Possible malware: High CPU-usage (100%) (multiple processes cmd, notepad, msiexec)

[ahmedbadenjki]

Hi, 

 

A few days ago I noticed cpu-usage levels were extremely high (100% most of the time). I closed all apps and restarted, computer starts out fine but as soon as I turn on wifi a Notepad launches by itself and computer starts getting really slow. Been noticing several cmd.exe processes open in task manager even tho I haven't launched command prompt. Same thing with conhost.exe msiexec.exe and notepad.exe and more than one explorer.exe 

 

Tried to run virus scan, nothing was found - althought Avast Antivirus keeps notifying me that it blocked a threat and that urls were being blocked such as: reannewscomm.com and other spammy-sounding websites. 

 

Please let me know if there is any other information you need from me at this point.

 

P.S. I'm running Windows 7 with Avast Antivirus

 

Any help is appreciated.

 

Ahmed

[kevinf80]

Hello Ahmed and welcome to Malwarebytes,

Please be aware the following P2P/Piracy Warning is a standard opening reply made here at Malwarebytes, we make no accusations but do make you aware of Forum Protocol....
 

 

If you're using Peer 2 Peer software such as uTorrent, BitTorrent or similar you must either fully uninstall them or completely disable them from running while being assisted here.Failure to remove or disable such software will result in your topic being closed and no further assistance being provided.If you have illegal/cracked software, cracks, keygens etc. on the system, please remove or uninstall them now and read the policy on Piracy.

Anyone other than the original starter of this thread please DO NOT follow the instructions and advice posted as replies here, my help and advice is NOT related to your system and will probably cause more harm than good...
 

Next,

 

Please open Malwarebytes Anti-Malware.
 

• On the Settings tab > Detection and Protection sub tab, Detection Options, tick the box "Scan for rootkits".
• Under Non-Malware Protection sub tab Change PUP and PUM entries to Treat detections as Malware
• Click on the Scan tab, then click on Scan Now >> . If an update is available, click the Update Now button.
• A Threat Scan will begin.
• With some infections, you may or may not see this message box.
  
          'Could not load DDA driver'
• Click 'Yes' to this message, to allow the driver to load after a restart.
• Allow the computer to restart. Continue with the rest of these instructions.
• When the scan is complete, click Apply Actions.
• Wait for the prompt to restart the computer to appear, then click on Yes.
• After the restart once you are back at your desktop, open MBAM once more.

To get the log from Malwarebytes do the following:
 

• Click on the History tab > Application Logs.
• Double click on the scan log which shows the Date and time of the scan just performed.
• Click Export > From export you have three options:
  
    Copy to Clipboard - if seleted right click to your reply and select "Paste" log will be pasted to your reply
    Text file (*.txt)        - if selected you will have to name the file and save to a place of choice, recommend "Desktop" then attach to reply
    XML file (*.xml)      - if selected you will have to name the file and save to a place of choice, recommend "Desktop" then attach to reply
• Please use "Copy to Clipboard, then Right click to your reply > select "Paste" that will copy the log to your reply…

If Malwarebytes is not installed follow these instructions first:

Download Malwarebytes Anti-Malware to your desktop.

• Double-click mbam-setup and follow the prompts to install the program.
• At the end, be sure a checkmark is placed next to the following:
• Launch Malwarebytes Anti-Malware
• A 14 day trial of the Premium features is pre-selected. You may deselect this if you wish, and it will not diminish the scanning and removal capabilities of the program.
• Click Finish. Follow the instructions above....

 

 

Next,

 

Download Farbar Recovery Scan Tool and save it to your desktop.

Note: You need to run the version compatible with your system (32 bit or 64 bit). If you are not sure which version applies to your system download both of them and try to run them. Only one of them will run on your system, that will be the right version.

If your security alerts to FRST either, accept the alert or turn your security off to allow FRST to run. It is not malicious or infected in any way...
 

