
O17 - Tcpip NameServer: NameServer = 209.244.0.3 209.244.0.4


5 replies to this topic

#1 JeffBerry

JeffBerry

  • Members
  • 3 posts

Posted 13 December 2006 - 10:42 PM

Hi, I don't think I have much on my computer but I think this one entry is a problem:
O17 - HKLM\System\CCS\Services\Tcpip\..\{451379D8-7AF3-45F6-A515-F895450F63E2}: NameServer = 209.244.0.3 209.244.0.4

In ZoneAlarm I will watch as I first have to 'ok' SVCHOST.EXE, and then yet a second time again!
This results in the O17 - Tcpip NameServer = 209.244.0.3 209.244.0.4 HJT entry appearing.
It seems that the first and presumably legit SVCHOST.exe opens a second one right after the first, this can't be right can it?

I have scanned with various tools, I have even removed various Tcpip Registry entries, but directly after 'ok'ing the first legit SVCHOST.exe the second one then asks for permission and then WHAMMO,
I get back the Registry entries I deleted and I get the O17 - NameServer HJT entry even after doing "fix checked".

Please if anyone can help me or tell me what this NameServer = 209.244.0.3 is exactly and if it is bad and how to remove it please.
Thank you.


Logfile of HijackThis v1.99.1
Scan saved at 10:28:59 PM, on 12/13/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\SYSTEM32\ZONELABS\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
D:\SCAN\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
D:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe
C:\Program Files\Handspring\HOTSYNC.EXE
C:\WINDOWS\SYSTEM32\notepad.exe
D:\FIREFOX\firefox.exe
C:\hijack\analyse.exe

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = https://register.autodesk.com/
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O4 - HKLM\..\Run: [NvCplDaemon] "RUNDLL32.EXE" C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] "nwiz.exe" /install
O4 - HKLM\..\Run: [NvMediaCenter] "RUNDLL32.EXE" C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [AVG7_CC] "C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe" /STARTUP
O4 - HKLM\..\Run: [Zone Labs Client] "D:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe"
O4 - Startup: HotSync Manager.lnk = C:\Program Files\Handspring\HOTSYNC.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{451379D8-7AF3-45F6-A515-F895450F63E2}: NameServer = 209.244.0.3 209.244.0.4
O23 - Service: Autodesk Licensing Service - Unknown owner - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - D:\SCAN\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\SYSTEM32\ZONELABS\vsmon.exe


#2 Daemon

Daemon

    Security Expert


  • Members
  • 1,446 posts
  • Gender:Male
  • Location:UK

Posted 14 December 2006 - 12:05 AM

Does this mean anything to you:

OrgName: Level 3 Communications, Inc.
OrgID: LVLT
Address: 1025 Eldorado Blvd.
City: Broomfield
StateProv: CO
PostalCode: 80021
Country: US

If this is your ISP then removing the O17 may break your internet connection.

Have I helped you? Please consider donating to help me continue with the fight against malware. Click here

#3 JeffBerry

JeffBerry
  • Topic Starter

  • Members
  • 3 posts

Posted 14 December 2006 - 01:47 AM

Hi, thanks very much for any help here.

I use MSN dialup.

Typically my dynamic IP# resolves to - [Level3 (Level 3 Communications)]

When I go online a few things happen with my current Zone Alarm settings & in this order.

1.) ZA asks : SVCHOST.exe is trying to access -239.255.255.250:Port 1900. (From what I have learned this is a function of Windows PnP Networked stuff and I guess is ok.)

2.) ZA asks : SVCHOST.exe is trying to access - 209.244.0.3 DNS. MSN dialup ISP?

3.) ZA asks : Firefox wants to access the Trusted Zone - 127.0.0.1:1044 - This is Localhost and I guess normal?

4.) ZA asks : Firefox wants to access the internet - 216.239.37.104:HTTP - This is Google


Perhaps then Level 3 must connect with TWO instances of SVCHOST.exe, which I will then see running concurrently in ZA. 216.239.37.104:HTTP must be MSN or Level 3? I guess? I just thought it strange to see it listed as running twice in ZoneAlarm and assumed this second instance is a trojan.

I am sorry for my ignorance but am just worried.
Because also after connecting everything, SVCHOST.exe will also even then subsequently ask to now then additionally 'accept connections from the internet' at 209.244.0.3 and 209.244.0.4
However if I disallow this, I still can view webpages etc.

So with any guidance, would it therefore be safe to assume, in comparing my dynamic IP# to Level 3 and this mystery 209.244.0.3 to also 'Level 3', that it is just my ISP?

I HAVE seen this similar type of HJT O17 Tcpip/NameServer entry listed by other people but do not know, as I must be the last person to still have dialup with MSN.

Again any help would be great, thank you very much.

Lastly would there be any other suspect listings you see in my HJT log?
I seem to recognize most, even autodesk.com as its my 3DMAX program.

Thank you.

#4 Daemon

Daemon

    Security Expert


  • Members
  • 1,446 posts
  • Gender:Male
  • Location:UK

Posted 14 December 2006 - 02:20 AM

The O17 entries in HJT are there to check for Domain Hacks. These are when the Hijacker changes the DNS servers on your machine to point to their own server, where they can direct you to any site they want.

O17 entries are not particularly common and quite often relate to infections such as Wareout, however, they can be legitimate. They appear in the HJT log from my machine for my ISP for example. That is why I asked you if you recognized the domain as belonging to your ISP.

"Level 3 is one of the largest providers of wholesale dial-up service to ISPs in North America..." I can't walk you through all the various connections your setup of IE is making when you go online as that's not my field but I can tell you that your O17 entry isn't hacked - both the IPs resolve to Level 3.

The rest of your log looks OK.
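The check Daemon describes above (are the O17 resolvers the ISP's, or something a hijacker set?) can be automated for anyone reading this later. The following is an added example, not code from the thread or from HijackThis: it parses O17 lines out of an HJT log, and on Windows can also read the live NameServer / DhcpNameServer values from the Tcpip interface keys, then flags any resolver that falls outside an allowlist of netblocks. The allowlist and the second log line are constructed placeholders; fill the allowlist from what whois reports for your own ISP, as Daemon did with Level 3 here.

```python
"""Flag DNS resolvers (HijackThis O17 entries) that are not in an expected allowlist.

Added example, not part of the original thread. Placeholders: ALLOWED_NETWORKS and the
second line of SAMPLE_LOG are constructed for this example.
"""
import ipaddress
import re
import sys
from dataclasses import dataclass, field

# HJT O17 lines look like:
#   O17 - HKLM\System\CCS\Services\Tcpip\..\{GUID}: NameServer = 1.2.3.4 5.6.7.8
# The key contains no spaces, so a lazy \S+? up to ": " isolates it.
O17_RE = re.compile(r"^O17 - (?P<key>\S+?): (?P<value>\w+) = (?P<data>.*)$")

# Constructed sample log: first line is the entry from the thread, second is a
# constructed entry pointing at a documentation-range address (TEST-NET-3).
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O17 - HKLM\System\CCS\Services\Tcpip\..\{451379D8-7AF3-45F6-A515-F895450F63E2}: NameServer = 209.244.0.3 209.244.0.4
O17 - HKLM\System\CCS\Services\Tcpip\..\{00000000-0000-0000-0000-000000000000}: NameServer = 203.0.113.5
"""

# Placeholder allowlist: replace with the netblocks whois returns for your ISP's resolvers.
ALLOWED_NETWORKS = ["209.244.0.0/24"]


@dataclass
class O17Entry:
    key: str
    value: str                      # NameServer, DhcpNameServer, Domain, ...
    raw: str
    addresses: list = field(default_factory=list)   # parsed ip_address objects


def _parse_addresses(data):
    """Split a NameServer value (space or comma separated) into IP addresses; skip non-IP tokens."""
    addrs = []
    for tok in re.split(r"[ ,]+", data.strip()):
        try:
            addrs.append(ipaddress.ip_address(tok))
        except ValueError:
            pass                    # e.g. a Domain/SearchList entry, not an address
    return addrs


def parse_o17_lines(log_text):
    """Return the O17 entries found in an HJT log as O17Entry objects."""
    entries = []
    for line in log_text.splitlines():
        m = O17_RE.match(line.strip())
        if not m:
            continue
        entries.append(O17Entry(m.group("key"), m.group("value"), line.strip(),
                                _parse_addresses(m.group("data"))))
    return entries


def unexpected_resolvers(entries, allowed_networks):
    """Map each entry's raw line to the list of resolver addresses outside the allowlist."""
    nets = [ipaddress.ip_network(n) for n in allowed_networks]
    return {e.raw: [str(a) for a in e.addresses if not any(a in n for n in nets)]
            for e in entries}


def read_live_nameservers():
    """On Windows, read NameServer/DhcpNameServer per interface from the registry (empty elsewhere)."""
    if sys.platform != "win32":
        return []
    import winreg
    base = r"SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces"
    found = []
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, base) as root:
        i = 0
        while True:
            try:
                guid = winreg.EnumKey(root, i)
            except OSError:
                break               # no more subkeys
            i += 1
            with winreg.OpenKey(root, guid) as iface:
                for name in ("NameServer", "DhcpNameServer"):
                    try:
                        data, _ = winreg.QueryValueEx(iface, name)
                    except FileNotFoundError:
                        continue
                    if data:
                        found.append(O17Entry(f"{base}\\{guid}", name,
                                              f"{guid}: {name} = {data}", _parse_addresses(data)))
    return found


if __name__ == "__main__":
    for raw, bad in unexpected_resolvers(parse_o17_lines(SAMPLE_LOG), ALLOWED_NETWORKS).items():
        print(("REVIEW " if bad else "ok     ") + raw + (f"  -> unexpected: {bad}" if bad else ""))
```

Run it with no arguments to check the embedded sample; to check a real log, pass its text to parse_o17_lines, and on the affected Windows machine read_live_nameservers() gives the current registry values so the log can be compared against what is actually configured. An address outside the allowlist is a prompt to look the address up, not proof of a hijack: as the thread shows, an unfamiliar resolver is frequently just the ISP.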

#5 JeffBerry

JeffBerry
  • Topic Starter

  • Members
  • 3 posts

Posted 14 December 2006 - 11:59 PM

Thank you very much for taking the time in helping me. I sincerely appreciate your generosity.

I recently had to re-install Win XP due to viruses and had feared again more problems.

I do hope everything else as you say is ok, again thank you very much.

#6 Daemon

Daemon

    Security Expert


  • Members
  • 1,446 posts
  • Gender:Male
  • Location:UK

Posted 15 December 2006 - 01:45 AM

You're welcome - glad to help :thumbsup:

To help keep you clean follow the recommendations in the article here:

So how did I get infected?



As this problem has been resolved the topic will be closed. If you need this topic reopened, please email the moderating team - be sure to include the address of the thread and the name you posted under.