Is this normal?

Discussion in 'Port Explorer' started by Colonel32, Aug 30, 2005.

Thread Status:
Not open for further replies.
  1. Colonel32

    Colonel32 Registered Member

    Joined:
    Aug 30, 2005
    Posts:
    3
    1. While I am checking port activity with PE, the program itself comes up in red very briefly. I also have it set to ask permission in ZA, and it does not at these times, only when I ping etc.

    2. When I run netstat at boot I get:

    TCP: XXXXXX:1025 localhost 1029 ESTABLISHED
    TCP: XXXXXX:1026 localhost 1028 ESTABLISHED
    TCP: XXXXXX:1028 localhost 1026 ESTABLISHED
    TCP: XXXXXX:1029 localhost 1025 ESTABLISHED
    TCP: XXXXXX:1047 localhost 1048 ESTABLISHED
    TCP: XXXXXX:1048 localhost 1047 ESTABLISHED
    TCP: XXXXXX: a208-38-45-174.deploy.akamaitechnologies.com:HTTP Close_Wait


    When I open IE or Firefox, in PE I get up to 8 of them with more than one IP, and in netstat the deploy.akamaitechnologies entries multiply.


    I thought the local hosts were my own programs, but I logged in to safe mode and removed some spyware that was not picked up running normally. Upon reboot netstat was clean. I ran a few apps, and now it's back.


    Thanks if anyone can offer advice.
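The netstat question above, worked through as an added example (not code from the thread or from Port Explorer): a TCP connection between two processes on the same machine is listed twice, once from each end, so the 1025/1029, 1026/1028 and 1047/1048 lines are three local connections, not six. The parser below pairs those up so that only unpaired loopback sockets and external peers are left to explain; the sample text is constructed in standard `netstat` layout from the ports the post quotes, and `mybox` is a placeholder host name.

```python
LOOPBACK = {"localhost", "127.0.0.1", "::1"}

# Constructed sample in standard Windows `netstat` layout, rebuilt from the port
# pairs quoted in the post (the poster retyped the output, so the form differs).
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State
  TCP    mybox:1025             localhost:1029         ESTABLISHED
  TCP    mybox:1026             localhost:1028         ESTABLISHED
  TCP    mybox:1028             localhost:1026         ESTABLISHED
  TCP    mybox:1029             localhost:1025         ESTABLISHED
  TCP    mybox:1047             localhost:1048         ESTABLISHED
  TCP    mybox:1048             localhost:1047         ESTABLISHED
  TCP    mybox:1051             a208-38-45-174.deploy.akamaitechnologies.com:http  CLOSE_WAIT
"""

def parse_netstat(text):
    """Return TCP rows as (local_host, local_port, remote_host, remote_port, state)."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4 or parts[0] != "TCP":
            continue  # skips headers, blank lines and UDP rows (no state column)
        lhost, lport = parts[1].rsplit(":", 1)
        rhost, rport = parts[2].rsplit(":", 1)
        rows.append((lhost, lport, rhost, rport, parts[3]))
    return rows

def triage(rows):
    """Split rows into loopback pairs, unpaired loopback sockets and external peers.

    A connection between two processes on the same host appears twice, once from
    each end: A:x -> localhost:y and A:y -> localhost:x. That pair is ONE local
    connection; only unpaired loopback sockets and external peers need explaining.
    """
    loop = {(r[1], r[3]): r for r in rows if r[2] in LOOPBACK}
    pairs, unpaired, seen = [], [], set()
    for key, row in loop.items():
        if key in seen:
            continue
        mate = (key[1], key[0])
        if mate in loop:
            pairs.append((row, loop[mate]))
            seen.update({key, mate})
        else:
            unpaired.append(row)
            seen.add(key)
    external = [r for r in rows if r[2] not in LOOPBACK]
    return pairs, unpaired, external
```

To find out which program owns each pair, the `-o` switch of netstat (or Port Explorer's process column) maps the local port to a PID; a pair whose owner you do not recognise is the one to look into.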
     
  2. Colonel32

    Colonel32 Registered Member

    Joined:
    Aug 30, 2005
    Posts:
    3
    Should also mention that since installing ZA yesterday I have had:

    1066 Intrusions have been blocked since install

    52 of those have been high rated

    The firewall has blocked 2185 access attempts
     
  3. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
  4. Colonel32

    Colonel32 Registered Member

    Joined:
    Aug 30, 2005
    Posts:
    3
    I shouldn't have mentioned the akamaitech ;)


    I realize that is not malicious, it is the other stuff there.


    I ran a rootkit revealer and found some stuff... Next time I tried to run it, my access was denied and it couldn't install.

    It had said that there were embedded files * and the data didn't match, as well as hidden API. This is all after a fresh XP install.

    Here's my HijackThis log:

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\System32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
    C:\Program Files\ProcessGuard\pgaccount.exe
    C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    C:\Program Files\ProcessGuard\procguard.exe
    C:\WINDOWS\system32\ZoneLabs\isafe.exe
    C:\Program Files\ProcessGuard\dcsuserprot.exe
    C:\WINDOWS\system32\drivers\KodakCCS.exe
    C:\WINDOWS\system32\ScsiAccess.EXE
    C:\WINDOWS\system32\ZoneLabs\vsmon.exe
    C:\WINDOWS\system32\svchost.exe
    C:\PROGRA~1\ZONELA~1\ZONEAL~1\MAILFR~1\mantispm.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Documents and Settings\Thelonious\Desktop\HijackThis.exe

    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
    O4 - HKLM\..\Run: [!1_pgaccount] "C:\Program Files\ProcessGuard\pgaccount.exe"
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    O4 - HKCU\..\Run: [!1_ProcessGuard_Startup] "C:\Program Files\ProcessGuard\procguard.exe" -minimize
    O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
    O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/downloads/kws/kavwebscan_unicode.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5free/asinst.cab
    O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
    O23 - Service: CAFVQTZUIB - Sysinternals - www.sysinternals.com - C:\DOCUME~1\THELON~1\LOCALS~1\Temp\CAFVQTZUIB.exe
    O23 - Service: CA ISafe (CAISafe) - Computer Associates International, Inc. - C:\WINDOWS\system32\ZoneLabs\isafe.exe
    O23 - Service: DiamondCS Process Guard Service v3.000 (DCSPGSRV) - DiamondCS - C:\Program Files\ProcessGuard\dcsuserprot.exe
    O23 - Service: DZWKNOFN - Sysinternals - www.sysinternals.com - C:\DOCUME~1\THELON~1\LOCALS~1\Temp\DZWKNOFN.exe
    O23 - Service: GWO - Sysinternals - www.sysinternals.com - C:\DOCUME~1\THELON~1\LOCALS~1\Temp\GWO.exe
    O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
    O23 - Service: ScsiAccess - Unknown owner - C:\WINDOWS\system32\ScsiAccess.EXE
    O23 - Service: UUCIHIJ - Sysinternals - www.sysinternals.com - C:\DOCUME~1\THELON~1\LOCALS~1\Temp\UUCIHIJ.exe
    O23 - Service: VROGOBD - Sysinternals - www.sysinternals.com - C:\DOCUME~1\THELON~1\LOCALS~1\Temp\VROGOBD.exe
    O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
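A first triage pass over the O23 (service) lines of the log above, as an added example that is neither the thread's nor HijackThis's own code. The heuristics are this example's assumptions, not a rule from the thread: a service binary in a user Temp folder, a vendor HJT could not read, or a random-looking all-caps name means "verify by hand", not "malicious"; a scanner run just before (the poster mentions a rootkit revealer) can legitimately leave temporary services behind, so check each hit against that tool's documentation before removing anything. The sample is a subset of the O23 lines quoted in the post.

```python
import re

# O23 lines have the shape "O23 - Service: <name> - <vendor> - <drive>:\<path>"; the
# vendor field may itself contain " - ", so the path is anchored on a drive letter.
O23_RE = re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<vendor>.+?) - (?P<path>[A-Za-z]:\\.*)$")

# Sample taken from the O23 lines quoted in the post (raw string keeps the backslashes).
SAMPLE_O23 = r"""
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: CAFVQTZUIB - Sysinternals - www.sysinternals.com - C:\DOCUME~1\THELON~1\LOCALS~1\Temp\CAFVQTZUIB.exe
O23 - Service: CA ISafe (CAISafe) - Computer Associates International, Inc. - C:\WINDOWS\system32\ZoneLabs\isafe.exe
O23 - Service: GWO - Sysinternals - www.sysinternals.com - C:\DOCUME~1\THELON~1\LOCALS~1\Temp\GWO.exe
O23 - Service: ScsiAccess - Unknown owner - C:\WINDOWS\system32\ScsiAccess.EXE
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
"""

def parse_o23(text):
    """Return one dict per O23 line with keys name, vendor and path."""
    entries = []
    for line in text.splitlines():
        m = O23_RE.match(line.strip())
        if m:
            entries.append(m.groupdict())
    return entries

def flag_services(entries):
    """Return [(name, [reasons])] for services worth verifying by hand.

    Heuristics (assumptions of this example, not findings from the thread):
    - the binary lives in a Temp folder (matches both the long and 8.3 XP profile path)
    - HJT could not read a vendor from the binary ("Unknown owner")
    - the service name is a short run of capitals with no real words in it
    """
    flagged = []
    for e in entries:
        reasons = []
        path = e["path"].lower().replace("/", "\\")
        if "\\temp\\" in path:
            reasons.append("runs from a Temp folder")
        if e["vendor"] == "Unknown owner":
            reasons.append("no vendor information")
        if re.fullmatch(r"[A-Z]{3,}", e["name"]):
            reasons.append("random-looking all-caps name")
        if reasons:
            flagged.append((e["name"], reasons))
    return flagged
```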
     
  5. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
    Hi again. I am sorry, Wilders do not analyse HJT logs any more. Please use this link if you believe that you may have malware on your PC.
    https://www.wilderssecurity.com/showthread.php?t=50662

    I would also suggest that you visit the ZA forums for information regarding its logs etc.

    I will close this thread now.

    Thanks. Pilli
     