Svchost.Exe Hijacked??

Curious about what traffic was going thru my router, I installed Port Explorer from DiamondCS on my WinXP workstation. Idly glancing thru the Traffic Log produced by PE, I noticed some interesting host names listed as sending me packets - to my local port 1900 - and successfully received by Svchost.Exe, the owner of the socket.

The information in the Traffic Log flies by so quickly, and I haven't yet rigged a way to do an intelligent analysis of all the information, so I was only able to make a few idle observations. There are maybe a dozen different hosts listed as sending traffic to port 1900, repeatedly. Several in my LAN, a few in the address space of my ISP, and various around the country (USA). I did various name lookups on the hosts identified outside my LAN, and see NO names which refer to any corporate or commercial enterprises that I recognise - they all appear to be private, home networks or hosts.

Having just purchased PE, I was intrigued at an opportunity to productively use Socket Spy, one of the selling features of PE. Unfortunately, SS, when started, seems unable to provide ANY details re the reported traffic on port 1900. I am working on that issue with the DCS support folks.

In the meantime, having regularly run AdAware and Spybot S&D, and found nothing of interest, I am wondering if HijackThis might provide a clue as to why I have been targeted by such traffic. Can anybody see anything in the attached log?

TIA.

Chuck


Logfile of HijackThis v1.95.0
Scan saved at 10:40:44, on 7/16/2003
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\PowerChute\mainserv.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Remote Task Manager\RTMService.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\NORTON~1\NORTON~1\navapw32.exe
C:\WINDOWS\StartupMonitor.exe
C:\Program Files\DU Meter\DUMeter.exe
C:\Program Files\Logitech\ImageStudio\LogiTray.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Ember\FBZPaper.exe
C:\Utility\Windows Uptime.exe
C:\Program Files\FinePixViewer\QuickDCF.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\WallWatcher\WallWatcher.exe
C:\Program Files\World Time\WorldTime.exe
C:\WINDOWS\system32\cmd.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\SYSDOC32.EXE
C:\WINDOWS\system32\mmc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\LVComS.exe
C:\Program Files\Logitech\ImageStudio\LowLight.exe
C:\Program Files\PowerChute\apcsystray.exe
C:\Program Files\Port Explorer\PortExplorer.exe
C:\Program Files\TCPView\Tcpview.exe
C:\Program Files\Ping Plotter\PingPlotter.exe
C:\Program Files\Ping Plotter\PingPlotter.exe
C:\Program Files\Ping Plotter\PingPlotter.exe
C:\Program Files\Yahoo!\Messenger\YPager.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\VisualRoute\VisualRoute.exe
C:\WINDOWS\System32\jview.exe
C:\Program Files\TESP\ABouncer.exe
C:\Program Files\VisualRoute\exe\vrdns2.exe
C:\Program Files\Netscape\Netscape 7\Netscp.exe
C:\Program Files\Agent\agent.exe
C:\WINDOWS\hh.exe
C:\Program Files\Ember\Ember.exe
C:\Program Files\ProcExp\procexp.exe
C:\WINDOWS\hh.exe
C:\WINDOWS\system32\notepad.exe
C:\Utility\HijackThis.exe