• Double-click to run it. When the tool opens click Yes to disclaimer.
  (Windows 8/10 users will be prompted about Windows SmartScreen protection - click More information and Run.)
• Make sure Addition.txt is checkmarked under "Optional scans"
• Press Scan button to run the tool....
• It will make a log (FRST.txt) in the same directory the tool is run. Please copy and paste it to your reply.
• The tool will also make a log named (Addition.txt)  Please attach those logs to your reply.

 

 

Next,

 

Please download RogueKiller and save it to your desktop from the following link: http://www.bleepingcomputer.com/download/roguekiller/
 

• Quit all running programs.
• For Windows XP, double-click to start.
• For Vista,Windows 7/8/8.1/10, Right-click on the program and select Run as Administrator to start and when prompted allow it to run.
• Read and accept the EULA (End User Licene Agreement)
• Click Scan to scan the system.
• When the scan completes select "Report",in the next window select "Export txt" the log will open as a text file post that log... Also save to your Desktop for reference. log will open.
• Close the program > Don't Fix anything!

 

 

Let me see those logs...

 

Thank you,

 

Kevin

[ahmedbadenjki]

Thanks for the quick reply!

 

Farbar logs attached, the rest coming soon

Addition.txt FRST.txt

 

 

[kevinf80]

I wanted you to run Malwarebytes first and post its log first...

[kevinf80]

Unfortunately your logs show illegal software running on your system, that action is a direct breach of forum protocol. Your thread will be locked and close.....

 

Thank you,

 

Kevin

[ahmedbadenjki]

Malwarebytes Anti-Malware

www.malwarebytes.org

 

Scan Date: 17/02/2016

Scan Time: 15:53

Logfile: 

Administrator: Yes

 

Version: 2.2.0.1024

Malware Database: v2016.02.17.07

Rootkit Database: v2016.02.17.01

License: Free

Malware Protection: Disabled

Malicious Website Protection: Disabled

Self-protection: Disabled

 

OS: Windows 7 Service Pack 1

CPU: x64

File System: NTFS

User: Ahmed

 

Scan Type: Threat Scan

Result: Completed

Objects Scanned: 473515

Time Elapsed: 1 hr, 9 min, 40 sec

 

Memory: Enabled

Startup: Enabled

Filesystem: Enabled

Archives: Enabled

Rootkits: Enabled

Heuristics: Enabled

PUP: Enabled

PUM: Enabled

 

Processes: 0

(No malicious items detected)

 

Modules: 0

(No malicious items detected)

 

Registry Keys: 21

Trojan.Bedep.Generic, HKLM\SOFTWARE\CLASSES\CLSID\{279A6B6B-CC7C-490B-8FA4-BFD80F1CF2AA}, Delete-on-Reboot, [b8132f324653a09692e1fcf7827ffc04], 

Trojan.Bedep.Generic, HKU\S-1-5-21-3886721561-2564760882-2778430979-1000_Classes\CLSID\{279A6B6B-CC7C-490B-8FA4-BFD80F1CF2AA}, Delete-on-Reboot, [b8132f324653a09692e1fcf7827ffc04], 

PUP.Optional.OpenCandy, HKLM\SOFTWARE\WOW6432NODE\CLASSES\CLSID\{47A1DF02-BCE4-40C3-AE47-E3EA09A65E4A}, Quarantined, [7259c29f5b3e12243e73034519e9d12f], 

PUP.Optional.OpenCandy, HKLM\SOFTWARE\CLASSES\INTERFACE\{47A1DF02-BCE4-40C3-AE47-E3EA09A65E4A}, Quarantined, [7259c29f5b3e12243e73034519e9d12f], 

PUP.Optional.OpenCandy, HKLM\SOFTWARE\WOW6432NODE\CLASSES\INTERFACE\{47A1DF02-BCE4-40C3-AE47-E3EA09A65E4A}, Quarantined, [7259c29f5b3e12243e73034519e9d12f], 

