Help Needed!! please.

[tarung1793]

hi all,
i am having problem with my system,
The problem: The system freezes randomly, takes longer to boot now, and chrome.exe make calls to random address, and a process with the name of "system" and description NT Kernel and System, that hogs CPU usage(taking CPU usage to 90% sometimes) and sometimes svchost.exe taking upto 250MB of memory.

Specs: Intel i7, 2nd gen. 4GB RAM i already have KIS 2012 installed and performed a full system scan, removed some infections but no effect.

What may be causing this on the system and what i can do about it??

KIS log:

Code:

HEUR:Exploit.Script.Generic	Quarantined	04-08-2011 13:15:11	
HEUR:Exploit.Script.Generic	Deleted	04-08-2011 13:15:17	
HEUR:Trojan.Script.Generic	Quarantined	04-08-2011 13:15:08	
HEUR:Trojan.Script.Generic	Deleted	04-08-2011 13:15:14	
HEUR:Trojan.Win32.Generic	Quarantined	04-08-2011 13:13:38	
HEUR:Trojan.Win32.Generic	Disinfected	04-08-2011 13:13:38	
HEUR:Trojan.Win32.Generic	Deleted	04-08-2011 13:15:05	
HEUR:Trojan.Win32.Generic	Deleted	04-08-2011 13:15:05	
HEUR:Trojan.Win32.Generic	Deleted	04-08-2011 13:14:59	
HEUR:Trojan.Win32.Generic	Deleted	04-08-2011 13:14:59	
HEUR:Trojan.Win32.Generic	Deleted	04-08-2011 13:13:17	
HEUR:Trojan.Win32.Generic	Disinfected	04-08-2011 13:13:17	
Type: Trojan program (7)	
Exploit.JS.Aurora.a	Quarantined	04-08-2011 13:15:09	
Exploit.JS.Aurora.a	Deleted	04-08-2011 13:15:16	
Packed.Win32.Krap.bj	Deleted	02-08-2011 18:31:26	
Trojan-Banker.Win32.Bancos.lda	Inactive	04-08-2011 00:38:23	
Trojan-Banker.Win32.Bancos.lda	Inactive	04-08-2011 00:27:25	
Trojan-Clicker.Win32.Agent.ryc	Deleted	04-08-2011 13:19:48	
Trojan-Clicker.Win32.Agent.ryc	Disinfected	04-08-2011 14:09:47

calls made by chrome.exe:

Code:

 chrome.exe - radrywziqe:80 error : Could not connect through proxy #### - Proxy server cannot establish a connection with the target, status code 404
[08.04 14:20:58] chrome.exe - hvssxzzuzt:80 error : Could not connect through proxy #### - Proxy server cannot establish a connection with the target, status code 404
[08.04 14:20:58] chrome.exe - hvssxzzuzt:80 error : Could not connect through proxy #### - Proxy server cannot establish a connection with the target, status code 404
[08.04 14:20:58] chrome.exe - radrywziqe:80 error : Could not connect through proxy #### - Proxy server cannot establish a connection with the target, status code 404
[08.04 14:20:59] chrome.exe - vzkikbykot:80 error : Could not connect through proxy #### - Proxy server cannot establish a connection with the target, status code 404
[08.04 14:20:59] chrome.exe - vzkikbykot:80 error : Could not connect through proxy #### - Proxy server cannot establish a connection with the target, status code 404

HijackThis Log, with only one chrome window(only one Tab open):

Code:

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 14:25:59, on 04-08-2011
Platform: Windows 7 SP1 (WinNT 6.00.3505)
MSIE: Internet Explorer v8.00 (8.00.7601.17514)
Boot mode: Normal

