Jump to content

Welcome to Geeks to Go - Register now for FREE

Geeks To Go is a helpful hub, where thousands of volunteer geeks quickly serve friendly answers and support. Check out the forums and get free advice from the experts. Register now to gain access to all of our features, it's FREE and only takes one minute. Once registered and logged in, you will be able to create topics, post replies to existing threads, give reputation to your fellow members, get your own private messenger, post status updates, manage your profile and so much more.

Create Account How it Works
Photo

Undetectable Virus or Malware freezes mouse cursor and makes fan run


  • Please log in to reply

#16
koolkat1939

koolkat1939

    Member

  • Topic Starter
  • Member
  • PipPip
  • 27 posts

Virustotal  says uphclean.exe and MBR.dat are clean.  I forgot to tell you that aswMBR found something on my computer and the fix button came up and so I clicked on fix. Then it asked me to reboot and so I scanned again after and that it created a MBR.dat . Then fixMBR came up but I didn't click on that I just saved the log. I believe Locky and 5AHSH54OwLwn is part of BDAntiRansomware.

 

 

  :geek:  Hum , are FlashBroker, IFlashBroker6 and RAIDTest Trojans or Viruses ?

 

 

 

:yes:

 

VirusTotal
SHA256:     0e9f08fdf2032a7ebe883ce2c7aef3dc4ce622c2e6f4bebeafa24acf93669c99
File name:     uphclean.exe
Detection ratio:     0 / 53
Analysis date:     2016-08-01 03:48:54 UTC ( 0 minutes ago )
19
7
Probably harmless! There are strong indicators suggesting that this file is safe to use.

    Analysis
    File detail
    Relationships
    Additional information
    Comments
    Votes

Antivirus     Result     Update
ALYac         20160731
AVG         20160801
AVware         20160801
Ad-Aware         20160801
AegisLab         20160801
AhnLab-V3         20160731
Alibaba         20160730
Antiy-AVL         20160801
Arcabit         20160731
Avast         20160801
Avira (no cloud)         20160731
Baidu         20160730
BitDefender         20160801
Bkav         20160727
CAT-QuickHeal         20160730
CMC         20160728
ClamAV         20160801
Comodo         20160801
Cyren         20160801
DrWeb         20160801
ESET-NOD32         20160731
Emsisoft         20160801
F-Prot         20160801
F-Secure         20160801
Fortinet         20160801
GData         20160801
Ikarus         20160731
Jiangmin         20160801
K7AntiVirus         20160731
K7GW         20160801
Kaspersky         20160731
Kingsoft         20160801
Malwarebytes         20160801
McAfee         20160801
McAfee-GW-Edition         20160731
eScan         20160801
Microsoft         20160801
NANO-Antivirus         20160801
Panda         20160731
Qihoo-360         20160801
SUPERAntiSpyware         20160731
Sophos         20160801
Symantec         20160801
Tencent         20160801
TheHacker         20160729
TrendMicro         20160801
TrendMicro-HouseCall         20160801
VBA32         20160729
VIPRE         20160801
ViRobot         20160731
Zillya         20160731
Zoner         20160801
nProtect         20160729
Blog | Twitter | [email protected] | Google groups | ToS | Privacy policy
 

---------------------------------------------------------------------------------------------------------------------------

 

:yes:

 

VirusTotal
SHA256:     6b3b00eb062b2b595eca8eaf08d402be747342f66a800072f82266d099771ed0
File name:     MBR.dat
Detection ratio:     0 / 53
Analysis date:     2016-08-01 03:59:06 UTC ( 0 minutes ago )
0
0

    Analysis
    Additional information
    Comments
    Votes

Antivirus     Result     Update
ALYac         20160731
AVG         20160801
AVware         20160801
Ad-Aware         20160801
AegisLab         20160801
AhnLab-V3         20160731
Alibaba         20160730
Antiy-AVL         20160801
Arcabit         20160731
Avast         20160801
Avira (no cloud)         20160731
Baidu         20160730
BitDefender         20160801
Bkav         20160727
CAT-QuickHeal         20160730
CMC         20160728
ClamAV         20160801
Comodo         20160801
Cyren         20160801
DrWeb         20160801
ESET-NOD32         20160731
Emsisoft         20160801
F-Prot         20160801
F-Secure         20160801
Fortinet         20160801
GData         20160801
Ikarus         20160731
Jiangmin         20160801
K7AntiVirus         20160731
K7GW         20160801
Kaspersky         20160731
Kingsoft         20160801
Malwarebytes         20160801
McAfee         20160801
McAfee-GW-Edition         20160731
eScan         20160801
Microsoft         20160801
NANO-Antivirus         20160801
Panda         20160731
Qihoo-360         20160801
SUPERAntiSpyware         20160731
Sophos         20160801
Symantec         20160801
Tencent         20160801
TheHacker         20160729
TrendMicro         20160801
TrendMicro-HouseCall         20160801
VBA32         20160729
VIPRE         20160801
ViRobot         20160801
Zillya         20160731
Zoner         20160801
nProtect         20160729
Blog | Twitter | [email protected] | Google groups | ToS | Privacy policy
 

