High CPU Usage & possible trojan remnants


#1 Dragnsfire (Member, 49 posts)

Hi,

I am having issues with very high CPU usage by Kaspersky and Chrome. I recently removed the private browsing extension, but Kaspersky is sometimes taking upwards of 40% of my CPU (even when not running a scan or downloading database updates). At one point, I had iSpy installed, but I recently removed it; the files were too large. Instead, I was going to opt for a keylogger and downloaded SpyTech's SpyAgent, but Kaspersky immediately blocked the install, and it looks like a couple of the files were trojans. =/ My computer has always been a little on the slower side (cheap ASUS machine for gaming), but it's been particularly bad lately. I've removed the private browsing extension from Chrome, and the only extensions I have currently are: AdBlock, Google Docs, Google Sheets, Honey, Inbox by Gmail, Kaspersky Password Manager, and Office Online (I use OneDrive regularly). Here are my logs:

FRST: [log posted inside a collapsed spoiler; not shown]

Addition: [log posted inside a collapsed spoiler; not shown]

Thank you for any help.

 


Edited by Dragnsfire, 16 January 2017 - 11:58 AM.



#2 RKinner (Malware Expert, MVP, 24,625 posts)

Please just copy and paste the logs unless I ask you to attach. Do not use the Spoiler option.

I see this is an upgraded Win 10. Was it 7 or 8 before the upgrade?

I expect we will find that you have a bad driver, since your logs don't show any infection and besides, you have Kaspersky and I never find malware with Kaspersky. Let's look at Process Explorer:

Get Process Explorer

Save it to your desktop then run it (Vista or Win7+: right click and Run As Administrator).

View, Select Column, check Verified Signer, OK
Options, Verify Image Signatures

Click twice on the CPU column header to sort things by CPU usage with the big hitters at the top.

Wait a full minute then:

File, Save As, Save. Note the file name. Open the file on your desktop and copy and paste the text to a reply.

And also Speccy:

Get the free version of Speccy:

http://www.filehippo...download_speccy (Look in the upper right for the Download Latest Version button. Do NOT press the large Start Download button on the upper left!)
Download, Save and Install it. Tell it you do not need CCleaner. Run Speccy. When it finishes (the little icon in the bottom left will stop moving),
File, Save as Text File (to your desktop); note the name it gives. OK. Open the file in Notepad and delete the line that gives the serial number of your Operating System.
(It will be near the top, about 10 lines down.) Save the file. Attach the file to your next post. (More Reply Options, Choose File, Open, Attach This File)

I would also like to look at the event logs:

1. Please download the Event Viewer Tool by Vino Rosso and save it to your Desktop.
2. Right-click VEW.exe and Run As Administrator.
3. Under 'Select log to query', select:
* System
4. Under 'Select type to list', select:
* Error
* Warning

Then use the 'Number of events' as follows:

1. Click the radio button for 'Number of events'.
Type 20 in the 1 to 20 box.
Then click the Run button.
Notepad will open with the output log.

Please post the Output log in your next reply then repeat but select Application. (Each time you run VEW it overwrites the log so copy the first one to a Reply or rename it before running it a second time.)
 
 
 

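The triage RKinner asks for in post #2 (top CPU consumers with their verified signers, the temperature figure Speccy reports, and the last 20 Error/Warning events from the System and Application logs) can also be collected from a single elevated PowerShell prompt. The script below is an added example, not part of the thread and not code from Process Explorer, Speccy or VEW; it assumes Windows PowerShell 5.1 on Windows 8.1 or 10, that the firmware exposes the MSAcpi_ThermalZoneTemperature WMI class (many laptops do not, in which case the thermal section only prints a warning and Speccy is still needed), and the function and output file names are mine.

```powershell
# Added example (not from the thread): PowerShell stand-in for the Process
# Explorer / Speccy / VEW triage requested in post #2. Run elevated.
# Assumptions: Windows PowerShell 5.1; firmware populates
# MSAcpi_ThermalZoneTemperature (not guaranteed); function names are mine.
#Requires -RunAsAdministrator

function Get-TopCpuProcesses {
    # Equivalent of Process Explorer sorted by CPU with "Verified Signer" shown.
    param([int]$Top = 15, [int]$SampleSeconds = 60)

    # Process Explorer's CPU column is a rate, so sample cumulative CPU time
    # twice and diff it; otherwise long-lived idle processes dominate.
    $before = @{}
    Get-Process | ForEach-Object { $before[$_.Id] = $_.CPU }
    Start-Sleep -Seconds $SampleSeconds
    $cores = [Environment]::ProcessorCount

    Get-Process | ForEach-Object {
        $now   = if ($_.CPU) { [double]$_.CPU } else { 0.0 }   # $null for protected processes
        $start = if ($before.ContainsKey($_.Id) -and $before[$_.Id]) { [double]$before[$_.Id] } else { 0.0 }
        $deltaSec = [math]::Max(0.0, $now - $start)             # PID reuse can go negative; clamp
        $pct = [math]::Round(100 * $deltaSec / ($SampleSeconds * $cores), 1)

        # Authenticode check is what Process Explorer's Verify Image Signatures does.
        $signer = 'n/a'
        if ($_.Path) {
            $sig = Get-AuthenticodeSignature -FilePath $_.Path -ErrorAction SilentlyContinue
            if ($sig -and $sig.Status -eq 'Valid') {
                $signer = '(Verified) ' + $sig.SignerCertificate.Subject.Split(',')[0]
            } elseif ($sig) {
                $signer = $sig.Status.ToString()      # NotSigned, HashMismatch, ...
            }
        }
        [pscustomobject]@{ Name = $_.ProcessName; PID = $_.Id; 'CPU%' = $pct; Path = $_.Path; Signer = $signer }
    } | Sort-Object 'CPU%' -Descending | Select-Object -First $Top
}

function Get-CpuTemperatureC {
    # The figure Speccy prints next to the CPU, read from ACPI thermal zones.
    try {
        Get-CimInstance -Namespace root/wmi -ClassName MSAcpi_ThermalZoneTemperature -ErrorAction Stop |
            ForEach-Object {
                # CurrentTemperature is reported in tenths of a Kelvin.
                [pscustomobject]@{ Zone = $_.InstanceName; TempC = [math]::Round($_.CurrentTemperature / 10 - 273.15, 1) }
            }
    } catch {
        Write-Warning 'This firmware exposes no ACPI thermal zone; use Speccy for the temperature.'
    }
}

function Get-RecentProblems {
    # VEW's "Error + Warning, last 20 events" for the System and Application logs.
    param([string[]]$Logs = @('System', 'Application'), [int]$Count = 20)
    foreach ($log in $Logs) {
        # Level 1 = Critical, 2 = Error, 3 = Warning.
        Get-WinEvent -FilterHashtable @{ LogName = $log; Level = 1, 2, 3 } -MaxEvents $Count -ErrorAction SilentlyContinue |
            Select-Object @{ n = 'Log'; e = { $log } }, TimeCreated, Id, ProviderName, LevelDisplayName,
                          @{ n = 'Message'; e = { ($_.Message -split "`r?`n")[0] } }   # first line only
    }
}

# Usage: write one report to the desktop. Unlike a raw Speccy export it contains
# no Windows product key, so nothing has to be deleted before posting it.
$report = Join-Path ([Environment]::GetFolderPath('Desktop')) 'triage.txt'
'== Top CPU (60 s sample) ==', (Get-TopCpuProcesses | Format-Table -AutoSize | Out-String),
'== Thermal zones ==',         (Get-CpuTemperatureC | Format-Table -AutoSize | Out-String),
'== Recent errors/warnings ==', (Get-RecentProblems | Format-Table -AutoSize -Wrap | Out-String) |
    Set-Content -Path $report
Write-Host "Report written to $report"
```

Anything in the top-CPU table whose Signer column is not "(Verified) ..." deserves a second look before blaming a driver or the antivirus; in this thread the Process Explorer log was never shown, so that check was never confirmed on the page.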

#3 Dragnsfire (Topic Starter, Member, 49 posts)

Thank you for the response, and my apologies for my own delayed response. Work has been kicking my butt. >.< Good to know I chose a good AV--I just got it about a month ago!

 

This computer was Windows 8 previously (PITA that it was to get it to function like normal Windows). 

 

Process Explorer: [log posted inside a collapsed spoiler; not shown]

Speccy: [log posted inside a collapsed spoiler; not shown]

VEW Process: [log posted inside a collapsed spoiler; not shown]

VEW Application: [log posted inside a collapsed spoiler; not shown]


#4 RKinner (Malware Expert, MVP, 24,625 posts)
AMD A10-6700 72 °C

This is probably your problem. An idle desktop should run around 45. Yours is overheating, most likely because of dust build-up on the heatsink. This is a simple fix. Shut it down but leave it plugged into the wall outlet. Open it up (you can find instructions on how to do that on your PC maker's website or perhaps a YouTube video) and locate the heatsink on top of the CPU. This is a big metal finned thing, usually with a fan attached to it, though some have the air go through a duct and mount the fan in the back.

 

See if you can figure out how to remove the fan without disturbing the heatsink. (If you move the heatsink you will have to replace the thermal paste.) Make sure you know which way the fan was facing so you can put it back the same way.

 

Between the heatsink and the fan you will find a layer of dust. Remove the dust with a vacuum cleaner hose and a small brush, then reinstall the fan and turn it on. Observe the fan. It should start up quickly. It may slow down right after the start, but the start should be smooth and there should be no strange noises, or you will need to replace the fan.

 

Shut it down again and put it back together. When you boot this time, let it run for 30 minutes, then create a new Speccy log and see what the temp is now.



#5 Dragnsfire (Topic Starter, Member, 49 posts)

Okay, got everything cleaned up and somehow managed to not move the heatsink. Totally voided my warranty for the machine, but I think it was about up, anyway! (Whole reason I never took the cover off before. Break that seal and that's it!) I ended up getting 45 minutes uptime because I was trying to reinstall the Kaspersky private browsing extension. Incidentally, that seems to conflict in Chrome/Firefox with Facebook. (FB on Chrome and FF already seem to have some loading issues, and I noticed my CPU usage going up on both, essentially coming to a standstill, every time I open FB, with my CPU usage going up, at times, to 100%, both with and without using the Kaspersky private browsing; it's only slightly less without the KPB.) Edge is the only browser I can load FB on without it putting my CPU usage at crippling levels.

 

Here's the Speccy log: [log posted inside a collapsed spoiler; not shown]

Edited by Dragnsfire, 21 January 2017 - 03:07 PM.


#6 Dragnsfire (Topic Starter, Member, 49 posts)

Incidentally, here's a screenshot of the CPU usage.

[screenshot: CPU01_zpsj3boit87.jpg]



#7 RKinner (Malware Expert, MVP, 24,625 posts)

See if Firefox works better in its safe mode:

 

https://support.mozi...using-safe-mode

 

I have recently installed F.B. Purity

http://www.fbpurity.com/install.htm

to control all of the ads and suggested garbage on Facebook. It's made a big difference in the speed.



#8 Dragnsfire (Topic Starter, Member, 49 posts)

Sadly, both are just the same. Even with Kaspersky's extension disabled, it somehow kills my ability to use either Chrome or FF with Facebook, so it might be a social media thing. (Bright side... my computer doesn't sound like a jet engine preparing for takeoff?) :) I double checked, and Kaspersky wasn't actively doing a scan or anything (I have that on a schedule). Looks like I may need to toss an email to their support division. Not sure if it's a bug or if it's just my 2-year-old computer unable to handle their level of awesome protection. At least it did its job and kept me from getting infected.

 

Firefox in Safe Mode:

[screenshot: CPU02_zpszpfzuchw.jpg]

FB Purity in Chrome:

[screenshot: CPU03-FB%20Purity_zpsromegjsh.jpg]



#9 RKinner (Malware Expert, MVP, 24,625 posts)
See if you can get RogueKiller to work:

Download RogueKiller and save it on your desktop.
Quit all programs.
Start RogueKiller.exe (right click and Run As Admin).
Wait until Prescan has finished ...
Click on Start Scan
Click on Start Scan
Wait for the end of the scan.

Open Report
Open Txt
Copy and paste the text from the report to a reply.


#10 Dragnsfire (Topic Starter, Member, 49 posts)

As requested... (As an aside, I occasionally use the Honey extension, but it's not something I'm dead set on keeping. The other two Chrome configs: not sure why AVG is still on there at all, and I've been trying to figure out how to get rid of Speed Dial forever.)

 

RogueKiller log: [log posted inside a collapsed spoiler; not shown]

Edited by Dragnsfire, 21 January 2017 - 08:02 PM.


#11 RKinner (Malware Expert, MVP, 24,625 posts)

Keep Honey if you like it but let RogueKiller remove the rest.

 

Does Task Manager look any better now?



#12 Dragnsfire (Topic Starter, Member, 49 posts)

Only if I don't enable Kaspersky's extension/add-on for Chrome/FF, but it's still high (around 70-80% overall). As soon as I enable them again, it's back to screenshots like the last one. As soon as I close FB, it goes back down to normal levels. Not sure if maybe it's a FB issue, but Edge is the only browser I can open FB in right now that doesn't make my computer sound like it's gonna take off.



#13 RKinner (Malware Expert, MVP, 24,625 posts)

This is only in Facebook?

There is a program called TCPView. http://live.sysinter...com/Tcpview.exe Download, Save and then run it by right clicking and Run As Admin.

Then File, Save As (to your desktop), tcp, OK. This should create a file tcp.txt on your desktop. Attach or copy and paste it to a reply.

Make two logs. One with Facebook and one without.


#14 Dragnsfire (Topic Starter, Member, 49 posts)

Chrome, without FB going: [log posted inside a collapsed spoiler; not shown]

Chrome with FB (trying to load, haha): [log posted inside a collapsed spoiler; not shown]

Edited by Dragnsfire, 22 January 2017 - 04:47 PM.


#15 RKinner (Malware Expert, MVP, 24,625 posts)
 
When you fire up Facebook, Kaspersky really gets busy.

avp.exe 2820 TCP qi-jenn-pc 53588 38.113.165.113 https ESTABLISHED 349 428,002 349 47,115 7,458 675 5 5
avp.exe 2820 TCP qi-jenn-pc 53589 38.113.165.113 https ESTABLISHED 333 405,746 333 44,939 7,490 810 5 6
avp.exe 2820 TCP qi-jenn-pc 53591 38.113.165.113 https ESTABLISHED 423 515,750 423 57,105 4,494 405 3 3
avp.exe 2820 TCP qi-jenn-pc 53592 38.113.165.113 https ESTABLISHED 446 548,652 446 60,210
avp.exe 2820 TCP qi-jenn-pc 53594 38.113.165.113 https ESTABLISHED 384 471,024 384 51,840 7,490 675 5 5
avp.exe 2820 TCP qi-jenn-pc 53595 38.113.165.113 https ESTABLISHED 386 475,844 386 52,110 5,992 540 4 4
avp.exe 2820 TCP qi-jenn-pc 53596 38.113.165.113 https ESTABLISHED 398 494,044 398 53,730 7,490 675 5 5
avp.exe 2820 TCP qi-jenn-pc 53597 38.113.165.113 https ESTABLISHED 353 443,722 353 47,655 7,490 675 5 5
avp.exe 2820 TCP qi-jenn-pc 53598 38.113.165.113 https ESTABLISHED 395 488,958 395 53,325 8,972 810 6 6
avp.exe 2820 TCP qi-jenn-pc 53599 38.113.165.113 https ESTABLISHED 340 419,832 340 45,900 2,996 270 2 2

 

 

Facebook itself is just these:

 

chrome.exe 11788 TCP qi-jenn-pc 53583 edge-star-mini-shv-01-sjc2.facebook.com https ESTABLISHED 1,720 4,626,681 255 2,535,858
chrome.exe 11788 TCP qi-jenn-pc 53593 edge-star-shv-01-sjc2.facebook.com https ESTABLISHED 3,791 4,404,824 8,522 5,250,704 70,820 58,648 39 104

 

 

 
I use Avast and it doesn't call back to the mothership like Kaspersky appears to be doing. My Facebook traffic is also a lot less, but some of that could be caused by FBP, or you might have a video posted on your page that plays when you hit the site:
 
chrome.exe 7652 TCP ssd-guy 59381 edge-star-mini-shv-01-mia1.facebook.com https ESTABLISHED 119 101,039 418 640,605
chrome.exe 7652 TCP ssd-guy 59398 edge-star-shv-01-mia1.facebook.com https ESTABLISHED 49 54,807 47 11,476

 

 

Send me a PM with your Facebook page (or just your Facebook name) and I will look at it with TCPView and see what sort of traffic I get.

 

You might have better luck on the Kaspersky forum:  https://forum.kaspersky.com/


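RKinner's request in post #13 (a TCPView export with and without Facebook) and his comparison in post #15 (ten avp.exe sessions to one host against two chrome.exe sessions to facebook.com) amount to diffing two connection snapshots and grouping the new connections by owning process. The script below does that with Get-NetTCPConnection. It is an added example, not part of the thread and not TCPView's own output; it assumes Windows 8 or later (the NetTCPIP module), an elevated prompt so owning processes resolve, and the function names are mine. Unlike TCPView it has no per-connection byte counters, so it reports session counts and distinct hosts instead, which is enough to spot the pattern in the post.

```powershell
# Added example (not from the thread): two-snapshot TCP connection diff,
# a scripted stand-in for the "TCPView with and without Facebook" comparison
# in posts #13 and #15. Assumptions: Windows 8+, elevated prompt, Windows
# PowerShell 5.1; function names are mine, not TCPView's.
#Requires -RunAsAdministrator

function Get-ConnectionSnapshot {
    # One row per established, non-loopback TCP connection with its owning process.
    Get-NetTCPConnection -State Established |
        Where-Object { $_.RemoteAddress -notin @('127.0.0.1', '::1') } |
        ForEach-Object {
            $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
            [pscustomobject]@{
                Process    = if ($proc) { $proc.ProcessName + '.exe' } else { "pid $($_.OwningProcess)" }
                PID        = $_.OwningProcess
                LocalPort  = $_.LocalPort
                RemoteHost = $_.RemoteAddress
                Remote     = "$($_.RemoteAddress):$($_.RemotePort)"
            }
        }
}

function Compare-ConnectionSnapshots {
    # Returns, per process, the connections present in $After but not in $Before.
    param([object[]]$Before, [object[]]$After)

    # Key on PID + local port + remote endpoint so a re-used tuple is not double counted.
    $seen = @{}
    foreach ($c in $Before) { $seen["$($c.PID)|$($c.LocalPort)|$($c.Remote)"] = $true }
    $new = $After | Where-Object { -not $seen.ContainsKey("$($_.PID)|$($_.LocalPort)|$($_.Remote)") }

    $new | Group-Object Process | ForEach-Object {
        $hosts = $_.Group.RemoteHost | Sort-Object -Unique
        [pscustomobject]@{
            Process       = $_.Name
            NewSessions   = $_.Count
            DistinctHosts = @($hosts).Count
            Hosts         = $hosts -join ', '
        }
    } | Sort-Object NewSessions -Descending
}

function Resolve-RemoteHost {
    # Reverse lookup, the way TCPView shows edge-star-*.facebook.com instead of an IP.
    param([string]$Ip)
    try { [System.Net.Dns]::GetHostEntry($Ip).HostName } catch { $Ip }
}

# Usage: take the baseline, open the site, take the second snapshot, diff.
$before = Get-ConnectionSnapshot
Read-Host 'Baseline taken. Open facebook.com in the browser, wait about 30 s, then press Enter'
$after  = Get-ConnectionSnapshot
$diff   = Compare-ConnectionSnapshots -Before $before -After $after
$diff | Format-Table -AutoSize

# Name the hosts behind the busiest process so the report reads like the TCPView export.
foreach ($row in $diff | Select-Object -First 3) {
    foreach ($ip in $row.Hosts -split ', ') {
        '{0,-20} {1,-18} {2}' -f $row.Process, $ip, (Resolve-RemoteHost $ip)
    }
}
```

Read the result the way RKinner reads the two exports: the browser process should account for the connections to facebook.com, and a security product that opens many new sessions to a single unrelated host the moment a page loads is the line worth raising with that vendor's support, which is where the thread ends up pointing.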