  • Members
  • 637 posts
  • Gender: Male
  • Local time: 01:53 PM

Posted 02 August 2015 - 11:32 AM

Hello,
 
please download MiniToolBox by Farbar and save it to your desktop.
 
Run the tool as Administrator and make sure that these options are checked:
 
  • Flush DNS
  • Reset IE Proxy Settings
  • Reset FF Proxy Settings
  • List Installed Programs
 
Post the log here.
 
Step 2
 
Download TFC by OldTimer and save it to your desktop.
 
Run it as Administrator and click on the Start button.
 
If the program needs a reboot, allow it to do so.
 
NOTE: If your desktop disappears, don't panic, it's normal.
 
Step 3
 
Scan with Malwarebytes Anti-Rootkit
 
Please download MBAR and save it to your desktop.
 
Run the tool as Administrator; the tool will extract itself and then launch.
 
Click Next to accept the terms and conditions, and click Update to obtain the latest definitions.
 
If malware is found click on the Cleanup button, but make sure that the Create restore point option is checked before proceeding!
 
The program will ask you to restart, allow it to do so.
 
Note: If you're experiencing internet connection issues or other anomalies after running MBAR and removing rootkits, it is recommended to run fixdamage.exe, located inside the mbar folder. Run it as Administrator and press Y if it asks whether you want to continue.
 
Step 4
 
Scan with Norton Power Eraser
 
CAUTION: NPE uses aggressive methods to detect and remove malware, so do not touch any of the settings!
 
Download NPE by Symantec and save it to your desktop.
 
Run the tool as Administrator, accept the license agreement, and click the Scan button.
 
The program will ask you to reboot to continue scanning (includes a rootkit scan), so allow it to restart.
 
After the restart the program will automatically launch itself and start scanning. Scanning takes 5-10 minutes, so be patient!
 
If malware is detected, make sure that the Create restore point option is checked, then click the Fix button. After that, click on Restart now to complete removal.
 
Step 5
 
Scan with Malwarebytes Anti-Malware
 
Download Malwarebytes and install it on your system (run setup as Administrator).
 
At the end of installation, uncheck "Enable free trial of Malwarebytes Premium", then click Finish.
 
Make sure you have the latest definitions by clicking on Update Now, then under Scan choose Threat Scan.
 
After scanning is done, click on Remove if malware is found; the tool will ask for a restart, allow it to do so.
 
Attach the MBAM log here (you can find it in History > Application Logs).
 
Step 6
 
Scan with Zemana AntiMalware
 
Download Zemana AntiMalware and install it on your system.
 
Under Scan type choose Full Scan and let the tool scan the system.
 
If malware is found click Next to remove it; if the tool asks for a restart, allow it.
 
If no malware is found, just exit the program.
 
NOTE: Leave actions at default.
 
Attach the log here.


#3 windows8newb

  • Topic Starter
  • Members
  • 140 posts
  • Local time: 05:53 AM

Posted 02 August 2015 - 12:44 PM

Currently posting from my iPhone as I may have a problem.

I ran MiniToolBox and TFC like you said. Malwarebytes Anti-Rootkit found nothing. The high network usage seems to have stopped. But I see Dism Servicing Host (in a temp folder) and SetupHost.exe (folder something like Windows.~BT\Sources) are taking a lot of memory.

The problem now is I download NPE and it asked to restart like you said. But my PC is trying to shut down but says "Keep your PC on until this is done. Installing update 1 of 1..." I wasn't aware I updated anything other than Avast today, but even so, could whatever NPE is trying to do interfere with an update?

It's been about 15 minutes now.

#4 Firehouse

  • Members
  • 637 posts
  • Gender: Male
  • Local time: 01:53 PM

Posted 02 August 2015 - 12:45 PM

Do a cold reset, Norton will load at startup. 



#5 windows8newb

  • Topic Starter
  • Members
  • 140 posts
  • Local time: 05:53 AM

Posted 02 August 2015 - 12:49 PM

Never mind, like 2 seconds later it restarted (of course) and NPE is running. Will proceed and post logs in a bit; Malwarebytes will take some time on my machine.

#6 Firehouse

  • Members
  • 637 posts
  • Gender: Male
  • Local time: 01:53 PM

Posted 02 August 2015 - 12:49 PM

Alright, no hurry .



