Solved Virus that infects processes with high CPU usage and creates random process and .exe files with LAG

argus

Former MalwareTips Staff
Apr 24, 2014
Scan with ComboFix

This is a very powerful tool that should be used only if advised by Malware Analyst.
Do not run ComboFix on your own!


Referring to this instruction, please download ComboFix by sUBs and save it to your desktop.
Temporarily disable your AntiVirus and AntiSpyware protection - instructions here.

  • Right-click on the ComboFix icon and select Run as Administrator to start the tool.
  • Accept the disclaimer and agree if prompted to install Recovery Console.
  • Do not take any actions while ComboFix goes through your System - it may cause it to stall!
  • This scan may take some time!
  • When finished, it will display a logfile (also saved on your main drive, usually as C:\ComboFix.txt).

Include that log in your next reply.
If you encounter any issues with your internet connection after running ComboFix, please visit this link.
If an error about an operation on a key marked for deletion appears after running the tool, please reboot your machine.
 

argus

Former MalwareTips Staff
Apr 24, 2014
1. Close any open browsers.
2. Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.
3. Open Notepad and copy/paste the text in the code box below into it:

Code:
KillAll::

RegLockDel::
[HKEY_USERS\S-1-5-21-1933547834-1420827827-3990081825-1001_Classes\Wow6432Node\CLSID\{130F8154-E804-4BD5-A07B-35BE69039715}\{A730F6F3-255C-417C-8986-2C578500547E}*Hidden]
"{6D31FCD2-64F7-4E43-8E18-5A2BBA7D13C9}"="AQAAANCMnd8BFdERjHoAwE/Cl+sBAAAArIQbsT9b/k+GLBrXXftiOgAAAAACAAAAAAAQZgAAAAEAACAAAAAcbY5BhDDIlrldUz3nY2XLEkRTsemQvtOC1VwFB4RiXAAAAAAOgAAAAAIAACAAAACqxiQ1UA8eMHL0l3RYlCvjEIGpL8FQh4H/Mn4QD9OmORAAAABhmHcMpLYjYvMk54oiS5riQAAAACIqxEYsVPxxrAYFjUjtQsTx4j2zU1O6EKMJiT9OhMPKW+Yid2Y2rDfmVN5XfU/KsCbsa3+0OY3o+uMvhn8g3Tc="
"{2338F5D5-2437-4FC3-9005-A01804321264}"="AQAAANCMnd8BFdERjHoAwE/Cl+sBAAAAtRgPXe1v1EKGAqQj5b8hpgAAAAACAAAAAAAQZgAAAAEAACAAAADT2JGwvPqMceoWpens0wTEtjIQuz18ZT8C22jMVxrjEwAAAAAOgAAAAAIAACAAAABee9nRSd29klpoPZMsxcd0/C3xDcaM0JPOLIq954vNxCAAAACx8ZzKDeYXQos8ZdxqOGmP/cimDJ1aIMHGOEbHsfgfCEAAAABirUSmTTI+n69/S6/KZLaKaobp7ZMICrHnX7Py2NQPveDRRAaAucIW1JhUMJ1bdUJQIFL0gjNr+uOQs4K7xP1b"
"{FCCCD80D-2A5E-401E-B64F-D1C2E375B955}"="AQAAANCMnd8BFdERjHoAwE/Cl+sBAAAArIQbsT9b/k+GLBrXXftiOgAAAAACAAAAAAAQZgAAAAEAACAAAADY0Cmwu9PyVn6BiUg7WHo08jDh3cwsyaJJISgtSTFOlQAAAAAOgAAAAAIAACAAAACLY51uEbtQIHPTvHwX7mClaC9b4FqLZsogzQ+f331AyhAAAACoDNpicyqg0El7Kk1kVNP5QAAAAOyCcz2k1M55vVjWcIbliBWP2HXKtf8DJaKBk9SZVYHNP81xQWazqT5+DU1gupeD9IuHwDeHx9qGdUjw76qRnro="

File::
C:\mnwu.exe
c:\windows\SYSNATIVE\GameMon.des

Driver::
npggsvc

ClearJavaCache::

Save this as CFScript.txt in the same location as ComboFix.exe.

Drag CFScript.txt onto the ComboFix.exe icon.
When finished, it will produce a log for you at C:\ComboFix.txt which I will require in your next reply.
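
The script above removes files, a driver and a locked registry key, and a follow-up like "mnwu.exe is still there" is exactly the kind of check worth automating. The following is an added example (Python, not ComboFix code and not part of argus's post): it parses a CFScript into its directives, then reports which File::, Driver:: and RegLockDel:: entries still exist on the host. The embedded script is a constructed copy of the one posted with the three value blobs shortened to one placeholder, the trailing *Hidden tag on the key line is assumed to be ComboFix annotation rather than part of the key name, the SYSNATIVE path is rewritten to System32 for a 64-bit process, and the registry and service lookups only do anything on Windows.

```python
"""Parse a ComboFix CFScript.txt and check which of its indicators are still
present on the host after the run.  Added example for this thread; it is not
ComboFix code and not part of the original post."""
import os
import re
import sys
from typing import Callable, Dict, List

# Constructed sample: the script from the thread, with the three RegLockDel
# value blobs replaced by one short placeholder value, because only the key
# path matters for the check below.
SAMPLE_CFSCRIPT = r"""KillAll::

RegLockDel::
[HKEY_USERS\S-1-5-21-1933547834-1420827827-3990081825-1001_Classes\Wow6432Node\CLSID\{130F8154-E804-4BD5-A07B-35BE69039715}\{A730F6F3-255C-417C-8986-2C578500547E}*Hidden]
"{6D31FCD2-64F7-4E43-8E18-5A2BBA7D13C9}"="AQAAANCMnd8BFdERjHoAwE/Cl+s="

File::
C:\mnwu.exe
c:\windows\SYSNATIVE\GameMon.des

Driver::
npggsvc

ClearJavaCache::
"""

DIRECTIVE = re.compile(r"^(\w+)::$")   # e.g. "File::" opens a section
ANNOTATION = re.compile(r"\*\w+$")     # trailing "*Hidden" tag on a key line


def parse_cfscript(text: str) -> Dict[str, List[str]]:
    """Map each directive to its body lines.  Body-less directives such as
    KillAll:: and ClearJavaCache:: map to an empty list."""
    sections: Dict[str, List[str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        match = DIRECTIVE.match(line)
        if match:
            current = match.group(1)
            sections.setdefault(current, [])
        elif line and current is not None:
            sections[current].append(line)
    return sections


def reglock_keys(body: List[str]) -> List[str]:
    """Key paths from a RegLockDel:: body: the bracketed lines, with the
    trailing *Hidden tag stripped (assumption: it is ComboFix annotation,
    not part of the key name).  Value lines are ignored."""
    return [ANNOTATION.sub("", line[1:-1])
            for line in body if line.startswith("[") and line.endswith("]")]


def native_path(path: str) -> str:
    """ComboFix is a 32-bit process, so its scripts write SYSNATIVE for the
    64-bit System32 directory.  Sysnative only exists for 32-bit processes
    under WOW64, so a 64-bit process must look in System32 instead."""
    if sys.maxsize > 2 ** 32:
        return re.sub(r"\\sysnative\\", r"\\System32\\", path, flags=re.IGNORECASE)
    return path


def registry_key_exists(path: str) -> bool:
    """Open a full key path such as HKEY_USERS\\... in the 64-bit registry
    view, so an explicit Wow6432Node path is taken literally."""
    if sys.platform != "win32":
        return False
    import winreg
    hive_name, _, subkey = path.partition("\\")
    hive = getattr(winreg, hive_name, None)
    if hive is None:
        return False
    try:
        with winreg.OpenKey(hive, subkey, 0, winreg.KEY_READ | winreg.KEY_WOW64_64KEY):
            return True
    except OSError:
        return False


def service_exists(name: str) -> bool:
    """Drivers and services are both registered under the Services key."""
    return registry_key_exists(
        r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services" + "\\" + name)


def remaining_indicators(
    sections: Dict[str, List[str]],
    file_exists: Callable[[str], bool] = os.path.exists,
    driver_exists: Callable[[str], bool] = service_exists,
    key_exists: Callable[[str], bool] = registry_key_exists,
) -> Dict[str, List[str]]:
    """Return the File::, Driver:: and RegLockDel:: entries that still exist.
    The lookups are injectable so the logic can be exercised with constructed
    host state off-line."""
    return {
        "File": [p for p in sections.get("File", []) if file_exists(native_path(p))],
        "Driver": [d for d in sections.get("Driver", []) if driver_exists(d)],
        "RegLockDel": [k for k in reglock_keys(sections.get("RegLockDel", []))
                       if key_exists(k)],
    }


if __name__ == "__main__":
    left = remaining_indicators(parse_cfscript(SAMPLE_CFSCRIPT))
    for kind, items in left.items():
        for item in items:
            print(f"still present ({kind}): {item}")
    if not any(left.values()):
        print("no listed indicator found on this host")
```

Run it as Administrator on the affected machine after ComboFix has finished; anything it prints as "still present" is what the next script or tool has to deal with. Running it before ComboFix gives a baseline of what the script is expected to remove.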
 

Jeriel1234

New Member
Thread author
Jun 4, 2015
After that, the CFScript.txt disappeared. Is that normal? This is the log.

The mnwu.exe is still there though.
 

Attachments

  • ComboFix.txt (14.7 KB)

argus

Former MalwareTips Staff
Apr 24, 2014
Scan with McShield

Please download McShield by dr_bora and save it to your desktop.

  • Install it on your machine.
  • It will initially run a scan and show the result as a toaster by the system clock.
  • Start the Control Centre by clicking on the McShield icon in your system tray.
  • Go to the Scanner tab and tick "unhide items on flash drives".
  • Plug in the drive and McShield will start a scan.
  • A logfile of this scan may be found in the Logs tab of the main screen.

Please include that log in your next reply.
 

Jeriel1234

New Member
Thread author
Jun 4, 2015
I tried to scan the drive with McShield, but it said there's no drive there. I think I already removed it ages ago.
 

argus

Former MalwareTips Staff
Apr 24, 2014
Scan with RogueKiller

Please download RogueKiller and save the file to your desktop.
Temporarily disable your AntiVirus and AntiSpyware protection - instructions here.
  • Right-click on the RogueKiller icon and select Run as Administrator to start the tool.
  • Wait patiently until the pre-scan is done. It shouldn't take more than 2-3 minutes.
  • Accept the Terms of use.
  • When the Scan button becomes available, please click it. RogueKiller will start a full scan.
  • Let this process run uninterrupted!
  • When finished, a Report button will become available. Click it. You will be presented with a logfile.
Please include the content of this logfile in your next reply.
 

argus

Former MalwareTips Staff
Apr 24, 2014
Try System Restore to 04-06-2015 18:26:50.
The file was created on 2015-06-05 07:43.

Do not reboot the PC!
 