-----------------------------------------------------------------------------------------------------------------------------------

 

:yes:  Combofix log

 

 

ComboFix 16-07-25.01 - Owner 07/31/2016  21:24:21.2.1 - x86
Microsoft Windows XP Home Edition  5.1.2600.3.1252.1.1033.18.895.523 [GMT -7:00]
Running from: c:\documents and settings\Owner\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Owner\Desktop\CFScript.txt
AV: Panda Free Antivirus *Disabled/Updated* {5AD27692-540A-464E-B625-78275FA38393}
FW: Panda Firewall *Disabled* {1337562C-110A-4AF8-B12B-750C0B30E802}
FW: ZoneAlarm Free Firewall Firewall *Enabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}
.
FILE ::
"c:\documents and settings\All Users\Start Menu\Programs\Startup\Oemreset.lnk"
"c:\documents and settings\Owner\Start Menu\Programs\Startup\_uninst_.lnk"
"c:\program files\Common Files\AOL\Loader\aolload.exe"
"c:\windows\pss\_uninst_.lnkStartup"
"c:\windows\pss\Oemreset.lnk"
.
.
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\All Users\Application Data\TEMP
c:\documents and settings\All Users\Application Data\TEMP\RAIDTest
c:\documents and settings\Owner\My Documents\New Folder\Free Any Burn 1.4
c:\documents and settings\Owner\My Documents\New Folder\Free Any Burn 1.4\freeanyburn_setup.exe
c:\documents and settings\Owner\My Documents\Tools & Programs\Free Any Burn 1.4
c:\documents and settings\Owner\My Documents\Tools & Programs\Free Any Burn 1.4\freeanyburn_setup.exe
.
.
(((((((((((((((((((((((((((((((((((((((   Drivers/Services   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
-------\Service_asdids
.
.
(((((((((((((((((((((((((   Files Created from 2016-07-01 to 2016-08-01  )))))))))))))))))))))))))))))))
.
.
2016-07-31 23:47 . 2015-05-22 08:45    50832    ----a-w-    c:\windows\system32\drivers\PSKMAD.sys
2016-07-30 02:11 . 2016-07-30 02:12    380928    ----a-w-    C:\9ik17ki1.exe
2016-07-29 14:18 . 2016-07-29 14:18    --------    d-----w-    c:\program files\UPHClean
.
.
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2016-07-31 23:59 . 2014-09-01 19:12    121560    ----a-w-    c:\windows\system32\drivers\mbamchameleon.sys
2016-07-31 23:59 . 2014-08-03 00:51    170200    ----a-w-    c:\windows\system32\drivers\MBAMSwissArmy.sys
2016-07-26 14:30 . 2014-08-27 02:07    24688    ----a-w-    c:\windows\system32\drivers\TrueSight.sys
2016-07-18 01:23 . 2014-08-04 01:32    796352    ----a-w-    c:\windows\system32\FlashPlayerApp.exe
2016-07-18 01:23 . 2014-08-04 01:32    142528    ----a-w-    c:\windows\system32\FlashPlayerCPLApp.cpl
.
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RTHDCPL"="RTHDCPL.EXE" [2005-09-14 14820864]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2005-09-18 86016]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2005-09-18 7204864]
"Malwarebytes Anti-Exploit"="c:\program files\Malwarebytes Anti-Exploit\mbae.exe" [2016-06-02 2623456]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2005-01-12 32768]
"readericon"="c:\program files\Digital Media Reader\readericon45G.exe" [2005-12-10 139264]
"nwiz"="nwiz.exe" [2005-09-18 1519616]
"High Definition Audio Property Page Shortcut"="HDAShCut.exe" [2005-01-08 61952]
"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2002-09-14 212992]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2014-05-08 959904]
"PSUAMain"="c:\program files\Panda Security\Panda Security Protection\PSUAMain.exe" [2015-10-22 54520]
"BDAntiCryptoLocker"="c:\program files\Bitdefender\Tools\BDAntiRansomware\BDAntiRansomware.exe" [2016-05-16 1242144]
