Avast WEBforum
Other => Viruses and worms => Topic started by: johannlynx on May 03, 2007, 05:28:22 PM
-
lately my internet connection is working so slow
i called my internet company to complain n they made me
do a netstat n i seem to have many connections established
even when im doing nothing.. they said i have virus..
i just formated n i still have those connections i dunno what to do
this is the first netstat i did
(http://img239.imageshack.us/img239/4204/cmdtd2.png)
then i closed all possible programs running even firewall, antispyware n antivirus
(http://img119.imageshack.us/img119/5595/cmdnogp0.png)
then i did it again unplugging the internet but those connection were still
(http://img63.imageshack.us/img63/1337/nointernetge2.png)
r those connections established by a virus ?? if so then what shall i do i just formated
i thought that would get rid of them.. n my internet connection is so slow im paying for 700k n each time i test my speed is 170 to 250 k ... n my internet company dont give me
further assistance
i also did a scan with hijackthis here is the report
Logfile of HijackThis v1.99.1
Scan saved at 9:58:57 PM, on 5/4/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16414)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\ISafe.exe
C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\VetMsg.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Adobe\Reader 8.0\Reader\AcroRd32Info.exe
D:\Software\Nueva carpeta\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [cctray] "C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe"
O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\npjpi160.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\npjpi160.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O11 - Options group: [TABS] Tabbed Browsing
O17 - HKLM\System\CCS\Services\Tcpip\..\{09DB9737-21CA-48F5-A49E-67749305B680}: NameServer = 200.132.249.101,200.75.78.78
O17 - HKLM\System\CS1\Services\Tcpip\..\{09DB9737-21CA-48F5-A49E-67749305B680}: NameServer = 200.132.249.101,200.75.78.78
O17 - HKLM\System\CS2\Services\Tcpip\..\{09DB9737-21CA-48F5-A49E-67749305B680}: NameServer = 200.132.249.101,200.75.78.78
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\wpdshserviceobj.dll
O23 - Service: CaCCProvSP - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\ISafe.exe
O23 - Service: VET Message Service (VETMSGNT) - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\VetMsg.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
hope some one can help me.. i cant understand what can b establishing the connections
n why my internet is getting so slow..
i would appreciate ur help
thanks
-
First, you don't appear to have avast installed on your system and this is a support forum for avast users.
Second, the Localhost entries aren't connecting to the internet; they are locations on your system, usually a proxy to be able to scan something like inbound or outbound email. I have no knowledge of CA's anti-virus so I don't know if they use localhost ports.
You could do a reverse whois lookup on the ip addresses.
Netstat doesn't show what applications are using the ports so it may be best to check your firewall logs to see what the activity is.
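
Added illustration of the localhost point in the reply above (not part of the original post): a sketch that separates loopback-only connections, which never leave the machine and so remain listed with the cable unplugged, from connections to remote hosts. The netstat text is constructed sample input in the layout of `netstat -ano`; 64.215.158.8 and port 12080 appear elsewhere in this thread, while the 192.168.1.x addresses and the PIDs are made up.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample (not the poster's real output).
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       952
  TCP    127.0.0.1:1029         127.0.0.1:12080        ESTABLISHED     1480
  TCP    127.0.0.1:12080        127.0.0.1:1029         ESTABLISHED     1812
  TCP    192.168.1.33:1045      64.215.158.8:80        ESTABLISHED     1480
  TCP    192.168.1.33:1051      192.168.1.1:80         TIME_WAIT       0
  UDP    0.0.0.0:445            *:*                                    4
"""

# Proto, local endpoint, foreign endpoint, optional state, optional PID.
LINE_RE = re.compile(
    r"^\s*(?P<proto>TCP|UDP)\s+(?P<local>\S+)\s+(?P<remote>\S+)"
    r"(?:\s+(?P<state>[A-Z][A-Z0-9_]*))?(?:\s+(?P<pid>\d+))?\s*$"
)


def split_endpoint(endpoint):
    """Split 'host:port' on the last colon; strips [] around IPv6 hosts."""
    host, _, port = endpoint.rpartition(":")
    return host.strip("[]"), port


def classify_host(host):
    """Return 'any', 'loopback', 'lan', 'remote' or 'named' for one host."""
    if host == "*":
        return "any"
    if host.lower() == "localhost":
        return "loopback"          # netstat without -n prints this name
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return "named"             # a hostname: rerun with -n or look it up
    if ip.is_unspecified:
        return "any"
    if ip.is_loopback:
        return "loopback"
    if ip.is_private:
        return "lan"
    return "remote"


def summarize(text):
    """Count ESTABLISHED TCP connections by kind and list the remote ones."""
    counts = Counter()
    remote = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["proto"] != "TCP" or m["state"] != "ESTABLISHED":
            continue
        host, port = split_endpoint(m["remote"])
        kind = classify_host(host)
        counts[kind] += 1
        if kind in ("remote", "named"):
            remote.append((host, port, m["pid"]))
    return counts, remote


if __name__ == "__main__":
    counts, remote = summarize(SAMPLE_NETSTAT)
    print(dict(counts))
    for host, port, pid in remote:
        print(f"look up {host}:{port} (owning PID {pid})")
```

Only the entries returned in the second list are worth a whois or firewall-log check; the loopback pairs are two ends of the same local connection.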
-
Besides having the "wrong" antivirus, do you know the IP in this line
O17 - HKLM\System\CCS\Services\Tcpip\..\{09DB9737-21CA-48F5-A49E-67749305B680}: NameServer = 200.132.249.101,200.75.78.78
It's registered to Associação Rede Nacional de Ensino e Pesquisa which I think is in Brazil.
-
i had avast..
but i wanted to try this one..
just curious..
i had the professional version
but so much ppl told me it doesnt stop all virus..
im not sure..
well im just checking...
n about the ip
what does it mean that is registered in to brazil??
n that thing that i didnt understand??
right now im in colombia..
n portugues is not our language ..
can u plse xplain me...
n dnt get mad
i will b back to avast..
when i joined this forum i had it..
but i wanted to try.. n well this far i prefer avast than my new one..
but i've used it for only 5 days
-
but so much ppl told me it doesnt stop all virus./
Give me a name of the perfect software and I'll congratulate you... there isn't... there isn't a perfect antivirus...
Although I can bet you avast is one of the best ones 8)
what does it mean that is registered in to brazil??
What do you mean? Are you a brazilian like me?
right now im in colombia..
n portugues is not our language ..
Download and install the Spanish version of avast not the Portuguese (Brazil) one.
There is a registration page (to get the free key) that is in Spanish too (I hope).
-
The reason this was mentioned is because the O17 entries are usually associated with your ISP.
O17 - HKLM\System\CCS\Services\Tcpip\..\{09DB9737-21CA-48F5-A49E-67749305B680}: NameServer = 200.132.249.101,200.75.78.78
If this is not your ISP then it is suspicious, that is why mauserme did the reverse lookup I mentioned. "Its registered to Associação Rede Nacional de Ensino e Pesquisa which I think is in Brazil."
So somehow I doubt it is your ISP as you are in Colombia and not Brazil.
But, for the other IP address, 200.75.78.78, I get this:
Checking IP: 200.75.78.78...
Name: coleonyx.epm.net.co
IP: 200.75.78.78
So do either of those names ring a bell with you ?
-
yep epm is my internet provider
but about the other one i dunno what is it...
n worries me i just formated n well
to have problems is not nice..
can u plse guide me what can i do thx
........................................................
i just did a reverse look up checking my dns n everything
well one is from epm n its ok the other has a problem n i dnt understand why
my prefered dns is 200.13.249.101
200.13.249.101 resolves to
"dnscache.une.net.co"
Top Level Domain: "net.co"
une is the same company as epm
but i dnt understand why in the log file it has another number
200.132.249.101 instead of 200.13.249.101 why one more number??
about avast if spanish or english..
i will get back to the one i had in english..
i dnt really like the programs in spanish..
but yep it exist in spanish..
i think avast is available in several languages :)
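
Added example for the O17 discussion in the posts above (not part of any original post): it extracts the NameServer values from HijackThis O17 lines and compares them with the resolvers the ISP is expected to hand out, flagging an address that is one character away from an expected one. The expected list is an assumption taken from what the poster reported (200.13.249.101 and 200.75.78.78); the function names are hypothetical.

```python
import ipaddress
import re

# Sample input: the O17 lines quoted in this thread, plus two neighbours.
SAMPLE_LOG = r"""
O11 - Options group: [TABS] Tabbed Browsing
O17 - HKLM\System\CCS\Services\Tcpip\..\{09DB9737-21CA-48F5-A49E-67749305B680}: NameServer = 200.132.249.101,200.75.78.78
O17 - HKLM\System\CS1\Services\Tcpip\..\{09DB9737-21CA-48F5-A49E-67749305B680}: NameServer = 200.132.249.101,200.75.78.78
O17 - HKLM\System\CS2\Services\Tcpip\..\{09DB9737-21CA-48F5-A49E-67749305B680}: NameServer = 200.132.249.101,200.75.78.78
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
"""

# Assumption: the resolvers the poster says the ISP assigned.
EXPECTED_RESOLVERS = ["200.13.249.101", "200.75.78.78"]

O17_RE = re.compile(
    r"^O17 - (?P<key>HKLM\\System\\(?P<cs>[^\\]+)\\Services\\Tcpip\\[^:]*): "
    r"(?P<name>\w+) = (?P<value>.*)$",
    re.MULTILINE,
)


def parse_o17(log_text):
    """Return one dict per O17 NameServer line: control set, key, servers."""
    entries = []
    for m in O17_RE.finditer(log_text):
        if m["name"].lower() != "nameserver":
            continue  # O17 also reports Domain / SearchList values
        servers = [t for t in re.split(r"[,\s]+", m["value"].strip()) if t]
        entries.append(
            {"control_set": m["cs"], "key": m["key"], "servers": servers}
        )
    return entries


def edit_distance(a, b):
    """Levenshtein distance between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def audit(entries, expected):
    """Label every configured resolver as expected, unexpected or malformed."""
    findings = []
    for entry in entries:
        for addr in entry["servers"]:
            near = None
            try:
                ipaddress.ip_address(addr)
            except ValueError:
                status = "malformed"
            else:
                if addr in expected:
                    status = "expected"
                else:
                    status = "unexpected"
                    # One-character difference from a known resolver.
                    near = next(
                        (x for x in expected if edit_distance(addr, x) == 1), None
                    )
            findings.append(
                {"control_set": entry["control_set"], "address": addr,
                 "status": status, "near": near}
            )
    return findings


if __name__ == "__main__":
    for f in audit(parse_o17(SAMPLE_LOG), EXPECTED_RESOLVERS):
        hint = f" (one character from {f['near']})" if f["near"] else ""
        print(f"{f['control_set']}: {f['address']} -> {f['status']}{hint}")
```

A near-miss only says the configured value differs from an expected resolver by one character; the entry still needs to be corrected to the ISP's address in the adapter's TCP/IP settings.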
-
can u plse guide me what can i do thx
To do what? Reformat the computer? Why?
-
i had avast..
but i wanted to try this one..
just curious..
No problem - we all try different programs from time to time. I was making a joke earlier :)
2 Tech - If you don't mind would you look at this site and see if you can tell what it's all about?
http://www.rnp.br/rnp/
This is the one that 200.132.249.101 resolves to. It scans clean with Dr. Web and I've been to the site several times with no ill effects. It seems innocent enough but I can't get it to translate well enough for me to read it.
2 johannlunx - Please download the free version of SuperAntiSpyware, install it and scan
http://www.superantispyware.com/
Make sure to do a complete system scan and quarantine if anything is found. Then post the log it produces.
-
i have a question if i download the superantispyware
can it have conflict with the antispyware i already have?
i use zonealarm as my firewall n this version includes antispyware...
well im back to avast :) today i had some problems with the antivirus i was testing
was taking so much of my resources ... n well that is not good for me...
n well avast is the best one i have had this far n that doesnt takes all my resources
about that ip from brasil i dnt understand ...why i have it.. n is really similar to my dns
only with one number of diference
n well i formated .. im not sure of the word in english .. i formated c:\
2 days ago n installed again the xp
i wonder if this fast i can have a spyware or something...
is really weird
i made a new log file plse can u keep guiding me thx .. n check i got avast again 8)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Program Files\uTorrent\uTorrent.exe
C:\WINDOWS\system32\taskmgr.exe
D:\Software\analize\analyse.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = https://login.live.com/ppsecure/sha1auth.srf?lc=1033
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = localhost:12080
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O11 - Options group: [TABS] Tabbed Browsing
O17 - HKLM\System\CCS\Services\Tcpip\..\{09DB9737-21CA-48F5-A49E-67749305B680}: NameServer = 200.132.249.101,200.75.78.78
O17 - HKLM\System\CS1\Services\Tcpip\..\{09DB9737-21CA-48F5-A49E-67749305B680}: NameServer = 200.132.249.101,200.75.78.78
O17 - HKLM\System\CS2\Services\Tcpip\..\{09DB9737-21CA-48F5-A49E-67749305B680}: NameServer = 200.132.249.101,200.75.78.78
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\wpdshserviceobj.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
--------------------------------------------------------------------------------------------------------------------------
hehe i just tried to fix the ip stuff with hijackthis n well it deleted my preferred dns server n the alternative dns server hehe
i couldnt surf .. well now i know is those r my dns but why that one has one more number than it really has..
n in avast i noticed i have some file missing.. is this normal??
what shall i do ??
thx :)
-
hehe i just tried to fix the ip stuff with hijackthis n well it deleted my preferred dns server n the alternative dns server hehe
i couldnt surf .. well now i know is those r my dns but why that one has one more number than it really has..
Well, as I said, it seems innocent ...
Please don't assume that my asking questions means I'm suspicious of something. I just need information sometimes. Is your internet connection OK or are you using a different computer now?
A couple more questions:
Is this HijackThis renamed to analyze.exe?
D:\Software\analize\analyse.exe
And this line was not present in your first log
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = https://login.live.com/ppsecure/sha1auth.srf?lc=1033
It looks like a HotMail login. Did you just install that?
n well i formated .. im not sure of the word in english .. i formated c:\
2 days ago n installed again the xp
i wonder if this fast i can have a spyware or something...
is really weird
If you mean you wiped the drive clean and reinstalled the operating system "format" is the correct word. And honestly, other than the lightweight sort of spyware that some manufacturers install on new PCs it seems unlikely anything unwanted would survive reinstallation (and I don't see any of the things like WeatherBug that manufacturers do sometimes install).
Still, you have a slow internet and a tech support guy saying you're infected. This may just be an excuse for a poor connection but it can't hurt to check a few things.
i have a question if i download the superantispyware
can it have conflict with the antispyware i already have?
i use zonealarm as my firewall n this version includes antispyware...
The free version of SuperAntispyware does not provide real time protection so there should be no conflict.
After that scan download TCPView and post a screen shot of the connections (I would like to see what programs are involved)
http://www.microsoft.com/technet/sysinternals/utilities/TcpView.mspx
EDIT: Those missing avast! files are OK - it's a glitch with HijackThis. If you look at the running processes section you will see they are actually there.
-
but so much ppl told me it doesnt stop all virus./
Give me a name of the perfect software and I'll congratulate you... there isn't... there isn't a perfect antivirus...
Although I can bet you avast is one of the best ones 8)
what does it mean that is registered in to brazil??
What do you mean? Are you a brazilian like me?
right now im in colombia..
n portugues is not our language ..
Download and install the Spanish version of avast not the Portuguese (Brazil) one.
There is a registration page (to get the free key) that is in Spanish too (I hope).
sorry i didnt want to b impolite not replying to ur question
im not from brazil im from colombia..
i used to have avast professional in english.. i was just testing..
but that one i was testing was not as i thought n u r right
there's no perfect software.. i was just curious n well the best way to learn is trying or testing..
but well now im back to avast :)
i dnt like the spanish version.. i usually download programs in english or french.. i like more those languages :)
-
Is your internet connection OK or are you using a different computer now?
it deleted my dns ...but i had them so i just set them again.. so im working from my laptop again..
Is this HijackThis renamed to analyze.exe?
D:\Software\analize\analyse.exe
yep i renamed it cuz i read that sometimes that name is used to hide malwares.. in the page of hijack they sugest it n in majorgeek
And this line was not present in your first log
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = https://login.live.com/ppsecure/sha1auth.srf?lc=1033
It looks like a HotMail login. Did you just install that?
well i dunno .. as far as i know i havent installed anything.. i just check my mail no more..
i dnt like things that hotmail have to offer..
n now the wga is bugging me.. even though my xp is original.. that wga i notice tries to do many things..
n change things.. the firewall tells me..
If you mean you wiped the drive clean and reinstalled the operating system "format" is the correct word. And honestly, other than the lightweight sort of spyware that some manufacturers install on new PCs it seems unlikely anything unwanted would survive reinstallation (and I don't see any of the things like WeatherBug that manufacturers do sometimes install).
Still, you have a slow internet and a tech support guy saying you're infected. This may just be an excuse for a poor connection but it can't hurt to check a few things.
i havent called them again.. u know i also decide to format cuz my laptop is running to slow.. n well i dunno what it can b..
just using messenger my computer runs at 100%.. n sometimes it works really slow..
what can it make my laptop run so slow.. n sometimes i get blocked.. n well i just format..
yesterday when i installed again my avast..
i found a malware but i know is not doing anything yet.. is something im downloading.. i knew it had something.. but i havent run it
n i wont.. but i need the other things that come with that.. is a torrent.. so i know it is not...
today i was checking my netstat
n i saw 2 things that i dnt understand why...
first
this thing that i dunno what it is had as well a connection established..
adsl190-024051136.dyn.etb.net.co
i know etb is n internet company from the capital of my country.. but i dnt have anything with that company so i dnt understand why that connection
second
this ip had a connection established with me
64.215.158.8
i found this about this ip
Location: United States [City: Los Angeles, California]
OrgName: Global Crossing
OrgID: GBLX
Address: 14605 South 50th Street
City: Phoenix
StateProv: AZ
PostalCode: 85044-6471
Country: US
ReferralServer: rwhois://rwhois.gblx.net:4321
NetRange: 64.212.0.0 - 64.215.255.255
CIDR: 64.212.0.0/14
NetName: GBLX-11D
NetHandle: NET-64-212-0-0-1
Parent: NET-64-0-0-0-0
NetType: Direct Allocation
NameServer: NAME.ROC.GBLX.NET
NameServer: NAME.PHX.GBLX.NET
NameServer: NAME.SNV.GBLX.NET
NameServer: NAME.JFK1.GBLX.NET
Comment: rwhois.gblx.net:4321 - THESE ADDRESSES ARE
Comment: NON-PORTABLE
RegDate:
Updated: 2003-10-31
RTechHandle: IA12-ORG-ARIN
RTechName: GBLX-IPADMIN
RTechPhone: +1-800-404-7714
RTechEmail: ipadmin@gblx.net
OrgAbuseHandle: GBLXA-ARIN
OrgAbuseName: GBLX-Abuse
OrgAbusePhone: +1-800-404-7714
OrgAbuseEmail: abuse@gblx.net
OrgNOCHandle: GBLXN-ARIN
OrgNOCName: GBLX-NOC
OrgNOCPhone: +1-800-404-7714
OrgNOCEmail: gc-noc@gblx.net
OrgTechHandle: IA12-ORG-ARIN
OrgTechName: GBLX-IPADMIN
OrgTechPhone: +1-800-404-7714
OrgTechEmail: ipadmin@gblx.net
why that ip had a connection with me.. i checked 3 times n there was... when i see that what can i do to stop that connection ??
here is the result of the superantispyware
it found 2 threats n were 2 adware. tracking cookie
(http://img155.imageshack.us/img155/5953/superantispywaresw1.jpg)
i know u asked me for a log of the scanning but i dunno why i couldnt do it..
i clicked on it n nothing happened..
after that i also clicked in let me find what's running in my computer but it didnt work either...
plse if u dnt mind can u xplain me how to stop those established connections i have
n what the next step.. what else can b making my computer so slow..
n now my connection is not slow.. i guess was a poor connection from the company..
the company is not good... cux they dnt have competence so they do anything they want :-\
i hope another company comes soon .. i wanna change
if u need me to do the antispyware again i will
well i will try now again..
n if i can do the log i'll post it
thx :) all the ppl in avast forum is so nice ;)
--------------------------------------------------------------------------------------------------
about this
And this line was not present in your first log
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = https://login.live.com/ppsecure/sha1auth.srf?lc=1033
It looks like a HotMail login. Did you just install that?
can i delete all those things that i have like that.. r they useful or just making my computer slower??
r this things useful.. i dunno why i have them.. can i delete them??
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
O11 - Options group: [INTERNATIONAL] International*
O11 - Options group: [TABS] Tabbed Browsing
why did i got them?? ??? hehe
thx for helping... sorry for asking so much.. im just too curious.. i want my laptop to run the best it can..
n well at the same time i wanna learn as much as i can :)
-------------------------------------------------------------------------------------------------------------------------
i did the scan again it said i had no harmful something..i dnt remember the word
but didnt let me do the log file either... :-\
-
n now the wga is bugging me.. even though my xp is original.. that wga i notice tries to do many things..
n change things.. the firewall tells me..
Is it WGA Notifications, or does it just give you a file name?
u know i also decide to format cuz my laptop is running to slow.. n well i dunno what it can b..
Is it only your laptop that has a slow connection, or is it other computers too?
yesterday when i installed again my avast..
i found a malware but i know is not doing anything yet.. is something im downloading..
What was the name of the malware? What were you downloading?
r this things useful.. i dunno why i have them.. can i delete them??
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
O11 - Options group: [INTERNATIONAL] International*
O11 - Options group: [TABS] Tabbed Browsing
No, don't fix anything yet.
plse if u dnt mind can u xplain me how to stop those established connections i have
n what the next step..
Well, I'm still not entirely sure your computer is infected with anything but let's try this.
Download SDFix (http://downloads.andymanchesta.com/RemovalTools/SDFix.exe) and save it to your desktop.
Please then reboot your computer in Safe Mode by doing the following :
Restart your computer
After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
Instead of Windows loading as normal, a menu with options should appear;
Select the first option, to run Windows in Safe Mode, then press "Enter".
Choose your usual account.
In Safe Mode, double click SDFix.exe and install to the default location by clicking Install. The SDFix Folder will be extracted to %systemdrive% \ (Drive that contains the Windows directory - typically 'C:\SDFix') Open the SDFix folder in Safe Mode then double click the RunThis.bat file to start the fixtool. Type Y to begin the script.
It will remove the Trojan Services then make some repairs to the registry and prompt you to press any key to Reboot. Press any Key and it will restart the PC.
Your system will take longer than normal to restart as the fixtool will be running and removing files. When the desktop loads the Fixtool will complete the removal and display Finished, then press any key to end the script and load your desktop icons.
Finally open the SDFix folder on your desktop and copy and paste the contents of the results file Report.txt back onto the forum with a new HijackThis log
-
here it is as u requested
the log for SDFix
SDFix: Version 1.82
Run by Lynx - Mon 05/07/2007 - 8:05:33.39
Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix
Safe Mode:
Checking Services:
Restoring Windows Registry Values
Restoring Windows Default Hosts File
Rebooting...
Normal Mode:
Checking Files:
Below files will be copied to Backups folder then removed:
C:\DOCUME~1\Lynx\LOCALS~1\Temp\setup.exe - Deleted
Removing Temp Files
ADS Check:
Checking if ADS is attached to system32 Folder
C:\WINDOWS\system32
No streams found.
Checking if ADS is attached to svchost.exe
C:\WINDOWS\system32\svchost.exe
No streams found.
Final Check:
Remaining Services:
------------------
Authorized Application Key Export:
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\uTorrent\\uTorrent.exe"="C:\\Program Files\\uTorrent\\uTorrent.exe:*:Enabled:µTorrent"
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
"C:\\Program Files\\MSN Messenger\\livecall.exe"="C:\\Program Files\\MSN Messenger\\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"
"C:\\Program Files\\Skype\\Phone\\Skype.exe"="C:\\Program Files\\Skype\\Phone\\Skype.exe:*:Enabled:Skype"
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"="C:\\Program Files\\Bonjour\\mDNSResponder.exe:*:Enabled:Bonjour"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
"C:\\Program Files\\MSN Messenger\\livecall.exe"="C:\\Program Files\\MSN Messenger\\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"
Remaining Files:
---------------
Backups Folder: - C:\SDFix\backups\backups.zip
Checking For Files with Hidden Attributes:
Finished
---------------------------------------------------------------------------------------------
i also did the catch me ... in case there was something else
catchme 0.2 W2K/XP/Vista - userland rootkit detector by Gmer, 17 October 2006
http://www.gmer.net
scanning hidden processes ...
scanning hidden services ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0
--------------------------------------------------------------------------------------------------
n the hijack log
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Combined Community Codec Pack\MPC\mplayerc.exe
C:\Program Files\Combined Community Codec Pack\MPC\mplayerc.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
D:\Software\analyze\analyse.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = https://login.live.com/ppsecure/sha1auth.srf?lc=1033
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = localhost:12080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{09DB9737-21CA-48F5-A49E-67749305B680}: NameServer = 200.13.249.101,200.75.78.78
O17 - HKLM\System\CS1\Services\Tcpip\..\{09DB9737-21CA-48F5-A49E-67749305B680}: NameServer = 200.13.249.101,200.75.78.78
O17 - HKLM\System\CS2\Services\Tcpip\..\{09DB9737-21CA-48F5-A49E-67749305B680}: NameServer = 200.13.249.101,200.75.78.78
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\wpdshserviceobj.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
do i have something ???
(http://img201.imageshack.us/img201/9840/23kz8.jpg)
here is my netstat at this moment..
do i have something bad??
well the problem of the connection seems that my internet company is slow..
but why my computer runs at 100 % so often
just using the messenger or skype..
or sometimes running other applications..
can this b normal ???
-
i wonder which of this things i have r not needed n can b deleted ??
those extra buttons.. n other things that i dunno why i have them..
-
If you don't want the extra buttons we can remove them, but first get TCPView and post a screenshot. This will show us what programs are getting connections.
http://www.microsoft.com/technet/sysinternals/utilities/TcpView.mspx
-
IPs in the range 207.138.0.0 - 207.138.255.255 belong to Global Crossing, a provider of VoIP, RSS feeds, etc. Here's a link to their home page:
http://blogs.globalcrossing.com/
Do you recognize it?
The addresses ending in phx.gbl:1863 might be Windows Messenger connections but TCPView could help confirm this.
-
I like to use SpyBot S&D for cleaning from all the spywares and robots on my pc.
Search for it on http://www.spybot.com/ on any language you like, update it and give it a try.
And about the use of your processor, I have found that the last Microsoft MSN Live Messenger tends to do that but it is just for short times.
-
I like to use SpyBot S&D for cleaning from all the spywares and robots on my pc.
Sometimes it does not work and the updates are not that frequent.
I suggest AVG Antispyware (http://www.ewido.net/en/). Some users recommend SUPERantispyware (http://www.superantispyware.com), Spyware Terminator (http://www.spywareterminator.com/) and/or a-squared (http://www.emsisoft.com/en/software/free/) (take care about false positives).
-
in the past 2 days something weird is happening
my firefox is closed by dr watson..
i dnt know why...
this thing appears
(http://img488.imageshack.us/img488/7525/watsoneg5.jpg)
n if i allow or not.. my firefox windows get closed..
do i have something wrong???
n all the other things that get my lap top running so slow
-
Maybe you should open a new thread for your problem...
If Firefox is being closed, generally it is because some extension (add-on) is crashing it.
Maybe you can run Firefox (Safe Mode) from the Start Menu and then uninstall the latest extensions you've installed.
About Dr. Watson, it's a safe application trying to debug.
Anyway, it won't 'solve' the original problem of Firefox.
Do you use avast?
-
yes i have avast...
well the biggest problem is not that my firefox is closing..
is all the things above... that i have connections from i dunno who is this ppl n i dunno why
n my lap top is so slow most of the time when i open some applications running at 100%
n i dunno what it can b...
-
Well, SDFix did remove this
C:\DOCUME~1\Lynx\LOCALS~1\Temp\setup.exe
so something was going on. See if you can upload the backup copy to Virus Total for analysis (BTW, you will want to delete that file after we're done with this process)
http://www.virustotal.com/en/indexf.html
Do you recognize the Global Crossing site I posted above?
And what about TCPView? That's going to be the easiest way to see what's connecting to the internet. It's just an enhanced version of NetStat ...
-
sorry sometimes i dnt reply to all the questions ..dunno why i dnt see all the comments u post. :-\
i checked twice this weekend n i thought no one had replied ???
ok as u said i uploaded that file to virustotal
n u were right there was something bad.. now should i delete the backup?
here is the image
(http://img515.imageshack.us/img515/7295/backupzipou1.jpg)
Do you recognize the Global Crossing site I posted above?
no i dunno what is that page.. i have never seen it before
this is the tcp log
[System Process]:0 TCP johannly-157f5a:3736 localhost:12080 TIME_WAIT
[System Process]:0 TCP johannly-157f5a:3737 207.138.234.65:http TIME_WAIT
[System Process]:0 TCP johannly-157f5a:3730 65.54.170.19:https TIME_WAIT
[System Process]:0 TCP johannly-157f5a:3732 207.68.178.239:http TIME_WAIT
[System Process]:0 TCP johannly-157f5a:3734 65.54.170.19:https TIME_WAIT
firefox.exe:748 TCP johannly-157f5a:1297 localhost:1298 ESTABLISHED
firefox.exe:748 TCP johannly-157f5a:1298 localhost:1297 ESTABLISHED
firefox.exe:748 TCP johannly-157f5a:1299 localhost:1300 ESTABLISHED
firefox.exe:748 TCP johannly-157f5a:1300 localhost:1299 ESTABLISHED
firefox.exe:748 TCP johannly-157f5a:3684 ag-in-f104.google.com:http ESTABLISHED
firefox.exe:748 TCP johannly-157f5a:3699 207.138.234.67:http ESTABLISHED
firefox.exe:748 TCP johannly-157f5a:3703 207.138.234.66:http ESTABLISHED
firefox.exe:748 TCP johannly-157f5a:3704 207.138.234.66:http ESTABLISHED
lsass.exe:680 UDP johannly-157f5a:isakmp *:*
lsass.exe:680 UDP johannly-157f5a:4500 *:*
mDNSResponder.exe:2044 UDP johannly-157f5a:1025 *:*
mDNSResponder.exe:2044 UDP johannly-157f5a:5353 *:*
msnmsgr.exe:2984 TCP johannly-157f5a:2658 by1msg5276713.phx.gbl:1863 ESTABLISHED
msnmsgr.exe:2984 TCP johannly-157f5a:3679 by2msg1104403.phx.gbl:1863 ESTABLISHED
msnmsgr.exe:2984 UDP johannly-157f5a:1053 *:*
msnmsgr.exe:2984 UDP johannly-157f5a:1055 *:*
msnmsgr.exe:2984 UDP johannly-157f5a:7329 *:*
msnmsgr.exe:2984 UDP johannly-157f5a:26154 *:*
msnmsgr.exe:2984 UDP johannly-157f5a:discard *:*
msnmsgr.exe:2984 TCP johannly-157f5a:3738 by2msg2263512.phx.gbl:1863 ESTABLISHED
svchost.exe:1040 UDP johannly-157f5a:1399 *:*
svchost.exe:1040 UDP johannly-157f5a:1303 *:*
svchost.exe:1040 UDP johannly-157f5a:1400 *:*
svchost.exe:1040 UDP johannly-157f5a:1034 *:*
svchost.exe:1040 UDP johannly-157f5a:1402 *:*
svchost.exe:1040 UDP johannly-157f5a:1040 *:*
svchost.exe:1040 UDP johannly-157f5a:1302 *:*
svchost.exe:1156 UDP johannly-157f5a:1900 *:*
svchost.exe:1156 UDP johannly-157f5a:1900 *:*
svchost.exe:932 UDP johannly-157f5a:ntp *:*
svchost.exe:932 UDP johannly-157f5a:1045 *:*
svchost.exe:932 UDP johannly-157f5a:ntp *:*
System:4 TCP johannly-157f5a:microsoft-ds johannly-157f5a:0 LISTENING
System:4 TCP johannly-157f5a:netbios-ssn johannly-157f5a:0 LISTENING
System:4 UDP johannly-157f5a:microsoft-ds *:*
System:4 UDP johannly-157f5a:netbios-dgm *:*
System:4 UDP johannly-157f5a:netbios-ns *:*
i wonder if everything is ok
-
Two hits on Virus Total really isn't definitive. Let's not rush into deletion.
That mDNSResponder.exe in your TCPView read out is part of iTunes' Bonjour Service. It sets up a P2P file sharing connection, quite possibly without your knowledge, and is reported by some to use near 100% CPU (this process is listed in your HijackThis log but I didn't pay much attention to it until seeing TCPView).
Is this a service you installed on purpose and, if you did, is it something you want to keep?
EDIT: Adobe CS3 also uses Bonjour technology. Do you have any of the Creative Suite programs?
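A TCPView text export like the one posted above can be grouped by owning process so that external connections and open sockets stand out. The script below is an added example, not part of the original thread; the sample rows are a subset of the posted log, and the function names are this example's own.

```python
import re
from collections import defaultdict

# Subset of the TCPView rows posted in this thread.
SAMPLE = """\
[System Process]:0 TCP johannly-157f5a:3736 localhost:12080 TIME_WAIT
[System Process]:0 TCP johannly-157f5a:3737 207.138.234.65:http TIME_WAIT
firefox.exe:748 TCP johannly-157f5a:1297 localhost:1298 ESTABLISHED
firefox.exe:748 TCP johannly-157f5a:3684 ag-in-f104.google.com:http ESTABLISHED
firefox.exe:748 TCP johannly-157f5a:3699 207.138.234.67:http ESTABLISHED
mDNSResponder.exe:2044 UDP johannly-157f5a:5353 *:*
msnmsgr.exe:2984 TCP johannly-157f5a:2658 by1msg5276713.phx.gbl:1863 ESTABLISHED
msnmsgr.exe:2984 UDP johannly-157f5a:1053 *:*
svchost.exe:1156 UDP johannly-157f5a:1900 *:*
System:4 TCP johannly-157f5a:microsoft-ds johannly-157f5a:0 LISTENING
"""

# process:pid  protocol  local endpoint  remote endpoint  [state]
# The process name may contain spaces ("[System Process]"), hence the lazy match.
ROW_RE = re.compile(r"^(.+?):(\d+)\s+(TCP|UDP)\s+(\S+)\s+(\S+)(?:\s+(\S+))?$")


def parse_tcpview(text):
    """Turn TCPView text rows into dictionaries; unparseable lines are skipped."""
    rows = []
    for line in text.splitlines():
        match = ROW_RE.match(line.strip())
        if not match:
            continue
        process, pid, proto, local, remote, state = match.groups()
        rows.append({
            "owner": f"{process}:{pid}",
            "proto": proto,
            "local": local,
            "remote": remote,
            "state": state or "",   # UDP rows carry no state column
        })
    return rows


def _host(endpoint):
    """Host part of a host:port endpoint."""
    return endpoint.rsplit(":", 1)[0]


def external_connections(rows):
    """Established TCP connections to another machine, grouped by owner.

    Loopback pairs (such as firefox.exe talking to itself) and closed
    TIME_WAIT entries are left out.
    """
    result = defaultdict(set)
    for row in rows:
        if row["proto"] != "TCP" or row["state"] != "ESTABLISHED":
            continue
        if _host(row["remote"]) in ("localhost", "127.0.0.1", _host(row["local"])):
            continue
        result[row["owner"]].add(row["remote"])
    return {owner: sorted(remotes) for owner, remotes in result.items()}


def open_sockets(rows):
    """UDP sockets and TCP listeners: ports a process holds open, not connections."""
    result = defaultdict(set)
    for row in rows:
        if row["proto"] == "UDP" or row["state"] == "LISTENING":
            port = row["local"].rsplit(":", 1)[-1]
            result[row["owner"]].add(f"{row['proto']} {port}")
    return {owner: sorted(ports) for owner, ports in result.items()}


if __name__ == "__main__":
    parsed = parse_tcpview(SAMPLE)
    for owner, remotes in external_connections(parsed).items():
        print(owner, "->", ", ".join(remotes))
    for owner, ports in open_sockets(parsed).items():
        print(owner, "holds", ", ".join(ports))
```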
-
wow i didnt know it was...
that bonjour is a part of photoshop.. cs3..
shall i uninstall it?? :o
in this past days im also getting advices like this
(http://img258.imageshack.us/img258/7751/problean1.png)
this one was cuz i tried to click the link below to go to my received files n see a picture..
i dnt understand why it happens...
can i just uninstall the bonjour stuff with out uninstalling photoshop??
can b that bonjour the one that makes my computer run so slow then..
n about SDfix.. then shall or not delete the back up files ???
??? what's next ???
thnx for ur time :)
-
Here's a link to a blog about this problem with Adobe CS3
http://blogs.adobe.com/jnack/2007/01/cs3_doesnt_inst.html
and a link to Adobe's removal procedure
http://www.adobe.com/cfusion/knowledgebase/index.cfm?id=kb400982
If you read through the blog you'll see that removal can damage your LSP stack which will effectively kill your internet connection. Some users were able to repair this with LSPFix and I suggest you download this just in case
http://www.bleepingcomputer.com/files/lspfix.php
But instead of complete removal with the risk of needing to fix your connection I would like to try this instead
Click Start>Run
In the empty field type services.msc and click OK
In the window that opens find the Bonjour service. It will either be named Bonjour Service or $$Id_String1.6844F930_1628_4223_B5CC_5BB94B879762$$ (probably the latter).
When you locate the service, right click it and then click Properties. Change Startup Type to Disabled.
In the same window click the Recovery tab and change the First Failure, Second Failure, and Subsequent Failure fields to Take no Action.
Click OK.
Right click the service again and click Stop.
While this method does not remove Bonjour from your computer I believe it will safely disable it without breaking other things. It's not technically malware so leaving it on your drive shouldn't be a problem, though I must say I will probably never update my version of Photoshop after seeing this.
Give this a try and let me know if things improve.
-
i did as u asked me to
i found it like this
##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762##
i did as u said n yes it was started .. now its disabled i will tell u if it improves..
today when i woke up something weird happened.. my firewall was disabled..
n was trying to start when i clicked the icons in the quick launch well i was trying to open the firefox..
same mistake as i posted above appeared well similar to this one.. but i was just trying to open firefox
(http://img258.imageshack.us/img258/7751/problean1.png)
then i tried to open my documents to check the tcp view but the same mistake appeared..
i tried to completely shutdown the firewall but it didnt let me..
then i click in restart my computer .. n it took so long to restart..
n when was closing .. was not the normal way it closes.. a small rectangle that said microsoft xp appeared
n well was not the normal way it closes...
i just did another hijack log file.. i dunno if can help find out if its the same or something new or what's going on
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\taskmgr.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\PROGRA~1\Mozilla Firefox\firefox.exe
D:\Software\analyze\analyse.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = https://login.live.com/ppsecure/sha1auth.srf?lc=1033
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = localhost:12080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [taskmanager] taskmgr.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{09DB9737-21CA-48F5-A49E-67749305B680}: NameServer = 200.13.249.101,200.75.78.78
O17 - HKLM\System\CS1\Services\Tcpip\..\{09DB9737-21CA-48F5-A49E-67749305B680}: NameServer = 200.13.249.101,200.75.78.78
O17 - HKLM\System\CS2\Services\Tcpip\..\{09DB9737-21CA-48F5-A49E-67749305B680}: NameServer = 200.13.249.101,200.75.78.78
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O18 - Filter hijack: text/xml - {807563E5-5146-11D5-A672-00B0D022E945} - C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\MSOXMLMF.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\wpdshserviceobj.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
i did the log file before i disabled bonjour if u want me to do another one just let me know..
thanks for everything :)
------------------------------------------------------------------------------------------------------------------------------
i was just reading about the bonjour in the links u posted... then i opened my firewall (zonealarm) n i noticed that bonjour i had given
access to bonjour to get internet connection.. n it asked me to allow it to act as a server...
btw yesterday n today my connection is falling so often... but i dnt see what can b... the only new thing i installed that u havent told me to do is ... office 2007.. but i dnt like all the stuff it hs so i did it custom.. i only wanted word n power point..
after i installed it.. i checked in ccleaner n checking my start up .. n then i checked my programs.. n office had installed more things..
i tried to uninstall them with the ccleaner.. but i wonder if it could damage something.. :-\
n automatic updates from microsoft is trying to install me n update for outlook.. but i dnt have out look.. i dnt like it.. n i dnt want to install that update.. but that keeps bugging me.. to install it >:(
-------------------------------------------------------------------------------------------------------------------------------
now that i think there's another thing that is happening lately so often.. past 2 o 3 days not sure..
my webcamera seems to get unplugged then plugged again n so on then a message appears .. new hardware found .. but doesnt work
... but im not touching it i didnt unplug it.. some times in a minute can get unplugged n plugged several times.. n well my cam had been working good.. ... when i try to make it work
doesnt work.. so i have to unplug the cable.. n plug again
-
i did the log file before i disabled bonjour if u want me to do another one just let me know..
thanks for everything :)
Please do.
... then i opened my firewall (zonealarm) n i noticed that bonjour i had given
access to bonjour to get internet connection.. n it asked me to allow it to act as a server...
Is Zone Alarm functioning again?
-
yep my zone alarm is working again
this is the new log
Logfile of HijackThis v1.99.1
Scan saved at 3:56:04 AM, on 5/10/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16414)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\taskmgr.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\wuauclt.exe
C:\PROGRA~1\Mozilla Firefox\firefox.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\Program Files\Winamp\winamp.exe
D:\Software\analyze\analyse.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = https://login.live.com/ppsecure/sha1auth.srf?lc=1033
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = localhost:12080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [taskmanager] taskmgr.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{09DB9737-21CA-48F5-A49E-67749305B680}: NameServer = 200.13.249.101,200.75.78.78
O17 - HKLM\System\CS1\Services\Tcpip\..\{09DB9737-21CA-48F5-A49E-67749305B680}: NameServer = 200.13.249.101,200.75.78.78
O17 - HKLM\System\CS2\Services\Tcpip\..\{09DB9737-21CA-48F5-A49E-67749305B680}: NameServer = 200.13.249.101,200.75.78.78
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O18 - Filter hijack: text/xml - {807563E5-5146-11D5-A672-00B0D022E945} - C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\MSOXMLMF.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\wpdshserviceobj.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
-
Since you first posted a HJT log this line has been added and needs to be investigated
O4 - HKCU\..\Run: [taskmanager] taskmgr.exe
Please open an Explorer window (not Internet Explorer) and, at the top, click Tools>Folder Options>View. Make sure that Show Hidden Files and Folders is checked and Hide Extensions For Known File Types & Hide Protected Operating System Files are both not checked.
Now open the Windows search function and search for all instances of taskmgr.exe. Any that are found should be uploaded to Virus Total for analysis and the results posted in your next response
http://www.virustotal.com/en/indexf.html
EDIT: Regarding that SUNP0113.jpg file in D:\\My Recieved Files, is it something you knowingly downloaded? Is it an image you hope to keep or will it be OK if we do some cleaning?
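The comparison described above, spotting an entry that appeared between two HijackThis logs, can be done mechanically. The script below is an added example, not part of the original thread; the two logs are trimmed excerpts of the ones posted here, and the function names are this example's own.

```python
import re

# Trimmed excerpts of the first and the latest HijackThis log in this thread.
BASELINE_LOG = r"""
Running processes:
C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
"""

LATER_LOG = r"""
Running processes:
C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [taskmanager] taskmgr.exe
O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Filter hijack: text/xml - {807563E5-5146-11D5-A672-00B0D022E945} - C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\MSOXMLMF.DLL
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
"""

# A log entry is "<section code> - <detail>", e.g. "O4 - HKCU\..\Run: [...] ...".
ENTRY_RE = re.compile(r"^([RFNO]\d{1,2}) - (.+)$")
# Detail of a registry Run entry: "<key>: [<value name>] <command line>".
RUN_RE = re.compile(r"^(\S+): \[(.*?)\] (.+)$")
# Sections that start code at boot or logon.
AUTOSTART_SECTIONS = {"O4", "O20", "O21", "O23"}


def parse_entries(log_text):
    """Return the set of (section, detail) entries; header and process lines are ignored."""
    entries = set()
    for line in log_text.splitlines():
        match = ENTRY_RE.match(line.strip())
        if match:
            entries.add((match.group(1), match.group(2).strip()))
    return entries


def diff_logs(old_log, new_log):
    """Return (added, removed) entries between two logs, each sorted."""
    old_entries, new_entries = parse_entries(old_log), parse_entries(new_log)
    return sorted(new_entries - old_entries), sorted(old_entries - new_entries)


def autostart_only(entries):
    """Keep only entries from sections that launch code automatically."""
    return [entry for entry in entries if entry[0] in AUTOSTART_SECTIONS]


def unqualified_run_entries(entries):
    """Run entries whose command names no directory.

    The log alone does not say which file on disk such an entry starts,
    so every file with that name has to be located and checked.
    """
    hits = []
    for section, detail in entries:
        match = RUN_RE.match(detail) if section == "O4" else None
        if not match:
            continue
        name, command = match.group(2), match.group(3)
        parts = command.lstrip('"').split()
        if parts and "\\" not in parts[0] and "/" not in parts[0]:
            hits.append((name, command))
    return hits


if __name__ == "__main__":
    added, removed = diff_logs(BASELINE_LOG, LATER_LOG)
    for section, detail in added:
        print("ADDED  ", section, detail)
    for section, detail in removed:
        print("REMOVED", section, detail)
    for name, command in unqualified_run_entries(added):
        print("NO PATH", name, command)
```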
-
dnt worry about that taskmanager.exe
i just went to HKLM n in run i created a string to start the taskmanager when i turn on the comp
i want it always there.. cuz when is minimized i notice if my computer is running many process so if i see that the tray icon is full
i click it n check what is taking all my resources
this is why i think my computer has something..here i was running winamp n messenger. not using the cam just those 2
n my computer was running at 100%
(http://img19.imageshack.us/img19/866/winqs2.png)
here the same but i closed winamp .. only messenger ..only one chat.. n no camera..
n still running at 99%
(http://img465.imageshack.us/img465/2088/cahtmz2.jpg)
Regarding that SUNP0113.jpg file in D:\\My Recieved Files, is it something you knowingly downloaded? Is it an image you hope to keep or will it be OK if we do some cleaning?
yep is n image a friend send me in the messenger i have no problem if i loose that image or the other images. .. but i hope is not to format D:// cuz i have 12 gigas of japanese learning material n i dnt wanna loose them.. i have no problem if we have to format C://
-
. .. but i hope is not to format D:// cuz i have 12 gigas of japanese learning material n i dnt wanna loose them.. i have no problem if we have to format C://
I wasn't thinking about a reformat at all. It's hardly ever necessary.
In the Task manager click on the Processes tab and click "CPU" twice to put the highest usage at the top of the list. See if you can get a screen shot when you're at or near 100%.
-
i will try to get the screenshot as soon as i can
today my gf didnt come online so i didnt use messenger...
nor used any other program..
u know u were right i stopped the bonjour stuff
n now my computer is not so slow.. i noticed today when i was using the windows media classic
usually when i use it my computer spends so much process n today wasnt spending so much
u know now that i think when my computer gets so slow.. n i check the process running..
all spends a little.. svchost n all the application n process take a little.. even the taskmanager..
i didnt thought the taskmanager could take process some times i've seen it taking 25%
same windows media n all that can run
i will try to post the screenshot soon n i will telling if my comp keeps better as soon as i notice
thx
-
here the pictures that i was requested .. sorry for taking so long..
but i couldnt use so much the computer lately..
thx for everything
(http://img512.imageshack.us/img512/1425/problemst6.png)
(http://img523.imageshack.us/img523/7197/100vz2.jpg)
(http://img167.imageshack.us/img167/5650/101kw2.jpg)
(http://img135.imageshack.us/img135/5174/111up1.jpg)
(http://img521.imageshack.us/img521/1526/112iz8.jpg)
(http://img255.imageshack.us/img255/3790/113iu7.jpg)
(http://img502.imageshack.us/img502/750/114vc0.jpg)
-
It looks like it's almost all Windows Live Messenger (msnmsgr.exe) using your cycles. If that only happens when you've opened the program then there's little you can do about it.