Computer Restart Anytime Bcz of Virus

Dear All,

Below is my HiJieck Log, please help me to solve this Restarting Problem which is bcz of Trojen or Virus.

I have tried Quick Heal Live CD , Command line scanner and using Trend Micro Anti Virus still can not solve this problem. It can not detect.

Also I have tried EScan Live CD , Feb updated. no effect still.

Also used , House Cell , but still in the meanwhile processing, restart Computer.

Logfile of HijackThis v1.99.1
Scan saved at 9:48:03 AM, on 6/14/2011
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Trend Micro\Titanium\plugin\TMAS\TMAS_OE\TMAS_OEMon.exe
C:\Program Files\DivX\DivX Update\DivXUpdate.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Zorpia Notifier\Zorpia Notifier.exe
C:\Documents and Settings\Jatin_soni\Application Data\winlogon\winlogon.exe
C:\Documents and Settings\Jatin_soni\Application Data\932681587.exe
C:\Program Files\Trend Micro\AMSP\coreServiceShell.exe
C:\Program Files\Trend Micro\UniClient\UiFrmWrk\uiWatchDog.exe
C:\Program Files\Trend Micro\AMSP\coreFrameworkHost.exe
C:\Program Files\Trend Micro\UniClient\UiFrmWrk\uiSeAgnt.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Documents and Settings\All Users\Application Data\QuestScan\questscan137.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\TeamViewer\Version5\TeamViewer_Service.exe
C:\Program Files\TeamViewer\Version6\TeamViewer_Service.exe
C:\Program Files\Reliance Netconnect - Broadband+\bin\MonServiceUDisk.exe
C:\Program Files\Common Files\VMware\USB\vmware-usbarbitrator.exe
C:\WINDOWS\system32\vmnat.exe
C:\WINDOWS\system32\vmnetdhcp.exe
C:\Program Files\VMware\VMware Workstation\vmware-authd.exe
C:\Program Files\QuestScan\questscan.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Tencent\QQIntl\Bin\QQ.exe
C:\Program Files\Tencent\QQIntl\Bin\TXPlatform.exe
C:\Program Files\Mozilla Firefox\plugin-container.exe
C:\PROGRA~1\FREEDO~1\fdm.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go (dot) microsoft (dot) come/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go (dot) microsoft (dot) come/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go (dot) microsoft (dot) come/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go (dot) microsoft (dot) come/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www (dot)rcom (dot) co (dot)in/Communications/rcom/RNetconnect/9374475247.html
R3 - URLSearchHook: uTorrentBar Toolbar - {bf7380fa-e3b4-4db2-af3e-9d8783a45bfc} - C:\Program Files\uTorrentBar\prxtbuTo0.dll
R3 - URLSearchHook: (no name) - - (no file)
O2 - BHO: ShopperReports - {100EB1FD-D03E-47fd-81F3-EE91287F9465} - (no file)
O2 - BHO: Trend Micro NSC BHO - {1CA1377B-DC1D-4A52-9585-6E06050FAC53} - C:\Program Files\Trend Micro\AMSP\Module\20004\1.5.1464\6.6.1079\TmIEPlg.dll
O2 - BHO: Conduit Engine - {30F9B915-B755-4826-820B-08FBA6BD249D} - C:\Documents and Settings\Jatin_soni\Local Settings\Application Data\ConduitEngine\ldrConduitEngine.dll
O2 - BHO: Increase performance and video formats for your HTML5 <video> - {326E768D-4182-46FD-9C16-1449A49795F4} - C:\Program Files\DivX\DivX Plus Web Player\npdivx32.dll
O2 - BHO: Use the DivX Plus Web Player to watch web videos with less interruptions and smoother playback on supported sites - {593DDEC6-7468-4cdd-90E1-42DADAA222E9} - C:\Program Files\DivX\DivX Plus Web Player\npdivx32.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office14\GROOVEEX.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: URLRedirectionBHO - {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\PROGRA~1\MICROS~2\Office14\URLREDIR.DLL
