So I realized I had a cocktail of viruses and downloaded Malwarebytes, NOD32, and Comodo as a firewall. I took out most of the malware with Malwarebytes (I need to rescan with MBAM, but NOD32 did a full scan and found nothing). The viruses I had seem to be gone. They were preventing me from visiting sites for anti-malware software, redirecting Google links to "bestwebsearch", advertising anti-spyware all over, and even blocking MBAM from starting up (I had to rename it).

Here's the problem now: something seems to be randomly hijacking certain processes and crashing my computer by saturating the memory usage. The processes affected so far were dllhost.exe (COM Surrogate), rundll32.exe, QLB controller, ieuser.exe, iexplorer.exe, and even the apps that run Comodo and NOD32 (both cases happened once and surprised me). I understand how that could happen to the DLL hosts, which are just surrogate hosts for a lot of other crap, but I don't understand how it took down the bigger apps. What keeps happening is if I don't monitor Task Manager, my computer will overload and crash (dllhost.exe was using 1.5GB of memory at one point when my computer froze). The freezing only happened once; I've had about 20 page fault BSoDs today and another 10 random ones that were caused by something unknown (system file failures or something--not memory related). Even when I'm in safe mode all this still happens.

Other symptoms are a popup on some websites (including this one) which appears to be Windows Admin permissions asking whether to allow or disallow a "windows protection tool" or something or other for the website (this may be legit since I disable Windows Firewall and Defender). I downloaded Hijack This from cnet, and when I pressed "run" to install it, my computer BSoD'd and crashed immediately. That happened twice, once in safe mode.
When I start up and open TM really quickly, I see a Logitech Quickcam helper process (lvprcsrv.exe) open about 15 times (they all go away eventually) and rundll32 is open 3 times (this is before the desktop loads), and usually one instance starts exponentially increasing mem usage as stated above. Even when I have no significant programs open, I sometimes randomly spike around 50% aggregate CPU usage. With just Firefox and background software running I get to around 70-80%. Physical Memory is at 40% at minimum. This never used to happen; I could run After Effects and Sony Vegas at the same time! What is causing this and how do I make it stop???

Specs:
HP Pavilion dv6000 Notebook
Windows Vista Home Premium x32
Centrino Duo Core 2.0GHz, 2GB RAM
Here are the 4 MBAM scans I ran. It seems like I couldn't get rid of everything. Perhaps something leftover is causing the problem?
Here's the Windows Admin Permission thing I was talking about; it pops up on random websites. What's the story on this?