
Unexplained hard drive and processor activity and slowness


  • This topic is locked
15 replies to this topic

#1 joerie

joerie

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:02:38 PM

Posted 25 October 2015 - 06:05 AM

Dear experts,

My laptop shows unexplained hard drive, processor and internet activity and is generally slow. ESET and Malwarebytes found some malware and removed it, but that did not help. I also reduced the number of applications during start-up. I still think there is some malware on my computer and I have made logs via FRST. Could you please have a look at them to see if something is wrong? Thank you!



#2 satchfan

satchfan

  • Malware Response Team
  • 2,785 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Devon, UK
  • Local time:02:38 PM

Posted 26 October 2015 - 06:39 AM

Hello joerie and welcome to Bleeping Computer.

My name is Satchfan and I would be glad to help you with your computer problem.

Please read the following guidelines which will help to make cleaning your machine easier:
 

  • please follow all instructions in the order posted
  • please continue to review my answers until I tell you your machine appears to be clear. Absence of symptoms does not mean that everything is clear
  • all logs/reports, etc. must be posted in Notepad. Please ensure that word wrap is unchecked. In Notepad click Format, uncheck Word wrap if it is checked
  • if you don't understand something, please don't hesitate to ask for clarification before proceeding
  • the fixes are specific to your problem and should only be used for this issue on this machine.
  • please reply within 3 days. If you do not reply within this period I will post a reminder but topics with no reply in 4 days will be closed!

IMPORTANT:

Please DO NOT install/uninstall any programs unless asked to.
Please DO NOT run any scans other than those requested


P2P - I see you have P2P software, (uTorrent), installed on your machine.

We are not here to pass judgment on file-sharing as a concept but we will warn you that engaging in this activity will always make your computer very susceptible to infection and re-infection.

If your computer is infected, it almost certainly contributed to your current situation.

Please note: Even if you are using a "safe" P2P program, it is only the program that is safe. You will be sharing files from uncertified sources, and these are more often than not, infected. Those who write malware use P2P file-sharing as a major vehicle to spread their wares.

Please see this topic for more information:

P2P File Sharing Risks.

I would strongly recommend that you uninstall it now. You can do so via Control Panel, Programs, and then Programs and Features.

Should you decide to keep it, please don’t use it until we have finished up here.

===================================================

Note: Please carry out these instructions in the order given.

===================================================

Uninstall programs

Popcorn Time is considered to be Adware. It normally gets installed on your PC along with free software and after installation it starts displaying ads, pop-ups, banners on your PC or in browsers. I recommend you remove it.
 

  • hold down the Windows logo key and press X to open a menu at the lower-left area of the screen
  • select Programs and Features from the menu
  • search and select Popcorn Time then click on Uninstall
  • reboot your computer.

===================================================

NOTE: You need to move Farbar Recovery Scan Tool to your desktop otherwise the "fix" will not work.

  • go to your Downloads folder and locate Farbar Recovery Scan Tool
  • right click and select Cut
  • go to an empty spot on your desktop, right click and select Paste

Farbar Recovery Scan Tool should now be on your desktop.

Run Farbar Recovery Scan Tool

Open notepad. Please copy the contents of the code box below and paste it into Notepad.


CHR HomePage: Default -> hxxp://www.trovi.com/?gd=&ctid=CT3325159&octid=EB_ORIGINAL_CTID&ISID=MEBC69051-CDB3-43C4-BF6D-0089F7C5B53B&SearchSource=55&CUI=&UM=8&UP=SPB3CE7223-B019-4263-A45E-4E7EF217C73D&D=053115&SSPV=
FirewallRules: [TCP Query User{66037992-0030-4EA5-9908-44D71D94A5E6}C:\users\youri\appdata\local\popcorn time\nw.exe] => (Allow) C:\users\youri\appdata\local\popcorn time\nw.exe
FirewallRules: [UDP Query User{0027C705-ACDC-4E82-8801-CEA581E028BB}C:\users\youri\appdata\local\popcorn time\nw.exe] => (Allow) C:\users\youri\appdata\local\popcorn time\nw.exe
FirewallRules: [{84C3EAEA-1A55-4A01-8A1B-B31B1657B5E4}] => (Block) C:\users\youri\appdata\local\popcorn time\nw.exe
FirewallRules: [{A1A7C5FE-E6E6-4C09-8DF6-7F6835EFC16E}] => (Block) C:\users\youri\appdata\local\popcorn time\nw.exe
EmptyTemp:

NOTE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system

  • save the file as fixlist.txt in the same folder as FRST – NOTE: It's important that both files, FRST and fixlist.txt are in the same location or the fix will not work
  • run FRST64 then click Fix just once and wait
  • it will create a log (Fixlog.txt); please post it to your reply.

================================================

Download and run AdwCleaner

Download AdwCleaner from here and save it to your desktop.

  • run AdwCleaner
  • when it has finished, select Clean
  • if it asks to reboot, allow the reboot
  • on reboot a log will be produced; please attach the content of the log to your next reply.

================================================

Run Farbar Recovery Scan Tool

Please run FRST again and post the new log.

Logs to include with next post:

Fixlog.txt
AdwCleaner log
New Frst.txt


Thanks

Satchfan

 


My help is always free of charge. If you are happy with the help provided, if you wish you can make a donation to buy me a beer.
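
The FirewallRules lines in the fixlist above can be triaged mechanically. The following is an added example, not part of the original thread and not FRST's own code: it parses FRST-style `FirewallRules:` lines and flags programs that run from a user-writable AppData folder or that have both Allow and Block rules. The heuristics and function names are assumptions for illustration; the last sample line is constructed.

```python
import re
from collections import defaultdict

# FRST prints firewall rules as: FirewallRules: [rule name] => (Action) program path
RULE = re.compile(
    r"^FirewallRules: \[(?P<name>.*)\] => \((?P<action>Allow|Block)\) (?P<path>.+)$")
# Per-user AppData is writable without admin rights, so anything installed there
# did not need elevation to get a firewall exception.
USER_WRITABLE = re.compile(r"\\users\\[^\\]+\\appdata\\", re.IGNORECASE)

# First four lines are from the thread; the last one is constructed for contrast.
SAMPLE_LOG = r"""
FirewallRules: [TCP Query User{66037992-0030-4EA5-9908-44D71D94A5E6}C:\users\youri\appdata\local\popcorn time\nw.exe] => (Allow) C:\users\youri\appdata\local\popcorn time\nw.exe
FirewallRules: [UDP Query User{0027C705-ACDC-4E82-8801-CEA581E028BB}C:\users\youri\appdata\local\popcorn time\nw.exe] => (Allow) C:\users\youri\appdata\local\popcorn time\nw.exe
FirewallRules: [{84C3EAEA-1A55-4A01-8A1B-B31B1657B5E4}] => (Block) C:\users\youri\appdata\local\popcorn time\nw.exe
FirewallRules: [{A1A7C5FE-E6E6-4C09-8DF6-7F6835EFC16E}] => (Block) C:\users\youri\appdata\local\popcorn time\nw.exe
FirewallRules: [{00000000-0000-0000-0000-000000000000}] => (Allow) C:\Program Files\Example\example.exe
"""

def parse_rules(log_text):
    """Return one dict (name, action, path) per FirewallRules line."""
    rules = []
    for line in log_text.splitlines():
        match = RULE.match(line.strip())
        if match:
            rules.append(match.groupdict())
    return rules

def triage(rules):
    """Map each program path (lower-cased) to the reasons it deserves a look."""
    actions_by_program = defaultdict(set)
    for rule in rules:
        actions_by_program[rule["path"].lower()].add(rule["action"])
    findings = {}
    for path, actions in actions_by_program.items():
        reasons = []
        if USER_WRITABLE.search(path):
            reasons.append("program in user-writable AppData")
        if {"Allow", "Block"} <= actions:
            reasons.append("conflicting Allow and Block rules")
        if reasons:
            findings[path] = reasons
    return findings

if __name__ == "__main__":
    for program, reasons in triage(parse_rules(SAMPLE_LOG)).items():
        print(program, "->", "; ".join(reasons))
```
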


#3 joerie


Posted 26 October 2015 - 04:03 PM

Dear Satchfan,

Thank you for looking at my problem. I attached the files.

Regards,

Joerie




#4 satchfan


Posted 26 October 2015 - 05:35 PM

That's looking better joerie.

 

Can you please update and run Malwarebytes and send the new log.

 

Also, how is your computer now and what problems remain?

 

Satchfan




#5 joerie


Posted 27 October 2015 - 02:03 PM

Hereby the new scan results. I am not sure my computer is faster now, I will have to check more. It still seems a bit slow. What exactly was wrong with it?

Regards,

Joerie

Attached Files

  • Attached File  FRST.txt   46.41KB   1 downloads


#6 satchfan


Posted 27 October 2015 - 05:16 PM

Can you please update and run Malwarebytes and send the new log

 

Please send this log.

 

Thanks

 

Satchfan




#7 joerie


Posted 28 October 2015 - 12:58 PM

Hereby the malware log. 

Regards,

Joerie




#8 satchfan


Posted 28 October 2015 - 03:34 PM

That was OK so what problems remain?




#9 joerie


Posted 29 October 2015 - 12:02 PM

It seems a lot better now. I am not sure if it is because of the malware removal. I noticed that after stopping the VPN connection, there was less hard disk activity. What was exactly wrong with my computer?

Regards,

Joerie



#10 satchfan


Posted 30 October 2015 - 07:38 AM

Hi Joerie

 

I apologise for the delay but I have been very busy.
 

What was exactly wrong with my computer?

 

Trovi Search is a browser hijacker and that was removed from Firefox. Plus Popcorn Time which was adware.

 

 

From FRST fix log:

 

EmptyTemp: => 7.7 GB tijdelijke gegevens verwijderd

That was a LOT of temporary data that was removed. Many of those were likely caused by PIA Manager which creates folders in the Windows temp directory each time it is run.

 

 

It may be a good idea to run Eset again. If it doesn’t run, uninstall it and run it again.

Please let me see the results (if any).

Satchfan
 


Edited by satchfan, 30 October 2015 - 07:40 AM.



#11 joerie


Posted 31 October 2015 - 01:41 PM

Dear Satchfan,

Ran ESET again and it did not find anything. The hard disk activity seems to be linked to PIA, so I will have a look into that. Thank you very much for your help.

Regards,

Joerie



#12 satchfan


Posted 01 November 2015 - 03:46 AM

Are there any remaining problems? If all is well I'll send instructions to tidy up.




#13 satchfan


Posted 05 November 2015 - 06:35 AM

Hi joerie

It has been several days since I asked if there were any remaining problems.

Please let me know if you still need help. If I do not hear from you within 24 hours I'll assume that all is now OK and close this topic.

Satchfan




#14 joerie


Posted 05 November 2015 - 02:50 PM

Sorry for responding late. Everything is well now, thank you.
Regards

#15 satchfan


Posted 05 November 2015 - 04:29 PM

Glad to hear that all is well.

Now that you’re free from malware, as long as your computer seems to be running well, please follow these simple steps to tidy up your computer and decrease the likelihood of getting infected again:

Uninstall AdwCleaner

  • double click on adwcleaner.exe to run the tool
  • click on Uninstall
  • confirm with Yes.

===================================================

Download & run Delfix

  • download Delfix from here to remove many of the tools we've used during the cleaning process.
  • ensure “Remove disinfection tools” is checked.

Also place a checkmark next to:


o    Create registry backup
o    Purge system restore

  • click the Run button.

You can delete all other logs and programs we’ve used that are on your desktop. Just click on them and press Delete.

===================================================

Recommended programs

SpywareBlaster. SpywareBlaster protects against bad ActiveX, it immunizes your PC against them. It blocks over 11,000 bad sites and uses no resources of your computer.

======================

Update and run Malwarebytes. This really is an excellent program that you should also update and run on a regular basis, probably weekly.

======================

It’s important to keep programs up to date so that malware doesn't exploit any old security flaws.

FileHippo Update Checker is an extremely helpful program that will tell you which of your programs need to be updated.

======================

Download WOT

Web of Trust warns you about risky websites that try to scam visitors, deliver malware or send spam. Protect your computer against online threats by using WOT as your front-line layer of protection when browsing or searching in unfamiliar territory. WOT's color-coded icons show you ratings for 21 million websites, helping you avoid the dangerous sites:


green if it's safe
yellow for caution
red for unsafe
 

You can download the WOT add-on for Firefox, Chrome, Internet Explorer, Opera, and Safari browsers. It does not slow down your browsing experience, it is easy to use and free. Just click “Download” and you are ready to go!

======================

MVPS Hosts file replaces your current HOSTS file with one containing well known ad sites and other bad sites. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1 which is your local computer, meaning it will be difficult to infect yourself in the future.

A couple of links with information here and here which can answer any questions you might have about installing/using it.

======================

Unchecky

Be careful when downloading free software. Many free programs come bundled with adware, many of which cause redirects/popups and verge on being malware. There is a program that automatically “unchecks” the boxes you may not notice when downloading programs.

Download and install Unchecky.

======================

Download and install CryptoPrevent

Crypto Ransomware Warning

There are particularly nasty “Ransomware” infections out there at the moment that encrypt your files and the only way possible to get them “de-crypted” is to pay a ransom. You can read more about this here.

  • download CryptoPrevent
  • save the file to your Desktop and then open the program by clicking Run when prompted from your browser or by going to the desktop where the file was saved and double-clicking.
  • accept all the defaults during the install. The last screen of the install has a checkmark in "Launch CryptoPrevent". This will launch the program once you click Finish
  • you will get a prompt asking if you purchased a Product Key for Automatic Updates. Click No
  • you will then be prompted to learn more about automatic updates or if you want to purchase a key. This is up to you but you don't have to
  • click OK to continue and select your protection level. Go ahead and click OK.
  • click the Apply button to set Default protection
  • you may get a message stating that Windows Sidebar and Desktop Gadgets are a major security vulnerability and asking you if you want to disable them. If you don't use these features, answer Yes.

You are now protected.

Note: The free version doesn't provide automatic updates but should be updated often, (at least weekly), as this infection has serious consequences. To update it manually, open the program, select the “Updates” menu then select Check for Updates to see if there are any available.

===================================================

I also recommend that you read the following:

How to prevent malware by miekiemoes

Simple and easy ways to keep your computer safe and secure on the Internet by Lawrence Abrams

I will keep this open for 24 hours in case you have any problems, after which I’ll close the topic.

Safe computing

Satchfan
 

 


My help is always free of charge. If you are happy with the help provided, if you wish you can make a donation to buy me a beer.
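
The HOSTS-file blocking described in the last post maps unwanted names to 127.0.0.1; the same file can also be abused to point a name at some other address. The following is an added example, not part of the original thread and not MVPS tooling: it audits hosts-file text, listing names sinkholed to a loopback or 0.0.0.0 address, names redirected anywhere else, and malformed lines. The sample content and all names in it are constructed, and treating 0.0.0.0 as a sinkhole is an assumption.

```python
import ipaddress

# Names that legitimately resolve to loopback and are not blocklist entries.
LOCAL_NAMES = {"localhost", "localhost.localdomain", "ip6-localhost"}

# Constructed sample, not taken from a real blocklist.
SAMPLE_HOSTS = """\
# constructed sample hosts file
127.0.0.1   localhost
::1         localhost
127.0.0.1   ads.example.test  tracker.example.test   # two names on one line
0.0.0.0     banner.example.test
203.0.113.7 bank.example.test
not-an-ip   broken.example.test
"""

def audit_hosts(text):
    """Classify every hostname in hosts-file text.

    sinkholed  : names mapped to a loopback or unspecified address (blocked)
    redirected : (name, address) pairs mapped anywhere else; these override DNS
                 and should be reviewed, since a blocklist never needs them
    malformed  : 1-based line numbers whose first field is not an IP address
    """
    report = {"sinkholed": [], "redirected": [], "malformed": []}
    for number, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # drop comments and padding
        if not line:
            continue
        address, *names = line.split()
        try:
            ip = ipaddress.ip_address(address)
        except ValueError:
            report["malformed"].append(number)
            continue
        for name in (n.lower() for n in names):
            if name in LOCAL_NAMES:
                continue
            if ip.is_loopback or ip.is_unspecified:
                report["sinkholed"].append(name)
            else:
                report["redirected"].append((name, str(ip)))
    return report

if __name__ == "__main__":
    for category, items in audit_hosts(SAMPLE_HOSTS).items():
        print(category, items)
```
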