"ZoneAlarm"="c:\program files\CheckPoint\ZoneAlarm\zatray.exe" [2016-03-24 134480]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"SoftwareSASGeneration"= 1 (0x1)
"MaxGPOScriptWait"= 600 (0x258)
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\NanoServiceMain]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\PSUAService]
@="Service"
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"
.
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Oemreset.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Oemreset.lnk
backup=c:\windows\pss\Oemreset.lnkCommon Startup
.
[HKLM\~\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^_uninst_.lnk]
path=c:\documents and settings\Owner\Start Menu\Programs\Startup\_uninst_.lnk
backup=c:\windows\pss\_uninst_.lnkStartup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\APSDaemon]
2013-04-22 04:43    59720    ----a-w-    c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2008-04-14 12:42    1695232    ------w-    c:\program files\Messenger\msmsgs.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2013-05-01 10:59    421888    ----a-w-    c:\program files\QuickTime\QTTask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UnlockerAssistant]
2010-07-04 19:51    17408    ----a-w-    c:\program files\Unlocker\UnlockerAssistant.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Common Files\\Apple\\Apple Application Support\\WebKit2WebProcess.exe"=
"c:\\Program Files\\CheckPoint\\ZoneAlarm\\vsmon.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
.
R1 ESProtectionDriver;Malwarebytes Anti-Exploit;c:\program files\Malwarebytes Anti-Exploit\mbae.sys [11/15/2015 6:30 PM 50016]
R1 NNSALPC;NNSAlpc;c:\windows\system32\drivers\NNSAlpc.sys [7/9/2015 8:37 AM 87032]
R1 NNSHTTP;NNSHttp;c:\windows\system32\drivers\NNSHttp.sys [7/9/2015 8:37 AM 202104]
R1 NNSHTTPS;NNSHttps;c:\windows\system32\drivers\NNSHttps.sys [7/9/2015 8:37 AM 109688]
R1 NNSIDS;NNSids;c:\windows\system32\drivers\NNSIds.sys [7/9/2015 8:37 AM 121720]
R1 NNSPICC;NNSPicc;c:\windows\system32\drivers\NNSpicc.sys [7/9/2015 8:37 AM 102264]
R1 NNSPIHS;NNSPihs;c:\windows\system32\drivers\NNSpihs.sys [7/9/2015 8:37 AM 52088]
R1 NNSPOP3;NNSPop3;c:\windows\system32\drivers\NNSPop3.sys [7/9/2015 8:37 AM 120568]
R1 NNSPROT;NNSProt;c:\windows\system32\drivers\NNSProt.sys [7/9/2015 8:37 AM 281720]
R1 NNSPRV;NNSPrv;c:\windows\system32\drivers\NNSPrv.sys [7/9/2015 8:37 AM 209016]
R1 NNSSMTP;NNSSmtp;c:\windows\system32\drivers\NNSSmtp.sys [7/9/2015 8:37 AM 108408]
R1 NNSSTRM;NNSStrm;c:\windows\system32\drivers\NNSStrm.sys [7/9/2015 8:37 AM 240376]
R1 NNSTLSC;NNSTlsc;c:\windows\system32\drivers\NNStlsc.sys [7/9/2015 8:37 AM 94968]
R1 PSINKNC;PSINKNC;c:\windows\system32\drivers\PSINKNC.sys [7/19/2015 9:46 AM 172792]
R2 MbaeSvc;Malwarebytes Anti-Exploit Service;c:\program files\Malwarebytes Anti-Exploit\mbae-svc.exe [11/15/2015 6:30 PM 742368]
R2 NanoServiceMain;Panda Protection Service;c:\program files\Panda Security\Panda Security Protection\PSANHost.exe [10/18/2015 2:32 AM 142072]
R2 PandaAgent;Panda Devices Agent;c:\program files\Panda Security\Panda Devices Agent\AgentSvc.exe [2/22/2016 6:24 PM 73176]
R2 PSINAflt;PSINAflt;c:\windows\system32\drivers\PSINAflt.sys [7/19/2015 9:46 AM 140792]
R2 PSINFile;PSINFile;c:\windows\system32\drivers\PSINFile.sys [7/19/2015 9:46 AM 103288]
R2 PSINProc;PSINProc;c:\windows\system32\drivers\PSINProc.sys [7/19/2015 9:46 AM 114680]
R2 PSINProt;PSINProt;c:\windows\system32\drivers\PSINProt.sys [7/19/2015 9:46 AM 125176]
R2 PSINReg;PSINReg;c:\windows\system32\drivers\PSINReg.sys [7/19/2015 9:46 AM 100600]
R2 PSUAService;Panda Product Service;c:\program files\Panda Security\Panda Security Protection\PSUAService.exe [10/22/2015 9:42 AM 38136]