O2 - BHO: TmBpIeBHO - {BBACBAFD-FA5E-4079-8B33-00EB9F13D4AC} - C:\Program Files\Trend Micro\AMSP\Module\20002\6.5.1234\6.5.1234\TmBpIe32.dll
O2 - BHO: uTorrentBar - {bf7380fa-e3b4-4db2-af3e-9d8783a45bfc} - C:\Program Files\uTorrentBar\prxtbuTo0.dll
O2 - BHO: FDMIECookiesBHO Class - {CC59E0F9-7E43-44FA-9FAA-8377850BF205} - C:\Program Files\Free Download Manager\iefdm2.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: uTorrentBar Toolbar - {bf7380fa-e3b4-4db2-af3e-9d8783a45bfc} - C:\Program Files\uTorrentBar\prxtbuTo0.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [Trend Micro Titanium] C:\Program Files\Trend Micro\Titanium\UIFramework\uiWinMgr.exe -set Silent "1" SplashURL ""
O4 - HKLM\..\Run: [OE] "C:\Program Files\Trend Micro\Titanium\plugin\TMAS\TMAS_OE\TMAS_OEMon.exe"
O4 - HKLM\..\Run: [Trend Micro Client Framework] "C:\Program Files\Trend Micro\UniClient\UiFrmWrk\UIWatchDog.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [DivXUpdate] "C:\Program Files\DivX\DivX Update\DivXUpdate.exe" /CHECKNOW
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [uTorrent] "C:\Program Files\uTorrent\uTorrent.exe"
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [Google Update] "C:\Documents and Settings\Jatin_soni\Local Settings\Application Data\Google\Update\GoogleUpdate.exe" /c
O4 - HKCU\..\Run: [winlogon.exe] C:\Documents and Settings\Jatin_soni\Application Data\winlogon\winlogon.exe
O4 - HKCU\..\Run: [TProtect] C:\Documents and Settings\Jatin_soni\Application Data\932681587.exe
O4 - Startup: Zorpia Notifier.lnk = C:\Program Files\Zorpia Notifier\Zorpia Notifier.exe
O8 - Extra context menu item: + Offline &Explorer: Download the link - file://C:\Program Files\Offline Explorer Enterprise\Add_UrlO.htm
O8 - Extra context menu item: + Offline E&xplorer: Download the current page - file://C:\Program Files\Offline Explorer Enterprise\Add_AllO.htm
O8 - Extra context menu item: Download all with Free Download Manager - file://C:\Program Files\Free Download Manager\dlall.htm
O8 - Extra context menu item: Download selected with Free Download Manager - file://C:\Program Files\Free Download Manager\dlselected.htm
O8 - Extra context menu item: Download video with Free Download Manager - file://C:\Program Files\Free Download Manager\dlfvideo.htm
O8 - Extra context menu item: Download with Free Download Manager - file://C:\Program Files\Free Download Manager\dllink.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office14\EXCEL.EXE/3000
O8 - Extra context menu item: Se&nd to OneNote - res://C:\PROGRA~1\MICROS~2\Office14\ONBttnIE.dll/105
O8 - Extra context menu item: QQ - C:\Program Files\Tencent\QQIntl\Bin\AddEmotion.htm
O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office14\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: Se&nd to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office14\ONBttnIE.dll
O9 - Extra button: ICQ7.5 - {7578ADEA-D65F-4C89-A249-B1C88B6FFC20} - C:\Program Files\ICQ7.5\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ7.5 - {7578ADEA-D65F-4C89-A249-B1C88B6FFC20} - C:\Program Files\ICQ7.5\ICQ.exe
O9 - Extra button: OneNote Lin&ked Notes - {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - C:\Program Files\Microsoft Office\Office14\ONBttnIELinkedNotes.dll
O9 - Extra 'Tools' menuitem: OneNote Lin&ked Notes - {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - C:\Program Files\Microsoft Office\Office14\ONBttnIELinkedNotes.dll
