1. Computer problem? Tech Support Guy is completely free -- paid for by advertisers and donations. Click here to join today! If you're new to Tech Support Guy, we highly recommend that you visit our Guide for New Members.

Who is This?????

Discussion in 'Virus & Other Malware Removal' started by dabwid, Oct 3, 2003.

Thread Status:
Not open for further replies.
Advertisement
  1. dabwid

    dabwid Thread Starter

    Joined:
    Aug 3, 2003
    Messages:
    209
    OrgName: Internet Assigned Numbers Authority
    OrgID: IANA
    Address: 4676 Admiralty Way, Suite 330
    City: Marina del Rey
    StateProv: CA
    PostalCode: 90292-6695
    Country: USNetRange: 192.168.0.0 - 192.168.255.255
    CIDR: 192.168.0.0/16
    NetName: IANA-CBLK1
    NetHandle: NET-192-168-0-0-1
    Parent: NET-192-0-0-0-0
    NetType: IANA Special Use
    NameServer: BLACKHOLE-1.IANA.ORG
    NameServer: BLACKHOLE-2.IANA.ORG
    Comment: This block is reserved for special purposes.
    Comment: Please see RFC 1918 for additional information.
    Comment:
    RegDate: 1994-03-15
    Updated: 2002-09-16

    OrgAbuseHandle: IANA-IP-ARIN
    OrgAbuseName: Internet Corporation for Assigned Names and Number
    OrgAbusePhone: +1-310-301-5820
    OrgAbuseEmail: [email protected]

    OrgTechHandle: IANA-IP-ARIN
    OrgTechName: Internet Corporation for Assigned Names and Number
    OrgTechPhone: +1-310-301-5820
    OrgTechEmail: [email protected]

    # ARIN WHOIS database, last updated 2003-10-02 19:15
    # Enter ? for additional hints on searching ARIN's WHOIS database.

    My firewall has blocked aprox. 50 attempts today from this address. My computer talks to it with C:\Windows\System32\ntoskml.exe
     
  2. BillC

    BillC

    Joined:
    May 28, 2003
    Messages:
    2,366
    I'm not really sure what is going on, but I'd do a virus scan. My search keeps on bring up the W32.FunLove.4099 virus {look here} when I try to figure out what ntoskml.exe is all about.

    I'd update my antivirus definitions and run a scan or do one online at TrendMicro Housecall. It sounds like you might be infected?
     
  3. dabwid

    dabwid Thread Starter

    Joined:
    Aug 3, 2003
    Messages:
    209
    Trend Micro Online scan comes up clean. Panda makes IE stop running. I am using Avast V4.1 Home Edition. It comes up clean. I am using Sygate Personal Firewall 5.1.
    Here is my Hijack log:

    Logfile of HijackThis v1.97.2
    Scan saved at 5:56:24 PM, on 10/3/2003
    Platform: Windows 2000 SP4 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\Program Files\Sygate\SPF\Smc.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    C:\Program Files\Alwil Software\Avast4\ashserv.exe
    C:\WINDOWS\system32\crypserv.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\regsvc.exe
    C:\WINDOWS\system32\MSTask.exe
    C:\WINDOWS\System32\WBEM\WinMgmt.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Alwil Software\Avast4\ashDisp.exe
    C:\WINDOWS\StartupMonitor.exe
    C:\Program Files\JonathanGrimes\Simply Transparent 7\SimplyTransparent.exe
    C:\Program Files\SpywareGuard\sgmain.exe
    C:\Program Files\Find-a-Drug\server.exe
    C:\Program Files\Find-a-Drug\think.exe
    C:\Program Files\Find-a-Drug\tray.exe
    C:\Program Files\SpywareGuard\sgbhp.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\BearShare\BearShare.exe
    C:\Program Files\BearShare\BearShare.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\PROGRA~1\VCOM\Fix-It\mxtask.exe
    C:\Documents and Settings\All Users\Desktop\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by SaveWealth
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 6.0\READER\ACTIVEX\ACROIEHELPER.DLL
    O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\PROGRAM FILES\SPYWAREGUARD\DLPROTECT.DLL
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: (no name) - {9527D42F-D666-11D3-B8DD-00600838CD5F} - C:\WINDOWS\system32\IETie.dll
    O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [avast!] C:\Program Files\Alwil Software\Avast4\ashDisp.exe
    O4 - HKLM\..\Run: [Run StartupMonitor] StartupMonitor.exe
    O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\Smc.exe -startgui
    O4 - Global Startup: Simply Transparent.lnk = C:\Program Files\JonathanGrimes\Simply Transparent 7\SimplyTransparent.exe
    O4 - Global Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
    O4 - Global Startup: think.lgo
    O8 - Extra context menu item: &Google Search - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmsearch.html
    O8 - Extra context menu item: Backward &Links - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmbacklinks.html
    O8 - Extra context menu item: Cac&hed Snapshot of Page - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmcache.html
    O8 - Extra context menu item: Si&milar Pages - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmsimilar.html
    O8 - Extra context menu item: Translate into English - res://C:\PROGRAM FILES\GOOGLE\GOOGLETOOLBAR2.DLL/cmtrans.html
    O9 - Extra button: TREND MICRO HouseCall (HKLM)
    O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
    O16 - DPF: {1842B0EE-B597-11D4-8997-00104BD12D94} (iCC Class) - http://www.pcpitstop.com/internet/pcpConnCheck.cab
    O16 - DPF: {737D14F8-4090-11D4-AE0E-0010830243BD} (SysVerChk Control) - http://pointa.autodesk.com/portal/lang/neutral/SysVerChk.ocx
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/76808a0e7ae82f/housecall.antivirus.com/housecall/xscan53.cab
    O16 - DPF: {78AF2F24-A9C3-11D3-BF8C-0060B0FCC122} (AcDcToday Control) - file://C:\Program Files\AutoCAD 2002\AcDcToday.ocx
    O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.installengine.com/engine/isetup.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37890.9108680556
    O16 - DPF: {AE563720-B4F5-11D4-A415-00108302FDFD} (NOXLATE-BANR) - http://pointa.autodesk.com/portal/lang/enu/InstBanr.Ocx
    O16 - DPF: {C6637286-300D-11D4-AE0A-0010830243BD} (InstaFred) - http://pointa.autodesk.com/portal/lang/enu/InstFred.Ocx
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    O16 - DPF: {F281A59C-7B65-11D3-8617-0010830243BD} (AcPreview Control) - file://C:\Program Files\AutoCAD 2002\AcPreview.ocx
     
