
High CPU usage, 100% . . .


NTxLS


Greetings from the GREAT Country of TEXAS,

 

This has been ongoing for several months seems to be traveling around my system, started with "WinAntiRansomWare," new program from WinPatrol site.  Without any thing being done "WinAntiRansom" started using 80 - 90 % of my Processor, monitoring this using Mark Russinovich's "Process Explorer."  My system became very slow.  Heard other members with "WAR" having like problems so I uninstalled "WAR" and that issue seemed to be resolved.  After a couple of days it seems to have returned this time Avast!FREE titled '2016' was the one with Hi CPU usage.  So that was removed, uninstalled.  All settled again and after a few days was back again this time using two (2) copies of "MBAM.exe" 30 - 35% on one copy and 40 - 45% on the other.  Again removed MBAM Premium that is the PAID version.

 

While not connected to the NET did a little looking around within the Registry finding a KEY entry that seemed to NOT have any connection with any software on my computer with some very strange DATA entries of alpha/numerics AND some ASCII characters that could not be COPIED.  When right clicking on the data title selecting "Modify" there was not any entry so selecting the "Binary Modify" did show much, about 1,944 entries yet could NOT be copied either.  Found about four (4) RegKeys with similar information entered.  Locations to follow:

 

HKEY_CURRENT_USER\Software\2f3e6df6f5

HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\2f3e6df6f5
HKEY_USERS\S-1-5-21-4267585356-2186095281-715594798-1000\Software\2f3e6df6f5
HKEY_USERS\S-1-5-21-4267585356-2186095281-715594798-1003\Software\2f3e6df6f5

 

The third line above was shown in "WAR" registry monitoring, but; did NOT show in the Registry Editor even under Admin access.  Later discovered it had mysteriously disappeared.

 

After discovering these entries and NO connection to any of my installed software, took the action of removing them, DELETED.  Done OFF LINE!

 

Proceeded to reinstall, "WinAntiRansom," "Avast! FREE '2016'," AND "MalwareBytes Antimalware Premium" AND 'ProcExpl' has since shown normal operations with "IDLE Processor Time" of about 88% - 97% when not running any scans nor on the web.

 

Have used "FRST64.exe" before several times for 'Geeks-to-Go' and FireFox for MBAM.  Because this is rather lengthy will attach those reports shortly.  If you would like the "CheckResults.txt" also have the file to run that one after you request of course.

 

FRST.txt

Addition.txt

Link to post
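
A read-only way to look for keys like the ones listed in the post above, added here as an example and not part of the original thread: it flags direct subkeys of the same Software branches whose name is a bare hex string and which hold large binary values. The 8-16 character name pattern, the 1024-byte threshold and the sample value names are assumptions.

```python
import re
import sys

REG_BINARY = 3                              # same number as winreg.REG_BINARY
HEX_NAME = re.compile(r"^[0-9a-f]{8,16}$")  # assumption: bare lowercase hex name
MIN_BLOB = 1024                             # assumption: bytes worth a closer look


def leaf(path):
    """Last component of a registry path."""
    return path.rstrip("\\").rsplit("\\", 1)[-1]


def triage(keys):
    """keys: iterable of (key_path, [(value_name, reg_type, data), ...]).
    Report keys named like a bare hex string that hold a large REG_BINARY value."""
    findings = []
    for path, values in keys:
        if not HEX_NAME.match(leaf(path)):
            continue
        blobs = [(name, len(data)) for name, reg_type, data in values
                 if reg_type == REG_BINARY and isinstance(data, bytes)
                 and len(data) >= MIN_BLOB]
        if blobs:
            findings.append({"key": path, "blobs": blobs})
    return findings


def read_live():
    """Yield (path, values) for each direct subkey of HKCU\\Software,
    HKLM\\SOFTWARE\\Wow6432Node and every loaded HKU\\<SID>\\Software.
    Windows only; opens keys for reading and changes nothing."""
    import winreg
    roots = [(winreg.HKEY_CURRENT_USER, "HKCU", "Software"),
             (winreg.HKEY_LOCAL_MACHINE, "HKLM", r"SOFTWARE\Wow6432Node")]
    for i in range(winreg.QueryInfoKey(winreg.HKEY_USERS)[0]):
        sid = winreg.EnumKey(winreg.HKEY_USERS, i)
        roots.append((winreg.HKEY_USERS, "HKU", sid + r"\Software"))
    for hive, label, sub in roots:
        try:
            parent = winreg.OpenKey(hive, sub)
        except OSError:
            continue                        # branch missing or access denied
        with parent:
            for i in range(winreg.QueryInfoKey(parent)[0]):
                name = winreg.EnumKey(parent, i)
                try:
                    with winreg.OpenKey(parent, name) as key:
                        count = winreg.QueryInfoKey(key)[1]
                        raw = [winreg.EnumValue(key, j) for j in range(count)]
                except OSError:
                    continue
                # EnumValue returns (name, data, type); reorder for triage()
                yield f"{label}\\{sub}\\{name}", [(n, t, d) for n, d, t in raw]


# Constructed sample: the key name is the one quoted in the post, the value
# names and contents are filler made up for this example.
SAMPLE = [
    (r"HKCU\Software\2f3e6df6f5", [("a1", REG_BINARY, bytes(1944))]),
    (r"HKCU\Software\Mozilla", [("x", REG_BINARY, bytes(4096))]),
    (r"HKLM\SOFTWARE\Wow6432Node\deadbeef", [("v", 1, "short string")]),
]

if __name__ == "__main__":
    source = read_live() if sys.platform == "win32" else SAMPLE
    for finding in triage(source):
        print(finding["key"], finding["blobs"])
```

A hit is only a lead for review: export the key and compare it against installed software before deciding what to do with it.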

Hello and welcome to Malwarebytes,

Please be aware the following P2P/Piracy Warning is a standard opening reply made here at Malwarebytes, we make no accusations but do make you aware of Forum Protocol....

If you're using Peer 2 Peer software such as uTorrent, BitTorrent or similar you must either fully uninstall them or completely disable them from running while being assisted here. Failure to remove or disable such software will result in your topic being closed and no further assistance being provided. If you have illegal/cracked software, cracks, keygens etc. on the system, please remove or uninstall them now and read the policy on Piracy.

 

FRST needs to run from an account with Administrator rights, can you re-run again...

 

Run FRST one more time, ensure all boxes are checkmarked under "Whitelist" but only Addition.txt and Shortcut.txt under "Optional scan" Select scan, when done post the new logs....
 

Thank you,

 

Kevin

Link to post

Greetings from the GREAT Country of TEXAS,

 

That previous set of logs were run under Admin Access.

 

As for those ILLEGAL type software, none are on my CPUs before nor ever after . . that is NOT how I operate.

 

Those two (2) files are attached and run as Admin . .  My MBAM Premium is LifeTime Updates.

 

FRST.txt

Addition.txt

Link to post

Couple of points, FRST has not been executed from an account with Administrator status. That is quite clearly stated in the log header which I quote....

 

Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version:05-12-2015
Ran by DEPro (ATTENTION: The user is not administrator) on DESDSKTP (07-12-2015 12:16:09)
Running from F:\!DwnLdStrg\Installed\FRST_Farbar
Loaded Profiles: DEPro (Available Profiles: DE & HomeUsers & DEPro & DefaultAppPool)
Platform: Windows 7 Professional Service Pack 1 (X64) Language: English (United States)
Internet Explorer Version 11 (Default browser: FF)
Boot Mode: Normal
Tutorial for Farbar Recovery Scan Tool: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

 

The second point regarding the following statement,

 

Please be aware the following P2P/Piracy Warning is a standard opening reply made here at Malwarebytes, we make no accusations but do make you aware of Forum Protocol....

 

I clearly state that no accusations are being made, we only make you aware of forum protocol...

 

 

One other point, whenever did Texas attain "Country" status. I must have missed that upgrade somehow...

 

Thank you,

 

Kevin..

Link to post

Greetings from the GREAT Country of TEXAS,

 

You are assuming I am trying to argue with you and I am NOT, doing for you what you are doing for me.  Expressing how I operate by NOT using any of that ILLEGAL software.  THE END of this.

 

As for "FRST64.EXE" is concerned, I have NOT any control over what or how it does its thing.  I have downloaded, some months ago, a copy and have run it for several different people that have requested those reports and more.  Every time I have run that file it goes out to the web to check for updates.  I right click on that file, after its check, and select "Run as Administrator" enter the password for it to do what it is supposed to do, as far as I know.  DO NOT go on the web as "Administrator" there is NOT any way of accessing the web, that is TURNED off, by me, for Admin on my systems.

 

As for running it from my ADMIN account will take a little extra time, because; these issues that are slowing my system it takes more time to reboot to admin, some times up to 20 min. has taken over 35 min.  Then need to reboot as limited user to send those files, PLEASE be patient with me?

Link to post

FRST has to be run from an account with Administrator status, that is why the logs you have produced have multiple line entries with "Failed to access process"

 

There is no point progressing any further if you do not follow basic instructions to enable a tool to be run correctly.... if you run from a limited account the "Right click" run as administrator is not correct, that does not run the tool at Administrator status from an Administrator account

 

Thank you,

 

Kevin...

Link to post

Greetings from the GREAT County of TEXAS,

 

No one has mentioned this to me except you and I did not understand fully what was really required.   I have installed, removed, updates, anything that required Administrator Rights from my limited user account with NO troubles.  I even work in the Registry files from the same access.  Was told that is why when 'Right Clicking' and using the "Run as Administrator" was placed there so we do not need to keep switching back and forth.  That has been successful for me since about 1988 or `89, until NOW!

 

These files were run from my Admin access just for you.  That quote you had in RED is NOT my "Administrator" account, that report is LYING to you, my ADMIN account is "DE" that one mentioned was renamed by WINDOWS and blocked me from accessing my Admin account.  Do not know how it has shown up again as it had been removed after I created a NEW Admin.

Link to post

Greetings from the Great Country of TEXAS,

 

Forgot to attach those files, here they are just for you . .

 

Also would like to share with you, have been on the internet since before Windows was ever created plus did the surfing thing in Unix Software using TCP/IP to go to another website.  All of the work done of maintaining my computers as well as others is all self-taught.  AND yes I do work in the Registry Files every day.  My training was in Electronics but we also had some logic, binary, hexadecimal, octal, et ceteras with some program introduction.  I did not go on with the programming.  I am now Retired Journeyman Electronics Technician with many other skills added because of my job.  That goes into hydraulics, pneumatics, mechanical, electrical and doing some troubleshooting of computers, Data General 19" Main Frames using a Teletype for input and output, before there were any desktops/laptops.  The END . .

 

FRST.txt

Addition.txt

Link to post

Excuse me, that is MY Admin account.  Cannot help what that software is telling you about it NOT being an Admin account.  That is what that account was setup as by me using Windows when starting to use this computer system.  My Computer is a Dell OptiPlex 960 running Win7 Professional SP1 with all updates that have been put out by Microsoft.

 

 

FRST has to be run from an account with Administrator status, that is why the logs you have produced have multiple line entries with "Failed to access process"

 

There is no point progressing any further if you do not follow basic instructions to enable a tool to be run correctly.... if you run from a limited account the "Right click" run as administrator is not correct, that does not run the tool at Administrator status from an Administrator account

 

Thank you,

 

Kevin...

Link to post

Greetings from the GREAT Country of TEXAS,

 

That report did ID my user account, that was used to run "FRST64.EXE," as "Administrator" evidently you just did not want to work with me and my system.  PLUS do not understand why this software needs to run a san on "Internet Explorer" as I have NEVER Have used that browser on this computer.

 

Here are two (2) more of those files from FRST64:

 

 

FRST.txt

Addition.txt

Link to post

  • Root Admin

Hello NTxLS

 

I've been asked to take a look and see if I can assist you.

 

Please go ahead and run through the following steps and post back the logs when ready.
 
STEP 04
Please download Junkware Removal Tool to your desktop.

  • Shutdown your antivirus to avoid any conflicts.
  • Right click over JRT.exe and select Run as administrator on Windows Vista or Windows 7, double-click on XP.
  • The tool will open and start scanning your system.
  • Please be patient as this can take a while to complete.
  • On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
  • Post the contents of JRT.txt into your next reply message
  • When completed make sure to re-enable your antivirus


STEP 05
Let's clean out any adware now: (this will require a reboot so save all your work)

Please download AdwCleaner by Xplode and save to your Desktop.

  • Double click on AdwCleaner.exe to run the tool.
    Vista/Windows 7/8 users right-click and select Run As Administrator
  • Click on the Scan button.
  • AdwCleaner will begin...be patient as the scan may take some time to complete.
  • When it's done you'll see: Pending: Please uncheck elements you don't want removed.
  • Now click on the Report button...a logfile (AdwCleaner[R0].txt) will open in Notepad for review.
  • Look over the log especially under Files/Folders for any program you want to save.
  • If there's a program you may want to save, just uncheck it from AdwCleaner.
  • If you're not sure, post the log for review. (all items found are adware/spyware/foistware)
  • If you're ready to clean it all up.....click the Clean button.
  • After rebooting, a logfile report (AdwCleaner[s0].txt) will open automatically.
  • Copy and paste the contents of that logfile in your next reply.
  • A copy of that logfile will also be saved in the C:\AdwCleaner folder.
  • Items that are deleted are moved to the Quarantine Folder: C:\AdwCleaner\Quarantine
  • To restore an item that has been deleted:
  • Go to Tools > Quarantine Manager > check what you want restored > now click on Restore.


STEP 06
Please open Malwarebytes Anti-Malware and from the Dashboard please Check for Updates by clicking the Update Now... link
Open up Malwarebytes > Settings > Detection and Protection > Enable Scan for rootkits, Under Non Malware Protection set both PUP and PUM to Treat detections as malware.
Click on the SCAN button and run a Threat Scan with Malwarebytes Anti-Malware by clicking the Scan Now>> button. Remove any threats found
Once completed please click on the History > Application Logs and find your scan log and open it and then click on the "copy to clipboard" button and post back the results on your next reply.


STEP 07

Please go here to run the online antivirus scanner from ESET.

  • Turn off the real time scanner of any existing antivirus program while performing the online scan
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the activex control to install
  • Click Start
  • Make sure that the option Remove found threats is unticked
  • Click on Advanced Settings and ensure these options are ticked:
    • Scan for potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth Technology


  • Click Scan
  • Wait for the scan to finish
  • If any threats were found, click the 'List of found threats', then click Export to text file....
  • Save it to your desktop, then please copy and paste that log as a reply to this topic.


STEP 08
Please download the Farbar Recovery Scan Tool and save it to your desktop.

Note: You need to run the version compatible with your system. You can check here if you're not sure if your computer is 32-bit or 64-bit

  • Double-click to run it. When the tool opens click Yes to disclaimer.
  • Press the Scan button.
  • It will make a log (FRST.txt) in the same directory the tool is run. Please copy and paste it to your reply.
  • The first time the tool is run, it also makes another log (Addition.txt). Please attach it to your reply as well.

Link to post

Kevin,

 

May I THANK YOU for the assistance you have provided?  Your information provided the PUSH that was needed to advance further in my learning and accepting my limtations at that POINt.  Have gone into some of what is available to me to learn more . . hoping we all can benefit from this.  I have some info on what my issues turned out to be, just do not have any data as to how nor where from this was given to my system.  It all started about the start of this year.  NO, am not going into any of the details unless there is a request, I do feel MBAM should know of this, that is if you are unaware.

 

Symptom: Excessive running of 'Processor' (NO Idle time) and NOT tied to any specific software program any will do.  That is all I will provide at this time.  Do not wish to inundate you with data you are NOT wanting to see.

 

Here is a very large "THANK YOU" for what you have done for ME.

 

Have a very good day and a "Merry Christmas"

Link to post

Greetings from the GREAT Country of TEXAS,

 

I did NOT see the post just above my last posting.  I will get to that task immediately as I have many of those programs, have not read the full list of "STEPS" at this point."  If there is any data you may like to know about, just ask, 'seek and ye shall find' . .

 

You do not provide the ability to edit any post.  Will make a correction in my above post, the corrections will be in GREEN:

 

". . . limtations at that POINT."  and this one is from my post prior to your list of Steps ". . software needs to run a scan on "Internet . . ."  excuse me as my fingers are not smart enough to recognize these errors and do not reread what is entered.  THANK YOU!

Link to post

Greetings from the GREAT Country of TEXAS,

 

Just to let you know, this was downloaded just a few days ago and run, as admin, NEVER finishing, about two (2) hours or more.  At present time it has been running about an hour.  Connected to the NET yet JRT could not 'ping' skipping update, running v8.0.1 'Restore Point success . . Processes is where it did NO more. H/D activity lite is flashing . . as well as my WIRELESS hook-up to the net.

Link to post

Greetings from the GREAT Country of TEXAS,

 

Forgot to mention the above post was done from my Laptop as my desktop was HUNG-up with "JRT.EXE" and needed to close down, could not get anything to take place.  Had to use the four (4) Second Power Switch trick.  Brought it up in Safe Mode just for safety sake then rebooted into normal mode accessing my ADMIN account ran the "JRT.EXE" fresh copy downloaded on 12/03/2015 v8.0.1 SUCCESS!!  Report follows:

 

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Junkware Removal Tool (JRT) by Malwarebytes
Version: 8.0.1 (11.24.2015)
Operating System: Windows 7 Professional x64
Ran by DE (Administrator) on Tue 12/08/2015 at  8:09:13.82
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~




File System: 0




Registry: 0





~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan was completed on Tue 12/08/2015 at  8:12:08.08
End of JRT log
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 

That other copy will be deleted ASAP as it just never has run.  On to the next one . .

Link to post

Greetings from the GREAT Country of TEXAS,

 

Opened MBAM Premium v2.2.1024 and checked the settings as noted in your instructions, all set.  Ran Threat Scan and NOTHING found, right clicked and selected "Run as Administrator" yet the report tells us 'Administrator - NO' so rerunning that scan at this time, report follows from the one just finished:

 

Malwarebytes Anti-Malware
www.malwarebytes.org

Scan Date: 12/08/2015
Scan Time: 10:31
Logfile:
Administrator: No

Version: 2.2.0.1024
Malware Database: v2015.12.08.03
Rootkit Database: v2015.12.07.01
License: Premium
Malware Protection: Enabled
Malicious Website Protection: Enabled
Self-protection: Enabled

OS: Windows 7 Service Pack 1
CPU: x64
File System: NTFS
User: DEPro

Scan Type: Threat Scan
Result: Completed
Objects Scanned: 304202
Time Elapsed: 8 min, 5 sec

Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Enabled
Heuristics: Enabled
PUP: Enabled
PUM: Enabled

Processes: 0
(No malicious items detected)

Modules: 0
(No malicious items detected)

Registry Keys: 0
(No malicious items detected)

Registry Values: 0
(No malicious items detected)

Registry Data: 0
(No malicious items detected)

Folders: 0
(No malicious items detected)

Files: 0
(No malicious items detected)

Physical Sectors: 0
(No malicious items detected)


(end)

Link to post
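
The FRST, JRT and MBAM logs quoted in this thread each record the account the tool ran under and whether it had administrator rights, which is the point the helpers keep returning to. The following is an added example, not part of the original posts, that reads that field from all three header formats so a log can be rejected before anyone analyses it; the function names are made up here, and "Administrator: Yes" as the elevated MBAM form is an assumption, since the thread only shows "No".

```python
import re

TOOLS = {"Farbar Recovery Scan Tool": "FRST",
         "Junkware Removal Tool": "JRT",
         "Malwarebytes Anti-Malware": "MBAM"}
RAN_BY = re.compile(r"^Ran by (\S+) \(([^)]*)\) on ", re.M)   # FRST and JRT
MBAM_ADMIN = re.compile(r"^Administrator:\s*(Yes|No)\s*$", re.M)
MBAM_USER = re.compile(r"^User:\s*(\S+)\s*$", re.M)


def run_context(log_text):
    """Return (tool, user, is_admin) from a log header, or None if unrecognised."""
    tool = next((short for name, short in TOOLS.items() if name in log_text), None)
    if tool in ("FRST", "JRT"):
        m = RAN_BY.search(log_text)
        if m:
            # Compare the whole note: FRST's warning text
            # "The user is not administrator" also contains the word.
            return tool, m.group(1), m.group(2).strip().lower() == "administrator"
    elif tool == "MBAM":
        admin, user = MBAM_ADMIN.search(log_text), MBAM_USER.search(log_text)
        if admin and user:
            return tool, user.group(1), admin.group(1) == "Yes"
    return None


def needs_rerun(logs):
    """Tools whose log shows a non-administrator run or could not be parsed."""
    out = []
    for text in logs:
        ctx = run_context(text)
        if ctx is None:
            out.append("unrecognised log")
        elif not ctx[2]:
            out.append(ctx[0])
    return out


# Header lines excerpted from the logs quoted in this thread.
FRST_HDR = (
    "Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version:05-12-2015\n"
    "Ran by DEPro (ATTENTION: The user is not administrator) on DESDSKTP "
    "(07-12-2015 12:16:09)\n")
JRT_HDR = (
    "Junkware Removal Tool (JRT) by Malwarebytes\n"
    "Version: 8.0.1 (11.24.2015)\n"
    "Ran by DE (Administrator) on Tue 12/08/2015 at  8:09:13.82\n")
MBAM_HDR = (
    "Malwarebytes Anti-Malware\nwww.malwarebytes.org\n\n"
    "Scan Date: 12/08/2015\nAdministrator: No\n\n"
    "OS: Windows 7 Service Pack 1\nUser: DEPro\n")

if __name__ == "__main__":
    for hdr in (FRST_HDR, JRT_HDR, MBAM_HDR):
        print(run_context(hdr))
    print("re-run as administrator:", needs_rerun([FRST_HDR, JRT_HDR, MBAM_HDR]))
```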

Greetings from the GREAT Country of TEXAS,

 

Step #7 was NOT easy to accomplish nor per your instructions, below is what was NOT given as selectables:

  • Make sure that the option Remove found threats is unticked [nothing to untick]

  • Click on Advanced Settings and ensure these options are ticked: [Never saw 'Advanced Settings']

{The below items may not have been allowed because of NOT finding any Threat}

    • Scan for potentially unwanted applications

    • Scan for potentially unsafe applications

    • Enable Anti-Stealth Technology

No Threat found so there is NOT any report to post as it did not give any selectables to copy/paste.  This could also be due to a fact that I am using Mozilla FireFox v42.0.x AND have NOT ever used Internet Explorer on this computer.  x32 and x64 IE browsers are installed but NOT used.

 

May I apologize for this lengthy delay in getting this done, some of my NEWEST software for alerting me of what is going on and blocking installs, runnings, reports, et ceteras has given me some issues to get things done as timely as possible.  Several times had to remove some items and restart them.  Now that is all done as reported above.  One last to accomplish . .

Link to post

Greetings from the GREAT Country of TEXAS,

 

NOT going into any of the details of what was needed to accomplish this task.  It has been a learning experience for myself and have a better understanding of what is needed and how to accomplish this need.  Have learned much and hope can remember all.  Plan on removing the extra software for those special scans and reports, but; keeping the download locations for future references.

 

Thank you very much for this examination and evaluation, hope it was not too difficult going through all of those logs.

 

They were run within my Admin access, now last two (2) logs:

 

FRST.txt

Addition.txt

Link to post

  • Root Admin

You're running a very old version of SUPERAntiSpyware. I would recommend that for now you fully uninstall it. Once we're done here if you wish to reinstall then go to their site and get the very latest version.

 

You're also running the Enhanced Mitigation Experience Toolkit from Microsoft Corporation (nothing wrong with that, just make sure you have it set and running how you want it)

 

The computer shows you're also running Microsoft Security Client with Avast installed. Please fully uninstall Microsoft Security Client as you cannot run 2 different antivirus programs at the same time as they will normally cause a conflict. The avast installer should have alerted to that and offered to remove but since that's not the case then please go into your Control Panel, Add/Remove Programs and uninstall it and reboot.

 

You're also running an old version of Spybot - Search & Destroy 2 (not sure by name alone if it's the Free version or the paid Home version). In either case again for now please uninstall it and when we're done here if you wish to reinstall you can but make sure you obtain the latest version from their website.

 

You're running a very old Sony SCSI Helper Service (very unlikely that it's needed, SCSI is rare on systems nowadays). I'd recommend you research that and see if you really need it or not. If not then remove it.

 

You have Seagate Dashboard and Mobile backup - if not using the Seagate backup then don't need this running either.

 

You're running MBAM with Self Protection enabled. For now please go into the Settings and Uncheck the Self Protection and restart the computer. After the restart go back into the MBAM settings and make sure it's still unchecked.

 

You have a service of RogueKiller Truesight running. I would recommend that you uninstall that for now.

 

Please uninstall All versions of Java for now.

 

WOAH... Hold on. This is a Major issue right here. If this cannot be corrected then you will need to format the drive and reinstall Windows.

 

 

Application errors:
==================
Error: (12/08/2015 12:39:45 PM) (Source: Microsoft-Windows-User Profiles Service) (EventID: 1542) (User: NT AUTHORITY)
Description: Windows cannot load classes registry file.
 DETAIL - The system cannot find the file specified.

 

Please  do the following. 

Click on START and type in CMD.EXE and when it shows on the menu right click and choose "Run as administrator"

Then type the following.

 

CHKDSK   C:   /R

 

Then press the Y key to say yes to run it after a restart. Then the Enter key. Then restart the computer and let it run.

 

Then run a new FRST scan with your Admin level account and make sure you place a check mark in the Additions.txt check box and post back both new logs.

 

 

 

Please note the following articles.

 

Do I need a Windows Registry Cleaner?

 

Microsoft Quote

A damaged Windows registry can exhibit a range of symptoms including excessive CPU utilization, longer startup and shutdown times, poor application functionality or random crashes or hangs.  These random crashes and hangs can ultimately lead to data loss due to the systems inability to save data back to the storage location during the occurrence.

 

 

The complexity of finding, preventing, and cleanup from malware
 

Thanks

Link to post

This topic is now closed to further replies.