R2 ZAPrivacyService;ZoneAlarm Privacy Service;c:\program files\CheckPoint\ZoneAlarm\ZAPrivacyService.exe [10/19/2015 10:22 AM 96272]
R3 NNSNAHS;Network Activity Hook Server Service;c:\windows\system32\drivers\NNSNAHS.sys [5/20/2015 3:18 AM 55216]
R3 PSKMAD;PSKMAD;c:\windows\system32\drivers\PSKMAD.sys [7/31/2016 4:47 PM 50832]
.
--- Other Services/Drivers In Memory ---
.
*Deregistered* - mbamchameleon
*Deregistered* - uphcleanhlp
.
.
------- Supplementary Scan -------
.
uStart Page = https://www.yahoo.com/
mStart Page = about:blank
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
TCP: DhcpNameServer = 68.105.28.11 68.105.29.11 68.105.28.12
FF - ProfilePath - c:\documents and settings\Owner\Application Data\Mozilla\Firefox\Profiles\41qyd9cm.default\
FF - prefs.js: browser.startup.homepage - hxxps://www.yahoo.com/
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2016-07-31 21:48
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...  
.
scanning hidden autostart entries ...
.
scanning hidden files ...  
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\.Default\Software\5AHSH54OwLwn]
@Denied: (B 2 3) (Everyone)
.
[HKEY_USERS\.Default\Software\Locky]
@Denied: (B 2 3) (Everyone)
.
[HKEY_USERS\LocalService\Software\5AHSH54OwLwn]
@Denied: (B 2 3) (Everyone)
.
[HKEY_USERS\LocalService\Software\Locky]
@Denied: (B 2 3) (Everyone)
.
[HKEY_USERS\LocalService_Classes\Software\5AHSH54OwLwn]
@Denied: (B 2 3) (Everyone)
.
[HKEY_USERS\LocalService_Classes\Software\Locky]
@Denied: (B 2 3) (Everyone)
.
[HKEY_USERS\S-1-5-20\Software\5AHSH54OwLwn]
@Denied: (B 2 3) (Everyone)
.
[HKEY_USERS\S-1-5-20\Software\Locky]
@Denied: (B 2 3) (Everyone)
.
[HKEY_USERS\S-1-5-20_Classes\Software\5AHSH54OwLwn]
@Denied: (B 2 3) (Everyone)
.
[HKEY_USERS\S-1-5-20_Classes\Software\Locky]
@Denied: (B 2 3) (Everyone)
.
[HKEY_USERS\S-1-5-21-676961170-3691123601-236142853-1003\Software\5AHSH54OwLwn]
@Denied: (B 2 3) (Everyone)
.
[HKEY_USERS\S-1-5-21-676961170-3691123601-236142853-1003\Software\Locky]
@Denied: (B 2 3) (Everyone)
.
[HKEY_USERS\S-1-5-21-842925246-1606980848-1708537768-1003_Classes\Software\5AHSH54OwLwn]
@Denied: (B 2 3) (Everyone)
.
[HKEY_USERS\S-1-5-21-842925246-1606980848-1708537768-1003_Classes\Software\Locky]
@Denied: (B 2 3) (Everyone)
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_16_0_0_296_ActiveX.exe,-101"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}\Elevation]
"Enabled"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil32_16_0_0_296_ActiveX.exe"
.
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{299817DA-1FAC-4CE2-8F48-A108237013BD}]
@Denied: (A 2) (Everyone)
@="IFlashBroker6"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{299817DA-1FAC-4CE2-8F48-A108237013BD}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"
.
[HKEY_LOCAL_MACHINE\software\Classes\Interface\{299817DA-1FAC-4CE2-8F48-A108237013BD}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'explorer.exe'(3084)
c:\windows\system32\WININET.dll
c:\program files\Bitdefender\Tools\BDAntiRansomware\InjectionDll.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\nvsvc32.exe
c:\program files\UPHClean\uphclean.exe
c:\windows\RTHDCPL.EXE
c:\windows\system32\RUNDLL32.EXE
c:\windows\system32\wbem\unsecapp.exe
.
**************************************************************************
.
Completion time: 2016-07-31  21:54:24 - machine was rebooted
ComboFix-quarantined-files.txt  2016-08-01 04:54
ComboFix2.txt  2016-07-30 15:45
.
Pre-Run: 33,290,543,104 bytes free
Post-Run: 33,231,155,200 bytes free
.
- - End Of File - - F4724DA58F2F828D164690D21711BB89
620801C51A4A223B7167BE50689BA748
 


