HijackThis LOG - help!
Hi,
I have run HijackThis, and my home page and search seem OK. But somebody, in looking at my computer earlier, told me to run the DOS command netstat -an, and saw that various IPs were 'LISTENING', and one in particular, 0.0.0.0:2869, which seemed to be of huge concern to him. This means little to me, but I was worried because it is still there after having run HijackThis.
Anyhow, below is my HijackThis log, after having run it once. Please tell me if there is anything else suspicious that I should remove.
Logfile of HijackThis v1.97.7
Scan saved at 2:23:58 PM, on 10/05/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG6\avgserv.exe
C:\WINDOWS\System32\basfipm.exe
C:\WINDOWS\System32\Hummbird\inetd32.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\SSH Communications Security\SSH Secure Shell\SshClient.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\username\Desktop\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Sympatico
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = http://www.dell.com/
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1C972509-8A6E-BAF1-D1E8-7D5F4890A0EC} - C:\PROGRA~1\BALMCA~1\Ref 2.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Cdrom Gram - {CE908801-C983-D3B9-36AA-603B269D8613} - C:\PROGRA~1\BALMCA~1\Ref 2.dll
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [bascstray] BascsTray.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\Grisoft\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [VOBRegCheck] C:\WINDOWS\System32\VOBREGCheck.exe -CheckReg
O4 - HKLM\..\Run: [FORDUMB] C:\PROGRA~1\FILENEWMOVE\HeckPlatform.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Symantec Fax Starter Edition Port.lnk = C:\Program Files\Microsoft Office\Office\1033\OLFSNT40.EXE
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O12 - Plugin for .mpg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/18f62bcd33f8aa112115/netzip/RdxIE601.cab
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/20030530/qtinstall.info.apple.com/abarth/us/win/QuickTimeInstaller.exe
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
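A first pass over a log like the one above can be automated. The script below is an added example, not part of the original post and not a HijackThis feature: it parses HJT-style entry lines and flags four things that can be checked mechanically (a DLL living under an 8.3 short-named folder that Windows would not create itself, an autostart entry given only as a bare filename, an ActiveX download from a raw IP address, and one DLL hooked into IE as both a BHO and a toolbar). The sample log lines are a constructed subset modelled on the log above, and the COMMON_SHORT allowlist is an assumption. It does not catch everything a human does (the HeckPlatform.exe entry is only suspicious because the names look random), so treat its output as a starting list, not a verdict.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample in HijackThis v1.97 log format, modelled on a few lines of the
# log posted above (not the whole log).
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1C972509-8A6E-BAF1-D1E8-7D5F4890A0EC} - C:\PROGRA~1\BALMCA~1\Ref 2.dll
O3 - Toolbar: Cdrom Gram - {CE908801-C983-D3B9-36AA-603B269D8613} - C:\PROGRA~1\BALMCA~1\Ref 2.dll
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [FORDUMB] C:\PROGRA~1\FILENEWMOVE\HeckPlatform.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/18f62bcd33f8aa112115/netzip/RdxIE601.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
"""

ENTRY_RE = re.compile(r"^(?P<kind>[RO]\d+) - (?P<body>.+)$")
# Windows' own 8.3 names for standard folders; any other ~N segment is worth a look
# (assumption: this short allowlist is enough for a home XP box).
COMMON_SHORT = {"PROGRA~1", "PROGRA~2", "COMMON~1", "MICROS~1", "DOCUME~1"}
SHORT_DIR_RE = re.compile(r"\\([A-Z0-9_]{1,6}~\d+)(?=\\)")
IP_URL_RE = re.compile(r"^https?://\d{1,3}(?:\.\d{1,3}){3}(?:[:/]|$)")
O4_TARGET_RE = re.compile(r'"([^"]+)"|(.+?\.(?:exe|dll|ocx|com|scr))(?=\s|$)', re.I)


@dataclass(frozen=True)
class Finding:
    kind: str
    target: str
    reason: str


def extract_target(kind: str, body: str) -> str:
    """Pull the file path or URL out of one log entry body."""
    if kind in ("O2", "O3", "O16"):
        return body.rsplit(" - ", 1)[-1].strip()
    if kind == "O4":
        rest = body.split("] ", 1)[1] if "] " in body else body.split(" = ", 1)[-1]
        m = O4_TARGET_RE.match(rest.strip())
        return (m.group(1) or m.group(2)) if m else rest.strip()
    return ""


def triage(log_text: str) -> List[Finding]:
    findings: List[Finding] = []
    hooks: Dict[str, set] = {}      # lowercased dll path -> {"O2", "O3"}
    spelled: Dict[str, str] = {}    # lowercased path -> path as written in the log
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue
        kind = m.group("kind")
        target = extract_target(kind, m.group("body"))
        if not target or target == "?":
            continue
        # 1. directory with an 8.3 name that is not one Windows makes for its own folders
        if any(seg not in COMMON_SHORT for seg in SHORT_DIR_RE.findall(target)):
            findings.append(Finding(kind, target, "short-name-dir"))
        # 2. autostart by bare filename: resolved via the search path, location unverified
        if kind == "O4" and "\\" not in target:
            findings.append(Finding(kind, target, "bare-filename"))
        # 3. ActiveX control downloaded from a raw IP address instead of a vendor hostname
        if kind == "O16" and IP_URL_RE.match(target):
            findings.append(Finding(kind, target, "ip-download"))
        if kind in ("O2", "O3"):
            hooks.setdefault(target.lower(), set()).add(kind)
            spelled.setdefault(target.lower(), target)
    # 4. the same DLL hooked into IE twice, as both a BHO and a toolbar
    for key, kinds in hooks.items():
        if kinds >= {"O2", "O3"}:
            findings.append(Finding("O2+O3", spelled[key], "shared-dll"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.kind:5} {f.reason:15} {f.target}")
```

Run against the constructed sample it reports Ref 2.dll three times (short-named folder, once per hook, plus the shared-DLL pairing), Ati2mdxx.exe as a bare filename to locate on disk, and the RdxIE cab fetched from 207.188.7.150; the Adobe, Real and Macromedia entries pass clean.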
Comments
Welcome to short-media.
Remove the following:
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: (no name) - {1C972509-8A6E-BAF1-D1E8-7D5F4890A0EC} - C:\PROGRA~1\BALMCA~1\Ref 2.dll
O3 - Toolbar: Cdrom Gram - {CE908801-C983-D3B9-36AA-603B269D8613} - C:\PROGRA~1\BALMCA~1\Ref 2.dll
O4 - HKLM\..\Run: [VOBRegCheck] C:\WINDOWS\System32\VOBREGCheck.exe -CheckReg
O4 - HKLM\..\Run: [FORDUMB] C:\PROGRA~1\FILENEWMOVE\HeckPlatform.exe
And then, you can get rid of the following unnecessary items to speed up your computer:
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [bascstray] BascsTray.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Symantec Fax Starter Edition Port.lnk = C:\Program Files\Microsoft Office\Office\1033\OLFSNT40.EXE
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
A couple of suspicious items.
Boot up in SAFE MODE. Run HJT (make sure you have installed HJT into its own folder, as it needs a place to save backups to.) Fix the following:
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Sympatico
(You have competing start default pages, and the "Title" entry is not necessary.)
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
(Unless you knowingly use a Proxy Server, this is likely an extraneous entry. Check with your ISP as to whether or not you need a proxy override.)
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = http://www.dell.com/
(More extraneous Dell crap.)
O2 - BHO: (no name) - {1C972509-8A6E-BAF1-D1E8-7D5F4890A0EC} - C:\PROGRA~1\BALMCA~1\Ref 2.dll
O3 - Toolbar: Cdrom Gram - {CE908801-C983-D3B9-36AA-603B269D8613} - C:\PROGRA~1\BALMCA~1\Ref 2.dll
O4 - HKLM\..\Run: [FORDUMB] C:\PROGRA~1\FILENEWMOVE\HeckPlatform.exe
(Suspicious random file name structure. Likely spyware.)
I recommend also manually removing the actual DLL and EXE files from your hard drive, or if you want to be safe, you can also manually quarantine them by moving them to a Quarantine folder (one for EXEs, one for DLLs) and renaming the extension to .XXX.
Reboot in normal mode, run netstat again, and see what you get. Instead of Netstat, you can also use a free app called Active Ports to do the same thing right in Windows.
Come back and let us know how it looks after doing this.
Dexter...
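The quarantine step Dexter describes (move the file to a quarantine folder, one per extension, and rename it to .XXX) is worth doing with a record attached, so that what was removed can be identified later and put back if it turns out to be needed. The helper below is an added example, not Dexter's or HijackThis's code: it hashes the file before moving it, moves it into an EXE or DLL subfolder under the quarantine root, appends .XXX to the name (the original extension is kept in the name so it is still clear what the file was), logs a JSON line per file to manifest.jsonl, and only restores a file whose hash still matches the record. The demo() function round-trips a constructed placeholder file in a temporary directory; the file name HeckPlatform.exe is borrowed from the log above but the bytes are made up. Like the manual procedure, this does nothing about a file that is currently running or locked, which is why the post says to do it from Safe Mode.

```python
import hashlib
import json
import shutil
import tempfile
import time
from pathlib import Path
from typing import Dict


def sha256_of(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def quarantine(file_path: str, quarantine_root: str) -> Dict[str, object]:
    """Move one file into <root>/<EXT>/ and rename it to *.XXX; log it in manifest.jsonl."""
    src = Path(file_path)
    if not src.is_file():
        raise FileNotFoundError(src)
    root = Path(quarantine_root)
    original = str(src.resolve())
    digest = sha256_of(src)          # hash first: the record identifies exactly what was moved
    ext = src.suffix.lstrip(".").upper() or "NOEXT"
    dest_dir = root / ext            # one folder per extension, as the post suggests
    dest_dir.mkdir(parents=True, exist_ok=True)
    dest = dest_dir / (src.name + ".XXX")   # HeckPlatform.exe -> HeckPlatform.exe.XXX
    if dest.exists():                # same name quarantined earlier: keep both copies
        dest = dest_dir / f"{src.name}.{digest[:8]}.XXX"
    shutil.move(str(src), str(dest))
    record = {
        "original": original,
        "quarantined": str(dest.resolve()),
        "sha256": digest,
        "size": dest.stat().st_size,
        "moved_at": time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime()),
    }
    with (root / "manifest.jsonl").open("a", encoding="utf-8") as mf:
        mf.write(json.dumps(record) + "\n")
    return record


def restore(record: Dict[str, object]) -> Path:
    """Put a quarantined file back, but only if it still matches the manifest hash."""
    src, dest = Path(str(record["quarantined"])), Path(str(record["original"]))
    if sha256_of(src) != record["sha256"]:
        raise ValueError(f"{src} does not match its recorded SHA-256; not restoring")
    dest.parent.mkdir(parents=True, exist_ok=True)
    shutil.move(str(src), str(dest))
    return dest


def demo() -> Dict[str, object]:
    """Round-trip a constructed dummy file through quarantine and back in a temp dir."""
    tmp = Path(tempfile.mkdtemp())
    try:
        sample = tmp / "HeckPlatform.exe"            # constructed: name from the log, fake bytes
        payload = b"MZ placeholder bytes, not a real executable"
        sample.write_bytes(payload)
        rec = quarantine(str(sample), str(tmp / "Quarantine"))
        q = Path(str(rec["quarantined"]))
        out = {
            "source_gone": not sample.exists(),
            "quarantined_name": q.name,
            "folder": q.parent.name,
            "hash_matches": rec["sha256"] == hashlib.sha256(payload).hexdigest(),
            "manifest_entries": len((tmp / "Quarantine" / "manifest.jsonl").read_text().splitlines()),
        }
        restore(rec)
        out["restored"] = sample.exists() and not q.exists()
        return out
    finally:
        shutil.rmtree(tmp, ignore_errors=True)


if __name__ == "__main__":
    print(demo())
```

Keeping the SHA-256 in the manifest also gives you something to look up later (a vendor scanner or a file-hash database) without having to touch the quarantined file again.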
C:\WINDOWS\System32\Hummbird\inetd32.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
You should boot into safe mode and manually delete those three files.
That entry is safe if you are using InstantCopy CD/DVD copying software from VOB/Pinnacle. See: http://www.windowsstartup.com/wso/detail.php?id=3090
It uses little resources so you can keep it active as well.
Dexter...
Proto Local Address Foreign Address State
TCP 0.0.0.0:2869 0.0.0.0:0 LISTENING
(obtained when I run netstat -an in DOS)
Should I still be worried? Or do I need to talk to somebody here who knows our network well (my laptop connection is not supported at school... for these very reasons, I guess).
I've only done the first one so far. Will let you know how it goes.
three manual EXE files suggested. I did not manually remove any other EXEs or DLLs because I don't know which ones Dexter meant for me to delete.
This entry from netstat is now gone:
TCP 0.0.0.0:2869 0.0.0.0:0 LISTENING
but there are other 'LISTENING' entries. should i be worried about these?
(I replaced some numbers with XXX below)
Active Connections
Proto Local Address Foreign Address State
TCP 0.0.0.0:135 0.0.0.0:0 LISTENING
TCP 0.0.0.0:445 0.0.0.0:0 LISTENING
TCP 0.0.0.0:1025 0.0.0.0:0 LISTENING
TCP 0.0.0.0:1029 0.0.0.0:0 LISTENING
TCP 0.0.0.0:5000 0.0.0.0:0 LISTENING
TCP 127.0.0.1:3001 0.0.0.0:0 LISTENING
TCP 127.0.0.1:3002 0.0.0.0:0 LISTENING
TCP 127.0.0.1:3003 0.0.0.0:0 LISTENING
TCP XXX.100.27.98:139 0.0.0.0:0 LISTENING
TCP XXX.100.27.98:3011 0.0.0.0:0 LISTENING
TCP XXX.100.27.98:3011 XXX.100.5.8:139 ESTABLISHED
TCP XXX.100.27.98:8750 0.0.0.0:0 LISTENING
UDP 0.0.0.0:445 *:*
UDP 0.0.0.0:500 *:*
UDP 0.0.0.0:1028 *:*
UDP 0.0.0.0:3008 *:*
UDP 127.0.0.1:123 *:*
UDP 127.0.0.1:1900 *:*
UDP XXX.100.27.98:123 *:*
UDP XXX.100.27.98:137 *:*
UDP XXX.100.27.98:138 *:*
UDP XXX.100.27.98:1900 *:*
UDP XXX.100.27.98:8264 *:*
UDP XXX.100.27.98:63756 *:*
Check the port number (the part after the : in the listing) against this list:
http://www.iana.org/assignments/port-numbers
I.e., your TCP 0.0.0.0:1025 0.0.0.0:0 LISTENING is listening on port 1025, but is not connected to anything. According to IANA, 1025 is "network blackjack."
Any of these ports could potentially be exploited for malicious intent.
If you have a firewall, most of these will not be a problem; they are just services that are available for communication. Port 135 is a concern, because it is an RPC port, and the big Blaster worm from last summer used that as an exploit for its damage. Disable the RPC service if you do not need it. But best of all, get a good hardware firewall to protect you from unsolicited incoming port traffic.
Dexter...
PS - I just ran a netstat -an and have the following ports listening:
135, 139, 445, 1025, 1030, 1288, 1293, 1672, 1674, 3813, 3815, 3819, plus a couple of others I won't list for security reasons. But behind a firewall, I am not concerned about any of those.
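The question behind the listing above is which of those sockets a remote machine could actually talk to. The script below is an added example, not from the thread or from any Windows tool: it parses the tabular output of netstat -an, and for each socket records where it is bound, because that is the part netstat makes easy to miss. A local address of 0.0.0.0 means the service accepts connections on every interface, an address of 127.0.0.1 means only programs on the same machine can reach it (the 3001-3003 entries above), and an address matching the NIC means that one interface. It then lists everything a remote host could reach if nothing filters the traffic. The sample is the listing posted after the cleanup, with the poster's XXX masking left in place; the KNOWN annotation table is supplied here for the ports in that listing and is an assumption about XP of that era, so anything else should still be checked against the IANA list the post links to.

```python
from dataclasses import dataclass
from typing import List

# The listing posted above after the cleanup (the poster's XXX masking kept as-is).
SAMPLE = """
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:1025           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:1029           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:5000           0.0.0.0:0              LISTENING
  TCP    127.0.0.1:3001         0.0.0.0:0              LISTENING
  TCP    127.0.0.1:3002         0.0.0.0:0              LISTENING
  TCP    127.0.0.1:3003         0.0.0.0:0              LISTENING
  TCP    XXX.100.27.98:139      0.0.0.0:0              LISTENING
  TCP    XXX.100.27.98:3011     0.0.0.0:0              LISTENING
  TCP    XXX.100.27.98:3011     XXX.100.5.8:139        ESTABLISHED
  TCP    XXX.100.27.98:8750     0.0.0.0:0              LISTENING
  UDP    0.0.0.0:445            *:*
  UDP    0.0.0.0:500            *:*
  UDP    0.0.0.0:1028           *:*
  UDP    0.0.0.0:3008           *:*
  UDP    127.0.0.1:123          *:*
  UDP    127.0.0.1:1900         *:*
  UDP    XXX.100.27.98:123      *:*
  UDP    XXX.100.27.98:137      *:*
  UDP    XXX.100.27.98:138      *:*
  UDP    XXX.100.27.98:1900     *:*
  UDP    XXX.100.27.98:8264     *:*
  UDP    XXX.100.27.98:63756    *:*
"""

# Partial annotation table for the ports in the listing (assumption: accurate for
# Windows XP of that era); cross-check anything not listed against IANA.
KNOWN = {
    ("TCP", 135): "MS RPC endpoint mapper / DCOM (the service Blaster attacked)",
    ("TCP", 139): "NetBIOS session service (file and print sharing)",
    ("TCP", 445): "SMB over TCP (file and print sharing)",
    ("TCP", 2869): "ICSLAP / UPnP on Windows XP",
    ("TCP", 5000): "UPnP device host on Windows XP before SP2",
    ("UDP", 123): "NTP (Windows Time)",
    ("UDP", 137): "NetBIOS name service",
    ("UDP", 138): "NetBIOS datagram service",
    ("UDP", 445): "SMB (UDP)",
    ("UDP", 500): "IKE / ISAKMP (IPsec key exchange)",
    ("UDP", 1900): "SSDP (UPnP discovery)",
}


@dataclass(frozen=True)
class Sock:
    proto: str
    host: str
    port: int
    foreign: str
    state: str  # LISTENING / ESTABLISHED for TCP, "" for UDP


def parse_netstat(text: str) -> List[Sock]:
    """Parse the tabular output of Windows `netstat -an`."""
    socks = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0] not in ("TCP", "UDP"):
            continue  # title, blank line or column header
        host, port = parts[1].rsplit(":", 1)
        state = parts[3] if len(parts) > 3 else ""
        socks.append(Sock(parts[0], host, int(port), parts[2], state))
    return socks


def exposure(s: Sock) -> str:
    """Who can reach this socket: every interface, one interface, or only local programs."""
    if s.host == "0.0.0.0":
        return "all-interfaces"
    if s.host.startswith("127."):
        return "loopback"
    return "one-interface"


def reachable_from_network(socks: List[Sock]) -> List[Sock]:
    """Sockets a remote host could talk to if nothing filters the traffic."""
    return [s for s in socks
            if (s.proto == "UDP" or s.state == "LISTENING") and exposure(s) != "loopback"]


def describe_port(proto: str, port: int) -> str:
    if (proto, port) in KNOWN:
        return KNOWN[(proto, port)]
    return "dynamic range; find the owner with netstat -ano" if port >= 1024 else "unknown; check IANA"


def report(text: str) -> List[str]:
    socks = parse_netstat(text)
    return [f"{s.proto} {s.host}:{s.port} [{exposure(s)}] {describe_port(s.proto, s.port)}"
            for s in sorted(reachable_from_network(socks), key=lambda s: (s.proto, s.port))]


if __name__ == "__main__":
    print("\n".join(report(SAMPLE)))
```

On the listing above this leaves 18 network-reachable sockets and drops the five loopback-only ones. netstat -an alone cannot say which program owns a port; on XP, netstat -ano adds the owning PID, which is the next thing to check for the unannotated ports before deciding whether they belong.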
C:\PROGRAM FILES\BALMCA~1\Ref 2.dll
C:\PROGRAM FILES\BALMCA~1\Ref 2.dll
C:\PROGRAM FILES\FILENEWMOVE\HeckPlatform.exe
For "BALMCA~1" look for a folder with the matching first letters "BALMCA."
Dexter...
Feel free to just stick around, have fun and learn. We are more than just a tech site, we are a "community", with lots of great discussion on technical matters as well as non-tech topics in the Pub. But the best thing you can do is join our Folding For a Cure team. Folding is a distributed computing program where your computer's spare processing power can be put to work in the background, searching for the cure to many diseases. Click the links in my signature to learn more about this worthy cause, and consider joining the Short-Media folding team - currently ranked #9 in the world!
And welcome again to Short-Media; we hope you stick around and become part of our community.
Dexter...