#7 windows8newb

  • Topic Starter
  • Members
  • 140 posts
  • Local time: 05:53 AM

Posted 02 August 2015 - 01:02 PM

Ok here is a summary thus far:

 

The high network usage behavior seems to have stopped, but I didn't check it between steps so I'm not sure what exactly fixed it.  I ran MiniToolBox and TFC and then noticed it had stopped.

 

Dism Host Servicing Process (appears to be in a Temp file but access is denied) and Modern Setup Host (SetupHost.exe in C:\$Windows.~BT\Sources) are taking up huge amounts of memory.

Are these related to Windows 10 upgrade?  I don't want that so I never clicked to reserve it.

TFC did not ask to reboot.

Malwarebytes Anti-Rootkit just said Scan complete, no malware found, didn't ask to restart.  Already had Malwarebytes Anti-Rootkit, just updated and ran instead of downloading new.


MiniToolBox log:

 

MiniToolBox by Farbar  Version: 25-07-2015 01
Ran by Admin (administrator) on 02-08-2015 at 09:47:45
Running from "C:\Users\Alison\Desktop"
Microsoft Windows 8.1  (X64)
Model: Inspiron 5547 Manufacturer: Dell Inc.
Boot Mode: Normal
***************************************************************************

========================= Flush DNS: ===================================

Windows IP Configuration

Successfully flushed the DNS Resolver Cache.

"Reset IE Proxy Settings": IE Proxy Settings were reset.

"Reset FF Proxy Settings": Firefox Proxy settings were reset.


