CPU and physical memory is maxed by programes not shown before an install

[anx]

Said in the title need help.

[attachment deleted by admin to conserve space]

[SuperDave]

Hello and welcome to Computer Hope Forum. My name is Dave. I will be helping you out with your particular problem on your computer.

1. I will be working on your Malware issues. This may or may not solve other issues you have with your machine.
2. The fixes are specific to your problem and should only be used for this issue on this machine.
3. If you don't know or understand something, please don't hesitate to ask.
4. Please DO NOT run any other tools or scans while I am helping you.
5. It is important that you reply to this thread. Do not start a new topic.
6. Your security programs may give warnings for some of the tools I will ask you to use. Be assured, any links I give are safe.
7. Absence of symptoms does not mean that everything is clear.

If you can't access the internet with your infected computer you will have to download and transfer any programs to the computer you're using now and transfer them to the infected computer with a CD-RW or a USB storage device. I prefer a CD because a storage device can get infected. If you use a storage device hold the shift key down while inserting the USB storage device for about 10 secs. You will also have to transfer the logs you receive back to the good computer using the same method until we can get the computer back on-line.
*************************************************************************
I moved this topic to the malware forum because I suspect the computer is infected.Please run these scans and I'll check them out.

Please download AdwCleaner by Xplode onto your Desktop.

Before starting AdwCleaner, close all open programs and internet browsers, then double-click on the AdwCleaner icon.



If Windows prompts you as to whether or not you wish to run AdwCleaner, please allow it to run.
When the AdwCleaner program will open, click on the Scan button as shown below.



AdwCleaner will now start to search for malicious files that may be installed on your computer.
To remove the files that were detected in the previous step, please click on the Clean button.



AdwCleaner will now prompt you to save any open files or data as the program will need to reboot the computer. Please do so and then click on the OK button. AdwCleaner will now delete all detected adware from your computer. When it is done it will display an alert that explains what PUPs (Potentially Unwanted Programs) and Adware are. Please read through this information and then press the OK button. You will now be presented with an alert that states AdwCleaner needs to reboot your computer.
Please click on the OK button to allow AdwCleaner reboot your computer.A log will be produced. Please copy and paste this log in your next reply.
*********************************************
Please download Malwarebytes Anti-Malware from here.
Double Click mbam-setup.exe to install the application.

• It should update automatically if the computer is connected to the internet.
• Click on Threat Scan and click on Scan Now.
  
• The scan may take some time to finish,so please be patient.
• When the scan is complete make sure all the infections have "quarantine" selected in the Action box.
  
• Click on "Apply actions" You may be asked to Restart your computer to completely remove the infections.
  
• When disinfection is completed you can click on "Copy to Clipboard".
  
• Paste the log in you next reply (CTRL+ V)

*************************************************
Please download Junkware Removal Tool to your desktop.

•Warning! Once the scan is complete JRT will shut down your browser with NO warning.

•Shut down your protection software now to avoid potential conflicts.

•Temporarily disable your Antivirus and any Antispyware real time protection before performing a scan. Click this link to see a list of security programs that should be disabled and how to disable them.

•Run the tool by double-clicking it. If you are using Windows Vista or Windows 7, right-click JRT and select Run as Administrator

•The tool will open and start scanning your system.

•Please be patient as this can take a while to complete depending on your system's specifications.

•On completion, a log (JRT.txt) is saved to your desktop and will automatically open.

•Copy and Paste the JRT.txt log into your next message.
***********************************************
Download Security Check by screen317 from one of the following links and save it to your desktop.

Link 1
Link 2

* Double-click Security Check.bat
* Follow the on-screen instructions inside of the black box.
* A Notepad document should open automatically called checkup.txt
* Post the contents of that document in your next reply.

Note: If a security program requests permission from dig.exe to access the Internet, allow it to do so.