Edited by koolkat1939, 01 August 2016 - 11:01 AM.

  • 0

Advertisements


#17
RKinner

RKinner

    Malware Expert

  • Expert
  • 20,017 posts
  • MVP

Sorry I didn't get notified again.  Going to talk to admin about it.

 

Turns out the two registry entries:

 

[HKEY_USERS\.Default\Software\5AHSH54OwLwn]
@Denied: (B 2 3) (Everyone)
.
[HKEY_USERS\.Default\Software\Locky]
@Denied: (B 2 3) (Everyone)
 

 

 

 
are put in by your BitDefender BDAntiRansomware.exe as a method to keep Locky & something else from installing themselves.  That's why they came back.
 
FlashBroker, IFlashBroker6 are normal Adobe Flash.  Don't know about RAIDTEST but looks like Combofix didn't like it.
 
Are you still getting a lot of fan noise & slowness?  I'm hoping aswmbr's Fix may have done some good.

  • 0

#18
koolkat1939

koolkat1939

    Member

  • Topic Starter
  • Member
  • PipPip
  • 27 posts

It helped after you got rid of RAIDTEST but if I uncheck "Display pointer trails" my mouse will freeze and I still have fan issues.


  • 0

#19
RKinner

RKinner

    Malware Expert

  • Expert
  • 20,017 posts
  • MVP

Can you make a new Process Explorer log and post it?

 

Do you still have the same problems in Safe Mode with Networking?

 

 
(Reboot and when you see the maker's logo, hear a beep or it talks about F8, start tapping the F8 key slowly.  Keep tapping until the Safe Mode Menu appears and choose Safe Mode with Networking.  Login with your usual login.)

  • 0

#20
koolkat1939

koolkat1939

    Member

  • Topic Starter
  • Member
  • PipPip
  • 27 posts

My mouse will work in Safe Mode but the fan will run if I try using a Anti-virus scan. I forgot how to do the Process Explorer log. Do you want the log while I am in Safe Mode with Networking ?


Edited by koolkat1939, 04 August 2016 - 03:55 PM.

  • 0

#21
RKinner

RKinner

    Malware Expert

  • Expert
  • 20,017 posts
  • MVP
Get Process Explorer
 
Save it to your desktop then run it (Vista or Win7 - right click and Run As Administrator).  
 
View, Select Column, check Verified Signer, OK
Options, Verify Image Signatures
 
 
Click twice on the CPU column header  to sort things by CPU usage with the big hitters at the top.  
 
Wait a full minute then:
 
File, Save As, Save.  Note the file name.   Open the file  on your desktop and copy and paste the text to a reply.
 
 
Let's do a log in both.

  • 0

#22
koolkat1939

koolkat1939

    Member

  • Topic Starter
  • Member
  • PipPip
  • 27 posts

OK 

 

 

:yes:  Process Explorer  Log in Normal mode :

 