PUP.Optional.OpenCandy, HKLM\SOFTWARE\CLASSES\WOW6432NODE\INTERFACE\{47A1DF02-BCE4-40C3-AE47-E3EA09A65E4A}, Quarantined, [7259c29f5b3e12243e73034519e9d12f], 

PUP.Optional.OpenCandy, HKLM\SOFTWARE\CLASSES\WOW6432NODE\CLSID\{47A1DF02-BCE4-40C3-AE47-E3EA09A65E4A}, Quarantined, [7259c29f5b3e12243e73034519e9d12f], 

PUP.Optional.OpenCandy, HKLM\SOFTWARE\WOW6432NODE\CLASSES\CLSID\{B9D64D3B-BE75-4FA2-B94A-C4AE772A0146}, Quarantined, [7259c29f5b3e12243e73034519e9d12f], 

PUP.Optional.OpenCandy, HKLM\SOFTWARE\CLASSES\TYPELIB\{1112F282-7099-4624-A439-DB29D6551552}, Quarantined, [7259c29f5b3e12243e73034519e9d12f], 

PUP.Optional.OpenCandy, HKLM\SOFTWARE\CLASSES\INTERFACE\{FA7B2795-C0C8-4A58-8672-3F8D80CC0270}, Quarantined, [7259c29f5b3e12243e73034519e9d12f], 

PUP.Optional.OpenCandy, HKLM\SOFTWARE\WOW6432NODE\CLASSES\INTERFACE\{FA7B2795-C0C8-4A58-8672-3F8D80CC0270}, Quarantined, [7259c29f5b3e12243e73034519e9d12f], 

PUP.Optional.OpenCandy, HKLM\SOFTWARE\CLASSES\WOW6432NODE\INTERFACE\{FA7B2795-C0C8-4A58-8672-3F8D80CC0270}, Quarantined, [7259c29f5b3e12243e73034519e9d12f], 

PUP.Optional.OpenCandy, HKLM\SOFTWARE\WOW6432NODE\CLASSES\TYPELIB\{1112F282-7099-4624-A439-DB29D6551552}, Quarantined, [7259c29f5b3e12243e73034519e9d12f], 

PUP.Optional.OpenCandy, HKLM\SOFTWARE\CLASSES\WOW6432NODE\TYPELIB\{1112F282-7099-4624-A439-DB29D6551552}, Quarantined, [7259c29f5b3e12243e73034519e9d12f], 

PUP.Optional.OpenCandy, HKLM\SOFTWARE\CLASSES\OCComSDK.ComSDK.1, Quarantined, [7259c29f5b3e12243e73034519e9d12f], 

PUP.Optional.OpenCandy, HKLM\SOFTWARE\CLASSES\OCComSDK.ComSDK, Quarantined, [7259c29f5b3e12243e73034519e9d12f], 

PUP.Optional.OpenCandy, HKLM\SOFTWARE\WOW6432NODE\CLASSES\OCComSDK.ComSDK, Quarantined, [7259c29f5b3e12243e73034519e9d12f], 

PUP.Optional.OpenCandy, HKLM\SOFTWARE\CLASSES\WOW6432NODE\OCComSDK.ComSDK, Quarantined, [7259c29f5b3e12243e73034519e9d12f], 

PUP.Optional.OpenCandy, HKLM\SOFTWARE\WOW6432NODE\CLASSES\OCComSDK.ComSDK.1, Quarantined, [7259c29f5b3e12243e73034519e9d12f], 

PUP.Optional.OpenCandy, HKLM\SOFTWARE\CLASSES\WOW6432NODE\OCComSDK.ComSDK.1, Quarantined, [7259c29f5b3e12243e73034519e9d12f], 

PUP.Optional.OpenCandy, HKLM\SOFTWARE\CLASSES\WOW6432NODE\CLSID\{B9D64D3B-BE75-4FA2-B94A-C4AE772A0146}, Quarantined, [7259c29f5b3e12243e73034519e9d12f], 

