wmiprvse.exe and SearchFilterHost.exe high CPU usage


It seems I have a similar issue as here: http://forums.malwarebytes.org/index.php?showtopic=122829

I ran AVG and MBAM and they each caught one item and deleted it. But no change on my issue.

Is anyone available to run me through a fix? Would be very much appreciated! :)

DDS (Ver_2012-11-20.01) - NTFS_x86

Internet Explorer: 10.0.9200.16576 BrowserJavaVersion: 10.21.2

Run by JonFergus at 16:19:17 on 2013-05-16

Microsoft Windows 7 Enterprise 6.1.7601.1.1252.1.1033.18.2814.1519 [GMT -7:00]

.

AV: AVG AntiVirus Free Edition 2013 *Enabled/Updated* {0E9420C4-06B3-7FA0-3AB1-6E49CB52ECD9}

SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

SP: AVG AntiVirus Free Edition 2013 *Enabled/Updated* {B5F5C120-2089-702E-0001-553BB0D5A664}

.

============== Running Processes ================

.

C:\PROGRA~1\AVG\AVG2013\avgrsx.exe

C:\Program Files\AVG\AVG2013\avgcsrvx.exe

C:\Windows\system32\wininit.exe

C:\Windows\system32\lsm.exe

C:\Windows\system32\Ati2evxx.exe

c:\program files\common files\logishrd\lvmvfm\LVPrcSrv.exe

C:\Windows\system32\WLANExt.exe

C:\Windows\system32\conhost.exe

C:\Windows\system32\Ati2evxx.exe

C:\Windows\System32\spoolsv.exe

C:\Program Files\AVG\AVG2013\avgidsagent.exe

C:\Program Files\AVG\AVG2013\avgwdsvc.exe

C:\Program Files\Malwarebytes' Anti-Malware\mbamscheduler.exe

C:\Windows\system32\taskhost.exe

C:\Windows\system32\Dwm.exe

C:\Windows\Explorer.EXE

C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe

C:\Program Files\Common Files\AVG Secure Search\vToolbarUpdater\14.2.0\ToolbarUpdater.exe

C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe

C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE

C:\Program Files\AVG\AVG2013\avgnsx.exe

C:\Program Files\AVG\AVG2013\avgemcx.exe

C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe

C:\Program Files\AVG Secure Search\vprot.exe

C:\Program Files\AVG\AVG2013\avgui.exe

C:\Program Files\Adobe\Acrobat 10.0\Acrobat\acrotray.exe

C:\Program Files\Common Files\Java\Java Update\jusched.exe

C:\Windows\System32\StikyNot.exe

C:\Program Files\Innovative Solutions\System Tray Cleaner\stc.exe

C:\Program Files\uTorrent\uTorrent.exe

C:\Program Files\Ergonis\PopChar\PopChar.exe

C:\Program Files\Quick Unicode Input\quick.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

C:\Program Files\Windows Media Player\wmpnetwk.exe

C:\Windows\system32\taskmgr.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\Windows\servicing\TrustedInstaller.exe

C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe

C:\Windows\system32\msiexec.exe

C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe

C:\Program Files\Mozilla Firefox\plugin-container.exe

C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_7_700_202.exe

C:\Windows\system32\Macromed\Flash\FlashPlayerPlugin_11_7_700_202.exe

C:\Windows\system32\SearchIndexer.exe

C:\Windows\system32\conhost.exe

C:\Windows\system32\wbem\wmiprvse.exe

C:\Windows\system32\SearchProtocolHost.exe

C:\Windows\system32\SearchFilterHost.exe

C:\Windows\system32\RunDll32.exe

C:\Windows\system32\svchost.exe -k DcomLaunch

C:\Windows\system32\svchost.exe -k RPCSS

C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted

C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted

C:\Windows\system32\svchost.exe -k LocalService

C:\Windows\system32\svchost.exe -k netsvcs

C:\Windows\system32\svchost.exe -k NetworkService

C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork

C:\Windows\system32\svchost.exe -k imgsvc

C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted

C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation

.

