BillCherryAtl Posted October 2, 2009 ID:137083 Share Posted October 2, 2009 Hey folks. I've been receiving an alert that Malwarebytes has blocked out-going traffic with IP xxx.xx.xx.xx (it changes). I've attempted to use my Process Explorer and TCP port viewer to identify what's calling home. I've checked the IP's and in each case it is to places with which I have no connection like China and some advertising firm in California. I've done a HJT scan before checking it myself but could not find the culprit. It was suggested to me that In post it here knowing other eyes may see something I do not see. BTW, the calling home generally occurs shortly after boot but rarely after that.Logfile of Trend Micro HijackThis v2.0.2Scan saved at 07:11:25, on 10/2/2009Platform: Windows XP SP3 (WinNT 5.01.2600)MSIE: Internet Explorer v7.00 (7.00.6000.16876)Boot mode: NormalRunning processes:C:\WINDOWS\System32\smss.exeC:\WINDOWS\system32\winlogon.exeC:\WINDOWS\system32\services.exeC:\WINDOWS\system32\lsass.exeC:\WINDOWS\system32\svchost.exeC:\WINDOWS\System32\svchost.exeC:\WINDOWS\system32\spoolsv.exeC:\WINDOWS\Explorer.EXEC:\WINDOWS\system32\hkcmd.exeC:\Program Files\WinAlarm\WinAlarm.exeC:\Program Files\BillP Studios\WinPatrol\winpatrol.exeC:\Program Files\Java\jre6\bin\jusched.exeC:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exeC:\Program Files\Fanix\As-U-Type\AsutypeFull.exeC:\Program Files\Skype\Phone\Skype.exeC:\Program Files\Secunia\PSI\psi.exeC:\Program Files\Skype\Plugin Manager\skypePM.exeC:\Program Files\Java\jre6\bin\jqs.exeC:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exeC:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exeC:\Program Files\Sandboxie\SbieSvc.exeC:\WINDOWS\system32\svchost.exeC:\WINDOWS\Explorer.EXEC:\PMAIL\Programs\winpm-32.exeC:\Program Files\Mozilla Firefox\firefox.exeC:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exeC:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exeC:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exeC:\PROGRA~1\TRENDM~1\INTERN~1\PccGuide.exeC:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exeC:\Program Files\Internet Explorer\iexplore.exeC:\WINDOWS\system32\notepad.exeC:\Program Files\Trend Micro\HijackThis\HijackThis.exeO2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dllO2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dllO2 - BHO: WOT Helper - {C920E44A-7F78-4E64-BDD7-A57026E7FEB7} - C:\Program Files\WOT\WOT.dllO2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dllO2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dllO2 - BHO: Ziptionary BHO - {F9FF8423-50F2-4f80-A31D-D1A03DBE9D86} - C:\Program Files\Ziptionary\ziptionary.dllO3 - Toolbar: WOT - {71576546-354D-41c9-AAE8-31F2EC22BF0D} - C:\Program Files\WOT\WOT.dllO4 - HKLM\..\Run: [igfxTray] C:\WINDOWS\system32\igfxtray.exeO4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exeO4 - HKLM\..\Run: [sBAutoUpdate] "C:\Program Files\SpywareBlaster\sbautoupdate.exe"O4 - HKLM\..\Run: [WinAlarm] C:\Program Files\WinAlarm\WinAlarm.exeO4 - HKLM\..\Run: [WinPatrol] C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe -expressbootO4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 14\pccguide.exe"O4 - HKLM\..\Run: [brMfcWnd] C:\Program Files\Brother\Brmfcmon\BrMfcWnd.exe /AUTORUNO4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"O4 - HKLM\..\Run: [Malwarebytes' Anti-Malware] "C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe" /starttrayO4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscriptO4 - HKCU\..\Run: [As-U-Type 3.2.0.5] C:\Program Files\Fanix\As-U-Type\AsutypeFull.exeO4 - HKCU\..\Run: [skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimizedO4 - Startup: Secunia PSI.lnk = C:\Program Files\Secunia\PSI\psi.exeO4 - Startup: Tiny Watcher Logon Time.lnk = C:\Program Files\Watcher\Watcher.exeO4 - Global Startup: As-U-Type.lnk = C:\Program Files\Fanix\As-U-Type\AsutypeFull.exeO4 - Global Startup: Online Assistant.lnk = C:\Program Files\American Express Online Assistant\OnlineAssistant.exeO8 - Extra context menu item: &Dictionary - http://files.db3nf.com/scripts/ie.htmO8 - Extra context menu item: Append Link Target to Existing PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.htmlO8 - Extra context menu item: Append to Existing PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIEAppend.htmlO8 - Extra context menu item: Convert Link Target to Adobe PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.htmlO8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEFavClient.dll/AcroIECapture.htmlO8 - Extra context menu item: Sothink SWF Catcher - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htmO9 - Extra button: Sothink SWF Catcher - {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htmO9 - Extra 'Tools' menuitem: Sothink SWF Catcher - {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htmO9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exeO9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exeO15 - Trusted Zone: http://download.windowsupdate.comO16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://appldnld.apple.com.edgesuite.net/co...ex/qtplugin.cabO16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1209425495265O16 - DPF: {DE625294-70E6-45ED-B895-CFFA13AEB044} (AxisMediaControlEmb Class) - http://192.168.1.103/activex/AMC.cabO16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} (get_atlcom Class) - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cabO18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLLO18 - Protocol: wot - {C2A44D6B-CB9F-4663-88A6-DF2F26E4D952} - C:\Program Files\WOT\WOT.dllO23 - Service: Adobe Version Cue CS4 - Adobe Systems Incorporated - C:\Program Files\Common Files\Adobe\Adobe Version Cue CS4\Server\bin\VersionCueCS4.exeO23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exeO23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exeO23 - Service: MBAMService - Malwarebytes Corporation - C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exeO23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exeO23 - Service: Sandboxie Service (SbieSvc) - tzuk - C:\Program Files\Sandboxie\SbieSvc.exeO23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exeO23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exeO23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exeO24 - Desktop Component 0: (no name) - (no file)--End of file - 7287 bytesThank you for looking. Link to post Share on other sites More sharing options...
Staff screen317 Posted October 4, 2009 Staff ID:137674 Share Posted October 4, 2009 Hi and welcome to Malwarebytes.Are you connected to the Internet when "it's phoning home?"Download DDS by sUBs and save it to your Desktop.Double-click on the DDS icon and let the scan run. When it has run two logs will be produced, please post the one that is not minimized.-screen317 Link to post Share on other sites More sharing options...
Staff screen317 Posted October 12, 2009 Staff ID:142085 Share Posted October 12, 2009 Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.Other members who need assistance please start your own topic in a new thread. Thanks! Link to post Share on other sites More sharing options...
Recommended Posts