O9 - Extra button: ShopperReports - Compare product prices - {C5428486-50A0-4a02-9D20-520B59A9F9B2} - C:\Program Files\ShopperReports3\bin\3.0.517.0\ShopperReports.dll (file missing)
O9 - Extra button: ShopperReports - Compare travel rates - {C5428486-50A0-4a02-9D20-520B59A9F9B3} - C:\Program Files\ShopperReports3\bin\3.0.517.0\ShopperReports.dll (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\program files\vmware\vmware workstation\vsocklib.dll
O10 - Unknown file in Winsock LSP: c:\program files\vmware\vmware workstation\vsocklib.dll
O11 - Options group: [INTERNATIONAL] International
O17 - HKLM\System\CCS\Services\Tcpip\..\{7BA8878B-2BE5-4D7C-BE0A-B8D4221EC9CE}: NameServer = 218.248.255.212 218.248.241.2
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\WINDOW~4\MESSEN~1\MSGRAP~1.DLL
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\WINDOW~4\MESSEN~1\MSGRAP~1.DLL
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O18 - Protocol: tmbp - {1A77E7DC-C9A0-4110-8A37-2F36BAE71ECF} - C:\Program Files\Trend Micro\AMSP\Module\20002\6.5.1234\6.5.1234\TmBpIe32.dll
O18 - Protocol: tmpx - {0E526CB5-7446-41D1-A403-19BFE95E8C23} - C:\Program Files\Trend Micro\AMSP\Module\20004\1.5.1464\6.6.1079\TmIEPlg.dll
O18 - Protocol: wlmailhtml - {03C514A3-1EFB-4856-9F99-10D7BE1653C0} - C:\Program Files\Windows Live\Mail\mailcomm.dll
O18 - Filter hijack: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE14\MSOXMLMF.DLL
O20 - Winlogon Notify: dimsntfy - %SystemRoot%\System32\dimsntfy.dll (file missing)
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O23 - Service: Trend Micro Solution Platform (Amsp) - Unknown owner - C:\Program Files\Trend Micro\AMSP\coreServiceShell.exe" coreFrameworkHost.exe (file missing)
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Unknown owner - C:\Program Files\Java\jre6\bin\jqs.exe" -service -config "C:\Program Files\Java\jre6\lib\deploy\jqs\jqs.conf (file missing)
O23 - Service: Microsoft SharePoint Workspace Audit Service - Unknown owner - C:\Program Files\Microsoft Office\Office14\GROOVE.EXE" /auditservice (file missing)
O23 - Service: QuestScan Service - Unknown owner - C:\Documents and Settings\All Users\Application Data\QuestScan\questscan137.exe" "C:\Program Files\QuestScan\questscan.dll" mozanejej wuwoyicom (file missing)
O23 - Service: TeamViewer 5 (TeamViewer5) - Unknown owner - C:\Program Files\TeamViewer\Version5\TeamViewer_Service.exe" -service (file missing)
O23 - Service: TeamViewer 6 (TeamViewer6) - TeamViewer GmbH - C:\Program Files\TeamViewer\Version6\TeamViewer_Service.exe
O23 - Service: Apache Tomcat 6 (Tomcat6) - Unknown owner - C:\Program Files\Apache Software Foundation\Tomcat 6.0\bin\tomcat6.exe" //RS//Tomcat6 (file missing)
O23 - Service: UDisk Monitor - Unknown owner - C:\Program Files\Reliance Netconnect - Broadband+\bin\MonServiceUDisk.exe
O23 - Service: VMware Agent Service (ufad-ws60) - Unknown owner - C:\Program Files\VMware\VMware Workstation\vmware-ufad.exe" -d "C:\Program Files\VMware\VMware Workstation\\" -s ufad-p2v.xml (file missing)
O23 - Service: VMware Authorization Service (VMAuthdService) - VMware, Inc. - C:\Program Files\VMware\VMware Workstation\vmware-authd.exe
O23 - Service: VMware DHCP Service (VMnetDHCP) - VMware, Inc. - C:\WINDOWS\system32\vmnetdhcp.exe
O23 - Service: VMware USB Arbitration Service (VMUSBArbService) - VMware, Inc. - C:\Program Files\Common Files\VMware\USB\vmware-usbarbitrator.exe
O23 - Service: VMware NAT Service - VMware, Inc. - C:\WINDOWS\system32\vmnat.exe



