Possible trojan showing up in netstat

Discussion in 'malware problems & news' started by Rikavich, Jun 3, 2006.

Thread Status:
Not open for further replies.
  1. Rikavich

    Rikavich Registered Member

    Joined:
    Jun 2, 2006
    Posts:
    2
    Hi guys,

    I'll try and keep this short and sweet. Every time that I have an open Firefox browser or World of Warcraft, and run a netstat in the command prompt, I come up with entries like these:

    Active Connections

    Proto Local Address Foreign Address State
    TCP Rikavich:1035 205.188.8.80:5190 ESTABLISHED
    TCP Rikavich:1039 oam-d25c.blue.aol.com:5190 ESTABLISHED
    TCP Rikavich:1053 600pics.com:1054 ESTABLISHED
    TCP Rikavich:1054 600pics.com:1053 ESTABLISHED

    The way I stumbled across these '600pics.com' entries in the first place was because of generally high latency (200-300ms) on an otherwise fast connection, and constant lag spikes where everything cuts off for up to ten seconds. Two of those ghost connections appear for every browser I have open. Surprisingly, they don't show up with IE, but I haven't used it since I upgraded to 7.0 (horrible interface).

    So far, I've run a combination of registered AVG, NOD32, WinPatrol, CCleaner, Spybot S&D, and Ad-Aware in efforts to find the culprit. There was a malware file - dmzkh.exe - that I removed and has yet to reappear, as well as some trojan files found in the Sun Java directory which have also been removed. Other than that, my system seems to be very clean right now and I still can't find the culprit. Appreciate any advice!

    Sean
     
  2. Rikavich

    Rikavich Registered Member

    Joined:
    Jun 2, 2006
    Posts:
    2
    Disregard this query please. :) I knew nothing about the 'HOSTS' file in the System32 folder, which tricks your computer from downloading questionable/malicious content by making your computer think it's hosting the file, instead of said site. When the file is not found it is simply skipped. That '600pics.com' entry was showing up on the netstat TCP connection display simply because it is the first site listed in the hosts file.

    Didn't resolve my connection woes, but fortunately I've removed and protected myself against lots of other nasties while trying to figure out what that was all about.
     
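The effect worked out in the post above, as an added example that is not part of the thread: a Python script that parses a constructed netstat listing and a constructed hosts file, flags mirrored local port pairs whose "foreign" name is only a hosts-file alias for 127.0.0.1, and leaves the genuine remote peers for follow-up. All host names, ports and file contents here are constructed.

```python
import re
# Constructed hosts file (Windows format). Blocklist files alias many domains to
# 127.0.0.1; netstat's reverse lookup then shows the FIRST alias for every loopback socket.
HOSTS = """# blocklist (constructed)
127.0.0.1   600pics.com
127.0.0.1   ads.example.invalid
127.0.0.1   localhost
"""
# Constructed netstat output modelled on the post, names already resolved.
NETSTAT = """  Proto  Local Address   Foreign Address             State
  TCP    Rikavich:1035   205.188.8.80:5190           ESTABLISHED
  TCP    Rikavich:1039   oam-d25c.blue.aol.com:5190  ESTABLISHED
  TCP    Rikavich:1053   600pics.com:1054            ESTABLISHED
  TCP    Rikavich:1054   600pics.com:1053            ESTABLISHED
"""

def parse_hosts(text):
    """Map hostname -> IP, ignoring comments; the first name listed per IP wins."""
    name_to_ip = {}
    for line in text.splitlines():
        parts = line.split("#", 1)[0].split()
        for name in parts[1:]:
            name_to_ip.setdefault(name, parts[0])
    return name_to_ip

def parse_netstat(text):
    """Return (local_port, foreign_name, foreign_port) for each TCP/UDP row."""
    rows = []
    for line in text.splitlines():
        m = re.match(r"\s*(?:TCP|UDP)\s+\S+:(\d+)\s+(\S+):(\d+)\s+\S+", line)
        if m:
            rows.append((int(m.group(1)), m.group(2), int(m.group(3))))
    return rows

def loopback_pairs(netstat_text, hosts_text):
    """Local socket pairs (X:p->N:q mirrored by X:q->N:p) where N aliases 127.0.0.1."""
    name_to_ip = parse_hosts(hosts_text)
    rows = set(parse_netstat(netstat_text))
    pairs = set()
    for lp, name, fp in rows:
        if (fp, name, lp) in rows and name_to_ip.get(name) == "127.0.0.1":
            pairs.add((min(lp, fp), max(lp, fp), name))
    return sorted(pairs)

def real_remote(netstat_text, hosts_text):
    """Foreign endpoints that are not loopback aliases: the ones worth checking."""
    name_to_ip = parse_hosts(hosts_text)
    return [f"{name}:{fp}" for _, name, fp in parse_netstat(netstat_text)
            if name_to_ip.get(name) != "127.0.0.1"]
```

On a live machine, feed the script the output of `netstat -n` as well: if the numeric form shows 127.0.0.1 on both ends, the name in the resolved listing is a hosts-file artifact and not a remote peer.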
  3. controler

    controler Guest

    Also as you know WOW has some call home copy protection in it right?

    I think Greg Hoglund wrote some stuff for it.
     