Svchost.exe trying to connect to random IPs

Hi,

So I’m not that computer savvy, but lately svchost.exe has been trying to connect to a bunch of random IP addresses, for example 94.99.85.228, 72.33.95.183, 77.37.169.29, 96.42.45.52, 88.5.127.227 etc., all through port 500 using the UDP protocol. What is this? Is this something I should be worried about, or is it Windows Update/uTorrent/Avast anti-virus or something like that?

I was recently affected by a trojan and possibly a rootkit, which I removed with Avast and other stuff, and my Hotmail was possibly hacked (or I simply forgot the password, but I’m pretty sure that was not the case, and Hotmail can’t tell me if someone else has logged in or not because of privacy issues or something LOL), so I’m a bit paranoid.

Svchost will do that if you don’t lock it down. UDP port 500 is part of IPsec; if you don’t use it, disable the service.

Okay, thank you for the answer, but how do I know if I’m using IPsec or not? I googled a bit and it seems like it does stuff for VPNs and encrypts information and stuff, but I’m not sure whether I can safely turn the service off or not. How do I know?

There is a Windows Service that provides IPsec. You can find the list of Services under Control Panel → Administrative Tools. To disable it, right-click on it and disable it from starting, or set it to Manual; when it is running you have to stop it first.

I set the IPsec service to Manual, but svchost.exe still tries to connect to the Internet at random times. What is wrong?

Is svchost still trying to connect using port 500? What IP addresses is it trying to connect to?

The IP addresses you provided were random addresses, not Microsoft-related. That makes them suspect to me.

Download Svchost Process Analyzer and let it scan. After scanning, can you show screenshot(s) of the warning(s) it gave?

Also note that setting a service to Manual does not keep it from starting, but merely from starting automatically with Windows: it can still be started if some application calls it.

If you want such a service never to start, the correct choice is Disabled.

Perhaps it’s just me, but I smell a botnet. :wink:
http://www.trustedsource.org/query/94.99.85.228 ← Check out that email spam on the IP lol.

To check the traffic and IP/port of svchost.exe, simply go to: Main Window of CIS >> Traffic >> click on any item >> the Active Connections window shows up. Now right-click and select “show full path” (good for finding out whether the svchost.exe doesn’t reside in C:\Windows\System32) and look over the list. Svchost should ONLY be connecting to port 53 and port 80 (port 80 only if you have Windows Update enabled, else it’s a webcrawler xP )

If you see it connecting to other ports, e.g. as you mentioned port 500 or port 25, assume it’s trouble and proceed to block the connections with a custom policy. I’m sure the moderators here can walk you through the process of setting up a Custom Policy and through a cleanup process. :slight_smile:

In the meantime, you can always use a Linux LiveCD? :smiley:
And pray tell they won’t tell you to “reformat your hard drive” in an effort to fix it, as they did me one time. :o

The fact that the calls to svchost are under its normal path, system32, is not enough to say they are safe.

The processes called can be ascertained from tasklist at the command line:

tasklist /svc /fi "imagename eq svchost.exe"

It is not true either that the only legitimate ports are 53 and 80: e.g. DHCP normally calls svchost at boot time, 255.255.255.255, UDP out ports 67 and 68.

For a fuller understanding of the svchost process, refer to:

I will visit this thread more often from now on.

Here is a list of some of the IP addresses it’s been connecting to lately:


http://img239.imagevenue.com/loc222/th_60762_Namnls2_122_222lo.jpg

http://img7.imagevenue.com/loc388/th_60770_Namnls4_122_388lo.jpg

Here is a screenshot of Svchost Process Analyzer; it seems to be saying that winhttp.exe couldn’t be found, and there is no explanation for the two warning signs at the top of the list.
http://i49.tinypic.com/16hjkuc.jpg

Okay, I’m gonna try disabling it completely.

Gonna try the other tips soon but I’m quite busy.

I decided to look up 2 of the addresses. It wasn’t much help.

121.44.30.179 ppp121-44-30-179.lns20.syd6.internode.on.net City Region/State Postal Code MANLY NEW SOUTH WALES - Country Name Country Code Time Zone AUSTRALIA AU +10:00 ISP Latitude Longitude INTERNET SERVICE PROVIDER -33.8 151.2833 Domain Name Net Speed IP Decimal ON.NET DSL 2032934579
94.27.93.188 SOL-FTTB.188.93.27.94.sovam.net.ua City Region/State Postal Code - - - Country Name Country Code Time Zone UKRAINE UA +02:00 ISP Latitude Longitude DHCP-FTTB-ZP-94-27-93-GTUA 50.433 30.517 Domain Name Net Speed IP Decimal SOVAM.NET.UA DSL 1578851772

