[SOLVED] High level of data usage in uninstalled processes on PC

DR M said:
It's not a malware relate issue, so I prefer to reply here instead in the Security Arrena, especially since there are already several replies here.
Click to expand...

VERY good to know.
DR M said:
It seems that you had GOG Galaxy installed. Now, it's not shown in the Installed Programs list, however there are a lot of remnants. Please confirm that GOG is not installed now.
Click to expand...
Its not installed. Will double check later today.
DR M said:
Errors are also shown regarding Nord VPN. I suggest to uninstall it now. In case you need it, you can install it later again.

I will be waiting for your reply regarding GOG and Nord, before I give you a fix to try.
Click to expand...
Will uninstall Nord later today and will definitely get back to you.

Thanks Dr M
 
Just saw your question above. Yes, it's always good to restart after you uninstall a program. I'll check the logs and let you know if a restart it is needed.
 
OK, please do the following to run an FRST fix:

FRST fix

NOTICE: This script was written specifically for this user. Running it on another machine may cause damage to your operating system
  • Select the entire contents of the code box below, from the "Start::" line to "End::", including both lines. Right-click and select "Copy ". No need to paste anything to anywhere.
Code: 
Start::
CreateRestorePoint:
CloseProcesses:
CustomCLSID: HKU\S-1-5-21-1187891039-2213116806-2605294233-1001_Classes\CLSID\{4e6f7264-5650-4e00-0000-000000000000}\localserver32 -> "C:\Program Files\NordVPN\NordVPN.exe" -ToastActivated => No File
HKU\S-1-5-21-1187891039-2213116806-2605294233-1001\...\StartupApproved\Run: => "NordVPN"
HKU\S-1-5-21-1187891039-2213116806-2605294233-1001\...\StartupApproved\Run: => "GogGalaxy"
FirewallRules: [{B698E63B-DD88-494B-B094-E71CBB72996E}] => (Allow) c:\program files\microsoft onedrive\23.147.0716.0001\filecoauth.exe => No File
FirewallRules: [{93C7E7AD-60C8-48D5-B59C-0AC504867607}] => (Allow) c:\program files\microsoft onedrive\23.147.0716.0001\filecoauth.exe => No File
FirewallRules: [{11ADB5D3-BEB5-43C4-B72B-179433075F1C}] => (Allow) c:\program files\windowsapps\microsoft.windowscommunicationsapps_16005.14326.21514.0_x64__8wekyb3d8bbwe\hxoutlook.exe => No File
FirewallRules: [{8F428DAE-C37D-4A01-9E7D-67F0B0F66638}] => (Allow) c:\program files\windowsapps\microsoft.windowscommunicationsapps_16005.14326.21514.0_x64__8wekyb3d8bbwe\hxoutlook.exe => No File
FirewallRules: [{A4B57DDE-4A84-4F21-A4B5-59EFAB21A445}] => (Allow) c:\program files\windowsapps\microsoft.windowscommunicationsapps_16005.14326.21514.0_x64__8wekyb3d8bbwe\hxtsr.exe => No File
FirewallRules: [{E7C99301-8D02-4CC7-8B9A-0B764A00D32C}] => (Allow) c:\program files\windowsapps\microsoft.windowscommunicationsapps_16005.14326.21514.0_x64__8wekyb3d8bbwe\hxtsr.exe => No File
FirewallRules: [{128F7DC5-9D00-4F16-AD04-DD62C6CBDCFE}] => (Allow) c:\program files\windowsapps\7340robertdurfee.networkusage_3.1.8.0_x64__ygerwv1yqg9j8\networkusage.exe => No File
FirewallRules: [{6343887A-C939-4F0C-922C-4E434F21CBC5}] => (Allow) c:\program files\windowsapps\7340robertdurfee.networkusage_3.1.8.0_x64__ygerwv1yqg9j8\networkusage.exe => No File
FirewallRules: [{9A2A6933-110F-40C2-A5E6-BD2939A6EB70}] => (Allow) c:\program files (x86)\bravesoftware\update\braveupdate.exe => No File
FirewallRules: [{4CBAEDF4-42B4-4E2F-BB03-86A772EE5CBB}] => (Allow) c:\program files (x86)\bravesoftware\update\braveupdate.exe => No File
FirewallRules: [{5ACF7B4E-B801-43BA-9E16-1B686A73FC1C}] => (Allow) c:\users\clang\appdata\local\temp\{ec7dd2f1-42a2-446f-a5b2-b773cfaaf5d1}\c080d051.exe => No File
FirewallRules: [{68864D9F-D0D6-4021-9EA8-F7459544C49D}] => (Allow) c:\users\clang\appdata\local\temp\{ec7dd2f1-42a2-446f-a5b2-b773cfaaf5d1}\c080d051.exe => No File
FirewallRules: [{C4675E1A-FEA4-47F4-BC41-93F2865508F4}] => (Allow) c:\users\clang\appdata\local\temp\{1a4ba14d-f84b-4ea8-b2eb-306d4a0fa310}\02c516a8.exe => No File
FirewallRules: [{57E94907-5A2E-4D6A-9358-94D39433B66C}] => (Allow) c:\users\clang\appdata\local\temp\{1a4ba14d-f84b-4ea8-b2eb-306d4a0fa310}\02c516a8.exe => No File
