Possible virus taking up CPU


  • This topic is locked
32 replies to this topic

#1 Famuzy

  • Members
  • 25 posts

Posted 09 November 2017 - 02:58 PM

I posted a topic in another sub forum, followed the prep guide which led me here. Here is a link to the original topic: https://www.bleepingcomputer.com/forums/t/662306/possible-virus-taking-up-cpu/

 

Copied from the original topic:

A little while back, maybe a few weeks or a month ago, I got a virus but removed it pretty quickly with a Malwarebytes scan, but I'm thinking it missed something.

 

This process in Task Manager labeled "Windows Process Manager" often takes up a good amount of my CPU, sometimes it sits at 0-3% but other times it will take up 5-10% or more. https://i.imgur.com/DBGcF9m.png

 

If I try to end process, it simply doesn't do anything. However, when I right-click and go to details it shows me something called "pchrvuk.exe". There are multiple of these: https://i.imgur.com/mRDRwbA.png

If I try to end task from there, it tells me "Unable to terminate process. The operation could not be completed. Access is denied." https://i.imgur.com/FYXGipH.png

 

When I right click on pchrvuk.exe and click "Open file location", it tells me "Location is not available. C:\users\isaiah\appdata\Local\snnxewc is not accessible. Access is denied" https://i.imgur.com/zu5JAbK.png

I've tried running a custom scan in Malwarebytes on just that folder and it comes up clean.

 

There's also another program in my task manager called "Client Service" that links back to that folder when I Open file location. https://i.imgur.com/YPXuxrC.png

 

Another important thing, this "pchrvuk.exe" is taking up quite a bit of my data usage, which is pretty worrying. https://i.imgur.com/fqH4xoR.png

 

Not entirely sure what all of this means and what to do about it, so hopefully I can find some help here.

 

Edit: I just noticed while scrolling through Task Manager that there are quite a lot of svchost.exe's running. Not sure what to make of that or if it's related; it doesn't seem right though. https://i.imgur.com/kkwGzfk.png

 

FRST Log file contents: 

Spoiler
 

 

 
Contents of the "addition" FRST file: 
 
Spoiler
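
The symptoms in the first post (an image running from a random-named folder under AppData\Local, several instances, a Windows-sounding description) can be written as a triage check. This is an added example, not part of the thread or any poster's tooling; the snapshot is constructed, `client.exe` is a hypothetical file name, and the name heuristic, the thresholds and the `C:\Windows` system root are assumptions.

```python
import re
from collections import Counter
from pathlib import PureWindowsPath

# Constructed (description, image path) snapshot; "client.exe" is hypothetical.
SNAPSHOT = [
    ("Windows Process Manager", r"C:\Users\isaiah\AppData\Local\snnxewc\pchrvuk.exe"),
    ("Windows Process Manager", r"C:\Users\isaiah\AppData\Local\snnxewc\pchrvuk.exe"),
    ("Client Service", r"C:\Users\isaiah\AppData\Local\snnxewc\client.exe"),
    ("Host Process for Windows Services", r"C:\Windows\System32\svchost.exe"),
    ("Host Process for Windows Services", r"C:\Windows\System32\svchost.exe"),
    ("Microsoft OneDrive", r"C:\Users\isaiah\AppData\Local\Microsoft\OneDrive\OneDrive.exe"),
]

# An .exe sitting exactly one folder below a user's AppData\Local.
PROFILE_EXE = re.compile(r"^[a-z]:\\users\\[^\\]+\\appdata\\local\\([^\\]+)\\[^\\]+\.exe$", re.I)

def looks_random(name):
    """Heuristic (assumption): 5-12 lowercase letters with under 25% vowels."""
    if not re.fullmatch(r"[a-z]{5,12}", name):
        return False
    return sum(c in "aeiou" for c in name) / len(name) < 0.25

def triage(snapshot, min_reasons=2):
    """Map each suspicious image path to its reasons (C:\\Windows assumed as system root)."""
    instances = Counter(path.lower() for _, path in snapshot)
    findings = {}
    for desc, path in snapshot:
        lower = path.lower()
        reasons = []
        match = PROFILE_EXE.match(path)
        if match:
            reasons.append("executable directly under a folder in AppData\\Local")
            if looks_random(match.group(1)):
                reasons.append("random-looking folder name")
            if looks_random(PureWindowsPath(path).stem):
                reasons.append("random-looking file name")
            if instances[lower] > 1:
                reasons.append(f"{instances[lower]} instances running")
        if desc.lower().startswith("windows") and not lower.startswith("c:\\windows\\"):
            reasons.append("Windows-sounding description outside C:\\Windows")
        if len(reasons) >= min_reasons:
            findings[lower] = reasons
    return findings

if __name__ == "__main__":
    for image, reasons in triage(SNAPSHOT).items():
        print(image, "->", "; ".join(reasons))
```

The svchost.exe entries are not flagged: multiple instances running from C:\Windows\System32 are expected on Windows, and only the image path and name pattern carry weight here.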
 
 



#2 JSntgRvr

    Master Surgeon General

  • Malware Response Team
  • 10,473 posts
  • Gender:Male
  • Location:Puerto Rico

Posted 09 November 2017 - 03:48 PM

Hi

Welcome :)

I'll be helping you with your computer.

Please read this post completely before beginning. If there's anything that you do not understand, please don't hesitate to ask before proceeding.

Please take note of the guidelines for this fix:

  • Please note that I am a volunteer. I do have a family, a career, and other endeavors that may prevent immediate responses that meet your schedule. Do note that the differences in time zones could present a problem as well. Your patience and understanding will be greatly appreciated.
  • First of all, the procedures we are about to perform are specific to your problem and should only be used on this specific computer.
  • Do not make any changes to your computer that include installing/uninstalling programs, deleting files, modifying the registry, nor running scanners or tools of any kind unless specifically requested by me.
  • Please read ALL instructions carefully and perform the steps fully and in the order they are written.
  • If things appear to be better, let me know. Just because the symptoms no longer exist as before, does not mean that you are clean.
  • Continue to read and follow my instructions until I tell you that your machine is clean.
  • If you have any questions at all, please do not hesitate to ask before performing the task that I ask of you, and please wait for my reply before you proceed.
  • Scanning with programs and reading the logs do take a fair amount of time. Again, your patience will be necessary. :)

Let's begin... :)
 

 

Print these instructions, as the tool we are about to run may restart the computer various times.

Download version mbar-1.10.3.1001-nr.exe of Malwarebytes Anti Rootkit (MBAR)

  • Run the exe as administrator by right-clicking it and selecting Run as administrator.
  • Click ok to extract.
  • After extraction MBAR should start.
  • Click next.
  • Update by hitting the update button.
  • After the update completes hit next.
  • Deselect sectors and system below. Hit the scan button. Please let it finish the scan. This rootkit may slow your machine down and MBAR may look like it will freeze but it will continue to scan. Please allow it to do so.
  • If you get the following error message:

Could not load DDA driver

  • Click Yes and your computer will reboot.
  • After the reboot, the MBAR window should automatically open.

Note: If your Desktop is missing/black, do not worry. This is normal. Please proceed with the remaining instructions below.

  • Click Next followed by Next.
  • Uncheck System and Sectors. Click Scan.
  • If the scan successfully completes, please skip to the Remediation bullet points below.
  • If you receive the same message, "Could not load DDA driver", click Yes.
  • Click OK. Your computer will automatically boot into the Recovery Environment. Proceed with the instructions below afterwards.
  • If Windows did not boot into the recovery environment hold the SHIFT key and click restart computer while holding the shift key down. You should then boot into the boot options menu. Select repair your computer from the list and follow the instructions below.
  • If still not successful, from an administrator command prompt in normal Windows run the following command:

bcdedit.exe /set {bootmgr} displaybootmenu yes

  • Windows 7:

    Select your desired keyboard layout and click Next.

    Select your user account, enter your user account password (leave blank if you don't have one) and click OK.

    Click Command Prompt.

 

  • Windows 10:

    Click Troubleshoot.

    Click Advanced Options followed by Command Prompt.

    Select your account and enter your password if you have one.

 

  • Command Prompt in Recovery Environment:

 

  • Type the following text below into the Command Prompt and press Enter on the keyboard:

BCDEDIT |Find "osdevice"

Note the osdevice partition letter, then type:

X:\mbstart.cmd

Where X is the osdevice letter, and press Enter

  • The tool will start to run.
  • The MBAR window should automatically open.
  • Click Next followed by Next.
  • Uncheck System and Sectors. Click Scan.

 

  • Remediation:

If threats are detected, click the Cleanup button.

If you are prompted to restart, please hit Yes.

Upon completion of the scan or after the reboot, two files named mbar-log.txt and system-log.txt will be created.

Both files can be found in the extracted MBAR folder on your Desktop.

Please attach both files in your next reply.


Edited by JSntgRvr, 09 November 2017 - 03:58 PM.
typo

Under Hurricane Emergency, expect delays on my responses

No request for help throughout private messaging will be attended.

If I have helped you, consider making a donation to help me continue the fight against Malware!


#3 Famuzy


Posted 09 November 2017 - 04:09 PM

So I downloaded MBAR, ran as admin like you said but it won't open. I tried waiting a few minutes, then tried running again, waited a few more minutes but it's just not working.



#4 JSntgRvr


Posted 09 November 2017 - 04:42 PM

Rename the file as Kittycat and try again.




#5 Famuzy


Posted 09 November 2017 - 06:50 PM

"Rename the file as Kittycat and try again."

Thank you, that worked. I completed the scan and rebooted my computer, but it's still rebooting. It's been going for about an hour or so; should I do something or just wait?

#6 JSntgRvr


Posted 09 November 2017 - 07:13 PM

I would wait for the tool to remove that rootkit at boot.




#7 Famuzy


Posted 09 November 2017 - 07:18 PM

The laptop finally turned off but now it's not turning back on; it's been turned off for maybe 10 minutes. I guess I'll just wait then? I'm typing on my phone right now.

Edited by Famuzy, 09 November 2017 - 07:20 PM.


#8 JSntgRvr


Posted 09 November 2017 - 07:32 PM

If it is off, restart the computer.

See if the two files named mbar-log.txt and system-log.txt were created. Both files can be found in the extracted MBAR folder on your Desktop. If found, post their content.




#9 JSntgRvr


Posted 09 November 2017 - 08:33 PM

Famuzy, if the files are not present, open FRST, make sure there is a check-mark under addition and click on Scan. Post the newly created FRST.txt and addition.txt.

 

I am about to go offline. Will check on you tomorrow.




#10 Famuzy


Posted 09 November 2017 - 09:12 PM

My laptop is taking a very long time to turn on. I'm gonna leave it turning on while I sleep; I'll let you know what happens.

#11 Famuzy


Posted 10 November 2017 - 05:37 AM

I woke up and the laptop still isn't on... This hasn't happened before, but I haven't restarted it in a pretty long time.

#12 JSntgRvr


Posted 10 November 2017 - 01:42 PM

I don't know if MBAR had problems booting to the Recovery Environment. See if you can reach the Recovery Environment Command prompt.

 

  • Type the following text below into the Command Prompt and press Enter on the keyboard:

BCDEDIT | Find "osdevice"

Note the osdevice partition letter, then type:

X:\mbstart.cmd

Where X is the osdevice letter, and press Enter

  • If MBAR runs, then there was a pending process.
  • In that case the MBAR window should automatically open.
  • Click Next followed by Next.
  • Uncheck System and Sectors. Click Scan.
  • If threats are detected, click the Cleanup button.
  • If you are prompted to restart, please hit Yes.
  • Upon completion of the scan or after the reboot, two files named mbar-log.txt and system-log.txt will be created.
  • Both files can be found in the extracted MBAR folder on your Desktop.
  • Please attach both files in your next reply.



#13 Famuzy


Posted 10 November 2017 - 02:22 PM

Problem is my laptop won't do anything when I turn it on. I can hear it and the lights in my keyboard turn on, but it doesn't connect to the monitor. It usually takes maybe 30 seconds or a little more for the monitor to display anything on startup, but it's not connecting at all. So for some reason my laptop isn't starting up correctly anymore.

Edited by Famuzy, 10 November 2017 - 02:25 PM.


#14 JSntgRvr


Posted 10 November 2017 - 05:27 PM

If you press F9 during startup, the computer may enter into the recovery Mode. Select Troubleshoot => Advanced Options => Command Prompt.

 

Let me know if possible.




#15 Famuzy


Posted 10 November 2017 - 05:46 PM

No, the monitor is still blank



