lately my pc hangs up at the slithest CPU usage after opening an infected file, for example when I switch with alt-tab to another open application
after 30 sec orso it goes back to normal
I dont know which file it was or with which virus it is infected

I am using NOD32

I scanned with spyware doctor, ad-aware, spybot, Panda online scan and found NOTHING but my pc still hangs up at the slithest thing i do

here is my hijackthis log:




Logfile of HijackThis v1.99.1
Scan saved at 23:08:50, on 15-1-2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Eset\nod32kui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\uTorrent\utorrent.exe
C:\PROGRA~1\Lavasoft\Ad-Aware SE Professional\Ad-Watch.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Opera\Opera.exe
C:\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: IeCatch2 Class - {A5366673-E8CA-11D3-9CD9-0090271D075B} - C:\PROGRA~1\FlashGet\jccatch.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O2 - BHO: FlashFXP Helper for Internet Explorer - {E5A1691B-D188-4419-AD02-90002030B8EE} - C:\PROGRA~1\FlashFXP\IEFlash.dll
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\fgiebar.dll
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [µTorrent] "C:\Program Files\uTorrent\utorrent.exe"
O8 - Extra context menu item: Ontvang alles met FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: Ontvang met FlashGet - C:\Program Files\FlashGet\jc_link.htm
O9 - Extra button: (no name) - AutorunsDisabled - (no file)
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: Panda ActiveScan - {653D93AF-C741-4e5e-8C1B-59BA43F93E16} - http://www.pandasoftware.com/activescan (file missing)
O9 - Extra button: Onderzoek - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\Microsoft Office\OFFICE11\REFIEBAR.DLL
O16 - DPF: {233C1507-6A77-46A4-9443-F871F945D258} (Shockwave ActiveX Control) -
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) -
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - AppInit_DLLs: MsgPlusLoader.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\wpdshserviceobj.dll
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe





Thanks in advance

Welcome to the forum, if you still need help and are not receiving it elsewhere, I will take a look to see what I can do.
Please make sure you have reviewed and followed all of these instructions:
"BEFORE you POST" -Preliminary Steps
http://forums.spybot.info/showthread.php?t=288

It's hard to proceed with no information about the "infected file", since nothing is reporting it in the online scans, run your NOD32 and let me know what it finds.

HJT is showing nothing but an out of date Java program, see this:
http://forums.spybot.info/showpost.php?p=12880&postcount=2
That you should address before that get's you infected.

If you still have issues, please try to provide me with more information about this infected file. Follow the directions in the link:
http://forums.security-central.us/showthread.php?t=3165
Delete or at least quarantine anything the program locates and post the scan results along with a new HJT log and and information you think will help. I would also like any error messages you are receiving when Windows hangs, post those word for word.

Thanks

Hi pskelly,


I scanned with NOD32 and it found nothing

By accident I saw those 2 files in C:\Windows\System32
mxxxxxxxxk.exe
and
mxxxxxxxxk (no extension)

I deleted them manually because neither the online scan or NOD32 could not find them, removing mxxxxxxxxk.exe was no problem but the other file (without extension) kept appearing and appearing but after a restart it was renamed to mxxxxxxxxk.$$$
after deleting it, it did'nt came back
after deleting those 2 files my pc did not hang up anymore like it did before
Also i didnt got any errors/messages when the pc hang up


After deleting those files I scanned again with:
kaspersky online scan
NOD32
Panda online scan
Found Nothing

Before I deleted those 2 files the iexplore.exe was running automaticly on the background at startup but I could end it at process list at CTRL+ALT+DEL
after deleting those 2 files i don't see the iexplore.exe anymore in the process list running on the background


I also found the infected file that was executed and scanned it with:
virusscan jotti.org
and
virustotal.com


here are the logs of those scans:

virusscan jotti.org

MD5 1ceae2ea83ba608b4aa9e1e932476c62
Packers detected: -

Scan taken on 19 Jan 2007 23:41:22 (GMT)
AntiVir Found HEUR/Crypted
ArcaVir Found nothing
Avast Found nothing
AVG Antivirus Found nothing
BitDefender Found nothing
ClamAV Found nothing
Dr.Web Found nothing
F-Prot Antivirus Found nothing
F-Secure Anti-Virus Found nothing
Fortinet Found nothing
Kaspersky Anti-Virus Found nothing
NOD32 Found nothing
Norman Virus Control Found nothing
VirusBuster Found nothing
VBA32 Found Backdoor.Hupigon.4 (paranoid heuristics) (probable variant)



