Inactive 100% processor and disk-usage after windows-start, 2 dllhost etc


Run OTL
  • Under the Custom Scans/Fixes box at the bottom, paste in the following
Code:
:OTL
SRV - File not found [Disabled | Stopped] -- C:\Windows\system32\nvvsvc.exe -- (nvsvc)
DRV - File not found [Kernel | On_Demand | Stopped] -- C:\ComboFix\catchme.sys -- (catchme)
FF - HKLM\Software\MozillaPlugins\Adobe Reader: C:\Program Files\Adobe\Reader 10.0\Reader\AIR\nppdf32.dll File not found


:Services

:Reg

:Files
C:\FRST

:Commands
[purity]
[emptytemp]
[emptyjava]
[emptyflash]
[Reboot]
  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot the PC when it is done
  • You will get a log that shows the results of the fix. Please post it.

NOTE. If for any reason OTL stalls (most likely at "killing processes..." step) run the fix from safe mode.

Last scans...

Download Security Check from here or here and save it to your Desktop.
  • Double-click SecurityCheck.exe
  • Follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.
NOTE 1. If one of your security applications (e.g., a third-party firewall) requests permission to allow DIG.EXE to access the Internet, allow it to do so.
NOTE 2. SecurityCheck may produce some false warning(s), so leave the reading of the results to me.


Please download Farbar Service Scanner (FSS) and run it on the computer with the issue.
  • Make sure the following options are checked:
    • Internet Services
    • Windows Firewall
    • System Restore
    • Security Center
    • Windows Update
    • Windows Defender
    • Other Services
  • Press "Scan".
  • It will create a log (FSS.txt) in the same directory the tool is run from.
  • Please copy and paste the log to your reply.

Download Temp File Cleaner (TFC)
Alternate download: http://www.itxassociates.com/OT-Tools/TFC.exe
  • Double click on TFC.exe to run the program.
  • Click on Start button to begin cleaning process.
  • TFC will close all running programs, and it may ask you to restart the computer.

Please run a free online scan with the ESET Online Scanner

  • Disable your antivirus program
  • Click on "Run ESET Online Scanner" button.
  • Tick the box next to YES, I accept the Terms of Use
  • Click Start
  • Accept any security warnings from your browser.
  • Check Scan archives
  • Click Start
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, click on List of found threats
  • Click on Export to text file , and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • NOTE. If ESET doesn't find any threats, it won't produce a log.
 
Broni,

Had a shutdown again but it did not look like overheating (according to temp). Forgot
to tell you something interesting. I have some (minor) programs on my desktop.
Since a while ago I have noticed that these program icons have been marked by
a small shield (Windows security icons). They (the shields) all disappeared a few "reboots" after ComboFix ran! Only one shield is left on mbam-clean....exe. Interestingly all these
programs are virus/malware programs!?

Disk response time is now even worse. Between 1500-4000 ms per process/thread
during the first 5 min or so. Before, when I adjusted the processor throttle, I managed to lower the maximum freq from 100% to around mostly 50-60%. Now it is back to 100%
constantly.

Forgot to tell you it's snowing and the time is 3:13 AM here. Time to go to bed. I'm coming back with the results tomorrow.
 
Maybe I have, but now to the good news. I will do as you instructed me above in a moment. But first I can tell you that my fan tried to start directly when ComboFix was finished. It did not succeed though, but since this morning it is working fine. And the
Adobe Flash update program started a second behind ComboFix. I will update later.

You asked yesterday about improvements. I said I did not have any. But today my Firefox is working better than ever. I can now watch videos without constant small
delays :D. Great! FF in my Sandboxie is not on the same level. Hopefully I just have
to do the file dump out of the box? I guess the overall feeling is also quite good really! Maybe even the startup process (svchost) works a little better/faster! We will see.

Since I reinstalled the OS I have had problems with MSE. MsMpEng has gone wild
consuming a lot of memory, which has resulted in 3 or 4 reinstalls of MSE.

Today the MSE icon was visible the whole time, showing it is not inactive (real protection!) and hiding. I guess it should be visible all the time?

Everything is running faster today, definitely!

Icon-problem still not solved. Takes time every time I look into my folders!

Back shortly with new logs(y)
 
The OTL Fix Run went fine but it took a while (40 sec) for Firefox to get up and running. Now I have 2 MSE icons in the program tray at the bottom right (desktop). One of them is Sandboxie Control dressed like MSE. Things like this happen every now and then. Maybe
I should try a Windows tweaking program?


All processes killed
========== OTL ==========
Service nvsvc stopped successfully!
Service nvsvc deleted successfully!
File C:\Windows\system32\nvvsvc.exe not found.
Service catchme stopped successfully!
Service catchme deleted successfully!
File C:\ComboFix\catchme.sys not found.
Registry key HKEY_LOCAL_MACHINE\Software\MozillaPlugins\Adobe Reader\ deleted successfully.
========== SERVICES/DRIVERS ==========
========== REGISTRY ==========
========== FILES ==========
C:\FRST\Quarantine folder moved successfully.
C:\FRST\Logs folder moved successfully.
C:\FRST\Hives\Users\00000002 folder moved successfully.
C:\FRST\Hives\Users\00000001 folder moved successfully.
C:\FRST\Hives\Users folder moved successfully.
C:\FRST\Hives folder moved successfully.
C:\FRST folder moved successfully.
========== COMMANDS ==========
[EMPTYTEMP]
User: All Users
User: Default
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
User: Public
->Temp folder emptied: 0 bytes
User: Yxan
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->FireFox cache emptied: 0 bytes
->Flash cache emptied: 0 bytes
User: Ägaren
->Temp folder emptied: 2494358 bytes
->Temporary Internet Files folder emptied: 32974 bytes
->Java cache emptied: 0 bytes
->FireFox cache emptied: 381247059 bytes
->Flash cache emptied: 1931 bytes
%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 31334 bytes
%systemroot%\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files folder emptied: 0 bytes
RecycleBin emptied: 9074491 bytes
Total Files Cleaned = 375,00 mb
[EMPTYJAVA]
User: All Users
User: Default
User: Default User
User: Public
User: Yxan
User: Ägaren
->Java cache emptied: 0 bytes
Total Java Files Cleaned = 0,00 mb
[EMPTYFLASH]
User: All Users
User: Default
User: Default User
User: Public
User: Yxan
->Flash cache emptied: 0 bytes
User: Ägaren
->Flash cache emptied: 0 bytes
Total Flash Files Cleaned = 0,00 mb
OTL by OldTimer - Version 3.2.69.0 log created on 01282014_233328

Files\Folders moved on Reboot...

PendingFileRenameOperations files...

Registry entries deleted on Reboot...
 
Results of screen317's Security Check version 0.99.79
Windows Vista Service Pack 2 x86 (UAC is enabled)
Internet Explorer 9
Internet Explorer 8
``````````````Antivirus/Firewall Check:``````````````
Microsoft Security Essentials
Antivirus up to date!
`````````Anti-malware/Other Utilities Check:`````````
WinPatrol
Malwarebytes Anti-Malware version 1.75.0.1300
CCleaner
Java 7 Update 45
Java version out of Date!
Adobe Flash Player 11.9.900.170
Mozilla Firefox (26.0)
````````Process Check: objlist.exe by Laurent````````
Microsoft Security Essentials MSMpEng.exe
Microsoft Security Essentials msseces.exe
WinPatrol winpatrol.exe
BillP Studios WinPatrol WinPatrol.exe
`````````````````System Health check`````````````````
Total Fragmentation on Drive C: %
````````````````````End of Log``````````````````````
 
Farbar Service Scanner Version: 08-01-2014
Ran by Ägaren (administrator) on 28-01-2014 at 23:56:10
Running from "C:\Users\Ägaren\Downloads"
Microsoft® Windows Vista™ Home Premium Service Pack 2 (X86)
Boot Mode: Normal
****************************************************************

Internet Services:
============
Dnscache Service is not running. Checking service configuration:
The start type of Dnscache service is set to Disabled. The default start type is Auto.
The ImagePath of Dnscache service is OK.
The ServiceDll of Dnscache service is OK.


Connection Status:
==============
Localhost is accessible.
LAN connected.
Google IP is accessible.
Google.com is accessible.
Yahoo.com is accessible.


Windows Firewall:
=============

Firewall Disabled Policy:
==================


System Restore:
============

System Restore Disabled Policy:
========================


Security Center:
============


Windows Update:
============

Windows Autoupdate Disabled Policy:
============================


Windows Defender:
==============
WinDefend Service is not running. Checking service configuration:
The start type of WinDefend service is set to Demand. The default start type is Auto.
The ImagePath of WinDefend service is OK.
The ServiceDll of WinDefend service is OK.


Windows Defender Disabled Policy:
==========================
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender]
"DisableAntiSpyware"=DWORD:1


Other Services:
==============


File Check:
========
C:\Windows\system32\nsisvc.dll => MD5 is legit
C:\Windows\system32\Drivers\nsiproxy.sys => MD5 is legit
C:\Windows\system32\dhcpcsvc.dll => MD5 is legit
C:\Windows\system32\Drivers\afd.sys => MD5 is legit
C:\Windows\system32\Drivers\tdx.sys => MD5 is legit
C:\Windows\system32\Drivers\tcpip.sys
[2013-10-22 10:06] - [2013-07-05 04:20] - 0914880 ____A (Microsoft Corporation) 6D0D344F643E28B31262AC2682109A3C

C:\Windows\system32\dnsrslvr.dll => MD5 is legit
C:\Windows\system32\mpssvc.dll => MD5 is legit
C:\Windows\system32\bfe.dll => MD5 is legit
C:\Windows\system32\Drivers\mpsdrv.sys => MD5 is legit
C:\Windows\system32\SDRSVC.dll => MD5 is legit
C:\Windows\system32\vssvc.exe => MD5 is legit
C:\Windows\system32\wscsvc.dll => MD5 is legit
C:\Windows\system32\wbem\WMIsvc.dll => MD5 is legit
C:\Windows\system32\wuaueng.dll => MD5 is legit
C:\Windows\system32\qmgr.dll => MD5 is legit
C:\Windows\system32\es.dll => MD5 is legit
C:\Windows\system32\cryptsvc.dll => MD5 is legit
C:\Program Files\Windows Defender\MpSvc.dll => MD5 is legit
C:\Windows\system32\ipnathlp.dll => MD5 is legit
C:\Windows\system32\iphlpsvc.dll => MD5 is legit
C:\Windows\system32\svchost.exe => MD5 is legit
C:\Windows\system32\rpcss.dll => MD5 is legit


**** End of log ****
 
I will do the ESET scan a little later due to some work needs on the computer.
I think an ESET scan takes a while!

Getting user folders.
Stopping running processes.
Emptying Temp folders.
User: All Users
User: Default
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
User: Public
->Temp folder emptied: 0 bytes
User: Yxan
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->FireFox cache emptied: 0 bytes
->Flash cache emptied: 0 bytes
User: Ägaren
->Temp folder emptied: 31832 bytes
->Temporary Internet Files folder emptied: 33170 bytes
->Java cache emptied: 0 bytes
->FireFox cache emptied: 16280508 bytes
->Flash cache emptied: 492 bytes
%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 11052 bytes
%systemroot%\system32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files folder emptied: 0 bytes
Emptying RecycleBin. Do not interrupt.
RecycleBin emptied: 0 bytes
Process complete!
Total Files Cleaned = 16,00 mb
 
Broni, this time when (starting FF?) looking down at the program tray, only the Network and Sound icons are visible. And there are no other icons hiding! I closed FF between every
program. I will restart the computer.
 
Before rebooting, today's downloads (OTL etc.) were given small security shields.
But when the program icons disappeared from the tray the shields disappeared as well.
I noticed in TaskMgr that the Volume Shadow program was running. After
reboot everything looked normal except an abnormal increase of the processor rpm
just after login.

How about these 2 dllhost files which disappear in a few seconds every time I open TaskMgr?

I also got 2 identical Flash Player plugins for FF. One of them is referring to a proxy stub channel? When I configured FF I did check it not to run connected to a proxy server. Perhaps this is something else?
 
The hidden Dmk file is gone according to WinPatrol (y). I also had to remove the AdAware (bp) browser tool from startup (in WinPatrol). The program is not seen in Revo Uninstaller. The fan is now running a bit abnormally. Gassing and braking type!
I shall test something memory-demanding.
 
I still have 2 csrss.exe files running as System users on 2 PIDs. Here's what Microsoft says about this file:

"It's normal to have one csrss.exe per user at the same time (say your user account and SYSTEM). It's also fine to have more than one in Windows/System32"

Worry if you have two instances running for the exact same user OR if the source of the running (or one of the running) csrss.exe file(s) is someplace other than Windows/System32.
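The two rules quoted above (one csrss.exe per session, image path inside System32) as a check you can run yourself. This is an added example, not from the thread or from Microsoft; it assumes an elevated PowerShell session (2.0 or later, so it also runs on Vista), since process owners and image paths of SYSTEM processes are otherwise not readable.

```powershell
# Added example (not part of the thread): list csrss.exe and dllhost.exe instances
# with owner, session and image path, then apply the two checks quoted above.
# Assumes an elevated PowerShell 2.0+ session.
$names   = @('csrss.exe', 'dllhost.exe')
$allowed = @((Join-Path $env:SystemRoot 'System32'),
             (Join-Path $env:SystemRoot 'SysWOW64'))   # SysWOW64 only exists on x64

$procs = Get-WmiObject Win32_Process |
    Where-Object { $names -contains $_.Name.ToLower() } |
    ForEach-Object {
        $owner = $_.GetOwner()
        if ($owner.ReturnValue -eq 0) { $who = "$($owner.Domain)\$($owner.User)" }
        else                          { $who = '<unknown>' }
        New-Object PSObject -Property @{
            Name      = $_.Name
            PID       = $_.ProcessId
            SessionId = $_.SessionId
            Owner     = $who
            Path      = $_.ExecutablePath
        }
    }

$procs | Format-Table Name, PID, SessionId, Owner, Path -AutoSize

# Check 1: the image must live in %SystemRoot%\System32 (or SysWOW64 on x64).
foreach ($p in $procs) {
    if (-not $p.Path) {
        Write-Warning "$($p.Name) PID $($p.PID): image path not readable, re-run elevated"
        continue
    }
    $ok = $false
    foreach ($dir in $allowed) {
        if ($p.Path.StartsWith($dir, [StringComparison]::OrdinalIgnoreCase)) { $ok = $true }
    }
    if (-not $ok) { Write-Warning "$($p.Name) PID $($p.PID) runs from $($p.Path), not System32" }
}

# Check 2: csrss.exe is one per session and always runs as SYSTEM. Two instances in
# different sessions (session 0 = services, session 1 = the logged-on desktop on
# Vista) are normal; two in the same session are not.
$procs | Where-Object { $_.Name -ieq 'csrss.exe' } |
    Group-Object SessionId | Where-Object { $_.Count -gt 1 } |
    ForEach-Object { Write-Warning "csrss.exe: $($_.Count) instances in session $($_.Name)" }
```

dllhost.exe (COM Surrogate) instances are normally short-lived, which is why they vanish from Task Manager within seconds; the path check is the part that matters for them.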
 
I'm glad to hear some good news :)

Icon-problem still not solved. Takes time every time I look into my folders!
Give me more details.

User : Yxan is an old user before I did a restore. Not in use anymore.
You can remove it through Control Panel > Users

User; Public? Whats that? Guest-account?
Legit

I still got 2 csrss.exe files running
Normal.

FSS log says:
The start type of Dnscache service is set to Disabled. The default start type is Auto.
Go to Start and in "Start search" type:
services.msc
Press Enter.
Services window will open.
Right click on DNS Client service, click "Properties" and under "Startup type" select "Automatic" from drop-down menu.
Restart computer.
Post fresh FSS log.

...and Eset.
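The same start-type audit FSS performs, plus the DNS Client fix described above, as an added PowerShell example (not part of this thread and not FSS's own code). It assumes an elevated PowerShell session; the 'Auto' defaults for Dnscache and WinDefend are the ones FSS printed, the other service names and defaults are my assumptions.

```powershell
# Added example (not from the thread): compare service start types with the
# defaults FSS quotes, check the Defender policy value FSS flagged, and put
# DNS Client back to Automatic as instructed above. Run elevated.
$expected = @{
    'Dnscache'  = 'Auto'    # DNS Client (default quoted by FSS)
    'WinDefend' = 'Auto'    # Windows Defender (default quoted by FSS)
    'MpsSvc'    = 'Auto'    # Windows Firewall   (assumed default)
    'wscsvc'    = 'Auto'    # Security Center    (assumed default)
    'wuauserv'  = 'Auto'    # Windows Update     (assumed default)
}

function Test-ServiceDefaults {
    foreach ($name in $expected.Keys) {
        $svc = Get-WmiObject Win32_Service -Filter "Name='$name'"
        if (-not $svc) { Write-Warning "$($name): service not present"; continue }
        # StartMode is 'Auto', 'Manual' or 'Disabled'; FSS calls Manual "Demand".
        if ($svc.StartMode -ne $expected[$name]) {
            Write-Warning ("{0}: start type is {1}, default is {2}" -f `
                $name, $svc.StartMode, $expected[$name])
        }
        if ($svc.State -ne 'Running') { Write-Warning "$($name): not running" }
        # Same idea as the FSS ImagePath check: the host binary should sit under System32.
        if ($svc.PathName -notmatch '\\System32\\') {
            Write-Warning "$($name): ImagePath $($svc.PathName) is not under System32, verify it"
        }
    }
}

function Test-DefenderPolicy {
    # FSS flagged this value; 1 switches Windows Defender off by policy.
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows Defender'
    $v = (Get-ItemProperty -Path $key -Name DisableAntiSpyware `
            -ErrorAction SilentlyContinue).DisableAntiSpyware
    if ($v -eq 1) { Write-Warning "DisableAntiSpyware=1 under $key" }
}

function Repair-DnsClient {
    # Equivalent of the services.msc steps: Startup type Automatic, then start it.
    Set-Service -Name Dnscache -StartupType Automatic
    Start-Service -Name Dnscache
    (Get-Service -Name Dnscache).Status
}

Test-ServiceDefaults
Test-DefenderPolicy
# Repair-DnsClient   # uncomment to apply the fix, then re-run FSS as requested
```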
 
The fan never worked yesterday but amazingly there were no icon problems either!
I relate at least some of my icon problems to memory shortage. Today my fan has been working for 8 hours at 100% except for one hour recently when the temp was allowed to stretch above and around 80 dgr C for shorter periods(but shutdowns).
(Yesterday there were constant shutdowns). Normally it stays around 50-60 dgr C. When I say icon problem I relate to Explorer and searching in folders. The other, more strange, behavior has to do with the desktop. The Windows shields (icons) are back. All icons can also disappear when programs are executed some way or another. I.e. when I deleted my network, desktop icons returned to standard MS icons! This happened during a period when the fan allowed a high CPU temp! 10 sec later they gradually returned. Maybe you then understand why I am not sure it is (only) a hardware error(?). The fan worked every day without interruptions after the OS reinstallment but started to malfunction around the time I found malware/virus infections (before restore). Still I had not visited bad sites or downloaded unknown stuff.

Why are 2 identical (long specified commands) csrss.exe files running (sessions)? I know it is perfectly normal with multiple csrss files running but not with 2 identical users (System) when there is only one "interactive" user, me the owner (Ägaren)?

How about the 2 dllhost files? They are also both run under the System user identity?

User "Yxan", which was "deleted" (by the restoring process) when the OS was restored, cannot be found in Control Panel as a "USER" (under Users). Do I have to do some registry deletions here?

Could there be some relationship here between the two sets of exe files above and the two sets of users?

DNSCache was disabled by me to reduce the possibility of browser redirections.
Maybe it's wise to set the service to automatic? For the moment I have not experienced any problems though! It's still disabled when you look at my FSS log
below:

Farbar Service Scanner Version: 08-01-2014
Ran by Ägaren (administrator) on 30-01-2014 at 17:18:48
Running from "C:\Users\Ägaren\Desktop"
Microsoft® Windows Vista™ Home Premium Service Pack 2 (X86)
Boot Mode: Normal
****************************************************************

Internet Services:
============
Dnscache Service is not running. Checking service configuration:
The start type of Dnscache service is set to Disabled. The default start type is Auto.
The ImagePath of Dnscache service is OK.
The ServiceDll of Dnscache service is OK.


Connection Status:
==============
Localhost is accessible.
LAN connected.
Google IP is accessible.
Google.com is accessible.
Yahoo.com is accessible.


Windows Firewall:
=============

Firewall Disabled Policy:
==================


System Restore:
============

System Restore Disabled Policy:
========================


Security Center:
============


Windows Update:
============

Windows Autoupdate Disabled Policy:
============================


Windows Defender:
==============
WinDefend Service is not running. Checking service configuration:
The start type of WinDefend service is set to Demand. The default start type is Auto.
The ImagePath of WinDefend service is OK.
The ServiceDll of WinDefend service is OK.


Windows Defender Disabled Policy:
==========================
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender]
"DisableAntiSpyware"=DWORD:1


Other Services:
==============


File Check:
========
C:\Windows\system32\nsisvc.dll => MD5 is legit
C:\Windows\system32\Drivers\nsiproxy.sys => MD5 is legit
C:\Windows\system32\dhcpcsvc.dll => MD5 is legit
C:\Windows\system32\Drivers\afd.sys => MD5 is legit
C:\Windows\system32\Drivers\tdx.sys => MD5 is legit
C:\Windows\system32\Drivers\tcpip.sys
[2013-10-22 10:06] - [2013-07-05 04:20] - 0914880 ____A (Microsoft Corporation) 6D0D344F643E28B31262AC2682109A3C

C:\Windows\system32\dnsrslvr.dll => MD5 is legit
C:\Windows\system32\mpssvc.dll => MD5 is legit
C:\Windows\system32\bfe.dll => MD5 is legit
C:\Windows\system32\Drivers\mpsdrv.sys => MD5 is legit
C:\Windows\system32\SDRSVC.dll => MD5 is legit
C:\Windows\system32\vssvc.exe => MD5 is legit
C:\Windows\system32\wscsvc.dll => MD5 is legit
C:\Windows\system32\wbem\WMIsvc.dll => MD5 is legit
C:\Windows\system32\wuaueng.dll => MD5 is legit
C:\Windows\system32\qmgr.dll => MD5 is legit
C:\Windows\system32\es.dll => MD5 is legit
C:\Windows\system32\cryptsvc.dll => MD5 is legit
C:\Program Files\Windows Defender\MpSvc.dll => MD5 is legit
C:\Windows\system32\ipnathlp.dll => MD5 is legit
C:\Windows\system32\iphlpsvc.dll => MD5 is legit
C:\Windows\system32\svchost.exe => MD5 is legit
C:\Windows\system32\rpcss.dll => MD5 is legit


**** End of log ****

At last another strange thing. As I told you before I have had different Firewall (Win) problems. Ports have been open for remote control and without logging and
warning messages. In Windows Firewall you can list exceptions from the firewall
blocking. This page (FW settings) today contains a lot of programs that are used for remote control. You just have to check a box to get a free unblocked passage through the FW. And the same programs cannot be deleted from this list. :eek: Since restoring I have not seen i.e. remote control as an exception (or others). BUT the list is still there. A bit worrisome though.
 
Corrections of the above: First section, 4th row:

".....80 dgr C for shorter periods(but shutdowns)."

Should of course be: (but no shutdowns).
 
Here's a bad quality image of the FW settings. The window contains the remote-type programs with respective boxes for the exception from FW blocking. Directly below the window there are 4 buttons. The one far out right is the "DELETE" button. It is GREYED OUT. No problem though to delete the Adaware program just the other day.
 

Attachment: FW_settings.pdf (87.5 KB)
Look, you have to fix the fan issue.
You've been killing your CPU.
Even running it at 60C you're pushing your luck.
Overheating can cause all kinds of issues, so until that is solved we're not going anywhere else.
 
Very well Broni. I understand your point. Too much heat produces unreliable software issues etc. Ok! The fan starts at the moment at 55 dgr, driving the temp to 43. Looks like the fan
now starts at this level repeatedly. Anyway there are still memory issues.

I have really appreciated your help regarding the infections. Thank you. I would never have managed by myself. (y)
 