Resources are Burning Busy...

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by ct1069, Aug 14, 2007.

  1. ct1069

    ct1069 Private E-2

    Malware has gotten me again. I was doing mundane stuff on Sunday afternoon when I got a "Not enough virtual memory" warning from Windows. I was running nothing and the computer has 1 gig of memory. A quick check of CPU said 95%. When I reboot in normal mode, something takes ahold of the processor and sends it on a trip -- 100% and nothing else will run -- I have no internet access because I can't get DSL started. I went to the library to get the "Read and Run this First" guide which I will get started with tonight. Hopefully someone here can help me get control of my computer again.
     
  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    It would be a lot more helpful if you could give more specific information.

    1. What process or processes are using all of your CPU time?
    2. Does it happen in safe mode?
    3. What do you mean you can't get DSL started? Do you mean that is a separate problem or are you saying it is related to the CPU usage problem?
    Please do as much of the READ & RUN ME as is possible given your problems and attach the requested logs. Even if you have to run everything in safe mode (including things like GetRunKey, ShowNew and HJT) it is better than nothing. The more logs you provide, the greater the chance we can help you. If all you provide is a HijackThis log, we may not be able to help you. There is a good chance that these problems are not due to malware.
     
  3. ct1069

    ct1069 Private E-2

    Sorry for the cryptic, unfinished message. I posted that message at the public library with only a couple more minutes of use available to me for the computer I was using.

    My computer: (Gateway Tower - P4 2.53GHz - Windows XP Home - 1GB RAM) The trouble began when I rebooted after getting a “Low Virtual Memory” error from Windows; I got the sign-in screen and then, once the desktop wallpaper showed up, the icons took forever to come up. The mouse/cursor would move around the screen but trying to grab anything in the tray (including Start) would give me an hourglass. It wouldn’t let me select any icons on the desktop either (or if it did, once or twice, the resultant window would freeze). The task manager showed 40+ processes running and the CPU was pegged at 100%. I tried shutting down what appeared to be causing the CPU load but I got “Access Denied”.

    I couldn’t get (Earthlink’s Total Access – my provider) Internet software to work in Safe Mode so I went to a friend’s house and printed your “Read This First Guide” and downloaded the tools that it said I needed. I went home and got started. I couldn’t get Counterspy to run – I did get AVG Anti-spy and the log is attached. I tried numerous times to get anything to run in normal mode but to no avail. I figured that since Hijack This and your two programs Getrunkey and Shownew are small and probably execute quickly, even though I couldn’t do a scan from Bitdefender or Panda, maybe if I showed you what I had, you could suggest a way to get me some functionality back under Normal mode. I started shutting down all the processes running under task manager and I shut down some part of Norton and it gave me an error (something about ‘illegal call’ and then a warning about a 60 second shutdown which somehow either directly or indirectly interrupted the processor hijack). I ran Hijack This and got a logfile. On the next reboot, I clicked on ‘owner’ login and then got the Task Mgr. up and waited for the ‘crap’ to start loading. When a svchost.exe file looked like it wanted 90%+ of the processor I canned it and lo and behold I “got some of my computer back.” I was able to log onto the Internet and ran the Bitdefender Scan that found 2 Trojans and a Haxdoor and removed them – don’t know if they were the problem. I tried to scan from Panda but for whatever reason, the website is not giving scans – tried several times. I went back and did a new Getrunkey and Shownew log and a new Hijack This log as well.

    I’m scared as hell to shut anything down because I hate that feeling of fighting the beast to get it back up and running. Could you take a look and see if there is anything else glaring that could be waiting to bite or worse, reinfect?
     

    Attached Files:

  4. ct1069

    ct1069 Private E-2

    The other files I have. (I couldn't get Panda)

    Thanks for your help.
     

    Attached Files:

  5. ct1069

    ct1069 Private E-2

    P.S. One more thing -- My Norton 2006 IS expired last week. I am thinking of changing to PC-Cillin from Trend. Do you have any suggestions or opinions or advice?
     
  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    I definitely don't recommend Norton and if Trend Micro is going to be an Internet Security Suite, I don't recommend it either. All internet security suites are massive resource hogs and they are not worth the money since you can get great protection from free tools that are not so resource hungry.

    First uninstall the below old Sun Java version which is a security risk:
    J2SE Runtime Environment 5.0 Update 8
    Download haxfix.exe and save it to your desktop.
    • Double click on haxfix.exe to install haxfix. (standard installation path is c:\program Files\haxfix)
    • Checkmark "Create a desktop icon"
    • Click "Next"
    • When the installation is completed, make sure that the checkmark "Launch HaxFix" is placed
    • Click "Finish"
    A red "dos window" (dos box) will open with options:
    1. Make logfile
    2. Run auto fix
    3. Run manual fix
    E. Exit Haxfix
    • Select option 2. Run auto fix by typing 2 and then pressing Enter
    • If an infection is found, you'll get a message to close all other open windows.
    • Close all open windows except the red dos window from haxfix and then press Enter
    • The computer will reboot
    • After reboot a logfile will open > (c:\haxfix.txt)
    Now Download this file - combofix.exe
    1. Double click combofix.exe & follow the prompts.
    2. When finished, it will produce a log ( C:\combofix.txt ) for you. Attach this log to your next reply
    Note:

    Do not mouseclick combofix's window while it is running. That may cause it to stall.


    Now install the current version of Sun Java from: Sun Java Runtime Environment


    Now attach the below new logs and tell me how the above steps went.

    1. c:\haxfix.txt
    2. C:\combofix.txt
    3. GetRunKey
    4. ShowNew
    5. HJT
    Make sure you tell me how things are working now!
     
  7. ct1069

    ct1069 Private E-2

    Computer works but that svchost.exe still starts up and sets the process to working on whatever.
     

    Attached Files:

  8. ct1069

    ct1069 Private E-2

    Thank you.
     

    Attached Files:

  9. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    svchost.exe is a required system process and you will always see several of them running. Certain ones will use much more memory than others. Killing certain ones will cause your PC to crash. They are not your problem.

    Now download The Avenger by Swandog46, and save it to your Desktop.
    • Extract avenger.exe from the Zip file and save it to your desktop
    • Run avenger.exe by double-clicking on it.
    • Check the 'Input script manually' box.
    • Click on the magnifying glass icon.
    • Copy everything in the Quote box below, and paste it in the box that opens:
    • Now click the 'Done' button.
    • Click on the traffic light icon and OK the prompt.
    • You will be prompted to restart, OK the prompt and your PC should reboot, if not, reboot it yourself.
    • A log file from Avenger will be produced at C:\avenger.txt
    Now run Ccleaner!

    Now attach the below new logs and tell me how the above steps went.

    1. Avenger
    2. GetRunKey


    Make sure you tell me how things are working now!

    If you still have problems, I suggest you uninstall all Norton/Symantec software. Then run the below since Norton rarely uninstalls properly.

    Norton Removal Tool (SymNRT)


    You can replace Norton with free tools given in the below:

    How to Protect yourself from malware!
     
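    The thread's unresolved question is which service sits behind the one svchost.exe instance that pegs the CPU. The PowerShell diagnostic below is an added example, not code from the thread or from MajorGeeks: it maps every svchost.exe instance to its service group and the services it hosts and ranks them by CPU time, so a busy instance can be attributed to a specific service rather than killed blindly. It assumes PowerShell 3.0 or later (Get-CimInstance), which was not available on the original Windows XP Home machine, and an elevated prompt for complete data on SYSTEM-owned instances.

```powershell
# Added diagnostic example (not from the thread): attribute a busy svchost.exe
# instance to the service group and services it hosts.
# Assumes PowerShell 3.0+ and an elevated prompt; without elevation the CPU and
# start time of SYSTEM-owned instances may be unreadable and are reported as unknown.

function Get-SvchostServiceMap {
    param(
        # Only report instances whose total CPU seconds reach this threshold (0 = all)
        [double]$MinCpuSeconds = 0
    )

    # Services keyed by the PID that currently hosts them; shared svchost groups
    # put several services into one process, which is why one PID can be "busy".
    $servicesByPid = Get-CimInstance -ClassName Win32_Service |
        Where-Object { $_.ProcessId -ne 0 } |
        Group-Object -Property ProcessId -AsHashTable -AsString

    # The command line names the group (-k netsvcs, -k LocalService, ...) each instance runs.
    $cmdByPid = @{}
    Get-CimInstance -ClassName Win32_Process -Filter "Name = 'svchost.exe'" |
        ForEach-Object { $cmdByPid["$($_.ProcessId)"] = $_.CommandLine }

    Get-Process -Name svchost -ErrorAction SilentlyContinue | ForEach-Object {
        $proc = $_
        # Reading CPU time or start time throws for processes the caller cannot open.
        $cpu = -1; $start = $null
        try { $cpu = [double]$proc.TotalProcessorTime.TotalSeconds } catch { }
        try { $start = $proc.StartTime } catch { }
        if ($cpu -ge 0 -and $cpu -lt $MinCpuSeconds) { return }   # skip quiet instances

        $hosted = $servicesByPid["$($proc.Id)"]
        $group  = if ($cmdByPid["$($proc.Id)"] -match '-k\s+(\S+)') { $Matches[1] } else { '?' }
        [pscustomobject]@{
            PID          = $proc.Id
            CpuSeconds   = if ($cpu -ge 0) { [math]::Round($cpu, 1) } else { 'unknown' }
            WorkingSetMB = [math]::Round($proc.WorkingSet64 / 1MB, 1)
            StartTime    = $start
            Group        = $group
            Services     = if ($hosted) { ($hosted.Name | Sort-Object) -join ', ' } else { '(none found)' }
        }
    } | Sort-Object -Property CpuSeconds -Descending
}

Get-SvchostServiceMap | Format-Table -AutoSize -Wrap
```

Once the busy instance is tied to a group, the individual services in that group can be stopped one at a time (services.msc) to find the culprit, which is the step Task Manager alone cannot give you.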
  10. ct1069

    ct1069 Private E-2

    Still have the "runaway process". I rebooted after running Avenger before running 'Getrunkeys' but it seems that the process Svchost.exe takes all available unused processor access -- I know you said it isn't the problem but rather a symptom. The 'Getrunkeys' window came up but it couldn't complete the scan for keys with that process running. I had to shut down the runaway Svchost.exe. I tried changing the priority to Low but it denied me access so I shut it down, which it let me do. Next, I will, as you suggested, get rid of my expired Norton IS 2006 (hungry crap -- it wouldn't run on my laptop -- 500 Meg was not enough memory I guess - ha) -- and try some of your suggestions hoping that it may be the cause of the problem. That wouldn't surprise me in the least.
     

    Attached Files:

  11. ct1069

    ct1069 Private E-2

    Oooops. Sorry, I forgot to run CC. I will first.
     
  12. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Your logs are clean! Continue on with the removal of Norton.

    Also uninstall Windows Defender as a test too!

    Make sure you reinstall an antivirus (like AVG) and a firewall from the list in the How to protect link I gave you.

    Attach new logs from ShowNew and HJT after doing all of this and also tell us if you are still having problems.
     
  13. ct1069

    ct1069 Private E-2

    I downloaded AVG Free and A-squared to my desktop. I already had Zone Alarm for a firewall. I checked for Windows updates and installed the few that were there. Then, I uninstalled Norton IS 2006 by their method (Windows program uninstall from Control Panel); then I ran the Norton Uninstaller 'helper'; then I rebooted. Rogue process still there -- I shut it down. Then I uninstalled Windows Defender; then I rebooted. Rogue process still there -- I shut it down. Then I installed AVG Free and checked for updates. Then I installed A-squared and checked for updates. Then I rebooted. Rogue process still there -- I shut it down. Then I ran an A-squared scan -- wow! still found a bunch of stuff, all of which I quarantined. I saved a file that I am attaching. Then, I rebooted. Rogue process still there -- I shut it down. I shot two digital photos (instead of screen shots because I didn't want to disturb anything) that I will attach -- the rogue process is always in the same approximate location in the list of processes, which would appear to be about 6th or so from the bottom, which I would assume to be 6th loaded. Any suggestions?
     

    Attached Files:

  14. ct1069

    ct1069 Private E-2

    Here is a photo of the task manager with the svchost.exe (rogue process) at full tilt. The other shot shows the history bar for CPU usage -- unlike the past where it went to 100%, there are several spikes before it goes into orbit.
     

    Attached Files:

  15. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    The process in your image "svchost.exe" is a valid system process. That is completely normal.

    Your logs are clean. If you are not having any other malware problems, it is time to do our final steps:
    1. If you used Pocket Killbox during your cleanup, do the below
      • Run Pocket Killbox and select File, Cleanup, Delete All Backups
    2. If you used ComboFix, you can delete the ComboFix.exe file, C:\ComboFix folder, C:\QooBox folder, C:\WINDOWS\nircmd.exe, and the C:\combofix.txt log that was created.
    3. If you used SDFix you can delete all the SDFix related files and folders from your Desktop or wherever you installed it.
    4. If you used SmitFraudFix, you can delete all files and folders related to it now including the c:\rapport.txt log.
    5. If you used VundoFix, you can delete the VundoFix.exe file and the C:\VundoFix Backups folder and C:\vundofix.txt log that was created.
    6. If you ran FixWareOut, you can delete the Fixwareout.exe file and the C:\fixwareout folder.
    7. If you ran Avenger, you can delete all files related to Avenger now.
    8. If you downloaded any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    9. You can delete the ShowNew.Zip and GetRunkey.Zip files and the files that you extracted from the ZIP files. You can also delete the C:\newfiles.txt and C:\runkeys.txt logs that were created.
    10. If you are running Windows XP or Windows ME, do the below:
      • go back to step 8 of the READ & RUN ME to Disable System Restore which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    11. After doing the above, you should work thru the below link:
     
  16. ct1069

    ct1069 Private E-2

    Thanks You For All Your Help! You Guys Are Terrific! :cool

    I still have to shut down the one svchost.exe each time I boot my computer or I have absolutely no functionality so even though it may be a 'normal process' it is not acting normally.
     
  17. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Based on the picture you attached, it appears your OS hasn't finished loading fully.

    Is that during the initial boot or is that after it's been running a while?
     
  18. ct1069

    ct1069 Private E-2

    The photo I sent was taken a couple of minutes after rebooting. Today, as an experiment, I booted up, brought Task Manager up and left everything else alone. When I got back, everything was as I left it. The 'rogue' svchost.exe was running at 100%. This was about seven hours later. I shut it down and I was back in business.
     
  19. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    I've never seen one stay at 100%, usually it goes back and forth.

    Let's try this one scan just to confirm it's nothing malicious.

    Running Kaspersky Online Scanner
     
  20. ct1069

    ct1069 Private E-2

    I set up Kaspersky to scan last night. Attached is the log as requested. Also, I had forgotten that AVG was also scheduled to scan last night and removed two files: patches containing Trojan-PSW Online Games-FIY that were attached in a patch to extend a trial version of Proshow Producer (no opportunity to produce a file to show you). Thanks for your continued support.
     
  21. ct1069

    ct1069 Private E-2

    Kaspersky scan.
     

    Attached Files:

  22. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Locate and delete the folder C:\avenger.

    Everything looks good, I don't think this is malware related.

    I would post this in the Software Forum.
     
  23. ct1069

    ct1069 Private E-2

    I very much appreciate your help.
     
  24. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    You're Welcome!

    Surf Safely!:)
     
