Kerio firewall has been warning me persistently of this incoming: "Someone from 159.153.229.107, port 20 wants to connect to port 1463 owned by 'Internet Explorer' on your computer". Is this a legitimate request? When I deny it access, the cursor turns into the busy hourglass, and I have to quit. I have another issue which I feel may be related: www.searching.net is asking, on a regular basis, to be set up as my Homepage (though only when I use IE; I mostly use Opera & MYIE2, which are not affected by this). Does anyone know how to get rid of this pesky invader? Here is my HijackThis log, if needed (every item is, I think, legitimate, apart from the first entry).

Logfile of HijackThis v1.94.0
Scan saved at 09:39:19, on 02/09/03
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page=c:\windows\SYSTEM\blank.htm
O2 - BHO: (no name) - {FFFFFEF0-5B30-21D4-945D-000000000000} - C:\PROGRA~1\STARDO~1\SDIEINT.DLL
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\windows\googletoolbar_en_2.0.95-deleon.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\windows\googletoolbar_en_2.0.95-deleon.dll
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [Microsoft IntelliType Pro] "C:\Program Files\Microsoft Hardware\Keyboard\speedkey.exe"
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\GRISOFT\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\RunServices: [Avgserv9.exe] C:\PROGRA~1\GRISOFT\AVG6\Avgserv9.exe
O4 - HKCU\..\Run: [Taskbar Executive] c:\program files\hace\taskbar executive\ttMan.exe
O4 - HKCU\..\Run: [WinEjectAutoStart1] C:\PROGRAM FILES\WINEJECT\WINEJECT.EXE -instance:1
O4 - HKCU\..\Run: [Invisible! 2001] "C:\PROGRAM FILES\MINDBEAT\INVISIBLE! 2001\INVISIBLE.EXE"
O4 - HKCU\..\Run: [Clipboard Buddy] C:\PROGRA~1\CLIPBO~1\CLIPBO~1.EXE
O4 - Startup: 1st Clock.lnk = C:\Program Files\1stClock\1STCLOCK.EXE
O8 - Extra context menu item: Download with Star Downloader - C:\PROGRAM FILES\STAR DOWNLOADER\sdie.htm
O8 - Extra context menu item: Add to Ad Hunter - res://C:\PROGRAM FILES\MYIE2\MyIE.exe/blacklist.htm
O8 - Extra context menu item: &Google Search - res://C:\WINDOWS\GOOGLETOOLBAR_EN_2.0.95-DELEON.DLL/cmsearch.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\WINDOWS\GOOGLETOOLBAR_EN_2.0.95-DELEON.DLL/cmcache.html
O8 - Extra context menu item: Si&milar Pages - res://C:\WINDOWS\GOOGLETOOLBAR_EN_2.0.95-DELEON.DLL/cmsimilar.html
O8 - Extra context menu item: Backward &Links - res://C:\WINDOWS\GOOGLETOOLBAR_EN_2.0.95-DELEON.DLL/cmbacklinks.html
O8 - Extra context menu item: Translate Page - res://C:\WINDOWS\GOOGLETOOLBAR_EN_2.0.95-DELEON.DLL/cmtrans.html
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: iHarvest (HKLM)
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?37690.3541782407
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

I am using IE6.0.2800 and 98se. Many thanks for any help. PcB
Hi pcb, Not that I expect to find much, but could you download a fresh copy of HijackThis (current version is 1.96.4) and post a new log? Regards, Pieter
What were you trying to do when this happened? If you were communicating with an FTP server at the time to download or upload a file, this could have been a legitimate communication. The link would have started with ftp://
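The shape BlitzenZeus describes (an FTP server's data port 20 calling back to an ephemeral port owned by the browser) is what an active-mode FTP data channel looks like. The following Python helper is an added example, not code from the thread or from Kerio: it parses a Kerio-style inbound alert and labels its shape so the owner of the port can decide whether a transfer was actually in flight. The alert wording, the regex and the ephemeral-port boundary are assumptions modelled on the message quoted in the first post.

```python
import re
from dataclasses import dataclass

# Constructed sample, modelled on the Kerio Personal Firewall alert quoted
# in the first post (the endpoints are the ones the poster reported).
SAMPLE_ALERT = ("Someone from 159.153.229.107, port 20 wants to connect to "
                "port 1463 owned by 'Internet Explorer' on your computer")

# Assumed alert format; adjust if your firewall phrases the message differently.
ALERT_RE = re.compile(
    r"Someone from (?P<src_ip>\d{1,3}(?:\.\d{1,3}){3}), port (?P<src_port>\d+) "
    r"wants to connect to port (?P<dst_port>\d+) owned by '(?P<app>[^']+)'")

FTP_DATA_PORT = 20     # active-mode FTP servers open the data channel *from* this port
EPHEMERAL_MIN = 1024   # Win9x-era stacks hand client-side ports out from here upward


@dataclass(frozen=True)
class InboundAlert:
    src_ip: str
    src_port: int
    dst_port: int
    app: str


def parse_alert(text: str) -> InboundAlert:
    """Pull the remote endpoint, local port and owning application out of an alert."""
    m = ALERT_RE.search(text)
    if m is None:
        raise ValueError("text does not look like a Kerio inbound-connection alert")
    return InboundAlert(m["src_ip"], int(m["src_port"]), int(m["dst_port"]), m["app"])


def classify(alert: InboundAlert) -> str:
    """Label the connection's shape.

    'active-ftp-data': remote port 20 reaching an ephemeral local port is what the
    server's callback looks like after the client sent PORT on the control channel.
    It is only legitimate if the owning application really has an ftp:// transfer
    in progress at that moment; otherwise deny it.
    'unsolicited-to-service-port': something outside is reaching a well-known local
    service port with no session to explain it; deny.
    'unknown-inbound': anything else; deny unless you can account for it.
    """
    if alert.src_port == FTP_DATA_PORT and alert.dst_port >= EPHEMERAL_MIN:
        return "active-ftp-data"
    if alert.dst_port < EPHEMERAL_MIN:
        return "unsolicited-to-service-port"
    return "unknown-inbound"


def triage(text: str) -> str:
    a = parse_alert(text)
    return f"{a.src_ip}:{a.src_port} -> local :{a.dst_port} ({a.app}) => {classify(a)}"
```

Running `triage(SAMPLE_ALERT)` on the thread's alert yields the "active-ftp-data" label, which is consistent with the later finding that an EA game patch download was the trigger.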
Sorry I took a bit of time, Pieter, but I noticed a program from Javacool: Browser Hijack Blaster. Do you know anything about it? Is it worth me using it? It would appear to be just what I need. Here is the new log (I notice the extra entries: running processes):

Logfile of HijackThis v1.96.4
Scan saved at 11:32:36, on 02/09/03
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\PROGRAM FILES\GRISOFT\AVG6\AVGSERV9.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\PROGRAM FILES\MICROSOFT HARDWARE\KEYBOARD\SPEEDKEY.EXE
C:\PROGRAM FILES\MICROSOFT HARDWARE\MOUSE\POINT32.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\PROGRAM FILES\GRISOFT\AVG6\AVGCC32.EXE
C:\PROGRAM FILES\HACE\TASKBAR EXECUTIVE\TTMAN.EXE
C:\PROGRAM FILES\WINEJECT\WINEJECT.EXE
C:\PROGRAM FILES\MINDBEAT\INVISIBLE! 2001\INVISIBLE.EXE
C:\PROGRAM FILES\CLIPBOARD BUDDY\CLIPBOARD BUDDY.EXE
C:\PROGRAM FILES\1STCLOCK\1STCLOCK.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\PROGRAM FILES\KERIO\PERSONAL FIREWALL\PERSFW.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\WINDOWS\SYSTEM\PSTORES.EXE
C:\PROGRAM FILES\GPSOFTWARE\DIRECTORY OPUS\DOPUS.EXE
C:\PROGRAM FILES\ACCESSORIES\WORDPAD.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\WINDOWS\NOTEPAD.EXE
C:\WINDOWS\NOTEPAD.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\PROGRAM FILES\CIDIAL-MANUALLY INSTALLED\CIDIAL.EXE
C:\PROGRAM FILES\OUTLOOK EXPRESS\MSIMN.EXE
C:\PROGRAM FILES\MYIE2\MYIE.EXE
C:\WINDOWS\DESKTOP\HIJACKTHIS\HIJACKTHIS.EXE

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = http://www.meshcopmputers.com/
O2 - BHO: (no name) - {FFFFFEF0-5B30-21D4-945D-000000000000} - C:\PROGRA~1\STARDO~1\SDIEINT.DLL
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\windows\googletoolbar_en_2.0.95-deleon.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\windows\googletoolbar_en_2.0.95-deleon.dll
O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [Microsoft IntelliType Pro] "C:\Program Files\Microsoft Hardware\Keyboard\speedkey.exe"
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\GRISOFT\AVG6\avgcc32.exe /STARTUP
O4 - HKLM\..\RunServices: [Avgserv9.exe] C:\PROGRA~1\GRISOFT\AVG6\Avgserv9.exe
O4 - HKCU\..\Run: [Taskbar Executive] c:\program files\hace\taskbar executive\ttMan.exe
O4 - HKCU\..\Run: [WinEjectAutoStart1] C:\PROGRAM FILES\WINEJECT\WINEJECT.EXE -instance:1
O4 - HKCU\..\Run: [Invisible! 2001] "C:\PROGRAM FILES\MINDBEAT\INVISIBLE! 2001\INVISIBLE.EXE"
O4 - HKCU\..\Run: [Clipboard Buddy] C:\PROGRA~1\CLIPBO~1\CLIPBO~1.EXE
O4 - Startup: 1st Clock.lnk = C:\Program Files\1stClock\1STCLOCK.EXE
O8 - Extra context menu item: Download with Star Downloader - C:\PROGRAM FILES\STAR DOWNLOADER\sdie.htm
O8 - Extra context menu item: Add to Ad Hunter - res://C:\PROGRAM FILES\MYIE2\MyIE.exe/blacklist.htm
O8 - Extra context menu item: &Google Search - res://C:\WINDOWS\GOOGLETOOLBAR_EN_2.0.95-DELEON.DLL/cmsearch.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\WINDOWS\GOOGLETOOLBAR_EN_2.0.95-DELEON.DLL/cmcache.html
O8 - Extra context menu item: Si&milar Pages - res://C:\WINDOWS\GOOGLETOOLBAR_EN_2.0.95-DELEON.DLL/cmsimilar.html
O8 - Extra context menu item: Backward &Links - res://C:\WINDOWS\GOOGLETOOLBAR_EN_2.0.95-DELEON.DLL/cmbacklinks.html
O8 - Extra context menu item: Translate Page - res://C:\WINDOWS\GOOGLETOOLBAR_EN_2.0.95-DELEON.DLL/cmtrans.html
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O9 - Extra button: iHarvest (HKLM)
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?37690.3541782407
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Trying whois -h whois.arin.net 159.153.229.107

OrgName: Electronic Arts, Inc.
OrgID: ELECTR-60
Address: 209 Redwood Shores Parkway
City: Redwood City
StateProv: CA
PostalCode: 94065
Country: US

NetRange: 159.153.0.0 - 159.153.255.255
CIDR: 159.153.0.0/16
NetName: EA
NetHandle: NET-159-153-0-0-1
Parent: NET-159-0-0-0-0
NetType: Direct Assignment
NameServer: SEDNS.EA.COM
NameServer: SWDNS.EA.COM
Comment:
RegDate: 1992-04-29
Updated: 2001-06-12

Ring any bells? Online game or something similar? Regards, Pieter
Hi pcb, Going over your log, this is the only one I can't quite get my finger on: O4 - Startup: 1st Clock.lnk = C:\Program Files\1stClock\1STCLOCK.EXE Do you know what it's for? Instead of BrowserHijackBlaster I would recommend SpywareGuard: http://www.wilderssecurity.net/spywareguard.html (also by Javacool) It has BHB's browser hijack protection built-in. Regards, Pieter
BlitzenZeus, Not today I wasn't. I've just opened up IE again (I'm using MYIE2) and my homepage (Google) was displayed. As soon as I clicked on the address drop-down to choose another visited site, the cursor switched straight away to the hourglass, and Kerio popped up again with the same alert as before. I expect deleting the list will cure the problem, but maybe only temporarily? Thanks for your input, PcB
Pieter, 1stclock.exe is my taskbar clock replacement. I have SpywareBlaster already (does a marvellous job; Spybot S&D comes up with nothing ever since I installed it. I used to be inundated!) As for your whois search: yesterday my son was trying to download a patch for an EA game; he had problems with the download. Funny, I did a search for that IP address on the RIPE Whois, and it came up with nothing! Maybe I just don't know how to do a proper search; I've only ever done one before. I've zapped the IE typed URL list, and, as I thought it would, the problem disappeared. But I still don't know what caused it! I would still like to know, so as to be forewarned in case of a repeat. I really appreciate your help with this, Pieter. PcB
Hi pcb, Mind you, SpywareBlaster and SpywareGuard are quite different and meant to complement each other. You may like this site for your future Whois searches: http://www.samspade.org/ Clear out your temp folders as well, since there might be something in there waiting for the rest of the EA patch. Regards, Pieter
Pieter, I've just tried Samspade.org, and straight away found out how to search for an IP address; it has a dedicated search box. I have bookmarked the site. RIPE doesn't! Regarding the Temp folder: I have never known whether you can delete the various sub-folders (e.g. -ISTMP1.DIR) in the Temp folder. These are presumably created by program installation procedures. Since I now have an expert's attention, please would you clarify this for me? Can everything be safely deleted? Once again my thanks for your help, PcB
The temp folder is supposed to hold only, as the name promises, temporary files. Some malware writers may think otherwise. Anything in there should be safe to delete. What I always do when I'm not sure: I keep the removed files in the recycle bin for a few days, until I can be sure that no problems arise, and then give them the last goodbye. Regards, Pieter
That's what I had always figured, but I remember hearing otherwise when I first got into computing (not too long ago). And when you delete through Windows Disk Cleanup, by no means are all the files/folders deleted. I've got by, so far, but it's good to be in the know! Cheers, PcB
1stclock is a systray clock replacement with a built-in calendar and NTP time sync. I've been running it for over a year without any problems. - Phil S.