Spyware mostly gone, but cpu running 90-100%, etc

Discussion in 'Malware Help (A Specialist Will Reply)' started by Nasty, May 15, 2005.

  1. Nasty

    Nasty Private E-2

    Hoping the MG guys can help. Have had major problems with spyware, your general removal guide was extremely helpful, have completed all steps, got rid of about:blank, leadermarkets, aurora, etc :) but still some lingering problems. When I boot up it takes mucho time for computer to respond, hard drive light flashes like Xmas, cpu running at 90-100% nonstop, etc. Something is still resident evil, appreciate any help. I am pseudo-technical, familiar with taskmgr, regedit, etc but not smart enough to know what's bad in my HJT log.
     
  2. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Download HijackThis 1.99.1

    Unzip the hijackthis.exe file to a folder you create named C:\Program Files\HJT

    Do NOT run HijackThis from the Desktop, a temp folder, or a sub-folder of C:\Documents and Settings, or choose to run it directly from the ZIP file, as your backups will not be safely stored.

    Before running HijackThis: You must close each of the following: your web browser, e-mail client, instant messenger, and programs like Notepad, WordPad, MS Word etc., and any other unnecessary running programs.

    Run HijackThis and save your log file.

    Post your log as an ATTACHMENT to your next post. (Do NOT copy/paste the log into your post as it will be removed.)

    Need help with HJT? See this thread: NO HIJACK THIS LOG FILES BEFORE READING THIS: HJT Tutorial & LOG File Posting
     
  3. Nasty

    Nasty Private E-2

    thanks for the quick reply, here's the log file.
     

  4. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    First, download ABIremover and save it to a location like C:\ABIremove

    NOW:
    Reboot into Safe Mode, be sure you have ALL browsers closed while running this removal tool.

    Next, start the ABIRemover.exe, press install, wait (explorer window will disappear)


    On REBOOT please boot into Safe Mode with the Viewing of Hidden Files & Folders Enabled


    Now scan with HijackThis and Check the Boxes for the following:

    Make sure All Browser Windows are Closed when you Click FIX.

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://hsremove.com/done.htm
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://hsremove.com/done.htm
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm

    F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe

    O2 - BHO: ohb - {999A06FF-10EF-4A29-8640-69E99882C26B} - C:\WINDOWS\System32\nsp3.dll (file missing)
    O2 - BHO: (no name) - {AC109D01-32D6-4EB5-8300-D3C5EBAC7C83} - (no file)

    O4 - HKLM\..\Run: [Visual Element Fx] C:\WINDOWS\System32\X1002142005.exe
    O4 - HKLM\..\Run: [Visual Element FX5] C:\Documents and Settings\All Users\Application Data\X2FF\xde36251.exe
    O4 - HKLM\..\Run: [Sysnet] C:\\snuninst.exe
    O4 - HKLM\..\Run: [KavSvc] C:\WINDOWS\System32\krpzka.exe
    O4 - HKLM\..\Run: [rt2Q36O] pcdinv.exe
    O4 - HKLM\..\Run: [imzsawv] c:\windows\system32\ojhjvpr.exe

    O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} -%windir%\bdoscandel.exe (file missing)
    O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)

    O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe

    Again, make sure All Browser Windows are Closed when you Click FIX.

    NOW:
    Navigate to and DELETE the following if they still remain:

    C:\Documents and Settings\All Users\Application Data\X2FF ←–– Delete this whole folder if it exists!

    C:\WINDOWS\System32\X1002142005.exe

    C:\WINDOWS\System32\pcdinv.exe

    C:\WINDOWS\System32\ojhjvpr.exe

    C:\WINDOWS\System32\krpzka.exe

    C:\WINDOWS\System\blank.htm

    C:\WINDOWS\svcproc.exe

    C:\WINDOWS\Nail.exe

    C:\snuninst.exe

    NEXT:
    Run CCleaner and Spybot S&D and have Spybot fix what it finds.
    Note: Don't forget to update Spybot S&D by selecting "Search For Updates"

    Then, as an added precaution, Go to Start > Run and type: cleanmgr and then click OK. Make sure the boxes for these are checked:
    Temporary Files
    Temporary Internet Files
    Recycle Bin


    And Click OK.


    Reboot to Normal Windows , Scan with HijackThis and attach the new log.
    Let me know of any problems you may have encountered with the above instructions and also let me know how things are running now.

    Good Luck!:)
     
  5. Nasty

    Nasty Private E-2

    All went smoothly, here are results:

    The following entries or files were not there to remove, presumably they were fixed by scan of ABIremover or otherwise.

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://hsremove.com/done.htm -- I had already reset my home page

    F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe

    O2 - BHO: ohb - {999A06FF-10EF-4A29-8640-69E99882C26B} - C:\WINDOWS\System32\nsp3.dll (file missing) -- but there was a very similar "no file" listing

    O4 - HKLM\..\Run: [imzsawv] c:\windows\system32\ojhjvpr.exe

    O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe

    C:\WINDOWS\System32\ojhjvpr.exe

    C:\WINDOWS\System32\krpzka.exe

    C:\WINDOWS\System\blank.htm

    C:\WINDOWS\svcproc.exe

    C:\WINDOWS\Nail.exe

    C:\snuninst.exe

    When I ran Spybot no threats were found.

    Bottom Line: things are running MUCH better, it seemed to take quite a while to finish booting, hard drive chugging for 2+ min, but once got past that the cpu was no longer maxed out, normal 5-10% when inactive. Overall, huge success, Thank You :D ! I have attached Hijack log as requested, let me know if you see anything else I should clean (no file comment above)?
     

  6. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Download Pocket KillBox
    (Don't run it yet)


    Please boot into Safe Mode with the Viewing of Hidden Files & Folders Enabled

    Now scan with HijackThis and Check the Boxes for the following:

    O2 - BHO: ohb - {999A06FF-10EF-4A29-8640-69E99882C26B} - (no file)

    O4 - HKLM\..\Run: [judukgo] c:\windows\system32\ulbase.exe

    Make sure All Browser Windows are Closed when you Click FIX.

    NEXT:
    Run CCleaner


    Locate PocketKillbox

    Now, Copy and Paste C:\WINDOWS\System32\ulbase.exe into the box – If it exists, it will show up in Blue. Check the option to Delete on Reboot and Click the Red X and Yes to the confirmation message. A message will ask if you want to reboot now – Click YES.


    After you have completed ALL of the above, reboot into normal windows and attach a fresh HJT log.
     
  7. Nasty

    Nasty Private E-2

    Followed all steps. Deleted first item using HijackThis. Did not see ulbase.exe to delete it, and it did not show in blue in KillBox but I ran Delete on Reboot for it just to be sure. Attached is log file.
     

  8. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    The Nail.exe is back, and a few others are back. You must not reboot as these files are mutating as different names.

    Download ABIremover and save it to a location like C:\ABIremove

    NOW:
    Reboot into Safe Mode, be sure you have ALL browsers closed while running this removal tool.

    Next, start the ABIRemover.exe, press install, wait (explorer window will disappear)

    Reboot directly and again reboot into Safe Mode


    Now scan with HijackThis and Check the Boxes for the following:

    Make sure All Browser Windows are Closed when you Click FIX.

    F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe

    O2 - BHO: Band Class - {01F44A8A-8C97-4325-A378-76E68DC4AB2E} - C:\WINDOWS\systb.dll

    O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)

    O4 - HKLM\..\Run: [Win Server Updt] C:\WINDOWS\wupdt.exe
    O4 - HKLM\..\Run: [rnlvvl] c:\windows\system32\wcwbyxh.exe

    O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe

    Again, make sure All Browser Windows are Closed when you Click FIX.

    NOW:
    Click Start > Run > type services.msc and Click OK

    Locate System Startup Service (SvcProc) and RightClick on it to bring up the Service Properties Window.
    First: Stop the service by clicking the Stop Button.
    Next: Disable it by changing the Startup Type to Disabled and click Apply

    NEXT:
    Run CCleaner


    Locate PocketKillbox

    Now, Copy and Paste C:\WINDOWS\System32\wcwbyxh.exe into the box – If it exists, it will show up in Blue. Check the option to Delete on Reboot and Click the Red X and Yes to the confirmation message. A message will ask if you want to reboot now – Click NO.

    Now, Copy and Paste C:\WINDOWS\systb.dll into the box – If it exists, it will show up in Blue. Check the option to Delete on Reboot and Click the Red X and Yes to the confirmation message. A message will ask if you want to reboot now – Click NO.

    Now, Copy and Paste C:\WINDOWS\wupdt.exe into the box – If it exists, it will show up in Blue. Check the option to Delete on Reboot and Click the Red X and Yes to the confirmation message. A message will ask if you want to reboot now – Click NO.

    Now, Copy and Paste C:\WINDOWS\svcproc.exe into the box – If it exists, it will show up in Blue. Check the option to Delete on Reboot and Click the Red X and Yes to the confirmation message. A message will ask if you want to reboot now – Click NO.

    Now, Copy and Paste C:\WINDOWS\Nail.exe into the box – If it exists, it will show up in Blue. Check the option to Delete on Reboot and Click the Red X and Yes to the confirmation message. A message will ask if you want to reboot now – Click YES.

    Now Allow killbox to reboot your system. After you have rebooted and windows has loaded, attach a fresh HJT log.
     
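    The judgement calls the helper makes by hand in the posts above (the fix list in post 4, and the warning in post 8 that the files come back under different names after a reboot) can be written down as a small triage script. The Python below is an added example for this page, not a HijackThis or MajorGeeks tool. The two log snapshots in it are constructed from the entries quoted in this thread plus one made-up legitimate entry (NvCplDaemon) to show what is left alone; the heuristics, the list of "odd" directories and the expected IE hosts are assumptions of the example, not anything the helper stated, and a real log will need them tuned.

```python
r"""Triage of HijackThis-style log lines (added example, not a HijackThis tool).

Turns the manual checks from the thread into stated heuristics: a Winlogon
Shell= that loads more than Explorer.exe, orphaned BHO/toolbar entries,
random-named Run values or binaries, executables dropped straight into C:\ or
C:\WINDOWS, and IE start/search pages pointing somewhere unexpected. It then
diffs two snapshots so entries that survived a fix, or came back under a new
random name, stand out.
"""
import re
from pathlib import PureWindowsPath

LINE_RE = re.compile(r"^(R[0-3]|F[0-3]|O\d+) - (.*)$")
O4_RE = re.compile(r"^(HK\w+)\\\.\.\\(Run\w*): \[(.*?)\] (.*)$")
TARGET_RE = re.compile(r'^"?([^"]*?\.(?:exe|dll|com|scr|pif))', re.IGNORECASE)
VOWELS = set("aeiouy")

# Assumptions: system drive C:, Windows in C:\WINDOWS, and a short list of
# values a stock IE start/search page may legitimately hold. Tune per site.
ODD_DIRS = {"c:\\", "c:\\windows"}
EXPECTED_VALUES = {"about:blank", "www.microsoft.com", "www.msn.com",
                   "search.msn.com", "www.majorgeeks.com"}

# Constructed sample logs modelled on the lines quoted in this thread; the
# NvCplDaemon line is a made-up legitimate entry that must NOT be flagged.
LOG_BEFORE = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://hsremove.com/done.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O2 - BHO: ohb - {999A06FF-10EF-4A29-8640-69E99882C26B} - C:\WINDOWS\System32\nsp3.dll (file missing)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Sysnet] C:\\snuninst.exe
O4 - HKLM\..\Run: [KavSvc] C:\WINDOWS\System32\krpzka.exe
O4 - HKLM\..\Run: [imzsawv] c:\windows\system32\ojhjvpr.exe
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe
"""
LOG_AFTER = r"""
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O2 - BHO: Band Class - {01F44A8A-8C97-4325-A378-76E68DC4AB2E} - C:\WINDOWS\systb.dll
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Win Server Updt] C:\WINDOWS\wupdt.exe
O4 - HKLM\..\Run: [rnlvvl] c:\windows\system32\wcwbyxh.exe
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe
"""


def looks_random(token):
    """True for letter-only names of 6+ chars with almost no vowels (ojhjvpr, wcwbyxh)."""
    t = token.lower()
    if len(t) < 6 or not t.isalpha():
        return False
    return sum(ch in VOWELS for ch in t) / len(t) <= 0.2


def first_target(command):
    """Executable/DLL named first on a command line, with doubled backslashes collapsed."""
    m = TARGET_RE.match(command.strip())
    return re.sub(r"\\+", r"\\", m.group(1)) if m else None


def path_reasons(target):
    """Flags based on where a binary lives and what it is called."""
    if not target:
        return []
    p = PureWindowsPath(target)
    reasons = []
    if str(p.parent).lower() in ODD_DIRS:
        reasons.append("binary sits directly in " + str(p.parent))
    if looks_random(p.stem):
        reasons.append("random-looking file name %r" % p.name)
    return reasons


def triage_line(line):
    """Reasons a single log line deserves a closer look ([] means nothing seen)."""
    m = LINE_RE.match(line.strip())
    if not m:
        return []
    section, body = m.groups()
    reasons = []
    if "(file missing)" in body or "(no file)" in body:
        reasons.append("orphaned entry: registry points at a file that is gone")
    if section == "F2" and "Shell=" in body:
        # The Winlogon shell should be Explorer.exe alone; anything else loads at every logon.
        extra = [t for t in body.split("Shell=", 1)[1].split() if t.lower() != "explorer.exe"]
        if extra:
            reasons.append("Winlogon Shell hijack: also loads " + ", ".join(extra))
    elif section == "O4":
        om = O4_RE.match(body)
        if om:
            _hive, _key, name, command = om.groups()
            if looks_random(name):
                reasons.append("random-looking value name %r" % name)
            reasons += path_reasons(first_target(command))
    elif section in ("O2", "O3", "O23"):
        # BHO / toolbar / service lines end with " - <path>"
        reasons += path_reasons(first_target(body.rsplit(" - ", 1)[-1]))
    elif section in ("R0", "R1"):
        value = body.split("=", 1)[-1].strip()
        if "\\" in value:
            reasons.append("browser page replaced by a local file: " + value)
        else:
            hm = re.match(r"(?:https?://)?([^/]+)", value)
            if hm and hm.group(1).lower() not in EXPECTED_VALUES:
                reasons.append("browser setting points at " + hm.group(1))
    return reasons


def triage(log_text):
    """Map each flagged line (stripped) to its reasons, in log order."""
    out = {}
    for line in log_text.splitlines():
        reasons = triage_line(line)
        if reasons:
            out[line.strip()] = reasons
    return out


def compare(before, after):
    """Split the new log's flagged lines into ones that survived the last fix and brand-new ones.

    Survivors mean the fix did not stick (Nail.exe, svcproc.exe here); new
    random-named lines are the same dropper re-creating itself under a fresh name.
    """
    old, new = triage(before), triage(after)
    return {"survived": {k: v for k, v in new.items() if k in old},
            "new": {k: v for k, v in new.items() if k not in old}}


if __name__ == "__main__":
    for bucket, lines in compare(LOG_BEFORE, LOG_AFTER).items():
        print("==", bucket, "==")
        for line, why in lines.items():
            print(line, "\n    -", "\n    - ".join(why))
```

    The heuristics deliberately over-flag (KavSvc trips the vowel test as well as the path test) because on a log like this one a false positive costs a minute of checking, while a miss costs another reboot and another renamed dropper; the test below pins down which sample lines each rule catches.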
  9. Nasty

    Nasty Private E-2

    Sorry for delay, travelling. Followed all instructions, not all files were there to remove, but after one cycle I noticed that Nail.exe was back in HJT scan so I did it all over again, here is log after 2nd time around.
     

  10. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    First, download ABIremover and save it to a location like C:\ABIremove

    NOW:
    Reboot into Safe Mode, be sure you have ALL browsers closed while running this removal tool.

    Next, start the ABIRemover.exe, press install, wait (explorer window will disappear)

    Reboot into normal mode and attach a fresh HJT log.
     
  11. Nasty

    Nasty Private E-2

    Ran ABIremover in safe mode, attached is HJT log afterward. FYI, while I was working Norton automatically deleted the following:

    "Source: C:\Program Files\Internet Explorer\svchost.exe
    Click for more information about this threat : Download.Trojan"
     

  12. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Download Pocket KillBox
    (Don't run it yet)

    Please boot into Safe Mode with the Viewing of Hidden Files & Folders Enabled


    Now scan with HijackThis and Check the Boxes for the following:

    Make sure All Browser Windows are Closed when you Click FIX.

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://websearch.drsnsrch.com/sidesearch.cgi?id=
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://websearch.drsnsrch.com/sidesearch.cgi?id=
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.drsnsrch.com/q.cgi?q=

    O2 - BHO: Band Class - {01F44A8A-8C97-4325-A378-76E68DC4AB2E} - C:\WINDOWS\systb.dll (file missing)

    O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)

    O4 - HKLM\..\Run: [Win Server Updt] C:\WINDOWS\wupdt.exe
    O4 - HKLM\..\Run: [lpovraw] c:\windows\system32\vbkscr.exe

    Again, make sure All Browser Windows are Closed when you Click FIX.

    NEXT:
    Run CCleaner

    Then, as an added precaution, Go to Start > Run and type: cleanmgr and then click OK. Make sure the boxes for these are checked:
    Temporary Files
    Temporary Internet Files
    Recycle Bin


    And Click OK.



    Locate PocketKillbox

    Now, Copy and Paste C:\WINDOWS\wupdt.exe into the box – If it exists, it will show up in Blue. Check the option to Delete on Reboot and Click the Red X and Yes to the confirmation message. A message will ask if you want to reboot now – Click NO.

    Now, Copy and Paste C:\WINDOWS\System32\vbkscr.exe into the box – If it exists, it will show up in Blue. Check the option to Delete on Reboot and Click the Red X and Yes to the confirmation message. A message will ask if you want to reboot now – Click YES.

    Now allow Killbox to reboot your system. After you have rebooted and Windows has loaded, proceed with the remaining step.

    FINAL STEP

    Reset Web Settings & Default Security Settings:


    To Reset Web Settings:
    Right click on your desktop Internet Explorer icon and select Properties. Then click the Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK.

    If you do not have an Internet Explorer icon on your Desktop, click Start, Control Panel (for some systems it may be Start, Settings, Control Panel), Internet Options, Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK


    To Default Security Settings:
    Right click on your desktop Internet Explorer icon and select Properties. Then click the Security Tab and click Default Level for Internet, Local Intranet, Trusted Sites, and Restricted Sites.

    After you have completed ALL of the above, post a fresh HJT log.
     
  13. Nasty

    Nasty Private E-2

    Followed all instructions, all of the Hijack items were present, but neither of the Killbox items showed up in blue (deleted anyway, in case). Attached is latest log.
     

  14. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Your HJT log is clean!

    Are you having any further problems?
     
  15. Nasty

    Nasty Private E-2

    Things have been better for the last few of our posts, but definitely wanted to get rid of everything you could find. I truly appreciate everything you've done for me, I have already told quite a few friends about your great website. Thanks so much, Major Geeks rule!

    PS I now have Norton Internet Security and SpyWare Blaster running at all times, and all the other tools for removal, let me know if you think there is anything else I should do.
     
  16. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Glad things are running better:)

    You should see this article on How to Protect yourself from malware!
     