[S.Dizzle]

Alright. I've been suspecting for some time that my computer has been hijacked, and I've been researching the subject for a while now. I ran the netstat command today, and saw this. Sorry if it's nothing, but I'm getting kinda paranoid. (Screenshot attached) I believe my router is at 192.168.1.1, and I don't know why all these connections would be coming from my comp to it for no reason. Thanks!

Dizzle

Attached Thumbnails

• 

[Advertisements]

Hi,

What command did you use for netstat?

netstat -b -v

Thanks

Webxican

[webxican]

Hi,

What command did you use for netstat?

netstat -b -v

Thanks

Webxican

[S.Dizzle]

I used the netstat -b command.

[S.Dizzle]

Here's 2 more screenshots I took just now. I used the -b -v command this time. I'm still getting all these connections from the 'system' process to my router. There's three whole screens of these connections which seems kinda odd to me. Also, I'd just changed all my router passwords and the SSID earlier today and this started happening not long after. I've never seen this happen before up until today. Any help would be appreciated. Thanks.

Attached Thumbnails

• 
• 

[webxican]

Hi sorry for the slow response time.

Let's try working with the PID information. If you bring up the task manager CTRL+ALT+DEL click the process tab then click view>select colums & check PID see if this shows what PID 4 is on your PC.

I'd also check your startup processes from msconfig. That same unknown process component may be in startup.

Maybe you have a P2P program running? or bit torrent? Or some type of Trojan or Keylogger?

Hopefully the PID will point to what process is attempting those connections.

Thanks

Webxican

[webxican]

Wait a minute. Now that I think about it PID 4 will only show system as the process. Looking at this further it may be an RPC bug problem. I'll research a little more and let you know what I find.

Is the OS xp sp2? Pro or Home?

Thanks

Webxican

[S.Dizzle]

Sorry, I just realized this is in the wrong forum, but I mays well just go from here. You're right, it does indeed show 'system' as the process with PID 4. I'm running XP Pro SP2 with all updates current. I'm also running NAV 2004 Pro, Blackice PC Protection(firewall), and I've been using Ad-aware, Spybot SD and Spyware Blaster. These are also updated frequently. I also have hijack this if you want to see a log. Thanks for your help webxican, its much appreciated.
S.

[S.Dizzle]

I've been looking into various things having to do with this subject, and i was poking around my registry. Under hkey users, there are a few entries that seem kinda weird to me. I've got .DEFAULT, then S-1-5-18, S-1-5-19, S-1-5-20, and S-1-5-21-(then a bunch of random numbers separated by dashes). There's also S-1-5-19_classes, S-1-5-20_classes, and 21 classes and well. Now, under these users, Netscape Navigator is installed under software. I haven't used netscape in almost a decade, and I'm sure I've never installed it on this computer. Why would it be there? I'm confused, and this is driving me insane. I'm on a laptop right now, cause I don't want to connect to the net from my main box cause i keep getting all those weird connections. Also, Blackice has been reporting an unusual amount of port scans since I installed it. Some are coming from other computers on my network (I have 3 in total), some from my router, and some from other ips. On my downstairs comp, I had about 60 port scans in about 5 or 10 minutes from my router. Why would my router be running port scans on my boxes/other comps on my network doing the same? Thanks, S.

[S.Dizzle]

I just went down to my wired computer, and Blackice had blocked 118 consecutive "TCP Probe Other" from my router to my comp. weird

[webxican]

Hi,

If you could go ahead & post your hijackthis log. I wouldn't worry too much about the Hkey user keys. I forget which program installs those keys but it's mostly media player info. You will see some keys refer to wmplayer. I have the same registry keys and this PC has never had Netscape.

So let's see if we can spot anything out of the ordinary in the hijackthis log.

Thanks

Webxican

[S.Dizzle]

Alright, here's my hijack this log attached. Thanks boss,
S.

Attached Files

•  hijackthisMarch2705.txt   9.34KB   176 downloads

[webxican]

Hi,

I'm at work now so I'll have a look and see if I can spot anything to help us along. I'll post back something in a little while.

Thanks

Webxican

[webxican]

HI,

I'm having trouble determining what could be the cause of the excessive close_waits from system on your computer. I'm still researching but if you could post your hijackthis log here.

http://www.geekstogo...o_Here-f37.html

You may get a faster resolution. I appreciate your patience and I don't want to hinder your progress. You could also post this thread so you don't have to repeat what you have already posted.
http://www.geekstogo...showtopic=13511

Thanks

Webxican

[S.Dizzle]

will do. thanks again webxican
S.

[S.Dizzle]

Hi again. I just turned on my comp and connected to the internet. Almost immediately, my blackice icon flashed red and upon opening it, it showed the event 'BOOTP_remote_overflow'. The intruder was listed as 192.168.1.1. Here's the page describing the event. This is the first 'high risk' event I've seen since installing the software a couple of weeks ago and its kinda disconcerting. I don't even know what a bootpd server is, so I don't think anything should be happening having to do with it on my comp. Im starting to consider reformatting and resetting my router, cause it might be a faster solution than trying to find the root of the problem. Tell me what you think. Thanks,
S.