Inbound port 1463 IE question

Discussion in 'other firewalls' started by pcb, Sep 2, 2003.

Thread Status:
Not open for further replies.
  1. pcb

    pcb Registered Member

    Joined:
    Jun 6, 2003
    Posts:
    27
    Kerio firewall has been warning me persistently of this incoming:
    "Someone from 159.153.229.107, port 20 wants to connect to port 1463 owned by 'Internet Explorer' on your computer".
    Is this a legitimate request?
    When I deny it access, the cursor turns into the busy hourglass, and I have to quit.

    I have another issue which I feel may be related:

    www.searching.net is asking, on a regular basis, to be set up as my Homepage, (though only when I use IE-I mostly use Opera & MYIE2..which are not affected by this).

    Does anyone know how to get rid of this pesky invader?

    Here is my Hijack This log, if needed (every item is, I think, legitimate, apart from the first entry)

    Logfile of HijackThis v1.94.0
    Scan saved at 09:39:19, on 02/09/03
    Platform: Windows 98 SE (Win9x 4.10.2222A)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page=c:\windows\SYSTEM\blank.htm
    O2 - BHO: (no name) - {FFFFFEF0-5B30-21D4-945D-000000000000} - C:\PROGRA~1\STARDO~1\SDIEINT.DLL
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
    O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\windows\googletoolbar_en_2.0.95-deleon.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\windows\googletoolbar_en_2.0.95-deleon.dll
    O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
    O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\Run: [Microsoft IntelliType Pro] "C:\Program Files\Microsoft Hardware\Keyboard\speedkey.exe"
    O4 - HKLM\..\Run: [POINTER] point32.exe
    O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
    O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\GRISOFT\AVG6\avgcc32.exe /STARTUP
    O4 - HKLM\..\RunServices: [Avgserv9.exe] C:\PROGRA~1\GRISOFT\AVG6\Avgserv9.exe
    O4 - HKCU\..\Run: [Taskbar Executive] c:\program files\hace\taskbar executive\ttMan.exe
    O4 - HKCU\..\Run: [WinEjectAutoStart1] C:\PROGRAM FILES\WINEJECT\WINEJECT.EXE -instance:1
    O4 - HKCU\..\Run: [Invisible! 2001] "C:\PROGRAM FILES\MINDBEAT\INVISIBLE! 2001\INVISIBLE.EXE"
    O4 - HKCU\..\Run: [Clipboard Buddy] C:\PROGRA~1\CLIPBO~1\CLIPBO~1.EXE
    O4 - Startup: 1st Clock.lnk = C:\Program Files\1stClock\1STCLOCK.EXE
    O8 - Extra context menu item: Download with Star Downloader - C:\PROGRAM FILES\STAR DOWNLOADER\sdie.htm
    O8 - Extra context menu item: Add to Ad Hunter - res://C:\PROGRAM FILES\MYIE2\MyIE.exe/blacklist.htm
    O8 - Extra context menu item: &Google Search - res://C:\WINDOWS\GOOGLETOOLBAR_EN_2.0.95-DELEON.DLL/cmsearch.html
    O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\WINDOWS\GOOGLETOOLBAR_EN_2.0.95-DELEON.DLL/cmcache.html
    O8 - Extra context menu item: Si&milar Pages - res://C:\WINDOWS\GOOGLETOOLBAR_EN_2.0.95-DELEON.DLL/cmsimilar.html
    O8 - Extra context menu item: Backward &Links - res://C:\WINDOWS\GOOGLETOOLBAR_EN_2.0.95-DELEON.DLL/cmbacklinks.html
    O8 - Extra context menu item: Translate Page - res://C:\WINDOWS\GOOGLETOOLBAR_EN_2.0.95-DELEON.DLL/cmtrans.html
    O9 - Extra button: Related (HKLM)
    O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
    O9 - Extra button: iHarvest (HKLM)
    O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
    O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?37690.3541782407
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

    I am using IE6.0.2800 and 98se.


    Many thanks for any help.

    PcB
     
  2. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,331
    Location:
    Netherlands
    Hi pcb,

    Not that I expect to find much, but could you download a fresh copy of HijackThis (current version is 1.96.4) and post a new log?

    Regards,

    Pieter
     
  3. pcb

    pcb Registered Member

    Joined:
    Jun 6, 2003
    Posts:
    27
    wilco, Pieter

    PcB
     
  4. BlitzenZeus

    BlitzenZeus Security Expert

    Joined:
    Feb 11, 2002
    Posts:
    451
    Location:
    Oregon, USA
    What were you trying to do when this happened? If you were communicating with an FTP server at the time to download or upload a file, this could have been a legit communication.

    The link would have started with ftp://
     
  5. pcb

    pcb Registered Member

    Joined:
    Jun 6, 2003
    Posts:
    27
    Sorry I took a bit of time, Pieter, but I noticed a program from Javacool - Browser Hijack Blaster. Do you know anything about it..is it worth me using it? It would appear to be just what I need.

    Here is the new Log (I notice the extra entries..running processes):

    Logfile of HijackThis v1.96.4
    Scan saved at 11:32:36, on 02/09/03
    Platform: Windows 98 SE (Win9x 4.10.2222A)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\PROGRAM FILES\GRISOFT\AVG6\AVGSERV9.EXE
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\TASKMON.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\PROGRAM FILES\MICROSOFT HARDWARE\KEYBOARD\SPEEDKEY.EXE
    C:\PROGRAM FILES\MICROSOFT HARDWARE\MOUSE\POINT32.EXE
    C:\WINDOWS\SYSTEM\STIMON.EXE
    C:\PROGRAM FILES\GRISOFT\AVG6\AVGCC32.EXE
    C:\PROGRAM FILES\HACE\TASKBAR EXECUTIVE\TTMAN.EXE
    C:\PROGRAM FILES\WINEJECT\WINEJECT.EXE
    C:\PROGRAM FILES\MINDBEAT\INVISIBLE! 2001\INVISIBLE.EXE
    C:\PROGRAM FILES\CLIPBOARD BUDDY\CLIPBOARD BUDDY.EXE
    C:\PROGRAM FILES\1STCLOCK\1STCLOCK.EXE
    C:\WINDOWS\SYSTEM\WMIEXE.EXE
    C:\PROGRAM FILES\KERIO\PERSONAL FIREWALL\PERSFW.EXE
    C:\WINDOWS\SYSTEM\SPOOL32.EXE
    C:\WINDOWS\SYSTEM\PSTORES.EXE
    C:\PROGRAM FILES\GPSOFTWARE\DIRECTORY OPUS\DOPUS.EXE
    C:\PROGRAM FILES\ACCESSORIES\WORDPAD.EXE
    C:\WINDOWS\SYSTEM\TAPISRV.EXE
    C:\WINDOWS\NOTEPAD.EXE
    C:\WINDOWS\NOTEPAD.EXE
    C:\WINDOWS\SYSTEM\RNAAPP.EXE
    C:\WINDOWS\SYSTEM\DDHELP.EXE
    C:\PROGRAM FILES\CIDIAL-MANUALLY INSTALLED\CIDIAL.EXE
    C:\PROGRAM FILES\OUTLOOK EXPRESS\MSIMN.EXE
    C:\PROGRAM FILES\MYIE2\MYIE.EXE
    C:\WINDOWS\DESKTOP\HIJACKTHIS\HIJACKTHIS.EXE

    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = http://www.meshcopmputers.com/
    O2 - BHO: (no name) - {FFFFFEF0-5B30-21D4-945D-000000000000} - C:\PROGRA~1\STARDO~1\SDIEINT.DLL
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
    O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\windows\googletoolbar_en_2.0.95-deleon.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\windows\googletoolbar_en_2.0.95-deleon.dll
    O4 - HKLM\..\Run: [ScanRegistry] c:\windows\scanregw.exe /autorun
    O4 - HKLM\..\Run: [TaskMonitor] c:\windows\taskmon.exe
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\Run: [Microsoft IntelliType Pro] "C:\Program Files\Microsoft Hardware\Keyboard\speedkey.exe"
    O4 - HKLM\..\Run: [POINTER] point32.exe
    O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
    O4 - HKLM\..\Run: [AVG_CC] C:\PROGRA~1\GRISOFT\AVG6\avgcc32.exe /STARTUP
    O4 - HKLM\..\RunServices: [Avgserv9.exe] C:\PROGRA~1\GRISOFT\AVG6\Avgserv9.exe
    O4 - HKCU\..\Run: [Taskbar Executive] c:\program files\hace\taskbar executive\ttMan.exe
    O4 - HKCU\..\Run: [WinEjectAutoStart1] C:\PROGRAM FILES\WINEJECT\WINEJECT.EXE -instance:1
    O4 - HKCU\..\Run: [Invisible! 2001] "C:\PROGRAM FILES\MINDBEAT\INVISIBLE! 2001\INVISIBLE.EXE"
    O4 - HKCU\..\Run: [Clipboard Buddy] C:\PROGRA~1\CLIPBO~1\CLIPBO~1.EXE
    O4 - Startup: 1st Clock.lnk = C:\Program Files\1stClock\1STCLOCK.EXE
    O8 - Extra context menu item: Download with Star Downloader - C:\PROGRAM FILES\STAR DOWNLOADER\sdie.htm
    O8 - Extra context menu item: Add to Ad Hunter - res://C:\PROGRAM FILES\MYIE2\MyIE.exe/blacklist.htm
    O8 - Extra context menu item: &Google Search - res://C:\WINDOWS\GOOGLETOOLBAR_EN_2.0.95-DELEON.DLL/cmsearch.html
    O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\WINDOWS\GOOGLETOOLBAR_EN_2.0.95-DELEON.DLL/cmcache.html
    O8 - Extra context menu item: Si&milar Pages - res://C:\WINDOWS\GOOGLETOOLBAR_EN_2.0.95-DELEON.DLL/cmsimilar.html
    O8 - Extra context menu item: Backward &Links - res://C:\WINDOWS\GOOGLETOOLBAR_EN_2.0.95-DELEON.DLL/cmbacklinks.html
    O8 - Extra context menu item: Translate Page - res://C:\WINDOWS\GOOGLETOOLBAR_EN_2.0.95-DELEON.DLL/cmtrans.html
    O9 - Extra button: Related (HKLM)
    O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
    O9 - Extra button: iHarvest (HKLM)
    O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
    O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/ansi/iuctl.CAB?37690.3541782407
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
     
  6. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,331
    Location:
    Netherlands
    Trying whois -h whois.arin.net 159.153.229.107
    OrgName:    Electronic Arts, Inc. 
    OrgID:      ELECTR-60
    Address:    209 Redwood Shores Parkway
    City:       Redwood City
    StateProv:  CA
    PostalCode: 94065
    Country:    US
    NetRange:   159.153.0.0 - 159.153.255.255 
    CIDR:       159.153.0.0/16 
    NetName:    EA
    NetHandle:  NET-159-153-0-0-1
    Parent:     NET-159-0-0-0-0
    NetType:    Direct Assignment
    NameServer: SEDNS.EA.COM
    NameServer: SWDNS.EA.COM
    Comment:    
    RegDate:    1992-04-29
    Updated:    2001-06-12

    Ring any bells?
    Online game or something similar?

    Regards,

    Pieter
     
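As an added example (not code from this thread or from any of the products named in it), here is a small Python triage helper that applies the two checks raised above: BlitzenZeus's point that source port 20 is ftp-data, so an inbound hit from it during an active-mode FTP transfer is expected, and Pieter's whois lookup, using the EA NetRange from his output. The alert string and the netblock table are constructed from the thread's own text.

```python
import ipaddress
import re

# Constructed sample alert, in the wording Kerio Personal Firewall used in the thread.
SAMPLE_ALERT = ("Someone from 159.153.229.107, port 20 wants to connect to "
                "port 1463 owned by 'Internet Explorer' on your computer")

# NetRange copied from the ARIN whois output quoted in the thread.
KNOWN_NETBLOCKS = {
    "159.153.0.0/16": "Electronic Arts, Inc. (ARIN NET-159-153-0-0-1)",
}

ALERT_RE = re.compile(
    r"Someone from (?P<ip>[\d.]+), port (?P<sport>\d+) wants to connect to "
    r"port (?P<dport>\d+) owned by '(?P<app>[^']+)'")


def parse_alert(text):
    """Pull remote IP, source port, local port and owning app out of the alert text."""
    m = ALERT_RE.search(text)
    if not m:
        raise ValueError("not a Kerio-style inbound alert")
    return {"ip": m["ip"], "sport": int(m["sport"]),
            "dport": int(m["dport"]), "app": m["app"]}


def lookup_owner(ip):
    """Return the registered owner if the address falls in a netblock we have whois data for."""
    addr = ipaddress.ip_address(ip)
    for cidr, owner in KNOWN_NETBLOCKS.items():
        if addr in ipaddress.ip_network(cidr):
            return owner
    return None


def triage(text):
    """Explain why the inbound connection may be legitimate; unexplained alerts stay denied."""
    a = parse_alert(text)
    notes = []
    # Port 20 is ftp-data. In active-mode FTP the server connects back to the
    # client's ephemeral port, so this pattern is expected only while a
    # download or upload is actually in progress.
    if a["sport"] == 20 and 1024 <= a["dport"] <= 65535:
        notes.append("active-mode FTP data connection (ftp-data -> ephemeral port)")
    owner = lookup_owner(a["ip"])
    notes.append(f"remote address registered to {owner}" if owner
                 else "remote address not in any known netblock")
    return a, notes
```

If no FTP transfer is running when the alert fires, as in the later posts here, the ftp-data explanation does not apply and the prompt should still be denied while the cause (here, the IE typed-URL list) is tracked down.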
  7. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,331
    Location:
    Netherlands
    Hi pcb,

    Going over your log, this is the only one I can't quite get my finger on:
    O4 - Startup: 1st Clock.lnk = C:\Program Files\1stClock\1STCLOCK.EXE
    Do you know what it's for?

    Instead of BrowserHijackBlaster I would recommend SpywareGuard: http://www.wilderssecurity.net/spywareguard.html (also by Javacool)
    It has BHB's browser hijack protection built-in.

    Regards,

    Pieter
     
  8. pcb

    pcb Registered Member

    Joined:
    Jun 6, 2003
    Posts:
    27
    BlitzenZeus,

    Not today I wasn't. I've just opened up IE again, (I'm using MYIE2) and my homepage (Google) was displayed. As soon as I clicked on the address drop-down to choose another visited site, the cursor switched straight away to the hourglass, and Kerio popped up again with the same alert as before.

    I expect deleting the list will cure the problem, but maybe only temporarily?

    Thanks for your input,

    PcB
     
  9. pcb

    pcb Registered Member

    Joined:
    Jun 6, 2003
    Posts:
    27
    Pieter,

    1st clock.exe is my taskbar clock replacement.

    I have Spyware Blaster already (does a marvellous job). Spybot S&D comes up with nothing ever since I installed it (I used to be inundated!)

    As for your whois search: yesterday my son was trying to download a patch for a EA game- he had problems with the download.

    Funny, I did a search for that IP address on the RIPE Whois, and it came up with nothing!
    Maybe I just don't know how to do a proper search..I've only ever done one before.

    I've zapped the IE typed URL list, and, as I thought it would, the problem disappeared.
    But I still don't know what caused it! I would still like to know, so as to be forewarned in case of a repeat.

    I really appreciate your help with this, Pieter,

    PcB
     
  10. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,331
    Location:
    Netherlands
    Hi pcb,

    Mind you, SpywareBlaster and SpywareGuard are quite different and meant to complement each other.

    You may like this site for your future Whois searches: http://www.samspade.org/

    Clear out your temp folders as well, since there might be something in there waiting for the rest of the EA patch.

    Regards,

    Pieter
     
  11. pcb

    pcb Registered Member

    Joined:
    Jun 6, 2003
    Posts:
    27
    Pieter,

    I've just tried Samspade.org, and straight away found out how to search for an IP address-it has a dedicated search box. I have bookmarked the site.
    Ripe doesn't!

    Regarding the Temp folder: I have never known whether you can delete the various sub-folders (e.g. -ISTMP1.DIR) in the Temp folder. These are presumably created by program installation procedures.
    Since I now have an experts' attention, please would you clarify this for me?
    Can everything be safely deleted?

    Once again my thanks for your help,

    PcB
     
  12. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,331
    Location:
    Netherlands
    The temp folder is supposed to hold only as the name promises, temporary files. Some malware-writers may think otherwise. ;)
    Anything in there should be safe to delete. What I always do when I'm not sure: I keep the removed files in the recycle bin for a few days, until I can be sure that no problems arise, and then give them the last goodbye.

    Regards,

    Pieter
     
  13. pcb

    pcb Registered Member

    Joined:
    Jun 6, 2003
    Posts:
    27
    That's what I had always figured, but I remember hearing otherwise when I first got into computing (not too long ago).
    And when you delete through Windows Disk Cleanup, by no means are all the files/folders deleted.

    I've got by, so far, but it's good to be in the know! ;)

    Cheers,

    PcB
     
  14. phil-s

    phil-s Guest

    1stclock is a systray clock replacement with a built-in calendar and NTP time sync. I've been running it for over a year without any problems.
    - Phil S.
     