Malware issue, tried everything I know.

[Branden Patey]

I'm having an issue with some sort of malware and I can't for the life of me figure out where the problem even is, let alone attempt to solve it, can anyone help me out?

The issue is excessive CPU usage (80%-99%),memory usage (70%-99%) and disk usage (all over the place, but constantly high). In the task manager it shows multiple processes for msiexec.exe,ctfmon.exe, cmd.exe and conhost.exe which are all using ridiculous amounts of ram and cpu; along with the occasional notepad.exe using excessive resources as well. upon further inspection with process monitor I got lost, there seems to be immense amounts of reading and writing registry values and notepad.exe is connecting to the internet without ever being opened (I use notepad++).

From there I did a scan with AVG 2015,which found no threats, and spybot which found probably about double the threats A weekly scan finds for me. after fixing the threats found in spybot I rebooted only to find no difference. So I went on a cleaning spree, I removed and cleaned up everything I have installed for the last few weeks and cleared every cookie,cache, and temporary file I could find to no avail.

any needed info just let me know, I know what I'm doing for the most part so this should be easy if anyone can point me in the right direction. (I should mention, reformatting will be an absolute last resort for me, it'll take weeks to sort through all my files and find what I need to backup)

 

[toyftw]

I'm having an issue with some sort of malware and I can't for the life of me figure out where the problem even is, let alone attempt to solve it, can anyone help me out?

The issue is excessive CPU usage (80%-99%),memory usage (70%-99%) and disk usage (all over the place, but constantly high). In the task manager it shows multiple processes for msiexec.exe,ctfmon.exe, cmd.exe and conhost.exe which are all using ridiculous amounts of ram and cpu; along with the occasional notepad.exe using excessive resources as well. upon further inspection with process monitor I got lost, there seems to be immense amounts of reading and writing registry values and notepad.exe is connecting to the internet without ever being opened (I use notepad++).

From there I did a scan with AVG 2015,which found no threats, and spybot which found probably about double the threats A weekly scan finds for me. after fixing the threats found in spybot I rebooted only to find no difference. So I went on a cleaning spree, I removed and cleaned up everything I have installed for the last few weeks and cleared every cookie,cache, and temporary file I could find to no avail.

any needed info just let me know, I know what I'm doing for the most part so this should be easy if anyone can point me in the right direction. (I should mention, reformatting will be an absolute last resort for me, it'll take weeks to sort through all my files and find what I need to backup)

Hi - I ran into same thing about a yr ago. I followed the instructions from aford10 here on Toms HW:

http://www.tomshardware.com/forum/8263-63-simple-free-guide-removing-malware

and it worked for me.

 

[brispuss]

No single anti-malware scanner can detect and remove all known malware. So several anti-malware scanners in addition to AVG and Spybot should be downloaded and used.

Recommend (as a minimum) -

Malwarebytes Anti-Malware

Emsisoft Anti-Malware

SUPERAntiSpyware

After downloading the above, install the programs and disable any real-time protection.

Boot into Safe Mode.

Make sure computer is disconnected from the internet.

Run the anti-malware scanners one at a time. If any malware found, delete and/or quarantine them and rerun scanner.

Run same scanner until no more malware detected, and then use another scanner and repeat above step.

When all scanners have been run and malware is no longer being detected, boot in to Normal Mode and see how things go.

If there are continuing issues, then suggest refer here for additional assistance.

 

[Branden Patey]

No single anti-malware scanner can detect and remove all known malware. So several anti-malware scanners in addition to AVG and Spybot should be downloaded and used.

Recommend (as a minimum) -

Malwarebytes Anti-Malware

Emsisoft Anti-Malware

SUPERAntiSpyware

After downloading the above, install the programs and disable any real-time protection.

Boot into Safe Mode.

Make sure computer is disconnected from the internet.

Run the anti-malware scanners one at a time. If any malware found, delete and/or quarantine them and rerun scanner.

