Problem undiscovered, symptoms remain!

Discussion in 'Malware Help (A Specialist Will Reply)' started by Kaox, Jul 13, 2005.

  1. Kaox

    Kaox Private E-2

    Hello,

    I've followed all the basic steps as directed in the basic spyware, trojan and virus removal thread. It helped me remove a lot of tracking cookies, and some other stuff I knew nothing about, thanks, but the original problem remains.

    I started to play BF2 recently and have noticed a major connectivity problem, so I tried all the remedies from the EA support site and none work, which made me consider the option that it could be viral.

    I recently installed Norton internet security antispyware addition, and have tried disabling all but the firewall to see if it was the cause (I don't believe it is).

    I have Windows XP:HE and Norton internet security up to date, and Norton couldn't find anything either.

    The only evidence I have to assume I have some kind of trojan or spyware installed is a netstat reading that seems very odd. Whenever I use the internet in any manner (such as visiting a webpage), I get a flood of port scans that increases the port number scanned every chunk of scans.

    Ex. (1025 is the only thing that appears from local address)
    TCP "name":1025 localhost:2000 timewait
    TCP "name":1025 localhost:2003 timewait
    TCP "name":1025 localhost:2005 timewait
    Etc.

    Up to about 80 different events gradually increasing the port number scanned (up to an unknown port number then it repeats). The final reading at the end of the port burst is

    UDP "name":1036 *:* - pid 940

    So I believe that this port scan is occurring rapidly during gameplay causing the connection problem.

    At first when I did netstat -a -b the program was shown as msmsgs.exe doing all the scanning (which for some reason always launched at startup even if all the auto-start and outlook settings were off) so I looked for more ways to disable it and changed msmsgs.exe to msmsgs1.exe to ensure it wouldn't run. The scanning still continued under svchost.exe, it shows the *.dll's "mswsock, WS2_32, DNSAPI, dnsrlvr and RPCRT4".

    On the Norton Internet Security connection status it shows that I have 6 svchost.exe running, 1 TCP "computer name" port 135 that is listening, 5 UDP with one localhost port 123 the 4 other as "computer name" 1026, 1036, 1037 and 1900 that appear to be idle.

    So do any of you have an idea as to what is causing this port scan? Or any way to detect it other than the required basic detection instructions posted on this forum?
     
  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    I'm not sure that this is a malware problem but let's check.

    Please follow the below steps exactly:


    - Download HijackThis 1.99.1

    - Unzip the hijackthis.exe file to a folder you create named C:\Program Files\HJT

    - Do NOT run Hijack This from the Desktop, a temp folder, or a sub-folder of C:\Documents and Settings, or choose to run it directly from the downloaded ZIP file.

    - Before running HijackThis: You must close each of the following: your web browser, e-mail client, instant messenger, and programs like notepad, wordpad, MS Word etc. And any other unnecessary running programs.

    - Run HijackThis and save your log file.

    - Post your log as an ATTACHMENT to your next message. (Do NOT copy/paste the log into your post).
     
