There is some kind of scan being run on my system


This topic is locked
18 replies to this topic

#1 KC13

KC13

  • Members
  • 92 posts

Posted 22 November 2015 - 01:13 PM

Hello,

As directed in this thread: http://www.bleepingcomputer.com/forums/t/596698/scanning/

There is some program or task scanning my system within minutes of startup. So far the cause has eluded detection. It is very frustrating as during the scanning the laptop is totally unusable. If a browser window is open, it keeps minimizing and maximizing without action on my part. I also get "Not Responding" messages in any open windows. This scanning can go on for between 5 and 30+ minutes.

EDIT: A scan started at 17:40, totally froze a game I was playing and was still running as of 2 min ago (18:13) when I forcibly turned off the laptop. Before doing so, I managed to get into the task manager (took about 10 min to open) and I noticed one process using over 1GB. It was:

C:\Windows\system32\svchost.exe -k netsvcs.

Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version:20-11-2015
Ran by KC13 (administrator) on DV9010CA (22-11-2015 12:52:38)
Running from C:\Users\KC13\Desktop
Loaded Profiles: KC13 (Available Profiles: KC13)
Platform: Windows 7 Ultimate Service Pack 1 (X64) Language: English (United States)
Internet Explorer Version 11 (Default browser: FF)
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

(NVIDIA Corporation) C:\Windows\System32\nvvsvc.exe
(Microsoft Corporation) C:\Windows\System32\rundll32.exe
(AVAST Software) C:\Program Files\AVAST Software\Avast\AvastSvc.exe
(Microsoft Corporation) C:\Windows\System32\wlanext.exe
(SUPERAntiSpyware.com) C:\Program Files\SUPERAntiSpyware\SASCORE64.EXE
(Synaptics, Inc.) C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
(Synaptics, Inc.) C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
(SUPERAntiSpyware) C:\Program Files\SUPERAntiSpyware\SUPERANTISPYWARE.EXE
(AVAST Software) C:\Program Files\AVAST Software\Avast\AvastUI.exe
( Hewlett-Packard Development Company, L.P.) C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch Buttons\QLBCtrl.exe
(Hewlett-Packard Development Company, L.P.) C:\Program Files (x86)\Hewlett-Packard\Shared\hpqWmiEx.exe
(Hewlett-Packard Development Company, L.P.) C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch Buttons\Com4QLBEx.exe
(Safer-Networking Ltd.) C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe
(Mozilla Corporation) C:\Program Files (x86)\Mozilla Firefox\firefox.exe
(Microsoft Corporation) C:\Windows\System32\dllhost.exe


==================== Registry (Whitelisted) ===========================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Run: [SynTPEnh] => C:\Program Files\Synaptics\SynTP\SynTPEnh.exe [1234216 2008-03-28] (Synaptics, Inc.)
HKLM-x32\...\Run: [AvastUI.exe] => C:\Program Files\AVAST Software\Avast\AvastUI.exe [7004376 2015-11-03] (AVAST Software)
HKLM-x32\...\Run: [QlbCtrl.exe] => C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe [323640 2009-11-24] ( Hewlett-Packard Development Company, L.P.)
HKU\S-1-5-19\...\Run: [Sidebar] => %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun
HKU\S-1-5-21-2611907897-445250194-531414781-1000\...\Run: [SUPERAntiSpyware] => C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe [7935904 2015-10-21] (SUPERAntiSpyware)
HKU\S-1-5-21-2611907897-445250194-531414781-1000\...\MountPoints2: {2472d489-5638-11e4-8105-001636e73440} - D:\HTC_Sync_Manager_PC.exe
HKU\S-1-5-21-2611907897-445250194-531414781-1000\...\MountPoints2: {51103a13-20c7-11e4-acdf-001636e73440} - E:\HWPcAssistant.exe
HKU\S-1-5-21-2611907897-445250194-531414781-1000\...\MountPoints2: {86228111-73ee-11e4-a800-001636e73440} - E:\HTC_Sync_Manager_PC.exe
HKU\S-1-5-21-2611907897-445250194-531414781-1000\...\MountPoints2: {9e23e6eb-0ec0-11e4-bb6b-001636e73440} - E:\HWPcAssistant.exe
ShellIconOverlayIdentifiers: [00avast] -> {472083B0-C522-11CF-8763-00608CC02F24} => C:\Program Files\AVAST Software\Avast\ashShA64.dll [2015-11-03] (AVAST Software)
GroupPolicyScripts\User: Restriction <======= ATTENTION

==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

ProxyEnable: [.DEFAULT] => Proxy is enabled.
ProxyServer: [.DEFAULT] => http=127.0.0.1:50051;https=127.0.0.1:50051;
Tcpip\Parameters: [DhcpNameServer] 192.168.0.1
Tcpip\..\Interfaces\{8CE83296-8831-4068-BE49-D24FF4BBA293}: [DhcpNameServer] 192.168.0.1
Tcpip\..\Interfaces\{9F06118B-5B84-4C71-ABA6-841BAE434CBB}: [DhcpNameServer] 192.168.0.1
Tcpip\..\Interfaces\{C5F2DC22-06B9-4D57-BD7E-2529209EACB9}: [DhcpNameServer] 192.168.0.1
Tcpip\..\Interfaces\{F2D8DB7F-F9F7-4CBF-89C6-B7FC3652B7BA}: [DhcpNameServer] 192.168.2.1
Tcpip\..\Interfaces\{F4A7210F-4CE1-4ED6-898F-64B0997A047F}: [DhcpNameServer] 192.168.0.1

Internet Explorer:
==================
HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
HKU\.DEFAULT\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
HKU\S-1-5-21-2611907897-445250194-531414781-1000\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
HKU\S-1-5-21-2611907897-445250194-531414781-1000\Software\Microsoft\Internet Explorer\Main,Start Page = file:///C:/Web/index.htm
SearchScopes: HKU\.DEFAULT -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-19 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-20 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
BHO: avast! Online Security -> {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} -> C:\Program Files\AVAST Software\Avast\aswWebRepIE64.dll [2015-11-03] (AVAST Software)
BHO-x32: Java™ Plug-In SSV Helper -> {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} -> C:\Program Files (x86)\Java\jre1.8.0_66\bin\ssv.dll [2015-11-12] (Oracle Corporation)
BHO-x32: avast! Online Security -> {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} -> C:\Program Files\AVAST Software\Avast\aswWebRepIE.dll [2015-11-03] (AVAST Software)
BHO-x32: Java™ Plug-In 2 SSV Helper -> {DBC80044-A445-435b-BC74-9C25C1C588A9} -> C:\Program Files (x86)\Java\jre1.8.0_66\bin\jp2ssv.dll [2015-11-12] (Oracle Corporation)
DPF: HKLM-x32 {5AE58FCF-6F6A-49B2-B064-02492C66E3F4} hxxp://catalog.update.microsoft.com/v7/site/ClientControl/en/x86/MuCatalogWebControl.cab?1426457126988

FireFox:
========
FF ProfilePath: C:\Users\KC13\AppData\Roaming\Mozilla\Firefox\Profiles\baax4zsx.default
FF Homepage: file:///C:/Web/index.htm
FF Plugin: @adobe.com/FlashPlayer -> C:\Windows\system32\Macromed\Flash\NPSWF64_19_0_0_245.dll [2015-11-13] ()
FF Plugin: @Microsoft.com/NpCtrl,version=1.0 -> c:\Program Files\Microsoft Silverlight\5.1.40728.0\npctrl.dll [2015-07-28] ( Microsoft Corporation)
FF Plugin-x32: @adobe.com/FlashPlayer -> C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_19_0_0_245.dll [2015-11-13] ()
FF Plugin-x32: @java.com/DTPlugin,version=11.66.2 -> C:\Program Files (x86)\Java\jre1.8.0_66\bin\dtplugin\npDeployJava1.dll [2015-11-12] (Oracle Corporation)
FF Plugin-x32: @java.com/JavaPlugin,version=11.66.2 -> C:\Program Files (x86)\Java\jre1.8.0_66\bin\plugin2\npjp2.dll [2015-11-12] (Oracle Corporation)
FF Plugin-x32: @Microsoft.com/NpCtrl,version=1.0 -> c:\Program Files (x86)\Microsoft Silverlight\5.1.40728.0\npctrl.dll [2015-07-28] ( Microsoft Corporation)
FF Plugin-x32: Adobe Reader -> C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AIR\nppdf32.dll [2015-09-30] (Adobe Systems Inc.)
FF Extension: Black Youtube Theme - C:\Users\KC13\AppData\Roaming\Mozilla\Firefox\Profiles\baax4zsx.default\extensions\{2c93446d-612b-416d-9af0-b7355797b611}.xpi [2015-09-28]
FF Extension: NewScrollbars (aka NoiaScrollbars) - C:\Users\KC13\AppData\Roaming\Mozilla\Firefox\Profiles\baax4zsx.default\extensions\NoiaScrollbars@ArisT2_Noia4dev.xpi [2015-10-17]
FF Extension: Classic Theme Restorer - C:\Users\KC13\AppData\Roaming\Mozilla\Firefox\Profiles\baax4zsx.default\extensions\ClassicThemeRestorer@ArisT2Noia4dev.xpi [2015-11-17]
FF Extension: No Name - C:\Users\KC13\AppData\Roaming\Mozilla\Firefox\Profiles\baax4zsx.default\Extensions\NoiaButtons@ArisT2_Noia4dev.xpi [2015-10-25] [not signed]
FF HKLM-x32\...\Firefox\Extensions: [wrc@avast.com] - C:\Program Files\AVAST Software\Avast\WebRep\FF
FF Extension: Avast Online Security - C:\Program Files\AVAST Software\Avast\WebRep\FF [2015-11-03]
FF HKLM-x32\...\Firefox\Extensions: [sp@avast.com] - C:\Program Files\AVAST Software\Avast\SafePrice\FF
FF Extension: Avast SafePrice - C:\Program Files\AVAST Software\Avast\SafePrice\FF [2015-11-03]

Chrome:
=======
CHR HKLM-x32\...\Chrome\Extension: [gomekmidlodglbbmalcneegieacbdmki] - C:\Program Files\AVAST Software\Avast\WebRep\Chrome\aswWebRepChrome.crx [2015-11-03]

==================== Services (Whitelisted) ========================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

R2 !SASCORE; C:\Program Files\SUPERAntiSpyware\SASCORE64.EXE [172344 2014-08-12] (SUPERAntiSpyware.com)
R2 avast! Antivirus; C:\Program Files\AVAST Software\Avast\AvastSvc.exe [174416 2015-11-03] (AVAST Software)
S4 MDM; C:\Program Files (x86)\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe [335872 2006-10-26] (Microsoft Corporation) [File not signed]
S3 SDScannerService; C:\Program Files (x86)\Spybot - Search & Destroy 2\SDFSSvc.exe [1738168 2014-06-24] (Safer-Networking Ltd.)
R3 SDUpdateService; C:\Program Files (x86)\Spybot - Search & Destroy 2\SDUpdSvc.exe [2088408 2014-06-27] (Safer-Networking Ltd.)
S3 SDWSCService; C:\Program Files (x86)\Spybot - Search & Destroy 2\SDWSCSvc.exe [171928 2014-04-25] (Safer-Networking Ltd.)
S3 WinDefend; C:\Program Files\Windows Defender\mpsvc.dll [1011712 2013-05-27] (Microsoft Corporation)

===================== Drivers (Whitelisted) ==========================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

R3 AmdK8; C:\Windows\System32\DRIVERS\amdk8.sys [64512 2009-07-13] (Microsoft Corporation) [File not signed]
R2 aswHwid; C:\Windows\system32\drivers\aswHwid.sys [28656 2015-11-03] (AVAST Software)
R2 aswMonFlt; C:\Windows\system32\drivers\aswMonFlt.sys [97648 2015-11-03] (AVAST Software)
R1 aswRdr; C:\Windows\system32\drivers\aswRdr2.sys [93528 2015-11-03] (AVAST Software)
R0 aswRvrt; C:\Windows\System32\Drivers\aswRvrt.sys [65224 2015-11-03] (AVAST Software)
R1 aswSnx; C:\Windows\system32\drivers\aswSnx.sys [1059656 2015-11-03] (AVAST Software)
R1 aswSP; C:\Windows\system32\drivers\aswSP.sys [449992 2015-11-03] (AVAST Software)
R2 aswStm; C:\Windows\system32\drivers\aswStm.sys [154256 2015-11-03] (AVAST Software)
R0 aswVmm; C:\Windows\System32\Drivers\aswVmm.sys [273784 2015-11-03] (AVAST Software)
S3 ebdrv; C:\Windows\system32\drivers\evbda.sys [3286016 2009-06-10] (Broadcom Corporation)
R0 fsbts; C:\Windows\System32\Drivers\fsbts.sys [56016 2014-11-09] ()
R3 HBtnKey; C:\Windows\System32\DRIVERS\cpqbttn.sys [19000 2010-02-24] (Hewlett-Packard Company)
S3 RT73; C:\Windows\System32\DRIVERS\Dr71WU.sys [437248 2007-07-27] (Ralink Technology Corp.)
S3 RtlWlanu; C:\Windows\System32\DRIVERS\rtwlanu.sys [3567320 2014-10-15] (Realtek Semiconductor Corporation                           )
R1 SASDIFSV; C:\Program Files\SUPERAntiSpyware\SASDIFSV64.SYS [14928 2011-07-22] (SUPERAdBlocker.com and SUPERAntiSpyware.com)
R1 SASKUTIL; C:\Program Files\SUPERAntiSpyware\SASKUTIL64.SYS [12368 2011-07-12] (SUPERAdBlocker.com and SUPERAntiSpyware.com)
S4 trufos; C:\Windows\System32\drivers\trufos.sys [350160 2015-04-20] (BitDefender S.R.L.)
U4 TrueSight; \??\C:\Windows\System32\drivers\TrueSight.sys [X]

==================== NetSvcs (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)


==================== One Month Created files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2015-11-22 12:52 - 2015-11-22 12:53 - 00011467 _____ C:\Users\KC13\Desktop\FRST.txt
2015-11-22 12:52 - 2015-11-22 12:52 - 00000000 ____D C:\FRST
2015-11-22 12:50 - 2015-11-22 12:50 - 02345984 _____ (Farbar) C:\Users\KC13\Desktop\FRST64.exe
2015-11-20 22:01 - 2015-11-20 22:02 - 00000977 _____ C:\Users\KC13\Desktop\BugOutBag.txt
2015-11-19 11:08 - 2015-11-19 11:08 - 00002759 _____ C:\Users\Public\Desktop\Sophos Virus Removal Tool.lnk
2015-11-19 11:08 - 2015-11-19 11:08 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Sophos
2015-11-19 11:08 - 2015-11-19 11:08 - 00000000 ____D C:\Program Files (x86)\Sophos
2015-11-19 10:49 - 2015-11-19 10:52 - 00000000 ____D C:\AdwCleaner
2015-11-12 19:48 - 2015-11-12 19:47 - 00110176 _____ (Oracle Corporation) C:\Windows\system32\WindowsAccessBridge-64.dll
2015-11-12 19:44 - 2015-11-12 19:48 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Java
2015-11-12 19:44 - 2015-11-12 19:44 - 00097888 _____ (Oracle Corporation) C:\Windows\SysWOW64\WindowsAccessBridge-32.dll
2015-11-12 19:43 - 2015-11-12 19:43 - 00000000 ____D C:\Program Files (x86)\Java
2015-11-03 16:02 - 2015-11-03 16:02 - 00000000 ____D C:\Users\KC13\AppData\Local\CEF
2015-11-03 15:58 - 2015-11-06 19:33 - 00002441 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Acrobat Reader DC.lnk
2015-11-03 11:09 - 2015-11-03 11:09 - 00386096 _____ (AVAST Software) C:\Windows\system32\aswBoot.exe
2015-11-03 11:09 - 2015-11-03 11:09 - 00043112 _____ (AVAST Software) C:\Windows\avastSS.scr
2015-11-02 16:58 - 2015-11-02 17:00 - 00000617 _____ C:\Users\KC13\Desktop\EverQuest Bypass.lnk
2015-10-25 14:30 - 2015-11-12 19:48 - 00000000 ____D C:\Users\KC13\.oracle_jre_usage

==================== One Month Modified files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2015-11-22 12:52 - 2015-08-05 18:12 - 00567926 _____ C:\Windows\setupact.log
2015-11-22 12:46 - 2015-10-15 16:26 - 00000000 ____D C:\Program Files (x86)\Mozilla Firefox
2015-11-22 12:42 - 2014-05-31 09:46 - 00000000 ____D C:\Program Files (x86)\SpywareBlaster
2015-11-22 12:42 - 2014-05-30 13:12 - 00000000 ____D C:\ProgramData\TEMP
2015-11-22 12:41 - 2015-02-12 10:27 - 00192216 _____ (Malwarebytes) C:\Windows\system32\Drivers\MBAMSwissArmy.sys
2015-11-22 12:40 - 2009-07-13 23:45 - 00081904 _____ C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2015-11-22 12:40 - 2009-07-13 23:45 - 00081904 _____ C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2015-11-22 12:38 - 2014-05-30 13:40 - 01623914 _____ C:\Windows\WindowsUpdate.log
2015-11-22 12:37 - 2014-05-30 23:13 - 00711330 _____ C:\Windows\system32\perfh019.dat
2015-11-22 12:37 - 2014-05-30 23:13 - 00641826 _____ C:\Windows\system32\perfh00B.dat
2015-11-22 12:37 - 2014-05-30 23:13 - 00146698 _____ C:\Windows\system32\perfc019.dat
2015-11-22 12:37 - 2014-05-30 23:13 - 00135102 _____ C:\Windows\system32\perfc00B.dat
2015-11-22 12:37 - 2014-05-30 14:20 - 00726452 _____ C:\Windows\system32\perfh00C.dat
2015-11-22 12:37 - 2014-05-30 14:20 - 00639384 _____ C:\Windows\system32\perfh001.dat
2015-11-22 12:37 - 2014-05-30 14:20 - 00140970 _____ C:\Windows\system32\perfc00C.dat
2015-11-22 12:37 - 2014-05-30 14:20 - 00128520 _____ C:\Windows\system32\perfc001.dat
2015-11-22 12:37 - 2009-07-14 00:13 - 04078336 _____ C:\Windows\system32\PerfStringBackup.INI
2015-11-22 12:33 - 2009-07-14 00:08 - 00000006 ____H C:\Windows\Tasks\SA.DAT
2015-11-20 18:03 - 2014-06-01 11:34 - 00000000 ____D C:\Users\KC13\Downloads\Browsers & Email Clients
2015-11-20 11:50 - 2014-05-30 14:07 - 00000000 ____D C:\EverQuest
2015-11-19 22:22 - 2015-04-09 00:03 - 00004184 _____ C:\Windows\System32\Tasks\avast! Emergency Update
2015-11-19 11:33 - 2014-06-05 16:52 - 00000000 ____D C:\Users\KC13\Downloads\Phones
2015-11-19 11:26 - 2014-06-10 09:37 - 00000000 ____D C:\Users\KC13\Downloads\Misc
2015-11-19 11:09 - 2015-03-29 14:36 - 00000000 ____D C:\ProgramData\Sophos
2015-11-19 11:01 - 2014-06-25 13:55 - 00000000 ____D C:\Users\KC13\AppData\Roaming\IObit
2015-11-19 11:01 - 2014-06-25 13:55 - 00000000 ____D C:\ProgramData\IObit
2015-11-19 10:52 - 2014-05-30 10:47 - 00000000 ____D C:\Users\KC13
2015-11-18 12:49 - 2014-05-30 14:46 - 00000000 ____D C:\Legends of Norrath
2015-11-18 10:55 - 2014-06-10 09:13 - 00000000 ____D C:\ProgramData\Malwarebytes' Anti-Malware (portable)
2015-11-18 10:27 - 2015-02-12 10:26 - 00109272 _____ (Malwarebytes) C:\Windows\system32\Drivers\mbamchameleon.sys
2015-11-13 13:07 - 2014-08-25 11:11 - 00000000 ____D C:\Users\KC13\AppData\Local\Adobe
2015-11-13 13:06 - 2014-05-31 10:50 - 00780488 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe
2015-11-13 13:06 - 2014-05-31 10:50 - 00142536 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl
2015-11-12 19:46 - 2014-10-02 00:59 - 00000000 ____D C:\Program Files\Java
2015-11-12 19:45 - 2014-05-31 21:12 - 00000000 ____D C:\ProgramData\Oracle
2015-11-12 19:38 - 2014-05-27 20:24 - 00000000 ____D C:\Users\KC13\Downloads\Java
2015-11-11 11:51 - 2014-05-30 15:07 - 00000000 ____D C:\Windows\system32\MRT
2015-11-11 11:45 - 2014-05-31 15:36 - 00000000 ____D C:\ProgramData\Microsoft Help
2015-11-11 11:45 - 2014-05-30 15:07 - 145617392 _____ (Microsoft Corporation) C:\Windows\system32\MRT.exe
2015-11-11 11:40 - 2014-05-30 19:34 - 03956222 _____ C:\Windows\SysWOW64\PerfStringBackup.INI
2015-11-10 15:07 - 2014-06-01 08:44 - 00014316 _____ C:\Users\KC13\Desktop\INR.xlsx
2015-11-07 12:54 - 2014-09-18 09:40 - 00001051 _____ C:\Users\KC13\Desktop\Notepad++.lnk
2015-11-05 14:29 - 2015-08-12 15:35 - 00018276 _____ C:\Windows\PFRO.log
2015-11-03 15:58 - 2014-05-31 10:40 - 00000000 ____D C:\Program Files (x86)\Adobe
2015-11-03 11:09 - 2015-04-09 00:02 - 00449992 _____ (AVAST Software) C:\Windows\system32\Drivers\aswSP.sys
2015-11-03 11:09 - 2015-04-09 00:02 - 00273784 _____ (AVAST Software) C:\Windows\system32\Drivers\aswVmm.sys
2015-11-03 11:09 - 2015-04-09 00:02 - 00154256 _____ (AVAST Software) C:\Windows\system32\Drivers\aswStm.sys
2015-11-03 11:09 - 2015-04-09 00:02 - 00097648 _____ (AVAST Software) C:\Windows\system32\Drivers\aswMonFlt.sys
2015-11-03 11:09 - 2015-04-09 00:02 - 00093528 _____ (AVAST Software) C:\Windows\system32\Drivers\aswRdr2.sys
2015-11-03 11:09 - 2015-04-09 00:02 - 00065224 _____ (AVAST Software) C:\Windows\system32\Drivers\aswRvrt.sys
2015-11-03 11:09 - 2015-04-09 00:02 - 00028656 _____ (AVAST Software) C:\Windows\system32\Drivers\aswHwid.sys
2015-11-03 11:08 - 2015-04-09 00:02 - 01059656 _____ (AVAST Software) C:\Windows\system32\Drivers\aswSnx.sys
2015-10-31 11:24 - 2014-05-31 09:27 - 00000000 ____D C:\Users\KC13\Downloads\Utilities
2015-10-31 10:58 - 2009-07-14 00:08 - 00032632 _____ C:\Windows\Tasks\SCHEDLGU.TXT
2015-10-26 12:34 - 2014-06-01 16:14 - 00000000 ____D C:\Users\KC13\Downloads\Solaris 11
2015-10-26 12:24 - 2014-05-27 20:08 - 00000000 ____D C:\Users\KC13\Downloads\Systems
2015-10-25 16:46 - 2014-06-01 13:03 - 00000000 ____D C:\bin

==================== Files in the root of some directories =======

2014-05-31 15:03 - 2014-06-04 08:27 - 0012978 _____ () C:\Users\KC13\AppData\Roaming\nvModes.001
2014-05-31 14:08 - 2014-06-04 08:27 - 0012978 _____ () C:\Users\KC13\AppData\Roaming\nvModes.dat
2015-04-21 16:52 - 2015-04-21 16:52 - 0015897 _____ () C:\Users\KC13\AppData\Roaming\UserTile.png
2015-01-03 22:29 - 2015-08-22 12:16 - 0169060 _____ () C:\Users\KC13\AppData\Local\ars.cache
2014-05-30 23:38 - 2014-05-30 23:38 - 0000000 _____ () C:\Users\KC13\AppData\Local\AtStart.txt
2015-01-03 22:29 - 2015-08-22 12:17 - 1705490 _____ () C:\Users\KC13\AppData\Local\census.cache
2014-12-28 22:13 - 2014-12-28 22:13 - 0000036 _____ () C:\Users\KC13\AppData\Local\housecall.guid.cache
2014-05-30 23:38 - 2014-05-30 23:38 - 0000000 _____ () C:\Users\KC13\AppData\Local\QSwitch.txt
2014-06-18 18:33 - 2014-06-18 18:33 - 0000218 _____ () C:\Users\KC13\AppData\Local\recently-used.xbel
2015-05-02 12:57 - 2015-09-14 09:11 - 0007618 _____ () C:\Users\KC13\AppData\Local\Resmon.ResmonCfg
2015-01-03 22:27 - 2015-08-22 12:11 - 0000010 _____ () C:\Users\KC13\AppData\Local\sponge.last.runtime.cache
2014-06-04 09:47 - 2015-04-05 10:59 - 0041520 _____ () C:\ProgramData\nvModes.001
2014-06-04 09:47 - 2015-04-04 10:02 - 0041520 _____ () C:\ProgramData\nvModes.dat

Some files in TEMP:
====================
C:\Users\KC13\AppData\Local\Temp\sqlite3.dll


Some zero byte size files/folders:
==========================
C:\Windows\logo_1.exe
C:\Windows\RUNDL132.EXE
C:\Windows\VDLL.DLL
C:\Windows\SysWOW64\runouce.exe

==================== Bamital & volsnap =================

(There is no automatic fix for files that do not pass verification.)

C:\Windows\system32\winlogon.exe => File is digitally signed
C:\Windows\system32\wininit.exe => File is digitally signed
C:\Windows\SysWOW64\wininit.exe => File is digitally signed
C:\Windows\explorer.exe => File is digitally signed
C:\Windows\SysWOW64\explorer.exe => File is digitally signed
C:\Windows\system32\svchost.exe => File is digitally signed
C:\Windows\SysWOW64\svchost.exe => File is digitally signed
C:\Windows\system32\services.exe => File is digitally signed
C:\Windows\system32\User32.dll => File is digitally signed
C:\Windows\SysWOW64\User32.dll => MD5 is legit
C:\Windows\system32\userinit.exe => File is digitally signed
C:\Windows\SysWOW64\userinit.exe => File is digitally signed
C:\Windows\system32\rpcss.dll => File is digitally signed
C:\Windows\system32\dnsapi.dll => File is digitally signed
C:\Windows\SysWOW64\dnsapi.dll => File is digitally signed
C:\Windows\system32\Drivers\volsnap.sys => File is digitally signed


LastRegBack: 2015-11-20 08:56

==================== End of FRST.txt ============================

Edited by KC13, 22 November 2015 - 06:17 PM.


#2 nasdaq

nasdaq

  • Malware Response Team
  • 38,586 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 24 November 2015 - 09:39 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===

Press the Windows key + R on your keyboard at the same time. This will open the RUN BOX.
Type Notepad and click the OK key.
Please copy the entire contents of the code box below to a new file.

start

CreateRestorePoint:
EmptyTemp:
CloseProcesses:
RemoveProxy:

GroupPolicyScripts\User: Restriction <======= ATTENTION
ProxyEnable: [.DEFAULT] => Proxy is enabled.
ProxyServer: [.DEFAULT] => http=127.0.0.1:50051;https=127.0.0.1:50051;
HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
HKU\.DEFAULT\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
HKU\S-1-5-21-2611907897-445250194-531414781-1000\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
SearchScopes: HKU\.DEFAULT -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-19 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
CHR HKLM-x32\...\Chrome\Extension: [gomekmidlodglbbmalcneegieacbdmki] - C:\Program Files\AVAST Software\Avast\WebRep\Chrome\aswWebRepChrome.crx [2015-11-03]
U4 TrueSight; \??\C:\Windows\System32\drivers\TrueSight.sys [X]
AlternateDataStreams: C:\ProgramData\TEMP:5C321E34
AlternateDataStreams: C:\ProgramData\TEMP:D282699C
C:\Windows\logo_1.exe
C:\Windows\RUNDL132.EXE
C:\Windows\VDLL.DLL
C:\Windows\SysWOW64\runouce.exe

End
Save the file as fixlist.txt in the same folder where the Farbar tool is running from.
The location is listed in the 3rd line of the Farbar log you have submitted.

Run FRST and click Fix only once and wait.

Restart the computer normally to reset the registry.

The tool will create a log (Fixlog.txt) please post it to your reply.
===

How is the computer running now?
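
The fixlist above is in FRST's own syntax and is applied by FRST itself. As an added example (not part of nasdaq's instructions and not FRST's own code), the following PowerShell script reads, without changing anything, the same locations the fixlist targets: the per-user proxy values, the Internet Explorer policy keys FRST marked "Restriction", the local Group Policy user-script folder, the zero-byte files in the Windows directory, and the alternate data streams on C:\ProgramData\TEMP. The SID, registry paths and file names are taken from the FRST log earlier in the thread; the script assumes PowerShell 3.0 or later running from an elevated prompt on the same machine. Run it once before the fix to record the state and once after to confirm the items are gone.

```powershell
# Added example, not FRST's code: read-only audit of the items the fixlist targets.
# Assumes PowerShell 3.0+ and an elevated prompt (HKU\.DEFAULT and C:\Windows are read).

# Map HKEY_USERS so the per-user hives FRST reports can be read with the registry provider
if (-not (Get-PSDrive -Name HKU -ErrorAction SilentlyContinue)) {
    New-PSDrive -Name HKU -PSProvider Registry -Root HKEY_USERS | Out-Null
}

$userSid = 'S-1-5-21-2611907897-445250194-531414781-1000'   # SID as shown in the FRST log

# 1. Proxy settings FRST flagged (http=127.0.0.1:50051 on the .DEFAULT profile)
$internetSettings = @(
    'HKU:\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings',
    "HKU:\$userSid\Software\Microsoft\Windows\CurrentVersion\Internet Settings"
)
foreach ($key in $internetSettings) {
    if (Test-Path $key) {
        $p = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        '{0}: ProxyEnable={1} ProxyServer={2}' -f $key, $p.ProxyEnable, $p.ProxyServer
    }
}

# 2. Internet Explorer policy keys FRST marked "Restriction" (PRESENT = still restricted)
$policyKeys = @(
    'HKLM:\SOFTWARE\Policies\Microsoft\Internet Explorer',
    'HKU:\.DEFAULT\SOFTWARE\Policies\Microsoft\Internet Explorer',
    "HKU:\$userSid\SOFTWARE\Policies\Microsoft\Internet Explorer"
)
foreach ($key in $policyKeys) {
    '{0}: {1}' -f $key, $(if (Test-Path $key) { 'PRESENT' } else { 'absent' })
}

# 3. Local Group Policy user-script folder (the "GroupPolicyScripts\User: Restriction" entry)
$gpUser = Join-Path $env:SystemRoot 'System32\GroupPolicy\User'
'{0}: {1}' -f $gpUser, $(if (Test-Path $gpUser) { 'PRESENT' } else { 'absent' })

# 4. Zero-byte files FRST listed under the Windows directory
$suspectFiles = @(
    "$env:SystemRoot\logo_1.exe",
    "$env:SystemRoot\RUNDL132.EXE",
    "$env:SystemRoot\VDLL.DLL",
    "$env:SystemRoot\SysWOW64\runouce.exe"
)
foreach ($f in $suspectFiles) {
    if (Test-Path $f) {
        $item = Get-Item -Path $f -Force
        '{0}: PRESENT ({1} bytes)' -f $f, $item.Length
    } else {
        '{0}: absent' -f $f
    }
}

# 5. Alternate data streams on C:\ProgramData\TEMP (FRST removed :5C321E34 and :D282699C).
#    "dir /r" lists named streams for files and folders on any Vista-or-later system.
cmd /c 'dir /r /a "C:\ProgramData"' | Select-String -Pattern 'TEMP:'
```

Anything reported as PRESENT after the fix, or a ProxyServer value that still points at 127.0.0.1, means the corresponding fixlist line did not take effect and belongs in the next reply alongside Fixlog.txt.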

#3 KC13

KC13
  • Topic Starter

  • Members
  • 92 posts

Posted 24 November 2015 - 10:48 AM

As you can see, the timestamp on the file is 10:24. The scanning started up again shortly after reboot and ran until 10:43. During that time, the system was almost unusable. I managed to get Task Manager running, and the same above mentioned process (C:\Windows\system32\svchost.exe -k netsvcs) was using 900MB of memory during the scan.

Fix result of Farbar Recovery Scan Tool (x64) Version:23-11-2015
Ran by KC13 (2015-11-24 10:24:21) Run:1
Running from C:\Users\KC13\Desktop
Loaded Profiles: KC13 (Available Profiles: KC13)
Boot Mode: Normal
==============================================

fixlist content:
*****************
start

CreateRestorePoint:
EmptyTemp:
CloseProcesses:
RemoveProxy:

GroupPolicyScripts\User: Restriction <======= ATTENTION
ProxyEnable: [.DEFAULT] => Proxy is enabled.
ProxyServer: [.DEFAULT] => http=127.0.0.1:50051;https=127.0.0.1:50051;
HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
HKU\.DEFAULT\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
HKU\S-1-5-21-2611907897-445250194-531414781-1000\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
SearchScopes: HKU\.DEFAULT -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
SearchScopes: HKU\S-1-5-19 -> DefaultScope {0633EE93-D776-472f-A0FF-E1416B8B2E3A} URL =
CHR HKLM-x32\...\Chrome\Extension: [gomekmidlodglbbmalcneegieacbdmki] - C:\Program Files\AVAST Software\Avast\WebRep\Chrome\aswWebRepChrome.crx [2015-11-03]
U4 TrueSight; \??\C:\Windows\System32\drivers\TrueSight.sys [X]
AlternateDataStreams: C:\ProgramData\TEMP:5C321E34
AlternateDataStreams: C:\ProgramData\TEMP:D282699C
C:\Windows\logo_1.exe
C:\Windows\RUNDL132.EXE
C:\Windows\VDLL.DLL
C:\Windows\SysWOW64\runouce.exe

End
*****************

Restore point was successfully created.
Processes closed successfully.

========= RemoveProxy: =========

"HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer" => key removed successfully
"HKU\.DEFAULT\SOFTWARE\Policies\Microsoft\Internet Explorer" => key removed successfully
"HKU\S-1-5-21-2611907897-445250194-531414781-1000\SOFTWARE\Policies\Microsoft\Internet Explorer" => key removed successfully
HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\\ProxyEnable => value removed successfully
HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\\ProxyServer => value removed successfully
HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\\DefaultConnectionSettings => value removed successfully
HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\\SavedLegacySettings => value removed successfully
HKU\S-1-5-21-2611907897-445250194-531414781-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\\DefaultConnectionSettings => value removed successfully
HKU\S-1-5-21-2611907897-445250194-531414781-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\\SavedLegacySettings => value removed successfully


========= End of RemoveProxy: =========

C:\Windows\system32\GroupPolicy\User => moved successfully
C:\Windows\system32\GroupPolicy\GPT.ini => moved successfully
HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\\ProxyEnable => value not found.
HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\\ProxyServer => value not found.
HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer => key not found.
HKU\.DEFAULT\SOFTWARE\Policies\Microsoft\Internet Explorer => key not found.
HKU\S-1-5-21-2611907897-445250194-531414781-1000\SOFTWARE\Policies\Microsoft\Internet Explorer => key not found.
HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\\DefaultScope => value removed successfully
HKU\S-1-5-19\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\\DefaultScope => value removed successfully
"HKLM\SOFTWARE\Wow6432Node\Google\Chrome\Extensions\gomekmidlodglbbmalcneegieacbdmki" => key removed successfully
Could not move "C:\Program Files\AVAST Software\Avast\WebRep\Chrome\aswWebRepChrome.crx" => Scheduled to move on reboot.
TrueSight => service removed successfully
C:\ProgramData\TEMP => ":5C321E34" ADS removed successfully.
C:\ProgramData\TEMP => ":D282699C" ADS removed successfully.
C:\Windows\logo_1.exe => moved successfully
C:\Windows\RUNDL132.EXE => moved successfully
C:\Windows\VDLL.DLL => moved successfully
C:\Windows\SysWOW64\runouce.exe => moved successfully
EmptyTemp: => 94.1 MB temporary data Removed.

Result of scheduled files to move (Boot Mode: Normal) (Date&Time: 2015-11-24 10:28:43)

"C:\Program Files\AVAST Software\Avast\WebRep\Chrome\aswWebRepChrome.crx" => Could not move

==== End of Fixlog 10:28:43 ====



#4 nasdaq

nasdaq

  • Malware Response Team
  • 38,586 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 25 November 2015 - 08:21 AM

Read this article print it if you can, and proceed with the suggested fixes.

http://www.wintips.org/how-to-fix-svchost-exe-netsvcs-memory-leak-or-high-cpu-usage-problems/

As you go along, write down what you are disabling/doing so that you can restore it should the problem not be solved.

If at any time you need help please let me know.

Keep me posted.

#5 nasdaq

nasdaq

  • Malware Response Team
  • 38,586 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 30 November 2015 - 09:57 AM

Are you still with me?

#6 KC13

KC13
  • Topic Starter

  • Members
  • 92 posts

Posted 01 December 2015 - 09:52 AM

Yes, I'm still with you, but nothing seems to stop the scan. Yesterday, I stopped the Windows Update service and the scan stopped. Strange, as it never affected my system like that before this scanning problem....



#7 KC13

KC13
  • Topic Starter

  • Members
  • 92 posts

Posted 02 December 2015 - 02:15 PM

More details:

When the scanning is happening, there are two processes killing the system:

1) C:\Windows\system32\svchost.exe -k netsvcs (Using up to 1.2GB in a 2GB system)

     These are the services running under the above process.

     wuauserv
     Winmgmt
     Themes
     ShellHWDetection
     SENS
     Schedule
     ProfSvc
     LanmanServer
     IKEEXT
     EapHost
     AeLookupSvc

2) C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted (When the above process ramps down, this one ramps up. Max 86MB usage)

     These are the services running under the above process.

     Wlansvc
     WdiSystemHost
     UxSms
     TrkWks
     SysMain
     PcaSvc
     Netman
     CscService
     AudioEndpointBuilder


Edited by KC13, 02 December 2015 - 02:16 PM.


#8 nasdaq

nasdaq

  • Malware Response Team
  • 38,586 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:09:17 AM

Posted 02 December 2015 - 02:54 PM

Windows Update is causing the issue.

Run the fix on this page.

http://windows.microsoft.com/en-us/windows/troubleshoot-problems-installing-updates#1TC=windows-7

When completed restart the computer normally.

Keep me posted.

#9 KC13

KC13
  • Topic Starter

  • Members
  • 92 posts
  • OFFLINE
  •  
  • Local time:08:17 AM

Posted 03 December 2015 - 09:57 AM

The above didn't work. Same problem processes, same services being run. Thanks for all your help, but this seems like a lost cause. I just wish a flavour of Linux would work with this laptop, but alas, none have so far.



#10 nasdaq

nasdaq

  • Malware Response Team
  • 38,586 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:09:17 AM

Posted 04 December 2015 - 07:38 AM

Please download and run the following tool to help allow other programs to run. (courtesy of BleepingComputer.com)
There are 3 different versions. If one of them won't run then download and try to run the other one.
Vista and Win7 users need to right click and choose Run as Admin
You only need to get one of them to run, not all of them.

rkill.exe
rkill.com
rkill.scr

It is possible that the infection you are trying to remove will not allow you to download files on the infected computer. If this is the case, then you will need to download the files requested on another computer and then transfer them to the desktop of the infected computer. You can transfer the files via a CD/DVD, external drive, or USB flash drive.

When completed it will create a log. Please post the content on your next reply.
===

Let's check further.

You will need to temporarily disable your AV program so it does not interfere.
Info on how to disable your security applications: How To Temporarily Disable Your Anti-virus, Firewall And Anti-malware Programs - Security Mini-Guides.

Download the Zoek tool from here.

When the download appears, save to the Desktop.
On the Desktop, right-click the Zoek.exe file and select: Run as Administrator
(Give it a few seconds to appear.)

Click the Options button; the following options are available to you.
Select only the check boxes for the options in bold.
 

Running Processes
Installed Programs
Startup Information
FireFox look
Chrome Look
Do a Quick Scan


Do a Quick Scan
HijackThis log
Uninstall list
Shortcut Fix
Do a Deep Scan
Installer List
IE Default
Silent Runner
System Restore Info
Symlink Check
Reset Chrome
System Specs
Recently created
Empty Temp
Auto Clean



Now...
Close any open Browsers.
Click the Run script button, and wait. It takes a few minutes to run all the script.

When the tool finishes, the zoek-results.log is opened in Notepad.
The log is also found on the systemdrive, normally C:\
If a reboot is needed, the log is opened after the reboot.
Do
Please attach the zoek-results.log in your reply. It's probably too long to post.

How to:
In the Reply section in the bottom of the topic Click the "more reply Options" button.

Attach the file.
Select the "Choose a File" navigate to the location of the File.
Click the file you wish to Attach.

Click the Add reply button.

Make sure you Enable your AV Program.

#11 KC13

KC13
  • Topic Starter

  • Members
  • 92 posts
  • OFFLINE
  •  
  • Local time:08:17 AM

Posted 04 December 2015 - 04:39 PM

Rkill 2.8.2 by Lawrence Abrams (Grinler)
http://www.bleepingcomputer.com/
Copyright 2008-2015 BleepingComputer.com
More Information about Rkill can be found at this link:
 http://www.bleepingcomputer.com/forums/topic308364.html

Program started at: 12/04/2015 04:34:04 PM in x64 mode.
Windows Version: Windows 7 Ultimate Service Pack 1

Checking for Windows services to stop:

 * No malware services found to stop.

Checking for processes to terminate:

 * No malware processes found to kill.

Checking Registry for malware related settings:

 * No issues found in the Registry.

Resetting .EXE, .COM, & .BAT associations in the Windows Registry.

Performing miscellaneous checks:

 * Windows Defender Disabled

   [HKLM\SOFTWARE\Microsoft\Windows Defender]
   "DisableAntiSpyware" = dword:00000001

Checking Windows Service Integrity:

 * Windows Defender (WinDefend) is not Running.
   Startup Type set to: Manual

Searching for Missing Digital Signatures:

 * No issues found.

Checking HOSTS File:

 * No issues found.

Program finished at: 12/04/2015 04:38:16 PM
Execution time: 0 hours(s), 4 minute(s), and 11 seconds(s)
 



#12 KC13

KC13
  • Topic Starter

  • Members
  • 92 posts
  • OFFLINE
  •  
  • Local time:08:17 AM

Posted 04 December 2015 - 04:53 PM

Zoek.exe v5.0.0.1 Updated 01-December-2015
Tool run by KC13 on Fri 12/04/2015 at 16:40:32.66.

Running in: Normal Mode Internet Access Detected
Launched: C:\Users\KC13\Desktop\zoek.exe [Scan all users]  [Checkboxes used]

==== Running Processes ======================


==== System Restore Info ======================

==== Installed Programs ======================

Adobe Acrobat Reader DC  
Adobe Flash Player 19 ActiveX  
Adobe Flash Player 19 NPAPI  
Adobe PageMaker 7.0  
Adobe Refresh Manager  
Amiga Forever  
Avast Free Antivirus  
Beyond Compare Version 2.5  
Classic Menu 4.x for Office 2007  
Conexant HD Audio  
CPUID CPU-Z 1.72  
EverQuest  
HDAUDIO Soft Data Fax Modem with SmartCP  
HP Quick Launch Buttons  
ImgBurn  
Java 8 Update 66  
Java 8 Update 66 (64-bit)  
Java Auto Updater  
Legends of Norrath  
Lotus SmartSuite - English  
Malwarebytes Anti-Malware version 2.2.0.1024  
Mappie 1.5.8  
Microsoft .NET Framework 4.5.2  
Microsoft Office 2007 Service Pack 3 (SP3)  
Microsoft Office Access MUI (English) 2007  
Microsoft Office Access Setup Metadata MUI (English) 2007  
Microsoft Office Excel MUI (English) 2007  
Microsoft Office File Validation Add-In  
Microsoft Office InfoPath MUI (English) 2007  
Microsoft Office Office 64-bit Components 2007  
Microsoft Office Outlook MUI (English) 2007  
Microsoft Office PowerPoint MUI (English) 2007  
Microsoft Office Professional Plus 2007  
Microsoft Office Proof (English) 2007  
Microsoft Office Proof (French) 2007  
Microsoft Office Proof (Spanish) 2007  
Microsoft Office Proofing (English) 2007  
Microsoft Office Proofing Tools 2007 Service Pack 3 (SP3)  
Microsoft Office Publisher MUI (English) 2007  
Microsoft Office Shared 64-bit MUI (English) 2007  
Microsoft Office Shared 64-bit Setup Metadata MUI (English) 2007  
Microsoft Office Shared MUI (English) 2007  
Microsoft Office Shared Setup Metadata MUI (English) 2007  
Microsoft Office Word MUI (English) 2007  
Microsoft Silverlight  
Microsoft Visual C++ 2005 Redistributable  
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.17  
Microsoft Visual C++ 2008 Redistributable - x64 9.0.30729.6161  
Microsoft Visual C++ 2008 Redistributable - x86 9.0.21022  
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17  
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148  
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161  
Microsoft Visual C++ 2010  x86 Redistributable - 10.0.40219  
Microsoft Visual C++ 2012 Redistributable (x86) - 11.0.61030  
Microsoft Visual C++ 2012 x86 Additional Runtime - 11.0.61030  
Microsoft Visual C++ 2012 x86 Minimum Runtime - 11.0.61030  
Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.21005  
Microsoft Visual C++ 2013 x64 Additional Runtime - 12.0.21005  
Microsoft Visual C++ 2013 x64 Minimum Runtime - 12.0.21005  
Microsoft XML Parser  
Mozilla Firefox 42.0 (x86 en-US)  
Mozilla Thunderbird 38.4.0 (x86 en-US)  
MSXML 4.0 SP3 Parser  
MSXML 4.0 SP3 Parser (KB2758694)  
Nero 2015  
Nero Audio Pack 1  
Nero Blu-ray Player  
Nero Burning Core  
Nero Burning ROM  
Nero ControlCenter  
Nero Core Components  
Nero Device Updates  
Nero Disc Menus Basic  
Nero Disc to Device  
Nero Effects Basic  
Nero Express  
Nero Kwik Themes Basic  
Nero Launcher  
Nero MediaHome  
Nero PiP Effects Basic  
Nero Recode  
Nero RescueAgent  
Nero SharedVideoCodecs  
Nero Update  
Nero Video  
neroxml  
Notepad++  
NVIDIA Drivers  
Prerequisite installer  
QLBCASL  
Quark Update  
QuarkXPress  
Security Update for CAPICOM (KB931906)  
Security Update for Microsoft .NET Framework 4.5.2 (KB3023224)  
Security Update for Microsoft .NET Framework 4.5.2 (KB3035490)  
Security Update for Microsoft .NET Framework 4.5.2 (KB3037581)  
Security Update for Microsoft .NET Framework 4.5.2 (KB3074230)  
Security Update for Microsoft .NET Framework 4.5.2 (KB3074550)  
Security Update for Microsoft .NET Framework 4.5.2 (KB3097996)  
Security Update for Microsoft .NET Framework 4.5.2 (KB3098781)  
Security Update for Microsoft Office 2007 suites (KB2596650) 32-Bit Edition   
Security Update for Microsoft Office 2007 suites (KB2596754) 32-Bit Edition   
Security Update for Microsoft Office 2007 suites (KB2596792) 32-Bit Edition  
Security Update for Microsoft Office 2007 suites (KB2596825) 32-Bit Edition   
Security Update for Microsoft Office 2007 suites (KB2596871) 32-Bit Edition  
Security Update for Microsoft Office 2007 suites (KB2597969) 32-Bit Edition  
Security Update for Microsoft Office 2007 suites (KB2687409) 32-Bit Edition   
Security Update for Microsoft Office 2007 suites (KB2760585) 32-Bit Edition   
Security Update for Microsoft Office 2007 suites (KB2760591) 32-Bit Edition   
Security Update for Microsoft Office 2007 suites (KB2817330) 32-Bit Edition   
Security Update for Microsoft Office 2007 suites (KB2825645) 32-Bit Edition   
Security Update for Microsoft Office 2007 suites (KB2837610) 32-Bit Edition   
Security Update for Microsoft Office 2007 suites (KB2850022) 32-Bit Edition   
Security Update for Microsoft Office 2007 suites (KB2880507) 32-Bit Edition   
Security Update for Microsoft Office 2007 suites (KB2880508) 32-Bit Edition   
Security Update for Microsoft Office 2007 suites (KB2881069) 32-Bit Edition   
Security Update for Microsoft Office 2007 suites (KB2920795) 32-Bit Edition   
Security Update for Microsoft Office 2007 suites (KB3085546) 32-Bit Edition   
Security Update for Microsoft Office 2007 suites (KB3085620) 32-Bit Edition   
Security Update for Microsoft Office 2007 suites (KB3101555) 32-Bit Edition   
Security Update for Microsoft Office Access 2007 (KB2596614) 32-Bit Edition   
Security Update for Microsoft Office Compatibility Pack Service Pack 3 (KB3085551) 32-Bit Edition   
Security Update for Microsoft Office Compatibility Pack Service Pack 3 (KB3101558) 32-Bit Edition   
Security Update for Microsoft Office Excel 2007 (KB3101554) 32-Bit Edition   
Security Update for Microsoft Office InfoPath 2007 (KB2687406) 32-Bit Edition   
Security Update for Microsoft Office InfoPath 2007 (KB2687440) 32-Bit Edition   
Security Update for Microsoft Office PowerPoint 2007 (KB2596912) 32-Bit Edition  
Security Update for Microsoft Office PowerPoint 2007 (KB3085548) 32-Bit Edition   
Security Update for Microsoft Office Publisher 2007 (KB2880506) 32-Bit Edition   
Security Update for Microsoft Office Word 2007 (KB3085552) 32-Bit Edition   
Software Director  
Sophos Virus Removal Tool  
Spybot - Search & Destroy  
SpywareBlaster 5.2  
SUPERAntiSpyware  
Synaptics Pointing Device Driver  
Update for 2007 Microsoft Office System (KB967642)  
Update for Microsoft Office 2007 Help for Common Features (KB963673)  
Update for Microsoft Office 2007 suites (KB2596620) 32-Bit Edition  
Update for Microsoft Office 2007 suites (KB2596787) 32-Bit Edition  
Update for Microsoft Office 2007 suites (KB2767916) 32-Bit Edition  
Update for Microsoft Office 2007 suites (KB2965286) 32-Bit Edition  
Update for Microsoft Office Outlook 2007 (KB2863811) 32-Bit Edition  
Update for Microsoft Office Outlook 2007 Junk Email Filter (KB3101557) 32-Bit Edition  
Update for Microsoft Office Script Editor Help (KB963671)  
VCRedistSetup  
Visual dBASE 7.5  
WinRAR 4.11 (64-bit)  
WinZip 18.0  

==== Files Recently Created / Modified ======================

====== C:\Windows ====
2015-12-02 18:26:11    748D1F5A0495A1AA9D44FB51B4C13271    43112    ----a-w-    C:\Windows\avastSS.scr
====== C:\Users\KC13\AppData\Local\Temp ====
====== Java Cache =====
====== C:\Windows\SysWOW64 =====
====== C:\Windows\SysWOW64\drivers =====
====== C:\Windows\Sysnative =====
2015-12-02 18:28:03    C514A8F4AC22AFAFE54B7CA515BBEAE2    386096    ----a-w-    C:\Windows\Sysnative\aswBoot.exe
====== C:\Windows\Sysnative\drivers =====
====== C:\Windows\Tasks ======
====== C:\Windows\Temp ======
======= C:\Program Files =====
======= C:\PROGRA~2 =====
2015-12-03 18:30:30    --------    d-----w-    C:\PROGRA~2\COMMON~1\AV
2015-11-19 16:08:16    --------    d-----w-    C:\PROGRA~2\Sophos
2015-11-13 00:45:40    --------    d-----w-    C:\PROGRA~2\COMMON~1\Java
2015-11-13 00:43:52    --------    d-----w-    C:\PROGRA~2\Java
======= C: =====
====== C:\Users\KC13\AppData\Roaming ======
====== C:\Users\KC13 ======
2015-11-19 16:08:19    --------    d-----w-    C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Sophos
2015-11-13 00:44:38    --------    d-----w-    C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Java

====== C: exe-files ==
2015-12-03 18:30:30    F6CC12DB8DC6FB85136BD5D908409FF9    174904    ----a-w-    C:\Program Files\Common Files\AV\avast! Antivirus\upgrade.exe
2015-12-03 18:30:30    F6CC12DB8DC6FB85136BD5D908409FF9    174904    ----a-w-    C:\Program Files (x86)\Common Files\AV\avast! Antivirus\upgrade.exe
2015-12-03 18:30:30    26BA77E86AE40F7EE01D20D49DB5331C    634832    ----a-w-    C:\Program Files\Common Files\AV\avast! Antivirus\backup.exe
2015-12-03 18:30:30    26BA77E86AE40F7EE01D20D49DB5331C    634832    ----a-w-    C:\Program Files (x86)\Common Files\AV\avast! Antivirus\backup.exe
2015-12-02 18:28:03    C514A8F4AC22AFAFE54B7CA515BBEAE2    386096    ----a-w-    C:\Windows\System32\aswBoot.exe
=== C: other files ==

==== Startup Registry Enabled ======================

[HKEY_USERS\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="%ProgramFiles%\Windows\Sidebar.exe /autoRun"

[HKEY_USERS\S-1-5-21-2611907897-445250194-531414781-1000\Software\Microsoft\Windows\CurrentVersion\Run]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AvastUI.exe"="C:\Program Files\AVAST Software\Avast\AvastUI.exe /nogui"
"QlbCtrl.exe"="C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe"

==== Startup Registry Enabled x64 ======================

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe"

==== Startup Registry Disabled x64 ======================

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\Services]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\Services\IDriverT]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\Services\MBAMService]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\Services\MozillaMaintenance]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\Services\NAUpdate]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\Services\Nero BackItUp Scheduler 3]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\Services\NMIndexingService]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\Services\WPCSvc]


==== Other Scheduled Tasks ======================

"C:\Windows\SysNative\tasks\AVAST Software\Avast settings backup" [C:\Program Files\Common Files\AV\avast Antivirus\backup.exe]

==== Firefox Start and Search pages ======================

ProfilePath: C:\Users\KC13\AppData\Roaming\Mozilla\Firefox\Profiles\baax4zsx.default
user_pref("browser.startup.homepage", "file:///C:/Web/index.htm");
user_pref("services.sync.prefs.sync.browser.search.selectedEngine", true);

==== Firefox Extensions Registry ======================

[HKEY_LOCAL_MACHINE\Software\Wow6432Node\Mozilla\Firefox\Extensions]
"sp@avast.com"="C:\Program Files\AVAST Software\Avast\SafePrice\FF" [12/02/2015 01:37 PM]

==== Firefox Extensions ======================

ProfilePath: C:\Users\KC13\AppData\Roaming\Mozilla\Firefox\Profiles\baax4zsx.default
- Classic Theme Restorer - %ProfilePath%\extensions\ClassicThemeRestorer@ArisT2Noia4dev.xpi
- NoiaButtons - %ProfilePath%\extensions\NoiaButtons@ArisT2_Noia4dev.xpi
- NewScrollbars aka NoiaScrollbars - %ProfilePath%\extensions\NoiaScrollbars@ArisT2_Noia4dev.xpi
- Black Youtube Theme - %ProfilePath%\extensions\{2c93446d-612b-416d-9af0-b7355797b611}.xpi

ProfilePath: C:\Users\KC13\AppData\Roaming\Thunderbird\Profiles\vwr43q1b.default
- Canadian English Dictionary - %ProfilePath%\extensions\en-CA@dictionaries.addons.mozilla.org
- Noia 2.0 eXtreme - %ProfilePath%\extensions\noia2_full@gd.noia.xpi
- Noia 2.0 eXtreme XT - %ProfilePath%\extensions\noia2_full_xt@gd.noia.xpi

AppDir: C:\Program Files (x86)\Mozilla Firefox
- Default - %AppDir%\browser\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}

==== Firefox Plugins ======================

Profilepath: C:\Users\KC13\AppData\Roaming\Mozilla\Firefox\Profiles\baax4zsx.default
F114FBA6246530B89DD1E04351E0EAC5    - C:\Windows\SysWOW64\Macromed\Flash\NPSWF32_19_0_0_245.dll -    Shockwave Flash


==== Chromium Look ======================

HKEY_LOCAL_MACHINE\SOFTWARE\Google\Chrome\Extensions
gomekmidlodglbbmalcneegieacbdmki - C:\Program Files\AVAST Software\Avast\WebRep\Chrome\aswWebRepChrome.crx[11/03/2015 11:08 AM]

==== C:\zoek_backup content ======================

C:\zoek_backup (files=0 folders=0 0 bytes)

==== EOF on Fri 12/04/2015 at 16:50:23.88 ======================
 



#13 KC13

KC13
  • Topic Starter

  • Members
  • 92 posts
  • OFFLINE
  •  
  • Local time:08:17 AM

Posted 04 December 2015 - 04:55 PM

Just for good measure, here is a pic of what it looks like while a scan is running. Today, it ran for over 40 minutes....


#14 nasdaq

nasdaq

  • Malware Response Team
  • 38,586 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:09:17 AM

Posted 05 December 2015 - 11:14 AM

Download and run this Process Explorer.

https://technet.microsoft.com/en-us/sysinternals/processexplorer.aspx

See if you can identify the process that is using all your CPU.

Check the Help file for additional information.

Keep me posted.
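Post #7 above lists the services sharing the two svchost.exe hosts by hand, and post #14 asks for Process Explorer to do the same thing interactively. The script below is an added example, not code from the thread or from either participant: it produces that service-to-host mapping from an elevated PowerShell prompt, with each host's command-line group ("-k netsvcs", "-k LocalSystemNetworkRestricted") and working set, so the memory-hungry group can be recorded even while the machine is too slow to drive a GUI. It uses only the Win32_Process and Win32_Service WMI classes and the PowerShell 2.0 syntax that ships with Windows 7; the function name, the parameter and the 0 MB default are my own choices.

```powershell
# Added example (not from the thread): map every svchost.exe host process to the
# "-k <group>" it was started with, its working set in MB, and the running services
# it hosts. Run from an elevated PowerShell prompt so every host's services are
# visible. Works on Windows 7 / PowerShell 2.0 and later.

function Get-SvchostMap {
    param(
        # Only report hosts whose working set exceeds this many MB (0 = report all).
        [int]$MinWorkingSetMB = 0
    )

    $processes = Get-WmiObject -Class Win32_Process -Filter "Name = 'svchost.exe'"
    $services  = Get-WmiObject -Class Win32_Service -Filter "State = 'Running'"

    foreach ($p in $processes) {
        $wsMB = [math]::Round($p.WorkingSetSize / 1MB, 1)
        if ($wsMB -lt $MinWorkingSetMB) { continue }

        # The service group is the token after "-k" on the host's command line,
        # e.g. "netsvcs" or "LocalSystemNetworkRestricted" in the thread.
        $group = if ($p.CommandLine -match '-k\s+(\S+)') { $Matches[1] } else { '(none)' }

        # Services report the PID of the process they are currently loaded in.
        $hosted = @($services |
                    Where-Object { $_.ProcessId -eq $p.ProcessId } |
                    ForEach-Object { $_.Name } |
                    Sort-Object)

        New-Object PSObject -Property @{
            PID          = $p.ProcessId
            Group        = $group
            WorkingSetMB = $wsMB
            ServiceCount = $hosted.Count
            Services     = ($hosted -join ', ')
        }
    }
}

# Largest hosts first. In the thread the top entry would be the netsvcs group,
# carrying wuauserv (Windows Update) alongside Winmgmt, Schedule, LanmanServer, etc.
Get-SvchostMap | Sort-Object WorkingSetMB -Descending |
    Format-Table PID, Group, WorkingSetMB, ServiceCount, Services -AutoSize -Wrap
```

Because a shared host's memory is charged to the whole group, the output narrows the problem to a group, not to one service. To measure a single suspect on its own, the standard reversible step is to move it into a dedicated host with `sc config wuauserv type= own` (from an elevated prompt, followed by a restart of the service), rerun the script, and then restore the default with `sc config wuauserv type= share` once the measurement is done.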

#15 KC13

KC13
  • Topic Starter

  • Members
  • 92 posts
  • OFFLINE
  •  
  • Local time:08:17 AM

Posted 05 December 2015 - 02:45 PM

OK, I'm in totally unexplored territory here. I have had that tool on my system for ages without understanding how to really use it. It took me quite a while to get the tool loaded during the scanning. I'm not at all sure if the attached pic is what you wanted or not. As I say, much of this is now Greek to me.

 

PS The scan is running as I tried to post this. I'm surprised I still have the laptop as I'm sitting very close to a window. :nono:

Edited by KC13, 05 December 2015 - 02:48 PM.




