Can't complete memory scan

My aging Dell laptop has been showing high CPU usage for Windows update or provtool.exe for about 3 hours after each boot or return from sleep for over 2 weeks. Windows Defender offline scan failed to complete. Attempting to access C:\Windows\System32\config\systemprofile\AppData\Local also stalls.

Malwarebytes scan gets stuck on Memory Scan. I have waited over an hour. On one attempt it counted to 42,852 items before dropping back to 1,711 items at about 45 mins. Running in Safe mode doesn't help. Turning off BitDefender protection shield doesn't help. I tried to reinstall Malwarebytes using the support tool, but that failed after the uninstall due to a network error, so I installed it again manually.

Running ADWCleaner hasn't changed anything.

I found a folder of suspicious looking tools on my C: drive including gmere.exe, PsExec.exe, rapport_usage.exe and others. I removed Rapport previously years ago due to it causing issues.

Can this behaviour be explained as benign? Or is it fixable?

FRST.txt Addition.txt

  • Root Admin

Please go to Control Panel, Programs, Programs and Features, Uninstall a program

Then right-click and uninstall the following

  • Java 8 Update 181 (old compromised version of Java)

Then RESTART the computer

Then open your Bitdefender Antivirus and check for updates. Then do a FULL system scan and let me know if it finds anything

  • Root Admin

Try setting up exclusions between Bitdefender and Malwarebytes

https://support.malwarebytes.com/hc/en-us/articles/360038522974-Add-Malwarebytes-to-the-allow-list-on-other-apps

The logs don't indicate any obvious threat to account for the issues you speak of. Bitdefender could be stopping Malwarebytes

Try temporarily disabling Bitdefender and then try a Malwarebytes scan and see if it works

Malwarebytes got stuck updating on boot this morning. To free up resources being hogged by Provtool, I disabled the triggers in Task Scheduler & rebooted. This allowed the update to complete.

I set up exclusions between Bitdefender and Malwarebytes, per your link (except last 2 as not present on my system). Malwarebytes appeared to have frozen on the memory scan after 25 minutes.

I disabled Bitdefender, rebooted and Malwarebytes then appeared to be stuck on memory scan after 130 minutes. However, I left it running when I went out and it completed in just over 4 hours. It found nothing of concern.

After disabling Provtool, I have been able to gain limited access to C:\Windows\System32\config\systemprofile\AppData\Local where Provtool seems to have been busy creating over 1.3 million mostly empty folders named tw-????-???-????.tmp. Could this huge number of sub-folders be the cause of scans appearing to stall for hours?

  • Root Admin

Yes, it very well could

I can provide you a script to remove that. However, if you have that many you'll probably need to run the script a few times as it might time out.

Did you setup these proxies on purpose? Are you aware of them?

ProxyServer: [S-1-5-21-755110801-1344220351-577284601-1001] => http=127.0.0.1:4444;https=127.0.0.1:4445;ftp=127.0.0.1:4444

I also notice you're using a LastPass extension in your Firefox profile. I would highly suggest you read up about possible security issues with LastPass and decide for yourself if you want to continue to use or not.

Also, please uninstall the Avira Browser Safety extension from all of your browsers

Once you provide feedback on the above I can complete a script to help you clean up the computer

A script would be very helpful as attempting to delete them causes Windows Explorer to freeze and I'm not familiar enough with PowerShell to modify scripts I've found.

I was not aware of those proxies.

I was aware of the breach at LastPass and other questionable practices, so have removed sensitive accounts, with the intention of moving away completely in future.

I disabled Avira & Rapport browser extensions back in 2016. I'm surprised I hadn't deleted them already, so I have removed them from Chrome & Firefox.

Thanks for your help
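
The cleanup the Root Admin offers to script, as an added PowerShell example that is not the thread's fixlist or the Root Admin's own script: it deletes only empty folders whose name has the tw-????-???-????.tmp shape under the systemprofile\AppData\Local path quoted above, stops at a time limit so it can simply be re-run, and honours -WhatIf. The path, the name pattern, the 60-minute default and the script name Remove-TwTmpFolders.ps1 are assumptions taken from the posts.

```powershell
# Added example: remove the empty tw-????-???-????.tmp folders provtool.exe left behind.
# Not the thread's fixlist or the Root Admin's script. Path, name pattern and the
# 60-minute limit are assumptions taken from the posts above. Run elevated; try -WhatIf first.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [string]$Root = 'C:\Windows\System32\config\systemprofile\AppData\Local',
    [string]$NamePattern = '^tw-.{4}-.{3}-.{4}\.tmp$',   # one character per "?" in the reported name
    [int]$TimeoutMinutes = 60
)

if (-not (Test-Path -LiteralPath $Root -PathType Container)) {
    throw "Folder not found: $Root"
}

$clock = [System.Diagnostics.Stopwatch]::StartNew()
$seen = 0; $removed = 0; $skipped = 0; $failed = 0

# EnumerateDirectories streams entries, so 1.3 million names are not loaded into memory first.
foreach ($dir in [System.IO.Directory]::EnumerateDirectories($Root, 'tw-*.tmp')) {
    $seen++
    if ($clock.Elapsed.TotalMinutes -ge $TimeoutMinutes) {
        Write-Warning "Time limit of $TimeoutMinutes minutes reached; run the script again to continue."
        break
    }

    # Only exact matches of the reported name shape are candidates (the wildcard above is looser).
    $name = [System.IO.Path]::GetFileName($dir)
    if ($name -notmatch $NamePattern) { $skipped++; continue }

    # Leave anything that still has content in place for review instead of deleting it.
    if ([System.IO.Directory]::GetFileSystemEntries($dir).Length -gt 0) {
        $skipped++
        Write-Verbose "Not empty, left in place: $dir"
        continue
    }

    if ($PSCmdlet.ShouldProcess($dir, 'Remove empty folder')) {
        try {
            # Non-recursive delete: it fails rather than removing a folder that gained content.
            [System.IO.Directory]::Delete($dir)
            $removed++
        } catch {
            $failed++
            Write-Verbose "Could not remove ${dir}: $($_.Exception.Message)"
        }
    }

    if ($seen % 10000 -eq 0) {
        Write-Progress -Activity 'Removing empty tw-*.tmp folders' `
            -Status "$seen checked, $removed removed, $skipped skipped, $failed failed"
    }
}
Write-Progress -Activity 'Removing empty tw-*.tmp folders' -Completed
# Summary object so a second run can be compared with the first.
[pscustomobject]@{
    Checked = $seen; Removed = $removed; Skipped = $skipped; Failed = $failed
    Minutes = [math]::Round($clock.Elapsed.TotalMinutes, 1)
}
```

Run it from an elevated PowerShell window first as `.\Remove-TwTmpFolders.ps1 -WhatIf` to see what would be removed, then without the switch; repeat until the summary shows it finished before the time limit.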

  • Root Admin

Please follow the steps below @Digitopia

[ 1 ]

Your DNS Servers: 192.168.1.254

Please consider changing your default DNS server settings. Please choose one provider only

DNS is what lets users connect to websites using domain names instead of IP addresses

Pick just one of these 5 providers. And be aware that you need to modify 1 time for IPv4 & a 2nd pass for IPv6

  • Quad 9 Public DNS: IPv4 9.9.9.9 and 149.112.112.112; IPv6 2620:fe::fe and 2620:fe::9 (one of the best for most users)
  • Google Public DNS: IPv4 8.8.8.8 and 8.8.4.4; IPv6 2001:4860:4860::8888 and 2001:4860:4860::8844
  • Cloudflare: IPv4 1.1.1.1 and 1.0.0.1; IPv6 2606:4700:4700::1111 and 2606:4700:4700::1001
  • OpenDNS: IPv4 208.67.222.222 and 208.67.220.220; IPv6 2620:119:35::35 and 2620:119:53::53
  • DNSWATCH: IPv4 84.200.69.80 and 84.200.70.40; IPv6 2001:1608:10:25::1c04:b12f and 2001:1608:10:25::9249:d69b


The Ultimate Guide to Changing Your DNS Server
https://www.howtogeek.com/167533/the-ultimate-guide-to-changing-your-dns-server/

Here is a YouTube video on Changing DNS settings if needed

[ 2 ]

ATTENTION: System Restore is disabled (Total:117.98 GB) (Free:13.83 GB) (12%)

Please enable System Protection and create a NEW System Restore Point

How to Turn On or Off System Protection for Drives in Windows 10
https://www.tenforums.com/tutorials/4533-turn-off-system-protection-drives-windows-10-a.html

How to Create a System Restore Point in Windows 10
https://www.tenforums.com/tutorials/4571-create-system-restore-point-windows-10-a.html

[ 3 ]

Please temporarily disable the Bitdefender real-time protection and run the following fix.

If you do not disable Bitdefender while running the fix it will not work

NOTE: The script has a 60 minute time-out setting. If the script cannot complete within 60 minutes it will end and need to be run again by downloading a new copy of the fix script.

Please run the following fix

NOTE: Please read all of the information below before running this fix.

  • NOTICE: This script was written specifically for this user, for use on this particular machine.
  • Running this on another machine may cause damage to your operating system that cannot be undone.

Once the fix has been completed, please attach the file FIXLOG.TXT to your next reply

Farbar program:   FRST64.exe

Save the attached file:  FIXLIST.TXT to this folder C:\Users\peryg\Downloads\

NOTE: It's important that both files, FRST64.exe, and fixlist.txt are in the same location or the fix will not work.

Please make sure you disable any real-time antivirus or security software before running this script. Once completed, make sure you re-enable it.

Run the Farbar program with Admin rights and press the Fix button just once and wait.

The fix may possibly take up to 60 minutes to complete

If the tool needs a restart please make sure you let the system restart normally and let the tool complete its run after restart.
The tool will make a log named Fixlog.txt in the same folder you ran the Farbar program from. Please attach that log on your next reply.

  1. NOTE: This fix will run a scan to check that all Microsoft operating system files are valid and not corrupt and attempt to correct any invalid files. It will also run a disk check on the restart to ensure disk integrity.
  2. NOTE: As part of this fix all temporary files will be removed. If you have any open web pages that have not been bookmarked please make sure you bookmark them now as all open applications may be automatically closed. Also, make sure you know the passwords for all websites as cookies may possibly be removed in some cases, but not all cases.
  3. NOTE: As part of this fix, it will also reset the network to default settings including the firewall. If you have custom firewall rules you need to save please export or save them first before running this fix.

The following directories are emptied:

  • Windows Temp
  • Users Temp folders
  • Edge, IE, FF, Chrome, and Opera caches, HTML5 storages, Cookies and History
  • Recently opened files cache
  • Discord cache
  • Java cache
  • Steam HTML cache
  • Explorer thumbnail and icon cache
  • BITS transfer queue (qmgr*.dat files)
  • Recycle Bin

Important: items are permanently deleted. They are not moved to quarantine. If you have any questions or concerns please ask before running this fix.

The system will be rebooted after the fix has run.

fixlist.txt

Thanks

Sorry, I've had a busy day and I'm still working through it.

I've been investigating alternate DNS servers. As I am in a rural area my ISP DNS seems best from DNS Benchmark conclusions.

I have a busy weekend ahead, but I'll try to find time to get the script run.

  • Root Admin

I understand, and yes, an ISP can often have a fast DNS, but the issue with your ISP is that they log every site you ever visit from every device that ever connects to your network.

If you've been with your ISP for, say, ten years, they now have a log of every site ever visited and what day and time you visited and how often. They typically never delete such logs; they just get archived off.

Quad 9 and DNSWatch as examples do not log anything and they also support Secure DNS which most ISP DNS do not.

You might be interested in this tool. But don't forget, logging should be a concern too in this world of privacy invasion that with AI is going to get worse and worse

https://www.grc.com/dns/benchmark.htm

When you get time please run the fix and post back the FIXLOG.txt file and we'll try to finish up

  • Root Admin

Well, since it did finally complete I would believe that all of those temp folders are now removed.

They do get created new though

I hope Malwarebytes now scans and completes okay? @Digitopia

Please RESTART the computer and run the following to get me NEW fresh logs.

Scan with Farbar Recovery Scan Tool
https://forums.malwarebytes.com/topic/306601-scan-with-farbar-recovery-scan-tool/


Scan with FSS Farbar Service Scanner
https://forums.malwarebytes.com/topic/306736-scan-with-fss-farbar-service-scanner/


Scan with SecurityCheck by glax24
https://forums.malwarebytes.com/topic/307301-scan-with-securitycheck-by-glax24/

  • Root Admin

Thank you for the logs @Digitopia

The computer has some things we can clean up, but there are no obvious signs of any Trojans or other malware threats on the system at this time.

Let's have you go ahead and update the software on the computer first and then when done we can look at doing some generic clean up if you like.

Please Uninstall, Update, or otherwise address the following as appropriate for your computer

  1. 7-Zip 18.05 (x64) v.18.05 Warning! Download Update | Uninstall old version and install new one.
  2. Audacity 2.1.2 v.2.1.2 Warning! Download Update
  3. Dell SupportAssist v.2.0.6875.668 Warning! Download Update
  4. FileZilla Client 3.30.0 v.3.30.0 Warning! Download Update
  5. GIMP 2.8.16 v.2.8.16 Warning! Download Update
  6. Google Chrome v.128.0.6613.138 Warning! Download Update
  7. Microsoft Edge WebView2 Runtime v.128.0.2739.79 Warning! Download Update | Uninstall old version and install new one.
  8. Microsoft Visual C++ 2015-2022 Redistributable (x64) - 14.32.31332 v.14.32.31332.0 Warning! Download Update
  9. Notepad++ (64-bit x64) v.7.5.6 Warning! Download Update
  10. Skype version 8.34 v.8.34 Warning! Download Update
  11. TeamViewer v.15.46.5 Warning! Download Update
  12. VLC media player v.3.0.3 Warning! Download Update
  13. Windscribe v.1.82 Build 17 Warning! Download Update
  14. Wireshark 4.0.3 64-bit v.4.0.3 Warning! Download Update
  15. Zoom v.5.12.8 (10232) Warning! Download Update


Then RESTART the computer and check for Windows Updates and install any found

Once all is complete, RESTART the computer two times and then run the following and we can then do a generic clean up if you like.

Scan with Farbar Recovery Scan Tool
https://forums.malwarebytes.com/topic/306601-scan-with-farbar-recovery-scan-tool/


Scan with FSS Farbar Service Scanner
https://forums.malwarebytes.com/topic/306736-scan-with-fss-farbar-service-scanner/

  • Root Admin

Please follow the steps below @Digitopia

[ 1 ]

Please make the following change in Malwarebytes if you're using the Premium or Trial version

  • Please open Malwarebytes. Click on the small gear icon to open the Settings and go to the General tab.
  • Then turn off "Always register Malwarebytes in the Windows Security Center"
  • Restart the computer

[ 2 ]

Your DNS Servers: 192.168.1.254

Please consider changing your default DNS server settings. Please choose one provider only

DNS is what lets users connect to websites using domain names instead of IP addresses

Pick just one of these 5 providers. And be aware that you need to modify 1 time for IPv4 & a 2nd pass for IPv6

  • Quad 9 Public DNS: IPv4 9.9.9.9 and 149.112.112.112; IPv6 2620:fe::fe and 2620:fe::9 (one of the best for most users)
  • Google Public DNS: IPv4 8.8.8.8 and 8.8.4.4; IPv6 2001:4860:4860::8888 and 2001:4860:4860::8844
  • Cloudflare: IPv4 1.1.1.1 and 1.0.0.1; IPv6 2606:4700:4700::1111 and 2606:4700:4700::1001
  • OpenDNS: IPv4 208.67.222.222 and 208.67.220.220; IPv6 2620:119:35::35 and 2620:119:53::53
  • DNSWATCH: IPv4 84.200.69.80 and 84.200.70.40; IPv6 2001:1608:10:25::1c04:b12f and 2001:1608:10:25::9249:d69b


The Ultimate Guide to Changing Your DNS Server
https://www.howtogeek.com/167533/the-ultimate-guide-to-changing-your-dns-server/

Here is a YouTube video on Changing DNS settings if needed

[ 3 ]

Are you still using a Brother printer from circa 2012?

HKLM-x32\...\Run: [BrStsMon00] => C:\Program Files (x86)\Browny02\Brother\BrStMonW.exe [3076096 2012-06-06] (Brother Industries, Ltd.) [File not signed]
S3 BrYNSvc; C:\Program Files (x86)\Browny02\BrYNSvc.exe [266240 2012-06-05] (Brother Industries, Ltd.) [File not signed]

If you're no longer using the Brother printer we should remove the driver settings for it to stop calling it.

[ 4 ]

You have an entry for Windscribe but I don't see it as an installed application. If you're no longer using it then we should remove that as well

HKU\S-1-5-21-755110801-1344220351-577284601-1001\...\Run: [Windscribe] => "C:\Program Files (x86)\Windscribe\Windscribe.exe" -os_restart (No File)

The same with Microsoft OneNote - if you're not using it we should remove the entry

Startup: C:\Users\peryg\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Send to OneNote.lnk [2017-02-23]
ShortcutTarget: Send to OneNote.lnk -> C:\Program Files (x86)\Microsoft Office\Office15\ONENOTEM.EXE (Microsoft Corporation -> Microsoft Corporation)

[ 5 ]

Are you sure you want this enabled or allowed? Push Notifications on your browser appear to be enabled.

CHR Notifications: Default -> hxxp://forum-sbmcc.co.uk; hxxp://sbmcc.co.uk; hxxps://mg.mail.yahoo.com; hxxps://retail.santander.co.uk; hxxps://teams.microsoft.com; hxxps://uk-mg42.mail.yahoo.com; hxxps://web.whatsapp.com

https://blog.malwarebytes.com/security-world/technology/2019/01/browser-push-notifications-feature-asking-abused/

Turn notifications on or off - Google Chrome

Web Push notifications in Firefox

[ 6 ]

Please temporarily disable the Bitdefender real-time protection while this fix runs.
After the computer restarts Bitdefender should automatically re-enable real-time protection, but double-check that it has been re-enabled

How do I temporarily disable Bitdefender in Windows?
https://www.bitdefender.com/consumer/support/answer/28557/

Please run the following fix

NOTE: Please read all of the information below before running this fix.

  • NOTICE: This script was written specifically for this user, for use on this particular machine.
  • Running this on another machine may cause damage to your operating system that cannot be undone.

Once the fix has been completed, please attach the file FIXLOG.TXT to your next reply

Farbar program:   FRSTEnglish.exe

Save the attached file:  FIXLIST.TXT to this folder C:\Users\peryg\Downloads\

NOTE: It's important that both files, FRSTEnglish.exe, and fixlist.txt are in the same location or the fix will not work.

Please make sure you disable any real-time antivirus or security software before running this script. Once completed, make sure you re-enable it.

Run the Farbar program with Admin rights and press the Fix button just once and wait.

The fix may possibly take up to 60 minutes to complete

If the tool needs a restart please make sure you let the system restart normally and let the tool complete its run after restart.
The tool will make a log named Fixlog.txt in the same folder you ran the Farbar program from. Please attach that log on your next reply.

  1. NOTE: This fix will run a scan to check that all Microsoft operating system files are valid and not corrupt and attempt to correct any invalid files. It will also run a disk check on the restart to ensure disk integrity.
  2. NOTE: As part of this fix all temporary files will be removed. If you have any open web pages that have not been bookmarked please make sure you bookmark them now as all open applications may be automatically closed. Also, make sure you know the passwords for all websites as cookies may possibly be removed in some cases, but not all cases.
  3. NOTE: As part of this fix, it will also reset the network to default settings including the firewall. If you have custom firewall rules you need to save please export or save them first before running this fix.

The following directories are emptied:

  • Windows Temp
  • Users Temp folders
  • Edge, IE, FF, Chrome, and Opera caches, HTML5 storages, Cookies and History
  • Recently opened files cache
  • Discord cache
  • Java cache
  • Steam HTML cache
  • Explorer thumbnail and icon cache
  • BITS transfer queue (qmgr*.dat files)
  • Recycle Bin

Important: items are permanently deleted. They are not moved to quarantine. If you have any questions or concerns please ask before running this fix.

The system will be rebooted after the fix has run.

fixlist.txt

Thanks

1. Done

2. Maybe later

3. I occasionally use this old laser printer

4. Using Registry Editor find function, I found these:

Computer\HKEY_USERS\S-1-5-21-755110801-1344220351-577284601-1001\SOFTWARE\Windscribe

Computer\HKEY_USERS\S-1-5-21-755110801-1344220351-577284601-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\CloudStore\Store\DefaultAccount\Cloud\{c6bdcb8b-18eb-4c34-93f3-9cbbbd6364a9}$windows.data.apps.appleveltileinfo$appleveltilelist\windows.data.apps.appleveltileinfo$w~{7c5a40ef-a0fb-4bfc-874a-c0f2e0b9fa8e}windscribewindscribelauncher.exe

Computer\HKEY_USERS\S-1-5-21-755110801-1344220351-577284601-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\CloudStore\Store\DefaultAccount\Current\{c6bdcb8b-18eb-4c34-93f3-9cbbbd6364a9}$windows.data.apps.appleveltileinfo$appleveltilelist\windows.data.apps.appleveltileinfo$w~{7c5a40ef-a0fb-4bfc-874a-c0f2e0b9fa8e}windscribewindscribelauncher.exe

I have disabled Windscribe again in Settings > Startup apps; I can only assume this was re-enabled when I uninstalled it yesterday.

Should I also delete all the keys above?