virustotal.com

Antivirus Version Update Result
AntiVir 7.3.0.26 01.19.2007 HEUR/Crypted
Authentium 4.93.8 01.19.2007 no virus found
Avast 4.7.936.0 01.18.2007 no virus found
AVG 386 01.19.2007 no virus found
BitDefender 7.2 01.19.2007 no virus found
CAT-QuickHeal 9.00 01.19.2007 no virus found
ClamAV devel-20060426 01.19.2007 no virus found
DrWeb 4.33 01.20.2007 no virus found
eSafe 7.0.14.0 01.19.2007 no virus found
eTrust-InoculateIT 23.73.118 01.20.2007 no virus found
eTrust-Vet 30.3.3336 01.19.2007 no virus found
Ewido 4.0 01.19.2007 no virus found
Fortinet 2.82.0.0 01.19.2007 suspicious
F-Prot 3.16f 01.19.2007 no virus found
F-Prot4 4.2.1.29 01.19.2007 no virus found
Ikarus T3.1.0.27 01.09.2007 no virus found
Kaspersky 4.0.2.24 01.20.2007 no virus found
McAfee 4943 01.19.2007 no virus found
Microsoft 1.1904 01.19.2007 no virus found
NOD32v2 1991 01.19.2007 no virus found
Norman 5.80.02 01.19.2007 no virus found
Panda 9.0.0.4 01.19.2007 no virus found
Prevx1 V2 01.20.2007 Covert.Sys.Exec
Sophos 4.13.0 01.19.2007 no virus found
Sunbelt 2.2.907.0 01.12.2007 VIPRE.Suspicious
TheHacker 6.0.3.151 01.19.2007 no virus found
UNA 1.83 01.19.2007 no virus found
VBA32 3.11.2 01.19.2007 suspected of Backdoor.Hupigon.4 (paranoid heuristics)
VirusBuster 4.3.19:9 01.19.2007 no virus found

Aditional Information
File size: 1658880 bytes
MD5: 1ceae2ea83ba608b4aa9e1e932476c62
SHA1: d744cf40e612a79c542ee335c8399efa43397d6b
packers: Themida
Prevx info: http://fileinfo.prevx.com/fileinfo.asp?PXC=204557218143
Sunbelt info: VIPRE.Suspicious is a generic detection for potential threats that are deemed suspicious through heuristics.




Here is a new HIJACKTHIS log:

Logfile of HijackThis v1.99.1
Scan saved at 0:15:14, on 20-1-2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Eset\nod32kui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Opera\Opera.exe
C:\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O2 - BHO: IeCatch2 Class - {A5366673-E8CA-11D3-9CD9-0090271D075B} - C:\PROGRA~1\FlashGet\jccatch.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O2 - BHO: FlashFXP Helper for Internet Explorer - {E5A1691B-D188-4419-AD02-90002030B8EE} - C:\PROGRA~1\FlashFXP\IEFlash.dll
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\fgiebar.dll
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0\bin\jusched.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [µTorrent] "C:\Program Files\uTorrent\utorrent.exe"
O8 - Extra context menu item: Ontvang alles met FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: Ontvang met FlashGet - C:\Program Files\FlashGet\jc_link.htm
O9 - Extra button: (no name) - AutorunsDisabled - (no file)
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\npjpi150_10.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\npjpi150_10.dll
O16 - DPF: {233C1507-6A77-46A4-9443-F871F945D258} (Shockwave ActiveX Control) -
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) -
O20 - AppInit_DLLs: MsgPlusLoader.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\wpdshserviceobj.dll
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe



Thank you very much I really appriciate your help :bigthumb:

Thanks for returning you information and the feedback. Looks like you killed whatever it was. Let's clean a little like this:

Please download ATF Cleaner by Atribune
http://www.atribune.org/content/view/25/2/
Save it to your Desktop. We will use this later.

TeaTimer will block the changes, use the information in the link to turn it off until you are finished:
http://russelltexas.com/malware/teatimer.htm

Open HijackThis and choose "Do a system scan only" then check the box in front of these line items:

(none of this is malware, just trash)

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O9 - Extra button: (no name) - AutorunsDisabled - (no file)

Close all programs but HJT and all browser windows, then click on "Fix Checked"

Run ATF Cleaner
Double-click ATF-Cleaner.exe to run the program.
Click Select All found at the bottom of the list.
Click the Empty Selected button.
Click Exit on the Main menu to close the program.

Turn off System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.

Reboot

Turn ON System Restore,
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-Check *Turn off System Restore*.
Click Apply, and then click OK.

