Author Topic: help please virus ??  (Read 20364 times)


johannlynx

  • Guest
Re: help please virus ??
« Reply #30 on: May 08, 2007, 11:01:28 PM »
Yep, my ZoneAlarm is working again.

This is the new log:

Logfile of HijackThis v1.99.1
Scan saved at 3:56:04 AM, on 5/10/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16414)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\taskmgr.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\wuauclt.exe
C:\PROGRA~1\Mozilla Firefox\firefox.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\Program Files\Winamp\winamp.exe
D:\Software\analyze\analyse.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = https://login.live.com/ppsecure/sha1auth.srf?lc=1033
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = localhost:12080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [taskmanager] taskmgr.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{09DB9737-21CA-48F5-A49E-67749305B680}: NameServer = 200.13.249.101,200.75.78.78
O17 - HKLM\System\CS1\Services\Tcpip\..\{09DB9737-21CA-48F5-A49E-67749305B680}: NameServer = 200.13.249.101,200.75.78.78
O17 - HKLM\System\CS2\Services\Tcpip\..\{09DB9737-21CA-48F5-A49E-67749305B680}: NameServer = 200.13.249.101,200.75.78.78
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O18 - Filter hijack: text/xml - {807563E5-5146-11D5-A672-00B0D022E945} - C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\MSOXMLMF.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\wpdshserviceobj.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe


mauserme

  • Guest
Re: help please virus ??
« Reply #31 on: May 09, 2007, 02:48:42 AM »
Since you first posted a HJT log, this line has been added and needs to be investigated:

O4 - HKCU\..\Run: [taskmanager] taskmgr.exe

Please open an Explorer window (not Internet Explorer) and, at the top, click Tools>Folder Options>View.  Make sure that Show Hidden Files and Folders is checked and Hide Extensions For Known File Types & Hide Protected Operating System Files are both not checked.

Now open the Windows search function and search for all instances of taskmgr.exe.  Any that are found should be uploaded to VirusTotal for analysis and the results posted in your next response.

http://www.virustotal.com/en/indexf.html


EDIT:  Regarding that SUNP0113.jpg file in D:\\My Recieved Files, is it something you knowingly downloaded?  Is it an image you hope to keep or will it be OK if we do some cleaning?
« Last Edit: May 09, 2007, 02:59:25 AM by mauserme »
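One way to automate the check mauserme describes above, as an added example that is not code from this thread: parse the O4 (Run key) lines of two HijackThis logs, report entries that appear only in the newer log, and flag any whose command is a bare file name rather than a full path, since such an entry resolves through the PATH search order and you cannot tell from the log alone which file will actually run. The two log excerpts are constructed for the example from the lines posted in this thread; the "earlier" log is assumed to lack the new entry.

```python
import re

# Constructed excerpts (assumption): the earlier log without the new entry,
# and the newer log containing the line mauserme asks about in Reply #31.
OLD_LOG = r"""
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
"""
NEW_LOG = OLD_LOG + "O4 - HKCU\\..\\Run: [taskmanager] taskmgr.exe\n"

# Matches the HJT "O4 - <hive>\..\Run: [<value name>] <command>" line format.
O4_RE = re.compile(r'^O4 - (?P<hive>HK\w+)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$')


def parse_o4(log):
    """Return {(hive, value_name): command} for every O4 Run-key line in a HJT log."""
    entries = {}
    for line in log.splitlines():
        m = O4_RE.match(line.strip())
        if m:
            entries[(m['hive'], m['name'])] = m['cmd']
    return entries


def is_bare_filename(cmd):
    """True when the executable has no directory component, i.e. Windows will
    locate it via the PATH search order rather than a fixed location."""
    cmd = cmd.strip()
    exe = cmd.split('"')[1] if cmd.startswith('"') else cmd.split()[0]
    return '\\' not in exe and ':' not in exe


def new_run_entries(old_log, new_log):
    """List (hive, name, cmd, bare) for O4 entries present only in new_log."""
    old, new = parse_o4(old_log), parse_o4(new_log)
    return [(h, n, c, is_bare_filename(c))
            for (h, n), c in new.items() if (h, n) not in old]


if __name__ == "__main__":
    for hive, name, cmd, bare in new_run_entries(OLD_LOG, NEW_LOG):
        note = "bare filename: locate every copy on disk" if bare else "full path"
        print(f"new: {hive} [{name}] {cmd}  ({note})")
```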

johannlynx

  • Guest
Re: help please virus ??
« Reply #32 on: May 09, 2007, 04:42:43 AM »
Don't worry about that taskmanager.exe.
I just went to HKLM and in Run I created a string to start the Task Manager when I turn on the computer.
I want it always there, because when it's minimized I notice if my computer is running many processes, so if I see that the tray icon is full
I click it and check what is taking all my resources.

This is why I think my computer has something. Here I was running Winamp and Messenger, not using the cam, just those 2,
and my computer was running at 100%.

Here the same, but I closed Winamp: only Messenger, only one chat, and no camera,
and still running at 99%.

Quote
  Regarding that SUNP0113.jpg file in D:\\My Recieved Files, is it something you knowingly downloaded?  Is it an image you hope to keep or will it be OK if we do some cleaning?
Yep, it's an image a friend sent me in Messenger. I have no problem if I lose that image or the other images, but I hope it's not to format D:// because I have 12 gigs of Japanese learning material and I don't wanna lose them. I have no problem if we have to format C://.

mauserme

  • Guest
Re: help please virus ??
« Reply #33 on: May 09, 2007, 06:00:57 AM »
... but I hope it's not to format D:// because I have 12 gigs of Japanese learning material and I don't wanna lose them. I have no problem if we have to format C://.
I wasn't thinking about a reformat at all.  It's hardly ever necessary.

In the Task manager click on the Processes tab and click "CPU" twice to put the highest usage at the top of the list.  See if you can get a screen shot when you're at or near 100%.

johannlynx

  • Guest
Re: help please virus ??
« Reply #34 on: May 10, 2007, 07:38:56 AM »
I will try to get the screenshot as soon as I can.
Today my gf didn't come online, so I didn't use Messenger,
nor did I use any other program.

You know, you were right: I stopped the Bonjour stuff
and now my computer is not so slow. I noticed today when I was using Windows Media Classic;
usually when I use it my computer spends so much processing, and today it wasn't spending so much.

You know, now that I think about it, when my computer gets so slow and I check the processes running,
all of them spend a little: svchost and all the applications and processes take a little, even the Task Manager.
I didn't think the Task Manager could take processing; sometimes I've seen it taking 25%,
same with Windows Media and all that can run.

I will try to post the screenshot soon, and I will tell you if my computer keeps getting better as soon as I notice.
Thanks

johannlynx

  • Guest
Re: help please virus ??
« Reply #35 on: May 21, 2007, 10:47:34 PM »
Here are the pictures that I was asked for. Sorry for taking so long,
but I couldn't use the computer so much lately.
Thanks for everything

mauserme

  • Guest
Re: help please virus ??
« Reply #36 on: May 22, 2007, 06:17:16 AM »
It looks like it's almost all Windows Live Messenger (msnmsgr.exe) using your cycles.  If that only happens when you've opened the program, then there's little you can do about it.
« Last Edit: May 22, 2007, 06:53:45 AM by mauserme »