71 processes at idle / computer slow - what's wrong?


  1. Posts : 108
    7 Pro 64
    Thread Starter
       #11

    Devlin1888 said:
    Please download Junkware Removal Tool to your desktop.
    The only thing I recognize in there is Ixquick, which I want. It's a non-tracking non-spying alternative to Google search.




    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    Junkware Removal Tool (JRT) by Thisisu
    Version: 6.1.0 (01.07.2014:1)
    OS: Windows 7 Professional x64
    Ran by R on Mon 02/03/2014 at 18:43:13.86
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~




    ~~~ Services



    ~~~ Registry Values



    ~~~ Registry Keys

    Successfully deleted: [Registry Key] HKEY_CURRENT_USER\Software\conduit
    Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\caphyon
    Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\conduit
    Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Microsoft\Tracing\au__rasapi32
    Successfully deleted: [Registry Key] HKEY_LOCAL_MACHINE\Software\Microsoft\Tracing\au__rasmancs



    ~~~ Files



    ~~~ Folders



    ~~~ FireFox

    Successfully deleted: [File] C:\Users\R\AppData\Roaming\mozilla\firefox\profiles\cx93p3fq.default\extensions\searchy@searchy.xpi
    Successfully deleted: [Folder] C:\Users\R\AppData\Roaming\mozilla\firefox\profiles\cx93p3fq.default\extensions\staged
    Successfully deleted the following from C:\Users\R\AppData\Roaming\mozilla\firefox\profiles\cx93p3fq.default\prefs.js

    user_pref("browser.search.defaultenginename", "Ixquick HTTPS");
    user_pref("browser.search.selectedEngine", "Ixquick HTTPS");
    Emptied folder: C:\Users\R\AppData\Roaming\mozilla\firefox\profiles\cx93p3fq.default\minidumps [369 files]



    ~~~ Event Viewer Logs were cleared





    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    Scan was completed on Mon 02/03/2014 at 18:48:00.08
    End of JRT log
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


  2. Posts : 1,413
    Windows 7 Home Premium 64Bit
       #12

    Conduit is a webpage hijacker. Adwcleaner and JRT specialize in the removal of this and programs that are similar, as well as many other things. Conduit is typically installed by the user when they click "Express" install instead of "Custom". Clicking custom allows you to choose which programs to install that come with the one you originally wanted.

    Also removed some others similar to conduit.

    As for Ixquick.com, read here: http://forums.anvisoft.com/viewtopic-53-4463-0.html

    I'll post back in a few minutes with some other programs to run.
    Cheers

    Also make sure you run the clean/delete part of Adwcleaner


  3. Posts : 1,413
    Windows 7 Home Premium 64Bit
       #13

    I would like you to run RogueKiller; you can get it from here: Download RogueKiller - MajorGeeks

    Same process, run the program and post the results.

    Also, could you run Malwarebytes, which can be downloaded from here: Malwarebytes Anti-Malware - Protect, Detect & Remove Malware From Your PC

    Make sure to download the free version and un-tick the free trial version on offer!

    Run a quick scan and post the results here.

    Thanks


  4. Posts : 1,533
    Windows 7 Professional x64 Service Pack 1
       #14

    Also, to help prevent the installation of unwanted programs when you install a program, download Unchecky: Unchecky - Keeps your checkboxes clear
    Even with this application though, be sure to check which things you want and uncheck the things that you don't.


  5. Posts : 108
    7 Pro 64
    Thread Starter
       #15

    Devlin1888 said:
    Also make sure you run the clean/delete part of Adwcleaner
    Does JRT remove things, or only find them? (I understand that ADW has separate buttons for finding and removing things but I'm not clear on JRT.)

    The Ixquick issue is complicated and may need its own separate thread. I do not believe it is hijacking or redirecting. It is recognized as one of the top two non-tracking non-spying search providers, the other being Duckduckgo. (Ixquick and Startpage.com are sister pages from the same company. One provides Google results - it's their explicit, intended purpose, with Google's permission, the other collates from multiple other engines.)

    It's my default search provider in Firefox. I have had no evidence of redirects or hijacking at all (unusual pop-ups, unintended webpages opening, unfamiliar URLs in the address bar, which I keep visible at all times). I know what redirects look like because I had a redirect problem about 4 years ago on a different computer; I cleaned it out right away.

    Ixquick is listed at Prism-break.org, a directory of privacy-protecting (NSA-resistant) applications and services with extremely rigorous standards that has been covered in international media. Very few products of any kind - and none that are proprietary - meet their requirements. (That rules out all of Microsoft, Google and Apple. The site discourages people from using Windows altogether.)

    See Ixquick's discussion of privacy issues here (and other information like full names, bios, photos and contact information of company officers, which I don't think I've seen for any computer product ever.)


    As for the hijacking issue - if you search for 'ixquick redirect', the results apart from anvisoft are at very shady looking sites from places like Lithuania and Brazil, with names like yac.mx and 60boy.com. Something's fishy if those are top results for removing a browser hijacker, and the absence of familiar PC help, news, or cleanup sites should raise flags. Even more suspicious is that those two sites are identical, with different URLs leading to identical pages.

    Still, if conclusive information turns up, I could be convinced otherwise. I'm not saying there isn't a malicious Ixquick redirect out there. (Personally, I find it more plausible that some rogue hacker or even someone secretly backed by Google is behind the redirect, than that the operation is an elaborate scam that has fooled not only Prism-break but also the Netherlands Data Protection Authority at which Ixquick is registered.... but this is purely opinion.)


    Coverage of Ixquick ----------------------------------

    http://www.theguardian.com/technolog...es-2013-google


    Dutch search engine ignores IP addresses • The Register

    Scroogle's Gone? Here's Who Still Offers Private Searching

    Search Engines Ixquick & StartPage Double Up On Security Measures With 2 New Encryption Standards

    Startpage and Ixquick search engines improve user privacy further | Ghacks (This is one person's own tech blog that I have been following for years)

    Shady-looking virus-removal sites ----------------------------

    http://www.yac.mx/en/guides/virus-gu...val-guide.html

    A guide on how to delete/remove Ixquick.com Redirect (Removal Instructions)
    Last edited by catalogue; 04 Feb 2014 at 11:15.


  6. Posts : 108
    7 Pro 64
    Thread Starter
       #16

    Devlin1888 said:
    I would like you to run Rogue killer...
    Many thanks for all this help. I will do these things. I try to be super-vigilant about always, always choosing 'Custom' installs and unchecking anything suspicious, but of course something could have slipped through at some point.

    I already have Malwarebytes - the free version which only scans when you tell it to (i.e. 'manually'). If I understand correctly only the paid version monitors continually and does automatic scheduled scans.

    I read somewhere that the free version is adequate if you run it every week or two and also have MS Security Essentials, which I do.


  7. Posts : 108
    7 Pro 64
    Thread Starter
       #17

    RogueKiller log


    Two things don't show up in the log:

    - List of browser extensions, which shows a few that I removed some time ago. Apparently Firefox didn't completely delete them.
    - MBR section which I pasted at the end. It says "Invalid partition table.Error loading operating system.Missing operating system".
    ------------------------------------------------------------------
    RogueKiller V8.8.3 _x64_ [Jan 24 2014] by Tigzy
    mail : tigzyRK<at>gmail<dot>com
    Feedback : http://www.adlice.com/forum/
    Website : RogueKiller download
    Blog : Adlice Software | malware analysis

    Operating System : Windows 7 (6.1.7601 Service Pack 1) 64 bits version
    Started in : Normal mode
    User : R [Admin rights]
    Mode : Scan -- Date : 02/04/2014 11:27:35
    | ARK || FAK || MBR |

    ¤¤¤ Bad processes : 0 ¤¤¤

    ¤¤¤ Registry Entries : 16 ¤¤¤
    [HJ POL][PUM] HKCU\[...]\System : DisableTaskMgr (0) -> FOUND
    [HJ POL][PUM] HKCU\[...]\System : DisableRegistryTools (0) -> FOUND
    [HJ POL][PUM] HKLM\[...]\System : ConsentPromptBehaviorAdmin (0) -> FOUND
    [HJ POL][PUM] HKLM\[...]\System : EnableLUA (0) -> FOUND
    [HJ POL][PUM] HKLM\[...]\Wow6432Node\[...]\System : ConsentPromptBehaviorAdmin (0) -> FOUND
    [HJ POL][PUM] HKLM\[...]\Wow6432Node\[...]\System : EnableLUA (0) -> FOUND
    [HJ SMENU][PUM] HKCU\[...]\Advanced : Start_ShowMyGames (0) -> FOUND
    [HJ SMENU][PUM] HKCU\[...]\Advanced : Start_TrackProgs (0) -> FOUND
    [HJ DESK][PUM] HKCU\[...]\ClassicStartMenu : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND
    [HJ DESK][PUM] HKCU\[...]\ClassicStartMenu : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND
    [HJ DESK][PUM] HKCU\[...]\ClassicStartMenu : {645FF040-5081-101B-9F08-00AA002F954E} (1) -> FOUND
    [HJ DESK][PUM] HKCU\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND
    [HJ DESK][PUM] HKCU\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND
    [HJ DESK][PUM] HKCU\[...]\NewStartPanel : {645FF040-5081-101B-9F08-00AA002F954E} (1) -> FOUND
    [HJ DESK][PUM] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND
    [HJ DESK][PUM] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND

    ¤¤¤ Scheduled tasks : 0 ¤¤¤

    ¤¤¤ Startup Entries : 0 ¤¤¤

    ¤¤¤ Web browsers : 0 ¤¤¤

    ¤¤¤ Browser Addons : 0 ¤¤¤

    ¤¤¤ Particular Files / Folders: ¤¤¤

    ¤¤¤ Driver : [NOT LOADED 0x0] ¤¤¤

    ¤¤¤ External Hives: ¤¤¤

    ¤¤¤ Infection : ¤¤¤

    ¤¤¤ HOSTS File: ¤¤¤
    --> %SystemRoot%\System32\drivers\etc\hosts




    ¤¤¤ MBR Check: ¤¤¤

    +++++ PhysicalDrive0: (\\.\PHYSICALDRIVE0 @ IDE) ST9500420AS +++++
    --- User ---
    [MBR] 856421149ca2309c05c09135b46c396f
    [BSP] 55809368190c9f11845a881640868884 : Windows 7/8 MBR Code
    Partition table:
    0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 2048 | Size: 1200 Mo
    1 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 2459648 | Size: 459738 Mo
    2 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 944003072 | Size: 16000 Mo
    User = LL1 ... OK!
    User = LL2 ... OK!

    Finished : << RKreport[0]_S_02042014_112735.txt >>

    ------------------------------------------------------------------------

    MBR SECTION:


    ¤¤¤ MBR Check: ¤¤¤

    +++++ PhysicalDrive0: ST9500420AS +++++
    --- User ---
    [MBR] 856421149ca2309c05c09135b46c396f
    [BSP] 55809368190c9f11845a881640868884 : Windows 7/8 MBR Code
    Partition table:
    0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 2048 | Size: 1200 Mo
    1 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 2459648 | Size: 459738 Mo
    2 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 944003072 | Size: 16000 Mo


    User = LL1 ... OK!
    User = LL2 ... OK!
    --------------------------------------------------
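
An added example, not part of the original posts and not RogueKiller's own code: a small parser for the report's "Registry Entries" lines that separates the UAC-related values (EnableLUA and ConsentPromptBehaviorAdmin set to 0) from entries that only record the presence of a policy or display value. The triage rules, levels and function names are assumptions of this example.

```python
import re

# Lines in the format of the "Registry Entries" section of the RogueKiller
# report quoted above; the "[...]" path elisions are as the tool printed them.
SAMPLE = r"""
[HJ POL][PUM] HKCU\[...]\System : DisableTaskMgr (0) -> FOUND
[HJ POL][PUM] HKLM\[...]\System : ConsentPromptBehaviorAdmin (0) -> FOUND
[HJ POL][PUM] HKLM\[...]\System : EnableLUA (0) -> FOUND
[HJ SMENU][PUM] HKCU\[...]\Advanced : Start_TrackProgs (0) -> FOUND
[HJ DESK][PUM] HKCU\[...]\NewStartPanel : {645FF040-5081-101B-9F08-00AA002F954E} (1) -> FOUND
"""

ENTRY = re.compile(
    r"^\[(?P<cat>[^\]]+)\]\[(?P<kind>[^\]]+)\]\s+(?P<key>\S+) : "
    r"(?P<name>\S+) \((?P<data>[^)]*)\) -> (?P<status>\w+)$"
)

# Triage rules (this example's assumption, not RogueKiller's own scoring):
# (value name, data) -> why a defender should look at it.
REVIEW = {
    ("EnableLUA", "0"): "UAC is switched off",
    ("ConsentPromptBehaviorAdmin", "0"): "admins elevate without a prompt",
    ("DisableTaskMgr", "1"): "Task Manager is blocked by policy",
    ("DisableRegistryTools", "1"): "registry editing is blocked by policy",
}

def triage(report):
    """Return (level, hive, value name, data, note) for every parsed entry."""
    rows = []
    for line in report.splitlines():
        m = ENTRY.match(line.strip())
        if not m:
            continue  # section headers, blank lines, other report sections
        hive = m["key"].split("\\", 1)[0]
        note = REVIEW.get((m["name"], m["data"]))
        if note:
            level = "review"
        elif m["cat"] == "HJ POL":
            level, note = "info", "policy value present, data not in the review list"
        else:
            level, note = "info", "Start menu / desktop display setting"
        rows.append((level, hive, m["name"], m["data"], note))
    return rows

if __name__ == "__main__":
    for row in triage(SAMPLE):
        print("%-6s %-4s %s = %s  (%s)" % row)
```
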
Windows 7 Forums is an independent web site and has not been authorized, sponsored, or otherwise approved by Microsoft Corporation. "Windows 7" and related materials are trademarks of Microsoft Corp.