Running processes:
C:\Program Files (x86)\HP SimplePass 2011\TouchControl.exe
C:\Program Files (x86)\HP SimplePass 2011\BioMonitor.exe
C:\Program Files (x86)\Proxifier\Proxifier.exe
C:\Program Files (x86)\Belvedere\Belvedere.exe
C:\Program Files (x86)\PhraseExpress\phraseexpress.exe
C:\Program Files (x86)\Kaspersky Lab\Kaspersky Internet Security 2012\avp.exe
C:\Program Files (x86)\Hewlett-Packard\HP On Screen Display\HPOSD.exe
C:\Program Files (x86)\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe
F:\Program Files\hqtray.exe
C:\Users\TarunG\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\TarunG\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\TarunG\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\TarunG\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\TarunG\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\TarunG\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\TarunG\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\TarunG\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\TarunG\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\TarunG\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\TarunG\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\TarunG\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\TarunG\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\TarunG\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\TarunG\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\TarunG\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\TarunG\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\TarunG\AppData\Local\Google\Chrome\Application\chrome.exe
C:\Users\TarunG\Downloads\HijackThis.exe
C:\Windows\SysWOW64\DllHost.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = 
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = 
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\Windows\SysWOW64\blank.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = 
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: IEVkbdBHO - {59273AB4-E7D3-40F9-A1A8-6FA9CCA1862C} - C:\Program Files (x86)\Kaspersky Lab\Kaspersky Internet Security 2012\ievkbd.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~2\MIF5BA~1\Office14\GROOVEEX.DLL
O2 - BHO: TSBHO Class - {8590886E-EC8C-43C1-A32C-E4C2B0B6395B} - C:\Program Files (x86)\HP SimplePass 2011\IEBHO.dll
O2 - BHO: URLRedirectionBHO - {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\PROGRA~2\MIF5BA~1\Office14\URLREDIR.DLL
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre6\bin\jp2ssv.dll
O2 - BHO: Microsoft Web Test Recorder 10.0 Helper - {DDA57003-0068-4ed2-9D32-4D1EC707D94D} - G:\Program Files (x86)\Microsoft Visual Studio 10.0\Common7\IDE\PrivateAssemblies\Microsoft.VisualStudio.QualityTools.RecorderBarBHO100.dll
O2 - BHO: link filter bho - {E33CF602-D945-461A-83F0-819F76A199F8} - C:\Program Files (x86)\Kaspersky Lab\Kaspersky Internet Security 2012\klwtbbho.dll
O4 - HKLM\..\Run: [AVP] "C:\Program Files (x86)\Kaspersky Lab\Kaspersky Internet Security 2012\avp.exe"
O4 - HKLM\..\Run: [HPOSD] C:\Program Files (x86)\Hewlett-Packard\HP On Screen Display\HPOSD.exe

Any help on what should i try, or what more info should i provide??

[tarung1793]

Code:

