help please, virus??

lately my internet connection is working so slowly
I called my internet company to complain and they made me
do a netstat and I seem to have many connections established
even when I'm doing nothing… they said I have a virus…
I just formatted and I still have those connections, I don't know what to do

this is the first netstat i did

http://img239.imageshack.us/img239/4204/cmdtd2.png

then I closed all possible running programs, even the firewall, antispyware and antivirus

http://img119.imageshack.us/img119/5595/cmdnogp0.png

then I did it again with the internet unplugged, but those connections were still there

http://img63.imageshack.us/img63/1337/nointernetge2.png

are those connections established by a virus?? if so, what shall I do? I just formatted,
I thought that would get rid of them… and my internet connection is so slow, I'm paying for 700k and each time I test my speed it is 170 to 250 k… and my internet company doesn't give me
further assistance

I also did a scan with HijackThis, here is the report

Logfile of HijackThis v1.99.1
Scan saved at 9:58:57 PM, on 5/4/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16414)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\ISafe.exe
C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\VetMsg.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Adobe\Reader 8.0\Reader\AcroRd32Info.exe
D:\Software\Nueva carpeta\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM..\Run: [IMJPMIG8.1] “C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE” /Spoil /RemAdvDef /Migration32
O4 - HKLM..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM..\Run: [ZoneAlarm Client] “C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe”
O4 - HKLM..\Run: [cctray] “C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe”
O4 - HKLM..\Run: [CAVRID] “C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe”
O4 - HKCU..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU..\Run: [MsnMsgr] “C:\Program Files\MSN Messenger\MsnMsgr.Exe” /background
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\npjpi160.dll
O9 - Extra ‘Tools’ menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\npjpi160.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra ‘Tools’ menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O11 - Options group: [TABS] Tabbed Browsing
O17 - HKLM\System\CCS\Services\Tcpip..{09DB9737-21CA-48F5-A49E-67749305B680}: NameServer = 200.132.249.101,200.75.78.78
O17 - HKLM\System\CS1\Services\Tcpip..{09DB9737-21CA-48F5-A49E-67749305B680}: NameServer = 200.132.249.101,200.75.78.78
O17 - HKLM\System\CS2\Services\Tcpip..{09DB9737-21CA-48F5-A49E-67749305B680}: NameServer = 200.132.249.101,200.75.78.78
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\wpdshserviceobj.dll
O23 - Service: CaCCProvSP - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\ISafe.exe
O23 - Service: VET Message Service (VETMSGNT) - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\VetMsg.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

hope someone can help me… I can't understand what can be establishing the connections
and why my internet is getting so slow…
I would appreciate your help
thanks

First, you don't appear to have avast installed on your system and this is a support forum for avast users.

Second, the Localhost entries aren't connecting to the internet, they are locations on your system, usually a proxy to be able to scan something like inbound or outbound email. I have no knowledge of CA's anti-virus so I don't know if they use localhost ports.

You could do a reverse whois lookup on the IP addresses.

Netstat doesn't show which applications are using the ports, so it may be best to check your firewall logs to see what the activity is.

Besides having the “wrong” antivirus, do you know the IP in this line

O17 - HKLM\System\CCS\Services\Tcpip..{09DB9737-21CA-48F5-A49E-67749305B680}: NameServer = 200.132.249.101,200.75.78.78

It's registered to Associação Rede Nacional de Ensino e Pesquisa which I think is in Brazil.

I had avast…
but I wanted to try this one…
just curious…
I had the professional version
but so many people told me it doesn't stop all viruses…
I'm not sure…
well, I'm just checking…

and about the IP
what does it mean that it is registered in Brazil??
and that thing that I didn't understand??
right now I'm in Colombia…
and Portuguese is not our language…
can you please explain it to me…
and don't get mad
I will be back to avast…
when I joined this forum I had it…
but I wanted to try… and well, so far I prefer avast to my new one…
but I've used it for only 5 days

Give me a name of the perfect software and I’ll congratulate you… there isn’t… there isn’t a perfect antivirus…
Although I can bet you avast is one of the best ones 8)

What do you mean? Are you a brazilian like me?

Download and install the Spanish version of avast, not the Portuguese (Brazil) one.
There is a registration page (to get the free key) that is in Spanish too (I hope).

The reason this was mentioned is because the O17 entries are usually associated with your ISP.

O17 - HKLM\System\CCS\Services\Tcpip..{09DB9737-21CA-48F5-A49E-67749305B680}: NameServer = 200.132.249.101,200.75.78.78

If this is not your ISP then it is suspicious, that is why mauserme did the reverse lookup I mentioned. "It's registered to Associação Rede Nacional de Ensino e Pesquisa which I think is in Brazil."

So somehow I doubt it is your ISP as you are in Colombia and not Brazil.

But, for the other IP address, 200.75.78.78, I get this:
Checking IP: 200.75.78.78…
Name: coleonyx.epm.net.co
IP: 200.75.78.78

So do either of those names ring a bell with you ?

yep, epm is my internet provider
but about the other one I don't know what it is…
and it worries me, I just formatted and well
having problems is not nice…
can you please guide me on what I can do, thx


I just did a reverse lookup checking my DNS and everything
well, one is from epm and it's ok, the other has a problem and I don't understand why
my preferred DNS is 200.13.249.101

200.13.249.101 resolves to
dnscache.une.net.co
Top Level Domain: "net.co"
une is the same company as epm
but I don't understand why in the log file it has another number

200.132.249.101 instead of 200.13.249.101, why one more number??

about avast, whether Spanish or English…
I will get back to the one I had in English…
I don't really like the programs in Spanish…
but yep, it exists in Spanish…
I think avast is available in several languages :slight_smile:
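The O17 check DavidR described (the NameServer entries should belong to your ISP) and the one-digit difference found above (200.132.249.101 versus the real resolver 200.13.249.101) can be automated. The script below is an added example, not code from the thread or from any of the tools mentioned in it: it extracts the resolver addresses from O17 lines of a HijackThis log and compares them with an allow-list of resolvers you already know are your ISP's. KNOWN_ISP_RESOLVERS is an assumption standing in for what your provider publishes; the first two O17 lines are the ones quoted in the thread and the third is constructed.

```python
"""Audit the DNS resolvers reported on HijackThis O17 lines.

Added example, not from the forum thread. Flags an address that is very close
to a known resolver as a probable typo (one inserted or changed digit) and an
address that is nothing like them as an unknown server to confirm with the ISP.
"""
import difflib
import re

# Matches "O17 - ...: NameServer = a.b.c.d,e.f.g.h" and captures the list.
O17_RE = re.compile(r"^O17 - .*NameServer = (?P<servers>[0-9A-Fa-f.:,]+)\s*$")

# Assumed allow-list: the two resolvers the thread identifies as the user's ISP.
KNOWN_ISP_RESOLVERS = frozenset({"200.13.249.101", "200.75.78.78"})

# First two lines as quoted in the thread; third line is constructed.
SAMPLE_LOG = r"""
O17 - HKLM\System\CCS\Services\Tcpip\..\{09DB9737-21CA-48F5-A49E-67749305B680}: NameServer = 200.132.249.101,200.75.78.78
O17 - HKLM\System\CS1\Services\Tcpip\..\{09DB9737-21CA-48F5-A49E-67749305B680}: NameServer = 200.132.249.101,200.75.78.78
O17 - HKLM\System\CS2\Services\Tcpip\..\{CONSTRUCTED-GUID}: NameServer = 198.51.100.53
"""


def extract_nameservers(log_text):
    """Return the set of every address listed after 'NameServer =' on O17 lines."""
    servers = set()
    for line in log_text.splitlines():
        m = O17_RE.match(line.strip())
        if m:
            servers.update(s for s in m.group("servers").split(",") if s)
    return servers


def valid_ipv4(addr):
    """True for four dotted decimal octets in 0..255."""
    parts = addr.split(".")
    return len(parts) == 4 and all(p.isdigit() and 0 <= int(p) <= 255 for p in parts)


def similarity(a, b):
    """Character-level similarity in [0, 1]; 1.0 means identical strings."""
    return difflib.SequenceMatcher(None, a, b).ratio()


def audit(log_text, known=KNOWN_ISP_RESOLVERS, typo_threshold=0.9):
    """Classify each configured resolver; returns {address: verdict}."""
    verdicts = {}
    for addr in sorted(extract_nameservers(log_text)):
        if addr in known:
            verdicts[addr] = "ok: known ISP resolver"
            continue
        if not valid_ipv4(addr):
            verdicts[addr] = "malformed address"
            continue
        nearest = max(known, key=lambda k: similarity(addr, k))
        if similarity(addr, nearest) >= typo_threshold:
            # e.g. 200.132.249.101 vs 200.13.249.101: one inserted digit
            verdicts[addr] = f"unknown; probable typo of {nearest}"
        else:
            verdicts[addr] = "unknown resolver: confirm with ISP (reverse lookup)"
    return verdicts


if __name__ == "__main__":
    for address, verdict in audit(SAMPLE_LOG).items():
        print(f"{address:18} {verdict}")
```

Whether a near-miss is an innocent typo or a deliberately look-alike server cannot be decided from the log alone; the verdict only tells you which address to confirm with the provider, which is what the reverse lookup earlier in the thread did by hand.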

To do what? Reformat the computer? Why?

No problem - we all try different programs from time to time. I was making a joke earlier :slight_smile:

2 Tech - If you don't mind, would you look at this site and see if you can tell what it's all about?

http://www.rnp.br/rnp/

This is the one that 200.132.249.101 resolves to. It scans clean with Dr. Web and I’ve been to the site several times with no ill effects. It seems innocent enough but I can’t get it to translate well enough for me to read it.

2 johannlunx - Please download the free version of SuperAntiSpyware, install it and scan

http://www.superantispyware.com/

Make sure to do a complete system scan and quarantine if anything is found. Then post the log it produces.

I have a question, if I download SuperAntiSpyware
can it conflict with the antispyware I already have?
I use ZoneAlarm as my firewall and this version includes antispyware…

well, I'm back to avast :slight_smile: today I had some problems with the antivirus I was testing,
it was taking so much of my resources… and well, that is not good for me…
and well, avast is the best one I have had so far and it doesn't take all my resources

about that IP from Brazil, I don't understand… why I have it… and it's really similar to my DNS
only with one number of difference
and well, I formatted… I'm not sure of the word in English… I formatted c:\
2 days ago and installed XP again
I wonder if this fast I can have spyware or something…
it's really weird

I made a new log file, please can you keep guiding me, thx… and check, I got avast again 8)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Program Files\uTorrent\uTorrent.exe
C:\WINDOWS\system32\taskmgr.exe
D:\Software\analize\analyse.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = https://login.live.com/ppsecure/sha1auth.srf?lc=1033
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = localhost:12080
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM..\Run: [IMJPMIG8.1] “C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE” /Spoil /RemAdvDef /Migration32
O4 - HKLM..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM..\Run: [ZoneAlarm Client] “C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe”
O4 - HKLM..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra ‘Tools’ menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra ‘Tools’ menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O11 - Options group: [TABS] Tabbed Browsing
O17 - HKLM\System\CCS\Services\Tcpip..{09DB9737-21CA-48F5-A49E-67749305B680}: NameServer = 200.132.249.101,200.75.78.78
O17 - HKLM\System\CS1\Services\Tcpip..{09DB9737-21CA-48F5-A49E-67749305B680}: NameServer = 200.132.249.101,200.75.78.78
O17 - HKLM\System\CS2\Services\Tcpip..{09DB9737-21CA-48F5-A49E-67749305B680}: NameServer = 200.132.249.101,200.75.78.78
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\wpdshserviceobj.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe


hehe, I just tried to fix the IP stuff with HijackThis and well, it deleted my preferred DNS server and the alternative DNS server hehe
I couldn't surf… well, now I know those are my DNS but why does that one have one more number than it really has…
and in avast I noticed I have some file missing… is this normal??
what shall I do??
thx :slight_smile:

Well, as I said, it seems innocent …

Please don’t assume that my asking questions means I’m suspicious of something. I just need information sometimes. Is your internet connection OK or are you using a different computer now?

A couple more questions:

Is this HijackThis renamed to analyze.exe?

D:\Software\analize\analyse.exe

And this line was not present in your first log

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = https://login.live.com/ppsecure/sha1auth.srf?lc=1033

It looks like a HotMail login. Did you just install that?

If you mean you wiped the drive clean and reinstalled the operating system, "format" is the correct word. And honestly, other than the light weight sort of spyware that some manufacturers install on new PCs, it seems unlikely anything unwanted would survive reinstallation (and I don't see any of the things like WeatherBug that manufacturers do sometimes install).

Still, you have a slow internet and a tech support guy saying you’re infected. This may just be an excuse for a poor connection but it can’t hurt to check a few things.

The free version of SuperAntispyware does not provide real time protection so there should be no conflict.

After that scan, download TCPView and post a screen shot of the connections (I would like to see what programs are involved)

http://www.microsoft.com/technet/sysinternals/utilities/TcpView.mspx

EDIT: Those missing avast! files are OK - it's a glitch with HijackThis. If you look at the running processes section you will see they are actually there.
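DavidR's point that plain netstat does not tell you which application owns a connection, and the request above for a TCPView screenshot to see the programs involved, can be covered with two built-in commands: `netstat -ano` adds the owning PID to each row and `tasklist` maps PIDs to image names. The script below is an added example, not code from the thread or from TCPView/HijackThis: it parses both outputs, sets aside connections where both ends are loopback (the local scanning proxies DavidR describes, such as a web shield on 127.0.0.1:12080), and reports the remaining ESTABLISHED connections per process. The netstat and tasklist text is constructed sample data; its PIDs, ports and hosts are illustrative.

```python
"""Separate loopback-only from external ESTABLISHED connections and name the owning process.

Added example, not from the forum thread. Input is the text of `netstat -ano`
and `tasklist` (Windows XP layout); both samples below are constructed.
"""
import ipaddress
from collections import defaultdict

# Constructed sample of `netstat -ano` output (PID in the last column).
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       912
  TCP    127.0.0.1:12080        127.0.0.1:1045         ESTABLISHED     1540
  TCP    127.0.0.1:1045         127.0.0.1:12080        ESTABLISHED     2208
  TCP    192.168.1.5:1072       203.0.113.10:443       ESTABLISHED     2208
  TCP    192.168.1.5:1080       198.51.100.77:6881     ESTABLISHED     3120
  TCP    192.168.1.5:1081       198.51.100.23:52311    TIME_WAIT       0
  UDP    0.0.0.0:500            *:*                                    700
"""

# Constructed sample of `tasklist` output used to resolve PIDs to image names.
SAMPLE_TASKLIST = """\
Image Name                     PID Session Name        Session#    Mem Usage
========================= ======== ================ =========== ============
System Idle Process              0 Console                    0         28 K
svchost.exe                    912 Console                    0      4,432 K
ashWebSv.exe                  1540 Console                    0      9,112 K
firefox.exe                   2208 Console                    0     61,004 K
uTorrent.exe                  3120 Console                    0     15,220 K
"""


def parse_netstat(text):
    """Return one dict per TCP/UDP row: proto, local, foreign, state, pid."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0] not in ("TCP", "UDP"):
            continue
        if parts[0] == "TCP":
            state, pid = parts[3], int(parts[4])
        else:  # UDP rows have no State column
            state, pid = "", int(parts[3])
        rows.append({"proto": parts[0], "local": parts[1],
                     "foreign": parts[2], "state": state, "pid": pid})
    return rows


def host_of(addr):
    """'127.0.0.1:12080' -> '127.0.0.1'; '[::1]:80' -> '::1'."""
    host, _, _ = addr.rpartition(":")
    return host.strip("[]")


def is_loopback_pair(conn):
    """True when both endpoints are loopback, i.e. the traffic never leaves the machine."""
    try:
        return (ipaddress.ip_address(host_of(conn["local"])).is_loopback
                and ipaddress.ip_address(host_of(conn["foreign"])).is_loopback)
    except ValueError:  # '*' or other non-address text
        return False


def established(text):
    """Split ESTABLISHED rows into (loopback_only, external)."""
    loop, ext = [], []
    for conn in parse_netstat(text):
        if conn["state"] == "ESTABLISHED":
            (loop if is_loopback_pair(conn) else ext).append(conn)
    return loop, ext


def parse_tasklist(text):
    """Map PID -> image name; the image name is everything before the first numeric token."""
    names = {}
    for line in text.splitlines():
        parts = line.split()
        for i, tok in enumerate(parts):
            if tok.isdigit():
                names[int(tok)] = " ".join(parts[:i])
                break
    return names


def external_report(netstat_text, tasklist_text):
    """{process name: sorted foreign hosts} for external ESTABLISHED connections.

    A PID missing from tasklist is labelled 'pid:<n>' so nothing is silently dropped."""
    names = parse_tasklist(tasklist_text)
    report = defaultdict(set)
    for conn in established(netstat_text)[1]:
        label = names.get(conn["pid"], f"pid:{conn['pid']}")
        report[label].add(host_of(conn["foreign"]))
    return {k: sorted(v) for k, v in report.items()}


if __name__ == "__main__":
    loop, ext = established(SAMPLE_NETSTAT)
    print(f"{len(loop)} loopback-only, {len(ext)} external ESTABLISHED connections")
    for proc, hosts in external_report(SAMPLE_NETSTAT, SAMPLE_TASKLIST).items():
        print(f"  {proc}: {', '.join(hosts)}")
```

Run it on a real machine by saving `netstat -ano` and `tasklist` output to two files and passing their contents to `external_report`. The loopback pairs are the entries that look alarming in a bare netstat listing but are only the browser talking to the local scanner; the per-process list of outside hosts is what the TCPView screenshot would have shown.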

sorry, I didn't want to be impolite by not replying to your question
I'm not from Brazil, I'm from Colombia…
I used to have avast professional in English… I was just testing…
but the one I was testing was not as I thought and you are right,
there's no perfect software… I was just curious and well, the best way to learn is trying or testing…
but well, now I'm back to avast :slight_smile:
I don't like the Spanish version… I usually download programs in English or French… I like those languages more :slight_smile:

Is your internet connection OK or are you using a different computer now?
it deleted my DNS... but I had them so I just set them again... so I'm working from my laptop again...
Is this HijackThis renamed to analyze.exe?

D:\Software\analize\analyse.exe


yep, I renamed it because I read that sometimes that name is used to hide malware… on the HijackThis page they suggest it, and on MajorGeeks

And this line was not present in your first log

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = https://login.live.com/ppsecure/sha1auth.srf?lc=1033

It looks like a HotMail login. Did you just install that?


well, I don't know… as far as I know I haven't installed anything… I just check my mail, no more…
I don't like the things that hotmail has to offer…

and now the WGA is bugging me… even though my XP is original… that WGA, I notice, tries to do many things…
and change things… the firewall tells me…

If you mean you wiped the drive clean and reinstalled the operating system, "format" is the correct word. And honestly, other than the light weight sort of spyware that some manufacturers install on new PCs, it seems unlikely anything unwanted would survive reinstallation (and I don't see any of the things like WeatherBug that manufacturers do sometimes install).

Still, you have a slow internet and a tech support guy saying you’re infected. This may just be an excuse for a poor connection but it can’t hurt to check a few things.


I haven't called them again… you know, I also decided to format because my laptop was running too slow… and well, I don't know what it can be…
just using Messenger my computer runs at 100%… and sometimes it works really slow…
what can make my laptop run so slow… and sometimes I get blocked… and well, I just format…
yesterday when I installed my avast again…
I found a malware but I know it is not doing anything yet… it's something I'm downloading… I knew it had something… but I haven't run it
and I won't… but I need the other things that come with that… it's a torrent… so I know it is not…

today I was checking my netstat
and I saw 2 things that I don't understand…

first

this thing that I don't know what it is had a connection established as well…

adsl190-024051136.dyn.etb.net.co

I know etb is an internet company from the capital of my country… but I don't have anything with that company so I don't understand why that connection

second

this IP had a connection established with me

64.215.158.8

I found this about this IP

Location: United States [City: Los Angeles, California]
OrgName: Global Crossing
OrgID: GBLX
Address: 14605 South 50th Street
City: Phoenix
StateProv: AZ
PostalCode: 85044-6471
Country: US

ReferralServer: rwhois://rwhois.gblx.net:4321

NetRange: 64.212.0.0 - 64.215.255.255
CIDR: 64.212.0.0/14
NetName: GBLX-11D
NetHandle: NET-64-212-0-0-1
Parent: NET-64-0-0-0-0
NetType: Direct Allocation
NameServer: NAME.ROC.GBLX.NET
NameServer: NAME.PHX.GBLX.NET
NameServer: NAME.SNV.GBLX.NET
NameServer: NAME.JFK1.GBLX.NET
Comment: rwhois.gblx.net:4321 - THESE ADDRESSES ARE
Comment: NON-PORTABLE
RegDate:
Updated: 2003-10-31

RTechHandle: IA12-ORG-ARIN
RTechName: GBLX-IPADMIN
RTechPhone: +1-800-404-7714
RTechEmail: ipadmin@gblx.net

OrgAbuseHandle: GBLXA-ARIN
OrgAbuseName: GBLX-Abuse
OrgAbusePhone: +1-800-404-7714
OrgAbuseEmail: abuse@gblx.net

OrgNOCHandle: GBLXN-ARIN
OrgNOCName: GBLX-NOC
OrgNOCPhone: +1-800-404-7714
OrgNOCEmail: gc-noc@gblx.net

OrgTechHandle: IA12-ORG-ARIN
OrgTechName: GBLX-IPADMIN
OrgTechPhone: +1-800-404-7714
OrgTechEmail: ipadmin@gblx.net

why did that IP have a connection with me… I checked 3 times and there it was… when I see that, what can I do to stop that connection??

here is the result of SuperAntiSpyware
it found 2 threats and they were 2 adware tracking cookies

http://img155.imageshack.us/img155/5953/superantispywaresw1.jpg

I know you asked me for a log of the scanning but I don't know why I couldn't do it…
I clicked on it and nothing happened…
after that I also clicked on "let me find what's running in my computer" but it didn't work either…

please, if you don't mind, can you explain to me how to stop those established connections I have
and what the next step is… what else can be making my computer so slow…
and now my connection is not slow… I guess it was a poor connection from the company…
the company is not good… because they don't have competence so they do anything they want :-
I hope another company comes soon… I wanna change

if you need me to do the antispyware again I will
well, I will try again now…
and if I can do the log I'll post it

thx :slight_smile: all the people in the avast forum are so nice :wink:


about this

And this line was not present in your first log

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = https://login.live.com/ppsecure/sha1auth.srf?lc=1033

It looks like a HotMail login. Did you just install that?


can I delete all those things that I have like that… are they useful or just making my computer slower??

are these things useful… I don't know why I have them… can I delete them??

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
O11 - Options group: [INTERNATIONAL] International*
O11 - Options group: [TABS] Tabbed Browsing

why did I get them?? ??? hehe

thx for helping… sorry for asking so much… I'm just too curious… I want my laptop to run the best it can…
and well, at the same time I wanna learn as much as I can :slight_smile:

I did the scan again, it said I had no harmful something… I don't remember the word
but it didn't let me do the log file either… :-\

Is it WGA Notifications, or does it just give you a file name?

Is it only your laptop that has a slow connection, or is it other computers too?

What was the name of the malware? What were you downloading?

No, don’t fix anything yet.

Well, I’m still not entirely sure your computer is infected with anything but lets try this.

Download SDFix and save it to your desktop.

Please then reboot your computer in Safe Mode by doing the following :
Restart your computer
After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
Instead of Windows loading as normal, a menu with options should appear;
Select the first option, to run Windows in Safe Mode, then press “Enter”.
Choose your usual account.

In Safe Mode, double click SDFix.exe and install to the default location by clicking Install. The SDFix Folder will be extracted to %systemdrive% \ (Drive that contains the Windows directory - typically ‘C:\SDFix’) Open the SDFix folder in Safe Mode then double click the RunThis.bat file to start the fixtool. Type Y to begin the script.

It will remove the Trojan Services then make some repairs to the registry and prompt you to press any key to Reboot. Press any Key and it will restart the PC.
Your system will take longer than normal to restart as the fixtool will be running and removing files. When the desktop loads the Fixtool will complete the removal and display Finished, then press any key to end the script and load your desktop icons.
Finally open the SDFix folder on your desktop and copy and paste the contents of the results file Report.txt back onto the forum with a new HijackThis log

here it is as you requested
the log for SDFix

SDFix: Version 1.82

Run by Lynx - Mon 05/07/2007 - 8:05:33.39

Microsoft Windows XP [Version 5.1.2600]

Running From: C:\SDFix

Safe Mode:
Checking Services:

Restoring Windows Registry Values
Restoring Windows Default Hosts File

Rebooting…

Normal Mode:
Checking Files:

Below files will be copied to Backups folder then removed:

C:\DOCUME~1\Lynx\LOCALS~1\Temp\setup.exe - Deleted

Removing Temp Files

ADS Check:

Checking if ADS is attached to system32 Folder
C:\WINDOWS\system32
No streams found.

Checking if ADS is attached to svchost.exe
C:\WINDOWS\system32\svchost.exe
No streams found.

                             Final Check:

Remaining Services:

Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\Program Files\uTorrent\uTorrent.exe"="C:\Program Files\uTorrent\uTorrent.exe:*:Enabled:µTorrent"
"C:\Program Files\MSN Messenger\msnmsgr.exe"="C:\Program Files\MSN Messenger\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
"C:\Program Files\MSN Messenger\livecall.exe"="C:\Program Files\MSN Messenger\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"
"C:\Program Files\Skype\Phone\Skype.exe"="C:\Program Files\Skype\Phone\Skype.exe:*:Enabled:Skype"
"C:\Program Files\Bonjour\mDNSResponder.exe"="C:\Program Files\Bonjour\mDNSResponder.exe:*:Enabled:Bonjour"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\Program Files\MSN Messenger\msnmsgr.exe"="C:\Program Files\MSN Messenger\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
"C:\Program Files\MSN Messenger\livecall.exe"="C:\Program Files\MSN Messenger\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"

Remaining Files:

Backups Folder: - C:\SDFix\backups\backups.zip

Checking For Files with Hidden Attributes:

                             Finished

I also did the catchme scan… in case there was something else

catchme 0.2 W2K/XP/Vista - userland rootkit detector by Gmer, 17 October 2006
http://www.gmer.net

scanning hidden processes …

scanning hidden services …

scanning hidden autostart entries …

scanning hidden files …

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


and the HijackThis log
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Combined Community Codec Pack\MPC\mplayerc.exe
C:\Program Files\Combined Community Codec Pack\MPC\mplayerc.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
D:\Software\analyze\analyse.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = https://login.live.com/ppsecure/sha1auth.srf?lc=1033
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = localhost:12080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM..\Run: [IMJPMIG8.1] “C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE” /Spoil /RemAdvDef /Migration32
O4 - HKLM..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM..\Run: [ZoneAlarm Client] “C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe”
O4 - HKLM..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll
O17 - HKLM\System\CCS\Services\Tcpip..{09DB9737-21CA-48F5-A49E-67749305B680}: NameServer = 200.13.249.101,200.75.78.78
O17 - HKLM\System\CS1\Services\Tcpip..{09DB9737-21CA-48F5-A49E-67749305B680}: NameServer = 200.13.249.101,200.75.78.78
O17 - HKLM\System\CS2\Services\Tcpip..{09DB9737-21CA-48F5-A49E-67749305B680}: NameServer = 200.13.249.101,200.75.78.78
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\wpdshserviceobj.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

do I have something???

http://img201.imageshack.us/img201/9840/23kz8.jpg

here is my netstat at this moment…

do I have something bad??
well the problem with the connection seems to be that my internet company is slow…
but why does my computer run at 100% so often
just using the messenger or skype…
or sometimes running other applications…
can this be normal???

I wonder which of these things I have are not needed and can be deleted??

those extra buttons… and other things that I dunno why I have them…

If you don’t want the extra buttons we can remove them, but first get TCPView and post a screenshot. This will show us which programs are getting connections.

http://www.microsoft.com/technet/sysinternals/utilities/TcpView.mspx

IPs in the range 207.138.0.0 - 207.138.255.255 belong to Global Crossing, a provider of VoIP, RSS feeds, etc. Here’s a link to their home page:

http://blogs.globalcrossing.com/

Do you recognize it?

The addresses ending in phx.gbl:1863 might be Windows Messenger connections but TCPView could help confirm this.
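As an added illustration (not something posted in this thread), here is a small Python script that does the first pass of the triage the reply describes: keep only ESTABLISHED rows from netstat output, flag foreign addresses in the 207.138.0.0/16 block and remote port 1863, and mark loopback entries. The netstat text below is constructed for the example, not the poster's real output, and the script cannot identify the owning process; that is what TCPView is for.

```python
import ipaddress

# Constructed sample in the layout of "netstat -an" on Windows XP; not the poster's real output.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    192.168.1.10:1045      207.138.12.34:80       ESTABLISHED
  TCP    192.168.1.10:1051      65.54.239.20:1863      ESTABLISHED
  TCP    192.168.1.10:1060      10.0.0.5:443           TIME_WAIT
  TCP    127.0.0.1:12080        127.0.0.1:1070         ESTABLISHED
  UDP    0.0.0.0:500            *:*
"""

# Facts taken from the thread: the 207.138.0.0/16 block and remote port 1863 (Messenger).
KNOWN_NETS = [(ipaddress.ip_network("207.138.0.0/16"), "Global Crossing block (per reply)")]
KNOWN_PORTS = {1863: "port 1863, typical of Windows/MSN Messenger"}


def parse_netstat(text):
    """Return one dict per TCP/UDP row; header and blank lines are skipped."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0] not in ("TCP", "UDP"):
            continue
        rows.append({"proto": parts[0], "local": parts[1], "foreign": parts[2],
                     "state": parts[3] if len(parts) > 3 else ""})
    return rows


def triage(rows):
    """Annotate ESTABLISHED rows only; returns a list of (foreign address, [notes])."""
    result = []
    for row in rows:
        if row["state"] != "ESTABLISHED":
            continue
        host, _, port = row["foreign"].rpartition(":")   # IPv4-only split, as on XP
        notes = []
        try:
            ip = ipaddress.ip_address(host)
        except ValueError:
            notes.append("hostname, not an IP: resolve it or look it up in TCPView")
        else:
            if ip.is_loopback:
                notes.append("loopback: a local program talking to itself (e.g. a local proxy)")
            notes += [label for net, label in KNOWN_NETS if ip in net]
        if port.isdigit() and int(port) in KNOWN_PORTS:
            notes.append(KNOWN_PORTS[int(port)])
        result.append((row["foreign"], notes or ["unrecognised: check the owning process in TCPView"]))
    return result


if __name__ == "__main__":
    for foreign, notes in triage(parse_netstat(SAMPLE_NETSTAT)):
        print(f"{foreign:24} {'; '.join(notes)}")
```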

I like to use SpyBot S&D for cleaning all the spyware and robots from my PC.

Search for it on http://www.spybot.com/ in any language you like, update it and give it a try.

And about the use of your processor, I have found that the latest Microsoft MSN Live Messenger tends to do that, but only for short periods.

Sometimes it does not work and the updates are not that frequent.
I suggest AVG Antispyware. Some users recommend SUPERantispyware, Spyware Terminator and/or a-squared (watch out for false positives).