Author Topic: help please virus ??  (Read 20298 times)


johannlynx

  • Guest
Re: help please virus ??
« Reply #15 on: May 06, 2007, 04:54:15 AM »
I wonder which of these things I have are not needed and can be deleted??

Those extra buttons... and other things that I don't know why I have them...

mauserme

  • Guest
Re: help please virus ??
« Reply #16 on: May 06, 2007, 05:05:58 AM »
If you don't want the extra buttons we can remove them, but first get TCPView and post a screenshot.  This will show us what programs are getting connections.

http://www.microsoft.com/technet/sysinternals/utilities/TcpView.mspx

mauserme

  • Guest
Re: help please virus ??
« Reply #17 on: May 06, 2007, 05:32:18 PM »
IPs in the range 207.138.0.0 - 207.138.255.255 belong to Global Crossing, a provider of VoIP, RSS feeds, etc.  Here's a link to their home page.

http://blogs.globalcrossing.com/

Do you recognize it?

The addresses ending in phx.gbl:1863 might be Windows Messenger connections but TCPView could help confirm this.

Infotronis

  • Guest
Re: help please virus ??
« Reply #18 on: May 06, 2007, 10:35:04 PM »
I like to use SpyBot S&D for cleaning all the spyware and robots from my PC.

Search for it on http://www.spybot.com/ in any language you like, update it and give it a try.

And about the use of your processor, I have found that the latest Microsoft MSN Live Messenger tends to do that, but only for short periods.

Offline Lisandro

  • Avast team
  • Certainly Bot
  • Posts: 67194
Re: help please virus ??
« Reply #19 on: May 06, 2007, 11:23:56 PM »
Quote
I like to use SpyBot S&D for cleaning all the spyware and robots from my PC.
Sometimes it does not work and the updates are not that frequent.
I suggest AVG Antispyware. Some users recommend SUPERantispyware, Spyware Terminator and/or a-squared (take care about false positives).
The best things in life are free.

johannlynx

  • Guest
Re: help please virus ??
« Reply #20 on: May 07, 2007, 12:25:44 AM »
In the past 2 days something weird has been happening:
my Firefox is closed by Dr. Watson...
I don't know why...
This thing appears:

And whether I allow it or not... my Firefox windows get closed...

Do I have something wrong???

And all the other things that get my laptop running so slow.


Offline Lisandro

  • Avast team
  • Certainly Bot
  • Posts: 67194
Re: help please virus ??
« Reply #21 on: May 07, 2007, 12:43:15 AM »
Maybe you should open a new thread for your problem...
If Firefox is being closed, generally it is because some extension (add-on) is crashing it.
Maybe you can run Firefox (Safe Mode) from the Start Menu and then uninstall the latest extensions you've installed.

About Dr. Watson, it's a safe application trying to debug.
Anyway, it won't 'solve' the original problem of Firefox.

Do you use avast?
The best things in life are free.

johannlynx

  • Guest
Re: help please virus ??
« Reply #22 on: May 07, 2007, 07:33:37 AM »
Yes, I have avast...
Well, the biggest problem is not that my Firefox is closing...
It's all the things above... that I have connections from I don't know who these people are, and I don't know why.
And my laptop is so slow most of the time; when I open some applications it is running at 100%,
and I don't know what it can be...

mauserme

  • Guest
Re: help please virus ??
« Reply #23 on: May 07, 2007, 01:15:35 PM »
Well, SDFix did remove this

C:\DOCUME~1\Lynx\LOCALS~1\Temp\setup.exe

so something was going on.  See if you can upload the backup copy to VirusTotal for analysis (BTW, you will want to delete that file after we're done with this process).

http://www.virustotal.com/en/indexf.html

Do you recognize the Global Crossing site I posted above?

And what about TCPView?  That's going to be the easiest way to see what's connecting to the internet.  It's just an enhanced version of NetStat ...


johannlynx

  • Guest
Re: help please virus ??
« Reply #24 on: May 08, 2007, 04:05:29 AM »
Sorry, sometimes I don't reply to all the questions... I don't know why I don't see all the comments you post.  :-\
I checked twice this weekend and I thought no one had replied  ???

OK, as you said, I uploaded that file to VirusTotal
and you were right, there was something bad... now should I delete the backup?
Here is the image.


Quote
Do you recognize the Global Crossing site I posted above?
No, I don't know what that page is... I have never seen it before.

This is the TCP log:

[System Process]:0   TCP   johannly-157f5a:3736   localhost:12080   TIME_WAIT   
[System Process]:0   TCP   johannly-157f5a:3737   207.138.234.65:http   TIME_WAIT   
[System Process]:0   TCP   johannly-157f5a:3730   65.54.170.19:https   TIME_WAIT   
[System Process]:0   TCP   johannly-157f5a:3732   207.68.178.239:http   TIME_WAIT   
[System Process]:0   TCP   johannly-157f5a:3734   65.54.170.19:https   TIME_WAIT   
firefox.exe:748   TCP   johannly-157f5a:1297   localhost:1298   ESTABLISHED   
firefox.exe:748   TCP   johannly-157f5a:1298   localhost:1297   ESTABLISHED   
firefox.exe:748   TCP   johannly-157f5a:1299   localhost:1300   ESTABLISHED   
firefox.exe:748   TCP   johannly-157f5a:1300   localhost:1299   ESTABLISHED   
firefox.exe:748   TCP   johannly-157f5a:3684   ag-in-f104.google.com:http   ESTABLISHED   
firefox.exe:748   TCP   johannly-157f5a:3699   207.138.234.67:http   ESTABLISHED   
firefox.exe:748   TCP   johannly-157f5a:3703   207.138.234.66:http   ESTABLISHED   
firefox.exe:748   TCP   johannly-157f5a:3704   207.138.234.66:http   ESTABLISHED   
lsass.exe:680   UDP   johannly-157f5a:isakmp   *:*      
lsass.exe:680   UDP   johannly-157f5a:4500   *:*      
mDNSResponder.exe:2044   UDP   johannly-157f5a:1025   *:*      
mDNSResponder.exe:2044   UDP   johannly-157f5a:5353   *:*      
msnmsgr.exe:2984   TCP   johannly-157f5a:2658   by1msg5276713.phx.gbl:1863   ESTABLISHED   
msnmsgr.exe:2984   TCP   johannly-157f5a:3679   by2msg1104403.phx.gbl:1863   ESTABLISHED   
msnmsgr.exe:2984   UDP   johannly-157f5a:1053   *:*      
msnmsgr.exe:2984   UDP   johannly-157f5a:1055   *:*      
msnmsgr.exe:2984   UDP   johannly-157f5a:7329   *:*      
msnmsgr.exe:2984   UDP   johannly-157f5a:26154   *:*      
msnmsgr.exe:2984   UDP   johannly-157f5a:discard   *:*      
msnmsgr.exe:2984   TCP   johannly-157f5a:3738   by2msg2263512.phx.gbl:1863   ESTABLISHED   
svchost.exe:1040   UDP   johannly-157f5a:1399   *:*      
svchost.exe:1040   UDP   johannly-157f5a:1303   *:*      
svchost.exe:1040   UDP   johannly-157f5a:1400   *:*      
svchost.exe:1040   UDP   johannly-157f5a:1034   *:*      
svchost.exe:1040   UDP   johannly-157f5a:1402   *:*      
svchost.exe:1040   UDP   johannly-157f5a:1040   *:*      
svchost.exe:1040   UDP   johannly-157f5a:1302   *:*      
svchost.exe:1156   UDP   johannly-157f5a:1900   *:*      
svchost.exe:1156   UDP   johannly-157f5a:1900   *:*      
svchost.exe:932   UDP   johannly-157f5a:ntp   *:*      
svchost.exe:932   UDP   johannly-157f5a:1045   *:*      
svchost.exe:932   UDP   johannly-157f5a:ntp   *:*      
System:4   TCP   johannly-157f5a:microsoft-ds   johannly-157f5a:0   LISTENING   
System:4   TCP   johannly-157f5a:netbios-ssn   johannly-157f5a:0   LISTENING   
System:4   UDP   johannly-157f5a:microsoft-ds   *:*      
System:4   UDP   johannly-157f5a:netbios-dgm   *:*      
System:4   UDP   johannly-157f5a:netbios-ns   *:*      

I wonder if everything is OK.

mauserme

  • Guest
Re: help please virus ??
« Reply #25 on: May 08, 2007, 04:48:18 AM »
Two hits on Virus Total really isn't definitive.  Let's not rush into deletion.

That mDNSResponder.exe in your TCPView readout is part of iTunes' Bonjour Service.  It sets up a P2P file sharing connection, quite possibly without your knowledge, and is reported by some to use near 100% CPU (this process is listed in your HijackThis log but I didn't pay much attention to it until seeing TCPView).

Is this a service you installed on purpose and, if you did, is it something you want to keep?

EDIT:  Adobe CS3 also uses Bonjour technology.  Do you have any of the Creative Suite programs?
« Last Edit: May 08, 2007, 05:01:45 AM by mauserme »
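As an added example (not code from this thread or from TCPView), here is a small Python script that parses a TCPView text export in the layout posted above, groups the remote endpoints each process is talking to, and flags literal IPs inside the 207.138.0.0/16 range that was attributed to Global Crossing earlier in the thread. The sample rows are constructed from the posted readout; the hostname johannly-157f5a and the watched range are taken from the thread, and everything else is an assumption.

```python
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed sample in the TCPView text-export layout posted in the thread:
# process:pid, protocol, local endpoint, remote endpoint, state (no state on UDP rows).
SAMPLE_TCPVIEW = """\
[System Process]:0   TCP   johannly-157f5a:3737   207.138.234.65:http   TIME_WAIT
firefox.exe:748   TCP   johannly-157f5a:1297   localhost:1298   ESTABLISHED
firefox.exe:748   TCP   johannly-157f5a:3684   ag-in-f104.google.com:http   ESTABLISHED
firefox.exe:748   TCP   johannly-157f5a:3699   207.138.234.67:http   ESTABLISHED
mDNSResponder.exe:2044   UDP   johannly-157f5a:5353   *:*
msnmsgr.exe:2984   TCP   johannly-157f5a:2658   by1msg5276713.phx.gbl:1863   ESTABLISHED
System:4   TCP   johannly-157f5a:microsoft-ds   johannly-157f5a:0   LISTENING
"""

LOCAL_HOSTNAME = "johannly-157f5a"                # the poster's machine name (from the thread)
WATCHED_RANGES = [ip_network("207.138.0.0/16")]   # range discussed in the thread (assumed /16)
LINE_RE = re.compile(
    r"^(?P<proc>.+?):(?P<pid>\d+)\s+(?P<proto>TCP|UDP)\s+"
    r"(?P<local>\S+)\s+(?P<remote>\S+)(?:\s+(?P<state>\S+))?$"
)

def parse_tcpview(text):
    """Return one dict per connection row; lines that do not parse are skipped."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            rows.append(m.groupdict())
    return rows

def endpoint_host(endpoint):
    # '207.138.234.65:http' -> '207.138.234.65'; '*:*' -> '*'
    return endpoint.rpartition(":")[0]

def is_remote(endpoint, local_hostname=LOCAL_HOSTNAME):
    """True for endpoints that are neither wildcard, loopback nor this host."""
    return endpoint_host(endpoint) not in ("*", "localhost", local_hostname)

def remote_endpoints_by_process(rows, local_hostname=LOCAL_HOSTNAME):
    """Map 'process:pid' -> sorted list of remote endpoints it is talking to."""
    seen = defaultdict(set)
    for r in rows:
        if is_remote(r["remote"], local_hostname):
            seen[f"{r['proc']}:{r['pid']}"].add(r["remote"])
    return {proc: sorted(eps) for proc, eps in seen.items()}

def in_watched_range(endpoint):
    """True if the endpoint is a literal IP inside one of WATCHED_RANGES."""
    try:
        addr = ip_address(endpoint_host(endpoint))
    except ValueError:            # a hostname or wildcard, not an IP literal
        return False
    return any(addr in net for net in WATCHED_RANGES)

def watched_connections(rows):
    """(process:pid, remote endpoint) pairs whose remote IP lands in a watched range."""
    return [(f"{r['proc']}:{r['pid']}", r["remote"]) for r in rows if in_watched_range(r["remote"])]
```

Loopback rows (the firefox.exe localhost pairs), wildcard UDP sockets and LISTENING rows drop out of the per-process summary, which leaves only the outbound endpoints worth asking "do you recognize this?" about.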

johannlynx

  • Guest
Re: help please virus ??
« Reply #26 on: May 08, 2007, 07:10:24 AM »
Wow, I didn't know it was...
that Bonjour is a part of Photoshop... CS3...
Shall I uninstall it??  :o

In these past days I'm also getting notices like this:


This one was because I tried to click the link below to go to my received files and see a picture...
I don't understand why it happens...

Can I just uninstall the Bonjour stuff without uninstalling Photoshop??
Can it be that Bonjour is the one that makes my computer run so slow, then?
And about SDFix... then shall I delete the backup files or not???

 ??? What's next?  ???

Thanks for your time :)

mauserme

  • Guest
Re: help please virus ??
« Reply #27 on: May 08, 2007, 01:58:15 PM »
Here's a link to a blog about this problem with Adobe CS3:

http://blogs.adobe.com/jnack/2007/01/cs3_doesnt_inst.html

and a link to Adobe's removal procedure:

http://www.adobe.com/cfusion/knowledgebase/index.cfm?id=kb400982

If you read through the blog you'll see that removal can damage your LSP stack, which will effectively kill your internet connection.  Some users were able to repair this with LSPFix and I suggest you download this just in case:

http://www.bleepingcomputer.com/files/lspfix.php

But instead of complete removal, with the risk of needing to fix your connection, I would like to try this instead:

Click Start>Run

In the empty field type services.msc and click OK

In the window that opens find the Bonjour service.  It will either be named Bonjour Service or $$Id_String1.6844F930_1628_4223_B5CC_5BB94B879762$$ (probably the latter).

When you locate the service, right click it and then click Properties.  Change Startup Type to Disabled.

In the same window click the Recovery tab and change the First Failure, Second Failure, and Subsequent Failure fields to Take no Action.

Click OK.

Right click the service again and click Stop.


While this method does not remove Bonjour from your computer I believe it will safely disable it without breaking other things.  It's not technically malware so leaving it on your drive shouldn't be a problem, though I must say I will probably never update my version of Photoshop after seeing this.

Give this a try and let me know if things improve.
« Last Edit: May 08, 2007, 02:00:30 PM by mauserme »

johannlynx

  • Guest
Re: help please virus ??
« Reply #28 on: May 08, 2007, 05:29:10 PM »
I did as you asked me to.
I found it like this:
##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762##
I did as you said, and yes it was started... now it's disabled. I will tell you if it improves...
Today when I woke up something weird happened... my firewall was disabled...
and was trying to start when I clicked the icons in the quick launch; well, I was trying to open Firefox...
The same error as I posted above appeared, well, similar to this one... but I was just trying to open Firefox.



Then I tried to open My Documents to check the TCPView but the same error appeared...
I tried to completely shut down the firewall but it didn't let me...
Then I clicked on restart my computer... and it took so long to restart...
and when it was closing... it was not the normal way it closes... a small rectangle that said Microsoft XP appeared,
and well, it was not the normal way it closes...

I just did another HijackThis log file... I don't know if it can help find out if it's the same or something new or what's going on.

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\taskmgr.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\PROGRA~1\Mozilla Firefox\firefox.exe
D:\Software\analyze\analyse.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = https://login.live.com/ppsecure/sha1auth.srf?lc=1033
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = localhost:12080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [taskmanager] taskmgr.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{09DB9737-21CA-48F5-A49E-67749305B680}: NameServer = 200.13.249.101,200.75.78.78
O17 - HKLM\System\CS1\Services\Tcpip\..\{09DB9737-21CA-48F5-A49E-67749305B680}: NameServer = 200.13.249.101,200.75.78.78
O17 - HKLM\System\CS2\Services\Tcpip\..\{09DB9737-21CA-48F5-A49E-67749305B680}: NameServer = 200.13.249.101,200.75.78.78
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O18 - Filter hijack: text/xml - {807563E5-5146-11D5-A672-00B0D022E945} - C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\MSOXMLMF.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\wpdshserviceobj.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

I did the log file before I disabled Bonjour. If you want me to do another one just let me know...
Thanks for everything  :)

------------------------------------------------------------------------------------------------------------------------------

I was just reading about Bonjour in the links you posted... then I opened my firewall (ZoneAlarm) and I noticed that I had given
access to Bonjour to get an internet connection... and it asked me to allow it to act as a server...

BTW, yesterday and today my connection is dropping so often... but I don't see what it can be... The only new thing I installed that you haven't told me to do is... Office 2007... but I don't like all the stuff it has, so I did it custom... I only wanted Word and PowerPoint...
After I installed it... I checked in CCleaner, checking my startup... and then I checked my programs... and Office had installed more things...
I tried to uninstall them with CCleaner... but I wonder if it could damage something...   :-\

And Automatic Updates from Microsoft is trying to install an update for Outlook... but I don't have Outlook... I don't like it... and I don't want to install that update... but it keeps bugging me... to install it  >:(
-------------------------------------------------------------------------------------------------------------------------------
Now that I think of it, there's another thing that has been happening lately so often... the past 2 or 3 days, not sure...
My webcam seems to get unplugged, then plugged in again, and so on; then a message appears... new hardware found... but it doesn't work
...  but I'm not touching it, I didn't unplug it... sometimes in a minute it can get unplugged and plugged in several times... and well, my cam had been working fine... ...  When I try to make it work
it doesn't work... so I have to unplug the cable... and plug it in again.
« Last Edit: May 08, 2007, 08:55:38 PM by johannlynx »

mauserme

  • Guest
Re: help please virus ??
« Reply #29 on: May 08, 2007, 09:08:31 PM »
Quote
I did the log file before I disabled Bonjour. If you want me to do another one just let me know...
Thanks for everything  :)
Please do.

Quote
... then I opened my firewall (ZoneAlarm) and I noticed that I had given
access to Bonjour to get an internet connection... and it asked me to allow it to act as a server...
Is ZoneAlarm functioning again?