Spyware Problem, Virtual memory low

Discussion in 'Malware Help (A Specialist Will Reply)' started by daones, May 31, 2007.

  1. daones

    daones Private E-2

    Well a few days ago I had ipmom.exe on my computer, a shield in the taskbar telling me my computer is infected and wanting to take me to a website for software, I'm guessing. I have 1GB of RAM and usually never had virtual memory low. Here's what I've done so far:
    1. Ran Adaware
    2. Spybot
    3. Registry cleaner
    4. Found the following files in system32 of Windows: wycdd.ini, ewiramwm.ini, mwmariwe.dll, nmp.log, nvapps.xml, wycdd.bak2, mcrh.tmp, wycdd.bak1, ddcyw.dll, pqstv.ini, pqstv.bak2, adbeg.ini, adeeg.ini, rtsrv.ini, vtstr.dll, ljjhfcd.dll.

    I believe some of them are spyware related as they all have dates within the time I got the spyware problem, so I booted into safe mode and deleted them, but once I reboot they're there again. Here is my HijackThis log file. Any advice is appreciated.

    Edit: Removed inline log for guide below to be run
     
  2. DavidGP

    DavidGP MajorGeeks Forum Administrator - Grand Pooh-Bah Staff Member

    Welcome to Majorgeeks!

    Please follow our standard cleaning procedures which are necessary for us to provide you support. Also there are steps included for installing, running, and posting HijackThis logs as attachments.
    • Run ALL the steps in this Sticky thread READ & RUN ME FIRST Before Asking for Support
    • Make sure you check version numbers and get all updates.
    • Very Important: Make sure you tell us the results from running the tutorial...was anything found? Were you unable to complete any of the scans?...Were you unable to download any of the tools?...Did you do the on-line scans as suggested? etc.
    • After doing ALL of the above you still have a problem make sure you have booted to normal mode and run the steps in the below link to properly use HijackThis and attach a log:
    Downloading, Installing, and Running HijackThis

    Make sure you also rename HijackThis.exe as suggested in the procedures. Use analyse.exe for the new name. This is very important due to some new infections going around.

    • When you return to make your next post, make sure you attach the following logs and that you have run these scans in the following order too:
      • CounterSpy
      • AVG Antispyware log - ONLY IF NEEDED you were not able to run CounterSpy
      • Bitdefender - from step 6
      • Panda Scan - from step 6
      • runkeys.txt - the log from GetRunKey.bat
      • newfiles.txt - the log from ShowNew.bat
      • HijackThis
    NOTE: You can only attach 3 files in a single message so it will require that you use two messages to attach all of these logs!
     
  3. daones

    daones Private E-2

    runkeys didn't work; it says the registry value wasn't found.
     

    Attached Files:

  4. daones

    daones Private E-2

    hijackthis log file
     

    Attached Files:

  5. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Please read the download page for GetRunKey completely. This is explained there. Also if you have the current version of GetRunKey, it even prints out the below message in the window explaining this:

    NOTE: Ignore any error messages about not finding registry keys!


    You need to allow the program to run thru to completion. Then attach the requested log.

    You also need to run and attach the requested log from PandaActiveScan.

    Also please install HijackThis properly! It does not belong in the below folder:
    C:\backups\analyse.exe


    Why are you running this PC with Zero protection!!!!
     
  6. daones

    daones Private E-2

    Okay, did those things: added Panda scan, moved HijackThis and added runkeys log. I also installed ZoneAlarm Pro.
     

    Attached Files:

  7. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    ZoneAlarm Free is only a firewall. It is not an antivirus or antispyware application and you do not have either of these. Yes, you installed SuperAntiSpyware after your infection on May 31st, but unless you purchase SuperAntiSpyware it provides no realtime protection to block malware. The free version is a scanner and removal tool, which is only after the fact!

    You ignored the notice in step 0 of the READ ME to not use MSconfig to control startups. You MUST be in normal startup mode and you are not. Due to this, my steps given below may not work properly or completely. Please get in normal startup mode now and do not use MSconfig anymore. You must do this now before continuing or it will complicate removal.

    Did you knowingly download the stuff the Panda showed? Keyloggers and other items?

    Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    O2 - BHO: (no name) - {3E0182B1-A373-41EB-BDC9-1DF6D6771E0F} - (no file)
    O2 - BHO: (no name) - {73BA12CB-F801-41F7-B199-0474FB66D090} - (no file)
    O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [ipmon] ipmon.exe
    O20 - Winlogon Notify: winuns32 - winuns32.dll (file missing)

    After clicking Fix, exit HJT.
    Boot into safe mode and use Windows Explorer to delete the below if found:
    C:\windows\system32\winuns32.dll
    C:\windows\system32\ipmon.exe
    C:\windows\ipmon.exe

    Now run Ccleaner

    Now reboot in normal mode

    Now Copy the bold text below to notepad. Save it as fixME.reg to your desktop. Be sure the "Save as" type is set to "all files" Once you have saved it double click it and allow it to merge with the registry.

    Now attach the below new logs and tell me how the above steps went.

    1. GetRunKey
    2. ShowNew
    3. HJT


    Make sure you tell me how things are working now!
     
    Last edited: Jun 3, 2007
  8. daones

    daones Private E-2

    I'm not sure what you meant by the msconfig. In the directions it says do not use msconfig to control startups, but then below it says use it to make normal startup. Before I ran HJT I went into normal startup.

    I thought ZoneAlarm Pro had antispyware and virus? I'm not too happy with it anyway; it bogs down my resources, it seems. Last night it was taking 50% CPU? Can you recommend one? Anyway, I'll do the steps you provided and post back after finished.
     
  9. daones

    daones Private E-2

    Okay, did all the steps and have the log files. As of right now I won't be able to tell you if I'm having the same problems; I usually have to start using the computer a while. My main concern was getting rid of all those unknown files in windows/system32 and they seem to be gone, so that's good. Thanks a lot for the help. I'll get back if I have any trouble. Here are the new logs:
     

    Attached Files:

  10. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You should be in Normal Startup when you do step 0 of the READ ME and remain there. The note in HJT is just a reminder. You were not in normal startup while doing everything else including GetRunKey.

    The FREE version of ZoneAlarm is only a firewall and it is not the Pro version. You must pay to get the Pro version, or you could download and install the Pro version and use it only for the duration of the trial period. It appears that you did install the Pro version, not the free version. Yes, there are multiple other versions of ZoneAlarm: ZoneAlarm with AV, ZoneAlarm with Antispyware, and even a full internet security suite with everything. The latest free ZoneAlarm comes with an internet security suite package, which is why it is so large, but you don't have to install the security suite, which must be purchased after a small trial period.

    All firewalls, antispyware, and antivirus tools will impact performance, but they will not normally consume 50% of the CPU unless an update is being done or they are running a scan. My final instructions (which I will post when I believe you are clean) will contain a list of free tools to use.
     
  11. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You did not answer my question about the keyloggers.

    Uninstall the below old versions of software:
    J2SE Runtime Environment 5.0 Update 11

    Make sure you reboot after uninstalling the above!

    After reboot, now install the current version of Sun Java from: Sun Java Runtime Environment

    Did you apply the fixME.reg patch? Did you receive a success message? At least one item from malware is still there. Try the patch again and tell me if you receive a success message. Attach a new log from GetRunKey afterwards.

    We have a bunch more files to remove and one of them could prove difficult since it may be rootkit related. I will post another fix later. I have to run out for awhile right now.
     
  12. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Print the below instructions because at a point during them you MUST (this can be critical) shut down all browsers. I will tell you when to exit the browsers during the multi-part procedure.

    Part 1 - Rootkit Scan
    • Download GMER Rootkit Scanner from GMER
    • Unzip it to your Desktop.
    • Launch gmer.exe by double-clicking it. Select the rootkit tab & make sure the 'Show All' button is unticked.
    • Click the Scan button and let the program do its work. It will produce a log.
    • Copy the log using the Copy button
    • Open Notepad and paste the log into a new text file (Using Ctrl + V), save it somewhere you can find it. Call it gmer.txt
    • I will ask you to attach this log later.
    Part 2 - Remove Malware Files
    • Download this file - combofix.exe directly to your Desktop. Do not run it!
      • **Note: It is important that it is saved directly to your desktop**
    • Open Notepad and copy/paste the text in the below quote box into it:
    • Save the above as ComboFix-Do.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    • At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    • You should have the below icons on your Desktop (double click the thumbnail to expand it)
    ComboFix - DO.jpg
    • Now refer to the above image and use your mouse to drag ComboFix-Do.txt on top of ComboFix.exe
    • Follow the prompts.
    • When it finishes, a log will be produced named c:\combofix.txt
    • I will ask for this log below
    Note:

    Do not mouseclick combofix's window while it is running. That may cause it to stall.


    Now attach the below new logs and tell me how the above steps went.

    1. GMER log
    2. ComboFix log
    3. new GetRunKey
    4. new ShowNew
    5. new HJT
    Make sure you tell me how things are working now!
     
  13. daones

    daones Private E-2

    About the keyloggers, I did download one a few months back. And yesterday I ran the fixme.reg and it seemed to work.

    1. Uninstalled old Java
    2. Installed new Java
    3. Ran the rootkit scan and it worked
    4. ComboFix produced a log
    5. GetRunKey, ShowNew, HJT

    Lately I don't see any problems with the computer, but I think I had these for a long time and just a few days ago saw problems from it. I want to make sure I don't have any left. Here are the logs.
     

    Attached Files:

  14. daones

    daones Private E-2

    Here are the others.
     

    Attached Files:

  15. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Did you run ComboFix exactly as I requested by dragging the ComboFix-Do.txt file onto the ComboFix.exe??? Or did you just run ComboFix.exe by double clicking on it ?(this is what it looks like you did). You have to run the whole procedure over again from part 2 down. You don't need to run GMER again (not yet) or attach a log from it again.
     
  16. daones

    daones Private E-2

    No, I actually did drag the text file I made, combo fix, to the other icon. Do you want me to do it again?
     
  17. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay! My mistake! Sorry about that! Let's create the file differently. Please use the previous instructions to create the file, but use the below quote box info to create the file. Then drag this file over the ComboFix.exe per the previous instructions.

    Now attach the below new logs and tell me how the above steps went.
    1. ComboFix log
    2. new GetRunKey
    3. new ShowNew
    4. new HJT
     
  18. daones

    daones Private E-2

    Here are the new ones.
     

    Attached Files:

  19. daones

    daones Private E-2

    hijackthis
     

    Attached Files:

  20. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You do not appear to have the current version of ComboFix. It should be catching this C:\WINDOWS\system32\xpdx.sys.

    Please download it to your Desktop again and then rerun the procedure to move the ComboFix-do.txt file onto the comboFix.exe file. Attach a new log when finished.
     
  21. daones

    daones Private E-2

    Downloaded again. I'm guessing this version is different because it had a disclaimer this time.
     

    Attached Files:

  22. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Yes this was the newer version that I needed you to run and it caught the malware that I wanted it to catch by running the procedure.

    Now run the GMER procedure again so I can be sure the hidden process from xpdx.sys was completely removed.
     
  23. daones

    daones Private E-2

    Here's the one.
     

    Attached Files:

  24. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay that looks good.

    How are things working?

    Attach new logs from ShowNew and HJT as hopefully a final checkup.
     
  25. daones

    daones Private E-2

    Everything seems to be normal as far as I can tell. Here are the new logs.
     

    Attached Files:

  26. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay let's fix a couple minor things and remove two unnecessary startups!


    Run HijackThis and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:
    O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
    O2 - BHO: (no name) - {C68AE9C0-0909-4DDC-B661-C1AFB9F5AE53} - (no file)
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

    After clicking Fix, exit HJT.


    If you are not having any other malware problems, it is time to do our final steps which will include getting your system properly protected since you still are running without proper protection:
    1. If we used Pocket Killbox during your cleanup, do the below
      • Run Pocket Killbox and select File, Cleanup, Delete All Backups
    2. If we used ComboFix, you can delete the ComboFix.exe file, C:\ComboFix folder, C:\QooBox folder, and the C:\combofix.txt log that was created.
    3. If we used SDFix you can delete all the SDFix related files and folders from your Desktop or wherever you installed it.
    4. If we used VundoFix, you can delete the VundoFix.exe file and the C:\VundoFix Backups folder and C:\vundofix.txt log that was created.
    5. If we had you run FixWareOut, you can delete the Fixwareout.exe file and the C:\fixwareout folder.
    6. If we had you run Avenger, you can delete all files related to Avenger now.
    7. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    8. You can delete the ShowNew.Zip and GetRunkey.Zip files and the files that you extracted from the ZIP files. You can also delete the C:\newfiles.txt and C:\runkeys.txt logs that were created.
    9. If you are running Windows XP or Windows ME, do the below:
      • go back to step 8 of the READ & RUN ME to Disable System Restore which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    10. After doing the above, you should work thru the below link:
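The HijackThis entries chaslang singles out in posts 7 and 26 above fall into a few recognisable patterns: O2 BHO registrations marked "(no file)", O4 Run values that name a bare executable with no path (the [ipmon] ipmon.exe line), and an O20 Winlogon Notify package marked "(file missing)". The script below is an added example of how a helper could triage such lines automatically; it is not part of the thread and is not a MajorGeeks or HijackThis tool. The sample log is constructed: the two "(no file)" CLSIDs, the TkBellExe, ipmon and winuns32 lines mirror the thread's quoted entries, while the second O2 line, its CLSID and its path are invented placeholders for contrast.

```python
import re

# Constructed sample log lines modelled on the HijackThis entries quoted in
# the thread (posts 7 and 26). The "Example Helper" O2 line, its CLSID and
# its path are placeholders invented for contrast, not entries from any log.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {3E0182B1-A373-41EB-BDC9-1DF6D6771E0F} - (no file)
O2 - BHO: Example Helper - {00000000-0000-0000-0000-000000000001} - C:\Program Files\Example\helper.dll
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [ipmon] ipmon.exe
O20 - Winlogon Notify: winuns32 - winuns32.dll (file missing)
"""

HJT_LINE = re.compile(r"^(O\d+) - (.*)$")
RUN_ENTRY = re.compile(r"^(?P<key>[^:]+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
DRIVE_PATH = re.compile(r"^[A-Za-z]:\\")


def first_token(cmd):
    """Return the program part of a Run value, honouring a quoted path."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split()[0] if cmd else ""


def classify(section, body):
    """Map one HijackThis entry (section id, remainder of line) to (verdict, reason)."""
    if section == "O2":
        if body.endswith("(no file)"):
            return "orphan", "BHO CLSID is registered but its DLL is gone; safe to remove"
        return "review", "BHO with a DLL on disk; confirm the publisher before keeping it"
    if section == "O4":
        m = RUN_ENTRY.match(body)
        if not m:
            return "unknown", "unrecognised Run entry layout"
        exe = first_token(m.group("cmd"))
        # A bare file name is resolved through the search path at logon, which
        # is how a dropped copy in system32 gets itself started (cf. ipmon.exe).
        if not DRIVE_PATH.match(exe) and not exe.startswith("%"):
            return "suspicious", (
                f"Run value '{m.group('name')}' starts '{exe}' with no full path; "
                "check where that file actually lives before deciding"
            )
        return "ok", f"Run value '{m.group('name')}' uses a full path"
    if section == "O20":
        if body.endswith("(file missing)"):
            return "orphan", "Winlogon Notify package with no DLL; safe to remove"
        return "review", "Winlogon Notify DLL loads into winlogon.exe; verify it"
    return "unknown", f"no rule for section {section}"


def triage(log_text):
    """Parse HijackThis log text and return [(raw_line, verdict, reason), ...]."""
    results = []
    for line in log_text.splitlines():
        m = HJT_LINE.match(line.strip())
        if not m:
            continue  # blank lines and non-entry lines are skipped
        section, body = m.groups()
        verdict, reason = classify(section, body)
        results.append((line.strip(), verdict, reason))
    return results


if __name__ == "__main__":
    for raw, verdict, reason in triage(SAMPLE_LOG):
        print(f"[{verdict:10}] {raw}\n             {reason}")
```

The verdicts deliberately stop short of "remove": an orphaned BHO or Notify entry is cleanup, but a Run value with a bare file name only tells you to go and look at the file, which is exactly the order chaslang follows (fix the HJT lines first, then delete the files from system32 in safe mode).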
     
