Author Topic: help please virus ??  (Read 20287 times)


johannlynx

  • Guest
help please virus ??
« on: May 03, 2007, 05:28:22 PM »
lately my internet connection is working so slow
i called my internet company to complain n they made me
do a netstat n i seem to have many connections established
even when im doing nothing.. they said i have a virus..
i just formatted n i still have those connections i dunno what to do

this is the first netstat i did


then i closed all possible programs running even firewall, antispyware n antivirus


then i did it again unplugging the internet but those connection were still


r those connections established by a virus ?? if so then what shall i do i just formatted
i thought that would get rid of them.. n my internet connection is so slow im paying for 700k n each time i test my speed is 170 to 250 k ... n my internet company doesn't give me
further assistance

i also did a scan with hijackthis here is the report

Logfile of HijackThis v1.99.1
Scan saved at 9:58:57 PM, on 5/4/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16414)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\ISafe.exe
C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\VetMsg.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Adobe\Reader 8.0\Reader\AcroRd32Info.exe
D:\Software\Nueva carpeta\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [cctray] "C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe"
O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\npjpi160.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\npjpi160.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O11 - Options group: [TABS] Tabbed Browsing
O17 - HKLM\System\CCS\Services\Tcpip\..\{09DB9737-21CA-48F5-A49E-67749305B680}: NameServer = 200.132.249.101,200.75.78.78
O17 - HKLM\System\CS1\Services\Tcpip\..\{09DB9737-21CA-48F5-A49E-67749305B680}: NameServer = 200.132.249.101,200.75.78.78
O17 - HKLM\System\CS2\Services\Tcpip\..\{09DB9737-21CA-48F5-A49E-67749305B680}: NameServer = 200.132.249.101,200.75.78.78
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\wpdshserviceobj.dll
O23 - Service: CaCCProvSP - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\ISafe.exe
O23 - Service: VET Message Service (VETMSGNT) - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\VetMsg.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe


hope some one can help me.. i cant understand what can b establishing the connections
n why my internet is getting so slow..
i would appreciate ur help
thanks

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 88895
  • No support PMs thanks
Re: help please virus ??
« Reply #1 on: May 03, 2007, 05:59:07 PM »
First you don't appear to have avast installed on your system and this is a support forum for avast users.

Second, the Localhost entries aren't connecting to the internet; they are locations on your system, usually a proxy to be able to scan something like inbound or outbound email. I have no knowledge of CA's anti-virus so I don't know if they use localhost ports.

You could do a reverse whois lookup on the ip addresses.

Netstat doesn't show what applications are using the ports so it may be best to check your firewall logs to see what the activity is.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.2.6105 (build 24.2.8918.824) UI 1.0.799/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security
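As an added example (not from this thread or any of its posters), a small Python script that applies DavidR's distinction to `netstat -an` output: it separates established connections whose both ends are 127.0.0.1 (local proxy traffic such as a mail or web scanner) from those with a real remote peer, and counts the remote hosts so each needs only one lookup. The netstat rows are constructed, since the original screenshots are not on the page.

```python
import re
from collections import Counter
from ipaddress import ip_address

# Constructed sample in the layout of Windows XP "netstat -an" output; the thread's
# own screenshots did not survive, so these rows are made up to illustrate the point.
# 127.0.0.1:12080 stands in for the local proxy port seen in the HijackThis log.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    127.0.0.1:12080        0.0.0.0:0              LISTENING
  TCP    127.0.0.1:1043         127.0.0.1:12080        ESTABLISHED
  TCP    127.0.0.1:12080        127.0.0.1:1043         ESTABLISHED
  TCP    192.168.1.10:1056      200.75.78.78:53        TIME_WAIT
  TCP    192.168.1.10:1061      64.215.158.8:80        ESTABLISHED
  TCP    192.168.1.10:1062      64.215.158.8:80        ESTABLISHED
  UDP    0.0.0.0:445            *:*
"""

# One netstat row: protocol, local endpoint, foreign endpoint, optional state (UDP has none).
ROW_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)(?:\s+(\S+))?\s*$")


def split_endpoint(endpoint):
    """'127.0.0.1:12080' -> ('127.0.0.1', '12080'); '*:*' -> ('*', '*')."""
    host, _, port = endpoint.rpartition(":")
    return host, port


def is_loopback(host):
    """True for 127.0.0.0/8; False for wildcards, hostnames and real addresses."""
    try:
        return ip_address(host).is_loopback
    except ValueError:
        return False


def parse_netstat(text):
    """Parse netstat -an output into dicts; header and blank lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if not m:
            continue
        proto, local, foreign, state = m.groups()
        rows.append({
            "proto": proto,
            "local": split_endpoint(local),
            "foreign": split_endpoint(foreign),
            "state": state or "",
        })
    return rows


def classify_established(rows):
    """Split ESTABLISHED rows into loopback-only pairs (local proxy/scanner traffic that
    never leaves the machine) and rows with a non-loopback peer (the ones worth looking up)."""
    loopback, external = [], []
    for row in rows:
        if row["state"] != "ESTABLISHED":
            continue
        if is_loopback(row["local"][0]) and is_loopback(row["foreign"][0]):
            loopback.append(row)
        else:
            external.append(row)
    return loopback, external


def external_peers(rows):
    """Count established connections per remote host, so each host needs only one lookup."""
    _, external = classify_established(rows)
    return Counter(row["foreign"][0] for row in external)


if __name__ == "__main__":
    parsed = parse_netstat(SAMPLE_NETSTAT)
    local_only, outbound = classify_established(parsed)
    print(f"{len(local_only)} loopback-only, {len(outbound)} external established connections")
    for host, n in external_peers(parsed).items():
        print(f"  {host}: {n} connection(s)")
```

Netstat still does not say which program owns each socket; the remote host list is only the input for the firewall-log or TCPView check suggested later in the thread.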

mauserme

  • Guest
Re: help please virus ??
« Reply #2 on: May 03, 2007, 08:26:19 PM »
Besides having the "wrong" antivirus, do you know the IP in this line

O17 - HKLM\System\CCS\Services\Tcpip\..\{09DB9737-21CA-48F5-A49E-67749305B680}: NameServer = 200.132.249.101,200.75.78.78

It's registered to Associação Rede Nacional de Ensino e Pesquisa which I think is in Brazil.

johannlynx

  • Guest
Re: help please virus ??
« Reply #3 on: May 04, 2007, 12:18:12 AM »
i had avast..
but i wanted to try this one..
just curious..
i had the professional version
but so much ppl told me it doesnt stop all virus..
im not sure..
well im just checking...

n about the ip
what does it mean that is registered in to brazil??
n that thing that i didnt understand??
right now im in colombia..
n portugues is not our language ..
can u plse xplain me...
n dnt get mad
i will b back to avast..
when i joined this forum i had it..
but i wanted to try.. n well this far i prefer avast than my new one..
but i've used it for only 5 days

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67195
Re: help please virus ??
« Reply #4 on: May 04, 2007, 12:54:45 AM »
but so much ppl told me it doesnt stop all virus./
Give me a name of the perfect software and I'll congratulate you... there isn't... there isn't a perfect antivirus...
Although I can bet you avast is one of the best ones 8)

what does it mean that is registered in to brazil??
What do you mean? Are you a brazilian like me?

right now im in colombia..
n portugues is not our language ..
Download and install the Spanish version of avast not the Portuguese (Brazil) one.
There is a registration page (to get the free key) that is in Spanish too (I hope).
The best things in life are free.

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 88895
  • No support PMs thanks
Re: help please virus ??
« Reply #5 on: May 04, 2007, 01:08:06 AM »
The reason this was mentioned is because the O17 entries are usually associated with your ISP.

O17 - HKLM\System\CCS\Services\Tcpip\..\{09DB9737-21CA-48F5-A49E-67749305B680}: NameServer = 200.132.249.101,200.75.78.78

If this is not your ISP then it is suspicious, that is why mauserme did the reverse lookup I mentioned. "Its registered to Associação Rede Nacional de Ensino e Pesquisa which I think is in Brazil."

So somehow I doubt it is your ISP as you are in Colombia and not Brazil.

But, for the other IP address, 200.75.78.78, I get this:
Checking IP: 200.75.78.78...
Name:      coleonyx.epm.net.co
IP:      200.75.78.78

So do either of those names ring a bell with you ?


johannlynx

  • Guest
Re: help please virus ??
« Reply #6 on: May 04, 2007, 02:52:22 AM »
yep epm is my internet provider
but about the other one i dunno what it is...
n worries me i just formatted n well
to have problems is not nice..
can u plse guide me what can i do thx

........................................................
i just did a reverse look up checking my dns n everything
well one is from epm n its ok the other has a problem n i dnt understand why
my prefered dns is 200.13.249.101

200.13.249.101 resolves to
"dnscache.une.net.co"
Top Level Domain: "net.co"
une is the same company as epm 
but i dnt understand why in the log file it has another number

200.132.249.101  instead of 200.13.249.101  why one more number??

about avast if spanish or english..
i will get back to the one i had in english..
i dnt really like the programs in spanish..
but yep it exist in spanish..
i think avast is available in several languages :)
« Last Edit: May 04, 2007, 03:09:32 AM by johannlynx »
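Added example, not from the thread: a Python check that pulls the O17 NameServer entries out of a HijackThis log and compares them with the resolvers the user expects from their ISP, reporting the closest expected address and the edit distance so a one-digit difference like 200.132.249.101 versus 200.13.249.101 is visible at a glance. The log excerpt is constructed from the lines posted above, and the expected set assumes une/epm's 200.13.249.101 and 200.75.78.78 as stated in the post.

```python
import re
from ipaddress import ip_address

# Constructed HijackThis excerpt in the O17 format shown in the thread (one interface GUID,
# the same NameServer value under the current and a previous control set). The GUID and
# addresses are copied from the posted log; the O4 line shows that non-O17 lines are ignored.
SAMPLE_LOG = r"""
O17 - HKLM\System\CCS\Services\Tcpip\..\{09DB9737-21CA-48F5-A49E-67749305B680}: NameServer = 200.132.249.101,200.75.78.78
O17 - HKLM\System\CS1\Services\Tcpip\..\{09DB9737-21CA-48F5-A49E-67749305B680}: NameServer = 200.132.249.101,200.75.78.78
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
"""

# DNS servers the user believes are configured (assumed from the post: une/epm resolvers).
EXPECTED_DNS = {"200.13.249.101", "200.75.78.78"}

O17_RE = re.compile(
    r"^O17 - HKLM\\System\\(\w+)\\Services\\Tcpip\\\.\.\\(\{[^}]+\}): NameServer = (\S+)$"
)


def parse_o17(log_text):
    """Return (control_set, interface_guid, [server, ...]) for each O17 NameServer line."""
    entries = []
    for line in log_text.splitlines():
        m = O17_RE.match(line.strip())
        if m:
            control_set, guid, servers = m.groups()
            entries.append((control_set, guid, servers.split(",")))
    return entries


def edit_distance(a, b):
    """Levenshtein distance, used to tell a one-keystroke typo from an unrelated address."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_nameservers(log_text, expected):
    """Report every configured DNS server that is not in the expected set.

    Each finding names the control set and interface it came from and the closest
    expected server, so the reader can see whether the unexpected value looks like a
    mistyped ISP address or something unrelated that should be looked up."""
    findings = []
    for control_set, guid, servers in parse_o17(log_text):
        for server in servers:
            try:
                ip_address(server)
            except ValueError:
                findings.append({"control_set": control_set, "interface": guid,
                                 "server": server, "problem": "not an IP address"})
                continue
            if server in expected:
                continue
            closest = min(expected, key=lambda e: edit_distance(server, e))
            findings.append({"control_set": control_set, "interface": guid,
                             "server": server, "problem": "not an expected resolver",
                             "closest_expected": closest,
                             "distance": edit_distance(server, closest)})
    return findings


if __name__ == "__main__":
    for finding in check_nameservers(SAMPLE_LOG, EXPECTED_DNS):
        print(finding)
```

A distance of 1 only says the value is one keystroke away from the expected resolver; whether it is a typo or a replaced resolver is settled by the reverse lookup the thread goes on to do.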

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67195
Re: help please virus ??
« Reply #7 on: May 04, 2007, 03:13:52 AM »
can u plse guide me what can i do thx
To do what? Reformat the computer? Why?

mauserme

  • Guest
Re: help please virus ??
« Reply #8 on: May 04, 2007, 05:09:09 AM »
i had avast..
but i wanted to try this one..
just curious..
No problem - we all try different programs from time to time.  I was making a joke earlier :)


2 Tech - If you don't mind would you look at this site and see if you can tell what it's all about?

http://www.rnp.br/rnp/

This is the one that 200.132.249.101 resolves to.  It scans clean with Dr. Web and I've been to the site several times with no ill effects.  It seems innocent enough but I can't get it to translate well enough for me to read it. 


2 johannlynx - Please download the free version of SuperAntiSpyware, install it and scan

http://www.superantispyware.com/

Make sure to do a complete system scan and quarantine if anything is found.  Then post the log it produces. 

johannlynx

  • Guest
Re: help please virus ??
« Reply #9 on: May 04, 2007, 06:56:14 AM »
i have a question if i download the superantispyware
can it have conflict with the antispyware i already have?
i use zonealarm as my firewall n this version includes antispyware...

well im back to avast  :)  today i had some problems with the antivirus i was testing
was taking so much of my resources ... n well that is not good for me...
n well avast is the best one i have had this far n that doesn't take all my resources

about that ip from brasil i dnt understand ...why i have it.. n is really similar to my dns
only with one number of difference
n well i formatted .. im not sure of the word in english .. i formatted c:\
2 days ago n installed again the xp
i wonder if this fast i can have a spyware or something...
is really weird

i made a new log file  plse can u keep guiding me thx .. n check i got avast again  8)


Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Program Files\uTorrent\uTorrent.exe
C:\WINDOWS\system32\taskmgr.exe
D:\Software\analize\analyse.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = https://login.live.com/ppsecure/sha1auth.srf?lc=1033
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = localhost:12080
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O11 - Options group: [TABS] Tabbed Browsing
O17 - HKLM\System\CCS\Services\Tcpip\..\{09DB9737-21CA-48F5-A49E-67749305B680}: NameServer = 200.132.249.101,200.75.78.78
O17 - HKLM\System\CS1\Services\Tcpip\..\{09DB9737-21CA-48F5-A49E-67749305B680}: NameServer = 200.132.249.101,200.75.78.78
O17 - HKLM\System\CS2\Services\Tcpip\..\{09DB9737-21CA-48F5-A49E-67749305B680}: NameServer = 200.132.249.101,200.75.78.78
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\wpdshserviceobj.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--------------------------------------------------------------------------------------------------------------------------
hehe i just tried to fix the ip stuff with hijackthis n well it deleted my preferred dns server n the alternative dns server hehe
i couldnt surf .. well now i know is those r my dns  but why that one has one more number than it really has..
n in avast i noticed i have some file missing.. is this normal??
what shall i do ??
thx :)
« Last Edit: May 04, 2007, 07:20:47 AM by johannlynx »

mauserme

  • Guest
Re: help please virus ??
« Reply #10 on: May 04, 2007, 01:11:19 PM »
hehe i just tried to fix the ip stuff with hijackthis n well it deleted my preferred dns server n the alternative dns server hehe
i couldnt surf .. well now i know is those r my dns  but why that one has one more number than it really has..
Well, as I said, it seems innocent ...

Please don't assume that my asking questions means I'm suspicious of something.  I just need information sometimes.  Is your internet connection OK or are you using a different computer now?

A couple more questions:

Is this HijackThis renamed to analyze.exe?

D:\Software\analize\analyse.exe

And this line was not present in your first log

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = https://login.live.com/ppsecure/sha1auth.srf?lc=1033

It looks like a HotMail login.  Did you just install that?


n well i formatted .. im not sure of the word in english .. i formatted c:\
2 days ago n installed again the xp
i wonder if this fast i can have a spyware or something...
is really weird
If you mean you wiped the drive clean and reinstalled the operating system "format" is the correct word.  And honestly, other than the lightweight sort of spyware that some manufacturers install on new PCs it seems unlikely anything unwanted would survive reinstallation (and I don't see any of the things like WeatherBug that manufacturers do sometimes install).

Still, you have a slow internet and a tech support guy saying you're infected. This may just be an excuse for a poor connection but it can't hurt to check a few things.


i have a question if i download the superantispyware
can it have conflict with the antispyware i already have?
i use zonealarm as my firewall n this version includes antispyware...
The free version of SuperAntispyware does not provide real time protection so there should be no conflict.

After that scan download TCPView and post a screen shot of the connections (I would like to see what programs are involved)

http://www.microsoft.com/technet/sysinternals/utilities/TcpView.mspx


EDIT:  Those missing avast! files are OK - it's a glitch with HijackThis.  If you look at the running processes section you will see they are actually there.


« Last Edit: May 04, 2007, 01:44:04 PM by mauserme »

johannlynx

  • Guest
Re: help please virus ??
« Reply #11 on: May 05, 2007, 06:47:11 AM »
but so much ppl told me it doesnt stop all virus./
Give me a name of the perfect software and I'll congratulate you... there isn't... there isn't a perfect antivirus...
Although I can bet you avast is one of the best ones 8)

what does it mean that is registered in to brazil??
What do you mean? Are you a brazilian like me?

right now im in colombia..
n portugues is not our language ..
Download and install the Spanish version of avast not the Portuguese (Brazil) one.
The is a registration page (to get the free key) that is on Spanish too (I hope).
sorry i didnt want to b impolite not replying to ur question
im not from brazil im from colombia..
i used to have avast professional in english.. i was just testing..
but that one i was testing was not as i thought n u r right
there's no perfect software.. i was just curious n well the best way to learn is trying or testing..
but well now im back to avast :)
i dnt like the spanish version.. i usually download programs in english or french.. i like more those languages :)

johannlynx

  • Guest
Re: help please virus ??
« Reply #12 on: May 05, 2007, 07:06:36 AM »
Quote
Is your internet connection OK or are you using a different computer now?
it deleted my dns ...but i had them so i just set them again.. so im working from my laptop again..
Quote
Is this HijackThis renamed to analyze.exe?

D:\Software\analize\analyse.exe
yep i renamed it cuz i read that sometimes that name is used to hide malwares.. in the page of hijack they suggest it n in majorgeek

Quote
And this line was not present in your first log

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = https://login.live.com/ppsecure/sha1auth.srf?lc=1033

It looks like a HotMail login.  Did you just install that?
well i dunno .. as far as i know i havent installed anything.. i just check my mail no more..
i dnt like things that hotmail have to offer..

n now the wga is bugging me.. even though my xp is original.. that wga i notice tries to do many things..
n change things.. the firewall tells me..

Quote
If you mean you wiped the drive clean and reinstalled the operating system "format" is the correct word.  And honestly, other than the light weight sort of spyware that some manufactures install on new PCs it seems unlikely anything unwanted would survive reinstallation (and I don't see any of the things like WeatherBug that manufacturers do sometimes install).

Still, you have a slow internet and a tech support guy saying you're infected. This may just be an excuse for a poor connection but it can't hurt to check a few things.

i havent called them again.. u know i also decide to format cuz my laptop is running too slow.. n well i dunno what it can b..
just using messenger my computer runs at 100%.. n sometimes it works really slow..
what can it make my laptop run so slow.. n sometimes i get blocked.. n well i just format..
yesterday when i installed again my avast..
i found a malware but i know is not doing anything yet.. is something im downloading.. i knew it had something.. but i havent run it
n i wont.. but i need the other things that come with that.. is a torrent.. so i know it is not...

today i was checking my netstat
n i saw 2 things that i dnt understand why...

first

this thing that i dunno what it is had as well a connection established..

adsl190-024051136.dyn.etb.net.co

i know etb is n internet company from the capital of my country.. but i dnt have anything with that company so i dnt understand why that connection



second

this ip had a connection established with me

64.215.158.8

i found this about this ip

Location: United States [City: Los Angeles, California]
OrgName:    Global Crossing
OrgID:      GBLX
Address:    14605 South 50th Street
City:       Phoenix
StateProv:  AZ
PostalCode: 85044-6471
Country:    US

ReferralServer: rwhois://rwhois.gblx.net:4321

NetRange:   64.212.0.0 - 64.215.255.255
CIDR:       64.212.0.0/14
NetName:    GBLX-11D
NetHandle:  NET-64-212-0-0-1
Parent:     NET-64-0-0-0-0
NetType:    Direct Allocation
NameServer: NAME.ROC.GBLX.NET
NameServer: NAME.PHX.GBLX.NET
NameServer: NAME.SNV.GBLX.NET
NameServer: NAME.JFK1.GBLX.NET
Comment:    rwhois.gblx.net:4321 - THESE ADDRESSES ARE
Comment:    NON-PORTABLE
RegDate:   
Updated:    2003-10-31

RTechHandle: IA12-ORG-ARIN
RTechName:   GBLX-IPADMIN
RTechPhone:  +1-800-404-7714
RTechEmail:  ipadmin@gblx.net

OrgAbuseHandle: GBLXA-ARIN
OrgAbuseName:   GBLX-Abuse
OrgAbusePhone:  +1-800-404-7714
OrgAbuseEmail:  abuse@gblx.net

OrgNOCHandle: GBLXN-ARIN
OrgNOCName:   GBLX-NOC
OrgNOCPhone:  +1-800-404-7714
OrgNOCEmail:  gc-noc@gblx.net

OrgTechHandle: IA12-ORG-ARIN
OrgTechName:   GBLX-IPADMIN
OrgTechPhone:  +1-800-404-7714
OrgTechEmail:  ipadmin@gblx.net

why that ip had a connection with me.. i checked 3 times n there was... when i see that what can i do to stop that connection ??


here is the result of the superantispyware
it found 2 threats n were 2 adware. tracking cookie


i know u asked me for a log of the scanning but i dunno why i couldnt do it..
i clicked on it n nothing happened..
after that i also clicked in let me find what's running in my computer but it didnt work either...

plse if u dnt mind can u xplain me how to stop those established connections i have
n what the next step.. what else can b making my computer so slow..
n now my connection is not slow.. i guess was a poor connection from the company..
the company is not good... cuz they dnt have competence so they do anything they want  :-\
i hope another company comes soon .. i wanna change

if u need me to do the antispyware again i will
well i will try now again..
n if i can do the log i'll post it

thx  :) all the ppl in avast forum is so nice  ;)

--------------------------------------------------------------------------------------------------

about this
Quote
And this line was not present in your first log

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = https://login.live.com/ppsecure/sha1auth.srf?lc=1033

It looks like a HotMail login.  Did you just install that?
can i delete all those things that i have like that.. r they useful or just making my computer slower??

r these things useful.. i dunno why i have them.. can i delete them??

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
O11 - Options group: [INTERNATIONAL] International*
O11 - Options group: [TABS] Tabbed Browsing

why did i got them??  ??? hehe

thx for helping... sorry for asking so much.. im just too curious.. i want my laptop to run the best it can..
n well at the same time i wanna learn as much as i can :)
-------------------------------------------------------------------------------------------------------------------------
i did the scan again it said i had no harmful something..i dnt remember the word
but didnt let me do the log file either...  :-\ 
« Last Edit: May 05, 2007, 07:36:41 AM by johannlynx »

mauserme

  • Guest
Re: help please virus ??
« Reply #13 on: May 05, 2007, 03:32:13 PM »
n now the wga is bugging me.. even though my xp is original.. that wga i notice tries to do many things..
n change things.. the firewall tells me..
Is it WGA Notifications, or does it just give you a file name?


u know i also decide to format cuz my laptop is running too slow.. n well i dunno what it can b..
Is it only your laptop that has a slow connection, or is it other computers too?


yesterday when i installed again my avast..
i found a malware but i know is not doing anything yet.. is something im downloading..
What was the name of the malware?  What were you downloading?



r these things useful.. i dunno why i have them.. can i delete them??

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
O11 - Options group: [INTERNATIONAL] International*
O11 - Options group: [TABS] Tabbed Browsing

No, don't fix anything yet.

plse if u dnt mind can u xplain me how to stop those established connections i have
n what the next step..
Well, I'm still not entirely sure your computer is infected with anything but let's try this.

Download SDFix and save it to your desktop.

Please then reboot your computer in Safe Mode by doing the following :
Restart your computer
After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
Instead of Windows loading as normal, a menu with options should appear;
Select the first option, to run Windows in Safe Mode, then press "Enter".
Choose your usual account.

In Safe Mode, double click SDFix.exe and install to the default location by clicking Install.  The SDFix Folder will be extracted to %systemdrive% \ (Drive that contains the Windows directory - typically 'C:\SDFix') Open the SDFix folder in Safe Mode then double click the RunThis.bat file to start the fixtool.  Type Y to begin the script.

It will remove the Trojan Services then make some repairs to the registry and prompt you to press any key to Reboot.  Press any Key and it will restart the PC.
Your system will take longer than normal to restart as the fixtool will be running and removing files.  When the desktop loads the Fixtool will complete the removal and display Finished, then press any key to end the script and load your desktop icons.
Finally open the SDFix folder on your desktop and copy and paste the contents of the results file Report.txt back onto the forum with a new HijackThis log


johannlynx

  • Guest
Re: help please virus ??
« Reply #14 on: May 06, 2007, 04:36:07 AM »
here it is as u requested
the log for SDFix


SDFix: Version 1.82

Run by Lynx - Mon 05/07/2007 -  8:05:33.39

Microsoft Windows XP [Version 5.1.2600]

Running From: C:\SDFix

Safe Mode:
Checking Services:






Restoring Windows Registry Values
Restoring Windows Default Hosts File

Rebooting...

Normal Mode:
Checking Files:

Below files will be copied to Backups folder then removed:

C:\DOCUME~1\Lynx\LOCALS~1\Temp\setup.exe - Deleted



Removing Temp Files

ADS Check:

Checking if ADS is attached to system32 Folder
C:\WINDOWS\system32
No streams found.

Checking if ADS is attached to svchost.exe
C:\WINDOWS\system32\svchost.exe
No streams found.



                                 Final Check:

Remaining Services:
------------------



Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\uTorrent\\uTorrent.exe"="C:\\Program Files\\uTorrent\\uTorrent.exe:*:Enabled:µTorrent"
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
"C:\\Program Files\\MSN Messenger\\livecall.exe"="C:\\Program Files\\MSN Messenger\\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"
"C:\\Program Files\\Skype\\Phone\\Skype.exe"="C:\\Program Files\\Skype\\Phone\\Skype.exe:*:Enabled:Skype"
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"="C:\\Program Files\\Bonjour\\mDNSResponder.exe:*:Enabled:Bonjour"


[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
"C:\\Program Files\\MSN Messenger\\livecall.exe"="C:\\Program Files\\MSN Messenger\\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"


Remaining Files:
---------------

Backups Folder: - C:\SDFix\backups\backups.zip

Checking For Files with Hidden Attributes:


                                 Finished


---------------------------------------------------------------------------------------------
I also did the catchme scan ... in case there was something else:

catchme 0.2 W2K/XP/Vista - userland rootkit detector by Gmer, 17 October 2006
http://www.gmer.net

scanning hidden processes ...

scanning hidden services ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


--------------------------------------------------------------------------------------------------

and the HijackThis log:
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Combined Community Codec Pack\MPC\mplayerc.exe
C:\Program Files\Combined Community Codec Pack\MPC\mplayerc.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
D:\Software\analyze\analyse.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = https://login.live.com/ppsecure/sha1auth.srf?lc=1033
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = localhost:12080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{09DB9737-21CA-48F5-A49E-67749305B680}: NameServer = 200.13.249.101,200.75.78.78
O17 - HKLM\System\CS1\Services\Tcpip\..\{09DB9737-21CA-48F5-A49E-67749305B680}: NameServer = 200.13.249.101,200.75.78.78
O17 - HKLM\System\CS2\Services\Tcpip\..\{09DB9737-21CA-48F5-A49E-67749305B680}: NameServer = 200.13.249.101,200.75.78.78
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\wpdshserviceobj.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe


Do I have something?



Here is my netstat at this moment:

Do I have something bad?
Well, the problem with the connection seems to be that my internet company is slow,
but why does my computer run at 100% so often
just using Messenger or Skype,
or sometimes running other applications?
Can this be normal?
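As an added triage aid, not code from this thread or from HijackThis itself: a small Python parser for the entry lines of a HijackThis 1.99.1 log that flags the item types a reviewer usually checks first in a log like the one above (a browser proxy pointing at a local port, the O17 DNS server entries, a Winsock LSP HijackThis does not recognise, and O23 services whose file could not be resolved). The sample lines are copied from the log posted above; the rule set is my own assumption, and a flag means "verify this by hand", not "this is malware".

```python
"""Triage helper for HijackThis 1.99.1 style logs (added example, not the tool's own code).

It keeps only the 'Xn - ...' entry lines, skips the process list and headers,
and returns the entries a reviewer would want to confirm first. Every rule is
an assumption about what is worth a second look, not a verdict of infection.
"""
import re
from typing import Dict, List, Tuple

# Entry lines start with a section code such as R0, R1, O2, O4, O17, O23.
ENTRY_RE = re.compile(r"^(?P<code>[RFNO]\d+) - (?P<body>.*)$")

# Sample input: lines copied from the HijackThis log posted in the thread.
SAMPLE_LOG = r"""
Running processes:
C:\WINDOWS\System32\smss.exe
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = localhost:12080
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{09DB9737-21CA-48F5-A49E-67749305B680}: NameServer = 200.13.249.101,200.75.78.78
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
"""

Finding = Tuple[str, str, str]  # (section code, reason to check, raw line)


def parse_hjt(text: str) -> List[Dict[str, str]]:
    """Return one dict per HijackThis entry line; other lines are ignored."""
    entries: List[Dict[str, str]] = []
    for raw in text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if m:
            entries.append({"code": m.group("code"), "body": m.group("body"), "raw": line})
    return entries


def _value_after_equals(body: str) -> str:
    """'...,ProxyServer = localhost:12080' -> 'localhost:12080'."""
    return body.split("=", 1)[1].strip()


def triage(entries: List[Dict[str, str]]) -> List[Finding]:
    """Apply the review rules (assumed, not HijackThis's own) and return what to verify."""
    findings: List[Finding] = []
    for e in entries:
        code, body = e["code"], e["body"]
        if code == "R1" and "ProxyServer =" in body:
            # A proxy on a local port means some program on this PC relays browser traffic;
            # confirm which process listens there (netstat -ano) and that you installed it.
            findings.append((code, f"browser proxy set to {_value_after_equals(body)}; "
                                   "identify the local program listening on that port", e["raw"]))
        elif code == "O17" and "NameServer =" in body:
            # DNS servers are a classic redirect point; confirm they belong to the ISP or router.
            findings.append((code, f"DNS servers {_value_after_equals(body)}; "
                                   "confirm they are your ISP's or router's", e["raw"]))
        elif code == "O10":
            # Winsock LSPs sit in the network path of every socket; know who owns the DLL.
            findings.append((code, "Winsock LSP not recognised by HijackThis; "
                                   "identify the owning product before changing it", e["raw"]))
        elif code == "O23" and "(file missing)" in body:
            # The stray quote and /service argument in the line suggest the path was split
            # on the argument, so check by hand whether the executable really is absent.
            findings.append((code, "service binary not resolved; check the path exists "
                                   "before treating the service as suspicious", e["raw"]))
    return findings


def triage_log(text: str) -> List[Finding]:
    """Convenience wrapper: parse and triage in one call."""
    return triage(parse_hjt(text))


if __name__ == "__main__":
    for code, reason, raw in triage_log(SAMPLE_LOG):
        print(f"[{code}] {reason}\n    {raw}")
```

Run it as-is to see the four items from the sample flagged; feed it a full log file (`triage_log(open(path).read())`) to get the same list for a real report. Extending the rule table is the intended way to use it, for example adding an O4 rule for Run entries that launch from a Temp folder, which is where SDFix found the setup.exe it removed above.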