Solved Disk Usage shows 99% for 10 min each time I boot laptop

Dell Vostro 1520 laptop computer (intel...
September 29, 2016 at 16:56:35
Specs: Windows 10, 4 G
My Dell laptop has been operating on Windows 10. In recent days, each time I turn on the laptop, Disk Usage shows 99% for about 10 minutes, then goes back down to a level below 20%.
I killed many startup processes. However, when I started up my laptop, Disk Usage was around 95% to 100%, with these processes in turn: Microsoft Compatibility, Antimalware Service Executable, Windows Modules Installer Worker. Then they wound down, and later System, Service Host Network Service,... were up, so that Disk Usage stayed around 80% to 100%.
I also did a full scan with Windows Defender, with the result of no threats, but Disk Usage stayed around 80% to 100%.

Although currently it did not make my laptop too slow, I doubt my laptop got virus or malware.

Please instruct me how to remove the virus?

I'd appreciate your instructions.

Best Regards,

Truc C. Nguyen


#1
September 29, 2016 at 18:54:39
Run these small freebies for starters in the order given:

AdwCleaner:
https://toolslib.net/downloads/view...
(blue "Download Now" button on right).
Download and "Save" the file somewhere. Go to the saved file then double click it to run the program. Use the "Scan" button, followed by the "Clean" button.

Junkware Removal Tool (JRT)
https://www.malwarebytes.org/junkwa...
(blue Download button).
Download and "Save" the file somewhere. Go to the saved file then double click it to run JRT. It might appear to have stopped at times or flash the screen but sit tight until it has finished.

MalwareBytes:
https://www.malwarebytes.org/
(use the "download" button rather than the "buy" button).
Install and Run the program but before running the Scan go to "Settings > Detection and Protection" and put a checkmark in "Scan for rootkits". Quarantine anything it finds.

Please copy/paste the logs on here.

Always pop back and let us know the outcome - thanks



#2
September 29, 2016 at 23:52:33
Nothing unusual in what you describe. The processes you list are more or less the same in other versions of Windows. The virus-scanner will take longer over time as you load more apps/data. I see that on the Win 10, 8, 7 systems I'm running here.

Assuming you have a classic Hard disk (5200 rpm?), if you want it to fly, change to an SSD and your system is up & running in no time making your CPU sweat!



#3
September 30, 2016 at 05:52:43
Derek and Sluc,

Seems likely this happened when I had big automatic updates from Windows 10. It took me one and a half hours to update when I started up the laptop.

I will also try to run the tools from Derek tonight on Windows 10. I will let you know later.

Thank you for your responses

Truc C. Nguyen



#4
September 30, 2016 at 11:11:01
Yep, those big updates could easily be the cause.

Always pop back and let us know the outcome - thanks



#5
September 30, 2016 at 14:03:01
Derek,

Below are results after running AdwCleaner. Do I need to continue running JRT? Thanks

AdwCleaner v6.020 - Logfile created 30/09/2016 at 16:54:56
# Updated on 14/09/2016 by ToolsLib
# Database : 2016-09-30.1 [Server]
# Operating System : Windows 10 Home (X64)
# Username : timot - MRMONEY-MSLUCKY
# Running from : C:\Users\timot\Documents\Virus Tools\adwcleaner_6.020.exe
# Mode: Clean
# Support : https://toolslib.net/forum

***** [ Services ] *****

***** [ Folders ] *****

[-] Folder deleted: C:\ProgramData\475c903b-1d76-480a-8fbd-1a0a8fb7e4eb
[-] Folder deleted: C:\Users\timot\AppData\Local\WebBar
[-] Folder deleted: C:\Users\timot\AppData\Roaming\UpdaterEX
[-] Folder deleted: C:\Program Files\WebBar


***** [ Files ] *****

***** [ DLL ] *****

***** [ WMI ] *****

***** [ Shortcuts ] *****

***** [ Scheduled Tasks ] *****

***** [ Registry ] *****

[-] Key deleted: HKU\S-1-5-21-3146283584-3349612830-1043305185-1001\Software\PRODUCTSETUP
[-] Key deleted: HKU\S-1-5-21-3146283584-3349612830-1043305185-1001\Software\UpdaterEX
[-] Key deleted: HKU\S-1-5-21-3146283584-3349612830-1043305185-1001\Software\Wincy
[#] Key deleted on reboot: HKCU\Software\PRODUCTSETUP
[#] Key deleted on reboot: HKCU\Software\UpdaterEX
[#] Key deleted on reboot: HKCU\Software\Wincy
[#] Key deleted on reboot: [x64] HKCU\Software\PRODUCTSETUP
[#] Key deleted on reboot: [x64] HKCU\Software\UpdaterEX
[#] Key deleted on reboot: [x64] HKCU\Software\Wincy
[-] Key deleted: [x64] HKLM\SOFTWARE\WebBar
[-] Key deleted: HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{2f23ab71-4ac6-41f2-a955-ea576e553146}
[-] Key deleted: HKCU\Software\Microsoft\Internet Explorer\DOMStorage\castplatform.com
[-] Key deleted: HKCU\Software\Microsoft\Internet Explorer\DOMStorage\cdn.castplatform.com
[-] Key deleted: HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\EdpDomStorage\chrome-64-bit.en.softonic.com
[-] Key deleted: HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\EdpDomStorage\dotomi.com
[-] Key deleted: HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\EdpDomStorage\driverupdate.net
[-] Key deleted: HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\EdpDomStorage\iad-usadmm.dotomi.com
[-] Key deleted: HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\EdpDomStorage\media-dc6.msg.dotomi.com
[-] Key deleted: HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\EdpDomStorage\softonic.com
[-] Key deleted: HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\EdpDomStorage\www.driverupdate.net
[-] Key deleted: HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\chrome-64-bit.en.softonic.com
[-] Key deleted: HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\dotomi.com
[-] Key deleted: HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\driverupdate.net
[-] Key deleted: HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\iad-usadmm.dotomi.com
[-] Key deleted: HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\media-dc6.msg.dotomi.com
[-] Key deleted: HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\softonic.com
[-] Key deleted: HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\www.driverupdate.net
[#] Key deleted on reboot: [x64] HKCU\Software\Microsoft\Internet Explorer\DOMStorage\castplatform.com
[#] Key deleted on reboot: [x64] HKCU\Software\Microsoft\Internet Explorer\DOMStorage\cdn.castplatform.com
[#] Key deleted on reboot: [x64] HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\EdpDomStorage\chrome-64-bit.en.softonic.com
[#] Key deleted on reboot: [x64] HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\EdpDomStorage\dotomi.com
[#] Key deleted on reboot: [x64] HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\EdpDomStorage\driverupdate.net
[#] Key deleted on reboot: [x64] HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\EdpDomStorage\iad-usadmm.dotomi.com
[#] Key deleted on reboot: [x64] HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\EdpDomStorage\media-dc6.msg.dotomi.com
[#] Key deleted on reboot: [x64] HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\EdpDomStorage\softonic.com
[#] Key deleted on reboot: [x64] HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\EdpDomStorage\www.driverupdate.net
[#] Key deleted on reboot: [x64] HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\chrome-64-bit.en.softonic.com
[#] Key deleted on reboot: [x64] HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\dotomi.com
[#] Key deleted on reboot: [x64] HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\driverupdate.net
[#] Key deleted on reboot: [x64] HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\iad-usadmm.dotomi.com
[#] Key deleted on reboot: [x64] HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\media-dc6.msg.dotomi.com
[#] Key deleted on reboot: [x64] HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\softonic.com
[#] Key deleted on reboot: [x64] HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\www.driverupdate.net
[-] Value deleted: HKCU\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION [wb.exe]
[-] Value deleted: HKCU\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION [WeatherBug.exe]
[#] Value deleted on reboot: HKCU\SOFTWARE\MICROSOFT\INTERNET EXPLORER\MAIN\FEATURECONTROL\FEATURE_BROWSER_EMULATION [wb.exe]


***** [ Web browsers ] *****

[-] [C:\Users\MsLuc\AppData\Local\Google\Chrome\User Data\Default\Web data] [Search Provider] Deleted: aol.com
[-] [C:\Users\MsLuc\AppData\Local\Google\Chrome\User Data\Default\Web data] [Search Provider] Deleted: ask.com


*************************

:: "Tracing" keys deleted
:: Winsock settings cleared

*************************

C:\AdwCleaner\AdwCleaner[C0].txt - [9013 Bytes] - [30/09/2016 16:54:56]
C:\AdwCleaner\AdwCleaner[S0].txt - [8771 Bytes] - [30/09/2016 16:53:01]

########## EOF - C:\AdwCleaner\AdwCleaner[C0].txt - [9159 Bytes] ##########

Truc C. Nguyen



#6
September 30, 2016 at 14:10:50
After using only this tool, Disk Usage is down to 5% in Task Manager. Fantastic!!! Do I need to run JRT? Thanks,

Truc C. Nguyen



#7
September 30, 2016 at 17:12:52
Yep, do the other two and paste the logs - thx.

Always pop back and let us know the outcome - thanks



#8
September 30, 2016 at 17:31:23
Results of JRT run

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Junkware Removal Tool (JRT) by Malwarebytes
Version: 8.0.8 (09.20.2016)
Operating System: Windows 10 Home x64
Ran by timot (Administrator) on Fri 09/30/2016 at 20:24:34.61
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


File System: 2

Successfully deleted: C:\WINDOWS\system32\Tasks\PCDEventLauncherTask (Task)
Successfully deleted: C:\WINDOWS\system32\Tasks\PCDoctorBackgroundMonitorTask (Task)

Registry: 2

Successfully deleted: HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{2f23ab71-4ac6-41f2-a955-ea576e553146} (Registry Key)
Successfully deleted: HKCU\Software\Microsoft\Internet Explorer\SearchScopes\{5F60F5C5-B9CC-48D3-B672-97EF10E543B4} (Registry Key)

Truc C. Nguyen



#9
September 30, 2016 at 18:31:07
MBM Scan Logs

Malwarebytes Anti-Malware
www.malwarebytes.org

Scan Date: 9/30/2016
Scan Time: 8:38 PM
Logfile: MBM Scan Log.txt
Administrator: Yes

Version: 2.2.1.1043
Malware Database: v2016.10.01.01
Rootkit Database: v2016.09.26.02
License: Trial
Malware Protection: Enabled
Malicious Website Protection: Enabled
Self-protection: Disabled

OS: Windows 10
CPU: x64
File System: NTFS
User: timot

Scan Type: Threat Scan
Result: Completed
Objects Scanned: 360952
Time Elapsed: 32 min, 42 sec

Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Enabled
Heuristics: Enabled
PUP: Enabled
PUM: Enabled

Processes: 0
(No malicious items detected)

Modules: 0
(No malicious items detected)

Registry Keys: 2
PUP.Optional.MicrofastPC, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TREE\Microfast_Daily, Delete-on-Reboot, [2cd99202485295a19f4c9b0e06fda759],
PUP.Optional.MicrofastPC, HKLM\SOFTWARE\MICROSOFT\WINDOWS NT\CURRENTVERSION\SCHEDULE\TASKCACHE\TREE\Microfast_LogOn, Delete-on-Reboot, [7d886c28e4b6c373fcef7c2d2ed5867a],

Registry Values: 0
(No malicious items detected)

Registry Data: 0
(No malicious items detected)

Folders: 4
PUP.Optional.WinYahoo, C:\Users\timot\AppData\Local\{1C5F2A03-38F7-46BB-556F-635371079FCB}, Quarantined, [2cd9e5af722842f44582cff459aa02fe],
PUP.Optional.MicrofastPC, C:\Users\timot\AppData\Roaming\MicrofastPC, Quarantined, [16efefa513871e1819839c1ba75b3ec2],
PUP.Optional.MicrofastPC, C:\Users\timot\AppData\Roaming\MicrofastPC\Backup, Quarantined, [16efefa513871e1819839c1ba75b3ec2],
PUP.Optional.MicrofastPC, C:\Users\timot\AppData\Roaming\MicrofastPC\BackupStartup, Quarantined, [16efefa513871e1819839c1ba75b3ec2],

Files: 20
PUP.Optional.InstallCore, C:\Users\timot\Downloads\Google_Chrome_Setup.exe, Quarantined, [f213751f8119f83e838095a8ee13916f],
PUP.Optional.DigiServ, C:\Users\timot\Downloads\adobe_flash_player (1).exe, Quarantined, [986d34609a0095a18fa4098dc83cc43c],
PUP.Optional.DigiServ, C:\Users\timot\Downloads\adobe_flash_player.exe, Quarantined, [976e5c38eab01125141fa0f6f90b7789],
PUP.Optional.OpenCandy, C:\Users\timot\Downloads\cdbxp_setup_4.5.6.5931.exe, Quarantined, [877eade75644ed49484b87c7cb37748c],
PUP.Optional.MicrofastPC, C:\Windows\System32\Tasks\Microfast_Daily, Quarantined, [d82d880c74268caa628655548c7741bf],
PUP.Optional.MicrofastPC, C:\Windows\System32\Tasks\Microfast_LogOn, Quarantined, [c83d8b09b6e42e088e5a7a2f7390c739],
PUP.Optional.WinYahoo, C:\Users\timot\AppData\LocalLow\Microsoft\Internet Explorer\Services\Wincy.ico, Quarantined, [52b3dabafb9f999df29a368d14efdd23],
PUP.Optional.WinYahoo, C:\Users\timot\AppData\Local\{1C5F2A03-38F7-46BB-556F-635371079FCB}\nado, Quarantined, [2cd9e5af722842f44582cff459aa02fe],
PUP.Optional.WinYahoo, C:\Users\timot\AppData\Local\{1C5F2A03-38F7-46BB-556F-635371079FCB}\info.dat, Quarantined, [2cd9e5af722842f44582cff459aa02fe],
PUP.Optional.WinYahoo, C:\Users\timot\AppData\Local\{1C5F2A03-38F7-46BB-556F-635371079FCB}\install.log, Quarantined, [2cd9e5af722842f44582cff459aa02fe],
PUP.Optional.WinYahoo, C:\Users\timot\AppData\Local\{1C5F2A03-38F7-46BB-556F-635371079FCB}\Sqlite3.dll, Quarantined, [2cd9e5af722842f44582cff459aa02fe],
PUP.Optional.WinYahoo, C:\Users\timot\AppData\Local\{1C5F2A03-38F7-46BB-556F-635371079FCB}\uninst.dat, Quarantined, [2cd9e5af722842f44582cff459aa02fe],
PUP.Optional.MicrofastPC, C:\Users\timot\AppData\Roaming\MicrofastPC\ApplicationPaths.dat, Quarantined, [16efefa513871e1819839c1ba75b3ec2],
PUP.Optional.MicrofastPC, C:\Users\timot\AppData\Roaming\MicrofastPC\COMAndActiveXControls.dat, Quarantined, [16efefa513871e1819839c1ba75b3ec2],
PUP.Optional.MicrofastPC, C:\Users\timot\AppData\Roaming\MicrofastPC\FileExtensions.dat, Quarantined, [16efefa513871e1819839c1ba75b3ec2],
PUP.Optional.MicrofastPC, C:\Users\timot\AppData\Roaming\MicrofastPC\Fonts.dat, Quarantined, [16efefa513871e1819839c1ba75b3ec2],
PUP.Optional.MicrofastPC, C:\Users\timot\AppData\Roaming\MicrofastPC\HelpFiles.dat, Quarantined, [16efefa513871e1819839c1ba75b3ec2],
PUP.Optional.MicrofastPC, C:\Users\timot\AppData\Roaming\MicrofastPC\MRUList.dat, Quarantined, [16efefa513871e1819839c1ba75b3ec2],
PUP.Optional.MicrofastPC, C:\Users\timot\AppData\Roaming\MicrofastPC\SharedDLLs.dat, Quarantined, [16efefa513871e1819839c1ba75b3ec2],
PUP.Optional.MicrofastPC, C:\Users\timot\AppData\Roaming\MicrofastPC\UninstallEntries.dat, Quarantined, [16efefa513871e1819839c1ba75b3ec2],

Physical Sectors: 0
(No malicious items detected)


(end)

Thank you

Truc C. Nguyen
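
An added example, not part of the original thread and not Malwarebytes code: a small Python parser for the log layout pasted in the post above (a section header with a count, then `family, path, action, [id],` lines). It checks that each section's declared count matches the lines actually pasted and lists items whose action is not `Quarantined`, such as `Delete-on-Reboot` entries that should be re-checked after the restart. The sample log, its paths and IDs are constructed, and the function names are hypothetical.

```python
import re
from collections import Counter

# Result sections that appear in the log layout shown in the thread.
SECTIONS = {
    "Processes", "Modules", "Registry Keys", "Registry Values",
    "Registry Data", "Folders", "Files", "Physical Sectors",
}

# Section header, e.g. "Registry Keys: 2". Metadata such as
# "Objects Scanned: 360952" has the same shape, so names are checked
# against SECTIONS before being accepted.
SECTION_RE = re.compile(r"^(?P<name>[A-Za-z ]+): (?P<count>\d+)\s*$")

# Detection line: "<family>, <path>, <action>, [<32 hex chars>],"
# The path group is greedy so a comma inside a file name stays in the path.
DETECTION_RE = re.compile(
    r"^(?P<family>[^,]+), (?P<path>.+), (?P<action>[^,]+), "
    r"\[(?P<item_id>[0-9a-f]{32})\],?\s*$"
)

# Constructed sample in the same layout (not lines from the thread).
# "Files" declares 3 items but only 2 are present, as in a truncated paste.
SAMPLE_LOG = r"""
Scan Type: Threat Scan
Objects Scanned: 1234

Processes: 0
(No malicious items detected)

Registry Keys: 1
PUP.Optional.ExampleA, HKLM\SOFTWARE\EXAMPLE\TASKCACHE\TREE\Example_Daily, Delete-on-Reboot, [0123456789abcdef0123456789abcdef],

Folders: 1
PUP.Optional.ExampleA, C:\Users\example\AppData\Roaming\ExampleA, Quarantined, [0123456789abcdef0123456789abcdef],

Files: 3
PUP.Optional.ExampleA, C:\Users\example\AppData\Roaming\ExampleA\a.dat, Quarantined, [0123456789abcdef0123456789abcdef],
PUP.Optional.ExampleB, C:\Users\example\Downloads\setup, v2.exe, Quarantined, [0123456789abcdef0123456789abcdef],
"""


def parse_mbam_log(text):
    """Return (declared_counts, detections) parsed from a pasted scan log."""
    declared = {}
    detections = []
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        header = SECTION_RE.match(line)
        if header and header.group("name") in SECTIONS:
            section = header.group("name")
            declared[section] = int(header.group("count"))
            continue
        hit = DETECTION_RE.match(line)
        if hit and section is not None:
            detections.append({"section": section, **hit.groupdict()})
    return declared, detections


def count_mismatches(declared, detections):
    """Sections whose declared count differs from the lines actually present.

    A mismatch usually means the paste was truncated or a line was mangled,
    so the log should be re-exported before anyone relies on it.
    """
    parsed = Counter(d["section"] for d in detections)
    return {s: (n, parsed[s]) for s, n in declared.items() if parsed[s] != n}


def needs_followup(detections):
    """Items not yet contained. Assumption: 'Quarantined' is the only
    action that means done; anything else (e.g. 'Delete-on-Reboot')
    should be verified with a fresh scan after the reboot."""
    return [d for d in detections if d["action"] != "Quarantined"]


def family_summary(detections):
    """Number of detected items per detection family."""
    return dict(Counter(d["family"] for d in detections))


if __name__ == "__main__":
    declared, detections = parse_mbam_log(SAMPLE_LOG)
    print("Per family:", family_summary(detections))
    print("Count mismatches (declared, parsed):",
          count_mismatches(declared, detections))
    for item in needs_followup(detections):
        print("Re-check after reboot:", item["action"], item["path"])
```
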



#10
October 1, 2016 at 04:22:21
Derek,

After running all the tools that you had shown, Disk Usage goes up to 100% at startup and quickly goes down to 30% after 1 minute.

I think my laptop returned to normal.

Thank you so much

Truc C. Nguyen



#11
October 1, 2016 at 12:50:37
Good to hear - those three are excellent tools.

However your computer might not yet be properly clean. This would require the assistance of a more specialist helper (Johnw) and entail running more programs. Let us know on here if you wish to take it further and if so I can see if Johnw is available.

Always pop back and let us know the outcome - thanks



#12
October 1, 2016 at 14:05:05
Derek,

I would like to have Johnw help me clean my laptop properly. Thanks for your help.

Truc C. Nguyen



#13
October 1, 2016 at 14:39:41
✔ Best Answer
I've sent a message to Johnw. It obviously depends on whether he is available, so watch this space.

Derek

Always pop back and let us know the outcome - thanks



#14
October 1, 2016 at 17:35:15
Hi Truc, next step.

Please download Farbar Recovery Scan Tool and save it onto your Desktop. If your default download location is not the Desktop, drag it out of its location onto the Desktop.
http://www.bleepingcomputer.com/dow...
If we have to run Farbar more than once, refer to this SS.
http://i.imgur.com/yUxNw0j.gif
Note: You need to run the version compatible with your system. If you are not sure which version applies to your system download both of them and try to run them. Only one of them will run on your system, that will be the right version.
Double-click to run it. When the tool opens click Yes to disclaimer.
Press Scan button.
It will make a log (FRST.txt) on the Desktop.
The first time the tool is run, it also makes another log (Addition.txt).
The logs are large, upload them using Zippy ( No account/registration needed ) or upload to a site of your choosing. Give us the links please.
http://www.zippyshare.com/
Instructions on how to use ZippyShare.
http://i.imgur.com/naG6t2T.gif
http://i.imgur.com/Vi9ZdIh.gif
http://i.imgur.com/1IZu5kP.gif



#15
October 1, 2016 at 18:19:13
Johnw,

When I click on FRST64 or FRST, a banner pops up:
Windows protected your PC
Windows SmartScreen prevented an unrecognized app from starting. Running this app might put your PC at risk.
More Info

and below is "Don't run" button

Truc C. Nguyen



#16
October 1, 2016 at 18:24:12
"Running this app might put your PC at risk."
False positive Truc.


#17
October 1, 2016 at 18:55:07
If you haven't worked it out, open IE & turn off SmartScreen Filter.
http://windows.microsoft.com/en-AU/...


#18
October 1, 2016 at 18:55:46
Johnw,

How do I run it? Must I "run it anyway"?

Truc C. Nguyen



#19
October 1, 2016 at 19:13:48
http://www83.zippyshare.com/v/64rNn...
http://www83.zippyshare.com/v/dJS18...

Thank you Johnw,

Truc C. Nguyen



#20
October 1, 2016 at 19:48:08
Ok, got them, back in about 5 hrs after I do some stuff for myself.


#21
October 2, 2016 at 01:30:43
Copy & Paste the text in Blue below & save it into Notepad on your Desktop & name it fixlist.txt
NOTE: It is important that Notepad is used. The fix will not work if Word or some other program is used.
NOTE: It is important that both files, FRST64 and fixlist.txt are in the same location or the fix will not work.
NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system.

CreateRestorePoint:
emptytemp:
closeprocesses:
Task: {0A7CF4F5-8221-4D16-B7C8-A95A77FE9803} - System32\Tasks\UninstallDDS-C960901F-CE14-4DE1-9729-1305F719A337 => C:\Windows\TEMP\DeleteFolderTask.exe <==== ATTENTION
Task: {3584E1F7-C735-4333-9721-5B706B61AB92} - \Microfast_LogOn -> No File <==== ATTENTION
Task: {FD3B51F3-865F-4500-B508-C95C54ADD365} - \Microfast_Daily -> No File <==== ATTENTION
HKLM-x32\...\Run: [] => [X]
SearchScopes: HKLM -> {2f23ab71-4ac6-41f2-a955-ea576e553146} URL =
SearchScopes: HKU\S-1-5-21-3146283584-3349612830-1043305185-1001 -> DefaultScope {5F60F5C5-B9CC-48D3-B672-97EF10E543B4} URL =
BHO-x32: No Name -> {B69F34DD-F0F9-42DC-9EDD-957187DA688D} -> No File
R2 ibtsiva; %SystemRoot%\system32\ibtsiva [X]

Open FRST64 and press the Fix button just once and wait.
If for some reason the tool needs a restart, please make sure you let the system restart normally. After that, let the tool complete its run.
When finished FRST will generate a log on the Desktop (Fixlog.txt). Please Copy & Paste the contents into your reply.
Refer these SS if needed.
http://fs5.directupload.net/images/...
http://fs5.directupload.net/images/...
http://fs5.directupload.net/images/...
http://fs5.directupload.net/images/...
http://fs5.directupload.net/images/...
http://fs5.directupload.net/images/...



#22
October 2, 2016 at 06:41:58
Johnw,

Below is the Fixlog. After running the script and restarting the machine, Disk Usage goes to 100% on the process Service Host Local Service (Network Restrict), then down to 60% after 60 seconds. Then I rebooted again; sometimes Disk Usage goes to 100% on the process Service Host Local Service (Network Restrict), then down to 4% in Task Manager.

Disk Usage reaches 100% more than before. Now it is stable at 10% to 0%

Thank you

Fix result of Farbar Recovery Scan Tool (x64) Version: 30-09-2016
Ran by timot (02-10-2016 08:35:35) Run:1
Running from C:\Users\timot\Desktop
Loaded Profiles: timot (Available Profiles: timot & MsLuc)
Boot Mode: Normal
==============================================

fixlist content:
*****************
CreateRestorePoint:
emptytemp:
closeprocesses:
Task: {0A7CF4F5-8221-4D16-B7C8-A95A77FE9803} - System32\Tasks\UninstallDDS-C960901F-CE14-4DE1-9729-1305F719A337 => C:\Windows\TEMP\DeleteFolderTask.exe <==== ATTENTION
Task: {3584E1F7-C735-4333-9721-5B706B61AB92} - \Microfast_LogOn -> No File <==== ATTENTION
Task: {FD3B51F3-865F-4500-B508-C95C54ADD365} - \Microfast_Daily -> No File <==== ATTENTION
HKLM-x32\...\Run: [] => [X]
SearchScopes: HKLM -> {2f23ab71-4ac6-41f2-a955-ea576e553146} URL =
SearchScopes: HKU\S-1-5-21-3146283584-3349612830-1043305185-1001 -> DefaultScope {5F60F5C5-B9CC-48D3-B672-97EF10E543B4} URL =
BHO-x32: No Name -> {B69F34DD-F0F9-42DC-9EDD-957187DA688D} -> No File
R2 ibtsiva; %SystemRoot%\system32\ibtsiva [X]
*****************

Restore point was successfully created.
Processes closed successfully.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{0A7CF4F5-8221-4D16-B7C8-A95A77FE9803}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{0A7CF4F5-8221-4D16-B7C8-A95A77FE9803}" => key removed successfully
C:\WINDOWS\System32\Tasks\UninstallDDS-C960901F-CE14-4DE1-9729-1305F719A337 => moved successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\UninstallDDS-C960901F-CE14-4DE1-9729-1305F719A337" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Logon\{3584E1F7-C735-4333-9721-5B706B61AB92}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{3584E1F7-C735-4333-9721-5B706B61AB92}" => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microfast_LogOn => key not found.
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{FD3B51F3-865F-4500-B508-C95C54ADD365}" => key removed successfully
"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{FD3B51F3-865F-4500-B508-C95C54ADD365}" => key removed successfully
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microfast_Daily => key not found.
HKLM\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\\ => value removed successfully
"HKLM\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{2f23ab71-4ac6-41f2-a955-ea576e553146}" => key removed successfully
HKCR\CLSID\{2f23ab71-4ac6-41f2-a955-ea576e553146} => key not found.
HKU\S-1-5-21-3146283584-3349612830-1043305185-1001\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\\DefaultScope => value removed successfully
"HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{B69F34DD-F0F9-42DC-9EDD-957187DA688D}" => key removed successfully
HKCR\Wow6432Node\CLSID\{B69F34DD-F0F9-42DC-9EDD-957187DA688D} => key not found.
ibtsiva => service removed successfully

=========== EmptyTemp: ==========

BITS transfer queue => 1924202 B
DOMStore, IE Recovery, AppCache, Feeds Cache, Thumbcache, IconCache => 17758411 B
Java, Flash, Steam htmlcache => 53551 B
Windows/system/drivers => 19946865 B
Edge => 33927789 B
Chrome => 809056044 B
Firefox => 0 B
Opera => 0 B

Temp, IE cache, history, cookies, recent:
Default => 0 B
ProgramData => 0 B
Public => 0 B
systemprofile => 0 B
systemprofile32 => 0 B
LocalService => 15452 B
NetworkService => -658 B
timot => 166037402 B
MsLuc => 25444 B

RecycleBin => 379482554 B
EmptyTemp: => 1.3 GB temporary data Removed.

================================


The system needed a reboot.

Truc C. Nguyen



#23
October 2, 2016 at 08:44:49
Now Disk Usage is stable at 15 to 0%

Thank you so much Johnw

Truc C. Nguyen



#24
October 2, 2016 at 09:46:58
Johnw,

Is there anything more to run? Thanks,

Truc C. Nguyen



#25
October 2, 2016 at 16:31:43
Next step Truc.

Extract from the FRST log.
"ProxyEnable: [S-1-5-21-3146283584-3349612830-1043305185-1001] => Proxy is enabled"

Run MiniToolBox.
http://www.softpedia.com/get/Securi...
http://www.bleepingcomputer.com/dow...
http://www.bleepingcomputer.com/dow...
http://download.bleepingcomputer.co...
Close any browsers that you have open.
Check > Select the following & then Click > GO.

Checkmark the following checkboxes.
Flush DNS
Reset IE Proxy Settings
List Installed Programs

Copy & Paste the contents of the Result.txt log in your next post, or upload using Zippy.



#26
October 2, 2016 at 16:58:24
Johnw,

Just asking to be sure. My OS is Windows 10. The tool works on Windows XP/Vista/7.
Is that OK to run on Windows 10? Thanks,

Truc C. Nguyen



#27
October 2, 2016 at 17:08:56
"Is that OK to run on Windows 10? Thanks"
Yep.


#28
October 2, 2016 at 17:16:57
http://www111.zippyshare.com/v/xcjg...

Thanks,

Truc C. Nguyen



#29
October 2, 2016 at 17:22:11
Ok, now to finish off.

Extract from the fixlog.
"EmptyTemp: => 1.3 GB temporary data Removed"
Here are temp file settings for a normal user.
All browsers, limit the cache to 50mb ( that's MB, not GB )
IE & Edge share the same setting.
Control Panel > Internet Options > General > Browsing history > Settings. Refer SS below.
http://fs5.directupload.net/images/...
Example for Firefox.
https://www.sitepoint.com/3-tweaks-...
Chrome is not so straight forward.
How to set Google Chrome cache to 50mb max temporary files.
With comps, there is always more than one way to do things, try this way.
Right click on the Google Chrome shortcut > Properties.
Copy & Paste this below after .exe" as per SS ( Screenshot )
NOTE: There is a space after .exe"
http://i.imgur.com/vgkU3X1.gif
--disk-cache-size=50000"
Click > Apply & then OK.

///////////////////////////////////////////

Extract from the FRST log.
Platform: Windows 10 Home Version 1607 (X64) Language: English (United States)

Make sure ALL your Regional and Language Options settings are Ok. They will be something similar to this, the main point being, you should have at least 3 places to make sure you have your country displayed.

Windows 10: Change or Add Another Language or Region.
http://www.tech-recipes.com/rx/5633...
http://i.imgur.com/gkPnT4j.gif
http://i.imgur.com/8J4WO6U.gif
http://i.imgur.com/gtwlzJo.gif
http://i.imgur.com/vSWwH00.gif

///////////////////////////////////////////

You are making the same mistakes as before Truc & you have had, more or less the same problems, I did ask you to install Unchecky in these posts.
http://www.computing.net/answers/wi...
http://www.computing.net/answers/se...
That now indicates, that as you have changed operating systems, you did not have a list of what to reinstall, you need to have a record of what programs you have installed. Use the list from the Addition log or the MiniToolBox Result.txt log. Manually add Unchecky to it.



#30
October 2, 2016 at 17:58:06
Johnw,

Thank you so much for your help

There are 2 more things
To set Google Chrome cache to 50mb max temporary files , I added
--disk-cache-size=50000" It popped up as below and I could not change this
http://www7.zippyshare.com/v/MM0svv...

"I did ask you to install Unchecky in these posts" What is Unchecky you had asked me? I do not understand it. Can you explain it? Thanks,

Truc C. Nguyen



#31
October 2, 2016 at 18:08:52
"I added
--disk-cache-size=50000" It popped up as below and I could not change this
http://www7.zippyshare.com/v/MM0svv...
You have not followed instructions, there is a space after .exe

"What is Unchecky you had asked me? I do not understand it. Can you explain it?"
You have not clicked on the links I gave, so you can read & understand.

message edited by Johnw



#32
October 2, 2016 at 18:15:39
EDIT: SORRY JOHN I OVERLAPPED

Re John's Unchecky links:

1. See response 54 in orange text here:
http://www.computing.net/answers/wi...

2. See response 40 in orange text here:
http://www.computing.net/answers/se...

Always pop back and let us know the outcome - thanks

message edited by Derek



#33
October 2, 2016 at 18:19:34
"EDIT: SORRY JOHN I OVERLAPPED"
No problem Derek.


#34
October 2, 2016 at 18:24:31
"You have not followed instructions, there is a space after .exe"

I got it Thanks

"You have not clicked on the links I gave, so you can read & understand"

I clicked them but They are too long to remember them:)

I got #54 of first link

You recommended
Use Unchecky to help prevent these third party installs. Nothing is perfect, the badies are always ahead of the goodies

I am going to download it now. How do I use It?

Truc C. Nguyen



#35
October 2, 2016 at 18:30:35
"I clicked them but They are too long to remember them:)"
When you are looking for something on a web page, hit Ctrl + F & in the Search/Find box, put in the keyword, in this case Unchecky.

"I am going to download it now. How do I use It?"
Double click on it & that's it.



#36
October 2, 2016 at 18:40:15
You are a specialist who knows which tool to use in turn to remove malware and viruses.

I will download Unchecky to protect the system.

Thank you for your and Derek's efforts to help me.

Truc C. Nguyen



#37
October 2, 2016 at 19:02:38
Johnw :) Just asking you one more question before leaving

"You are making the same mistakes as before Truc & you have had, more or less the same problems, I did ask you to install Unchecky in these posts.
http://www.computing.net/answers/wi...
http://www.computing.net/answers/se...
That now indicates, that as you have changed operating systems, you did not have a list of what to reinstall, you need to have a record of what programs you have installed. Use the list from the Addition log or the MiniToolBox Result.txt log. Manually add Unchecky to it."

The second link is your assistance with my son's laptop. I will check his laptop when I return home and run Unchecky for him.

After downloading Unchecky, it runs in the background. How do I manually add Unchecky to the Addition log or the MiniToolBox Result.txt log as per your instruction?

Truc C. Nguyen



#38
October 2, 2016 at 19:09:07
" How do I manually add Unchecky to the Addition log or the MiniToolBox Result.txt log as your instruction?"
You type or Copy & Paste the info in.
You now keep a record in a Safe place for yourself, I do not need it, it is for you.


#39
October 2, 2016 at 19:12:50
Thank you so much

Truc C. Nguyen



#40
October 3, 2016 at 03:59:14
Thanks John, nicely buttoned up between you.

Always pop back and let us know the outcome - thanks