 

Registry Values: 0

(No malicious items detected)

 

Registry Data: 0

(No malicious items detected)

 

Folders: 0

(No malicious items detected)

 

Files: 7

Trojan.Bedep.Generic, C:\ProgramData\{2F752DAC-F812-4497-9E91-D8701A4745CB}\qwave.dll, Delete-on-Reboot, [b8132f324653a09692e1fcf7827ffc04], 

PUP.Optional.OpenCandy, C:\Users\Ahmed\AppData\Local\Temp\HYDB53F.tmp.1455750466\HTA\install.1455750466.zip, Quarantined, [bc0fd0912d6ce452436eaf99ab57718f], 

PUP.Optional.OpenCandy, C:\Users\Ahmed\AppData\Local\Temp\HYDB53F.tmp.1455750466\HTA\3rdparty\OCComSDK.dll, Quarantined, [3e8db1b0a4f5c1755c550b3d738f8779], 

PUP.Optional.OpenCandy, C:\Users\Ahmed\AppData\Local\Temp\HYDB53F.tmp.1455750466\HTA\3rdparty\OCSetupHlp.dll, Quarantined, [814aa1c0e7b29f97bc3e976814f01ce4], 

PUP.Optional.OpenCandy, C:\Users\Ahmed\AppData\Local\Temp\HYDCC38.tmp.1455750538\HTA\install.1455750538.zip, Quarantined, [c803f26f07928aacbdf4b3953bc77789], 

PUP.Optional.OpenCandy, C:\Users\Ahmed\AppData\Local\Temp\HYDCC38.tmp.1455750538\HTA\3rdparty\OCComSDK.dll, Quarantined, [7259c29f5b3e12243e73034519e9d12f], 

PUP.Optional.OpenCandy, C:\Users\Ahmed\AppData\Local\Temp\HYDCC38.tmp.1455750538\HTA\3rdparty\OCSetupHlp.dll, Quarantined, [c308bda4148561d5c535c83727ddac54], 

 

Physical Sectors: 0

(No malicious items detected)

 

 

(end)

[AdvancedSetup]

C:\Program Files\KMSpico
C:\Windows\AutoKMS
Task: {ACE69153-8A1D-4D16-A1A4-8F1EE5DC7932} - System32\Tasks\AutoKMS => C:\Windows\AutoKMS\AutoKMS.exe [2013-12-23] ()
FirewallRules: [{37E7C956-646B-4710-AF52-56C6EF5BBBBC}] => (Allow) C:\Program Files\KMSpico\KMSELDI.exe
FirewallRules: [{05DCC76E-017C-4F8E-86EF-ED144C7E1B8D}] => (Allow) C:\Program Files\KMSpico\KMSELDI.exe
FirewallRules: [{DF04AE6B-1D38-43A2-9DD5-23A05A9F3E0E}] => (Allow) C:\Program Files\KMSpico\AutoPico.exe
FirewallRules: [{F405F61A-DC76-44FF-95D2-F7D55D4071FB}] => (Allow) C:\Program Files\KMSpico\AutoPico.exe
FirewallRules: [{4B5B781D-288E-425A-B523-0E0970E3887A}] => (Allow) C:\Program Files\KMSnano\qemu-system-i386.exe
FirewallRules: [{A8C4CA58-197B-4220-B4E6-ADE3B4CAA9BE}] => (Allow) C:\Program Files\KMSnano\qemu-system-i386.exe
FirewallRules: [{F60B19BE-5AFD-47B2-99D8-B33D43365BFB}] => (Allow) C:\Program Files\KMSpico\KMSELDI.exe
FirewallRules: [{29A5388E-8A09-4B79-B91F-C4B8DCC73293}] => (Allow) C:\Program Files\KMSpico\KMSELDI.exe

This topic will now be closed due to evidence of cracked or pirated software on this system.

Piracy Policy