Process    CPU    Private Bytes    Working Set    PID    Description    Company Name    VirusTotal    Verified Signer
System Idle Process    65.28    0 K    28 K    0                
PSUAMain.exe    15.28    16,216 K    9,076 K    2492    AV Console    Panda Security, S.L.        (Verified) Panda Security S.L
Interrupts    12.50    0 K    0 K    n/a    Hardware Interrupts and DPCs            
PSUAService.exe    4.17    12,932 K    1,988 K    1708    PSUAService    Panda Security, S.L.        (Verified) Panda Security S.L
svchost.exe    1.39    17,256 K    27,048 K    636    Generic Host Process for Win32 Services    Microsoft Corporation        (No signature was present in the subject) Microsoft Corporation
procexp.exe    1.39    13,108 K    18,948 K    2840    Sysinternals Process Explorer    Sysinternals - www.sysinternals.com        (Verified) Microsoft Corporation
zatray.exe        48,612 K    22,544 K    3060    ZoneAlarm    Check Point Software Technologies Ltd.        (Verified) Check Point Software Technologies Ltd.
ZAPrivacyService.exe        18,220 K    18,124 K    620    ZAPrivacyService    Check Point Software Technologies, Ltd.        (Verified) Check Point Software Technologies Ltd.
wmiprvse.exe        2,604 K    6,868 K    3756    WMI    Microsoft Corporation        (Verified) Microsoft Windows Component Publisher
wmiprvse.exe        2,040 K    5,300 K    3872    WMI    Microsoft Corporation        (Verified) Microsoft Windows Component Publisher
winlogon.exe        6,348 K    4,352 K    148    Windows NT Logon Application    Microsoft Corporation        (Verified) Microsoft Windows Component Publisher
vsmon.exe        24,004 K    24,864 K    1256    ZoneAlarm    Check Point Software Technologies Ltd.        (Verified) Check Point Software Technologies Ltd.
uphclean.exe        588 K    1,348 K    2020    User Profile Hive Cleanup Service    Windows ® Codename Longhorn DDK provider        (No signature was present in the subject) Windows ® Codename Longhorn DDK provider
unsecapp.exe        1,304 K    4,184 K    3672    WMI    Microsoft Corporation        (No signature was present in the subject) Microsoft Corporation
System        0 K    272 K    4                
svchost.exe        3,080 K    5,008 K    428    Generic Host Process for Win32 Services    Microsoft Corporation        (No signature was present in the subject) Microsoft Corporation
svchost.exe        1,800 K    4,328 K    488    Generic Host Process for Win32 Services    Microsoft Corporation        (Verified) Microsoft Windows Component Publisher
svchost.exe        1,292 K    3,604 K    748    Generic Host Process for Win32 Services    Microsoft Corporation        (No signature was present in the subject) Microsoft Corporation
svchost.exe        3,840 K    5,952 K    1008    Generic Host Process for Win32 Services    Microsoft Corporation        (No signature was present in the subject) Microsoft Corporation
svchost.exe        1,372 K    3,600 K    336    Generic Host Process for Win32 Services    Microsoft Corporation        (Verified) Microsoft Windows Component Publisher
svchost.exe        1,532 K    3,468 K    3356    Generic Host Process for Win32 Services    Microsoft Corporation        (No signature was present in the subject) Microsoft Corporation
spoolsv.exe        3,408 K    5,016 K    1856    Spooler SubSystem App    Microsoft Corporation        (Verified) Microsoft Windows Component Publisher
smss.exe        172 K    432 K    1964    Windows NT Session Manager    Microsoft Corporation        (No signature was present in the subject) Microsoft Corporation
services.exe        1,844 K    21,116 K    160    Services and Controller app    Microsoft Corporation        (Verified) Microsoft Windows Component Publisher
rundll32.exe        2,004 K    3,048 K    3912    Run a DLL as an App    Microsoft Corporation        (Verified) Microsoft Windows Component Publisher
RTHDCPL.EXE        18,672 K    22,660 K    3880    Realtek HD Audio Control Panel    Realtek Semiconductor Corp.        (Verified) Microsoft Windows Hardware Compatibility Publisher
readericon45G.exe        1,876 K    3,072 K    2292    Sunkist    Alcor Micro, Corp.        (No signature was present in the subject) Alcor Micro, Corp.
PSANHost.exe        103,348 K    11,948 K    1628    Application Host Service    Panda Security, S.L.        (Verified) Panda Security S.L
PDVDServ.exe        856 K    3,156 K    2240    PowerDVD RC Service    Cyberlink Corp.        (No signature was present in the subject) Cyberlink Corp.
nvsvc32.exe        2,068 K    3,656 K    1656    NVIDIA Driver Helper Service, Version 81.33    NVIDIA Corporation        (Verified) Microsoft Windows Hardware Compatibility Publisher
mbae-svc.exe        9,260 K    12,492 K    1268    Malwarebytes Anti-Exploit Service    Malwarebytes Corporation        (Verified) Malwarebytes Corporation
mbae.exe        8,112 K    11,924 K    1660    Malwarebytes Anti-Exploit    Malwarebytes Corporation        (Verified) Malwarebytes Corporation
lsass.exe        4,012 K    6,644 K    228    LSA Shell (Export Version)    Microsoft Corporation        (Verified) Microsoft Windows Component Publisher
explorer.exe        13,380 K    21,548 K    1396    Windows Explorer    Microsoft Corporation        (No signature was present in the subject) Microsoft Corporation
csrss.exe        1,924 K    3,964 K    2036    Client Server Runtime Process    Microsoft Corporation        (Verified) Microsoft Windows Component Publisher
CCleaner.exe        9,148 K    7,420 K    1600    CCleaner    Piriform Ltd        (Verified) Piriform Ltd
BDAntiRansomware.exe        17,532 K    22,652 K    2968                (Verified) Bitdefender SRL
alg.exe        1,172 K    3,616 K    3532    Application Layer Gateway Service    Microsoft Corporation        (Verified) Microsoft Windows Component Publisher
AgentSvc.exe        11,348 K    15,432 K    1676    Agent Service    Panda Security, S.L.        (Verified) Panda Security S.L
 