=========================== Installed Programs ============================

Adobe Acrobat Reader DC (HKLM-x32\...\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}) (Version: 15.008.20082 - Adobe Systems Incorporated)
Adobe Flash Player 18 NPAPI (HKLM-x32\...\Adobe Flash Player NPAPI) (Version: 18.0.0.209 - Adobe Systems Incorporated)
Amazon 1Button App (HKLM-x32\...\{0A7D6F3C-F2AB-48ED-BE23-99791BFF87D6}) (Version: 1.0.0.4 - Amazon)
Avast Free Antivirus (HKLM-x32\...\Avast) (Version: 10.3.2225 - AVAST Software)
Canon IJ Scan Utility (HKLM-x32\...\Canon_IJ_Scan_Utility) (Version:  - Canon Inc.)
Canon MG2500 series MP Drivers (HKLM\...\{1199FAD5-9546-44f3-81CF-FFDB8040B7BF}_Canon_MG2500_series) (Version: 1.00 - Canon Inc.)
Canon MG2500 series On-screen Manual (HKLM-x32\...\Canon MG2500 series On-screen Manual) (Version: 7.6.1 - Canon Inc.)
Canon MG2500 series User Registration (HKLM-x32\...\Canon MG2500 series User Registration) (Version:  - Canon Inc.)
Canon My Image Garden (HKLM-x32\...\Canon My Image Garden) (Version: 2.0.1 - Canon Inc.)
Canon My Image Garden Design Files (HKLM-x32\...\Canon My Image Garden Design Files) (Version: 2.0.0 - Canon Inc.)
Canon My Printer (HKLM-x32\...\CanonMyPrinter) (Version: 3.1.0 - Canon Inc.)
Canon Quick Menu (HKLM-x32\...\CanonQuickMenu) (Version: 2.2.1 - Canon Inc.)
CCleaner (HKLM\...\CCleaner) (Version: 4.16 - Piriform)
CPUID HWMonitor 1.25 (HKLM\...\CPUID HWMonitor_is1) (Version:  - )
CutePDF Writer 3.0 (HKLM\...\CutePDF Writer Installation) (Version:  3.0 - Acro Software Inc.)
CyberLink Media Suite 10 (HKLM-x32\...\InstallShield_{8F14AA37-5193-4A14-BD5B-BDF9B361AEF7}) (Version: 10.0 - CyberLink Corp.)
Dell Backup and Recovery - Support Software (HKLM-x32\...\{A9668246-FB70-4103-A1E3-66C9BC2EFB49}) (Version: 1.6.2.0 - Dell Inc.)
Dell Backup and Recovery (HKLM-x32\...\{0ED7EE95-6A97-47AA-AD73-152C08A15B04}) (Version: 1.6.2.0 - Dell Inc.)
Dell Customer Connect (HKLM-x32\...\{FEFDCDCF-C49C-45D0-AAF8-5345858ADEC7}) (Version: 1.2.1.0 - Dell Inc.)
Dell Digital Delivery (HKLM-x32\...\{03A9F528-A754-460F-B2C1-AC125A147114}) (Version: 2.8.5000.0 - Dell Products, LP)
Dell Product Registration (HKLM-x32\...\{764E68FE-C2F9-410E-90A8-CE7F8B9A36E2}) (Version: 2.03.0204 - Aviata Inc.)
Dell Touchpad (HKLM\...\SynTPDeinstKey) (Version: 18.0.5.1 - Synaptics Incorporated)
Dell Update (HKLM-x32\...\{90437913-9D4D-4D9D-B438-B8664DF851E9}) (Version: 1.7.1007.0 - Dell Inc.)
DSC/AA Factory Installer (HKLM\...\{F7A70D00-F283-45C8-B163-49EC365D7E27}) (Version: 3.5.6426.22 - PC-Doctor, Inc.) Hidden
Google Chrome (HKLM-x32\...\Google Chrome) (Version: 44.0.2403.125 - Google Inc.)
Google Update Helper (HKLM-x32\...\{60EC980A-BDA2-4CB6-A427-B07A5498B4CA}) (Version: 1.3.28.1 - Google Inc.) Hidden
Google Update Helper (HKLM-x32\...\{A92DAB39-4E2C-4304-9AB6-BC44E68B55E2}) (Version: 1.3.25.11 - Google Inc.) Hidden
Intel® Management Engine Components (HKLM-x32\...\{65153EA5-8B6E-43B6-857B-C6E4FC25798A}) (Version: 9.5.22.1760 - Intel Corporation)
Intel® Processor Graphics (HKLM-x32\...\{F0E3AD40-2BBD-4360-9C76-B9AC9A5886EA}) (Version: 10.18.14.4170 - Intel Corporation)
Intel® PROSet/Wireless Software for Bluetooth® Technology(patch version 3.0.1342.2) (HKLM\...\{302600C1-6BDF-4FD1-1311-148929CC1385}) (Version: 3.1.1311.0402 - Intel Corporation)
Intel® Rapid Storage Technology (HKLM\...\{409CB30E-E457-4008-9B1A-ED1B9EA21140}) (Version: 12.8.2.1000 - Intel Corporation)
Intel® PROSet/Wireless Software (HKLM-x32\...\{313c06de-4aa7-4a1f-930a-f10f80380426}) (Version: 17.14.0 - Intel Corporation)
LG ODD Auto Firmware Update (HKLM-x32\...\{6179550A-3E7C-499E-BCC9-9E8113E0A285}) (Version: 10.01.0712.01 - )
Malwarebytes Anti-Malware version 2.1.8.1057 (HKLM-x32\...\Malwarebytes Anti-Malware_is1) (Version: 2.1.8.1057 - Malwarebytes Corporation)
Microsoft Office (HKLM-x32\...\{90150000-0138-0409-0000-0000000FF1CE}) (Version: 15.0.4454.1510 - Microsoft Corporation)
Microsoft Silverlight (HKLM\...\{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}) (Version: 5.1.40416.0 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (HKLM-x32\...\{710f4c1c-cc18-4c49-8cbf-51240c89a1a2}) (Version: 8.0.61001 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.6161 (HKLM\...\{5FCE6D76-F5DC-37AB-B2B8-22AB8CEDB1D4}) (Version: 9.0.30729.6161 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17 (HKLM-x32\...\{9A25302D-30C0-39D9-BD6F-21E6EC160475}) (Version: 9.0.30729 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (HKLM-x32\...\{9BE518E6-ECC6-35A9-88E4-87755C07200F}) (Version: 9.0.30729.6161 - Microsoft Corporation)
Microsoft Visual C++ 2010  x64 Redistributable - 10.0.40219 (HKLM\...\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}) (Version: 10.0.40219 - Microsoft Corporation)
Microsoft Visual C++ 2010  x86 Redistributable - 10.0.40219 (HKLM-x32\...\{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}) (Version: 10.0.40219 - Microsoft Corporation)
Microsoft Visual C++ 2012 Redistributable (x64) - 11.0.61030 (HKLM-x32\...\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}) (Version: 11.0.61030.0 - Microsoft Corporation)
Mozilla Firefox 39.0 (x86 en-US) (HKLM-x32\...\Mozilla Firefox 39.0 (x86 en-US)) (Version: 39.0 - Mozilla)
Mozilla Maintenance Service (HKLM-x32\...\MozillaMaintenanceService) (Version: 31.0 - Mozilla)
My Dell (HKLM\...\PC-Doctor for Windows) (Version: 3.5.6426.22 - PC-Doctor, Inc.)
My Dell Client Framework (HKLM-x32\...\{05F1B866-2372-4E82-9AA8-C64FB11CEF8B}) (Version: 1.0.0.3 - Dell) Hidden
My Dell Client Framework (HKLM-x32\...\InstallShield_{05F1B866-2372-4E82-9AA8-C64FB11CEF8B}) (Version: 1.0.0.3 - Dell)
OpenOffice 4.1.1 (HKLM-x32\...\{9395F41D-0F80-432E-9A59-B8E477E7E163}) (Version: 4.11.9775 - Apache Software Foundation)
PocketCloud (HKLM-x32\...\{D9752C7D-A595-4687-A0D5-362E9C311C55}) (Version: 2.7.14 - Wyse Technology)
Quickset64 (HKLM\...\{87CF757E-C1F1-4D22-865C-00C6950B5258}) (Version: 10.16.007 - Dell Inc.)
Realtek High Definition Audio Driver (HKLM-x32\...\{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}) (Version: 6.0.1.7404 - Realtek Semiconductor Corp.)
Windows Frotz (HKLM-x32\...\WindowsFrotz) (Version:  - )
Windows Glulxe (HKLM-x32\...\WinGlulxe) (Version:  - )
YouCam (HKLM-x32\...\{01FB4998-33C4-4431-85ED-079E3EEFE75D}) (Version: 3.1.5324 - CyberLink Corp.) Hidden
YouCam (HKLM-x32\...\InstallShield_{01FB4998-33C4-4431-85ED-079E3EEFE75D}) (Version: 3.1.5324 - CyberLink Corp.) Hidden