You should be good to go. That is a link to a good free trial scan I posted above if you want to check for stuff HJT can not see.

Thanks:bigthumb:

Here is some great information from Tony Klein, Texruss, ChrisRLG and Grinler to help you stay clean and safe online:
http://forums.spybot.info/showthread.php?t=279
http://russelltexas.com/malware/allclear.htm
http://forum.malwareremoval.com/viewtopic.php?t=14
http://www.bleepingcomputer.com/forums/topict2520.html
http://cybercoyote.org/security/not-admin.shtml
















I have to assume you wish me to do my best to assure your computer is as clean as possible.
This is a lot of information you have posted, I will do my best to help you with your questions. Let's look at the Soybot information first.
This should explain a lot of it for you:
Why does Spybot-S&D flag changes in the Windows Security Center?
http://www.safer-networking.org/en/faq/46.html
http://www.safer-networking.org/en/faq/index.html
http://forums.spybot.info/showthread.php?t=250

Avenue A., Inc. <<< for now let's call that a cookie. We can revisit that issue a little later.

Now let's open your Spybot program and I have to assume you have the newest version 1.4 and all of your data bases are up to date.
had to recovery anything.

Kaspersky also appears to be seeing stuff in Ad-aware, some of the stuff like skins which are protected are not really bad, but it is picking up junk in the Quarantine areas. Open Ad-aware, and agin I am assumeing you have the newest version. Now click on the lock at the top right of the interface. Highlite and delete everything in there.
It is also picking up stuff in System Restore and to my knowledge it can not delete that stuff, the only way to clean the System Restore files, and we may have to do this again later to be sure, is like this. And you can follow these directions:
Turn off System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.

Reboot

Turn ON System Restore,
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-Check *Turn off System Restore*.
Click Apply, and then click OK.

Now some of the stuff Kaspersky actually remove for you, so I will look at the HJT log now.

Let's take a moment to read this:
http://www.sophos.com/virusinfo/analyses/trojkeylogat.html
and under the Advanced tab:
The file <Windows folder>\svchost.exe is registered as a new system driver service named "Fast User Switching Compatibil", with a display name of "FastUserSwitchingCompatibil" and a startup type of automatic, so that it is started automatically during system startup. Registry entries are created under:
HKLM\SYSTEM\CurrentControlSet\Services\Fast User Switching Compatibil\

O23 - Service: Windows Driver Framework - Unknown owner - C:\WINDOWS\svchost.exe (file missing) <<< you can forget the (file missing), that is a glitch. You would have to browse to that file to upload it for scanning.

Let's try to remove it like this:

Make sure all viewing all files and folder is enabled:
http://www.xtra.co.nz/help/0,,4155-1916458,00.html

Please download ATF Cleaner by Atribune
http://www.atribune.org/content/view/25/2/
Save it to your Desktop. We will use this later.

Disable the offending Service
Click Start > Run and type services.msc
Scroll down to Windows Driver Framework and right click on it.
Click Properties and under Service Status click Stop, then under Startup Type change it to Disabled.

Delete the offending Service
Open HijackThis and click Config -> Misc Tools -> Delete an NT service.
In the Delete window, type Windows Driver Framework and press OK.
OK any prompts, close HijackThis, and restart your computer.

Open HijackThis and choose "Do a system scan only" then check the box in front of these line items:

O23 - Service: Windows Driver Framework - Unknown owner - C:\WINDOWS\svchost.exe (file missing)

Close all programs but HJT and all browser windows, then click on "Fix Checked"

RIGHT Click on Start then click on Explore. Locate and delete these items:



Run ATF Cleaner
Double-click ATF-Cleaner.exe to run the program.
Click Select All found at the bottom of the list.
Click the Empty Selected button.
Click Exit on the Main menu to close the program.

Make sure you have removed all items in Spybot "Recovery", all items in Ad-Aware "Quarantine" and that you have followed the instructions to clean the System Restore foles. Now run another Kaspersky scan and post it alone with a new HJT log.

Thanks

thanks for your reply and sorry for my late reply,

I have formatted my pc and had some problems with the internet
now my pc is formatted im sure its clean already so no need to post hijackthis log or antivirus log and don't need to bother you anymore heh? :p:

I really appriciate your help

thanks for everything

As the problem appears to be resolved this topic has been closed.

If you need it re-opened please send me or a forum staff member a private message (pm) and provide a link to the thread; this applies only to the original topic starter.

Anyone else with similar problems please start a new topic.