  4. TOGG

    TOGG

    Joined:
    Apr 2, 2002
    Messages:
    5,856
    IANA is a 'legit' organisation http://www.iana.org/ and I can't imagine why it should want to access your machine.

    Ntoskml.exe appears to be a Windows NT file, is that your OS? Have you run an antivirus scan lately and which port does your firewall claim is being attacked, or at least contacted, by IANA?

    I suppose it is possible that some hacker/cracker has somehow managed to 'spoof' IANA's address in some way (because it is so 'respectable' and trustworthy) but I don't know how that could be done.

    Sorry I can't be of much help. Perhaps you could try contacting IANA and see what they say about your firewall's findings.
     
  5. dabwid

    dabwid Thread Starter

    Joined:
    Aug 3, 2003
    Messages:
    209
    Found two virus,
    win32:kuang C:\windows\system\activescan\imscan.dll
    win95:matyas C;windows\system\activescan\pav.sig
    Found with Avast4.1 Home Edition, TrendMirco missed them.
     
  6. VirtualMe

    VirtualMe

    Joined:
    Sep 27, 2002
    Messages:
    867
    I just wonder since you tried the Panda ActiveScan, if those are some of Panda ActiveScan files that Avast is picking up.



    Note down at the bottom of this web page/

    http://www.pcpitstop.com/safe.asp

     
  7. VirtualMe

    VirtualMe

    Joined:
    Sep 27, 2002
    Messages:
    867
    Did you turn off Avast before you tried the Panda online scan?
     
  8. dabwid

    dabwid Thread Starter

    Joined:
    Aug 3, 2003
    Messages:
    209
    Avast off still can not scan. Firewall also off still get IE error. The file for the active scan had not been accessed since 9/10/03, I have ran several scan since then. I wonder why it just showed up today? Is that file safe to delete?
     
  9. VirtualMe

    VirtualMe

    Joined:
    Sep 27, 2002
    Messages:
    867
    dabwid,

    I've tried three times to use Panda's online scan and it has failed to download all three times for me also.

    It gets down to the last little bit, then I get an error on page.
     
  10. dabwid

    dabwid Thread Starter

    Joined:
    Aug 3, 2003
    Messages:
    209
    I have tried to disable firewall and virus protection and I still can not get Panda to work. I get a password window with no clue as what the password is, none of mine work. I have tried a couple other ones and they work fine.
     
  11. brindle

    brindle

    Joined:
    Jun 14, 2002
    Messages:
    3,520
    Did you read this from Norton?
     
  12. dabwid

    dabwid Thread Starter

    Joined:
    Aug 3, 2003
    Messages:
    209
    Why does it not show up on all the scans I have done. I have done four different virus scans and nothing has shown up.
     
  13. Sponsor

As Seen On
As Seen On...

Welcome to Tech Support Guy!

Are you looking for the solution to your computer problem? Join our site today to ask your question. This site is completely free -- paid for by advertisers and donations.

If you're not already familiar with forums, watch our Welcome Guide to get started.

Join over 733,556 other people just like you!

Thread Status:
Not open for further replies.

Short URL to this thread: https://techguy.org/169337

  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.
    Dismiss Notice