# Windows 10 "System" ~35% utilization



## Hashhash (Feb 15, 2016)

Windows 10 has been working great for me, until a week ago when I realized my ThinkPad T430s started heating up. When I check utilization, I find that "System" is taking up ~35% of CPU utilization. This doesn't change when I close all applications. The only solution is to restart the PC, but it acts up again for some odd reason. Anybody else experiencing this / with solutions for this issue?


----------



## flavallee (May 12, 2002)

Can you provide images of the "Performance" and "Startup" tabs?

Are you using that laptop on a hard flat surface?

--------------------------------------------------------------


----------



## Hashhash (Feb 15, 2016)

Laptop is on a hard flat surface. Please find screenshots of "Performance" and "Startup" tabs.


----------



## flavallee (May 12, 2002)

These startup entries can be disabled:
*AcroTray
Evernote Clipper
Everything
Google Chrome
Spotify
SpotifyWebHelper
Sticky Notes
Update*

--------------------------------------------------------

*121* is a LOT of running processes, so that's going to affect overall speed and performance.
I also suspect your computer is infected.

--------------------------------------------------------


----------



## Hashhash (Feb 15, 2016)

What are your recommendations to scanning and getting rid of the infection?


----------



## flavallee (May 12, 2002)

You can start by doing the following:

Go here, then click the "Download Now @ Bleeping Computer" button to download and save *AdwCleaner.exe* to your desktop.
If you get a warning that this file is unsafe, ignore the warning.
Close all open windows first, then double-click *AdwCleaner.exe* to load its main window.
Click the "Scan" button, then allow the scanning process to finish.
Several seconds may pass before the scanning process starts, so be patient.
Click the "Logfile" button.
When the log appears, save it.
Return here to your thread, then copy-and-paste the ENTIRE log here.
After you submit the log, close AdwCleaner. 
If a warning appears, click "Yes".

--------------------------------------------------------------


----------



## Hashhash (Feb 15, 2016)

Here is the AdwCleaner logfile:

```text
# AdwCleaner v5.033 - Logfile created 15/02/2016 at 14:35:50
# Updated 07/02/2016 by Xplode
# Database : 2016-02-15.1 [Server]
# Operating system : Windows 10 Pro (x64)
# Username : Hash - HASH-THINKPAD
# Running from : C:\Users\Hash\Downloads\AdwCleaner.exe
# Option : Scan
# Support : http://toolslib.net/forum

***** [ Services ] *****

Service Found : sssvc

***** [ Folders ] *****

Folder Found : C:\Users\Hash\AppData\Local\Google\Chrome\User Data\Default\Extensions\kbfnbcaeplbcioakkpcpgfkobkghlhen

***** [ Files ] *****

File Found : C:\Users\Hash\AppData\Local\Google\Chrome\User Data\Default\Local Storage\chrome-extension_kbfnbcaeplbcioakkpcpgfkobkghlhen_0.localstorage
File Found : C:\Users\Hash\AppData\Local\Google\Chrome\User Data\Default\Local Storage\chrome-extension_kbfnbcaeplbcioakkpcpgfkobkghlhen_0.localstorage-journal
File Found : C:\Users\Hash\AppData\Local\Google\Chrome\User Data\Default\Local Storage\hxxp_st.chatango.com_0.localstorage
File Found : C:\Users\Hash\AppData\Local\Google\Chrome\User Data\Default\Local Storage\hxxp_st.chatango.com_0.localstorage-journal

***** [ DLL ] *****

***** [ Shortcuts ] *****

***** [ Scheduled tasks ] *****

***** [ Registry ] *****

Key Found : HKLM\SOFTWARE\Classes\CLSID\{117270FA-48AC-45BB-9171-B63D1B42A910}
Value Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID [{79F768ED-0B12-42EF-8257-36751A0ECF3A}]

***** [ Web browsers ] *****

[C:\Users\Hash\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences] [Extension] Found : kbfnbcaeplbcioakkpcpgfkobkghlhen

########## EOF - C:\AdwCleaner\AdwCleaner[S1].txt - [1615 bytes] ##########
```


----------



## flavallee (May 12, 2002)

Close all open windows first, then double-click *AdwCleaner.exe* to load its main window.
Click "Options", then uncheck all entries in the list.
Click the "Scan" button, then allow the scanning process to finish.
Several seconds may pass before the scanning process starts, so be patient.
Click the "Cleaning" button, then click "OK".
Allow the cleaning process to finish.
When it's finished, click "OK" in each window that appears.
The computer will restart.
When the log appears during restart, save it.
Return here to your thread, then copy-and-paste the ENTIRE log here.

-----------------------------------------------------------

Download and save and then install the free version of
*Malwarebytes Anti-Malware 2.2.0.1024
SUPERAntiSpyware 6.0.1212*
Make sure to uncheck and decline to install any extras, such as toolbars and homepages, they may offer.
Make sure to uncheck and decline to use the "Pro" or "Trial" version, if it's offered.
After they're installed, DON'T do anything else with them yet.
I'll give you detailed instructions for setting them up and using them.

-----------------------------------------------------------


----------



## Hashhash (Feb 15, 2016)

Okay, it removed a file called "ssvc"
But after deletion I did notice some erratic behavior from the CPU

Here is the logfile:

```text
# AdwCleaner v5.033 - Logfile created 16/02/2016 at 09:39:55
# Updated 07/02/2016 by Xplode
# Database : 2016-02-15.1 [Server]
# Operating system : Windows 10 Pro (x64)
# Username : Hash - HASH-THINKPAD
# Running from : C:\Users\Hash\Downloads\AdwCleaner.exe
# Option : Scan
# Support : http://toolslib.net/forum

***** [ Services ] *****

***** [ Folders ] *****

Folder Found : C:\Users\Hash\AppData\Local\Google\Chrome\User Data\Default\Extensions\kbfnbcaeplbcioakkpcpgfkobkghlhen

***** [ Files ] *****

***** [ DLL ] *****

***** [ Shortcuts ] *****

***** [ Scheduled tasks ] *****

***** [ Registry ] *****

***** [ Web browsers ] *****

[C:\Users\Hash\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences] [Extension] Found : kbfnbcaeplbcioakkpcpgfkobkghlhen

########## EOF - C:\AdwCleaner\AdwCleaner[S4].txt - [820 bytes] ##########
```


----------
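
An added example, not part of the thread and not AdwCleaner's own code: a small Python parser that compares the scan log posted before cleaning with the one posted after, to show which findings were cleared and which persisted. The function names `parse_adwcleaner` and `diff_scans` are hypothetical, and the two inputs are trimmed excerpts of the logs posted above.

```python
import re
from collections import defaultdict

SECTION = re.compile(r"^\*{5} \[ (.+?) \] \*{5}$")  # e.g. ***** [ Services ] *****

# Trimmed excerpts of the two scan logs posted in this thread (headers omitted).
SCAN_BEFORE = r"""
***** [ Services ] *****
Service Found : sssvc
***** [ Folders ] *****
Folder Found : C:\Users\Hash\AppData\Local\Google\Chrome\User Data\Default\Extensions\kbfnbcaeplbcioakkpcpgfkobkghlhen
***** [ Registry ] *****
Key Found : HKLM\SOFTWARE\Classes\CLSID\{117270FA-48AC-45BB-9171-B63D1B42A910}
"""
SCAN_AFTER = r"""
***** [ Services ] *****
***** [ Folders ] *****
Folder Found : C:\Users\Hash\AppData\Local\Google\Chrome\User Data\Default\Extensions\kbfnbcaeplbcioakkpcpgfkobkghlhen
***** [ Registry ] *****
"""

def parse_adwcleaner(text):
    """Return {section: {(kind, item), ...}} for one AdwCleaner scan log."""
    findings, section = defaultdict(set), None
    for raw in text.splitlines():
        line = raw.strip()
        header = SECTION.match(line)
        if header:
            section = header.group(1)          # entering a new log section
        elif section and " Found : " in line:  # "<kind> Found : <item>"
            kind, item = line.split(" Found : ", 1)
            findings[section].add((kind.strip(), item.strip()))
    return findings

def diff_scans(before, after):
    """Classify findings as cleared, persistent, or new between two scans."""
    flat = lambda f: {(s, k, i) for s, items in f.items() for k, i in items}
    b, a = flat(before), flat(after)
    return {"cleared": sorted(b - a), "persistent": sorted(b & a), "new": sorted(a - b)}

if __name__ == "__main__":
    result = diff_scans(parse_adwcleaner(SCAN_BEFORE), parse_adwcleaner(SCAN_AFTER))
    for status, rows in result.items():
        for section, kind, item in rows:
            print(f"{status:10} {section:10} {kind}: {item}")
```

Anything reported as persistent is what still needs a manual look after the cleaning pass.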



## flavallee (May 12, 2002)

Have you completed the second part of post #8?

---------------------------------------------------------------


----------



## Hashhash (Feb 15, 2016)

Hi, I have completed that. Please advise


----------



## flavallee (May 12, 2002)

Start Malwarebytes Anti-Malware.
Click "Settings", then click "Detection and Protection".
Make sure all 3 squares in "Detection Options" are checked.
Make sure "Treat detections as malware" is selected in both boxes.
Click "Scan", then select "Threat Scan", then click "Start Scan".
If it wants to update the definition files first, allow it to do so. 
If problems are found during the scan, the number of "Detected Objects" will be listed.
When the scan is finished, make sure to select and quarantine EVERYTHING in the list.
If you're prompted to restart the computer to complete the process, do so.
Start Malwarebytes Anti-Malware again.
Click "History - Application Logs".
Double-click on the most recent scan log entry.
When the next window appears, click on the most recent scan log entry.
Select "Export - Text File", then name it *mbam*, then save it on the desktop.
Return here, then copy-and-paste its ENTIRE contents here.

---------------------------------------------------------------------

Start SUPERAntiSpyware.
Click "System Tools".
Click "Preferences", then uncheck "Run in the background (system tray)", then click "Done".
Click "Advanced Settings", then uncheck "Follow shortcuts (*.lnk) during scan", then click "OK - Done".
Click "Click here to check for updates".
When the definition files have updated, click "OK".
Click "Scan This Computer", then click "Quick Scan".
If problems are found during the scan, the number of them will be highlighted in red.
When the scan is finished, click "Continue".
Make sure that EVERYTHING in the list is selected, then click "Continue".
When the removal process is complete, click "Continue".
If you're prompted to restart to finish the removal process, do so.
Start SUPERAntiSpyware again.
Click "System Tools", then click "Scan Logs".
Select the most current scan log, then click on its magnifying glass icon so it can open and be viewed, then save it on the desktop.
Return here, then copy-and-paste its ENTIRE contents here.

----------------------------------------------------------------------


----------



## Hashhash (Feb 15, 2016)

Hi, please find my two logs:

Malwarebytes Anti-Malware
www.malwarebytes.org

Scan Date: 2/16/2016
Scan Time: 3:02 PM
Logfile:
Administrator: Yes

Version: 2.2.0.1024
Malware Database: v2016.02.16.06
Rootkit Database: v2016.02.08.01
License: Free
Malware Protection: Disabled
Malicious Website Protection: Disabled
Self-protection: Disabled

OS: Windows 10
CPU: x64
File System: NTFS
User: Hash

Scan Type: Threat Scan
Result: Completed
Objects Scanned: 395197
Time Elapsed: 11 min, 28 sec

Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Enabled
Heuristics: Enabled
PUP: Enabled
PUM: Enabled

Processes: 0
(No malicious items detected)

Modules: 0
(No malicious items detected)

Registry Keys: 3
PUP.Optional.Amonetize, HKLM\SOFTWARE\CLASSES\dream.capture.1, Quarantined, [590d74ed0e8b2d09961c3f6b26dc45bb],
PUP.Optional.Amonetize, HKLM\SOFTWARE\WOW6432NODE\CLASSES\dream.capture.1, Quarantined, [6df9afb266337eb83082a00add25eb15],
PUP.Optional.Amonetize, HKLM\SOFTWARE\CLASSES\WOW6432NODE\dream.capture.1, Quarantined, [6df9afb266337eb83082a00add25eb15],

Registry Values: 0
(No malicious items detected)

Registry Data: 0
(No malicious items detected)

Folders: 0
(No malicious items detected)

Files: 10
PUP.Optional.EasyDriverPro, C:\Users\Hash\AppData\Local\Temp\awhC654.tmp, Quarantined, [c3a31051257472c4064512bf2ad76a96],
PUP.Optional.CouponMarvel, C:\Users\Hash\AppData\Local\Temp\awh9932.tmp, Quarantined, [afb71150fa9fc57120ecabec25dcc43c],
PUP.Optional.CouponMarvel, C:\Users\Hash\AppData\Local\Temp\awhA2F9.tmp, Quarantined, [2541a5bccbcecd69d834f89f61a0a060],
CrackTool.Agent, C:\Users\Hash\Desktop\Downloads\Office_2016_16_0_4266_1003_x86_x64_EN_RU_Install_v3_2_by_Ratiborus\Office KMS Activator 2016 Ultimate 1.1 - AppzDam.zip, Quarantined, [84e263fe0693e3532ac34fb6c045e21e],
PUP.Optional.BestPriceNinja, C:\Users\Hash\AppData\Local\Google\Chrome\User Data\Default\Local Storage\http_pstatic.bestpriceninja.com_0.localstorage, Quarantined, [b2b4520f980150e6129354fd08fc6d93],
PUP.Optional.BestPriceNinja, C:\Users\Hash\AppData\Local\Google\Chrome\User Data\Default\Local Storage\http_pstatic.bestpriceninja.com_0.localstorage-journal, Quarantined, [95d1da874257df57b5f0ff5235cf7e82],
PUP.Optional.CrossRider, C:\Users\Hash\AppData\Local\Google\Chrome\User Data\Default\Local Storage\https_d19tqk5t6qcjac.cloudfront.net_0.localstorage, Quarantined, [74f24a17d1c89b9b2ec270e96c98837d],
PUP.Optional.CrossRider, C:\Users\Hash\AppData\Local\Google\Chrome\User Data\Default\Local Storage\https_d19tqk5t6qcjac.cloudfront.net_0.localstorage-journal, Quarantined, [94d265fc5d3cb3839d53df7a0df77c84],
PUP.Optional.HDApp, C:\Users\Hash\AppData\Local\Google\Chrome\User Data\Default\Local Storage\https_hdapp1008-a.akamaihd.net_0.localstorage, Quarantined, [24424e13118887af53ac1b3f8f7518e8],
PUP.Optional.HDApp, C:\Users\Hash\AppData\Local\Google\Chrome\User Data\Default\Local Storage\https_hdapp1008-a.akamaihd.net_0.localstorage-journal, Quarantined, [67ff7be63267c67000ffc09ac3416a96],

Physical Sectors: 0
(No malicious items detected)

(end)


----------



## flavallee (May 12, 2002)

I tried to copy-and-paste your SAS log here, but it's too large and wasn't accepted.
It looks like all 924 threats it found are "adware tracking cookies" and nothing more serious.
I'm going to assume you selected and removed all of them.

--------------------------------------------------------------

It looks like the accumulation of temp files needs to be cleaned out, so do the following next.

Go here, then click the "Download Now @ Author's Site" button to download and save *TFC.exe* (Temp File Cleaner by OldTimer) to your desktop.
After it's downloaded and saved, close all open windows.
Double-click it to load its main window.
Click the "Start" button.
If there are a large number of temp files or if there are multiple user accounts, the temp file deletion process may appear to freeze and may take a few minutes, so don't interfere with or abort it.
After it's finished, restart the computer.
Advise how many temp files in MBs were found and deleted.

--------------------------------------------------------------

Now that AdwCleaner and MBAM and SAS and TFC have been used, is your computer running better and faster?

--------------------------------------------------------------


----------



## Hashhash (Feb 15, 2016)

Yes, it has been running great since! I'm not so happy about installing all these applications. Would appreciate any recommendation for the lightest weight application to monitor and prevent future infections from arising!
Thank you


----------



## flavallee (May 12, 2002)

> Yes, it has been running great since!


I'm glad to hear that. 


> I'm not so happy about installing all these applications.


*AdwCleaner* and *TFC* do not install and do not run in the background. 
You can get rid of them simply by deleting them from the desktop.
I wouldn't do that though because they should be kept and put to use at least once a month.

*Malwarebytes Anti-Malware* and *SUPERAntiSpyware* do install and do place entries in the startup list and/or services list.
They don't need to run in the background though, so I'll give you instructions for disabling those entries.
They also should be kept and put to use at least once a month.

These are the same 4 apps that I use in my computers and in the ones that I service.

-------------------------------------------------------------

Type *MSCONFIG* in the search or run box, then press the Enter key.
When the System Configuration window appears, select the Startup tab.
Uncheck any entries that are associated with Malwarebytes Anti-Malware and/or SUPERAntiSpyware.
After you're done, click Apply - OK/Close - Exit Without Restart.

Type *SERVICES.MSC* in the search or run box, then press the Enter key.
When the Services window appears, expand it so you can see its list more clearly.
Double-click each entry, one at a time, that begins with *MBAM* and *SAS*.
Change "Startup Type" to Manual, then click Apply.

After you're done with both the startup and services lists, restart the computer.

-------------------------------------------------------------


----------



## flavallee (May 12, 2002)

I forgot you're using Windows 10 and not Windows 7, so accessing the System Configuration "Startup" tab and disabling an entry is done differently.
When you click the "Startup" tab, you need to click the Task Manager link and then click the "Startup" tab.
You then click on and highlight an entry to disable it.

--------------------------------------------------------------


----------



## Hashhash (Feb 15, 2016)

Seriously, thank you


----------



## flavallee (May 12, 2002)

> Seriously, thank you


I'm not sure what you meant by that comment.

--------------------------------------------------------------


----------

