
PC is slow, I am afraid I am infected


  • This topic is locked
12 replies to this topic

#1 NuStyle

  • Members
  • 7 posts
  • Gender:Male
  • Location:The Netherlands

Posted 21 March 2012 - 07:02 AM

Hello,

For a couple of weeks my PC has been getting really slow; sometimes I even have to do a hard reset because the system doesn't respond.
Also, sometimes a process called "Setup.exe" pops up, eating a lot of RAM and freezing my PC. I did several scans (I have Avast Free, scanned with Malwarebytes Anti-Malware and Spybot Search & Destroy, and did some online scans), but all scans show no infection. Still, I don't trust my PC at the moment; could you please take a look at my HJT log?

With regards and thanks in advance!

HJT Log:
Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 13:00:14, on 21-3-2012
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Alwil Software\Avast5\avastUI.exe
C:\WINDOWS\vsnpstd3.exe
C:\WINDOWS\system32\RunDLL32.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Update\1.3.21.99\GoogleCrashHandler.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe
C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome SxS\Application\chrome.exe
C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome SxS\Application\chrome.exe
C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome SxS\Application\chrome.exe
C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome SxS\Application\chrome.exe
C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome SxS\Application\chrome.exe
C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome SxS\Application\chrome.exe
C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome SxS\Application\chrome.exe
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome SxS\Application\chrome.exe
C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome SxS\Application\chrome.exe
C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome SxS\Application\chrome.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\Trend Micro\HiJackThis\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.nl/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.poony.info/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.google.nl/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http://79.143.176.188:3128
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: avast! WebRep - {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Program Files\Alwil Software\Avast5\aswWebRepIE.dll
O2 - BHO: Windows Live Aanmelden - Help - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: avast! WebRep - {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Program Files\Alwil Software\Avast5\aswWebRepIE.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [avast5] "C:\Program Files\Alwil Software\Avast5\avastUI.exe" /nogui
O4 - HKLM\..\Run: [AdobeCS4ServiceManager] "C:\Program Files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" -launchedbylogin
O4 - HKLM\..\Run: [snpstd3] C:\WINDOWS\vsnpstd3.exe
O4 - HKLM\..\Run: [tsnpstd3] C:\WINDOWS\tsnpstd3.exe
O4 - HKLM\..\Run: [Malwarebytes' Anti-Malware] "C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit -login
O4 - HKLM\..\Run: [nwiz] C:\Program Files\NVIDIA Corporation\nview\nwiz.exe /installquiet
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [APSDaemon] "C:\Program Files\Common Files\Apple\Apple Application Support\APSDaemon.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Netwerkservice')
O4 - HKUS\S-1-5-20\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'Netwerkservice')
O4 - HKUS\S-1-5-21-1547161642-1383384898-1606980848-1004\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'UpdatusUser')
O4 - HKUS\S-1-5-21-1547161642-1383384898-1606980848-1004\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'UpdatusUser')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N (User 'Default user')
O4 - Startup: YoWindow.lnk = C:\Program Files\YoWindow\yowindow.exe
O4 - Global Startup: Bluetooth Manager.lnk = ?
O8 - Extra context menu item: Download met MiPony - file://C:\Program Files\MiPony\Browser\IEContext.htm
O8 - Extra context menu item: E&xporteren naar Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O15 - Trusted Zone: http://software.kuaiche.com
O16 - DPF: {1E54D648-B804-468d-BC78-4AFFED8E262F} (System Requirements Lab) - http://www.nvidia.com/content/DriverDownload/srl/3.0.0.4/srl_bin/sysreqlab_nvd.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scanner/sources/en/scan8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1253201572093
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1253201564390
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - http://download.eset.com/special/eos/OnlineScanner.cab
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{4A33FD70-D71D-4F73-9B55-7F18BBE6D64F}: NameServer = 192.168.1.1
O17 - HKLM\System\CCS\Services\Tcpip\..\{BEDA58FE-564D-42F4-A220-906B9FF14266}: NameServer = 192.168.1.1
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O22 - SharedTaskScheduler: Preloader van browseui - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Cache-daemon voor onderdeelcategorieën - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: avast! Antivirus - AVAST Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
O23 - Service: FLEXnet Licensing Service - Acresso Software Inc. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Updateservice (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Update-service (gupdatem) (gupdatem) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: MBAMService - Malwarebytes Corporation - C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
O23 - Service: MySQL - Unknown owner - C:\Program.exe (file missing)
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: NVIDIA Update Service Daemon (nvUpdatusService) - NVIDIA Corporation - C:\Program Files\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe
O23 - Service: TOSHIBA Bluetooth Service - TOSHIBA CORPORATION - C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe

--
End of file - 10726 bytes
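A few entries in this log are the ones a reviewer would check first: the HKCU ProxyServer set to http://79.143.176.188:3128 (a public address, so unless the user configured it deliberately, all of Internet Explorer's traffic is being routed through a third party), the machine-wide (HKLM) start page set to http://www.poony.info/ while the user's own is google.nl, the Trusted Zone entry for software.kuaiche.com (which lowers IE's security settings for that site), and the MySQL service reported as "C:\Program.exe (file missing)", which is how HijackThis renders an unquoted ImagePath such as C:\Program Files\... (confirm the real path with `sc qc MySQL`). The script below is an added example, not part of HijackThis or of the forum's procedure: it re-reads the log lines quoted from this post and tags those entries. The tag names and the "public IP" and "not microsoft.com" heuristics are my own choices, not anything the log or the thread defines.

```python
import ipaddress
import re
from typing import List, Tuple

# Lines copied from the HijackThis log in the post above. The scanner is an
# added example, not part of HijackThis or of BleepingComputer's procedure.
HJT_SAMPLE = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.nl/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.poony.info/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http://79.143.176.188:3128
O15 - Trusted Zone: http://software.kuaiche.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{4A33FD70-D71D-4F73-9B55-7F18BBE6D64F}: NameServer = 192.168.1.1
O23 - Service: avast! Antivirus - AVAST Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
O23 - Service: MySQL - Unknown owner - C:\Program.exe (file missing)
"""


def host_of(target: str) -> str:
    """Reduce 'http://79.143.176.188:3128/x' to '79.143.176.188' (IPv4 / hostnames only)."""
    target = re.sub(r"^[a-z]+://", "", target, flags=re.IGNORECASE)
    target = target.split("/", 1)[0]
    return target.rsplit(":", 1)[0] if ":" in target else target


def is_public_ip(host: str) -> bool:
    """True only for a literal IP outside private, loopback and link-local ranges.
    Hostnames return False: this check is about hard-coded addresses."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return False
    return not (ip.is_private or ip.is_loopback or ip.is_link_local)


def triage_hjt(log: str) -> List[Tuple[str, str]]:
    """Return (tag, line) pairs for entries a reviewer should look at first."""
    findings = []
    for raw in log.splitlines():
        line = raw.strip()
        if not line:
            continue
        kind = line.split(" ", 1)[0]          # R0, R1, O15, O17, O23, ...

        if kind == "R1" and "ProxyServer = " in line:
            # A system proxy on a non-LAN address routes all IE traffic through
            # someone else's box; flag it unless the user set it on purpose.
            if is_public_ip(host_of(line.split("ProxyServer = ", 1)[1])):
                findings.append(("proxy-to-public-ip", line))

        elif kind == "R0" and "HKLM\\" in line and "Start Page = " in line:
            # Machine-wide (HKLM) start page that is not Microsoft's default.
            if not host_of(line.split("Start Page = ", 1)[1]).endswith("microsoft.com"):
                findings.append(("machine-start-page-changed", line))

        elif kind == "O15":
            # Every Trusted Zone addition lowers IE's security for that site.
            findings.append(("trusted-zone-entry", line))

        elif kind == "O17" and "NameServer = " in line:
            # DNS servers outside the LAN deserve a look on a home machine.
            servers = line.split("NameServer = ", 1)[1].split(",")
            if any(is_public_ip(s.strip()) for s in servers):
                findings.append(("dns-not-on-lan", line))

        elif kind == "O23" and line.endswith("(file missing)"):
            tag = "service-file-missing"
            # HijackThis cuts an unquoted ImagePath at its first space, so
            # "C:\Program Files\..." is reported as "C:\Program.exe"; confirm
            # the real path with: sc qc <service name>
            if re.search(r"\\Program\.exe \(file missing\)$", line, re.IGNORECASE):
                tag = "service-unquoted-path"
            findings.append((tag, line))
    return findings


if __name__ == "__main__":
    for tag, line in triage_hjt(HJT_SAMPLE):
        print(f"{tag:28} {line}")
```

The NameServer entries (192.168.1.1, the router) produce no finding, which is the expected negative; the four tags that do come out are exactly the entries listed in the lead-in. None of this proves an infection on its own, but each flagged line needs an explanation before the log can be called clean.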


#2 NuStyle
  • Topic Starter
  • Members
  • 7 posts
  • Gender:Male
  • Location:The Netherlands

Posted 21 March 2012 - 07:55 AM

I removed SB S&D from my system and reinstalled it, and it finally found & removed some stuff (I guess my PC is indeed infected with something):

- Microsoft.WindowsSecurityCenter_disabled
- Microsoft.WindowsSecurityCenter.AntiVirusOverride
- Microsoft.WindowsSecurityCenter.FirewallOverride
- PBHotbar.ShoppingReport
- Zango
- DoubleClick

#3 NuStyle
  • Topic Starter
  • Members
  • 7 posts
  • Gender:Male
  • Location:The Netherlands

Posted 23 March 2012 - 11:59 AM

Sorry, I really don't want to bump my topic but it's getting worse since today.

My PC freezes a lot (about once every 15 minutes); the only thing I can do about it is a hard reset. Also, my hard drive has started making funny noises since today (it's buzzing as if it's too busy writing files).
Also, I found a special hidden account yesterday somewhere inside my XP with all rights granted... but I can't seem to find it again today. (I thought I found the account when I was looking for Shared Folders, but I really can't find that special user account again.)

I am really concerned. Plus, over the last few days I've been reading a lot over here and noticed HJT isn't accurate anymore, so I will post a DDS scan here.

After my scan with Spybot 2 days ago, Setup.exe hasn't returned in my taskbar, but my CPU is still at 100% a lot of the time, programs don't respond, the mouse pointer is terribly slow, and the screen flashes sometimes.

Again, I really don't want to bump; I just want to give more accurate details and the right logs.

DDS Log:

.
DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_31
Run by Administrator at 17:52:52 on 2012-03-23
Microsoft Windows XP Professional 5.1.2600.3.1252.31.1043.18.2047.1513 [GMT 1:00]
.
AV: avast! Antivirus *Enabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
.
============== Running Processes ===============
.
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Alwil Software\Avast5\avastUI.exe
C:\WINDOWS\vsnpstd3.exe
C:\WINDOWS\system32\RunDLL32.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Update\1.3.21.111\GoogleCrashHandler.exe
svchost.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe
C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome SxS\Application\chrome.exe
C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome SxS\Application\chrome.exe
C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome SxS\Application\chrome.exe
C:\Documents and Settings\Administrator\Local Settings\Application Data\Google\Chrome SxS\Application\chrome.exe
C:\WINDOWS\system32\NOTEPAD.EXE
.
============== Pseudo HJT Report ===============
.
uStart Page = hxxp://www.google.nl/
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
mStart Page = hxxp://www.poony.info/
uInternet Connection Wizard,ShellNext = hxxp://www.google.nl/
uInternet Settings,ProxyServer = hxxp://79.143.176.188:3128
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
mSearchAssistant = hxxp://www.google.com/ie
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Java™ Plug-In SSV Helper: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre6\bin\ssv.dll
BHO: avast! WebRep: {8e5e2654-ad2d-48bf-ac2d-d17f00898d06} - c:\program files\alwil software\avast5\aswWebRepIE.dll
BHO: Windows Live Aanmelden - Help: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: avast! WebRep: {8e5e2654-ad2d-48bf-ac2d-d17f00898d06} - c:\program files\alwil software\avast5\aswWebRepIE.dll
TB: {D4027C7F-154A-4066-A1AD-4243D8127440} - No File
uRun: [CTFMON.EXE] c:\windows\system32\ctfmon.exe
uRun: [Google Update] "c:\documents and settings\administrator\local settings\application data\google\update\GoogleUpdate.exe" /c
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
mRun: [IMJPMIG8.1] "c:\windows\ime\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
mRun: [MSPY2002] c:\windows\system32\ime\pintlgnt\ImScInst.exe /SYNC
mRun: [PHIME2002ASync] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /SYNC
mRun: [PHIME2002A] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /IMEName
mRun: [avast5] "c:\program files\alwil software\avast5\avastUI.exe" /nogui
mRun: [AdobeCS4ServiceManager] "c:\program files\common files\adobe\cs4servicemanager\CS4ServiceManager.exe" -launchedbylogin
mRun: [snpstd3] c:\windows\vsnpstd3.exe
mRun: [tsnpstd3] c:\windows\tsnpstd3.exe
mRun: [Malwarebytes' Anti-Malware] "c:\program files\malwarebytes' anti-malware\mbamgui.exe" /starttray
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit -login
mRun: [nwiz] c:\program files\nvidia corporation\nview\nwiz.exe /installquiet
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [APSDaemon] "c:\program files\common files\apple\apple application support\APSDaemon.exe"
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
dRunOnce: [nltide_3] rundll32 advpack.dll,LaunchINFSectionEx nLite.inf,C,,4,N
dRunOnce: [ShowDeskFix] regsvr32 /s /n /i:u shell32
StartupFolder: c:\docume~1\admini~1\menust~1\progra~1\opstar~1\yowindow.lnk - c:\program files\yowindow\yowindow.exe
StartupFolder: c:\docume~1\alluse~1\menust~1\progra~1\opstar~1\blueto~1.lnk - c:\program files\toshiba\bluetooth toshiba stack\TosBtMng.exe
dPolicies-explorer: ForceClassicControlPanel = 1 (0x1)
IE: Download met MiPony - file://c:\program files\mipony\browser\IEContext.htm
IE: E&xporteren naar Microsoft Excel - c:\progra~1\micros~3\office11\EXCEL.EXE/3000
IE: {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
Trusted Zone: kuaiche.com\software
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {1E54D648-B804-468d-BC78-4AFFED8E262F} - hxxp://www.nvidia.com/content/DriverDownload/srl/3.0.0.4/srl_bin/sysreqlab_nvd.cab
DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} - hxxp://download.bitdefender.com/resources/scanner/sources/en/scan8/oscan8.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1253201572093
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1253201564390
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0031-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_31-windows-i586.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
TCP: Interfaces\{4A33FD70-D71D-4F73-9B55-7F18BBE6D64F} : NameServer = 192.168.1.1
TCP: Interfaces\{BEDA58FE-564D-42F4-A220-906B9FF14266} : NameServer = 192.168.1.1
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: igfxcui - igfxsrvc.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\wpdshserviceobj.dll
.
================= FIREFOX ===================
.
FF - ProfilePath - c:\documents and settings\administrator\application data\mozilla\firefox\profiles\1b3rbgty.default\
FF - plugin: c:\documents and settings\administrator\local settings\application data\google\update\1.3.21.111\npGoogleUpdate3.dll
FF - plugin: c:\documents and settings\all users\application data\zylom\zylomgamesplayer\npzylomgamesplayer.dll
FF - plugin: c:\program files\adobe\reader 9.0\reader\air\nppdf32.dll
FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\google\update\1.2.183.29\npGoogleOneClick8.dll
FF - plugin: c:\program files\google\update\1.3.21.57\npGoogleUpdate3.dll
FF - plugin: c:\program files\google\update\1.3.21.65\npGoogleUpdate3.dll
FF - plugin: c:\program files\google\update\1.3.21.69\npGoogleUpdate3.dll
FF - plugin: c:\program files\google\update\1.3.21.79\npGoogleUpdate3.dll
FF - plugin: c:\program files\google\update\1.3.21.99\npGoogleUpdate3.dll
FF - plugin: c:\program files\java\jre6\bin\plugin2\npdeployJava1.dll
FF - plugin: c:\program files\java\jre6\bin\plugin2\npjp2.dll
FF - plugin: c:\program files\microsoft silverlight\4.1.10111.0\npctrlui.dll
FF - plugin: c:\program files\mozilla firefox\plugins\np_gp.dll
.
---- FIREFOX POLICIES ----
FF - user.js: network.http.max-persistent-connections-per-server - 4
FF - user.js: nglayout.initialpaint.delay - 600
FF - user.js: content.notify.interval - 600000
FF - user.js: content.max.tokenizing.time - 1800000
FF - user.js: content.switch.threshold - 600000
.
============= SERVICES / DRIVERS ===============
.
R1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [2011-3-6 612184]
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [2010-11-20 337880]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2010-11-20 20696]
R2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast5\AvastSvc.exe [2010-11-20 44768]
R2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2010-6-17 652360]
R2 nvUpdatusService;NVIDIA Update Service Daemon;c:\program files\nvidia corporation\nvidia updatus\daemonu.exe [2011-5-3 2253120]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2010-6-17 20464]
S2 gupdate;Google Updateservice (gupdate);c:\program files\google\update\GoogleUpdate.exe [2011-4-30 136176]
S3 cpuz130;cpuz130;\??\c:\docume~1\admini~1\locals~1\temp\cpuz130\cpuz_x32.sys --> c:\docume~1\admini~1\locals~1\temp\cpuz130\cpuz_x32.sys [?]
S3 cpuz135;cpuz135;\??\c:\windows\temp\cpuz135\cpuz135_x32.sys --> c:\windows\temp\cpuz135\cpuz135_x32.sys [?]
S3 DrvAgent32;DrvAgent32;c:\windows\system32\drivers\DrvAgent32.sys [2012-3-22 23456]
S3 gupdatem;Google Update-service (gupdatem);c:\program files\google\update\GoogleUpdate.exe [2011-4-30 136176]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2012-3-21 40776]
S3 rt2870;Sweex Wireless USB Adapter Driver;c:\windows\system32\drivers\rt2870.sys [2010-7-10 722432]
S3 samhid;samhid;c:\windows\system32\drivers\samhid.sys [2010-8-14 7290]
.
=============== Created Last 30 ================
.
2012-03-22 16:35:57 23456 ----a-w- c:\windows\system32\drivers\DrvAgent32.sys
2012-03-22 16:35:57 -------- d-----w- c:\documents and settings\administrator\local settings\application data\eSupport.com
2012-03-21 20:10:22 -------- d-----w- c:\documents and settings\all users\application data\SecTaskMan
2012-03-21 20:10:12 -------- d-----w- c:\program files\Security Task Manager
2012-03-21 11:58:37 388096 ----a-r- c:\documents and settings\administrator\application data\microsoft\installer\{45a66726-69bc-466b-a7a4-12fcba4883d7}\HiJackThis.exe
2012-03-21 11:58:34 -------- d-----w- c:\program files\Trend Micro
2012-03-21 11:38:06 -------- d-----w- c:\program files\Spybot - Search & Destroy
2012-03-21 11:38:06 -------- d-----w- c:\documents and settings\all users\application data\Spybot - Search & Destroy
2012-03-21 09:30:55 40776 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2012-03-18 19:39:22 -------- d-----w- c:\documents and settings\administrator\local settings\application data\stellarium
2012-03-18 19:37:57 -------- d-----w- c:\documents and settings\administrator\application data\Stellarium
2012-03-18 19:37:09 -------- d-----w- c:\program files\Stellarium
2012-03-01 17:47:45 -------- d-----w- c:\program files\Wakfu
2012-02-27 19:41:03 -------- d-----w- c:\windows\pss
2012-02-27 12:16:42 -------- d--h--r- c:\documents and settings\administrator\Onlangs geopend
.
==================== Find3M ====================
.
2012-03-16 20:44:09 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-03-07 00:15:19 41184 ----a-w- c:\windows\avastSS.scr
2012-03-07 00:03:51 612184 ----a-w- c:\windows\system32\drivers\aswSnx.sys
2012-02-17 10:44:29 73728 ----a-w- c:\windows\system32\javacpl.cpl
2012-02-17 10:44:29 472808 ----a-w- c:\windows\system32\deployJava1.dll
2012-02-03 09:57:36 1860224 ----a-w- c:\windows\system32\win32k.sys
2012-01-23 15:36:53 285176 ----a-w- c:\windows\system32\nvdrsdb1.bin
2012-01-23 15:36:53 1 ----a-w- c:\windows\system32\nvdrssel.bin
2012-01-23 15:36:49 285176 ----a-w- c:\windows\system32\nvdrsdb0.bin
2012-01-11 19:07:15 3072 ------w- c:\windows\system32\iacenc.dll
2012-01-09 16:20:19 139784 ----a-w- c:\windows\system32\drivers\rdpwd.sys
2011-12-29 12:26:35 98304 ----a-w- c:\windows\DUMP5aa3.tmp
.
============= FINISH: 17:57:28,70 ===============

#4 nasdaq
  • Malware Response Team
  • 38,766 posts
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 24 March 2012 - 09:07 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can, please print this topic; it will make it easier for you to follow the instructions and complete all of the necessary steps.
===

In my search for this service (in bold):
S3 samhid;samhid;c:\windows\system32\drivers\samhid.sys
most users do not need it, and some have had difficulties with it.
Run msconfig and stop the service. Any improvement, or an error message that a program needs it?
===

Please download ComboFix from one of these locations:

Link 1
Link 2

* IMPORTANT !!! Save ComboFix.exe to your Desktop

  • Disable your Anti-Virus and Anti-Spyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.
  • Close any open browsers and all other running programs. Make sure you save your file if you are working on a document.
  • Do not install any other programs until this is fixed.
  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
  • Some rootkit infections may damage your boot sector. The Windows Recovery Console may be needed to restore it. Do not bypass this installation. You may regret it.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.



Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:


Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

Note: If you have difficulty properly disabling your protection programs, refer to this link --> http://www.bleepingcomputer.com/forums/topic114351.html

Do not mouse click ComboFix's window while it's running. That may cause it to stall.
===

Third-party programs, if not up to date, can be the cause of an infection.

Please run this security check for my review.

Download Security Check by screen317 from here.
  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.
===

Note: If after running ComboFix you get this error message "Illegal operation attempted on a registry key that has been marked for deletion." when attempting to run a program all you need to do is restart the computer to reset the registry.

Please post the logs and let me know if the problem persists.
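The SERVICES / DRIVERS section of the DDS log in post #3 encodes each entry's state and start type in its prefix (R = running, S = stopped; 0 boot, 1 system, 2 automatic, 3 manual/on demand, 4 disabled) and prints [?] where it could not read the file's date and size. Two things in that section are worth a practitioner's attention beyond the samhid entry discussed above: the cpuz130 and cpuz135 entries are kernel drivers registered under temp directories with [?] file info (consistent with CPU-Z, which loads its driver from a temporary directory while it runs; the files are gone but the service entries remain), and samhid itself is a stopped, on-demand kernel driver (samhid.sys under system32\drivers). msconfig's Services tab lists Win32 services only, so a .sys driver will not show up there; `sc query samhid` and `sc config samhid start= disabled` are the commands that address it. The script below is an added example, not part of DDS or of the instructions in this thread: it decodes those prefixes for lines copied from the log, flags drivers under temp directories or with unreadable files, and prints where each entry is managed. The tag names and the manage_hint text are my own.

```python
import re
from typing import Dict, List, Optional, Tuple

# Lines copied from the DDS "SERVICES / DRIVERS" section posted above; the
# parser and the checks are an added example, not part of DDS.
DDS_SERVICES = r"""
R1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [2011-3-6 612184]
R2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast5\AvastSvc.exe [2010-11-20 44768]
S3 cpuz130;cpuz130;\??\c:\docume~1\admini~1\locals~1\temp\cpuz130\cpuz_x32.sys --> c:\docume~1\admini~1\locals~1\temp\cpuz130\cpuz_x32.sys [?]
S3 cpuz135;cpuz135;\??\c:\windows\temp\cpuz135\cpuz135_x32.sys --> c:\windows\temp\cpuz135\cpuz135_x32.sys [?]
S3 DrvAgent32;DrvAgent32;c:\windows\system32\drivers\DrvAgent32.sys [2012-3-22 23456]
S3 samhid;samhid;c:\windows\system32\drivers\samhid.sys [2010-8-14 7290]
"""

# DDS prefix: R = running, S = stopped; the digit is the SCM start type.
STATE = {"R": "running", "S": "stopped"}
START_TYPE = {"0": "boot", "1": "system", "2": "automatic",
              "3": "manual (on demand)", "4": "disabled"}

# <state><start> <name>;<display name>;<path> [<date size> | ?]
LINE_RE = re.compile(r"^([RS])([0-4]) ([^;]+);([^;]*);(.*?)(?: \[([^\]]*)\])?$")


def parse_dds_service(line: str) -> Optional[Dict[str, object]]:
    """Decode one DDS service/driver line; None if the line is not one."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    state, start, name, display, path, info = m.groups()
    if " --> " in path:                     # "registry value --> resolved path"
        path = path.split(" --> ", 1)[1]
    path = path.lower()
    return {
        "name": name,
        "display": display,
        "state": STATE[state],
        "start": START_TYPE[start],
        "path": path,
        "file_info": info,                  # "date size", or "?" when DDS could not read the file
        "kernel_driver": path.endswith(".sys"),
    }


def manage_hint(entry: Dict[str, object]) -> str:
    """Where to stop or disable the entry. msconfig's Services tab lists Win32
    services only; kernel drivers (.sys) are handled with sc.exe."""
    name = entry["name"]
    if entry["kernel_driver"]:
        return f"sc query {name}  /  sc config {name} start= disabled"
    return f"services.msc or msconfig > Services ({name})"


def triage_dds_services(block: str) -> List[Tuple[str, str]]:
    """Return (tag, service name) pairs for entries that need a second look."""
    findings = []
    for line in block.splitlines():
        e = parse_dds_service(line)
        if e is None:
            continue
        if e["kernel_driver"] and re.search(r"\\temp\\", e["path"]):
            # A kernel driver loaded from a temp directory: sometimes legitimate
            # (CPU-Z drops its driver there while it runs), always worth a look.
            findings.append(("driver-loaded-from-temp", e["name"]))
        if e["file_info"] == "?":
            findings.append(("file-missing-or-unreadable", e["name"]))
    return findings


if __name__ == "__main__":
    for raw in DDS_SERVICES.splitlines():
        entry = parse_dds_service(raw)
        if entry:
            print(f"{entry['name']:18} {entry['state']:8} {entry['start']:20} {manage_hint(entry)}")
    print(triage_dds_services(DDS_SERVICES))
```

Run against the quoted lines, only the two cpuz entries are flagged (each twice: temp path and unreadable file); samhid, DrvAgent32 and the avast entries decode cleanly. A stale driver entry pointing at a deleted file cannot load, so it is a cleanup item rather than an active threat; a driver that is still present under a temp path would be the one to pull and scan.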

#5 NuStyle
  • Topic Starter
  • Members
  • 7 posts
  • Gender:Male
  • Location:The Netherlands

Posted 24 March 2012 - 10:21 AM

Hello Nasdaq, thanks a lot for taking a look into my logs.
I will follow the steps you laid out.

- First
I couldn't find anything called samhid in my services; I did find "HID Input Service", but I don't know if that is the same one?

- Combofix
ComboFix did install the Recovery Console, and the scan ran without any stalling problems. Here comes the log:


ComboFix 12-03-22.01 - Administrator 24-03-2012 15:53:19.1.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.31.1043.18.2047.1644 [GMT 1:00]
Started from: c:\documents and settings\Administrator\Bureaublad\ComboFix.exe
AV: avast! Antivirus *Disabled/Updated* {7591DB91-41F0-48A3-B128-1A293FD8233D}
.
.
(((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\Administrator\Application Data\app
c:\documents and settings\Administrator\Application Data\app\Jerakine_lang.dat
c:\documents and settings\Administrator\Application Data\app\Jerakine_lang_vesrion.dat
c:\documents and settings\Administrator\DelDD3.tmp
c:\documents and settings\Administrator\Local Settings\Application Data\.#
c:\documents and settings\All Users\Application Data\QuestScan
c:\documents and settings\All Users\Application Data\TEMP
c:\documents and settings\Default User\DelDD3.tmp
c:\documents and settings\UpdatusUser\DelDD3.tmp
c:\windows\system32\config\systemprofile\DelDD3.tmp
.
.
(((((((((((((((((((( Files Created from 2012-02-24 to 2012-03-24 ))))))))))))))))))))))))))))))
.
.
2012-03-22 16:35 . 2012-03-22 16:35 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\eSupport.com
2012-03-22 16:35 . 2012-03-22 16:35 23456 ----a-w- c:\windows\system32\drivers\DrvAgent32.sys
2012-03-21 20:10 . 2012-03-22 16:04 -------- d-----w- c:\documents and settings\All Users\Application Data\SecTaskMan
2012-03-21 20:10 . 2012-03-21 20:10 -------- d-----w- c:\program files\Security Task Manager
2012-03-21 11:58 . 2012-03-21 11:58 388096 ----a-r- c:\documents and settings\Administrator\Application Data\Microsoft\Installer\{45A66726-69BC-466B-A7A4-12FCBA4883D7}\HiJackThis.exe
2012-03-21 11:58 . 2012-03-21 11:58 -------- d-----w- c:\program files\Trend Micro
2012-03-21 11:38 . 2012-03-21 12:52 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2012-03-21 11:38 . 2012-03-21 11:42 -------- d-----w- c:\program files\Spybot - Search & Destroy
2012-03-21 09:30 . 2012-03-21 09:31 40776 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2012-03-18 19:39 . 2012-03-18 19:39 -------- d-----w- c:\documents and settings\Administrator\Local Settings\Application Data\stellarium
2012-03-18 19:37 . 2012-03-18 19:38 -------- d-----w- c:\documents and settings\Administrator\Application Data\Stellarium
2012-03-18 19:37 . 2012-03-18 19:37 -------- d-----w- c:\program files\Stellarium
2012-03-01 17:47 . 2012-03-01 18:00 -------- d-----w- c:\program files\Wakfu
2012-02-27 12:16 . 2012-03-24 14:44 -------- d--h--r- c:\documents and settings\Administrator\Onlangs geopend
.
.
.
((((((((((((((((((((((((((((((((((((((( Find3M Rapport ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-03-16 20:44 . 2011-05-16 09:02 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2012-03-07 00:15 . 2010-11-20 16:43 41184 ----a-w- c:\windows\avastSS.scr
2012-03-07 00:15 . 2010-11-20 16:43 201352 ----a-w- c:\windows\system32\aswBoot.exe
2012-03-07 00:03 . 2011-03-06 12:55 612184 ----a-w- c:\windows\system32\drivers\aswSnx.sys
2012-03-07 00:03 . 2010-11-20 16:44 337880 ----a-w- c:\windows\system32\drivers\aswSP.sys
2012-03-07 00:02 . 2010-11-20 16:44 35672 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2012-03-07 00:01 . 2010-11-20 16:44 53848 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2012-03-07 00:01 . 2010-11-20 16:44 95704 ----a-w- c:\windows\system32\drivers\aswmon2.sys
2012-03-07 00:01 . 2010-11-20 16:44 89048 ----a-w- c:\windows\system32\drivers\aswmon.sys
2012-03-07 00:01 . 2010-11-20 16:44 20696 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2012-03-06 23:58 . 2010-11-20 16:44 24920 ----a-w- c:\windows\system32\drivers\aavmker4.sys
2012-02-17 10:44 . 2012-02-17 10:44 73728 ----a-w- c:\windows\system32\javacpl.cpl
2012-02-17 10:44 . 2010-06-30 08:39 472808 ----a-w- c:\windows\system32\deployJava1.dll
2012-02-03 09:57 . 2008-04-14 20:05 1860224 ----a-w- c:\windows\system32\win32k.sys
2012-01-11 19:07 . 2012-02-15 09:37 3072 ------w- c:\windows\system32\iacenc.dll
2012-01-09 16:20 . 2009-09-17 13:46 139784 ----a-w- c:\windows\system32\drivers\rdpwd.sys
2011-12-29 12:26 . 2009-09-17 15:25 98304 ----a-w- c:\windows\DUMP5aa3.tmp
2011-09-30 23:26 . 2011-03-21 17:29 134104 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Opstartpunten )))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Nota* lege verwijzingen & legitieme standaard verwijzingen worden niet getoond
REGEDIT4
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\00avast]
@="{472083B0-C522-11CF-8763-00608CC02F24}"
[HKEY_CLASSES_ROOT\CLSID\{472083B0-C522-11CF-8763-00608CC02F24}]
2012-03-07 00:15 123536 ----a-w- c:\program files\Alwil Software\Avast5\ashShell.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2005-06-21 155648]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2005-06-21 126976]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2008-04-14 110592]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2008-04-14 208952]
"MSPY2002"="c:\windows\system32\IME\PINTLGNT\ImScInst.exe" [2008-04-14 59392]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2008-04-14 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2008-04-14 455168]
"AdobeCS4ServiceManager"="c:\program files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" [2011-03-06 611712]
"snpstd3"="c:\windows\vsnpstd3.exe" [2007-05-10 835584]
"tsnpstd3"="c:\windows\tsnpstd3.exe" [2009-06-30 339968]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2012-01-13 460872]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2012-01-02 843712]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2011-10-08 16744256]
"NvMediaCenter"="NvMCTray.dll" [2011-10-08 203072]
"nwiz"="c:\program files\NVIDIA Corporation\nview\nwiz.exe" [2011-10-08 1632360]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2011-10-24 421888]
"APSDaemon"="c:\program files\Common Files\Apple\Apple Application Support\APSDaemon.exe" [2011-09-27 59240]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2012-01-18 254696]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"ShowDeskFix"="shell32" [X]
"nltide_3"="advpack.dll" [2009-03-08 128512]
.
c:\documents and settings\All Users\Menu Start\Programma's\Opstarten\
Bluetooth Manager.lnk - c:\program files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe [2007-5-22 2756608]
.
[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"ForceClassicControlPanel"= 1 (0x1)
.
[HKLM\~\startupfolder\C:^Documents and Settings^Administrator^Menu Start^Programma's^Opstarten^YoWindow.lnk]
path=c:\documents and settings\Administrator\Menu Start\Programma's\Opstarten\YoWindow.lnk
backup=c:\windows\pss\YoWindow.lnkStartup
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" -atboottime
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"DisableUnicastResponsesToMulticastBroadcast"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Google\\Google Earth\\plugin\\geplugin.exe"=
"c:\\Program Files\\Phoenix Viewer\\SLVoice.exe"=
"c:\\Program Files\\Java\\jre6\\bin\\java.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Common Files\\Adobe\\CS4ServiceManager\\CS4ServiceManager.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\Program Files\\Mozilla Firefox\\plugin-container.exe"=
"c:\\WINDOWS\\system32\\java.exe"=
"c:\\Program Files\\TeamViewer\\Version6\\TeamViewer.exe"=
"c:\\Program Files\\TeamViewer\\Version6\\TeamViewer_Service.exe"=
"c:\\Program Files\\Firestorm-Release\\SLVoice.exe"=
"c:\\Program Files\\mIRC\\mirc.exe"=
"c:\\Program Files\\NVIDIA Corporation\\NVIDIA Updatus\\daemonu.exe"=
"c:\\Program Files\\Winamp\\winamp.exe"=
"c:\\Program Files\\Common Files\\Apple\\Apple Application Support\\WebKit2WebProcess.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"39765:TCP"= 39765:TCP:FW
"39765:UDP"= 39765:UDP:FW1
"5353:TCP"= 5353:TCP:Adobe CSI CS4
"3306:TCP"= 3306:TCP:MySQL Server
.
R1 aswSnx;aswSnx;c:\windows\system32\drivers\aswSnx.sys [6-3-2011 13:55 612184]
R1 aswSP;aswSP;c:\windows\system32\drivers\aswSP.sys [20-11-2010 17:44 337880]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [20-11-2010 17:44 20696]
R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [17-6-2010 12:25 652360]
R2 nvUpdatusService;NVIDIA Update Service Daemon;c:\program files\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe [3-5-2011 21:29 2253120]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [17-6-2010 12:25 20464]
S2 gupdate;Google Updateservice (gupdate);c:\program files\Google\Update\GoogleUpdate.exe [30-4-2011 18:27 136176]
S3 cpuz130;cpuz130;\??\c:\docume~1\ADMINI~1\LOCALS~1\Temp\cpuz130\cpuz_x32.sys --> c:\docume~1\ADMINI~1\LOCALS~1\Temp\cpuz130\cpuz_x32.sys [?]
S3 cpuz135;cpuz135;\??\c:\windows\TEMP\cpuz135\cpuz135_x32.sys --> c:\windows\TEMP\cpuz135\cpuz135_x32.sys [?]
S3 DrvAgent32;DrvAgent32;c:\windows\system32\drivers\DrvAgent32.sys [22-3-2012 17:35 23456]
S3 gupdatem;Google Update-service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [30-4-2011 18:27 136176]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [21-3-2012 10:30 40776]
S3 samhid;samhid;c:\windows\system32\drivers\samhid.sys [14-8-2010 14:16 7290]
S4 sptd;sptd;c:\windows\system32\drivers\sptd.sys [13-6-2010 18:36 691696]
.
Inhoud van de 'Gedeelde Taken' map
.
2012-03-17 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2011-06-01 16:57]
.
2012-03-24 c:\windows\Tasks\GoogleUpdateTaskMachineCore.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-04-30 17:27]
.
2012-03-24 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2011-04-30 17:27]
.
2012-03-24 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1547161642-1383384898-1606980848-500Core1cc6ef423be5fba.job
- c:\documents and settings\Administrator\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-06-26 09:37]
.
2012-03-24 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1547161642-1383384898-1606980848-500UA.job
- c:\documents and settings\Administrator\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-06-26 09:37]
.
.
------- Bijkomende Scan -------
.
uStart Page = hxxp://www.google.nl/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
mStart Page = hxxp://www.poony.info/
uInternet Connection Wizard,ShellNext = hxxp://www.google.nl/
uInternet Settings,ProxyServer = hxxp://79.143.176.188:3128
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
IE: Download met MiPony - file://c:\program files\MiPony\Browser\IEContext.htm
IE: E&xporteren naar Microsoft Excel - c:\progra~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
Trusted Zone: kuaiche.com\software
TCP: Interfaces\{4A33FD70-D71D-4F73-9B55-7F18BBE6D64F}: NameServer = 192.168.1.1
TCP: Interfaces\{BEDA58FE-564D-42F4-A220-906B9FF14266}: NameServer = 192.168.1.1
FF - ProfilePath - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\1b3rbgty.default\
FF - user.js: network.http.max-persistent-connections-per-server - 4
FF - user.js: nglayout.initialpaint.delay - 600
FF - user.js: content.notify.interval - 600000
FF - user.js: content.max.tokenizing.time - 1800000
FF - user.js: content.switch.threshold - 600000
.
- - - - ORPHANS VERWIJDERD - - - -
.
WebBrowser-{D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)
MSConfigStartUp-PSPVideoConverter_upgrade - c:\program files\E-Zsoft\PSPVideoConverter\PSPVideoConverter.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-03-24 16:01
Windows 5.1.2600 Service Pack 3 NTFS
.
scannen van verborgen processen ...
.
scannen van verborgen autostart items ...
.
scannen van verborgen bestanden ...
.
Scan succesvol afgerond
verborgen bestanden: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MySQL]
"ImagePath"="\"c:\program files\MySQL\MySQL Server 5.5\bin\mysqld\" --defaults-file=\"c:\program files\MySQL\MySQL Server 5.5\my.ini\" MySQL"
.
--------------------- VERGRENDELDE REGISTER SLEUTELS ---------------------
.
[HKEY_USERS\S-1-5-21-1547161642-1383384898-1606980848-500\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (Administrator)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,c7,29,a0,1e,20,47,d9,45,99,62,d5,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,c7,29,a0,1e,20,47,d9,45,99,62,d5,\
.
[HKEY_USERS\S-1-5-21-1547161642-1383384898-1606980848-500\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{93AD7427-E3BB-30BB-00EC-BD2C7BF9111B}*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Installer\UserData\LocalSystem\Components\h–€|˙˙˙˙¤•€|ů•9~*]
"3140110900063D11C8EF10054038389C"="C?\\WINDOWS\\system32\\FM20ENU.DLL"
.
--------------------- DLLs Geladen Onder Lopende Processen ---------------------
.
- - - - - - - > 'winlogon.exe'(1164)
c:\program files\Common Files\Adobe\Adobe Drive CS4\AdobeDriveCS4_NP.dll
.
- - - - - - - > 'lsass.exe'(1268)
c:\program files\Common Files\Adobe\Adobe Drive CS4\AdobeDriveCS4_NP.dll
.
Voltooingstijd: 2012-03-24 16:04:43
ComboFix-quarantined-files.txt 2012-03-24 15:04
.
Pre-Run: 5.251.096.576 bytes beschikbaar
Post-Run: 5.937.238.016 bytes beschikbaar
.
WindowsXP-KB310994-SP2-Pro-BootDisk-NLD.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
.
- - End Of File - - B70AD1C0FBB873AE2297CA340AB88F03


- Security Check
Also ran without any problems. Logfile:


Results of screen317's Security Check version 0.99.32
Windows XP Service Pack 3 x86
Internet Explorer 8
``````````````````````````````
Antivirus/Firewall Check:

avast! Free Antivirus
Antivirus up to date! (On Access scanning disabled!)
```````````````````````````````
Anti-malware/Other Utilities Check:

Spybot - Search & Destroy
CCleaner
Java™ 6 Update 31
Adobe Flash Player 11.1.102.62
Adobe Reader 9 Adobe Reader out of date!
Mozilla Firefox (7.0.1)
````````````````````````````````
Process Check:
objlist.exe by Laurent

Malwarebytes' Anti-Malware mbamservice.exe
Alwil Software Avast5 AvastSvc.exe
Alwil Software Avast5 avastUI.exe
``````````End of Log````````````

#6 nasdaq

nasdaq

  • Malware Response Team
  • 38,766 posts
  • ONLINE
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:08:42 AM

Posted 24 March 2012 - 10:35 AM

I couldn't find anything called Samhid in my services. I did find "HID Input Service", but I don't know if that is the same one?

Not the same.

Read about it:
http://smallvoid.com/article/winnt-services-hidserv.html


Rename the file samhid.sys to samhid.sys.old

Restart the computer normally.

====

Get the latest version of the Adobe Reader.
http://get.adobe.com/reader/
Before your download I suggest you uncheck the box on the top right, "Include in your download"; this is not required. While the installation is in progress you can also deny the installation of any other programs that may be suggested.

When installed remove your old version of the Reader using the Add/Remove Programs applet if present.

Please let me know if the problem persists.

#7 NuStyle

NuStyle
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  • Gender:Male
  • Location:The Netherlands
  • Local time:07:42 AM

Posted 24 March 2012 - 11:00 AM

Found the samhid.sys file in my System32\Drivers folder and renamed the file to: samhid.sys.old

Updated Adobe Reader to version 10.1.0


I haven't heard my hard drive making any funny noises today; also, my system seems to be a lot faster. I can open up 3 tabs now in Chrome without the browser crashing. So... so far everything seems fine! :)

I did read a lot of reports over here the last few days and noticed that I have a Proxy in my HJT Logfile and I have a really bad site in the same HJT log. I haven't touched these 2 because I wanted to wait until someone who knows what he/she is doing could help me.

With regards :)

#8 nasdaq

nasdaq

  • Malware Response Team
  • 38,766 posts
  • ONLINE
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:08:42 AM

Posted 24 March 2012 - 12:38 PM

To remove the proxy with HijackThis.

Close all programs leaving only HijackThis running. Place a check against each of the following, making sure you get them all and not any others by mistake:

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http://79.143.176.188:3128

Click on Fix Checked when finished and exit HijackThis.

Restart the computer normally.
===

p.s.
You can remove any of the R0, R1 items at the same time. Nothing else.
If you have any difficulties let me know.

===

When all is well and you wish to remove this entry completely

S3 samhid;samhid;c:\windows\system32\drivers\samhid.sys

Execute this fix.

Run Notepad and copy the following text into a new file:

sc config samhid start= disabled
sc stop samhid
sc delete samhid


Save the file to the desktop as remove.bat and make sure the "Save as type" field says "All files". Locate remove.bat on the Desktop and double-click on it to run it. A DOS box will open and close, that is normal.
If any errors are encountered, please post.
When done you can delete the remove.bat file.

p.s. On a Vista/Windows7 Operating System run the remove.bat file as Administrator.

Delete the renamed file.
samhid.sys.old

Restart the computer normally.
===

If all is well:

Time for some housekeeping

The following will implement some cleanup procedures as well as reset System Restore points:

Click Start > Run and copy/paste the following bold text into the Run box and click OK:

ComboFix /Uninstall
===

Delete the other tools we used.

Surf Safely, and Think Prevention!
===

#9 NuStyle

NuStyle
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  • Gender:Male
  • Location:The Netherlands
  • Local time:07:42 AM

Posted 24 March 2012 - 01:53 PM

Hi,

I have deleted these 2 lines in HJT; the other ones look like the standard Windows lines, so I kept them there.
Removed:
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.poony.info/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http://79.143.176.188:3128

I also removed the samhid file by making and executing the .bat file and removing it afterwards from the System32\Drivers Folder.

Everything still seems fine so far but I have a couple of questions.

- Since I turned off my AV and turned it back on after ComboFix, it isn't starting up when Windows opens... so I have to start my AV by hand every time I start a fresh Windows session?

- Was the special 'hidden' user account I've found also deleted in the prev. fixes? I still can't find the account back, but I guess I found it when I was checking the rights on Sharing Folders.

- Also, I had a bad site in the logs, "Trusted Zone: kuaiche.com\software"; is this also deleted with the prev. fixes?

- What is the best AV out there at the moment? I have been running Avast! Free for like 3 years now and am still happy about Avast!, but I just want to know if maybe something better is out there.

EDIT:

Just found out my Notepad doesn't remember the Automatische Terugloop / Word Wrap, so I have to change this everytime I open a new Notepad document.

And I got one small other question: I always used the built-in firewall from Windows XP because I just don't know what to do about this security section. Is it safe to continue using the XP Firewall? Or am I better off installing a third-party firewall? Which firewall is the best?

Edited by NuStyle, 24 March 2012 - 03:19 PM.


#10 nasdaq

nasdaq

  • Malware Response Team
  • 38,766 posts
  • ONLINE
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:08:42 AM

Posted 25 March 2012 - 08:37 AM

Since I turned off my AV and turned it back on after ComboFix, it isn't starting up when Windows opens... so I have to start my AV by hand every time I start a fresh Windows session?


If you do not have an option to get the program to start when you boot the system you may have to reinstall the program.
Check the options/settings of the programs.
===

We have no problem in recommending the free AVG. Keep it if you like it.

===

"Trusted Zone: kuaiche.com\software"
Trusted sites are becoming problematic. Any site can be compromised.
By setting it in the Trusted zone, anything you download from that site will be seen as trusted by your virus protection software, even if it contains known malware.
Your call if you want to re-establish it.
===

Just found out my Notepad doesn't remember the Automatische Terugloop / Word Wrap, so I have to change this everytime I open a new Notepad document.

This is a first for me.
It may be some language/preference issues.
Run ComboFix again and see if this is fixed.
==

You may be interested in the NotePad++ free open source program
http://notepad-plus-plus.org/

If you decide to try it and keep it, you can rename NotePad.exe to NotePad.old and rename NotePad++.exe to NotePad.exe.
When you open the Start > Run box and type Notepad, Notepad++ will be activated.
===
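As an added example that is not part of this thread or of any of the tools used in it: a small Python triage script that applies the checks nasdaq walks through in posts #8 and #10 (the proxy entry, the hijacked start page, the Trusted Zone domain, and services pointing at missing or temp-folder files) to the "Bijkomende Scan" and service lines of a ComboFix log. The sample lines are copied from the log posted earlier in this thread; the list of expected home-page hosts is an assumption that a reader would adjust for their own machine.

```python
"""Rule-based triage of ComboFix / HijackThis log lines (added example)."""
import ipaddress
import re
from urllib.parse import urlsplit

# Assumption: the home page the owner actually set (google.nl in this thread).
EXPECTED_HOME_HOSTS = {"www.google.nl", "www.google.com"}

# ComboFix service lines: "S3 name;display;path [date size]" or "... [?]" when
# the file is missing on disk.
SERVICE_RE = re.compile(r"^([RS])(\d) ([^;]+);([^;]*);(.*) \[([^\]]*)\]$")

# Lines copied from the ComboFix log in this thread, plus the benign
# Malwarebytes service as a control.
SAMPLE_LOG = r"""uStart Page = hxxp://www.google.nl/
mStart Page = hxxp://www.poony.info/
uInternet Settings,ProxyServer = hxxp://79.143.176.188:3128
Trusted Zone: kuaiche.com\software
TCP: Interfaces\{4A33FD70-D71D-4F73-9B55-7F18BBE6D64F}: NameServer = 192.168.1.1
S3 cpuz135;cpuz135;\??\c:\windows\TEMP\cpuz135\cpuz135_x32.sys --> c:\windows\TEMP\cpuz135\cpuz135_x32.sys [?]
S3 samhid;samhid;c:\windows\system32\drivers\samhid.sys [14-8-2010 14:16 7290]
R2 MBAMService;MBAMService;c:\program files\Malwarebytes' Anti-Malware\mbamservice.exe [17-6-2010 12:25 652360]
"""


def refang(url: str) -> str:
    """ComboFix writes hxxp:// so log URLs are not clickable; undo that for parsing."""
    return re.sub(r"^hxxp", "http", url.strip(), flags=re.IGNORECASE)


def host_of(url: str) -> str:
    return (urlsplit(refang(url)).hostname or "").lower()


def is_private_ip(text: str) -> bool:
    try:
        return ipaddress.ip_address(text).is_private
    except ValueError:
        return False


def triage_line(line: str):
    """Return (category, detail) when a line matches a rule, else None."""
    line = line.rstrip()
    key, sep, value = line.partition(" = ")
    if sep and key.endswith("ProxyServer"):
        where = "private address" if is_private_ip(host_of(value)) else "public address"
        return ("proxy", f"system proxy set to {value} ({where}); confirm the owner configured it")
    if sep and key.endswith("Start Page"):
        host = host_of(value)
        if host in EXPECTED_HOME_HOSTS:
            return None
        scope = "machine-wide (HKLM)" if key.startswith("m") else "per-user (HKCU)"
        return ("start_page", f"{scope} start page is {host}, not an expected home page")
    if sep and "NameServer" in key:
        return None if is_private_ip(value) else ("dns", f"DNS server {value} is not on the local network")
    if line.startswith("Trusted Zone: "):
        site = line[len("Trusted Zone: "):]
        return ("trusted_zone", f"{site} is in the IE Trusted zone; content from it gets reduced scrutiny")
    m = SERVICE_RE.match(line)
    if m:
        name, path, info = m.group(3), m.group(5), m.group(6)
        reasons = []
        if info == "?":
            reasons.append("binary missing on disk")
        if "\\temp\\" in path.lower():
            reasons.append("loads from a temp directory")
        if reasons:
            return ("service", f"{name}: " + "; ".join(reasons))
    return None


def triage_log(text: str):
    """Run every rule over every line and collect the findings in log order."""
    return [hit for hit in (triage_line(ln) for ln in text.splitlines()) if hit]


if __name__ == "__main__":
    for category, detail in triage_log(SAMPLE_LOG):
        print(f"[{category}] {detail}")
```

Note what the rules do not catch: the samhid driver line passes every pattern check, because it points at a real file in the normal driver directory. Identifying it as unwanted was a judgment call made by the helper in this thread, which is the usual limit of this kind of pattern-matching triage.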

#11 NuStyle

NuStyle
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  • Gender:Male
  • Location:The Netherlands
  • Local time:07:42 AM

Posted 25 March 2012 - 10:55 AM

I will try the stuff you posted :)

But just now the Setup.EXE is again showing up in my processes and again eating a lot of RAM (672.000) and making my PC freeze again :(
The path where the file is located is: C:\Documents & Settings\Administrator\Local Settings\temp\CR_1224.tmp\setup.exe

I tried to scan the file on VirusTotal, outcome: https://www.virustotal.com/file/9259e4f94b14d654f4da5d667e484755ee880abfc3d9b09e0be9113ec995e5e7/analysis/1332690528/

Some Google-fu didn't bring any results on what the file could be. Is it a legit file? Or are there still some bugs hidden in my system?

Edit, another strange folder: C:\Documents and Settings\Administrator\Local Settings\temp\CRX_75DAF8CB7768

Edited by NuStyle, 25 March 2012 - 11:00 AM.


#12 nasdaq

nasdaq

  • Malware Response Team
  • 38,766 posts
  • ONLINE
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:08:42 AM

Posted 25 March 2012 - 12:35 PM

Temporary folders are, and should be, used temporarily.

C:\Documents & Settings\Administrator\Local Settings\temp\CR_1224.tmp\setup.exe
C:\Documents and Settings\Administrator\Local Settings\temp\CRX_75DAF8CB7768


I would delete all the files and folders in that temp folder.
Keep them in your recycle bin just in case some application needs it.

Restart the computer.

If by any chance some other similar files or folders are created let me know.

#13 nasdaq

nasdaq

  • Malware Response Team
  • 38,766 posts
  • ONLINE
  • Gender:Male
  • Location:Montreal, QC. Canada
  • Local time:08:42 AM

Posted 31 March 2012 - 08:21 AM

Are you still with me?