============== Pseudo HJT Report ===============

.

uStart Page = hxxp://search.conduit.com?SearchSource=10&CUI=UN20859411146742156&UM=2&ctid=CT3291673

BHO: AVG Safe Search: {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} -

BHO: Java Plug-In SSV Helper: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - c:\program files\java\jre7\bin\ssv.dll

BHO: Windows Live ID Sign-in Helper: {9030D464-4C02-4ABF-8ECC-5164760863C6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll

BHO: AVG Security Toolbar: {95B7759C-8C7F-4BF1-B163-73684A933233} - c:\program files\avg secure search\14.2.0.1\AVG Secure Search_toolbar.dll

BHO: Adobe PDF Conversion Toolbar Helper: {AE7CD045-E861-484f-8273-0445EE161910} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll

BHO: Java Plug-In 2 SSV Helper: {DBC80044-A445-435b-BC74-9C25C1C588A9} - c:\program files\java\jre7\bin\jp2ssv.dll

BHO: SmartSelect Class: {F4971EE7-DAA0-4053-9964-665D8EE6A077} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll

TB: AVG Security Toolbar: {95B7759C-8C7F-4BF1-B163-73684A933233} - c:\program files\avg secure search\14.2.0.1\AVG Secure Search_toolbar.dll

TB: Adobe PDF: {47833539-D0C5-4125-9FA8-0819E2EAAC93} - c:\program files\common files\adobe\acrobat\activex\AcroIEFavClient.dll

uRun: [RESTART_STICKY_NOTES] c:\windows\system32\StikyNot.exe

uRun: [iSUSPM] "c:\programdata\flexnet\connect\11\ISUSPM.exe" -scheduler

uRun: [sTC] "c:\program files\innovative solutions\system tray cleaner\stc.exe" -startup

uRun: [uTorrent] "c:\program files\utorrent\uTorrent.exe" /MINIMIZED

uRunOnce: [spUninstallDeleteDir] rmdir /s /q "c:\users\jonfergus\appdata\roaming\SearchProtect"

mRun: [vProt] "c:\program files\avg secure search\vprot.exe"

mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"

mRun: [AVG_UI] "c:\program files\avg\avg2013\avgui.exe" /TRAYONLY

mRun: [Adobe Acrobat Speed Launcher] "c:\program files\adobe\acrobat 10.0\acrobat\Acrobat_sl.exe"

mRun: [Acrobat Assistant 8.0] "c:\program files\adobe\acrobat 10.0\acrobat\Acrotray.exe"

mRun: [sunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"

mRunOnce: [spUninstallCleanUp] REG delete HKEY_CURRENT_USER\Software\SearchProtect /f

dRun: [searchProtect] \SearchProtect\bin\cltmng.exe

StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\popchar.lnk - c:\program files\ergonis\popchar\PopChar.exe

StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\quicku~1.lnk - c:\program files\quick unicode input\quick.exe

mPolicies-System: ConsentPromptBehaviorAdmin = dword:5

mPolicies-System: ConsentPromptBehaviorUser = dword:3

mPolicies-System: EnableUIADesktopToggle = dword:0

mPolicies-System: FilterAdministratorToken = dword:1

DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxps://fpdownload.macromedia.com/get/shockwave/cabs/flash/swflash.cab

TCP: NameServer = 8.8.8.8 192.168.5.1

TCP: Interfaces\{52BBB533-8D4D-4AA8-805F-704DBC67398D} : DHCPNameServer = 8.8.8.8 192.168.5.1

TCP: Interfaces\{52BBB533-8D4D-4AA8-805F-704DBC67398D}\254434B4F5055726C69636 : DHCPNameServer = 192.168.2.1

TCP: Interfaces\{52BBB533-8D4D-4AA8-805F-704DBC67398D}\478656778696475686F6573756 : DHCPNameServer = 64.59.168.13 64.59.168.15 64.59.174.84

TCP: Interfaces\{52BBB533-8D4D-4AA8-805F-704DBC67398D}\543594350275966496 : DHCPNameServer = 192.168.50.1 207.194.55.129 204.174.16.4

TCP: Interfaces\{52BBB533-8D4D-4AA8-805F-704DBC67398D}\C4962627162797D2055726C69636 : DHCPNameServer = 8.8.8.8 192.168.100.32

Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} -

Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\program files\common files\skype\Skype4COM.dll

Handler: viprotocol - {B658800C-F66E-4EF3-AB85-6C0C227862A9} - c:\program files\common files\avg secure search\viprotocolinstaller\14.2.0\ViProtocol.dll

Handler: wlpg - {E43EF6CD-A37A-4A9B-9E6F-83F89B8E6324} - c:\program files\windows live\photo gallery\AlbumDownloadProtocolHandler.dll

SSODL: WebCheck - <orphaned>

mASetup: {8A69D345-D564-463c-AFF1-A69D9E530F96} - "c:\program files\google\chrome\application\26.0.1410.64\installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --multi-install --chrome

.

