Jump to content


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.

Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.


Infected with sqh I guess

  • Please log in to reply
5 replies to this topic

#1 Shadowhunter


  • Members
  • 3 posts
  • Local time:02:19 PM

Posted 17 December 2010 - 07:34 PM

I was browsing the web the other day and noticed that my computer kept getting slower and slower :blink: , taking longer than usual to load Msn or firefox :blink: all of a sudden my process tab on task manager is full of sqh.exe processes :blink:...Ive never heard of that so ive no idea how to fix it...I'd be really thankful if someone could help me here :thumbsup:

Pd: sorry about my grammar :oopsign:

DDS (Ver_10-12-12.02) - FAT32x86
Run by PC at 18:55:11.99 on 17/12/2010
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_22
Microsoft Windows XP Professional 5.1.2600.3.1252.34.3082.18.1012.158 [GMT -5:00]

AV: ESET NOD32 Antivirus 4.0 *Enabled/Updated* {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
C:\Archivos de programa\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\Archivos de programa\Java\jre6\bin\jqs.exe
C:\Archivos de programa\Archivos comunes\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Archivos de programa\Autodesk\3ds Max 2010\mentalray\satellite\raysat_3dsmax2010_32server.exe
C:\Archivos de programa\CyberLink\Shared files\RichVideo.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Archivos de programa\Archivos comunes\InstallShield\UpdateService\isuspm.exe
C:\Archivos de programa\CyberLink\PowerDVD\PDVDServ.exe
C:\Archivos de programa\Archivos comunes\Real\Update_OB\realsched.exe
C:\Archivos de programa\Archivos comunes\Nokia\MPlatform\NokiaMServer.exe
C:\Archivos de programa\Archivos comunes\Java\Java Update\jusched.exe
C:\Archivos de programa\ESET\ESET NOD32 Antivirus\egui.exe
D:\mIgUeL\Programas\Nokia\Nokia PC Suite 7\PCSuite.exe
C:\Archivos de programa\PC Connectivity Solution\ServiceLayer.exe
C:\Archivos de programa\PC Connectivity Solution\Transports\NclUSBSrv.exe
C:\Archivos de programa\PC Connectivity Solution\Transports\NclRSSrv.exe
C:\Documents and Settings\PC\xwqug.exe
C:\Archivos de programa\Mozilla Firefox\firefox1.exe
C:\Archivos de programa\Windows Media Player\wmplayer.exe
C:\Documents and Settings\PC\Escritorio\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com.pe/
uSearch Page = hxxp://search.localstrike.com.ar/
mDefault_Page_URL = hxxp://search.localstrike.com.ar/
mDefault_Search_URL = hxxp://search.localstrike.com.ar/
mSearch Page = hxxp://search.localstrike.com.ar/
mStart Page = hxxp://search.localstrike.com.ar/
mWindow Title =
mWinlogon: SFCDisable=-99 (0xffffff9d)
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\archivos de programa\archivos comunes\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\archivos de programa\real\realplayer\rpbrowserrecordplugin.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\archivos de programa\archivos comunes\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\archivos de programa\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\archivos de programa\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: Kwyshell MidpX: {ebe9e2b5-b526-48bc-ad46-687263edcb0e} - d:\miguel\programas\nokia\midpx\jadinvoker\MidpInvoker.dll
TB: Kwyshell MidpX: {ebe9e2b5-b526-48bc-ad46-687263edcb0e} - d:\miguel\programas\nokia\midpx\jadinvoker\MidpInvoker.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [<NO NAME>]
uRun: [PC Suite Tray] "d:\miguel\programas\nokia\nokia pc suite 7\PCSuite.exe" -onlytray
uRun: [JP595IR86O] c:\docume~1\pc\config~1\temp\Sqh.exe
uRun: [haoay] c:\documents and settings\pc\haoay.exe /o
uRun: [buoufo] c:\documents and settings\pc\buoufo.exe /B
