Help with Hijack This! Log please? :)

Post #1 by SarahH, Oct 4th, 2005

Hello everyone! Well, I took your advice, and went ahead and reinstalled and reformatted. Now I seem to be getting a lot of hits on my firewall for some reason.

I'm wondering if there is a virus on here that's nasty and keeps getting past my AV Scans, or some horrible spyware or something? So, I did a Hijack This! log for you masters to take a look at please!

I have BlackIce firewall, Norton AntiVirus, Microsoft Anti-Spyware, Spybot, and Adaware. These are all updated, and I just ran them today. And voila! Here is my log!

Logfile of HijackThis v1.99.1
Scan saved at 11:01:01 AM, on 10/3/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\ISS\BlackICE\blackd.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\Program Files\Executive Software\Diskeeper\DkService.exe
C:\MATLAB7\webserver\bin\win32\matlabserver.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\WINDOWS\system32\CTHELPER.EXE
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\AOL\1128319371\ee\AOLHostManager.exe
C:\Program Files\Common Files\AOL\1128319371\ee\AOLServiceHost.exe
C:\Program Files\ISS\BlackICE\blackice.exe
C:\Program Files\NukeNabber\nukenabber.exe
D:\Hijack This\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = www.google.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.google.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = www.google.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = www.google.com
R3 - Default URLSearchHook is missing
O3 - Toolbar: (no name) - {01E69986-A054-4C52-ABE8-EF63DF1C5211} - (no file)
O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1128319371\ee\AOLHostManager.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [AIM] C:\PROGRA~1\AIM\aim.exe -cnetwait.odl
O4 - Startup: nukenabber.lnk = C:\Program Files\NukeNabber\nukenabber.exe
O4 - Global Startup: BlackICE PC Protection.lnk = C:\Program Files\ISS\BlackICE\blackice.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1128032802640
O17 - HKLM\System\CCS\Services\Tcpip\..\{6B7800B7-3CD3-41EE-A404-9827C8E194AA}: NameServer = 207.69.188.187 207.69.188.186
O20 - Winlogon Notify: WB - C:\PROGRA~1\WINDOW~4\fastload.dll
O23 - Service: BlackICE - Internet Security Systems, Inc. - C:\Program Files\ISS\BlackICE\blackd.exe
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\Diskeeper\DkService.exe
O23 - Service: MATLAB Server (matlabserver) - Unknown owner - C:\MATLAB7\webserver\bin\win32\matlabserver.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
O23 - Service: RapApp - Internet Security Systems, Inc. - C:\Program Files\ISS\BlackICE\rapapp.exe

Thanks again you all! I love you guys, I always get great help here! <hugs>

Sarah
Post #2 by DMR (Team Colleague), Oct 4th, 2005

1. If the hits are being reported as coming from the outside world, that's normal; there are a lot of malicious programs and people out there trying random IPs and network ports to see if they can find a way into your system.
Do your firewall logs give you any specific details? If so, you might want to post some of them so that we can get a better idea of what the hits are all about.


2. There are a couple of loose ends in your HJT log; have it fix these entries:

R3 - Default URLSearchHook is missing
O3 - Toolbar: (no name) - {01E69986-A054-4C52-ABE8-EF63DF1C5211} - (no file)

"May the Wombat of Happiness snuffle through your underbrush."
- Ancient Aborigine blessing


Please do not contact me by email or PM for help. We're all volunteers here, and only have so much free time to dedicate to our efforts.

However, if I've been working on a thread with you already, and seem to have "forgotten" your thread, please do send me a message. I try not to let things slip through the cracks, but it does happen sometimes.
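The two entries DMR flags are both dangling references: the R3 line says a default registry value is absent, and the O3 line points a toolbar CLSID at a file that no longer exists. Below is a small triage script that picks exactly those patterns out of a HijackThis log. It is an added example, not part of the thread; the sample lines are copied from the log posted above, and the O20 and "Unknown owner" O23 checks are extra heuristics of mine, not something DMR asked for.

```python
import re
from typing import List, Tuple

# Constructed sample: a few lines copied from the HijackThis log posted above,
# plus the clean gcasServ and BlackICE lines, so the triage runs offline.
SAMPLE_HJT_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.google.com
R3 - Default URLSearchHook is missing
O3 - Toolbar: (no name) - {01E69986-A054-4C52-ABE8-EF63DF1C5211} - (no file)
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O20 - Winlogon Notify: WB - C:\PROGRA~1\WINDOW~4\fastload.dll
O23 - Service: MATLAB Server (matlabserver) - Unknown owner - C:\MATLAB7\webserver\bin\win32\matlabserver.exe
O23 - Service: BlackICE - Internet Security Systems, Inc. - C:\Program Files\ISS\BlackICE\blackd.exe
"""

# HijackThis entries start with a section code (R0-R3, O1-O23) followed by " - ".
ENTRY_RE = re.compile(r"^(?P<section>[RO]\d+) - (?P<body>.*)$")


def triage_hjt(text: str) -> List[Tuple[str, str, str]]:
    """Return (section, reason, line) for every entry that deserves a second look."""
    findings = []
    for raw in text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if not m:
            continue  # header lines, the process list, blanks
        section, body = m.group("section"), m.group("body")
        if "(no file)" in body:
            findings.append((section, "orphaned entry: registry points at a file that no longer exists", line))
        elif body.endswith("is missing"):
            findings.append((section, "default value absent (typically left behind by a cleanup tool)", line))
        elif section == "O20":
            # Winlogon Notify DLLs load into winlogon.exe at logon; verify the vendor.
            findings.append((section, "Winlogon Notify DLL: confirm which product installed it", line))
        elif section == "O23" and "Unknown owner" in body:
            findings.append((section, "service with no publisher string: confirm what installed it", line))
    return findings


def count_by_section(findings: List[Tuple[str, str, str]]) -> dict:
    """How many flagged entries fall in each HJT section."""
    counts: dict = {}
    for section, _, _ in findings:
        counts[section] = counts.get(section, 0) + 1
    return counts


if __name__ == "__main__":
    for section, reason, line in triage_hjt(SAMPLE_HJT_LOG):
        print(f"[{section}] {reason}\n    {line}")
```

Everything the script flags still needs a human decision: an O20 entry installed by a desktop theming tool, or a service that simply never filled in its publisher string, is not malicious, which is why it reports reasons rather than verdicts.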
Post #3 by SarahH, Oct 4th, 2005

Originally Posted by DMR
1. If the hits are being reported as coming from the outside world, that's normal; there are a lot of malicious programs and people out there trying random IPs and network ports to see if they can find a way into your system.
Do your firewall logs give you any specific details? If so, you might want to post some of them so that we can get a better idea of what the hits are all about.


2. There are a couple of loose ends in your HJT log; have it fix these entries:

R3 - Default URLSearchHook is missing
O3 - Toolbar: (no name) - {01E69986-A054-4C52-ABE8-EF63DF1C5211} - (no file)

Thanks for the cleanup advice! Here are a lot of the hits that have happened today...

Time, Event, Intruder, Count
10/4/2005 5:52:59 PM, TCP_Probe_SQL, ROBERT-8107CAF3, 2
10/4/2005 5:51:43 PM, TCP_Probe_MSRPC, YOUR-US67PI6LUV, 1
10/4/2005 5:51:35 PM, TCP_Probe_Gnutella, adsl-2-84-104.mia.bellsouth.net, 45
10/4/2005 5:50:58 PM, TCP_Probe_MSRPC, dialup-4.240.48.176.Dial1.Phoenix1.Level3.net, 3
10/4/2005 5:50:04 PM, TCP_Probe_MSRPC, dialup-4.240.156.5.Dial1.Phoenix1.Level3.net, 2
10/4/2005 5:46:07 PM, TCP_Probe_Other, B-MAN, 5
10/4/2005 5:44:50 PM, TCP_Probe_NetBIOS, dialup-4.240.123.224.Dial1.Phoenix1.Level3.net, 2
10/4/2005 5:39:47 PM, TCP_Probe_MSRPC, dialup-4.240.198.12.Dial1.Phoenix1.Level3.net, 2
10/4/2005 5:31:44 PM, TCP_Probe_Gnutella, adsl-69-235-202-37.dsl.irvnca.pacbell.net, 3
10/4/2005 5:31:21 PM, TCP_Probe_NetBIOS, dialup-4.240.150.206.Dial1.Phoenix1.Level3.net, 2
10/4/2005 5:28:19 PM, TCP_Probe_MSRPC, MIREYA-VXN28WS2, 1
10/4/2005 5:25:19 PM, TCP_Probe_Other, pool-151-199-116-76.roa.east.verizon.net, 4
10/4/2005 5:24:14 PM, TCP_Probe_MSRPC, dialup-4.240.75.112.Dial1.Phoenix1.Level3.net, 4
10/4/2005 5:20:13 PM, UDP_Probe_Other, cpe-66-25-1-127.houston.res.rr.com, 4
10/4/2005 5:20:12 PM, TCP_Probe_Gnutella, cpe-66-25-1-127.houston.res.rr.com, 6
10/4/2005 5:19:19 PM, TCP_Probe_MSRPC, dialup-4.240.12.132.Dial1.Phoenix1.Level3.net, 3
10/4/2005 5:18:17 PM, TCP_Probe_HTTP, PC823010993216, 2
10/4/2005 5:17:52 PM, TCP_Probe_MSRPC, dialup-4.240.183.220.Dial1.Phoenix1.Level3.net, 1
10/4/2005 5:17:52 PM, TCP_Probe_MSRPC, dialup-4.240.15.20.Dial1.Phoenix1.Level3.net, 2
10/4/2005 5:15:25 PM, TCP_Probe_MSRPC, dialup-4.239.252.47.Dial1.Philadelphia1.Level3.net, 1
10/4/2005 5:12:40 PM, TCP_Probe_NetBIOS, LENNYM, 2
10/4/2005 5:06:17 PM, TCP_Probe_NetBIOS, RETIRED-I53K7DN, 2
10/4/2005 5:00:06 PM, TCP_Probe_NetBIOS, dialup-4.240.48.45.Dial1.Phoenix1.Level3.net, 2
10/4/2005 4:56:54 PM, TCP_Probe_MSRPC, ool-44c30032.dyn.optonline.net, 2
10/4/2005 4:55:50 PM, TCP_Probe_NetBIOS, BRENT-XB381RSFA, 1
10/4/2005 4:54:12 PM, TCP_Probe_MSRPC, YOUR-W92P4BHLZG, 1
10/4/2005 4:48:56 PM, TCP_Probe_MSRPC, BRENT-XB381RSFA, 2
10/4/2005 4:45:35 PM, TCP_Probe_SQL, dialup-4.240.48.45.Dial1.Phoenix1.Level3.net, 2
10/4/2005 4:41:59 PM, TCP_Probe_MSRPC, HOME-Z3WRRIHNZV, 2
10/4/2005 4:38:39 PM, SQL_SSRP_StackBo, LUMEN1, 1
10/4/2005 4:38:39 PM, SQL_SSRP_Slammer_Worm, LUMEN1, 1
10/4/2005 4:26:02 PM, TCP_Probe_MSRPC, dialup-4.240.45.22.Dial1.Phoenix1.Level3.net, 1
10/4/2005 4:21:52 PM, SQL_SSRP_StackBo, dal-opssrvr.bcst.yahoo.com, 1
10/4/2005 4:21:52 PM, SQL_SSRP_Slammer_Worm, dal-opssrvr.bcst.yahoo.com, 1
10/4/2005 4:21:05 PM, TCP_Probe_MSRPC, YOUR-US67PI6LUV, 1
10/4/2005 4:15:27 PM, TCP_Probe_Gnutella, adsl-2-84-228.mia.bellsouth.net, 21
10/4/2005 4:11:15 PM, TCP_Probe_NetBIOS, TOMOKO, 2
10/4/2005 4:09:40 PM, TCP_Probe_MSRPC, dialup-4.240.156.194.Dial1.Phoenix1.Level3.net, 2
10/4/2005 4:02:10 PM, TCP_Probe_MSRPC, dialup-4.240.242.56.Dial1.Phoenix1.Level3.net, 2
10/4/2005 4:01:50 PM, TCP_Probe_MSRPC, dialup-4.240.204.73.Dial1.Phoenix1.Level3.net, 2
10/4/2005 4:00:58 PM, TCP_Probe_SQL, dialup-4.239.48.120.Dial1.Philadelphia1.Level3.net, 2
10/4/2005 3:54:07 PM, TCP_Probe_MSRPC, TOMOKO, 2
10/4/2005 3:41:14 PM, TCP_Probe_MSRPC, dialup-4.240.168.121.Dial1.Phoenix1.Level3.net, 1
10/4/2005 3:38:23 PM, TCP_Probe_MSRPC, THRAT-MWJ73653E, 2
10/4/2005 3:37:39 PM, TCP_Probe_MSRPC, dialup-4.240.156.99.Dial1.Phoenix1.Level3.net, 2
10/4/2005 3:36:22 PM, TCP_Probe_MSRPC, DARBALIC-YSNF2S, 2
10/4/2005 3:33:49 PM, TCP_Probe_NetBIOS, dialup-4.237.32.180.Dial1.NewYork1.Level3.net, 3
10/4/2005 3:33:25 PM, TCP_Probe_HTTP, dialup-4.237.32.180.Dial1.NewYork1.Level3.net, 6
10/4/2005 3:32:39 PM, TCP_Probe_Other, dialup-4.237.32.180.Dial1.NewYork1.Level3.net, 15
10/4/2005 3:32:27 PM, TCP_Probe_NetBIOS, dialup-4.240.156.99.Dial1.Phoenix1.Level3.net, 2
10/4/2005 3:30:33 PM, TCP_Probe_MSRPC, dialup-4.240.147.92.Dial1.Phoenix1.Level3.net, 1
10/4/2005 3:30:32 PM, TCP_Probe_Gnutella, adsl-2-84-184.mia.bellsouth.net, 27
10/4/2005 3:30:18 PM, TCP_Probe_MSRPC, dialup-4.237.32.180.Dial1.NewYork1.Level3.net, 3
10/4/2005 3:00:27 PM, TCP_Probe_NetBIOS, HOME, 2
10/4/2005 2:58:22 PM, TCP_Probe_MSRPC, dialup-4.240.24.129.Dial1.Phoenix1.Level3.net, 2
10/4/2005 2:57:59 PM, TCP_Probe_MSRPC, VALUED-A4DE119D, 2
10/4/2005 2:51:08 PM, TCP_Probe_SQL, dialup-4.240.48.27.Dial1.Phoenix1.Level3.net, 2
10/4/2005 2:46:35 PM, TCP_Probe_MSRPC, DARBALIC-YSNF2S, 2
10/4/2005 2:43:26 PM, TCP_Probe_MSRPC, dialup-4.240.117.45.Dial1.Phoenix1.Level3.net, 2
10/3/2005 2:37:43 PM, TCP_Probe_MSRPC, MENESES-W5EGV8D, 1
10/3/2005 2:34:47 PM, TCP_Probe_SQL, dialup-4.240.48.27.Dial1.Phoenix1.Level3.net, 2
10/3/2005 2:32:29 PM, TCP_Probe_Gnutella, adsl-2-84-184.mia.bellsouth.net, 3
10/3/2005 2:32:29 PM, TCP_Probe_MSRPC, dialup-4.240.246.95.Dial1.Phoenix1.Level3.net, 2
10/3/2005 2:30:16 PM, TCP_Probe_HTTP, PC823010993216, 2
10/3/2005 2:29:50 PM, TCP_Probe_MSRPC, dialup-4.240.201.45.Dial1.Phoenix1.Level3.net, 3
10/3/2005 2:25:48 PM, TCP_Probe_Gnutella, adsl-2-84-184.mia.bellsouth.net, 3
10/3/2005 2:25:38 PM, TCP_Probe_MSRPC, dialup-4.239.231.45.Dial1.Philadelphia1.Level3.net, 1
10/3/2005 2:25:27 PM, TCP_Probe_MSRPC, dialup-4.239.231.45.Dial1.Philadelphia1.Level3.net, 1
10/3/2005 1:40:00 PM, TCP_Probe_MSRPC, YOUR-6JNHHU0520, 2
10/3/2005 1:30:14 PM, TCP_Probe_SQL, HOME, 2
10/3/2005 1:16:59 PM, TCP_Probe_MSRPC, dialup-4.240.6.233.Dial1.Phoenix1.Level3.net, 2
10/3/2005 1:14:30 PM, TCP_Probe_MSRPC, dialup-4.240.198.206.Dial1.Phoenix1.Level3.net, 10
10/3/2005 1:06:56 PM, TCP_Probe_NetBIOS, dialup-4.240.247.103.Dial1.Phoenix1.Level3.net, 2
10/3/2005 1:05:59 PM, TCP_Probe_MSRPC, dialup-4.240.90.227.Dial1.Phoenix1.Level3.net, 5
10/3/2005 12:45:42 PM, TCP_Probe_MSRPC, dialup-4.240.199.150.Dial1.Phoenix1.Level3.net, 2
10/3/2005 12:43:30 PM, TCP_Probe_MSRPC, dialup-4.240.81.243.Dial1.Phoenix1.Level3.net, 1
10/3/2005 12:40:09 PM, TCP_Probe_NetBIOS, LENNYM, 2
10/3/2005 12:40:06 PM, TCP_Probe_SQL, MYFAMILY, 1
10/3/2005 12:39:26 PM, TCP_Probe_MSRPC, dialup-4.240.42.154.Dial1.Phoenix1.Level3.net, 4
10/3/2005 12:37:25 PM, TCP_Probe_MSRPC, 67-150-79-117.phnx.mdsg-pacwest.com, 2
10/3/2005 12:23:04 PM, TCP_Probe_MSRPC, 67-150-79-117.phnx.mdsg-pacwest.com, 2
10/3/2005 12:21:45 PM, TCP_Probe_MSRPC, dialup-4.240.105.236.Dial1.Phoenix1.Level3.net, 1
10/3/2005 12:20:37 PM, TCP_Probe_NetBIOS, COMPAQ-HOME, 2
10/3/2005 12:15:51 PM, TCP_Probe_MSRPC, ool-18b8c86e.dyn.optonline.net, 2
10/3/2005 12:09:44 PM, TCP_Probe_MSRPC, dialup-4.240.198.206.Dial1.Phoenix1.Level3.net, 2
10/3/2005 12:09:42 PM, TCP_Probe_MSRPC, dialup-4.240.201.64.Dial1.Phoenix1.Level3.net, 2
10/3/2005 11:59:56 AM, TCP_Probe_NetBIOS, RETIRED-I53K7DN, 2
10/3/2005 11:52:58 AM, TCP_Probe_MSRPC, dialup-4.240.78.199.Dial1.Phoenix1.Level3.net, 2
10/3/2005 11:52:40 AM, TCP_Probe_MSRPC, HOME-FT9RI5IDIS, 3
10/3/2005 11:43:09 AM, TCP_Probe_MSRPC, YOUR-US67PI6LUV, 2
10/3/2005 11:38:21 AM, TCP_Probe_MSRPC, dialup-4.240.78.199.Dial1.Phoenix1.Level3.net, 2
10/3/2005 11:34:04 AM, TCP_Probe_NetBIOS, BARTON, 2
10/3/2005 11:32:46 AM, TCP_Probe_MSRPC, ABC, 4
10/3/2005 11:29:03 AM, TCP_Probe_NetBIOS, BARTON, 6
10/3/2005 11:25:53 AM, TCP_Probe_MSRPC, dialup-4.240.247.210.Dial1.Phoenix1.Level3.net, 2
10/3/2005 11:24:05 AM, TCP_Probe_MSRPC, AL, 2
10/3/2005 11:20:52 AM, TCP_Probe_Other, bpg.sayclub.jp, 2
10/3/2005 11:16:19 AM, TCP_Probe_NetBIOS, dialup-4.240.213.160.Dial1.Phoenix1.Level3.net, 4
10/3/2005 11:16:10 AM, TCP_Probe_NetBIOS, dialup-4.240.247.103.Dial1.Phoenix1.Level3.net, 2
10/3/2005 11:06:40 AM, TCP_Probe_MSRPC, dialup-4.240.42.154.Dial1.Phoenix1.Level3.net, 4
10/3/2005 10:58:26 AM, TCP_Probe_MSRPC, dialup-4.240.105.139.Dial1.Phoenix1.Level3.net, 2
10/3/2005 10:52:07 AM, TCP_Probe_MSRPC, VB-YMPOZYZOEICX, 2
10/3/2005 8:27:23 AM, TCP_Probe_MSRPC, dialup-4.240.168.243.Dial1.Phoenix1.Level3.net, 3
10/3/2005 8:19:36 AM, TCP_Probe_NetBIOS, STOVERS, 2
10/3/2005 8:19:04 AM, TCP_Probe_MSRPC, dialup-4.240.51.147.Dial1.Phoenix1.Level3.net, 2
10/3/2005 8:15:35 AM, TCP_Probe_SQL, dialup-4.239.147.169.Dial1.Philadelphia1.Level3.net, 2
10/3/2005 8:02:57 AM, TCP_Probe_NetBIOS, 216-230-94-29.client.cypresscom.net, 3
10/3/2005 7:53:44 AM, TCP_Probe_MSRPC, dialup-4.254.136.105.Dial1.Orlando1.Level3.net, 1
10/3/2005 7:49:51 AM, TCP_Probe_MSRPC, SHAWN-J1OHRBPG2, 3
10/3/2005 7:47:20 AM, TCP_Probe_MSRPC, dialup-4.240.232.229.Dial1.Phoenix1.Level3.net, 2
10/3/2005 5:10:47 AM, TCP_Probe_MSRPC, SHAWN-J1OHRBPG2, 3
10/3/2005 5:02:44 AM, TCP_Probe_MSRPC, 61.68.171.62, 1
10/3/2005 4:58:22 AM, SQL_SSRP_StackBo, 84.234.213.77, 1
10/3/2005 4:58:22 AM, SQL_SSRP_Slammer_Worm, 84.234.213.77, 1
10/3/2005 4:47:23 AM, SQL_SSRP_StackBo, MACHT, 1
10/3/2005 4:47:23 AM, SQL_SSRP_Slammer_Worm, MACHT, 1
10/3/2005 4:46:37 AM, TCP_Probe_MSRPC, dialup-4.240.78.161.Dial1.Phoenix1.Level3.net, 8
10/3/2005 4:34:34 AM, SQL_SSRP_StackBo, 0013D4176ECC, 1
10/3/2005 4:34:34 AM, SQL_SSRP_Slammer_Worm, 0013D4176ECC, 1
10/3/2005 4:20:55 AM, TCP_Probe_MSRPC, dialup-4.238.0.94.Dial1.Orlando1.Level3.net, 2
10/3/2005 4:20:35 AM, TCP_Probe_MSRPC, dialup-4.241.39.88.Dial1.SanDiego1.Level3.net, 3
10/3/2005 4:01:09 AM, TCP_Probe_NetBIOS, 211.110.133.187, 2
10/3/2005 3:42:34 AM, TCP_Probe_SQL, dialup-4.240.54.131.Dial1.Phoenix1.Level3.net, 2
10/3/2005 3:38:47 AM, TCP_Probe_MSRPC, dialup-4.240.54.131.Dial1.Phoenix1.Level3.net, 2
10/3/2005 3:24:46 AM, TCP_Probe_Other, ASte-Genev-Bois-151-1-48-183.w83-114.abo.wanadoo.fr, 2
10/3/2005 3:08:43 AM, TCP_Probe_NetBIOS, dialup-4.240.3.180.Dial1.Phoenix1.Level3.net, 2
10/3/2005 3:07:55 AM, TCP_Probe_MSRPC, dialup-4.241.39.45.Dial1.SanDiego1.Level3.net, 3
10/3/2005 2:55:37 AM, TCP_Probe_MSRPC, dialup-4.240.242.106.Dial1.Phoenix1.Level3.net, 2
10/3/2005 2:46:15 AM, SQL_SSRP_StackBo, opt-202-67-19-242.client.pikara.ne.jp, 1
10/3/2005 2:46:15 AM, SQL_SSRP_Slammer_Worm, opt-202-67-19-242.client.pikara.ne.jp, 1
10/3/2005 2:42:43 AM, TCP_Probe_MSRPC, dialup-4.239.75.144.Dial1.Philadelphia1.Level3.net, 2
10/3/2005 2:37:42 AM, TCP_Probe_MSRPC, dialup-4.240.242.88.Dial1.Phoenix1.Level3.net, 2
10/3/2005 2:33:21 AM, TCP_Probe_MSRPC, 4.43.46.13, 2
10/3/2005 2:08:49 AM, TCP_Probe_NetBIOS, 000342G, 2
10/3/2005 2:04:48 AM, TCP_Probe_MSRPC, dialup-4.241.39.45.Dial1.SanDiego1.Level3.net, 3
10/3/2005 1:57:30 AM, TCP_Probe_MSRPC, dialup-4.240.168.231.Dial1.Phoenix1.Level3.net, 8
10/3/2005 1:50:46 AM, TCP_Probe_MSRPC, dialup-4.240.33.237.Dial1.Phoenix1.Level3.net, 1
10/3/2005 1:49:47 AM, TCP_Probe_MSRPC, dialup-4.240.111.10.Dial1.Phoenix1.Level3.net, 4
10/3/2005 1:49:46 AM, TCP_Probe_MSRPC, dialup-4.242.177.102.Dial1.Seattle1.Level3.net, 3
10/3/2005 1:22:34 AM, TCP_Probe_MSRPC, YOUR-ZE8CXVR8TT, 1
10/3/2005 1:20:40 AM, TCP_Probe_MSRPC, HOME-MBDT1I1JP5, 2
10/3/2005 1:12:07 AM, All Proventia protection started, 0.0.0.0, 1
10/3/2005 12:58:46 AM, SQL_SSRP_StackBo, 220.224.15.33, 1
10/3/2005 12:58:46 AM, SQL_SSRP_Slammer_Worm, 220.224.15.33, 1
10/3/2005 12:55:34 AM, TCP_Probe_MSRPC, dialup-4.240.168.231.Dial1.Phoenix1.Level3.net, 1
10/3/2005 12:52:59 AM, TCP_Probe_MSRPC, ppp-68-91-20-131.dialup.elpstx.swbell.net, 3
10/3/2005 12:52:04 AM, TCP_Probe_MSRPC, 203.208.166.247, 2
10/3/2005 12:49:32 AM, TCP_Probe_MSRPC, dialup-4.240.27.76.Dial1.Phoenix1.Level3.net, 3
10/3/2005 12:43:34 AM, TCP_Probe_MSRPC, CPQ10443900021, 1
10/3/2005 12:40:10 AM, TCP_Probe_NetBIOS, dialup-4.239.219.130.Dial1.Philadelphia1.Level3.net, 2
10/3/2005 12:26:33 AM, TCP_Probe_MSRPC, dialup-4.240.198.12.Dial1.Phoenix1.Level3.net, 2
10/3/2005 12:12:27 AM, TCP_Probe_MSRPC, STOVERS, 1
10/3/2005 12:12:07 AM, TCP_Probe_NetBIOS, dialup-4.240.171.178.Dial1.Phoenix1.Level3.net, 2
10/3/2005 12:10:01 AM, TCP_Probe_MSRPC, dialup-4.240.240.51.Dial1.Phoenix1.Level3.net, 2
10/2/2005 11:58:00 PM, TCP_Probe_SQL, RETIRED-I53K7DN, 2
10/2/2005 11:51:09 PM, TCP_Probe_Other, 211.105.94.34, 3
10/2/2005 11:45:40 PM, TCP_Probe_MSRPC, BA, 2
10/2/2005 11:37:45 PM, TCP_Probe_MSRPC, dialup-4.240.27.76.Dial1.Phoenix1.Level3.net, 6
10/2/2005 11:36:50 PM, TCP_Probe_MSRPC, dialup-4.240.54.49.Dial1.Phoenix1.Level3.net, 2
10/2/2005 11:29:51 PM, TCP_Probe_MSRPC, dialup-4.242.108.6.Dial1.Seattle1.Level3.net, 3
10/2/2005 11:27:52 PM, TCP_Probe_MSRPC, dialup-4.240.99.198.Dial1.Phoenix1.Level3.net, 3
10/2/2005 11:27:52 PM, TCP_Probe_MSRPC, dialup-4.240.6.251.Dial1.Phoenix1.Level3.net, 8
10/2/2005 11:25:04 PM, TCP_Probe_MSRPC, dialup-4.240.147.210.Dial1.Phoenix1.Level3.net, 4
10/2/2005 11:25:03 PM, TCP_Probe_MSRPC, dialup-4.240.123.45.Dial1.Phoenix1.Level3.net, 1
10/2/2005 11:22:15 PM, TCP_Probe_NetBIOS, dialup-4.240.245.240.Dial1.Phoenix1.Level3.net, 4
10/2/2005 11:20:44 PM, TCP_Probe_NetBIOS, SAMANTA-LOAT30N, 2
10/2/2005 11:17:04 PM, TCP_Probe_NetBIOS, dialup-4.240.12.254.Dial1.Phoenix1.Level3.net, 2
10/2/2005 11:14:16 PM, TCP_Probe_MSRPC, dialup-4.240.171.40.Dial1.Phoenix1.Level3.net, 4
10/2/2005 11:10:57 PM, TCP_Probe_MSRPC, dialup-4.237.50.54.Dial1.NewYork1.Level3.net, 3
10/2/2005 11:08:22 PM, TCP_Probe_MSRPC, dialup-4.240.93.151.Dial1.Phoenix1.Level3.net, 2
10/2/2005 11:06:05 PM, TCP_Probe_MSRPC, dialup-4.240.156.180.Dial1.Phoenix1.Level3.net, 3
10/2/2005 11:02:13 PM, TCP_Probe_MSRPC, PLANET-EARTH, 2
10/2/2005 10:55:46 PM, TCP_Probe_MSRPC, dialup-4.240.123.172.Dial1.Phoenix1.Level3.net, 2
10/2/2005 10:49:58 PM, TCP_Probe_NetBIOS, dialup-4.240.244.204.Dial1.Phoenix1.Level3.net, 1
10/2/2005 10:48:52 PM, TCP_Probe_SQL, PINO-EB4XU77L5I, 2
10/2/2005 10:44:26 PM, TCP_Probe_MSRPC, dialup-4.240.171.201.Dial1.Phoenix1.Level3.net, 6
10/2/2005 10:39:02 PM, TCP_Probe_MSRPC, dialup-4.240.242.194.Dial1.Phoenix1.Level3.net, 4
10/2/2005 10:34:45 PM, TCP_Probe_MSRPC, dialup-4.240.120.202.Dial1.Phoenix1.Level3.net, 2
10/2/2005 10:32:44 PM, TCP_Probe_MSRPC, HOME-C2XNLH4BN6, 2
10/2/2005 10:27:45 PM, TCP_Probe_MSRPC, dialup-4.240.18.161.Dial1.Phoenix1.Level3.net, 2
10/2/2005 10:21:19 PM, TCP_Probe_MSRPC, dialup-4.240.129.57.Dial1.Phoenix1.Level3.net, 2


Unfortunately, I really don't know how to read the logs. I get options when I right click these though: Block forever, block for an hour, allow forever, allow for an hour, things like that.
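The posted firewall export has four columns (time, signature, source, hit count) and nothing else, so the questions it can answer are "what was probed" and "by whom", not "was it blocked". The script below is an added example, not part of the thread: it parses rows in that layout (a handful of rows copied from the log above serve as the sample) and totals them by signature and by source. The table mapping BlackICE signature names to the service and port each one targets is my own annotation built from the standard port assignments, since the export itself prints no ports.

```python
import csv
from collections import Counter
from io import StringIO
from typing import Dict, List

# Constructed sample: nine rows copied from the BlackICE export posted above, in the
# same "Time, Event, Intruder, Count" layout the firewall produced.
SAMPLE_BLACKICE_LOG = """\
Time, Event, Intruder, Count
10/4/2005 5:52:59 PM, TCP_Probe_SQL, ROBERT-8107CAF3, 2
10/4/2005 5:51:35 PM, TCP_Probe_Gnutella, adsl-2-84-104.mia.bellsouth.net, 45
10/4/2005 5:50:58 PM, TCP_Probe_MSRPC, dialup-4.240.48.176.Dial1.Phoenix1.Level3.net, 3
10/4/2005 5:44:50 PM, TCP_Probe_NetBIOS, dialup-4.240.123.224.Dial1.Phoenix1.Level3.net, 2
10/4/2005 4:38:39 PM, SQL_SSRP_StackBo, LUMEN1, 1
10/4/2005 4:38:39 PM, SQL_SSRP_Slammer_Worm, LUMEN1, 1
10/4/2005 4:21:52 PM, SQL_SSRP_StackBo, dal-opssrvr.bcst.yahoo.com, 1
10/4/2005 4:21:52 PM, SQL_SSRP_Slammer_Worm, dal-opssrvr.bcst.yahoo.com, 1
10/3/2005 1:12:07 AM, All Proventia protection started, 0.0.0.0, 1
"""

# Assumed annotation (mine, not BlackICE's): the service and standard port each
# signature name refers to. The export itself prints no port numbers.
SIGNATURE_TARGETS: Dict[str, str] = {
    "TCP_Probe_MSRPC": "MS-RPC endpoint mapper, TCP/135 (the port Blaster and its successors scanned)",
    "TCP_Probe_NetBIOS": "NetBIOS session service, TCP/139",
    "TCP_Probe_SQL": "SQL Server, TCP/1433",
    "SQL_SSRP_Slammer_Worm": "SQL Server Resolution Service, UDP/1434 (SQL Slammer packet)",
    "SQL_SSRP_StackBo": "SQL Server Resolution Service, UDP/1434 (stack overflow attempt)",
    "TCP_Probe_Gnutella": "Gnutella peer port, TCP/6346 (a P2P client looking for a peer)",
    "TCP_Probe_HTTP": "HTTP, TCP/80",
}

# Signatures that carry a worm payload rather than a plain connection attempt.
WORM_SIGNATURES = {"SQL_SSRP_Slammer_Worm", "SQL_SSRP_StackBo"}


def parse_blackice(text: str) -> List[dict]:
    """Turn the comma-separated export into dicts with an integer hit count."""
    rows = []
    # skipinitialspace drops the blank after each comma, in the header row as well.
    for row in csv.DictReader(StringIO(text), skipinitialspace=True):
        rows.append({"time": row["Time"], "event": row["Event"],
                     "intruder": row["Intruder"], "count": int(row["Count"])})
    return rows


def describe(event: str) -> str:
    return SIGNATURE_TARGETS.get(event, "signature not in the annotation table")


def summarize(rows: List[dict]) -> dict:
    """Total hit counts per signature and per source; list sources sending worm traffic."""
    by_event: Counter = Counter()
    by_source: Counter = Counter()
    worm_sources = set()
    for r in rows:
        if r["event"].startswith("All Proventia"):
            continue  # firewall status line, not a probe
        by_event[r["event"]] += r["count"]
        by_source[r["intruder"]] += r["count"]
        if r["event"] in WORM_SIGNATURES:
            worm_sources.add(r["intruder"])
    return {"by_event": by_event, "by_source": by_source,
            "worm_sources": sorted(worm_sources)}


if __name__ == "__main__":
    summary = summarize(parse_blackice(SAMPLE_BLACKICE_LOG))
    for event, hits in summary["by_event"].most_common():
        print(f"{hits:4d}  {event:24s} {describe(event)}")
    print("noisiest sources:", summary["by_source"].most_common(3))
    print("worm traffic from:", summary["worm_sources"])
```

Two things stand out once the rows are totalled: the MSRPC and NetBIOS probes come overwhelmingly from dial-up pools, which is the random background scanning DMR describes, and the SQL_SSRP_Slammer_Worm rows are remote machines still carrying SQL Slammer and spraying its UDP/1434 packet at random addresses. Neither kind says anything about the state of the machine receiving them; unless a SQL Server is listening on that port, the Slammer packet has nothing to hit.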
Post #4 by DMR, Oct 5th, 2005

Those log entries are indicating probes/connection attempts from the outside world; they aren't indicative of activity by malicious programs on your computer. If your firewall software is successfully blocking these queries, you should be OK.

In addition to a firewall, you can tighten up your security even more by making configuration changes to Windows' services (system-level programs which provide certain functions). Windows, by default, runs more than a few unnecessary and potentially vulnerable services, so it's a good idea from a security standpoint to limit some of these services or disable them entirely. This isn't something that you should do if you're not familiar with services though, as modifying the wrong services can cause all sorts of trouble.

A list of suggested service settings which will secure your computer more thoroughly can be found here:
http://www.tweakhound.com/xp/security/page_3.htm
Post #5 by SarahH, Oct 5th, 2005

Originally Posted by DMR
Those log entries are indicating probes/connection attempts from the outside world; they aren't indicative of activity by malicious programs on your computer. If your firewall software is successfully blocking these queries, you should be OK.

In addition to a firewall, you can tighten up your security even more by making configuration changes to Windows' services (system-level programs which provide certain functions). Windows, by default, runs more than a few unnecessary and potentially vulnerable services, so it's a good idea from a security standpoint to limit some of these services or disable them entirely. This isn't something that you should do if you're not familiar with services though, as modifying the wrong services can cause all sorts of trouble.

A list of suggested service settings which will secure your computer more thoroughly can be found here:
http://www.tweakhound.com/xp/security/page_3.htm

Okay, so you're saying since the attacks/probes are showing up in my firewall list, then that means they *are* being blocked?

Sorry, I'm new to the whole firewall thing. This was given to me by a friend with no instructions.
Post #6 by SarahH, Oct 5th, 2005

Oh, also, here is an updated Hijack This! Log. Did I get it all out?

Logfile of HijackThis v1.99.1
Scan saved at 4:51:21 AM, on 10/5/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\ISS\BlackICE\blackd.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\Program Files\Executive Software\Diskeeper\DkService.exe
C:\MATLAB7\webserver\bin\win32\matlabserver.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\WINDOWS\system32\CTHELPER.EXE
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\ISS\BlackICE\blackice.exe
C:\Program Files\NukeNabber\nukenabber.exe
C:\Program Files\AnalogX\MaxMem\maxmem.exe
C:\Program Files\WindowBlinds\wbload.exe
D:\Hijack This\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = www.google.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.google.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = www.google.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = www.google.com
O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [AIM] C:\PROGRA~1\AIM\aim.exe -cnetwait.odl
O4 - Startup: nukenabber.lnk = C:\Program Files\NukeNabber\nukenabber.exe
O4 - Global Startup: BlackICE PC Protection.lnk = C:\Program Files\ISS\BlackICE\blackice.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1128032802640
O17 - HKLM\System\CCS\Services\Tcpip\..\{6B7800B7-3CD3-41EE-A404-9827C8E194AA}: NameServer = 207.69.188.187 207.69.188.186
O20 - Winlogon Notify: WB - C:\PROGRA~1\WINDOW~4\fastload.dll
O23 - Service: BlackICE - Internet Security Systems, Inc. - C:\Program Files\ISS\BlackICE\blackd.exe
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\Diskeeper\DkService.exe
O23 - Service: MATLAB Server (matlabserver) - Unknown owner - C:\MATLAB7\webserver\bin\win32\matlabserver.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
O23 - Service: RapApp - Internet Security Systems, Inc. - C:\Program Files\ISS\BlackICE\rapapp.exe
Post #7 by DMR, Oct 5th, 2005

1. Your log is clean now.

2. Somewhere in the BlackIce firewall program you should be able to find a graphical view of the connection attempts which will tell you if the attempts were successfully blocked or not (each event should have a small alert icon next to it). The text log reports some info on the connection attempts, but not the actions taken.

Windows NT / 2000 / XP Forum, ©2003 - 2009 DaniWeb® LLC