1972 Veteran, I Need Some Assistance

Discussion in 'Software' started by ellen46240, Mar 5, 2018.

  1. ellen46240

    ellen46240 Private First Class

    I did the Read Me First, was told the scans showed nothing, to come here. As for my system Vista Business, FF 52.6.0, system supposedly up to date, despite not supported. (Not updated because anything newer makes several of my programs non-functional). Symptoms: System hangs, found the computer had turned itself back on twice recently, (now I turn my modem/router off too). CAD files disappeared. Regular svchost.exe pgm operation, causing 50% CPU (and thus FF crashes). I did cmd: netstat -n and tried looking up some of the 28 IPs in one occurrence. Some were "no record found" 52.3.85.14 , at least one was listed related to all kinds of bad things suspected 72.21.91.29. I wouldn't think MS would be sending constant updates to a defunct OS, but that's "how it might appear" in Task Manager. I did type out the IPs.. but need a recommendation for a good site to look them up, as half of the suggestions by google look bogus, or want money.. and checking ONE.. 31.13.65.36 (Facebook Ireland?) had a pop-up come on my screen in Russian. I don't USE face book, or any IM pgms that I know of.
    Malware said to post here.. but.. uh.. there just seems to be way too much "non-normal stuff" for there not to be an underlying problem. HELP would be greatly appreciated. MG have always been super helpful.. but "nothing found" appears to be incorrect! THX
     
  2. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

  3. ellen46240

    ellen46240 Private First Class

    I'll see if I can attach a text file with the IPs associated with one instance. (I don't know how to get a print out of the list of IPs generated by netstat -n.. I had to type them in from a screen shot. My question on this, would be why would I have 28 different IPs connected at a time when I have a svchost.exe showing something like 8xx,xxx K of memory in use (under that process).. and 50% CPU, for LONG periods. What are they sending, or receiving from my computer? Or how do I determine who or what is accessing, what program? I can only remember this kind of system clog, when I had updates off for a while, and then turned it back on. At current, I believe Windows says updates are current.. and I have the security set to notify me, if more arrive. Where would I see the notices? Anyway, this has only been happening often.. more recently (2 weeks?). But cad files disappeared. Computer comes on by itself. I did reset FF, but now some pop-ups. Including one IM box, in Russian.. asking me to submit via email. Is it safe to put adBlock back on?
     

    Attached Files:

  4. GermanOne

    GermanOne Guest

    I've seen you're running Avast along with Malwarebytes. There is a risk that they conflict with each other which can make your system behave weirdly. Tim may know it better though.
    For things like Russian popups I always helped out using JRT in my neighborhood. An unstable system and popups like that might not be related.
     
    AtlBo likes this.
  5. ellen46240

    ellen46240 Private First Class

    I just got an email.. it was flagged by a spam blocker, but the source ip is 217.60.40.128, which looks to be IRAN. Said Invoice included, in a zip file. And listed as from my internet provider.. and it was addressed to my email, (not a block of 12). I could send a text file showing the source in ascii. I don't get those kinds of emails.. since.. NEVER.
     
    AtlBo likes this.
  6. ellen46240

    ellen46240 Private First Class

    GermanOne.. thanks for the reply. I've been using Avast and MWB Prem for quite some time. And there had been a few rare cases, which they (apparently) fixed, and everything seems to be running fine. I have new symptoms (i.e., svchost, lots of mem used, long clogs). If MWB or Avast update, they tell me, let me pick when, and happens in very short amount of time. This is not the case for whatever is happening now.

    I didn't see your reply before I posted my last one. I could be wrong (and have been before).. but suddenly I am seeing some pretty weird stuff, and the computer in general seems to be much slower.. despite having cleaned up some PDFs I'd saved to my Desktop.
     
    AtlBo likes this.
  7. ellen46240

    ellen46240 Private First Class

    JRT replaced by AdwCleaner, which was the first thing to be run (as I recall) on the Read Me Malware removal procedure. Or do you re-run it.. "whenever"?
     
    AtlBo likes this.
  8. GermanOne

    GermanOne Guest

    I found February, 10th as installation of MWB in your logs. That's why I thought it would be installed recently. But could also only be an update ... If they however conflict then you may see the fight as a high CPU usage. Unfortunately so many services run in svchost processes which really makes it hard to say what the culprit is. But you may know that AVs run as service.

    I never found malware in PDFs even though it's possible. Adobe Reader X should already protect you from exploiting though.

    I'm really surprised you get that few spam emails. I get them all the time and a lot of them are tagged to come from the provider. I also get a lot of spam due to the fact that a website that I signed in to was hacked and my data was spied (easy to recognize because they call me by my user name).

    JRT is owned by MWB now but I don't think that AdwCleaner is its successor.
     
    AtlBo likes this.
  9. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    I haven't found anything untoward about the addresses you posted. If you want to check:
    https://whatismyipaddress.com/ip

    And spam emails are not unusual. Just delete it.
     
    AtlBo likes this.
  10. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    They discontinued it a good while ago and went with ADW.
     
    AtlBo likes this.
  11. GermanOne

    GermanOne Guest

    Good to know. Thanks Tim!
     
    AtlBo likes this.
  12. ellen46240

    ellen46240 Private First Class

    I have 2 mail accounts, w/about 1 spam a day on the big name, and the other has a great spam filter. I'm not sure if Avast monitors and blocks either or both? On occasion, the tray icon for MWB will not be present on boot up. And more recently, they did something stupid, which was some kind of major update mistake, and had the cpu pegged, and system memory melting. They fixed it, apologized, and everyone refreshed with the correction. I've had to reload it before.. but have used both together for several years.. but I'm not browsing gutters either. I would understand that with both AIS, and MWB that this computer won't be lightning. But I had no problems going to an on-line store. But all of a sudden, long winded svchost runs, and lots of mem consumed, on a regular basis. So whatever is happening now, is causing problems.

    I have ended the process about 5 or 6 times. Pretty sure if that was Avast doing a transfer, I'd see a notice or a pop up. But nothing "stops working" when I do that from an obvious POV. No warning messages that something terminated early. I'll try to do another netstat next time I see it. Anyone know how I can log the connected IPs instead of hand-typing every one into a text file?
     
    AtlBo likes this.
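    The two questions above (how to log the connected IPs instead of hand-typing them, and how to tell which program, and for svchost.exe which hosted services, owns each connection) can be answered with the script below. It is an added example, not code from this thread or from MajorGeeks; it assumes `netstat -ano` and `tasklist /svc` are available (both ship with Vista), runs them when on Windows, and otherwise parses the constructed sample output embedded in it.

```python
"""Map each connection from `netstat -ano` to its owning process via `tasklist /svc`."""
import re, subprocess, sys
from datetime import datetime

# Constructed sample output, not captured from any real machine.
SAMPLE_NETSTAT = """
  Proto  Local Address          Foreign Address        State           PID
  TCP    192.168.1.5:49152      52.3.85.14:443         ESTABLISHED     1044
  TCP    192.168.1.5:49153      72.21.91.29:80         ESTABLISHED     1044
  TCP    192.168.1.5:49160      31.13.65.36:443        TIME_WAIT       0
  TCP    192.168.1.5:49170      198.51.100.7:443       ESTABLISHED     2212
  UDP    0.0.0.0:3702           *:*                                    1180
"""
SAMPLE_TASKLIST = """
Image Name                     PID Services
svchost.exe                   1044 BITS, wuauserv, EventSystem
svchost.exe                   1180 FDResPub, SSDPSRV
firefox.exe                   2212 N/A
"""
# Row patterns: netstat has no State column for UDP; tasklist lists "N/A" or a comma list.
NETSTAT_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)\s+(?:([A-Z_]+)\s+)?(\d+)\s*$")
TASKLIST_RE = re.compile(r"^(\S+\.exe)\s+(\d+)\s+(.+?)\s*$", re.IGNORECASE)

def parse_tasklist(text):
    """Return {pid: (image_name, [service, ...])}; header lines do not match."""
    procs = {}
    for line in text.splitlines():
        m = TASKLIST_RE.match(line)
        if m:
            svcs = [] if m.group(3) == "N/A" else [s.strip() for s in m.group(3).split(",")]
            procs[int(m.group(2))] = (m.group(1), svcs)
    return procs

def parse_netstat(text):
    """One dict per connection; remote split on the last ':' so [::1]:443 also works."""
    conns = []
    for line in text.splitlines():
        m = NETSTAT_RE.match(line)
        if m:
            proto, local, remote, state, pid = m.groups()
            rhost, rport = remote.rsplit(":", 1)
            conns.append({"proto": proto, "local": local, "remote_ip": rhost,
                          "remote_port": rport, "state": state or "", "pid": int(pid)})
    return conns

def attribute(netstat_text, tasklist_text):
    """Join on PID. PID 0 marks a socket whose owning process has already exited."""
    procs = parse_tasklist(tasklist_text)
    rows = []
    for c in parse_netstat(netstat_text):
        image, services = procs.get(c["pid"], ("<unknown>", []))
        rows.append(dict(c, image=image, services=services))
    return rows

def format_rows(rows):
    return ["%-4s %-22s %-11s %5d %-13s %s" % (r["proto"], r["remote_ip"] + ":" + r["remote_port"],
            r["state"], r["pid"], r["image"], ",".join(r["services"]) or "-") for r in rows]

if __name__ == "__main__":
    run = lambda *cmd: subprocess.check_output(cmd, universal_newlines=True)
    live = sys.platform == "win32"            # real commands only on Windows
    ns = run("netstat", "-ano") if live else SAMPLE_NETSTAT
    tl = run("tasklist", "/svc") if live else SAMPLE_TASKLIST
    out = ["=== snapshot %s ===" % datetime.now().strftime("%Y-%m-%d %H:%M:%S")]
    out += format_rows(attribute(ns, tl))
    with open("netstat_log.txt", "a") as fh:  # append, so repeated runs build a history
        fh.write("\n".join(out) + "\n")
```

    Run it each time the svchost.exe spike appears; every snapshot is appended to netstat_log.txt with a timestamp, and the PID column tells you which svchost instance (and which services inside it) holds each connection.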
  13. ellen46240

    ellen46240 Private First Class

    Seven tabs on FF, and all processes shown, the cpu is tracking 4-16%. That is normal. When it goes to 100%, that's when the unknown activity is going on.
     
    AtlBo likes this.
  14. AtlBo

    AtlBo Major Geek Extraordinaire

    Do you use an ad blocker like uBlock Origin? I think that will block some of those IPs you see. Highly recommend uBO. You indicated you see the IPs even with the browser closed, but if they are open from browsing (probably and even a link to facebook in a page can contain a live link btw) it takes a while for them to cycle out of the system. They will eventually though.

    I get more than a few Paypal copycat e-mails and then some from places that have attachments. It's creepy and I wish there were an answer for that. I think the ultimate source for these is the constant database breaches that have happened over the last 10 or so years. Data all over the place for crooks...

    On svchost.exe, if I may, I would recommend turning off Windows updates (completely off) and rebooting. See if that alleviates the resource usage for one thing. Then you can work on that if it's the problem.

    There are cryptominers that use the processor relentlessly and even through the browser with no software installed, but that isn't likely your issue (like a miner browser extension or something). The 50% is kind of tell tale for me of updates madness...
     
  15. dr.moriarty

    dr.moriarty Malware Super Sleuth Staff Member

    Have you considered doing an online scan?
    https://forums.majorgeeks.com/threads/using-esets-online-scanner.149856/

    -or monitoring your system with Process Explorer or Autoruns?
     
    AtlBo likes this.
  16. ellen46240

    ellen46240 Private First Class

    AtlBo,
    Thx for the reply. I had uBlock O on FF. I am not certain if I had it enabled.. and then Tim suggested to reconfigure FF to "out of the box". I put my Avast PassWords back on, and will now try uB again. I was pleased with how well it worked, w/o changing anything from the original download. (Should I?)

    Agreed about database breaches. Talk about instilling confidence!
    Will revise my update configuration.

    And as for cryptominers, I did see "Web spiders" listed with some of the IPs I looked up. Can those addresses be included in a firewall setup? Currently just using the supplied Avast FW.. not at all sure of what it can do, or if other alternate FWs could be of help? Anyone?
     
  17. ellen46240

    ellen46240 Private First Class

    Moriarty...
    I'll gladly try anything.. wait let me revise that. It always makes me nervous to turn off the AV. And yet I'd do that before I'd turn off MWB. Do I need to turn off both, either, neither? Should I try running that if/when the svchost goes off.. or when things are at idle?

    And as for Process Explorer or Autoruns.. does MG have a tutorial?
     
  18. ellen46240

    ellen46240 Private First Class

    Any comments out there on ad Blockers recommendations? Looks like uBlock Origin is 2nd most popular on FF, and has recent update showing. I may have had uBlock before.. which is apparently (?) different from uB Origin?
     
  19. Eldon

    Eldon Major Geek Extraordinaire

  20. dr.moriarty

    dr.moriarty Malware Super Sleuth Staff Member

    Last edited: Mar 6, 2018
  21. ellen46240

    ellen46240 Private First Class

    Eldon and Dr..
    Slowly poking deeper into this system. (Like a farm boy being dropped into NYC with a bent subway token). Questions:
    I'd run Pro exp before.. uh, w/o a clue. "Help file" would not display either. This morning I read to extract all the files from the zip file and to then unblock the .chm. Did that, still won't display from procexp.exe. So I closed, and re-opened the program, still didn't work. I've been running it direct from "procexp.exe" on my desktop.. but do I need to delete or uninstall that first? And then reinstall from the unzipped folder goodies? LOTS of exe files there, but does it have an installer or shell? Nothing obvious to me, which one to run? Do I need to move the extracted folder first? Currently on C:\Users\New User\Desktop\SysinternalsSuite.

    With uBlock Origin and Avast Passwords added back to FF, it's working. VLC, WPF, and Java Platform are all "Ask to Activate". Visiting the previously "congested" web site where FF would crash, now a line pops up, "A web page is slowing down your browser".. (Stop it/Wait options). Having not seen that before, I assume it's some video they are trying to run? I have not seen it elsewhere (yet). Maybe once I have Proc Exp working right, I'll be able to sort that out for certain. Java updated to 161, two old versions removed 131, 144. I set Win updates to OFF. And will dig into the links you provided.
    Slowly I squirm... step by step...
    MANY THANKS!!
     
  22. dr.moriarty

    dr.moriarty Malware Super Sleuth Staff Member

    You have probably confused yourself by downloading all of the tools at once, rather than just the ones I referenced. By using the link to the howtogeek forum and looking under the column SCHOOL NAVIGATION , you are given pictured tutorials for each tool --- frankly the .chm file isn't needed for what you want to do.
     
  23. ellen46240

    ellen46240 Private First Class

    Confused? Maybe. I'll not share my opinions of Bill G. I can't see thru my Windows! My Vector Graphics System B S-100 Z-80 @ 4 Mhz, in 1982, ran CP/M in 56k of ram, just fine. I could trouble shoot each board. Today, there are 56K of If/Then choices in any given DIRECTORY! The hard drive back then was 5 Mbytes, and NO WAY to fill it up! Progress.... ?

    I had previously downloaded the suite (maybe years ago). And I had run Process Explorer only. I prefer using help files, when seeing something new, (because I hadn't done any other research, on its use back then). When someone in this forum saw it in my Read Files they asked if I had used it? I only then remembered having it on my desktop. And running it, the Help file still would not load. I did a search on that topic (before reading your #20 post).. and realized why the Help file probably wasn't working. But when I did the extraction to FIND the procexp.chm.. I THEN saw all of the other programs. My "confusion" may be that I assumed they all functioned as one large tool box, and that it needed to be "installed". I'm guessing that is not the case? Just a collection of independent executable tools? But indeed some of the things I tried in Proc Exp (before reading your post and w/o a Help file).. didn't appear to function fully. So that was in part why I assumed that running ONLY processexplorer.exe from my Desktop, that other parts of it, were not also functional.

    So to answer my own question. Apparently the exe and link can be deleted or ignored, and that I can simply go to the Folder, and click on it there, (and then.. any of the other toys if/when I need them, and learn about them). I always try not to stick my fingers into unknown sockets.. been there, done that one as a kid.

    Back to work for now, but will read the tutorial this evening. Again, thanks!
     
  24. ellen46240

    ellen46240 Private First Class

    correction: reference processexplorer.exe should read procexp.exe above
     
  25. Geek_Justin

    Geek_Justin Corporal

    It's very entertaining how a long thread can go so many different ways and end up way off topic. ;)
     
  26. dr.moriarty

    dr.moriarty Malware Super Sleuth Staff Member

    So far - the only reply that's out of place in this troubleshooting thread is... guess whose?
     
  27. ellen46240

    ellen46240 Private First Class

    PFC Justin
    I would have assumed.. this conversation is between people who know.. and people who do not. Or... intelligent, informed, helpful volunteers, and one old guy. *I* am very thankful for folks like Moriarty! And all of the rest, here at MG, with their YEARS of assistance.

    Why is this thread diverse? Here's a reason or two. Unsigned processes, files that disappear. Are updates good? Or do they cause crashes? Or, are they MALWARE? Or OS bloat only exceeded by this detail..."In Q3 2016 alone, 18 million new malware samples were captured. Panda Labs". Or to buy and LOAD that required AV and anti-malware.. only to read they may not work.. together. EVERYTHING I have googled says A) valid program, and B) could be malware. Or that my purchased software NO LONGER OPERATES in a new (improved?? BLOATED!!) OS. Great!

    I have helped a ton of people on different forums, writing HOURS AND HOURS of replies to THEIR questions, when I was the one, who could provide answers for them. I served in Vietnam. And I did 4 more years as an elected county official (saving many from the full time dirty politicians).

    If ya don't like the thread..
     
    Eldon and dr.moriarty like this.
  28. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Ellen ....Dr.M suggested you run an online Eset scan. You don't have to turn off anything. Please run the scan and attach the results.
     
  29. Geek_Justin

    Geek_Justin Corporal

    Please accept my apologies. My comment was not at all intended to be disrespectful but just lighthearted. I guess sometimes I need to learn when to just keep quiet.
     
  30. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Justin .... lighthearted comments are fine in the lounge...not in the help forums. I learned that a long long time ago. :)
     
  31. ellen46240

    ellen46240 Private First Class

    Justin,
    I saw the "wink" at the end of your comment. And my reply was probably out of line too. I've been in electronics my whole life, spy class electronics in the service, designed industrial controls, with embedded processors, and wrote assembler code later. But Windows is different, esp when stuff goes south. "Issues" have brought me here before.. and I'd run the scans.. and be good to go. This time, I wanted to get a better idea of the inner workings.. and talk about a can of worms?!?! That ups the frustration level a bit. No harm, no foul.. but if I asked every question I'd like answered, I'd probably need about 4 years of computer science! LOL.. to get started!
     
  32. ellen46240

    ellen46240 Private First Class

    Tim,
    Thanks for all. I'm not having the hangs as I did before, but will run the scan. I really am hoping to learn a few things, and the skills are here. I figured someone would boot me if this went on too long.
    And btw.. Ellen was a Luddite friend.. seemed to be an appropriate handle,
    Jerry
     
  33. ellen46240

    ellen46240 Private First Class

    The instructions for Esets don't say to clean the files or not. Will attach the log. Two were found, with one of those being in MG tools, so I know that doesn't need attention.
     

    Attached Files:

  34. Geek_Justin

    Geek_Justin Corporal

    By the time you got your answer the answer would have changed.
     
  35. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Jerry, just to be certain that this is not a malware issue, please do this:

    Please download Zemana Malware Removal to your desktop and run it please.

    It auto updates, and you click scan. After it's finished, click on the icon that looks like Cell phone strength bars. Highlight the report (by date log was produced) and click on the "Open Report" icon. (looks like a folder). That notepad.txt can then be copied/pasted into another .txt doc and saved. Upload that, please.
     
  36. ellen46240

    ellen46240 Private First Class

    Tim,
    I still have the ESETs window open. Do I check, Clean or Do Not Clean for the second item that it found in my esetscan.txt? Or do you want me to run Zemana first?
     
  37. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    The eset scan said it deleted the items...please try the Zemana scan.
     
  38. ellen46240

    ellen46240 Private First Class

    Tim,
    It found my FF homepage email log on.. as questionable?? But hey.. stranger things might happen. I did "X" out the name on the text. The other one may be valid.
    Always.. thanks for the help!
     

    Attached Files:

  39. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Looks good...what issues are you still having?
     
  40. ellen46240

    ellen46240 Private First Class

    I've killed updates from Windows, updated some other software, found these various infractions with scans. So.. I may need to just observe. FF is still quite slow at times.. but not a problem if it doesn't crash. I do think I have programs running, that I don't need, and maybe that would free up memory or reduce CPU usage. But I hope to learn more about Process Exp or other tools, to better understand what is going on "inside", to sort out unsigned mysterious stuff, or even taskmgr. I have not seen the long-winded svchost 50% cpu, which combined with FF had caused it to crash.
     
  41. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Task manager will show you what is running.
     
  42. ellen46240

    ellen46240 Private First Class

    Sorry, I meant task scheduler. I can see where Process Explorer is a very helpful tool. Got to do the tutorial. Thanks again for all of your help. Jerry
     