 

 

------------------------------------------------------------------------------------------------------

 

:yes:   Process Explorer  Log  in Safe Mode with Networking :

 

 

Process    CPU    Private Bytes    Working Set    PID    Description    Company Name    VirusTotal    Verified Signer
System Idle Process    100.00    0 K    16 K    0                
Interrupts    < 0.01    0 K    0 K    n/a    Hardware Interrupts and DPCs            
wmiprvse.exe        1,864 K    4,960 K    1784    WMI    Microsoft Corporation        (Verified) Microsoft Windows Component Publisher
winlogon.exe        3,288 K    2,052 K    848    Windows NT Logon Application    Microsoft Corporation        (Verified) Microsoft Windows Component Publisher
vsmon.exe        22,956 K    23,528 K    1624    ZoneAlarm    Check Point Software Technologies Ltd.        (Verified) Check Point Software Technologies Ltd.
System        0 K    212 K    4                
svchost.exe        2,992 K    4,864 K    1060    Generic Host Process for Win32 Services    Microsoft Corporation        (Verified) Microsoft Windows Component Publisher
svchost.exe        1,644 K    4,172 K    1128    Generic Host Process for Win32 Services    Microsoft Corporation        (Verified) Microsoft Windows Component Publisher
svchost.exe        10,648 K    17,104 K    1344    Generic Host Process for Win32 Services    Microsoft Corporation        (Verified) Microsoft Windows Component Publisher
svchost.exe        1,288 K    3,568 K    1364    Generic Host Process for Win32 Services    Microsoft Corporation        (Verified) Microsoft Windows Component Publisher
svchost.exe        1,068 K    2,964 K    1480    Generic Host Process for Win32 Services    Microsoft Corporation        (Verified) Microsoft Windows Component Publisher
smss.exe        168 K    416 K    740    Windows NT Session Manager    Microsoft Corporation        (Verified) Microsoft Windows Component Publisher
services.exe        1,696 K    20,912 K    892    Services and Controller app    Microsoft Corporation        (Verified) Microsoft Windows Component Publisher
PSUAService.exe        12,700 K    244 K    784    PSUAService    Panda Security, S.L.        (Verified) Panda Security S.L
PSANHost.exe        84,020 K    9,520 K    624    Application Host Service    Panda Security, S.L.        (Verified) Panda Security S.L
procexp.exe        15,468 K    21,808 K    688    Sysinternals Process Explorer    Sysinternals - www.sysinternals.com        (Verified) Microsoft Corporation
notepad.exe        924 K    336 K    640    Notepad    Microsoft Corporation        (Verified) Microsoft Windows Component Publisher
lsass.exe        2,144 K    1,248 K    904    LSA Shell (Export Version)    Microsoft Corporation        (Verified) Microsoft Windows Component Publisher
explorer.exe        12,664 K    19,620 K    1764    Windows Explorer    Microsoft Corporation        (Verified) Microsoft Windows Component Publisher
csrss.exe        1,608 K    3,360 K    824    Client Server Runtime Process    Microsoft Corporation        (Verified) Microsoft Windows Component Publisher
 


  • 0

#23
RKinner

RKinner

    Malware Expert

  • Expert
  • 20,017 posts
  • MVP

The normal mode has this:

 

Interrupts    12.50    0 K    0 K    n/a    Hardware Interrupts and DPCs            

 

That's pretty bad.  Anything over 1.5% slows the CPU a lot more than you would think.

 

In Safe Mode things are really nice:

 

System Idle Process    100.00    0 K    16 K    0                

Interrupts    < 0.01    0 K    0 K    n/a    Hardware Interrupts and DPCs            

 

Start Run, msconfig, OK
Go to Services tab and click on the box to hide Microsoft Services then uncheck
everything that remains.  Go to Startup tab and uncheck everything.  OK and
reboot.  If it doesn't run faster then go back into msconfig and recheck the
things you turned off.  If it helps then go back and turn on a few items each
time until you find the culprit.
 
