Infected PC: hidden high CPU usage

I noticed Chrome was slower than usual and that my CPU usage was unusually high.

I did run the FRST. Logs are attached. I did the scan two times, with the 2nd time only containing the default checks. The 1st scan, I ticked all of the boxes on purpose just to see if I had any other files that were impacted. 

I have scanned with Malwarebytes Anti-Malware, and it hasn't found anything before except PUPs, which I delete. I didn't run it first this time, because I was 100% convinced that Malwarebytes and Kaspersky weren't going to find this one. And FRST did find issues with the Windows Update service and with Harddisk2 DR5. And the scan using Malwarebytes says that the startup files, memory, rootkits and registry all check out. It's still doing the file system scan. I do own the Premium version.

CodeIntegrity thought Kaspersky was a bit off because the set of per-page image hashes could not be found on the system.

Uploaded is the default scan of FRST. Thanks!

Addition.txt

FRST.txt


Hello and welcome!

Fix with AdwCleaner

Please download AdwCleaner by Xplode and save the file to your Desktop.

  • Right-click on the AdwCleaner icon and select Run as Administrator to start the tool.
  • Accept the Terms of use.
  • Wait until the database is updated.
  • Click Scan.
  • When finished, please click Cleaning.
  • Your PC should reboot now.
  • After reboot, the logfile will be opened. Copy its content into your next reply.

Note: Reports will be saved in your system partition, usually at C:\AdwCleaner

Check Disk

  • Press the Windows key on your keyboard. Type cmd and right-click >> Run as Administrator.
  • Copy/enter the command below and press Enter:
    chkdsk C: /r
  • You should get a message to schedule Check Disk at the next system restart. Please type Y and press Enter.
  • All you should do now is restart your PC and let the Check Disk process finish uninterrupted.


Check Disk report:

  • Press the Windows key + R on your keyboard at the same time. Type powershell.exe and click OK.
  • Copy and paste the following command inside the PowerShell window and press Enter (note that the switch is -match with a plain hyphen; a dash character pasted from a web page will break the command):
    get-winevent -FilterHashTable @{logname="Application"; id="1001"}| ?{$_.providername -match "wininit"} | fl timecreated, message | out-file Desktop\CHKDSKResults.txt
  • Paste the contents into your next reply.
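The one-liner above writes the boot-time Check Disk report from the Application log. As an added example (not the helper's command), the script below does the same job but builds an absolute Desktop path, handles the case where chkdsk never actually ran (no Wininit event 1001 exists, which is what happens if the scheduled check is cancelled by a keypress at startup), and highlights the report lines that usually matter. The search patterns for problem lines are assumptions about common chkdsk wording.

```powershell
# Added example: collect boot-time Check Disk results from the Application log.
# Assumes Windows 7 or later with PowerShell 2.0+. The output path is built from
# $env:USERPROFILE, so it works from any current directory.
$outFile = Join-Path $env:USERPROFILE 'Desktop\CHKDSKResults.txt'

# Wininit logs event ID 1001 in the Application log after a scheduled chkdsk
# runs during startup; the message body holds the full report text.
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Application'; Id = 1001 } -ErrorAction SilentlyContinue |
    Where-Object { $_.ProviderName -match 'wininit' } |
    Sort-Object TimeCreated -Descending

if (-not $events) {
    # No 1001 event means no boot-time chkdsk completed, so there is nothing to report.
    "No Wininit/chkdsk (event 1001) entries found in the Application log. " +
    "The scheduled check did not run or was cancelled before it started." |
        Out-File -FilePath $outFile
} else {
    # Most recent run first so the latest report is at the top of the file.
    $events | Format-List TimeCreated, Message | Out-File -FilePath $outFile -Width 200
}

# Flag typical problem indicators so the reader does not have to scan the whole
# report by eye. "0 KB in bad sectors" is normal, so only non-zero counts match.
$report = Get-Content $outFile
$flags  = $report | Select-String -Pattern 'found problems|corrupt|[1-9][0-9]* KB in bad sectors'
if ($flags) {
    Write-Output "Review these lines:"
    $flags | ForEach-Object { Write-Output $_.Line.Trim() }
} else {
    Write-Output "No problem indicators matched."
}
Write-Output "Report saved to $outFile"
```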


This is reply 1 (of two): I am going to do Check Disk now. And sorry, but I forgot to move the FRST logs to the desktop before running AdwCleaner from the desktop. If this matters, then I can redo that. I have read where it does matter in some cases, in order for the cleaning to be effective. Brain dead here.

The 1st log:

# AdwCleaner v6.030 - Logfile created 30/11/2016 at 17:17:45
# Updated on 19/10/2016 by Malwarebytes
# Database : 2016-11-29.1 [Server]
# Operating System : Windows 7 Home Premium Service Pack 1 (X64)
# Username : Kyttyr - STEPHANIE-PC
# Running from : C:\Users\Kyttyr\Desktop\AdwCleaner.exe
# Mode: Clean
# Support : hxxps://www.malwarebytes.com/support

***** [ Services ] *****

***** [ Folders ] *****

[-] Folder deleted: C:\Users\Kyttyr\AppData\Local\Hola
[-] Folder deleted: C:\Users\Kyttyr\AppData\Local\PackageAware
[-] Folder deleted: C:\Users\Kyttyr\AppData\Roaming\Hola
[-] Folder deleted: C:\ProgramData\apn
[#] Folder deleted on reboot: C:\ProgramData\Application Data\apn


***** [ Files ] *****

***** [ DLL ] *****

***** [ WMI ] *****

***** [ Shortcuts ] *****

***** [ Scheduled Tasks ] *****

***** [ Registry ] *****

[-] Key deleted: HKLM\SOFTWARE\Classes\RealWorld.DocumentOperationIconToLibr.1
[-] Key deleted: HKLM\SOFTWARE\Classes\RealWorld.DocumentOperationIconToLibrar
[#] Key deleted on reboot: [x64] HKLM\SOFTWARE\Classes\RealWorld.DocumentOperationIconToLibr.1
[#] Key deleted on reboot: [x64] HKLM\SOFTWARE\Classes\RealWorld.DocumentOperationIconToLibrar
[-] Key deleted: HKLM\SOFTWARE\Classes\CLSID\{DE9028D0-5FFA-4E69-94E3-89EE8741F468}
[-] Key deleted: HKLM\SOFTWARE\Classes\CLSID\{E7DF6BFF-55A5-4EB7-A673-4ED3E9456D39}
[-] Key deleted: HKLM\SOFTWARE\Classes\Interface\{03E2A1F3-4402-4121-8B35-733216D61217}
[-] Key deleted: HKLM\SOFTWARE\Classes\Interface\{9E3B11F6-4179-4603-A71B-A55F4BCB0BEC}
[-] Key deleted: HKLM\SOFTWARE\Classes\TypeLib\{9C049BA6-EA47-4AC3-AED6-A66D8DC9E1D8}
[-] Key deleted: HKU\S-1-5-21-1979773469-2207282672-5165823-1003\Software\Hola
[#] Key deleted on reboot: HKCU\Software\Hola
[-] Key deleted: HKLM\SOFTWARE\Tarma Installer
[#] Key deleted on reboot: [x64] HKCU\Software\Hola
[-] Key deleted: HKLM\SOFTWARE\Classes\Installer\Features\D2A425F405350054677A7A857BC0D100
[-] Key deleted: HKLM\SOFTWARE\Classes\Installer\Products\D2A425F405350054677A7A857BC0D100
[-] Key deleted: HKLM\SOFTWARE\Classes\Installer\UpgradeCodes\7AB5857A57A0687786597A857BFFFFFF
[-] Key deleted: [x64] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\D2A425F405350054677A7A857BC0D100
[-] Key deleted: [x64] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\8036C72171EF4ba46856BF57969F6A36
[-] Key deleted: [x64] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\89BB7852687BDC34B9A81E01C7FF9173
[-] Key deleted: [x64] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\8CBC85D72B148084ABE8C2F072F781F4
[-] Key deleted: [x64] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\8CC5A38A64D6098468BC8395BA0EFF03
[-] Key deleted: [x64] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\8DF9A1AC557F56c49B56F6B83E293C15
[-] Key deleted: [x64] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\A97C590397DCC454AA8923563BAB10E4
[-] Key deleted: [x64] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\B08932C78B697C244BE7BA3E6FF09B62
[-] Key deleted: [x64] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\CFA51B44D54927c4E9B7BC1D3FD1E49F
[-] Key deleted: [x64] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\D14A7F65792054F418578C78367D13F7
[-] Key deleted: [x64] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\DFE9F0BD163D827438CB6AD6B100EC48
[-] Key deleted: [x64] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\F739A19A8327dc64C9A8B641A9E89646
[-] Key deleted: [x64] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\158D6D9E3FE81fa428925F22ACB3A965
[-] Key deleted: [x64] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\15E6C514FEFC09f45BAFAAE1D7546ED4
[-] Key deleted: [x64] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\1DB42320A8525634AA089F0BEC86473B
[-] Key deleted: [x64] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\22468B0D6050b2e46B9C4B67A8F59577
[-] Key deleted: [x64] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\2251BF05A2F606d43BB064BD63CBD87E
[-] Key deleted: [x64] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\3255D95681398614190EDF0A4F3F77DB
[-] Key deleted: [x64] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\3CDF313E9B28c944FBC7579CF4949414
[-] Key deleted: [x64] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\71E54748EDD3dc1468548785DC856EDA
[-] Key deleted: [x64] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\754590DD06DE8d249B526503432F99D4
[#] Key deleted on reboot: [x64] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\D2A425F405350054677A7A857BC0D100
[#] Key deleted on reboot: [x64] HKLM\SOFTWARE\Classes\Installer\Features\D2A425F405350054677A7A857BC0D100
[#] Key deleted on reboot: [x64] HKLM\SOFTWARE\Classes\Installer\Products\D2A425F405350054677A7A857BC0D100
[#] Key deleted on reboot: [x64] HKLM\SOFTWARE\Classes\Installer\UpgradeCodes\7AB5857A57A0687786597A857BFFFFFF
[-] Key deleted: [x64] HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UpgradeCodes\7AB5857A57A0687786597A857BFFFFFF
[-] Key deleted: HKCU\Software\MozillaPlugins\@hola.org/FlashPlayer
[-] Key deleted: HKCU\Software\MozillaPlugins\@hola.org/vlc
[-] Key deleted: HKLM\SOFTWARE\Google\Chrome\NativeMessagingHosts\com.apn.native_messaging_host_aaaaaiabcopkplhgaedhbloeejhhankf


***** [ Web browsers ] *****

[-] Chrome preferences cleaned: "browser.search.selectedEngine" -  "AVG Secure Search"
[-] [C:\Users\Stephanie\AppData\Local\Google\Chrome\User Data\Default\Web data] [Search Provider] Deleted: aol.com
[-] [C:\Users\Stephanie\AppData\Local\Google\Chrome\User Data\Default\Web data] [Search Provider] Deleted: ask.com
[-] [C:\Users\Kyttyr\AppData\Local\Google\Chrome\User Data\Default] [extension] Deleted: aaaaaiabcopkplhgaedhbloeejhhankf
[-] [C:\Users\Kyttyr\AppData\Local\Google\Chrome\User Data\Default] [extension] Deleted: ndibdjnfmopecpmkdieinmbadjfpblof
[-] [C:\Users\Kyttyr\AppData\Local\Google\Chrome\User Data\Default] [homepage] Deleted: hxxp://mysearch.avg.com?cid={C2F9228E-ED7C-4EB0-AFE1-C4F1FE5F1306}&mid=35879665952c47d2a8ec11b19c22ad72-98e38f64e5694b2d248c2d29f033dd7165034272&lang=en&ds=gm011&coid=avgtbdisgm&cmpid=&pr=sa&d=2014-03-03 14:59:17&v=18.0.0.248&pid=safeguard&sg=&sap=hp


*************************

:: "Tracing" keys deleted
:: Winsock settings cleared

*************************

C:\AdwCleaner\AdwCleaner[C0].txt - [7008 Bytes] - [30/11/2016 17:17:45]
C:\AdwCleaner\AdwCleaner[S0].txt - [6985 Bytes] - [30/11/2016 16:59:47]

########## EOF - C:\AdwCleaner\AdwCleaner[C0].txt - [7154 Bytes] ##########

1. I did type in the entire command by hand because Windows insisted that "paste options" does NOT mean that they need to enable pasting for real.

2. Nothing happened. I just got a command prompt again. However, during start up, it did say that there were no errors. I felt like I was talking to the windows rep who insisted there was no issues and thought he had removed everything viral. He had not. Hola should not have been found, but was. (They have a viral adware crap.)  Thanks! 

I can NOT delete the below. I tried. :P I only pasted it in so that I could check it against what I typed in, and it matched. Logging out did not cancel or delete the below.

get-winevent -FilterHashTable @{logname="Application"; id="1001"}| ?{$_.providername -match "wininit"} | fl timecreated, message | out-file Desktop\CHKDSKResults.txt

Yes, I did. And I did type in Y. Also, when I rebooted, it did run a check and said there were no issues. That check was extremely quick. The speed at which it was alarmed me, because I am familiar with disk checking while in safe mode, and that normally takes a large measurable amount of time. It did not ever go into safe mode either. I do know that elements of Hola were removed before this last time and that I suspected that not all of it got removed before.

Ok.

Scan with Farbar Recovery Scan Tool

Please re-run Farbar Recovery Scan Tool to give me a fresh look at your system.

  • Right-click on the FRST icon and select Run as Administrator to start the tool.
    (XP users click Run after receipt of Windows Security Warning - Open File).
  • Make sure that the Addition option is checked.
  • Press the Scan button and wait.
  • The tool will produce two logfiles on your desktop: FRST.txt and Addition.txt.

Please upload them into your next reply.

Guest tpkyterooguest

Sorry, but I figured out that I must have bumped the keyboard, which stopped the process after reboot before it could even start. I am doing the check, but started right after I posted above. I could not come here because the PC is doing that. I'm on my phone and can't log in now.

13% 655875 out of 612176 files processed. Stage 4 of 5. Thanks

I am still having CPU hikes and the CPU monitor won't tell me what is causing those hikes. Chrome - Gchat, still has slow typing where it pauses and then quickly catches up. I did redo the FRST scan and will post the latest results. I am strongly considering uninstalling Chrome and reinstalling it. I'll wait before I do that though. I have to do something first, so will be gone for about 3 hours. 

FRST.txt

Addition.txt


It doesn't stay idle when I run the program. Right now, it's down to 45 C, and both core 0 and core 1 are either the same or 1 degree different, with CPU at 9%. I took my computer outside and then drove in a cold car to the coffee shop. Would you agree that my fans probably need a good cleaning, or that a cooling device should be bought for my laptop? Thanks!

I also found that it did help a little to redo everything I did before, but this time with the files in the same location as the program. My RAM usage is still higher, but I've noticed some improvements. It deleted 3 more files that weren't needed: the AVG toolbar, which I normally untick so it does not install, and 2 other files. Thanks again!

I'll go buy a can of compressed air and try to do that. I know how to do it on a desktop tower, but never tried to on a laptop. Thanks! I did buy a cooler thing to put the laptop on. I guess we can close this. I'll start a new one if I find I need to after I get things all cleaned up. Thanks again!