FirewallRules: [{223725EA-C6FE-45F3-A471-0ED558148BC9}] => (Allow) c:\program files\windowsapps\microsoft.yourphone_1.23052.123.0_x64__8wekyb3d8bbwe\phoneexperiencehost.exe => No File
FirewallRules: [{419B7DC9-30F4-417D-BFBF-077C3F2B5ECD}] => (Allow) c:\program files\windowsapps\microsoft.yourphone_1.23052.123.0_x64__8wekyb3d8bbwe\phoneexperiencehost.exe => No File
FirewallRules: [{2AFE09A1-B827-49A8-B741-4BE17EC03236}] => (Allow) c:\program files\microsoft onedrive\onedrivestandaloneupdater.exe => No File
FirewallRules: [{43917227-A87A-4118-8F57-6FB600E36923}] => (Allow) c:\program files\microsoft onedrive\onedrivestandaloneupdater.exe => No File
FirewallRules: [{C76F8C21-65D0-4E0E-831A-6DD939EF167C}] => (Allow) c:\program files\microsoft onedrive\23.147.0716.0001\microsoft.sharepoint.exe => No File
FirewallRules: [{848DBC8B-9F4E-4C57-B22E-AF619E41318E}] => (Allow) c:\program files\microsoft onedrive\23.147.0716.0001\microsoft.sharepoint.exe => No File
FirewallRules: [{C52FFAAD-226D-4CA1-8210-0A6DB07926D4}] => (Allow) c:\program files\microsoft onedrive\23.147.0716.0001\onedrivesetup.exe => No File
FirewallRules: [{C5047B53-5CA2-4704-B8AE-D2F36880C774}] => (Allow) c:\program files\microsoft onedrive\23.147.0716.0001\onedrivesetup.exe => No File
FirewallRules: [{26BBD3C3-B1BA-45CD-9249-E453116C1E4F}] => (Allow) c:\program files (x86)\gog galaxy\galaxyclient.exe => No File
FirewallRules: [{8DECC23F-7ABE-4029-B438-F27E0CF23FB2}] => (Allow) c:\program files (x86)\gog galaxy\galaxyclient.exe => No File
FirewallRules: [{027ECD04-F286-4850-A4FF-D67757D24B3F}] => (Allow) c:\windows\temp\is-mkt8k.tmp\a5bxmtp4.tmp => No File
FirewallRules: [{BC6B0CEE-1616-475B-BF8A-85149B08D1E9}] => (Allow) c:\windows\temp\is-mkt8k.tmp\a5bxmtp4.tmp => No File
FirewallRules: [{9933D533-7531-4507-A9C8-1D310BFF6F9B}] => (Allow) c:\users\clang\saved games\downloads\frst64 (1).exe => No File
FirewallRules: [{3C7670EE-F94E-4527-BAFC-8B66FAE66369}] => (Allow) c:\users\clang\saved games\downloads\frst64 (1).exe => No File
FirewallRules: [{CAFCB3C3-41AA-4970-B192-EFC123F3345E}] => (Allow) c:\program files\nordvpn\nordvpn-service.exe => No File
FirewallRules: [{DE9BCDBA-2400-48C8-9A17-4BA2DCB210E6}] => (Allow) c:\program files\nordvpn\nordvpn-service.exe => No File
FirewallRules: [{533BBA0F-CC38-4AB9-9462-9C7CCDC360D4}] => (Allow) c:\users\clang\appdata\local\temp\iu-14d2o.tmp\_unins.tmp (nordvpn s.a. -> Nord Security)
FirewallRules: [{C44BEEAC-13A0-41DB-93FC-99A0A0E4BDB7}] => (Allow) c:\users\clang\appdata\local\temp\iu-14d2o.tmp\_unins.tmp (nordvpn s.a. -> Nord Security)
HKU\S-1-5-18\...\RunOnce: [InstallBootstrap] => "C:\ProgramData\NordUpdater\updates\q10rhsc1.exe" (No File)
Edge Extension: (No Name) -> AutoFormFill_5ED10D46BD7E47DEB1F3685D2C0FCE08 => C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\Assets\HostExtensions\AutoFormFill [not found]
Edge Extension: (No Name) -> BookReader_B171F20233094AC88D05A8EF7B9763E8 => C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\Assets\BookViewer [not found]
Edge Extension: (No Name) -> LearningTools_7706F933-971C-41D1-9899-8A026EB5D824 => C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\Assets\HostExtensions\LearningTools [not found]
Edge Extension: (No Name) -> PinJSAPI_EC01B57063BE468FAB6DB7EBFC3BF368 => C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\Assets\HostExtensions\PinJSAPI [not found]
S3 AKAI_ACV3_MIDI; \SystemRoot\system32\drivers\akaiacv3m.sys [X]
S3 tapnordvpn; C:\WINDOWS\System32\drivers\tapnordvpn.sys [49744 2021-06-13] (nordvpn s.a. -> The OpenVPN Project)
C:\Program Files\NordUpdater
C:\WINDOWS\System32\drivers\tapnordvpn.sys
C:\Users\clang\Doctor Web
C:\ProgramData\GOG.com
C:\Program Files (x86)\GOG Galaxy
cmd: netsh advfirewall reset
EmptyTemp:
End::
  • Right-click on FRST64 on your Desktop, to run it as administrator. When the tool opens, click "yes" to the disclaimer.[/*]
  • Press the Fix button once and wait.
  • FRST will process fixlist.txt
  • When finished, it will produce a log fixlog.txt on your Desktop.
  • Post the log in your next reply.
 