================= FIREFOX ===================

.

FF - ProfilePath - c:\users\jonfergus\appdata\roaming\mozilla\firefox\profiles\jt933bls.default\

FF - prefs.js: browser.search.defaulturl - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT3291673&CUI=UN42658357821230193&UM=2&SearchSource=3&q={searchTerms}

FF - prefs.js: browser.search.selectedEngine - Search Spin V1 Customized Web Search

FF - prefs.js: browser.startup.homepage - hxxp://us.mg1.mail.yahoo.com/dc/launch?.gx=0&.rand=fpkmoe32ofeft#mail

FF - prefs.js: keyword.URL - hxxp://search.conduit.com/ResultsExt.aspx?ctid=CT3291673&SearchSource=2&CUI=UN42658357821230193&UM=2&q=

FF - plugin: c:\program files\adobe\acrobat 10.0\acrobat\air\nppdf32.dll

FF - plugin: c:\program files\adobe\reader 10.0\reader\air\nppdf32.dll

FF - plugin: c:\program files\common files\avg secure search\sitesafetyinstaller\14.2.0\npsitesafety.dll

FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll

FF - plugin: c:\program files\google\update\1.3.21.145\npGoogleUpdate3.dll

FF - plugin: c:\program files\java\jre7\bin\plugin2\npjp2.dll

FF - plugin: c:\program files\microsoft silverlight\5.1.20125.0\npctrlui.dll

FF - plugin: c:\program files\mie\alternatiff\npzzatif.dll

FF - plugin: c:\program files\windows live\photo gallery\NPWLPG.dll

FF - plugin: c:\windows\system32\macromed\flash\NPSWF32_11_7_700_202.dll

FF - ExtSQL: 2013-04-23 16:42; {19503e42-ca3c-4c27-b1e2-9cdb2170ee34}; c:\users\jonfergus\appdata\roaming\mozilla\firefox\profiles\jt933bls.default\extensions\{19503e42-ca3c-4c27-b1e2-9cdb2170ee34}.xpi

.

---- FIREFOX POLICIES ----

FF - user.js: extensions.BabylonToolbar.tlbrSrchUrl - hxxp://search.babylon.com/?babsrc=TB_def&mntrId=8e0d725b00000000000000235ae9b0cb&q=

FF - user.js: extensions.BabylonToolbar.id - 8e0d725b00000000000000235ae9b0cb

FF - user.js: extensions.BabylonToolbar.appId - {BDB69379-802F-4eaf-B541-F8DE92DD98DB}

FF - user.js: extensions.BabylonToolbar.instlDay - 15670

FF - user.js: extensions.BabylonToolbar.vrsn - 1.8.3.8

FF - user.js: extensions.BabylonToolbar.vrsni - 1.8.3.8

FF - user.js: extensions.BabylonToolbar_i.vrsnTs - 1.8.3.819:44:54

FF - user.js: extensions.BabylonToolbar.prtnrId - babylon

FF - user.js: extensions.BabylonToolbar.prdct - BabylonToolbar

FF - user.js: extensions.BabylonToolbar.aflt - babsst

FF - user.js: extensions.BabylonToolbar_i.smplGrp - none

FF - user.js: extensions.BabylonToolbar.tlbrId - irhnew

FF - user.js: extensions.BabylonToolbar.instlRef - sst

FF - user.js: extensions.BabylonToolbar.dfltLng - en

FF - user.js: extensions.BabylonToolbar.excTlbr - false

FF - user.js: extensions.BabylonToolbar.admin - false

.

============= SERVICES / DRIVERS ===============

.

