Weird netstat - Am I being hacked?

Status
This thread has been Locked and is not open to further replies. Please start a New Thread if you're having a similar issue. View our Welcome Guide to learn how to use this site.

dougage

Thread Starter
Joined
Apr 2, 2004
Messages
8
I am getting these weird netstat logs; anyone know the deal?
I have a router; this is happening as soon as I start the computer, with no programs running.
It does seem to stop when I kill svchost, which also kills my internet.
Thanks for any help.
 

Attachments

cybertech

Retired Moderator
Joined
Apr 16, 2002
Messages
72,115
Welcome to TSG!!

Download Hijackthis.
Create a folder on your hard drive and save it there.
Unzip the file and extract it to the folder you have created.
Scan your machine, then click on Save Log.

Post a copy back here and someone will be happy to review it.

Don't make any changes until instructed to do so.
 

dougage

Thread Starter
Joined
Apr 2, 2004
Messages
8
StartupList report, 4/2/2004, 12:38:53 PM
StartupList version: 1.52
Started from : C:\Program Files\HiJackThis\HijackThis.EXE
Detected: Windows XP SP1 (WinNT 5.01.2600)
Detected: Internet Explorer v6.00 SP1 (6.00.2800.1106)
* Using default options
* Including empty and uninteresting sections
==================================================

Running processes:

C:\WINXP\System32\smss.exe
C:\WINXP\system32\winlogon.exe
C:\WINXP\system32\services.exe
C:\WINXP\system32\lsass.exe
C:\WINXP\system32\svchost.exe
C:\WINXP\System32\svchost.exe
C:\WINXP\Explorer.EXE
C:\Program Files\Zone Labs\ZoneAlarm\zapro.exe
C:\WINXP\system32\ZoneLabs\vsmon.exe
C:\Program Files\yProxy\yProxy.exe
C:\Program Files\eMule\emule.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINXP\explorer.exe
C:\Program Files\HiJackThis\HijackThis.exe

--------------------------------------------------

Listing of startup folders:

Shell folders Startup:
[C:\Documents and Settings\doug\Start Menu\Programs\Startup]
yProxy.exe.lnk = C:\Program Files\yProxy\yProxy.exe

Shell folders AltStartup:
*Folder not found*

User shell folders Startup:
*Folder not found*

User shell folders AltStartup:
*Folder not found*

Shell folders Common Startup:
[C:\Documents and Settings\All Users.WINXP\Start Menu\Programs\Startup]
ZoneAlarm Pro.lnk = C:\Program Files\Zone Labs\ZoneAlarm\zapro.exe

Shell folders Common AltStartup:
*Folder not found*

User shell folders Common Startup:
*Folder not found*

User shell folders Alternate Common Startup:
*Folder not found*

--------------------------------------------------

Checking Windows NT UserInit:

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINXP\System32\Userinit.exe

[HKLM\Software\Microsoft\Windows\CurrentVersion\Winlogon]
*Registry value not found*

[HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
*Registry value not found*

[HKCU\Software\Microsoft\Windows\CurrentVersion\Winlogon]
*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnceEx

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Run

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Run

*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

[OptionalComponents]
*No values found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce

[ApprovedByRegRun2]
*No values found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices
*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Run
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Run
*Registry key not found*

--------------------------------------------------

File association entry for .EXE:
HKEY_CLASSES_ROOT\exefile\shell\open\command

(Default) = "%1" %*

--------------------------------------------------

File association entry for .COM:
HKEY_CLASSES_ROOT\comfile\shell\open\command

(Default) = "%1" %*

--------------------------------------------------

File association entry for .BAT:
HKEY_CLASSES_ROOT\batfile\shell\open\command

(Default) = "%1" %*

--------------------------------------------------

File association entry for .PIF:
HKEY_CLASSES_ROOT\piffile\shell\open\command

(Default) = "%1" %*

--------------------------------------------------

File association entry for .SCR:
HKEY_CLASSES_ROOT\scrfile\shell\open\command

(Default) = "%1" /S

--------------------------------------------------

File association entry for .HTA:
HKEY_CLASSES_ROOT\htafile\shell\open\command

(Default) = C:\WINXP\System32\mshta.exe "%1" %*

--------------------------------------------------

Enumerating ICQ Agent Autostart apps:
HKCU\Software\Mirabilis\ICQ\Agent\Apps

*Registry key not found*

--------------------------------------------------

Load/Run keys from C:\WINXP\WIN.INI:

load=*INI file not found*
run=*INI file not found*

Load/Run keys from Registry:

HKLM\..\Windows NT\CurrentVersion\WinLogon: load=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\WinLogon: run=*Registry value not found*
HKLM\..\Windows\CurrentVersion\WinLogon: load=*Registry value not found*
HKLM\..\Windows\CurrentVersion\WinLogon: run=*Registry value not found*
HKCU\..\Windows NT\CurrentVersion\WinLogon: load=*Registry value not found*
HKCU\..\Windows NT\CurrentVersion\WinLogon: run=*Registry value not found*
HKCU\..\Windows\CurrentVersion\WinLogon: load=*Registry key not found*
HKCU\..\Windows\CurrentVersion\WinLogon: run=*Registry key not found*
HKCU\..\Windows NT\CurrentVersion\Windows: load=
HKCU\..\Windows NT\CurrentVersion\Windows: run=
HKLM\..\Windows NT\CurrentVersion\Windows: load=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\Windows: run=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\Windows: AppInit_DLLs=

--------------------------------------------------

Shell & screensaver key from C:\WINXP\SYSTEM.INI:

Shell=*INI file not found*
SCRNSAVE.EXE=*INI file not found*
drivers=*INI file not found*

Shell & screensaver key from Registry:

Shell=explorer.exe
SCRNSAVE.EXE=*Registry value not found*
drivers=*Registry value not found*

Policies Shell key:

HKCU\..\Policies: Shell=*Registry value not found*
HKLM\..\Policies: Shell=*Registry value not found*

--------------------------------------------------


Enumerating Browser Helper Objects:

(no name) - c:\program files\google\googletoolbar2.dll - {AA58ED58-01DD-4d91-8333-CF10577473F7}

--------------------------------------------------

Enumerating Task Scheduler jobs:

*No jobs found*

--------------------------------------------------

Enumerating Download Program Files:

[Microsoft XML Parser for Java]
OSD = C:\WINXP\Downloaded Program Files\Microsoft XML Parser for Java.osd

--------------------------------------------------

Enumerating Winsock LSP files:

NameSpace #1: C:\WINXP\System32\mswsock.dll
NameSpace #2: C:\WINXP\System32\winrnr.dll
NameSpace #3: C:\WINXP\System32\mswsock.dll
Protocol #1: C:\WINXP\system32\mswsock.dll
Protocol #2: C:\WINXP\system32\mswsock.dll
Protocol #3: C:\WINXP\system32\mswsock.dll
Protocol #4: C:\WINXP\system32\rsvpsp.dll
Protocol #5: C:\WINXP\system32\rsvpsp.dll
Protocol #6: C:\WINXP\system32\mswsock.dll
Protocol #7: C:\WINXP\system32\mswsock.dll
Protocol #8: C:\WINXP\system32\mswsock.dll
Protocol #9: C:\WINXP\system32\mswsock.dll
Protocol #10: C:\WINXP\system32\mswsock.dll
Protocol #11: C:\WINXP\system32\mswsock.dll
Protocol #12: C:\WINXP\system32\mswsock.dll
Protocol #13: C:\WINXP\system32\mswsock.dll
Protocol #14: C:\WINXP\system32\mswsock.dll
Protocol #15: C:\WINXP\system32\mswsock.dll

--------------------------------------------------

Enumerating Windows NT logon/logoff scripts:
*No scripts set to run*

Windows NT checkdisk command:
BootExecute = autocheck autochk *

Windows NT 'Wininit.ini':
PendingFileRenameOperations: *Registry value not found*

--------------------------------------------------

Enumerating ShellServiceObjectDelayLoad items:

PostBootReminder: C:\WINXP\system32\SHELL32.dll
CDBurn: C:\WINXP\system32\SHELL32.dll
WebCheck: C:\WINXP\System32\webcheck.dll
SysTray: C:\WINXP\System32\stobject.dll

--------------------------------------------------
End of report, 12,100 bytes
Report generated in 0.330 seconds

Command line options:
/verbose - to add additional info on each section
/complete - to include empty sections and unsuspicious data
/full - to include several rarely-important sections
/force9x - to include Win9x-only startups even if running on WinNT
/forcent - to include WinNT-only startups even if running on Win9x
/forceall - to include all Win9x and WinNT startups, regardless of platform
/history - to list version history only
 

dougage

Thread Starter
Joined
Apr 2, 2004
Messages
8
Logfile of HijackThis v1.97.7
Scan saved at 12:49:28 PM, on 4/2/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINXP\System32\smss.exe
C:\WINXP\system32\winlogon.exe
C:\WINXP\system32\services.exe
C:\WINXP\system32\lsass.exe
C:\WINXP\system32\svchost.exe
C:\WINXP\System32\svchost.exe
C:\WINXP\Explorer.EXE
C:\Program Files\Zone Labs\ZoneAlarm\zapro.exe
C:\WINXP\system32\ZoneLabs\vsmon.exe
C:\Program Files\yProxy\yProxy.exe
C:\Program Files\eMule\emule.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINXP\explorer.exe
C:\Program Files\Yahoo!\Messenger\YPager.exe
C:\Program Files\Winamp\Winamp.exe
C:\Program Files\HiJackThis\HijackThis.exe

F2 - REG:system.ini: UserInit=C:\WINXP\System32\Userinit.exe
 

cybertech

Retired Moderator
Joined
Apr 16, 2002
Messages
72,115
Did you edit this log? or have you disabled with msconfig?
 

dougage

Thread Starter
Joined
Apr 2, 2004
Messages
8
The log is unedited; I disabled all but the needed stuff in msconfig.
 

cybertech

Retired Moderator
Joined
Apr 16, 2002
Messages
72,115
Oh, well I can't make any suggestions. Cleanest log I've seen today :)
 

dougage

Thread Starter
Joined
Apr 2, 2004
Messages
8
What does the netstat look like to you?
Doesn't it seem strange?
It just started about a week ago.

I can have no programs running, yet the traffic on my connection is very active; that's the part that's freaking me out.
 
Joined
Dec 23, 2003
Messages
262
Maybe you could try something like Active Ports http://download.com.com/3000-2085-10062969.html?part=65960&subj=dlpage&tag=button

- I believe it can map active ports to the process using them, so you might be able to find out more about your situation. Apparently it is erroneously detected by Norton AV as a threat though, but I have been assured by knowledgeable folks that its a widely used security utility that poses no threat to your system and Norton have got this wrong. Actually I have Active Ports myself but haven't got round to trying it yet.
 

dougage

Thread Starter
Joined
Apr 2, 2004
Messages
8
I basically got the same info from netstat; something is very wrong here. I need to block the IP that these ports are connecting to, and this program does not do that.
I haven't found one that can.
Thanks anyhoo...
 
Joined
Dec 23, 2003
Messages
262
I guess you should be able to configure your Zone Alarm firewall to block specific ports and/or IPs. If you need assistance on how to do that, well, it's probably beyond my knowledge, but if you post back here with the specifics then I'm sure someone will be able to help out.

Also, I guess it's worth running full anti-virus and anti-trojan scans of your machine with the latest definitions; you could use different online scans to cross-check. You could also check out something like Port Explorer http://www.diamondcs.com.au/portexplorer/ to get more of a handle on what's going on. Good luck! :)
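As an added example that is not part of the original thread (not the poster's log, and not code from Active Ports, Port Explorer or Zone Alarm): the two suggestions above, mapping each connection to its owning process and then deciding which remote IPs to block, can be done with the tools already on Windows XP, `netstat -ano` (the `-o` column is the PID) and `tasklist /fo csv /nh`. The script below parses the text output of both, joins them on PID, and lists remote peers that are neither local/private addresses nor owned by a process you expect to be talking to the internet. The netstat and tasklist output embedded in it is constructed for illustration; the PIDs, addresses and the svchost.exe connection on port 6667 are made up and say nothing about the poster's machine.

```python
"""Join `netstat -ano` with `tasklist /fo csv /nh` and flag remote peers.

Added example, not from the thread. Run it as-is to see the constructed
sample; on a real XP/2003+ box replace the two SAMPLE strings with
  netstat -ano > netstat.txt
  tasklist /fo csv /nh > tasklist.txt
and read those files instead.
"""
import csv
import io
import ipaddress
import re
from collections import defaultdict

# Constructed sample of `netstat -ano` output (not a real capture).
NETSTAT_SAMPLE = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       884
  TCP    192.168.0.2:1035       192.168.0.1:80         ESTABLISHED     1240
  TCP    192.168.0.2:4662       0.0.0.0:0              LISTENING       1608
  TCP    192.168.0.2:1051       203.0.113.7:4662       ESTABLISHED     1608
  TCP    192.168.0.2:1077       198.51.100.23:6667     ESTABLISHED     884
  UDP    0.0.0.0:445            *:*                                    4
  UDP    192.168.0.2:1900       *:*                                    884
"""

# Constructed sample of `tasklist /fo csv /nh` output (PID is column 2).
TASKLIST_SAMPLE = '''
"System","4","Console","0","236 K"
"svchost.exe","884","Console","0","4,152 K"
"iexplore.exe","1240","Console","0","22,340 K"
"emule.exe","1608","Console","0","30,108 K"
'''

# proto, local, foreign, optional state (TCP only), PID
NETSTAT_RE = re.compile(
    r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)\s+(?:([A-Z_0-9]+)\s+)?(\d+)\s*$")

# Address ranges that are not "the internet"; anything else is a remote peer.
LOCAL_NETS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16")]


def parse_netstat(text):
    """Return one dict per connection line; header/blank lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = NETSTAT_RE.match(line)
        if not m:
            continue
        proto, local, remote, state, pid = m.groups()
        lhost, lport = local.rsplit(":", 1)   # IPv4 only, as on XP
        rhost, rport = remote.rsplit(":", 1)  # "*:*" for unconnected UDP
        rows.append({"proto": proto, "local_host": lhost, "local_port": lport,
                     "remote_host": rhost, "remote_port": rport,
                     "state": state or "", "pid": int(pid)})
    return rows


def parse_tasklist(text):
    """Map PID -> image name from the CSV form of tasklist."""
    names = {}
    for row in csv.reader(io.StringIO(text.strip())):
        if len(row) >= 2 and row[1].isdigit():
            names[int(row[1])] = row[0]
    return names


def join_connections(netstat_text, tasklist_text):
    """Attach the owning process name to every netstat row."""
    names = parse_tasklist(tasklist_text)
    conns = parse_netstat(netstat_text)
    for c in conns:
        c["process"] = names.get(c["pid"], "<unknown>")
    return conns


def is_remote_peer(host):
    """True if host is a real remote endpoint (not wildcard/private/loopback)."""
    if host == "*":
        return False
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return True  # a hostname rather than an address: treat as remote
    return not any(ip in net for net in LOCAL_NETS)


def suspicious_peers(conns, allowed_processes=()):
    """{remote_ip: {process names}} for connections to remote peers owned by
    processes that are not on the allow-list. These are the IPs you would
    feed to a firewall rule; the process name tells you what to investigate.
    Note svchost.exe hosts many services: `tasklist /svc` shows which ones
    live in a given PID."""
    allowed = {p.lower() for p in allowed_processes}
    hits = defaultdict(set)
    for c in conns:
        if is_remote_peer(c["remote_host"]) and c["process"].lower() not in allowed:
            hits[c["remote_host"]].add(c["process"])
    return dict(hits)


if __name__ == "__main__":
    conns = join_connections(NETSTAT_SAMPLE, TASKLIST_SAMPLE)
    for c in conns:
        print(f'{c["proto"]:<4} {c["local_host"]}:{c["local_port"]:<6} -> '
              f'{c["remote_host"]}:{c["remote_port"]:<6} {c["state"]:<12} '
              f'{c["pid"]:>5} {c["process"]}')
    # eMule is something the user runs on purpose, so exclude it from the list.
    for ip, procs in suspicious_peers(conns, ("emule.exe",)).items():
        print("block candidate:", ip, "owned by", ", ".join(sorted(procs)))
```

On the constructed sample this leaves one block candidate, the peer that a service host process is talking to on an unexpected port, which is the kind of line to chase with `tasklist /svc` and a firewall rule. On a real box, run the capture while the "no programs running" traffic is happening, since a process that has already exited leaves no PID to resolve.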
 
Joined
May 4, 2003
Messages
777
Re your netstat: had a similar issue yesterday, also using Zone Alarm. Watch your ICQ ports, most likely range of ports for a break-through. Also try running Spybot; that took out about two dozen unwanted visitors. Then I tightened up Zone Alarm and I have been untouched since. Virus and Hijack scans might not reveal what's affecting your system; that's why I went to Spybot. Identified them and removed them. LOL/WEBZ
 

dougage

Thread Starter
Joined
Apr 2, 2004
Messages
8
Thanks for the reply.
I have run Spybot, HijackThis, all web-based virus scans, f-protect, AVG, Ad-Aware, and NONE of them had anything to say.
I guess my question is, does anyone understand exactly what this netstat means and what exactly I can do to stop it?
I have no weird apps running, I have NOTHING in my msconfig startup, I have nothing in my HKLM\Software\Microsoft\Windows\CurrentVersion\Run, I got nothin' nowhere, yet I get this weird crap.
How exactly did you 'tighten up' your Zone Alarm?
What caused it to need to be tightened up in the first place?

thanks for the help.
 
Joined
May 4, 2003
Messages
777
Do you run an Actiontec router in conjunction with a DSL service, and are you using Qwest?
WEBZ
 

dougage

Thread Starter
Joined
Apr 2, 2004
Messages
8
Hey webzter, thanks for the reply.
I run a D-Link with DSL through SWB.
If you have any thoughts, let me know.
 