
NETSTAT: unwanted connection to mediaplex

Discussion in 'Virus & Other Malware Removal' started by jmc, Oct 9, 2003.

  1. jmc

    jmc Thread Starter

    Joined:
    Oct 6, 2002
    Messages:
    390
    When I do a netstat command in a DOS prompt, the first thing that it shows is that UNKNOWN-86.mediaplex.com:HTTP is connected through port 2550, and is in a TIME_WAIT state. This cannot be good. I have ZoneAlarm up and running, but there were times recently when I've been diagnosing problems with the broadband connection, and ZA wasn't on.

    I'm still learning, so I don't quite know what a TIME_WAIT is, or even how mediaplex made this connection, or what it means. At any rate, this connection is there, and I don't want it. How do I break this connection, and block mediaplex from connecting through that port?

    What is port 2550's normal function?

    (post copied from its original location under Networking, as it's probably misposted there)
     
  2. mobo

    mobo

    Joined:
    Feb 23, 2003
    Messages:
    16,274
    Download HijackThis, unzip it and do a scan. Then copy and paste the saved log here.
     
  3. jmc

    jmc Thread Starter

    Joined:
    Oct 6, 2002
    Messages:
    390
    Here's my HijackThis log. The very last item was indeed the offending connection. I deleted that, but when I did netstat, I found 4 more connections! Obviously, there's a hole in my security somewhere (or is this because I forgot to turn ZA on before establishing my broadband connection this morning?) - any help is appreciated.

    The new connections are:
    207.46.107.53:1863, Status: Established
    216.239.59.104:http (established)
    24.137.12.200:http (time_wait)
    winguides.com:http (time_wait)
    caming.vip.ashb.att.discovery.com:http (established)

    Please, tell me which are the offending lines, and how I can better protect my network! Thanks for the help...

    Logfile of HijackThis v1.97.3
    Scan saved at 9:58:34 AM, on 15-Oct-03
    Platform: Windows 2000 SP4 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    D:\WINNT\System32\smss.exe
    D:\WINNT\system32\winlogon.exe
    D:\WINNT\system32\services.exe
    D:\WINNT\system32\lsass.exe
    D:\WINNT\system32\svchost.exe
    D:\WINNT\system32\spoolsv.exe
    D:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    D:\WINNT\System32\CTsvcCDA.exe
    D:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
    D:\WINNT\System32\svchost.exe
    J:\UTILIT~1\NORTON~1\NORTON~2\GHOSTS~2.EXE
    J:\Utilities\NortonSystemWorks\Norton Utilities\NPROTECT.EXE
    D:\WINNT\system32\regsvc.exe
    D:\WINNT\system32\MSTask.exe
    D:\WINNT\System32\tcpsvcs.exe
    D:\WINNT\System32\snmp.exe
    J:\UTILIT~1\NORTON~1\SPEEDD~1\nopdb.exe
    D:\WINNT\System32\ups.exe
    D:\WINNT\System32\WBEM\WinMgmt.exe
    D:\WINNT\System32\MsPMSPSv.exe
    D:\WINNT\system32\svchost.exe
    J:\Online\DU Meter\DUMeter.exe
    D:\WINNT\system32\atiptaxx.exe
    D:\WINNT\system32\dla\tfswctrl.exe
    J:\hardware\photoscanner\Photo Imaging\Hpi_JetSend.exe
    J:\hardware\photoscanner\Photo Imaging\Hpi_Monitor.exe
    D:\program files\umsd1.3\umsd.exe
    D:\WINNT\system32\CTHELPER.EXE
    D:\Program Files\Common Files\Symantec Shared\ccApp.exe
    J:\Utilities\NortonSystemWorks\Norton Ghost\GhostStartTrayApp.exe
    D:\WINNT\system32\gsicon.exe
    D:\WINNT\system32\dslagent.exe
    J:\HARDWARE\ATI\main\LaunchPd.exe
    J:\HARDWARE\ATI\main\ATISched.EXE
    J:\testing\DS Clock\dsclock.exe
    D:\Program Files\BT Broadband\Help\bin\mpbtn.exe
    J:\Online\AnalogX\Proxy\proxy.exe
    J:\Online\ZoneAlarm\zonealarm.exe
    D:\WINNT\SYSTEM32\ZONELABS\vsmon.exe
    J:\Utilities\NortonSystemWorks\Norton AntiVirus\navapsvc.exe
    D:\WINNT\System32\AQUARIUM.SCR
    J:\Trillian\trillian.exe
    J:\Webcam Watcher2\wcw.exe
    D:\WINNT\explorer.exe
    J:\Eudora\Eudora.exe
    J:\WinZip\winzip32.exe
    J:\Online\Mozilla\mozilla.exe
    D:\WINNT\system32\cmd.exe
    J:\WinZip\winzip32.exe
    D:\DOCUME~1\JODI~1.SIL\LOCALS~1\Temp\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by WildHorse Computing
    O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - j:\acrobatreader\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - J:\Online\Spybot\SDHelper.dll
    O2 - BHO: (no name) - {5CA3D70E-1895-11CF-8E15-001234567890} - D:\WINNT\system32\dla\tfswshx.dll
    O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - d:\winnt\downloaded program files\googletoolbar_en_2.0.95-deleon.dll
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - J:\Utilities\NortonSystemWorks\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: @msdxmLC.dll,[email protected],&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - D:\WINNT\System32\msdxm.ocx
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - d:\winnt\downloaded program files\googletoolbar_en_2.0.95-deleon.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - J:\Utilities\NortonSystemWorks\Norton AntiVirus\NavShExt.dll
    O4 - HKLM\..\Run: [DU Meter] J:\Online\DU Meter\DUMeter.exe
    O4 - HKLM\..\Run: [ATIPTA] atiptaxx.exe
    O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
    O4 - HKLM\..\Run: [StorageGuard] "D:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r
    O4 - HKLM\..\Run: [dla] D:\WINNT\system32\dla\tfswctrl.exe
    O4 - HKLM\..\Run: [HPIJetSend] J:\hardware\photoscanner\Photo Imaging\Hpi_JetSend.exe
    O4 - HKLM\..\Run: [CXMon] "j:\hardware\photoscanner\Photo Imaging\Hpi_Monitor.exe"
    O4 - HKLM\..\Run: [PLoader] d:\program files\umsd1.3\umsd.exe sys_auto_run D:\Program Files\UMSD1.3
    O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
    O4 - HKLM\..\Run: [UpdReg] D:\WINNT\UpdReg.EXE
    O4 - HKLM\..\Run: [ccApp] "D:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [ccRegVfy] "D:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
    O4 - HKLM\..\Run: [GhostStartTrayApp] J:\Utilities\NortonSystemWorks\Norton Ghost\GhostStartTrayApp.exe
    O4 - HKLM\..\Run: [SpybotSnD] "J:\Online\Spybot\SpybotSD.exe" /autocheck
    O4 - HKLM\..\Run: [GSICONEXE] gsicon.exe
    O4 - HKLM\..\Run: [DSLAGENTEXE] dslagent.exe USB
    O4 - HKCU\..\Run: [ATI Launchpad] "J:\HARDWARE\ATI\main\LaunchPd.exe"
    O4 - HKCU\..\Run: [ATI Scheduler] J:\HARDWARE\ATI\main\ATISched.EXE
    O4 - HKCU\..\Run: [DS Clock] J:\testing\DS Clock\dsclock.exe
    O4 - Global Startup: BT Broadband Help.lnk = D:\Program Files\BT Broadband\Help\bin\matcli.exe
    O8 - Extra context menu item: &Google Search - res://d:\winnt\downloaded program files\GoogleToolbar_en_2.0.95-deleon.dll/cmsearch.html
    O8 - Extra context menu item: Backward &Links - res://d:\winnt\downloaded program files\GoogleToolbar_en_2.0.95-deleon.dll/cmbacklinks.html
    O8 - Extra context menu item: Cac&hed Snapshot of Page - res://d:\winnt\downloaded program files\GoogleToolbar_en_2.0.95-deleon.dll/cmcache.html
    O8 - Extra context menu item: Si&milar Pages - res://d:\winnt\downloaded program files\GoogleToolbar_en_2.0.95-deleon.dll/cmsimilar.html
    O8 - Extra context menu item: Translate Page - res://d:\winnt\downloaded program files\GoogleToolbar_en_2.0.95-deleon.dll/cmtrans.html
    O9 - Extra button: ATI TV (HKLM)
    O9 - Extra button: Related (HKLM)
    O9 - Extra 'Tools' menuitem: Show &Related Links (HKLM)
    O16 - DPF: {2253F320-AB68-4A07-917D-4F12D8884A06} (ChainCast VMR Client Proxy) - http://64.124.45.181/downloads/ccpm_0237.cab
    O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security3.norton.com/SSC/SharedContent/vc/bin/AvSniff.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37883.6369560185
    O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security3.norton.com/SSC/SharedContent/sc/bin/cabsa.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
     
  4. jmc

    jmc Thread Starter

    Joined:
    Oct 6, 2002
    Messages:
    390
    AAARGH, they're breeding! Just ran netstat again, there are more connections. ZoneAlarm IS running, as is NAV. SpyBot found nothing untoward. AdAware6 found 'alexa' but removing this didn't fix the problem. Really need some help here, apparently.

    Also, I did a route print, near as I can tell everything is OK there, except:

    Network destination: 217.32.9.50
    Netmask: 255.255.255.255
    Gateway: [my broadband gateway]
    Interface: [same]

    On reboot, all connections were gone, and the offending route print entry was also gone. There was a line in HijackThis that reappeared; I re-deleted it (but darn, forgot to write it down!). After reconnecting the broadband, the same IP in route print reappeared, and new (mostly different) unwanted connections are showing in netstat.

    What would be the correct syntax to block the listed IP address shown in route print? Are the entries in netstat and route print related?

    Any ideas?
     
  5. jmc

    jmc Thread Starter

    Joined:
    Oct 6, 2002
    Messages:
    390
    This is the item from HijackThis that I removed using the program, but it reappears on a reboot:

    O17 - HKLM\System\CCS\Services\Tcpip\..\{FA7C57DE-EDCB-4AF0-A5D6-D1F4686EF5F8}: NameServer = 194.72.9.34 194.74.65.68

    I'm assuming this is something bad, but how and where do I delete whatever is making it persistent?
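The O17 line above lists the DNS servers configured for one network adapter, and the thread's reply identifies these two addresses as BT's own name servers. As an added example that is not part of the thread (my code, not HijackThis's), the script below parses O17 lines and reports any server that is not in the set the ISP assigns. The expected set is taken from the entry jmc posted (assumption: in practice you would take it from the ISP's documentation or `ipconfig /all` on a known-clean machine), and the second sample line is constructed, using a documentation-range address to stand in for an unknown resolver.

```python
"""Check the DNS servers in HijackThis O17 lines against the resolvers the ISP
actually assigns.  An O17 entry is the per-adapter NameServer value under the
Tcpip service key; the ISP's own resolvers are required for name lookup to
work, so the thing to look for is a server that is NOT one of them.
The expected set and the second sample line are constructed for this example."""
import re

# The two addresses from the thread's O17 line (identified in the thread as
# BT's name servers).  Assumption for the example: in practice this comes from
# the ISP's documentation or from `ipconfig /all` on a known-clean machine.
EXPECTED_NAMESERVERS = {"194.72.9.34", "194.74.65.68"}

SAMPLE_O17_LINES = [
    # The entry jmc posted.
    r"O17 - HKLM\System\CCS\Services\Tcpip\..\{FA7C57DE-EDCB-4AF0-A5D6-D1F4686EF5F8}: NameServer = 194.72.9.34 194.74.65.68",
    # Constructed: same shape, with one resolver from the 192.0.2.0/24
    # documentation range standing in for a server the ISP does not use.
    r"O17 - HKLM\System\CCS\Services\Tcpip\..\{00000000-0000-0000-0000-000000000000}: NameServer = 194.72.9.34 192.0.2.10",
]

O17_RE = re.compile(r"^O17 - (?P<key>.+?): NameServer = (?P<servers>.+)$")


def parse_o17(line):
    """Return (registry_key, [servers]) for an O17 line, or None if it is not one."""
    m = O17_RE.match(line.strip())
    if not m:
        return None
    # Multiple servers appear separated by spaces (as in the thread) or commas.
    servers = re.split(r"[,\s]+", m.group("servers").strip())
    return m.group("key"), [s for s in servers if s]


def check_nameservers(lines, expected=EXPECTED_NAMESERVERS):
    """Map each O17 registry key to the list of servers not in `expected`.
    An empty list means the entry only names the ISP's resolvers: keep it."""
    findings = {}
    for line in lines:
        parsed = parse_o17(line)
        if parsed is None:
            continue  # not an O17 line (O2, O4, ... are other HijackThis sections)
        key, servers = parsed
        findings[key] = [s for s in servers if s not in expected]
    return findings


if __name__ == "__main__":
    for key, unexpected in check_nameservers(SAMPLE_O17_LINES).items():
        verdict = "keep (ISP resolvers)" if not unexpected else f"investigate: {unexpected}"
        print(f"{key}\n    {verdict}")
```

For jmc's entry the unexpected list is empty, which matches the advice to leave it alone; the entry reappears after a reboot because the ISP's connection software re-applies its name servers, not because anything is persisting maliciously.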
     
  6. dvk01

    dvk01 Moderator Malware Specialist

    Joined:
    Dec 14, 2002
    Messages:
    56,181
    First Name:
    Derek
    You need that O17 entry; it's BT's name servers. Without it you will be unable to find any sites on the net.

    Mediaplex etc. are advert sites that many other web pages link to to display the ads.

    For example, on these forums the adverts are hosted by burstnet.com, so if you did a netstat whilst on the forum you would have entries for TSG, burstnet and whichever other advertising host the forums are currently using.

    Provided you are running an antivirus & your firewall, don't panic.

    Nothing untoward is happening, just normal net behaviour.
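The triage dvk01 describes by hand, as an added example that is not part of the thread (my code, not the forum's or any tool's): a script that parses the classic Windows netstat table, explains each TCP state, separates connections that are still open from ones already in TIME_WAIT, and tags the ad networks named in the thread. The sample output is constructed to resemble jmc's entries; the local hostname and local port numbers are made up.

```python
"""Triage Windows `netstat` output: parse each row, group by TCP state, and
separate connections that are actually live from ones this machine has already
closed.  The sample below is constructed to resemble the thread's entries."""
from collections import Counter
from dataclasses import dataclass

SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address                          State
  TCP    jodi:2550              UNKNOWN-86.mediaplex.com:http            TIME_WAIT
  TCP    jodi:2551              207.46.107.53:1863                       ESTABLISHED
  TCP    jodi:2552              216.239.59.104:http                      ESTABLISHED
  TCP    jodi:2553              winguides.com:http                       TIME_WAIT
  TCP    jodi:2554              caming.vip.ashb.att.discovery.com:http   ESTABLISHED
"""

# What each state means to someone deciding whether anything needs blocking.
STATE_MEANING = {
    "ESTABLISHED": "live: a local process is exchanging data with this host",
    "TIME_WAIT": "closed: this side already finished; the slot is held a few minutes "
                 "so stray packets are dropped, nothing is connected any more",
    "CLOSE_WAIT": "remote side closed; the local process has not closed its socket yet",
    "SYN_SENT": "local side is still trying to connect, no reply yet",
    "LISTENING": "a local service is waiting for inbound connections",
}
CLOSED_STATES = {"TIME_WAIT", "CLOSED"}

# Ad networks named in the thread.  Browsers reach these when an ordinary page
# embeds an advert, so they show up alongside the site you were actually reading.
AD_DOMAINS = ("mediaplex.com", "burstnet.com")


@dataclass
class Conn:
    proto: str
    local: str
    remote_host: str
    remote_port: str
    state: str

    @property
    def remote(self):
        return f"{self.remote_host}:{self.remote_port}"


def parse_netstat(text):
    """Parse the classic Windows netstat table (Proto, Local, Foreign, State)."""
    conns = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0] not in ("TCP", "UDP"):
            continue                                  # title, blank or header row
        state = parts[3] if len(parts) > 3 else ""    # UDP rows carry no state
        host, _, port = parts[2].rpartition(":")      # split off the port / service name
        conns.append(Conn(parts[0], parts[1], host, port, state))
    return conns


def is_ad_network(host):
    host = host.lower()
    return any(host == d or host.endswith("." + d) for d in AD_DOMAINS)


def classify(conn):
    """Return (liveness, kind): liveness is 'live', 'closed' or 'listening';
    kind is 'ad-network' or 'other'."""
    if conn.state in CLOSED_STATES:
        liveness = "closed"
    elif conn.state == "LISTENING":
        liveness = "listening"
    else:
        liveness = "live"
    return liveness, ("ad-network" if is_ad_network(conn.remote_host) else "other")


def live_remote_hosts(conns):
    """Remote endpoints that still have an open connection: the only rows a
    firewall rule or a process lookup could act on.  TIME_WAIT rows are gone already."""
    return [c.remote for c in conns if classify(c)[0] == "live"]


def state_counts(conns):
    return Counter(c.state for c in conns)


if __name__ == "__main__":
    conns = parse_netstat(SAMPLE_NETSTAT)
    for c in conns:
        liveness, kind = classify(c)
        print(f"{c.remote:42} {c.state:12} {kind:11} {STATE_MEANING.get(c.state, '?')}")
    print("\nstill connected:", live_remote_hosts(conns))
    print("by state:", dict(state_counts(conns)))
```

The point the output makes is the one in the reply: the mediaplex row is TIME_WAIT, so there is nothing to break, and the rows that are still ESTABLISHED belong to sites and services the user was using. Blocking individual ad hosts at the firewall only removes the symptom; the browser will fetch ads from whichever network the next page embeds.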
     
  7. jmc

    jmc Thread Starter

    Joined:
    Oct 6, 2002
    Messages:
    390
    thank you. I feel better now.
     
Short URL to this thread: https://techguy.org/170821