Run same scanner until no more malware detected, and then use another scanner and repeat above step.

When all scanners have been run and malware is no longer being detected, boot in to Normal Mode and see how things go.

If there are continuing issues, then suggest refer here for additional assistance.

after multiple spybot scans,malwarebytes scans, scans with the emsisoft one, and a couple registry cleanings with ccleaner my issue appeared to be fixed. so I uninstalled emsisoft anti-malware, I only usually need spybot and AVG and multiple scanners start to take up ram, and everything came back as if I had never scanned anything. I'm guessing emsisoft was blocking whatever the real problem is so I went to that link for more assistance and the page was down, I checked the hosts file and it seems only spybot's edits are there, and it's definitely not down.

also, it seems that it isn't specific programs that are using everything,it looks like something is being disguised as random programs. sometimes it's notepad.exe (when there is no notepad open) ,sometimes it could be a duplicate of WmiPrvSE.exe, and it theres even a duplicate of explorer.exe at times which in process explorer seems to be nested within the explorer.exe that other normal stuff is. These seemingly fake programs all have weird connections to the internet, even notepad, and the duplicates have differences in the threads and strings.

**EDIT** I should mention that other than to visit webpages and check if the problem was gone or not I did everything in safe mode.

I don't know what to do :/
I really don't want to start fresh with this laptop, would there be any logs I could include with my original post that would help to figure it out?

 

[toyftw]

No single anti-malware scanner can detect and remove all known malware. So several anti-malware scanners in addition to AVG and Spybot should be downloaded and used.

Recommend (as a minimum) -

Malwarebytes Anti-Malware

Emsisoft Anti-Malware

SUPERAntiSpyware

After downloading the above, install the programs and disable any real-time protection.

Boot into Safe Mode.

Make sure computer is disconnected from the internet.

Run the anti-malware scanners one at a time. If any malware found, delete and/or quarantine them and rerun scanner.

Run same scanner until no more malware detected, and then use another scanner and repeat above step.

When all scanners have been run and malware is no longer being detected, boot in to Normal Mode and see how things go.

If there are continuing issues, then suggest refer here for additional assistance.

after multiple spybot scans,malwarebytes scans, scans with the emsisoft one, and a couple registry cleanings with ccleaner my issue appeared to be fixed. so I uninstalled emsisoft anti-malware, I only usually need spybot and AVG and multiple scanners start to take up ram, and everything came back as if I had never scanned anything. I'm guessing emsisoft was blocking whatever the real problem is so I went to that link for more assistance and the page was down, I checked the hosts file and it seems only spybot's edits are there, and it's definitely not down.

also, it seems that it isn't specific programs that are using everything,it looks like something is being disguised as random programs. sometimes it's notepad.exe (when there is no notepad open) ,sometimes it could be a duplicate of WmiPrvSE.exe, and it theres even a duplicate of explorer.exe at times which in process explorer seems to be nested within the explorer.exe that other normal stuff is. These seemingly fake programs all have weird connections to the internet, even notepad, and the duplicates have differences in the threads and strings.

**EDIT** I should mention that other than to visit webpages and check if the problem was gone or not I did everything in safe mode.

I don't know what to do :/
I really don't want to start fresh with this laptop, would there be any logs I could include with my original post that would help to figure it out?

I had a virus(turned out to be multiple) that three anti spy/malware programs didn't get rid of.
I then tried virusfighter one of the programs pffered by spamfighter(.com). Trial period is free
(30 days if I remember correctly). In any event, it detected and eliminated several viruses.

http://www.spamfighter.com/VIRUSfighter/

Worth a try.

 

[Branden Patey]

No single anti-malware scanner can detect and remove all known malware. So several anti-malware scanners in addition to AVG and Spybot should be downloaded and used.

Recommend (as a minimum) -

Malwarebytes Anti-Malware

Emsisoft Anti-Malware

SUPERAntiSpyware

After downloading the above, install the programs and disable any real-time protection.

Boot into Safe Mode.

Make sure computer is disconnected from the internet.

Run the anti-malware scanners one at a time. If any malware found, delete and/or quarantine them and rerun scanner.

Run same scanner until no more malware detected, and then use another scanner and repeat above step.

When all scanners have been run and malware is no longer being detected, boot in to Normal Mode and see how things go.

If there are continuing issues, then suggest refer here for additional assistance.

after multiple spybot scans,malwarebytes scans, scans with the emsisoft one, and a couple registry cleanings with ccleaner my issue appeared to be fixed. so I uninstalled emsisoft anti-malware, I only usually need spybot and AVG and multiple scanners start to take up ram, and everything came back as if I had never scanned anything. I'm guessing emsisoft was blocking whatever the real problem is so I went to that link for more assistance and the page was down, I checked the hosts file and it seems only spybot's edits are there, and it's definitely not down.

also, it seems that it isn't specific programs that are using everything,it looks like something is being disguised as random programs. sometimes it's notepad.exe (when there is no notepad open) ,sometimes it could be a duplicate of WmiPrvSE.exe, and it theres even a duplicate of explorer.exe at times which in process explorer seems to be nested within the explorer.exe that other normal stuff is. These seemingly fake programs all have weird connections to the internet, even notepad, and the duplicates have differences in the threads and strings.

**EDIT** I should mention that other than to visit webpages and check if the problem was gone or not I did everything in safe mode.

I don't know what to do :/
I really don't want to start fresh with this laptop, would there be any logs I could include with my original post that would help to figure it out?

I had a virus(turned out to be multiple) that three anti spy/malware programs didn't get rid of.
I then tried virusfighter one of the programs pffered by spamfighter(.com). Trial period is free
(30 days if I remember correctly). In any event, it detected and eliminated several viruses.

http://www.spamfighter.com/VIRUSfighter/

Worth a try.

thanks, no luck though.

 

[Paul NZ]

You should also disable system restore. Since depending on the malware, it can hide in the folders.

I would also use adwcleaner . Just make sure you know what it's removing

 

[brispuss]

As stated earlier other scanners may have to be used also, as not every known malware can be detected by one scanner alone.

If there are ongoing difficulties, then visit the website linked previously for more detailed help (link copied here).

 

[Branden Patey]

No replies over at bleepingcomputer but I found a scanner called "hijack this", it appears to have found some issues but I'm not 100% sure on that. can anyone take a look and let me know if any of this needs fixing?

http://pastebin.com/PWsi4cHg

 

[Paul NZ]

Hijackthis just shows you what runs when you boot / whats installed

These dont have to be there

O4 - HKCU\..\Run: [CCleaner Monitoring] "C:\Program Files\CCleaner\CCleaner64.exe" /MONITOR

O4 - HKCU\..\Run: [uTorrent] "C:\Users\branden\AppData\Roaming\uTorrent\uTorrent.exe" /MINIMIZED

I dont know what autochk is.

O4 - Startup: autochk.lnk.disabled

O4 - Startup: Dropbox.lnk.disabled

I would remove spybot. Its had its day. Dont install too many av programs. If theyre running at the same time. They'll conflict

This 8.8.8.8,8.8.8.8 should be 8.8.8.8 and 8.8.4.4

Update firefox its up to 37.02. If Java isnt 8 update 45 uninstall it then update it

 

[rajopemmpi]

I too ran into this problem. Please help me.

Conhost.exe, presentationhost.exe, notepad.exe, eating up most of mem, when internet iis turned on
Tried malwarebytts, awscleaner etc.

Please help me

 

[Jesus Fcb]

So much thanks to "brispuss", your solution worked for me, those AV found more than 1500 threats that Avast Couldn't detect, Now those 3 AV plus Google Chrome are who eat my Ram <<LoL!