**** End of log ****
 


TFC report:

 

Getting user folders.
 
Stopping running processes.
 
Emptying Temp folders.
 
 
User: Admin
->Temp folder emptied: 72844638 bytes
->Temporary Internet Files folder emptied: 9783932 bytes
->FireFox cache emptied: 11866603 bytes
->Google Chrome cache emptied: 10730070 bytes
->Flash cache emptied: 492 bytes
 
User: Administrator
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
 
User: Alison
->Temp folder emptied: 15079386 bytes
->Temporary Internet Files folder emptied: 17011549 bytes
->FireFox cache emptied: 9371096 bytes
->Google Chrome cache emptied: 54666307 bytes
->Flash cache emptied: 523 bytes
 
User: All Users
 
User: Default
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
 
User: Default User
 
User: Public
 
%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32 (64bit) .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 232789239 bytes
 
Emptying RecycleBin. Do not interrupt.
 
RecycleBin emptied: 16431688 bytes
Process complete!
 
Total Files Cleaned = 430.00 mb



#8 windows8newb

  • Topic Starter
  • Members
  • 140 posts
  • Local time: 05:53 AM

Posted 02 August 2015 - 01:03 PM

I will post NPE, then set up Malwarebytes (not Anti-rootkit) and that will take a while.  NPE found something.  I had it create a restore point and then fix the issue.  It restarted and did so.

 

NPE:

 

____________________________
Registry Key: HKEY_USERS\S-1-5-21-46811878-2307496345-1293814372-1004\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\"1803"
____________________________
____________________________
Registry Key: HKEY_USERS\S-1-5-21-46811878-2307496345-1293814372-1004\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\"1803"
____________________________

File Thumbprint - SHA:
Not Available
____________________________
 



#9 Firehouse

  • Members
  • 637 posts
  • Gender: Male
  • Local time: 01:53 PM

Posted 02 August 2015 - 01:13 PM

Ok, sounds good to me.



#10 windows8newb

  • Topic Starter
  • Members
  • 140 posts
  • Local time: 05:53 AM

Posted 02 August 2015 - 02:14 PM

Malwarebytes done, moving on to Zemana

 

I don't see crazy high usage of my network anymore, nor do I currently see Dism Host Servicing or Setuphost.exe.

