Virtual Memory Damaged By Malware?

1 reply to this topic

#1 spanks


  • Members
  • 1 posts
  • Local time:12:43 AM

Posted 19 August 2008 - 10:33 PM

Hello everyone, hopefully someone can help me with this problem.

Short version: Antivirus XP (possibly others) has weakened my Windows to near unusability, by limiting the system resources/virtual memory somehow (I have only been able to open Task Manager, Regedit, Windows Explorer, and HijackThis).

Long version: Okay, so the first weird thing was spoolsv.exe, which was filling up my hard drive. By the time I had installed an antivirus program, ntvdm.exe was eating at my CPU, but this was easily fixed. I think the antivirus program must have been infected, because then I got signs of Antivirus XP (popups, wallpaper, shortcuts). It wouldn't let me update a different antivirus program, so eventually I shut down my laptop.

Here's the worrisome bit: When I start it up in normal mode, it takes ages and eventually just gets to the blue wallpaper. Nothing can be opened except Task Manager (Ctrl+Alt+Delete) and from here I can see my files are still there, but I can't open any programs (that I suspect use too much memory). So I can't open/install any of the usual antivirus programs. Even System Restore won't open properly! In safe mode, Windows Explorer barely works, but crashes and logs out every minute or so.

All the while, icon graphics are disappearing, and I'm getting messages such as:
Low on Virtual Memory.
System Resources too low.
Out of Memory.
Parser Message.
And others that don't even have text.

The latest HijackThis almost completes a scan but gives me this error:
mod_Main_StartScan() Error #14 - Out of string space.
(I can give you the partial log if you like)
Luckily, HijackThis version 1.99.1 did work (the only other working program so far is Regedit) so here is the log:

Scan saved at 4:00:56 PM, on 19/08/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)

Running processes:
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL =

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page =

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =

O1 - Hosts: auto.search.msn.com
O1 - Hosts: auto.search.msn.es
O2 - BHO: QXK Olive - {14FA812F-A03D-4ACE-A134-EC65959D1546} -

O2 - BHO: (no name) - {28D5CFF1-56B7-40C6-94D6-99FCA38A194F} - (no file)
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program

O2 - BHO: (no name) - {34A4E25E-3CE2-4AA2-A992-0B5BA68B712E} - C:\WINDOWS\system32

O2 - BHO: (no name) - {64C079F1-99B9-4329-AB94-715197057F07} - C:\WINDOWS\system32

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program

O2 - BHO: {9d88c5bc-4c9b-1adb-4274-e25e9e6c4e79} - {97e4c6e9-e52e-4724-bda1-b9c4cb5c88d9} - C:\WINDOWS\system32\evgcpr.dll
O2 - BHO: FDMIECookiesBHO Class - {CC59E0F9-7E43-44FA-9FAA-8377850BF205} - C:\Program Files\Free Download Manager\iefdm2.dll
O2 - BHO: FlashFXP Helper for Internet Explorer - {E5A1691B-D188-4419-AD02-90002030B8EE} - C:\PROGRA~1\FlashFXP\IEFlash.dll
O3 - Toolbar: rafbsvnx - {C1BA55E4-0DD3-4F21-A036-94F6DEEB9F89} -

O4 - HKLM\..\Run: [LaunchApp] Alaunch
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [LtMoh] C:\Program Files\ltmoh\Ltmoh.exe
O4 - HKLM\..\Run: [LManager] C:\PROGRA~1\LAUNCH~1\CPLBCL53.EXE
O4 - HKLM\..\Run: [RemoteControl] C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06

O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [C:\WINDOWS\system32\kdnxp.exe] C:\WINDOWS\system32\kdnxp.exe
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide

O4 - HKLM\..\Run: [\SUE1C4.exe] C:\Windows\SUE1C4.exe
O4 - HKLM\..\Run: [\SUE1C5.exe] C:\Windows\SUE1C5.exe
O4 - HKLM\..\Run: [\SUE1C6.exe] C:\Windows\SUE1C6.exe
O4 - HKLM\..\Run: [\SUE1C7.exe] C:\Windows\SUE1C7.exe
O4 - HKLM\..\Run: [\SUE1C8.exe] C:\Windows\SUE1C8.exe
O4 - HKLM\..\Run: [Antivirus] C:\Program Files\VAV\vav.exe
O4 - HKLM\..\Run: [2629165f] rundll32.exe "C:\WINDOWS\system32\lpxnultj.dll",b
O4 - HKLM\..\RunOnce: [Spybot - Search & Destroy] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
O4 - HKLM\..\RunOnce: [SpybotDeletingA3894] command /c del "C:\WINDOWS\system32

O4 - HKLM\..\RunOnce: [SpybotDeletingC4428] cmd /c del "C:\WINDOWS\system32\kdnxp.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat

O4 - Global Startup: Run Nintendo Wi-Fi USB Connector Registration Tool.lnk = C:\Program Files\WiFiConnector\NintendoWFCReg.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1

O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1

O18 - Filter hijack: text/xml - {807563E5-5146-11D5-A672-00B0D022E945} - C:\PROGRA~1

O20 - AppInit_DLLs: evgcpr.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: yayyXPgE - C:\WINDOWS\SYSTEM32\yayyXPgE.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} -

O21 - SSODL: tsxngabr - {3B8CB3D0-CE9E-4A48-8EF1-186D592108CA} -

O21 - SSODL: vtqnxfko - {21EA940D-7A49-4471-9AA6-32E671137C8D} -

O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - Unknown owner - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe (file missing)
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - Unknown owner - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe (file missing)
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\System32

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program


Btw, I copied it onto USB and am typing this from another computer. However, I don't think I can reliably copy big files.
Also, can I use HijackThis to fix the problem? If I can't find a small enough virus removal program, I'm thinking I might have to do this manually somehow - deleting appropriate files/registry or maybe doing something with the paging file?
Are the actual system files damaged, or is the virus just making it look like that? I'm wondering if getting rid of the virus will automatically fix the system, or will I have to do something else?


#2 kahdah


  • Security Colleague
  • 11,138 posts
  • Gender:Male
  • Location:Florida
  • Local time:01:43 AM

Posted 07 September 2008 - 08:54 AM

Hello spanks

Welcome to BleepingComputer :thumbsup:
You are very infected with the Virtumonde adware.

See if you are able to do the following:
If you have to, boot into Safe Mode and run it from there.
This can be done by tapping the F8 key as soon as you start your computer.
You will be brought to a menu where you can choose to boot into safe mode.
Make sure you choose the option without networking support.
Please see here for additional details
We will begin with ComboFix.exe. Please visit this webpage for download links, and instructions for running the tool:


Please ensure you read this guide carefully and install the Recovery Console first.

The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.

Once installed, you should see a blue screen prompt that says:

The Recovery Console was successfully installed.

Please continue as follows:
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

  • Click Yes to allow ComboFix to continue scanning for malware.
When the tool is finished, it will produce a report for you.

Please include the following reports for further review, and so we may continue cleansing the system:

New HijackThis log.

Please do not pm for help, post it in the forums instead.

If I am helping you and have not responded for 48 hours please send me a pm as I don't always get notifications.

My help is always free, however, if you would like to make a donation to me for the help I have provided please click here
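
Added example (not part of either post, and not HijackThis's or ComboFix's own logic): a small parser that splits HijackThis entries by section code and marks autostart entries that merit a closer look. The sample lines are copied from the log in post #1; the four heuristics are assumptions of this example and give reasons to investigate, not verdicts.

```python
import re

# Eight entries copied from the HijackThis log in post #1 (wrapped lines rejoined).
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {28D5CFF1-56B7-40C6-94D6-99FCA38A194F} - (no file)
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [C:\WINDOWS\system32\kdnxp.exe] C:\WINDOWS\system32\kdnxp.exe
O4 - HKLM\..\Run: [\SUE1C4.exe] C:\Windows\SUE1C4.exe
O4 - HKLM\..\Run: [2629165f] rundll32.exe "C:\WINDOWS\system32\lpxnultj.dll",b
O20 - AppInit_DLLs: evgcpr.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - Unknown owner - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe (file missing)
"""

ENTRY = re.compile(r"^([A-Z]\d{1,2}) - (.+)$")  # section code, then the entry body

# Triage heuristics: assumptions of this example, reasons to look closer only.
HEURISTICS = [
    ("target file missing", lambda s, b: b.endswith(("(no file)", "(file missing)"))),
    ("Run value named after a path", lambda s, b: s == "O4" and bool(re.search(r"Run: \[[^\]]*\\[^\]]*\]", b))),
    ("rundll32 autostart", lambda s, b: s == "O4" and "rundll32" in b.lower()),
    ("AppInit_DLLs set", lambda s, b: b.startswith("AppInit_DLLs:") and b.split(":", 1)[1].strip() != ""),
]

def parse_log(text):
    """Return (section, body) for every line shaped like 'O4 - ...'."""
    return [m.groups() for m in map(ENTRY.match, text.splitlines()) if m]

def triage(text):
    """Return [(section, body, [reasons])] for entries matching any heuristic."""
    flagged = []
    for sec, body in parse_log(text):
        reasons = [name for name, check in HEURISTICS if check(sec, body)]
        if reasons:
            flagged.append((sec, body, reasons))
    return flagged

if __name__ == "__main__":
    for sec, body, reasons in triage(SAMPLE_LOG):
        print(f"{sec:>3}  {', '.join(reasons):<30}  {body}")
```

A legitimate component can match a heuristic (rundll32 is also used by ordinary software), so each flagged line still needs checking against the file it points to.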
