What is going on?


#1 S.Dizzle (Member, 17 posts)
Alright. I've been suspecting for some time that my computer has been hijacked, and I've been researching the subject for a while now. I ran the netstat command today, and saw this. Sorry if it's nothing, but I'm getting kinda paranoid. (Screenshot attached) I believe my router is at 192.168.1.1, and I don't know why all these connections would be coming from my comp to it for no reason. Thanks!

Dizzle

Attached Thumbnails

  • Untitled_1.jpg

  • 0

#2 webxican (Member, 28 posts)
Hi,

What command did you use for netstat?

netstat -b -v

Thanks

Webxican
  • 0

#3 S.Dizzle (Topic Starter, 17 posts)
I used the netstat -b command.
  • 0

#4 S.Dizzle (Topic Starter, 17 posts)
Here are 2 more screenshots I took just now. I used the -b -v command this time. I'm still getting all these connections from the 'system' process to my router. There are three whole screens of these connections, which seems kinda odd to me. Also, I'd just changed all my router passwords and the SSID earlier today and this started happening not long after. I've never seen this happen before up until today. Any help would be appreciated. Thanks.

Attached Thumbnails

  • Untitled_2.jpg
  • Untitled_3.jpg

  • 0

#5 webxican (Member, 28 posts)
Hi sorry for the slow response time.

Let's try working with the PID information. If you bring up the Task Manager (CTRL+ALT+DEL), click the Processes tab, then click View > Select Columns and check PID; see if this shows what PID 4 is on your PC.

I'd also check your startup processes from msconfig. That same unknown process component may be in startup.

Maybe you have a P2P program running, or BitTorrent? Or some type of Trojan or keylogger?

Hopefully the PID will point to what process is attempting those connections.

Thanks

Webxican
  • 0

#6 webxican (Member, 28 posts)
Wait a minute. Now that I think about it, PID 4 will only show System as the process. Looking at this further, it may be an RPC bug problem. I'll research a little more and let you know what I find.

Is the OS XP SP2? Pro or Home?

Thanks

Webxican
  • 0
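Posts #5 and #6 turn on the PID column: the screenshots only say 'System' because PID 4 is the Windows kernel process, and `netstat -b` cannot name an executable for sockets a kernel-mode component owns. The script below is an added example written for this thread, not code from either poster. It parses `netstat -ano` output (the sample lines are constructed to resemble the situation described, with many PID 4 sockets to a router at 192.168.1.1, not captured from the poster's PC), groups sockets by process, remote host and state, and pulls out the hosts that System holds several TCP sockets to, so the reader sees the remote port and state rather than three screens of identical lines.

```python
"""Group Windows `netstat -ano` output by owning process, remote host and state.

Added example for this thread, not code from either poster. The netstat lines
below are constructed to resemble the situation described in the thread (many
sockets owned by PID 4 to the router at 192.168.1.1); on a real machine you
would feed in the output of `netstat -ano` instead.
"""
import re
from collections import Counter, defaultdict

# On the Windows NT family PID 4 is always the kernel 'System' process and PID 0
# the idle process; `netstat -b` cannot name an executable for sockets owned by
# kernel-mode components, which is why the thread only ever sees 'System'.
WELL_KNOWN_PIDS = {0: "System Idle Process", 4: "System"}

# Constructed sample of `netstat -ano` output (not captured from the poster's PC).
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    192.168.1.101:1033     192.168.1.1:80         CLOSE_WAIT      4
  TCP    192.168.1.101:1034     192.168.1.1:80         CLOSE_WAIT      4
  TCP    192.168.1.101:1035     192.168.1.1:80         CLOSE_WAIT      4
  TCP    192.168.1.101:1041     192.168.1.1:80         ESTABLISHED     4
  TCP    192.168.1.101:1050     64.233.160.99:80       ESTABLISHED     1824
  TCP    192.168.1.101:1051     64.233.160.99:80       TIME_WAIT       0
  UDP    192.168.1.101:137      *:*                                    4
"""

# One netstat row: protocol, local endpoint, remote endpoint, optional state
# (UDP rows have none), owning PID.
LINE_RE = re.compile(
    r"^\s*(?P<proto>TCP|UDP)\s+(?P<local>\S+)\s+(?P<remote>\S+)"
    r"(?:\s+(?P<state>[A-Z_]+))?\s+(?P<pid>\d+)\s*$"
)


def parse_netstat(text):
    """Return one dict per socket row; title and column-header lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        host, port = m["remote"].rsplit(":", 1)
        rows.append({
            "proto": m["proto"],
            "local": m["local"],
            "remote_host": host,
            "remote_port": port,
            "state": m["state"] or "",
            "pid": int(m["pid"]),
        })
    return rows


def summarize(rows):
    """Count sockets per (process name, remote host, state), most frequent first."""
    counts = Counter()
    for r in rows:
        name = WELL_KNOWN_PIDS.get(r["pid"], f"PID {r['pid']}")
        counts[(name, r["remote_host"], r["state"])] += 1
    return counts.most_common()


def system_sockets_by_host(rows, min_count=3):
    """Remote hosts to which PID 4 (System) holds at least `min_count` TCP sockets,
    mapped to a Counter of their states.

    CLOSE_WAIT means the remote side has already closed and the local owner has
    not yet closed its end, so a pile of them owned by System points at a
    kernel-mode component (a driver, not a program listed in msconfig) talking
    to that host; the remote port tells you which service on the host it used.
    """
    by_host = defaultdict(Counter)
    for r in rows:
        if r["pid"] == 4 and r["proto"] == "TCP":
            by_host[r["remote_host"]][r["state"]] += 1
    return {h: c for h, c in by_host.items() if sum(c.values()) >= min_count}


if __name__ == "__main__":
    rows = parse_netstat(SAMPLE_NETSTAT)
    for (name, host, state), n in summarize(rows):
        print(f"{n:4d}  {name:<20} -> {host:<16} {state}")
    print(system_sockets_by_host(rows, min_count=3))
```

On the poster's machine the same script would be run as `netstat -ano > netstat.txt` followed by `parse_netstat(open("netstat.txt").read())`; the `-o` switch prints the PID column directly, so the Task Manager step from post #5 is only needed to turn a non-4 PID into a program name.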

#7 S.Dizzle (Topic Starter, 17 posts)
Sorry, I just realized this is in the wrong forum, but I may as well just go from here. You're right, it does indeed show 'System' as the process with PID 4. I'm running XP Pro SP2 with all updates current. I'm also running NAV 2004 Pro, BlackICE PC Protection (firewall), and I've been using Ad-Aware, Spybot S&D and SpywareBlaster. These are also updated frequently. I also have HijackThis if you want to see a log. Thanks for your help webxican, it's much appreciated.
S.
  • 0

#8 S.Dizzle (Topic Starter, 17 posts)
I've been looking into various things having to do with this subject, and I was poking around my registry. Under HKEY_USERS, there are a few entries that seem kinda weird to me. I've got .DEFAULT, then S-1-5-18, S-1-5-19, S-1-5-20, and S-1-5-21-(then a bunch of random numbers separated by dashes). There's also S-1-5-19_classes, S-1-5-20_classes, and 21_classes as well. Now, under these users, Netscape Navigator is installed under Software. I haven't used Netscape in almost a decade, and I'm sure I've never installed it on this computer. Why would it be there? I'm confused, and this is driving me insane. I'm on a laptop right now, because I don't want to connect to the net from my main box because I keep getting all those weird connections. Also, BlackICE has been reporting an unusual amount of port scans since I installed it. Some are coming from other computers on my network (I have 3 in total), some from my router, and some from other IPs. On my downstairs comp, I had about 60 port scans in about 5 or 10 minutes from my router. Why would my router be running port scans on my boxes, and other comps on my network doing the same? Thanks, S.
  • 0

#9 S.Dizzle (Topic Starter, 17 posts)
I just went down to my wired computer, and BlackICE had blocked 118 consecutive "TCP Probe Other" from my router to my comp. Weird.
  • 0

#10 webxican (Member, 28 posts)
Hi,

If you could, go ahead & post your HijackThis log. I wouldn't worry too much about the HKEY_USERS keys. I forget which program installs those keys, but it's mostly Media Player info. You will see some keys refer to wmplayer. I have the same registry keys and this PC has never had Netscape.

So let's see if we can spot anything out of the ordinary in the hijackthis log.

Thanks

Webxican
  • 0
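The key names quoted in post #8 are Windows security identifiers (SIDs): HKEY_USERS holds one registry hive per account whose profile is loaded, named by that account's SID, and the `_Classes` entries are the per-user half of HKEY_CLASSES_ROOT. The script below is an added example written for this thread, not code from either poster; it decodes such names, and the long S-1-5-21 value in its sample list is a constructed placeholder, not the poster's own SID.

```python
"""Decode the SID-named subkeys found under HKEY_USERS.

Added example for this thread, not code from either poster. The S-1-5-21-...
values below are constructed placeholders; a real machine's SID carries its
own three sub-authority numbers.
"""
import re

# Well-known service-account SIDs; each typically has a hive under HKEY_USERS
# on XP and later once the matching services have run.
WELL_KNOWN_SIDS = {
    "S-1-5-18": "LocalSystem (the SYSTEM account)",
    "S-1-5-19": "NT AUTHORITY\\LocalService",
    "S-1-5-20": "NT AUTHORITY\\NetworkService",
}

# S-<revision>-<identifier authority>-<sub-authority>...[-<RID>], optionally
# followed by the '_Classes' suffix Windows uses for the per-user Classes hive.
SID_KEY_RE = re.compile(
    r"^S-(?P<rev>\d+)-(?P<auth>\d+)(?P<subs>(?:-\d+)+)(?P<classes>_Classes)?$", re.I
)


def describe_rid(rid):
    """Meaning of the relative identifier that ends an S-1-5-21-... account SID."""
    if rid == 500:
        return "built-in Administrator account"
    if rid == 501:
        return "built-in Guest account"
    if rid >= 1000:
        return "ordinary account created on this machine or domain"
    return "other built-in account or group"


def parse_hku_key(name):
    """Classify one HKEY_USERS subkey name."""
    if name == ".DEFAULT":
        return {"kind": "default", "classes": False,
                "description": "default hive used before any user has logged on"}
    m = SID_KEY_RE.match(name)
    if not m:
        return {"kind": "unknown", "classes": False,
                "description": "not a SID-shaped key name"}
    sid = f"S-{m['rev']}-{m['auth']}{m['subs']}"
    subs = [int(x) for x in m["subs"].split("-")[1:]]
    info = {
        "sid": sid,
        "classes": m["classes"] is not None,  # per-user half of HKEY_CLASSES_ROOT
        "authority": int(m["auth"]),
        "subauthorities": subs,
    }
    if sid in WELL_KNOWN_SIDS:
        info.update(kind="service-account", description=WELL_KNOWN_SIDS[sid])
    elif info["authority"] == 5 and len(subs) == 5 and subs[0] == 21:
        # S-1-5-21-<a>-<b>-<c>-<RID>: <a>-<b>-<c> identify the machine or domain,
        # the RID identifies the account within it.
        info.update(kind="account", rid=subs[4], description=describe_rid(subs[4]))
    else:
        info.update(kind="other", description="SID outside the patterns handled here")
    return info


def summarize_hku(names):
    """Return (key name, one-line description) pairs for a list of HKEY_USERS subkeys."""
    out = []
    for name in names:
        info = parse_hku_key(name)
        desc = info["description"]
        if info["classes"]:
            desc += " [per-user Classes hive, HKCU\\Software\\Classes]"
        out.append((name, desc))
    return out


# Constructed list mirroring the key names quoted in post #8; the long SID is a placeholder.
SAMPLE_HKU = [
    ".DEFAULT",
    "S-1-5-18",
    "S-1-5-19",
    "S-1-5-20",
    "S-1-5-21-1111111111-2222222222-3333333333-1003",
    "S-1-5-19_Classes",
    "S-1-5-20_Classes",
    "S-1-5-21-1111111111-2222222222-3333333333-1003_Classes",
]

if __name__ == "__main__":
    for name, desc in summarize_hku(SAMPLE_HKU):
        print(f"{name:<55} {desc}")
```

The hives for S-1-5-19 and S-1-5-20 belong to the LocalService and NetworkService accounts that Windows services run under, so software entries beneath them were written by services, not by an interactive user; that is why the same keys appear on machines that have never had the application installed by hand.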

#11 S.Dizzle (Topic Starter, 17 posts)
Alright, here's my HijackThis log attached. Thanks boss,
S.

Attached Files


  • 0

#12 webxican (Member, 28 posts)
Hi,

I'm at work now so I'll have a look and see if I can spot anything to help us along. I'll post back something in a little while.

Thanks

Webxican
  • 0

#13 webxican (Member, 28 posts)
Hi,

I'm having trouble determining what could be the cause of the excessive CLOSE_WAITs from System on your computer. I'm still researching, but if you could post your HijackThis log here:

http://www.geekstogo...o_Here-f37.html

You may get a faster resolution. I appreciate your patience and I don't want to hinder your progress. You could also post this thread so you don't have to repeat what you have already posted:
http://www.geekstogo...showtopic=13511

Thanks

Webxican
  • 0

#14 S.Dizzle (Topic Starter, 17 posts)
Will do. Thanks again webxican
S.
  • 0

#15 S.Dizzle (Topic Starter, 17 posts)
Hi again. I just turned on my comp and connected to the internet. Almost immediately, my BlackICE icon flashed red and, upon opening it, it showed the event 'BOOTP_remote_overflow'. The intruder was listed as 192.168.1.1. Here's the page describing the event. This is the first 'high risk' event I've seen since installing the software a couple of weeks ago and it's kinda disconcerting. I don't even know what a bootpd server is, so I don't think anything should be happening having to do with it on my comp. I'm starting to consider reformatting and resetting my router, because it might be a faster solution than trying to find the root of the problem. Tell me what you think. Thanks,
S.
  • 0





