
High CPU, Memory issues, fan running and almost sure have been hacked


  • This topic is locked
29 replies to this topic

#1 maughb

Posted 11 February 2016 - 05:44 PM

Hi, I'm new to posting on these forums but have read with admiration many of the helpful people out there aiding others to have a smooth running machine again! I'm far from being a techie and have been tearing my hair out with this laptop simply not running as it should. I was running Windows 7 for several years fine and then noticed that the fan was on almost all the time and certainly anytime any browser window or piece of software was opened. I'm not sure how much detail to go into about my conviction that I was hacked but let's say that I used to own some domain names set to autorenew and then suddenly realised I was no longer the owner and had received not one email reminder to renew nor that I was no longer the owner. I realised that remote access was allowed on my machine (so obviously unticked as fast as I could!). I rolled back with the Toshiba HDD recovery utility back to factory settings and the machine ran fine again for a couple of months. Then the same problems with fan, memory and CPU started up again. I wondered if an upgrade to Windows 10 would fix things but, if anything, it has made things worse! I also saw that enable remote access had been allowed again. Rkill seems to pick up a few issues so I will post that after the farbar report (which I have to confess I do not understand much of at all). I would be extremely grateful for help as soon as anyone is able on this as I am at my wits' end and cannot afford to bin this machine and buy a new one! Many thanks. My computer will not even allow me to paste the farbar report into this post now so I have had to add it as an attachment. I was able to paste the farbar report into the post once but then tried to post my message and was told I had not put any content in so had to start again!

 

 


#2 Bezukhov

Posted 15 February 2016 - 04:49 PM

I am currently going over this. Please have a little more patience. If you could please tell me the model number of this computer, that would be helpful.
To err is Human. To blame it on someone else is even more Human.

#3 maughb


Posted 15 February 2016 - 05:13 PM

Hi and thanks for looking into our problem. C660-11H is the model number. Feel free to contact me anytime and, as I'm very grateful for your expertise and time, I'll respond as promptly as I can.

#4 Bezukhov

Posted 17 February 2016 - 01:07 PM

Thank you for your patience. Before we get to work here are a few things to keep in mind:
  • Please do not run any tools on your own while we solve this. Some are rather powerful, and using one at the wrong moment can have catastrophic effects. Also please refrain from seeking help for this problem elsewhere. Too many cooks spoils the broth.
  • Next, it is important that the instructions given be performed in the order given. We may need one tool to finish its job before another one starts.
  • If at any time my instructions are not clear stop and ask for clarification.
  • Rather than attach any logs to your post it is better that you copy and paste them instead, except if instructed otherwise.
  • Any program that I ask you run should only be run once.
  • As soon as your computer is clean I will let you know.
  • Please try to complete any tasks and reply in 24 hours. I will try to do likewise.
  • If you have any pirated software on your system I must ask that you remove it. No need for you to tell me if you do. Many times such programs are the source of many an infection, which makes cleaning a sick computer just that much more difficult. And it's also against BleepingComputer's rules.
  • Lastly, do not make any changes to your computer from here on out until you get an "All Clear" from me.
Thank you for that prompt response. I would like a look at the state of your hardware. I like to do this with older computers.
  • Download Speccy from HERE. The file will be spsetup128.zip
  • Right click on spsetup128.zip, choose Extract as the option
  • Accept the prompt to extract it to the folder given.
  • Double click on Speccy64.exe.
  • After the analysis is finished, click File in the upper left corner
  • Choose Save as Text file. Note the name and place of that file.
  • Copy and paste the results in your next reply
I see that you have already run a couple of tools. As I mentioned above, please refrain from doing that while I am helping you. Meanwhile these tools did produce logs. It would be a big help to see them. They are in the following locations:

C:\TDSSKiller.3.1.0.9_09.02.2016_07.30.15_log.txt
C:\ComboFix.txt

In the meantime please perform the following scans

Step 1:
  • Please download GMER from one of the following locations and save it to your desktop:
    • Main Mirror, which will download a randomly named file
    • Zipped Mirror - unzip the file to its own folder such as C:\gmer
  • Disconnect from the Internet and close all running programs
  • Temporarily disable any real-time active protection
  • It is very important you do not use your computer while GMER is running
  • Double-click on the randomly named GMER icon
  • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan
  • If you receive a warning about rootkit activity and are asked to fully scan your system click NO
  • Please check the Quick scan box
  • Please uncheck the following:
    • IAT/EAT
    • Show All <<< Important
  • Click Scan
  • If you see a rootkit warning window click OK
  • When the scan is finished, save the results to your desktop as gmer.log
  • Click Copy then paste the results in your reply
  • Exit GMER and be sure to re-enable your Antivirus, Firewall and any other security programs you had disabled

Note:
  • If you encounter any problems, try running GMER in Safe Mode
  • If GMER crashes or keeps resulting in a Blue Screen of Death, uncheck Devices on the right side before scanning

Step 2:
  • Please download MBRScan and save it to your desktop.
  • Double-click on MBRScan.exe and click the Report button. (Vista and Windows 7 users, right-click on MBRScan and then click on Run as administrator.)
  • Please don't use the computer while the scan is running. The computer may not respond until the scan is done. Please be patient and don't force a restart of the computer.
  • When the scan is finished, a log file will appear.
  • Save that log file to your desktop and post its content in your next reply.
Any questions, please ask. And let me know how your computer is running.

#5 maughb


Posted 17 February 2016 - 02:14 PM

Hi and many thanks for your detailed information (and the Art Blakey link - spent hours last night listening to some mindblowing jazz!)

I have had to attach the files rather than paste them. Apologies but for some reason I am unable to paste anything into the subject of the message. I have absolutely no idea why but hope this is acceptable to you? Today was the first time I have turned on the machine since I posted for help so I have not been checking on how it is running lately. Today it seems not too bad so far but then it always seemed to do that. It would seem OK for a couple of hours and then fan, memory and CPU would all start flying up even when idle. I will turn the machine off again until I hear back from you. Regards.


#6 maughb


Posted 17 February 2016 - 02:23 PM

By the way, with the GMER scan I was unable to tick all the boxes shown in your graphic as all the ones in the top column were greyed out apart from Services, Registry and Files. It's possible I've done something incorrectly. Please advise if so.

#7 Bezukhov


Posted 19 February 2016 - 06:45 PM

Sorry for the wait. I know you're worried about this. To be honest nothing I've seen indicates any clear evidence of any hack. We will dig deeper into this. And no need to worry about that GMER log.

For this step you will need a USB flash drive. Back up any files from that drive that you wish to save.

  • Press the Windows key + R on your keyboard at the same time. Type in notepad and press Enter
  • Please copy and paste the contents of the below code box into the open notepad and save it on the flashdrive as fixlist.txt
SaveMbr: Drive=0

Next...

Boot into the advanced startup options:

  • Plug your USB that has FRST64.exe into the sick computer.
  • Probably the easiest method is to boot into normal Windows or Safe Mode and then press Ctrl + Alt + Del
  • At the next screen click on the power button in the lower right screen, then press and HOLD the "Shift" key and simultaneously click on the restart option in the lower right screen.
  • At the next screen choose troubleshoot.
  • Next screen choose Advanced Options.
  • Next screen choose Command Prompt.
  • If it prompts you for a password type it now. (If you do NOT have a password simply press enter)
  • After the Command Prompt window loads type notepad and press enter
  • From notepad press File > Open > then navigate to your USB drive > choose all files
  • Right click on FRST64.exe and run as admin
  • Press Fix
  • It will make a log (mbrdump.txt) on the flash drive. Please attach it to your reply. If you open the file you will not be able to read it.
  • Next press Scan
  • It will save the FRST.txt to your USB

Attach both logs with your next reply

Any questions please bring them to my attention.


Edited by Bezukhov, 20 February 2016 - 04:28 AM.

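The fixlist line "SaveMbr: Drive=0" tells FRST to dump the first sector of the first disk so the helper can inspect it offline. As an added example (not the thread's own content and not FRST's code), the following PowerShell script reads that same sector directly and decodes what a reviewer looks at in such a dump: the 55AA boot signature, a SHA256 of the 440-byte boot code for comparison with a known-good machine, and the four partition entries. It assumes an elevated prompt and that the Windows disk is \\.\PhysicalDrive0; it only reads from the disk.

```powershell
# Added example: read-only decode of the MBR that "SaveMbr: Drive=0" dumps. Not part of the
# thread or of FRST. Requires an elevated PowerShell prompt (raw disk access).
$drivePath = '\\.\PhysicalDrive0'   # assumption: the Windows disk is physical drive 0

function Read-Mbr([string]$Path) {
    $buffer = New-Object byte[] 512
    $fs = New-Object -TypeName System.IO.FileStream -ArgumentList $Path, ([IO.FileMode]::Open), ([IO.FileAccess]::Read), ([IO.FileShare]::ReadWrite)
    try     { $n = $fs.Read($buffer, 0, 512) }
    finally { $fs.Dispose() }
    if ($n -ne 512) { throw "Short read ($n bytes) from $Path" }
    return $buffer
}

function Decode-Mbr([byte[]]$Mbr) {
    $sha = [System.Security.Cryptography.SHA256]::Create()
    $result = [ordered]@{
        BootSignatureOk = ($Mbr[0x1FE] -eq 0x55 -and $Mbr[0x1FF] -eq 0xAA)   # last two bytes must be 55 AA
        DiskSignature   = ('0x{0:X8}' -f [BitConverter]::ToUInt32($Mbr, 0x1B8))
        BootCodeSha256  = ([BitConverter]::ToString($sha.ComputeHash($Mbr, 0, 440)) -replace '-', '')
        Partitions      = @()
    }
    for ($i = 0; $i -lt 4; $i++) {
        $off  = 0x1BE + 16 * $i                 # partition table: 4 entries x 16 bytes at 0x1BE
        $type = $Mbr[$off + 4]
        if ($type -eq 0) { continue }           # empty slot
        $sectors = [BitConverter]::ToUInt32($Mbr, $off + 12)
        $result.Partitions += [pscustomobject]@{
            Index    = $i
            Bootable = ($Mbr[$off] -eq 0x80)    # status byte 0x80 = active/bootable
            Type     = ('0x{0:X2}' -f $type)    # e.g. 0x07 NTFS, 0xEE GPT protective entry
            StartLba = [BitConverter]::ToUInt32($Mbr, $off + 8)
            SizeGB   = [math]::Round($sectors * 512 / 1GB, 1)
        }
    }
    return [pscustomobject]$result
}

$decoded = Decode-Mbr (Read-Mbr $drivePath)
$decoded | Select-Object BootSignatureOk, DiskSignature, BootCodeSha256 | Format-List
$decoded.Partitions | Format-Table -AutoSize
if (-not $decoded.BootSignatureOk) { Write-Warning 'Sector 0 lacks the 55AA signature: this is not a valid MBR.' }
```

On a GPT-partitioned disk (the norm for UEFI installs of Windows 10) sector 0 holds a protective MBR with a single 0xEE entry, so a lone 0xEE partition here is expected rather than suspicious.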

#8 maughb


Posted 20 February 2016 - 04:54 AM

Hi again. Well that sounds like good news but it makes it a bigger mystery how someone managed to steal my websites off me! I've done as you asked and attach the files you requested. I'll await your reply. Many thanks for investigating my issue - especially if I have been wasting your time if I haven't been hacked! No issues to report when carrying out what you requested.


#9 maughb


Posted 20 February 2016 - 10:40 AM

Typically the computer is running with the fan on most of the time; "system and compressed memory" is using 25-30%+ of CPU, and memory is at a fairly constant 25% usage. These figures are when sitting idle doing nothing.



#10 Bezukhov


Posted 22 February 2016 - 04:12 PM

I'm back. The good news is that there's nothing wrong with your Master Boot Record. I need you to try a couple of different scans:

Step 1:
  • Please download SystemLook from one of the links below and save it to your Desktop.

Download For 64-bit users

  • Right click on SystemLook.exe, click Run As Administrator
  • Copy the content of the following codebox into the main textfield:
:service
mtqjxm
  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Step 2:
Please download AdwCleaner by Xplode and save to your Desktop.
  • Double click on AdwCleaner.exe to run the tool.
    Vista/Windows 7/8 users right-click and select Run As Administrator
  • The tool will start to update the database, please wait a bit.
  • Click on I agree button.
  • Click on the Scan button.
  • AdwCleaner will begin...be patient as the scan may take some time to complete.
  • After the scan has finished, click on the Logfile button...a logfile (AdwCleaner[S#].txt) will open in Notepad for review (where the largest value of # represents the most recent report).
  • The contents of the log file may be confusing. Unless you see a program name that you know should not be removed, don't worry about it. If you see an entry you want to keep, let me know about it.
  • Copy and paste the contents of that logfile in your next reply.
  • Copies of all logfiles are saved in the C:\AdwCleaner folder, which was created when running the tool.
Please let me know of any questions, and if there are any changes in your computer's performance.
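The SystemLook script in Step 1 (":service" followed by "mtqjxm") asks Windows what it knows about a service with that name. As an added example, not from the thread and not SystemLook's own code, the following PowerShell script performs the same lookup for any list of service names and additionally locates the service binary on disk and checks its Authenticode signature. The only service name it assumes is the one quoted in the post; it runs from an elevated prompt and changes nothing.

```powershell
# Added example: PowerShell equivalent of SystemLook's ":service" lookup, extended with a
# binary-on-disk and signature check. Not part of the thread or of SystemLook. Run elevated.
param(
    # Service name(s) to inspect; 'mtqjxm' is the name the helper asked about in this thread.
    [string[]]$ServiceNames = @('mtqjxm')
)

# Turn the raw ImagePath registry value into the path of the executable it refers to.
function Resolve-ServiceBinary([string]$ImagePath) {
    if (-not $ImagePath) { return $null }
    $exe = $ImagePath -replace '^"([^"]+)".*$', '$1'                # "C:\path with spaces\x.exe" args
    $exe = $exe -replace '^(\S+\.(exe|sys|dll)).*$', '$1'            # C:\path\x.exe -k args
    $exe = [Environment]::ExpandEnvironmentVariables($exe)
    if ($exe -match '^\\SystemRoot\\') { $exe = $exe -replace '^\\SystemRoot', $env:SystemRoot }
    elseif ($exe -match '^\\\?\?\\') { $exe = $exe.Substring(4) }    # strip the \??\ NT prefix
    elseif (-not [IO.Path]::IsPathRooted($exe)) { $exe = Join-Path $env:SystemRoot $exe }  # system32\drivers\x.sys
    return $exe
}

foreach ($name in $ServiceNames) {
    $regPath = "HKLM:\SYSTEM\CurrentControlSet\Services\$name"
    if (-not (Test-Path -LiteralPath $regPath)) {
        Write-Output "[$name] no such key under CurrentControlSet\Services"
        continue
    }
    $props = Get-ItemProperty -LiteralPath $regPath
    $exe   = Resolve-ServiceBinary ([string]$props.ImagePath)
    $svc   = Get-CimInstance Win32_Service -Filter "Name='$name'" -ErrorAction SilentlyContinue

    Write-Output "[$name] DisplayName : $($props.DisplayName)"
    # Start: 0 boot, 1 system, 2 automatic, 3 manual, 4 disabled
    Write-Output "[$name] Type / Start: $($props.Type) / $($props.Start)"
    Write-Output "[$name] SCM state   : $(if ($svc) { $svc.State } else { 'not a Win32 service (kernel driver?)' })"
    Write-Output "[$name] ImagePath   : $($props.ImagePath)"
    if ($exe -and (Test-Path -LiteralPath $exe)) {
        $file   = Get-Item -LiteralPath $exe
        $sig    = Get-AuthenticodeSignature -FilePath $exe
        $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '(unsigned)' }
        Write-Output "[$name] Binary      : $exe  ($($file.Length) bytes, modified $($file.LastWriteTime))"
        Write-Output "[$name] Signature   : $($sig.Status)  $signer"
    } else {
        # A service entry whose file is missing is either an orphan left by an uninstall or a
        # file that is being hidden from the file system; either way it is worth reporting.
        Write-Output "[$name] Binary      : NOT FOUND on disk ($exe)"
    }
}
```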

#11 maughb


Posted 23 February 2016 - 03:19 AM

Hi There. Did as you asked. It appears that systemlook wasn't able to run for some reason. Grateful for your attention when you have a mo. Cheers.

 

 


#12 Bezukhov


Posted 24 February 2016 - 08:00 PM

The more I dig into your various logs, the less I see any evidence of an active infection. I still have some more scans to run. I always like second, third and even a fourth opinion before I really commit myself to anything.

Please download Malwarebytes Anti-Malware to your desktop.

  • Double-click mb3-setup-1878.1878-3.5.1.2522.exe and follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to the following:
    • Launch Malwarebytes Anti-Malware
    • A 14 day trial of the Premium features is pre-selected. You may deselect this if you wish, and it will not diminish the scanning and removal capabilities of the program.
  • Click Finish.
  • On the Dashboard, click the 'Update Now >>' link
  • After the update completes, click the 'Scan Now >>' button.
  • Or, on the Dashboard, click the Scan Now >> button.
  • If an update is available, click the Update Now button.
  • A Threat Scan will begin.
  • When the scan is complete, if there have been detections, click Apply Actions to allow MBAM to clean what was detected.
  • In most cases, a restart will be required.
  • Wait for the prompt to restart the computer to appear, then click on Yes.
  • After the restart once you are back at your desktop, open MBAM once more.
  • Click on the History tab > Application Logs.
  • Double click on the scan log which shows the Date and time of the scan just performed.
  • Click 'Export'.
  • Click 'Text file (*.txt)'
  • In the Save File dialog box which appears, click on Desktop.
  • In the File name: box type a name for your scan log.
  • A message box named 'File Saved' should appear stating "Your file has been successfully exported".
  • Click Ok
  • Attach that saved log to your next reply.

Please inform me of any questions or changes in your computer's performance.



#13 maughb


Posted 25 February 2016 - 01:34 PM

Hi. I'm sorry this is possibly turning out to be a not particularly exciting one for you to investigate it would appear! I do very much appreciate your time and efforts though. Main computer issues of late are Microsoft Edge seeming to consume a fairly constant 39% of our 8 GB memory and 25% of CPU, and the fan running more than 50% of the time. I do run MBAM regularly and, as I suspected, it hasn't come up with anything as usual. My wife appears to have had her gmail hacked somehow as she has received a spam email offering to help her teen fight acne, apparently sent from herself to herself via some site called lawrenewal.com. May be a red herring but thought I would mention it to you.


#14 maughb


Posted 25 February 2016 - 02:07 PM

P.S. I noticed when the computer is idle "system and compressed memory" keeps hogging large amounts of CPU and causing the fan to come on very regularly. Again probably unrelated but as I am not really much of a geek I have not much idea what is relevant and what is not!



#15 Bezukhov


Posted 26 February 2016 - 06:20 PM

> Hi. I'm sorry this is possibly turning out to be a not particularly exciting one for you to investigate it would appear!

Perish the thought! They're all interesting. No two are ever alike. That email could have been someone else's computer generating spam. If you see anything odd like that again, don't open it!
 
One more scan we can try:

ESET Online Scanner
  • Click here to download the installer for ESET Online Scanner and save it to your Desktop.
  • Disable all your antivirus and antimalware software - see how to do that here.
  • Right click on esetsmartinstaller_enu.exe and select Run as Administrator.
  • Place a checkmark in YES, I accept the Terms of Use, then click Start. Wait for ESET Online Scanner to load its components.
  • Select Enable detection of potentially unwanted applications.
  • Click Advanced Settings
  • Very Important! Uncheck "Remove found threats"
  • Place a checkmark in the following:
    • Scan archives
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth technology
  • Click Start to begin scanning.
  • ESET Online Scanner will start downloading signatures and scan. Please be patient, as this scan can take quite some time.
  • When the scan is done, click List threats (only available if ESET Online Scanner found something).
  • Click Export, then save the file to your desktop.
  • Click Back, then Finish to exit ESET Online Scanner.
Please let me know of any questions regarding this scan.



