In need of help (HJT-log attached)


jonii

Hello,

This is my first post on these boards, so hi to all of you helpful people :)

I have run out of ideas on how to clean my system, which over the last months has been heavily burdened by spyware and trojans. I've always had the latest version of Panda AV on my system, but the little buggers still got through.

The most frequent troublemakers are Virtuomundo, Astakiller, Smitfraud (and a handful of others). I run Ad-Aware and Spybot SnD (updated) pretty much daily, but the malware is recurrent.

I've run Ewido, Kaspersky Online scan, and tried two of the other online scans listed, which hasn't helped either.

I'll attach my latest HiJackThis log here, and my Ewido log. If you need any more just ask :)

So, thanks in advance guys, for any help with this.. hehe :)
 
Hello and welcome to Techspot.

Go HERE and follow the instructions exactly.

Post fresh HJT and Ewido logs into this thread, only after doing the above.

Regards Howard :wave: :wave:

This thread is for the use of jonii only. Please don't post your own virus/spyware problems in this thread. Instead, open a new thread in our security and the web forum.
 
Hello,

I have followed those instructions EXACTLY now and here are the logs you requested (attached).

Perhaps it's needless to say after you see the logs, but my computer is still suffering from a lot of the same symptoms (100% processor usage, for example).

I was however able to boot into safe mode now, which I was not previously.

Thanks in advance, again!
 
You might want to copy and paste these instructions into a notepad file. Then you can have the file open in safe mode, so you can follow the instructions easier.

Turn off system restore (XP/ME only). See how here: http://www.bleepingcomputer.com/forums/tutorial56.html

Boot into safe mode, under your normal user name (NOT THE ADMINISTRATOR ACCOUNT). See how here: http://www.bleepingcomputer.com/forums/tutorial61.html

In Windows Explorer, turn on "Show all files and folders, including hidden and system". See how here: http://www.bleepingcomputer.com/forums/tutorial62.html

Run HJT with no other programmes open (except notepad). Click the scan button. Have HJT fix the following, by placing a tick in the little box next to each (if there).

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchURL = prosearching.com

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchURL = prosearching.com

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = prosearching.com

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page_bak = prosearching.com

O2 - BHO: (no name) - {B7672BAF-E9A3-49B6-86B2-C81719A18A4C} - C:\WINDOWS\System32\cvflxphq.dll (file missing)

O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)

O15 - Trusted Zone: http://locator.cdn.imageservr.com

O20 - Winlogon Notify: winzdn32 - winzdn32.dll (file missing)

Click on the fix checked button.

Close HJT.

Reboot into normal mode, turn system restore back on and rehide your protected OS files.

Other than the above, your HJT log is clean.

You're running a completely unpatched version of Windows. This is a huge security risk. You should run Windows updates and install at least service pack 1 and preferably service pack 2.

Can you let me know what process is using 100% CPU resources?

Regards Howard :)

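The R1/O2/O15/O20 lines in the fix list above each map to a fixed registry location, so the same check can be scripted. The following is an added example (not code from this thread or from the HijackThis project): a read-only PowerShell audit of those locations that flags search/start pages not on an allow-list, BHOs and Winlogon Notify packages whose DLL no longer exists, and hosts mapped into the Trusted zone. The allow-list of search URLs is an assumption for the example.

```powershell
# Added example (not from this thread or the HJT project): read-only audit of the
# registry locations behind HJT R1/O2/O15/O20 entries. Reports only, changes nothing.
$knownGoodSearch = @('http://www.google.com', 'http://www.bing.com')  # assumption
function Get-HjtStyleFindings {
    # R1: IE start/search values in both hives, flagged when not on the allow-list
    foreach ($hive in 'HKCU', 'HKLM') {
        $main = "${hive}:\Software\Microsoft\Internet Explorer\Main"
        if (-not (Test-Path $main)) { continue }
        $props = Get-ItemProperty -Path $main
        foreach ($name in 'SearchURL', 'Start Page', 'Start Page_bak') {
            $val = $props.$name
            if ($val -and -not ($knownGoodSearch | Where-Object { $val -like "$_*" })) {
                "R1  $hive $name = $val"
            }
        }
    }
    # O2: BHO CLSIDs -> InprocServer32 DLL; a missing file is the classic leftover
    $bhoKey = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
    if (Test-Path $bhoKey) {
        foreach ($k in Get-ChildItem $bhoKey) {
            $srv = "Registry::HKEY_CLASSES_ROOT\CLSID\$($k.PSChildName)\InprocServer32"
            $dll = if (Test-Path $srv) { (Get-ItemProperty $srv).'(default)' } else { $null }
            $exists = $dll -and (Test-Path ([Environment]::ExpandEnvironmentVariables($dll)))
            "O2  $($k.PSChildName) -> $dll ($(if ($exists) { 'ok' } else { 'file missing' }))"
        }
    }
    # O20: Winlogon Notify packages; DllName is a bare name under System32 or a full path
    $notify = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify'
    if (Test-Path $notify) {
        foreach ($k in Get-ChildItem $notify) {
            $dll = (Get-ItemProperty $k.PSPath).DllName
            $path = if ($dll -match '\\') { $dll } else { Join-Path "$env:SystemRoot\System32" "$dll" }
            if (-not ($dll -and (Test-Path $path))) { "O20 $($k.PSChildName) - $dll (file missing)" }
        }
    }
    # O15: hosts mapped to zone 2 (Trusted); key Domains\example.com\sub reads as sub.example.com
    $zoneMap = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains'
    if (Test-Path $zoneMap) {
        foreach ($k in Get-ChildItem $zoneMap -Recurse) {
            $parts = ($k.Name -replace '^.*\\Domains\\', '') -split '\\'
            [array]::Reverse($parts)
            $p = Get-ItemProperty $k.PSPath
            foreach ($scheme in 'http', 'https', '*') {
                if ($p.$scheme -eq 2) { "O15 Trusted Zone: $scheme://$($parts -join '.')" }
            }
        }
    }
}
Get-HjtStyleFindings
```

Run it from an elevated PowerShell on the affected machine; anything it prints should be compared against the HJT log before deciding what to remove.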
 
Thanks so far Howard! Makes me glad to see some improvements :)

I'm aware of my Windows being unpatched, and that's the result of this computer being given to me, and apparently the installed version of Windows is not patchable...

I'm not sure how to see which process it is that's using the resources, but when sorting the processes in the Task Manager in order of size under the CPU tab, Pavfires.exe is steadily between 90-100.

In order of memory usage the processes take up:
firefox.exe is top with 27k, followed by
svchost.exe (22k)
ewido.exe (21k)
Avengine.exe (21k)
nod32krn.exe (18k)
explorer.exe (17k)

In total the processes (33 of them) amount to 269 MB out of 1248 MB, and the CPU usage is still 100% pretty much all the time, even with all applications closed. It is however swaying a lot right now (40-100%).

In safe mode it was close to zero.

I also wonder if I need to keep Ewido, NOD32, or any other anti-spyware software running all the time?

My Panda Antivirus keeps on asking me if I want to allow the processes to connect to the network. It also does this for Firefox.

Sorry if the info is redundant!
 
Pavfires.exe is related to your Panda antivirus programme. Specifically it's to do with the Panda firewall.

Why it's using so many resources is a mystery.

Maybe uninstalling and reinstalling your antivirus programme will help. You shouldn't be running more than one antivirus programme as this can cause problems. Uninstall whichever antivirus programme you don't want.

Let me know how you get on.

Regards Howard :)
 
I will mate, after I've slept some. :p

Thanks for the tip. I always did think running 5-10 anti-spyware programs was a bit overkill.

But since Panda doesn't protect against spyware, does that mean I should keep Ewido or NOD running along with it?

Nn.
 
Here's what you need.

One antivirus programme and a separate firewall programme, if your antivirus programme doesn't have one.

Ewido/SS&D/Ad-Aware se personal/Spyware Blaster.

That's all you need.

Regards Howard :)
 
Uh-oh, they're back. :eek:

At least partially.
I tried rescanning my computer just now, with Ewido, and as you see in the log I had a few bad/critical objects again!

I've set up my system like you said, with Panda AV including firewall and Ewido anti spyware.

I'm waiting for a response from Panda regarding Pavfires.exe draining my CPU, and until then I'm running the Windows firewall. Also, I'm behind a router.

What should I do against the new malware?
I followed the recommended actions from Ewido this time, after the scan, which were to quarantine one high risk object, and delete 5 medium risk ones.

edited for spelling.
 
The vundofix backups can all be deleted and are nothing to worry about.

The others are just tracking cookies and you shouldn't be unduly worried about them. However, if you want to, you can block any individual cookie in Firefox.

See HERE for further info.

If you're still worried, please feel free to post a fresh HJT log.

Regards Howard :)

 
I've attached a fresh HJT log here, just to be safe.

My system is still very slow however. The CPU usage is VERY high at all times still; like 70-80% now. Panda support advised me to 1. uninstall PAV, 2. run winsockxpfix.exe, which fixed some registry keys I think, and 3. reinstall PAV+Firewall. This fixed pavfires.exe using 90-100% of my CPU. Still, the CPU usage is very high..

I noticed that when I disconnect my wireless Netgear card, the CPU usage drops down to 1%!
When I stick it back in, the CPU usage darts back to 70%+.

Have you got any idea what this could be or what a solution could be, or where else to turn?
I'm pretty close to breaking now.. so much time and effort spent on this lagging computer :(
 
Your HJT log is still clean.

As far as your wireless Netgear card, maybe uninstalling and reinstalling the drivers will help. Also, check for updated drivers. If that doesn't help, maybe there's a conflict somewhere. This might be solved by trying a different wireless card.

You could also try completely uninstalling Panda and try different antivirus and firewall programmes.

The free AVG or Avast antivirus programmes and either the free Zonealarm or Kerio firewall programmes are very good. You can get them HERE, HERE, HERE and HERE.

Regards Howard :)