uRun: [wiiafid] c:\documents and settings\pc\wiiafid.exe /R
uRun: [qeaemaz] c:\documents and settings\pc\qeaemaz.exe /f
uRun: [xwqug] c:\documents and settings\pc\xwqug.exe /K
mRun: [ISUSPM Startup] "c:\archivos de programa\archivos comunes\installshield\updateservice\isuspm.exe" -startup
mRun: [ISUSScheduler] "c:\archivos de programa\archivos comunes\installshield\updateservice\issch.exe" -start
mRun: [ISUSPM] "c:\archivos de programa\archivos comunes\installshield\updateservice\isuspm.exe" -scheduler
mRun: [snpstd3] c:\windows\vsnpstd3.exe
mRun: [RemoteControl] "c:\archivos de programa\cyberlink\powerdvd\PDVDServ.exe"
mRun: [Persistence] c:\windows\system32\igfxpers.exe
mRun: [LanguageShortcut] "c:\archivos de programa\cyberlink\powerdvd\language\Language.exe"
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [VirtualCloneDrive] "d:\miguel\programas\virtualclonedrive\VCDDaemon.exe" /s
mRun: [QuickTime Task] "c:\archivos de programa\quicktime\QTTask.exe" -atboottime
mRun: [TkBellExe] "c:\archivos de programa\archivos comunes\real\update_ob\realsched.exe" -osboot
mRun: [NokiaMServer] c:\archivos de programa\archivos comunes\nokia\mplatform\NokiaMServer /watchfiles startup
mRun: [SunJavaUpdateSched] "c:\archivos de programa\archivos comunes\java\java update\jusched.exe"
mRun: [egui] "c:\archivos de programa\eset\eset nod32 antivirus\egui.exe" /hide /waitservice
mRun: [Adobe Reader Speed Launcher] "c:\archivos de programa\adobe\reader 10.0\reader\Reader_sl.exe"
mRun: [Adobe ARM] "c:\archivos de programa\archivos comunes\adobe\arm\1.0\AdobeARM.exe"
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
mPolicies-system: EnableLUA = 0 (0x0)
IE: E&xportar a Microsoft Excel - c:\archiv~1\micros~2\office11\EXCEL.EXE/3000
IE: Link to &MidpX - d:\miguel\programas\nokia\midpx\jadinvoker\extent\jad_wrap.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\archivos de programa\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\archiv~1\micros~2\office11\REFIEBAR.DLL
Trusted Zone: sd61.bc.ca\fslactivities
DPF: {140E4DF8-9E14-4A34-9577-C77561ED7883} - hxxp://content.systemrequirementslab.com.s3.amazonaws.com/global/bin/srldetect_cyri_4.1.71.0.cab
DPF: {474F00F5-3853-492C-AC3A-476512BBC336} - hxxp://picasaweb.google.com/s/v/e/37.09/HboD-mApHAo/uploader2.cab
DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} - hxxp://gfx1.hotmail.com/mail/w3/pr01/resources/MSNPUpld.cab
DPF: {50983909-93ED-461B-B7F3-E58358FDCA99} - hxxp://crazycombi.kaybo.com/activex/FHLActiveX.cab
DPF: {5727FF4C-EF4E-4d96-A96C-03AD91910448} - hxxp://www.srtest.com/srl_bin/sysreqlab_ind.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1237397584078
DPF: {7EED9A13-A696-46E3-8888-09CDE606B3D1} - hxxp://a69.g.akamai.net/n/69/10688/v1/img5.allocine.fr/acmedia/skin/allocinev5/plugins/videoDL.cab
DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} - hxxp://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
DPF: {CF84DAC5-A4F5-419E-A0BA-C01FFD71112F} - hxxp://content.systemrequirementslab.com.s3.amazonaws.com/global/bin/srldetect_intel_4.3.1.0.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxps://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
DPF: {E6F480FC-BD44-4CBA-B74A-89AF7842937D} - hxxp://content.systemrequirementslab.com.s3.amazonaws.com/global/bin/srldetect_cyri_4.3.1.0.cab
Notify: !SASWinLogon - c:\archivos de programa\superantispyware\SASWINLO.DLL
Notify: igfxcui - igfxdev.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\archivos de programa\superantispyware\SASSEH.DLL
IFEO: Arex.exe - "d:\miguel\programas\locker\AppLocker.exe" /locked:Ares
IFEO: Ares.exe - "d:\miguel\programas\locker\AppLocker.exe" /locked:Ares
Hosts: www.avg.com
Hosts: www.pandasecurity.com
Hosts: www.spywareinfo.com
Hosts: 12.es
Hosts: wwwp4.pichincha.com

