I don't know how to fix this...
Shotmaker
Newbie
29. July 2009 @ 17:10
So I realized I had a cocktail of viruses and downloaded Malwarebytes, NOD32, and Comodo as a firewall. I took out most of the malware with Malwarebytes (I need to rescan with MBAM, but NOD32 did a full scan and found nothing).

The viruses I had seem to be gone. They were preventing me from visiting sites for anti-malware software, redirecting Google links to "bestwebsearch", advertising anti-spyware all over, and even blocking MBAM from starting up (I had to rename it).

Here's the problem now: something seems to be randomly hijacking certain processes and crashing my computer by saturating the memory usage. The processes affected so far were dllhost.exe (COM Surrogate), rundll32.exe, QLB controller, ieuser.exe, iexplorer.exe, and even the apps that run Comodo and NOD32 (both cases happened once and surprised me). I understand how that could happen to the DLL hosts, which are just surrogate hosts for a lot of other crap, but I don't understand how it took down the bigger apps.

What keeps happening is if I don't monitor Task Manager, my computer will overload and crash (dllhost.exe was using 1.5Gb of memory at one point when my computer froze). The freezing only happened once; I've had about 20 page fault BSoD's today and another 10 random ones that were caused by something unknown (system file failures or something--not memory related). Even when I'm in safe mode all this still happens. Other symptoms are a popup on some websites (including this one) which appears to be Windows Admin permissions asking whether to allow or disallow a "windows protection tool" or something or other for the website (this may be legit since I disabled Windows Firewall and Defender). I downloaded Hijack This from cnet, and when I pressed "run" to install it, my computer BSoD'd and crashed immediately. That happened twice, once in safe mode. When I start up and open TM really quickly, I see a Logitech Quickcam helper process (lvprcsrv.exe) open about 15 times (they all go away eventually) and rundll32 is open 3 times (this is before the desktop loads), and usually one instance starts exponentially increasing mem usage as stated above.

Even when I have no significant programs open, I sometimes randomly spike around 50% aggregate CPU usage. With just Firefox and background software running I get to around 70-80%. Physical Memory is at 40% at minimum. This never used to happen; I could run After Effects and Sony Vegas at the same time!

What is causing this and how do I make it stop???


Specs: HP Pavilion dv6000 Notebook
Windows Vista Home Premium x32
Centrino Duo Core 2.0Ghz, 2GB RAM
Shotmaker
Newbie
29. July 2009 @ 17:28
Here are the 4 MBAM scans I ran. It seems like I couldn't get rid of everything. Perhaps something leftover is causing the problem?

Scan #1 (Full Scan)

Malwarebytes' Anti-Malware 1.39
Database version: 2421
Windows 6.0.6000

7/29/2009 10:15:20 AM
mbam-log-2009-07-29 (10-15-20).txt

Scan type: Full Scan (C:\|D:\|E:\|F:\|G:\|)
Objects scanned: 446785
Time elapsed: 1 hour(s), 57 minute(s), 29 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 1
Registry Keys Infected: 17
Registry Values Infected: 0
Registry Data Items Infected: 9
Folders Infected: 1
Files Infected: 15

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
\\?\globalroot\systemroot\System32\MSIVXqpdsyqpyvjbbbrlqyhibcrgsfkcddiiv.dll (Spyware.Agent) -> Delete on reboot.

Registry Keys Infected:
HKEY_CLASSES_ROOT\msvps.msvpsapp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\vac.video (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{967a494a-6aec-4555-9caf-fa6eb00acf91} (Rogue.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{9692be2f-eb8f-49d9-a11c-c24c1ef734d5} (Rogue.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{b6a3935f-8fe4-49a4-b987-a1c09e53589f} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{ef94a58f-599b-4602-9c34-99683c5859b1} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{baba5bdb-4eff-48db-b443-679651d37128} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{a8954909-1f0f-41a5-a7fa-3b376d69e226} (Rogue.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{cdc0999c-999c-4ee1-875b-5c3542641768} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{31cbb13b-244d-4c44-aed5-dcad70f66281} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{09571a4b-f1fe-4c60-9760-de6d310c7c31} (Malware.Packer) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{345caa15-4f12-4a28-afe9-383625563a83} (Malware.Packer) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{f23b1f18-cb1a-47ed-a1fe-b60494a626d0} (Malware.Packer) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\videoaccesscodec (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\WinBlueSoft (Rogue.WinBlue) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\webvideo (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\ColdWare (Malware.Trace) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.60,85.255.112.82 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{71147865-9f2b-4375-81ff-7040448863d3}\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.60,85.255.112.82 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{7f82e9ea-52e0-4d8f-8d6e-3be7af6cbd09}\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.60,85.255.112.82 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.60,85.255.112.82 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{71147865-9f2b-4375-81ff-7040448863d3}\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.60,85.255.112.82 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{7f82e9ea-52e0-4d8f-8d6e-3be7af6cbd09}\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.60,85.255.112.82 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\Tcpip\Parameters\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.60,85.255.112.82 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\Tcpip\Parameters\Interfaces\{71147865-9f2b-4375-81ff-7040448863d3}\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.60,85.255.112.82 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\Tcpip\Parameters\Interfaces\{7f82e9ea-52e0-4d8f-8d6e-3be7af6cbd09}\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.60,85.255.112.82 -> Quarantined and deleted successfully.

Folders Infected:
C:\Program Files\VideoAccessCodec (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Files Infected:
\\?\globalroot\systemroot\System32\MSIVXqpdsyqpyvjbbbrlqyhibcrgsfkcddiiv.dll (Spyware.Agent) -> Quarantined and deleted successfully.
c:\$RECYCLE.BIN\s-1-5-21-2000531331-1063919592-926260219-1000\$RUXVCPX.tmp (Trojan.Dropper) -> Quarantined and deleted successfully.
c:\Users\Matt\AppData\Local\Temp\11AC.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
c:\Users\Matt\AppData\Local\Temp\band.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
c:\Users\Matt\AppData\Local\Temp\E1D6.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
c:\Users\Matt\AppData\Local\Temp\~tmpb.exe (Trojan.Agent) -> Quarantined and deleted successfully.
c:\program files\videoaccesscodec\install.ico (Trojan.FakeAlert) -> Quarantined and deleted successfully.
c:\program files\videoaccesscodec\Uninstall.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
c:\Users\Matt\local settings\temporary internet files\ijjistarter2.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Windows\rs.txt (Malware.Trace) -> Quarantined and deleted successfully.
c:\Windows\Tasks\{5B57CF47-0BFA-43c6-ACF9-3B3653DCADBA}.job (Trojan.FakeAlert) -> Quarantined and deleted successfully.
c:\Users\Matt\AppData\Local\Temp\~tmpa.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Windows\main_Uninstaller.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Windows\System32\MSIVXcount (Trojan.Agent) -> Delete on reboot.
C:\Users\Matt\readme.bat (Trojan.Downloader) -> Quarantined and deleted successfully.

Scan #2:

Malwarebytes' Anti-Malware 1.39
Database version: 2526
Windows 6.0.6000

7/29/2009 10:40:22 AM
mbam-log-2009-07-29 (10-40-22).txt

Scan type: Quick Scan
Objects scanned: 92460
Time elapsed: 13 minute(s), 56 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 2
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 10

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\Windows\System32\comcat32.dll (Trojan.Tracur) -> Delete on reboot.
\\?\globalroot\systemroot\System32\MSIVXqpdsyqpyvjbbbrlqyhibcrgsfkcddiiv.dll (Spyware.Agent) -> Delete on reboot.

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Tracur) -> Data: c:\windows\system32\comcat32.dll -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Tracur) -> Data: system32\comcat32.dll -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Windows\System32\comcat32.dll (Trojan.Tracur) -> Delete on reboot.
\\?\globalroot\systemroot\System32\MSIVXqpdsyqpyvjbbbrlqyhibcrgsfkcddiiv.dll (Spyware.Agent) -> Quarantined and deleted successfully.
c:\Users\Matt\AppData\Local\Temp\base.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
c:\Users\Matt\AppData\Local\Temp\ras.exe (Rogue.AVCare) -> Quarantined and deleted successfully.
c:\Users\Matt\AppData\Local\Temp\stat.exe (Trojan.TDSS) -> Quarantined and deleted successfully.
c:\Users\Matt\AppData\Local\Temp\usage.exe (Trojan.TDSS) -> Quarantined and deleted successfully.
c:\Windows\Temp\bas4675.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
c:\Windows\Temp\ras3870.tmp (Rogue.AVCare) -> Quarantined and deleted successfully.
c:\Windows\Temp\sta4C20.tmp (Trojan.TDSS) -> Quarantined and deleted successfully.
C:\Windows\System32\MSIVXcount (Trojan.Agent) -> Delete on reboot.

Scan #3

Malwarebytes' Anti-Malware 1.39
Database version: 2526
Windows 6.0.6000

7/29/2009 11:34:58 AM
mbam-log-2009-07-29 (11-34-58).txt

Scan type: Quick Scan
Objects scanned: 92181
Time elapsed: 6 minute(s), 46 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 1
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
\\?\globalroot\systemroot\System32\MSIVXqpdsyqpyvjbbbrlqyhibcrgsfkcddiiv.dll (Spyware.Agent) -> Delete on reboot.

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
\\?\globalroot\systemroot\System32\MSIVXqpdsyqpyvjbbbrlqyhibcrgsfkcddiiv.dll (Spyware.Agent) -> Quarantined and deleted successfully.
C:\Windows\System32\MSIVXcount (Trojan.Agent) -> Delete on reboot.

Scan #4

Malwarebytes' Anti-Malware 1.39
Database version: 2526
Windows 6.0.6000

7/29/2009 12:55:58 PM
mbam-log-2009-07-29 (12-55-58).txt

Scan type: Quick Scan
Objects scanned: 89131
Time elapsed: 8 minute(s), 6 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 1
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
\\?\globalroot\systemroot\System32\MSIVXqpdsyqpyvjbbbrlqyhibcrgsfkcddiiv.dll (Spyware.Agent) -> Delete on reboot.

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
\\?\globalroot\systemroot\System32\MSIVXqpdsyqpyvjbbbrlqyhibcrgsfkcddiiv.dll (Spyware.Agent) -> Quarantined and deleted successfully.
C:\Windows\System32\MSIVXcount (Trojan.Agent) -> Delete on reboot.
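
One way to compare consecutive logs like the four above and list the objects that are detected again after an earlier removal attempt, as an added example that is not part of the original posts. The function names and the sample excerpts (placeholder paths and detection names) are constructed for illustration, and the parser assumes the MBAM 1.39 text layout shown in this thread.

```python
import re
from collections import defaultdict

# Section header such as "Files Infected:" (summary lines end in a count and do not match).
SECTION = re.compile(r"^(?P<name>[A-Za-z ]+) Infected:\s*$")
# Entry: "<object> (<Detection.Name>) -> [Data: <value> ->] <action>."
ENTRY = re.compile(
    r"^(?P<obj>.+?) \((?P<det>[\w.]+)\) -> "
    r"(?:Data: .*? -> )?(?P<action>.+?)\.?\s*$")

def parse_mbam_log(text):
    """Return (section, object, detection, action) tuples; objects are lower-cased."""
    section, items = None, []
    for line in text.splitlines():
        header = SECTION.match(line.strip())
        entry = ENTRY.match(line.strip())
        if header:
            section = header.group("name")
        elif entry and section:
            items.append((section, entry.group("obj").lower(), entry.group("det"), entry.group("action")))
    return items

def recurring_items(logs):
    """Map each object reported in more than one scan to the scan numbers that saw it."""
    scans = defaultdict(set)
    for number, text in enumerate(logs, start=1):
        for _section, obj, _det, _action in parse_mbam_log(text):
            scans[obj].add(number)
    return {obj: sorted(n) for obj, n in scans.items() if len(n) > 1}

# Constructed sample excerpts in the same layout; paths and detection names are placeholders.
SCAN_1 = r"""Files Infected: 2

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Example\Setting (Trojan.Example) -> Data: c:\example\placeholder.dll -> Quarantined and deleted successfully.

Files Infected:
C:\Example\placeholder.dll (Trojan.Example) -> Delete on reboot.
C:\Example\Temp\dropper.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
"""
SCAN_2 = r"""Memory Modules Infected:
C:\Example\placeholder.dll (Trojan.Example) -> Delete on reboot.

Files Infected:
c:\example\placeholder.dll (Trojan.Example) -> Delete on reboot.
"""

if __name__ == "__main__":
    for obj, seen_in in recurring_items([SCAN_1, SCAN_2]).items():
        print(f"re-detected in scans {seen_in}: {obj}")
```

An object that is listed again in a later scan after "Delete on reboot" or "Quarantined and deleted successfully" was either never actually removed or is being restored by something the scanner did not clean.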
Shotmaker
Newbie
29. July 2009 @ 17:39
Here's the Windows Admin Permission thing I was talking about; it pops up on random websites. What's the story on this?


AmyJones
Suspended permanently
23. November 2009 @ 07:21
spam edited by ddp

This message has been edited since posting. Last time this message was edited on 23. November 2009 @ 14:32