O4 - HKLM\..\Run: [StartCCC] "c:\Program Files (x86)\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
O4 - HKLM\..\Run: [VirtualCloneDrive] "C:\Program Files (x86)\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe" /s
O4 - HKLM\..\Run: [VMware hqtray] "F:\Program Files\hqtray.exe"
O4 - HKLM\..\Run: [Malwarebytes' Anti-Malware] "C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamgui.exe" /starttray
O4 - HKCU\..\Run: [Proxifier] "c:\program files (x86)\proxifier\proxifier.exe" aut
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'NETWORK SERVICE')
O4 - Startup: Rainmeter.lnk = C:\Program Files\Rainmeter\Rainmeter.exe
O4 - Global Startup: Belvedere.lnk = C:\Program Files (x86)\Belvedere\Belvedere.exe
O4 - Global Startup: PhraseExpress.lnk = C:\Program Files (x86)\PhraseExpress\phraseexpress.exe
O8 - Extra context menu item: Add to Anti-Banner - C:\Program Files (x86)\Kaspersky Lab\Kaspersky Internet Security 2012\ie_banner_deny.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MIF5BA~1\Office14\EXCEL.EXE/3000
O8 - Extra context menu item: Se&nd to OneNote - res://C:\PROGRA~1\MIF5BA~1\Office14\ONBttnIE.dll/105
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files (x86)\Microsoft Office\Office14\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: Se&nd to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files (x86)\Microsoft Office\Office14\ONBttnIE.dll
O9 - Extra button: &Virtual Keyboard - {4248FE82-7FCB-46AC-B270-339F08212110} - C:\Program Files (x86)\Kaspersky Lab\Kaspersky Internet Security 2012\ievkbd.dll
O9 - Extra button: OneNote Lin&ked Notes - {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - C:\Program Files (x86)\Microsoft Office\Office14\ONBttnIELinkedNotes.dll
O9 - Extra 'Tools' menuitem: OneNote Lin&ked Notes - {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - C:\Program Files (x86)\Microsoft Office\Office14\ONBttnIELinkedNotes.dll
O9 - Extra button: URLs c&heck - {CCF151D8-D089-449F-A5A4-D9909053F20F} - C:\Program Files (x86)\Kaspersky Lab\Kaspersky Internet Security 2012\klwtbbho.dll
O9 - Extra button: Fiddler2 - {CF819DA3-9882-4944-ADF5-6EF17ECF3C6E} - "C:\Program Files (x86)\Fiddler2\Fiddler.exe" (file missing)
O9 - Extra 'Tools' menuitem: Fiddler2 - {CF819DA3-9882-4944-ADF5-6EF17ECF3C6E} - "C:\Program Files (x86)\Fiddler2\Fiddler.exe" (file missing)
O10 - Unknown file in Winsock LSP: c:\windows\system32\prxernsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\prxerdrv.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\prxerdrv.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\prxerdrv.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\prxerdrv.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\prxerdrv.dll
O10 - Unknown file in Winsock LSP: f:\program files\vsocklib.dll
O10 - Unknown file in Winsock LSP: f:\program files\vsocklib.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{F1B75D07-399A-4FF8-A468-E19F8010AB69}: NameServer = 172.31.1.1,172.31.1.130
O18 - Filter hijack: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLMF.DLL
O23 - Service: Adobe Acrobat Update Service (AdobeARMservice) - Adobe Systems Incorporated - C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
O23 - Service: Andrea ST Filters Service (AESTFilters) - Andrea Electronics Corporation - C:\Program Files\IDT\WDM\AESTSr64.exe
O23 - Service: @%SystemRoot%\system32\Alg.exe,-112 (ALG) - Unknown owner - C:\Windows\System32\alg.exe (file missing)
O23 - Service: AMD External Events Utility - Unknown owner - C:\Windows\system32\atiesrxx.exe (file missing)
O23 - Service: Kaspersky Anti-Virus Service (AVP) - Kaspersky Lab ZAO - C:\Program Files (x86)\Kaspersky Lab\Kaspersky Internet Security 2012\avp.exe
O23 - Service: Dragon Service (DragonSvc) - Nuance Communications, Inc. - C:\Program Files (x86)\Common Files\Nuance\dgnsvc.exe
O23 - Service: @%SystemRoot%\system32\efssvc.dll,-100 (EFS) - Unknown owner - C:\Windows\System32\lsass.exe (file missing)
O23 - Service: @%systemroot%\system32\fxsresm.dll,-118 (Fax) - Unknown owner - C:\Windows\system32\fxssvc.exe (file missing)
O23 - Service: TrueSuiteService (FPLService) - HP - C:\Program Files (x86)\HP SimplePass 2011\TrueSuiteService.exe
O23 - Service: HP Health Check Service - Hewlett-Packard Company - C:\Program Files (x86)\Hewlett-Packard\HP Health Check\hphc_service.exe
O23 - Service: HP Quick Synchronization Service (HPDrvMntSvc.exe) - Hewlett-Packard Company - C:\Program Files (x86)\Hewlett-Packard\Shared\HPDrvMntSvc.exe
O23 - Service: HP Software Framework Service (hpqwmiex) - Hewlett-Packard Company - C:\Program Files (x86)\Hewlett-Packard\Shared\hpqWmiEx.exe
O23 - Service: HP Service (hpsrv) - Unknown owner - C:\Windows\system32\Hpservice.exe (file missing)
O23 - Service: Intel(R) Rapid Storage Technology (IAStorDataMgrSvc) - Intel Corporation - C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe
O23 - Service: @keyiso.dll,-100 (KeyIso) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: KMService - Unknown owner - C:\Windows\system32\srvany.exe
O23 - Service: Intel(R) Management and Security Application Local Management Service (LMS) - Intel Corporation - C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe
O23 - Service: MBAMService - Malwarebytes Corporation - C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe
O23 - Service: @comres.dll,-2797 (MSDTC) - Unknown owner - C:\Windows\System32\msdtc.exe (file missing)
O23 - Service: @%SystemRoot%\System32\netlogon.dll,-102 (Netlogon) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%systemroot%\system32\psbase.dll,-300 (ProtectedStorage) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - C:\Program Files (x86)\WinPcap\rpcapd.exe (file missing)
O23 - Service: @%systemroot%\system32\Locator.exe,-2 (RpcLocator) - Unknown owner - C:\Windows\system32\locator.exe (file missing)
O23 - Service: @%SystemRoot%\system32\samsrv.dll,-1 (SamSs) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: Sandboxie Service (SbieSvc) - SANDBOXIE L.T.D - C:\Program Files\Sandboxie\SbieSvc.exe
O23 - Service: @%SystemRoot%\system32\snmptrap.exe,-3 (SNMPTRAP) - Unknown owner - C:\Windows\System32\snmptrap.exe (file missing)
O23 - Service: @%systemroot%\system32\spoolsv.exe,-1 (Spooler) - Unknown owner - C:\Windows\System32\spoolsv.exe (file missing)
O23 - Service: @%SystemRoot%\system32\sppsvc.exe,-101 (sppsvc) - Unknown owner - C:\Windows\system32\sppsvc.exe (file missing)
O23 - Service: @%SystemRoot%\system32\stlang64.dll,-10101 (STacSV) - IDT, Inc. - C:\Program Files\IDT\WDM\STacSV64.exe
O23 - Service: VMware Agent Service (ufad-ws60) - VMware, Inc. - F:\Program Files\vmware-ufad.exe
O23 - Service: @%SystemRoot%\system32\ui0detect.exe,-101 (UI0Detect) - Unknown owner - C:\Windows\system32\UI0Detect.exe (file missing)
O23 - Service: Intel(R) Management and Security Application User Notification Service (UNS) - Intel Corporation - C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe
O23 - Service: @%SystemRoot%\system32\vaultsvc.dll,-1003 (VaultSvc) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%SystemRoot%\system32\vds.exe,-100 (vds) - Unknown owner - C:\Windows\System32\vds.exe (file missing)
O23 - Service: VMware Authorization Service (VMAuthdService) - VMware, Inc. - F:\Program Files\vmware-authd.exe
O23 - Service: VMware DHCP Service (VMnetDHCP) - VMware, Inc. - C:\Windows\system32\vmnetdhcp.exe
O23 - Service: VMware USB Arbitration Service (VMUSBArbService) - VMware, Inc. - C:\Program Files (x86)\Common Files\VMware\USB\vmware-usbarbitrator.exe
O23 - Service: VMware NAT Service - VMware, Inc. - C:\Windows\system32\vmnat.exe
O23 - Service: @%systemroot%\system32\vssvc.exe,-102 (VSS) - Unknown owner - C:\Windows\system32\vssvc.exe (file missing)
O23 - Service: @%SystemRoot%\system32\Wat\WatUX.exe,-601 (WatAdminSvc) - Unknown owner - C:\Windows\system32\Wat\WatAdminSvc.exe (file missing)
O23 - Service: @%systemroot%\system32\wbengine.exe,-104 (wbengine) - Unknown owner - C:\Windows\system32\wbengine.exe (file missing)
O23 - Service: @%Systemroot%\system32\wbem\wmiapsrv.exe,-110 (wmiApSrv) - Unknown owner - C:\Windows\system32\wbem\WmiApSrv.exe (file missing)
O23 - Service: @%PROGRAMFILES%\Windows Media Player\wmpnetwk.exe,-101 (WMPNetworkSvc) - Unknown owner - C:\Program Files (x86)\Windows Media Player\wmpnetwk.exe (file missing)

