
Laptop at a Stand Still



#1
pianoplayer07

Hi,

 

This post is dealing with a separate machine from my other. Roughly a month ago my parents (despite thousands of warnings) accidentally downloaded and ran an installer of Skype from a rogue website. It was removed and I scanned the computer using MSE and MalwareBytes. Both scans returned nothing, so I figured the computer was okay. Yesterday they mentioned having internet problems. When I went to boot the computer, it was literally at a standstill. The process light was constantly lit. I tried restarting several times, and half the time I couldn't even reach the desktop. I also tried booting into safe mode and it would freeze on the Windows logo. I finally managed to boot and ran MSE and MalwareBytes again with no threats found.

 

Here's where I'm getting suspicious of something going on in the background. I cut the wifi off to see if that was part of the issue and to let the scans run overnight. The processor light wasn't lit and operation was smoother, almost like an outside source was flooding the computer from doing anything. I cut the wifi back on today and now the light is staying lit again. Task manager is not showing any weird processes, although the CPU activity is reaching 100% with no explanation. Also, the computer is starting to get slow again.

 

I'm not sure if this is virus/malware related...or I thought it might just be a hard drive getting ready to die. Not sure. Need your guys' help on this as I'm stumped.

 

Thank you in advance.


  • 0



#2
RKinner

Malware Expert

Probably best to post the logs as you get them.
 
 
Download ADWCleaner to your desktop.  Make sure you get the correct Download button.  Sometimes the ads on BleepingComputer will mimic the real Download button which should say: Download Now @BleepingComputer
 
NOTE: If using Internet Explorer and you get an alert that stops the program downloading, click on the warning and allow the download to complete.
 
Close  all programs, pause your anti-virus and run AdwCleaner (Vista or Win 7 => right click and Run As Administrator).
 
 
Click on Scan  and follow the prompts. Let it run unhindered. When done, click on the Clean button, and follow the prompts. Allow the system to reboot. You will then be presented with the report. Copy & Paste this report on your next reply.
 
The report will be saved in the C:\AdwCleaner folder.
 
 
 
Junkware-Removal-Tool
 
Please download Junkware Removal Tool to your desktop.  Make sure you get the correct Download button.  Sometimes the ads on BleepingComputer will mimic the real Download button which should say: Download Now @Author's site
  • Pause your anti-virus.  Close all browsers.
  • Run the tool by double-clicking it. If you are using Windows Vista, 7, or 8; instead of double-clicking, right-mouse click JRT.exe and select "Run as Administrator".
  • The tool will open and start scanning your system.
  • Please be patient as this can take a while to complete depending on your system's specifications.
  • On completion, a log (JRT.txt) is saved to your desktop and will automatically open.
  • Post the contents of JRT.txt into your next message.

Please download Farbar Recovery Scan Tool and save it to your Desktop.

Note: You need to run the version compatible with your system. If you are not sure which version applies to your system download both of them and try to run them. Only one of them will run on your system, that will be the right version.

  • Right click to run as administrator (XP users click run after receipt of Windows Security Warning - Open File). When the tool opens click Yes to disclaimer. 
  • Press Scan button. 
  • It will produce a log called FRST.txt in the same directory the tool is run from.  
  • Please copy and paste log back here. 
  • The first time the tool is run it generates another log (Addition.txt - also located in the same directory as FRST.exe/FRST64.exe). Please also paste that along with the FRST.txt into your reply. 
    Download OTL from
    and Save it to your desktop.
     
    Copy the text in the code box:
     
    DRIVES
    netsvcs
    %SYSTEMDRIVE%\*.exe
    %systemroot%\assembly\GAC_32\*.ini
    %systemroot%\assembly\GAC_64\*.ini
    msconfig
    safebootminimal
    safebootnetwork
    activex
    drivers32
    %SYSTEMDRIVE%\*.exe
    %ALLUSERSPROFILE%\Application Data\*.exe
    %APPDATA%\*.
    /md5start
    rsvpsp.dll
    pnrpnsp.dll 
    nwprovau.dll
    nlaapi.dll
    napinsp.dll
    mswsock.dll
    winrnr.dll
    wshelper.dll
    services.exe
    atapi.sys
    explorer.exe
    winlogon.exe
    Userinit.exe
    svchost.exe
    csrss.exe
    PrintIsolationHost.exe
    consrv.dll
    user32.dll
    /md5stop
    C:\Windows\assembly\tmp\U\*.* /s
    %systemroot%\*. /mp /s
    hklm\software\clients\startmenuinternet|command /rs
    hklm\software\clients\startmenuinternet|command /64 /rs
    %systemroot%\system32\*.dll /lockedfiles
    %systemroot%\Tasks\*.job /lockedfiles
    %ProgramFiles%\WINDOWS NT\*.* /s
    %systemroot%\system32\drivers\*.sys /lockedfiles
    CREATERESTOREPOINT
    
     
    Run OTL (Vista or Win 7 => right click and Run As Administrator)
     
    Paste (Ctrl + v) the copied text in the box where it says Custom Scan/Fixes
     
    Select the All option in the Extra Registry group then Run Scan.
     
    You should get two logs.  Please copy and paste both of them.
     
     
     

    Get the free version of Speccy:
     
    http://www.filehippo...download_speccy  (Look in the upper right for the Download
    Latest Version button  - Do NOT press the large Start Download button on the upper left!)  Download, Save and Install it.  Run Speccy.  When it finishes (the little icon in the bottom left will stop moving), File, Save as Text File,  (to your desktop) note the name it gives. OK.  Open the file in notepad and delete the line that gives the serial number of your Operating System.  (It will be near the top about 10 lines down.) Attach the file to your next post.
     
     
     

    Get Process Explorer
     
    Save it to your desktop then run it (Vista or Win7 - right click and Run As Administrator).  
     
    View, Select Column, check Verified Signer, OK
    Options, Verify Image Signatures
     
     
    Click twice on the CPU column header  to sort things by CPU usage with the big hitters at the top.  
     
    Wait a full minute then:
     
    File, Save As, Save.  Open the file Procexp.txt on your desktop and copy and paste the text to a reply.
     
    IF Running XP:
    1. Double-click My Computer, and then right-click the hard disk that you want to check. C:
    2. Click Properties, and then click Tools.
    3. Under Error-checking, click Check Now. A dialog box that shows the Check disk options is displayed,
    4. Check both boxes and then click Start.
    You will receive the following message:
    The disk check could not be performed because the disk check utility needs exclusive access to some Windows files on the disk. These files can be accessed by restarting Windows. Do you want to schedule the disk check to occur the next time you restart the computer?
    Click Yes to schedule the disk check, but don't restart yet.
     
    Start, Run, eventvwr.msc, OK to bring up the Event Viewer.  Right click on System and Clear All Events, No (we don't want to save the old log), OK. Repeat for Application. 
     
    Reboot. 
     
    The disk check will run and will probably take an hour or more to finish.
     
     
    1. Please download the Event Viewer Tool by Vino Rosso
    and save it to your Desktop:
    2. Double-click VEW.exe
    3. Under 'Select log to query', select:
     
    * System
    4. Under 'Select type to list', select:
    * Error
    * Warning
     
     
    Then use the 'Number of events' as follows:
     
     
    1. Click the radio button for 'Number of events'
    Type 20 in the 1 to 20 box
    Then click the Run button.
    Notepad will open with the output log.
     
     
    Please post the Output log in your next reply then repeat but select Application.
     
    IF running Vista or Win 7:
     
    1. Double-click My Computer, and then right-click the hard disk that you want to check. C:
    2. Click Properties, and then click Tools.
    3. Under Error-checking, click Check Now. A dialog box that shows the Check disk options is displayed,
    4. Check both boxes and then click Start.
    You will receive the following message:
    The disk check could not be performed because the disk check utility needs exclusive access to some Windows files on the disk. These files can be accessed by restarting Windows. Do you want to schedule the disk check to occur the next time you restart the computer?
    Click Yes to schedule the disk check, but don't restart yet.
     
    Right click on (My) Computer and select Manage (Continue) Then the Event Viewer. Next select Windows Logs.  Right click on System and Clear Log, Clear. Repeat for Application. Reboot. The disk check will run and will probably take an hour or more to finish.
     
     
    Start, All Programs, Accessories then right click on Command Prompt and Run as Administrator.  Then type (with an Enter after each line).
     
    sfc /scannow
     
    (SPACE after sfc.)  This will check your critical system files. Does this finish without complaint?  IF it says it couldn't fix everything then:
     
    Copy the next two lines:
     
    findstr  /c:"[SR]"  \windows\logs\cbs\cbs.log  >  \windows\logs\cbs\junk.txt 
    notepad \windows\logs\cbs\junk.txt 
     
    Start, All Programs, Accessories, right click on Command Prompt and Run as Administrator, Continue.  Right click and Paste or Edit then Paste and the copied line should appear.
    Hit Enter if Notepad does not open.  Copy and paste the text from Notepad into a reply.  Close Notepad.  Close the Command Window.
     
     
    1. Please download the Event Viewer Tool by Vino Rosso
    and save it to your Desktop:
    2. Right-click VEW.exe and Run As Administrator
    3. Under 'Select log to query', select:
     
    * System
    4. Under 'Select type to list', select:
    * Error
    * Warning
     
     
    Then use the 'Number of events' as follows:
     
     
    1. Click the radio button for 'Number of events'
    Type 20 in the 1 to 20 box
    Then click the Run button.
    Notepad will open with the output log.
     
     
    Please post the Output log in your next reply then repeat but select Application.

    • 0

    #3
    pianoplayer07


    Here is the log for ADWCleaner.

    Attached Files


    • 0

    #4
    pianoplayer07


    JRT results.

    Attached Files

    • Attached File  JRT.txt   885bytes   37 downloads

    • 0

    #5
    pianoplayer07


    FRST logs.

    Attached Files


    • 0

    #6
    pianoplayer07


    OTL logs.

     

    Attached Files


    Edited by pianoplayer07, 01 May 2014 - 11:16 AM.

    • 0

    #7
    pianoplayer07


    SPECCY results.

    Attached Files


    Edited by pianoplayer07, 01 May 2014 - 11:17 AM.

    • 0

    #8
    pianoplayer07


    System Idle Process Results.

    Attached Files


    • 0

    #9
    RKinner

    Malware Expert

    Not seeing anything.  Temps are good.  Hard drive has a few errors but doesn't look bad.  No really bad malware tho we did remove some adware.  You can uninstall Speccy.  

     

    I don't have good instructions for Win 8 yet so after you run Process Explorer just skip to VEW.

     

     


    • 0

    #10
    RKinner

    Malware Expert

    Process Explorer shows:

     

    Interrupts 4.64 0 K 0 K n/a Hardware Interrupts and DPCs

     

    Not sure what it should say on Win 8 but on Win 7 this should be down around 1.00.  Usually this indicates a bad driver.  Have you tried a System Restore to an earlier time?

     

    http://www.bleepingc...-restore-guide/


    • 0



    #11
    pianoplayer07


    Here are the 2 VEW logs. Win 8 disk check was different, so I was wondering about that. I just skipped that portion.

    Attached Files


    • 0

    #12
    RKinner

    Malware Expert

    This seems to be the problem:

     

    Log: 'System' Date/Time: 01/05/2014 5:35:29 PM
    Type: Error Category: 0
    Event: 98 Source: Microsoft-Windows-Ntfs
    Volume C: (\Device\HarddiskVolume2) needs to be taken offline for a short time to perform a Spot Fix.  Please run CHKDSK /SPOTFIX locally via the command line, or run "REPAIR-VOLUME <drive:>" locally or remotely via PowerShell.

     

    Later on we see:

     

    Log: 'System' Date/Time: 01/05/2014 5:36:14 PM
    Type: Warning Category: 0
    Event: 153 Source: disk
    The IO operation at logical block address 00 for Disk 0 (PDO name: \Device\00000027) was retried.
     
    So try and run the chkdsk like they say.

    • 0
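
The two System-log records quoted in post #12 are in VEW's text layout. The sketch below is an added example, not part of the thread: it parses that layout and counts Error/Warning records from storage-related sources, which is the triage step done by eye above. The `STORAGE_SOURCES` set and the third sample record are assumptions constructed for the example, and the header layout is inferred from the quoted records.

```python
import re
from collections import Counter

# Event sources treated as storage-related: an assumption for this example.
STORAGE_SOURCES = {"microsoft-windows-ntfs", "ntfs", "disk"}

# Three-line record header, as seen in the records quoted in the thread.
HEADER = re.compile(
    r"Log: '(?P<log>[^']+)' Date/Time: (?P<when>[^\n]+?)[ \t]*\n"
    r"Type: (?P<type>\w+) Category: (?P<category>\d+)[ \t]*\n"
    r"Event: (?P<event>\d+) Source: (?P<source>[^\n]+?)[ \t]*(?:\n|$)"
)

def parse_vew(text):
    """Split VEW output into records: header fields plus the message text."""
    matches = list(HEADER.finditer(text))
    records = []
    for i, m in enumerate(matches):
        end = matches[i + 1].start() if i + 1 < len(matches) else len(text)
        rec = m.groupdict()
        rec["event"] = int(rec["event"])
        rec["message"] = " ".join(text[m.end():end].split())
        records.append(rec)
    return records

def storage_findings(records):
    """Count Error/Warning records from storage sources by (source, event id)."""
    hits = Counter()
    for r in records:
        if r["type"] in ("Error", "Warning") and r["source"].lower() in STORAGE_SOURCES:
            hits[(r["source"], r["event"])] += 1
    return hits

# First two records are the ones quoted in the thread; the third is constructed.
SAMPLE = r"""Log: 'System' Date/Time: 01/05/2014 5:35:29 PM
Type: Error Category: 0
Event: 98 Source: Microsoft-Windows-Ntfs
Volume C: (\Device\HarddiskVolume2) needs to be taken offline for a short time to perform a Spot Fix.  Please run CHKDSK /SPOTFIX locally via the command line, or run "REPAIR-VOLUME <drive:>" locally or remotely via PowerShell.
Log: 'System' Date/Time: 01/05/2014 5:36:14 PM
Type: Warning Category: 0
Event: 153 Source: disk
The IO operation at logical block address 00 for Disk 0 (PDO name: \Device\00000027) was retried.
Log: 'System' Date/Time: 01/05/2014 5:40:02 PM
Type: Error Category: 0
Event: 7031 Source: Service Control Manager
The Example service terminated unexpectedly.
"""

# Storage-related findings in the sample, keyed by (source, event id).
FINDINGS = storage_findings(parse_vew(SAMPLE))
```

Running the same functions over the VEW log taken before and after the disk repair shows whether the storage events stopped recurring.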

    #13
    pianoplayer07


    Okay, I let that run. Now what?


    • 0

    #14
    RKinner

    Malware Expert

    Run VEW again and let's see if new alarms are present.


    • 0

    #15
    pianoplayer07


    New VEW logs.

    Attached Files


    • 0





