
Thank you in advance for helping me if you can. I am having a problem: when I access Internet Explorer I get a TCP connection to the same remote IP along with the one I type in. I noticed this when I ran netstat and the Active Ports program. I also ran virus and adware scans. Both negative. Please help me if you think there is a problem. Thank you. Here is my HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 3:18:26 AM, on 7/4/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ISS\BlackICE\blackd.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\WINDOWS\system32\pctspk.exe
C:\Program Files\ISS\BlackICE\rapapp.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\ISS\BlackICE\blackice.exe
C:\Program Files\VisualICE\VisualICE.exe
C:\Documents and Settings\He\Desktop\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.wcpo.com/
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn\ycomp5_6_2_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: UberButton Class - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: YahooTaggedBM Class - {65D886A2-7CA7-479B-BB95-14D1EFB7946A} - C:\Program Files\Yahoo!\Common\YIeTagBm.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn\ycomp5_6_2_0.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\ypager.exe" -quiet
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: BlackICE PC Protection.lnk = C:\Program Files\ISS\BlackICE\blackice.exe
O4 - Global Startup: VisualICE Report Utility.lnk = C:\Program Files\VisualICE\VisualICE.exe
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1120025166515
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O23 - Service: BlackICE - Internet Security Systems, Inc. - C:\Program Files\ISS\BlackICE\blackd.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
O23 - Service: PCTEL Speaker Phone (Pctspk) - PCtel, Inc. - C:\WINDOWS\system32\pctspk.exe
O23 - Service: RapApp - Internet Security Systems, Inc. - C:\Program Files\ISS\BlackICE\rapapp.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

I can also run a StartDreck program if that is needed. Not too sure about Silent Runners though. My anti-virus program alerted me of a possible malicious script when I tried to open the file.

3 Contributors, 13 Replies, 14 Views, 12 Years Discussion Span, Last Post by crunchie

Although HijackThis is far from the final word on this, I don't see anything in your log which indicates malicious infections.

Can you give us the IP address and port number associated with the suspicious connection? Post anything else in your firewall, etc. logs that might help as well.


Could it be a web accelerator? If so, I did not download it. With some investigating I determined that when I access the internet my computer gets a TCP connection to a remote IP through port 80. The IP is 205.188.228.136. If I block this connection with ZoneAlarm I can only access my home page and anything in my favorites. When I did netstat after it was blocked, it said the IP was "SYN_SENT" and another IP came up as established. The IP was 64.12.145.14 "deploy.akamaitechnologies". Seems to be the same people. I blocked that and netstat said "SYN_SENT" on that one too. It even said "FIN_WAIT" one time. No idea what that means. ZoneAlarm also catches packets from IP 64.12.145.136. Please help me clear this up.
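The post above reads netstat by hand and does not know what SYN_SENT or FIN_WAIT mean. The script below is an added example (not posted by anyone in this thread): it parses the `netstat -ano` output format of Windows XP, groups connections by remote IP, attaches the owning PID so the connection can be traced back to a process, and explains each TCP state from the local host's point of view. The sample netstat output is constructed for the example; the remote IPs 205.188.228.136 and 64.12.145.14 are the ones quoted in the thread, while the local address 192.168.1.5, the third remote 192.0.2.10, the ports and the PIDs are made up.

```python
"""Added example: summarise Windows XP `netstat -ano` output by remote host.

Not code from the original thread. The SAMPLE_NETSTAT text is constructed;
only the two remote IPs quoted in the thread are real, everything else
(local address, ports, PIDs, 192.0.2.10) is invented for illustration.
"""
import re
from collections import defaultdict

# What each TCP state means as seen from this machine.
STATE_MEANING = {
    "SYN_SENT": "we sent a SYN and got no SYN/ACK back (remote down, or a "
                "firewall dropped the packet)",
    "ESTABLISHED": "handshake completed, data can flow both ways",
    "FIN_WAIT_1": "we closed first and are waiting for the remote to ACK it",
    "FIN_WAIT_2": "remote ACKed our FIN, waiting for it to close its side",
    "CLOSE_WAIT": "remote closed first, local program has not closed yet",
    "TIME_WAIT": "fully closed, lingering so stray late packets are discarded",
    "LISTENING": "local port open, waiting for inbound connections",
}

# XP `netstat -ano` rows: Proto  Local Address  Foreign Address  [State]  PID
# UDP rows have no State column, so the state group is optional.
LINE_RE = re.compile(
    r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)\s+(?:([A-Z][A-Z_0-9]*)\s+)?(\d+)\s*$"
)

# Constructed sample; see the module docstring for what is and is not real.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       880
  TCP    192.168.1.5:1046       64.12.145.14:80        ESTABLISHED     1544
  TCP    192.168.1.5:1047       205.188.228.136:80     SYN_SENT        1544
  TCP    192.168.1.5:1048       205.188.228.136:80     SYN_SENT        1544
  TCP    192.168.1.5:1049       64.12.145.14:80        FIN_WAIT_2      1544
  TCP    192.168.1.5:1050       192.0.2.10:80          ESTABLISHED     1544
  UDP    0.0.0.0:445            *:*                                    4
"""


def parse_netstat(text):
    """Return one dict per connection row; header and blank lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        proto, local, remote, state, pid = m.groups()
        rows.append({"proto": proto, "local": local, "remote": remote,
                     "state": state, "pid": int(pid)})
    return rows


def split_endpoint(endpoint):
    """'205.188.228.136:80' -> ('205.188.228.136', '80')."""
    host, _, port = endpoint.rpartition(":")
    return host, port


def summarize_remotes(rows):
    """Map remote IP -> {state: count} for TCP connections, ignoring listeners."""
    summary = defaultdict(lambda: defaultdict(int))
    for r in rows:
        if r["proto"] != "TCP" or r["state"] == "LISTENING":
            continue
        host, _ = split_endpoint(r["remote"])
        summary[host][r["state"]] += 1
    return {host: dict(states) for host, states in summary.items()}


def pids_for_remote(rows, host):
    """PIDs that own TCP sockets to the given remote host."""
    return sorted({r["pid"] for r in rows
                   if r["proto"] == "TCP" and split_endpoint(r["remote"])[0] == host})


def verdict(states):
    """One-line reading of a remote host's state counts."""
    if "ESTABLISHED" in states:
        return "active session"
    if set(states) <= {"SYN_SENT"}:
        return "outbound attempts only, never answered (blocked or unreachable)"
    if set(states) <= {"FIN_WAIT_1", "FIN_WAIT_2", "TIME_WAIT"}:
        return "session closed by this host, winding down"
    return "mixed"


def explain(state):
    return STATE_MEANING.get(state, "unknown state")


if __name__ == "__main__":
    rows = parse_netstat(SAMPLE_NETSTAT)
    for host, states in sorted(summarize_remotes(rows).items()):
        print(f"{host:18} pids={pids_for_remote(rows, host)} {states} -> {verdict(states)}")
        for st in states:
            print(f"    {st}: {explain(st)}")
```

On the real machine, paste the output of `netstat -ano` in place of the sample, then look up each PID with `tasklist /FI "PID eq 1544"`: a remote that only ever shows SYN_SENT after you add a firewall rule is exactly what a dropped outbound connection looks like, and the PID tells you whether it is the browser or some other process opening it.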


Can ANYONE help? Please, I need to get this figured out. It is very strange and discouraging. I have seen many sites talk about akamaitechnologies and their "usefulness" but I read something at the PC World Forum and got another opinion that you might find interesting. Not so "friendly" after all.

http://pressf1.co.nz/archive/index.php/t-33444.html.


Not so "friendly" after all.

http://pressf1.co.nz/archive/index.php/t-33444.html.

Umm... did you happen to notice that the person who posted the "information" you're referring to:

A) Gave no verifiable sources of that information, nor any supporting evidence for his claims whatsoever.

B) Mentions that the Israeli government uses Akamai's services as though there's something ominous about that, but conveniently forgets to mention that other governments (including the US) also use Akamai.

C) Ends his post by going off on a rather paranoid rant about cyberterrorists and how he might "blow the cover" on Akamai himself?

I won't even go into his mind-bogglingly convoluted discourse on the use of "dashes" in Akamai identification strings at the beginning of the post.

Akamai is a company which provides a number of Internet services. Some of them are irritating (serving streaming/animated ads for customers' websites, for example), while some of them are quite legit (hosting websites, download, and DNS services for many major corporations, providing streaming video for major sports events, etc.). Even Microsoft and Symantec have used Akamai servers (and may still) to deliver their online updates in order to take some of the load off their own servers.

So the upshot is this: If you visit a major site on the web, there's a good chance (15% was the estimate I read last year) that the company whose site you're visiting is piping you at least some of their content from an Akamai server. This is why you may see a concurrent connection made to an Akamai address when you connect to the actual site that you want to go to.


DMR, you may be right, but I was just stating that other people have opinions about "akamai" and that its "cached" information could be kept for illegitimate purposes. The fact is, since the government does contract out its use, it could be abused (in my opinion :) ). And why does EVERY website I visit, EVERY internet logon that I do, have to go through akamaitechnologies, either IP 205.188.221.21 or 64.12.145.14 or (13)? The ports from my computer vary and the connections are TCP to their port 80. Sometimes they try to send me packets too. I have been using my ISP for years and this is the first time I've noticed it.

Oh, another thing... you google akamaitechnologies and mysteriously nothing is there... but it comes up on my traceroute. The closest thing on the net is akamai.com.


I'm not saying that Akamai's services aren't immune to abuse, and I'm certainly not saying that everything Akamai does or has done is all "warm and fuzzy" either. Akamai, however, is not a "cyberterrorist" or anything close to that.

- Who's your ISP? Perhaps they've recently started using Akamai's services.

- The possibility certainly exists that there's something fishy going on; I just don't see any indication of that at all in your HJT log.


Yes, "cyberterrorist" does sound a little extreme, and I'm not saying that I agree with the statement. I just wanted someone to admit that Akamai services can be, and probably are being, abused. If that is happening to me, well, that remains to be seen.


I guess you can find a conspiracy in anything

lol.

I thought I found a conspiracy in my fridge once, but it just turned out to be some potato salad I'd forgotten about for a few months...


I found out what the problem was... my ISP has service through Akamai. I just have to make sure what packets are being sent and what I receive... my firewall should be sufficient.


Aww- now I'm going to have to find another conspiracy. Oh well, back to the fridge....

:mrgreen:
