Anak, thanks for the step-by-step procedure. I just got in from too much yard work and think I'll wait until tomorrow to begin your suggestions. I am a little concerned about removing Norton 360 since I just paid for a year subscription two months ago. I guess I can always re-install the disk--but then it takes a long time for all the updates to load. Is MSE as thorough as Norton 360?
Richard
MSE is more thorough, seamless to Windows, faster, doesn't cause BSODs, doesn't load the system down, updates almost daily and it's free.
Ken
Your welcome rc, Don't mention yard work mine is going to really start once it warms up.
Depending on the exact time line you might be able to get a refund, see: Norton | Support Orders & Billing Issues click on the "Refund Information" tab in the left panel, then "What is the Norton Refund Policy"?.I am a little concerned about removing Norton 360 since I just paid for a year subscription two months ago.
It looks like it runs from "Money back guarantee" to 30 then 60days, you will have to investigate further.
Please refer to carwiz's post. And, if I may add; we see a lot of situations where these "high powered" anti-malware programs cause more problems than they are worth.Is MSE as thorough as Norton 360?
After reading this: Web Browser Forensics, Part 1 | Symantec Connect Community I decided to check my own system to see if I had any IE5 references on my machine, and I do. Just type/copy/paste Content.IE5 into the Start Orb Search box. Click on the first file, mine was startup.txt and do a find/find next under the Edit menu button for Content.IE5 to see your results.The IE5 activity will have to be investigated.
With me it is associated with C:\Windows\system32\pcalua.exe -a C:\Users\Your User Name\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\
pcalua.exe -a is the important part, and the -a means attributesI have found IE5 elsewhere and it is always associated with C:\Users\Your User Name\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\, and all of these files were empty.pcalua.exe is the Program Compatibility Assistant. "The Program Compatibility Assistant is an automatic feature of Windows that runs when it detects an older program has a compatibility problem."
Program Compatibility Assistant: frequently asked questions
Source: What does PCALUA.EXE do? - Microsoft Community
Conclusion IMO:
- Windows 7 was designed for backward compatibility and it is using IE5 as a base.
- Your son may have had old(er) programs on the Asus just as I have/had on my machine.
- Norton in its paranoia; notice pid4 is associated with some of Norton, IE5 errors which could mean poorly written web pages, and the present usage of your current browser, Norton is scanning these files.
- You haven't mentioned it, but I would imagine N360 has real-time-scanning (RTS), and it is running?
- Using MSE that also has RTS my system shows no such activity, and my HDD is quiet.
- I'm assuming you Disabled Norton on the Asus. That alone doesn't mean its stopped, did you stop all of Nortons services?
- Norton is behind your busy HDD.
Is your "older machine" and the Compaq one and the same? Did you have Norton on it/them?
This is a better link if you're still interested in: Running the Norton Removal Tool
Steve
Anak,
I couldn't figure out how you managed to put previous comments in boxes, so you could address them individually. I tried using 'Multi', but nothing happened. So, I'll just put yours in italics and respond.
As stated before, the pid's are changing dynamically there is nothing to worry about. I'll will look at your pid4's
jimbo has some valid points especially about moving over to MSE If you do change to MSE use this Norton removal tool then install MSE. You can uninstall Norton from programs and features in Control Panel then use the removal tool to get the scraps.
I used the Norton Removal tool, restarted, then installed MSE. No change in activity or noise.
This https://www.sevenforums.com/tutorials...ndows-7-a.html tutorial will help, for now concentrate on #'s 3-Startups and 7- process monitor for now.
Before you disable any startups remove Norton, and install MSE do all the necessary reboots. then take a snip of the startups in msconfig. as shown how to get there in step 3.
We can then advise which ones to disable.
In step #3, it says "uncheck everything in msconfig>startup except AV:" There were several items in startup--but only two were checked:
1) Microsoft Security Client (Is that what they mean by AV?)
2) ISUSPM
So is it even necessary that I complete step 3? Past experience in making changes has not worked out favorably for the most part.
See if that calms your machine down, but I still want you to download/install and run process monitor in step #7 and take a snip of that.
