re: trojan? remote access??
Tuesday, December 2, 2003 at 7:02 am Windows Me Annoyances Discussion Forum
Posted by worm
(792 messages posted)
Hi Allegro,
There is nothing in your post that indicates cause for concern. Anybody disagree?
You could consider uninstalling Universal Plug & Play because that holds Port #5000
open, but it's a legitimate Windows application and nothing to be concerned about.
To uninstall it, do this:
1. Go to Start > Settings > Control Panel > Add/Remove Programs > Windows Setup (tab).
2. Scroll down to "Communications" and click that word. Make sure you don't remove
the checkmark to the left of it.
3. Click the "Details" button and then scroll down to "Universal Plug & Play" and
remove the checkmark there. Click Apply/OK. Reboot if necessary.
If you're worried about outbound connections, go to Start > Run > type command
and click OK.
At the C:\Windows\Desktop prompt, type NETSTAT -AN. Any port listed with
a "LISTENING" state is something to be concerned about, with the exception of Port
#1025 if you've got a firewall called Zone Alarm Pro installed.
On Tuesday, December 2, 2003 at 6:40 am, allegro wrote:
>This sucks. I think I'm being hacked/accessed.
>Here's my hijackthis log:
>
>StartupList report, 12/2/2003, 6:41:44 AM
>StartupList version: 1.52
>Started from : C:\WINDOWS\DESKTOP\HIJACKTHIS1.9.7.EXE
>Detected: Windows ME (Win9x 4.90.3000)
>Detected: Internet Explorer v6.00 SP1 (6.00.2800.1106)
>* Using default options
>* Showing rarely important sections
>==================================================
>
>Running processes:
>
>C:\WINDOWS\SYSTEM\KERNEL32.DLL
>C:\WINDOWS\SYSTEM\MSGSRV32.EXE
>C:\WINDOWS\SYSTEM\SPOOL32.EXE
>C:\WINDOWS\SYSTEM\mmtask.tsk
>C:\WINDOWS\SYSTEM\MPREXE.EXE
>C:\WINDOWS\SYSTEM\SSDPSRV.EXE
>C:\WINDOWS\TASKMON.EXE
>C:\WINDOWS\SYSTEM\SYSTRAY.EXE
>C:\WINDOWS\SYSTEM\HIDSERV.EXE
>C:\WINDOWS\SYSTEM\HPSYSDRV.EXE
>C:\PROGRAM FILES\THUNT\THGUARD.EXE
>C:\WINDOWS\SYSTEM\WMIEXE.EXE
>C:\WINDOWS\RunDLL.exe
>C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
>C:\WINDOWS\WINHLP32.EXE
>C:\WINDOWS\EXPLORER.EXE
>C:\WINDOWS\SYSTEM\MSTASK.EXE
>C:\WINDOWS\SYSTEM\STIMON.EXE
>C:\WINDOWS\SYSTEM\RNAAPP.EXE
>C:\WINDOWS\SYSTEM\TAPISRV.EXE
>C:\PROGRAM FILES\THUNT\TOOLS\AUTOSTART EXPLORER\AUTOSTARTEXPLORER.EXE
>C:\WINDOWS\SYSTEM\DDHELP.EXE
>C:\PROGRAM FILES\AMERICA ONLINE 9.0\WAOL.EXE
>C:\PROGRAM FILES\AMERICA ONLINE 9.0\SHELLMON.EXE
>C:\PROGRAM FILES\COMMON FILES\AOL\ACS\ACSD.EXE
>C:\PROGRAM FILES\THUNT\TROJANHUNTER.EXE
>C:\PROGRAM FILES\THUNT\TOOLS\PROCESS VIEWER\PROCESSVIEWER.EXE
>C:\WINDOWS\DESKTOP\HIJACKTHIS1.9.7.EXE
>C:\WINDOWS\NOTEPAD.EXE
>
>--------------------------------------------------
>
>Autorun entries from Registry:
>HKLM\Software\Microsoft\Windows\CurrentVersion\Run
>
>ScanRegistry = C:\WINDOWS\scanregw.exe /autorun
>TaskMonitor = C:\WINDOWS\taskmon.exe
>SystemTray = SysTray.Exe
>LoadPowerProfile = Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
>Hidserv = Hidserv.exe run
>HPScanPatch = C:\WINDOWS\SYSTEM\HPScanFix.exe
>hpsysdrv = c:\windows\system\hpsysdrv.exe
>Delay = C:\WINDOWS\delayrun.exe
>THGuard = "C:\PROGRAM FILES\THUNT\THGUARD.EXE"
>
>--------------------------------------------------
>
>Autorun entries from Registry:
>HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
>
>LoadPowerProfile = Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
>SchedulingAgent = mstask.exe
>*StateMgr = C:\WINDOWS\System\Restore\StateMgr.exe
>SSDPSRV = C:\WINDOWS\SYSTEM\ssdpsrv.exe
>
>--------------------------------------------------
>
>Autorun entries from Registry:
>HKCU\Software\Microsoft\Windows\CurrentVersion\Run
>
>Taskbar Display Controls = RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY
>
>--------------------------------------------------
>
>Enumerating Active Setup stub paths:
>HKLM\Software\Microsoft\Active Setup\Installed Components
>(* = disabled by HKCU twin)
>
>[{89820200-ECBD-11cf-8B85-00AA005B4395}] *
>StubPath = regsvr32.exe /s /n /i:U shell32.dll
>
>[>PerUser_MSN_Clean] *
>StubPath = C:\WINDOWS\msnmgsr1.exe
>
>[PerUser_LinkBar_URLs] *
>StubPath = C:\WINDOWS\COMMAND\sulfnbk.exe /L
>
>[{9EF0045A-CDD9-438e-95E6-02B9AFEC8E11}] *
>StubPath = C:\WINDOWS\SYSTEM\updcrl.exe -e -u C:\WINDOWS\SYSTEM\verisignpub1.crl
>
>[{89820200-ECBD-11cf-8B85-00AA005B4383}] *
>StubPath = C:\WINDOWS\SYSTEM\ie4uinit.exe
>
>--------------------------------------------------
>
>Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:
>
>Shell=Explorer.exe
>SCRNSAVE.EXE=
>drivers=mmsystem.dll power.drv
>
>--------------------------------------------------
>
>Checking for EXPLORER.EXE instances:
>
>C:\WINDOWS\Explorer.exe: PRESENT!
>
>C:\Explorer.exe: not present
>C:\WINDOWS\Explorer\Explorer.exe: not present
>C:\WINDOWS\System\Explorer.exe: not present
>C:\WINDOWS\System32\Explorer.exe: not present
>C:\WINDOWS\Command\Explorer.exe: not present
>C:\WINDOWS\Fonts\Explorer.exe: not present
>
>--------------------------------------------------
>
>C:\WINDOWS\WININIT.BAK listing:
>(Created 26/11/2003, 18:6:40)
>
>[rename]
>C:\WINDOWS\SYSTEM\ssdpapi.dll=C:\WINDOWS\SYSTEM\ssdpapi.001
>C:\WINDOWS\SYSTEM\ssdpsrv.exe=C:\WINDOWS\SYSTEM\ssdpsrv.001
>C:\WINDOWS\SYSTEM\upnp.dll=C:\WINDOWS\SYSTEM\upnp.001
>
>--------------------------------------------------
>
>C:\AUTOEXEC.BAT listing:
>
>SET windir=C:\WINDOWS
>SET winbootdir=C:\WINDOWS
>SET COMSPEC=C:\WINDOWS\COMMAND.COM
>SET PATH=C:\WINDOWS;C:\WINDOWS\COMMAND
>SET PROMPT=$p$g
>SET TEMP=C:\WINDOWS\TEMP
>SET TMP=C:\WINDOWS\TEMP
>
>--------------------------------------------------
>
>C:\WINDOWS\DOSSTART.BAT listing:
>
>mscdex.exe /d:IDECD000 /L:M
>
>--------------------------------------------------
>
>Checking for superhidden extensions:
>
>.lnk: HIDDEN! (arrow overlay: yes)
>.pif: HIDDEN! (arrow overlay: yes)
>.exe: not hidden
>.com: not hidden
>.bat: not hidden
>.hta: not hidden
>.scr: not hidden
>.shs: HIDDEN!
>.shb: HIDDEN!
>.vbs: not hidden
>.vbe: not hidden
>.wsh: not hidden
>.scf: HIDDEN! (arrow overlay: NO!)
>.url: HIDDEN! (arrow overlay: yes)
>.js: not hidden
>.jse: not hidden
>
>--------------------------------------------------
>
>Enumerating Task Scheduler jobs:
>
>PCHealth Scheduler for Data Collection.job
>
>--------------------------------------------------
>
>Enumerating ShellServiceObjectDelayLoad items:
>
>WebCheck: C:\WINDOWS\SYSTEM\WEBCHECK.DLL
>UPnPMonitor: C:\WINDOWS\SYSTEM\UPNPUI.DLL
>
>--------------------------------------------------
>End of report, 5,906 bytes
>Report generated in 0.046 seconds
>
>Command line options:
> /verbose - to add additional info on each section
> /complete - to include empty sections and unsuspicious data
> /full - to include several rarely-important sections
> /force9x - to include Win9x-only startups even if running on WinNT
> /forcent - to include WinNT-only startups even if running on Win9x
> /forceall - to include all Win9x and WinNT startups, regardless of platform
> /history - to list version history only
- Written in response to:
- trojan? remote access?? (allegro: Tuesday, December 2, 2003 at 6:40 am)
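Added example, not part of worm's reply or allegro's post: a small Python script that does the NETSTAT -AN check from the reply offline. It parses the `Proto / Local Address / Foreign Address / State` table that Windows 9x/Me netstat prints, lists every TCP port in LISTENING state, and flags the ones not explained by an allowlist. The sample netstat output is constructed for the example (it is not allegro's machine), and the allowlist is an assumption that only mirrors the two exclusions the reply itself makes (TCP 5000 for Universal Plug & Play, TCP 1025 for Zone Alarm Pro); adjust it to what you know is running on your own box.

```python
"""Parse `netstat -an` output and flag unexpected LISTENING ports.

Added example, not code from the forum thread. SAMPLE_NETSTAT below is a
constructed imitation of Windows 9x/Me `netstat -an` output, not a real
capture. ALLOWED_LISTENERS is an assumption that mirrors the exclusions the
reply makes (TCP 5000 for UPnP/ssdpsrv.exe, TCP 1025 for Zone Alarm Pro).
"""
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample, not a real capture.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:5000           0.0.0.0:0              LISTENING
  TCP    127.0.0.1:1025         0.0.0.0:0              LISTENING
  TCP    0.0.0.0:12345          0.0.0.0:0              LISTENING
  TCP    192.168.1.5:1044       64.12.24.7:5190        ESTABLISHED
  UDP    0.0.0.0:1900           *:*
"""

# Assumed allowlist (port -> why it is expected). Edit to match your own machine.
ALLOWED_LISTENERS = {
    5000: "Universal Plug & Play (ssdpsrv.exe) on Windows Me",
    1025: "Zone Alarm Pro, as noted in the reply above",
}

# One table row: proto, local endpoint, foreign endpoint, optional state (UDP has none).
_LINE_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)(?:\s+(\S+))?\s*$")


def split_endpoint(endpoint: str) -> Tuple[str, Optional[int]]:
    """Split 'host:port' into (host, port); port is None when it is '*'."""
    host, _, port = endpoint.rpartition(":")
    return host, (int(port) if port.isdigit() else None)


def parse_netstat(text: str) -> List[Dict]:
    """Return one dict per TCP/UDP row; the banner and header lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = _LINE_RE.match(line)
        if not m:
            continue
        proto, local, remote, state = m.groups()
        lhost, lport = split_endpoint(local)
        rhost, rport = split_endpoint(remote)
        rows.append({
            "proto": proto,
            "local_host": lhost, "local_port": lport,
            "remote_host": rhost, "remote_port": rport,
            "state": state or "",  # UDP rows carry no State column
        })
    return rows


def listening_ports(rows: List[Dict]) -> List[int]:
    """TCP ports in LISTENING state, ascending."""
    return sorted(r["local_port"] for r in rows
                  if r["proto"] == "TCP" and r["state"] == "LISTENING")


def flag_unexpected(rows: List[Dict], allowed=ALLOWED_LISTENERS) -> List[int]:
    """LISTENING ports the allowlist does not explain; these need a closer look."""
    return [p for p in listening_ports(rows) if p not in allowed]


def established_remotes(rows: List[Dict]) -> List[Tuple[str, Optional[int]]]:
    """(remote host, remote port) for ESTABLISHED rows: the outbound side of the check."""
    return [(r["remote_host"], r["remote_port"])
            for r in rows if r["state"] == "ESTABLISHED"]


if __name__ == "__main__":
    rows = parse_netstat(SAMPLE_NETSTAT)
    for port in listening_ports(rows):
        why = ALLOWED_LISTENERS.get(port, "UNEXPLAINED: identify the owning program")
        print(f"TCP {port:>5} LISTENING  {why}")
    print("Established connections:", established_remotes(rows))
```

On the constructed sample this prints 5000 and 1025 as explained and 12345 as unexplained. One caveat for Windows 9x/Me: its netstat has no option to show which program owns a socket, so an unexplained LISTENING port still has to be tied to a process with a separate tool before deciding whether it is a problem.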