
Thread: Spy sending data

  1. #1
    Junior Member
    Join Date
    May 2006
    Posts
    6

    Default Spy sending data

    I have done an online scan; it cleaned some viruses. Then I updated Spybot, rebooted in safe mode and fixed everything, but my PC is still sending data all over the Internet. I have done 2 reports with HJT, one just before connecting ADSL and one after... this new entry appears:

    O17 - HKLM\System\CCS\Services\Tcpip\..\{ABF591E0-CE52-421B-AEF0-5027BFFAB8FD}: NameServer = 200.51.212.7 200.51.211.7


    Here the complete log:


    Logfile of HijackThis v1.99.1
    Scan saved at 10:35:21 a.m., on 23/05/2006
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\ARCHIV~1\SYMANT~1\VPTray.exe
    C:\Archivos de programa\Zone Labs\ZoneAlarm\zlclient.exe
    C:\Archivos de programa\Symantec AntiVirus\DefWatch.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\Archivos de programa\Symantec AntiVirus\Rtvscan.exe
    C:\WINDOWS\system32\ZoneLabs\vsmon.exe
    C:\Archivos de programa\Internet Explorer\iexplore.exe
    C:\Archivos de programa\Internet Explorer\IEXPLORE.EXE
    C:\Hijackthis\HijackThis.exe

    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Vínculos
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Archivos de programa\Java\jre1.5.0_06\bin\ssv.dll
    O4 - HKLM\..\Run: [vptray] C:\ARCHIV~1\SYMANT~1\VPTray.exe
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [Zone Labs Client] C:\Archivos de programa\Zone Labs\ZoneAlarm\zlclient.exe
    O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
    O4 - Startup: Speedy.lnk = ?
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Archivos de programa\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Consola de Sun Java - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Archivos de programa\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
    O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
    O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Archivos de programa\ICQLite\ICQLite.exe (file missing)
    O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Archivos de programa\ICQLite\ICQLite.exe (file missing)
    O16 - DPF: {01010E00-5E80-11D8-9E86-0007E96C65AE} (SupportSoft SmartIssue) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsi.cab
    O16 - DPF: {01012101-5E80-11D8-9E86-0007E96C65AE} (SupportSoft Script Runner Class) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsr.cab
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - http://www.symantec.com/techsupp/asa/ctrl/LSSupCtl.cab
    O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary...r.cab31267.cab
    O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/S...in/AvSniff.cab
    O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/reso...an8/oscan8.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.co...?1109544353091
    O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/S.../bin/cabsa.cab
    O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab31267.cab
    O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/ms...downloader.cab
    O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - http://www.symantec.com/techsupp/asa/ctrl/SymAData.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{ABF591E0-CE52-421B-AEF0-5027BFFAB8FD}: NameServer = 200.51.212.7 200.51.211.7
    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\ARCHIV~1\MSNMES~1\msgrapp.dll" (file missing)
    O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
    O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
    O23 - Service: Adobe LM Service - Adobe Systems - C:\Archivos de programa\Archivos comunes\Adobe Systems Shared\Service\Adobelmsvc.exe
    O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Archivos de programa\Symantec AntiVirus\DefWatch.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: SAVRoam (SavRoam) - symantec - C:\Archivos de programa\Symantec AntiVirus\SavRoam.exe
    O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Archivos de programa\Symantec AntiVirus\Rtvscan.exe
    O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

  2. #2
    pskelley (In Memoriam - Always in our heart)
    Join Date
    Oct 2005
    Location
    Clearwater, Florida
    Posts
    20,247


    Hola' dochoa, welcome to the forum. The HJT log you have posted has nothing but some clutter in it. Let's resolve the issue with this first:
    O17 - HKLM\System\CCS\Services\Tcpip\..\{ABF591E0-CE52-421B-AEF0-5027BFFAB8FD}: NameServer = 200.51.212.7 200.51.211.7

    This is what Whois says it is: http://whois.domaintools.com/200.51.212.7

    Record Type: IP Address
    Cached Whois: 2006-01-10
    IP Location: Argentina - Buenos Aires - Buenos Aires - Telefonica De Argentina
    Reverse DNS: dns0c.telefonica.com.ar
    Blacklist Status: Currently Listed (history)

    Whois Record


    inetnum: 200.51.212/22
    status: reallocated
    owner: Telefonica de Argentina
    ownerid: AR-TEAR7-LACNIC
    responsible: Ferreira Teixeira
    address: AV. ING. HUERGO - OBS. JUDICIALES, 723,
    address: 1065 - Buenos Aires - CF
    country: AR
    phone: +54 11 4332-3484 []
    owner-c: TEA
    tech-c: TEA
    created: 20030916
    changed: 20030916
    inetnum-up: 200.51.208/21
    inetnum-up: 200.51/16

    nic-hdl: TEA
    person: TELEFONICA DE ARGENTINA
    e-mail:
    address: Defensa, 390, 5to piso
    address: C1065AAF - Capital Federal - BA
    country: AR
    phone: +54 11 4332-5305 []
    created: 20030618
    changed: 20050928

    Let me know if this information is correct for you, and I will proceed with removing the clutter and supply you with some great information to help you stay clean and safe online.

    Gracias Fillipe

    Thanks...pskelley
    Safer Networking Forums
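The check pskelley does by hand above (look the NameServer IPs up and see whether they sit in the ISP's allocation) can be scripted. This is an added example, not code from the thread or from HijackThis: the O17 line and the inetnum/inetnum-up blocks are copied from the posts above, and the regex layout of an O17 entry is an assumption.

```python
import ipaddress
import re

# The O17 line exactly as it appears in the posted HijackThis log.
HJT_O17_LINE = (
    r"O17 - HKLM\System\CCS\Services\Tcpip\..\{ABF591E0-CE52-421B-AEF0-5027BFFAB8FD}: "
    "NameServer = 200.51.212.7 200.51.211.7"
)

# Allocation blocks from the quoted whois record (inetnum, then its
# inetnum-up parents), most specific first.
TELEFONICA_BLOCKS = [
    ("200.51.212.0/22", "inetnum"),
    ("200.51.208.0/21", "inetnum-up"),
    ("200.51.0.0/16", "inetnum-up"),
]

# Assumed layout: "O17 - <key>: NameServer = ip[ ,ip...]"
O17_RE = re.compile(r"^O17 - .*?NameServer\s*=\s*(?P<servers>[\d.\s,]+)$")


def parse_o17_nameservers(line):
    """Return the DNS server IPs listed in a HijackThis O17 entry ([] if not O17)."""
    m = O17_RE.match(line.strip())
    if not m:
        return []
    return [s for s in re.split(r"[\s,]+", m.group("servers").strip()) if s]


def classify_nameserver(ip_str, blocks=TELEFONICA_BLOCKS):
    """Return (cidr, label) of the first block containing the IP, or None."""
    ip = ipaddress.ip_address(ip_str)
    for cidr, label in blocks:
        if ip in ipaddress.ip_network(cidr):
            return (cidr, label)
    return None


def check_o17_line(line, blocks=TELEFONICA_BLOCKS):
    """Map every NameServer IP in the line to the block it belongs to."""
    return {ip: classify_nameserver(ip, blocks) for ip in parse_o17_nameservers(line)}


if __name__ == "__main__":
    for ip, hit in check_o17_line(HJT_O17_LINE).items():
        print(ip, "->", hit if hit else "NOT in the ISP's published blocks")
```

Note that the second server, 200.51.211.7, falls outside the /22 but inside the /21 parent, so both resolvers are the ISP's; a resolver outside every listed block is the case worth questioning.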

  3. #3
    tashi (Member of Team Spybot)
    Join Date
    Oct 2005
    Location
    USA
    Posts
    30,961
    Microsoft MVP Reconnect 2018-
    Windows Insider MVP 2016-2018
    Microsoft Consumer Security MVP 2006-2016

  4. #4
    Junior Member
    Join Date
    May 2006
    Posts
    6


    Telefonica is my internet provider here in Argentina.
    So is it correct that this entry appears when I start the connection?

    The main problem is that ZoneAlarm is blocking 100 inbound connections per minute. So everything gets very slow.

  5. #5
    pskelley (In Memoriam - Always in our heart)
    Join Date
    Oct 2005
    Location
    Clearwater, Florida
    Posts
    20,247


    Hello Dochoa, I will post instructions to remove the clutter in your HJT log. Once you do that, I would contact your ISP and have them look into this issue for you. I know that if Zone Alarm is blocking stuff, you may be blocking communication from your ISP? I have no way of knowing this, but they will.
    I suggest you open Zone Alarm (assuming you use the free version); to the right, near the top, is an excellent tutorial and above it is "HELP". I would review all of that information so you will know how to see what these attempts are and where they are coming from. It takes a little effort to learn Zone Alarm, but once you get the settings like they should be, then turn off those prompts and let ZA do its work in the background while you enjoy your computer. I also notice you are running Service Pack #2. I wish to make sure you are aware it is not suggested you run two software firewalls at the same time. If you have the SP#2 firewall activated in the Security Center, I would read the instructions; you will find it should not be activated with Zone Alarm running. If you have other questions about your firewall, I suggest you register free and post them here: http://forums.zonelabs.com/


    Open HijackThis and choose "Do a system scan only" then check the box in front of these line items:

    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank
    O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k

    Close all programs but HJT and all browser windows, then click on "Fix Checked"

    (If you clean your Prefetch on a regular basis, you can skip this part; if not, then I suggest you read the link and follow the instructions.)

    Enable hidden files & folders... reverse the process when finished.
    http://www.xtra.co.nz/help/0,,4155-1916458,00.html

    RIGHT Click on Start then click on Explore. Locate and delete these items:

    C:\Windows\Prefetch\ >>> delete the contents (NOT THE FOLDER)
    Prefetch info: http://www.windowsnetworking.com/art...efetch-XP.html

    Optional >>> If you don't have a good cleaner, use this free one with these instructions:
    Download CCleaner from this link: http://www.ccleaner.com/ Review the instructions http://www.ccleaner.com/help/tour1.asp
    Run CCleaner, Windows & Applications. When you run the registry cleaner (Issues) you will be prompted to back up before you can remove stuff; make sure you do.

    Gracias...pskelley
    Safer Networking Forums
    http://www.spybot.info/en/donate/index.html
    If you are reading this information...thank a teacher,
    If you are reading it in English...thank a soldier.

  6. #6
    Junior Member
    Join Date
    May 2006
    Posts
    6


    OK, I have followed all the steps, everything is clean. Thank you a lot.

    By the way I wanted you to know that I'm only using ZoneAlarm firewall, the XP SP2 firewall is disabled.

    I've also been reading the ZoneAlarm help; it recommends that if so many connections are being blocked then change the security level from "high" to "medium", so I did that.

    Although the blocked connections are fewer, it still blocks TCP connections on ports 445, 135, 139 and UDP 137 from users of my internet provider.

    Everything is running relatively "normal", I think...
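To see whether the blocked inbound traffic the poster describes is the usual NetBIOS/SMB/RPC background noise from neighbouring machines, or something that really does reach the 100-per-minute rate mentioned earlier, a firewall log can be summarised per port and per minute. This is an added example, not code from the thread or from ZoneAlarm; the log lines are constructed in a simple CSV layout (not ZoneAlarm's real format), and the port set is the one reported in the post above.

```python
from collections import Counter
from datetime import datetime

# Ports the poster reports ZoneAlarm still blocking: Windows RPC (135),
# NetBIOS (137/139) and SMB (445), which nearby hosts on a broadband
# segment probe constantly.
NOISY_PORTS = {("tcp", 135), ("tcp", 139), ("tcp", 445), ("udp", 137)}

# Constructed sample log: timestamp,direction,proto,src_ip,dst_port,action
SAMPLE_LOG = """\
2006-05-23 10:35:01,in,tcp,200.51.77.12,445,blocked
2006-05-23 10:35:03,in,tcp,200.51.77.12,139,blocked
2006-05-23 10:35:09,in,udp,200.51.80.201,137,blocked
2006-05-23 10:35:40,in,tcp,200.51.91.5,135,blocked
2006-05-23 10:35:55,in,tcp,200.51.91.5,445,blocked
2006-05-23 10:36:10,in,tcp,200.51.77.12,445,blocked
2006-05-23 10:36:12,in,tcp,10.0.0.99,3389,blocked
2006-05-23 10:36:30,out,tcp,200.51.212.7,53,allowed
"""


def parse_log(text):
    """Parse the constructed CSV lines into dicts, skipping malformed lines."""
    events = []
    for line in text.splitlines():
        parts = line.strip().split(",")
        if len(parts) != 6:
            continue
        ts, direction, proto, src, port, action = parts
        try:
            events.append({"ts": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"),
                           "dir": direction, "proto": proto.lower(),
                           "src": src, "port": int(port), "action": action})
        except ValueError:
            continue  # bad timestamp or port; ignore the line
    return events


def summarize_blocked_inbound(events):
    """Count blocked inbound events per minute and per port; flag noisy ports."""
    blocked = [e for e in events if e["dir"] == "in" and e["action"] == "blocked"]
    per_minute = Counter(e["ts"].strftime("%Y-%m-%d %H:%M") for e in blocked)
    per_port = Counter((e["proto"], e["port"]) for e in blocked)
    noisy = sum(1 for e in blocked if (e["proto"], e["port"]) in NOISY_PORTS)
    return {"total": len(blocked), "noisy": noisy, "per_port": dict(per_port),
            "per_minute": dict(per_minute),
            "peak_per_minute": max(per_minute.values(), default=0)}


def exceeds_rate(summary, per_minute_threshold=100):
    """True if any minute reached the rate the poster originally reported."""
    return summary["peak_per_minute"] >= per_minute_threshold
```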

  7. #7
    tashi (Member of Team Spybot)
    Join Date
    Oct 2005
    Location
    USA
    Posts
    30,961


    As the problem appears to be resolved this topic will be archived.
    If you need it re-opened please send me a pm and provide a link to the thread.

    Glad we could help.
