NETSTAT: unwanted connection to mediaplex

Status
This thread has been Locked and is not open to further replies. Please start a New Thread if you're having a similar issue. View our Welcome Guide to learn how to use this site.

jmc

Thread Starter
Joined
Oct 6, 2002
Messages
390
when I do a netstat command in a DOS prompt, the first thing that it shows is that UNKNOWN-86.mediaplex.com:HTTP is connected through port 2550, and is in a TIME_WAIT state. This cannot be good. I have ZoneAlarm up and running, but there were times recently when I've been diagnosing problems with the broadband connection, and ZA wasn't on.

I'm still learning, so I don't quite know what a TIME_WAIT is, or even how mediaplex made this connection, or what it means. At any rate, this connection is there, and I don't want it. How do I break this connection, and block mediaplex from connecting through that port?

What is port 2550's normal function?

(post copied from its original location under Networking, as it's probably misposted there)
 

jmc

Thread Starter
Joined
Oct 6, 2002
Messages
390
Here's my HijackThis log. The very last item was indeed the offending connection. I deleted that, but when I did netstat, I found 4 more connections! Obviously, there's a hole in my security somewhere (or is this because I forgot to turn ZA on before establishing my broadband connection this morning?) - any help is appreciated.

The new connections are:
207.46.107.53:1863, Status: Established
216.239.59.104:http (established)
24.137.12.200:http (time_wait)
winguides.com:http (time_wait)
caming.vip.ashb.att.discovery.com:http (established)

Please, tell me which are the offending lines, and how I can better protect my network! Thanks for the help...

Logfile of HijackThis v1.97.3
Scan saved at 9:58:34 AM, on 15-Oct-03
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
D:\WINNT\System32\smss.exe
D:\WINNT\system32\winlogon.exe
D:\WINNT\system32\services.exe
D:\WINNT\system32\lsass.exe
D:\WINNT\system32\svchost.exe
D:\WINNT\system32\spoolsv.exe
D:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
D:\WINNT\System32\CTsvcCDA.exe
D:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
D:\WINNT\System32\svchost.exe
J:\UTILIT~1\NORTON~1\NORTON~2\GHOSTS~2.EXE
J:\Utilities\NortonSystemWorks\Norton Utilities\NPROTECT.EXE
D:\WINNT\system32\regsvc.exe
D:\WINNT\system32\MSTask.exe
D:\WINNT\System32\tcpsvcs.exe
D:\WINNT\System32\snmp.exe
J:\UTILIT~1\NORTON~1\SPEEDD~1\nopdb.exe
D:\WINNT\System32\ups.exe
D:\WINNT\System32\WBEM\WinMgmt.exe
D:\WINNT\System32\MsPMSPSv.exe
D:\WINNT\system32\svchost.exe
J:\Online\DU Meter\DUMeter.exe
D:\WINNT\system32\atiptaxx.exe
D:\WINNT\system32\dla\tfswctrl.exe
J:\hardware\photoscanner\Photo Imaging\Hpi_JetSend.exe
J:\hardware\photoscanner\Photo Imaging\Hpi_Monitor.exe
D:\program files\umsd1.3\umsd.exe
D:\WINNT\system32\CTHELPER.EXE
D:\Program Files\Common Files\Symantec Shared\ccApp.exe
J:\Utilities\NortonSystemWorks\Norton Ghost\GhostStartTrayApp.exe
D:\WINNT\system32\gsicon.exe
D:\WINNT\system32\dslagent.exe
J:\HARDWARE\ATI\main\LaunchPd.exe
J:\HARDWARE\ATI\main\ATISched.EXE
J:\testing\DS Clock\dsclock.exe
D:\Program Files\BT Broadband\Help\bin\mpbtn.exe
J:\Online\AnalogX\Proxy\proxy.exe
J:\Online\ZoneAlarm\zonealarm.exe
D:\WINNT\SYSTEM32\ZONELABS\vsmon.exe
J:\Utilities\NortonSystemWorks\Norton AntiVirus\navapsvc.exe
D:\WINNT\System32\AQUARIUM.SCR
J:\Trillian\trillian.exe
J:\Webcam Watcher2\wcw.exe
D:\WINNT\explorer.exe
J:\Eudora\Eudora.exe
J:\WinZip\winzip32.exe
J:\Online\Mozilla\mozilla.exe
D:\WINNT\system32\cmd.exe
J:\WinZip\winzip32.exe
D:\DOCUME~1\JODI~1.SIL\LOCALS~1\Temp\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by WildHorse Computing
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - j:\acrobatreader\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - J:\Online\Spybot\SDHelper.dll
O2 - BHO: (no name) - {5CA3D70E-1895-11CF-8E15-001234567890} - D:\WINNT\system32\dla\tfswshx.dll
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - d:\winnt\downloaded program files\googletoolbar_en_2.0.95-deleon.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - J:\Utilities\NortonSystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - D:\WINNT\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - d:\winnt\downloaded program files\googletoolbar_en_2.0.95-deleon.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - J:\Utilities\NortonSystemWorks\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [DU Meter] J:\Online\DU Meter\DUMeter.exe
O4 - HKLM\..\Run: [ATIPTA] atiptaxx.exe
O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
O4 - HKLM\..\Run: [StorageGuard] "D:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [dla] D:\WINNT\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [HPIJetSend] J:\hardware\photoscanner\Photo Imaging\Hpi_JetSend.exe
O4 - HKLM\..\Run: [CXMon] "j:\hardware\photoscanner\Photo Imaging\Hpi_Monitor.exe"
O4 - HKLM\..\Run: [PLoader] d:\program files\umsd1.3\umsd.exe sys_auto_run D:\Program Files\UMSD1.3
O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
O4 - HKLM\..\Run: [UpdReg] D:\WINNT\UpdReg.EXE
O4 - HKLM\..\Run: [ccApp] "D:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "D:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [GhostStartTrayApp] J:\Utilities\NortonSystemWorks\Norton Ghost\GhostStartTrayApp.exe
O4 - HKLM\..\Run: [SpybotSnD] "J:\Online\Spybot\SpybotSD.exe" /autocheck
O4 - HKLM\..\Run: [GSICONEXE] gsicon.exe
O4 - HKLM\..\Run: [DSLAGENTEXE] dslagent.exe USB
O4 - HKCU\..\Run: [ATI Launchpad] "J:\HARDWARE\ATI\main\LaunchPd.exe"
O4 - HKCU\..\Run: [ATI Scheduler] J:\HARDWARE\ATI\main\ATISched.EXE
O4 - HKCU\..\Run: [DS Clock] J:\testing\DS Clock\dsclock.exe
O4 - Global Startup: BT Broadband Help.lnk = D:\Program Files\BT Broadband\Help\bin\matcli.exe
O8 - Extra context menu item: &Google Search - res://d:\winnt\downloaded program files\GoogleToolbar_en_2.0.95-deleon.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://d:\winnt\downloaded program files\GoogleToolbar_en_2.0.95-deleon.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://d:\winnt\downloaded program files\GoogleToolbar_en_2.0.95-deleon.dll/cmcache.html
O8 - Extra context menu item: Si&milar Pages - res://d:\winnt\downloaded program files\GoogleToolbar_en_2.0.95-deleon.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page - res://d:\winnt\downloaded program files\GoogleToolbar_en_2.0.95-deleon.dll/cmtrans.html
O9 - Extra button: ATI TV (HKLM)
O9 - Extra button: Related (HKLM)
O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
O16 - DPF: {2253F320-AB68-4A07-917D-4F12D8884A06} (ChainCast VMR Client Proxy) - http://64.124.45.181/downloads/ccpm_0237.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security3.norton.com/SSC/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37883.6369560185
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security3.norton.com/SSC/SharedContent/sc/bin/cabsa.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
 

jmc

Thread Starter
Joined
Oct 6, 2002
Messages
390
AAARGH, they're breeding! Just ran netstat again, there are more connections. ZoneAlarm IS running, as is NAV. SpyBot found nothing untoward. AdAware6 found 'alexa' but removal of this didn't fix the problem. Really need some help here, apparently.

Also, I did a route print, near as I can tell everything is OK there, except:

Network destination: 217.32.9.50
Netmask: 255.255.255.255
Gateway: [my broadband gateway]
Interface: [same]

On reboot, all connections were gone, and the offending route print entry was also gone. There was a line in Hijack This that reappeared, I re-deleted it (but darn, forgot to write it down!) After reconnecting the broadband, the same IP in route print reappeared, and new (mostly different) unwanted connections are showing in netstat.

What would be the correct syntax to block the listed IP address shown in route print? Are the entries in netstat and route print related?

Any ideas?
 

jmc

Thread Starter
Joined
Oct 6, 2002
Messages
390
This is the item from HijackThis that I removed using the program, but it reappears on a reboot:

O17 - HKLM\System\CCS\Services\Tcpip\..\{FA7C57DE-EDCB-4AF0-A5D6-D1F4686EF5F8}: NameServer = 194.72.9.34 194.74.65.68

I'm assuming this is something bad, but how and where do I delete whatever is making it persistent?
 

dvk01

Retired Moderator Retired Malware Specialist
Joined
Dec 14, 2002
Messages
56,452
First Name
Derek
you need that O17 entry; it's BT's name servers. Without it you will be unable to find any sites on the net.

mediaplex etc. are advert sites that many other web pages link to to display the ads.

for example, on these forums the adverts are hosted by burstnet.com, so if you did a netstat whilst on the forum, you would have entries for TSG, burstnet and whichever other advertising host the forums are currently using.

provided you are running an antivirus & your firewall, don't panic.

Nothing untoward is happening, just normal net behaviour.
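To make the point of the reply concrete, here is an added example (not from anyone in this thread) that parses netstat output in the layout Windows prints and separates live connections from TIME_WAIT leftovers. The sample output is constructed from the hosts mentioned above; the local machine name and local ports are made up.

```python
import re
from collections import Counter

# Constructed sample in the layout of Windows "netstat" without -n.  The remote
# hosts are the ones named in the thread; "mypc" and the local ports are invented.
# The local port (e.g. 2550) is just the ephemeral port the client side picked;
# the service being talked to is the remote port (http = 80).
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    mypc:2550              UNKNOWN-86.mediaplex.com:http  TIME_WAIT
  TCP    mypc:2551              207.46.107.53:1863     ESTABLISHED
  TCP    mypc:2552              216.239.59.104:http    ESTABLISHED
  TCP    mypc:2553              24.137.12.200:http     TIME_WAIT
  TCP    mypc:2554              winguides.com:http     TIME_WAIT
  TCP    mypc:2555              caming.vip.ashb.att.discovery.com:http  ESTABLISHED
"""

# TIME_WAIT is the state of a TCP socket that has already been closed on this
# side; it lingers for a couple of minutes so stray late packets cannot be taken
# for a new connection.  It is a remnant, not a live channel, so there is nothing
# to "break".  Only these states carry an open connection.
LIVE_STATES = {"ESTABLISHED", "SYN_SENT", "SYN_RECEIVED"}

LINE_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)\s+(\S+)?")

def parse_netstat(text):
    """Return one dict per connection line: proto, local, remote host, port, state."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skips the title, header and blank lines
        proto, local, foreign, state = m.groups()
        host, _, port = foreign.rpartition(":")  # hostnames may contain no ':'
        rows.append({"proto": proto, "local": local, "host": host,
                     "port": port, "state": state or ""})
    return rows

def summarize(rows):
    """Count live connections and TIME_WAIT leftovers per remote host."""
    live = Counter(r["host"] for r in rows if r["state"] in LIVE_STATES)
    leftovers = Counter(r["host"] for r in rows if r["state"] == "TIME_WAIT")
    return {"live": dict(live), "time_wait": dict(leftovers)}

if __name__ == "__main__":
    for kind, hosts in summarize(parse_netstat(SAMPLE_NETSTAT)).items():
        print(kind)
        for host, n in hosts.items():
            print(f"  {host:40s} {n}")
```

Run against real output with `netstat | python thisfile.py`-style plumbing after swapping the constant for `sys.stdin.read()`; a browser session to an ad-supported page typically leaves exactly this mix of ESTABLISHED and TIME_WAIT entries to ad hosts.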
 