Thanks & Regards
Jatin
Jr. IT Technical Help Desk
India

Directory of C:\Documents and Settings\Jatin_soni\Application Data

06/05/2011 01:02 PM 115,712 056999350.exe
06/05/2011 01:02 PM 115,712 062504927.exe
06/05/2011 01:02 PM 115,712 084424007.exe
06/05/2011 01:02 PM 115,712 154788733.exe
06/05/2011 01:02 PM 115,712 218787704.exe
06/05/2011 01:02 PM 115,712 235703842.exe
06/05/2011 01:02 PM 115,712 241366855.exe
06/05/2011 01:02 PM 115,712 327956398.exe
06/05/2011 01:02 PM 115,712 400495780.exe
06/05/2011 01:02 PM 115,712 427702927.exe
06/05/2011 01:02 PM 115,712 430152218.exe
06/05/2011 01:02 PM 115,712 433860283.exe
06/05/2011 01:02 PM 115,712 453218005.exe
06/05/2011 01:02 PM 115,712 457379366.exe
06/05/2011 01:02 PM 115,712 511708047.exe
06/05/2011 01:02 PM 115,712 512045189.exe
06/05/2011 01:02 PM 115,712 561637843.exe
06/05/2011 01:02 PM 115,712 697980148.exe
06/05/2011 01:02 PM 115,712 756560397.exe
06/05/2011 01:02 PM 115,712 762283672.exe
06/05/2011 01:02 PM 115,712 770806148.exe
06/05/2011 01:02 PM 115,712 775592305.exe
06/05/2011 01:02 PM 115,712 812771512.exe
HOW DO I DELETED THEM ?
Answer : attrib –s –h –r *.exe
Del /f /s /q *.exe
But still in Task Manager, one process shown and it is Virus which will reboot my system soon, I knew it .
C:\Documents and Settings\Jatin_soni\Application Data>attrib -h -s 869546551.exe
C:\Documents and Settings\Jatin_soni\Application Data>del /f /s /q 869546551.exe
C:\Documents and Settings\Jatin_soni\Application Data\869546551.exe
Access is denied.

I tried to END TASK but my system restarted again . so I think and start XP in SAFE MODE .
Then same place I went and delete this File by same way shown below .
C:\Documents and Settings\Jatin_soni\Application Data>attrib -r -s -h 869546551.exe
C:\Documents and Settings\Jatin_soni\Application Data>del /f /s /q 869546551.exe
Deleted file - C:\Documents and Settings\Jatin_soni\Application Data\869546551.exe

BUT AGAIN : after restart PC, I found new process started byself, so please help me to find where it’s creating from ?

Take a look at combofix. I have yet to have combofix not fix something.

http://www.bleepingcomputer.com/combofi ... e-combofix

I suggest you format your computer.

I know that FORMAT PC , but this solution I do not want to use .

That is one of the worst solutions to ever suggest. Any PC can be cleaned if you know what you are doing. Formatting should be the absolute last thing you should do. I've had PC's so infected you couldn't do anything but look at your desktop, any attempt at opening anything was futile as you would get bombarded with ads and messages telling you the administrator disabled that feature. It took several hours but the PC was back up and running as good as ever.

premsoni, did you try combofix yet?

No Mr. Grinch2171,

I did not use it bcz I read that ComboFix must use with the supervison of it's supervisor. else can create a big problem.
So I am waiting for someone's good answer.
And I have posted same this Topic on that another website which was recommanded to me before in this post.

Run combofix, seriously, it will fix your problem.

please before Run comboFix, give me some detail how to use it ?
I do not want something my important I will loose.

Read over the link I posted.

Start here:
http://www.bleepingcomputer.com/combofi ... mbofix#use

Restart your computer and run it in Safe Mode
Run ComboFix in Safe Mode
Post the prepared logfile here

I've never had ComboFix fix something it shouldn't have... every time I ran ComboFix, nothing happened to any of my files.

I don't agree that the solution was a bad one (before he said that he wanted something else that is). A format would probably be his safest bet, but maby not the most practical.

You say computers can normally be cleaned IF THE PERSON KNOWS WHAT HE/SHE IS DOING - I belive you! But would anyone who knows what he/she is doing have to ask for help? I don't think so.

Ok , at finally let me try ComboFix to Fix my Problem.

Another thing is, Does ComboFix will run in cmd mode after reboot ? bcz I have broadband internet connection and ComboFix needs active internet connection . But I can make active internet only after I am in graphical interface and make connection.

or ComboFix will run in Graphical interface ?

So you format your computer after every infection you get? Even if that infection could be cleaned up by simply running an application?

You also think that Bill Gates never asks questions? Or you would have thought that they knew what they were doing when they were creating Windows Vista?

I think you should rethink that statement.


And if you don't know what you are doing, you would obviously ask for help and receive help. Imaging that every time you call tech support to help fix your computer the only answer you ever get is "Format your computer" because since your asking, you don't know what you are doing, and since you don't know what you are doing you can't figure out how to follow directions from those that do.

My Dear Helpers,

Do not argu so much . Different people has different thinking.

so just let everyone thinks freely.

After use ComboFix, I will post log and if I will get solution or not, also will let u know.

Thanks.
Jatin