R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride=localhost
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page=C:\WINDOWS\System32\blank.htm
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://my.yahoo.com/"); (C:\Documents and Settings\ccroll\Application Data\Mozilla\Profiles\default\mj8naw6n.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%206%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\ccroll\Application Data\Mozilla\Profiles\default\mj8naw6n.slt\prefs.js)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1.1\SDHelper.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [IMJPMIG8.1] C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Run StartupMonitor] StartupMonitor.exe
O4 - HKLM\..\Run: [DU Meter] C:\Program Files\DU Meter\DUMeter.exe
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [LogitechGalleryRepair] C:\Program Files\Logitech\ImageStudio\ISStart.exe
O4 - HKLM\..\Run: [LogitechImageStudioTray] C:\Program Files\Logitech\ImageStudio\LogiTray.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [BlazeChanger] C:\Program Files\Ember\FBZPaper.exe
O4 - HKCU\..\Run: [WindowsUptime] "C:\Utility\Windows Uptime.exe" /i
O4 - Startup: Command Prompt.lnk = C:\WINDOWS\system32\cmd.exe
O4 - Startup: Norton System Doctor.LNK = C:\Program Files\Norton SystemWorks\Norton Utilities\SYSDOC32.EXE
O4 - Startup: PM - Dell1600.lnk = C:\WINDOWS\system32\PerfMon\Dell 1600 Resources.msc
O4 - Global Startup: APC UPS Status.lnk = ?
O4 - Global Startup: Exif Launcher.lnk = C:\Program Files\FinePixViewer\QuickDCF.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Task Manager.lnk = C:\WINDOWS\system32\taskmgr.exe
O4 - Global Startup: WallWatcher.lnk = C:\Program Files\WallWatcher\WallWatcher.exe
O4 - Global Startup: World Time.lnk = C:\Program Files\World Time\WorldTime.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Trace (HKLM)
O9 - Extra 'Tools' menuitem: VisualRoute Trace (HKLM)
O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O9 - Extra button: Net2Phone (HKLM)
O9 - Extra 'Tools' menuitem: Net2Phone (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Messenger (HKLM)
O9 - Extra button: SmartWhois (HKLM)
O9 - Extra 'Tools' menuitem: SmartWhois (HKLM)
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: symsupportutil - http://www.symantec.com/techsupp/activedata/symsupportutil.CAB
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security1.norton.com/SSC/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst.cab
O16 - DPF: {31FD415A-1103-4329-B323-2DE693146C4E} (InstallHelper Class) - http://survey.prod.there.com/qualsurvey/ThereInstallHelper.cab
O16 - DPF: {556DDE35-E955-11D0-A707-000000521957} - http://www.xblock.com/download/xclean_micro.exe
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/7a020f7646f8a7/housecall.antivirus.com/housecall/xscan53.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37682.6937847222
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/SSC/SharedContent/common/bin/cabsa.cab
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - http://www.symantec.com/techsupp/activedata/ActiveData.cab
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://by2fd.bay2.hotmail.msn.com/activex/HMAtchmt.ocx
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://fdl.msn.com/public/chat/msnchat45.cab
O16 - DPF: {FEC3E5A3-50F7-4B0C-97D8-01CF69DFBFC7} (Measurement Service Client) - http://ccon.madonion.com/global/msc.cab

 

Hi nitecruzr

I don't see anything that might account for the behaviour you noted. I have been reading with interst the thread in the DCS forum and have done some searches but have found nothing definitive yet. Unfortunately I am not too familiar with XP. I do have a couple ideas which I will post there though.

Regards,

Dan

 

Did WorldTime really not get a spyware alert or do you run it with the alert cleansed from it? SbS&D and Ad-Aware both alarmed on it here.
I uninstalled it for that reason.
You might like to get that MSOffice from the startup too, unless you use it the whole day.
Looking deeper, waiting for others' comments.

 

Jooske,

I've been using WT for years. Never seen an alert on it. Just checked my AA and Spybot logs, and I don't see anything there either. Is it possible you downloaded yours from a dodgy site?

Don't care about M$ components tho. I suffer from M$ induced blindness - there's so much of it, I tend to ignore it. I think that was automatically installed by MSO originally. A lot of folks call Windoze a virus - but I've not seen NAI, Symantec, nor Kaspersky identify it as such.

 

Disable the SSDP Discovery Service and the Universal Plug and Play Device Host.
http://www.updatexp.com/upnp_security.html

 

Thank you all for your comments and suggestions. The traffic was caused by about a dozen UPnP enabled hosts, all within my ISPs address space, repeatedly conversing with each other. And, after disabling UPnP, the traffic has stopped.

I now have to deal with the problems in Port Explorer which contributed to the confusion. Also I need to ask questions of my ISP, which apparently filters UPnP traffic at its outer borders (??). And I may have to deal with reduced functionality in MSN Messenger (which is what prompted me to enable UPnP originally).

 

Hi nitecruzr,

I was wondering why you put the command prompt in your startup:
O4 - Startup: Command Prompt.lnk = C:\WINDOWS\system32\cmd.exe

That´s about the only extraordinary item I can find in your log.

Regards,

Pieter

 

Pieter,

I like to have a Command window open for quick access to command line utilities. I put it in Startup so it's at the top of the Toolbar so I can find it quickly. I have a 4 line toolbar cause I multitask a lot.

Cheers,

Chuck

 

That will change as soon as they find a way to remove it and run without it.

On a more serious note. I can´t find any other suspicious items in your log either.

Following up on some guy's advice, have a look here: http://www.blackviper.com/WinXP/servicecfg.htm

Regards,

Pieter