Svchost.Exe Hijacked??

Discussion in 'privacy problems' started by nitecruzr, Jul 16, 2003.

Thread Status:
Not open for further replies.
  1. nitecruzr

    nitecruzr Registered Member

    Joined:
    Jul 10, 2003
    Posts:
    15
    Location:
    Northern California
    Curious about what traffic was going thru my router, I installed Port Explorer from DiamondCS on my WinXP workstation. Idly glancing thru the Traffic Log produced by PE, I noticed some interesting host names listed as sending me packets - to my local port 1900 - and successfully received by Svchost.Exe, the owner of the socket.

    The information in the Traffic Log flies by so quickly, and I haven't yet rigged a way to do an intelligent analysis of all the information, so I was only able to make a few idle observations. There are maybe a dozen different hosts listed as sending traffic to port 1900, repeatedly. Several in my LAN, a few in the address space of my ISP, and various around the country (USA). I did various name lookups on the hosts identified outside my LAN, and see NO names which refer to any corporate or commercial enterprises that I recognise - they all appear to be private, home networks or hosts.

    Having just purchased PE, I was intrigued at an opportunity to productively use Socket Spy, one of the selling features of PE. Unfortunately, SS, when started, seems unable to provide ANY details re the reported traffic on port 1900. I am working on that issue with the DCS support folks.

    In the meantime, having regularly run AdAware and Spybot S&D, and found nothing of interest, I am wondering if HijackThis might provide a clue as to why I have been targeted by such traffic. Can anybody see anything in the attached log?

    TIA.

    Chuck
    :eek:

    Logfile of HijackThis v1.95.0
    Scan saved at 10:40:44, on 7/16/2003
    Platform: Windows XP (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2600.0000)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\PowerChute\mainserv.exe
    C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
    C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
    C:\WINDOWS\System32\nvsvc32.exe
    C:\Program Files\Remote Task Manager\RTMService.exe
    C:\WINDOWS\Explorer.EXE
    C:\PROGRA~1\NORTON~1\NORTON~1\navapw32.exe
    C:\WINDOWS\StartupMonitor.exe
    C:\Program Files\DU Meter\DUMeter.exe
    C:\Program Files\Logitech\ImageStudio\LogiTray.exe
    C:\WINDOWS\System32\ctfmon.exe
    C:\Program Files\Ember\FBZPaper.exe
    C:\Utility\Windows Uptime.exe
    C:\Program Files\FinePixViewer\QuickDCF.exe
    C:\WINDOWS\system32\taskmgr.exe
    C:\Program Files\WallWatcher\WallWatcher.exe
    C:\Program Files\World Time\WorldTime.exe
    C:\WINDOWS\system32\cmd.exe
    C:\Program Files\Norton SystemWorks\Norton Utilities\SYSDOC32.EXE
    C:\WINDOWS\system32\mmc.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\LVComS.exe
    C:\Program Files\Logitech\ImageStudio\LowLight.exe
    C:\Program Files\PowerChute\apcsystray.exe
    C:\Program Files\Port Explorer\PortExplorer.exe
    C:\Program Files\TCPView\Tcpview.exe
    C:\Program Files\Ping Plotter\PingPlotter.exe
    C:\Program Files\Ping Plotter\PingPlotter.exe
    C:\Program Files\Ping Plotter\PingPlotter.exe
    C:\Program Files\Yahoo!\Messenger\YPager.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Program Files\VisualRoute\VisualRoute.exe
    C:\WINDOWS\System32\jview.exe
    C:\Program Files\TESP\ABouncer.exe
    C:\Program Files\VisualRoute\exe\vrdns2.exe
    C:\Program Files\Netscape\Netscape 7\Netscp.exe
    C:\Program Files\Agent\agent.exe
    C:\WINDOWS\hh.exe
    C:\Program Files\Ember\Ember.exe
    C:\Program Files\ProcExp\procexp.exe
    C:\WINDOWS\hh.exe
    C:\WINDOWS\system32\notepad.exe
    C:\Utility\HijackThis.exe


    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride=localhost
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page=C:\WINDOWS\System32\blank.htm
    N3 - Netscape 7: user_pref("browser.startup.homepage", "http://my.yahoo.com/"); (C:\Documents and Settings\ccroll\Application Data\Mozilla\Profiles\default\mj8naw6n.slt\prefs.js)
    N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%206%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\ccroll\Application Data\Mozilla\Profiles\default\mj8naw6n.slt\prefs.js)
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1.1\SDHelper.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [IMJPMIG8.1] C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32
    O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
    O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
    O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\NORTON~1\navapw32.exe
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [Run StartupMonitor] StartupMonitor.exe
    O4 - HKLM\..\Run: [DU Meter] C:\Program Files\DU Meter\DUMeter.exe
    O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
    O4 - HKLM\..\Run: [LogitechGalleryRepair] C:\Program Files\Logitech\ImageStudio\ISStart.exe
    O4 - HKLM\..\Run: [LogitechImageStudioTray] C:\Program Files\Logitech\ImageStudio\LogiTray.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
    O4 - HKCU\..\Run: [BlazeChanger] C:\Program Files\Ember\FBZPaper.exe
    O4 - HKCU\..\Run: [WindowsUptime] "C:\Utility\Windows Uptime.exe" /i
    O4 - Startup: Command Prompt.lnk = C:\WINDOWS\system32\cmd.exe
    O4 - Startup: Norton System Doctor.LNK = C:\Program Files\Norton SystemWorks\Norton Utilities\SYSDOC32.EXE
    O4 - Startup: PM - Dell1600.lnk = C:\WINDOWS\system32\PerfMon\Dell 1600 Resources.msc
    O4 - Global Startup: APC UPS Status.lnk = ?
    O4 - Global Startup: Exif Launcher.lnk = C:\Program Files\FinePixViewer\QuickDCF.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O4 - Global Startup: Task Manager.lnk = C:\WINDOWS\system32\taskmgr.exe
    O4 - Global Startup: WallWatcher.lnk = C:\Program Files\WallWatcher\WallWatcher.exe
    O4 - Global Startup: World Time.lnk = C:\Program Files\World Time\WorldTime.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O9 - Extra button: Trace (HKLM)
    O9 - Extra 'Tools' menuitem: VisualRoute Trace (HKLM)
    O9 - Extra 'Tools' menuitem: Sun Java Console (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
    O9 - Extra button: Net2Phone (HKLM)
    O9 - Extra 'Tools' menuitem: Net2Phone (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Messenger (HKLM)
    O9 - Extra button: SmartWhois (HKLM)
    O9 - Extra 'Tools' menuitem: SmartWhois (HKLM)
    O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: symsupportutil - http://www.symantec.com/techsupp/activedata/symsupportutil.CAB
    O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
    O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security1.norton.com/SSC/SharedContent/vc/bin/AvSniff.cab
    O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst.cab
    O16 - DPF: {31FD415A-1103-4329-B323-2DE693146C4E} (InstallHelper Class) - http://survey.prod.there.com/qualsurvey/ThereInstallHelper.cab
    O16 - DPF: {556DDE35-E955-11D0-A707-000000521957} - http://www.xblock.com/download/xclean_micro.exe
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/7a020f7646f8a7/housecall.antivirus.com/housecall/xscan53.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37682.6937847222
    O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/SSC/SharedContent/common/bin/cabsa.cab
    O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - http://www.symantec.com/techsupp/activedata/ActiveData.cab
    O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://by2fd.bay2.hotmail.msn.com/activex/HMAtchmt.ocx
    O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://fdl.msn.com/public/chat/msnchat45.cab
    O16 - DPF: {FEC3E5A3-50F7-4B0C-97D8-01CF69DFBFC7} (Measurement Service Client) - http://ccon.madonion.com/global/msc.cab
     
  2. Dan Perez

    Dan Perez Retired Moderator

    Joined:
    May 18, 2003
    Posts:
    1,495
    Location:
    Sunny San Diego
    Hi nitecruzr

    I don't see anything that might account for the behaviour you noted. I have been reading with interest the thread in the DCS forum and have done some searches but have found nothing definitive yet. Unfortunately I am not too familiar with XP. I do have a couple of ideas which I will post there though.

    Regards,

    Dan
     
  3. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    Did WorldTime really not get a spyware alert or do you run it with the alert cleansed from it? SbS&D and Ad-Aware both alarmed on it here.
    I uninstalled it for that reason.
    You might like to get that MSOffice from the startup too, unless you use it the whole day.
    Looking deeper, waiting for others' comments.
     
  4. nitecruzr

    nitecruzr Registered Member

    Joined:
    Jul 10, 2003
    Posts:
    15
    Location:
    Northern California
    Jooske,

    I've been using WT for years. Never seen an alert on it. Just checked my AA and Spybot logs, and I don't see anything there either. Is it possible you downloaded yours from a dodgy site? :rolleyes:

    Don't care about M$ components tho. I suffer from M$ induced blindness - there's so much of it, I tend to ignore it. I think that was automatically installed by MSO originally. A lot of folks call Windoze a virus - but I've not seen NAI, Symantec, nor Kaspersky identify it as such. ;)
     
  5. some guy

    some guy Guest

    Disable the SSDP Discovery Service and the Universal Plug and Play Device Host.
    http://www.updatexp.com/upnp_security.html
     
  6. nitecruzr

    nitecruzr Registered Member

    Joined:
    Jul 10, 2003
    Posts:
    15
    Location:
    Northern California
    Thank you all for your comments and suggestions. The traffic was caused by about a dozen UPnP enabled hosts, all within my ISP's address space, repeatedly conversing with each other. And, after disabling UPnP, the traffic has stopped.

    I now have to deal with the problems in Port Explorer which contributed to the confusion. Also I need to ask questions of my ISP, which apparently filters UPnP traffic at its outer borders (??). And I may have to deal with reduced functionality in MSN Messenger (which is what prompted me to enable UPnP originally).

    :rolleyes:
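Added example for the diagnosis in posts 1, 5 and 6 (this is not code from the thread or from DiamondCS): how to find out which service inside svchost.exe actually owns UDP/1900, then stop and disable the two UPnP services "some guy" named and confirm the listener is gone. It assumes an elevated PowerShell on Windows 8 / Server 2012 or later (Get-NetUDPEndpoint does not exist on XP); the service names SSDPSRV and upnphost are the real ones. On an XP-era box the same steps are `netstat -ano` (PID of the 1900 socket), `tasklist /svc` (which services that svchost PID hosts), then `sc config upnphost start= disabled` and `sc config SSDPSRV start= disabled`.

```powershell
# Added example, not from the original thread. Run in an elevated PowerShell.
# A single svchost.exe hosts many services, so "svchost owns port 1900" only
# says which process group the socket belongs to; the service-level mapping
# below is what tells you it is SSDP Discovery, not a hijacked binary.

function Get-Port1900Owner {
    # One row per UDP/1900 listener: owning PID, image name, and the services
    # hosted in that PID (for svchost that is usually several).
    Get-NetUDPEndpoint -LocalPort 1900 -ErrorAction SilentlyContinue | ForEach-Object {
        $owner = $_.OwningProcess
        $proc  = Get-Process -Id $owner -ErrorAction SilentlyContinue
        $svcs  = Get-CimInstance Win32_Service -Filter "ProcessId = $owner" |
                 Select-Object -ExpandProperty Name
        [pscustomobject]@{
            LocalAddress = $_.LocalAddress
            Pid          = $owner
            Process      = $proc.ProcessName
            Services     = ($svcs -join ',')
        }
    }
}

function Disable-UPnPServices {
    # upnphost depends on SSDPSRV, so handle it first. Stop now so the socket
    # closes immediately, then set Disabled so nothing restarts it on demand.
    foreach ($name in 'upnphost', 'SSDPSRV') {
        $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
        if (-not $svc) { Write-Warning "$name is not installed on this system"; continue }
        if ($svc.Status -ne 'Stopped') { Stop-Service -Name $name -Force }
        Set-Service -Name $name -StartupType Disabled
        Get-Service -Name $name | Select-Object Name, Status, StartType
    }
}

'Before:'; Get-Port1900Owner | Format-Table -AutoSize
Disable-UPnPServices | Format-Table -AutoSize
'After:';  Get-Port1900Owner | Format-Table -AutoSize   # no rows once SSDPSRV is stopped
```

Two caveats a practitioner would want. First, this also disables UPnP for everything on the box, including the NAT traversal that MSN Messenger wanted in the first post and discovery of LAN devices such as media servers and printers. Second, SSDP is a link-local multicast protocol (239.255.255.250:1900); unicast SSDP arriving from addresses outside your own subnet, as in post 1, means the ISP is not filtering UDP/1900 at the customer edge, and the cleaner fix is to drop inbound UDP/1900 on the router's WAN side and leave the services alone if you still need them on the LAN.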
     
  7. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,331
    Location:
    Netherlands
    Hi nitecruzr,

    I was wondering why you put the command prompt in your startup:
    O4 - Startup: Command Prompt.lnk = C:\WINDOWS\system32\cmd.exe

    That's about the only extraordinary item I can find in your log.

    Regards,

    Pieter
     
  8. nitecruzr

    nitecruzr Registered Member

    Joined:
    Jul 10, 2003
    Posts:
    15
    Location:
    Northern California
    Pieter,

    I like to have a Command window open for quick access to command line utilities. I put it in Startup so it's at the top of the Toolbar so I can find it quickly. I have a 4 line toolbar because I multitask a lot.

    Cheers,

    Chuck
     
  9. Pieter_Arntz

    Pieter_Arntz Spyware Veteran

    Joined:
    Apr 27, 2002
    Posts:
    13,331
    Location:
    Netherlands
    That will change as soon as they find a way to remove it and run without it. :D

    On a more serious note. I can't find any other suspicious items in your log either.

    Following up on some guy's advice, have a look here: http://www.blackviper.com/WinXP/servicecfg.htm

    Regards,

    Pieter
     