Note: multiple HOSTS entries found. Please refer to Attach.txt

============= SERVICES / DRIVERS ===============

R1 ehdrv;ehdrv;c:\windows\system32\drivers\ehdrv.sys [2009-2-6 106208]
R1 epfwtdir;epfwtdir;c:\windows\system32\drivers\epfwtdir.sys [2009-2-6 93336]
R1 SASDIFSV;SASDIFSV;c:\archivos de programa\superantispyware\sasdifsv.sys [2009-3-23 9968]
R1 SASKUTIL;SASKUTIL;c:\archivos de programa\superantispyware\SASKUTIL.SYS [2009-3-23 74480]
R2 ekrn;ESET Service;c:\archivos de programa\eset\eset nod32 antivirus\ekrn.exe [2009-2-6 727720]
R2 mi-raysat_3dsmax2010_32;mental ray 3.7 Satellite for Autodesk 3ds Max 2010 32-bit 32-bit;c:\archivos de programa\autodesk\3ds max 2010\mentalray\satellite\raysat_3dsmax2010_32server.exe [2009-3-12 86016]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe [2010-3-18 130384]
S2 Service Controler;Service Controler; [x]
S2 SSHNAS;SSHNAS;c:\windows\system32\svchost.exe -k netsvcs [2004-8-19 14336]
S2 TBFTPSyncService;TurboFTP Sync Service;c:\archivos de programa\turboftp\tftpsvc.exe [2008-9-15 1052672]
S3 Ambfilt;Ambfilt;c:\windows\system32\drivers\Ambfilt.sys [2010-2-22 1684736]
S3 ggflt;SEMC USB Flash Driver Filter;c:\windows\system32\drivers\ggflt.sys [2009-1-15 10976]
S3 nmwcdnsu;Nokia USB Flashing Phone Parent;c:\windows\system32\drivers\nmwcdnsu.sys [2010-8-28 137344]
S3 nmwcdnsuc;Nokia USB Flashing Generic;c:\windows\system32\drivers\nmwcdnsuc.sys [2010-8-28 8320]
S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2005-8-2 32512]
S3 npggsvc;nProtect GameGuard Service;c:\windows\system32\gamemon.des -service --> c:\windows\system32\GameMon.des -service [?]
S3 PAC207;i-Look 110;c:\windows\system32\drivers\PFC027.SYS [2008-11-2 507264]
S3 SASENUM;SASENUM;c:\archivos de programa\superantispyware\SASENUM.SYS [2009-3-23 7408]
S3 SoRa1;SoRa1;\??\d:\miguel\programas\sora engine\sora23.sys --> d:\miguel\programas\sora engine\SoRa23.sys [?]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache;c:\windows\microsoft.net\framework\v4.0.30319\wpf\WPFFontCache_v0400.exe [2010-3-18 753504]
S3 XDva221;XDva221;\??\c:\windows\system32\xdva221.sys --> c:\windows\system32\XDva221.sys [?]
S3 XDva286;XDva286;\??\c:\windows\system32\xdva286.sys --> c:\windows\system32\XDva286.sys [?]
S3 XDva294;XDva294;\??\c:\windows\system32\xdva294.sys --> c:\windows\system32\XDva294.sys [?]
S3 XDva297;XDva297;\??\c:\windows\system32\xdva297.sys --> c:\windows\system32\XDva297.sys [?]
S3 XDva306;XDva306;\??\c:\windows\system32\xdva306.sys --> c:\windows\system32\XDva306.sys [?]
S3 XDva309;XDva309;\??\c:\windows\system32\xdva309.sys --> c:\windows\system32\XDva309.sys [?]
S3 XDva336;XDva336;\??\c:\windows\system32\xdva336.sys --> c:\windows\system32\XDva336.sys [?]
S3 XDva344;XDva344;\??\c:\windows\system32\xdva344.sys --> c:\windows\system32\XDva344.sys [?]