Step #7 process monitor--the link to download always says 'webpage cannot be found'. After several attempts I quit trying.
Is your "older machine" and the Compaq one and the same? Did you have Norton on it/them?
Yes the older machine is a Compaq and I had Norton 360 on it as well. No reading/writing noises on it--unless there was an obvious reason.
Just type/copy/paste Content.IE5 into the Start Orb Search box.
Don't know what the Start Orb Search box refers to. When I type 'Content.IE5' in my Start>Search box it just points me back to this forum.
I really appreciate all the time and effort you folks are spending on this issue--but so far nothing has changed.
That's okay rc, it can get a little complicated, so I'm working up a tutorial to show you later.
Your questions from previous post are in green, my replies are black. I omitted some of your replies/questions and just answered, but still followed the intent of your reply.
Okay, on the changeover from Norton to MSE.
For; several items in startup--but only two were checked:
1) Microsoft Security Client (Is that what they mean by AV?)
2) ISUSPM
1) Leave the Microsoft Security Client checked, and yes that is what it means by AV (Anti-virus).
2.)You can either leave it or uncheck ISUSPM. It's usage is explained here: ISUSPM Startup - ISUSPM.exe - Program Information
So is it even necessary that I complete step 3? If you uncheck #2 you will at least have to reboot to make sure the change "took".
If you leave it, no, you don't have to finish step 3.
Step #7 process monitor--the link to download always says 'webpage cannot be found'. After several attempts I quit trying.
Strange, it works for me. What browser are you using?
This is the same link, try it from here: https://blogs.technet.com/b/askperf/...edirected=true
Do you still have, and use the Compaq?
The Start OrbSearch box is exactly what you used, just different terminology.
The problem with not being able to complete the link to Process Monitor, and the continued HDD activity has me a little concerned, as we need that process monitor.
Have you ran a Full scan with MSE yet? If not do so. Follow the removal process if it does find anything.
Even if you have or if MSE hasn't found anything, I would like you to download and install the free versions of Malwarebytes, and Superantispyware If either asks you if you want to try their paid trials say no and continue the installations.
Check that both are up to date, then run full scans. Follow the removal process's if they do find anything, and post results, good or bad in next reply.
Steve,
Step #7 process monitor--the link to download always says 'webpage cannot be found'. After several attempts I quit trying.
Strange, it works for me. What browser are you using? IE9.
This is the same link, try it from here: https://blogs.technet.com/b/askperf/...edirected=true
I follow the link to "Troubleshooting with Process Monitor" but when I try step #1--'Download Process Monitor', it says the webpage cannot be found. HTTP 400. I've tried several times.
Do you still have, and use the Compaq? I'm keeping it as a back up--but it is older, slower, has less RAM, and a low quality video card. But, it still does well on Excel and Word and email--a lot of what I use computers for!
The Start Orb
The problem with not being able to complete the link to Process Monitor, and the continued HDD activity has me a little concerned, as we need that process monitor.
Have you ran a Full scan with MSE yet? If not do so. Follow the removal process if it does find anything.
I've only run a Quick scan. I'll start a full scan when I'm done with this post. I don't suppose it matters that I perform the full scan prior to obtaining the Process Monitor.
Even if you have or if MSE hasn't found anything, I would like you to download and install the free versions of Malwarebytes, and Superantispyware If either asks you if you want to try their paid trials say no and continue the installations.
I'll try those after the full scan.
Check that both are up to date, then run full scans. Follow the removal process's if they do find anything, and post results, good or bad in next reply.[/QUOTE]
Okay, it happened to me. here is the monitor's utility page, see if you can download it from there, it'll be right at the top of the page: Process Monitor then you can still use the troubleshooter guide.
I'll mention this to the tutorial writer greg.
No it doesn't matter, but if you have any malware it would be better to clean before running the monitor.
Well, I ran the full scan with MSE. It took a while to scan over one million items, but found 'no threats'.
I ran Malwarebyte full scan and 1 object was detected (Trojan.Dropper) and eliminated.
Finally I ran SuperAntiSpyware full scan and it found and eliminated 89 tracking cookies.