Will take a while but if you look at  Process Explorer each time you can get a quick reading on if it helped or not.

  • 0

#24
koolkat1939

koolkat1939

    Member

  • Topic Starter
  • Member
  • PipPip
  • 27 posts

:upset:  Yah I did what you said but not much difference. I suspect that the Virus\Malware is disguised or patched as a legitimate file. Looks like I'm going to have to buy a new burner and do a full reinstall of my OS.. :yes:  Thanks for your help. OH can you show me how to clean up these tools and logs ?


Edited by koolkat1939, 04 August 2016 - 06:34 PM.

  • 0

#25
RKinner

RKinner

    Malware Expert

  • Expert
  • 20,017 posts
  • MVP
Since we ran Combofix:
To uninstall combofix, copy the next line:
 
"c:\documents and settings\Owner\Desktop\ComboFix.exe" /Uninstall
 
Start, Run, cmd, OK then right click, Paste, then hit Enter.
 
Speccy you just uninstall and delete its log.
 
Process Explorer and VEW just delete and also delete their logs.
 
FRST we cleanup with Delfix.  This removes our tools and their logs and quarantines and also removes all but the latest System Restore point so there is no chance of the malware coming back with a system restore. Delfix has been a tad too aggressive recently and seems to dislike pdf files in the Downloads folder so if you have any you should move them to a different folder before running Delfix.
 
Ensure Remove disinfection tools is ticked
Also tick:
Create registry backup
Purge system restore
 
Click Run
The program will run for a few moments and then notepad will open with a log. Please paste the log in your next reply

  • 0

Advertisements


#26
koolkat1939

koolkat1939

    Member

  • Topic Starter
  • Member
  • PipPip
  • 27 posts

:yes:  Thanks for your help. Do I uninstall UPHClean or do I just leave it ?

 

 

 

Delfix log :

 

# DelFix v1.013 - Logfile created 05/08/2016 at 07:18:04
# Updated 17/04/2016 by Xplode
# Username : Owner - YOUR-CF6AE05ECC
# Operating System : Microsoft Windows XP Service Pack 3 (32 bits)

~ Removing disinfection tools ...

Deleted : C:\32788R22FWJFW
Deleted : C:\Combofix
Deleted : C:\FRST
Deleted : C:\ComboFix.txt
Deleted : C:\TDSSKiller.3.1.0.9_30.07.2016_08.56.43_log.txt
Deleted : C:\Documents and Settings\Owner\Desktop\Addition.txt
Deleted : C:\Documents and Settings\Owner\Desktop\aswmbr.exe
Deleted : C:\Documents and Settings\Owner\Desktop\aswMBR.txt
Deleted : C:\Documents and Settings\Owner\Desktop\Fixlog.txt
Deleted : C:\Documents and Settings\Owner\Desktop\FRST.exe
Deleted : C:\Documents and Settings\Owner\Desktop\FRST.txt
Deleted : C:\Documents and Settings\Owner\Desktop\MBR.dat
Deleted : C:\Documents and Settings\Owner\Desktop\TDSSKiller.3.1.0.9_30.07.2016_08.56.43_log.txt
Deleted : C:\Documents and Settings\Owner\Desktop\tdsskiller.exe
Deleted : HKLM\SOFTWARE\OldTimer Tools
Deleted : HKLM\SOFTWARE\Swearware
Deleted : HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_ASWMBR

~ Creating registry backup ... OK

~ Cleaning system restore ...


New restore point created !

########## - EOF - ##########
 


  • 0

#27
RKinner

RKinner

    Malware Expert

  • Expert
  • 20,017 posts
  • MVP

Leave UPHClean.  It's a fix for Microsoft's mistake.

 

There is one thing we haven't tried:

 

 
Download Save and Run the program
 
You can go through the drivers section and see if there are some you can live temporarily live without.  Uncheck them then reboot and see if Process Explorer looks better.

  • 0

#28
koolkat1939

koolkat1939

    Member

  • Topic Starter
  • Member
  • PipPip
  • 27 posts

:no:  I ran autoruns and selected the Drivers tab.  There was something in red [not verifed] called ASCTRM. I unchecked it and no difference. I looked up the Driver and it's part of the Real Player.  Oh well thanks for your help.


  • 0






Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP