I posted this in the Windows XP forum, but realized it's much better suited for here.. Yesterday I decided to do a netstat -a for the hell of it, and the results are very alarming and confusing.. The range of ports seems to change every now and then, but basically this is what comes up..
Ports Foreign Address State
epmap goatse.cx:0 LISTENING
microsoft-ds goatse.cx:0 LISTENING
1025 goatse.cx:0 LISTENING
1029 goatse.cx:0 LISTENING
10025 goatse.cx:0 LISTENING
10110 goatse.cx:0 LISTENING
netbios-ssn goatse.cx:0 LISTENING
Also, today when doing a netstat I've noticed a TON of www.altnet.com Addresses.. Not sure what that's about.
Anyway, I've scanned for viruses and spyware with no results... I'm really not sure what to do, I'm thinking a reformat is probably in order.

Do you have a firewall in-place ?
Is it hardware (router), software or both ?
Are you having some problems with the PC ?
0. http://www.auditmypc.com/
1. http://www.dslreports.com/secureme_go
2. https://grc.com/
3. http://hackerwhacker.com/
4. http://www.pcflank.com/about.htm
5. http://scan.sygatetech.com/probe.html
B4 you criticize a bigger man, walk a mile in his shoes. That way, you're a mile away, and you have his shoes.

I'm using Kerio Personal Firewall, and also have a router with the firewall turned on. I haven't experienced any kinds of problems really, I just stumbled upon this and it kinda freaked me out. I've read a bunch about some of the ports, namely the 1024-1030 range. I'm just not sure how anyone could even find these ports open, if they were, considering the protection I have in place.
I'm not sure exactly what all of it means in netstat, and I'm extremely confused as to why THAT website is listed as listening.. Could it be someone masking their IP with that URL?
Anyway, lots of links for me to click, here I go.

I'm thinking a reformat is probably in order
If you get to that point, first try posting a HijackThis log to SpywareWarrior.com. They may see something which doesn't belong which was missed by the scans.
It also wouldn't hurt to check your hosts file (windows\system32\drivers\etc) to see if there are any redirects in there.

All your ports should be STEALTHED !!!, you need to fix the closed port(s).

Eh, I ran all the tests again and it shows all ports stealthed..
Anyway, I posted my hijackthis log on the spyware warrior forums, so hopefully they'll see something I couldn't..
I guess I'll probably format some time tomorrow. Thanks for all the help.

Alright, not sure if anyone will see this. But I opened my hosts file and found tons of strange links, including "goatse.cx". INTERESTING. Now if only I knew what this file was actually for..

You have no visible anti-virus software.
http://www.spywarewarrior.com/viewtopic.php?t=9962
Here are two free ones;
One of them updated may find your problem.

Ok, so now I'm incredibly confused. I went into my windows/system32/drivers/etc/hosts file and found a handful of entries prefaced with 0.0.0.0, one of these was goatse.cx.. It says that anything with the 0.0.0.0 in front of it just redirects to my system if I attempt to go to one of those sites.. But I figured I might as well try and delete those entries, and after doing so there is no longer a goatse.cx entry when I do netstat -a.. Instead, however, is sitefinder.Verisign.com.. I have no idea what this is all about.
And now I have tons of www.altnet.com entries showing up too. I did some research, and tried to find any registry keys related to altnet and found none...
Ugh, what is going on?

Give this a try,
Download the Hoster : http://members.aol.com/toadbee/hoster.zip
unzip and start it
press 'Restore Original Hosts' followed by 'OK'
Close the program.
Reboot
Side note: this is what AVG looks like in a log.
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGCC.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGEMC.exe
O4 - HKLM\..\Run: [AVG7_AMSVR] C:\PROGRA~1\GRISOFT\AVGFRE~1\AVGAMSVR.exe
Did not see it in your log.
If above is no help, wait for help from other forum. You may want to post an updated log there if you installed it after the original post.

Meh, yeah, I had uninstalled AVG temporarily when I posted that, forgot all about it really. It wasn't auto updating, but I now find it just takes a while to connect.
I'm not 100% sure how the hosts file works exactly, but I basically just got rid of everything besides localhost. While this has gotten rid of the strange naming while doing netstat, I still have a few strange things coming up.
I get a bunch of localhost:port as established, and did a netstat -o and found the PIDs to match up with my firewall. Before the ports were 1024-1040 on some of these. The shields up entry for these ports, while I don't fully understand, seem to be somewhat exploitable. So it seems strange to me that my firewall would be using them..
I say "was" because NOW when I do netstat, the ports for these localhost entries are 1866-1870, though there are a couple of entries LISTENING on the 1024-1040 ports..
It's all just way too much for me, I'm trying to present the information to everyone in a useful way, but I end up jumbling everything up, heh. I really do appreciate all the help.

HOSTS file operation is quite simple.
When Internet Explorer is given a URL to access it first scans through the HOSTS file for a match (in the right column). If a match is found it uses the IP address on the left for that access. Else it proceeds as normal to contact your ISP's DNS server for the URL to IP address translation, and uses the IP address it sends back.
(The Internet works using IP addresses. URLs have to be translated to an IP address before your system can contact it.)
By placing 127.0.0.1 or 0.0.0.0 on the left the HOSTS file is telling WinSock to send the request back to your system, in effect blocking IE from accessing the URL and replacing the request with a web page not found error message. This is used to block your IE from accessing specific URLs, like ADs in a web page.
If another IP address is used, URL matches are redirected to that IP address instead. Some browser hijackers use this to redirect your requests to some sites to their hosts instead. Or prevent you from accessing sites that might help you remove their hijack of your computers.
One use of the HOSTS file is if you access specific sites a lot, yet get slow access because your ISP's DNS server is slow or you have slow links to it, you can place the site's URL and IP address in the HOSTS file. Then IE will be able to skip the step of having to go to your ISP's DNS server to have the translation made. Gives a little faster access.
Because the goatse.cx shows up on your system, it indicates that at one point your system was hacked or infected by some program that was trying to redirect you to the goatse.cx.com web page. That site was taken down a year ago.
Doing a reformat once a year or so is not a bad idea. It cleans out a lot of minor problems and forces you to update all your programs.
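
The distinction drawn in the post above (entries pointing at 127.0.0.1 or 0.0.0.0 block a name, entries pointing anywhere else redirect it) can be checked mechanically. The following is an added example, not part of any post in this thread: the hosts content is a constructed sample, 203.0.113.7 is a documentation address, and all function names are hypothetical. `names_for` lists every name mapped to one address, which is the set to look at when netstat shows an unexpected name against 0.0.0.0, as it did here.

```python
import ipaddress

# Constructed sample modelled on the thread: block entries, localhost, one redirect.
SAMPLE_HOSTS = """\
# sample hosts file (constructed for this example)
127.0.0.1       localhost
0.0.0.0         goatse.cx
0.0.0.0         www.altnet.com   # block entry
127.0.0.1       ads.example.net
203.0.113.7     www.example-bank.test   # constructed redirect entry
not-an-ip       broken.example
"""

def parse_hosts(text):
    """Yield (lineno, ip, [names]) for each well-formed entry; skip comments and junk."""
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # drop trailing comments
        fields = line.split()
        if len(fields) < 2:
            continue
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue                          # malformed address: not a usable entry
        yield lineno, ip, [n.lower() for n in fields[1:]]

def classify(ip, name):
    if name == "localhost" and ip.is_loopback:
        return "default"
    if ip.is_loopback or ip.is_unspecified:
        return "blocked"      # request is sent back to the local machine
    return "redirect"         # name is forced to another host: review these

def audit(text):
    report = {"default": [], "blocked": [], "redirect": []}
    for lineno, ip, names in parse_hosts(text):
        for name in names:
            report[classify(ip, name)].append((lineno, str(ip), name))
    return report

def names_for(text, address):
    """Every name mapped to one address, in file order."""
    target = ipaddress.ip_address(address)
    return [n for _, ip, names in parse_hosts(text) if ip == target for n in names]

if __name__ == "__main__":
    for kind, rows in audit(SAMPLE_HOSTS).items():
        for row in rows:
            print(kind, *row)
```

On a real system, read the file from windows\system32\drivers\etc\hosts and pass its text to `audit`; anything reported under "redirect" is what a hijacker-style entry would look like.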
