May 14, 200521 yr I am using Windows XP SP2 (all updates), Norton Firewall and Antivirus (always on and up to date). I have a cable internet connected through a cable modem and then router. Recently my firewall began blocking and reporting BO activity. It both comes from external IP's but also from IP 0.0.0.0 (don't know whether it's just a masked or actually means my own comptuer generates it). These scans come on a regular basis several times a day. I did not get such alerts at all before the last week or so, and I have not changed any hardware or software that has to do with my internet connection, IP visibility or firewall, so I'm surprised. Perhaps someone is deliberately targeting my IP (for reasons unknown). The firewall seems to be blocking the scans (it obviously blocks everything it detects), but it may not be able to detect everything. I did a full system scan with Norton Antivirus, then with latest AdAware and SB:SaD, and they all came clean. I also made a HJT log. I used an analyzer and it came clean too, here it is anyways: Logfile of HijackThis v1.99.1 Scan saved at 5:30:28 PM, on 13/05/2005 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Running processes: C:\WINDOWS\System32\smss[Caution: ExecutableFile] C:\WINDOWS\system32\winlogon[Caution: ExecutableFile] C:\WINDOWS\system32\services[Caution: ExecutableFile] C:\WINDOWS\system32\lsass[Caution: ExecutableFile] C:\WINDOWS\system32\svchost[Caution: ExecutableFile] C:\WINDOWS\System32\svchost[Caution: ExecutableFile] C:\WINDOWS\system32\spoolsv[Caution: ExecutableFile] C:\Program Files\Common Files\Symantec Shared\ccEvtMgr[Caution: ExecutableFile] C:\Program Files\Norton Internet Security\NISUM[Caution: ExecutableFile] C:\Program Files\Norton Internet Security\ccPxySvc[Caution: ExecutableFile] C:\Program Files\Norton AntiVirus\navapsvc[Caution: ExecutableFile] C:\WINDOWS\system32\nvsvc32[Caution: ExecutableFile] C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC[Caution: ExecutableFile] C:\WINDOWS\Explorer[Caution: ExecutableFile] C:\WINDOWS\system32\ctfmon[Caution: ExecutableFile] C:\WINDOWS\SOUNDMAN[Caution: ExecutableFile] C:\Program Files\Common Files\Symantec Shared\ccApp[Caution: ExecutableFile] C:\WINDOWS\system32\taskswitch[Caution: ExecutableFile] C:\Program Files\Common Files\Real\Update_OB\realsched[Caution: ExecutableFile] C:\Program Files\Valve\Steam\Steam[Caution: ExecutableFile] C:\Program Files\MSN Messenger\MsnMsgr[Caution: ExecutableFile] C:\Program Files\Internet Explorer\iexplore[Caution: ExecutableFile] C:\Program Files\Internet Explorer\iexplore[Caution: ExecutableFile] C:\Downloads\HijackThis1991[Caution: ExecutableFile] O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll O4 - HKLM\..\Run: [soundMan] SOUNDMAN[Caution: ExecutableFile] O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32[Caution: ExecutableFile] C:\WINDOWS\system32\NvCpl.dll,NvStartup O4 - HKLM\..\Run: [nwiz] nwiz[Caution: ExecutableFile] /install O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp[Caution: ExecutableFile]" O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy[Caution: ExecutableFile]" O4 - HKLM\..\Run: [symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon[Caution: ExecutableFile] /Consumer O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32[Caution: ExecutableFile] C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit O4 - HKLM\..\Run: [CoolSwitch] C:\WINDOWS\system32\taskswitch[Caution: ExecutableFile] O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched[Caution: ExecutableFile]" -osboot O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask[Caution: ExecutableFile]" -atboottime O4 - HKCU\..\Run: [CTFMON[Caution: ExecutableFile]] C:\WINDOWS\system32\ctfmon[Caution: ExecutableFile] O8 - Extra context menu item: Download with GetRight - C:\Program Files\GetRight\GRdownload.htm O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL[Caution: ExecutableFile]/3000 O8 - Extra context menu item: Open with GetRight Browser - C:\Program Files\GetRight\GRbrowse.htm O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQ5\ICQLite[Caution: ExecutableFile] O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQ5\ICQLite[Caution: ExecutableFile] O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs[Caution: ExecutableFile] O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs[Caution: ExecutableFile] O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/cabs/ ... 0_0_44.cab O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMe ... loader.cab O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr[Caution: ExecutableFile] O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc[Caution: ExecutableFile] O23 - Service: Symantec Proxy Service (ccPxySvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\ccPxySvc[Caution: ExecutableFile] O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService[Caution: ExecutableFile] O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc[Caution: ExecutableFile] O23 - Service: Norton Internet Security Accounts Manager (NISUM) - Symantec Corporation - C:\Program Files\Norton Internet Security\NISUM[Caution: ExecutableFile] O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32[Caution: ExecutableFile] O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ[Caution: ExecutableFile] O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc[Caution: ExecutableFile] O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC[Caution: ExecutableFile] I'm not sure what else I can do to prevent these BO scans (or maybe more then scans, I'm not sure how to find out). I'd appreciate any advice or suggestions concerning the matter. Live free or die. First option is exhausted, so guess what remains?
May 14, 200521 yr If the ip address is faked its no threat, as a connection requires both ip addresses to be correct inorder to communicate. I didnt think BackOrifice was still around if someone is deliberatly targeting you its most likly a newbe I personally wouldent worry about it to much. ~Dan64AuSince 27 Aug 2002
May 14, 200521 yr If the ip address is faked its no threat, as a connection requires both ip addresses to be correct inorder to communicate. I didnt think BackOrifice was still around if someone is deliberatly targeting you its most likly a newbe I personally wouldent worry about it to much. A threat is a threat no matter what, and the IP address being 'faked' doesn't mean the person isn't actually connected to you, it just means it is sending BS information to your Firewall. Also, I think BackOrifice had a sever set up to allow anyone infected to be accessed by anyone with the client. So in otherwords, there was a giant database of people with the server infecting their computer, and then anyone could simplylook at the DB, and connect to them... though I could be wrong, there were an awful lot of Trojans I used to deal with. In anycase, make sure you perform fll system scans with adaware spybot and your AV in safemode if you didn't already and I am sure someone will gladly check your HJT, just not me :wink: ...
Create an account or sign in to comment