Short version: Antivirus XP (prossibly others) has weakened my Windows to near unusability, by limiting the system resources/ virtual memory somehow (I have only been able to open Task Manager, Regedit, Windows Explorer, and HijackThis).

Long version: Okay, so the first weird thing was spoolsv.exe, which was filling up my harddrive. By the time I had installed an antivirus program, ntvdm.exe was eating at my CPU, but this was easily fixed. I think the antivirus program must have been infected, because then I got signs of Antivirus XP (popups,wallpaper,shortcuts). It wouldn't let me update a different antivirus program. so eventually I shutdown my laptop.

Here's the worrisome bit: When I start it up in normal mode, it takes ages and eventually just gets to the blue wallpaper. Nothing can be opened except Task Manager (Ctrl+alt+Delete) and from here I can see my files are still there, but I can't open any programs (that I suspect use too much memory). So I can't open/install any of the usual antivirus programs. Even System Restore won't open properly! In safe mode, Windows Explorer barely works, but crashes and logs out every minute or so.

All the while, icon graphics are disappearing, and I'm getting messages such as:
Low on Virtual Memory.
System Resources too low.
Out of Memory.
Parser Message.
And others that don't even have text.


The latest HijackThis almost completes a scan but gives me this error:
mod_Main_StartScan() Error #14 - Out of string space.
(I can give you the partial log if you like)
Luckily, HijackThis version 1.99.1 did work (the only other working program so far is Regedit) so here is the log:

Scan saved at 4:00:56 PM, on 19/08/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =

http://global.acer.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =

http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL =

http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page =

http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =

http://go.microsoft.com/fwlink/?LinkId=69157
O1 - Hosts: 66.98.148.65 auto.search.msn.com
O1 - Hosts: 66.98.148.65 auto.search.msn.es
O2 - BHO: QXK Olive - {14FA812F-A03D-4ACE-A134-EC65959D1546} -

C:\WINDOWS\twmxbsqrpeg.dll
O2 - BHO: (no name) - {28D5CFF1-56B7-40C6-94D6-99FCA38A194F} - (no file)
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-

B461-4BC5-8870-4C09146192CA} - C:\Program

Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: (no name) - {34A4E25E-3CE2-4AA2-A992-0B5BA68B712E} - C:\WINDOWS\system32

\yayyXPgE.dll
O2 - BHO: (no name) - {64C079F1-99B9-4329-AB94-715197057F07} - C:\WINDOWS\system32

\byXRigEV.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program

Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: {9d88c5bc-4c9b-1adb-4274-e25e9e6c4e79} - {97e4c6e9-e52e-4724-bda1-

b9c4cb5c88d9} - C:\WINDOWS\system32\evgcpr.dll
O2 - BHO: FDMIECookiesBHO Class - {CC59E0F9-7E43-44FA-9FAA-8377850BF205} - C:\Program

Files\Free Download Manager\iefdm2.dll
O2 - BHO: FlashFXP Helper for Internet Explorer - {E5A1691B-D188-4419-AD02-

90002030B8EE} - C:\PROGRA~1\FlashFXP\IEFlash.dll
O3 - Toolbar: rafbsvnx - {C1BA55E4-0DD3-4F21-A036-94F6DEEB9F89} -

C:\WINDOWS\rafbsvnx.dll
O4 - HKLM\..\Run: [LaunchApp] Alaunch
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [LtMoh] C:\Program Files\ltmoh\Ltmoh.exe
O4 - HKLM\..\Run: [LManager] C:\PROGRA~1\LAUNCH~1\CPLBCL53.EXE
O4 - HKLM\..\Run: [RemoteControl] C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06

\bin\jusched.exe
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe

bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common

Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [C:\WINDOWS\system32\kdnxp.exe] C:\WINDOWS\system32\kdnxp.exe
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide

/waitservice
O4 - HKLM\..\Run: [\SUE1C4.exe] C:\Windows\SUE1C4.exe
O4 - HKLM\..\Run: [\SUE1C5.exe] C:\Windows\SUE1C5.exe
O4 - HKLM\..\Run: [\SUE1C6.exe] C:\Windows\SUE1C6.exe
O4 - HKLM\..\Run: [\SUE1C7.exe] C:\Windows\SUE1C7.exe
O4 - HKLM\..\Run: [\SUE1C8.exe] C:\Windows\SUE1C8.exe
O4 - HKLM\..\Run: [Antivirus] C:\Program Files\VAV\vav.exe
O4 - HKLM\..\Run: [2629165f] rundll32.exe "C:\WINDOWS\system32\lpxnultj.dll",b
O4 - HKLM\..\RunOnce: [Spybot - Search & Destroy] "C:\Program Files\Spybot - Search &

