
My fan is running overtime, and dllhost.exe and rundll32.exe processes are hogging the processor



The problem is pretty much as stated in the title bar. rundll32.exe and dllhost.exe are starting and running and after I end them, they often re-run, and even when they don't seem to be, the fan is working overtime. I ran Avast and Malwarebytes and got 3-4 minor viruses and malwares, which seemed to be attached to programs I have previously downloaded and since deleted.

I ran Farbar and tried to post the text results below, but it was too long for the post, so I have attached the files instead.

 

Thank you very much in advance.

 

FRST.txt

Addition.txt


Hello canary107, welcome to Malwarebytes' Malware Removal forum!
 
My name is Adam. I will be assisting you with your malware-related problems.
If you would allow me to call you by your first name I would prefer that. :)
 
General P2P/Piracy Notice: 
 

If you are using Peer to Peer (P2P) filesharing software such as uTorrent, BitTorrent or similar you must either fully uninstall or completely disable the programme(s) from running whilst receiving assistance at this forum. 
Failure to remove or disable such software will result in your topic being closed and no further assistance being provided.
If you have illegal/cracked/keygen or similar software on the computer, please remove/uninstall the software now and read the policy on Piracy. Failure to do so will also result in your topic being closed.

 
======================================================
 
Please read through the points below to ensure this process moves as quickly and efficiently as possible.

  • Ensure you read through my instructions thoroughly, and carry out each step in the order specified.
  • Please do not run any tools or take any steps other than those I provide for you. Independent efforts may make matters worse, and will affect my ability in providing the best set of instructions for you.
  • Please backup important files before proceeding with my instructions. Malware removal can be unpredictable at times.   
  • If you come across any issues whilst following my instructions, please stop and inform me of the issue in as much detail as possible. Please do not hesitate to ask before proceeding.
  • Topics are locked if no response is made after 4 days. Please inform me if you require additional time to complete my instructions.
  • I will notify you when I believe your computer is free of malware. Please bear in mind, absence of symptoms does not necessarily correlate to absence of malware, so please wait until the "All Clean". 
  • Ensure you are following this topic. Click the follow button at the top of the page.

======================================================
 

rundll32.exe and dllhost.exe are starting and running and after I end them, they often re-run

System32\rundll32.exe and System32\dllhost.exe are legitimate system files; required for normal operation of your Operating System. Rundll32.exe and Dllhost.exe running is not necessarily indicative of malware.
 
Your FRST logs appear free of malware. The issue you've described concerning your computer's fan may stem from a non-malware issue - this is something we can look into once malware has been ruled out. 
 
In the meantime, please do the following:
 
STEP 1
Farbar Recovery Scan Tool (FRST) Script

  • Press the Windows Key + r on your keyboard at the same time. Type Notepad and click OK.
  • Copy the entire contents of the codebox below and paste into the Notepad document.

    start
    CreateRestorePoint:
    HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
    Toolbar: HKLM - No Name - {318A227B-5E9F-45bd-8999-7F8F10CA4CF5} -  No File
    CustomCLSID: HKU\S-1-5-21-3474632376-2751809737-3740497399-1000_Classes\CLSID\{1423F872-3F7F-4E57-B621-8B1A9D49B448}\InprocServer32 -> C:\Users\Asus\AppData\Local\Google\Update\1.3.27.5\psuser_64.dll => No File
    CustomCLSID: HKU\S-1-5-21-3474632376-2751809737-3740497399-1000_Classes\CLSID\{5C8C2A98-6133-4EBA-BBCC-34D9EA01FC2E}\InprocServer32 -> C:\Users\Asus\AppData\Local\Google\Update\1.3.28.1\psuser_64.dll => No File
    CustomCLSID: HKU\S-1-5-21-3474632376-2751809737-3740497399-1000_Classes\CLSID\{78550997-5DEF-4A8A-BAF9-D5774E87AC98}\InprocServer32 -> C:\Users\Asus\AppData\Local\Google\Update\1.3.28.13\psuser_64.dll => No File
    CustomCLSID: HKU\S-1-5-21-3474632376-2751809737-3740497399-1000_Classes\CLSID\{90B3DFBF-AF6A-4EA0-8899-F332194690F8}\InprocServer32 -> C:\Users\Asus\AppData\Local\Google\Update\1.3.24.15\psuser_64.dll => No File
    CustomCLSID: HKU\S-1-5-21-3474632376-2751809737-3740497399-1000_Classes\CLSID\{C3BC25C0-FCD3-4F01-AFDD-41373F017C9A}\InprocServer32 -> C:\Users\Asus\AppData\Local\Google\Update\1.3.26.9\psuser_64.dll => No File
    CustomCLSID: HKU\S-1-5-21-3474632376-2751809737-3740497399-1000_Classes\CLSID\{D0336C0B-7919-4C04-8CCE-2EBAE2ECE8C9}\InprocServer32 -> C:\Users\Asus\AppData\Local\Google\Update\1.3.25.11\psuser_64.dll => No File
    CustomCLSID: HKU\S-1-5-21-3474632376-2751809737-3740497399-1000_Classes\CLSID\{D1EDC4F5-7F4D-4B12-906A-614ECF66DDAF}\InprocServer32 -> C:\Users\Asus\AppData\Local\Google\Update\1.3.28.15\psuser_64.dll => No File
    CMD: ipconfig /flushdns
    EmptyTemp:
    end

  • Click File > Save As and type fixlist.txt as the File Name
  • Important: The file must be saved in the same location as FRST64.exe. 

NOTICE: This script is intended for use on this particular machine. Do not use this script on any other machine; doing so may cause damage to your Operating System.

  • Right-Click FRST64.exe and select Run as administrator to run the programme.
  • Click Fix.
  • A log (Fixlog.txt) will open on your desktop. Copy the contents of the log and paste in your next reply.
     

STEP 2
Malwarebytes Anti-Malware (MBAM)

  • Open Malwarebytes Anti-Malware and click Update Now.
  • Once updated, click the Settings tab, followed by Detection and Protection and tick Scan for rootkits.
  • Click the Scan tab, ensure Threat Scan is selected and click Start Scan.
  • Note: You may see the following message, "Could not load DDA driver". Click Yes, allow your PC to reboot and continue afterwards. 
  • If threats are detected, click Remove Selected. If you are prompted to reboot, click Yes.
  • Upon completion of the scan (or after the reboot), click the History tab.
  • Click Application Logs and double-click the Scan Log.
  • Click Copy to Clipboard and paste the log in your next reply. 
     

STEP 3
RogueKiller

  • Please download RogueKiller (x64) and save the file to your Desktop.
  • Close any running programmes.
  • Right-Click RogueKiller.exe and select Run as administrator to run the programme.
  • Allow the Prescan to complete. Upon completion, a window will open. Click Accept.
  • A browser window may open. Close the browser window.
  • Click Scan. Upon completion, click Report.
  • Close the programme. Do not fix anything!
  • A log (RKreport.txt) will be open. Copy the contents of the log and paste in your next reply.
     

======================================================

STEP 4
Logs
In your next reply please include the following logs. Please be sure to copy and paste the requested logs, as well as provide information on any questions I may have asked.

  • Fixlog.txt
  • MBAM log
  • RKreport.txt

Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!


Thanks very much for re-opening. The logs requested previously are pasted below. There was an issue with the Rogue Killer log - I selected 'Report' and it only opened a new window within the program, so from there I selected the text version, and it opened a file in notepad, but the file is called rk_340B.tmp. I have posted the contents here anyway.

 

Fixlog contents:
 

Fix result of Farbar Recovery Scan Tool (x64) Version:27-01-2016
Ran by Asus (2016-02-13 22:54:39) Run:1
Running from C:\Users\Asus\Downloads
Loaded Profiles: Asus & postgres (Available Profiles: Asus & n & postgres)
Boot Mode: Normal
==============================================
 
fixlist content:
*****************
start
CreateRestorePoint:
HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer: Restriction <======= ATTENTION
Toolbar: HKLM - No Name - {318A227B-5E9F-45bd-8999-7F8F10CA4CF5} -  No File
CustomCLSID: HKU\S-1-5-21-3474632376-2751809737-3740497399-1000_Classes\CLSID\{1423F872-3F7F-4E57-B621-8B1A9D49B448}\InprocServer32 -> C:\Users\Asus\AppData\Local\Google\Update\1.3.27.5\psuser_64.dll => No File
CustomCLSID: HKU\S-1-5-21-3474632376-2751809737-3740497399-1000_Classes\CLSID\{5C8C2A98-6133-4EBA-BBCC-34D9EA01FC2E}\InprocServer32 -> C:\Users\Asus\AppData\Local\Google\Update\1.3.28.1\psuser_64.dll => No File
CustomCLSID: HKU\S-1-5-21-3474632376-2751809737-3740497399-1000_Classes\CLSID\{78550997-5DEF-4A8A-BAF9-D5774E87AC98}\InprocServer32 -> C:\Users\Asus\AppData\Local\Google\Update\1.3.28.13\psuser_64.dll => No File
CustomCLSID: HKU\S-1-5-21-3474632376-2751809737-3740497399-1000_Classes\CLSID\{90B3DFBF-AF6A-4EA0-8899-F332194690F8}\InprocServer32 -> C:\Users\Asus\AppData\Local\Google\Update\1.3.24.15\psuser_64.dll => No File
CustomCLSID: HKU\S-1-5-21-3474632376-2751809737-3740497399-1000_Classes\CLSID\{C3BC25C0-FCD3-4F01-AFDD-41373F017C9A}\InprocServer32 -> C:\Users\Asus\AppData\Local\Google\Update\1.3.26.9\psuser_64.dll => No File
CustomCLSID: HKU\S-1-5-21-3474632376-2751809737-3740497399-1000_Classes\CLSID\{D0336C0B-7919-4C04-8CCE-2EBAE2ECE8C9}\InprocServer32 -> C:\Users\Asus\AppData\Local\Google\Update\1.3.25.11\psuser_64.dll => No File
CustomCLSID: HKU\S-1-5-21-3474632376-2751809737-3740497399-1000_Classes\CLSID\{D1EDC4F5-7F4D-4B12-906A-614ECF66DDAF}\InprocServer32 -> C:\Users\Asus\AppData\Local\Google\Update\1.3.28.15\psuser_64.dll => No File
CMD: ipconfig /flushdns
EmptyTemp:
end
*****************
 
Error: (0) Failed to create a restore point.
"HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer" => key removed successfully
HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar\\{318A227B-5E9F-45bd-8999-7F8F10CA4CF5} => value removed successfully
HKCR\CLSID\{318A227B-5E9F-45bd-8999-7F8F10CA4CF5} => key not found. 
"HKU\S-1-5-21-3474632376-2751809737-3740497399-1000_Classes\CLSID\{1423F872-3F7F-4E57-B621-8B1A9D49B448}" => key removed successfully
"HKU\S-1-5-21-3474632376-2751809737-3740497399-1000_Classes\CLSID\{5C8C2A98-6133-4EBA-BBCC-34D9EA01FC2E}" => key removed successfully
"HKU\S-1-5-21-3474632376-2751809737-3740497399-1000_Classes\CLSID\{78550997-5DEF-4A8A-BAF9-D5774E87AC98}" => key removed successfully
"HKU\S-1-5-21-3474632376-2751809737-3740497399-1000_Classes\CLSID\{90B3DFBF-AF6A-4EA0-8899-F332194690F8}" => key removed successfully
"HKU\S-1-5-21-3474632376-2751809737-3740497399-1000_Classes\CLSID\{C3BC25C0-FCD3-4F01-AFDD-41373F017C9A}" => key removed successfully
"HKU\S-1-5-21-3474632376-2751809737-3740497399-1000_Classes\CLSID\{D0336C0B-7919-4C04-8CCE-2EBAE2ECE8C9}" => key removed successfully
"HKU\S-1-5-21-3474632376-2751809737-3740497399-1000_Classes\CLSID\{D1EDC4F5-7F4D-4B12-906A-614ECF66DDAF}" => key removed successfully
 
=========  ipconfig /flushdns =========
 
 
Windows IP Configuration
 
Successfully flushed the DNS Resolver Cache.
 
========= End of CMD: =========
 
EmptyTemp: => 3.7 GB temporary data Removed.
 
 
The system needed a reboot.
 
==== End of Fixlog 22:58:32 ====
 

MBAM log:

Malwarebytes Anti-Malware
www.malwarebytes.org
 
Scan Date: 13/02/2016
Scan Time: 23:15
Logfile: 
Administrator: Yes
 
Version: 2.2.0.1024
Malware Database: v2016.02.13.04
Rootkit Database: v2016.02.08.01
License: Free
Malware Protection: Disabled
Malicious Website Protection: Disabled
Self-protection: Disabled
 
OS: Windows 7 Service Pack 1
CPU: x64
File System: NTFS
User: Asus
 
Scan Type: Threat Scan
Result: Completed
Objects Scanned: 575266
Time Elapsed: 31 min, 46 sec
 
Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Enabled
Heuristics: Enabled
PUP: Warn
PUM: Enabled
 
Processes: 0
(No malicious items detected)
 
Modules: 0
(No malicious items detected)
 
Registry Keys: 0
(No malicious items detected)
 
Registry Values: 0
(No malicious items detected)
 
Registry Data: 0
(No malicious items detected)
 
Folders: 0
(No malicious items detected)
 
Files: 0
(No malicious items detected)
 
Physical Sectors: 0
(No malicious items detected)
 
 
(end)


Contents of the rk_340B.tmp file described above:
 

RogueKiller V11.0.11.0 [Feb  8 2016] (Free) by Adlice Software
 
Operating System : Windows 7 (6.1.7601 Service Pack 1) 64 bits version
Started in : Normal mode
User : Asus [Administrator]
Started from : C:\Users\Asus\Desktop\RogueKiller.exe
Mode : Scan -- Date : 02/14/2016 00:09:17
 
¤¤¤ Processes : 0 ¤¤¤
 
¤¤¤ Registry : 3 ¤¤¤
[PUP] (X86) HKEY_LOCAL_MACHINE\Software\Check Point Software Technologies LTD -> Found
[PUM.HomePage] (X64) HKEY_USERS\S-1-5-21-3474632376-2751809737-3740497399-1000\Software\Microsoft\Internet Explorer\Main | Default_Page_URL : http://asus.msn.com -> Found
[PUM.HomePage] (X86) HKEY_USERS\S-1-5-21-3474632376-2751809737-3740497399-1000\Software\Microsoft\Internet Explorer\Main | Default_Page_URL : http://asus.msn.com -> Found
 
¤¤¤ Tasks : 0 ¤¤¤
 
¤¤¤ Files : 1 ¤¤¤
[PUP][Folder] C:\Program Files (x86)\Check Point Software Technologies LTD -> Found
 
¤¤¤ Hosts File : 0 ¤¤¤
 
¤¤¤ Antirootkit : 0 (Driver: Not loaded [0xc000036b]) ¤¤¤
 
¤¤¤ Web browsers : 0 ¤¤¤
 
¤¤¤ MBR Check : ¤¤¤
+++++ PhysicalDrive0: ATA ST500LT012-9WS14 SCSI Disk Device +++++
--- User ---
[MBR] 1c18c57b2629d8b05f56b0228b83ead1
[bSP] fdcdaff27f4cd195c6cc123371406d0c : Empty|VT.Unknown MBR Code
Partition table:
0 -  | Offset (sectors): 34 | Size: 128 MB
1 -  | Offset (sectors): 264192 | Size: 200 MB
2 -  | Offset (sectors): 673792 | Size: 204798 MB
3 -  | Offset (sectors): 420100096 | Size: 246208 MB
4 -  | Offset (sectors): 924334080 | Size: 25605 MB
User = LL1 ... OK
User = LL2 ... OK
 
+++++ PhysicalDrive1: ATA SanDisk SSD i100 SCSI Disk Device +++++
--- User ---
[MBR] 1f94be0d0544a31dd25030b5f06fdc5c
[bSP] a57d886496ff6c3fbff2d1b0a8881b81 : Empty|VT.Unknown MBR Code
Partition table:
0 - HFS | Offset (sectors): 8392704 | Size: 18804 MB
1 - Basic data partition | Offset (sectors): 2048 | Size: 4096 MB
User = LL1 ... OK
User = LL2 ... OK


Thanks again for your help and patience.

Hello, 
 

but the file is called rk_340B.tmp. I have posted the contents here anyway.

Thank you. 
 
Please do the following: 
 
STEP 1
AdwCleaner

  • Please download AdwCleaner and save the file to your Desktop.
  • Right-Click AdwCleaner.exe and select Run as administrator to run the programme.
  • Follow the prompts. 
  • Click Scan
  • Upon completion, click Logfile. A log (AdwCleaner[s1].txt) will open. Briefly check the log for anything you know to be legitimate. 
  • Ensure anything you know to be legitimate does not have a checkmark under the corresponding tab, and click Cleaning
  • Follow the prompts and allow your computer to reboot
  • After the reboot, a log (AdwCleaner[C1].txt) will open. Copy the contents of the log and paste in your next reply.

-- File and folder backups are made for items removed using this tool. Should a legitimate file or folder be removed (otherwise known as a 'false-positive'), simple steps can be taken to restore the item. Please do not overly concern yourself with the contents of AdwCleaner[s1].txt.
 

STEP 2
Farbar Recovery Scan Tool (FRST) Scan

  • Right-Click FRST64.exe and select Run as administrator to run the programme.
  • Ensure the Addition.txt box is checked.
  • Click the Scan button and let the programme run.
  • Upon completion, click OK, then OK on the Addition.txt pop up screen.
  • Two logs (FRST.txt & Addition.txt) will now be open on your Desktop. Copy the contents of both logs and paste in your next reply. 
     

======================================================
 
STEP 3
Logs
In your next reply please include the following logs. Please be sure to copy and paste the requested logs, as well as provide information on any questions I may have asked.

  • AdwCleaner[C1].txt
  • FRST.txt
  • Addition.txt

Hello, 

 

Please run the following two scans. We will begin looking into non-malware troubleshooting afterwards. Could you also please confirm if the issue described in your first post is consistent with the state of the machine currently. 

 

STEP 1
Junkware Removal Tool (JRT)

  • Please download Junkware Removal Tool and save the file to your Desktop.
  • Temporarily disable your anti-virus software. For instructions, please refer to the following link.
  • Right-Click JRT.exe and select Run as administrator to run the programme.
  • Follow the prompts and allow the scan to run uninterrupted. 
  • Upon completion, a log (JRT.txt) will open on your desktop.
  • Re-enable your anti-virus software.
  • Copy the contents of JRT.txt and paste in your next reply.
     

STEP 2
ESET Online Scan
Note: This scan may take a long time to complete. Please do not browse the Internet whilst your Anti-Virus is disabled.

  • Please download ESET Online Scan and save the file to your Desktop.
  • Temporarily disable your anti-virus software. For instructions, please refer to the following link.
  • Double-click esetsmartinstaller_enu.exe to run the programme. 
  • Agree to the EULA by placing a checkmark next to Yes, I accept the Terms of Use. Then click Start.
  • Agree to the Terms of Use once more and click Start. Allow components to download.
  • Place a checkmark next to Enable detection of potentially unwanted applications.
  • Click Advanced settings. Place a checkmark next to:
    • Scan archives
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth technology
  • Ensure Remove found threats is unchecked.
  • Click Start.
  • Wait for the scan to finish. Please be patient as this can take some time.
  • Upon completion, click esetListThreats.png. If no threats were found, skip the next two bullet points. 
  • Click esetExport.png and save the file to your Desktop, naming it something such as "MyEsetScan".
  • Push the Back button.
  • Place a checkmark next to KN1w2nv.png and click SzOC1p0.png.
  • Re-enable your anti-virus software.
  • Copy the contents of the log and paste in your next reply.
     

======================================================
 
STEP 3
Logs
In your next reply please include the following logs. Please be sure to copy and paste the requested logs, as well as provide information on any questions I may have asked.

  • JRT.txt
  • ESET Online Scan log

Right, right. I will do this now. No time during the week again...

Regarding the question you asked, the state of the machine now is different than it was originally, but I am not convinced that all is entirely well. I suppose it may turn out that it's just a malfunctioning or defective hard drive or something.

The full sequence of events has been as follows:

1. The fans were running madly and there were constant CPU spikes. I rebooted several times and gave it a break, all to no avail.
2. I ran malwarebytes and Avast anti-virus, which picked up maybe three items between them (one was something to do with a Yontoo search bar, which I had supposedly previously noticed and uninstalled). The fan continued to run excessively, with CPU spikes, and I wrote my message asking for help here.
3. A day or so later and having returned to my home network, the fans stopped running, but CPU spikes continued, now mostly coming from WmiPrvSE.exe
4. Two further crashes (blue screen of death style crashes) over a couple of days.
5. No crashes for last 10 days or so and computer mostly fine, but sometimes still runs slow and RAM usage often still seems on the high side.

Thanks.


Right, right. I will do this now. No time during the week again...

That's quite alright; please take all the time you need. :) I only request being made aware in advance (see Post #2) if additional time is required so I know if you still require assistance or not. Some users simply do not respond back, resulting in the assumption they no longer require assistance.


Hi,

The JRT and ESET scan logs are pasted below:

JRT:
 

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Junkware Removal Tool (JRT) by Malwarebytes
Version: 8.0.3 (02.09.2016)
Operating System: Windows 7 Home Premium x64 
Ran by Asus (Administrator) on 20/02/2016 at 15:10:45.50
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
 
 
 
File System: 14 
 
Successfully deleted: C:\Users\Asus\AppData\Local\{B8AA8470-AEB9-492A-8F89-631BF9CAD654} (Empty Folder)
Successfully deleted: C:\Users\Asus\AppData\Local\{F6130B31-A293-4C95-8EC4-3E6097EA931E} (Empty Folder)
Successfully deleted: C:\Users\Asus\AppData\Local\Google\Chrome\User Data\Default\Local Storage\hxxp_st.chatango.com_0.localstorage-journal (File) 
Successfully deleted: C:\Users\Asus\AppData\Local\Google\Chrome\User Data\Default\Local Storage\hxxp_st.chatango.com_0.localstorage (File) 
Successfully deleted: C:\Users\Asus\AppData\Local\Google\Chrome\User Data\Default\Local Storage\hxxp_www.azlyrics.com_0.localstorage-journal (File) 
Successfully deleted: C:\Users\Asus\AppData\Local\Google\Chrome\User Data\Default\Local Storage\hxxp_www.azlyrics.com_0.localstorage (File) 
Successfully deleted: C:\Users\Asus\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\GEWHXVZF (Temporary Internet Files Folder) 
Successfully deleted: C:\Users\Asus\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\H66RP01U (Temporary Internet Files Folder) 
Successfully deleted: C:\Users\Asus\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\IXUPTDRW (Temporary Internet Files Folder) 
Successfully deleted: C:\Users\Asus\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\WL3ZXQ7S (Temporary Internet Files Folder) 
Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\GEWHXVZF (Temporary Internet Files Folder) 
Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\H66RP01U (Temporary Internet Files Folder) 
Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\IXUPTDRW (Temporary Internet Files Folder) 
Successfully deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\WL3ZXQ7S (Temporary Internet Files Folder) 
 
 
 
Registry: 0 
 
 
 
 
 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan was completed on 20/02/2016 at 15:13:57.93
End of JRT log
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


ESET Scan Log:

C:\AdwCleaner\Quarantine\C\Program Files (x86)\Check Point Software Technologies LTD\zonealarm\1.8.29.17\zonealarmApp.dll.vir a variant of Win32/Toolbar.Montiera.A potentially unwanted application
C:\AdwCleaner\Quarantine\C\Program Files (x86)\Check Point Software Technologies LTD\zonealarm\1.8.29.17\zonealarmEng.dll.vir a variant of Win32/Toolbar.Montiera.A potentially unwanted application
C:\AdwCleaner\Quarantine\C\Program Files (x86)\Check Point Software Technologies LTD\zonealarm\1.8.29.17\zonealarmsrv.exe.vir a variant of Win32/Toolbar.Montiera.A potentially unwanted application
C:\AdwCleaner\Quarantine\C\Program Files (x86)\Check Point Software Technologies LTD\zonealarm\1.8.29.17\bh\zonealarm.dll.vir a variant of Win32/Toolbar.Escort.A potentially unwanted application
C:\AdwCleaner\Quarantine\C\Users\Asus\AppData\Roaming\Check Point Software Technologies LTD\zonealarm\1.8.29.17\uninstall.exe.vir Win32/Toolbar.Montiera.B potentially unwanted application
C:\AdwCleaner\Quarantine\C\Users\Asus\AppData\Roaming\Check Point Software Technologies LTD\zonealarm\1.8.29.17\uninstall_d.exe.vir Win32/Toolbar.Montiera.B potentially unwanted application
C:\AdwCleaner\Quarantine\C\Users\Asus\AppData\Roaming\Check Point Software Technologies LTD\zonealarm\1.8.29.17\zonealarm4ffx.exe.vir Win32/Toolbar.Montiera.E potentially unwanted application
C:\Users\Asus\Downloads\HSS-3.42-install-plain-701-plain.exe Win32/Bundled.Toolbar.Ask.L potentially unsafe application
C:\Users\Asus\Downloads\zafwSetupWeb_120_104_000.exe Win32/Toolbar.Conduit potentially unwanted application
C:\Users\Asus\Downloads\zafwSetupWeb_130_208_000.exe Win32/Toolbar.Conduit potentially unwanted application
C:\Users\Sacha\Downloads\ccsetup326.exe Win32/Bundled.Toolbar.Google.D potentially unsafe application
C:\Users\Sacha\Downloads\debutsetup.exe a variant of Win32/Toolbar.Conduit.H potentially unwanted application
C:\Users\Sacha\Pictures\My Pictures\Downloads\zaSetup_92_044_000_en.exe a variant of Win32/Toolbar.Conduit.AI potentially unwanted application
D:\backup restore\C\Users\Matt\AppData\Local\Google\Chrome\User Data\Default\Extensions\niapdbllcanepiiimjjndipklodoedlc\1.0.3_0\back.js JS/Adware.Yontoo.B application
D:\backup restore\C\Users\Matt\AppData\Local\Google\Chrome\User Data\Default\Extensions\niapdbllcanepiiimjjndipklodoedlc\1.0.3_0\yl.js JS/Adware.Yontoo.A application
D:\backup restore\C\Users\Sacha\AppData\Roaming\Yontoo\YontooDesktop.exe a variant of MSIL/Adware.Yontoo.A application
D:\backup restore\C\Users\Sacha\AppData\Roaming\Yontoo\dat\Desktop.OS.dll a variant of MSIL/Adware.Yontoo.A application
D:\backup restore\C\Users\Sacha\AppData\Roaming\Yontoo\dat\Desktop.OS.Plugin.dll MSIL/Adware.Yontoo.A application
D:\backup restore\C\Users\Sacha\AppData\Roaming\Yontoo\dat\Dora.dat a variant of MSIL/Adware.Yontoo.A application
D:\backup restore\C\Users\Sacha\AppData\Roaming\Yontoo\dat\HealthMonitor.dat a variant of MSIL/Adware.Yontoo.A application
D:\backup restore\C\Users\Sacha\AppData\Roaming\Yontoo\dat\HeartBeat.dat a variant of MSIL/Adware.Yontoo.A application
D:\backup restore\C\Users\Sacha\Downloads\ccsetup326.exe Win32/Bundled.Toolbar.Google.D potentially unsafe application
D:\backup restore\C\Users\Sacha\Downloads\debutsetup.exe a variant of Win32/Toolbar.Conduit.H potentially unwanted application
D:\backup restore\C\Users\Sacha\Pictures\My Pictures\Downloads\zaSetup_92_044_000_en.exe a variant of Win32/Toolbar.Conduit.AI potentially unwanted application
 
 

Thanks.


Hello, 
 

C:\Users\Asus\Downloads\HSS-3.42-install-plain-701-plain.exe Win32/Bundled.Toolbar.Ask.L potentially unsafe application
C:\Users\Asus\Downloads\zafwSetupWeb_120_104_000.exe Win32/Toolbar.Conduit potentially unwanted application
C:\Users\Asus\Downloads\zafwSetupWeb_130_208_000.exe Win32/Toolbar.Conduit potentially unwanted application
C:\Users\Sacha\Downloads\ccsetup326.exe Win32/Bundled.Toolbar.Google.D potentially unsafe application
C:\Users\Sacha\Downloads\debutsetup.exe a variant of Win32/Toolbar.Conduit.H potentially unwanted application
C:\Users\Sacha\Pictures\My Pictures\Downloads\zaSetup_92_044_000_en.exe a variant of Win32/Toolbar.Conduit.AI potentially unwanted application

The following items are installers for software, and have been flagged because they bundle additional software considered potentially unwanted. You may wish to delete these files.
 

D:\backup restore\C\Users\Matt\AppData\Local\Google\Chrome\User Data\Default\Extensions\niapdbllcanepiiimjjndipklodoedlc\1.0.3_0\back.js JS/Adware.Yontoo.B application
D:\backup restore\C\Users\Matt\AppData\Local\Google\Chrome\User Data\Default\Extensions\niapdbllcanepiiimjjndipklodoedlc\1.0.3_0\yl.js JS/Adware.Yontoo.A application
D:\backup restore\C\Users\Sacha\AppData\Roaming\Yontoo\YontooDesktop.exe a variant of MSIL/Adware.Yontoo.A application
D:\backup restore\C\Users\Sacha\AppData\Roaming\Yontoo\dat\Desktop.OS.dll a variant of MSIL/Adware.Yontoo.A application
D:\backup restore\C\Users\Sacha\AppData\Roaming\Yontoo\dat\Desktop.OS.Plugin.dll MSIL/Adware.Yontoo.A application
D:\backup restore\C\Users\Sacha\AppData\Roaming\Yontoo\dat\Dora.dat a variant of MSIL/Adware.Yontoo.A application
D:\backup restore\C\Users\Sacha\AppData\Roaming\Yontoo\dat\HealthMonitor.dat a variant of MSIL/Adware.Yontoo.A application
D:\backup restore\C\Users\Sacha\AppData\Roaming\Yontoo\dat\HeartBeat.dat a variant of MSIL/Adware.Yontoo.A application
D:\backup restore\C\Users\Sacha\Downloads\ccsetup326.exe Win32/Bundled.Toolbar.Google.D potentially unsafe application
D:\backup restore\C\Users\Sacha\Downloads\debutsetup.exe a variant of Win32/Toolbar.Conduit.H potentially unwanted application
D:\backup restore\C\Users\Sacha\Pictures\My Pictures\Downloads\zaSetup_92_044_000_en.exe a variant of Win32/Toolbar.Conduit.AI potentially unwanted application

The following files reside on your backup drive. I suggest deleting the folders and files in bold below.  
 

5. No crashes for last 10 days or so and computer mostly fine, but sometimes still runs slow and RAM usage often still seems on the high side.

Let's look into a potential software-related cause first. There also appears to be an issue with the creation of System Restore Points, which we can look into as well. 

STEP 1
Farbar Service Scanner (FSS)

  • Please download FSS and save the file to your Desktop.
  • Right-Click FSS.exe and select Run as administrator to run the programme.
  • Ensure the following items are checked:
    • Internet Services 
    • Windows Firewall 
    • System Restore 
    • Security Center/Action Center 
    • Windows Update
    • Windows Defender
    • Other Services
  • Click YMLYaf6.png.
  • A log (FSS.txt) will be created on your Desktop. Copy the contents of the log and paste in your next reply.
     

STEP 2
Clean Boot

  • Press the Windows Key + r on your keyboard at the same time. Type msconfig and click OK.
  • If prompted for an administrator password or for confirmation, type the password, or provide confirmation.
  • In the General tab, click Selective Startup.
  • Remove the checkmark next to Load startup items.
  • Click the Services tab.
  • Place a checkmark next to Hide all Microsoft services.
  • Click Disable all, followed by OK.
  • When prompted, click Restart and boot normally into Windows.
  • Check your computer's performance, and let me know the results. 
     

======================================================
 
STEP 3
Logs
In your next reply please include the following logs. Please be sure to copy and paste the requested logs, as well as provide information on any questions I may have asked.

  • FSS.txt
  • Clean boot results
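
The reply above sorts the ESET findings by where the file sits (installers in Downloads folders, copies on the backup drive) rather than by detection name. The following sketch of that triage is an added example, not part of the original thread and not code from ESET or any tool named here. The two path prefixes are taken from this thread's log; the `live` bucket, the platform list and the last sample line are assumptions made for illustration.

```python
import re
from dataclasses import dataclass
from pathlib import PureWindowsPath

# Path prefixes as they appear in this thread's log; adjust per machine.
QUARANTINE_PREFIX = "C:\\AdwCleaner\\Quarantine\\"
BACKUP_PREFIX = "D:\\backup restore\\"

# Lines copied from the ESET log in this thread, one of them with the path
# and detection name run together without a separator. The last line is
# constructed to show a finding outside quarantine, backup and Downloads.
SAMPLE_LOG = r"""
C:\AdwCleaner\Quarantine\C\Program Files (x86)\Check Point Software Technologies LTD\zonealarm\1.8.29.17\zonealarmApp.dll.vir a variant of Win32/Toolbar.Montiera.A potentially unwanted application
C:\Users\Asus\Downloads\zafwSetupWeb_120_104_000.exe Win32/Toolbar.Conduit potentially unwanted application
C:\Users\Sacha\Downloads\ccsetup326.exe Win32/Bundled.Toolbar.Google.D potentially unsafe application
D:\backup restore\C\Users\Matt\AppData\Local\Google\Chrome\User Data\Default\Extensions\niapdbllcanepiiimjjndipklodoedlc\1.0.3_0\back.jsJS/Adware.Yontoo.B application
D:\backup restore\C\Users\Sacha\AppData\Roaming\Yontoo\dat\Dora.dat a variant of MSIL/Adware.Yontoo.A application
C:\Users\Example\AppData\Roaming\ExampleBar\bar.dll a variant of Win32/Toolbar.Example.A potentially unwanted application
"""

# Windows paths never contain "/", so the first "<platform>/" token marks the
# start of the detection name even though the path itself contains spaces or
# the space before the detection was lost. The platform list covers the
# prefixes seen in this thread's log.
LINE_RE = re.compile(
    r"^(?P<path>[A-Za-z]:\\.+?)\s*"
    r"(?P<variant>a variant of\s+)?"
    r"(?P<name>(?:Win32|MSIL|JS)/[\w.]+)\s+"
    r"(?P<category>potentially unwanted application|"
    r"potentially unsafe application|application)\s*$"
)


@dataclass(frozen=True)
class Finding:
    path: str
    name: str
    category: str
    variant: bool
    location: str


def classify_location(path):
    """Bucket a finding by where the file sits, most specific rule first."""
    lowered = path.lower()
    if lowered.startswith(QUARANTINE_PREFIX.lower()):
        return "quarantine"   # already neutralised by the cleanup tool
    if lowered.startswith(BACKUP_PREFIX.lower()):
        return "backup"       # dormant copy, returns if the backup is restored
    folders = [p.lower() for p in PureWindowsPath(path).parts[:-1]]
    if "downloads" in folders:
        return "download"     # installer at rest, not necessarily installed
    return "live"             # anywhere else: review first


def parse_line(line):
    """Return a Finding for one log line, or None if it is not a detection."""
    match = LINE_RE.match(line.strip())
    if match is None:
        return None
    path = match.group("path")
    return Finding(path, match.group("name"), match.group("category"),
                   match.group("variant") is not None, classify_location(path))


def triage(log_text):
    """Group detections by location; keep unparsed lines for manual review."""
    groups = {"live": [], "download": [], "backup": [], "quarantine": []}
    unparsed = []
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        finding = parse_line(raw)
        if finding is None:
            unparsed.append(raw)
        else:
            groups[finding.location].append(finding)
    return groups, unparsed


if __name__ == "__main__":
    grouped, leftover = triage(SAMPLE_LOG)
    for location, findings in grouped.items():
        print(f"{location}: {len(findings)}")
        for f in findings:
            print(f"  {f.name} [{f.category}] {f.path}")
    print(f"unparsed lines: {len(leftover)}")
```
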

  • 2 weeks later...
  • Root Admin

Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!
