Annoyances.org
trojan? remote access??
Windows Me Annoyances Discussion Forum


trojan? remote access??
Tuesday, December 2, 2003 at 6:40 am
Posted by allegro (2 messages posted)

This sucks. I think I'm being hacked/accessed.
Here's my hijackthis log:

StartupList report, 12/2/2003, 6:41:44 AM
StartupList version: 1.52
Started from : C:\WINDOWS\DESKTOP\HIJACKTHIS1.9.7.EXE
Detected: Windows ME (Win9x 4.90.3000)
Detected: Internet Explorer v6.00 SP1 (6.00.2800.1106)
* Using default options
* Showing rarely important sections
==================================================

Running processes:

C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\SSDPSRV.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\HIDSERV.EXE
C:\WINDOWS\SYSTEM\HPSYSDRV.EXE
C:\PROGRAM FILES\THUNT\THGUARD.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\RunDLL.exe
C:\WINDOWS\SYSTEM\RESTORE\STMGR.EXE
C:\WINDOWS\WINHLP32.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\PROGRAM FILES\THUNT\TOOLS\AUTOSTART EXPLORER\AUTOSTARTEXPLORER.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\AMERICA ONLINE 9.0\WAOL.EXE
C:\PROGRAM FILES\AMERICA ONLINE 9.0\SHELLMON.EXE
C:\PROGRAM FILES\COMMON FILES\AOL\ACS\ACSD.EXE
C:\PROGRAM FILES\THUNT\TROJANHUNTER.EXE
C:\PROGRAM FILES\THUNT\TOOLS\PROCESS VIEWER\PROCESSVIEWER.EXE
C:\WINDOWS\DESKTOP\HIJACKTHIS1.9.7.EXE
C:\WINDOWS\NOTEPAD.EXE

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

ScanRegistry = C:\WINDOWS\scanregw.exe /autorun
TaskMonitor = C:\WINDOWS\taskmon.exe
SystemTray = SysTray.Exe
LoadPowerProfile = Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
Hidserv = Hidserv.exe run
HPScanPatch = C:\WINDOWS\SYSTEM\HPScanFix.exe
hpsysdrv = c:\windows\system\hpsysdrv.exe
Delay = C:\WINDOWS\delayrun.exe
THGuard = "C:\PROGRAM FILES\THUNT\THGUARD.EXE"

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices

LoadPowerProfile = Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
SchedulingAgent = mstask.exe
*StateMgr = C:\WINDOWS\System\Restore\StateMgr.exe
SSDPSRV = C:\WINDOWS\SYSTEM\ssdpsrv.exe

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

Taskbar Display Controls = RunDLL deskcp16.dll,QUICKRES_RUNDLLENTRY

--------------------------------------------------

Enumerating Active Setup stub paths:
HKLM\Software\Microsoft\Active Setup\Installed Components
(* = disabled by HKCU twin)

[{89820200-ECBD-11cf-8B85-00AA005B4395}] *
StubPath = regsvr32.exe /s /n /i:U shell32.dll

[>PerUser_MSN_Clean] *
StubPath = C:\WINDOWS\msnmgsr1.exe

[PerUser_LinkBar_URLs] *
StubPath = C:\WINDOWS\COMMAND\sulfnbk.exe /L

[{9EF0045A-CDD9-438e-95E6-02B9AFEC8E11}] *
StubPath = C:\WINDOWS\SYSTEM\updcrl.exe -e -u C:\WINDOWS\SYSTEM\verisignpub1.crl

[{89820200-ECBD-11cf-8B85-00AA005B4383}] *
StubPath = C:\WINDOWS\SYSTEM\ie4uinit.exe

--------------------------------------------------

Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:

Shell=Explorer.exe
SCRNSAVE.EXE=
drivers=mmsystem.dll power.drv

--------------------------------------------------

Checking for EXPLORER.EXE instances:

C:\WINDOWS\Explorer.exe: PRESENT!

C:\Explorer.exe: not present
C:\WINDOWS\Explorer\Explorer.exe: not present
C:\WINDOWS\System\Explorer.exe: not present
C:\WINDOWS\System32\Explorer.exe: not present
C:\WINDOWS\Command\Explorer.exe: not present
C:\WINDOWS\Fonts\Explorer.exe: not present

--------------------------------------------------

C:\WINDOWS\WININIT.BAK listing:
(Created 26/11/2003, 18:6:40)

[rename]
C:\WINDOWS\SYSTEM\ssdpapi.dll=C:\WINDOWS\SYSTEM\ssdpapi.001
C:\WINDOWS\SYSTEM\ssdpsrv.exe=C:\WINDOWS\SYSTEM\ssdpsrv.001
C:\WINDOWS\SYSTEM\upnp.dll=C:\WINDOWS\SYSTEM\upnp.001

--------------------------------------------------

C:\AUTOEXEC.BAT listing:

SET windir=C:\WINDOWS
SET winbootdir=C:\WINDOWS
SET COMSPEC=C:\WINDOWS\COMMAND.COM
SET PATH=C:\WINDOWS;C:\WINDOWS\COMMAND
SET PROMPT=$p$g
SET TEMP=C:\WINDOWS\TEMP
SET TMP=C:\WINDOWS\TEMP

--------------------------------------------------

C:\WINDOWS\DOSSTART.BAT listing:

mscdex.exe /d:IDECD000 /L:M

--------------------------------------------------

Checking for superhidden extensions:

.lnk: HIDDEN! (arrow overlay: yes)
.pif: HIDDEN! (arrow overlay: yes)
.exe: not hidden
.com: not hidden
.bat: not hidden
.hta: not hidden
.scr: not hidden
.shs: HIDDEN!
.shb: HIDDEN!
.vbs: not hidden
.vbe: not hidden
.wsh: not hidden
.scf: HIDDEN! (arrow overlay: NO!)
.url: HIDDEN! (arrow overlay: yes)
.js: not hidden
.jse: not hidden

--------------------------------------------------

Enumerating Task Scheduler jobs:

PCHealth Scheduler for Data Collection.job

--------------------------------------------------

Enumerating ShellServiceObjectDelayLoad items:

WebCheck: C:\WINDOWS\SYSTEM\WEBCHECK.DLL
UPnPMonitor: C:\WINDOWS\SYSTEM\UPNPUI.DLL

--------------------------------------------------
End of report, 5,906 bytes
Report generated in 0.046 seconds

Command line options:
 /verbose - to add additional info on each section
 /complete - to include empty sections and unsuspicious data
 /full - to include several rarely-important sections
 /force9x - to include Win9x-only startups even if running on WinNT
 /forcent - to include WinNT-only startups even if running on Win9x
 /forceall - to include all Win9x and WinNT startups, regardless of platform
 /history - to list version history only


re: trojan? remote access??
Tuesday, December 2, 2003 at 7:02 am
Posted by worm (792 messages posted)

Hi Allegro,

There is nothing in your post that indicates cause for concern. Anybody disagree?

You could consider uninstalling Universal Plug & Play because that holds Port #5000 open, but it's a legitimate Windows application and nothing to be concerned about. To uninstall it, do this:
1. Go to Start > Settings > Control Panel > Add/Remove Programs > Windows Setup (tab).
2. Scroll down to "Communications" and click that word. Make sure you don't remove the checkmark to the left of it.
3. Click the "Details" button and then scroll down to "Universal Plug & Play" and remove the checkmark there. Click Apply/OK. Reboot if necessary.

If you're worried about outbound connections, go to Start > Run > type command and click OK.
At the C:\Windows\Desktop prompt, type NETSTAT -AN
Any port listed with a "LISTENING" state is something to be concerned about with the exception of Port #1025 if you've got a firewall called Zone Alarm Pro installed.




re: trojan? remote access??
Tuesday, December 2, 2003 at 7:36 am
Posted by allegro (2 messages posted)

I have the following ports listening and connections established. It seems screwed up. I am using AOL on their broadband/dsl dialup. Does that matter?

TCP    0.0.0.0:1808           0.0.0.0:0              LISTENING
TCP    0.0.0.0:1847           0.0.0.0:0              LISTENING
TCP    0.0.0.0:5000           0.0.0.0:0              LISTENING
TCP    0.0.0.0:1787           0.0.0.0:0              LISTENING
TCP    172.XXX.XXX.XXX:1847   64.125.XXX.XXX:80      ESTABLISHED
TCP    172.XXX.XXX.XXX  0.0.0.0:0              LISTENING
TCP    172.194.244.221:1694   0.0.0.0:0              LISTENING
TCP    172.XXX.XXX.XXX:1694   64.12.X.XX:13784       ESTABLISHED
TCP    172.XXX.XXX.XXX:1787   64.125.138.190:7514    ESTABLISHED
UDP    0.0.0.0:68             *:*
UDP    127.0.0.1:1696         *:*
UDP    127.0.0.1:1699         *:*
UDP    172.XXX.XXX.XXX:1900   *:*
UDP    172.XXX.XXX.XXX:137    *:*
UDP    172.XXX.XXX.XXX:138    *:*








re: trojan? remote access??
Tuesday, December 2, 2003 at 9:25 am
Posted by worm (792 messages posted)

Hi Allegro,

I think you should be concerned about this:

TCP    172.XXX.XXX.XXX:1787   64.125.138.190:7514    ESTABLISHED

The IP address 64.125.138.190 belongs to www.gay.com. Port #7514 is used by a spamming program called "Backdoor.jeem". More info HERE
This doesn't mean that you've got that installed on your system, but your machine may possibly be acting as an "Open Relay". This means that you are unknowingly acting as a server to bounce SPAM to other users throughout the world. To find out whether that's the case or not, the best thing you can do is to test it HERE
Theoretically AOL should be filtering it and the IP address that starts with 172.XXX belongs to AOL. I think it would be in your interests to contact AOL and report these incidents.


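A small triage script for the NETSTAT -AN listing discussed above, added here as an example and not part of any post in the thread: it parses the output, flags TCP listeners bound to all interfaces, rates the established connection to port 7514 that worm points at, and tolerates the port-less line in allegro's paste. The labels for ports 5000, 1900 and 7514 come from the thread (7514 is worm's claim); the remaining port labels are assumed standard service assignments.

```python
import re

# Ports the thread discusses (5000 UPnP, 1900 SSDP, 7514 per worm's claim); the other labels are assumed standard assignments.
PORT_NOTES = {
    5000: "UPnP listener (Windows ME; thread gives uninstall steps)",
    1900: "SSDP/UPnP discovery", 80: "HTTP", 68: "DHCP client",
    137: "NetBIOS name service", 138: "NetBIOS datagram",
    7514: "port the thread associates with Backdoor.jeem spam relaying",
}
LINE_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)(?:\s+(\S+))?\s*$")

def split_endpoint(ep):
    """'host:port' -> (host, port|None); handles '*:*' and a port-less host."""
    host, sep, port = ep.rpartition(":")
    if not sep:                      # the damaged '172.XXX.XXX.XXX' line in the post
        return ep, None
    return host, (int(port) if port.isdigit() else None)

def parse_netstat(text):
    """Parse `netstat -an` lines into dicts; header and blank lines are skipped."""
    socks = []
    for m in filter(None, map(LINE_RE.match, text.splitlines())):
        proto, local, remote, state = m.groups()
        (lh, lp), (rh, rp) = split_endpoint(local), split_endpoint(remote)
        socks.append(dict(proto=proto, lhost=lh, lport=lp, rhost=rh, rport=rp,
                          state=state or ""))
    return socks

def triage(socks):
    """Return (severity, message) findings, highest severity first."""
    out = []
    for s in socks:
        if s["proto"] == "TCP" and s["state"] == "LISTENING":
            scope = "all interfaces" if s["lhost"] == "0.0.0.0" else s["lhost"]
            note = PORT_NOTES.get(s["lport"])        # None for unknown or missing port
            out.append(("info" if note else "review",
                        f"TCP listener on {scope}, port {s['lport'] or '?'}: {note or 'unknown purpose'}"))
        elif s["proto"] == "TCP" and s["state"] == "ESTABLISHED":
            note = PORT_NOTES.get(s["rport"])
            sev = "high" if s["rport"] == 7514 else ("info" if note else "review")
            out.append((sev, f"outbound to {s['rhost']}:{s['rport']}: {note or 'unlisted port'}"))
        elif s["proto"] == "UDP" and s["lport"] in (137, 138, 1900):
            out.append(("review", f"UDP {s['lport']} bound on {s['lhost']}: {PORT_NOTES[s['lport']]}"))
    return sorted(out, key=lambda f: {"high": 0, "review": 1, "info": 2}[f[0]])

# Constructed sample: a subset of the lines allegro posted, XXX masking as posted.
SAMPLE = """\
TCP    0.0.0.0:5000           0.0.0.0:0              LISTENING
TCP    0.0.0.0:1787           0.0.0.0:0              LISTENING
TCP    172.XXX.XXX.XXX  0.0.0.0:0              LISTENING
TCP    172.XXX.XXX.XXX:1847   64.125.XXX.XXX:80      ESTABLISHED
TCP    172.XXX.XXX.XXX:1787   64.125.138.190:7514    ESTABLISHED
UDP    172.XXX.XXX.XXX:1900   *:*
"""
```

Running `triage(parse_netstat(SAMPLE))` puts the 7514 connection first, then the unexplained listeners and the SSDP socket, and leaves the UPnP listener and the HTTP connection as informational.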

re: trojan? remote access??
Tuesday, December 2, 2003 at 10:50 am
Posted by Jack Gulley (5917 messages posted)

A few of the Windows ME modules can also be cleaned out to reduce problems. See: Windows ME Fixes

There are some good links to check your system: GRC.com and PCFLANK.com



All content at Annoyances.org is Copyright © 1995-2008 Creative Element™. All rights reserved.