 

So far the only thing that found anything was NPE, how bad was the registry key it fixed?

 

Malwarebytes log:

 

Malwarebytes Anti-Malware
www.malwarebytes.org

Scan Date: 8/2/2015
Scan Time: 11:04 AM
Logfile:
Administrator: Yes

Version: 2.1.8.1057
Malware Database: v2015.08.02.03
Rootkit Database: v2015.07.30.01
License: Free
Malware Protection: Disabled
Malicious Website Protection: Disabled
Self-protection: Disabled

OS: Windows 8.1
CPU: x64
File System: NTFS
User: Admin

Scan Type: Threat Scan
Result: Completed
Objects Scanned: 452556
Time Elapsed: 33 min, 26 sec

Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Enabled
Heuristics: Enabled
PUP: Enabled
PUM: Enabled

Processes: 0
(No malicious items detected)

Modules: 0
(No malicious items detected)

Registry Keys: 0
(No malicious items detected)

Registry Values: 0
(No malicious items detected)

Registry Data: 0
(No malicious items detected)

Folders: 0
(No malicious items detected)

Files: 0
(No malicious items detected)

Physical Sectors: 0
(No malicious items detected)


(end)



#11 Firehouse

  • Members
  • 637 posts
  • Gender: Male
  • Local time: 01:53 PM

Posted 02 August 2015 - 02:19 PM

Just a security zone modification.



#12 windows8newb

  • Topic Starter
  • Members
  • 140 posts
  • Local time: 05:53 AM

Posted 02 August 2015 - 02:21 PM

First thing Zemana found (it just started) is C:\Program Files\AVAST Software\Avast\WebRep\FF which it is labeling as a PUA.FirefoxExt!Gr.  However I think this is my Avast! extension for Firefox, so I'll keep it unless you know it to be harmful.

 

I will let it run for a while now and run an errand.



#13 Firehouse

  • Members
  • 637 posts
  • Gender: Male
  • Local time: 01:53 PM

Posted 02 August 2015 - 02:25 PM

It's a false positive. If multiple items were detected then set that item to ignore.



#14 windows8newb

  • Topic Starter
  • Members
  • 140 posts
  • Local time: 05:53 AM

Posted 02 August 2015 - 04:07 PM

Scan completed.  I have only been back at the computer for a little bit.  So far I don't see anything hogging my internet, although "System" in Task Manager spiked my disk usage to 100% for a few minutes.

 

Is there anything else I should run or do?  I'm not terribly worried unless you saw anything of concern in my logs.

 

Here is the Zemana log (I set the Avast! detection to be excluded, and it didn't find anything else):

 

Zemana AntiMalware 2.16.179.938 (Installed)

-------------------------------------------------------
Scan Result            : Completed
Scan Date              : 2015/8/2
Operating System       : Windows 8.1 64-bit
Processor              : 4X Intel® Core™ i7-4510U CPU @ 2.00GHz
BIOS Mode              : UEFI
CUID                   : 0095302AFB54CD430C46CA
Scan Type              : Deep Scan
Duration               : 26m 42s
Scanned Objects        : 201672
Detected Objects       : 1
Excluded Objects       : 0
Read Level             : Normal
Auto Upload            : Yes
Include All Extensions : No
Scan Documents         : No
Domain Info            : WORKGROUP,0,2
Detected Objects
-------------------------------------------------------

Avast Online Security
Status             : Scanned
Object             : %programw6432%\avast software\avast\webrep\ff
MD5                : -
Publisher          : -
Size               : -
Version            : -
Detection          : PUA.FirefoxExt!Gr
Cleaning Action    : Repair
Traces             :
                Browser Extension - Avast Online Security

Cleaning Result
-------------------------------------------------------
Cleaned               : 1
Reported as safe      : 0
Failed                : 0
 



#15 Firehouse

  • Members
  • 637 posts
  • Gender: Male
  • Local time: 01:53 PM

Posted 02 August 2015 - 04:19 PM

Very good. Now we will do a post-cleanup procedure and that's it.

 

Run Delfix by Xplode with the following checked:

Remove disinfection tools

Reset system settings

Purge system restore

 

Attach log here. http://www.bleepingcomputer.com/download/delfix/





