
High CPU/Memory Usage - Can't find Issue.



Hi, so I've been having abnormally high CPU usage and even memory usage even while the Computer is idle or running nothing extra.
I've been trying to find the issue myself; however, I've finally succumbed and have come to ask for help.

Ran a scan using AVG / Malwarebytes. AVG cleaned up a few problems, Malwarebytes didn't find anything.
HOWEVER, it's been blocking outgoing connections coming from: dllhost.exe, cmd.exe, explorer.exe, notepad.exe, conhost.exe
I can see them active in my Task Manager (See attached Example snip)

I've also noticed a PresentationHost.exe active using up A LOT of memory. It won't allow me to end any of the processes either. I've never seen this and I do actively check my pc. (So I thought..)
Before this gets any worse, Help? Please?


NOTE: I'd prefer not having to reformat and any help with my issue would be greatly appreciated.



Thanks!



Hello Pancakeboy, welcome to Malwarebytes' Malware Removal forum!
 
My name is Adam. I will be assisting you with your malware-related problems.
If you would allow me to call you by your first name I would prefer that.
 
======================================================
 
Please read through the points below to ensure this process moves as quickly and efficiently as possible.

  • Ensure you read through my instructions thoroughly, and carry out each step in the order specified.
  • Please do not run any tools or take any steps other than those I provide for you. Independent efforts may make matters worse, and will affect my ability in providing the best set of instructions for you.
  • Please backup important files before proceeding with my instructions. Malware removal can be unpredictable at times.   
  • If you come across any issues whilst following my instructions, please stop and inform me of the issue in as much detail as possible. Please do not hesitate to ask before proceeding.
  • Topics are locked if no response is made after 4 days. Please inform me if you require additional time to complete my instructions.
  • I will notify you when I believe your computer is free of malware. Please bear in mind, absence of symptoms does not necessarily correlate to absence of malware, so please wait until the "All Clean". 
  • Ensure you are following this topic by clicking the Follow button at the top of the page.

======================================================
 
Please run the following scans so I can ascertain the state of your computer.
 
STEP 1
Malwarebytes Anti-Malware (MBAM)

  • Open Malwarebytes Anti-Malware and click Update Now.
  • Once updated, click the Settings tab, followed by Detection and Protection and tick Scan for rootkits.
  • Click the Scan tab, ensure Threat Scan is selected and click Start Scan.
  • Note: You may see the following message, "Could not load DDA driver". Click Yes, allow your PC to reboot and continue afterwards. 
  • If threats are detected, click Remove Selected. If you are prompted to reboot, click Yes.
  • Upon completion of the scan (or after the reboot), click the History tab.
  • Click Application Logs and double-click the Scan Log.
  • Click Copy to Clipboard and paste the log in your next reply. 

 
STEP 2

Farbar Recovery Scan Tool (FRST) Scan

  • Please download Farbar Recovery Scan Tool (x32) or Farbar Recovery Scan Tool (x64) and save the file to your Desktop.
  • Note: Download and run the version compatible with your system (32 or 64-bit). Download both if you're unsure; only one will run.
  • Right-Click FRST.exe or FRST64.exe and select Run as administrator to run the programme.
  • Click Yes to the disclaimer.
  • Ensure the Addition.txt box is checked.
  • Click the Scan button and let the programme run.
  • Upon completion, click OK, then OK on the Addition.txt pop up screen.
  • Two logs (FRST.txt & Addition.txt) will now be open on your Desktop. Copy the contents of both logs and paste in your next reply. 
     

STEP 3
TDSSKiller Scan

  • Please download TDSSKiller and save the file to your Desktop.
  • Right-Click TDSSKiller.exe and select Run as administrator to run the programme.
  • Click Change parameters. Place a checkmark next to Detect TDLFS file system and Verify file digital signatures.
  • Click Start Scan. Do not use the computer during the scan.
  • If objects are found, change the action to skip.
  • Click Continue and close the window.
  • A log will be created and saved to the root directory (usually C:\). Attach (not copy/paste) the file in your next reply.
     

======================================================
 
STEP 4
Logs
In your next reply please include the following logs. Please be sure to copy and paste the requested logs, as well as provide information on any questions I may have asked.

  • MBAM log
  • FRST.txt
  • Addition.txt
  • TDSSKiller log (attached!)

Steps taken:

  1. Opened Malwarebytes Anti-Malware - Clicked Update / There were no updates available
  2. Opened settings tab/Detection and Protection / ticked Scan for rootkits
  3. Started "Threat Scan" with Malwarebytes Anti-Malware

10/14/2015 1:45PM CST - waiting for scan to finish
Scan finished. All Clean

 

Here are the Scan and Protection logs for Malwarebytes


TDSSKiller.3.1.0.5_15.10.2015_01.27.26_log.txt

TDSSKiller.3.1.0.5_15.10.2015_01.28.29_log.txt

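The OP's report (system binaries such as dllhost.exe, conhost.exe, explorer.exe and PresentationHost.exe having outbound connections blocked by Malwarebytes) is the classic signature of code injected into trusted processes, which the helper later attributes to Bedep. As an added example, not Malwarebytes' or the helper's code, the Python below triages an MBAM protection log in the column layout posted in this thread: it parses the Detection records, collapses Malwarebytes' duplicate entries, groups blocks per process and flags Windows system binaries that should never beacon. The sample log lines, host name, user, addresses and domains are constructed placeholders.

```python
"""Triage a Malwarebytes Anti-Malware (MBAM) protection log for system
processes that are beaconing, i.e. likely injected.  Added example for this
thread, not Malwarebytes' or the helper's code; the column layout follows the
MBAM protection log posted above and all hosts/IPs/domains are placeholders."""
import ntpath
from dataclasses import dataclass, field
from typing import Dict, Iterable, List, Optional, Set

# Windows binaries with no business contacting ad/tracking domains on their
# own.  Outbound blocks attributed to them point at code injected into the
# process (the helper attributes this machine's blocks to Bedep).
SYSTEM_HOST_PROCESSES = {
    "explorer.exe", "conhost.exe", "dllhost.exe", "presentationhost.exe",
    "taskhost.exe", "msiexec.exe", "ctfmon.exe", "cmd.exe", "notepad.exe",
}

# Constructed sample in the MBAM layout (RFC 5737 addresses, .example domains).
# Line 2 repeats line 1: MBAM often logs one blocked connection twice.
SAMPLE_LOG = r"""
Detection, 10/15/2015 12:00 AM, SYSTEM, EXAMPLE-PC, Protection, Malicious Website Protection, Domain, 198.51.100.7, stats.ads-tracker.example, 63572, Outbound, C:\Windows\explorer.exe,
Detection, 10/15/2015 12:00 AM, SYSTEM, EXAMPLE-PC, Protection, Malicious Website Protection, Domain, 198.51.100.7, stats.ads-tracker.example, 63572, Outbound, C:\Windows\explorer.exe,
Detection, 10/15/2015 12:01 AM, SYSTEM, EXAMPLE-PC, Protection, Malicious Website Protection, Domain, 198.51.100.7, stats.ads-tracker.example, 64644, Outbound, C:\Windows\System32\conhost.exe,
Detection, 10/15/2015 12:06 AM, SYSTEM, EXAMPLE-PC, Protection, Malicious Website Protection, Domain, 203.0.113.36, node1.adnet.example, 52072, Outbound, C:\Windows\System32\conhost.exe,
Detection, 10/15/2015 12:08 AM, SYSTEM, EXAMPLE-PC, Protection, Malicious Website Protection, Domain, 198.51.100.7, stats.ads-tracker.example, 54527, Outbound, C:\Windows\System32\PresentationHost.exe,
Update, 10/15/2015 12:26 AM, SYSTEM, EXAMPLE-PC, Scheduler, Failed, Unable to access update server,
Detection, 10/15/2015 12:34 AM, SYSTEM, EXAMPLE-PC, Protection, Malicious Website Protection, Domain, 203.0.113.36, node1.adnet.example, 57181, Outbound, C:\Windows\System32\taskhost.exe,
Detection, 10/15/2015 12:45 AM, User1, EXAMPLE-PC, Protection, Malicious Website Protection, Domain, 203.0.113.36, node1.adnet.example, 50001, Outbound, C:\Program Files (x86)\Mozilla Firefox\firefox.exe,
"""

@dataclass(frozen=True)
class Detection:
    timestamp: str
    ip: str
    domain: str
    port: int
    direction: str
    process: str

@dataclass
class ProcessSummary:
    process: str
    suspicious: bool
    attempts: int = 0
    domains: Set[str] = field(default_factory=set)
    first_seen: str = ""
    last_seen: str = ""

def parse_detection(line: str) -> Optional[Detection]:
    """Parse a 'Malicious Website Protection' domain block; None for other records."""
    fields = [f.strip() for f in line.strip().rstrip(",").split(",")]
    if len(fields) < 12 or fields[0] != "Detection" or fields[6] != "Domain":
        return None
    return Detection(timestamp=fields[1], ip=fields[7], domain=fields[8],
                     port=int(fields[9]), direction=fields[10], process=fields[11])

def is_injected_host_candidate(process_path: str) -> bool:
    """A Windows system binary under \\Windows\\ that should never beacon."""
    name = ntpath.basename(process_path).lower()
    return name in SYSTEM_HOST_PROCESSES and "\\windows\\" in process_path.lower()

def triage(lines: Iterable[str]) -> Dict[str, ProcessSummary]:
    """Group outbound blocks by process, collapsing MBAM's duplicate entries."""
    seen = set()
    summaries: Dict[str, ProcessSummary] = {}
    for line in lines:
        det = parse_detection(line)
        if det is None or det.direction != "Outbound":
            continue
        key = (det.timestamp, det.port, det.process)  # same attempt logged twice
        if key in seen:
            continue
        seen.add(key)
        summary = summaries.get(det.process)
        if summary is None:
            summary = ProcessSummary(det.process, is_injected_host_candidate(det.process),
                                     first_seen=det.timestamp)
            summaries[det.process] = summary
        summary.attempts += 1
        summary.domains.add(det.domain)
        summary.last_seen = det.timestamp
    return summaries

def suspicious_processes(lines: Iterable[str]) -> List[str]:
    return sorted(p for p, s in triage(lines).items() if s.suspicious)

def report(lines: Iterable[str]) -> str:
    """One line per process, suspects first, busiest first."""
    rows = []
    for s in sorted(triage(lines).values(), key=lambda s: (not s.suspicious, -s.attempts)):
        tag = "SUSPECT" if s.suspicious else "review "
        rows.append(f"{tag} {s.process}: {s.attempts} blocked outbound attempt(s) to "
                    f"{', '.join(sorted(s.domains))} ({s.first_seen} .. {s.last_seen})")
    return "\n".join(rows)

if __name__ == "__main__":
    print(report(SAMPLE_LOG.strip().splitlines()))
```

A browser or updater appearing in the "review" rows is normal and needs a human look; a system binary in the "SUSPECT" rows is the cue to hunt for the injecting component (here, the helper's FRST fixlist targets it) rather than the binary itself.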

Hello, 
 
Bedep is responsible for the outbound calls blocked by MBAM:

2015-10-03 07:02 - 2015-10-13 14:03 - 00000000 ___HD C:\ProgramData\{CA2FACF7-9029-4A21-892B-E7F60B39FF1A}

STEP 1
Farbar Recovery Scan Tool (FRST) Script

  • Press the Windows Key + R on your keyboard at the same time. Type Notepad and click OK.
  • Copy the entire contents of the codebox below and paste into the Notepad document.
    start
    CreateRestorePoint:
    HKLM\...\Run: [CIS_{15198508-521A-4D69-8E5B-B94A6CCFF805}] => "C:\ProgramData\cis5C52.exe" --PostUninstall {15198508-521A-4D69-8E5B-B94A6CCFF805}
    HKLM\...\Run: [CIS_{81EFDD93-DBBE-415B-BE6E-49B9664E3E82}] => "C:\ProgramData\cisA709.exe" --PostUninstall {81EFDD93-DBBE-415B-BE6E-49B9664E3E82}
    HKLM-x32\...\Run: [] => [X]
    HKU\S-1-5-21-3397723265-2909267696-1730031062-1000\...\Run: [AVG-Secure-Search-Update_1113a] => C:\Users\Triz\AppData\Roaming\AVG 1113a Campaign\AVG-Secure-Search-Update-1113a.exe /PROMPT /mid=50bc3ccf60b947d19f1ce92931678051-03a7e6d595bb4036d7a2100fc60243d579296913 /CMPID=1113a
    C:\Users\Triz\AppData\Roaming\AVG 1113a Campaign
    HKU\S-1-5-21-3397723265-2909267696-1730031062-1000\...\MountPoints2: E - E:\Setup.exe
    HKU\S-1-5-21-3397723265-2909267696-1730031062-1000\...\MountPoints2: J - J:\RunGame.exe
    HKU\S-1-5-21-3397723265-2909267696-1730031062-1000\...\MountPoints2: K - K:\setup.exe
    HKU\S-1-5-21-3397723265-2909267696-1730031062-1000\...\MountPoints2: L - L:\setup.exe
    HKU\S-1-5-21-3397723265-2909267696-1730031062-1000\...\MountPoints2: M - M:\setup.exe
    HKU\S-1-5-21-3397723265-2909267696-1730031062-1000\...\MountPoints2: O - O:\Setup.exe
    HKU\S-1-5-21-3397723265-2909267696-1730031062-1000\...\MountPoints2: {1475c999-7c8e-11e2-96ba-3860778369a2} - N:\setup.exe
    AppInit_DLLs-x32: c:\progra~3\browse~1\23796~1.11\{16cdf~1\browse~1.dll => No File
    c:\progra~3\browse~1
    SearchScopes: HKLM-x32 -> DefaultScope {006ee092-9658-4fd6-bd8e-a21a348e59f5} URL = 
    BHO-x32: No Name -> {02478D38-C3F9-4efb-9B51-7695ECA05670} ->  => No File
    BHO-x32: No Name -> {95B7759C-8C7F-4BF1-B163-73684A933233} ->  => No File
    Toolbar: HKU\.DEFAULT -> No Name - {A8864317-E18B-4292-99D9-E6E65AB905D3} -  No File
    Toolbar: HKU\S-1-5-21-3397723265-2909267696-1730031062-1000 -> No Name - {A8864317-E18B-4292-99D9-E6E65AB905D3} -  No File
    Toolbar: HKU\S-1-5-21-3397723265-2909267696-1730031062-1000 -> No Name - {E7DF6BFF-55A5-4EB7-A673-4ED3E9456D39} -  No File
    FF Plugin-x32: @pandonetworks.com/PandoWebPlugin -> C:\Program Files (x86)\Pando Networks\Media Booster\npPandoWebPlugin.dll [No File]
    C:\Program Files (x86)\Pando Networks
    CHR HKLM-x32\...\Chrome\Extension: [mhfdcmehmjcclgopdodkjdicohagipid] - C:\Users\Triz\AppData\Local\Temp\ccex.crx <not found>
    S3 clwvd; system32\DRIVERS\clwvd.sys [X]
    2015-10-03 07:02 - 2015-10-13 14:03 - 00000000 ___HD C:\ProgramData\{CA2FACF7-9029-4A21-892B-E7F60B39FF1A}
    C:\Users\Triz\random_2ac13c47.dat
    C:\Users\Triz\random_2ea8c8ed.dat
    C:\Users\Triz\random_30685a1b.dat
    C:\Users\Triz\random_347e84b9.dat
    C:\Users\Triz\random_398a68e7.dat
    C:\Users\Triz\random_3a898a5e.dat
    C:\Users\Triz\random_3e0a2c59.dat
    C:\Users\Triz\random_44600785.dat
    C:\Users\Triz\random_49337807.dat
    C:\Users\Triz\random_4b946484.dat
    C:\Users\Triz\random_70a5b39b.dat
    C:\Users\Triz\random_72cb5314.dat
    C:\Users\Triz\random_75cc4528.dat
    C:\Users\Triz\random_77c6c985.dat
    C:\Users\Triz\random_7b385c31.dat
    C:\Users\Triz\random_82c449ee.dat
    C:\Users\Triz\random_8593c363.dat
    C:\Users\Triz\random_8bfd8603.dat
    C:\Users\Triz\random_90d6e8fb.dat
    C:\Users\Triz\random_9531e363.dat
    C:\Users\Triz\random_99b09ade.dat
    C:\Users\Triz\random_aaffbc12.dat
    C:\Users\Triz\random_affce8f1.dat
    C:\Users\Triz\random_bbf89c35.dat
    C:\Users\Triz\random_bec0e3cb.dat
    C:\Users\Triz\random_c5b03800.dat
    C:\Users\Triz\random_c97651eb.dat
    C:\Users\Triz\random_d5795e08.dat
    C:\Users\Triz\random_ed61132c.dat
    C:\Users\Triz\random_f7dc2d61.dat
    CustomCLSID: HKU\S-1-5-21-3397723265-2909267696-1730031062-1000_Classes\CLSID\{F9E1BD9A-84B5-4D12-9195-0B3E7D86FD35}\InprocServer32 -> C:\ProgramData\{CA2FACF7-9029-4A21-892B-E7F60B39FF1A}\mciwave.dll => No File
    Task: {14910701-BBA0-4F66-A44F-CC8CE702385C} - System32\Tasks\{68F9AE05-559A-4D69-926A-8D3F5E35DAF2} => pcalua.exe -a "C:\Program Files (x86)\Antares Audio Technologies\Uninstall\unins000.exe"
    Task: {2565AB19-9E62-400C-90C0-07D4D71ABBA2} - System32\Tasks\{7F254FDB-928E-4BCD-93E3-61056BA36C18} => pcalua.exe -a C:\Users\Triz\Downloads\jxpiinstall(1).exe -d "C:\Program Files (x86)\Mozilla Firefox"
    Task: {AE835891-B4E8-43B8-84C4-4E666010FAAA} - System32\Tasks\{6DFEF5A2-0369-40F2-8298-B2B40BCCAB3F} => pcalua.exe -a C:\Users\Triz\Downloads\setup(3).exe -d C:\Users\Triz\Downloads
    Task: {B9FC26D1-6547-48E6-A8C8-5D518C0AFF4E} - \BackgroundContainer Startup Task -> No File <==== ATTENTION
    Task: {BDA88F3E-318F-4585-9F2A-8FA171F83B28} - System32\Tasks\{5F332371-C081-4E27-AF7A-BD84569B3F96} => pcalua.exe -a C:\Users\Triz\Downloads\setup(2).exe -d C:\Users\Triz\Downloads
    Task: {F01E0B7D-1EC7-42DE-A148-839ABB5DF552} - System32\Tasks\{590CF532-52C6-45B4-B97C-1077AEB6D3EA} => pcalua.exe -a C:\Users\Triz\Downloads\setup.exe -d "C:\Program Files (x86)\Mozilla Firefox"
    Task: C:\Windows\Tasks\CIS_{15198508-521A-4D69-8E5B-B94A6CCFF805}.job => C:\ProgramData\cis5C52.exe <==== ATTENTION
    Task: C:\Windows\Tasks\CIS_{81EFDD93-DBBE-415B-BE6E-49B9664E3E82}.job => C:\ProgramData\cisA709.exe <==== ATTENTION
    reg: reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\Services\vToolbarUpdater18.1.7" /f
    reg: reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\perkda" /f
    reg: reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\vProt" /f
    C:\Program Files (x86)\Perk Prize Panel
    C:\Program Files (x86)\AVG SafeGuard toolbar
    CMD: ipconfig /flushdns
    EmptyTemp:
    end
  • Click File > Save As and type fixlist.txt as the File Name
  • Important: The file must be saved in the same location as FRST64.exe. 

NOTICE: This script is intended for use on this particular machine. Do not use this script on any other machine; doing so may cause damage to your Operating System.

  • Right-Click FRST64.exe and select Run as administrator to run the programme.
  • Click Fix.
  • A log (Fixlog.txt) will open on your desktop. Copy the contents of the log and paste in your next reply.
     

STEP 2
Uninstall Software

  • Press the Windows Key + R on your keyboard at the same time. Type appwiz.cpl and click OK.
  • Search for the following programmes, right-click and click Uninstall.
    • SpyHunter 4 
  • Follow the prompts.
  • Reboot if necessary.
     

STEP 3
Folder Options

  • Press the Windows Key + R on your keyboard at the same time. Type Control Folders and click OK.
  • Click View. Under Hidden files and folders
  • Place a checkmark next to Show hidden files, folders and drives.
  • Remove the checkmark next to Hide extensions for known file types.
  • Remove the checkmark next to Hide protected operating system Files (Recommended).
  • Click Apply followed by OK.
     

STEP 4
VirusTotal Upload

  • Please go to VirusTotal.com.
  • Click Choose File and locate the following file:
    • C:\Users\Triz\Network_Meter_Data.js
  • Click Scan it!
  • If you receive the notification "File already analysed", click Reanalyse.
  • Once the file has been analyzed, copy the page URL at the top of the window and paste in your next reply. 
  • Please do the same for the files below:
    • C:\Users\Triz\AppData\Local\fusioncache.dat
       

======================================================
 
STEP 5
Logs
In your next reply please include the following logs. Please be sure to copy and paste the requested logs, as well as provide information on any questions I may have asked.

  • Fixlog.txt
  • VirusTotal Results
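One way to confirm that the STEP 3 Folder Options changes actually took effect, as an added example that is not part of the thread: the dialog stores its three checkboxes as DWORD values under the current user's Explorer\Advanced registry key, so they can be read back and compared. The function name is an assumption.

```powershell
# Added example (not from the thread): report whether Explorer's Folder Options
# match what STEP 3 asks for. The dialog stores its choices as DWORD values under
# the Explorer\Advanced key for the current user. Function name is an assumption.
function Get-FolderOptionState {
    $key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'
    $adv = Get-ItemProperty -Path $key

    # Desired values, one per checkbox in the thread's STEP 3.
    $wanted = [ordered]@{
        Hidden          = 1   # 1 = "Show hidden files, folders and drives" (2 = don't show)
        HideFileExt     = 0   # 0 = "Hide extensions for known file types" unchecked
        ShowSuperHidden = 1   # 1 = "Hide protected operating system files" unchecked
    }

    foreach ($name in $wanted.Keys) {
        # A value that is missing reads as $null and therefore reports as not OK.
        $current = $adv.$name
        [pscustomobject]@{
            Setting = $name
            Current = $current
            Wanted  = $wanted[$name]
            Ok      = ($current -eq $wanted[$name])
        }
    }
}

# Any row with Ok = False means that checkbox does not match the requested state.
Get-FolderOptionState | Format-Table -AutoSize
```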

For C:\Users\Triz\Network_Meter_Data.js:
https://www.virustotal.com/en/file/28f10cc4b0ae6d393229819f4116bbeedc11541e7b9a6108eabfe921083b5c2a/analysis/1444974940/

For C:\Users\Triz\AppData\Local\fusioncache.dat:
https://www.virustotal.com/en/file/b29a5960a3d21185b05ecb73deb79fd94a785147d7d48c18c880f60080006428/analysis/1444975100/

Fixlog.txt will be attached below. Thank you again for the time out of your day to help me out. Hopefully this works.

Awaiting your next Reply,
Pancakeboy

Fixlog.txt

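As an added check that is not part of the thread: a VirusTotal result URL embeds the SHA-256 of the uploaded file, so the local file can be hashed and compared against it to confirm the right file was scanned. The function name is an assumption; the paths and URLs are the ones quoted in the thread.

```powershell
# Added example (not from the thread): confirm that the SHA-256 embedded in a
# VirusTotal result URL matches the file actually on disk. Function name is an
# assumption; needs Get-FileHash (PowerShell 4.0 or later).
function Test-VirusTotalUrlMatchesFile {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [Parameter(Mandatory)] [string] $VirusTotalUrl
    )
    # VT file URLs have the form .../file/<64 hex chars>/analysis/<timestamp>/
    if ($VirusTotalUrl -notmatch '/file/([0-9a-fA-F]{64})/') {
        throw "No SHA-256 found in URL: $VirusTotalUrl"
    }
    $urlHash = $Matches[1].ToLowerInvariant()

    # The file may already have been removed by an earlier fix; report that
    # rather than failing.
    if (-not (Test-Path -LiteralPath $Path)) {
        return [pscustomobject]@{
            Path = $Path; Exists = $false; Match = $false
            UrlHash = $urlHash; FileHash = $null
        }
    }
    $fileHash = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash.ToLowerInvariant()
    [pscustomobject]@{
        Path = $Path; Exists = $true; Match = ($fileHash -eq $urlHash)
        UrlHash = $urlHash; FileHash = $fileHash
    }
}

# Inputs quoted from this thread: the two files the helper asked about and the
# result URLs the poster replied with.
$checks = @(
    @{ Path = 'C:\Users\Triz\Network_Meter_Data.js'
       Url  = 'https://www.virustotal.com/en/file/28f10cc4b0ae6d393229819f4116bbeedc11541e7b9a6108eabfe921083b5c2a/analysis/1444974940/' },
    @{ Path = 'C:\Users\Triz\AppData\Local\fusioncache.dat'
       Url  = 'https://www.virustotal.com/en/file/b29a5960a3d21185b05ecb73deb79fd94a785147d7d48c18c880f60080006428/analysis/1444975100/' }
)
foreach ($c in $checks) {
    Test-VirusTotalUrlMatchesFile -Path $c.Path -VirusTotalUrl $c.Url | Format-List
}
```

A Match of False with Exists = True means a different file was uploaded than the one on disk (or the file changed since), which is worth telling the helper before acting on the result.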

Thank you again for the time out of your day to help me out.

That's quite alright. 

 

Let's continue -

 

STEP 1

Junkware Removal Tool (JRT)

  • Please download Junkware Removal Tool and save the file to your Desktop.
  • Temporarily disable your anti-virus software. For instructions, please refer to the following link.
  • Right-Click JRT.exe and select Run as administrator to run the programme.
  • Follow the prompts and allow the scan to run uninterrupted. 
  • Upon completion, a log (JRT.txt) will open on your desktop.
  • Re-enable your anti-virus software.
  • Copy the contents of JRT.txt and paste in your next reply.

     

STEP 2

AdwCleaner

  • Please download AdwCleaner and save the file to your Desktop.
  • Right-Click AdwCleaner.exe and select Run as administrator to run the programme.
  • Follow the prompts. 
  • Click Scan
  • Upon completion, click Logfile. A log (AdwCleaner[s1].txt) will open. Briefly check the log for anything you know to be legitimate. 
  • Ensure anything you know to be legitimate does not have a checkmark under the corresponding tab, and click Cleaning
  • Follow the prompts and allow your computer to reboot
  • After the reboot, a log (AdwCleaner[C1].txt) will open. Copy the contents of the log and paste in your next reply.

-- File and folder backups are made for items removed using this tool. Should a legitimate file or folder be removed (otherwise known as a 'false-positive'), simple steps can be taken to restore the item. Please do not overly concern yourself with the contents of AdwCleaner[s1].txt.

 

STEP 3

Farbar Recovery Scan Tool (FRST) Scan

  • Right-Click FRST64.exe and select Run as administrator to run the programme.
  • Ensure the Addition.txt box is checked.
  • Click the Scan button and let the programme run.
  • Upon completion, click OK, then OK on the Addition.txt pop up screen.
  • Two logs (FRST.txt & Addition.txt) will now be open on your Desktop. Copy the contents of both logs and paste in your next reply. 

     

======================================================

STEP 4

Logs

In your next reply please include the following logs. Please be sure to copy and paste the requested logs, as well as provide information on any questions I may have asked.

  • JRT.txt
  • AdwCleaner[C1].txt
  • FRST.txt
  • Addition.txt

Hello,

I see you have ESET Online Scan installed. Have you performed a scan with this programme?
Please run another scan using the settings mentioned below.

STEP 1
ESET Online Scan
Note: This scan may take a long time to complete. Please do not browse the Internet whilst your Anti-Virus is disabled.

  • Open ESET Online Scan
  • Agree to the EULA by placing a checkmark next to Yes, I accept the Terms of Use. Then click Start.
  • Agree to the Terms of Use once more and click Start. Allow components to download.
  • Place a checkmark next to Enable detection of potentially unwanted applications.
  • Click Advanced settings. Place a checkmark next to:
    • Scan archives
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth technology
  • Ensure Remove found threats is unchecked.
  • Click Start.
  • Wait for the scan to finish. Please be patient as this can take some time.
  • Upon completion, click esetListThreats.png. If no threats were found, skip the next two bullet points. 
  • Click esetExport.png and save the file to your Desktop, naming it something such as "MyEsetScan".
  • Push the Back button.
  • Place a checkmark next to KN1w2nv.png and click SzOC1p0.png.
  • Re-enable your anti-virus software.
  • Copy the contents of the log and paste in your next reply.
     

STEP 2
RogueKiller

  • Please download RogueKiller (x64) and save the file to your Desktop.
  • Close any running programmes.
  • Right-Click RogueKiller.exe and select Run as administrator to run the programme.
  • Allow the Prescan to complete. Upon completion, a window will open. Click Accept.
  • A browser window may open. Close the browser window.
  • Click jpgUwzp.png. Upon completion, click phPvmc6.png.
  • Close the programme. Do not fix anything!
  • A log (RKreport.txt) will be open. Copy the contents of the log and paste in your next reply.
     

======================================================
 
STEP 3
Logs
In your next reply please include the following logs. Please be sure to copy and paste the requested logs, as well as provide information on any questions I may have asked.

  • ESET Online Scan log
  • RKreport.txt

  • Root Admin

Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!