I saved the screen dumps of the results as well as the SuperAntiSpyware scan log--although I don't see
what help they could be.
I don't believe those actions have had any effect on the noise/activity level so far.
This took several hours and I think I'll quit for the night. I'll try to download the Process Monitor when I get home tomorrow afternoon.
Thanks,
Richard
Okay with the MSE scan. You do have the Real-Time-Scanner turned on don't you?
That Trojan.Dropper is pretty serious, is your son a gamer?
Even though this is a report on Tarcloin, all droppers act the same way. You may want to advise your son to check his new machine, and to be careful what he downloads.TrojanDropper:Win32/Tarcloin is a trojan dropper that stealthily installs BitCoin mining applications onto your computer.
The trojan dropper is a game launcher for games including The Sims 3 and Assassin's Creed III, but also silently drops Trojan:Win32/Tarcloin.A, Trojan:Win32/Tarcloin.B and Trojan:Win32/Tarcloin.A!cfg onto your computer.
Your computer may perform extremely slowly, and may report high CPU usage in the Windows Task Manager (right-click the Taskbar and select Task Manager, then select the Performance tab)
Source: Encyclopedia entry: TrojanDropper:Win32/Tarcloin - Learn more about malware - Microsoft Malware Protection Center
That's normal for Superantispyware (SAS) to catch a high amount of tracking cookies. A tool that I have found to be useful is: SpywareBlaster by Brightfort it will help control those cookies, and more.
All four of these tools are free, but except for MSE, the last three only run when you want them to (on-demand).
Because we found one Trojan, I would like you to run: How to remove malware belonging to the family Rootkit.Win32.TDSS (aka Tidserv, TDSServ, Alureon)? | TDSKiller
Follow removal instructions if anything is found.
~ ~~ ~~~ ~~~ ~~ ~
At this point I would like you to run a SFC /scannow to check your system files. Use Option One or Option Two; Steps one and two.
If any integrity violations are found, but SFC could not repair all, reboot machine and run again, run at least three times to repair.
If at this point SFC still can't repair all files go to Option Three, create and post the .CBS log.
A forced Defrag would also be a good move: Disk Defragmenter - Open and Use Option one, step 4 or Option Two or Three.
Try to D/L Process Monitor and let it run to observe.
You could also take a break here and run the machine for a few days to see if it has calmed down.
~ ~~ ~~~ ~~~ ~~ ~
In searching for Trojan Dropper removal tools I found this well laid out plan of attack: How do I remove the Trojan.Dropper/SVCHost-Fake.Process - Microsoft Community
The next ones you could try and stand out to me are HitmanPro, Privex, and Nortons Power Eraser all the links are in that thread.
~ ~~ ~~~ ~~~ ~~ ~
Your situation is similar to what I had to go through with my niece's laptop only hers was worse. If we can't get yours to calm down we may have to do a System Recovery for your Asus.
This is The Support Page for the CM1630
This is The Download Page for the CM1630
How to do a System Recovery for Asus CM1630:
- Use the Download link to retrieve the manual.
- You will have to select the OS you have (32bit or 64bit) to proceed.
- Go to the bottom and click on Manual.
- Scroll down to the next to last entry for CM1630 user's manual(English) click on the Global link, and save .zip file to convenient location (Desktop?), I scanned my copy for malware, MBAM didn't find any. I did not use the Global (DLM) because Asus wanted me to also D/L a manager that I did not want, and you take a risk with D/L'ing malware with P2P.
- Extract File.
- Open PDF and go to Chapter 6: Recovering Your System.
This System Recovery step is only preliminary until we see how your machine is reacting.
Anak,
For MSE, I have the Real-time Protection: On.
I ran the TDSKiller and it found 'no threats'.
I ran SFC /scannow from an Elevated Command Prompt (never heard about it before) and it said 'Windows Resource Protection did not find any integrity violations'.
Then I scheduled and ran scandisk. No issues.
Then I ran disk defrag even though it only was 2% fragmented.
Yes, my son seemed to constantly be playing online games--and he always had the computer running.
Thanks for all the help. I think I'll call it a day and review your other suggestions tomorrow.
Richard
Quote