Hard drive constantly read/writing

Anak, thanks for the step-by-step procedure. I just got in from too much yard work and think I'll wait until tomorrow to begin your suggestions. I am a little concerned about removing Norton 360 since I just paid for a year subscription two months ago. I guess I can always re-install the disk--but then it takes a long time for all the updates to load. Is MSE as thorough as Norton 360?

Richard
 

My Computer My Computer

Computer type
PC/Desktop
Computer Manufacturer/Model Number
Asus CM1630
OS
Windows 7 Home Premium
CPU
AMD Phenom II X4 830
Memory
10 GB
Antivirus
Norton 360
Browser
IE 9
MSE is more thorough, seamless to Windows, faster, doesn't cause BSODs, doesn't load the system down, updates almost daily and it's free.

Ken
 

My Computer My Computer

Computer type
PC/Desktop
Computer Manufacturer/Model Number
Built 2/11/2011
OS
Windows 7 Pro-x64
CPU
i7-2600 3.4GHz - 3.8GHz Turbo
Motherboard
Intel DH67BL-B3
Memory
8Gb - 2x4GB, Muskin 991770 PC3-1333
Graphics Card(s)
Integrated Intel HD 2000
Sound Card
Integrated Intel 10.1 HD, RealTek ALC892
Monitor(s) Displays
Asus LCD VH222H, Haier HL24XSL2a
Screen Resolution
1920x1080, 1920x1080
Hard Drives
Crucial SSD C300-128Gb,
Western Digital WD5002AALX - 500Gb,
Western Digital WD7501AALS - 750Gb
PSU
Seasonic 650W 80+ Gold Modular
Case
Rosewill Defender
Cooling
Stock CPU, Four 120mm case fans, PCH fan added
Keyboard
Logitech EX100 Y-RBH94 Wireless
Mouse
Logitech EX100 M-RCE95 Wireless
Internet Speed
3.0/1.5 Mbs
Antivirus
Microsoft Security Essentials
Browser
Microsoft Internet Explorer 11
Other Info
Antec Veris Premier-Multimedia IR Station,
Cyber Accoustics-3602 Speakers,
AFT XM-5U Card Reader,
Hauppauge TV-HVR-2250,
Sony LX300 USB Turntable
You're welcome rc. Don't mention yard work, mine is going to really start once it warms up. :p

I am a little concerned about removing Norton 360 since I just paid for a year subscription two months ago.
Depending on the exact time line you might be able to get a refund, see: Norton | Support Orders & Billing Issues click on the "Refund Information" tab in the left panel, then "What is the Norton Refund Policy?"

It looks like it runs from "Money back guarantee" to 30 then 60 days, you will have to investigate further.

Is MSE as thorough as Norton 360?
Please refer to carwiz's post. And, if I may add; we see a lot of situations where these "high powered" anti-malware programs cause more problems than they are worth.


The IE5 activity will have to be investigated.
After reading this: Web Browser Forensics, Part 1 | Symantec Connect Community I decided to check my own system to see if I had any IE5 references on my machine, and I do. Just type/copy/paste Content.IE5 into the Start Orb Search box. Click on the first file, mine was startup.txt and do a find/find next under the Edit menu button for Content.IE5 to see your results.

With me it is associated with C:\Windows\system32\pcalua.exe -a C:\Users\Your User Name\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\

pcalua.exe -a is the important part, and the -a means attributes
pcalua.exe is the Program Compatibility Assistant. "The Program Compatibility Assistant is an automatic feature of Windows that runs when it detects an older program has a compatibility problem."
Program Compatibility Assistant: frequently asked questions

Source: What does PCALUA.EXE do? - Microsoft Community
I have found IE5 elsewhere and it is always associated with C:\Users\Your User Name\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\, and all of these files were empty.

Conclusion IMO:

  • Windows 7 was designed for backward compatibility and it is using IE5 as a base.
  • Your son may have had old(er) programs on the Asus just as I have/had on my machine.
  • Norton in its paranoia; notice pid4 is associated with some of Norton, IE5 errors which could mean poorly written web pages, and the present usage of your current browser, Norton is scanning these files.
  • You haven't mentioned it, but I would imagine N360 has real-time-scanning (RTS), and it is running?
  • Using MSE that also has RTS my system shows no such activity, and my HDD is quiet.
  • I'm assuming you Disabled Norton on the Asus. That alone doesn't mean it's stopped; did you stop all of Norton's services?
  • Norton is behind your busy HDD.
Is your "older machine" and the Compaq one and the same? Did you have Norton on it/them?

This is a better link if you're still interested in: Running the Norton Removal Tool


Steve
 

My Computer My Computer

Computer type
PC/Desktop
Computer Manufacturer/Model Number
Gateway DX4831-01e (Mid-Tower Desktop)
OS
Originally Win 7 Hm Prem x64 Ver 6.1.7600 Build 7601-SP1 | Upgraded to Windows 10 December 14, 2019
CPU
Intel i3 530 2.93GHz, 2933MHz 2 Cores 4 Logical Processors
Motherboard
Gateway H57M01 133 megahertz
Memory
6GB of 1,333MHz DDR3 SDRAM
Graphics Card(s)
32MB Intel Graphics Media Accelerator HD IGChip
Sound Card
Realtek High Definition Audio
Monitor(s) Displays
Gateway HX2000 20inch TFT active matrix TN
Screen Resolution
1600 x 900 x 59 hertz
Hard Drives
WDC WD10EADS-00M2B0 [HDD] (1000.20 GB) -- drive 0,
HL-DT-ST DVDRAM GH41N [CD-ROM dr]
Four card readers, and Four USB 2.0
PSU
300watts.
Case
Mid-Tower Desktop
Cooling
Stock from Gateway
Keyboard
Natural Ergonomic Keyboard 4000, see Other Info
Mouse
Orig. Gateway wore out now using Insignia USB wired optical
Internet Speed
Vz FIOS 10ms png 57.64Mbps down 65.53Mbps up Speedtest.org
Antivirus
Zamana Anti-logger with Anti-malware, MSE, Windows Firewall,
Browser
IE11.0.9600.19399-Upd ver11.0.135, Firefox 68.0.1 x64
Other Info
System Specs by Belarc.

BIOS: American Megatrends Inc. P01-A0 11/17/2009

Replaced the MS 'Natural' Standard PS/2 Enhanced 101-102 Keyboard with a new Natural Ergonomic Keyboard 4000 on August 1st 2014.

Canon Pixma MG3222 Printer.

Updated to IE11 on 12102015 | Fios Quantum Router g1100

Additional AV: SpywareBlaster, manual Mbam, SAS
Anak,
I couldn't figure out how you managed to put previous comments in boxes, so you could address them individually. I tried using 'Multi', but nothing happened. So, I'll just put yours in italics and respond.

As stated before, the pid's are changing dynamically there is nothing to worry about. I'll look at your pid4's

jimbo has some valid points especially about moving over to MSE. If you do change to MSE use this Norton removal tool then install MSE. You can uninstall Norton from programs and features in Control Panel then use the removal tool to get the scraps.

I used the Norton Removal tool, restarted, then installed MSE. No change in activity or noise.

This http://www.sevenforums.com/tutorials...ndows-7-a.html tutorial will help, for now concentrate on #'s 3-Startups and 7- process monitor for now.

Before you disable any startups remove Norton, and install MSE do all the necessary reboots. then take a snip of the startups in msconfig. as shown how to get there in step 3.
We can then advise which ones to disable.

In step #3, it says "uncheck everything in msconfig>startup except AV:" There were several items in startup--but only two were checked:

1) Microsoft Security Client (Is that what they mean by AV?)
2) ISUSPM

So is it even necessary that I complete step 3? Past experience in making changes has not worked out favorably for the most part.

See if that calms your machine down, but I still want you to download/install and run process monitor in step #7 and take a snip of that.

Step #7 process monitor--the link to download always says 'webpage cannot be found'. After several attempts I quit trying.

Is your "older machine" and the Compaq one and the same? Did you have Norton on it/them?

Yes the older machine is a Compaq and I had Norton 360 on it as well. No reading/writing noises on it--unless there was an obvious reason.

Just type/copy/paste Content.IE5 into the Start Orb Search box.

Don't know what the Start Orb Search box refers to. When I type 'Content.IE5' in my Start>Search box it just points me back to this forum.

I really appreciate all the time and effort you folks are spending on this issue--but so far nothing has changed.
 

That's okay rc, it can get a little complicated, so I'm working up a tutorial to show you later.
Your questions from previous post are in green, my replies are black. I omitted some of your replies/questions and just answered, but still followed the intent of your reply.

Okay, on the changeover from Norton to MSE.

For; several items in startup--but only two were checked:
1) Microsoft Security Client (Is that what they mean by AV?)
2) ISUSPM

1) Leave the Microsoft Security Client checked, and yes that is what it means by AV (Anti-virus).
2) You can either leave it or uncheck ISUSPM. Its usage is explained here:
ISUSPM Startup - ISUSPM.exe - Program Information

So is it even necessary that I complete step 3? If you uncheck #2 you will at least have to reboot to make sure the change "took".
If you leave it, no, you don't have to finish step 3.


Step #7 process monitor--the link to download always says 'webpage cannot be found'. After several attempts I quit trying.

Strange, it works for me. What browser are you using?
This is the same link, try it from here: https://blogs.technet.com/b/askperf...ing-with-process-monitor.aspx?Redirected=true

Do you still have, and use the Compaq?

The Start Orb :orb: Search box is exactly what you used, just different terminology.

The problem with not being able to complete the link to Process Monitor, and the continued HDD activity has me a little concerned, as we need that process monitor.

Have you run a Full scan with MSE yet? If not do so. Follow the removal process if it does find anything.

Even if you have or if MSE hasn't found anything, I would like you to download and install the free versions of Malwarebytes, and Superantispyware. If either asks you if you want to try their paid trials say no and continue the installations.

Check that both are up to date, then run full scans. Follow the removal processes if they do find anything, and post results, good or bad in next reply.
 

Steve,

Step #7 process monitor--the link to download always says 'webpage cannot be found'. After several attempts I quit trying.
Strange, it works for me. What browser are you using? IE9.
This is the same link, try it from here: https://blogs.technet.com/b/askperf...ing-with-process-monitor.aspx?Redirected=true
I follow the link to "Troubleshooting with Process Monitor" but when I try step #1--'Download Process Monitor', it says the webpage cannot be found. HTTP 400. I've tried several times.

Do you still have, and use the Compaq? I'm keeping it as a back up--but it is older, slower, has less RAM, and a low quality video card. But, it still does well on Excel and Word and email--a lot of what I use computers for!

The Start Orb :orb: Search box is exactly what you used, just different terminology.

The problem with not being able to complete the link to Process Monitor, and the continued HDD activity has me a little concerned, as we need that process monitor.

Have you run a Full scan with MSE yet? If not do so. Follow the removal process if it does find anything.
I've only run a Quick scan. I'll start a full scan when I'm done with this post. I don't suppose it matters that I perform the full scan prior to obtaining the Process Monitor.

Even if you have or if MSE hasn't found anything, I would like you to download and install the free versions of Malwarebytes, and Superantispyware. If either asks you if you want to try their paid trials say no and continue the installations.

I'll try those after the full scan.

Check that both are up to date, then run full scans. Follow the removal processes if they do find anything, and post results, good or bad in next reply.
 

Okay, it happened to me. Here is the monitor's utility page, see if you can download it from there, it'll be right at the top of the page: Process Monitor then you can still use the troubleshooter guide.
I'll mention this to the tutorial writer greg.

No it doesn't matter, but if you have any malware it would be better to clean before running the monitor.
 

Okay, it happened to me. Here is the monitor's utility page, see if you can download it from there, it'll be right at the top of the page: Process Monitor then you can still use the troubleshooter guide.
I'll mention this to the tutorial writer greg.

No it doesn't matter, but if you have any malware it would be better to clean before running the monitor.

Well, I ran the full scan with MSE. It took a while to scan over one million items, but found 'no threats'.
I ran Malwarebytes full scan and 1 object was detected (Trojan.Dropper) and eliminated.
Finally I ran SuperAntiSpyware full scan and it found and eliminated 89 tracking cookies.
I saved the screen dumps of the results as well as the SuperAntiSpyware scan log--although I don't see what help they could be.

I don't believe those actions have had any effect on the noise/activity level so far.

This took several hours and I think I'll quit for the night. I'll try to download the Process Monitor when I get home tomorrow afternoon.

Thanks,
Richard
 

Okay with the MSE scan. You do have the Real-Time-Scanner turned on don't you?

That Trojan.Dropper is pretty serious, is your son a gamer?

TrojanDropper:Win32/Tarcloin is a trojan dropper that stealthily installs BitCoin mining applications onto your computer.

The trojan dropper is a game launcher for games including The Sims 3 and Assassin's Creed III, but also silently drops Trojan:Win32/Tarcloin.A, Trojan:Win32/Tarcloin.B and Trojan:Win32/Tarcloin.A!cfg onto your computer.

Your computer may perform extremely slowly, and may report high CPU usage in the Windows Task Manager (right-click the Taskbar and select Task Manager, then select the Performance tab)

Source: Encyclopedia entry: TrojanDropper:Win32/Tarcloin - Learn more about malware - Microsoft Malware Protection Center
Even though this is a report on Tarcloin, all droppers act the same way. You may want to advise your son to check his new machine, and to be careful what he downloads.

That's normal for Superantispyware (SAS) to catch a high amount of tracking cookies. A tool that I have found to be useful is: SpywareBlaster by Brightfort it will help control those cookies, and more.

All four of these tools are free, but except for MSE, the last three only run when you want them to (on-demand).

Because we found one Trojan, I would like you to run: How to remove malware belonging to the family Rootkit.Win32.TDSS (aka Tidserv, TDSServ, Alureon)? | TDSKiller
Follow removal instructions if anything is found.

~ ~~ ~~~ ~~~ ~~ ~

At this point I would like you to run a SFC /scannow to check your system files. Use Option One or Option Two; Steps one and two.
If any integrity violations are found, but SFC could not repair all, reboot machine and run again, run at least three times to repair.
If at this point SFC still can't repair all files go to Option Three, create and post the .CBS log.

A forced Defrag would also be a good move: http://www.sevenforums.com/tutorials/11733-disk-defragmenter-open-use.html Option one, step 4 or Option Two or Three.

Try to D/L Process Monitor and let it run to observe.

You could also take a break here and run the machine for a few days to see if it has calmed down.

~ ~~ ~~~ ~~~ ~~ ~

In searching for Trojan Dropper removal tools I found this well laid out plan of attack: How do I remove the Trojan.Dropper/SVCHost-Fake.Process - Microsoft Community

The next ones you could try and stand out to me are HitmanPro, Privex, and Norton's Power Eraser; all the links are in that thread.

~ ~~ ~~~ ~~~ ~~ ~

Your situation is similar to what I had to go through with my niece's laptop only hers was worse. If we can't get yours to calm down we may have to do a System Recovery for your Asus.

This is The Support Page for the CM1630

This is The Download Page for the CM1630

How to do a System Recovery for Asus CM1630:

  • Use the Download link to retrieve the manual.
  • You will have to select the OS you have (32bit or 64bit) to proceed.
  • Go to the bottom and click on Manual.
  • Scroll down to the next to last entry for CM1630 user's manual(English) click on the Global link, and save .zip file to convenient location (Desktop?), I scanned my copy for malware, MBAM didn't find any. I did not use the Global (DLM) because Asus wanted me to also D/L a manager that I did not want, and you take a risk with D/L'ing malware with P2P.
  • Extract File.
  • Open PDF and go to Chapter 6: Recovering Your System.
This System Recovery step is only preliminary until we see how your machine is reacting.
 

Anak,

For MSE, I have the Real-time Protection: On.

I ran the TDSKiller and it found 'no threats'.

I ran SFC /scannow from an Elevated Command Prompt (never heard about it before) and it said 'Windows Resource Protection did not find any integrity violations'.

Then I scheduled and ran scandisk. No issues.

Then I ran disk defrag even though it only was 2% fragmented.

Yes, my son seemed to constantly be playing online games--and he always had the computer running.

Thanks for all the help. I think I'll call it a day and review your other suggestions tomorrow.

Richard
 

Okay Richard, been a long day for me too.

Park your machine like you like, get back to it when you can and see how it likes being clean.

I remember a time when my Dad (bless his soul), couldn't understand where I was coming from, but he left me room to grow. Parents have a way of knowing....

You're welcome, take your time. It sounds like you might be able to D/L Process Monitor now and let it run to see if it can find anything.

Oh, by the way I'm including a file tellin' about how to do that Multiple Quotes thing, hope it makes sense. I have Libre Office, but you should still be able to open it...

I scanned it for malware before I shipped, and zipped it with 7's zipper so all you should have to do is right click on it and "Extract All", but I wouldn't blame you if you checked it for malware first, there's an old sayin'....
"I know you're my brother, but I'm still goin' to check".
 

Anak,

See if that calms your machine down, but I still want you to download/install and run process monitor in step #7 and take a snip of that.

The newest link to Process Monitor worked fine. It is 'showing' over 2,000,000 events--but I have no clue what I am looking at or looking for. Should I even be online while it is running? A lot of the processes seemed to involve Internet Explorer. You mentioned taking a snip of it--but I don't know what to take a snip of?

Thanks,
Richard
 

It depends if you need to be online or not. When do you notice the increased HDD activity?

A snip would be counter-productive, instead:
If online run Process Monitor (PM) while online and save the report/file as .csv
If idling run PM while offline and nothing else open, save file as .csv
In either case .zip the .csv file before uploading.

PM!.jpg
Have all activity buttons pressed as in area 1
Then save at area 2

   Information
When Save dialog opens:
Leave Events to Save: as is.
Under Format: click on the Comma separated values (csv) radio button.
Select destination (Desktop?)
Click OK.

To zip a File or Folder:
Right click on file.
Go to "Send To" then select Compressed (zipped) folder.
.zip folder is usually created near original file/folder.

Be advised, the .csv file will be approximately 20 to 30MB, zipped 1.5MB
Mine was 24.3, and 1.4 respectively


To compare your 2M; I'm running online creating this post with FireFox (FF) open to three tabs and I'm at 1.4M.
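
An added example, not part of the original posts: one way to read the Process Monitor .csv export described above is to total the successful ReadFile/WriteFile bytes per process, which shows who is driving the disk. It assumes Process Monitor's default CSV columns and the `Length:` value in the Detail column; the sample rows and the function names are constructed for illustration.

```python
import csv
import re
from collections import Counter, defaultdict

# Constructed sample rows in Process Monitor's default CSV column order.
# Paths, PIDs and sizes are made up for illustration.
SAMPLE_CSV = r'''"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:15:01.1000000","System","4","WriteFile","C:\$LogFile","SUCCESS","Offset: 1,024, Length: 4,096, Priority: Normal"
"10:15:01.2000000","MsMpEng.exe","812","ReadFile","C:\Users\Example\Downloads\setup.exe","SUCCESS","Offset: 0, Length: 65,536, Priority: Normal"
"10:15:01.3000000","MsMpEng.exe","812","ReadFile","C:\Users\Example\Downloads\setup.exe","SUCCESS","Offset: 65,536, Length: 65,536, Priority: Normal"
"10:15:01.4000000","iexplore.exe","2300","WriteFile","C:\Users\Example\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat","SUCCESS","Offset: 0, Length: 16,384, Priority: Normal"
"10:15:01.5000000","iexplore.exe","2300","RegQueryValue","HKCU\Software\Example\Setting","SUCCESS","Type: REG_DWORD, Length: 4, Data: 0"
"10:15:01.6000000","iexplore.exe","2300","ReadFile","C:\Users\Example\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat","END OF FILE","Offset: 16,384, Length: 4,096"
"10:15:01.7000000","System","4","WriteFile","C:\$Mft","SUCCESS","Offset: 0, Length: 4,096, Priority: Normal"
'''

# Only these operations move file data; map each to the counter it feeds.
FILE_IO_OPS = {"ReadFile": "read_bytes", "WriteFile": "written_bytes"}
# Detail prints sizes with thousands separators, e.g. "Length: 65,536".
LENGTH_RE = re.compile(r"Length:\s*(\d+(?:,\d{3})*)")


def summarize(lines, top_paths=3):
    """Total successful file reads/writes per (process, PID), busiest first.

    `lines` is any iterable of CSV lines, so a large export can be streamed
    from an open file instead of being loaded into memory.
    """
    stats = defaultdict(lambda: {"events": 0, "read_bytes": 0,
                                 "written_bytes": 0, "paths": Counter()})
    for row in csv.DictReader(lines):
        field = FILE_IO_OPS.get(row.get("Operation"))
        if field is None or row.get("Result") != "SUCCESS":
            continue  # skip registry/network events and failed or EOF reads
        match = LENGTH_RE.search(row.get("Detail") or "")
        nbytes = int(match.group(1).replace(",", "")) if match else 0
        entry = stats[(row["Process Name"], row["PID"])]
        entry["events"] += 1
        entry[field] += nbytes
        entry["paths"][row["Path"]] += nbytes

    report = []
    for (name, pid), entry in stats.items():
        report.append({
            "process": name,
            "pid": pid,
            "events": entry["events"],
            "read_bytes": entry["read_bytes"],
            "written_bytes": entry["written_bytes"],
            "top_paths": entry["paths"].most_common(top_paths),
        })
    # Largest total I/O first; process name breaks ties so output is stable.
    report.sort(key=lambda r: (-(r["read_bytes"] + r["written_bytes"]),
                               r["process"]))
    return report


def summarize_file(path, top_paths=3):
    """Run summarize() over a saved export without reading it all at once."""
    # utf-8-sig drops a byte-order mark if the export starts with one.
    with open(path, newline="", encoding="utf-8-sig") as handle:
        return summarize(handle, top_paths)


if __name__ == "__main__":
    for item in summarize(SAMPLE_CSV.strip().splitlines()):
        print("{process} (PID {pid}): {events} events, "
              "{read_bytes} B read, {written_bytes} B written".format(**item))
        for path, nbytes in item["top_paths"]:
            print("    {:>10} B  {}".format(nbytes, path))
```
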
 

OK Anak, I let the Process Monitor run for hours while I was outside working. I had closed the other windows and I don't know if it was ever going to quit. It seemed to stay at 82% for a long, long time even though the number of events continued to go up. When I finally needed the computer, I stopped the Monitor and saved it--over 8 million events and a 815 MB logfile. It zipped to 55 MB--but I'm not sure what the size limitation is for uploading to the forum. I'm unclear what the Process Monitor was doing and why it never seemed to complete its scan. It looked like it would continue to find more events as long as it was running. Anyway, do you still want the file even though it is incomplete and really large?

Thanks
 

It only completes when you stop it.

55MB is too large, if you go to the area where you upload attachments it shows you the size limitations, and for .zip it is 8.3MB.

Just let it run at idle for a half hour, stop, see what the file size is, and if it's under the limit .zip and ship.

EDIT:
I'm not sure if we discussed this before, but I would like to see a snip of your Startup Programs.

Follow this tutorial: http://www.sevenforums.com/tutorials/1401-startup-programs-change.html
Use Method Three or Method Five if you have CCleaner then take your snip.

It will allow us to see if there are any programs that do not need to run at startup.
Reference: Black Viper’s Windows 7 Service Pack 1 Service Configurations | Black Viper | www.blackviper.com
 
Anak,

OK, after fourth attempt I got a reasonable size .zip file. Hope it makes sense to somebody. Every time I ran Process Monitor, it seemed to generate a completely different set of events. View attachment 261925

As far as the snip of Startup Programs, I just used msconfig to get a list. Hope that's what you wanted.
startup.jpg

Thanks,
Richard
 

The startup snip was okay Richard, but I kept finding references to potentially masked rootkit files in process monitor.

In order to cut your losses trying to figure this out, and even if we did, that Asus wouldn't be right for all that had to be removed from it, I would suggest doing the System Recovery.

The only thing I would save from it would be any personal data you have created on it.
If you have programs that need product keys, use Belarc and/or Speccy to retrieve them.


Quote from my earlier post:
Your situation is similar to what I had to go through with my niece's laptop only hers was worse. If we can't get yours to calm down we may have to do a System Recovery for your Asus.

This is The Support Page for the CM1630

This is The Download Page for the CM1630

How to do a System Recovery for Asus CM1630:

  • Use the Download link to retrieve the manual.
  • You will have to select the OS you have (32bit or 64bit) to proceed.
  • Go to the bottom and click on Manual.
  • Scroll down to the next-to-last entry for CM1630 user's manual (English), click on the Global link, and save the .zip file to a convenient location (Desktop?). I scanned my copy for malware; MBAM didn't find any. I did not use the Global (DLM) because Asus wanted me to also D/L a manager that I did not want, and you take a risk of D/L'ing malware with P2P.
  • Extract File.
  • Open PDF and go to Chapter 6: Recovering Your System.
 
Anak,
I downloaded the CM1630 manual and read Chapter 6. Could you explain a little bit about what happens with System Recovery? Will I have to re-install all my software again? Microsoft Office, games, A/V, etc? I'm trying to determine how much effort it's going to require after the Recovery so I can decide the best time to schedule it.

Thanks,
Richard
 

Anak,
Are there any security or privacy issues in having that Process Monitor logfile posted? Should access to it be disabled since you have reviewed it?
Thanks,
Richard
 

Anak,
I downloaded the CM1630 manual and read Chapter 6. Could you explain a little bit about what happens with System Recovery? Will I have to re-install all my software again? Microsoft Office, games, A/V, etc? I'm trying to determine how much effort it's going to require after the Recovery so I can decide the best time to schedule it.
Yes.


I don't know who purchased or used the machine first, but it sounds like your son did in post #19:
I just got this ASUS system a couple months ago from my son (when he decided to go for a Mac)
So you wouldn't be able to recall what it was like when your son first fired it up.
The Recovery Partition contains all the original software that Asus installed including the Operating System (OS).

If you go to: https://www.asus.com/Desktops/Essentio_CM1630/#specifications and scroll to the bottom you will see Software, and Utilities that are included in the recovery.
Some of this software is bloatware and you really don't need it if you already use something different.
Some of the utilities may not be needed.

What you will need to do is save any personal data you have created on it, and for any programs you installed that need product keys, use Belarc and/or Speccy to retrieve them.
If you have disks for the programs, that's good.
If you downloaded (D/L) any, I hope you saved them in a special D/L folder; copy them also, but scan them for malware before you reinstall, especially if you got anything from your son. You wouldn't want to reload anything bad. You would have to reload Malwarebytes again to do that.

What a System Recovery will do is first clean the HDD by formatting the HDD which means erasing everything on the HDD.

Then it will rebuild your HDD to its original condition, including the recovery drive.

It should look like the sample picture on page 6-16 in the manual.

Time varies, but should take less than 45 minutes from start to finish.

EDIT:
That 45 minutes is just for the recovery; figure maybe 15 to 30 minutes extra for any additional programs.



Anak,
Are there any security or privacy issues in having that Process Monitor logfile posted? Should access to it be disabled since you have reviewed it?
Thanks,
Richard
There are some SIDs and registry IDs, but these are usually unique to each machine. The only way to disable the log is to remove it.

To give you peace of mind go back to post #36 and click on edit, then the Go Advanced button, you will be taken to the reply editor.

Scroll down to where you attach files, you will see a Manage Attachments button, click on that.
When the next box opens you will see your file Logfile.zip with a remove button to the right. Click on that, give it a few seconds, and it should be gone.

If you go back to your post you will see , if you want to clean up your post cut everything from the far left to far right bracket otherwise it will show in the saved post.


Please post back any further questions you may have before starting, and any after you've done the recovery i.e. removing bloatware, adding antivirus/malware products, anything.


Steve
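
As an added illustration of the point about SIDs in a shared Process Monitor log (not part of the thread or any poster's own code): a sketch that pseudonymises account SIDs and user-profile folder names in a Procmon CSV export before it is attached to a public post. The CSV export, the column layout of the constructed sample, and the profile-name redaction (which goes beyond the SIDs mentioned above) are assumptions.

```python
import csv
import io
import re

# Account SIDs (S-1-5-21-<machine id>-<RID>), as seen under HKU\ in registry paths.
SID_RE = re.compile(r"S-1-5-21(?:-\d+){3,4}", re.I)
# Profile folder name in C:\Users\<name>\... (or the XP-style location).
PROFILE_RE = re.compile(r'([A-Z]:\\(?:Users|Documents and Settings)\\)([^\\"]+)', re.I)
SHARED_PROFILES = {"public", "default", "default user", "all users"}

# Constructed sample rows in Process Monitor's default CSV column layout.
SAMPLE = r'''"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:01:02.1234567","explorer.exe","1234","RegOpenKey","HKU\S-1-5-21-1111111111-2222222222-3333333333-1000\Software\Classes","SUCCESS","Desired Access: Read"
"10:01:02.2345678","svchost.exe","888","CreateFile","C:\Users\Richard\AppData\Local\Temp\a.tmp","SUCCESS","Desired Access: Generic Write"
"10:01:02.3456789","explorer.exe","1234","RegQueryValue","HKU\S-1-5-21-1111111111-2222222222-3333333333-1000_Classes\.txt","NAME NOT FOUND","Length: 144"
"10:01:02.4567890","svchost.exe","888","ReadFile","C:\Users\Public\Desktop\desktop.ini","SUCCESS","Offset: 0, Length: 174"
'''


def redact_procmon_csv(text):
    """Return (redacted CSV text, mapping of original value -> placeholder)."""
    sids, users = {}, {}

    def sid_sub(m):
        # The same SID always gets the same placeholder, so events stay correlatable.
        return sids.setdefault(m.group(0).upper(), f"S-1-5-21-REDACTED-{len(sids) + 1}")

    def user_sub(m):
        name = m.group(2)
        if name.lower() in SHARED_PROFILES:  # shared folders identify nobody
            return m.group(0)
        return m.group(1) + users.setdefault(name.lower(), f"user{len(users) + 1}")

    out = io.StringIO()
    writer = csv.writer(out, quoting=csv.QUOTE_ALL, lineterminator="\n")
    for row in csv.reader(io.StringIO(text.lstrip("\ufeff"))):  # drop a BOM if present
        writer.writerow([PROFILE_RE.sub(user_sub, SID_RE.sub(sid_sub, f)) for f in row])
    return out.getvalue(), {"sids": sids, "users": users}


if __name__ == "__main__":
    redacted, mapping = redact_procmon_csv(SAMPLE)
    print(redacted)
    print(mapping)  # keep this local; it maps placeholders back to real values
```

Keep the returned mapping private; it is what ties the placeholders back to the real account.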
 