Inbound port 1463 IE question


pcb
September 2nd, 2003, 06:15 AM
Kerio firewall has been warning me persistently of this incoming:
"Someone from 159.153.229.107, port 20 wants to connect to port 1463 owned by 'Internet Explorer' on your computer".
Is this a legitimate request?
When I deny it access, the cursor turns into the busy hourglass, and I have to quit.

I have another issue which I feel may be related:

www.searching.net is asking, on a regular basis, to be set up as my Homepage (though only when I use IE; I mostly use Opera & MYIE2, which are not affected by this).

Does anyone know how to get rid of this pesky invader?

Here is my Hijack This log, if needed (every item is, I think, legitimate, apart from the first entry)

Logfile of HijackThis v1.94.0
Scan saved at 09:39:19, on 02/09/03
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page=c:\windows\SYSTEM\blank.htm
O2 - BHO: (no name) - {FFFFFEF0-5B30-21D4-945D-000000000000} - C:\PROGRA~1\STARDO~1\SDIEINT.DLL
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\windows\googletoolbar_en_2.0.95-deleon.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\windows\googletoolbar_en_2.0.95-deleon.dll
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [Microsoft IntelliType Pro] "C:\Program Files\Microsoft Hardware\Keyboard\speedkey.exe"
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\GRISOFT\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\RunServices: [Avgserv9.exe] C:\PROGRA~1\GRISOFT\AVG6\Avgserv9.exe
O4 - HKCU\..\Run: [Taskbar Executive] c:\program files\hace\taskbar executive\ttMan.exe
O4 - HKCU\..\Run: [WinEjectAutoStart1] C:\PROGRAM FILES\WINEJECT\WINEJECT.EXE -instance:1
O4 - HKCU\..\Run: [Invisible! 2001] "C:\PROGRAM FILES\MINDBEAT\INVISIBLE! 2001\INVISIBLE.EXE"
O4 - HKCU\..\Run: [Clipboard Buddy] C:\PROGRA~1\CLIPBO~1\CLIPBO~1.EXE
O4 - Startup: 1st Clock.lnk = C:\Program Files\1stClock\1STCLOCK.EXE
O8 - Extra context menu item: Download with Star Downloader - C:\PROGRAM FILES\STAR DOWNLOADER\sdie.htm
O8 - Extra context menu item: Add to Ad Hunter - res://C:\PROGRAM FILES\MYIE2\MyIE.exe/blacklist.htm
O8 - Extra context menu item: &Google Search - res://C:\WINDOWS\GOOGLETOOLBAR_EN_2.0.95-DELEON.DLL/cmsearch.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\WINDOWS\GOOGLETOOLBAR_EN_2.0.95-DELEON.DLL/cmcache.html
O8 - Extra context menu item: Si&milar Pages - res://C:\WINDOWS\GOOGLETOOLBAR_EN_2.0.95-DELEON.DLL/cmsimilar.html
O8 - Extra context menu item: Backward &Links - res://C:\WINDOWS\GOOGLETOOLBAR_EN_2.0.95-DELEON.DLL/cmbacklinks.html
O8 - Extra context menu item: Translate Page - res://C:\WINDOWS\GOOGLETOOLBAR_EN_2.0.95-DELEON.DLL/cmtrans.html
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: iHarvest (HKLM)
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?37690.3541782407
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

I am using IE6.0.2800 and 98se.


Many thanks for any help.

PcB

Pieter_Arntz
September 2nd, 2003, 06:21 AM
Hi pcb,

Not that I expect to find much, but could you download a fresh copy of HijackThis (current version is 1.96.4) and post a new log?

Regards,

Pieter

pcb
September 2nd, 2003, 06:27 AM
wilco, Pieter

PcB

BlitzenZeus
September 2nd, 2003, 06:34 AM
What were you trying to do when this happened? If you were communicating with an FTP server at the time to download or upload a file, this could have been a legit communication.

The link would have started with ftp://

pcb
September 2nd, 2003, 06:39 AM
Sorry I took a bit of time, Pieter, but I noticed a program from Javacool: Browser Hijack Blaster. Do you know anything about it? Is it worth me using it? It would appear to be just what I need.

Here is the new log (I notice the extra entries: running processes):

Logfile of HijackThis v1.96.4
Scan saved at 11:32:36, on 02/09/03
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\PROGRAM FILES\GRISOFT\AVG6\AVGSERV9.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\MICROSOFT HARDWARE\KEYBOARD\SPEEDKEY.EXE
C:\PROGRAM FILES\MICROSOFT HARDWARE\MOUSE\POINT32.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\PROGRAM FILES\GRISOFT\AVG6\AVGCC32.EXE
C:\PROGRAM FILES\HACE\TASKBAR EXECUTIVE\TTMAN.EXE
C:\PROGRAM FILES\WINEJECT\WINEJECT.EXE
C:\PROGRAM FILES\MINDBEAT\INVISIBLE! 2001\INVISIBLE.EXE
C:\PROGRAM FILES\CLIPBOARD BUDDY\CLIPBOARD BUDDY.EXE
C:\PROGRAM FILES\1STCLOCK\1STCLOCK.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\KERIO\PERSONAL FIREWALL\PERSFW.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\PROGRAM FILES\GPSOFTWARE\DIRECTORY OPUS\DOPUS.EXE
C:\PROGRAM FILES\ACCESSORIES\WORDPAD.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\WINDOWS\NOTEPAD.EXE
C:\WINDOWS\NOTEPAD.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\CIDIAL-MANUALLY INSTALLED\CIDIAL.EXE
C:\PROGRAM FILES\OUTLOOK EXPRESS\MSIMN.EXE
C:\PROGRAM FILES\MYIE2\MYIE.EXE
C:\WINDOWS\DESKTOP\HIJACKTHIS\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = http://www.meshcopmputers.com/
O2 - BHO: (no name) - {FFFFFEF0-5B30-21D4-945D-000000000000} - C:\PROGRA~1\STARDO~1\SDIEINT.DLL
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\windows\googletoolbar_en_2.0.95-deleon.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\windows\googletoolbar_en_2.0.95-deleon.dll
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [Microsoft IntelliType Pro] "C:\Program Files\Microsoft Hardware\Keyboard\speedkey.exe"
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\GRISOFT\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\RunServices: [Avgserv9.exe] C:\PROGRA~1\GRISOFT\AVG6\Avgserv9.exe
O4 - HKCU\..\Run: [Taskbar Executive] c:\program files\hace\taskbar executive\ttMan.exe
O4 - HKCU\..\Run: [WinEjectAutoStart1] C:\PROGRAM FILES\WINEJECT\WINEJECT.EXE -instance:1
O4 - HKCU\..\Run: [Invisible! 2001] "C:\PROGRAM FILES\MINDBEAT\INVISIBLE! 2001\INVISIBLE.EXE"
O4 - HKCU\..\Run: [Clipboard Buddy] C:\PROGRA~1\CLIPBO~1\CLIPBO~1.EXE
O4 - Startup: 1st Clock.lnk = C:\Program Files\1stClock\1STCLOCK.EXE
O8 - Extra context menu item: Download with Star Downloader - C:\PROGRAM FILES\STAR DOWNLOADER\sdie.htm
O8 - Extra context menu item: Add to Ad Hunter - res://C:\PROGRAM FILES\MYIE2\MyIE.exe/blacklist.htm
O8 - Extra context menu item: &Google Search - res://C:\WINDOWS\GOOGLETOOLBAR_EN_2.0.95-DELEON.DLL/cmsearch.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\WINDOWS\GOOGLETOOLBAR_EN_2.0.95-DELEON.DLL/cmcache.html
O8 - Extra context menu item: Si&milar Pages - res://C:\WINDOWS\GOOGLETOOLBAR_EN_2.0.95-DELEON.DLL/cmsimilar.html
O8 - Extra context menu item: Backward &Links - res://C:\WINDOWS\GOOGLETOOLBAR_EN_2.0.95-DELEON.DLL/cmbacklinks.html
O8 - Extra context menu item: Translate Page - res://C:\WINDOWS\GOOGLETOOLBAR_EN_2.0.95-DELEON.DLL/cmtrans.html
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: iHarvest (HKLM)
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?37690.3541782407
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

Pieter_Arntz
September 2nd, 2003, 06:41 AM
Trying whois -h whois.arin.net 159.153.229.107
OrgName:    Electronic Arts, Inc.
OrgID:      ELECTR-60
Address:    209 Redwood Shores Parkway
City:       Redwood City
StateProv:  CA
PostalCode: 94065
Country:    US
NetRange:   159.153.0.0 - 159.153.255.255
CIDR:       159.153.0.0/16
NetName:    EA
NetHandle:  NET-159-153-0-0-1
Parent:     NET-159-0-0-0-0
NetType:    Direct Assignment
NameServer: SEDNS.EA.COM
NameServer: SWDNS.EA.COM
Comment:
RegDate:    1992-04-29
Updated:    2001-06-12

Ring any bells?
Online game or something similar?

Regards,

Pieter
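
As an added example (not code from the thread), a short Python triage of the alert text quoted above: it parses the Kerio message, checks for the active-mode FTP pattern BlitzenZeus describes (server connecting back from port 20 to a high client port), and confirms the source address sits inside the NetRange/CIDR that the ARIN whois returned. The regular expression for the alert wording is an assumption based on the single message quoted in the thread.

```python
import ipaddress
import re

# Constructed sample input: the alert text and the ARIN CIDR, both as quoted
# in the thread (not captured from a live firewall).
ALERT = ("Someone from 159.153.229.107, port 20 wants to connect to "
         "port 1463 owned by 'Internet Explorer' on your computer")
WHOIS_CIDR = "159.153.0.0/16"   # EA's allocation per whois.arin.net
FTP_DATA_PORT = 20              # source port of an active-mode FTP data connection

# Assumed alert wording; adjust if the firewall phrases its messages differently.
ALERT_RE = re.compile(
    r"from (?P<src_ip>\d{1,3}(?:\.\d{1,3}){3}), port (?P<src_port>\d+) "
    r"wants to connect to port (?P<dst_port>\d+) owned by '(?P<app>[^']+)'")


def parse_alert(text):
    """Extract source IP/port, destination port and owning app from an alert."""
    m = ALERT_RE.search(text)
    if not m:
        raise ValueError("unrecognised alert format")
    d = m.groupdict()
    d["src_port"] = int(d["src_port"])
    d["dst_port"] = int(d["dst_port"])
    return d


def looks_like_active_ftp_data(alert):
    """Active-mode FTP: the server opens the data connection from port 20 back
    to an ephemeral (>1023) client port that the client announced via PORT."""
    return alert["src_port"] == FTP_DATA_PORT and alert["dst_port"] > 1023


def source_in_whois_range(alert, cidr):
    """Check that the alert's source address lies in the block whois reported."""
    return ipaddress.ip_address(alert["src_ip"]) in ipaddress.ip_network(cidr)


def triage(text, cidr):
    """Combine the checks into a small verdict dict for the analyst."""
    a = parse_alert(text)
    return {
        "app": a["app"],
        "active_ftp_pattern": looks_like_active_ftp_data(a),
        "in_whois_range": source_in_whois_range(a, cidr),
    }


if __name__ == "__main__":
    print(triage(ALERT, WHOIS_CIDR))
```

Both checks coming back true is consistent with a stalled FTP download (an EA patch, as later confirmed in the thread) rather than an unsolicited probe; either being false would argue for keeping the block in place.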

Pieter_Arntz
September 2nd, 2003, 06:52 AM
Hi pcb,

Going over your log, this is the only one I can't quite get my finger on:
O4 - Startup: 1st Clock.lnk = C:\Program Files\1stClock\1STCLOCK.EXE
Do you know what it's for?

Instead of BrowserHijackBlaster I would recommend SpywareGuard: http://www.wilderssecurity.net/spywareguard.html (also by Javacool)
It has BHB's browser hijack protection built-in.

Regards,

Pieter

pcb
September 2nd, 2003, 06:53 AM
BlitzenZeus,

Not today I wasn't. I've just opened up IE again (I'm using MYIE2) and my homepage (Google) was displayed. As soon as I clicked on the address drop-down to choose another visited site, the cursor switched straight away to the hourglass, and Kerio popped up again with the same alert as before.

I expect deleting the list will cure the problem, but maybe only temporarily?

Thanks for your input,

PcB

pcb
September 2nd, 2003, 07:23 AM
Pieter,

1stclock.exe is my taskbar clock replacement.

I have SpywareBlaster already (it does a marvellous job); Spybot S&D has come up with nothing ever since I installed it. I used to be inundated!

As for your whois search: yesterday my son was trying to download a patch for an EA game; he had problems with the download.

Funny, I did a search for that IP address on the RIPE Whois, and it came up with nothing!
Maybe I just don't know how to do a proper search; I've only ever done one before.

I've zapped the IE typed URL list and, as I thought it would, the problem disappeared.
But I still don't know what caused it! I would still like to know, so as to be forewarned in case of a repeat.

I really appreciate your help with this, Pieter,

PcB

Pieter_Arntz
September 2nd, 2003, 07:33 AM
Hi pcb,

Mind you, SpywareBlaster and SpywareGuard are quite different and meant to complement each other.

You may like this site for your future Whois searches: http://www.samspade.org/

Clear out your temp folders as well, since there might be something in there waiting for the rest of the EA patch.

Regards,

Pieter

pcb
September 2nd, 2003, 08:21 AM
Pieter,

I've just tried Samspade.org, and straight away found out how to search for an IP address; it has a dedicated search box. I have bookmarked the site.
Ripe doesn't!

Regarding the Temp folder: I have never known whether you can delete the various sub-folders (e.g. -ISTMP1.DIR) in the Temp folder. These are presumably created by program installation procedures.
Since I now have an expert's attention, please would you clarify this for me?
Can everything be safely deleted?

Once again my thanks for your help,

PcB

Pieter_Arntz
September 2nd, 2003, 08:34 AM
The temp folder is supposed to hold only, as the name promises, temporary files. Some malware writers may think otherwise. ;)
Anything in there should be safe to delete. What I always do when I'm not sure: I keep the removed files in the recycle bin for a few days, until I can be sure that no problems arise, and then give them the last goodbye.

Regards,

Pieter

pcb
September 2nd, 2003, 08:47 AM
That's what I had always figured, but I remember hearing otherwise when I first got into computing (not too long ago).
And when you delete through Windows Disk Cleanup, by no means are all the files/folders deleted.

I've got by, so far, but it's good to be in the know! ;)

Cheers,

PcB

phil-s
September 24th, 2003, 11:38 AM
1stclock is a systray clock replacement with a built-in calendar and NTP time sync. I've been running it for over a year without any problems.
- Phil S.