--
End of file - 13619 bytes

[INDRANIL]

Download Hitman Pro (activate pro for removing infection) & MalwareBytes Anti-Malware make a scan post log here. Clean your temp file.

You have many missing files. After cleaning the threat fix those missing files. like

"C:\Program Files (x86)\Fiddler2\Fiddler.exe" (file missing)
"C:\Program Files (x86)\Fiddler2\Fiddler.exe" (file missing)

Also your reset your LSP. Also look at the name server NameServer = 172.31.1.1,172.31.1.130 is it your default ?? If no then change it too,

O10 - Unknown file in Winsock LSP: c:\windows\system32\prxernsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\prxerdrv.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\prxerdrv.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\prxerdrv.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\prxerdrv.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\prxerdrv.dll
O10 - Unknown file in Winsock LSP: f:\program files\vsocklib.dll
O10 - Unknown file in Winsock LSP: f:\program files\vsocklib.dll

[tarung1793]

Already tried malware Bytes, it found nothing,,
Currently doing Hitman Pro.

[INDRANIL]

Hmm clean your temp files too and reset LSP netsh winsock reset type it in cmd.

[tarung1793]

Hitman pro just showed some cookies,

[Raymond]

After KIS detected some trojans and deleting them, your system is still unstable?

[tarung1793]

after cleaning the system, it was good but until two restarts only, after that system started getting froze again, had to cold restart 3-4 times, (mainly, WMP could not start and Task manager unresponsive and then whole system froze); now again working good, seems like i am victim to some botnet?,

EDIT: also my computer never shuts down, it just keeps on saying "shutting down".

[Bluedot]

Back up your files and do a clean install.

[tarung1793]

Back up your files and do a clean install.

.
That will be last option, any thing else i should try?