Status
Not open for further replies.
1 - 19 of 19 Posts

Registered · 8 Posts · Discussion Starter · #1
I am getting these weird netstat logs, anyone know the deal?
I have a router; this is happening as soon as I start the computer, with no programs running.
It does seem to stop when I kill svchost, which also kills my internet.
Thanks for any help.
 

Attachments

Retired Moderator · 72,209 Posts
Welcome to TSG!!

Download Hijackthis.
Create a folder on your hard drive and save it there.
Unzip the file and extract it to the folder you have created.
Scan your machine, then click on Save Log.

Post a copy back here and someone will be happy to review it.

Don't make any changes until instructed to do so.
 

Registered · 8 Posts · Discussion Starter · #3
StartupList report, 4/2/2004, 12:38:53 PM
StartupList version: 1.52
Started from : C:\Program Files\HiJackThis\HijackThis.EXE
Detected: Windows XP SP1 (WinNT 5.01.2600)
Detected: Internet Explorer v6.00 SP1 (6.00.2800.1106)
* Using default options
* Including empty and uninteresting sections
==================================================

Running processes:

C:\WINXP\System32\smss.exe
C:\WINXP\system32\winlogon.exe
C:\WINXP\system32\services.exe
C:\WINXP\system32\lsass.exe
C:\WINXP\system32\svchost.exe
C:\WINXP\System32\svchost.exe
C:\WINXP\Explorer.EXE
C:\Program Files\Zone Labs\ZoneAlarm\zapro.exe
C:\WINXP\system32\ZoneLabs\vsmon.exe
C:\Program Files\yProxy\yProxy.exe
C:\Program Files\eMule\emule.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINXP\explorer.exe
C:\Program Files\HiJackThis\HijackThis.exe

--------------------------------------------------

Listing of startup folders:

Shell folders Startup:
[C:\Documents and Settings\doug\Start Menu\Programs\Startup]
yProxy.exe.lnk = C:\Program Files\yProxy\yProxy.exe

Shell folders AltStartup:
*Folder not found*

User shell folders Startup:
*Folder not found*

User shell folders AltStartup:
*Folder not found*

Shell folders Common Startup:
[C:\Documents and Settings\All Users.WINXP\Start Menu\Programs\Startup]
ZoneAlarm Pro.lnk = C:\Program Files\Zone Labs\ZoneAlarm\zapro.exe

Shell folders Common AltStartup:
*Folder not found*

User shell folders Common Startup:
*Folder not found*

User shell folders Alternate Common Startup:
*Folder not found*

--------------------------------------------------

Checking Windows NT UserInit:

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINXP\System32\Userinit.exe

[HKLM\Software\Microsoft\Windows\CurrentVersion\Winlogon]
*Registry value not found*

[HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
*Registry value not found*

[HKCU\Software\Microsoft\Windows\CurrentVersion\Winlogon]
*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnceEx

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Run

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Run

*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

[OptionalComponents]
*No values found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce

[ApprovedByRegRun2]
*No values found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices
*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Run
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Run
*Registry key not found*

--------------------------------------------------

File association entry for .EXE:
HKEY_CLASSES_ROOT\exefile\shell\open\command

(Default) = "%1" %*

--------------------------------------------------

File association entry for .COM:
HKEY_CLASSES_ROOT\comfile\shell\open\command

(Default) = "%1" %*

--------------------------------------------------

File association entry for .BAT:
HKEY_CLASSES_ROOT\batfile\shell\open\command

(Default) = "%1" %*

--------------------------------------------------

File association entry for .PIF:
HKEY_CLASSES_ROOT\piffile\shell\open\command

(Default) = "%1" %*

--------------------------------------------------

File association entry for .SCR:
HKEY_CLASSES_ROOT\scrfile\shell\open\command

(Default) = "%1" /S

--------------------------------------------------

File association entry for .HTA:
HKEY_CLASSES_ROOT\htafile\shell\open\command

(Default) = C:\WINXP\System32\mshta.exe "%1" %*

--------------------------------------------------

Enumerating ICQ Agent Autostart apps:
HKCU\Software\Mirabilis\ICQ\Agent\Apps

*Registry key not found*

--------------------------------------------------

Load/Run keys from C:\WINXP\WIN.INI:

load=*INI file not found*
run=*INI file not found*

Load/Run keys from Registry:

HKLM\..\Windows NT\CurrentVersion\WinLogon: load=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\WinLogon: run=*Registry value not found*
HKLM\..\Windows\CurrentVersion\WinLogon: load=*Registry value not found*
HKLM\..\Windows\CurrentVersion\WinLogon: run=*Registry value not found*
HKCU\..\Windows NT\CurrentVersion\WinLogon: load=*Registry value not found*
HKCU\..\Windows NT\CurrentVersion\WinLogon: run=*Registry value not found*
HKCU\..\Windows\CurrentVersion\WinLogon: load=*Registry key not found*
HKCU\..\Windows\CurrentVersion\WinLogon: run=*Registry key not found*
HKCU\..\Windows NT\CurrentVersion\Windows: load=
HKCU\..\Windows NT\CurrentVersion\Windows: run=
HKLM\..\Windows NT\CurrentVersion\Windows: load=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\Windows: run=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\Windows: AppInit_DLLs=

--------------------------------------------------

Shell & screensaver key from C:\WINXP\SYSTEM.INI:

Shell=*INI file not found*
SCRNSAVE.EXE=*INI file not found*
drivers=*INI file not found*

Shell & screensaver key from Registry:

Shell=explorer.exe
SCRNSAVE.EXE=*Registry value not found*
drivers=*Registry value not found*

Policies Shell key:

HKCU\..\Policies: Shell=*Registry value not found*
HKLM\..\Policies: Shell=*Registry value not found*

--------------------------------------------------

Enumerating Browser Helper Objects:

(no name) - c:\program files\google\googletoolbar2.dll - {AA58ED58-01DD-4d91-8333-CF10577473F7}

--------------------------------------------------

Enumerating Task Scheduler jobs:

*No jobs found*

--------------------------------------------------

Enumerating Download Program Files:

[Microsoft XML Parser for Java]
OSD = C:\WINXP\Downloaded Program Files\Microsoft XML Parser for Java.osd

--------------------------------------------------

Enumerating Winsock LSP files:

NameSpace #1: C:\WINXP\System32\mswsock.dll
NameSpace #2: C:\WINXP\System32\winrnr.dll
NameSpace #3: C:\WINXP\System32\mswsock.dll
Protocol #1: C:\WINXP\system32\mswsock.dll
Protocol #2: C:\WINXP\system32\mswsock.dll
Protocol #3: C:\WINXP\system32\mswsock.dll
Protocol #4: C:\WINXP\system32\rsvpsp.dll
Protocol #5: C:\WINXP\system32\rsvpsp.dll
Protocol #6: C:\WINXP\system32\mswsock.dll
Protocol #7: C:\WINXP\system32\mswsock.dll
Protocol #8: C:\WINXP\system32\mswsock.dll
Protocol #9: C:\WINXP\system32\mswsock.dll
Protocol #10: C:\WINXP\system32\mswsock.dll
Protocol #11: C:\WINXP\system32\mswsock.dll
Protocol #12: C:\WINXP\system32\mswsock.dll
Protocol #13: C:\WINXP\system32\mswsock.dll
Protocol #14: C:\WINXP\system32\mswsock.dll
Protocol #15: C:\WINXP\system32\mswsock.dll

--------------------------------------------------

Enumerating Windows NT logon/logoff scripts:
*No scripts set to run*

Windows NT checkdisk command:
BootExecute = autocheck autochk *

Windows NT 'Wininit.ini':
PendingFileRenameOperations: *Registry value not found*

--------------------------------------------------

Enumerating ShellServiceObjectDelayLoad items:

PostBootReminder: C:\WINXP\system32\SHELL32.dll
CDBurn: C:\WINXP\system32\SHELL32.dll
WebCheck: C:\WINXP\System32\webcheck.dll
SysTray: C:\WINXP\System32\stobject.dll

--------------------------------------------------
End of report, 12,100 bytes
Report generated in 0.330 seconds

Command line options:
/verbose - to add additional info on each section
/complete - to include empty sections and unsuspicious data
/full - to include several rarely-important sections
/force9x - to include Win9x-only startups even if running on WinNT
/forcent - to include WinNT-only startups even if running on Win9x
/forceall - to include all Win9x and WinNT startups, regardless of platform
/history - to list version history only
 

Registered · 8 Posts · Discussion Starter · #4
Logfile of HijackThis v1.97.7
Scan saved at 12:49:28 PM, on 4/2/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINXP\System32\smss.exe
C:\WINXP\system32\winlogon.exe
C:\WINXP\system32\services.exe
C:\WINXP\system32\lsass.exe
C:\WINXP\system32\svchost.exe
C:\WINXP\System32\svchost.exe
C:\WINXP\Explorer.EXE
C:\Program Files\Zone Labs\ZoneAlarm\zapro.exe
C:\WINXP\system32\ZoneLabs\vsmon.exe
C:\Program Files\yProxy\yProxy.exe
C:\Program Files\eMule\emule.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINXP\explorer.exe
C:\Program Files\Yahoo!\Messenger\YPager.exe
C:\Program Files\Winamp\Winamp.exe
C:\Program Files\HiJackThis\HijackThis.exe

F2 - REG:system.ini: UserInit=C:\WINXP\System32\Userinit.exe
 

Registered · 8 Posts · Discussion Starter · #8
What does the netstat look like to you?
Doesn't it seem strange?
It just started about a week ago....

I can have no programs running, yet the traffic on my connection is very active; that's the part that's freaking me out.
 

Registered · 262 Posts
Maybe you could try something like Active Ports http://download.com.com/3000-2085-10062969.html?part=65960&subj=dlpage&tag=button

- I believe it can map active ports to the process using them, so you might be able to find out more about your situation. Apparently it is erroneously detected by Norton AV as a threat, though, but I have been assured by knowledgeable folks that it's a widely used security utility that poses no threat to your system and Norton have got this wrong. Actually I have Active Ports myself but haven't got round to trying it yet.
 

Registered · 8 Posts · Discussion Starter · #10
I basically got the same info from netstat; something is very wrong here. I need to block the IP that these ports are connecting to, and this program does not do that.
I haven't found one that can.
Thanks anyhoo...
 

Registered · 262 Posts
I guess you should be able to configure your Zone Alarm firewall to block specific ports and/or IPs. If you need assistance on how to do that, well, it's probably beyond my knowledge - but if you post back here with the specifics then I'm sure someone will be able to help out.

Also I guess it's worth running full anti-virus and anti-trojan scans of your machine with the latest definitions; you could use different online scans to cross-check. You could also check out something like Port Explorer http://www.diamondcs.com.au/portexplorer/ to get more of a handle on what's going on - good luck! :)
 

Registered · 777 Posts
Re your netstat - I had a similar issue yesterday, also using Zone Alarm. Watch your ICQ ports - most likely range of ports for a break-through... Also try running Spybot; that took out about two dozen unwanted visitors. Then I tightened up Zone Alarm and I have been untouched since. Virus and Hijack scans might not reveal what's affecting your system - that's why I went to Spybot - identified them and removed them. LOL/WEBZ
 

Registered · 8 Posts · Discussion Starter · #13
Thanks for the reply.
I have run Spybot, HijackThis, all web-based virus scans, f-protect, AVG, Ad-Aware, and NONE of them had anything to say.
I guess my question is, does anyone understand exactly what this netstat means and what exactly can I do to stop it?
I have no weird apps running, I have NOTHING in my msconfig startup, I have nothing in my HKLM\Software\Microsoft\Windows\CurrentVersion\Run, I got nothin' nowhere, yet I get this weird crap.
How exactly did you 'tighten up' your Zone Alarm?
What caused it to need to be tightened up in the first place?

Thanks for the help.
 

Registered · 262 Posts
dougage said:
I guess my question is, does anyone understand exactly what this netstat means and what exactly can I do to stop it?
IMHO that's why it might be worth trying out a program like Port Explorer, because it does the interpretation for you - as I understand it you will get a lot more information out of it than from netstat without too much effort. Also try out a dedicated anti-trojan like TDS, BOClean or TrojanHunter, as these are capable of detecting trojans which are running inside legitimate processes such as svchost. This link seems like quite a good guide to "tightening up" ZA also: http://www.dslwebserver.com/main/fr_index.html?/main/sbs-zonealarm-configure.html
 

Registered · 262 Posts
Some MS info on the netstat "TIME_WAIT" state -

http://support.microsoft.com/default.aspx?scid=kb;en-us;q137984

NB Quote from this article:

"NOTE: It is normal to have a socket in the TIME_WAIT state for a long period of time. The time is specified in RFC793 as twice the Maximum Segment Lifetime (MSL). MSL is specified to be 2 minutes. So, a socket could be in a TIME_WAIT state for as long as 4 minutes. Some systems implement different values (less than 2 minutes) for the MSL."
 
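The two threads of advice above (an earlier reply suggests mapping active ports to the process using them, and the post just above quotes the TIME_WAIT rule of 2 * MSL, up to 4 minutes) can be checked from the command line without a third-party tool. The script below is an added example, not from this thread or from any of the tools named in it. It assumes the column layout of `netstat -ano` on Windows XP and later (the `-o` switch adds the PID column) and of `tasklist`; both samples embedded in it are constructed for the example, not the poster's attachment. It joins each socket to its owning process, counts how much of the list is just TIME_WAIT leftovers, and tallies remote ports so a repeated port stands out.

```python
"""Triage helper for `netstat -ano` output on Windows XP and later.

Added example (not from the thread). Joins sockets to processes via
`tasklist`, separates live connections from TIME_WAIT leftovers, and
tallies remote ports. Both samples below are constructed, not the
poster's attachment."""
import re
from collections import Counter, defaultdict

# Constructed `netstat -ano` output. TIME_WAIT sockets no longer belong to a
# process, which is why Windows lists them with PID 0.
NETSTAT_SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    192.168.1.10:1041      203.0.113.7:4662       ESTABLISHED     1480
  TCP    192.168.1.10:1042      203.0.113.8:4662       TIME_WAIT       0
  TCP    192.168.1.10:1043      203.0.113.9:4662       TIME_WAIT       0
  TCP    192.168.1.10:1044      203.0.113.10:4662      TIME_WAIT       0
  TCP    192.168.1.10:1050      198.51.100.20:80       ESTABLISHED     1120
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       772
  UDP    0.0.0.0:445            *:*                                    4
"""

# Constructed `tasklist` output for the same machine.
TASKLIST_SAMPLE = """\
Image Name                   PID Session Name     Session#    Mem Usage
========================= ====== ================ ======== ============
System                         4 Console                 0         236 K
svchost.exe                  772 Console                 0       4,512 K
iexplore.exe                1120 Console                 0      18,204 K
emule.exe                   1480 Console                 0      25,800 K
"""

# RFC 793: a closed socket lingers in TIME_WAIT for 2 * MSL, MSL = 2 minutes.
TIME_WAIT_MAX_SECONDS = 2 * 120

# Only real `tasklist` rows match; the header and the ==== separator have no
# standalone numeric PID column.
TASKLIST_RE = re.compile(r"^(?P<image>.+?)\s+(?P<pid>\d+)\s+\S+\s+\d+\s+[\d,]+ K\s*$")

# States in which a process is actually exchanging data with the remote side.
LIVE_STATES = {"ESTABLISHED", "SYN_SENT", "SYN_RECEIVED", "CLOSE_WAIT",
               "FIN_WAIT_1", "FIN_WAIT_2"}


def parse_tasklist(text):
    """Map PID -> image name from `tasklist` output."""
    procs = {}
    for line in text.splitlines():
        m = TASKLIST_RE.match(line)
        if m:
            procs[int(m.group("pid"))] = m.group("image")
    return procs


def parse_netstat(text):
    """One dict per TCP/UDP row. UDP rows have no State column, so state is ''."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0] not in ("TCP", "UDP"):
            continue
        if parts[0] == "TCP":
            proto, local, remote, state, pid = parts
        else:
            proto, local, remote, pid = parts
            state = ""
        rows.append({"proto": proto, "local": local, "remote": remote,
                     "state": state, "pid": int(pid)})
    return rows


def split_host_port(addr):
    """'203.0.113.7:4662' -> ('203.0.113.7', '4662'); also fine for '[::1]:80'."""
    host, _, port = addr.rpartition(":")
    return host, port


def triage(netstat_text, tasklist_text):
    """Who is talking to whom, and how much of the list is only TIME_WAIT."""
    procs = parse_tasklist(tasklist_text)
    rows = parse_netstat(netstat_text)
    states = Counter(r["state"] for r in rows if r["state"])
    live_by_process = defaultdict(set)
    remote_ports = Counter()
    for r in rows:
        host, port = split_host_port(r["remote"])
        if r["proto"] == "TCP" and host not in ("0.0.0.0", "*"):
            remote_ports[port] += 1
        if r["state"] in LIVE_STATES:
            name = procs.get(r["pid"], "pid %d (not in tasklist)" % r["pid"])
            live_by_process[name].add(host)
    return {
        "states": states,
        "live_by_process": {k: sorted(v) for k, v in live_by_process.items()},
        "time_wait_count": states["TIME_WAIT"],
        "time_wait_max_seconds": TIME_WAIT_MAX_SECONDS,
        "top_remote_ports": remote_ports.most_common(3),
    }


if __name__ == "__main__":
    result = triage(NETSTAT_SAMPLE, TASKLIST_SAMPLE)
    for name, hosts in result["live_by_process"].items():
        print("%-14s talks to %s" % (name, ", ".join(hosts)))
    print("TIME_WAIT entries: %d (each expires within %d s per RFC 793)"
          % (result["time_wait_count"], result["time_wait_max_seconds"]))
    print("Most common remote ports:", result["top_remote_ports"])
```

On a real machine, capture the two inputs with `netstat -ano > ns.txt` and `tasklist > tl.txt` and pass the file contents to `triage()`. In the constructed sample the only live connections belong to emule.exe and iexplore.exe; the three TIME_WAIT rows carry PID 0 and will age out on their own, and the repeated remote port 4662 points at the file-sharing client rather than at anything unexplained.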

Registered · 191 Posts
Have you checked out who the IP/IPs belong to and maybe asked them? I have ADSL, and had a very similar problem. I'm not the most technically gifted here and it's really a total guess, but maybe it's the same thing.

I have ADSL... can't remember what firewall I was using at the time... but I was getting ICMP pings and IPs trying to connect literally 4 or 5 times a second; it was absolutely killing my firewall cos I was blocking them all... was lagging me like crazy cos the firewall was going so crazy. I also checked netstat and had a very similar long list of IPs on wait.

I noticed the IPs were all in the same range, and when I did a trace they all led back to one town (dunno how reliable those trace things are on firewalls). I did a whois and found out that all the IPs belonged to my ISP. I contacted them because I was sure I was being hacked; they wrote back to me asking for my firewall logs. My logs showed, in a period of 3 days, over 4000 blocked connection attempts, a lot of which were high level cos it gave ICMP pings a high-level warning... everything else was blocked. Anyway, the long and the short of it is this; I won't try and explain the technical side cos I was confused enough when I read the email...

The ISP I was with used dynamic IPs on ADSL, and I can't explain how or why, but to designate an IP when a computer was turned on or connected to the net, I would get pinged and connection attempts... I really can't explain why cos it's beyond me, but I ended up leaving the company anyway as their speed was rarely what was advertised.

Also a note on that: if it's not your ISP, it's always worth contacting the email it gives on a whois; if they can't at least give you more info they might be able to try and stop it, or if it is a hacker do something about it? ... I dunno. Good luck with finding out what's going on.
 