CPU using 100% on start up and intermittently

Moved from operating systems

Post by Magnern on Wed 11 Nov 2015, 8:11 am
HP ProBook 6475b labtop
Win7 Pro
8GB ram
AMD A6-4400M APU w/radeon HD graphics
Online Armor Firewall (free)
Microsoft Security Essentials

When the desktop loads something in the background is eating 100% of the CPU and there is nothing in the task manager that is showing up using that much. If I add up the usage of the programs listed it is like maybe 10%. So there must be something hiding.

If someone could advise me on how to start looking for it that would be great! Thank you for reading!

-Magnern

Hello and welcome to GeekPolice.Net My name is Dave. I will be helping you out with your particular problem on your computer.

1. I will be working on your Malware issues. This may or may not solve other issues you have with your machine.
2. The fixes are specific to your problem and should only be used for this issue on this machine.
3. If you don't know or understand something, please don't hesitate to ask.
4. Please DO NOT run any other tools or scans while I am helping you.
5. It is important that you reply to this thread. Do not start a new topic.
6. Your security programs may give warnings for some of the tools I will ask you to use. Be assured, any links I give are safe.
7. Absence of symptoms does not mean that everything is clear.

If you can't access the internet with your infected computer you will have to download and transfer any programs to the computer you're using now and transfer them to the infected computer with a CD-RW or a USB storage device. I prefer a CD because a storage device can get infected. If you use a storage device hold the shift key down while inserting the USB storage device for about 10 secs. You will also have to transfer the logs you receive back to the good computer using the same method until we can get the computer back on-line.
*************************************************************************
Please download AdwCleaner by Xplode onto your Desktop.

Before starting AdwCleaner, close all open programs and internet browsers, then double-click on the AdwCleaner icon.



If Windows prompts you as to whether or not you wish to run AdwCleaner, please allow it to run.
When the AdwCleaner program will open, click on the Scan button as shown below.



AdwCleaner will now start to search for malicious files that may be installed on your computer.
To remove the files that were detected in the previous step, please click on the Clean button.



AdwCleaner will now prompt you to save any open files or data as the program will need to reboot the computer. Please do so and then click on the OK button. AdwCleaner will now delete all detected adware from your computer. When it is done it will display an alert that explains what PUPs (Potentially Unwanted Programs) and Adware are. Please read through this information and then press the OK button. You will now be presented with an alert that states AdwCleaner needs to reboot your computer.
Please click on the OK button to allow AdwCleaner reboot your computer.A log will be produced. Please copy and paste this log in your next reply.
*********************************************
Please download Malwarebytes Anti-Malware from here.
Double Click mbam-setup.exe to install the application.

• It should update automatically if the computer is connected to the internet.
  
• Click on Threat Scan and click on Scan Now.
  
• The scan may take some time to finish,so please be patient.
  
• When the scan is complete make sure all the infections have "quarantine" selected in the Action box.
  
• Click on "Apply actions" You may be asked to Restart your computer to completely remove the infections.
  
• When disinfection is completed you can click on "Copy to Clipboard".
  
• Paste the log in you next reply (CTRL+ V)
  

*************************************************
Please download Junkware Removal Tool to your desktop.

•Warning! Once the scan is complete JRT will shut down your browser with NO warning.

•Shut down your protection software now to avoid potential conflicts.

•Temporarily disable your Antivirus and any Antispyware real time protection before performing a scan. Click this link to see a list of security programs that should be disabled and how to disable them.

•Run the tool by double-clicking it. If you are using Windows Vista or Windows 7, right-click JRT and select Run as Administrator

•The tool will open and start scanning your system.

•Please be patient as this can take a while to complete depending on your system's specifications.

•On completion, a log (JRT.txt) is saved to your desktop and will automatically open.

•Copy and Paste the JRT.txt log into your next message.
*****************************************
Download Security Check by screen317 from one of the following links and save it to your desktop.

Link 1
Link 2

* Double-click Security Check.bat
* Follow the on-screen instructions inside of the black box.
* A Notepad document should open automatically called checkup.txt
* Post the contents of that document in your next reply.

Note: If a security program requests permission from dig.exe to access the Internet, allow it to do so.

