Status
Not open for further replies.
Operating System
Windows 10
Infection date and initial symptoms
Around April 2019. I got infected with a trojan and ransom virus. It locked most of my files and caused quite a few problems as well. After a reinstall of Windows, everything went away.
Current issues and symptoms
High CPU and Memory usage even when idle.
Steps taken in order to remove the infection
I reinstalled Windows, performed scans with Malwarebytes and Windows Security. The Windows scan found nothing, while Malwarebytes found a few threats, which have already been quarantined.
System logs
Yes, I've uploaded the FRST.txt logs
Yes, I've uploaded both FRST.txt and Addition.txt logs

nabei

New Member
Had a trojan with ransom virus initially, it locked all my files and messed with my CPU and memory usage so much that both were so high I couldn't open anything without my PC freezing. Reinstalled Windows and it got rid of the virus and the problems. But ever since then, CPU and memory usage have been unusually high even when idle. I need to have Task Manager always open, if not CPU will go to 100%. I have 8 GB RAM (dual channel, 2 × 4 GB) but only around 3 GB available RAM and a maximum of 4 GB RAM when I close all windows and programs running. CPU can also go up to 100% when installing or running certain programs or when scanning the PC.

Screenshot (2).png
1st screenshot: Memory when idle.


Screenshot (4).png
2nd screenshot: CPU when task manager is closed for a while and suddenly opened. CPU drops after opened.


Screenshot (7).png
3rd Screenshot: Chrome and other programs use a good amount of memory, I don't know if this is normal or not.
 


nasdaq

Moderator
Verified
Staff member
Hello, Welcome to MALWARETIPS.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===

Please download the attached Fixlist.txt file to the same folder where the Farbar tool is running from.
The location is listed in the 3rd line of the FRST.txt log you have submitted.

Run FRST and click Fix only once and wait.

The Computer will restart when the fix is completed.

It will create a log (Fixlog.txt) please post it to your reply.
===

Please post the Fixlog.txt and let me know what problem persists.

p.s.
Did you reinstall all the Microsoft Windows Updates after the re-installation of the operating system?


Check the integrity of the operating system files.
How to run sfc /Scannow

When completed refer to the Microsoft article again and follow the instructions to view details of the System File Checker process

Post the contents of the sfcdetails.txt file for my review.

Let me know if the problem persists.
<<<>>>
 


nabei

New Member
Hi Nasdaq, firstly thanks for the warm welcome and the very prompt reply.

I have run Fix on FRST with your attached Fixlist.txt. Still the same issues, high CPU when Task Manager is closed and overall high memory
with or without Task Manager open. I have attached the Fixlog.txt.

Screenshot (15).png



I did reinstall all the windows updates after the re-installation of the OS.

I ran the integrity check of the OS files via cmd prompt: sfc /Scannow and got these results, scan log is also attached.

Screenshot (14).png

Problems still persisting.

Thank you.
 


nasdaq

Moderator
Verified
Staff member
Hi,

Download Farbar's Service Scanner utility
and Save to your Desktop.
If using Windows 7 or above, Right-Click on fss.exe and select Run As Administrator.
If using XP, double-click to start.
Answer Yes to ok when prompted.
If your firewall then puts out a prompt, again, allow it to run.
Once FSS is on-screen, be sure the following items are checkmarked:
Internet Services
Windows Firewall
System Restore
Security Center/Action Center
Windows Update
Windows Defender
Other Services


Click on "Scan".
It will create a log (FSS.txt) in the same directory the tool is run.
Copy & Paste contents of FSS.txt into your reply.
===


--RogueKiller--
  • Download & SAVE to your Desktop: Download RogueKiller
  • Quit all programs that you may have started.
  • Please disconnect any USB or external drives from the computer before you run this scan!
  • For Vista or above, right-click the program file and select "Run as Administrator"
  • Accept the user agreements.
  • Execute the scan and wait until it has finished.
  • If a window opens to explain what [PUM's] are, read about it.
  • Click the RogueKiller icon on your taskbar to return to the report.
  • Click open the Report
  • Click Export TXT button
  • Save the file as ReportRogue.txt
  • Click the Remove button to delete the items in RED
  • Click Finish and close the program.
  • Locate the ReportRogue.txt file on your Desktop and copy/paste the contents in your next reply.
=======

Wait for further instructions.
 

nabei

New Member
Hi

Here is the FSS.txt:

Farbar Service Scanner Version: 27-01-2016
Ran by PC (administrator) on 05-12-2019 at 15:06:16
Running from "C:\Users\PC\Desktop"
Microsoft Windows 10 Pro (X64)
Boot Mode: Normal
****************************************************************

Internet Services:
============

Connection Status:
==============
Localhost is accessible.
LAN connected.
Google IP is accessible.
Google.com is accessible.
Yahoo.com is accessible.


Windows Firewall:
=============

Firewall Disabled Policy:
==================


System Restore:
============

System Restore Policy:
========================


Security Center:
============


Windows Update:
============

Windows Autoupdate Disabled Policy:
============================


Windows Defender:
==============

Other Services:
==============


File Check:
========
C:\Windows\System32\nsisvc.dll => File is digitally signed
C:\Windows\System32\drivers\nsiproxy.sys => File is digitally signed
C:\Windows\System32\drivers\afd.sys => File is digitally signed
C:\Windows\System32\drivers\tdx.sys => File is digitally signed
C:\Windows\System32\Drivers\tcpip.sys => File is digitally signed
C:\Windows\System32\dnsrslvr.dll => File is digitally signed
C:\Windows\System32\dnsapi.dll => File is digitally signed
C:\Windows\SysWOW64\dnsapi.dll => File is digitally signed
C:\Windows\System32\mpssvc.dll => File is digitally signed
C:\Windows\System32\bfe.dll => File is digitally signed
C:\Windows\System32\drivers\mpsdrv.sys => File is digitally signed
C:\Windows\System32\SDRSVC.dll => File is digitally signed
C:\Windows\System32\vssvc.exe => File is digitally signed
C:\Windows\System32\wscsvc.dll => File is digitally signed
C:\Windows\System32\wbem\WMIsvc.dll => File is digitally signed
C:\Windows\System32\wuaueng.dll => File is digitally signed
C:\Windows\System32\qmgr.dll => File is digitally signed
C:\Windows\System32\es.dll => File is digitally signed
C:\Windows\System32\cryptsvc.dll => File is digitally signed
C:\Program Files\Windows Defender\MpSvc.dll => File is digitally signed
C:\Windows\System32\ipnathlp.dll => File is digitally signed
C:\Windows\System32\iphlpsvc.dll => File is digitally signed
C:\Windows\System32\svchost.exe => File is digitally signed
C:\Windows\System32\rpcss.dll => File is digitally signed


**** End of log ****
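The checks FSS reports above (service state, the policies listed under the "Disabled Policy" headings, and the digital signatures in "File Check"), reproduced with built-in PowerShell cmdlets as an added example that is not part of this thread or of Farbar's tool. The service names and registry policy values are the standard Windows ones; mapping the services to the files in the FSS log is my own assumption.

```powershell
# Added example, not code from the thread or from Farbar's tool: reproduce the checks
# FSS performs (service state, "disabled" policies, file signatures) with built-in
# cmdlets. Run from an elevated PowerShell prompt on Windows 10.
# Service names and policy values are the standard Windows ones; mapping them to
# the files in the FSS "File Check" section is my own assumption.

$services = @{                                      # service name = description
  MpsSvc='Windows Firewall'; BFE='Base Filtering Engine'; wscsvc='Security Center'
  wuauserv='Windows Update'; BITS='Background Intelligent Transfer'; WinDefend='Windows Defender'
  VSS='Volume Shadow Copy'; Winmgmt='WMI'; Dnscache='DNS Client'; RpcSs='Remote Procedure Call'
  CryptSvc='Cryptographic Services'; EventSystem='COM+ Event System'
}

# Registry policies FSS reports under the "... Disabled Policy" headings when they are set.
$policies = @(
  @{ Path='HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender';                Name='DisableAntiSpyware' }
  @{ Path='HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU';        Name='NoAutoUpdate' }
  @{ Path='HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore';        Name='DisableSR' }
  @{ Path='HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\StandardProfile'; Name='EnableFirewall' }
)

# Binaries behind those services, as listed in the FSS "File Check" section.
$files = 'mpssvc.dll','bfe.dll','wscsvc.dll','wuaueng.dll','qmgr.dll','vssvc.exe',
         'cryptsvc.dll','svchost.exe','rpcss.dll','dnsrslvr.dll','drivers\tcpip.sys' |
         ForEach-Object { Join-Path $env:SystemRoot "System32\$_" }

"== Services (anything Stopped, Disabled or missing is worth a look) =="
foreach ($name in $services.Keys) {
  $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
  if (-not $svc) { "MISSING  $name ($($services[$name]))"; continue }
  $mode = (Get-CimInstance Win32_Service -Filter "Name='$name'").StartMode
  '{0,-8} {1,-9} {2,-12} {3}' -f $svc.Status, $mode, $name, $services[$name]
}

"== Policies that turn protection off (absent on a clean default install) =="
foreach ($p in $policies) {
  $v = Get-ItemProperty -Path $p.Path -Name $p.Name -ErrorAction SilentlyContinue
  if ($null -ne $v) { "SET      $($p.Path)\$($p.Name) = $($v.($p.Name))" }
}

# Assumption: PowerShell 5.1 validates Windows' catalog-signed binaries as Valid; an older
# PowerShell may report them as NotSigned, so compare against the FSS log in that case.
"== File signatures =="
foreach ($f in $files) {
  $sig = Get-AuthenticodeSignature -FilePath $f -ErrorAction SilentlyContinue
  if ($sig.Status -eq 'Valid') { "OK       $f" } else { "CHECK    $f => $($sig.Status)" }
}
```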
 


nabei

New Member
There were no detections after the scan, and no red items to remove either.
Here is the RogueKiller.txt

RogueKiller Anti-Malware V13.5.7.0 (x64) [Nov 20 2019] (Free) by Adlice Software
mail : Contact - Adlice Software
Website : RogueKiller Anti-Malware Free Download: Best Malware Removal
Operating System : Windows 10 (10.0.17763) 64 bits
Started in : Normal mode
User : PC [Administrator]
Started from : C:\Program Files\RogueKiller\RogueKiller64.exe
Signatures : 20191203_134524, Driver : Loaded
Mode : Standard Scan, Scan -- Date : 2019/12/05 15:13:53 (Duration : 00:04:00)
Switches : -refid 3

¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤ Processes ¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤

¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤ Process Modules ¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤

¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤ Services ¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤

¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤ Tasks ¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤

¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤ Registry ¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤

¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤ WMI ¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤

¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤ Hosts File ¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤

¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤ Files ¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤

¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤ Web browsers ¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤¤

Screenshot (17).png
 


nasdaq

Moderator
Verified
Staff member
Hi,

Check your Virtual Memory settings.
If possible, increase the virtual memory in Windows 10 as suggested in this article.

---

Make sure you have all the latest drivers.

Any change?
 

nabei

New Member
Hi,

I have done both things.

I didn't have to change anything about the virtual memory because my current setting was the recommended setting.

All my drivers are up to date.

Sadly, still no change.
 

nasdaq

Moderator
Verified
Staff member
Hi,

There are errors in your Addition.txt log on the Realtek audio driver.
Update using this link.

If the problem persists Repair these services.

Boot with Safe Mode with Networking. Execute the following.

Please Download Tweaking.com - Windows Repair from Here
  • Install and then run the program
  • Execute the instructions on Step 1 Important
  • Click Next on Step 2 Optional, do the Pre Scan; skip Step 3 and 4 Optional for now.
  • On Step 5 Backup System Restore do a Registry backup. When you have completed this click Next
  • Click Repairs - Open Repairs in the bottom right corner
  • Uncheck the All repair button then select just the item(s) listed below

  • Code:
    01 - Repair Registry Permissions
    03 - Reset Service permissions
    04 - Register System Files
    05 - Repair WMI
    10 - Remove Policies Set By Infections
    16 - Repair Windows Updates
    20 - Repair MSI (Windows Installer)
    25 - Restore Important Windows Services
    26 - Set Windows Service to Default Startup
  • Click the Start button and let the process run to completion. Copy any error messages into Notepad and save it on your Desktop. (Reboot if asked to do so)
  • Please copy and paste the contents of this file in your next reply.
===

Restart the computer normally.

How is the computer running now?
 