Go to App History and choose Delete Usage History.

Restart.

Any change with Uninstalled Processes?
 
Go to Options and un-tick the Show history for all processes. Let me know if it is still there.
 
Well, I think we found it. :-)

By default, the option Show history for all processes is un-ticked, so the majority of us, do not see the Uninstalled processes instant. We see only what we call modern apps, or just apps, which are applications from the Microsoft Store.

If we select the specific option, however, and we are connected to the internet, we all see the Uninstalled processes instant using data. It's there. I tested it on my Windows 10 system as well as on my Virtual Machine. Mine, at this time, went already to 7,5 MB, and think that it's been more than a month to use this computer.

So... it's a common thing. What it is exactly, I'm not sure. But everyone can test it and see it there.
 
You can see an explanation by Ben N here, but that is not my area of qualification so I can't add something else. Perhaps uninstalling a specific program caused it, or it was the total result of uninstalling programs. Now it's not that much. Your results are normal.
 
Last edited:
DR M said:
Well, I think we found it. :-)

By default, the option Show history for all processes is un-ticked, so the majority of us, do not see the Uninstalled processes instant. We see only what we call modern apps, or just apps, which are applications from the Microsoft Store.

If we select the specific option, however, and we are connected to the internet, we all see the Uninstalled processes instant using data. It's there. I tested it on my Windows 10 system as well as on my Virtual Machine. Mine, at this time, went already to 7,5 MB, and think that it's been more than a month to use this computer.