R0 AVGIDSHX;AVGIDSHX;c:\windows\system32\drivers\avgidshx.sys [2013-2-8 60216]

R0 Avglogx;AVG Logging Driver;c:\windows\system32\drivers\avglogx.sys [2013-2-8 245048]

R0 Avgmfx86;AVG Mini-Filter Resident Anti-Virus Shield;c:\windows\system32\drivers\avgmfx86.sys [2013-2-8 96568]

R0 Avgrkx86;AVG Anti-Rootkit Driver;c:\windows\system32\drivers\avgrkx86.sys [2013-2-8 39224]

R1 AVGIDSDriver;AVGIDSDriver;c:\windows\system32\drivers\avgidsdriverx.sys [2013-3-29 208184]

R1 AVGIDSShim;AVGIDSShim;c:\windows\system32\drivers\avgidsshimx.sys [2013-3-1 22328]

R1 Avgldx86;AVG AVI Loader Driver;c:\windows\system32\drivers\avgldx86.sys [2013-2-8 170808]

R1 Avgtdix;AVG TDI Driver;c:\windows\system32\drivers\avgtdix.sys [2013-3-21 182072]

R1 avgtp;avgtp;c:\windows\system32\drivers\avgtpx86.sys [2012-9-3 33112]

R2 AVGIDSAgent;AVGIDSAgent;c:\program files\avg\avg2013\avgidsagent.exe [2013-4-25 4936752]

R2 avgwd;AVG WatchDog;c:\program files\avg\avg2013\avgwdsvc.exe [2013-4-18 283136]

R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]

R2 MBAMScheduler;MBAMScheduler;c:\program files\malwarebytes' anti-malware\mbamscheduler.exe [2013-5-16 418376]

R2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2013-5-16 701512]

R2 vToolbarUpdater14.2.0;vToolbarUpdater14.2.0;c:\program files\common files\avg secure search\vtoolbarupdater\14.2.0\ToolbarUpdater.exe [2013-2-18 968880]

R3 L1C;NDIS Miniport Driver for Atheros AR8131/AR8132 PCI-E Ethernet Controller;c:\windows\system32\drivers\l1c50x86.sys [2012-6-7 45952]

R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2013-5-16 22856]

R3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2013-5-16 40776]

S2 SkypeUpdate;Skype Updater;c:\program files\skype\updater\Updater.exe [2013-2-28 161384]

S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2009-7-13 229888]

S3 dmvsc;dmvsc;c:\windows\system32\drivers\dmvsc.sys [2011-4-11 62464]

S3 RdpVideoMiniport;Remote Desktop Video Miniport Driver;c:\windows\system32\drivers\rdpvideominiport.sys [2010-11-20 15872]

S3 StorSvc;Storage Service;c:\windows\system32\svchost.exe -k LocalSystemNetworkRestricted [2009-7-13 20992]

S3 Synth3dVsc;Synth3dVsc;c:\windows\system32\drivers\Synth3dVsc.sys [2011-4-11 77184]

S3 terminpt;Microsoft Remote Desktop Input Driver;c:\windows\system32\drivers\terminpt.sys [2011-4-11 25600]

S3 TsUsbFlt;TsUsbFlt;c:\windows\system32\drivers\TsUsbFlt.sys [2010-11-20 52224]

S3 TsUsbGD;Remote Desktop Generic USB Device;c:\windows\system32\drivers\TsUsbGD.sys [2010-11-20 27264]

S3 tsusbhub;tsusbhub;c:\windows\system32\drivers\tsusbhub.sys [2011-4-11 112640]

S3 WatAdminSvc;Windows Activation Technologies Service;c:\windows\system32\wat\WatAdminSvc.exe [2012-5-6 1343400]

.

=============== File Associations ===============

.

FileExt: .txt: txtfile=c:\windows\system32\NOTEPAD.EXE %1 [userChoice]

.

=============== Created Last 30 ================

.

2013-05-16 23:14:01 40776 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2013-05-16 22:43:17 -------- d-----w- c:\users\jonfergus\appdata\roaming\Malwarebytes

2013-05-16 22:43:04 -------- d-----w- c:\programdata\Malwarebytes

2013-05-16 22:43:03 22856 ----a-w- c:\windows\system32\drivers\mbam.sys

2013-05-16 22:43:03 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2013-05-15 23:59:32 -------- d-----w- c:\program files\MIE

