
Windows Process Manager (32 Bit) High CPU Usage (Virus?)



Hi,

Recently ended up with a solid amount of malware (the worst were programs called anonymizergadget, emigrates, and uninitiated) which took control of my Chrome and created popup ads, etc. etc. Cleaned it up and all looked good until I noticed Windows Process Manager (32 Bit) was using anywhere from 10-40% of my CPU at any time. When I go to the path, it takes me to \Appdata\Local\avaorlt and denies access; I am unable to interact with it at all. Properties in Task Manager names it as wmnteal.exe.

Did a scan with FRST; the two files are attached, along with a screenshot of the process in Task Manager.

FRST.txt

Addition.txt

Task Manager Screenshot.png


Hello theories and welcome to Malwarebytes,

Your system is infected with SmartService; you will need access to a spare PC and a USB flash drive of 4GB or above. If those are available to you, do the following:

Boot up your spare PC, plug in the flash drive, navigate to that drive, right-click on it directly and select Format. The Quick option is adequate.

Next,

On that same PC download and save FRST to the same flash drive. Make sure to get the correct version; if you are unsure, download and save both, as only the correct one will run. Do not plug the flash drive into the sick PC until it is booted to the Recovery Environment.

http://www.bleepingcomputer.com/download/farbar-recovery-scan-tool/

Next,

Boot the sick PC to the Recovery Environment. If you are unsure of that action, have a read at the following link, and maybe bookmark it for future reference:

https://www.tenforums.com/tutorials/2294-boot-advanced-startup-options-windows-10-a.html

Next,

From the Windows 10 tutorial you should get access to the Advanced Startup Options at boot for Windows 10.



From that window select "Troubleshoot"




From the next window select "Advanced Options"




From that Window select "Command Prompt"

Plug the flash drive into a USB port. You should now be in the Recovery Environment with the Command Prompt window open.

Continue with the following:
 
  • Select Command Prompt
  • In the command window type in notepad and press Enter.
  • The notepad opens. Under File menu select Open.
  • Select "Computer" or "My PC" and find your flash drive letter and close the notepad.
  • In the command window type E:\frst64 or E:\frst depending on your version. Press Enter
  • Note: Replace letter E with the drive letter of your flash drive.
  • The tool will start to run.
  • When the tool opens click Yes to disclaimer.
  • Press Scan button.
  • It will make a log (FRST.txt) on the flash drive. Please copy and paste it to your reply.


Thank you,

Kevin..

 

 


Never mind, booted into advanced startup after more tries than I want to admit. Unfortunately, both FRST64.exe and FRST.exe are apparently incompatible with my current version of Windows. Can't figure out why.

Windows 10 Pro 64bit OS, x64-based processor

Version 1709

OS Build 16299.125


If that is your spare PC information, we can use that to create a Recovery Drive; we can then use that Recovery Drive to boot your sick PC to the Recovery Environment.

Go to your spare PC and plug in the flash drive. Open the search function in the bottom left-hand corner of the Desktop, type in or copy/paste create recovery drive, and hit Enter.

In the new window uncheck "Back up system files to recovery drive", then click "Next" and just follow the prompts. The flash drive will be formatted before the Recovery Drive is created.

When that is complete you will need to add FRST again to the same flash drive: https://www.bleepingcomputer.com/download/farbar-recovery-scan-tool/

We now need to boot the infected PC directly to the Recovery Environment which is on the flash drive. It may be necessary to change the boot order in the infected PC to boot from the USB flash drive: https://craftedflash.com/info/how-boot-computer-from-usb-flash-drive

After booting to the Recovery Environment select the correct keyboard; from the next window select "Troubleshoot", then "Command Prompt".

Continue with the following:
 
  • In the command window type in notepad and press Enter.
  • The notepad opens. Under File menu select Open.
  • Select "Computer" or "My PC" and find your flash drive letter and close the notepad.
  • In the command window type E:\frst64 or E:\frst depending on your version. Press Enter
  • Note: Replace letter E with the drive letter of your flash drive.
  • The tool will start to run.
  • When the tool opens click Yes to disclaimer.
  • Press Scan button.
  • It will make a log (FRST.txt) on the flash drive. Please copy and paste it to your reply.

 


Quick question. Whenever I boot from C:\, my primary SSD and OS, my internal HDD is named F:\.

When I boot from F:\, it is an OS from before I got an SSD, and the SSD is named F:\ with the HDD being C:\.

I used some third party software to basically copy and move my files and OS to my SSD.

If I boot from C:\ and use FRST, would the drive letters remain the same?

FRST states that I have multiple OS and offers to scan C:\ or F:\. I can't tell which is which so I'm worried I just gave you two F:\ logs, which won't have the infection.

That probably makes no sense and is hard to understand so I'm sorry for the confusion.


There is only one way to deal with a SmartService infection, and that is running FRST from the Recovery Environment via a USB flash drive.

These are the drives I can see from the logs you've just posted:

==================== Drives ================================

Drive c: (Storage) (Fixed) (Total:930.97 GB) (Free:120.76 GB) NTFS
Drive d: (System Reserved) (Fixed) (Total:0.1 GB) (Free:0.06 GB) NTFS ==>[system with boot components (obtained from drive)]
Drive e: (Seagate Backup Plus Drive) (Fixed) (Total:1863.01 GB) (Free:1103.69 GB) NTFS
Drive g: (SSD) (Fixed) (Total:111.24 GB) (Free:10.03 GB) NTFS
Drive h: () (Fixed) (Total:0.44 GB) (Free:0.42 GB) NTFS
Drive i: () (Fixed) (Total:0.44 GB) (Free:0.06 GB) NTFS
Drive k: (TY_USB) (Removable) (Total:29.23 GB) (Free:29.23 GB) FAT32
Drive x: (Boot) (Fixed) (Total:0.5 GB) (Free:0.49 GB) NTFS
Drive y: (System Reserved) (Fixed) (Total:0.1 GB) (Free:0.06 GB) NTFS ==>[system with boot components (obtained from drive)]

======================================================

This is how the drives were listed in your original logs from Normal mode:

==================== Drives ================================

Drive c: (SSD) (Fixed) (Total:111.24 GB) (Free:9.79 GB) NTFS
Drive d: (System Reserved) (Fixed) (Total:0.1 GB) (Free:0.06 GB) NTFS ==>[system with boot components (obtained from drive)]
Drive e: (System Reserved) (Fixed) (Total:0.1 GB) (Free:0.06 GB) NTFS ==>[system with boot components (obtained from drive)]
Drive f: (Storage) (Fixed) (Total:930.97 GB) (Free:53.83 GB) NTFS
Drive g: (Seagate Backup Plus Drive) (Fixed) (Total:1863.01 GB) (Free:1177.27 GB) NTFS

==================== MBR & Partition Table ==================

========================================================
Disk: 0 (MBR Code: Windows 7 or 8) (Size: 931.5 GB) (Disk ID: 9FD03CB5)
Partition 1: (Active) - (Size=100 MB) - (Type=07 NTFS)
Partition 2: (Not Active) - (Size=931 GB) - (Type=07 NTFS)
Partition 3: (Not Active) - (Size=450 MB) - (Type=27)

========================================================
Disk: 1 (MBR Code: Windows 7 or 8) (Size: 111.8 GB) (Disk ID: 3BF131C1)
Partition 1: (Active) - (Size=100 MB) - (Type=07 NTFS)
Partition 2: (Not Active) - (Size=111.2 GB) - (Type=07 NTFS)
Partition 3: (Not Active) - (Size=450 MB) - (Type=27)

========================================================
Disk: 2 (MBR Code: Windows 7 or 8) (Size: 1863 GB) (Disk ID: 22601CA8)
Partition 1: (Not Active) - (Size=1863 GB) - (Type=07 NTFS)

======================================

From the original logs it would seem that the SmartService infection is on the SSD. None of the logs produced via the Recovery Environment are from the SSD; they are from the HDD.

As it stands we are just not making any progress. It is 30 minutes after midnight local time for me; I'm in need of sleep for now.

 

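The drive-letter shuffle kevinf80 points out above (the SSD is C: in normal mode but G: under the Recovery Environment, and Storage moves from F: to C:) is why the WinRE scans missed the infected volume. The script below is an added example, not part of this thread and not FRST's own code: it parses the two "Drives" listings quoted above and matches volumes by label, bus type, filesystem and total size rather than by letter, flags the two "System Reserved" partitions that cannot be told apart this way, lists the volumes that exist only under WinRE (the X: RAM disk, the 450 MB recovery partitions, and the K: flash drive FRST was launched from), and rewrites a normal-mode path onto its WinRE letter. The two listings are copied from the logs in this thread; the user-profile path given to relocate_path is a constructed placeholder, not a path from the logs.

```python
import re
from collections import defaultdict

# One FRST "Drives" line, e.g.:
#   Drive c: (Storage) (Fixed) (Total:930.97 GB) (Free:120.76 GB) NTFS
# The trailing "==>[system with boot components ...]" note, when present, is ignored.
DRIVE_RE = re.compile(
    r"^Drive (?P<letter>[a-z]): \((?P<label>[^)]*)\) \((?P<kind>Fixed|Removable)\) "
    r"\(Total:(?P<total>[\d.]+) GB\) \(Free:(?P<free>[\d.]+) GB\) (?P<fs>\S+)"
)

# Both listings are copied from the FRST logs quoted in this thread.
NORMAL_MODE = """
Drive c: (SSD) (Fixed) (Total:111.24 GB) (Free:9.79 GB) NTFS
Drive d: (System Reserved) (Fixed) (Total:0.1 GB) (Free:0.06 GB) NTFS ==>[system with boot components (obtained from drive)]
Drive e: (System Reserved) (Fixed) (Total:0.1 GB) (Free:0.06 GB) NTFS ==>[system with boot components (obtained from drive)]
Drive f: (Storage) (Fixed) (Total:930.97 GB) (Free:53.83 GB) NTFS
Drive g: (Seagate Backup Plus Drive) (Fixed) (Total:1863.01 GB) (Free:1177.27 GB) NTFS
"""

WINRE = """
Drive c: (Storage) (Fixed) (Total:930.97 GB) (Free:120.76 GB) NTFS
Drive d: (System Reserved) (Fixed) (Total:0.1 GB) (Free:0.06 GB) NTFS ==>[system with boot components (obtained from drive)]
Drive e: (Seagate Backup Plus Drive) (Fixed) (Total:1863.01 GB) (Free:1103.69 GB) NTFS
Drive g: (SSD) (Fixed) (Total:111.24 GB) (Free:10.03 GB) NTFS
Drive h: () (Fixed) (Total:0.44 GB) (Free:0.42 GB) NTFS
Drive i: () (Fixed) (Total:0.44 GB) (Free:0.06 GB) NTFS
Drive k: (TY_USB) (Removable) (Total:29.23 GB) (Free:29.23 GB) FAT32
Drive x: (Boot) (Fixed) (Total:0.5 GB) (Free:0.49 GB) NTFS
Drive y: (System Reserved) (Fixed) (Total:0.1 GB) (Free:0.06 GB) NTFS ==>[system with boot components (obtained from drive)]
"""


def parse_drives(text):
    """Return one dict per 'Drive x:' line found in an FRST Drives section."""
    drives = []
    for line in text.splitlines():
        m = DRIVE_RE.match(line.strip())
        if m:
            d = m.groupdict()
            d["total"] = float(d["total"])
            d["free"] = float(d["free"])
            drives.append(d)
    return drives


def volume_key(d):
    # Label, bus type, filesystem and total size survive a reboot into WinRE;
    # the drive letter and the free-space figure do not.
    return (d["label"], d["kind"], d["fs"], d["total"])


def match_volumes(normal_text, winre_text):
    """Map each normal-mode letter to the letter the same volume carries in WinRE.

    A volume with no WinRE counterpart maps to None; one whose key is shared by
    several WinRE volumes (the two 100 MB System Reserved partitions here) maps
    to an 'ambiguous:<letters>' marker instead of a guess.
    """
    by_key = defaultdict(list)
    for d in parse_drives(winre_text):
        by_key[volume_key(d)].append(d["letter"])
    mapping = {}
    for d in parse_drives(normal_text):
        candidates = by_key.get(volume_key(d), [])
        if len(candidates) == 1:
            mapping[d["letter"]] = candidates[0]
        elif not candidates:
            mapping[d["letter"]] = None
        else:
            mapping[d["letter"]] = "ambiguous:" + ",".join(sorted(candidates))
    return mapping


def winre_only(normal_text, winre_text):
    """Letters present under WinRE that match nothing from normal mode."""
    normal_keys = {volume_key(d) for d in parse_drives(normal_text)}
    return sorted(d["letter"] for d in parse_drives(winre_text)
                  if volume_key(d) not in normal_keys)


def removable_letters(text):
    """Letters of removable volumes, i.e. the flash drive FRST was started from."""
    return [d["letter"] for d in parse_drives(text) if d["kind"] == "Removable"]


def relocate_path(path, mapping):
    """Rewrite a normal-mode path such as C:\\... onto the volume's WinRE letter."""
    if len(path) < 2 or path[1] != ":":
        raise ValueError(f"not a drive-letter path: {path!r}")
    target = mapping.get(path[0].lower())
    if not target or target.startswith("ambiguous"):
        raise ValueError(f"cannot relocate {path!r}: WinRE letter is {target}")
    return target.upper() + path[1:]


if __name__ == "__main__":
    mapping = match_volumes(NORMAL_MODE, WINRE)
    for normal, winre in sorted(mapping.items()):
        print(f"normal {normal.upper()}: -> WinRE {winre}")
    print("WinRE-only letters:", winre_only(NORMAL_MODE, WINRE))
    print("flash drive:", removable_letters(WINRE))
    # Constructed placeholder path; the real profile path is not in the thread.
    print(relocate_path(r"C:\Users\example\AppData\Local\avaorlt\wmnteal.exe", mapping))
```

For the listings above this prints C: -> g, F: -> c, G: -> e, and marks D: and E: as ambiguous between d and y, which is exactly the trap in the thread: a WinRE scan of C: inspected the Storage HDD, not the SSD the infection lives on. When label and size cannot disambiguate, the "MBR & Partition Table" section of the same log (Disk ID plus partition offset) is the key to fall back on.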

Get some sleep! Your life is a priority over this, don't worry.

The original logs have C:\ as the SSD, but in the new logs, G:\ is the SSD. I need to scan G:\ now, which I originally thought was a whole different drive. Not sure why the letters switched, but oh well. Will get back to you.