Can you post a HijackThis report here???
You can download “HijackThis” at

Also, can you download “a-squared Free”

Update it (be sure to include beta updates in the options), run it, and post the results here. We’ll tell you if there is anything to delete or not.
After we can confirm the results for a-squared Free, if and when your computer is fine, then we can “uninstall” a-squared Free ← your choice though :slight_smile:

Here is HJT LOG:

Logfile of Trend Micro HijackThis v2.0.3 (BETA)
Scan saved at 20:21:10, on 2010-03-07
Platform: Windows Vista SP2 (WinNT 6.00.1906)
MSIE: Internet Explorer v8.00 (8.00.6001.18882)
Boot mode: Normal

Running processes:
C:\Windows\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\HP\QuickPlay\QPService.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QLBCTRL.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
C:\Program Files\Alwil Software\Avast4\ashDisp.exe
C:\Program Files\COMODO\COMODO Internet Security\cfp.exe
C:\Program Files\uTorrent\uTorrent.exe
C:\Program Files\DAEMON Tools Lite\DTLite.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Hewlett-Packard\HP wireless Assistant\WiFiMsg.EXE
C:\Program Files\Hewlett-Packard\Shared\HpqToaster.exe
C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
C:\Windows\System32\mobsync.exe
C:\Program Files\eMule\emule.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\TrendMicro\HiJackThis\jackrenamed.exe
C:\Windows\system32\DllHost.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=sv_se&c=91&bd=Presario&pf=cnnb
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.se/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=sv_se&c=91&bd=Presario&pf=cnnb
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=sv_se&c=91&bd=Presario&pf=cnnb
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = 
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = 
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = 
O1 - Hosts: ::1 localhost
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [QPService] "C:\Program Files\HP\QuickPlay\QPService.exe"
O4 - HKLM\..\Run: [UpdatePSTShortCut] "C:\Program Files\CyberLink\DVD Suite\MUITransfer\MUIStartMenu.exe" "C:\Program Files\CyberLink\DVD Suite" UpdateWithCreateOnce "Software\CyberLink\PowerStarter"
O4 - HKLM\..\Run: [UCam_Menu] "C:\Program Files\CyberLink\YouCam\MUITransfer\MUIStartMenu.exe" "C:\Program Files\CyberLink\YouCam" update "Software\CyberLink\YouCam\2.0"
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [QlbCtrl.exe] C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
O4 - HKLM\..\Run: [UpdateP2GoShortCut] "C:\Program Files\CyberLink\Power2Go\MUITransfer\MUIStartMenu.exe" "C:\Program Files\CyberLink\Power2Go" UpdateWithCreateOnce "SOFTWARE\CyberLink\Power2Go\6.0"
O4 - HKLM\..\Run: [UpdatePDIRShortCut] "C:\Program Files\CyberLink\PowerDirector\MUITransfer\MUIStartMenu.exe" "C:\Program Files\CyberLink\PowerDirector" UpdateWithCreateOnce "SOFTWARE\CyberLink\PowerDirector\7.0"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKLM\..\Run: [hpWirelessAssistant] C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [COMODO Internet Security] "C:\Program Files\COMODO\COMODO Internet Security\cfp.exe" -h
O4 - HKCU\..\Run: [uTorrent] "C:\Program Files\uTorrent\uTorrent.exe"
O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files\DAEMON Tools Lite\DTLite.exe" -autorun
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOKAL TJÄNST')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOKAL TJÄNST')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NÄTVERKSTJÄNST')
O4 - Global Startup: BankID säkerhetsprogram.lnk = C:\Program Files\Personal\bin\Personal.exe
O8 - Extra context menu item: E&xportera till Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Referensinformation - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O13 - Gopher Prefix: 
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{038A3904-F670-45F2-9FC2-9B9F71D14680}: NameServer = 156.154.70.22,156.154.71.22
O17 - HKLM\System\CCS\Services\Tcpip\..\{C2E91E99-A20E-4AA6-8E79-A2CB42C7FAD4}: NameServer = 156.154.70.22,156.154.71.22
O17 - HKLM\System\CS1\Services\Tcpip\..\{038A3904-F670-45F2-9FC2-9B9F71D14680}: NameServer = 156.154.70.22,156.154.71.22
O17 - HKLM\System\CS2\Services\Tcpip\..\{038A3904-F670-45F2-9FC2-9B9F71D14680}: NameServer = 156.154.70.22,156.154.71.22
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs:  C:\Windows\system32\guard32.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\Windows\system32\browseui.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: COMODO Internet Security Helper Service (cmdAgent) - COMODO - C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
O23 - Service: Com4QLBEx - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\Com4QLBEx.exe
O23 - Service: HP Health Check Service - Hewlett-Packard - c:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: Norton Internet Security - Unknown owner - C:\Program Files\Norton Internet Security\Engine\16.0.0.125\ccSvcHst.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\Windows\system32\nvvsvc.exe
O23 - Service: Recovery Service for Windows - Unknown owner - C:\Program Files\SMINST\BLService.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared files\RichVideo.exe
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe

--
End of file - 7715 bytes

A-squared found like 31 objects and 2 of them it couldn’t remove: something called trace.directory.carnivalCasino!A2 (this one was found in a directory I don’t even have, called c:/casino) and something called tracetrackingcookie.count!a2. But I didn’t do a full system scan because I didn’t have time; it only got to like 40% then I had to abort. Will do one again tomorrow and will use Avast and Malwarebytes too.

Let’s start here (if any problems happen after removing these, HijackThis creates a backup copy for this very reason) :slight_smile:

O4 - Global Startup: BankID säkerhetsprogram.lnk = C:\Program Files\Personal\bin\Personal.exe
<-----Do you know what this is?????? If you don't, delete the folder "PERSONAL"
C:\Program Files\eMule\emule.exe
<---Are you using eMule??? If not, delete it
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=sv_se&c=91&bd=Presario&pf=cnnb
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=sv_se&c=91&bd=Presario&pf=cnnb
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=sv_se&c=91&bd=Presario&pf=cnnb
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O1 - Hosts: ::1 localhost
O13 - Gopher Prefix:
Delete these (one or two of them might come back; don't worry if they do)
O17 - HKLM\System\CCS\Services\Tcpip\..\{038A3904-F670-45F2-9FC2-9B9F71D14680}: NameServer = 156.154.70.22,156.154.71.22
O17 - HKLM\System\CCS\Services\Tcpip\..\{C2E91E99-A20E-4AA6-8E79-A2CB42C7FAD4}: NameServer = 156.154.70.22,156.154.71.22
O17 - HKLM\System\CS1\Services\Tcpip\..\{038A3904-F670-45F2-9FC2-9B9F71D14680}: NameServer = 156.154.70.22,156.154.71.22
O17 - HKLM\System\CS2\Services\Tcpip\..\{038A3904-F670-45F2-9FC2-9B9F71D14680}: NameServer = 156.154.70.22,156.154.71.22
Delete these

C:\Program Files\SMINST\BLService.exe <— upload this to www.virustotal.com <— this is to get a second opinion from multiple anti-virus companies

O23 - Service: Norton Internet Security - Unknown owner - C:\Program Files\Norton Internet Security\Engine\16.0.0.125\ccSvcHst.exe (file missing)
<---Do you still use this? Also, since you're missing the file, you might as well delete this.
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
<-----Do you use Skype??? If not, delete this

Do you know Avast 5 is out???

Infections that can’t be removed can be removed in Windows Safe Mode. When using Safe Mode, after it’s cleaned, run it again to make sure it didn’t come back.

Also, after you’re SURE your computer is clean, delete all the “system restore” points and THEN create a new one.

I didn’t have time, it only got to like 40% then I had to abort, will do one again tomorrow and will use avast and malwarebytes too.
First update it, THEN run these in Windows "safe mode"

Okay, ran updated Avast, a-squared and Malwarebytes today in Safe Mode. After that I deleted the stuff in HJT (didn’t delete personal.exe, it’s my bank software). blservice.exe had 0/41 detections, so it seems alright. Lost Internet connection for a while, which was weird (I think it was the firewall messing about), but now it seems to work. Here is my HJT log now; I’ll wait and see what happens from now on. Gonna update to Avast 5 too.

Logfile of Trend Micro HijackThis v2.0.3 (BETA)
Scan saved at 16:06:14, on 2010-03-08
Platform: Windows Vista SP2 (WinNT 6.00.1906)
MSIE: Internet Explorer v8.00 (8.00.6001.18882)
Boot mode: Normal

