Inbound port 1463 IE question

Discussion in 'other firewalls' started by pcb, Sep 2, 2003.

Thread Status:
Not open for further replies.
  1. pcb

    pcb Registered Member

    Joined:
    Jun 6, 2003
    Posts:
    27
    Kerio firewall has been warning me persistently of this incoming:
    "Someone from 159.153.229.107, port 20 wants to connect to port 1463 owned by 'Internet Explorer' on your computer".
    Is this a legitimate request?
    When I deny it access, the cursor turns into the busy hourglass, and I have to quit.

    I have another issue which I feel may be related:

    www.searching.net is asking, on a regular basis, to be set up as my Homepage (though only when I use IE; I mostly use Opera & MYIE2, which are not affected by this).

    Does anyone know how to get rid of this pesky invader?

    Here is my Hijack This log, if needed (every item is, I think, legitimate, apart from the first entry)

    Logfile of HijackThis v1.94.0
    Scan saved at 09:39:19, on 02/09/03
    Platform: Windows 98 SE (Win9x 4.10.2222A)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page=c:\windows\SYSTEM\blank.htm
    O2 - BHO: (no name) - {FFFFFEF0-5B30-21D4-945D-000000000000} - C:\PROGRA~1\STARDO~1\SDIEINT.DLL
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
    O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\windows\googletoolbar_en_2.0.95-deleon.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\windows\googletoolbar_en_2.0.95-deleon.dll
    O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
    O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\Run: [Microsoft IntelliType Pro] "C:\Program Files\Microsoft Hardware\Keyboard\speedkey.exe"
    O4 - HKLM\..\Run: [POINTER] point32.exe
    O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
    O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\GRISOFT\AVG6\avgcc32.exe /STARTUP
    O4 - HKLM\..\RunServices: [Avgserv9.exe] C:\PROGRA~1\GRISOFT\AVG6\Avgserv9.exe
    O4 - HKCU\..\Run: [Taskbar Executive] c:\program files\hace\taskbar executive\ttMan.exe
    O4 - HKCU\..\Run: [WinEjectAutoStart1] C:\PROGRAM FILES\WINEJECT\WINEJECT.EXE -instance:1
    O4 - HKCU\..\Run: [Invisible! 2001] "C:\PROGRAM FILES\MINDBEAT\INVISIBLE! 2001\INVISIBLE.EXE"
    O4 - HKCU\..\Run: [Clipboard Buddy] C:\PROGRA~1\CLIPBO~1\CLIPBO~1.EXE
    O4 - Startup: 1st Clock.lnk = C:\Program Files\1stClock\1STCLOCK.EXE
    O8 - Extra context menu item: Download with Star Downloader - C:\PROGRAM FILES\STAR DOWNLOADER\sdie.htm
    O8 - Extra context menu item: Add to Ad Hunter - res://C:\PROGRAM FILES\MYIE2\MyIE.exe/blacklist.htm
    O8 - Extra context menu item: &Google Search - res://C:\WINDOWS\GOOGLETOOLBAR_EN_2.0.95-DELEON.DLL/cmsearch.html
    O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\WINDOWS\GOOGLETOOLBAR_EN_2.0.95-DELEON.DLL/cmcache.html
    O8 - Extra context menu item: Si&milar Pages - res://C:\WINDOWS\GOOGLETOOLBAR_EN_2.0.95-DELEON.DLL/cmsimilar.html
    O8 - Extra context menu item: Backward &Links - res://C:\WINDOWS\GOOGLETOOLBAR_EN_2.0.95-DELEON.DLL/cmbacklinks.html
    O8 - Extra context menu item: Translate Page - res://C:\WINDOWS\GOOGLETOOLBAR_EN_2.0.95-DELEON.DLL/cmtrans.html
    O9 - Extra button: Related (HKLM)
    O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
    O9 - Extra button: iHarvest (HKLM)
    O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
    O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?37690.3541782407
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

    I am using IE6.0.2800 and 98se.


    Many thanks for any help.

    PcB
     
  2. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,491
    Location:
    Netherlands
    Hi pcb,

    Not that I expect to find much, but could you download a fresh copy of HijackThis (current version is 1.96.4) and post a new log?

    Regards,

    Pieter
     
  3. pcb

    pcb Registered Member

    Joined:
    Jun 6, 2003
    Posts:
    27
    wilco, Pieter

    PcB
     
  4. BlitzenZeus

    BlitzenZeus Security Expert

    Joined:
    Feb 11, 2002
    Posts:
    451
    Location:
    Oregon, USA
    What were you trying to do when this happened? If you were communicating with an FTP server at the time to download or upload a file, this could have been a legitimate communication.

    The link would have started with ftp://
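    Added example (not from the thread, from Kerio or from BlitzenZeus): a small Python script that parses the alert text quoted above, shows the PORT argument an FTP client advertises for a local port such as 1463, and classifies the hit the way the reply above suggests, by checking for a control session to port 21 on the same host. The connection table, the 10.0.0.5 client address and the second remote host are assumptions made up for the example.

    ```python
    import re
    from ipaddress import ip_address

    # Constructed sample: the Kerio Personal Firewall alert quoted in the thread.
    SAMPLE_ALERT = ("Someone from 159.153.229.107, port 20 wants to connect to "
                    "port 1463 owned by 'Internet Explorer' on your computer")

    # Constructed sample of what a firewall's connection table might hold when
    # the alert fires: (local port, remote IP, remote port).  The first entry is
    # an FTP control session to the same host the alert names; these values are
    # assumptions, not taken from the thread.
    SAMPLE_CONNECTIONS = [
        (1462, "159.153.229.107", 21),
        (1101, "192.0.2.10", 80),
    ]

    ALERT_RE = re.compile(
        r"Someone from (?P<src>[\d.]+), port (?P<sport>\d+) wants to connect to "
        r"port (?P<dport>\d+) owned by '(?P<owner>[^']+)'"
    )


    def parse_alert(text):
        """Pull remote IP/port, local port and owning process out of the alert text."""
        m = ALERT_RE.search(text)
        if m is None:
            raise ValueError("not a Kerio inbound-connection alert")
        return {
            "src": str(ip_address(m["src"])),   # raises on a malformed address
            "sport": int(m["sport"]),
            "dport": int(m["dport"]),
            "owner": m["owner"],
        }


    def port_argument(local_ip, local_port):
        """Argument of the FTP PORT command (RFC 959) a client sends before an
        active-mode transfer: its four address octets, then the listening port as
        high byte and low byte.  Port 1463 is announced as 5,183 (5*256 + 183);
        the server then connects from its port 20 to that port."""
        return ",".join(local_ip.split(".") + [str(local_port >> 8), str(local_port & 0xFF)])


    def explain(alert, connections):
        """Classify an inbound hit.  Source port 20 by itself is only a hint, since
        a remote host can pick any source port it likes; what makes the data
        connection legitimate is an existing control session from this machine to
        port 21 on the same remote host."""
        has_control = any(rip == alert["src"] and rport == 21
                          for _, rip, rport in connections)
        if alert["sport"] == 20 and alert["dport"] >= 1024 and has_control:
            return "active-ftp-data"            # server port 20 -> our PORT-advertised port
        if alert["sport"] == 20:
            return "port-20-without-control"    # FTP-shaped, but nothing on this side asked for it
        return "unsolicited-inbound"


    if __name__ == "__main__":
        alert = parse_alert(SAMPLE_ALERT)
        print(alert)
        print("PORT", port_argument("10.0.0.5", alert["dport"]))
        print(explain(alert, SAMPLE_CONNECTIONS), "/", explain(alert, []))
    ```

    The "owned by 'Internet Explorer'" part of the alert only names whichever process holds the local listening socket, which is consistent with IE handling an ftp:// download; the firewall cannot tell from the source port alone whether the server was invited, hence the control-session check.
    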
     
  5. pcb

    pcb Registered Member

    Joined:
    Jun 6, 2003
    Posts:
    27
    Sorry I took a bit of time, Pieter, but I noticed a program from Javacool: Browser Hijack Blaster. Do you know anything about it? Is it worth me using it? It would appear to be just what I need.

    Here is the new Log (I notice the extra entries..running processes):

    Logfile of HijackThis v1.96.4
    Scan saved at 11:32:36, on 02/09/03
    Platform: Windows 98 SE (Win9x 4.10.2222A)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\PROGRAM FILES\GRISOFT\AVG6\AVGSERV9.EXE
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\TASKMON.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\PROGRAM FILES\MICROSOFT HARDWARE\KEYBOARD\SPEEDKEY.EXE
    C:\PROGRAM FILES\MICROSOFT HARDWARE\MOUSE\POINT32.EXE
    C:\WINDOWS\SYSTEM\STIMON.EXE
    C:\PROGRAM FILES\GRISOFT\AVG6\AVGCC32.EXE
    C:\PROGRAM FILES\HACE\TASKBAR EXECUTIVE\TTMAN.EXE
    C:\PROGRAM FILES\WINEJECT\WINEJECT.EXE
    C:\PROGRAM FILES\MINDBEAT\INVISIBLE! 2001\INVISIBLE.EXE
    C:\PROGRAM FILES\CLIPBOARD BUDDY\CLIPBOARD BUDDY.EXE
    C:\PROGRAM FILES\1STCLOCK\1STCLOCK.EXE
    C:\WINDOWS\SYSTEM\WMIEXE.EXE
    C:\PROGRAM FILES\KERIO\PERSONAL FIREWALL\PERSFW.EXE
    C:\WINDOWS\SYSTEM\SPOOL32.EXE
    C:\WINDOWS\SYSTEM\PSTORES.EXE
    C:\PROGRAM FILES\GPSOFTWARE\DIRECTORY OPUS\DOPUS.EXE
    C:\PROGRAM FILES\ACCESSORIES\WORDPAD.EXE
    C:\WINDOWS\SYSTEM\TAPISRV.EXE
    C:\WINDOWS\NOTEPAD.EXE
    C:\WINDOWS\NOTEPAD.EXE
    C:\WINDOWS\SYSTEM\RNAAPP.EXE
    C:\WINDOWS\SYSTEM\DDHELP.EXE
    C:\PROGRAM FILES\CIDIAL-MANUALLY INSTALLED\CIDIAL.EXE
    C:\PROGRAM FILES\OUTLOOK EXPRESS\MSIMN.EXE
    C:\PROGRAM FILES\MYIE2\MYIE.EXE
    C:\WINDOWS\DESKTOP\HIJACKTHIS\HIJACKTHIS.EXE

    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = http://www.meshcopmputers.com/
    O2 - BHO: (no name) - {FFFFFEF0-5B30-21D4-945D-000000000000} - C:\PROGRA~1\STARDO~1\SDIEINT.DLL
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
    O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\windows\googletoolbar_en_2.0.95-deleon.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\windows\googletoolbar_en_2.0.95-deleon.dll
    O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
    O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\Run: [Microsoft IntelliType Pro] "C:\Program Files\Microsoft Hardware\Keyboard\speedkey.exe"
    O4 - HKLM\..\Run: [POINTER] point32.exe
    O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
    O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\GRISOFT\AVG6\avgcc32.exe /STARTUP
    O4 - HKLM\..\RunServices: [Avgserv9.exe] C:\PROGRA~1\GRISOFT\AVG6\Avgserv9.exe
    O4 - HKCU\..\Run: [Taskbar Executive] c:\program files\hace\taskbar executive\ttMan.exe
    O4 - HKCU\..\Run: [WinEjectAutoStart1] C:\PROGRAM FILES\WINEJECT\WINEJECT.EXE -instance:1
    O4 - HKCU\..\Run: [Invisible! 2001] "C:\PROGRAM FILES\MINDBEAT\INVISIBLE! 2001\INVISIBLE.EXE"
    O4 - HKCU\..\Run: [Clipboard Buddy] C:\PROGRA~1\CLIPBO~1\CLIPBO~1.EXE
    O4 - Startup: 1st Clock.lnk = C:\Program Files\1stClock\1STCLOCK.EXE
    O8 - Extra context menu item: Download with Star Downloader - C:\PROGRAM FILES\STAR DOWNLOADER\sdie.htm
    O8 - Extra context menu item: Add to Ad Hunter - res://C:\PROGRAM FILES\MYIE2\MyIE.exe/blacklist.htm
    O8 - Extra context menu item: &Google Search - res://C:\WINDOWS\GOOGLETOOLBAR_EN_2.0.95-DELEON.DLL/cmsearch.html
    O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\WINDOWS\GOOGLETOOLBAR_EN_2.0.95-DELEON.DLL/cmcache.html
    O8 - Extra context menu item: Si&milar Pages - res://C:\WINDOWS\GOOGLETOOLBAR_EN_2.0.95-DELEON.DLL/cmsimilar.html
    O8 - Extra context menu item: Backward &Links - res://C:\WINDOWS\GOOGLETOOLBAR_EN_2.0.95-DELEON.DLL/cmbacklinks.html
    O8 - Extra context menu item: Translate Page - res://C:\WINDOWS\GOOGLETOOLBAR_EN_2.0.95-DELEON.DLL/cmtrans.html
    O9 - Extra button: Related (HKLM)
    O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
    O9 - Extra button: iHarvest (HKLM)
    O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
    O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?37690.3541782407
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
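    Added example (not from the thread and not part of HijackThis): a Python parser for log lines in the shape above, with a few triage heuristics of the kind a reviewer applies by hand: ActiveX controls (O16) fetched from hosts outside a small allowlist, BHOs (O2) registered with no name, and autorun entries (O4) that launch from a Temp directory or give no path at all. The sample log is constructed from real lines of the log above plus one made-up O16 line (the example.invalid host); the allowlist is an assumption.

    ```python
    import re
    from urllib.parse import urlparse

    # Constructed sample in the shape of the log above: real lines from it plus
    # one made-up O16 line (the example.invalid host) so the triage has something
    # to flag.
    SAMPLE_LOG = r"""
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = http://www.meshcopmputers.com/
    O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\windows\googletoolbar_en_2.0.95-deleon.dll
    O4 - HKLM\..\Run: [POINTER] point32.exe
    O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\GRISOFT\AVG6\avgcc32.exe /STARTUP
    O4 - HKCU\..\Run: [Invisible! 2001] "C:\PROGRAM FILES\MINDBEAT\INVISIBLE! 2001\INVISIBLE.EXE"
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?37690.3541782407
    O16 - DPF: {00000000-0000-0000-0000-000000000000} (Example Control) - http://example.invalid/cabs/thing.cab
    """

    ENTRY_RE = re.compile(r"^(?P<type>[RO]\d+) - (?P<body>.*)$")
    O2_RE = re.compile(r"^BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<path>.*)$")
    O4_RE = re.compile(r"^(?P<hive>HK\w+)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
    O16_RE = re.compile(r"^DPF: (?P<clsid>\{[0-9A-Fa-f-]+\}) \((?P<desc>[^)]*)\) - (?P<url>\S+)$")
    SUBPARSERS = {"O2": O2_RE, "O4": O4_RE, "O16": O16_RE}

    # Hosts an ActiveX control (O16) may legitimately have been fetched from on
    # this box; an assumption for the example, extend it for your own environment.
    TRUSTED_DPF_HOSTS = {"v4.windowsupdate.microsoft.com", "download.macromedia.com"}


    def parse_log(text):
        """Split the log into entries; O2/O4/O16 lines get their fields broken out."""
        entries = []
        for line in text.splitlines():
            m = ENTRY_RE.match(line.strip())
            if m is None:
                continue                     # header, 'Running processes' lines, blanks
            entry = {"type": m["type"], "body": m["body"], "raw": line.strip()}
            sub = SUBPARSERS.get(entry["type"])
            if sub is not None:
                sm = sub.match(entry["body"])
                if sm is not None:
                    entry.update(sm.groupdict())
            entries.append(entry)
        return entries


    def executable_of(cmd):
        """First token of an autorun command, honouring a quoted path."""
        cmd = cmd.strip()
        if cmd.startswith('"') and cmd.count('"') >= 2:
            return cmd[1:cmd.index('"', 1)]
        return cmd.split()[0] if cmd else ""


    def triage(entries):
        """Return (raw line, reason) pairs worth a second look.  These are
        heuristics for prioritising review, not verdicts."""
        findings = []
        for e in entries:
            if e["type"] == "O16" and "url" in e:
                host = (urlparse(e["url"]).hostname or "").lower()
                if host not in TRUSTED_DPF_HOSTS:
                    findings.append((e["raw"], f"ActiveX control installed from untrusted host {host!r}"))
            elif e["type"] == "O2" and e.get("name") == "(no name)":
                findings.append((e["raw"], "BHO with no registered name; confirm the DLL path is a known product"))
            elif e["type"] == "O4" and "cmd" in e:
                exe = executable_of(e["cmd"])
                if "\\temp\\" in exe.lower():
                    findings.append((e["raw"], "autorun entry launches from a Temp directory"))
                elif "\\" not in exe:
                    findings.append((e["raw"], f"autorun entry {exe!r} has no path; it runs whatever is found first on the search path"))
        return findings


    if __name__ == "__main__":
        for raw, reason in triage(parse_log(SAMPLE_LOG)):
            print(f"{reason}\n    {raw}")
    ```

    Everything it flags in the log above (the nameless Google toolbar BHO, the bare point32.exe and SysTray.Exe entries) is legitimate on this machine; the point of the script is to shorten the list a reviewer has to look at, not to decide for them.
    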
     
  6. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,491
    Location:
    Netherlands
    Trying whois -h whois.arin.net 159.153.229.107
    OrgName:    Electronic Arts, Inc. 
    OrgID:      ELECTR-60
    Address:    209 Redwood Shores Parkway
    City:       Redwood City
    StateProv:  CA
    PostalCode: 94065
    Country:    US
    NetRange:   159.153.0.0 - 159.153.255.255 
    CIDR:       159.153.0.0/16 
    NetName:    EA
    NetHandle:  NET-159-153-0-0-1
    Parent:     NET-159-0-0-0-0
    NetType:    Direct Assignment
    NameServer: SEDNS.EA.COM
    NameServer: SWDNS.EA.COM
    Comment:    
    RegDate:    1992-04-29
    Updated:    2001-06-12

    Ring any bells?
    Online game or something similar?

    Regards,

    Pieter
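    Added example (not from the thread or from ARIN): a Python check over a WHOIS record like the one above. The record text is a constructed sample reduced to the fields the check needs. It confirms the queried address actually falls inside the returned NetRange/CIDR, rather than trusting the organisation name alone, and cross-checks that NetRange and CIDR agree, which catches truncated or mangled replies. Each regional registry publishes only its own allocations, which is why a query at RIPE for this ARIN-managed block returns nothing; whois.iana.org answers any address with a refer: line naming the registry that holds it, and parse_record below picks that line up in the same way.

    ```python
    from ipaddress import ip_address, ip_network

    # Constructed sample: the ARIN record quoted above, reduced to the fields
    # the check needs.
    SAMPLE_RECORD = """\
    OrgName:    Electronic Arts, Inc.
    OrgID:      ELECTR-60
    NetRange:   159.153.0.0 - 159.153.255.255
    CIDR:       159.153.0.0/16
    NetName:    EA
    NetHandle:  NET-159-153-0-0-1
    NetType:    Direct Assignment
    RegDate:    1992-04-29
    Updated:    2001-06-12
    """


    def parse_record(text):
        """Turn 'Key: value' lines into a dict of lists (keys may repeat);
        indented continuation lines are ignored."""
        fields = {}
        for line in text.splitlines():
            key, sep, value = line.partition(":")
            if sep and key and not key[0].isspace():
                fields.setdefault(key.strip(), []).append(value.strip())
        return fields


    def networks_in(record):
        """CIDR blocks the record claims; one CIDR line may list several."""
        nets = []
        for value in record.get("CIDR", []):
            for token in value.replace(",", " ").split():
                nets.append(ip_network(token, strict=False))
        return nets


    def covers(record, ip):
        """True only if the queried address lies inside the record's own range.
        A WHOIS reply that merely names an organisation is not evidence that the
        address belongs to it; the range is."""
        addr = ip_address(ip)
        return any(addr in net for net in networks_in(record))


    def range_consistent(record):
        """Cross-check NetRange against the CIDR lines: same first address, same
        last address, and the CIDR blocks add up to the whole span.  A mismatch
        usually means a truncated or mangled reply."""
        ranges = record.get("NetRange", [])
        if len(ranges) != 1 or " - " not in ranges[0]:
            return False
        lo_s, hi_s = ranges[0].split(" - ", 1)
        lo, hi = ip_address(lo_s.strip()), ip_address(hi_s.strip())
        nets = networks_in(record)
        if not nets:
            return False
        return (min(n.network_address for n in nets) == lo
                and max(n.broadcast_address for n in nets) == hi
                and sum(n.num_addresses for n in nets) == int(hi) - int(lo) + 1)


    def summary(record, ip):
        org = record.get("OrgName", ["?"])[0]
        if not range_consistent(record):
            return f"{ip}: record for {org} is inconsistent, re-query before trusting it"
        if covers(record, ip):
            return f"{ip}: inside {', '.join(map(str, networks_in(record)))} ({org})"
        return f"{ip}: NOT inside the returned range; wrong registry or wrong record"


    if __name__ == "__main__":
        rec = parse_record(SAMPLE_RECORD)
        print(summary(rec, "159.153.229.107"))
        print(summary(rec, "159.154.0.1"))
    ```
    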
     
  7. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,491
    Location:
    Netherlands
    Hi pcb,

    Going over your log, this is the only one I can't quite put my finger on:
    O4 - Startup: 1st Clock.lnk = C:\Program Files\1stClock\1STCLOCK.EXE
    Do you know what it's for?

    Instead of BrowserHijackBlaster I would recommend SpywareGuard: http://www.wilderssecurity.net/spywareguard.html (also by Javacool)
    It has BHB's browser hijack protection built-in.

    Regards,

    Pieter
     
  8. pcb

    pcb Registered Member

    Joined:
    Jun 6, 2003
    Posts:
    27
    BlitzenZeus,

    Not today I wasn't. I've just opened up IE again (I'm using MYIE2) and my homepage (Google) was displayed. As soon as I clicked on the address drop-down to choose another visited site, the cursor switched straight away to the hourglass, and Kerio popped up again with the same alert as before.

    I expect deleting the list will cure the problem, but maybe only temporarily?

    Thanks for your input,

    PcB
     
  9. pcb

    pcb Registered Member

    Joined:
    Jun 6, 2003
    Posts:
    27
    Pieter,

    1stclock.exe is my taskbar clock replacement.

    I have Spyware Blaster already (does a marvellous job; Spybot S&D comes up with nothing ever since I installed it, and I used to be inundated!).

    As for your whois search: yesterday my son was trying to download a patch for a EA game- he had problems with the download.

    Funny, I did a search for that IP address on the RIPE Whois, and it came up with nothing!
    Maybe I just don't know how to do a proper search; I've only ever done one before.

    I've zapped the IE typed URL list and, as I thought it would, the problem disappeared.
    But I still don't know what caused it! I would still like to know, so as to be forewarned in case of a repeat.

    I really appreciate your help with this, Pieter,

    PcB
     
  10. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,491
    Location:
    Netherlands
    Hi pcb,

    Mind you, SpywareBlaster and SpywareGuard are quite different and meant to complement each other.

    You may like this site for your future Whois searches: http://www.samspade.org/

    Clear out your temp folders as well, since there might be something in there waiting for the rest of the EA patch.

    Regards,

    Pieter
     
  11. pcb

    pcb Registered Member

    Joined:
    Jun 6, 2003
    Posts:
    27
    Pieter,

    I've just tried Samspade.org, and straight away found out how to search for an IP address; it has a dedicated search box. I have bookmarked the site.
    RIPE doesn't!

    Regarding the Temp folder: I have never known whether you can delete the various sub-folders (e.g. -ISTMP1.DIR) in the Temp folder. These are presumably created by program installation procedures.
    Since I now have an experts' attention, please would you clarify this for me?
    Can everything be safely deleted?

    Once again my thanks for your help,

    PcB
     
  12. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,491
    Location:
    Netherlands
    The temp folder is supposed to hold only as the name promises, temporary files. Some malware-writers may think otherwise. ;)
    Anything in there should be safe to delete. What I always do when I'm not sure: I keep the removed files in the recycle bin for a few days, until I can be sure that no problems arise, and then give them the last goodbye.

    Regards,

    Pieter
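    Added example (not from the thread, and not how Pieter does it): the same idea as the recycle-bin approach above, as a Python script that moves stale files out of a Temp tree into a quarantine folder with a manifest, leaves anything recently modified or still locked in place and says so, drops the emptied installer leftovers such as -ISTMP1.DIR, and only purges the quarantine after a holding period. The demo() function builds a throwaway temp tree with constructed files and a fake clock so the whole cycle runs offline; the paths and ages in it are assumptions.

    ```python
    import json
    import os
    import shutil
    import tempfile
    import time
    from pathlib import Path

    MANIFEST = "quarantine.json"


    def quarantine_temp(temp_dir, quarantine_dir, older_than_days=1, now=None):
        """Move files in temp_dir untouched for older_than_days into quarantine_dir,
        keeping relative paths, instead of deleting them outright.  Files that are
        newer, or that cannot be moved (still open by a running installer, for
        instance), are left in place and reported.  Returns (moved, skipped)."""
        now = time.time() if now is None else now
        cutoff = now - older_than_days * 86400
        temp_dir, quarantine_dir = Path(temp_dir), Path(quarantine_dir)
        quarantine_dir.mkdir(parents=True, exist_ok=True)
        manifest_path = quarantine_dir / MANIFEST
        manifest = json.loads(manifest_path.read_text()) if manifest_path.exists() else []
        moved, skipped = [], []
        for path in sorted(p for p in temp_dir.rglob("*") if p.is_file()):
            rel = path.relative_to(temp_dir).as_posix()
            if path.stat().st_mtime > cutoff:
                skipped.append((rel, "modified recently"))
                continue
            dest = quarantine_dir / rel
            dest.parent.mkdir(parents=True, exist_ok=True)
            try:
                shutil.move(str(path), str(dest))
            except OSError as exc:            # locked or in use: leave it, say so
                skipped.append((rel, str(exc)))
                continue
            moved.append(rel)
            manifest.append({"path": rel, "quarantined_at": now})
        # drop the now-empty installer leftovers (the -ISTMP1.DIR style folders),
        # deepest first
        for d in sorted((p for p in temp_dir.rglob("*") if p.is_dir()), reverse=True):
            try:
                d.rmdir()
            except OSError:
                pass
        manifest_path.write_text(json.dumps(manifest, indent=1))
        return moved, skipped


    def purge_quarantine(quarantine_dir, keep_days=7, now=None):
        """Delete quarantined files once they have sat unclaimed for keep_days.
        Returns the relative paths removed."""
        now = time.time() if now is None else now
        quarantine_dir = Path(quarantine_dir)
        manifest_path = quarantine_dir / MANIFEST
        if not manifest_path.exists():
            return []
        manifest = json.loads(manifest_path.read_text())
        keep, removed = [], []
        for item in manifest:
            if now - item["quarantined_at"] >= keep_days * 86400:
                target = quarantine_dir / item["path"]
                if target.exists():
                    target.unlink()
                removed.append(item["path"])
            else:
                keep.append(item)
        manifest_path.write_text(json.dumps(keep, indent=1))
        return removed


    def demo():
        """Build a throwaway temp tree (constructed data), run both steps with a
        fake clock, and return what happened at each stage."""
        root = Path(tempfile.mkdtemp())
        temp, quar = root / "TEMP", root / "quarantine"
        (temp / "-ISTMP1.DIR").mkdir(parents=True)
        old, fresh = temp / "-ISTMP1.DIR" / "setup.tmp", temp / "download.part"
        old.write_bytes(b"stale installer leftover")
        fresh.write_bytes(b"half of a patch still being downloaded")
        t0 = time.time()
        os.utime(old, (t0 - 3 * 86400, t0 - 3 * 86400))   # make it three days old
        moved, skipped = quarantine_temp(temp, quar, older_than_days=1, now=t0)
        removed_early = purge_quarantine(quar, keep_days=7, now=t0 + 2 * 86400)
        removed_late = purge_quarantine(quar, keep_days=7, now=t0 + 8 * 86400)
        result = {
            "moved": moved,
            "skipped": [rel for rel, _ in skipped],
            "still_in_temp": sorted(p.relative_to(temp).as_posix() for p in temp.rglob("*")),
            "removed_early": removed_early,
            "removed_late": removed_late,
            "quarantine_empty": not (quar / "-ISTMP1.DIR" / "setup.tmp").exists(),
        }
        shutil.rmtree(root)
        return result


    if __name__ == "__main__":
        print(json.dumps(demo(), indent=1))
    ```

    The age threshold is what keeps a half-downloaded file (the unfinished EA patch mentioned above, for example) out of the quarantine; the manifest is what lets you put a file back in the right place if something breaks during the holding period.
    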
     
  13. pcb

    pcb Registered Member

    Joined:
    Jun 6, 2003
    Posts:
    27
    That's what I had always figured, but I remember hearing otherwise when I first got into computing (not too long ago).
    And when you delete through Windows Disk Cleanup, by no means are all the files/folders deleted.

    I've got by, so far, but it's good to be in the know! ;)

    Cheers,

    PcB
     
  14. phil-s

    phil-s Guest

    1stclock is a systray clock replacement with a built-in calendar and NTP time sync. I've been running it for over a year without any problems.
    - Phil S.
     