2013-05-15 17:14:06 2347520 ----a-w- c:\windows\system32\win32k.sys

2013-05-15 17:14:04 40960 ----a-w- c:\windows\system32\wwanprotdim.dll

2013-05-15 17:14:04 186368 ----a-w- c:\windows\system32\wwansvc.dll

2013-05-15 17:13:25 728424 ----a-w- c:\windows\system32\drivers\dxgkrnl.sys

2013-05-15 17:13:25 218984 ----a-w- c:\windows\system32\drivers\dxgmms1.sys

2013-05-15 17:13:19 47104 ----a-w- c:\windows\system32\appinfo.dll

2013-05-15 17:13:19 1796096 ----a-w- c:\windows\system32\authui.dll

2013-05-15 17:13:19 101720 ----a-w- c:\windows\system32\consent.exe

2013-05-13 17:22:58 -------- d-----w- C:\SearchProtect

2013-05-07 01:43:09 9728 ---ha-w- c:\windows\system32\api-ms-win-downlevel-shlwapi-l1-1-0.dll

2013-04-24 00:10:59 -------- d-----w- c:\program files\Conduit

2013-04-24 00:10:55 -------- d-----w- c:\users\jonfergus\appdata\local\Conduit

2013-04-24 00:09:38 -------- d-----w- c:\users\jonfergus\appdata\local\CRE

2013-04-24 00:06:04 -------- d-----w- c:\program files\Google Books Downloader

2013-04-23 17:12:26 1211752 ----a-w- c:\windows\system32\drivers\ntfs.sys

2013-04-22 18:15:48 -------- d-----w- c:\programdata\GenuTax

.

==================== Find3M ====================

.

2013-05-15 21:23:47 71048 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl

2013-05-15 21:23:47 692104 ----a-w- c:\windows\system32\FlashPlayerApp.exe

2013-05-07 01:43:09 5632 ---ha-w- c:\windows\system32\api-ms-win-downlevel-shlwapi-l2-1-0.dll

2013-04-13 04:45:16 474624 ----a-w- c:\windows\apppatch\AcSpecfc.dll

2013-04-13 04:45:15 2176512 ----a-w- c:\windows\apppatch\AcGenral.dll

2013-04-05 05:28:24 1767424 ----a-w- c:\windows\system32\wininet.dll

2013-04-05 05:26:26 2877440 ----a-w- c:\windows\system32\jscript9.dll

2013-04-05 05:26:21 61440 ----a-w- c:\windows\system32\iesetup.dll

2013-04-05 05:26:21 109056 ----a-w- c:\windows\system32\iesysprep.dll

2013-04-05 04:29:45 2706432 ----a-w- c:\windows\system32\mshtml.tlb

2013-04-05 03:38:25 71680 ----a-w- c:\windows\system32\RegisterIEPKEYs.exe

2013-04-04 12:35:08 94112 ----a-w- c:\windows\system32\WindowsAccessBridge.dll

2013-03-29 09:53:48 208184 ----a-w- c:\windows\system32\drivers\avgidsdriverx.sys

2013-03-21 10:08:24 182072 ----a-w- c:\windows\system32\drivers\avgtdix.sys

2013-03-19 05:04:13 3968856 ----a-w- c:\windows\system32\ntkrnlpa.exe

2013-03-19 05:04:10 3913560 ----a-w- c:\windows\system32\ntoskrnl.exe

2013-03-19 04:48:45 38912 ----a-w- c:\windows\system32\csrsrv.dll

2013-03-19 02:49:16 69632 ----a-w- c:\windows\system32\smss.exe

2013-03-14 00:46:13 861088 ----a-w- c:\windows\system32\npdeployJava1.dll

2013-03-14 00:46:13 782240 ----a-w- c:\windows\system32\deployJava1.dll

2013-03-01 16:32:20 22328 ----a-w- c:\windows\system32\drivers\avgidsshimx.sys

2013-02-18 18:04:38 33112 ----a-w- c:\windows\system32\drivers\avgtpx86.sys

.

============= FINISH: 16:20:51.81 ===============

Hello and welcome, JFergus: :)

Malware removal work is handled in a dedicated area of the forum, not here.

So, for expert assistance, please follow the recommendations in this pinned topic: Available Assistance For Possibly Infected Computers.

A qualified helper will guide you through the cleanup process.

>>Since you've already run DDS, you'll want to post those same logs (both DDS.txt & attach.txt) in your new topic over in the malware removal section. :)

Thanks,

daledoc1
