1. While I am checking port activity with PE, the program itself comes up in red very briefly. I also have it set to ask permission in ZA, and it does not at these times, only when I ping etc...

2. When I run netstat at boot I get:

TCP: XXXXXX:1025 localhost 1029 ESTABLISHED
TCP: XXXXXX:1026 localhost 1028 ESTABLISHED
TCP: XXXXXX:1028 localhost 1026 ESTABLISHED
TCP: XXXXXX:1029 localhost 1025 ESTABLISHED
TCP: XXXXXX:1047 localhost 1048 ESTABLISHED
TCP: XXXXXX:1048 localhost 1047 ESTABLISHED
TCP: XXXXXX: a208-38-45-174.deploy.akamaitechnologies.com:HTTP Close_Wait

When I open IE or firefox. In PE I get up to 8 of them with more than one IP, and in netstat, the deploy.akamaitechnologies multiply. I thought the local hosts were my own programs, but I logged in safe mode and removed some spyware that was not picked up running normal. Upon reboot netstat was clean. I ran a few apps, and now it's back.

Thanks if anyone can offer advice.
Should also mention that since installing ZA yesterday I have had:

1066 Intrusions have been blocked since install
52 of those have been high rated
The firewall has blocked 2185 access attempts
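The loopback lines in the listing above come in mirrored pairs (1025/1029, 1026/1028, 1047/1048): a TCP connection whose both ends are on the same machine is shown once from each socket, so six lines are three local connections. The following is an added example, not code from the thread or from any tool mentioned in it; it parses Windows `netstat -an` style output (a constructed sample that reuses the poster's port numbers, with 203.0.113.10 standing in for the akamai host) and pairs the loopback entries so that only unmatched or remote connections are left to look at.

```python
"""Pair up loopback connections in Windows `netstat -an` output.

Added example (not from the thread).  Every TCP connection with both
ends on this machine appears twice, once per socket; matching the two
views collapses them into one local socket pair.  SAMPLE is constructed
output, not the poster's listing.
"""

# Constructed sample in `netstat -an` layout: Proto, Local, Foreign, State.
SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    127.0.0.1:1025         127.0.0.1:1029         ESTABLISHED
  TCP    127.0.0.1:1026         127.0.0.1:1028         ESTABLISHED
  TCP    127.0.0.1:1028         127.0.0.1:1026         ESTABLISHED
  TCP    127.0.0.1:1029         127.0.0.1:1025         ESTABLISHED
  TCP    127.0.0.1:1047         127.0.0.1:1048         ESTABLISHED
  TCP    127.0.0.1:1048         127.0.0.1:1047         ESTABLISHED
  TCP    192.168.1.5:1062       203.0.113.10:80        CLOSE_WAIT
"""


def split_endpoint(endpoint):
    """'127.0.0.1:1025' -> ('127.0.0.1', 1025); IPv6 brackets are stripped."""
    host, port = endpoint.rsplit(":", 1)
    return host.strip("[]"), int(port)


def is_loopback(host):
    return host.startswith("127.") or host in ("::1", "localhost")


def parse_netstat(text):
    """Return one dict per TCP/UDP line; header and blank lines are skipped."""
    conns = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0] not in ("TCP", "UDP"):
            continue
        conns.append({
            "proto": parts[0],
            "local": split_endpoint(parts[1]),
            "foreign": split_endpoint(parts[2]),
            "state": parts[3] if len(parts) > 3 else "",
        })
    return conns


def classify(conns):
    """Split TCP entries into matched loopback pairs, unmatched loopback
    views, and connections with a remote peer."""
    by_key, remote = {}, []
    for c in conns:
        if c["proto"] != "TCP":
            continue
        if is_loopback(c["local"][0]) and is_loopback(c["foreign"][0]):
            # Both views of one connection share the same unordered endpoint set.
            key = frozenset([c["local"], c["foreign"]])
            by_key.setdefault(key, []).append(c)
        else:
            remote.append(c)
    pairs, unpaired = [], []
    for key, views in by_key.items():
        if len(views) == 2:
            pairs.append(tuple(sorted(ep[1] for ep in key)))
        else:
            unpaired.append(views[0])  # only one side visible: worth a look
    return {"loopback_pairs": sorted(pairs),
            "unpaired_loopback": unpaired,
            "remote": remote}


def report(text):
    r = classify(parse_netstat(text))
    lines = ["local socket pairs: " + ", ".join(f"{a}<->{b}" for a, b in r["loopback_pairs"])]
    for c in r["remote"]:
        note = ""
        if c["state"] == "CLOSE_WAIT":
            # Peer closed its side; the local program has not closed yet.
            note = " (remote side closed, local app still holds the socket)"
        lines.append(f"remote {c['foreign'][0]}:{c['foreign'][1]} {c['state']}{note}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE))
```

On XP, `netstat -ano` adds the owning PID to each line, so each matched pair can be tied to the two processes talking to each other. A CLOSE_WAIT entry towards a web host after opening a browser is the server having closed an HTTP connection that the browser has not torn down yet; it normally disappears on its own.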
Hi, Google is your friend here. Take a look at this: http://forum.defcon.org/archive/index.php/t-2550.html

This does not appear to be malicious.

HTH, Pilli
I shouldn't have mentioned the akamaitech. I realize that is not malicious, it is the other stuff there. I ran a rootkit revealer and found some stuff... Next time I tried to run it, my access was denied and it couldn't install. It had said that there was embedded files * and the data didn't match as well as hidden API. This is all after a fresh XP install. Here's my hijack log:

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\ProcessGuard\pgaccount.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\ProcessGuard\procguard.exe
C:\WINDOWS\system32\ZoneLabs\isafe.exe
C:\Program Files\ProcessGuard\dcsuserprot.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\WINDOWS\system32\ScsiAccess.EXE
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\ZONELA~1\ZONEAL~1\MAILFR~1\mantispm.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Thelonious\Desktop\HijackThis.exe

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [!1_pgaccount] "C:\Program Files\ProcessGuard\pgaccount.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [!1_ProcessGuard_Startup] "C:\Program Files\ProcessGuard\procguard.exe" -minimize
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/downloads/kws/kavwebscan_unicode.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5free/asinst.cab
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: CAFVQTZUIB - Sysinternals - www.sysinternals.com - C:\DOCUME~1\THELON~1\LOCALS~1\Temp\CAFVQTZUIB.exe
O23 - Service: CA ISafe (CAISafe) - Computer Associates International, Inc. - C:\WINDOWS\system32\ZoneLabs\isafe.exe
O23 - Service: DiamondCS Process Guard Service v3.000 (DCSPGSRV) - DiamondCS - C:\Program Files\ProcessGuard\dcsuserprot.exe
O23 - Service: DZWKNOFN - Sysinternals - www.sysinternals.com - C:\DOCUME~1\THELON~1\LOCALS~1\Temp\DZWKNOFN.exe
O23 - Service: GWO - Sysinternals - www.sysinternals.com - C:\DOCUME~1\THELON~1\LOCALS~1\Temp\GWO.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: ScsiAccess - Unknown owner - C:\WINDOWS\system32\ScsiAccess.EXE
O23 - Service: UUCIHIJ - Sysinternals - www.sysinternals.com - C:\DOCUME~1\THELON~1\LOCALS~1\Temp\UUCIHIJ.exe
O23 - Service: VROGOBD - Sysinternals - www.sysinternals.com - C:\DOCUME~1\THELON~1\LOCALS~1\Temp\VROGOBD.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
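The O23 lines in a HijackThis log are the registered services, each with a display name, a vendor string and the binary path. The entries a reviewer looks at first are services running from a Temp directory and services with no vendor string. The block below is an added example, not part of the thread and not HijackThis code; it parses O23 lines (a constructed sample in the same format as the log above, with a few of its entries) and returns the ones that deserve a manual check. The poster says a rootkit revealer was run, and the randomly named Sysinternals entries under Temp are consistent with such a tool's scanning service, which is the kind of thing to confirm by hand rather than delete blindly.

```python
"""Triage the O23 (service) lines of a HijackThis log.

Added example, not from the thread or from HijackThis.  It pulls the
service name, vendor string and binary path out of each O23 line and
flags binaries under a Temp directory and services with no vendor.
SAMPLE_LOG is constructed in the log's format; it is not a full log.
"""
import re
from collections import Counter

# Constructed sample: a subset of O23 entries in HijackThis layout,
# plus one O4 line to show that non-O23 lines are ignored.
SAMPLE_LOG = r"""
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: CAFVQTZUIB - Sysinternals - www.sysinternals.com - C:\DOCUME~1\THELON~1\LOCALS~1\Temp\CAFVQTZUIB.exe
O23 - Service: CA ISafe (CAISafe) - Computer Associates International, Inc. - C:\WINDOWS\system32\ZoneLabs\isafe.exe
O23 - Service: GWO - Sysinternals - www.sysinternals.com - C:\DOCUME~1\THELON~1\LOCALS~1\Temp\GWO.exe
O23 - Service: ScsiAccess - Unknown owner - C:\WINDOWS\system32\ScsiAccess.EXE
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
"""

PREFIX = "O23 - Service: "
# Matches a \Temp\ or \Tmp\ path component, including the 8.3 form used above.
TEMP_DIR = re.compile(r"\\(temp|tmp)\\", re.IGNORECASE)


def parse_o23(log_text):
    """Return one dict (name, vendor, path) per 'O23 - Service:' line."""
    entries = []
    for line in log_text.splitlines():
        if not line.startswith(PREFIX):
            continue
        body = line[len(PREFIX):]
        # The path is the last ' - ' field; the vendor string itself may
        # contain ' - ' (e.g. 'Sysinternals - www.sysinternals.com').
        head, path = body.rsplit(" - ", 1)
        name, _, vendor = head.partition(" - ")
        entries.append({"name": name, "vendor": vendor, "path": path})
    return entries


def triage(log_text):
    """Attach review flags to every parsed service entry."""
    result = []
    for entry in parse_o23(log_text):
        flags = []
        if TEMP_DIR.search(entry["path"]):
            flags.append("binary in Temp directory")
        if entry["vendor"] == "Unknown owner":
            flags.append("no vendor string")
        result.append({**entry, "flags": flags})
    return result


def flagged(log_text):
    """Only the entries that carry at least one flag."""
    return [e for e in triage(log_text) if e["flags"]]


def vendors(log_text):
    """How many services each vendor string accounts for."""
    return Counter(e["vendor"] for e in parse_o23(log_text))


if __name__ == "__main__":
    for e in flagged(SAMPLE_LOG):
        print(f"{e['name']:20} {', '.join(e['flags']):30} {e['path']}")
    print(vendors(SAMPLE_LOG))
```

A flag is a reason to check the file, not a verdict: confirm the binary exists at that path, look at its version information and signature, and compare it with the tools known to be installed (the poster's rootkit revealer included) before removing anything.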
Hi again. I am sorry, Wilders do not analyse HJT logs any more. Please use this link if you believe that you may have malware on your PC: https://www.wilderssecurity.com/showthread.php?t=50662

I would also suggest that you visit the ZA forums for information regarding its logs etc.

I will close this thread now. Thanks.

Pilli