[anx]

# AdwCleaner v4.105 - Report created 20/12/2014 at 18:21:47
# Updated 08/12/2014 by Xplode
# Database : 2014-12-16.1 [Live]
# Operating System : Windows 7 Home Premium Service Pack 1 (64 bits)
# Username : Anime Manga Book - COMPAQ-PC
# Running from : C:\Users\Anime Manga Book\Downloads\adwcleaner_4.105.exe
# Option : Clean

***** [ Services ] *****


***** [ Files / Folders ] *****

Folder Deleted : C:\ProgramData\AlawarWrapper
Folder Deleted : C:\ProgramData\b0c9262a33c06251
Folder Deleted : C:\Program Files\002
Folder Deleted : C:\Users\Administrator\AppData\Local\Chromatic Browser
Folder Deleted : C:\Users\Administrator\AppData\Local\torch
Folder Deleted : C:\Users\Guest\AppData\Local\Chromatic Browser
Folder Deleted : C:\Users\Guest\AppData\Local\torch
Folder Deleted : C:\Users\HomeGroupUser$\AppData\Local\Chromatic Browser
Folder Deleted : C:\Users\HomeGroupUser$\AppData\Local\torch
Folder Deleted : C:\Users\Plot\AppData\Local\Google\Chrome\User Data\Default\Extensions\bakijjialdiiboeaknfpmflphhmljfkd
Folder Deleted : C:\Users\Administrator\AppData\Local\Google\Chrome\User Data\Default\Extensions\inndoodhgbcabmjijfdogajddgkljclg
Folder Deleted : C:\Users\Guest\AppData\Local\Google\Chrome\User Data\Default\Extensions\inndoodhgbcabmjijfdogajddgkljclg
Folder Deleted : C:\Users\HomeGroupUser$\AppData\Local\Google\Chrome\User Data\Default\Extensions\inndoodhgbcabmjijfdogajddgkljclg
File Deleted : C:\END
File Deleted : C:\Windows\System32\drivers\netfilter64.sys
File Deleted : C:\Users\Compaq\AppData\Roaming\aps.scan.quick.results
File Deleted : C:\Users\Compaq\AppData\Roaming\aps.scan.results
File Deleted : C:\Users\Compaq\AppData\Roaming\aps.uninstall.scan.results

***** [ Scheduled Tasks ] *****

Task Deleted : BrowserSafeguard Update Task

***** [ Shortcuts ] *****


***** [ Registry ] *****

Key Deleted : HKLM\SOFTWARE\Google\Chrome\Extensions\bakijjialdiiboeaknfpmflphhmljfkd
Key Deleted : [x64] HKLM\SOFTWARE\Google\Chrome\Extensions\bakijjialdiiboeaknfpmflphhmljfkd
Key Deleted : HKLM\SOFTWARE\Classes\soaaferweb.soaaferweb
Key Deleted : HKLM\SOFTWARE\Classes\soaaferweb.soaaferweb.1.8
Key Deleted : HKLM\SOFTWARE\Classes\CLSID\{946B8A29-73C4-C694-9EB2-3CFFF632661B}
Key Deleted : HKLM\SOFTWARE\Classes\Interface\{E3ED53C5-7AD5-4DF5-9734-AFB6E7E5D9DB}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{02478D38-C3F9-4EFB-9B51-7695ECA05670}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{EF99BD32-C1FB-11D2-892F-0090271D4F88}
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{946B8A29-73C4-C694-9EB2-3CFFF632661B}
Key Deleted : [x64] HKLM\SOFTWARE\Classes\CLSID\{946B8A29-73C4-C694-9EB2-3CFFF632661B}
Key Deleted : [x64] HKLM\SOFTWARE\Classes\Interface\{E3ED53C5-7AD5-4DF5-9734-AFB6E7E5D9DB}
Key Deleted : [x64] HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{31090377-0740-419E-BEFC-A56E50500D5B}
Key Deleted : [x64] HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{31090377-0740-419E-BEFC-A56E50500D5B}
Key Deleted : [x64] HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472F-A0FF-E1416B8B2E3A}
Key Deleted : HKLM\SOFTWARE\GlobalUpdate
Key Deleted : HKLM\SOFTWARE\Tutorials
Key Deleted : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{5F488658-35A7-2AB8-A756-560BA8F103C3}
Key Deleted : HKCU\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage\chatango.com
Key Deleted : HKCU\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage\st.chatango.com

***** [ Browsers ] *****

-\\ Internet Explorer v11.0.9600.17496


-\\ Google Chrome v38.0.2125.111

[C:\Users\Anime Manga Book\AppData\Local\Google\Chrome\User Data\Default\Web Data] - Deleted [Search Provider] : hxxp://search.aol.com/aol/search?q={searchTerms}
[C:\Users\Anime Manga Book\AppData\Local\Google\Chrome\User Data\Default\Web Data] - Deleted [Search Provider] : hxxp://www.ask.com/web?q={searchTerms}
[C:\Users\Compaq\AppData\Local\Google\Chrome\User Data\Default\Web Data] - Deleted [Search Provider] : hxxp://search.aol.com/aol/search?q={searchTerms}
[C:\Users\Compaq\AppData\Local\Google\Chrome\User Data\Default\Web Data] - Deleted [Search Provider] : hxxp://www.ask.com/web?q={searchTerms}
[C:\Users\Compaq\AppData\Local\Google\Chrome\User Data\Default\Web Data] - Deleted [Search Provider] : hxxp://search.tb.ask.com/search/GGmain.jhtml?p2=^HJ^yyyyyy^YYA^us&ptb=8A8B9396-A529-41AD-99A3-8E9CF4F5B899&ind=2014062807&n=780c28d7&psa=&st=sb&searchfor={searchTerms}
[C:\Users\Plot\AppData\Local\Google\Chrome\User Data\Default\Web Data] - Deleted [Search Provider] : hxxp://search.aol.com/aol/search?q={searchTerms}
[C:\Users\Plot\AppData\Local\Google\Chrome\User Data\Default\Web Data] - Deleted [Search Provider] : hxxp://www.ask.com/web?q={searchTerms}

*************************

AdwCleaner[R0].txt - [4962 octets] - [20/12/2014 18:19:16]
AdwCleaner[S0].txt - [4949 octets] - [20/12/2014 18:21:47]

########## EOF - C:\AdwCleaner\AdwCleaner[S0].txt - [5009 octets] ##########

[anx]

Malwarebytes Anti-Malware
www.malwarebytes.org

Scan Date: 12/20/2014
Scan Time: 6:31:17 PM
Logfile:
Administrator: Yes

Version: 2.00.4.1028
Malware Database: v2014.12.20.07
Rootkit Database: v2014.12.14.01
License: Trial
Malware Protection: Enabled
Malicious Website Protection: Enabled
Self-protection: Enabled

OS: Windows 7 Service Pack 1
CPU: x64
File System: NTFS
User: Anime Manga Book

Scan Type: Threat Scan
Result: Completed
Objects Scanned: 489195
Time Elapsed: 1 hr, 12 min, 37 sec

Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Enabled
Heuristics: Enabled
PUP: Enabled
PUM: Enabled

Processes: 0
(No malicious items detected)

Modules: 0
(No malicious items detected)

Registry Keys: 0
(No malicious items detected)

Registry Values: 0
(No malicious items detected)

Registry Data: 0
(No malicious items detected)

Folders: 7
PUP.Optional.CrossRider.A, C:\Users\Anime Manga Book\AppData\Local\Google\Chrome\User Data\Default\Extensions\ceenmgoldhkkegcnlieacjjhndklllkp, Quarantined, [3ce18cd71963c76f4c81fc372dd60bf5],
PUP.Optional.CrossRider.A, C:\Users\Anime Manga Book\AppData\Local\Google\Chrome\User Data\Default\Extensions\ceenmgoldhkkegcnlieacjjhndklllkp\0.1_0, Quarantined, [3ce18cd71963c76f4c81fc372dd60bf5],
PUP.Optional.CrossRider.A, C:\Users\Anime Manga Book\AppData\Local\Google\Chrome\User Data\Default\Extensions\ceenmgoldhkkegcnlieacjjhndklllkp\0.1_0\_metadata, Quarantined, [3ce18cd71963c76f4c81fc372dd60bf5],
PUP.Optional.CrossRider.A, C:\Users\Plot\AppData\Local\Google\Chrome\User Data\Default\Extensions\ceenmgoldhkkegcnlieacjjhndklllkp, Quarantined, [b36a3b285c20de58d5f86ec5a2612cd4],
PUP.Optional.CrossRider.A, C:\Users\Plot\AppData\Local\Google\Chrome\User Data\Default\Extensions\ceenmgoldhkkegcnlieacjjhndklllkp\0.1_0, Quarantined, [b36a3b285c20de58d5f86ec5a2612cd4],
PUP.Optional.CrossRider.A, C:\Users\Plot\AppData\Local\Google\Chrome\User Data\Default\Extensions\ceenmgoldhkkegcnlieacjjhndklllkp\0.1_0\_metadata, Quarantined, [b36a3b285c20de58d5f86ec5a2612cd4],
Trojan.Clicker.FMS, C:\ProgramData\{9A88E103-A20A-4EA5-8636-C73B709A5BF8}, Quarantined, [7f9e69fa027a3afcff84be972dd66898],

Files: 21
PUP.Optional.CrossRider.A, C:\Users\Anime Manga Book\AppData\Local\Google\Chrome\User Data\Default\Extensions\ceenmgoldhkkegcnlieacjjhndklllkp\0.1_0\background.js, Quarantined, [3ce18cd71963c76f4c81fc372dd60bf5],
PUP.Optional.CrossRider.A, C:\Users\Anime Manga Book\AppData\Local\Google\Chrome\User Data\Default\Extensions\ceenmgoldhkkegcnlieacjjhndklllkp\0.1_0\icon-128.png, Quarantined, [3ce18cd71963c76f4c81fc372dd60bf5],
PUP.Optional.CrossRider.A, C:\Users\Anime Manga Book\AppData\Local\Google\Chrome\User Data\Default\Extensions\ceenmgoldhkkegcnlieacjjhndklllkp\0.1_0\icon-16.png, Quarantined, [3ce18cd71963c76f4c81fc372dd60bf5],
PUP.Optional.CrossRider.A, C:\Users\Anime Manga Book\AppData\Local\Google\Chrome\User Data\Default\Extensions\ceenmgoldhkkegcnlieacjjhndklllkp\0.1_0\icon-48.png, Quarantined, [3ce18cd71963c76f4c81fc372dd60bf5],
PUP.Optional.CrossRider.A, C:\Users\Anime Manga Book\AppData\Local\Google\Chrome\User Data\Default\Extensions\ceenmgoldhkkegcnlieacjjhndklllkp\0.1_0\manifest.json, Quarantined, [3ce18cd71963c76f4c81fc372dd60bf5],
PUP.Optional.CrossRider.A, C:\Users\Anime Manga Book\AppData\Local\Google\Chrome\User Data\Default\Extensions\ceenmgoldhkkegcnlieacjjhndklllkp\0.1_0\_metadata\computed_hashes.json, Quarantined, [3ce18cd71963c76f4c81fc372dd60bf5],
PUP.Optional.CrossRider.A, C:\Users\Anime Manga Book\AppData\Local\Google\Chrome\User Data\Default\Extensions\ceenmgoldhkkegcnlieacjjhndklllkp\0.1_0\_metadata\verified_contents.json, Quarantined, [3ce18cd71963c76f4c81fc372dd60bf5],
PUP.Optional.CrossRider.A, C:\Users\Plot\AppData\Local\Google\Chrome\User Data\Default\Extensions\ceenmgoldhkkegcnlieacjjhndklllkp\0.1_0\background.js, Quarantined, [b36a3b285c20de58d5f86ec5a2612cd4],
PUP.Optional.CrossRider.A, C:\Users\Plot\AppData\Local\Google\Chrome\User Data\Default\Extensions\ceenmgoldhkkegcnlieacjjhndklllkp\0.1_0\icon-128.png, Quarantined, [b36a3b285c20de58d5f86ec5a2612cd4],
PUP.Optional.CrossRider.A, C:\Users\Plot\AppData\Local\Google\Chrome\User Data\Default\Extensions\ceenmgoldhkkegcnlieacjjhndklllkp\0.1_0\icon-16.png, Quarantined, [b36a3b285c20de58d5f86ec5a2612cd4],
PUP.Optional.CrossRider.A, C:\Users\Plot\AppData\Local\Google\Chrome\User Data\Default\Extensions\ceenmgoldhkkegcnlieacjjhndklllkp\0.1_0\icon-48.png, Quarantined, [b36a3b285c20de58d5f86ec5a2612cd4],
PUP.Optional.CrossRider.A, C:\Users\Plot\AppData\Local\Google\Chrome\User Data\Default\Extensions\ceenmgoldhkkegcnlieacjjhndklllkp\0.1_0\manifest.json, Quarantined, [b36a3b285c20de58d5f86ec5a2612cd4],
PUP.Optional.CrossRider.A, C:\Users\Plot\AppData\Local\Google\Chrome\User Data\Default\Extensions\ceenmgoldhkkegcnlieacjjhndklllkp\0.1_0\_metadata\computed_hashes.json, Quarantined, [b36a3b285c20de58d5f86ec5a2612cd4],
PUP.Optional.CrossRider.A, C:\Users\Plot\AppData\Local\Google\Chrome\User Data\Default\Extensions\ceenmgoldhkkegcnlieacjjhndklllkp\0.1_0\_metadata\verified_contents.json, Quarantined, [b36a3b285c20de58d5f86ec5a2612cd4],
Trojan.Clicker.FMS, C:\ProgramData\{9A88E103-A20A-4EA5-8636-C73B709A5BF8}\8afc49b02429a, Quarantined, [7f9e69fa027a3afcff84be972dd66898],
Trojan.Clicker.FMS, C:\ProgramData\{9A88E103-A20A-4EA5-8636-C73B709A5BF8}\kioiy.tmp, Quarantined, [7f9e69fa027a3afcff84be972dd66898],
Trojan.Clicker.FMS, C:\ProgramData\{9A88E103-A20A-4EA5-8636-C73B709A5BF8}\uksksgmgm.tmp, Quarantined, [7f9e69fa027a3afcff84be972dd66898],
Trojan.Clicker.FMS, C:\ProgramData\{9A88E103-A20A-4EA5-8636-C73B709A5BF8}\uuca.tmp, Quarantined, [7f9e69fa027a3afcff84be972dd66898],
Trojan.Clicker.FMS, C:\ProgramData\{9A88E103-A20A-4EA5-8636-C73B709A5BF8}\wcykcw.tmp, Quarantined, [7f9e69fa027a3afcff84be972dd66898],
Trojan.Clicker.FMS, C:\ProgramData\{9A88E103-A20A-4EA5-8636-C73B709A5BF8}\wsswi.tmp, Quarantined, [7f9e69fa027a3afcff84be972dd66898],
Trojan.Clicker.FMS, C:\ProgramData\{9A88E103-A20A-4EA5-8636-C73B709A5BF8}\yyyqguquyg.tmp, Quarantined, [7f9e69fa027a3afcff84be972dd66898],

Physical Sectors: 0
(No malicious items detected)


(end)

[anx]

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Junkware Removal Tool (JRT) by Thisisu
Version: 6.4.0 (11.29.2014:1)
OS: Windows 7 Home Premium x64
Ran by Anime Manga Book on Sat 12/20/2014 at 20:19:59.72
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~




~~~ Services



~~~ Registry Values



~~~ Registry Keys



~~~ Files



~~~ Folders

Successfully deleted: [Folder] "C:\Windows\syswow64\ai_recyclebin"



~~~ Event Viewer Logs were cleared





~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan was completed on Sat 12/20/2014 at 20:30:27.20
End of JRT log
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

[anx]

 UNSUPPORTED OPERATING SYSTEM! ABORTED!





from security check by screen317

[SuperDave]

What AV are you using and is it up-to-date?

