netstat -a

dmdm February 10, 2009 at 10:30:36
Specs: Windows XP
Please can someone explain some of these connections in netstat -a? The two that appear most of the time are
reverse120-86.reserver.ru:18031 (normally established)
216.195.52.179:18031 SYN_SENT
and finally
192.168.1.1:2054 ESTABLISHED

The 192.168.1.1 is my router.

The full list is below
--
Proto Local Address Foreign Address State
TCP whatnow:epmap whatnow:0 LISTENING
TCP whatnow:microsoft-ds whatnow:0 LISTENING
TCP whatnow:912 whatnow:0 LISTENING
TCP whatnow:2869 whatnow:0 LISTENING
TCP whatnow:3163 whatnow:0 LISTENING
TCP whatnow:netbios-ssn whatnow:0 LISTENING
TCP whatnow:1289 61.235.117.81:http ESTABLISHED
TCP whatnow:1533 212-95-32-52.internetserviceteam.com:18031 TIME_WAIT
TCP whatnow:1538 reverse120-86.reserver.ru:18031 TIME_WAIT
TCP whatnow:1546 reverse120-85.reserver.ru:18031 TIME_WAIT
TCP whatnow:1549 65.55.16.121:https ESTABLISHED
TCP whatnow:1553 216.195.52.179:18031 SYN_SENT
TCP whatnow:2869 192.168.1.1:2054 ESTABLISHED
TCP whatnow:netbios-ssn whatnow:0 LISTENING
TCP whatnow:netbios-ssn whatnow:0 LISTENING




#1
February 10, 2009 at 12:30:52
What I see when I type netstat -a at the prompt in the cmd window is nothing like what you're getting.
I don't have any whatnow anything or most of the things you're seeing.

Do you have a problem you're trying to troubleshoot?

Apparently you're using server software - you'd probably be better off making a new topic in the Specialty - Windows Server 2003 or 2008 forum on this site, and copying this info there.
....

I took a stab at it....

regarding whatnow - see this:
You're using DDE server software
http://www.computing.net/answers/wi...

http://www.ualberta.ca/dept/chemeng...

search for whatnow in this:
http://www.ecf.utoronto.ca/ut-admin...
....

reverse120-85.reserver.ru
reverse120-86.reserver.ru

120-85.reserver.ru, 120-86.reserver.ru are sites in Russia
http://120-85.reserver.ru/
http://120-86.reserver.ru/
I have no idea what the reverse before them is for, or why you have Russian addresses.

However, a lot of the current attacks people are getting of fake symptoms of malware infecting their computer are being made by Russian authors. It's stuff loaded by you merely visiting contaminated web sites, made by authors of so called "rogue" anti-virus, or anti-spyware or anti-malware software, generically, in an attempt to get you to buy their legitimate anti-malware software, which may or may not be better than other anti-malware software.

(By the way, I have found the ones of these I have encountered cannot fully install their symptoms on a 98SE system. You merely close IE, or use Task Manager to close IE, or reboot your system.)

If you ARE getting fake symptoms of malware having infected your computer, most common anti-malware software (e.g. AVG, many others) people use does NOT find it, or if it does, it can't completely get rid of the faked symptoms (e.g. SpyBot). However, you could try searching for and downloading and installing Malwarebytes and Smitfraudfix, and updating and running Malwarebytes, in Safe mode if you can, and then running Smitfraudfix in Safe mode - those two get rid of most "rogue" anti-malware faked symptoms.
The version you download is free of both, Smitfraudfix is continuously being updated and is freeware, but the free version of Malwarebytes has no resident scanner and you must update it before you use it. Apparently, many are buying Malwarebytes in order to be protected from "rogue" anti-malware faked symptoms all the time by its resident scanner - it can co-exist with most other anti-malware software.
....

216.195.52.179:18031

216.195.52.179 is an Apache server software test page
http://216.195.52.179/
216.195.52.179:18031 is probably a TCP port on an Apache server
.....

212-95-32-52.internetserviceteam.com

When I search using: .internetserviceteam.com
there are some "hits".
Other than that, I have no idea.
......

65.55.16.121

I have no idea
.....

192.168.1.1:2054
192.168.1.1:xxxx
- xxxx being many possible numbers

Probably a TCP port via your router


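As an added example (not part of the original posts): a short Python triage of a `netstat -a` listing like the one in the question. It skips listening sockets and private (router) addresses, then groups the remaining connections by remote port and reports any port that netstat left numeric and that is being contacted on several distinct hosts. The function names and the two-host threshold are assumptions chosen for illustration.

```python
import re
from collections import defaultdict

# Constructed sample: rows copied from the listing in the question above.
SAMPLE = """\
Proto Local Address Foreign Address State
TCP whatnow:epmap whatnow:0 LISTENING
TCP whatnow:1289 61.235.117.81:http ESTABLISHED
TCP whatnow:1533 212-95-32-52.internetserviceteam.com:18031 TIME_WAIT
TCP whatnow:1538 reverse120-86.reserver.ru:18031 TIME_WAIT
TCP whatnow:1546 reverse120-85.reserver.ru:18031 TIME_WAIT
TCP whatnow:1549 65.55.16.121:https ESTABLISHED
TCP whatnow:1553 216.195.52.179:18031 SYN_SENT
TCP whatnow:2869 192.168.1.1:2054 ESTABLISHED
"""

# local host:port, foreign host:port, state (each split falls on the last colon)
ROW = re.compile(r"^TCP\s+(\S+):(\S+)\s+(\S+):(\S+)\s+([A-Z_]+)")
PRIVATE = re.compile(r"^(10\.|192\.168\.|172\.(1[6-9]|2\d|3[01])\.)")  # RFC 1918

def parse(text):
    """Return (local_host, local_port, remote_host, remote_port, state) per TCP row."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:
            rows.append(m.groups()[:5])
    return rows

def remote_port_fanout(rows, min_hosts=2):
    """Map each numeric remote port to the distinct external hosts reached on it.

    Only ports seen on at least min_hosts hosts are kept (threshold is an assumption).
    """
    hosts = defaultdict(set)
    for _lhost, _lport, rhost, rport, state in rows:
        if state == "LISTENING" or PRIVATE.match(rhost):
            continue  # local listeners and LAN peers such as the router
        if rport.isdigit():  # named ports (http, https) come from the services file
            hosts[int(rport)].add(rhost)
    return {p: sorted(h) for p, h in hosts.items() if len(h) >= min_hosts}

if __name__ == "__main__":
    for port, peers in remote_port_fanout(parse(SAMPLE)).items():
        print(f"remote port {port}: {len(peers)} distinct hosts")
        for peer in peers:
            print("   ", peer)
```

On Windows, `netstat -ano` adds the owning process ID to each row, which lets the reported connections be tied back to a specific program.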

#2
February 10, 2009 at 13:55:11
thanks for your post

I am now using f-secure that seems to help a great deal



#3
February 11, 2009 at 10:50:29
"If you ARE getting fake symptoms of malware having infected your computer, most common anti-malware software (e.g. AVG, many others) people use does NOT find it, or if it does, it can't completely get rid of the faked symptoms (e.g. SpyBot)."

Your f-secure software may not be able to get rid of all of the faked symptoms those "rogue" anti-malware programs install either.
Malwarebytes and Smitfraudfix often will.
Malwarebytes usually disables or removes the fake symptoms related stuff that automatically loads or executes, but doesn't always get rid of all of the symptoms, which are often harmless but annoying - in that case usually running Smitfraudfix cleans up the remaining symptoms.
These people who make these "rogue" anti-malware programs make frequent changes as to what and how enables the faked symptoms to load that elude most anti-malware programs. Malwarebytes and Smitfraudfix are specifically trying to keep up with those changes they make, more so than many other anti-malware programs.

Usually the typical scenario is....
You click on a link to some site that is contaminated e.g. that can often be amongst "hits" you get when you are searching for something.
Immediately or in a very short time you get messages about your computer being contaminated - whether you answer yes or no to a question about whether you want to download something to scan your computer, or run a scan with something, it downloads or scans in any case. Trying to Close the window or the message box that popped up often does not help, or it won't close. You may not be able to close your internet browser (e.g. IE). The home page of your internet browser may have changed to one for their anti-malware software - you may not be able to change it to something else. You get frequent messages about there being malware on your computer in Windows and in your internet browser. You may not be able to access C and other drive letters in My Computer and Windows Explorer, yet you can access all drive letters you could previously in cmd mode, IF you can Run: cmd. (The same drive letters are missing in Windows Explorer and My Computer when you boot into Safe mode or Enable VGA mode.) You may have shortcut icons to one or more anti-malware program web sites on the web on your desktop that nothing you installed yourself placed there, and you may not be able to delete the shortcut(s). There may be entries for things you normally see in the Start menu that are missing - e.g. Run, Control Panel, All Programs, etc. (The same Start menu entries are missing when you boot into Safe mode or Enable VGA mode.) Task Manager may be disabled - Ctrl-Alt-Del does not make it pop up; it's greyed out when you Right click on the Task bar lower right. Etc. Etc.

The faked symptoms make it appear you have malware, you are frequently urged to go to some site to download their program and run a free scan - if you give in and do that, of course the scan finds at least the malware the faked symptoms simulated, but you can't get rid of at least those faked symptoms / the supposed malware until you pay for the program.

Loading the faked symptoms doesn't actually harm anything on your computer - they just make it appear you have malware that has already caused damage and symptoms when usually you do not have anything harmful at all on your computer at the time, other than what were installed along with the faked symptoms.
It's the extremely aggressive tactics these guys use via loading faked symptoms to try to get you to buy their software that most people and other mainstream anti-malware software makers object to. Their anti-malware software may or may not be as good or better than other anti-malware software.

Tips:
When you search with Yahoo, it displays messages about sites it knows about that have dangerous downloads. Some of those MIGHT be web sites that are contaminated with the stuff that loads these faked symptoms.

IE 7 and some anti-malware programs (e.g. AVG 8.x) have an anti-phishing feature you can enable (AVG calls it something else) - that MIGHT prevent some contaminated web sites from loading the faked symptoms when you access them.