Thank you for replying! I will run the scans tomorrow while I am at school and get back to you.

Just and FYI the computer force-updated itself and a lot of the problem has been alleviated but I still have a lot of issues on start up. I am still sure there is something lurking and will post the logs tomorrow.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Junkware Removal Tool (JRT) by Malwarebytes
Version: 8.0.0 (11.12.2015)
Operating System: Windows 7 Professional x64
Ran by V (Administrator) on Thu 11/19/2015 at 15:47:48.07
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~




File System: 1

Successfully deleted: C:\Users\V\AppData\Roaming\Mozilla\Firefox\Profiles\kkfusthh.default\user.js (File)



Registry: 2

Successfully deleted: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{2fa28606-de77-4029-af96-b231e3b8f827} (Registry Key)
Successfully deleted: HKLM\Software\Microsoft\Internet Explorer\SearchScopes\{2fa28606-de77-4029-af96-b231e3b8f827} (Registry Key)




~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan was completed on Thu 11/19/2015 at 16:05:51.82
End of JRT log
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Malwarebytes Anti-Malware
www.malwarebytes.org

Scan Date: 11/10/2015
Scan Time: 2:31 PM
Logfile: Malwarebytes log.txt
Administrator: Yes

Version: 2.2.0.1024
Malware Database: v2015.11.10.07
Rootkit Database: v2015.11.04.02
License: Free
Malware Protection: Disabled
Malicious Website Protection: Disabled
Self-protection: Disabled

OS: Windows 7 Service Pack 1
CPU: x64
File System: NTFS
User: V

Scan Type: Threat Scan
Result: Completed
Objects Scanned: 337025
Time Elapsed: 20 min, 41 sec

Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Disabled
Heuristics: Enabled
PUP: Enabled
PUM: Enabled

Processes: 0
(No malicious items detected)

Modules: 0
(No malicious items detected)

Registry Keys: 4
PUP.Optional.InstallCore, HKLM\SOFTWARE\WOW6432NODE\InstallCore, Quarantined, [035c205c0e7dc07661025620ec174cb4],
PUP.Optional.Astromenda, HKU\S-1-5-21-639823073-3137791329-2892488224-1001\SOFTWARE\astromenda, Quarantined, [16498bf19dee9f97058b29320cf7936d],
PUP.Optional.InstallCore, HKU\S-1-5-21-639823073-3137791329-2892488224-1001\SOFTWARE\InstallCore, Quarantined, [3d222e4e96f57db9d78b690d50b332ce],
PUP.Optional.Astromenda, HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\UNINSTALL\Astromenda, Quarantined, [98c7b8c4e0ab78be29005ef16c963ac6],

Registry Values: 0
(No malicious items detected)

Registry Data: 0
(No malicious items detected)

Folders: 2
PUP.Optional.Astromenda, C:\Program Files (x86)\Astromenda, Quarantined, [98c7b8c4e0ab78be29005ef16c963ac6],
PUP.Optional.Astromenda, C:\Program Files (x86)\Astromenda\bh, Quarantined, [98c7b8c4e0ab78be29005ef16c963ac6],

Files: 5
PUP.Optional.Astromenda, C:\Users\V\AppData\Roaming\Mozilla\Firefox\Profiles\kkfusthh.default\searchplugins\Astromenda.xml, Quarantined, [bba44f2db9d2c6703477f899ff03b14f],
PUP.Optional.Astromenda, C:\Program Files (x86)\Astromenda\FavIcon.ico, Quarantined, [98c7b8c4e0ab78be29005ef16c963ac6],
PUP.Optional.Astromenda, C:\Program Files (x86)\Astromenda\Sqlite3.dll, Quarantined, [98c7b8c4e0ab78be29005ef16c963ac6],
PUP.Optional.Astromenda, C:\Program Files (x86)\Astromenda\uninst.dat, Quarantined, [98c7b8c4e0ab78be29005ef16c963ac6],
PUP.Optional.Astromenda, C:\Program Files (x86)\Astromenda\uninstall.exe, Quarantined, [98c7b8c4e0ab78be29005ef16c963ac6],

Physical Sectors: 0
(No malicious items detected)


(end)


@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@






# AdwCleaner v5.021 - Logfile created 19/11/2015 at 15:41:59
# Updated 14/11/2015 by Xplode
# Database : 2015-11-19.3 [Server]
# Operating system : Windows 7 Professional Service Pack 1 (x64)
# Username : V - V-HP
# Running from : C:\Users\V\Downloads\adwcleaner_5.021.exe
# Option : Scan
# Support : http://toolslib.net/forum

***** [ Services ] *****


***** [ Folders ] *****


***** [ Files ] *****

File Found : C:\Users\V\AppData\Roaming\Mozilla\Firefox\Profiles\kkfusthh.default\user.js

***** [ DLL ] *****


***** [ Shortcuts ] *****


***** [ Scheduled tasks ] *****


***** [ Registry ] *****

Key Found : HKLM\SOFTWARE\Classes\AppID\{9CB2CD61-FFA0-406C-9D2D-8FDE6F4A4D8A}
Key Found : HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{2fa28606-de77-4029-af96-b231e3b8f827}
Key Found : HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{2fa28606-de77-4029-af96-b231e3b8f827}

***** [ Web browsers ] *****

[C:\Users\V\AppData\Local\Google\Chrome\User Data\Default\Web data] [Search Provider] Found : aol.com
[C:\Users\V\AppData\Local\Google\Chrome\User Data\Default\Web data] [Search Provider] Found : ask.com
[C:\Users\V\AppData\Local\Google\Chrome\User Data\Default\Web data] [Search Provider] Found : Astromenda.com

########## EOF - C:\AdwCleaner\AdwCleaner[S2].txt - [1279 bytes] ##########

Please run AdwCleaner again and hit the delete button after the scan. I would also like to see the MBAM log.

-


-

2015/11/23 14:57:09 -0600

mbam-log-2015-11-23 (14-56-52).xml

yes

+


-

V-HP

10.166.32.36

Windows 7 Service Pack 1

x64

V

NTFS




-

threat

completed

339137

808

0

0

0

0

0

0

0

0

-

enabled

enabled

enabled

enabled

disabled

disabled

enabled

enabled

enabled













@@@@@@@@@@@@@@@@@@@@@@@@@@@@@




Results of screen317's Security Check version 1.009  
Windows 7 Service Pack 1 x64 (UAC is enabled)  
Internet Explorer 11  
``````````````Antivirus/Firewall Check:``````````````
Windows Firewall Disabled!  
Microsoft Security Essentials  
Antivirus up to date!  
`````````Anti-malware/Other Utilities Check:`````````
Java 8 Update 31  
Java version 32-bit out of Date!
Adobe Flash Player 19.0.0.245  
Mozilla Firefox (42.0)
````````Process Check: objlist.exe by Laurent````````  
Microsoft Security Essentials MSMpEng.exe
Tall Emu Online Armor OAcat.exe
Tall Emu Online Armor oasrv.exe
Tall Emu Online Armor oaui.exe
Tall Emu Online Armor OAhlp.exe
`````````````````System Health check`````````````````
Total Fragmentation on Drive C: 2%
````````````````````End of Log``````````````````````







@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@

# AdwCleaner v5.022 - Logfile created 23/11/2015 at 16:38:24
# Updated 22/11/2015 by Xplode
# Database : 2015-11-22.2 [Server]
# Operating system : Windows 7 Professional Service Pack 1 (x64)
# Username : V - V-HP
# Running from : C:\Users\V\Downloads\adwcleaner_5.022.exe
# Option : Cleaning
# Support : http://toolslib.net/forum

***** [ Services ] *****


***** [ Folders ] *****


***** [ Files ] *****


***** [ DLLs ] *****


***** [ Shortcuts ] *****


***** [ Scheduled tasks ] *****


***** [ Registry ] *****

[-] Key Deleted : HKLM\SOFTWARE\Classes\AppID\{9CB2CD61-FFA0-406C-9D2D-8FDE6F4A4D8A}

***** [ Web browsers ] *****

[-] [C:\Users\V\AppData\Local\Google\Chrome\User Data\Default\Web Data] [Search Provider] Deleted : aol.com
[-] [C:\Users\V\AppData\Local\Google\Chrome\User Data\Default\Web Data] [Search Provider] Deleted : ask.com
[-] [C:\Users\V\AppData\Local\Google\Chrome\User Data\Default\Web Data] [Search Provider] Deleted : Astromenda.com

*************************

:: "Tracing" keys removed
:: Winsock settings cleared

########## EOF - C:\AdwCleaner\AdwCleaner[C1].txt - [1090 bytes] ##########

I hope I got it right >_<

You really should turn on your Windows Firewall.
The MBAM log is incorrect. Please follow the instructions and run it again.

Update Your Java (JRE)

Old versions of Java have vulnerabilities that malware can use to infect your system.

First Verify your Java Version

If there are any other version(s) installed then update now.

Get the new version (if needed)

If your version is out of date install the newest version of the Sun Java Runtime Environment.

Note: UNCHECK any pre-checked toolbar and/or software offered with the Java update. The pre-checked toolbars/software are not part of the Java update.

Be sure to close ALL open web browsers before starting the installation.

Remove any old versions

1. Download JavaRa and unzip the file to your Desktop.
2. Open JavaRA.exe and choose Remove Older Versions
3. Once complete exit JavaRA.

Additional Note: The Java Quick Starter (JQS.exe) adds a service to improve the initial startup time of Java applets and applications. To disable the JQS service if you don't want to use it, go to Start > Control Panel > Java > Advanced > Miscellaneous and uncheck the box for Java Quick Starter. Click OK and reboot your computer.

Superdave wrote:

[color=green]You really should turn on your Windows Firewall.

I'm using online armor from tall emu as a firewall. I was under the impression that this was superior to windows firewall.

Ok I will re-do the MBAM log

I don't see any evidence that Emu is installed as your firewall. You should check it.

Superdave wrote:

I don't see any evidence that Emu is installed as your firewall. You should check it.

How can I get you evidence? The icon is in the lower right in the task bar and shows online armor as active. Program guard, firewall, web shield and anti-keylogger appear to be active

I hope this is the MBAM log you want.


Malwarebytes Anti-Malware
www.malwarebytes.org

Scan Date: 12/4/2015
Scan Time: 6:54 PM
Logfile:
Administrator: Yes

Version: 2.2.0.1024
Malware Database: v2015.12.04.06
Rootkit Database: v2015.11.26.01
License: Free
Malware Protection: Disabled
Malicious Website Protection: Disabled
Self-protection: Disabled

OS: Windows 7 Service Pack 1
CPU: x64
File System: NTFS
User: V

Scan Type: Threat Scan
Result: Completed
Objects Scanned: 343828
Time Elapsed: 1 hr, 2 min, 47 sec

Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Disabled
Heuristics: Enabled
PUP: Enabled
PUM: Enabled

Processes: 0
(No malicious items detected)

Modules: 0
(No malicious items detected)

Registry Keys: 0
(No malicious items detected)

Registry Values: 0
(No malicious items detected)

Registry Data: 0
(No malicious items detected)

Folders: 0
(No malicious items detected)

Files: 0
(No malicious items detected)

Physical Sectors: 0
(No malicious items detected)


(end)

``````````````Antivirus/Firewall Check:``````````````
Windows Firewall Disabled!
Microsoft Security Essentials
Antivirus up to date!
`````````Anti-malware/Other Utilities Check:`````````
Java 8 Update 31
Java version 32-bit out of Date!
Adobe Flash Player 19.0.0.245
Mozilla Firefox (42.0)

If EMU was active it should have shown up here. Go to Control Panel and make sure the security is on.

I'd like to scan your machine with ESET OnlineScan

•Hold down Control and click on the following link to open ESET OnlineScan in a new window.
ESET OnlineScan

•Click the button.
•For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)

• Click on to download the ESET Smart Installer. Save it to your desktop.
  
• Double click on the icon on your desktop.
  

•Check
•Click the button.
•Accept any security warnings from your browser.

• Leave the check mark next to Remove found threats.
  

•Check
•Push the Start button.
•ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
•When the scan completes, push
•Push , and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
•Push the button.
•Push
A log file will be saved here: C:\Program Files\ESET\ESET Online Scanner\log.txt