RAM usage stays at 90% even if processes are ended. Unaware of the type of virus


  • This topic is locked
13 replies to this topic

#1 Cat-Hair

Cat-Hair

  • Members
  • 6 posts
  • OFFLINE
  • Local time:06:24 PM

Posted 25 April 2016 - 03:49 PM

Hello bleeping computer community,

I have been having a problem for a number of months now that reoccurs every now and then.

My computer starts off with a RAM usage of around 33% (although the computer only has 3GB of RAM) and then when I open programs (Chrome/Steam/Word) the RAM usage spikes up to the 80%-95% range. I thought at first that my computer was just getting old and that there was nothing I could do but use fewer programs at once and pray to the based Windows 7 Gods. I started to look deeper into what was using up my RAM and the numbers just didn't seem right. I thought it was a virus so I did a factory reset, saving all of my important stuff on another drive. After I did this my computer seemed to be running well. It was being nippy (a nice change) and it seemed like I had just bought a new PC. Today I logged on to my computer, gave it a second to load up, came back, opened up Google Chrome and then when I tried to type it lagged. I opened up Task Manager and looked at my usage (CPU = 7% / RAM = 98%). I then closed Google Chrome and checked my RAM usage; there was no change. I uninstalled Chrome thinking it was eating all my RAM, but Firefox is doing the same thing. I went into my processes again and looked at svchost.exe, which was running at approx 1,700,000 KB. I researched it and now I am here. Sorry if my explanation sucks.

 

My computer is at least 6 years old.

My specs are:

CPU: i3 540

OS: Win7 (64)

GPU: Intel GMA (no real idea what it actually is, this is what it says on my box)

RAM: 3GB DDR3

PSU: No idea

 

I used FRST (followed instructions from another forum) and got these results:

 

Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version:25-04-2016
Ran by Home (administrator) on HOME-PC (25-04-2016 21:26:57)
Running from C:\Users\Home\Downloads
Loaded Profiles: Home (Available Profiles: Home)
Platform: Windows 7 Home Premium Service Pack 1 (X64) Language: English (United States)
Internet Explorer Version 8 (Default browser: FF)
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Processes (Whitelisted) =================

(If an entry is included in the fixlist, the process will be closed. The file will not be moved.)

(Acer Incorporated) C:\Program Files (x86)\Packard Bell\Registration\GregHSRW.exe
(Symantec Corporation) C:\Program Files (x86)\Norton Internet Security\Engine\17.1.0.19\ccSvcHst.exe
(Acer Group) C:\Program Files\Packard Bell\Packard Bell Updater\UpdaterService.exe
() C:\OEM\USBDECTION\USBS3S4Detection.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\IAANTmon.exe
(Symantec Corporation) C:\Program Files (x86)\NortonInstaller\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS\A5E82D02\17.1.0.19\InstStub.exe
(Intel Corporation) C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\IAAnotif.exe
(Intel Corporation) C:\Windows\System32\igfxtray.exe
(Intel Corporation) C:\Windows\System32\hkcmd.exe
(Intel Corporation) C:\Windows\System32\igfxpers.exe
() C:\Program Files (x86)\Packard Bell\Hotkey Utility\HotkeyUtility.exe
(Microsoft) C:\Program Files (x86)\Packard Bell\Hotkey Utility\HotkeyUI.exe
(Microsoft Corporation) C:\Windows\System32\taskmgr.exe
(Mozilla Corporation) C:\Program Files (x86)\Mozilla Firefox\firefox.exe


==================== Registry (Whitelisted) ===========================

(If an entry is included in the fixlist, the registry item will be restored to default or removed. The file will not be moved.)

HKLM\...\Run: [IAAnotif] => C:\Program Files (x86)\Intel\Intel Matrix Storage Manager\iaanotif.exe [186904 2009-10-13] (Intel Corporation)
HKLM-x32\...\Run: [Adobe Reader Speed Launcher] => C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Reader_sl.exe [35696 2009-02-28] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [Hotkey Utility] => C:\Program Files (x86)\Packard Bell\Hotkey Utility\HotkeyUtility.exe [563744 2010-03-26] ()
HKLM-x32\...\RunOnce: [IdentityCardFUB] => C:\Windows\oem\IdentityCard\FUB.exe
Winlogon\Notify\igfxcui: C:\Windows\system32\igfxdev.dll (Intel Corporation)
HKU\S-1-5-18\...\RunOnce: [SPReview] => C:\Windows\System32\SPReview\SPReview.exe [301568 2016-04-24] (Microsoft Corporation)

==================== Internet (Whitelisted) ====================

(If an item is included in the fixlist, if it is a registry item it will be removed or restored to default.)

Tcpip\Parameters: [DhcpNameServer] 192.168.1.254
Tcpip\..\Interfaces\{F8EE9510-ED6A-4941-B0B9-79B66AF76C97}: [DhcpNameServer] 192.168.1.254

Internet Explorer:
==================
HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://homepage.packardbell.com/rdr.aspx?b=ACPW&l=0809&m=imedia_s3810&r=17360416n206pe465v1m5y56812034
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Start Page = hxxp://homepage.packardbell.com/rdr.aspx?b=ACPW&l=0809&m=imedia_s3810&r=17360416n206pe465v1m5y56812034
HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://homepage.packardbell.com/rdr.aspx?b=ACPW&l=0809&m=imedia_s3810&r=17360416n206pe465v1m5y56812034
HKLM\Software\Wow6432Node\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://homepage.packardbell.com/rdr.aspx?b=ACPW&l=0809&m=imedia_s3810&r=17360416n206pe465v1m5y56812034
HKU\S-1-5-21-3873116147-1368744103-2316293078-1001\Software\Microsoft\Internet Explorer\Main,Start Page = hxxp://homepage.packardbell.com/rdr.aspx?b=ACPW&l=0809&m=imedia_s3810&r=17360416n206pe465v1m5y56812034
HKU\S-1-5-21-3873116147-1368744103-2316293078-1001\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://homepage.packardbell.com/rdr.aspx?b=ACPW&l=0809&m=imedia_s3810&r=17360416n206pe465v1m5y56812034
SearchScopes: HKLM-x32 -> DefaultScope {67A2568C-7A0A-4EED-AECC-B5405DE63B64} URL = hxxp://www.google.com/search?sourceid=ie7&q={searchTerms}&rls=com.microsoft:{language}:{referrer:source?}&ie={inputEncoding}&oe={outputEncoding}&rlz=1I7ACPW
SearchScopes: HKLM-x32 -> {67A2568C-7A0A-4EED-AECC-B5405DE63B64} URL = hxxp://www.google.com/search?sourceid=ie7&q={searchTerms}&rls=com.microsoft:{language}:{referrer:source?}&ie={inputEncoding}&oe={outputEncoding}&rlz=1I7ACPW
SearchScopes: HKU\S-1-5-21-3873116147-1368744103-2316293078-1001 -> DefaultScope {67A2568C-7A0A-4EED-AECC-B5405DE63B64} URL =
SearchScopes: HKU\S-1-5-21-3873116147-1368744103-2316293078-1001 -> {67A2568C-7A0A-4EED-AECC-B5405DE63B64} URL =
SearchScopes: HKU\S-1-5-21-3873116147-1368744103-2316293078-1001 -> {6A1806CD-94D4-4689-BA73-E35EA1EA9990} URL =
BHO-x32: Adobe PDF Link Helper -> {18DF081C-E8AD-4283-A596-FA578C2EBDC3} -> C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll [2009-02-27] (Adobe Systems Incorporated)
BHO-x32: Symantec NCO BHO -> {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} -> C:\Program Files (x86)\Norton Internet Security\Engine\17.1.0.19\coIEPlg.dll [2009-10-29] (Symantec Corporation)
BHO-x32: Symantec Intrusion Prevention -> {6D53EC84-6AAE-4787-AEEE-F4628F01010C} -> C:\Program Files (x86)\Norton Internet Security\Engine\17.1.0.19\IPSBHO.DLL [2009-10-01] (Symantec Corporation)
BHO-x32: Windows Live Sign-in Helper -> {9030D464-4C02-4ABF-8ECC-5164760863C6} -> C:\Program Files (x86)\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll [2009-01-22] (Microsoft Corporation)
Toolbar: HKLM-x32 - Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files (x86)\Norton Internet Security\Engine\17.1.0.19\coIEPlg.dll [2009-10-29] (Symantec Corporation)
Filter: deflate - {8f6b0360-b80d-11d0-a9b3-006097942311} - C:\Windows\system32\urlmon.dll [2010-11-20] (Microsoft Corporation)
Filter-x32: deflate - {8f6b0360-b80d-11d0-a9b3-006097942311} - C:\Windows\SysWOW64\urlmon.dll [2010-11-20] (Microsoft Corporation)
Filter: gzip - {8f6b0360-b80d-11d0-a9b3-006097942311} - C:\Windows\system32\urlmon.dll [2010-11-20] (Microsoft Corporation)
Filter-x32: gzip - {8f6b0360-b80d-11d0-a9b3-006097942311} - C:\Windows\SysWOW64\urlmon.dll [2010-11-20] (Microsoft Corporation)

FireFox:
========
FF ProfilePath: C:\Users\Home\AppData\Roaming\Mozilla\Firefox\Profiles\fwywblin.default
FF Plugin-x32: @microsoft.com/WLPG,version=14.0.8081.0709 -> C:\Program Files (x86)\Windows Live\Photo Gallery\NPWLPG.dll [2009-07-10] (Microsoft Corporation)
FF HKLM-x32\...\Firefox\Extensions: [{BBDA0591-3099-440a-AA10-41764D9DB4DB}] - C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.1.0.19\IPSFFPlgn => not found
FF HKLM-x32\...\Firefox\Extensions: [{4C0766D3-67A7-45a3-85A2-752F77312F32}] - C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.1.0.19\coFFPlgn => not found

Chrome:
=======
CHR Profile: C:\Users\Home\AppData\Local\Google\Chrome\User Data\Default
CHR Extension: (Google Slides) - C:\Users\Home\AppData\Local\Google\Chrome\User Data\Default\Extensions\aapocclcgogkmnckokdopfmhonfmgoek [2016-04-23]
CHR Extension: (Google Docs) - C:\Users\Home\AppData\Local\Google\Chrome\User Data\Default\Extensions\aohghmighlieiainnegkcijnfilokake [2016-04-23]
CHR Extension: (Google Drive) - C:\Users\Home\AppData\Local\Google\Chrome\User Data\Default\Extensions\apdfllckaahabafndbhieahigkjlhalf [2016-04-23]
CHR Extension: (YouTube) - C:\Users\Home\AppData\Local\Google\Chrome\User Data\Default\Extensions\blpcfgokakmgnkcojhhkbfbldkacnbeo [2016-04-23]
CHR Extension: (Google Sheets) - C:\Users\Home\AppData\Local\Google\Chrome\User Data\Default\Extensions\felcaaldnbdncclmgdcncolpebgiejap [2016-04-23]
CHR Extension: (Google Docs Offline) - C:\Users\Home\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi [2016-04-23]
CHR Extension: (Chrome Web Store Payments) - C:\Users\Home\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2016-04-23]
CHR Extension: (Gmail) - C:\Users\Home\AppData\Local\Google\Chrome\User Data\Default\Extensions\pjkljhegncpnkpknbcohdijeoejaedia [2016-04-23]

==================== Services (Whitelisted) ========================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

R2 Greg_Service; C:\Program Files (x86)\Packard Bell\Registration\GregHSRW.exe [1150496 2009-08-28] (Acer Incorporated)
R2 NIS; C:\Program Files (x86)\Norton Internet Security\Engine\17.1.0.19\ccSvcHst.exe [126392 2009-10-20] (Symantec Corporation)
R2 Updater Service; C:\Program Files\Packard Bell\Packard Bell Updater\UpdaterService.exe [243232 2010-01-29] (Acer Group)
R2 USBS3S4Detection; C:\OEM\USBDECTION\USBS3S4Detection.exe [76320 2009-12-09] ()
R2 WinDefend; C:\Program Files\Windows Defender\mpsvc.dll [1011712 2009-07-14] (Microsoft Corporation)

===================== Drivers (Whitelisted) ==========================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)

S3 ebdrv; C:\Windows\system32\DRIVERS\evbda.sys [3286016 2009-06-10] (Broadcom Corporation)
R3 NAVENG; C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.1.0.19\Definitions\VirusDefs\20100208.002\ENG64.SYS [116272 2010-02-08] (Symantec Corporation)
R3 NAVEX15; C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.1.0.19\Definitions\VirusDefs\20100208.002\EX64.SYS [1742896 2010-02-08] (Symantec Corporation)
R1 SRTSP; C:\Windows\system32\drivers\NISx64\1101000.013\SRTSP64.SYS [504880 2009-10-09] (Symantec Corporation)
R1 SRTSPX; C:\Windows\system32\drivers\NISx64\1101000.013\SRTSPX64.SYS [32304 2009-10-09] (Symantec Corporation)

==================== NetSvcs (Whitelisted) ===================

(If an entry is included in the fixlist, it will be removed from the registry. The file will not be moved unless listed separately.)


==================== One Month Created files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2016-04-25 21:26 - 2016-04-25 21:26 - 00026568 _____ C:\Users\Home\Downloads\Addition.txt
2016-04-25 21:25 - 2016-04-25 21:26 - 00010288 _____ C:\Users\Home\Downloads\FRST.txt
2016-04-25 21:25 - 2016-04-25 21:26 - 00000000 ____D C:\FRST
2016-04-25 21:21 - 2016-04-25 21:22 - 02376192 _____ (Farbar) C:\Users\Home\Downloads\FRST64.exe
2016-04-25 21:19 - 2016-04-25 21:20 - 01726976 _____ (Farbar) C:\Users\Home\Downloads\FRST.exe
2016-04-25 21:08 - 2016-04-25 21:25 - 00000000 ____D C:\Users\Home\AppData\Local\Mozilla
2016-04-25 21:08 - 2016-04-25 21:08 - 00000000 ____D C:\Users\Home\AppData\Roaming\Mozilla
2016-04-25 21:07 - 2016-04-25 21:08 - 00000000 ____D C:\Program Files (x86)\Mozilla Firefox
2016-04-25 21:07 - 2016-04-25 21:07 - 00001135 _____ C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Mozilla Firefox.lnk
2016-04-25 21:07 - 2016-04-25 21:07 - 00001123 _____ C:\Users\Public\Desktop\Mozilla Firefox.lnk
2016-04-25 21:07 - 2016-04-25 21:07 - 00000000 ____D C:\Program Files (x86)\Mozilla Maintenance Service
2016-04-25 20:57 - 2016-04-25 20:58 - 00242104 _____ C:\Users\Home\Downloads\Firefox Setup Stub 45.0.2.exe
2016-04-25 20:29 - 2016-04-25 20:29 - 00007605 _____ C:\Users\Home\AppData\Local\Resmon.ResmonCfg
2016-04-24 22:12 - 2016-04-24 22:12 - 00000000 ____D C:\Windows\system32\SPReview
2016-04-24 22:12 - 2016-04-24 22:12 - 00000000 ____D C:\Users\Default\AppData\Local\Microsoft Help
2016-04-24 22:12 - 2016-04-24 22:12 - 00000000 ____D C:\Users\Default User\AppData\Local\Microsoft Help
2016-04-24 20:50 - 2016-04-24 20:50 - 00000000 ____D C:\Users\Home\Documents\League of Legends
2016-04-24 20:46 - 2016-04-24 20:46 - 00000450 _____ C:\Users\Home\Desktop\DATA (D).lnk
2016-04-24 20:21 - 2016-04-24 20:21 - 00000000 ____D C:\Users\Home\AppData\Local\Steam
2016-04-24 20:19 - 2016-04-24 20:19 - 00000000 ____D C:\Users\Home\AppData\Roaming\Macromedia
2016-04-24 20:19 - 2016-04-24 20:19 - 00000000 ____D C:\Users\Home\AppData\Roaming\LolClient
2016-04-24 20:19 - 2016-04-24 20:19 - 00000000 ____D C:\Users\Home\AppData\Roaming\Adobe
2016-04-24 03:20 - 2016-04-24 03:20 - 00000000 ____D C:\Users\Home\AppData\Roaming\OEM
2016-04-24 03:20 - 2016-04-24 03:20 - 00000000 ____D C:\Users\Home\AppData\Local\VirtualStore
2016-04-23 22:41 - 2016-04-23 22:41 - 00000000 ____D C:\Users\Home\AppData\Roaming\Gyazo
2016-04-23 20:53 - 2016-04-23 20:53 - 00068952 _____ C:\Users\Home\AppData\Local\GDIPFONTCACHEV1.DAT
2016-04-23 20:41 - 2016-04-23 20:41 - 00000000 ____D C:\Users\Home\AppData\Local\Blizzard Entertainment
2016-04-23 20:40 - 2016-04-24 20:27 - 00000000 ____D C:\Users\Home\AppData\Local\Battle.net
2016-04-23 20:40 - 2016-04-23 20:42 - 00000000 ____D C:\Users\Home\AppData\Roaming\Battle.net
2016-04-23 20:37 - 2016-04-23 20:39 - 00000000 ____D C:\Users\Home\AppData\Local\Oblivion
2016-04-23 17:41 - 2016-04-24 20:35 - 00000000 ____D C:\Users\Home\Desktop\Cathaoir's Programs
2016-04-23 17:41 - 2016-04-23 17:41 - 00000000 ____D C:\Users\Home\Tracing
2016-04-23 17:39 - 2016-04-25 20:02 - 00000000 ____D C:\Users\Home\AppData\Roaming\Skype
2016-04-23 17:32 - 2016-04-23 17:32 - 00003270 _____ C:\Windows\System32\Tasks\{F1455E89-63EF-4889-9403-25AE0E6757D3}
2016-04-23 17:29 - 2016-04-23 17:29 - 00003426 _____ C:\Windows\System32\Tasks\{4D56AF72-87AD-4AB2-8797-999602BE5BB8}
2016-04-23 17:28 - 2016-04-23 17:39 - 00000000 ____D C:\Users\Home\AppData\Roaming\Riot Games
2016-04-23 17:24 - 2016-04-25 20:41 - 00000000 ____D C:\Users\Home\AppData\Local\Spotify
2016-04-23 17:24 - 2016-04-23 17:46 - 00001797 _____ C:\Users\Home\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Spotify.lnk
2016-04-23 17:24 - 2016-04-23 17:24 - 00000000 ____D C:\Users\Home\AppData\Local\CEF
2016-04-23 17:20 - 2016-04-23 17:28 - 30668968 _____ (Riot Games) C:\Users\Home\Downloads\LeagueofLegends_EUW_Installer_9_15_2014.exe
2016-04-23 17:16 - 2016-04-25 20:41 - 00000000 ____D C:\Users\Home\AppData\Roaming\Spotify
2016-04-23 17:16 - 2016-04-23 17:16 - 00350936 _____ (Spotify Ltd) C:\Users\Home\Downloads\SpotifySetup.exe
2016-04-23 17:14 - 2016-04-23 17:32 - 47405184 _____ (Skype Technologies S.A.) C:\Users\Home\Downloads\SkypeSetupFull.exe
2016-04-23 17:11 - 2016-04-24 02:13 - 00000000 ____D C:\Users\Home\AppData\Local\Google
2016-04-23 17:11 - 2016-04-23 17:11 - 00003270 _____ C:\Windows\System32\Tasks\{991BB842-43E7-4478-95E0-2BF1968A905A}
2016-04-23 16:57 - 2016-04-23 16:59 - 00000000 __RHD C:\Users\Home\Desktop\Games
2016-04-23 16:29 - 2016-04-23 20:51 - 00000000 ____D C:\Users\Home\Desktop\Wallpapers
2016-04-23 16:17 - 2016-04-23 16:17 - 00003110 _____ C:\Windows\System32\Tasks\{833E52CE-A3F9-4BEA-AB31-9D2DB820635E}
2016-04-23 16:16 - 2016-04-23 16:16 - 00003124 _____ C:\Windows\System32\Tasks\{122EBB0A-2134-446C-82FA-4BCC30F4E7C3}
2016-04-23 15:10 - 2016-04-23 15:10 - 00000000 ____D C:\Users\Home\AppData\Local\ElevatedDiagnostics
2016-04-23 14:30 - 2012-11-27 00:30 - 00090112 _____ (Intel Corporation) C:\Windows\system32\igfxCoIn_v2858.dll
2016-04-23 14:30 - 2012-01-10 21:20 - 00375808 _____ (Intel Corporation) C:\Windows\system32\igfxpph.dll
2016-04-23 14:30 - 2012-01-10 21:19 - 00110080 _____ (Intel Corporation) C:\Windows\system32\hccutils.dll
2016-04-23 14:30 - 2012-01-10 21:19 - 00062464 _____ (Intel Corporation) C:\Windows\system32\igfxsrvc.dll
2016-04-23 14:10 - 2016-04-23 16:23 - 00003380 _____ C:\Windows\System32\Tasks\DriverMaxAgent
2016-04-23 13:17 - 2011-04-09 08:02 - 05562240 _____ (Microsoft Corporation) C:\Windows\system32\ntoskrnl.exe
2016-04-23 13:17 - 2011-04-09 07:02 - 03967872 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ntkrnlpa.exe
2016-04-23 13:17 - 2011-04-09 07:02 - 03912576 _____ (Microsoft Corporation) C:\Windows\SysWOW64\ntoskrnl.exe
2016-04-23 11:43 - 2016-04-23 11:43 - 00000020 _____ C:\Windows\”÷®
2016-04-23 11:31 - 2016-04-23 11:31 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Packard Bell
2016-04-23 11:30 - 2016-04-23 11:30 - 00001459 _____ C:\Users\Home\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Internet Explorer.lnk
2016-04-23 11:30 - 2016-04-23 11:30 - 00001425 _____ C:\Users\Home\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Internet Explorer (64-bit).lnk
2016-04-23 11:23 - 2016-04-23 17:41 - 00000000 ____D C:\Users\Home
2016-04-23 11:23 - 2016-04-23 11:23 - 00000020 ___SH C:\Users\Home\ntuser.ini
2016-04-23 11:23 - 2016-04-23 11:23 - 00000000 _SHDL C:\Users\Home\My Documents
2016-04-23 11:23 - 2016-04-23 11:23 - 00000000 _SHDL C:\Users\Home\Documents\My Videos
2016-04-23 11:23 - 2016-04-23 11:23 - 00000000 _SHDL C:\Users\Home\Documents\My Pictures
2016-04-23 11:23 - 2016-04-23 11:23 - 00000000 _SHDL C:\Users\Home\Documents\My Music
2016-04-23 07:18 - 2016-04-23 07:20 - 00000000 ___RD C:\Backup
2016-04-20 21:07 - 2016-04-20 21:08 - 00262144 _____ C:\Windows\Minidump\042016-28236-01.dmp
2016-04-20 21:07 - 2016-04-20 21:07 - 494320568 _____ C:\Windows\MEMORY.DMP
2016-04-19 22:27 - 2016-04-20 21:07 - 00000000 ____D C:\Windows\Minidump
2016-04-19 22:27 - 2016-04-19 22:27 - 00262144 _____ C:\Windows\Minidump\041916-25131-01.dmp

==================== One Month Modified files and folders ========

(If an entry is included in the fixlist, the file/folder will be moved.)

2016-04-25 21:18 - 2009-07-14 06:13 - 00720488 _____ C:\Windows\system32\PerfStringBackup.INI
2016-04-25 21:18 - 2009-07-14 05:45 - 00009696 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2016-04-25 21:18 - 2009-07-14 05:45 - 00009696 ____H C:\Windows\system32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2016-04-25 21:18 - 2009-07-14 04:20 - 00000000 ____D C:\Windows\inf
2016-04-25 21:11 - 2014-12-03 21:19 - 00000890 _____ C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2016-04-25 21:11 - 2009-07-14 06:08 - 00000006 ____H C:\Windows\Tasks\SA.DAT
2016-04-25 21:09 - 2010-03-18 22:39 - 00000000 ____D C:\Program Files (x86)\Google
2016-04-25 20:33 - 2014-12-03 21:19 - 00000894 _____ C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2016-04-25 19:58 - 2009-07-14 05:45 - 00311040 _____ C:\Windows\system32\FNTCACHE.DAT
2016-04-25 19:53 - 2009-07-14 08:45 - 00000000 ____D C:\Program Files\Windows Journal
2016-04-25 19:53 - 2009-07-14 06:32 - 00000000 ____D C:\Program Files\Windows Sidebar
2016-04-25 19:53 - 2009-07-14 06:32 - 00000000 ____D C:\Program Files\Windows Portable Devices
2016-04-25 19:53 - 2009-07-14 06:32 - 00000000 ____D C:\Program Files\Windows Photo Viewer
2016-04-25 19:53 - 2009-07-14 06:32 - 00000000 ____D C:\Program Files\Windows Defender
2016-04-25 19:53 - 2009-07-14 06:32 - 00000000 ____D C:\Program Files\DVD Maker
2016-04-25 19:53 - 2009-07-14 06:32 - 00000000 ____D C:\Program Files (x86)\Windows Sidebar
2016-04-25 19:53 - 2009-07-14 06:32 - 00000000 ____D C:\Program Files (x86)\Windows Portable Devices
2016-04-25 19:53 - 2009-07-14 06:32 - 00000000 ____D C:\Program Files (x86)\Windows Photo Viewer
2016-04-25 19:53 - 2009-07-14 04:20 - 00000000 ____D C:\Windows\SysWOW64\Setup
2016-04-25 19:53 - 2009-07-14 04:20 - 00000000 ____D C:\Windows\SysWOW64\oobe
2016-04-25 19:53 - 2009-07-14 04:20 - 00000000 ____D C:\Windows\SysWOW64\migwiz
2016-04-25 19:53 - 2009-07-14 04:20 - 00000000 ____D C:\Windows\SysWOW64\manifeststore
2016-04-25 19:53 - 2009-07-14 04:20 - 00000000 ____D C:\Windows\SysWOW64\Dism
2016-04-25 19:53 - 2009-07-14 04:20 - 00000000 ____D C:\Windows\SysWOW64\AdvancedInstallers
2016-04-25 19:53 - 2009-07-14 04:20 - 00000000 ____D C:\Windows\servicing
2016-04-25 19:52 - 2009-07-14 04:20 - 00000000 ____D C:\Windows\system32\Setup
2016-04-25 19:52 - 2009-07-14 04:20 - 00000000 ____D C:\Windows\system32\oobe
2016-04-25 19:52 - 2009-07-14 04:20 - 00000000 ____D C:\Windows\system32\migwiz
2016-04-25 19:52 - 2009-07-14 04:20 - 00000000 ____D C:\Windows\system32\manifeststore
2016-04-25 19:52 - 2009-07-14 04:20 - 00000000 ____D C:\Windows\system32\Dism
2016-04-25 19:52 - 2009-07-14 04:20 - 00000000 ____D C:\Windows\system32\AdvancedInstallers
2016-04-25 19:52 - 2009-07-14 04:20 - 00000000 ____D C:\Windows\PolicyDefinitions
2016-04-24 22:22 - 2009-07-14 03:36 - 00175616 _____ (Microsoft Corporation) C:\Windows\system32\msclmd.dll
2016-04-24 22:22 - 2009-07-14 03:36 - 00152576 _____ (Microsoft Corporation) C:\Windows\SysWOW64\msclmd.dll
2016-04-24 20:28 - 2014-12-10 23:26 - 00000000 ____D C:\Program Files (x86)\Hearthstone
2016-04-24 20:26 - 2016-02-22 22:19 - 00466456 _____ (Creative Labs) C:\Windows\system32\wrap_oal.dll
2016-04-24 20:26 - 2016-02-22 22:19 - 00444952 _____ (Creative Labs) C:\Windows\SysWOW64\wrap_oal.dll
2016-04-24 20:26 - 2016-02-22 22:19 - 00122904 _____ (Portions © Creative Labs Inc. and NVIDIA Corp.) C:\Windows\system32\OpenAL32.dll
2016-04-24 20:26 - 2016-02-22 22:19 - 00109080 _____ (Portions © Creative Labs Inc. and NVIDIA Corp.) C:\Windows\SysWOW64\OpenAL32.dll
2016-04-24 20:25 - 2014-12-10 23:16 - 00000000 ____D C:\Program Files (x86)\Battle.net
2016-04-24 20:21 - 2015-12-23 17:47 - 00000000 ____D C:\Program Files (x86)\Steam
2016-04-23 17:39 - 2014-12-03 21:23 - 00000000 ____D C:\ProgramData\Skype
2016-04-23 17:39 - 2010-03-18 22:31 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Skype
2016-04-23 17:22 - 2014-12-03 11:26 - 00000000 ____D C:\Users\Home\Documents\Cathaoirs Section
2016-04-23 16:53 - 2015-07-05 22:00 - 00000000 ____D C:\Users\Home\Documents\My Games
2016-04-23 16:53 - 2014-12-08 11:00 - 00000000 ____D C:\Users\Home\Documents\Wedding Info
2016-04-23 16:53 - 2014-12-03 11:29 - 00000000 ___RD C:\Users\Home\Documents\Scanned Documents
2016-04-23 16:53 - 2014-12-03 11:29 - 00000000 ___RD C:\Users\Home\Documents\My Stationery
2016-04-23 16:53 - 2014-12-03 11:29 - 00000000 ____D C:\Users\Home\Documents\Symantec
2016-04-23 16:53 - 2014-12-03 11:29 - 00000000 ____D C:\Users\Home\Documents\OneNote Notebooks
2016-04-23 16:53 - 2014-12-03 11:28 - 00000000 ____D C:\Users\Home\Documents\mum
2016-04-23 16:53 - 2014-12-03 11:28 - 00000000 ____D C:\Users\Home\Documents\Kendrick Lamar-The New West (CrackMixtapes.com)
2016-04-23 16:53 - 2014-12-03 11:28 - 00000000 ____D C:\Users\Home\Documents\Kendrick Lamar - good kid, m.A.A.d city (iTunes Version) - Thisisbuckwild.com
2016-04-23 16:53 - 2014-12-03 11:26 - 00000000 ____D C:\Users\Home\Documents\GTA San Andreas User Files
2016-04-23 16:49 - 2015-11-10 18:50 - 00000000 ____D C:\Users\Home\Documents\From Memory Pen
2016-04-23 16:45 - 2015-11-10 18:03 - 00000000 ____D C:\Users\Home\Documents\Computing Coursework
2016-04-23 16:45 - 2014-12-14 17:43 - 00000000 ____D C:\Users\Home\Documents\flybe.com - Flight booking confirmed_files
2016-04-23 16:45 - 2014-12-03 11:26 - 00000000 ____D C:\Users\Home\Documents\first comm photos cathaoir
2016-04-23 16:45 - 2014-12-03 11:26 - 00000000 ____D C:\Users\Home\Documents\Fax
2016-04-23 16:45 - 2014-12-03 11:26 - 00000000 ____D C:\Users\Home\Documents\Dublin Hols 2008 photos
2016-04-23 16:43 - 2015-11-23 22:25 - 00000000 ____D C:\Users\Home\Documents\Cathaoir Coursework
2016-04-23 16:42 - 2014-12-03 11:29 - 00000000 ____D C:\Users\Home\Documents\aoife
2016-04-23 16:31 - 2014-12-10 23:06 - 00000000 ____D C:\ProgramData\Battle.net
2016-04-23 14:44 - 2010-03-18 22:39 - 00000000 ____D C:\ProgramData\Partner
2016-04-23 14:44 - 2010-03-18 22:35 - 00000000 ____D C:\Program Files (x86)\Microsoft Silverlight
2016-04-23 14:43 - 2014-12-02 15:03 - 00000000 ____D C:\Windows\system32\MRT
2016-04-23 14:39 - 2014-12-02 15:03 - 135176864 _____ (Microsoft Corporation) C:\Windows\system32\MRT.exe
2016-04-23 14:38 - 2010-03-18 22:31 - 00000000 ____D C:\Program Files (x86)\Microsoft Office
2016-04-23 13:58 - 2015-05-07 17:37 - 00000000 ____D C:\ProgramData\Package Cache
2016-04-23 13:15 - 2010-03-18 22:36 - 00000000 ____D C:\Program Files (x86)\Packard Bell
2016-04-23 13:14 - 2010-03-18 22:43 - 00000000 ____D C:\ProgramData\Adobe
2016-04-23 13:14 - 2010-03-18 22:43 - 00000000 ____D C:\Program Files (x86)\Adobe
2016-04-23 13:14 - 2010-03-18 22:36 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Packard Bell - Security & Support
2016-04-23 13:08 - 2014-12-02 12:37 - 00000000 ____D C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Windows Live
2016-04-23 12:26 - 2014-12-03 21:19 - 00003890 _____ C:\Windows\System32\Tasks\GoogleUpdateTaskMachineUA
2016-04-23 12:26 - 2014-12-03 21:19 - 00003638 _____ C:\Windows\System32\Tasks\GoogleUpdateTaskMachineCore
2016-04-23 12:22 - 2010-03-18 22:27 - 00000000 ____D C:\ProgramData\WildTangent
2016-04-23 12:22 - 2010-03-18 22:27 - 00000000 ____D C:\Program Files (x86)\Packard Bell Games
2016-04-23 11:45 - 2009-07-14 04:20 - 00000000 ____D C:\Windows\Help
2016-04-23 11:31 - 2009-10-05 21:30 - 00000000 ____D C:\Windows\DeployWinRE2
2016-04-23 11:29 - 2010-03-18 07:10 - 00000000 ___HD C:\OEM
2016-04-23 11:27 - 2009-07-14 04:20 - 00000000 ____D C:\Windows\rescache
2016-04-23 11:26 - 2010-03-18 22:46 - 00000000 ____D C:\ProgramData\OEM
2016-04-23 11:23 - 2010-03-18 07:12 - 00000000 ____D C:\Windows\Panther
2016-04-23 11:20 - 2009-07-14 04:20 - 00000000 __RHD C:\Users\Public\Libraries
2016-04-23 07:49 - 2009-03-12 10:30 - 00000000 ____D C:\Windows\LP
2016-04-23 07:46 - 2009-07-14 06:32 - 00028672 _____ C:\Windows\system32\config\BCD-Template
2016-04-23 07:29 - 2015-01-19 16:38 - 00000000 ____D C:\Users\New User\AppData\Local\Spotify
2016-04-23 07:26 - 2015-07-05 22:00 - 00000000 ____D C:\Users\New User\AppData\Local\Oblivion
2016-04-23 07:20 - 2015-07-17 18:38 - 00000000 ____D C:\Users\locales
2016-04-23 07:20 - 2014-12-10 23:16 - 00000000 ____D C:\Users\New User\AppData\Local\Battle.net
2016-04-23 07:20 - 2014-12-02 16:32 - 00000000 __SHD C:\Users\New User\AppData\Local\EmieUserList
2016-04-23 07:20 - 2014-12-02 16:32 - 00000000 __SHD C:\Users\New User\AppData\Local\EmieSiteList
2016-04-23 07:20 - 2014-12-02 16:32 - 00000000 __SHD C:\Users\New User\AppData\Local\EmieBrowserModeList
2016-04-23 07:20 - 2014-12-02 12:27 - 00000000 ____D C:\Users\New User
2016-04-22 22:00 - 2015-01-19 16:35 - 00000000 ____D C:\Users\New User\AppData\Roaming\Spotify
2016-04-22 21:55 - 2015-04-21 20:36 - 00000000 ____D C:\Users\New User\Tracing
2016-04-22 21:15 - 2016-02-20 20:15 - 00000911 _____ C:\Windows\Tasks\EPSON XP-322 323 325 Series Update {E6608A40-48CE-4AE6-A4A0-CDB8667CEE35}.job
2016-04-22 20:24 - 2014-12-03 11:22 - 00000000 ____D C:\Users\Home\Desktop\Mum's Work
2016-04-20 20:58 - 2014-12-03 21:29 - 00000000 ____D C:\Users\New User\AppData\Roaming\Skype
2016-04-19 21:07 - 2014-12-03 12:35 - 00004182 _____ C:\Windows\System32\Tasks\avast! Emergency Update
2016-04-14 19:24 - 2015-08-05 20:30 - 00000000 ____D C:\Users\New User\AppData\Local\ElevatedDiagnostics
2016-04-10 22:12 - 2015-07-05 23:41 - 00000023 _____ C:\Windows\BlendSettings.ini
2016-04-08 19:59 - 2015-08-04 23:29 - 00000000 ____D C:\Program Files (x86)\Minecraft
2016-04-07 19:30 - 2015-05-06 21:29 - 00000000 ____D C:\Users\New User\AppData\Roaming\Update Manager
2016-04-06 10:18 - 2014-12-02 13:07 - 00453280 ____N (Microsoft Corporation) C:\Windows\system32\MpSigStub.exe

==================== Files in the root of some directories =======

2016-04-25 20:29 - 2016-04-25 20:29 - 0007605 _____ () C:\Users\Home\AppData\Local\Resmon.ResmonCfg

==================== Bamital & volsnap =================

(There is no automatic fix for files that do not pass verification.)

C:\Windows\system32\winlogon.exe => File is digitally signed
C:\Windows\system32\wininit.exe => File is digitally signed
C:\Windows\SysWOW64\wininit.exe => File is digitally signed
C:\Windows\explorer.exe => File is digitally signed
C:\Windows\SysWOW64\explorer.exe => File is digitally signed
C:\Windows\system32\svchost.exe => File is digitally signed
C:\Windows\SysWOW64\svchost.exe => File is digitally signed
C:\Windows\system32\services.exe => File is digitally signed
C:\Windows\system32\User32.dll => File is digitally signed
C:\Windows\SysWOW64\User32.dll => File is digitally signed
C:\Windows\system32\userinit.exe => File is digitally signed
C:\Windows\SysWOW64\userinit.exe => File is digitally signed
C:\Windows\system32\rpcss.dll => File is digitally signed
C:\Windows\system32\dnsapi.dll => File is digitally signed
C:\Windows\SysWOW64\dnsapi.dll => File is digitally signed
C:\Windows\system32\Drivers\volsnap.sys => File is digitally signed


LastRegBack: 2016-04-24 03:50

==================== End of FRST.txt ============================

 


#2 nasdaq

nasdaq

  • Malware Response Team
  • 39,508 posts
  • OFFLINE
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:01:24 PM

Posted 26 April 2016 - 10:23 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===

Press the Windows key + R on your keyboard at the same time. This will open the RUN BOX.
Type Notepad and click the OK key.
Please copy the entire contents of the code box below to a new file.
 
start


CreateRestorePoint:
EmptyTemp:
CloseProcesses:

SearchScopes: HKU\S-1-5-21-3873116147-1368744103-2316293078-1001 -> {6A1806CD-94D4-4689-BA73-E35EA1EA9990} URL =
FF HKLM-x32\...\Firefox\Extensions: [{BBDA0591-3099-440a-AA10-41764D9DB4DB}] - C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.1.0.19\IPSFFPlgn => not found
FF HKLM-x32\...\Firefox\Extensions: [{4C0766D3-67A7-45a3-85A2-752F77312F32}] - C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.1.0.19\coFFPlgn => not found
CHR Extension: (Chrome Web Store Payments) - C:\Users\Home\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2016-04-23]
Task: {2AE5CE13-8584-4C35-852E-ED5D28BD5523} - System32\Tasks\{833E52CE-A3F9-4BEA-AB31-9D2DB820635E} => pcalua.exe -a C:\Users\Home\Downloads\win32.exe -d C:\Users\Home\Downloads
Task: {5DCD7051-B802-445F-8985-D0CE70173361} - System32\Tasks\{991BB842-43E7-4478-95E0-2BF1968A905A} => Chrome.exe hxxp://www.skype.com/go/downloading?source=lightinstaller&ver=4.1.0.179.370&LastError=404
Task: {B447FE48-44B6-47AB-B957-68844D20C821} - System32\Tasks\{F1455E89-63EF-4889-9403-25AE0E6757D3} => Chrome.exe hxxp://www.skype.com/go/downloading?source=lightinstaller&ver=4.1.0.179.370&LastError=404
C:\Users\Home\Downloads\win32.exe
C:\Users\Home\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda

End
Save the file as fixlist.txt in the same folder where the Farbar tool is running from.
The location is listed in the 3rd line of the Farbar log you have submitted.

Run FRST and click Fix only once and wait.

Restart the computer normally to reset the registry.

The tool will create a log (Fixlog.txt) please post it to your reply.
===

Is the issue persisting?

#3 Cat-Hair

Cat-Hair
  • Topic Starter

  • Members
  • 6 posts
  • OFFLINE
  •  
  • Local time:06:24 PM

Posted 26 April 2016 - 02:02 PM

So i did what you instructed me to do,

Restarted my PC a minute ago and did some testing.

I seem to be having the same problem where i close a program and svchost quickly climbs to 1,400,000+K. It wont go down, even if I close even more programs.

This is the file that was created after using the fix button.

Fix result of Farbar Recovery Scan Tool (x64) Version:25-04-2016
Ran by Home (2016-04-26 19:53:24) Run:1
Running from C:\Users\Home\Downloads
Loaded Profiles: Home (Available Profiles: Home)
Boot Mode: Normal
==============================================

fixlist content:
*****************
start


CreateRestorePoint:
EmptyTemp:
CloseProcesses:

SearchScopes: HKU\S-1-5-21-3873116147-1368744103-2316293078-1001 -> {6A1806CD-94D4-4689-BA73-E35EA1EA9990} URL =
FF HKLM-x32\...\Firefox\Extensions: [{BBDA0591-3099-440a-AA10-41764D9DB4DB}] - C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.1.0.19\IPSFFPlgn => not found
FF HKLM-x32\...\Firefox\Extensions: [{4C0766D3-67A7-45a3-85A2-752F77312F32}] - C:\ProgramData\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_17.1.0.19\coFFPlgn => not found
CHR Extension: (Chrome Web Store Payments) - C:\Users\Home\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2016-04-23]
Task: {2AE5CE13-8584-4C35-852E-ED5D28BD5523} - System32\Tasks\{833E52CE-A3F9-4BEA-AB31-9D2DB820635E} => pcalua.exe -a C:\Users\Home\Downloads\win32.exe -d C:\Users\Home\Downloads
Task: {5DCD7051-B802-445F-8985-D0CE70173361} - System32\Tasks\{991BB842-43E7-4478-95E0-2BF1968A905A} => Chrome.exe hxxp://www.skype.com/go/downloading?source=lightinstaller&ver=4.1.0.179.370&LastError=404
Task: {B447FE48-44B6-47AB-B957-68844D20C821} - System32\Tasks\{F1455E89-63EF-4889-9403-25AE0E6757D3} => Chrome.exe hxxp://www.skype.com/go/downloading?source=lightinstaller&ver=4.1.0.179.370&LastError=404
C:\Users\Home\Downloads\win32.exe
C:\Users\Home\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda

End
*****************

Restore point was successfully created.
Processes closed successfully.
"HKU\S-1-5-21-3873116147-1368744103-2316293078-1001\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{6A1806CD-94D4-4689-BA73-E35EA1EA9990}" => key removed successfully
HKCR\CLSID\{6A1806CD-94D4-4689-BA73-E35EA1EA9990} => key not found.
HKLM\Software\Wow6432Node\Mozilla\Firefox\Extensions\\{BBDA0591-3099-440a-AA10-41764D9DB4DB} => value removed successfully
HKLM\Software\Wow6432Node\Mozilla\Firefox\Extensions\\{4C0766D3-67A7-45a3-85A2-752F77312F32} => value removed successfully
C:\Users\Home\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda => moved successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\Task: {2AE5CE13-8584-4C35-852E-ED5D28BD5523} - => key not found.
System32\Tasks\{833E52CE-A3F9-4BEA-AB31-9D2DB820635E} => pcalua.exe -a C:\Users\Home\Downloads\win32.exe -d C:\Users\Home\Downloads => Error: No automatic fix found for this entry.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{5DCD7051-B802-445F-8985-D0CE70173361}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{5DCD7051-B802-445F-8985-D0CE70173361}" => key removed successfully
C:\Windows\System32\Tasks\{991BB842-43E7-4478-95E0-2BF1968A905A} => moved successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\{991BB842-43E7-4478-95E0-2BF1968A905A}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{B447FE48-44B6-47AB-B957-68844D20C821}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{B447FE48-44B6-47AB-B957-68844D20C821}" => key removed successfully
C:\Windows\System32\Tasks\{F1455E89-63EF-4889-9403-25AE0E6757D3} => moved successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\{F1455E89-63EF-4889-9403-25AE0E6757D3}" => key removed successfully
"C:\Users\Home\Downloads\win32.exe" => not found.
"C:\Users\Home\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda" => not found.
EmptyTemp: => 334.3 MB temporary data Removed.


The system needed a reboot.

==== End of Fixlog 19:54:21 ====
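
Two entries in that fixlist are worth generalizing. One is a scheduled task that uses pcalua.exe (the Program Compatibility Assistant launcher, a legitimate Windows binary) to start win32.exe out of the Downloads folder; FRST reported "No automatic fix found for this entry" for it, so it is still registered after the fix ran. The others are tasks whose command line points into the user profile. The following PowerShell, added here as an example and not part of the thread or of Farbar's tooling, walks every registered task on a Windows 7 machine and flags both patterns. It uses the Schedule.Service COM object because Get-ScheduledTask only exists on Windows 8 and later; the list of proxy launchers is an assumed, illustrative set, not a complete one.

```powershell
# Added example (not from the thread): flag scheduled tasks whose action is a
# proxy launcher (pcalua.exe, rundll32.exe, ...) or whose command line points
# into a user-writable location. Works on stock Windows 7 PowerShell 2.0.
# Assumption: the launcher list is illustrative, extend it as needed.

$launchers = 'pcalua.exe', 'rundll32.exe', 'mshta.exe', 'wscript.exe',
             'cscript.exe', 'cmd.exe', 'powershell.exe', 'forfiles.exe'
$writable  = '\\Users\\', '\\AppData\\', '\\Temp\\', '\\Downloads\\'

function Get-TasksRecursive($folder) {
    # 1 = TASK_ENUM_HIDDEN, so hidden tasks are included as well
    foreach ($t in $folder.GetTasks(1)) { $t }
    foreach ($sub in $folder.GetFolders(0)) { Get-TasksRecursive $sub }
}

function Find-SuspiciousTasks {
    $sched = New-Object -ComObject Schedule.Service
    $sched.Connect()
    foreach ($task in Get-TasksRecursive $sched.GetFolder('\')) {
        $xml = [xml]$task.Xml
        # A task can carry several Exec actions, or none at all (COM handler actions)
        foreach ($exec in @($xml.Task.Actions.Exec)) {
            if (-not $exec) { continue }
            $cmd    = ([string]$exec.Command).Trim()
            $argStr = ([string]$exec.Arguments).Trim()
            $exe    = ($cmd.Trim('"') -replace '^.*[\\/]', '')   # bare file name
            $full   = "$cmd $argStr".Trim()

            $flags = @()
            if ($launchers -contains $exe) { $flags += "proxy launcher $exe" }
            foreach ($pattern in $writable) {
                if ($full -match $pattern) { $flags += 'user-writable path'; break }
            }
            if ($flags) {
                New-Object PSObject -Property @{
                    Task    = $task.Path
                    Author  = [string]$xml.Task.RegistrationInfo.Author
                    Command = $full
                    Flags   = ($flags -join '; ')
                }
            }
        }
    }
}

Find-SuspiciousTasks | Format-Table Task, Flags, Command -AutoSize -Wrap
```

Run it from an elevated prompt so tasks registered by other accounts are visible. On the machine in this thread it would flag the {833E52CE-A3F9-4BEA-AB31-9D2DB820635E} task on both counts: the launcher is pcalua.exe and the real target is a file in Downloads. The launcher itself is not the problem; the path it is told to run is what needs checking. Since the Fix did not remove that task, `schtasks /Delete /TN "{833E52CE-A3F9-4BEA-AB31-9D2DB820635E}" /F` from an elevated prompt will, after which win32.exe (already reported as not found by FRST) is the file to look for or quarantine if it reappears.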



#4 nasdaq

Posted 27 April 2016 - 06:01 AM


Let's check further.

Please download and run the following tool to help allow other programs to run. (courtesy of BleepingComputer.com)
There are 3 different versions. If one of them won't run then download and try to run the other one.
Vista and Win7 users need to right click and choose Run as Admin
You only need to get one of them to run, not all of them.

rkill.exe
rkill.com
rkill.scr

It is possible that the infection you are trying to remove will not allow you to download files on the infected computer. If this is the case, then you will need to download the files requested on another computer and then transfer them to the desktop of the infected computer. You can transfer the files via a CD/DVD, external drive, or USB flash drive.

When completed it will create a log. Please post the content on your next reply.
===

--RogueKiller--
  • Download & SAVE to your Desktop Download RogueKiller
  • Quit all programs that you may have started.
  • Please disconnect any USB or external drives from the computer before you run this scan!
  • For Vista or above, right-click the program file and select "Run as Administrator"
  • Accept the user agreements.
  • Execute the scan and wait until it has finished.
  • If a window opens to explain what PUMs are, read about it.
  • Click the RogueKiller icon on your taskbar to return to the report.
  • Click to open the Report.
  • Click the Export TXT button.
  • Save the file as ReportRogue.txt.
  • Click the Remove button to delete the items in RED.
  • Click Finish and close the program.
  • Locate the ReportRogue.txt file on your Desktop and copy/paste the contents in your next reply.
=======

#5 Cat-Hair (Topic Starter)

Posted 27 April 2016 - 01:45 PM

Here is the Rkill64 report.

Rkill 2.8.4 by Lawrence Abrams (Grinler)
http://www.bleepingcomputer.com/
Copyright 2008-2016 BleepingComputer.com
More Information about Rkill can be found at this link:
 http://www.bleepingcomputer.com/forums/topic308364.html

Program started at: 04/27/2016 07:10:26 PM in x64 mode.
Windows Version: Windows 7 Home Premium Service Pack 1

Checking for Windows services to stop:

 * No malware services found to stop.

Checking for processes to terminate:

 * No malware processes found to kill.

Checking Registry for malware related settings:

 * No issues found in the Registry.

Resetting .EXE, .COM, & .BAT associations in the Windows Registry.

Performing miscellaneous checks:

Here is the RogueKiller report.

RogueKiller V12.1.4.0 [Apr 25 2016] (Free) by Adlice Software
mail : http://www.adlice.com/contact/
Feedback : http://forum.adlice.com
Website : http://www.adlice.com/software/roguekiller/
Blog : http://www.adlice.com

Operating System : Windows 7 (6.1.7601 Service Pack 1) 64 bits version
Started in : Normal mode
User : Home [Administrator]
Started from : C:\Users\Home\Downloads\RogueKiller(1).exe
Mode : Scan -- Date : 04/27/2016 19:39:59

¤¤¤ Processes : 0 ¤¤¤

¤¤¤ Registry : 8 ¤¤¤
[PUM.HomePage] (X64) HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main | Start Page :
[PUM.HomePage] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main | Start Page :
[PUM.HomePage] (X64) HKEY_USERS\S-1-5-21-3873116147-1368744103-2316293078-1001\Software\Microsoft\Internet Explorer\Main | Start Page :
[PUM.HomePage] (X86) HKEY_USERS\S-1-5-21-3873116147-1368744103-2316293078-1001\Software\Microsoft\Internet Explorer\Main | Start Page :
[PUM.HomePage] (X64) HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main | Default_Page_URL :
[PUM.HomePage] (X86) HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main | Default_Page_URL :
[PUM.HomePage] (X64) HKEY_USERS\S-1-5-21-3873116147-1368744103-2316293078-1001\Software\Microsoft\Internet Explorer\Main | Default_Page_URL :
[PUM.HomePage] (X86) HKEY_USERS\S-1-5-21-3873116147-1368744103-2316293078-1001\Software\Microsoft\Internet Explorer\Main | Default_Page_URL :

¤¤¤ Tasks : 0 ¤¤¤

¤¤¤ Files : 0 ¤¤¤

¤¤¤ Hosts File : 0 ¤¤¤

¤¤¤ Antirootkit : 0 (Driver: Not loaded [0xc000036b]) ¤¤¤

¤¤¤ Web browsers : 0 ¤¤¤

¤¤¤ MBR Check : ¤¤¤
+++++ PhysicalDrive0: ST3500418AS +++++
--- User ---
[MBR] 74b02f6799268d67e7dc0ff4fa7615c3
[BSP] f0eba3abd830b52e6ec975e06229a3dd : Windows Vista/7/8 MBR Code
Partition table:
0 - [XXXXXX] ACER (0x27) [VISIBLE] Offset (sectors): 2048 | Size: 21504 MB
1 - [ACTIVE] NTFS (0x7) [VISIBLE] Offset (sectors): 44042240 | Size: 100 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
2 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 44247040 | Size: 227278 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
3 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 509712384 | Size: 228056 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
User = LL1 ... OK
User = LL2 ... OK

+++++ PhysicalDrive1: Generic- SD/MMC USB Device +++++
Error reading User MBR! ([15] The device is not ready. )
Error reading LL1 MBR! NOT VALID!
Error reading LL2 MBR! ([32] The request is not supported. )

+++++ PhysicalDrive2: Generic- Compact Flash USB Device +++++
Error reading User MBR! ([15] The device is not ready. )
Error reading LL1 MBR! NOT VALID!
Error reading LL2 MBR! ([32] The request is not supported. )

+++++ PhysicalDrive3: Generic- SM/xD Picture USB Device +++++
Error reading User MBR! ([15] The device is not ready. )
Error reading LL1 MBR! NOT VALID!
Error reading LL2 MBR! ([32] The request is not supported. )

+++++ PhysicalDrive4: Generic- MS/MS-Pro USB Device +++++
Error reading User MBR! ([15] The device is not ready. )
Error reading LL1 MBR! NOT VALID!
Error reading LL2 MBR! ([32] The request is not supported. )

#6 nasdaq

Posted 28 April 2016 - 06:12 AM

Let's investigate the instances of svchost.exe usage.

Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2


If your operating system is 64 bit download this tool:
SystemLook_x64.exe
  • Double-click SystemLook.exe to run it.
  • Copy and paste the following text into the main textfield:
    :regfind
    svchost.exe
    :filefind
    svchost.exe
  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
  • Note: The log can also be found on your Desktop entitled SystemLook.txt.
===

#7 Cat-Hair (Topic Starter)

Posted 28 April 2016 - 04:18 PM

Message was too long, I've attached the .txt instead.



#8 nasdaq

Posted 29 April 2016 - 08:30 AM

Download and run this Process Explorer tool.
https://technet.microsoft.com/en-us/sysinternals/processexplorer.aspx

Read the instructions on the page and see if you can find which process is using the most bytes...

Look at Services.exe > Svchost.exe

Can you find what might be using the extra RAM?
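
Process Explorer answers this interactively, but the two checks asked for in the last two posts (SystemLook's search for copies of svchost.exe on disk, and Process Explorer's view of which service host holds the memory) can also be scripted. The following PowerShell is an added example, not part of the thread and not Sysinternals' or SystemLook's code. It assumes stock Windows 7 PowerShell 2.0, so it uses WMI rather than Get-CimInstance, and it must be run from an elevated prompt or the paths of SYSTEM-owned processes come back empty.

```powershell
# Added example (not from the thread): for every running svchost.exe report
# where it was loaded from, whether that file carries a valid Authenticode
# signature, which process launched it, how much RAM it holds and which
# services it hosts; then sweep the system drive for copies of svchost.exe
# outside the two directories the real one lives in.
# Assumption: Windows 7 with PowerShell 2.0, run from an elevated prompt.

$expected = @("$env:SystemRoot\System32\svchost.exe",
              "$env:SystemRoot\SysWOW64\svchost.exe")

function Get-SvchostReport {
    foreach ($p in Get-WmiObject Win32_Process -Filter "Name='svchost.exe'") {
        $path   = $p.ExecutablePath
        $parent = Get-WmiObject Win32_Process -Filter "ProcessId=$($p.ParentProcessId)"
        $hosted = Get-WmiObject Win32_Service -Filter "ProcessId=$($p.ProcessId)" |
                  ForEach-Object { $_.Name }
        $sig    = if ($path) { (Get-AuthenticodeSignature $path).Status } else { 'unknown' }

        # A genuine service host is started by services.exe, lives in System32
        # or SysWOW64, is validly signed and hosts at least one service.
        $flags = @()
        if ($path -and ($expected -notcontains $path)) { $flags += 'unexpected path' }
        if ("$sig" -ne 'Valid')                        { $flags += "signature $sig" }
        if ($parent.Name -ne 'services.exe')           { $flags += "parent $($parent.Name)" }
        if (-not $hosted)                              { $flags += 'hosts no service' }

        New-Object PSObject -Property @{
            PID          = $p.ProcessId
            WorkingSetMB = [math]::Round($p.WorkingSetSize / 1MB, 1)
            Services     = ($hosted -join ', ')
            Flags        = ($flags -join '; ')
            Path         = $path
        }
    }
}

Get-SvchostReport | Sort-Object WorkingSetMB -Descending |
    Format-Table PID, WorkingSetMB, Flags, Services -AutoSize -Wrap

# On-disk copies outside System32/SysWOW64. WinSxS and the servicing store
# legitimately hold extra copies, so those two trees are excluded.
Get-ChildItem -Path "$env:SystemDrive\" -Recurse -Force -Filter svchost.exe -ErrorAction SilentlyContinue |
    Where-Object { ($expected -notcontains $_.FullName) -and ($_.FullName -notmatch '\\(WinSxS|servicing)\\') } |
    Select-Object FullName, Length, LastWriteTime
```

The PID with the largest working set is the one to examine, and its Services column lists everything that host is running. On Windows 7 one host normally carries a whole service group (netsvcs, for example), so the process alone does not tell you which service owns the memory: stop the listed services one at a time (`net stop <name>`) and watch whether the working set drops. A host with no flags is a signed Microsoft binary in its proper place, and the problem is then a service leaking memory rather than a masquerading binary. The disk sweep reads the whole system drive and takes a few minutes on a spinning disk.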

#9 Cat-Hair (Topic Starter)

Posted 29 April 2016 - 11:23 AM

svchost.exe:968 is the one that is running at 1,000,000+K.

The other svchosts seem to be okay.



#10 nasdaq

Posted 30 April 2016 - 06:25 AM

Double-click the I.D.

A window will open.

Under Image > Auto-Start location, select Explore.

Which registry key is it referencing?

#11 Cat-Hair (Topic Starter)

Posted 02 May 2016 - 04:43 PM

I can't find the svchost.exe:968 anymore and my computer seems to be running normally.

If the problem occurs again I will follow the last instruction you sent me.

Side note: a lot of the svchosts have no autostart location (marked 'n/a').



#12 nasdaq

Posted 03 May 2016 - 06:31 AM

That's not a problem. The operating system manages these as and when needed.

Let me know in a week if the problem is solved.

#13 nasdaq

Posted 09 May 2016 - 07:39 AM

If all is well.

To learn more about how to protect yourself while on the internet, read this little guide on best security practices to keep safe.
http://www.bleepingcomputer.com/forums/t/407147/answers-to-common-security-questions-best-practices/

#14 nasdaq

Posted 15 May 2016 - 08:34 AM

It appears that this issue is resolved, therefore I am closing the topic. If that is not the case and you need or wish to continue with this topic, please send me or any Moderator a Personal Message (PM) that you would like this topic re-opened.