Solved Virus that infects processes with high CPU usage and creates random process and .exe files with LAG

Jeriel1234

New Member
Thread author
Verified
Jun 4, 2015
26
Like what I said above this virus infects processes with high CPU usage even if they are not meant to be.

It also creates multiple random letter processes with .exe files like rtqwb.exe or winltfr.exe which causes lag, and if I delete or end the task it just comes up with another file/process.

Please help me.

Thanks.
 

Attachments

  • Addition_05-06-2015_08-40-00.txt (80.2 KB)
  • FRST_05-06-2015_08-40-00.txt (45.5 KB)

argus

Former MalwareTips Staff
Verified
Apr 24, 2014
3,395
Enable in msconfig

MSCONFIG\Services: gupdate => 2
MSCONFIG\Services: gupdatem => 3


Reboot PC and re-run farbar.
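The two lines above are FRST's way of reporting services that msconfig has disabled, together with the start type they originally had. As an added example (not from this thread or from FRST), the PowerShell below lists those entries and puts the named services back to that start type. It assumes msconfig keeps the disabled list under HKLM\SOFTWARE\Microsoft\Shared Tools\MSConfig\services as one DWORD per service, and that 2, 3 and 4 map to Automatic, Manual and Disabled.

```powershell
# Added example, not from the thread: re-enable services that msconfig has
# disabled, restoring the start type msconfig recorded for them.
# Assumption: msconfig keeps disabled services as DWORD values under
# HKLM\SOFTWARE\Microsoft\Shared Tools\MSConfig\services, one per service,
# holding the original Start value (2 = Automatic, 3 = Manual, 4 = Disabled);
# that is what FRST prints as "MSCONFIG\Services: <name> => <n>".
$msconfigKey = 'HKLM:\SOFTWARE\Microsoft\Shared Tools\MSConfig\services'
$startTypes  = @{ 2 = 'Automatic'; 3 = 'Manual'; 4 = 'Disabled' }

function Get-MsconfigDisabledService {
    if (-not (Test-Path $msconfigKey)) { return }
    $key = Get-Item -Path $msconfigKey
    foreach ($name in $key.GetValueNames()) {
        $value = [int]$key.GetValue($name)
        [pscustomobject]@{
            Service       = $name
            OriginalStart = $value
            StartupType   = $startTypes[$value]
        }
    }
}

function Restore-MsconfigDisabledService {
    param([Parameter(Mandatory)][string]$Name)
    $entry = Get-MsconfigDisabledService | Where-Object Service -eq $Name
    if (-not $entry -or -not $entry.StartupType) {
        Write-Warning "$Name is not in the msconfig disabled list (or has an unknown start value)"
        return
    }
    # Put the service back to its recorded start type, then drop the msconfig
    # record so msconfig no longer lists it as disabled. Run from an elevated prompt.
    Set-Service -Name $Name -StartupType $entry.StartupType
    Remove-ItemProperty -Path $msconfigKey -Name $Name
    Get-Service -Name $Name | Select-Object Name, StartType, Status
}

# Show everything msconfig has disabled, then restore the two Google Update
# services named in the fix above (gupdate => 2 Automatic, gupdatem => 3 Manual).
Get-MsconfigDisabledService | Format-Table -AutoSize
'gupdate', 'gupdatem' | ForEach-Object { Restore-MsconfigDisabledService -Name $_ }
```

Re-running FRST afterwards should no longer show the two MSCONFIG\Services lines.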
 

Jeriel1234

New Member
Thread author
Verified
Jun 4, 2015
26
Enable in msconfig

MSCONFIG\Services: gupdate => 2
MSCONFIG\Services: gupdatem => 3


Reboot PC and re-run farbar.
Here you go, I included Addition.text by the way.
 

Attachments

  • Addition_05-06-2015_13-33-08.txt (73.2 KB)
  • FRST_05-06-2015_13-33-08.txt (20.3 KB)

argus

Former MalwareTips Staff
Verified
Apr 24, 2014
3,395
Fix with Farbar Recovery Scan Tool

This fix was created for this user for use on that particular machine.
Running it on another one may cause damage and render the system unstable.

Download the attached fixlist.txt file and save it to the Desktop:

Both files, FRST and fixlist.txt have to be in the same location or the fix will not work!

  • Right-click on the FRST icon and select Run as Administrator to start the tool.
    (XP users click Run after receipt of the Windows Security Warning - Open File).
  • Press the Fix button just once and wait.
  • If for some reason the tool needs a restart, please make sure you let the system restart normally. After that let the tool complete its run.
  • When finished FRST will generate a log on the Desktop, called Fixlog.txt.

Please attach it to your reply.
 

Attachments

  • fixlist.txt (3 KB)

Jeriel1234

New Member
Thread author
Verified
Jun 4, 2015
26
How's your computer behaving now?
Sad to say but it's still the same, it still infects processes with high CPU usage and creates executable files and processes that cause lag.

Please work with me until it is fixed, thanks.
 

argus

Former MalwareTips Staff
Verified
Apr 24, 2014
3,395
Scan with ZOEK

Please download ZOEK by Smeenk and save it to your desktop (the preferred version is the *.exe one).
Temporarily disable your AntiVirus and AntiSpyware protection - instructions here.

  • Right-click on the ZOEK icon and select Run as Administrator to start the tool.
  • Wait patiently until the main console appears, it may take a minute or two.
  • In the main box please paste in the following script:
    Code:
    createsrpoint;
    autoclean;
    emptyalltemp;
    bitsadmin /reset /allusers;b
    ipconfig /flushdns;b
  • Make sure that Scan All Users option is checked.
  • Push Run Script and wait patiently. The scan may take a couple of minutes.
  • When the scan completes, a zoek-results logfile should open in notepad.
  • If a reboot is needed, it will be opened after it. You may also find it at your main drive (usually C:\ drive)

Post its content into your next reply.
 

Jeriel1234

New Member
Thread author
Verified
Jun 4, 2015
26
Here you go.


Zoek.exe v5.0.0.0 Updated 04-May-2015
Tool run by User on Fri 06/05/2015 at 14:10:18.98.
Microsoft Windows 7 Professional 6.1.7600 x64
Running in: Normal Mode Internet Access Detected
Launched: C:\Users\User\Desktop\zoek.exe [Scan all users] [Script inserted]

==== System Restore Info ======================

6/5/2015 2:13:49 PM Zoek.exe System Restore Point Created Successfully.

==== Safe Boot Check ======================

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot]
Value AlternateShell is missing
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot]
Value AlternateShell is missing

==== Empty Folders Check ======================

C:\PROGRA~2\GUM339E.tmp deleted successfully
C:\PROGRA~2\Hostless Modem deleted successfully
C:\PROGRA~2\Realtek Sound Manager deleted successfully
C:\PROGRA~3\ggReatesaveer deleted successfully
C:\PROGRA~3\IDM deleted successfully
C:\PROGRA~3\Malwarebytes' Anti-Malware (portable) deleted successfully
C:\Users\User\AppData\Roaming\BitTorrent deleted successfully
C:\Users\User\AppData\Roaming\DMCache deleted successfully
C:\Users\User\AppData\Roaming\TaiG deleted successfully
C:\Users\User\AppData\Roaming\{D3735205-6509-4D20-AFC7-B1FCB0FD2C21} deleted successfully
C:\Users\User\AppData\Roaming\{F26A87B3-562E-4A3F-8F78-2C31557FA0F2} deleted successfully
C:\Users\User\AppData\Local\Razer deleted successfully
C:\Users\User\AppData\Local\skwas deleted successfully

==== Deleting CLSID Registry Keys ======================

HKEY_USERS\S-1-5-21-1933547834-1420827827-3990081825-1001\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{15B851AF-A4B9-43EF-97D3-28E1B4A5DB9B} deleted successfully
HKEY_USERS\S-1-5-21-1933547834-1420827827-3990081825-1001\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1902485B-CE75-42C1-BA2D-57E660793D9A} deleted successfully
HKEY_USERS\S-1-5-21-1933547834-1420827827-3990081825-1001\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C3101A8B-0EE1-4612-BFE9-41FFC1A3C19D} deleted successfully
HKEY_USERS\S-1-5-21-1933547834-1420827827-3990081825-1001\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{C3101A8B-0EE1-4612-BFE9-41FFC1A3C19D} deleted successfully
HKEY_USERS\S-1-5-21-1933547834-1420827827-3990081825-1001\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C442AC41-9200-4770-8CC0-7CDB4F245C55} deleted successfully
HKEY_USERS\S-1-5-21-1933547834-1420827827-3990081825-1001\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{C442AC41-9200-4770-8CC0-7CDB4F245C55} deleted successfully
HKEY_USERS\S-1-5-21-1933547834-1420827827-3990081825-1001\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{E0DACC63-037F-46EE-AC02-E4C7B0FBFEB4} deleted successfully
HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{C3101A8B-0EE1-4612-BFE9-41FFC1A3C19D} deleted successfully
HKEY_CLASSES_ROOT\Wow6432Node\CLSID\{C3101A8B-0EE1-4612-BFE9-41FFC1A3C19D} deleted successfully
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C3101A8B-0EE1-4612-BFE9-41FFC1A3C19D} deleted successfully
HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{C442AC41-9200-4770-8CC0-7CDB4F245C55} deleted successfully
HKEY_CLASSES_ROOT\Wow6432Node\CLSID\{C442AC41-9200-4770-8CC0-7CDB4F245C55} deleted successfully
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C442AC41-9200-4770-8CC0-7CDB4F245C55} deleted successfully

==== Deleting CLSID Registry Values ======================


==== Deleting Services ======================


==== FireFox Fix ======================

ProfilePath: C:\Users\User\AppData\Roaming\Mozilla\Firefox\Profiles\w5cnczr9.default

user.js not found
---- Lines extensions.2NO removed from prefs.js ----
user_pref("extensions.2NO.epoch", "1397643994");
user_pref("extensions.2NO.url", "http://getjpi1.info/sync2/?q=hfZ9oe...Uojw9rdwEpja6qjg9qShIC7n0rjnEqdw8rjaGqjrHtNhV
---- Lines extensions.rxHYGCk4 removed from prefs.js ----
user_pref("extensions.rxHYGCk4.epoch", "1397643994");
user_pref("extensions.rxHYGCk4.url", "http://sunnyspytaxs.us/sync2/?q=hfZ...stNtVh7n0rjnErja4rdC8pjn6tMFHhd9Fqda9rjkFrds7
---- Lines extensions.sVwMht1u removed from prefs.js ----
user_pref("extensions.sVwMht1u.epoch", "1397643993");
user_pref("extensions.sVwMht1u.url", "http://getjpinet.info/sync2/?q=hfZ9...tNtVh7n0rjnErja4rdC8qHw7tMFHhd9Fqda9rjkFrds7r
---- FireFox user.js and prefs.js backups ----

prefs_20150605_0242_.backup

==== Registry Fix Code ======================

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot]
"AlternateShell"="cmd.exe"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot]
"AlternateShell"="cmd.exe"

==== Batch Command(s) Run By Tool======================


==== Deleting Files \ Folders ======================


==== Firefox Extensions Registry ======================

[HKEY_LOCAL_MACHINE\Software\Wow6432Node\Mozilla\Firefox\Extensions]
"daplinkchecker@speedbit.com"="C:\Program Files (x86)\DAP\daplinkchecker" []
[HKEY_CURRENT_USER\Software\Mozilla\Firefox\Extensions]
"{F17C1572-C9EC-4e5c-A542-D05CBB5C5A08}"="C:\Program Files (x86)\DAP\DAPFireFox" []

==== Firefox Extensions ======================

==== Firefox Plugins ======================


==== Chromium Look ======================

Google Chrome Version: 43.0.2357.81


==== Set IE to Default ======================

Old Values:
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"Start Page"="http://www.google.com"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main]
"Start Page"="http://www.google.com"
[HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Internet Explorer\Main]
"Start Page"="http://www.google.com"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\AboutURLs]
"Tabs"="res://ieframe.dll/tabswelcome.htm"
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\AboutURLs]
"Tabs"="res://ieframe.dll/tabswelcome.htm"

New Values:
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"Start Page"="http://www.google.com"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main]
"Start Page"="http://go.microsoft.com/fwlink/?LinkId=69157"
[HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Internet Explorer\Main]
"Start Page"="http://go.microsoft.com/fwlink/?LinkId=69157"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\AboutURLs]
"Tabs"="about:newtab"
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\AboutURLs]
"Tabs"="about:newtab"

==== All HKCU SearchScopes ======================

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\SearchScopes
"DefaultScope"="{0633EE93-D776-472f-A0FF-E1416B8B2E3A}"
{012E1000-F331-11DB-8314-0800200C9A66} Google Url="http://www.google.com/search?q={searchTerms}"
{0633EE93-D776-472f-A0FF-E1416B8B2E3A} Bing Url="http://www.bing.com/search?q={searchTerms}&src=IE-SearchBox&FORM=IE8SRC"

==== Deleting CLSID Registry Keys ======================


==== Deleting CLSID Registry Values ======================

HKEY_USERS\S-1-5-21-1933547834-1420827827-3990081825-1001\Software\Mozilla\Firefox\Extensions\{F17C1572-C9EC-4e5c-A542-D05CBB5C5A08} deleted successfully
HKEY_LOCAL_MACHINE\software\Wow6432Node\mozilla\Firefox\extensions\fiddlerhook@fiddler2.com deleted successfully
HKEY_LOCAL_MACHINE\software\Wow6432Node\mozilla\Firefox\extensions\daplinkchecker@speedbit.com deleted successfully

==== Deleting Registry Keys ======================

HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\143455c0-f3b4-4538-b486-6f64e256840f deleted successfully
HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\a6f5fe56-1eba-4095-8e3f-ee55d91b1d39 deleted successfully
HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\b7b2f406-2981-4fb0-8d8c-bfa3974fbb50 deleted successfully
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Creative Cloud deleted successfully
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdobeAAMUpdater-1.0 deleted successfully
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdobeCS6ServiceManager deleted successfully
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\adsacquy deleted successfully
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Aeria Ignite deleted successfully
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Akamai NetSession Interface deleted successfully
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AND Start deleted successfully
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AppsHat deleted successfully
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\avgnt deleted successfully
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BlueStacks Agent deleted successfully
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CheckNDISPort_df deleted successfully
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DownloadAccelerator deleted successfully
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Facebook Update deleted successfully
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update deleted successfully
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iFunBox Fast App Install Handler deleted successfully
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\kpcgrhynko deleted successfully
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Microsoft Windows Manager deleted successfully
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Microsoft Windows Service deleted successfully
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Microsoft Windows Services deleted successfully
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task deleted successfully
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SDP deleted successfully
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam deleted successfully
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SwitchBoard deleted successfully
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe deleted successfully

==== Empty IE Cache ======================

C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5 emptied successfully

==== Empty FireFox Cache ======================

No FireFox Profiles found

==== Empty Chrome Cache ======================

No Chrome Cache found

==== Empty All Flash Cache ======================

No Flash Cache Found

==== Empty All Java Cache ======================

Java Cache cleared successfully

==== C:\zoek_backup content ======================
 

Jeriel1234

New Member
Thread author
Verified
Jun 4, 2015
26
Well I'm really sorry because, at first it fixed the virus that creates multiple processes/files, but there's one file which is not erased, it's called mwnu.exe, located in Local Disk (C:), that keeps coming back when I delete it.

It didn't fix the virus that infects normal processes with high CPU usage.
 

Jeriel1234

New Member
Thread author
Verified
Jun 4, 2015
26
I forgot to say something, I said it fixed, but when I deleted mnwu.exe it came back. The virus that creates multiple processes and files.
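For a file that keeps reappearing in the root of C: and for processes burning CPU from odd places, the first question is what is running from where and what starts it. The PowerShell below is an added, read-only triage helper (not from this thread, FRST or ZOEK): it lists running processes whose image sits in the drive root or a user-writable directory, or is unsigned, ordered by CPU time, and lists Run-key autostarts that do not point into Program Files or Windows. The directory list and the CPU threshold are assumptions; the mwnu.exe name and C:\ location come from the posts above.

```powershell
# Added example, not from the thread: read-only triage for the symptoms described
# above: a short random-named .exe in the root of C: (mwnu.exe) that reappears, and
# processes burning CPU from places where legitimate software rarely lives.
# Assumption: C:\ root, %TEMP%, %APPDATA% and %LOCALAPPDATA% count as "unusual";
# the CPU threshold is arbitrary. Nothing here kills processes or deletes files.
function Get-SuspiciousProcess {
    param([double]$MinCpuSeconds = 10)
    $unusualDirs = @("$env:SystemDrive\", $env:TEMP, $env:APPDATA, $env:LOCALAPPDATA)
    Get-Process | Where-Object { $_.Path } | ForEach-Object {
        $proc = $_
        $dir  = Split-Path -Path $proc.Path -Parent
        # C:\mwnu.exe has $dir "C:\"; droppers under AppData match the prefix test
        $unusual = [bool]($unusualDirs | Where-Object { $_ -and ($dir -eq $_ -or $dir -like "$_\*") })
        $sig = Get-AuthenticodeSignature -FilePath $proc.Path -ErrorAction SilentlyContinue
        $status = if ($sig) { [string]$sig.Status } else { 'Unknown' }
        [pscustomobject]@{
            Name       = $proc.ProcessName
            Pid        = $proc.Id
            Path       = $proc.Path
            CpuSeconds = [math]::Round([double]$proc.CPU, 1)   # $null CPU becomes 0
            Unusual    = $unusual
            Signature  = $status
        }
    } | Where-Object { ($_.Unusual -or $_.Signature -ne 'Valid') -and $_.CpuSeconds -ge $MinCpuSeconds } |
        Sort-Object CpuSeconds -Descending
}

# Autostart entries (the ZOEK log above removed several random-named startupreg
# items) whose command does not point into Program Files or Windows.
function Get-UnusualRunEntry {
    $runKeys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
               'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run',
               'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
    $trusted = @($env:ProgramFiles, ${env:ProgramFiles(x86)}, $env:SystemRoot) | Where-Object { $_ }
    foreach ($keyPath in $runKeys) {
        if (-not (Test-Path $keyPath)) { continue }
        $key = Get-Item -Path $keyPath
        foreach ($name in $key.GetValueNames()) {
            $cmd = [string]$key.GetValue($name)
            $fromTrusted = $trusted | Where-Object { $cmd -like "*$_*" }
            if (-not $fromTrusted) {
                [pscustomobject]@{ Key = $keyPath; Name = $name; Command = $cmd }
            }
        }
    }
}

Get-SuspiciousProcess | Format-Table -AutoSize
Get-UnusualRunEntry   | Format-Table -AutoSize
```

A process listed here whose parent autostart entry is also listed is the pair worth including in the next FRST log rather than deleting by hand, since the post above shows the file is recreated when removed alone.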
 