Destroy\SpybotSD.exe" /autocheck
O4 - HKLM\..\RunOnce: [SpybotDeletingA3894] command /c del "C:\WINDOWS\system32

\kdnxp.exe"
O4 - HKLM\..\RunOnce: [SpybotDeletingC4428] cmd /c del "C:\WINDOWS\system32\kdnxp.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common

Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat

7.0\Reader\reader_sl.exe
O4 - Global Startup: Run Nintendo Wi-Fi USB Connector Registration Tool.lnk =

C:\Program Files\WiFiConnector\NintendoWFCReg.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program

Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501}

- C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1

\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program

Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-

00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1

\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program

Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1

\MSGRAP~1.DLL
O18 - Filter hijack: text/xml - {807563E5-5146-11D5-A672-00B0D022E945} - C:\PROGRA~1

\COMMON~1\MICROS~1\OFFICE12\MSOXMLMF.DLL
O20 - AppInit_DLLs: evgcpr.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: yayyXPgE - C:\WINDOWS\SYSTEM32\yayyXPgE.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} -

C:\WINDOWS\system32\WPDShServiceObj.dll
O21 - SSODL: tsxngabr - {3B8CB3D0-CE9E-4A48-8EF1-186D592108CA} -

C:\WINDOWS\tsxngabr.dll
O21 - SSODL: vtqnxfko - {21EA940D-7A49-4471-9AA6-32E671137C8D} -

C:\WINDOWS\vtqnxfko.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe

Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - Unknown owner - C:\PROGRA~1

\Grisoft\AVG7\avgamsvr.exe (file missing)
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - Unknown owner - C:\PROGRA~1

\Grisoft\AVG7\avgupsvc.exe (file missing)
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\System32

\drivers\CDAC11BA.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation -

C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program

Files\iPod\bin\iPodService.exe

Btw, I copied it onto USB and am typing this from another computer. However, I don't think I can reliably copy big files.
Also, can I use HijackThis to fix the problem? If I can't find a small enough virus removal program, I'm thinking I might have to do this manually somehow- deleting appropriate files/registry or maybe doing something with the paging file?
Are the actual system files damaged, or is the virus just making it look like that? I'm wondering if getting rid of the virus will automatically fix the system, or will I have to do something else?

Hi and welcome to the forums here at G2G!

Your system is pretty badly infected, but we can hopefully get you cleaned up without too much trouble....just some work.

Do me a favor before you post any more logs and turn off word wrap in Notepad. Click Format and uncheck Word Wrap.

Please download SDFix and save it to your Desktop.

You should print out these instructions, or copy them to a NotePad file for reading while in Safe Mode, because you will not be able to connect to the Internet to read from this site.

Double click on SDFix.exe. It should automatically extract a folder called SDFix to your system drive (usually C:\). Please reboot your computer in Safe Mode by doing the following :

• Restart your computer
• After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
• Instead of Windows loading as normal, a menu with options should appear;
• Select the first option, to run Windows in Safe Mode, then press "Enter".
• Choose your usual account.

• Open the SDFix folder and double click on RunThis.bat to start the script.
• Type Y and press Enter to begin the script.
• It will start cleaning your PC and then prompt you to press any key to Reboot.
• Press any key to restart the PC.
• Your system will take longer than normal to restart as the fixtool will be removing files.
• When the desktop loads the Fixtool will complete the removal and display Finished.
• Press any key to end the script and to load your desktop icons.
• A text file should automatically open, so please copy the contents and post them here.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Please download ComboFix from Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**

1. Please, never rename Combofix unless instructed.
2. Close any open browsers.
3. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
   
   -----------------------------------------------------------
   
   
   • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
   • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
     
     -----------------------------------------------------------
   
   
   • Close any open browsers.
   • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
   • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
   • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
   
   
   -----------------------------------------------------------
4. Double click on combofix.exe & follow the prompts.
5. When finished, it will produce a report for you.
6. Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review.

**Note: Do not mouseclick combofix's window while it's running. That may cause it to stall**

Hi,

Did you still need help here? Please let me know.

Thanks,
Dave

Due to lack of feedback, this topic has been closed.

If you need this topic reopened, please contact a staff member. This applies only to the original topic starter. Everyone else please begin a New Topic.