assvr.exe consuming memory

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by Epicardium, Dec 3, 2004.

  1. Epicardium

    Epicardium Private E-2

    I'm new to this forum, but it seems y'all might be able to help. There is a file in task manager that I am confident should not be there ... assvr.exe.

    I have tried getting rid of it with Hijack This, to no avail. Here is my log. Can somebody please help? Thanks.

    Okay, I saw the note about not posting logs until asked, so I removed it. I did provide it as a link, however.
     

  2. PhilliePhan

    PhilliePhan Guest

    Hi Epicardium,

    assvr.exe is indeed bad. It looks like it is part of a Virtumundo infection. Try running this tool:
    Symantec Trojan.Vundo Removal Tool

    Also, please move HijackThis to a safe folder - C:\Program Files\HijackThis.
    Please run the above tool. Then, attach a fresh log & somebody will take a look when they get a chance.

    PP :)
     
  3. Epicardium

    Epicardium Private E-2

    I apologize. I misspoke. The file is consuming CPU (~80%), not memory (or, very little). It is a PIII 550 MHz, 640 MB RAM
    running XP Professional SP1. Used to have SP2, but it caused a few problems on this slow machine.
     
  4. PhilliePhan

    PhilliePhan Guest

    My above post still applies :)
     
  5. Epicardium

    Epicardium Private E-2

    Thanks PP. I have run fixvundo twice. The first time, it cleaned 5 files, then the problem persisted so I ran it again (in safe mode) and it says it didn't find anything. I will try again and post a new log.

    -Epicardium
     
  6. Epicardium

    Epicardium Private E-2

    Re: assvr.exe consuming CPU

    Okay; I ran the virus tool, but it said it did not find the virus. Here is the latest log.
     

  7. PhilliePhan

    PhilliePhan Guest

    Hi Epicardium,

    I've copied and pasted my generic fix for Stopguard/Virtumundo-related malware infections. Be aware that this particular Malware mutates on reboot, so if you have rebooted subsequent to attaching your HJT Log, the file names may have changed.

    PLEASE NOTE that the tough part is nailing that pesky running process that always springs back to life. To do this, I use the Delete a File on Reboot option in HijackThis. If you do this successfully, that process will be Deleted before it ever gets a chance to run! This should work every time. Please make sure to enter the correct path for the file to be deleted. If, for some reason, you are not able to delete the file in question, please try again before posting back.

    ANYHOO:
    Please print out these instructions so that you can operate with All Browser Windows CLOSED. Please follow the instructions very carefully - Do them in the exact order given.

    Please make sure System Restore is OFF and the Viewing of Hidden Files is Enabled as per the tutorial.

    FIRST:
    Look in C: > WINDOWS > PREFETCH & Delete assvr.exe ( or any assvr or rvssa entries) if found. If it is easier, you can go ahead and delete all of the files in the Prefetch Folder – It’s a good idea to do this every couple of months anyway. ( Do Not Delete The Prefetch Folder Itself )

    ALSO: take a look inside the C:\WINDOWS\Web Folder for any backups ( assvr.bak, etc. . . ) – Note that they will probably be Hidden Files – Delete the ones that allow you to do so.

    NOW:
    Run HijackThis and Check the Boxes for the Following:

    R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.isearch.com/index.php?app=SE&affjump=1&affiliate=ODQ6NTo5&Terms=

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.isearch.com/index.php?app=SE&affjump=1&affiliate=ODQ6NTo5&Terms=

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.isearch.com/index.php?app=SE&affjump=1&affiliate=ODQ6NTo5&Terms=

    R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.isearch.com/index.php?app=SE&affjump=1&affiliate=ODQ6NTo5&Terms=

    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.isearch.com/index.php?app=SE&affjump=1&affiliate=ODQ6NTo5&Terms=

    O2 - BHO: (no name) - {68132581-10F2-416E-B188-4E648075325A} - C:\DOCUME~1\paul\LOCALS~1\Temp\rvssa.dat

    O4 - HKLM\..\Run: [*xmlnet] C:\WINDOWS\xmlnet.exe

    O4 - HKLM\..\RunOnce: [*assvr] C:\WINDOWS\Web\assvr.exe rerun

    O16 - DPF: Win32 Classes -


    Click FIX and then, while still in HijackThis, look in the lower right-hand box where it says “Other stuff,” and select CONFIG > MISC TOOLS > select DELETE A FILE ON REBOOT and where it says File Name, Enter (or navigate to the file in the HijackThis pane) C:\WINDOWS\Web\assvr.exe and click OPEN. A message will ask you if you want to reboot now. Click YES and reboot into SAFE MODE by tapping F8.

    You may receive an error message after rebooting into Safe Mode that says Windows could not find the file you told it to delete. Just click OKAY and DO NOT REBOOT AGAIN.

    While in Safe Mode (making sure that you are able to view hidden files), use Windows Explorer to run a search of your computer for:

    bkinst
    assvr
    rvssa
    xmlnet
    tenlmx


    and DELETE the related files. (We especially want to get rid of assvr.ini & .assvrdat & assvr.bak AND rvssa.ini & rvssa.dat & rvssa.bak + any other related crap.) It is important that you be thorough with this search. These files seem to like to hide all over your computer and have a nasty habit of resurrecting themselves if you do not get them ALL. So, when you find these, search the associated folders carefully for any hidden remnants!

    NEXT:
    Run CCleaner and Spybot S&D and have Spybot fix what it finds.

    Then, as an added precaution, Go to Start > Run and type: cleanmgr. Make sure the boxes for these are checked:
    Temporary Files
    Temporary Internet Files
    Recycle Bin


    And Click OK.

    Reboot to Normal Windows and Attach a fresh HJT log. How are things running? Let me know of any problems that you may have encountered with the above instructions.

    *** Also, AFTER you get cleaned up, swing by Windows Updates and get Updated.

    Best luck :)
    PP
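    As an added example (not from the thread and not HijackThis code), here is a small Python script that applies the indicator names from the post above to HJT-style log lines and lists the file paths that would go into the Delete a File on Reboot step. The sample log is constructed from the entries quoted in the post, with one benign ctfmon line as a control; the function names and indicator tuples are assumptions made for this example.

```python
import re

# Name fragments the post above says to search for, plus the search-hijack
# domain in the R0/R1 entries it lists (taken from the thread, not from HJT).
FILE_INDICATORS = ("bkinst", "assvr", "rvssa", "xmlnet", "tenlmx")
URL_INDICATORS = ("isearch.com",)

# Constructed sample in HijackThis log format: the bad lines are the ones
# quoted in the post above; the ctfmon line is a benign control entry.
SAMPLE_LOG = """\
R1 - HKCU\\Software\\Microsoft\\Internet Explorer\\Main,Search Bar = http://www.isearch.com/index.php?app=SE&affjump=1&affiliate=ODQ6NTo5&Terms=
O2 - BHO: (no name) - {68132581-10F2-416E-B188-4E648075325A} - C:\\DOCUME~1\\paul\\LOCALS~1\\Temp\\rvssa.dat
O4 - HKLM\\..\\Run: [*xmlnet] C:\\WINDOWS\\xmlnet.exe
O4 - HKLM\\..\\RunOnce: [*assvr] C:\\WINDOWS\\Web\\assvr.exe rerun
O4 - HKLM\\..\\Run: [ctfmon.exe] C:\\WINDOWS\\system32\\ctfmon.exe
O16 - DPF: Win32 Classes -
"""

LINE_RE = re.compile(r"^([RFNO]\d+) - (.*)$")
PATH_RE = re.compile(r"[A-Za-z]:\\\S+")  # first Windows path in the entry


def flag_entries(log_text, file_iocs=FILE_INDICATORS, url_iocs=URL_INDICATORS):
    """One finding per HJT line that mentions a known indicator."""
    findings = []
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        section, body = m.groups()
        hits = [i for i in file_iocs + url_iocs if i in body.lower()]
        if not hits:
            continue
        path = PATH_RE.search(body)
        findings.append({"section": section, "matched": hits,
                         "path": path.group(0) if path else None,
                         "line": raw.strip()})
    return findings


def files_to_remove(findings):
    """Paths the findings point at: candidates for HJT's delete-on-reboot."""
    return sorted({f["path"] for f in findings if f["path"]})


if __name__ == "__main__":
    found = flag_entries(SAMPLE_LOG)
    for f in found:
        print(f["section"], f["matched"], f["path"])
    print(files_to_remove(found))
```

    Note that a clean log line such as the ctfmon entry is left alone; only lines carrying one of the thread's names or the hijack domain are reported.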
     
  8. Epicardium

    Epicardium Private E-2

    Will do it, but it's going to take some time. I'll be sure to do everything you mentioned & report back. Thanks!
     
  9. Epicardium

    Epicardium Private E-2

    Praise the Lord! I think we nailed that thing. I had to go through the process with HT a couple of times. As it turns out, the file it needed to delete on reboot was c:\Windows\Web\rvssa.tmp
    Once I figured that out, it was smooth sailing. I am greatly indebted to you, as I would have never figured that out on my own. I have one more quick question. Now I have:
    Ad-aware SE
    S&D
    Spyware Blaster
    HijackThis
    and CCleaner

    Should I be using them all?

    -Epicardium

    P.S. please take a quick look at my new log.
     

  10. Epicardium

    Epicardium Private E-2

    The computer is running better than before I got the virus!
    Probably due to CCleaner
     
  11. PhilliePhan

    PhilliePhan Guest

    All except HijackThis. Remember to use Spybot's Immunize feature and to Internet Update all of them regularly.

    Your HJT Log looks good! Happy I could help :)

    PP
     