So... it's a common thing. What it is exactly, I'm not sure. But everyone can test it and see it there.
Click to expand...
20230805_150113.jpg
Looked on my laptop .... And it's there also . Good to know.
 
Yes. It's a common item in Windows 10, when the option Show history for all processes is selected. Since the default option is showing history only for the modern apps installed, most of the people do not see it, so they don't get into thoughts.

The following tool will remove the tools we used as well as reset system restore points:

Download KpRm by kernel-panik and save it to your desktop.
  • Right-click kprm_(version).exe and select Run as Administrator.
  • Read and accept the disclaimer.
  • When the tool opens, ensure all boxes under Actions are checked.
  • Under Delete Quarantines select Delete Now, then click Run.
  • Once complete, click OK.
  • A log will open in Notepad titled kprm-(date).txt.
  • Please copy and paste its contents in your next reply.
 
Morning DR M ,
Below are the results.

# Run at 8/6/2023 7:39:27 AM
# KpRm (Kernel-panik) version 2.14.0
# Website https://kernel-panik.me/tool/kprm/
# Run by clang from C:\Users\clang\Saved Games\Downloads
# Computer Name: DESKTOP-N4NCUCI
# OS: Windows 10 X64 (19045) (10.0.19045.3208)
# Number of passes: 1

- Checked options -

~ Registry Backup
~ Delete Tools
~ Restore System Settings
~ UAC Restore
~ Delete Restore Points
~ Create Restore Point
~ Delete Quarantines

- Create Registry Backup -

~ [OK] Hive C:\WINDOWS\System32\config\SOFTWARE backed up
~ [OK] Hive C:\Users\clang\NTUSER.dat backed up

[OK] Registry Backup: C:\KPRM\backup\2023-08-06-07-39-27

- Delete Tools -


## AdwCleaner
[OK] C:\AdwCleaner deleted

## ESET Online Scanner
[OK] C:\Users\clang\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\ESET Online Scanner.lnk deleted
[OK] C:\Users\clang\AppData\Local\ESET\ESETOnlineScanner deleted

## FRST
[OK] C:\Users\clang\Desktop\Addition.txt deleted
[OK] C:\Users\clang\Desktop\Fixlog.txt deleted
[OK] C:\Users\clang\Desktop\FRST.txt deleted
[OK] C:\Users\clang\Desktop\FRST64 (1).exe deleted
[OK] C:\FRST deleted

## Kaspersky Virus Removal Tool
[OK] C:\Users\clang\Desktop\KVRT.exe deleted

- Restore System Settings -

[OK] Reset WinSock
[OK] FLUSHDNS
[OK] Hide Hidden file.
[OK] Show Extensions for known file types
[OK] Hide protected operating system files

- Restore UAC -

[OK] Set EnableLUA with default (1) value
[OK] Set ConsentPromptBehaviorAdmin with default (5) value
[OK] Set ConsentPromptBehaviorUser with default (3) value
[OK] Set EnableInstallerDetection with default (0) value
[OK] Set EnableSecureUIAPaths with default (1) value
[OK] Set EnableUIADesktopToggle with default (0) value
[OK] Set EnableVirtualization with default (1) value
[OK] Set FilterAdministratorToken with default (0) value
[OK] Set PromptOnSecureDesktop with default (1) value
[OK] Set ValidateAdminCodeSignatures with default (0) value

- Clear Restore Points -

~ [OK] RP named Scheduled Checkpoint created at 07/20/2023 02:43:31 deleted
~ [OK] RP named Windows Modules Installer created at 07/26/2023 18:41:04 deleted
~ [OK] RP named Installed HP Support Solutions Framework created at 07/31/2023 14:34:30 deleted
[OK] All system restore points have been successfully deleted

- Create Restore Point -

[OK] System Restore Point created

- Display System Restore Point -

~ RP named KpRm created at 08/06/2023 12:40:33

-- KPRM finished in 113.19s --
 

Has Sysnative Forums helped you? Please consider donating to help us support the site!

Back
Top