Running processes:
C:\Windows\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\HP\QuickPlay\QPService.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QLBCTRL.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
C:\Program Files\Alwil Software\Avast4\ashDisp.exe
C:\Program Files\COMODO\COMODO Internet Security\cfp.exe
C:\Program Files\uTorrent\uTorrent.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Hewlett-Packard\HP wireless Assistant\WiFiMsg.EXE
C:\Program Files\Hewlett-Packard\Shared\HpqToaster.exe
C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
C:\Windows\System32\mobsync.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Windows\system32\wuauclt.exe
C:\Windows\system32\wuauclt.exe
C:\Program Files\hj\hjt\jackrenamed.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.se/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = 
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = 
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = 
O1 - Hosts: ::1 localhost
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [QPService] "C:\Program Files\HP\QuickPlay\QPService.exe"
O4 - HKLM\..\Run: [UpdatePSTShortCut] "C:\Program Files\CyberLink\DVD Suite\MUITransfer\MUIStartMenu.exe" "C:\Program Files\CyberLink\DVD Suite" UpdateWithCreateOnce "Software\CyberLink\PowerStarter"
O4 - HKLM\..\Run: [UCam_Menu] "C:\Program Files\CyberLink\YouCam\MUITransfer\MUIStartMenu.exe" "C:\Program Files\CyberLink\YouCam" update "Software\CyberLink\YouCam\2.0"
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [QlbCtrl.exe] C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
O4 - HKLM\..\Run: [UpdateP2GoShortCut] "C:\Program Files\CyberLink\Power2Go\MUITransfer\MUIStartMenu.exe" "C:\Program Files\CyberLink\Power2Go" UpdateWithCreateOnce "SOFTWARE\CyberLink\Power2Go\6.0"
O4 - HKLM\..\Run: [UpdatePDIRShortCut] "C:\Program Files\CyberLink\PowerDirector\MUITransfer\MUIStartMenu.exe" "C:\Program Files\CyberLink\PowerDirector" UpdateWithCreateOnce "SOFTWARE\CyberLink\PowerDirector\7.0"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKLM\..\Run: [hpWirelessAssistant] C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [COMODO Internet Security] "C:\Program Files\COMODO\COMODO Internet Security\cfp.exe" -h
O4 - HKCU\..\Run: [uTorrent] "C:\Program Files\uTorrent\uTorrent.exe"
O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files\DAEMON Tools Lite\DTLite.exe" -autorun
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOKAL TJÄNST')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOKAL TJÄNST')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NÄTVERKSTJÄNST')
O4 - Global Startup: BankID säkerhetsprogram.lnk = C:\Program Files\Personal\bin\Personal.exe
O8 - Extra context menu item: E&xportera till Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Referensinformation - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O13 - Gopher Prefix: 
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs:  C:\Windows\system32\guard32.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\Windows\system32\browseui.dll
O23 - Service: a-squared Free Service (a2free) - Emsi Software GmbH - C:\Program Files\a-squared Free\a2service.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: COMODO Internet Security Helper Service (cmdAgent) - COMODO - C:\Program Files\COMODO\COMODO Internet Security\cmdagent.exe
O23 - Service: Com4QLBEx - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\Com4QLBEx.exe
O23 - Service: HP Health Check Service - Hewlett-Packard - c:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\Windows\system32\nvvsvc.exe
O23 - Service: Recovery Service for Windows - Unknown owner - C:\Program Files\SMINST\BLService.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared files\RichVideo.exe
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe

--
End of file - 6366 bytes

didn't delete personal.exe it's my bank software
Cool; since I didn't know what that was, that's why I asked :)
Lost Internet connection for a while which was weird
Even though you're connected and it's back to normal, save the backup copy from HijackThis

As for the new hijack this report… seems good to me :-TU

blservice.exe had 0/41 detection so it seems alright.
That's good; you can do that with anything you find suspicious

ONLY as long as your computer is working perfectly, delete the old system restore backups and create a new one

Check to see if you have the latest Java (this has nothing to do with infections; it’s checking that you’re up to date on things)
http://www.java.com/en/download/index.jsp

Have Fun :wink:

I’m not really having any noticeable problems, but it’s still constantly connecting to random IPs. Here are a bunch from the last couple of days. Wtf could it be? Could this just be something legitimate?


http://img237.imagevenue.com/loc2/th_36814_Kalle_122_2lo.jpg

I'm not really having any noticeable problems
Are you playing games online, using P2P (or equivalent), or anything of that nature? Maybe Skype or something?

As I mentioned in my first post, UDP port 500 is used by IPsec. This is often used in VPN connections, particularly L2TP-based connections.

If you don’t use a VPN, or if you use PPTP, you don’t need to have IPsec running. Did you disable the service?

If you have done this but are still seeing these events in your logs, create a global rule to block them but remember to select not to log.

Yeah, disabled IPsec Policy Agent. Could it be Spotify or uTorrent doing this?

I don’t know anything about Spotify, but it’s quite possible these are connection requests from a torrent client. Most people don’t bother to configure their firewall rules correctly for these applications; they just let them do whatever they wish, so connections can be made to and from any port.

As I said, it’s possible to create global rules to block unnecessary incoming traffic; just don’t check the log box. If you look around the forum there’s a guide on how to set up torrent clients, and if you use uTorrent there are guides on that site too.