Computer Restarts Anytime Because of Virus

  • premsoni0143
  • Banned
  • Posts: 30

Post 3+ Months Ago

Dear All,

Below is my HijackThis log. Please help me solve this restarting problem, which is because of a Trojan or virus.

I have tried the Quick Heal Live CD, a command-line scanner and Trend Micro Anti-Virus, and still cannot solve this problem. They cannot detect it.

I have also tried the eScan Live CD, updated in February; still no effect.

I also used HouseCall, but while it was still processing, the computer restarted.

Logfile of HijackThis v1.99.1
Scan saved at 9:48:03 AM, on 6/14/2011
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Trend Micro\Titanium\plugin\TMAS\TMAS_OE\TMAS_OEMon.exe
C:\Program Files\DivX\DivX Update\DivXUpdate.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Zorpia Notifier\Zorpia Notifier.exe
C:\Documents and Settings\Jatin_soni\Application Data\winlogon\winlogon.exe
C:\Documents and Settings\Jatin_soni\Application Data\932681587.exe
C:\Program Files\Trend Micro\AMSP\coreServiceShell.exe
C:\Program Files\Trend Micro\UniClient\UiFrmWrk\uiWatchDog.exe
C:\Program Files\Trend Micro\AMSP\coreFrameworkHost.exe
C:\Program Files\Trend Micro\UniClient\UiFrmWrk\uiSeAgnt.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Documents and Settings\All Users\Application Data\QuestScan\questscan137.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\TeamViewer\Version5\TeamViewer_Service.exe
C:\Program Files\TeamViewer\Version6\TeamViewer_Service.exe
C:\Program Files\Reliance Netconnect - Broadband+\bin\MonServiceUDisk.exe
C:\Program Files\Common Files\VMware\USB\vmware-usbarbitrator.exe
C:\WINDOWS\system32\vmnat.exe
C:\WINDOWS\system32\vmnetdhcp.exe
C:\Program Files\VMware\VMware Workstation\vmware-authd.exe
C:\Program Files\QuestScan\questscan.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Tencent\QQIntl\Bin\QQ.exe
C:\Program Files\Tencent\QQIntl\Bin\TXPlatform.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\PROGRA~1\FREEDO~1\fdm.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go (dot) microsoft (dot) come/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go (dot) microsoft (dot) come/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go (dot) microsoft (dot) come/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go (dot) microsoft (dot) come/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www (dot)rcom (dot) co (dot)in/Communications/rcom/RNetconnect/9374475247.html
R3 - URLSearchHook: uTorrentBar Toolbar - {bf7380fa-e3b4-4db2-af3e-9d8783a45bfc} - C:\Program Files\uTorrentBar\prxtbuTo0.dll
R3 - URLSearchHook: (no name) - - (no file)
O2 - BHO: ShopperReports - {100EB1FD-D03E-47fd-81F3-EE91287F9465} - (no file)
O2 - BHO: Trend Micro NSC BHO - {1CA1377B-DC1D-4A52-9585-6E06050FAC53} - C:\Program Files\Trend Micro\AMSP\Module\20004\1.5.1464\6.6.1079\TmIEPlg.dll
O2 - BHO: Conduit Engine - {30F9B915-B755-4826-820B-08FBA6BD249D} - C:\Documents and Settings\Jatin_soni\Local Settings\Application Data\ConduitEngine\ldrConduitEngine.dll
O2 - BHO: Increase performance and video formats for your HTML5 <video> - {326E768D-4182-46FD-9C16-1449A49795F4} - C:\Program Files\DivX\DivX Plus Web Player\npdivx32.dll
O2 - BHO: Use the DivX Plus Web Player to watch web videos with less interruptions and smoother playback on supported sites - {593DDEC6-7468-4cdd-90E1-42DADAA222E9} - C:\Program Files\DivX\DivX Plus Web Player\npdivx32.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office14\GROOVEEX.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: URLRedirectionBHO - {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\PROGRA~1\MICROS~2\Office14\URLREDIR.DLL
O2 - BHO: TmBpIeBHO - {BBACBAFD-FA5E-4079-8B33-00EB9F13D4AC} - C:\Program Files\Trend Micro\AMSP\Module\20002\6.5.1234\6.5.1234\TmBpIe32.dll
O2 - BHO: uTorrentBar - {bf7380fa-e3b4-4db2-af3e-9d8783a45bfc} - C:\Program Files\uTorrentBar\prxtbuTo0.dll
O2 - BHO: FDMIECookiesBHO Class - {CC59E0F9-7E43-44FA-9FAA-8377850BF205} - C:\Program Files\Free Download Manager\iefdm2.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: uTorrentBar Toolbar - {bf7380fa-e3b4-4db2-af3e-9d8783a45bfc} - C:\Program Files\uTorrentBar\prxtbuTo0.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [Trend Micro Titanium] C:\Program Files\Trend Micro\Titanium\UIFramework\uiWinMgr.exe -set Silent "1" SplashURL ""
O4 - HKLM\..\Run: [OE] "C:\Program Files\Trend Micro\Titanium\plugin\TMAS\TMAS_OE\TMAS_OEMon.exe"
O4 - HKLM\..\Run: [Trend Micro Client Framework] "C:\Program Files\Trend Micro\UniClient\UiFrmWrk\UIWatchDog.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [DivXUpdate] "C:\Program Files\DivX\DivX Update\DivXUpdate.exe" /CHECKNOW
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [uTorrent] "C:\Program Files\uTorrent\uTorrent.exe"
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Jatin_soni\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - HKCU\..\Run: [winlogon.exe] C:\Documents and Settings\Jatin_soni\Application Data\winlogon\winlogon.exe
O4 - HKCU\..\Run: [TProtect] C:\Documents and Settings\Jatin_soni\Application Data\932681587.exe
O4 - Startup: Zorpia Notifier.lnk = C:\Program Files\Zorpia Notifier\Zorpia Notifier.exe
O8 - Extra context menu item: + Offline &Explorer: Download the link - file://C:\Program Files\Offline Explorer Enterprise\Add_UrlO.htm
O8 - Extra context menu item: + Offline E&xplorer: Download the current page - file://C:\Program Files\Offline Explorer Enterprise\Add_AllO.htm
O8 - Extra context menu item: Download all with Free Download Manager - file://C:\Program Files\Free Download Manager\dlall.htm
O8 - Extra context menu item: Download selected with Free Download Manager - file://C:\Program Files\Free Download Manager\dlselected.htm
O8 - Extra context menu item: Download video with Free Download Manager - file://C:\Program Files\Free Download Manager\dlfvideo.htm
O8 - Extra context menu item: Download with Free Download Manager - file://C:\Program Files\Free Download Manager\dllink.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office14\EXCEL.EXE/3000
O8 - Extra context menu item: Se&nd to OneNote - res://C:\PROGRA~1\MICROS~2\Office14\ONBttnIE.dll/105
O8 - Extra context menu item: QQ - C:\Program Files\Tencent\QQIntl\Bin\AddEmotion.htm
O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office14\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: Se&nd to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office14\ONBttnIE.dll
O9 - Extra button: ICQ7.5 - {7578ADEA-D65F-4C89-A249-B1C88B6FFC20} - C:\Program Files\ICQ7.5\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ7.5 - {7578ADEA-D65F-4C89-A249-B1C88B6FFC20} - C:\Program Files\ICQ7.5\ICQ.exe
O9 - Extra button: OneNote Lin&ked Notes - {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - C:\Program Files\Microsoft Office\Office14\ONBttnIELinkedNotes.dll
O9 - Extra 'Tools' menuitem: OneNote Lin&ked Notes - {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - C:\Program Files\Microsoft Office\Office14\ONBttnIELinkedNotes.dll
O9 - Extra button: ShopperReports - Compare product prices - {C5428486-50A0-4a02-9D20-520B59A9F9B2} - C:\Program Files\ShopperReports3\bin\3.0.517.0\ShopperReports.dll (file missing)
O9 - Extra button: ShopperReports - Compare travel rates - {C5428486-50A0-4a02-9D20-520B59A9F9B3} - C:\Program Files\ShopperReports3\bin\3.0.517.0\ShopperReports.dll (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\program files\vmware\vmware workstation\vsocklib.dll
O10 - Unknown file in Winsock LSP: c:\program files\vmware\vmware workstation\vsocklib.dll
O11 - Options group: [INTERNATIONAL] International
O17 - HKLM\System\CCS\Services\Tcpip\..\{7BA8878B-2BE5-4D7C-BE0A-B8D4221EC9CE}: NameServer = 218.248.255.212 218.248.241.2
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\WINDOW~4\MESSEN~1\MSGRAP~1.DLL
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\WINDOW~4\MESSEN~1\MSGRAP~1.DLL
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O18 - Protocol: tmbp - {1A77E7DC-C9A0-4110-8A37-2F36BAE71ECF} - C:\Program Files\Trend Micro\AMSP\Module\20002\6.5.1234\6.5.1234\TmBpIe32.dll
O18 - Protocol: tmpx - {0E526CB5-7446-41D1-A403-19BFE95E8C23} - C:\Program Files\Trend Micro\AMSP\Module\20004\1.5.1464\6.6.1079\TmIEPlg.dll
O18 - Protocol: wlmailhtml - {03C514A3-1EFB-4856-9F99-10D7BE1653C0} - C:\Program Files\Windows Live\Mail\mailcomm.dll
O18 - Filter hijack: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE14\MSOXMLMF.DLL
O20 - Winlogon Notify: dimsntfy - %SystemRoot%\System32\dimsntfy.dll (file missing)
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O23 - Service: Trend Micro Solution Platform (Amsp) - Unknown owner - C:\Program Files\Trend Micro\AMSP\coreServiceShell.exe" coreFrameworkHost.exe (file missing)
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Unknown owner - C:\Program Files\Java\jre6\bin\jqs.exe" -service -config "C:\Program Files\Java\jre6\lib\deploy\jqs\jqs.conf (file missing)
O23 - Service: Microsoft SharePoint Workspace Audit Service - Unknown owner - C:\Program Files\Microsoft Office\Office14\GROOVE.EXE" /auditservice (file missing)
O23 - Service: QuestScan Service - Unknown owner - C:\Documents and Settings\All Users\Application Data\QuestScan\questscan137.exe" "C:\Program Files\QuestScan\questscan.dll" mozanejej wuwoyicom (file missing)
O23 - Service: TeamViewer 5 (TeamViewer5) - Unknown owner - C:\Program Files\TeamViewer\Version5\TeamViewer_Service.exe" -service (file missing)
O23 - Service: TeamViewer 6 (TeamViewer6) - TeamViewer GmbH - C:\Program Files\TeamViewer\Version6\TeamViewer_Service.exe
O23 - Service: Apache Tomcat 6 (Tomcat6) - Unknown owner - C:\Program Files\Apache Software Foundation\Tomcat 6.0\bin\tomcat6.exe" //RS//Tomcat6 (file missing)
O23 - Service: UDisk Monitor - Unknown owner - C:\Program Files\Reliance Netconnect - Broadband+\bin\MonServiceUDisk.exe
O23 - Service: VMware Agent Service (ufad-ws60) - Unknown owner - C:\Program Files\VMware\VMware Workstation\vmware-ufad.exe" -d "C:\Program Files\VMware\VMware Workstation\\" -s ufad-p2v.xml (file missing)
O23 - Service: VMware Authorization Service (VMAuthdService) - VMware, Inc. - C:\Program Files\VMware\VMware Workstation\vmware-authd.exe
O23 - Service: VMware DHCP Service (VMnetDHCP) - VMware, Inc. - C:\WINDOWS\system32\vmnetdhcp.exe
O23 - Service: VMware USB Arbitration Service (VMUSBArbService) - VMware, Inc. - C:\Program Files\Common Files\VMware\USB\vmware-usbarbitrator.exe
O23 - Service: VMware NAT Service - VMware, Inc. - C:\WINDOWS\system32\vmnat.exe



Thanks & Regards
Jatin
Jr. IT Technical Help Desk
India

  • premsoni0143
  • Banned
  • Posts: 30

Post 3+ Months Ago

Directory of C:\Documents and Settings\Jatin_soni\Application Data

06/05/2011 01:02 PM 115,712 056999350.exe
06/05/2011 01:02 PM 115,712 062504927.exe
06/05/2011 01:02 PM 115,712 084424007.exe
06/05/2011 01:02 PM 115,712 154788733.exe
06/05/2011 01:02 PM 115,712 218787704.exe
06/05/2011 01:02 PM 115,712 235703842.exe
06/05/2011 01:02 PM 115,712 241366855.exe
06/05/2011 01:02 PM 115,712 327956398.exe
06/05/2011 01:02 PM 115,712 400495780.exe
06/05/2011 01:02 PM 115,712 427702927.exe
06/05/2011 01:02 PM 115,712 430152218.exe
06/05/2011 01:02 PM 115,712 433860283.exe
06/05/2011 01:02 PM 115,712 453218005.exe
06/05/2011 01:02 PM 115,712 457379366.exe
06/05/2011 01:02 PM 115,712 511708047.exe
06/05/2011 01:02 PM 115,712 512045189.exe
06/05/2011 01:02 PM 115,712 561637843.exe
06/05/2011 01:02 PM 115,712 697980148.exe
06/05/2011 01:02 PM 115,712 756560397.exe
06/05/2011 01:02 PM 115,712 762283672.exe
06/05/2011 01:02 PM 115,712 770806148.exe
06/05/2011 01:02 PM 115,712 775592305.exe
06/05/2011 01:02 PM 115,712 812771512.exe
How do I delete them?
Answer: attrib -s -h -r *.exe
Del /f /s /q *.exe
But Task Manager still shows one process, and it is the virus which will reboot my system soon, I know it.
C:\Documents and Settings\Jatin_soni\Application Data>attrib -h -s 869546551.exe
C:\Documents and Settings\Jatin_soni\Application Data>del /f /s /q 869546551.exe
C:\Documents and Settings\Jatin_soni\Application Data\869546551.exe
Access is denied.

I tried to End Task, but my system restarted again, so I thought about it and started XP in Safe Mode.
Then I went to the same place and deleted this file the same way, as shown below.
C:\Documents and Settings\Jatin_soni\Application Data>attrib -r -s -h 869546551.exe
C:\Documents and Settings\Jatin_soni\Application Data>del /f /s /q 869546551.exe
Deleted file - C:\Documents and Settings\Jatin_soni\Application Data\869546551.exe

BUT AGAIN: after restarting the PC, I found a new process started by itself, so please help me find where it is being created from.
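The two posts above show the same infection from two sides: the HijackThis log lists what is running and what auto-starts, and the dir listing shows the dropper's copies. The file keeps coming back because deleting one numbered .exe leaves the auto-start entries that re-launch the dropper. As an added example (not part of the original thread, and not HijackThis or ComboFix code), the Python script below applies to both artifacts the checks a responder would run by hand: a core Windows binary name running from outside %SystemRoot%, a process image or auto-start under the user-writable XP profile directories, a digit-only filename, and a cluster of same-size digit-named executables in a dir listing. The sample log and listing embedded in it are constructed from the lines posted above; SYSTEM_ROOT, the heuristic names and the thresholds are the example's own assumptions.

```python
"""Offline triage of the two artifacts posted above: a HijackThis log and a
`dir` listing of %APPDATA%.  Added example: not code from the thread, from
HijackThis or from ComboFix; sample input is constructed from the posted lines."""
import re
from collections import defaultdict

# Assumption: system root of the logged machine (take %SystemRoot% on a real box).
# Checked as a path prefix, so a profile folder merely named WINDOWS does not pass.
SYSTEM_ROOT = "c:\\windows\\"
# Core Windows binaries that only legitimately live under %SystemRoot%.
SYSTEM_BINARIES = {"winlogon.exe", "svchost.exe", "lsass.exe", "csrss.exe", "services.exe", "smss.exe"}
# XP profile directories any user can write to: not proof of malware (per-user
# installers live here too) but where a dropper without admin rights ends up.
USER_WRITABLE = re.compile(
    r"\\documents and settings\\[^\\]+\\(local settings\\)?application data\\")
RANDOM_NUMERIC = re.compile(r"^\d{6,}\.exe$", re.I)     # e.g. 932681587.exe
O4_RUN = re.compile(r"^O4 - (HKLM|HKCU)\\\.\.\\Run: \[([^\]]*)\] (.*)$")
O4_STARTUP = re.compile(r"^O4 - (Global Startup|Startup): (.*?) = (.*)$")
DIR_LINE = re.compile(r"^\S+\s+\S+\s+\S+\s+([\d,]+)\s+(\S+)$")

# Constructed excerpt of the HijackThis log posted above (paths as posted).
SAMPLE_LOG = r"""Running processes:
C:\WINDOWS\system32\winlogon.exe
C:\Program Files\DivX\DivX Update\DivXUpdate.exe
C:\Documents and Settings\Jatin_soni\Application Data\winlogon\winlogon.exe
C:\Documents and Settings\Jatin_soni\Application Data\932681587.exe
C:\Documents and Settings\All Users\Application Data\QuestScan\questscan137.exe

O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Jatin_soni\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - HKCU\..\Run: [winlogon.exe] C:\Documents and Settings\Jatin_soni\Application Data\winlogon\winlogon.exe
O4 - HKCU\..\Run: [TProtect] C:\Documents and Settings\Jatin_soni\Application Data\932681587.exe
O4 - Startup: Zorpia Notifier.lnk = C:\Program Files\Zorpia Notifier\Zorpia Notifier.exe
"""
# Constructed excerpt of the %APPDATA% `dir` listing posted above.
SAMPLE_DIR = r"""06/05/2011  01:02 PM    <DIR>          Microsoft
06/05/2011  01:02 PM           115,712 056999350.exe
06/05/2011  01:02 PM           115,712 062504927.exe
06/05/2011  01:02 PM           115,712 084424007.exe
06/05/2011  01:02 PM           115,712 154788733.exe
06/08/2011  09:15 AM             7,168 123456789.exe
"""

def image_path(value):
    # A Run value is either '"C:\x\y.exe" /flag' or a bare path with optional args.
    m = re.match(r'"([^"]+)"', value) or re.match(r"(.+?\.exe)(?:\s|$)", value, re.I)
    return m.group(1) if m else value.strip()

def reasons_for(path):
    """List the heuristics a path trips; an empty list means no concern."""
    low = path.lower()
    name = low.rsplit("\\", 1)[-1]
    found = []
    if name in SYSTEM_BINARIES and not low.startswith(SYSTEM_ROOT):
        found.append("core Windows binary name outside %SystemRoot%")
    if USER_WRITABLE.search(low):
        found.append("image lives in a user-writable profile directory")
    if RANDOM_NUMERIC.match(name):
        found.append("digit-only filename")
    return found

def triage_log(log_text):
    """Check the 'Running processes:' block and every O4 auto-start line of a
    HijackThis log; return one dict per entry tripping at least one heuristic."""
    hits, in_processes = [], False
    for raw in log_text.splitlines():
        line = raw.strip()
        if line == "Running processes:":
            in_processes = True
            continue
        if in_processes:
            if not line:                      # blank line closes the block
                in_processes = False
                continue
            source, path = "process", line
        elif (m := O4_RUN.match(line)):
            source, path = f"{m[1]}\\..\\Run [{m[2]}]", image_path(m[3])
        elif (m := O4_STARTUP.match(line)):
            source, path = f"{m[1]} {m[2]}", image_path(m[3])
        else:
            continue
        if (why := reasons_for(path)):
            hits.append({"source": source, "path": path, "reasons": why})
    return hits

def find_dropper_clones(dir_listing, min_count=3):
    """Group digit-only .exe names in a `dir` listing by size; several same-size
    random-named files written in one minute is one dropper copying itself.
    Returns {size_in_bytes: [names]} for clusters of at least min_count."""
    by_size = defaultdict(list)
    for raw in dir_listing.splitlines():
        m = DIR_LINE.match(raw.strip())
        if m and RANDOM_NUMERIC.match(m[2]):   # skips headers, <DIR>, totals
            by_size[int(m[1].replace(",", ""))].append(m[2])
    return {s: sorted(n) for s, n in by_size.items() if len(n) >= min_count}

if __name__ == "__main__":
    for h in triage_log(SAMPLE_LOG):
        print(len(h["reasons"]), h["source"], h["path"], h["reasons"])
    print(find_dropper_clones(SAMPLE_DIR))
```

On the posted log the two HKCU\..\Run values, [winlogon.exe] pointing at Application Data\winlogon\winlogon.exe and [TProtect] pointing at a numbered .exe, each trip two checks and are the entries to remove together with the files they point to; the Google Update entry trips only the user-writable check, which is the usual false positive from per-user installers, so the number of reasons is a priority, not a verdict. A clone cluster like the 115,712-byte files says the copies are most likely one binary; hashing them would confirm it.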
  • grinch2171
  • Moderator
  • Genius
  • Posts: 6807
  • Loc: Martinsburg, WV

Post 3+ Months Ago

Take a look at combofix. I have yet to have combofix not fix something.

http://www.bleepingcomputer.com/combofi ... e-combofix
  • WritingBadCode
  • Graduate
  • Posts: 214
  • Loc: Sweden

Post 3+ Months Ago

I suggest you format your computer.
  • premsoni0143
  • Banned
  • Posts: 30

Post 3+ Months Ago

WritingBadCode wrote:
I suggest you format your computer.


I know about formatting the PC, but I do not want to use this solution.
  • grinch2171
  • Moderator
  • Genius
  • Posts: 6807
  • Loc: Martinsburg, WV

Post 3+ Months Ago

WritingBadCode wrote:
I suggest you format your computer.


That is one of the worst solutions to ever suggest. Any PC can be cleaned if you know what you are doing. Formatting should be the absolute last thing you should do. I've had PCs so infected you couldn't do anything but look at your desktop; any attempt at opening anything was futile, as you would get bombarded with ads and messages telling you the administrator disabled that feature. It took several hours, but the PC was back up and running as good as ever.

premsoni, did you try combofix yet?
  • premsoni0143
  • Banned
  • Posts: 30

Post 3+ Months Ago

No, Mr. Grinch2171,

I did not use it because I read that ComboFix must be used under the supervision of a helper; otherwise it can create a big problem.
So I am waiting for someone's good answer.
And I have posted this same topic on the other website which was recommended to me earlier in this thread.

grinch2171 wrote:
WritingBadCode wrote:
I suggest you format your computer.


That is one of the worst solutions to ever suggest. Any PC can be cleaned if you know what you are doing. Formatting should be the absolute last thing you should do. I've had PCs so infected you couldn't do anything but look at your desktop; any attempt at opening anything was futile, as you would get bombarded with ads and messages telling you the administrator disabled that feature. It took several hours, but the PC was back up and running as good as ever.

premsoni, did you try combofix yet?
  • grinch2171
  • Moderator
  • Genius
  • Posts: 6807
  • Loc: Martinsburg, WV

Post 3+ Months Ago

Run combofix, seriously, it will fix your problem.
  • premsoni0143
  • Banned
  • Posts: 30

Post 3+ Months Ago

Please, before I run ComboFix, give me some details on how to use it.
I do not want to lose something important of mine.

grinch2171 wrote:
Run combofix, seriously, it will fix your problem.
  • grinch2171
  • Moderator
  • Genius
  • Posts: 6807
  • Loc: Martinsburg, WV

Post 3+ Months Ago

Read over the link I posted.

Start here:
http://www.bleepingcomputer.com/combofi ... mbofix#use
  • Bogey
  • Genius
  • Posts: 8388
  • Loc: USA

Post 3+ Months Ago

Restart your computer and run it in Safe Mode
Run ComboFix in Safe Mode
Post the prepared logfile here

I've never had ComboFix fix something it shouldn't have... every time I ran ComboFix, nothing happened to any of my files.
  • WritingBadCode
  • Graduate
  • Posts: 214
  • Loc: Sweden

Post 3+ Months Ago

grinch2171 wrote:
WritingBadCode wrote:
I suggest you format your computer.


That is one of the worst solutions to ever suggest. Any PC can be cleaned if you know what you are doing.



I don't agree that the solution was a bad one (before he said that he wanted something else, that is). A format would probably be his safest bet, but maybe not the most practical.

You say computers can normally be cleaned IF THE PERSON KNOWS WHAT HE/SHE IS DOING. I believe you! But would anyone who knows what he/she is doing have to ask for help? I don't think so.
  • premsoni0143
  • Banned
  • Posts: 30

Post 3+ Months Ago

OK, finally let me try ComboFix to fix my problem.

Another thing: will ComboFix run in cmd mode after the reboot? Because I have a broadband internet connection and ComboFix needs an active internet connection, but I can only make the internet active once I am in the graphical interface and make the connection.

Or will ComboFix run in the graphical interface?
  • Bogey
  • Genius
  • Posts: 8388
  • Loc: USA

Post 3+ Months Ago

WritingBadCode wrote:
grinch2171 wrote:
WritingBadCode wrote:
I suggest you format your computer.


That is one of the worst solutions to ever suggest. Any PC can be cleaned if you know what you are doing.



I don't agree that the solution was a bad one (before he said that he wanted something else, that is). A format would probably be his safest bet, but maybe not the most practical.

You say computers can normally be cleaned IF THE PERSON KNOWS WHAT HE/SHE IS DOING. I believe you! But would anyone who knows what he/she is doing have to ask for help? I don't think so.

So you format your computer after every infection you get? Even if that infection could be cleaned up by simply running an application?

You also think that Bill Gates never asks questions? Or you would have thought that they knew what they were doing when they were creating Windows Vista?

I think you should rethink that statement.


And if you don't know what you are doing, you would obviously ask for help and receive help. Imagine that every time you call tech support to help fix your computer the only answer you ever get is "Format your computer", because since you're asking, you don't know what you are doing, and since you don't know what you are doing you can't figure out how to follow directions from those that do.
  • premsoni0143
  • Banned
  • Posts: 30

Post 3+ Months Ago

My Dear Helpers,

Do not argue so much. Different people have different thinking.

So just let everyone think freely.

After using ComboFix, I will post the log, and whether I get a solution or not, I will also let you know.

Thanks.
Jatin
  • WritingBadCode
  • Graduate
  • Posts: 214
  • Loc: Sweden

Post 3+ Months Ago

Bogey wrote:
So you format your computer after every infection you get? Even if that infection could be cleaned up by simply running an application?


I never get (noticeable) infections (anything that an antivirus would be able to spot, at least). But yes, as long as I have a Windows CD, in the rare case I spot an active infection I would probably go for the format.


Bogey wrote:
You also think that Bill Gates never asks questions? Or you would have thought that they knew what they were doing when they were creating Windows Vista?

I think you should rethink that statement.


And if you don't know what you are doing, you would obviously ask for help and receive help. Imagine that every time you call tech support to help fix your computer the only answer you ever get is "Format your computer", because since you're asking, you don't know what you are doing, and since you don't know what you are doing you can't figure out how to follow directions from those that do.


Of course everyone asks questions. I ask a lot about programming and I appreciate all the help I can get. I think learning is good, but when it comes to private information people should stay away from gambling; that is their choice of course. I'm just curious how someone who doesn't know what to look for, can't spot altered files, doesn't have a clue about all the files that are running, can't locate hidden startups, doesn't understand the registry well etc., can judge if their system is clean or not. Maybe someone can tell me?

While the computer may stop restarting, he could still have an active infection; how does one tell? While the antivirus says the computer is clean, HE CAN STILL HAVE AN INFECTION. It happens all the time. A format is an easy way and probably the most secure way for those who aren't Windows experts.

I'm not saying my solution was the only one or a perfect solution. I can see why someone would want other solutions than a format, but it is one of many options. Since he explicitly asks for another solution, then fine. My solution was just one among others.
  • premsoni0143
  • Banned
  • Posts: 30

Post 3+ Months Ago

Dear All,

Good news... I think my problem is solved after using ComboFix (hehe... I was not able to use the internet in Safe Mode, so I could not download the Windows Recovery Console...).

Please check the log file generated below and let me know if there is anything else I have to do.

ComboFix 11-06-15.02 - Administrator 06/16/2011 11:20:58.1.2 - x86 NETWORK
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1013.667 [GMT 5.5:30]
Running from: I:\ComboFix.exe
FW: Trend Micro Firewall Booster *Disabled* {3E790E9E-6A5D-4303-A7F9-185EC20F3EB6}
.
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
c:\documents and settings\All Users\Application Data\2ACA5CC3-0F83-453D-A079-1076FE1A8B65
c:\documents and settings\All Users\Application Data\AMMYY
c:\documents and settings\All Users\Application Data\AMMYY\settings.bin
c:\documents and settings\All Users\Application Data\HBLiteSA
c:\documents and settings\All Users\Application Data\HBLiteSA\HBLiteSA.dat
c:\documents and settings\All Users\Application Data\HBLiteSA\HBLiteSA_kyf.dat
c:\documents and settings\All Users\Application Data\HBLiteSA\HBLiteSAAbout.mht
c:\documents and settings\All Users\Application Data\HBLiteSA\HBLiteSAau.dat
c:\documents and settings\All Users\Application Data\HBLiteSA\HBLiteSAEULA.mht
c:\documents and settings\All Users\Start Menu\Programs\Hotbar
c:\documents and settings\All Users\Start Menu\Programs\ShopperReports
c:\documents and settings\All Users\Start Menu\Programs\ShopperReports\About Us.lnk
c:\documents and settings\All Users\Start Menu\Programs\ShopperReports\Customer Support.lnk
c:\documents and settings\All Users\Start Menu\Programs\ShopperReports\ShopperReports Uninstall Instructions.lnk
c:\documents and settings\Jatin_soni\Application Data\012791416.exe
c:\documents and settings\Jatin_soni\Application Data\279516120.exe
c:\documents and settings\Jatin_soni\Application Data\405291786.exe
c:\documents and settings\Jatin_soni\Application Data\536164842.exe
c:\documents and settings\Jatin_soni\Application Data\785016970.exe
c:\documents and settings\Jatin_soni\Application Data\960393682.exe
c:\documents and settings\Jatin_soni\Application Data\AdVantage
c:\documents and settings\Jatin_soni\Application Data\HBLite
c:\documents and settings\Jatin_soni\Application Data\PriceGong
c:\documents and settings\Jatin_soni\Application Data\PriceGong\Data\1.xml
c:\documents and settings\Jatin_soni\Application Data\PriceGong\Data\a.xml
c:\documents and settings\Jatin_soni\Application Data\PriceGong\Data\b.xml
c:\documents and settings\Jatin_soni\Application Data\PriceGong\Data\c.xml
c:\documents and settings\Jatin_soni\Application Data\PriceGong\Data\d.xml
c:\documents and settings\Jatin_soni\Application Data\PriceGong\Data\e.xml
c:\documents and settings\Jatin_soni\Application Data\PriceGong\Data\f.xml
c:\documents and settings\Jatin_soni\Application Data\PriceGong\Data\g.xml
c:\documents and settings\Jatin_soni\Application Data\PriceGong\Data\h.xml
c:\documents and settings\Jatin_soni\Application Data\PriceGong\Data\i.xml
c:\documents and settings\Jatin_soni\Application Data\PriceGong\Data\J.xml
c:\documents and settings\Jatin_soni\Application Data\PriceGong\Data\k.xml
c:\documents and settings\Jatin_soni\Application Data\PriceGong\Data\l.xml
c:\documents and settings\Jatin_soni\Application Data\PriceGong\Data\m.xml
c:\documents and settings\Jatin_soni\Application Data\PriceGong\Data\mru.xml
c:\documents and settings\Jatin_soni\Application Data\PriceGong\Data\n.xml
c:\documents and settings\Jatin_soni\Application Data\PriceGong\Data\o.xml
c:\documents and settings\Jatin_soni\Application Data\PriceGong\Data\p.xml
c:\documents and settings\Jatin_soni\Application Data\PriceGong\Data\q.xml
c:\documents and settings\Jatin_soni\Application Data\PriceGong\Data\r.xml
c:\documents and settings\Jatin_soni\Application Data\PriceGong\Data\s.xml
c:\documents and settings\Jatin_soni\Application Data\PriceGong\Data\t.xml
c:\documents and settings\Jatin_soni\Application Data\PriceGong\Data\u.xml
c:\documents and settings\Jatin_soni\Application Data\PriceGong\Data\v.xml
c:\documents and settings\Jatin_soni\Application Data\PriceGong\Data\w.xml
c:\documents and settings\Jatin_soni\Application Data\PriceGong\Data\x.xml
c:\documents and settings\Jatin_soni\Application Data\PriceGong\Data\y.xml
c:\documents and settings\Jatin_soni\Application Data\PriceGong\Data\z.xml
c:\documents and settings\Jatin_soni\Application Data\ShopperReports3
c:\documents and settings\Jatin_soni\Application Data\ShopperReports3\Firefox\cs\Config.xml
c:\documents and settings\Jatin_soni\Application Data\ShopperReports3\Firefox\cs\db\Aliases.dbs
c:\documents and settings\Jatin_soni\Application Data\ShopperReports3\Firefox\cs\db\Sites.dbs
c:\documents and settings\Jatin_soni\Application Data\ShopperReports3\Firefox\cs\dwld\WhiteList.xip
c:\documents and settings\Jatin_soni\Application Data\ShopperReports3\Firefox\cs\report\aggr_storage.xml
c:\documents and settings\Jatin_soni\Application Data\ShopperReports3\Firefox\cs\report\send_storage.xml
c:\documents and settings\Jatin_soni\Application Data\ShopperReports3\Firefox\cs\res1\WhiteList.dbs
c:\documents and settings\Jatin_soni\Application Data\ShopperReports3\IE\cs\Config.xml
c:\documents and settings\Jatin_soni\Application Data\ShopperReports3\IE\cs\db\Aliases.dbs
c:\documents and settings\Jatin_soni\Application Data\ShopperReports3\IE\cs\dwld\WhiteList.xip
c:\documents and settings\Jatin_soni\Application Data\ShopperReports3\IE\cs\report\aggr_storage.xml
c:\documents and settings\Jatin_soni\Application Data\ShopperReports3\IE\cs\report\send_storage.xml
c:\documents and settings\Jatin_soni\Application Data\ShopperReports3\IE\cs\res1\WhiteList.dbs
c:\documents and settings\Jatin_soni\Application Data\WinLogon
c:\documents and settings\Jatin_soni\Application Data\WinLogon\winlogon.exe
c:\documents and settings\Jatin_soni\WINDOWS
c:\downloads\Software\TorrentEasy-tbkresources-hacking-revealed-5cds-cbt-learnkey.exe
c:\program files\HBLite
c:\program files\HBLite\bin\11.0.363.0\firefox\extensions\install.rdf
c:\program files\ShopperReports3
c:\program files\ShopperReports3\bin\3.0.517.0\CnTNtcntr.dll
c:\program files\ShopperReports3\bin\3.0.517.0\firefox\firefoxtoolbar\extensions\chrome.manifest
c:\program files\ShopperReports3\bin\3.0.517.0\firefox\firefoxtoolbar\extensions\chrome\firefoxtoolbar.jar
c:\program files\ShopperReports3\bin\3.0.517.0\firefox\firefoxtoolbar\extensions\components\BRNstFF.dll
c:\program files\ShopperReports3\bin\3.0.517.0\firefox\firefoxtoolbar\extensions\components\BRNstFF.xpt
c:\program files\ShopperReports3\bin\3.0.517.0\firefox\firefoxtoolbar\extensions\install.rdf
c:\program files\ShopperReports3\bin\3.0.517.0\link.ico
.
.
((((((((((((((((((((((((( Files Created from 2011-05-16 to 2011-06-16 )))))))))))))))))))))))))))))))
.
.
2011-06-15 13:17 . 2011-06-15 13:20 -------- d-----w- C:\bd_logs
2011-06-15 06:18 . 2011-06-16 05:40 -------- d-----w- c:\documents and settings\Administrator
2011-06-13 22:04 . 2011-06-13 22:04 -------- d-----w- c:\windows\FTPTEMP
2011-06-13 22:03 . 2011-06-13 22:03 -------- d-----w- c:\documents and settings\All Users\Application Data\MicroWorld
2011-06-12 10:15 . 2011-03-21 13:56 143872 ----a-w- c:\windows\system32\xvid.ax
2011-06-12 10:15 . 2011-03-19 15:06 240640 ----a-w- c:\windows\system32\xvidvfw.dll
2011-06-12 10:15 . 2011-03-19 15:04 650752 ----a-w- c:\windows\system32\xvidcore.dll
2011-06-12 10:15 . 2011-06-12 10:15 -------- d-----w- c:\program files\Xvid
2011-06-12 10:01 . 2011-06-14 04:04 -------- d-----w- c:\program files\QuestScan
2011-06-12 10:01 . 2011-06-14 03:00 -------- d-----w- c:\documents and settings\All Users\Application Data\QuestScan
2011-06-12 08:46 . 2011-06-16 04:41 -------- d-----w- c:\documents and settings\Jatin_soni\Application Data\vlc
2011-06-12 08:30 . 2011-06-12 10:41 -------- d-----w- c:\documents and settings\Jatin_soni\Local Settings\Application Data\Graboid
2011-06-12 08:30 . 2011-06-12 08:30 -------- d-----w- c:\documents and settings\Jatin_soni\Local Settings\Application Data\Geckofx
2011-06-12 08:25 . 2011-06-12 08:25 -------- d-----w- c:\program files\VideoLAN
2011-06-12 08:25 . 2011-06-12 08:29 -------- d-----w- c:\program files\Graboid
2011-06-12 06:06 . 2011-06-12 06:06 -------- d-----w- c:\documents and settings\Jatin_soni\Local Settings\Application Data\Stardock
2011-06-12 06:06 . 2011-06-12 06:06 -------- d-----w- c:\program files\Zorpia Notifier
2011-06-12 06:06 . 2011-06-12 06:06 -------- d-----w- c:\windows\Zorpia Notifier
2011-06-11 14:46 . 2011-06-11 14:46 -------- d-----w- c:\documents and settings\Jatin_soni\Application Data\DDMSettings
2011-06-11 14:41 . 2011-06-12 05:32 -------- d-----w- c:\documents and settings\Jatin_soni\Application Data\DivX
2011-06-11 14:39 . 2011-06-11 14:39 -------- d-----w- c:\program files\Common Files\DivX Shared
2011-06-11 14:31 . 2011-06-11 14:41 -------- d-----w- c:\program files\DivX
2011-06-11 14:27 . 2011-06-11 14:41 -------- d-----w- c:\documents and settings\All Users\Application Data\DivX
2011-06-08 06:28 . 2011-06-08 06:28 -------- d-----w- c:\program files\Apache Software Foundation
2011-06-08 06:12 . 2011-06-08 06:12 -------- d-----w- c:\documents and settings\Jatin_soni\Local Settings\Application Data\Sun
2011-06-05 03:56 . 2011-06-15 18:46 -------- d-----w- c:\documents and settings\Jatin_soni\Local Settings\Application Data\ConduitEngine
2011-06-05 03:56 . 2011-06-05 03:56 -------- d-----w- c:\program files\ConduitEngine
2011-06-05 03:56 . 2011-06-05 03:56 0 ----a-w- c:\windows\system32\ConduitEngine.tmp
2011-06-04 16:44 . 2011-06-04 16:44 -------- d-----w- c:\documents and settings\Jatin_soni\Local Settings\Application Data\Help
2011-05-30 08:20 . 2011-05-30 08:20 -------- d-----w- C:\Export
2011-05-30 05:30 . 2011-06-06 04:04 -------- d-----w- c:\documents and settings\Jatin_soni\Application Data\Offline Explorer
2011-05-30 05:27 . 2011-06-13 10:07 -------- d-----w- c:\program files\Offline Explorer Enterprise
2011-05-28 19:13 . 2011-05-28 19:13 -------- d-----w- C:\archive_db
2011-05-28 03:56 . 2011-05-28 03:56 -------- d-----w- c:\program files\DVD_Generator
2011-05-27 05:56 . 2011-05-27 05:56 -------- d-----w- c:\program files\microsoft (dot) net
2011-05-26 08:15 . 2011-05-26 08:15 -------- d-sh--w- c:\documents and settings\Jatin_soni\IECompatCache
2011-05-26 08:11 . 2011-05-26 08:11 -------- d-sh--w- c:\documents and settings\Jatin_soni\PrivacIE
2011-05-25 05:51 . 2011-05-25 05:51 -------- d-sh--w- c:\documents and settings\NetworkService\IETldCache
2011-05-25 05:51 . 2011-05-25 05:51 -------- d-sh--w- c:\documents and settings\Jatin_soni\IETldCache
2011-05-25 05:25 . 2011-05-25 05:29 -------- dc-h--w- c:\windows\ie8
2011-05-25 05:12 . 2011-05-25 05:12 -------- d-----w- c:\documents and settings\All Users\Application Data\Remote Manipulator Files
2011-05-24 02:55 . 2011-05-24 03:05 -------- d-----w- c:\program files\FBP - Facebook Blaster Pro
2011-05-22 06:53 . 2011-05-22 06:53 -------- d--h--w- c:\windows\PIF
2011-05-22 06:53 . 2011-05-22 07:03 -------- d-----w- c:\program files\Runtime Software
2011-05-20 02:17 . 2009-12-09 03:52 104704 ----a-w- c:\windows\system32\drivers\CT_ZTEMT_U_USBSER.sys
2011-05-20 02:17 . 2011-05-20 02:17 -------- d-----w- c:\program files\Reliance Netconnect - Broadband+
2011-05-18 03:08 . 2011-05-18 03:08 -------- d-----w- c:\documents and settings\Jatin_soni\Application Data\TightVNC
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2011-06-13 03:02 . 2011-04-27 06:26 102400 ----a-w- c:\windows\RegBootClean.exe
2011-05-17 02:24 . 2011-05-17 02:24 404640 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-05-12 02:47 . 2011-05-12 02:47 295424 ----a-w- c:\windows\system32\bwmedia1.dll
2011-05-12 02:47 . 2011-05-12 02:47 150016 ----a-w- c:\windows\system32\bwmedia.dll
2011-04-16 16:35 . 2011-04-16 16:50 341072 ----a-w- c:\windows\system32\drivers\TM_CFW.sys
2011-04-16 16:35 . 2011-04-16 16:37 92112 ----a-w- c:\windows\system32\drivers\tmtdi.sys
2011-04-16 16:35 . 2011-04-16 16:37 80464 ----a-w- c:\windows\system32\drivers\tmactmon.sys
2011-04-16 16:35 . 2011-04-16 16:37 64080 ----a-w- c:\windows\system32\drivers\tmevtmgr.sys
2011-04-16 16:35 . 2011-04-16 16:37 189520 ----a-w- c:\windows\system32\drivers\tmcomm.sys
2011-03-27 17:07 . 2011-03-27 17:07 73728 ----a-w- c:\windows\system32\javacpl.cpl
2011-03-27 17:07 . 2011-03-27 17:07 472808 ----a-w- c:\windows\system32\deployJava1.dll
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{30F9B915-B755-4826-820B-08FBA6BD249D}]
2011-04-03 08:27 254760 ----a-w- c:\documents and settings\Jatin_soni\Local Settings\Application Data\ConduitEngine\ldrConduitEngine.dll
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{bf7380fa-e3b4-4db2-af3e-9d8783a45bfc}]
2011-03-28 16:22 176936 ----a-w- c:\program files\uTorrentBar\prxtbuTo0.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{bf7380fa-e3b4-4db2-af3e-9d8783a45bfc}"= "c:\program files\uTorrentBar\prxtbuTo0.dll" [2011-03-28 176936]
.
[HKEY_CLASSES_ROOT\clsid\{bf7380fa-e3b4-4db2-af3e-9d8783a45bfc}]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-07-11 131072]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-07-11 155648]
"Persistence"="c:\windows\system32\igfxpers.exe" [2007-07-11 131072]
"RTHDCPL"="RTHDCPL.EXE" [2007-07-11 16132608]
"Trend Micro Titanium"="c:\program files\Trend Micro\Titanium\UIFramework\uiWinMgr.exe" [2011-02-17 1111568]
"Trend Micro Client Framework"="c:\program files\Trend Micro\UniClient\UiFrmWrk\UIWatchDog.exe" [2011-02-10 116752]
.
c:\documents and settings\Jatin_soni\Start Menu\Programs\Startup\
Zorpia Notifier.lnk - c:\program files\Zorpia Notifier\Zorpia Notifier.exe [2007-5-2 1119744]
.
[HKLM\~\startupfolder\C:^Documents and Settings^Jatin_soni^Start Menu^Programs^Startup^MagicDisc.lnk]
path=c:\documents and settings\Jatin_soni\Start Menu\Programs\Startup\MagicDisc.lnk
backup=c:\windows\pss\MagicDisc.lnkStartup
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
c:\windows\system32\dumprep 0 -k [X]
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DivXUpdate]
2011-03-21 18:56 1230704 ----a-w- c:\program files\DivX\DivX Update\DivXUpdate.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Free Download Manager - RCS]
2009-01-28 12:25 53248 ----a-w- c:\program files\Free Download Manager\fdmwi.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Update]
2011-03-06 10:50 136176 ----atw- c:\documents and settings\Jatin_soni\Local Settings\Application Data\Google\Update\GoogleUpdate.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\googletalk]
2007-01-01 21:22 3739648 ----a-w- c:\program files\Google\Google Talk\googletalk.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ICQ]
2011-04-24 10:08 124216 ----a-w- c:\program files\ICQ7.5\ICQ.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Messenger (Yahoo!)]
2010-06-01 04:47 5252408 ----a-w- c:\program files\Yahoo!\Messenger\YahooMessenger.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2008-04-14 00:12 1695232 ------w- c:\program files\Messenger\msmsgs.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr]
2010-04-16 16:42 3872080 ----a-w- c:\program files\Windows Live\Messenger\msnmsgr.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2010-11-29 12:08 421888 ----a-w- c:\program files\QuickTime\QTTask.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
2011-04-01 12:47 15145352 ----a-r- c:\program files\Skype\Phone\Skype.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SkyTel]
2007-07-11 04:07 1826816 ------r- c:\windows\SkyTel.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Spark]
2007-11-14 07:22 434176 ----a-w- c:\program files\Spark\Spark.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2010-10-29 09:19 249064 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\uTorrent]
2011-03-07 03:28 396152 ----a-w- c:\program files\uTorrent\uTorrent.exe
.
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"WinVNC4"=2 (0x2)
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendFirewall]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Google\\Google Talk\\googletalk.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Microsoft Office\\Office14\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office14\\ONENOTE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office14\\OUTLOOK.EXE"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\TeamViewer\\Version5\\TeamViewer.exe"=
"c:\\Program Files\\TeamViewer\\Version6\\TeamViewer.exe"=
"c:\\Program Files\\TeamViewer\\Version6\\TeamViewer_Service.exe"=
"c:\\Documents and Settings\\Jatin_soni\\Local Settings\\Application Data\\Google\\Google Talk Plugin\\googletalkplugin.exe"=
"c:\\Program Files\\VMware\\VMware Workstation\\vmware-authd.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\ICQ7.5\\ICQ.exe"=
"c:\\Program Files\\Tencent\\QQMusic\\QzoneMusic\\QzoneMusic.exe"=
.
R3 tmcfw;Trend Micro Common Firewall Service;c:\windows\system32\drivers\TM_CFW.sys [4/16/2011 10:20 PM 341072]
S2 Amsp;Trend Micro Solution Platform;c:\program files\Trend Micro\AMSP\coreServiceShell.exe [4/16/2011 10:06 PM 188272]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\microsoft (dot) net\Framework\v4.0.30319\mscorsvw.exe [3/18/2010 1:16 PM 130384]
S2 QuestScan Service;QuestScan Service;c:\documents and settings\All Users\Application Data\QuestScan\questscan137.exe [6/14/2011 8:30 AM 45056]
S2 TeamViewer6;TeamViewer 6;c:\program files\TeamViewer\Version6\TeamViewer_Service.exe [4/15/2011 3:13 PM 2280312]
S2 tmevtmgr;tmevtmgr;c:\windows\system32\drivers\tmevtmgr.sys [4/16/2011 10:07 PM 64080]
S2 UDisk Monitor;UDisk Monitor;c:\program files\Reliance Netconnect - Broadband+\bin\MonServiceUDisk.exe [5/20/2011 7:47 AM 512000]
S2 vmci;VMware vmci;c:\windows\system32\drivers\vmci.sys [10/22/2009 5:00 AM 70704]
S2 VMUSBArbService;VMware USB Arbitration Service;c:\program files\Common Files\VMware\USB\vmware-usbarbitrator.exe [10/22/2009 3:47 AM 563760]
S3 Microsoft SharePoint Workspace Audit Service;Microsoft SharePoint Workspace Audit Service;c:\program files\Microsoft Office\Office14\GROOVE.EXE [3/25/2010 10:25 AM 30969208]
S3 osppsvc;Office Software Protection Platform;c:\program files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE [1/9/2010 9:37 PM 4640000]
S3 Tomcat6;Apache Tomcat 6;c:\program files\Apache Software Foundation\Tomcat 6.0\bin\tomcat6.exe [2/3/2011 12:34 AM 74240]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\microsoft (dot) net\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [3/18/2010 1:16 PM 753504]
S3 ztemtusbser;ZTEMT Legacy Serial Communication;c:\windows\system32\drivers\CT_ZTEMT_U_USBSER.sys [5/20/2011 7:47 AM 104704]
S4 TeamViewer5;TeamViewer 5;c:\program files\TeamViewer\Version5\TeamViewer_Service.exe [1/12/2010 8:27 PM 185640]
.
--- Other Services/Drivers In Memory ---
.
*NewlyCreated* - MNMSRVC
.
Contents of the 'Scheduled Tasks' folder
.
2011-06-15 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 07:04]
.
2011-06-15 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1085031214-448539723-1606980848-1003Core.job
- c:\documents and settings\Jatin_soni\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-03-06 10:50]
.
2011-06-16 c:\windows\Tasks\GoogleUpdateTaskUserS-1-5-21-1085031214-448539723-1606980848-1003UA.job
- c:\documents and settings\Jatin_soni\Local Settings\Application Data\Google\Update\GoogleUpdate.exe [2011-03-06 10:50]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google (dot) come/
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office14\EXCEL.EXE/3000
IE: Se&nd to OneNote - c:\progra~1\MICROS~2\Office14\ONBttnIE.dll/105
IE: {{7578ADEA-D65F-4C89-A249-B1C88B6FFC20} - c:\program files\ICQ7.5\ICQ.exe
LSP: c:\program files\VMware\VMware Workstation\vsocklib.dll
TCP: Interfaces\{7BA8878B-2BE5-4D7C-BE0A-B8D4221EC9CE}: NameServer = 218.248.255.212 218.248.241.2
TCP: Interfaces\{D439F32A-F67F-4B2E-BEE0-E2651FBE6AF4}: NameServer = 218.248.255.212,218.248.255.135
FF - ProfilePath - c:\documents and settings\Administrator\Application Data\Mozilla\Firefox\Profiles\g384o2mu.default\
FF - prefs.js: keyword.URL - hxxp://www.questscan (dot) com/?tmp=nemo_results_removelink&prt=QstscanPB&keywords=
FF - Ext: Default: {972ce4c6-7e08-4474-a285-3208198ce6fd} - c:\program files\Mozilla Firefox\extensions\{972ce4c6-7e08-4474-a285-3208198ce6fd}
FF - Ext: Java Console: {CAFEEFAC-0015-0000-0022-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0015-0000-0022-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0020-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}
FF - Ext: Java Console: {CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA} - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA}
FF - Ext: QuestScan: {F0E1168A-B4B5-484C-B77E-0D28E6B64096} - c:\program files\Mozilla Firefox\extensions\{F0E1168A-B4B5-484C-B77E-0D28E6B64096}
FF - Ext: Java Quick Starter: jqs (at) sun (dot) com - c:\program files\Java\jre6\lib\deploy\jqs\ff
FF - Ext: Trend Micro NSC Firefox Extension: {22C7F6C6-8D67-4534-92B5-529A0EC09405} - c:\program files\Trend Micro\AMSP\Module\20004\1.5.1464\6.6.1079\firefoxextension
FF - Ext: DivX Plus Web Player HTML5 <video>: {23fcfd51-4958-4f00-80a3-ae97e717ed8b} - c:\program files\DivX\DivX Plus Web Player\firefox\html5video
FF - Ext: DivX HiQ: {6904342A-8307-11DF-A508-4AE2DFD72085} - c:\program files\DivX\DivX Plus Web Player\firefox\wpa
.
.
------- File Associations -------
.
txtfile=c:\windows\notepad.exe %1
.
- - - - ORPHANS REMOVED - - - -
.
HKLM-Run-SunJavaUpdateSched - c:\program files\Java\jre6\bin\jusched.exe
MSConfigStartUp-NBAgent - c:\program files\Nero\Nero 10\Nero BackItUp\NBAgent.exe
MSConfigStartUp-SoftGridTray - c:\program files\Microsoft Application Virtualization Client\SFTTray.exe
MSConfigStartUp-Software Informer - c:\program files\Software Informer\softinfo.exe
MSConfigStartUp-TorrentEasy_cac8ce097f075e89d8e6d6065b702f3abab940b8 - c:\downloads\Software\TorrentEasy-tbkresources-hacking-revealed-5cds-cbt-learnkey.exe
MSConfigStartUp-TProtect - c:\documents and settings\Jatin_soni\Application Data\870028480.exe
AddRemove-HBLiteSA - c:\program files\HBLite\bin\11.0.363.0\HBLiteUninstaller.exe
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer (dot) net
Rootkit scan 2011-06-16 11:26
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-1085031214-448539723-1606980848-500\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (Administrator)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,3c,2b,4f,78,99,63,23,4f,b5,60,d1,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,3c,2b,4f,78,99,63,23,4f,b5,60,d1,\
.
Completion time: 2011-06-16 11:29:12
ComboFix-quarantined-files.txt 2011-06-16 05:59
.
Pre-Run: 3,821,457,408 bytes free
Post-Run: 4,523,962,368 bytes free
.
- - End Of File - - 8C58892750806D9E79A804207139664F
  • premsoni0143
  • Banned
  • Banned
  • premsoni0143
  • Posts: 30

Post 3+ Months Ago

Dear Mr. "WritingBadCode" and other Helpers,

First, I am very thankful that you showed me the way to solve the problem; at last it's done, as you said, by myself.

Please let me say something: I am not a person who does not know anything about the O.S. I am also an IT Support Engineer and have been working for the last 8+ months.

If I decide the only way is to format, it means I am stopping myself from learning something new; it's the last solution, when you have tired of everything else.

I checked everything myself; if you go back and see my 2nd post, you will find the steps I have taken. I have also written in the 1st post what steps I took: I used the Quick Heal latest boot scan with the Emergency CD, the Quick Heal command line scanner, the E-Scan Live CD scanner, the Bitdefender Live CD scanner, etc.

So please, if you are not interested in learning something, do not come to stop others or teach the worst solution. I am sorry if I have said too much.

I wish to have my own team of IT support friends soon, which will deal online directly, free of charge. I am finding team members for it.

Thanks & Regards
Jatin
IT Technical Support Engineer
India
  • grinch2171
  • Moderator
  • Genius
  • User avatar
  • Posts: 6807
  • Loc: Martinsburg, WV

Post 3+ Months Ago

You can run ComboFix in regular mode. It is not a necessity to run it in Safe Mode. So if you want to be double sure you are clean, run it again.
  • Bogey
  • Genius
  • Genius
  • Bogey
  • Posts: 8388
  • Loc: USA

Post 3+ Months Ago

Seems like it cleaned a lot of junk there :)

c:\windows\RegBootClean.exe

Not sure if that was deleted or not, but it's listed under the Find3M Report and Google tells me it's malware.

Post Information

  • Total Posts in this topic: 20 posts