=============== Created Last 30 ================

2010-12-17 23:24:29 -------- d-----w- c:\windows\system32\drivers\nss\0207030.022
2010-12-17 23:24:29 -------- d-----w- c:\windows\system32\drivers\NSS
2010-12-17 23:24:28 -------- d-----w- c:\archivos de programa\Norton Security Scan
2010-12-17 23:24:26 -------- d-----w- c:\archivos de programa\NortonInstaller
2010-12-17 23:20:39 223232 ----a-w- c:\windows\Srinib.exe
2010-12-17 23:20:24 310784 ----a-w- c:\windows\system32\sshnas21.dll
2010-12-17 23:20:10 61440 --sh--r- c:\documents and settings\pc\xwqug.exe
2010-12-16 21:01:29 225331 ----a-w- c:\documents and settings\pc\nuireg.exe
2010-12-16 20:57:38 -------- d-sh--w- C:\FOUND.000
2010-12-15 22:20:53 263034 ----a-w- c:\documents and settings\pc\kikan.exe
2010-12-15 22:15:08 263034 ----a-w- c:\documents and settings\pc\ziedet.exe
2010-12-15 21:37:57 263034 ----a-w- c:\documents and settings\pc\taajon.exe
2010-12-15 20:51:08 378880 ----a-w- c:\windows\Srinia.exe
2010-11-22 06:58:01 -------- d-----w- c:\docume~1\pc\config~1\datosd~1\Unity

==================== Find3M ====================

2008-04-14 02:18:28 1384479 --sh--r- c:\windows\system32\msvbvm60.dll

============= FINISH: 18:56:34.71 ===============

Attached Files

BC AdBot (Login to Remove)


#2 shelf life

shelf life

  • Malware Response Team
  • 2,688 posts
  • Gender:Male
  • Location:@localhost
  • Local time:02:19 PM

Posted 27 December 2010 - 05:46 PM

hi Shadowhunter,

Sorry for the delay. Your post is several days old. If you still need help post back.

How Can I Reduce My Risk to Malware?

#3 Shadowhunter

  • Topic Starter

  • Members
  • 3 posts
  • Local time:02:19 PM

Posted 09 January 2011 - 02:35 PM

Yes please =)

#4 shelf life

shelf life

  • Malware Response Team
  • 2,688 posts
  • Gender:Male
  • Location:@localhost
  • Local time:02:19 PM

Posted 09 January 2011 - 07:22 PM

Wow, its been awhile. We will start with malwarebytes and go from there:

Please download the free version of Malwarebytes to your desktop.

Double-click mbam-setup.exe and follow the prompts to install the program.

Be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.

If an update is found, it will download and install the latest version.

Once the program has loaded, select Perform FULL SCAN, then click Scan.
When the scan is complete, click OK, then Show Results to view the results.

Be sure that everything is checked, and click *Remove Selected.*

*A restart of your computer may be required to remove some items. If prompted please restart your computer to complete the fix.*

When completed, a log will open in Notepad. Please save it to a convenient location. The log can also be opened by going to Start > All Programs > Malwarebytes' Anti-Malware > Logs > log-date.txt
Post the log in your reply.

How Can I Reduce My Risk to Malware?

#5 Shadowhunter

  • Topic Starter

  • Members
  • 3 posts
  • Local time:02:19 PM

Posted 10 January 2011 - 05:03 AM

Malwarebytes' Anti-Malware

Database version: 5494

Windows 5.1.2600 Service Pack 3
Internet Explorer 7.0.5730.13

10/01/2011 05:03:09 AM
mbam-log-2011-01-10 (05-03-09).txt

Scan type: Full scan (A:\|C:\|D:\|E:\|F:\|)
Objects scanned: 330876
Time elapsed: 31 minute(s), 20 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

#6 shelf life

shelf life

  • Malware Response Team
  • 2,688 posts
  • Gender:Male
  • Location:@localhost
  • Local time:02:19 PM

Posted 10 January 2011 - 07:13 PM

Nothing there. We will get another download to use. Its called combofix. there is a guide to read first. Read through the guide and apply the directions on your own machine: Post the combofix log in your reply.
Guide to using Combofix

How Can I Reduce My Risk to Malware?

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users