Malwarebytes' Anti-Rootkit

Please download Malwarebytes' Anti-Rootkit and save it to your desktop.

• Be sure to print out and follow the instructions provided on that same page for performing a scan.
• Caution: This is a beta version so also read the disclaimer and back up all your data before using.
  
• When the scan completes, click on the Cleanup button to remove any threats found and reboot the computer if prompted to do so.
  
• Perform another scan with Malwarebytes Anti-Rootkit to verify that no threats remain. If they do, then click Cleanup once more and repeat the process.
  
• If there are problems with Internet access, Windows Update, Windows Firewall or other system issues, run the fixdamage tool located in the folder Malwarebytes Anti-Rootkit was run from and reboot your computer.
  
• Two files (mbar-log-YYYY-MM-DD, system-log.txt) will be created and saved within that same folder.
• Copy and paste the contents of these two log files in your next reply.

[anx]

no malware found. I think the problem is solved

[SuperDave]

I'd like to scan your machine with ESET OnlineScan

•Hold down Control and click on the following link to open ESET OnlineScan in a new window.
ESET OnlineScan

•Click the button.
•For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)

• Click on to download the ESET Smart Installer. Save it to your desktop.
  
• Double click on the icon on your desktop.
  

•Check
•Click the button.
•Accept any security warnings from your browser.

• Leave the check mark next to Remove found threats.
  

•Check
•Push the Start button.
•ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
•When the scan completes, push
•Push , and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
•Push the button.
•Push
A log file will be saved here: C:\Program Files\ESET\ESET Online Scanner\log.txt

[anx]

C:\Users\Guest.Compaq-PC\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\N9Q2OKFL\abhgtnedg[1].htm   JS/Exploit.Agent.NHN trojan   cleaned by deleting - quarantined
C:\Users\Plot\AppData\Local\Temp\77dc\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\DN8MEOJP\index[1].htm   JS/TrojanDownloader.FakeAlert.NAK trojan   cleaned by deleting - quarantined

[SuperDave]

How's your computer working now? Any other issues?

[anx]

no

[SuperDave]

Ok, let's do some clean up.

Click Start> Computer> right click the C Drive and choose Properties> enter
Click Disk Cleanup from there.



Click OK on the Disk Cleanup Screen.
Click Yes on the Confirmation screen.



This runs the Disk Cleanup utility along with other selections if you have chosen any. (if you had a lot System Restore points, you will see a significant change in the free space in C drive)
*******************************************
This step will remove all cleaning tools we used, it'll reset restore points (so you won't get reinfected by accidentally using some older restore point) and it'll make some other minor adjustments...
This is a very crucial step so make sure you don't skip it.
Download DelFix by Xplode to your desktop. Delfix will delete all the used tools and logfiles.

Double-click Delfix.exe to start the tool.
Make sure the following items are checked:

• Activate UAC (optional; some users prefer to keep it off)
• Remove disinfection tools
• Create Registry backup
• Purge System Restore Points
• Re-set system settings

Now click "Run" and wait patiently.
Once finished a logfile will be created. You don't have to attach it to your next reply.
*********************************************
I suggest using WOT - Web of Trust. WOT is a free Internet security addon for your browser. It will keep you safe from online scams, identity theft, spyware, spam, viruses and unreliable shopping sites. WOT warns you before you interact with a risky website. It's easy and it's free.

Check out Keeping Yourself Safe On The Web for tips and free tools to help keep you safe in the future.

Also see Slow Computer? It may not be Malware for free cleaning/maintenance tools to help keep your computer running smoothly.
Safe Surfing!