
Weird netstat - Am I being hacked?

Discussion in 'Virus & Other Malware Removal' started by dougage, Apr 2, 2004.

Thread Status:
Not open for further replies.
  1. dougage

    dougage Thread Starter

    Joined:
    Apr 2, 2004
    Messages:
    8
    I am getting these weird netstat logs, anyone know the deal?
    I have a router; this is happening as soon as I start the computer, with no programs running.
    It does seem to stop when I kill svchost, which also kills my internet.
    Thanks for any help.
     

    Attached Files:

  2. cybertech

    cybertech Retired Moderator

    Joined:
    Apr 16, 2002
    Messages:
    72,115
    Welcome to TSG!!

    Download HijackThis.
    Create a folder on your hard drive and save it there.
    Unzip the file and extract it to the folder you have created.
    Scan your machine, then click on Save Log.

    Post a copy back here and someone will be happy to review it.

    Don't make any changes until instructed to do so.
     
  3. dougage

    dougage Thread Starter

    Joined:
    Apr 2, 2004
    Messages:
    8
    StartupList report, 4/2/2004, 12:38:53 PM
    StartupList version: 1.52
    Started from : C:\Program Files\HiJackThis\HijackThis.EXE
    Detected: Windows XP SP1 (WinNT 5.01.2600)
    Detected: Internet Explorer v6.00 SP1 (6.00.2800.1106)
    * Using default options
    * Including empty and uninteresting sections
    ==================================================

    Running processes:

    C:\WINXP\System32\smss.exe
    C:\WINXP\system32\winlogon.exe
    C:\WINXP\system32\services.exe
    C:\WINXP\system32\lsass.exe
    C:\WINXP\system32\svchost.exe
    C:\WINXP\System32\svchost.exe
    C:\WINXP\Explorer.EXE
    C:\Program Files\Zone Labs\ZoneAlarm\zapro.exe
    C:\WINXP\system32\ZoneLabs\vsmon.exe
    C:\Program Files\yProxy\yProxy.exe
    C:\Program Files\eMule\emule.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\WINXP\explorer.exe
    C:\Program Files\HiJackThis\HijackThis.exe

    --------------------------------------------------

    Listing of startup folders:

    Shell folders Startup:
    [C:\Documents and Settings\doug\Start Menu\Programs\Startup]
    yProxy.exe.lnk = C:\Program Files\yProxy\yProxy.exe

    Shell folders AltStartup:
    *Folder not found*

    User shell folders Startup:
    *Folder not found*

    User shell folders AltStartup:
    *Folder not found*

    Shell folders Common Startup:
    [C:\Documents and Settings\All Users.WINXP\Start Menu\Programs\Startup]
    ZoneAlarm Pro.lnk = C:\Program Files\Zone Labs\ZoneAlarm\zapro.exe

    Shell folders Common AltStartup:
    *Folder not found*

    User shell folders Common Startup:
    *Folder not found*

    User shell folders Alternate Common Startup:
    *Folder not found*

    --------------------------------------------------

    Checking Windows NT UserInit:

    [HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
    UserInit = C:\WINXP\System32\Userinit.exe

    [HKLM\Software\Microsoft\Windows\CurrentVersion\Winlogon]
    *Registry value not found*

    [HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
    *Registry value not found*

    [HKCU\Software\Microsoft\Windows\CurrentVersion\Winlogon]
    *Registry key not found*

    --------------------------------------------------

    Autorun entries from Registry:
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run

    *No values found*

    --------------------------------------------------

    Autorun entries from Registry:
    HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce

    *No values found*

    --------------------------------------------------

    Autorun entries from Registry:
    HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx

    *No values found*

    --------------------------------------------------

    Autorun entries from Registry:
    HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices

    *No values found*

    --------------------------------------------------

    Autorun entries from Registry:
    HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce

    *No values found*

    --------------------------------------------------

    Autorun entries from Registry:
    HKCU\Software\Microsoft\Windows\CurrentVersion\Run

    *No values found*

    --------------------------------------------------

    Autorun entries from Registry:
    HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce

    *No values found*

    --------------------------------------------------

    Autorun entries from Registry:
    HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnceEx

    *Registry key not found*

    --------------------------------------------------

    Autorun entries from Registry:
    HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices

    *Registry key not found*

    --------------------------------------------------

    Autorun entries from Registry:
    HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce

    *Registry key not found*

    --------------------------------------------------

    Autorun entries from Registry:
    HKLM\Software\Microsoft\Windows NT\CurrentVersion\Run

    *No values found*

    --------------------------------------------------

    Autorun entries from Registry:
    HKCU\Software\Microsoft\Windows NT\CurrentVersion\Run

    *Registry key not found*

    --------------------------------------------------

    Autorun entries in Registry subkeys of:
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run

    [OptionalComponents]
    *No values found*

    --------------------------------------------------

    Autorun entries in Registry subkeys of:
    HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce
    *No subkeys found*

    --------------------------------------------------

    Autorun entries in Registry subkeys of:
    HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
    *No subkeys found*

    --------------------------------------------------

    Autorun entries in Registry subkeys of:
    HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
    *No subkeys found*

    --------------------------------------------------

    Autorun entries in Registry subkeys of:
    HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
    *No subkeys found*

    --------------------------------------------------

    Autorun entries in Registry subkeys of:
    HKCU\Software\Microsoft\Windows\CurrentVersion\Run
    *No subkeys found*

    --------------------------------------------------

    Autorun entries in Registry subkeys of:
    HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce

    [ApprovedByRegRun2]
    *No values found*

    --------------------------------------------------

    Autorun entries in Registry subkeys of:
    HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
    *Registry key not found*

    --------------------------------------------------

    Autorun entries in Registry subkeys of:
    HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices
    *Registry key not found*

    --------------------------------------------------

    Autorun entries in Registry subkeys of:
    HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
    *Registry key not found*

    --------------------------------------------------

    Autorun entries in Registry subkeys of:
    HKLM\Software\Microsoft\Windows NT\CurrentVersion\Run
    *No subkeys found*

    --------------------------------------------------

    Autorun entries in Registry subkeys of:
    HKCU\Software\Microsoft\Windows NT\CurrentVersion\Run
    *Registry key not found*

    --------------------------------------------------

    File association entry for .EXE:
    HKEY_CLASSES_ROOT\exefile\shell\open\command

    (Default) = "%1" %*

    --------------------------------------------------

    File association entry for .COM:
    HKEY_CLASSES_ROOT\comfile\shell\open\command

    (Default) = "%1" %*

    --------------------------------------------------

    File association entry for .BAT:
    HKEY_CLASSES_ROOT\batfile\shell\open\command

    (Default) = "%1" %*

    --------------------------------------------------

    File association entry for .PIF:
    HKEY_CLASSES_ROOT\piffile\shell\open\command

    (Default) = "%1" %*

    --------------------------------------------------

    File association entry for .SCR:
    HKEY_CLASSES_ROOT\scrfile\shell\open\command

    (Default) = "%1" /S

    --------------------------------------------------

    File association entry for .HTA:
    HKEY_CLASSES_ROOT\htafile\shell\open\command

    (Default) = C:\WINXP\System32\mshta.exe "%1" %*

    --------------------------------------------------

    Enumerating ICQ Agent Autostart apps:
    HKCU\Software\Mirabilis\ICQ\Agent\Apps

    *Registry key not found*

    --------------------------------------------------

    Load/Run keys from C:\WINXP\WIN.INI:

    load=*INI file not found*
    run=*INI file not found*

    Load/Run keys from Registry:

    HKLM\..\Windows NT\CurrentVersion\WinLogon: load=*Registry value not found*
    HKLM\..\Windows NT\CurrentVersion\WinLogon: run=*Registry value not found*
    HKLM\..\Windows\CurrentVersion\WinLogon: load=*Registry value not found*
    HKLM\..\Windows\CurrentVersion\WinLogon: run=*Registry value not found*
    HKCU\..\Windows NT\CurrentVersion\WinLogon: load=*Registry value not found*
    HKCU\..\Windows NT\CurrentVersion\WinLogon: run=*Registry value not found*
    HKCU\..\Windows\CurrentVersion\WinLogon: load=*Registry key not found*
    HKCU\..\Windows\CurrentVersion\WinLogon: run=*Registry key not found*
    HKCU\..\Windows NT\CurrentVersion\Windows: load=
    HKCU\..\Windows NT\CurrentVersion\Windows: run=
    HKLM\..\Windows NT\CurrentVersion\Windows: load=*Registry value not found*
    HKLM\..\Windows NT\CurrentVersion\Windows: run=*Registry value not found*
    HKLM\..\Windows NT\CurrentVersion\Windows: AppInit_DLLs=

    --------------------------------------------------

    Shell & screensaver key from C:\WINXP\SYSTEM.INI:

    Shell=*INI file not found*
    SCRNSAVE.EXE=*INI file not found*
    drivers=*INI file not found*

    Shell & screensaver key from Registry:

    Shell=explorer.exe
    SCRNSAVE.EXE=*Registry value not found*
    drivers=*Registry value not found*

    Policies Shell key:

    HKCU\..\Policies: Shell=*Registry value not found*
    HKLM\..\Policies: Shell=*Registry value not found*

    --------------------------------------------------


    Enumerating Browser Helper Objects:

    (no name) - c:\program files\google\googletoolbar2.dll - {AA58ED58-01DD-4d91-8333-CF10577473F7}

    --------------------------------------------------

    Enumerating Task Scheduler jobs:

    *No jobs found*

    --------------------------------------------------

    Enumerating Download Program Files:

    [Microsoft XML Parser for Java]
    OSD = C:\WINXP\Downloaded Program Files\Microsoft XML Parser for Java.osd

    --------------------------------------------------

    Enumerating Winsock LSP files:

    NameSpace #1: C:\WINXP\System32\mswsock.dll
    NameSpace #2: C:\WINXP\System32\winrnr.dll
    NameSpace #3: C:\WINXP\System32\mswsock.dll
    Protocol #1: C:\WINXP\system32\mswsock.dll
    Protocol #2: C:\WINXP\system32\mswsock.dll
    Protocol #3: C:\WINXP\system32\mswsock.dll
    Protocol #4: C:\WINXP\system32\rsvpsp.dll
    Protocol #5: C:\WINXP\system32\rsvpsp.dll
    Protocol #6: C:\WINXP\system32\mswsock.dll
    Protocol #7: C:\WINXP\system32\mswsock.dll
    Protocol #8: C:\WINXP\system32\mswsock.dll
    Protocol #9: C:\WINXP\system32\mswsock.dll
    Protocol #10: C:\WINXP\system32\mswsock.dll
    Protocol #11: C:\WINXP\system32\mswsock.dll
    Protocol #12: C:\WINXP\system32\mswsock.dll
    Protocol #13: C:\WINXP\system32\mswsock.dll
    Protocol #14: C:\WINXP\system32\mswsock.dll
    Protocol #15: C:\WINXP\system32\mswsock.dll

    --------------------------------------------------

    Enumerating Windows NT logon/logoff scripts:
    *No scripts set to run*

    Windows NT checkdisk command:
    BootExecute = autocheck autochk *

    Windows NT 'Wininit.ini':
    PendingFileRenameOperations: *Registry value not found*

    --------------------------------------------------

    Enumerating ShellServiceObjectDelayLoad items:

    PostBootReminder: C:\WINXP\system32\SHELL32.dll
    CDBurn: C:\WINXP\system32\SHELL32.dll
    WebCheck: C:\WINXP\System32\webcheck.dll
    SysTray: C:\WINXP\System32\stobject.dll

    --------------------------------------------------
    End of report, 12,100 bytes
    Report generated in 0.330 seconds

    Command line options:
    /verbose - to add additional info on each section
    /complete - to include empty sections and unsuspicious data
    /full - to include several rarely-important sections
    /force9x - to include Win9x-only startups even if running on WinNT
    /forcent - to include WinNT-only startups even if running on Win9x
    /forceall - to include all Win9x and WinNT startups, regardless of platform
    /history - to list version history only
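    The StartupList report above is a fixed text layout: a `====` rule closes the preamble, `----` rules separate sections, the first line after a rule names the section, `[...]` and `HK...` lines name the folder or key being listed, and anything wrapped in `*` is the tool saying that location is empty or absent. What a reviewer actually wants from it is the short list of things that really load, and which of them live outside the Windows directory. The parser below is an added example, not part of this thread or of HijackThis/StartupList; it embeds a shortened excerpt in the same layout as the posted report (the entries are the ones visible above, the byte count in the trailer is made up), and `C:\WINXP` as the Windows directory is taken from the log.

```python
"""Pull the entries that actually load at boot out of a HijackThis StartupList report."""
import re
from collections import namedtuple

Entry = namedtuple("Entry", "section location text path")

# A Windows path ending in a loadable-module extension. Non-greedy so the first
# extension wins: "yProxy.exe.lnk = C:\...\yProxy.exe" yields the link target.
PATH_RE = re.compile(r"[A-Za-z]:\\[^*{}\r\n]+?\.(?:exe|dll|osd|scr|cpl)\b", re.IGNORECASE)
SEPARATOR = "-" * 10
PLACEHOLDER = "*"      # "*No values found*", "*Registry key not found*", "*Folder not found*"

# Shortened excerpt in the layout of the report posted above (constructed, not the
# full log; the trailer byte count is invented).
SAMPLE_REPORT = r"""StartupList report, 4/2/2004, 12:38:53 PM
StartupList version: 1.52
==================================================

Listing of startup folders:

Shell folders Startup:
[C:\Documents and Settings\doug\Start Menu\Programs\Startup]
yProxy.exe.lnk = C:\Program Files\yProxy\yProxy.exe

Shell folders AltStartup:
*Folder not found*

Shell folders Common Startup:
[C:\Documents and Settings\All Users.WINXP\Start Menu\Programs\Startup]
ZoneAlarm Pro.lnk = C:\Program Files\Zone Labs\ZoneAlarm\zapro.exe

--------------------------------------------------

Checking Windows NT UserInit:

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINXP\System32\Userinit.exe

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

*No values found*

--------------------------------------------------

Enumerating Browser Helper Objects:

(no name) - c:\program files\google\googletoolbar2.dll - {AA58ED58-01DD-4d91-8333-CF10577473F7}

--------------------------------------------------

Enumerating Download Program Files:

[Microsoft XML Parser for Java]
OSD = C:\WINXP\Downloaded Program Files\Microsoft XML Parser for Java.osd

--------------------------------------------------

Shell & screensaver key from Registry:

Shell=explorer.exe
SCRNSAVE.EXE=*Registry value not found*

--------------------------------------------------
End of report, 1,234 bytes
"""


def parse_startuplist(report):
    """Return one Entry per real startup item, tagged with its section and location."""
    entries = []
    section = location = None
    in_body = False
    for raw in report.splitlines():
        line = raw.strip()
        if not in_body:                         # skip the preamble up to the '====' rule
            in_body = line.startswith("=====")
            continue
        if line.startswith("End of report"):
            break
        if not line:
            continue
        if line.startswith(SEPARATOR):          # '----' rule closes the current section
            section = location = None
            continue
        if section is None:                     # first line after a rule names the section
            section = line.rstrip(":")
            continue
        if line.startswith("[") and line.endswith("]"):
            location = line[1:-1]
            continue
        if line.startswith(("HKLM", "HKCU", "HKEY_")):
            location = line
            continue
        if PLACEHOLDER in line or line.endswith(":"):   # empty location or sub-header
            continue
        m = PATH_RE.search(line)
        entries.append(Entry(section, location, line, m.group(0) if m else None))
    return entries


def outside_windows(entries, windows_dir=r"C:\WINXP"):
    """Entries whose module lives outside the Windows directory: the first things to
    look at, because that is where third-party and unwanted software usually sits."""
    prefix = windows_dir.lower().rstrip("\\") + "\\"
    return [e for e in entries if e.path and not e.path.lower().startswith(prefix)]


if __name__ == "__main__":
    found = parse_startuplist(SAMPLE_REPORT)
    for e in found:
        print(f"[{e.section}] {e.location}: {e.text}")
    print("outside Windows dir:", [e.path for e in outside_windows(found)])
```

    Run against the full report, the same two functions reduce 400 lines of log to a handful of entries: the per-user Startup shortcut for yProxy, the all-users shortcut for ZoneAlarm, the Google toolbar BHO, and the Microsoft XML parser OSD under Downloaded Program Files, which is exactly what the moderator concluded by eye when calling it a clean log.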
     
  4. dougage

    dougage Thread Starter

    Joined:
    Apr 2, 2004
    Messages:
    8
    Logfile of HijackThis v1.97.7
    Scan saved at 12:49:28 PM, on 4/2/2004
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINXP\System32\smss.exe
    C:\WINXP\system32\winlogon.exe
    C:\WINXP\system32\services.exe
    C:\WINXP\system32\lsass.exe
    C:\WINXP\system32\svchost.exe
    C:\WINXP\System32\svchost.exe
    C:\WINXP\Explorer.EXE
    C:\Program Files\Zone Labs\ZoneAlarm\zapro.exe
    C:\WINXP\system32\ZoneLabs\vsmon.exe
    C:\Program Files\yProxy\yProxy.exe
    C:\Program Files\eMule\emule.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\WINXP\explorer.exe
    C:\Program Files\Yahoo!\Messenger\YPager.exe
    C:\Program Files\Winamp\Winamp.exe
    C:\Program Files\HiJackThis\HijackThis.exe

    F2 - REG:system.ini: UserInit=C:\WINXP\System32\Userinit.exe
     
  5. cybertech

    cybertech Retired Moderator

    Joined:
    Apr 16, 2002
    Messages:
    72,115
    Did you edit this log? or have you disabled with msconfig?
     
  6. dougage

    dougage Thread Starter

    Joined:
    Apr 2, 2004
    Messages:
    8
    The log is unedited; I disabled all but the needed stuff in msconfig.
     
  7. cybertech

    cybertech Retired Moderator

    Joined:
    Apr 16, 2002
    Messages:
    72,115
    Oh, well I can't make any suggestions. Cleanest log I've seen today :)
     
  8. dougage

    dougage Thread Starter

    Joined:
    Apr 2, 2004
    Messages:
    8
    What does the netstat look like to you?
    Doesn't it seem strange?
    It just started about a week ago....

    I can have no programs running, yet the traffic on my connection is very active; that's the part that's freaking me out.
     
  9. KrashedKris

    KrashedKris

    Joined:
    Dec 23, 2003
    Messages:
    262
    Maybe you could try something like Active Ports http://download.com.com/3000-2085-10062969.html?part=65960&subj=dlpage&tag=button

    - I believe it can map active ports to the process using them, so you might be able to find out more about your situation. Apparently it is erroneously detected by Norton AV as a threat, though, but I have been assured by knowledgeable folks that it's a widely used security utility that poses no threat to your system and Norton have got this wrong. Actually I have Active Ports myself but haven't got round to trying it yet.
     
  10. dougage

    dougage Thread Starter

    Joined:
    Apr 2, 2004
    Messages:
    8
    I basically got the same info from netstat; something is very wrong here. I need to block the IP that these ports are connecting to, and this program does not do that.
    I haven't found one that can.
    Thanks anyhoo...
     
  11. KrashedKris

    KrashedKris

    Joined:
    Dec 23, 2003
    Messages:
    262
    I guess you should be able to configure your Zone Alarm firewall to block specific ports and/or IPs. If you need assistance on how to do that, well, it's probably beyond my knowledge - but if you post back here with the specifics then I'm sure someone will be able to help out.

    Also I guess it's worth running full anti-virus and anti-trojan scans of your machine with the latest definitions; you could use different online scans to cross-check. You could also check out something like Port Explorer http://www.diamondcs.com.au/portexplorer/ to get more of a handle on what's going on - good luck! :)
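    What Active Ports and Port Explorer do interactively (post 9 and post 11) can be done from the data the poster already has: on XP SP1 `netstat -ano` prints the owning PID for every socket, `tasklist` maps PIDs to image names (SP2 and later add `netstat -b`, which prints the image directly), and the question "which process is talking to which Internet host, how often, and in what state" falls out of joining the two. The script below is an added example, not code from the thread or from either tool. The netstat rows and PID numbers are constructed (the foreign addresses are documentation ranges, stand-ins for whatever the real attachment showed); the "suspicious" rules are a review heuristic, not a malware verdict, and the resulting IP list is what you would then type into your firewall's block list by hand.

```python
"""Map `netstat -ano` rows to processes and pick off-LAN peers worth blocking."""
import ipaddress
from collections import Counter, namedtuple

Conn = namedtuple("Conn", "proto local_ip local_port remote_ip remote_port state pid")

# Peers in these ranges are the LAN, the box itself or a wildcard, not the Internet.
LOCAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16", "0.0.0.0/8")]

# Constructed sample in the Windows XP `netstat -ano` layout (TCP rows carry a
# State column, UDP rows do not). Not the poster's real attachment.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       856
  TCP    192.168.0.2:1037       203.0.113.10:4662      ESTABLISHED     1732
  TCP    192.168.0.2:1042       203.0.113.10:4662      ESTABLISHED     1732
  TCP    192.168.0.2:1050       198.51.100.7:80        ESTABLISHED     1904
  TCP    192.168.0.2:1051       198.51.100.7:80        TIME_WAIT       0
  TCP    192.168.0.2:1060       192.0.2.55:6667        SYN_SENT        1020
  TCP    192.168.0.2:1061       192.0.2.55:6667        SYN_SENT        1020
  TCP    192.168.0.2:1062       192.0.2.55:6667        SYN_SENT        1020
  UDP    0.0.0.0:445            *:*                                    4
  UDP    192.168.0.2:1900       *:*                                    1020
"""

# Constructed PID -> image name map, as `tasklist` would report it.
SAMPLE_PIDS = {4: "System", 856: "svchost.exe", 1020: "svchost.exe",
               1732: "emule.exe", 1904: "iexplore.exe"}


def split_endpoint(text):
    """'192.168.0.2:1037' -> ('192.168.0.2', 1037); '*:*' -> ('*', None)."""
    host, _, port = text.rpartition(":")
    return host, (int(port) if port.isdigit() else None)


def parse_netstat(text):
    """Parse XP-style `netstat -ano`; UDP rows have no State column."""
    conns = []
    for line in text.splitlines():
        tokens = line.split()
        if not tokens or tokens[0] not in ("TCP", "UDP"):
            continue
        if tokens[0] == "TCP":
            proto, local, remote, state, pid = tokens
        else:
            proto, local, remote, pid = tokens
            state = ""
        lip, lport = split_endpoint(local)
        rip, rport = split_endpoint(remote)
        conns.append(Conn(proto, lip, lport, rip, rport, state, int(pid)))
    return conns


def is_local(ip):
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:              # '*' wildcard
        return True
    return any(addr in net for net in LOCAL_NETS)


def summarize_by_process(conns, pid_names):
    """PID -> image name, Counter of (remote_ip, port) and Counter of TCP states,
    counting only sockets that have a live off-LAN peer."""
    summary = {}
    for c in conns:
        if c.state in ("LISTENING", "TIME_WAIT") or is_local(c.remote_ip):
            continue
        entry = summary.setdefault(c.pid, {
            "image": pid_names.get(c.pid, "?"), "peers": Counter(), "states": Counter()})
        entry["peers"][(c.remote_ip, c.remote_port)] += 1
        entry["states"][c.state or "UDP"] += 1
    return summary


def suspicious_processes(summary, min_attempts=3):
    """Review heuristic, not a verdict: repeated half-open attempts (SYN_SENT) to one
    peer, or a generic service host (svchost.exe) talking to the Internet at all."""
    flagged = {}
    for pid, e in summary.items():
        reasons = []
        for (ip, port), n in e["peers"].items():
            if n >= min_attempts and e["states"]["SYN_SENT"]:
                reasons.append(f"{n} connection attempts to {ip}:{port}")
        if e["image"].lower() == "svchost.exe":
            reasons.append("svchost.exe with an off-LAN peer: identify the hosted service")
        if reasons:
            flagged[pid] = reasons
    return flagged


def block_candidates(summary, flagged):
    """Remote IPs used by flagged PIDs, ready to go into the firewall's block list."""
    return sorted({ip for pid in flagged for (ip, _) in summary[pid]["peers"]})


if __name__ == "__main__":
    conns = parse_netstat(SAMPLE_NETSTAT)
    summary = summarize_by_process(conns, SAMPLE_PIDS)
    flagged = suspicious_processes(summary)
    for pid, e in summary.items():
        print(f"PID {pid} ({e['image']}): {dict(e['peers'])}")
    for pid, reasons in flagged.items():
        print(f"REVIEW PID {pid}: " + "; ".join(reasons))
    print("block candidates:", block_candidates(summary, flagged))
```

    Two caveats a practitioner should keep in mind. A PID of 0 with TIME_WAIT is a closed socket no process owns, so it is skipped rather than reported as an unknown process; and svchost.exe hosts many legitimate services (Windows Update and time sync among them), so an svchost entry is a prompt to find out which service instance that PID is running, not proof of compromise. Blocking the IP at the firewall stops the traffic but does not remove whatever is generating it.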
     
  12. webzter

    webzter

    Joined:
    May 4, 2003
    Messages:
    777
    Re your netstat: had a similar issue yesterday, also using Zone Alarm. Watch your ICQ ports, most likely range of ports for a break-through. Also try running Spybot; that took out about two dozen unwanted visitors. Then I tightened up Zone Alarm and I have been untouched since. Virus and Hijack scans might not reveal what's affecting your system; that's why I went to Spybot. Identified them and removed them. LOL/WEBZ
     
  13. dougage

    dougage Thread Starter

    Joined:
    Apr 2, 2004
    Messages:
    8
    Thanks for the reply.
    I have run Spybot, HijackThis, all web-based virus scans, f-protect, AVG, Ad-Aware, and NONE of them had anything to say.
    I guess my question is, does anyone understand exactly what this netstat means and what exactly I can do to stop it?
    I have no weird apps running, I have NOTHING in my msconfig startup, I have nothing in my HKLM\Software\Microsoft\Windows\CurrentVersion\Run, I've got nothing anywhere, yet I get this weird crap.
    How exactly did you 'tighten up' your Zone Alarm?
    What caused it to need to be tightened up in the first place?

    thanks for the help.
     
  14. webzter

    webzter

    Joined:
    May 4, 2003
    Messages:
    777
    Do you run an Actiontec router in conjunction with a DSL service, and are you using Qwest?
    WEBZ
     
  15. dougage

    dougage Thread Starter

    Joined:
    Apr 2, 2004
    Messages:
    8
    Hey webzter, thanks for the reply.
    I run a D-Link with DSL through SWB.
    If you have any thoughts, lemme know.
     
Short URL to this thread: https://techguy.org/216772

  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.
    Dismiss Notice