Virtual Memory Low - could be related to Virtumundo Virus?

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by joeigurl, Oct 14, 2004.

  1. joeigurl

    joeigurl Private E-2

    Hello everyone! I am new to this forum and I joined recently to ask for your help. Recently, I noticed that my Dell PC (600M) has been getting these StopGuard and Win anti-virus pop-ups whenever I log in to the Internet. I ran Norton Anti-Virus 2003 and found the "hostx.exe" trojan. I deleted the file manually as it was only quarantined by Norton (is there a diff between deleting and quarantine?).

    Since last Tuesday however, the problem got worse. I began getting Virtual Memory Low (will increase memory size) warnings, which causes my laptop to run really slow. I ran into a help article from your website and followed those steps: Disabling System Restore, Running Ad-Aware SE with VX2 Cleaner Plug-In, CCleaner, Ad-Aware and Spybot. I was able to delete some "errors" like Cydoor, Virtumundo and others. However, the Virtual Memory issue still remains.

    I ran Spybot again this afternoon and found DSO Exploits and ALTEvents.ALTEvents in my system. I didn't do anything and decided to run Hijack This (from what I gather from other threads, I have no other choice).
    =(

    I can't use the pc as it's running really slow. If it helps, I noticed in the Task Manager that I have this process that's really taking up a lot of the resources (diskxml.exe). 1.16GB and up PF Usage recording! And it just keeps on going up from there.

    Somewhere during the Spybot or Ad-Aware SE run, I saw some files: mxksid.tmp, mxksid.ini and mxksid.bak2 which appear to be spelled backwards. Is this related or not? It's not showing up in the Hijack report though.

    I'd just like to know what should be done and uninstalled to get these problems out forever. I have Kazaa and WinMX installed in my system (are these the cause?)

    I hope I've been able to recall and jot everything down here to give you guys more information. I hope we can find a solution to my problem. Thanks so much for your help!
     


  2. PhilliePhan

    PhilliePhan Guest

    Hi joeigurl,

    You have a Stopguard infection. These have been known to shutdown IE.

    Please extract HijackThis to its own folder C:\Program Files\HijackThis and post a fresh log. Once you post the log, you MUST NOT reboot because the Stopguard files mutate on reboot.

    I'll check back.

    Best,
    PP
     
  3. joeigurl

    joeigurl Private E-2

    Hello! Here's a fresh copy of the log. Some funny looking names I noticed:
    wuauclt.exe
    diskxml.exe
    bakacc.exe

    I'm not sure if there are other "invalid" files there. Looking forward to your help! Thanks!
     


  4. joeigurl

    joeigurl Private E-2

    Additional information:

    I have a Dell laptop Pentium M 1400MHz and 512 MB of RAM. But the paging file is running up to 1.6GB already. Some forums mention increasing the memory but I still believe it is related to the Trojan/virus/StopGuard. What do you think?
     
  5. PhilliePhan

    PhilliePhan Guest

    Hi Joeigurl,
    There were a number of things on your old log that needed to be dealt with. I am tied up right now, but will post a workthrough for you by this evening. Don't worry - We'll fix you up :)

    wuauclt.exe - is OK. Windows Automatic Updates
    diskxml.exe - is one of the Stopguard entries - They have changed a few times already.

    Hang in there and DO NOT REBOOT and I will post instructions this evening.

    Best,
    PP
     
  6. joeigurl

    joeigurl Private E-2

    Thanks Phil! I'll try to hang on until it's closing time at work (around 6pm). At such time, I may be forced to shut down my laptop. Please let me know if you will need a new log tonight. Thanks so much for your help in advance! I appreciate it =)
     
  7. PhilliePhan

    PhilliePhan Guest

    Hi Joeigurl,

    You have a ton of stuff running that is probably responsible for eating much of your resources. But, I’ll leave the removal of those items up to you and stick to the malware on your computer.
    I STRONGLY recommend that you get rid of KAZAA – I’ll have you remove some Kazaa related add-ons below.

    Anyhoo, shall we get started? Print out these instructions so you can operate with all browser windows closed. Some of these steps can be a bit repetitive, but Stopguard can be a tough bugger to remove - Yours doesn't look too bad though ;)

    Make sure System Restore is OFF

    Enable the Viewing of Hidden Files as per these instructions:
    http://forums.majorgeeks.com/showthread.php?goto=newpost&t=37650

    Make sure you know how to boot into SAFE MODE (but don’t do it yet) as per these instructions:
    http://forums.majorgeeks.com/showthread.php?t=31668

    NOW:
    Please look in Add or Remove Programs and, if you see them, REMOVE:
    My Way
    My Search
    MyBar
    Altnet


    NEXT:
    Look in C: > WINDOWS > PREFETCH & Delete diskxml.exe. If it is easier, you can go ahead and delete all of the files in the Prefetch Folder. ( Do Not Delete The Prefetch Folder Itself)

    NEXT:
    Run HijackThis and Check the Boxes for the following entries:

    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = http://localhost

    R3 - URLSearchHook: (no name) - {00D6A7E7-4A97-456f-848A-3B75BF7554D7} - (no file)

    O2 - BHO: myBar BHO - {0494D0D1-F8E0-41ad-92A3-14154ECE70AC} - C:\Program Files\MyWay\myBar\1.bin\MYBAR.DLL

    O2 - BHO: CATLEvents Object - {3EC8E271-FAB9-418a-8A8E-65AEB4029E64} - C:\DOCUME~1\FOODFO~1\LOCALS~1\Temp\itnaavaj.dat (file missing)

    O2 - BHO: CATLEvents Object - {6A06CDAD-9D2D-42A0-9C91-C0CF7CB9971B} - C:\DOCUME~1\FOODFO~1\LOCALS~1\Temp\lmxksid.dat

    O2 - BHO: (no name) - {D714A94F-123A-45CC-8F03-040BCAF82AD6} - C:\WINDOWS\Downloaded Program Files\SbCIe028.dll

    O3 - Toolbar: &SearchBar - {0494D0D9-F8E0-41ad-92A3-14154ECE70AC} - C:\Program Files\MyWay\myBar\1.bin\MYBAR.DLL

    O4 - HKLM\..\Run: [AltnetPointsManager] c:\program files\altnet\points manager\points manager.exe -s

    O4 - HKLM\..\Run: [P2P Networking] C:\WINDOWS\System32\P2P Networking\P2P Networking.exe /AUTOSTART

    O4 - HKLM\..\Run: [*bakacc] C:\WINDOWS\bakacc.exe

    O4 - HKLM\..\Run: [*diskxml] C:\WINDOWS\system\diskxml.exe

    O9 - Extra button: Support - {3343DDE0-49D2-4665-9445-EDB07975D072} - http://www.comcastsupport.com (file missing) (HKCU)

    O9 - Extra button: ComcastHSI - {3CA4E059-5264-4B30-98EE-FE4CFF85F7A4} - http://www.comcast.net (file missing) (HKCU)

    O9 - Extra button: Help - {7500555E-7CD8-4D0E-B1E9-E60A40F338D5} - http://www.comcast.net/memberservices/ (file missing) (HKCU)

    O16 - DPF: {1D6711C8-7154-40BB-8380-3DEA45B69CBF} (Web P2P Installer) -

    O16 - DPF: {640B39C1-D713-464F-92C3-75BD972B95EE} - http://www.sidestep.com/get/k42037/sb028.cab


    CLICK “FIX” and then, while still in HijackThis, look in the lower right-hand box where it says “Other stuff,” and select CONFIG > MISC TOOLS > select DELETE A FILE ON REBOOT and where it says File Name, enter (or navigate to the file in the HijackThis pane) C:\WINDOWS\system\diskxml.exe
    and click OPEN. A message will ask you if you want to reboot now. Click YES and reboot into SAFE MODE by tapping F8.

    You may receive an error message after rebooting into Safe Mode that says Windows could not find the file you told it to delete. Just click okay and DO NOT REBOOT AGAIN. Stay in safe mode and delete the associated .ini and .dat files for the bad program. ( diskxml.ini & diskxml.dat ) if they remain. Navigate to them, or run a search of your machine for them.

    NEXT:
    Navigate to and DELETE the following files if they remain:

    C:\WINDOWS\bakacc.exe
    C:\WINDOWS\system\diskxml.exe
    C:\WINDOWS\System32\P2P Networking
    C:\Program Files\MyWay
    c:\program files\altnet


    NEXT:
    Run C Cleaner and Spybot SD again.

    Open Internet Explorer. Click TOOLS > INTERNET OPTIONS and Click DELETE COOKIES. Then, Click DELETE FILES and check the box for ALL OFFLINE CONTENT and Click OK.

    Open the C>WINDOWS>TEMP folder and delete all files and sub-folders if any remain.

    Make sure Recycle bin is empty. Note that CCleaner should have done all of this, but it doesn’t hurt to check.

    NOW:
    Reboot to Normal Windows and attach a fresh HijackThis Log and we’ll see if this does the trick.


    Looks like I just made it by 6PM :) In addition to the new log, let me know if you ran into any problems. I'll try to check back tonight.

    Best luck,
    PP
     
    Last edited by a moderator: Oct 15, 2004
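    The entries PP lists above follow the fixed HijackThis line format ("O2 - BHO: ...", "O4 - HKLM\..\Run: ..."), which makes them easy to triage mechanically. The following is an added example, not HijackThis code and not part of this thread: a small Python script that parses lines in that format and applies a few defender-side heuristics of the kind PP is applying by eye: a referenced file that is missing, a BHO or autorun loading from a user Temp folder, an autorun launched straight from the Windows root or the legacy \WINDOWS\system folder, and file-name stems that are the reverse of another stem in the log (the diskxml / lmxksid pairing joeigurl noticed). The sample log is constructed from the entries quoted in the thread and is not a complete log; the "suspect autorun directories" list is an assumption of this example, not an HJT rule.

```python
"""Added example (not HijackThis code and not from the thread): a small triage
helper for HijackThis-style log lines such as the ones quoted above.

It parses the "Oxx - ..." line format and applies defender-side heuristics:
  * entries whose file is reported missing (orphaned registry references),
  * O2/O4 entries loading from a user Temp directory,
  * O4 autoruns loading from the Windows root or the legacy \\WINDOWS\\system folder,
  * file-name stems that are the reverse of another stem in the log
    (the diskxml / lmxksid pairing the poster noticed).
"""
import re
from pathlib import PureWindowsPath

# Constructed sample built from entries quoted in the thread; not a full log.
SAMPLE_LOG = r"""
O2 - BHO: CATLEvents Object - {3EC8E271-FAB9-418a-8A8E-65AEB4029E64} - C:\DOCUME~1\FOODFO~1\LOCALS~1\Temp\itnaavaj.dat (file missing)
O2 - BHO: CATLEvents Object - {6A06CDAD-9D2D-42A0-9C91-C0CF7CB9971B} - C:\DOCUME~1\FOODFO~1\LOCALS~1\Temp\lmxksid.dat
O3 - Toolbar: &SearchBar - {0494D0D9-F8E0-41ad-92A3-14154ECE70AC} - C:\Program Files\MyWay\myBar\1.bin\MYBAR.DLL
O4 - HKLM\..\Run: [AltnetPointsManager] c:\program files\altnet\points manager\points manager.exe -s
O4 - HKLM\..\Run: [*bakacc] C:\WINDOWS\bakacc.exe
O4 - HKLM\..\Run: [*diskxml] C:\WINDOWS\system\diskxml.exe
"""

SECTION_RE = re.compile(r"^(?P<section>[A-Z]\d{1,2}) - ")
# First drive-letter path ending in a known extension; non-greedy so trailing
# switches such as " -s" or " /AUTOSTART" are not swallowed into the path.
PATH_RE = re.compile(
    r"(?P<path>[A-Za-z]:\\.*?\.(?:exe|dll|dat|ini|bak2|tmp))\b", re.IGNORECASE
)

# Heuristic (assumption of this example, not an HJT rule): autoruns pointing
# straight into these folders are unusual for legitimate software.
SUSPECT_AUTORUN_DIRS = {"c:\\windows", "c:\\windows\\system"}


def parse_entry(line):
    """Return a dict for one HJT entry line, or None if the line is not an entry."""
    m = SECTION_RE.match(line.strip())
    if not m:
        return None
    pm = PATH_RE.search(line)
    return {
        "section": m.group("section"),
        "path": pm.group("path") if pm else None,
        "missing": "(file missing)" in line,
        "raw": line.strip(),
    }


def flag_entry(entry):
    """Apply the heuristics to one parsed entry and return its list of flags."""
    flags = []
    if entry["missing"]:
        flags.append("file missing")
    if entry["path"]:
        p = PureWindowsPath(entry["path"])
        parts = [s.lower() for s in p.parts]
        if "temp" in parts and entry["section"] in {"O2", "O4"}:
            flags.append("loads from Temp")
        if entry["section"] == "O4" and str(p.parent).lower() in SUSPECT_AUTORUN_DIRS:
            flags.append("autorun from Windows root or legacy system dir")
    return flags


def triage(log_text):
    """Parse every entry line in the log text and attach its flags."""
    entries = []
    for line in log_text.splitlines():
        entry = parse_entry(line)
        if entry:
            entry["flags"] = flag_entry(entry)
            entries.append(entry)
    return entries


def reversed_pairs(entries):
    """Find file-name stems that are the exact reverse of another stem in the log."""
    stems = {PureWindowsPath(e["path"]).stem.lower() for e in entries if e["path"]}
    pairs = set()
    for stem in stems:
        rev = stem[::-1]
        if rev != stem and rev in stems:
            pairs.add(tuple(sorted((stem, rev))))
    return sorted(pairs)


if __name__ == "__main__":
    results = triage(SAMPLE_LOG)
    for e in results:
        if e["flags"]:
            print(f'{e["section"]}: {e["path"]}  ->  {", ".join(e["flags"])}')
    for a, b in reversed_pairs(results):
        print(f"reversed-name pair: {a} <-> {b}")
```

    Run it as-is and it reports the two Temp-loaded BHOs (one also orphaned), the two autoruns under the Windows root and legacy system folder, and the diskxml / lmxksid pair; the Altnet and MyBar lines are left for the human reviewer, which mirrors the thread, where the adware is removed on the strength of the vendor name rather than any path heuristic.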
  8. PhilliePhan

    PhilliePhan Guest

    Sorry about the wrong link. See what happens when you make me hurry ;)

    Instructions for Safe Mode from the Tutorial (in case you don't know how to do it):
    To boot into safe mode, restart your computer and tap the f8 key (after first black and white screen, but before the Windows splash screen) until you get to a black and white screen asking you what to do.

    PP
     
  9. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    PP,

    Don't forget MSN Messenger Plus 3. It contains spyware and LOP. That's the reason we will not offer it in MG's file system for download.
     
  10. PhilliePhan

    PhilliePhan Guest

    Hi Chas,
    I saw that too & thought about removing it along with the Kazaa related crap.
    I wasn't sure if JoeiGurl wanted it or not. Where do you like to draw the line as to what you think a user wants on their machine? Or are you a "trash it all" type of guy? ;)

    JoeiGurl - If MSN Messenger Plus 3 is something you want to remove (& Chas is right - as usual - it is crapware) let me know & we'll deal with it after you finish what I already posted.

    PP
     
  11. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    PP,

    You can always just ask "do you need" for things like:
    WildTangent
    KazaaLite

    Even qttask and realplayer stuff can be lumped in the above category but in most cases I ignore qttask and realplayer unless they are concerned about system resources and the number of tasks running. My personal choice for WildTangent and KazaaLite is to always remove.

    But for items like the ones below, I "strongly recommend" removing:
    Kazaa
    P2P Networking
    MSN Messenger Plus

    The final decision is always the user's to make. In most cases, if they really know they need it or just don't want to remove it, they will not. If it is there without their knowledge, they normally will just remove it upon recommendation.
     
  12. joeigurl

    joeigurl Private E-2

    Ok I'm back! Thanks guys! I definitely do not want any more system resource hogging software in my system so feel free to bash any and every software I have to delete ;)

    Here's the new log of HijackThis. Some notes I made along the way:

    1. In the C:\WINDOWS\PREFETCH dir, there was no diskxml.exe BUT there was a DISKXML.EXE-1954F60D.pf. I deleted this file.

    2. In the DELETE A FILE ON REBOOT option in HijackThis, I could not find the diskxml.exe file too so I just skipped the deletion step and rebooted the pc in safe mode.

    3. After rebooting in safe mode, I ran CCleaner and Spybot SD and found these "errors":
    ATLEvents.ALTLEvents
    DSO Exploits

    Totalling 5 items in error (2 or 3 registry key errors for each).

    I didn't do any fixing at this point and decided to defer to the experts *hint hint* :)

    Please let me know your thoughts. I'll delete the MSN Mgr Plus 3 right now. Thanks!

    "Sorry about the wrong link. See what happens when you make me hurry"

    PHIL: Sorry about that. I didn't mean to rush you =)
     


  13. PhilliePhan

    PhilliePhan Guest

    Hi Joiegurl,

    Your log looks better.
    The DSO exploit is a bug in SpybotSD. If your Windows priority updates are up to date, you may ignore it. You may even configure Spybot to ignore it via Advanced Mode > Settings.

    If you want to clean up some more, Fire up HijackThis and Check the Following Boxes:

    O4 - HKLM\..\Run: [MCAgentExe] C:\Program Files\McAfee.com\Agent\mcagent.exe

    O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\McAfee.com\Agent\McUpdate.exe

    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

    O4 - HKLM\..\Run: [VirusScan Online] c:\program files\mcafee.com\vso\mcvsshld.exe /disabled

    O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\Messenger Plus! 3\MsgPlus.exe"

    O4 - HKCU\..\Run: [MessengerPlus3] "C:\Program Files\Messenger Plus! 3\MsgPlus.exe" /WinStart


    Make sure ALL browser windows are closed when you click FIX.

    Then navigate to and DELETE:
    C:\Program Files\Messenger Plus! 3

    Now, Reboot and attach one more HJT log & we'll see how it looks ;)

    NOTE:
    I am removing the McAfee stuff since it looks like you are using Norton. You should note that a lot of people find Norton to be a Resource Hog. There are some nice FREE alternatives here at MajorGeeks. Problem is, Norton can be a problem to uninstall. If you want more info, post a Norton Alternatives topic in the Software Forum.
    You could also remove DVD Sentry if you want - It detects DVDs and plays them automatically.

    I'll check back later :)

    Best,

    PP
     
  14. joeigurl

    joeigurl Private E-2

    Hi Phil! Thanks so much for all your help! Here's the log. A few more questions:

    1. Do you recommend using the Firefox browser instead of IE?
    2. What should I do for future prevention? (Eg. get a firewall, etc?)
    3. I'm guessing I can turn on System Restore again after all these fixes right? Whenever I run HijackThis, does System Restore have to be on or off?

    I can't thank you enough! THANKS AGAIN! =)
     


  15. PhilliePhan

    PhilliePhan Guest

    Hi Joeigurl,
    Your HJT log looks good :)
    Firefox is a safe option. However, it will not protect you from the crapware that comes bundled with stuff like Kazaa that you knowingly put on your machine.
    A lot depends on your surfing habits. If you stay away from shady sites and don’t click on questionable ads, etc… you should be okay. I still use IE – I’ve got SpybotSD’s Immunization Feature activated and I keep it updated. I also use SpywareBlaster (you should as well! ) for some extra protection against ActiveX installs. Plus, I'm a safe surfer :cool:

    You definitely need a firewall. I don’t use Norton, so I don’t know if the product you have includes a firewall (and I’m too lazy to check – Hey, it's Friday night. . . Cut me a break! :) ) There are some good FREE ones here at MajorGeeks. For opinions as to the best ones, I would encourage you to ask the Software Forum. You should also check out Chaslang’s Recommendations. They address your questions well:
    How to Protect yourself from malware!
    You may turn system restore back on if you want. It’s a good idea to wait a day or two to make sure everything is working okay. You should not be running HijackThis unless you are talking to one of us in this forum. That way you’ll have somebody to blame if something goes wrong! ;)
    You are most welcome! :) We are happy to help!

    Your log is clean of malware. It is still pretty busy – Lots of business related entries, but your computer should be functioning better. I see one of the McAfee entries came back – Probably because I didn’t ask you to delete the file. It's not a big deal.

    Anyhoo, You are good to go!

    Happy Computing :) ,
    PP
     
  16. joeigurl

    joeigurl Private E-2

    Hi PP!

    Sorry I didn't have internet access over the weekend but I did do some hard disk defragging. Bad thing though, I noticed these 2 files shown in the fragmented files report:

    Fragments   File Size   Files that cannot be defragmented
    45          944 MB      \WINDOWS\SYSTEM\lmxksid.bak2
    126         963 MB      \WINDOWS\SYSTEM\lmxksid.ini

    This looks like diskxml spelled backwards, hehe. I have a gut feeling this was supposed to get deleted too (funny we didn't see this in the HijackThis log though). Do I repeat the same process you asked me to do the last time?

    I agree, I seem to have a lot of resources running (most of which, like the Comcast files, I'm not even sure I need but I can't find the uninstaller!). Oh well, it's another project hehe.

    Please let me know your thoughts!

    Thanks!
    joei
     
  17. PhilliePhan

    PhilliePhan Guest

    Lucky you caught me - I'm not here that often these days! You must have missed this part in my longwinded instructions! ;) Go ahead and delete those that you found - it looks like they have changed a bit.

    Are you having more problems? If you want, you can post another log. The last one was clean, though. I'm really busy these days, but usually I find some time to check in in the late evening.

    Best,
    PP
     
  18. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Just a note for future reference:

    Messenger Plus should have been uninstalled via Add/Remove programs. Deleting the lines observed in HJT is not as clean as uninstalling. If you had uninstalled and the lines were still present then I would use HJT or regedit to manually cleanup. This same logic should be used for all programs. Always check Add/Remove programs first. We do know (from experience) that some malware never appears in Add/Remove programs so in those cases we may simply not bother wasting time looking for them.
     
    Last edited: Mar 31, 2005
  19. PhilliePhan

    PhilliePhan Guest

    All apologies, my friend. Must've slipped my mind :(

    PP
     
  20. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Apologies not necessary (but accepted). I was not yelling! It's just an FYI for everyone. We all forget to do that sometimes. In some cases the problem is that we have no idea what they may have called it in Add/Remove programs. They do get rather sneaky.
     
