
Hijack Log

Discussion in 'Malware and Virus Removal Archive' started by FireDancer, 2004/12/11.

Thread Status:
Not open for further replies.
  1. 2004/12/11
    FireDancer Lifetime Subscription

    FireDancer Inactive Thread Starter

    Joined:
    2003/04/14
    Messages:
    460
    Likes Received:
    0
    Hi all,

    I am experiencing servicehost wanting to send UDP to the net every time I boot, and it was suggested to me in a previous post that I might have adware, but all my scans show I am clean. Using Ad-Aware SE, SpyBot, SpywareBlaster, SpywareGuard, NOD32 AV (current signature), TDS-3 Trojan Hunter, and all find nothing. Can someone look at my HJT log and tell me if there is something needing to be removed? The address it tries to send to is 239.255.255.250 and I deny it always, but it is getting annoying.

    Thanks in advance,
    FireDancer


    Logfile of HijackThis v1.97.7
    Scan saved at 11:26:44 PM, on 12/11/2004
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\System32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    C:\Program Files\Eset\nod32krn.exe
    C:\Program Files\Kerio\Personal Firewall\persfw.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\carpserv.exe
    C:\Program Files\Eset\nod32kui.exe
    C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    C:\Program Files\SpywareGuard\sgmain.exe
    C:\Program Files\SpywareGuard\sgbhp.exe
    C:\PROGRA~1\mozilla.org\Mozilla\Mozilla.exe
    D:\SoftWare\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = http://windowsupdate.microsoft.com/
    O1 - Hosts: 64.91.255.87 www.dcsresearch.com
    O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn\ycomp5_5_7_0.dll
    O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn\ycomp5_5_7_0.dll
    O4 - HKLM\..\Run: [CARPService] carpserv.exe
    O4 - HKLM\..\Run: [SBAutoUpdate] "C:\Program Files\SpywareBlaster\sbautoupdate.exe "
    O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
    O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb10.exe
    O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    O4 - HKCU\..\Run: [Mozilla Quick Launch] "C:\Program Files\mozilla.org\Mozilla\Mozilla.exe" -turbo
    O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
    O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
    O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
    O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
    O10 - Broken Internet access because of LSP provider 'imon.dll' missing
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.c...ls/en/x86/client/wuweb_site.cab?1102574274833
     
    Last edited: 2004/12/11
  2. 2004/12/11
    Newt

    Newt Inactive

    Joined:
    2002/01/07
    Messages:
    10,974
    Likes Received:
    2
    Does this help?

    If not, give a yell and I'll try to put that link and other similar ones into English but I really hope that one will do it. I really, really do. :)

    Short answer - it is not spyware and not dangerous but can be annoying.
     
    Newt,
    #2


  4. 2004/12/12
    Dez Bradley

    Dez Bradley Inactive

    Joined:
    2004/10/11
    Messages:
    246
    Likes Received:
    0
    Sorry, I advised you wrongly that it may be adware. That port is used by Windows SSDP and Windows Messenger (not to be confused with MSN Messenger, the chat program); both can be disabled.

    Here's more detail:

    In XP, the Simple Service Discovery Protocol (SSDP) discovery service searches for Universal Plug and Play devices on your home network. SSDP searches for upstream Internet gateways using UDP port 1900 at startup. This is a potential security risk many people will want to block.

    Programs like Norton's Internet Security have a block on port 1900 built in. If you have a firewall, blocking port 1900 for the UDP protocol inbound and outbound stops SSDP.

    The Universal Plug and Play Network Address Translation (NAT) traversal discovery used by Windows Messenger broadcasts on UDP 1900 as well.

    To turn off Windows Messenger's broadcasts using regedit:

    Hive: HKEY_LOCAL_MACHINE
    Key: Software\Microsoft\DirectPlayNATHelp\DPNHUPnP
    Name: UPnPMode
    Type: REG_DWORD
    Value: 2 (disabled) <<<<==== What you need to change (to)

    With UPnPMode=2, Universal Plug and Play Network Address Translation (NAT) traversal discovery does not occur.

    You can also turn off the "Messenger" service in Admin Tools - Services, but I haven't tested if this works by itself.

    So Windows is doing the talk on UDP 1900 not adware. If you need more help let me know.
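    An added example, not code from Dez or anyone else in this thread: a PowerShell script that audits the two settings described above (the UPnPMode registry value and a UDP 1900 firewall block) and applies them only when run with -Apply. It assumes Windows 8 / Server 2012 or later for the NetSecurity cmdlets (the XP box in this thread used Kerio, which has no cmdlets), an elevated session, and the rule names below, which are constructed for the example.

```powershell
# Added example, not code from the thread. Audits the two mitigations Dez
# describes (UPnPMode=2 in the registry, UDP 1900 blocked in both directions)
# and applies them only when run with -Apply. Assumptions: Windows 8 / Server
# 2012 or later for the NetSecurity cmdlets, an elevated PowerShell session,
# and the rule names below, which are constructed for this example.
param([switch]$Apply)

$keyPath   = 'HKLM:\Software\Microsoft\DirectPlayNATHelp\DPNHUPnP'  # key from the thread
$valueName = 'UPnPMode'
$disabled  = 2                                                       # 2 = disabled, per the thread
$ruleBase  = 'Block SSDP UDP 1900 (example)'                        # constructed rule name

# 1. Registry: an absent value means the Windows default (discovery enabled).
$current = (Get-ItemProperty -Path $keyPath -Name $valueName -ErrorAction SilentlyContinue).$valueName
if ($null -eq $current) { 'UPnPMode: not set (default)' } else { "UPnPMode: $current" }

# 2. Service: SSDPSRV is the SSDP Discovery service, which runs inside one of
#    the svchost.exe instances; report its state rather than touching svchost.
$ssdp = Get-Service -Name SSDPSRV -ErrorAction SilentlyContinue
if ($ssdp) { "SSDPSRV: $($ssdp.Status), start type $($ssdp.StartType)" } else { 'SSDPSRV: not present' }

# 3. Firewall: look for the example rules left by an earlier run.
$rules = Get-NetFirewallRule -DisplayName "$ruleBase*" -ErrorAction SilentlyContinue
"Firewall rules matching '$ruleBase': $(@($rules).Count)"

if (-not $Apply) { 'Audit only; re-run with -Apply to change settings.'; return }

# Apply the registry setting, creating the key if it does not exist yet.
if (-not (Test-Path $keyPath)) { New-Item -Path $keyPath -Force | Out-Null }
Set-ItemProperty -Path $keyPath -Name $valueName -Value $disabled -Type DWord

# Stop and disable SSDP Discovery (the Admin Tools > Services step).
if ($ssdp) {
    Stop-Service -Name SSDPSRV -Force -ErrorAction SilentlyContinue
    Set-Service  -Name SSDPSRV -StartupType Disabled
}

# Block UDP 1900 only, in and out, instead of blocking svchost.exe wholesale:
# inbound discovery arrives on local port 1900, outbound discovery is sent to
# remote port 1900.
if (-not $rules) {
    New-NetFirewallRule -DisplayName "$ruleBase - In"  -Direction Inbound  -Protocol UDP `
        -LocalPort 1900  -Action Block -Profile Any | Out-Null
    New-NetFirewallRule -DisplayName "$ruleBase - Out" -Direction Outbound -Protocol UDP `
        -RemotePort 1900 -Action Block -Profile Any | Out-Null
}
```

    Run it once without -Apply to see the current state, then with -Apply from an elevated prompt. The script deliberately never touches svchost.exe itself, only the SSDP service and the port.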
     
  5. 2004/12/12
    Lonny Jones

    Lonny Jones Inactive Alumni

    Joined:
    2002/12/16
    Messages:
    2,252
    Likes Received:
    0
    :D

    Topic "Hijack Log" see Posting rules item 3
    Logfile of HijackThis v1.97.7, a current version might show us more

    AVG Free & NOD32: it's not recommended to have more than one AV or firewall running, or even installed, at the same time.

    Regards
     
  6. 2004/12/12
    FireDancer Lifetime Subscription

    FireDancer Inactive Thread Starter

    Joined:
    2003/04/14
    Messages:
    460
    Likes Received:
    0
    Newt, Dez and Lonny

    Thanks for the replies, and I apologize for posting in the wrong area. First, I did remove AVG; I had forgotten it was loaded because I don't keep many icons on my desktop and it was set not to start on boot. I have removed it, as Lonny is right, there is no need for 2 AVs on one PC. My NOD is very powerful and I am happy with it.

    Dez, don't be sorry for trying to help; who knows, I might have had a bug in there that wasn't detected. That was my first thought, that maybe my scanners were not finding a nasty and it was trying to phone home.

    Newt, thanks for the links, but that went way over my head LOL!!!! What I did do for now is went into my firewall settings and wrote a rule for Service Host to be denied both ways on any port, TCP/UDP. To catch you all up on some recent changes, though, as it might or might not have anything to do with this problem: I am working in FL on a national catastrophe team and will be here for a year or longer, and my work consists of uploading and downloading files every day to the home office. Two other co-workers and I moved into a local condo and we can work out of our home... so I got the local internet company to install a router so we would have high speed. I went out and bought a Linksys wireless router and set up a secure access point.

    I have it set up so that only these three PCs can use it. WEP/open, DHCP broadcast is disabled, and I am using MAC addressing for the 3 PCs. I am the only one with the 4 key codes, as I control the router config from my PC and have it secured with an admin password. Do I need to reconfig it? Is this part of my problem? I am thinking not. Thanks for all your help in advance.

    FireDancer

    :confused:
     
  7. 2004/12/12
    Newt

    Newt Inactive

    Joined:
    2002/01/07
    Messages:
    10,974
    Likes Received:
    2
    That may work for you but it may cause unexpected problems.

    Svchost.exe is not a normal program. It's a 'wrapper' for various program-type files, and some of them may need internet access via TCP or UDP or both. Hard to tell, but I'd say if any apps that did work suddenly quit, you may have overtightened things.

    Here is a list from my PC of what all is running under the various sessions of svchost.exe
    Code:
    Image Name                   PID Services                                     
    ========================= ====== =============================================
    svchost.exe                  868 DcomLaunch, TermService                      
    svchost.exe                  928 RpcSs                                        
    svchost.exe                 1024 AudioSrv, Browser, CryptSvc, Dhcp, dmserver, 
                                     ERSvc, EventSystem, helpsvc, lanmanserver,   
                                     lanmanworkstation, Netman, Nla, RasMan,      
                                     Schedule, seclogon, SENS, SharedAccess,      
                                     ShellHWDetection, TapiSrv, Themes, TrkWks,   
                                     W32Time, winmgmt, wscsvc, wuauserv, WZCSVC   
    svchost.exe                 1072 Dnscache                                     
    svchost.exe                 1164 LmHosts, RemoteRegistry, SSDPSRV, WebClient  
    svchost.exe                 1940 stisvc
     
    Newt,
    #6
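    An added example, not from Newt or anyone else in this thread: a PowerShell script that ties the UDP 1900 socket back to the particular svchost.exe instance and the services it hosts, using the same two sources Newt's listing comes from (`tasklist /svc`, plus `netstat -ano`). The two helper functions are hypothetical names for this example; the sample tasklist and netstat lines embedded below are constructed so the script runs without the live commands, and the defaults run the real commands when called without arguments.

```powershell
# Added example, not code from the thread. Maps a UDP 1900 listener to the
# svchost.exe instance that owns it and the services hosted in that instance.
# Assumptions: PowerShell 5.1 or later; tasklist.exe and netstat.exe present
# when the functions are called without arguments. Helper names are hypothetical.

function Get-SvchostServiceMap {
    # Parse `tasklist /svc /fo csv` into PID -> (Image, Services).
    param([string[]]$CsvLines = (tasklist /svc /fo csv))
    $map = @{}
    foreach ($row in ($CsvLines | ConvertFrom-Csv)) {
        $map[[int]$row.PID] = [pscustomobject]@{
            Image    = $row.'Image Name'
            Services = @(($row.Services -split ',\s*') | Where-Object { $_ -and $_ -ne 'N/A' })
        }
    }
    return $map
}

function Get-Udp1900Owners {
    # Parse `netstat -ano -p udp` and return the PIDs bound to UDP port 1900.
    # UDP rows have four fields: Proto, Local Address, Foreign Address, PID.
    param([string[]]$NetstatLines = (netstat -ano -p udp))
    $owners = @()
    foreach ($line in $NetstatLines) {
        $f = ($line.Trim() -split '\s+')
        if ($f.Count -ge 4 -and $f[0] -eq 'UDP' -and $f[1] -match ':1900$') {
            $owners += [int]$f[-1]
        }
    }
    return ($owners | Sort-Object -Unique)
}

# --- constructed sample data standing in for the two live commands ---
$sampleTasklist = @(
    '"Image Name","PID","Services"',
    '"svchost.exe","1024","AudioSrv,Browser,CryptSvc,Dhcp"',
    '"svchost.exe","1164","LmHosts,RemoteRegistry,SSDPSRV,WebClient"',
    '"persfw.exe","1300","N/A"'
)
$sampleNetstat = @(
    'Active Connections',
    '',
    '  Proto  Local Address          Foreign Address        State           PID',
    '  UDP    0.0.0.0:1900           *:*                                    1164',
    '  UDP    127.0.0.1:1900         *:*                                    1164',
    '  UDP    0.0.0.0:500            *:*                                    684'
)

# Drop the -CsvLines / -NetstatLines arguments to run against the live machine.
$services = Get-SvchostServiceMap -CsvLines $sampleTasklist
foreach ($owner in (Get-Udp1900Owners -NetstatLines $sampleNetstat)) {
    $entry = $services[$owner]
    if ($entry) {
        "PID $owner ($($entry.Image)) listens on UDP 1900; hosted services: $($entry.Services -join ', ')"
    } else {
        "PID $owner listens on UDP 1900 but was not found in the tasklist output"
    }
}
```

    With the constructed sample the report names the single svchost instance hosting SSDPSRV, which is the one to tune (or the port to block) rather than a blanket rule against svchost.exe; on a live box the same report tells you which of Newt's sessions is the one sending to 239.255.255.250.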
  8. 2004/12/12
    Dez Bradley

    Dez Bradley Inactive

    Joined:
    2004/10/11
    Messages:
    246
    Likes Received:
    0
    Yes, as Newt says, and as I replied to the other thread about this today, don't block svchost itself, as many other programs need it to function. Only block UDP port 1900.
     