netstat command

  • Thread starter: Taishi

Taishi

I can see a lot of activity on my ports. Netstat output listed below. I
think I have a worm or a trojan. If this is true, do any of you know what
it is?

Is it possible for a hacker to view my keystrokes, passwords for my banking
account and other private passwords?

Regards,
T

Proto Local Address Foreign Address State
TCP my200srv:echo my200srv:0 LISTENING
TCP my200srv:discard my200srv:0 LISTENING
TCP my200srv:daytime my200srv:0 LISTENING
TCP my200srv:qotd my200srv:0 LISTENING
TCP my200srv:chargen my200srv:0 LISTENING
TCP my200srv:ftp my200srv:0 LISTENING
TCP my200srv:smtp my200srv:0 LISTENING
TCP my200srv:nameserver my200srv:0 LISTENING
TCP my200srv:domain my200srv:0 LISTENING
TCP my200srv:http my200srv:0 LISTENING
TCP my200srv:epmap my200srv:0 LISTENING
TCP my200srv:https my200srv:0 LISTENING
TCP my200srv:microsoft-ds my200srv:0 LISTENING
TCP my200srv:1026 my200srv:0 LISTENING
TCP my200srv:1029 my200srv:0 LISTENING
TCP my200srv:1034 my200srv:0 LISTENING
TCP my200srv:1036 my200srv:0 LISTENING
TCP my200srv:1039 my200srv:0 LISTENING
TCP my200srv:1040 my200srv:0 LISTENING
TCP my200srv:1873 my200srv:0 LISTENING
TCP my200srv:3439 my200srv:0 LISTENING
TCP my200srv:3440 my200srv:0 LISTENING
TCP my200srv:3441 my200srv:0 LISTENING
TCP my200srv:3743 my200srv:0 LISTENING
TCP my200srv:4505 my200srv:0 LISTENING
TCP my200srv:15000 my200srv:0 LISTENING
TCP my200srv:5555 my200srv:0 LISTENING
TCP my200srv:netbios-ssn my200srv:0 LISTENING
TCP my200srv:1873 msnews.microsoft.com:nntp ESTABLISHED
TCP my200srv:3436 64.71.159.243:http TIME_WAIT
TCP my200srv:3439 199.181.132.151:http ESTABLISHED
TCP my200srv:3440 64.71.159.243:http ESTABLISHED
TCP my200srv:3441 64.71.159.243:http SYN_SENT
TCP my200srv:3743 newssvr23-ext.news.prodigy.com:nntp ESTABLISHED
 
Taishi said:
I can see a lot of activity on my ports. Netstat output listed below.
I think I have a worm or a trojan. If this is true, do any of you
know what it is?

Is it possible for a hacker to view my keystrokes, passwords for my
banking account and other private passwords?

Regards,
T


Q1: Need the names of the applications running on your system.
Try TCPView as it will give you the application name that is associated with
the connection.
http://www.sysinternals.com/ntw2k/source/tcpview.shtml

Q2: Yes. A keylogger application or trojan can capture and transmit all
your information.

Get a copy of HijackThis from this site:
http://www.tomcoyote.org/hjt/

Go to this forum:
http://forums.spywareinfo.com/index.php?s=d920245b6997106a8e25af1c3d810783&showforum=11
 
Not necessarily. This shows you are connected to various websites and a news server. If
a website is not resolved, cut and paste the address such as the 64.71.159.243 shown
in your browser to see what it resolves to. Also try netstat -an which will list port
numbers. Fport is a utility that can map listening/connected ports to an application
or process. I hope you are using a firewall because you have the services www, smtp,
and ftp listening which unless you are hosting those services or using them
internally are a vulnerability. Ports 139 and 445 tell that you have file and print
sharing enabled also which is another huge hole without a firewall. Go to
http://scan.sygatetech.com/ and do a basic and trojan scan to see what it reports.

Anytime you suspect something, never hesitate to run a virus/trojan scan. Virus scan
should be run at least weekly by schedule anyhow using a program such as Norton that
can do auto updates and scan emails also. I would recommend installing a firewall if
you are not using one ASAP. If you do have one, then you are at much reduced risk
from attacks outside your network and you should enable auditing of account logon
events looking for unusual failures in the security log in Event Viewer. I prefer a
hardware firewall which can be purchased for as little as $80, or if the budget is
tight software firewalls are available for free for personal use. Still you should
disable any services that are not needed. Running Microsoft Baseline Security
Analyzer can help you with that. See links below for more help. --- Steve

http://www.attackdenied.com/security_analyzer.htm
http://www.webattack.com/Freeware/security/fwfirewall.shtml
http://packetstormsecurity.nl/filedesc/fport.zip.html
http://www.netgear.com/products/prod_details.asp?prodID=140&view=
http://www.microsoft.com/security/protect/
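
Added example, not part of the original thread: the triage described in the reply above, applied to an excerpt of the listing from the first post. The names `parse`, `triage` and `needs_owner`, and the rule that a listener paired with a remote connection in the same listing is set aside, are assumptions of this example.

```python
import re

# Excerpt of the netstat listing from the first post (lines as posted there).
SAMPLE = """\
Proto Local Address Foreign Address State
TCP my200srv:ftp my200srv:0 LISTENING
TCP my200srv:smtp my200srv:0 LISTENING
TCP my200srv:http my200srv:0 LISTENING
TCP my200srv:microsoft-ds my200srv:0 LISTENING
TCP my200srv:netbios-ssn my200srv:0 LISTENING
TCP my200srv:5555 my200srv:0 LISTENING
TCP my200srv:3440 my200srv:0 LISTENING
TCP my200srv:3440 64.71.159.243:http ESTABLISHED
TCP my200srv:3743 newssvr23-ext.news.prodigy.com:nntp
ESTABLISHED
"""

# Listeners the reply calls out, by service name (netstat) or number (netstat -an).
EXPOSED = {
    "ftp": "ftp", "21": "ftp",
    "smtp": "smtp", "25": "smtp",
    "http": "www", "80": "www",
    "netbios-ssn": "file and print sharing", "139": "file and print sharing",
    "microsoft-ds": "file and print sharing", "445": "file and print sharing",
}
STATES = {"LISTENING", "ESTABLISHED", "TIME_WAIT", "SYN_SENT", "CLOSE_WAIT"}
IPV4 = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")


def parse(text):
    """Return one dict per TCP/UDP row, rejoining a state wrapped onto its own line."""
    rows = []
    for line in text.splitlines():
        fields = line.split()
        if not fields:
            continue
        if (len(fields) == 1 and fields[0] in STATES and rows
                and rows[-1]["proto"] == "TCP" and rows[-1]["state"] is None):
            rows[-1]["state"] = fields[0]  # state that wrapped to the next line
            continue
        if fields[0] not in ("TCP", "UDP") or len(fields) < 3:
            continue  # column header or unrelated text
        lport = fields[1].rsplit(":", 1)[-1]
        rhost = fields[2].rsplit(":", 1)[0]
        rows.append({"proto": fields[0], "lport": lport, "rhost": rhost,
                     "state": fields[3] if len(fields) > 3 else None})
    return rows


def triage(rows):
    """Split a listing into exposed services, unexplained listeners, IPs to resolve."""
    listening = [r["lport"] for r in rows if r["state"] == "LISTENING"]
    # Local ports that are also one end of a connection to a remote host.
    connected = {r["lport"] for r in rows if r["state"] not in (None, "LISTENING")}
    return {
        "exposed": {p: EXPOSED[p] for p in listening if p in EXPOSED},
        "needs_owner": sorted(p for p in listening
                              if p not in EXPOSED and p not in connected),
        "lookup": sorted({r["rhost"] for r in rows if IPV4.match(r["rhost"])}),
    }


if __name__ == "__main__":
    for key, value in triage(parse(SAMPLE)).items():
        print(key, value)
```

Ports left in `needs_owner` are the ones to map to a process with TCPView or Fport, as the replies suggest.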
 
Kenny,

Thanks... Here are the apps. I don't see anything suspicious. I will
check out those other 2 websites. It seems like normal Windows Apps. except
for 02k.exe... and actually I don't see port 3440. uhmmm Strange. Any
ideas?

Regards,
T

02k.exe:700 TCP my200srv:15000 my200srv:0 LISTENING
02k.exe:700 TCP my200srv:5555 my200srv:0 LISTENING
dns.exe:1040 TCP my200srv:domain my200srv:0 LISTENING
dns.exe:1040 TCP my200srv:1029 my200srv:0 LISTENING
dns.exe:1040 UDP my200srv:1028 *:*
dns.exe:1040 UDP my200srv:domain *:*
dns.exe:1040 UDP my200srv:1027 *:*
dns.exe:1040 UDP my200srv:domain *:*
explorer.exe:1388 UDP my200srv:1410 *:*
IEXPLORE.EXE:1984 UDP my200srv:3125 *:*
IEXPLORE.EXE:2168 UDP my200srv:3476 *:*
IEXPLORE.EXE:2176 UDP my200srv:1644 *:*
IEXPLORE.EXE:2376 UDP my200srv:3465 *:*
IEXPLORE.EXE:636 UDP my200srv:3437 *:*
IEXPLORE.EXE:636 TCP my200srv:3891 my200srv:0 LISTENING
IEXPLORE.EXE:636 TCP my200srv:3891 199.181.132.151:http ESTABLISHED
inetinfo.exe:1068 TCP my200srv:ftp my200srv:0 LISTENING
inetinfo.exe:1068 TCP my200srv:smtp my200srv:0 LISTENING
inetinfo.exe:1068 TCP my200srv:http my200srv:0 LISTENING
inetinfo.exe:1068 TCP my200srv:https my200srv:0 LISTENING
inetinfo.exe:1068 TCP my200srv:1036 my200srv:0 LISTENING
inetinfo.exe:1068 TCP my200srv:4505 my200srv:0 LISTENING
inetinfo.exe:1068 UDP my200srv:1037 *:*
inetinfo.exe:1068 UDP my200srv:3456 *:*
lsass.exe:248 UDP my200srv:isakmp *:*
msimn.exe:2204 TCP my200srv:3675 my200srv:0 LISTENING
msimn.exe:2204 TCP my200srv:3743 my200srv:0 LISTENING
msimn.exe:2204 TCP my200srv:3817 my200srv:0 LISTENING
msimn.exe:2204 TCP my200srv:3675 msnews.microsoft.com:nntp ESTABLISHED
msimn.exe:2204 TCP my200srv:3743 newssvr23-ext.news.prodigy.com:nntp ESTABLISHED
msimn.exe:2204 TCP my200srv:3817 msnews.microsoft.com:nntp ESTABLISHED
msimn.exe:2204 UDP my200srv:3556 *:*
msimn.exe:2204 UDP my200srv:1537 *:*
mstask.exe:648 TCP my200srv:1026 my200srv:0 LISTENING
OUTLOOK.EXE:1208 UDP my200srv:4008 *:*
Save.exe:1620 UDP my200srv:1046 *:*
services.exe:236 UDP my200srv:1035 *:*
snmp.exe:864 UDP my200srv:snmp *:*
svchost.exe:424 TCP my200srv:epmap my200srv:0 LISTENING
svchost.exe:424 UDP my200srv:epmap *:*
svchost.exe:508 UDP my200srv:1645 *:*
svchost.exe:508 UDP my200srv:1646 *:*
svchost.exe:508 UDP my200srv:radius *:*
svchost.exe:508 UDP my200srv:radacct *:*
svchost.exe:508 UDP my200srv:1030 *:*
svchost.exe:508 UDP my200srv:1031 *:*
System:8 TCP my200srv:3888 swbellpop-cluster.prodigy.net:pop3 TIME_WAIT
System:8 TCP my200srv:microsoft-ds my200srv:0 LISTENING
System:8 TCP my200srv:1040 my200srv:0 LISTENING
System:8 TCP my200srv:netbios-ssn my200srv:0 LISTENING
System:8 UDP my200srv:microsoft-ds *:*
System:8 UDP my200srv:netbios-ns *:*
System:8 UDP my200srv:netbios-dgm *:*
System:8 TCP my200srv:3889 swbellpop-cluster.prodigy.net:pop3 TIME_WAIT
tcpsvcs.exe:852 TCP my200srv:echo my200srv:0 LISTENING
tcpsvcs.exe:852 TCP my200srv:discard my200srv:0 LISTENING
tcpsvcs.exe:852 TCP my200srv:daytime my200srv:0 LISTENING
tcpsvcs.exe:852 TCP my200srv:qotd my200srv:0 LISTENING
tcpsvcs.exe:852 TCP my200srv:chargen my200srv:0 LISTENING
tcpsvcs.exe:852 TCP my200srv:1039 my200srv:0 LISTENING
tcpsvcs.exe:852 UDP my200srv:echo *:*
tcpsvcs.exe:852 UDP my200srv:discard *:*
tcpsvcs.exe:852 UDP my200srv:daytime *:*
tcpsvcs.exe:852 UDP my200srv:qotd *:*
tcpsvcs.exe:852 UDP my200srv:chargen *:*
tcpsvcs.exe:852 UDP my200srv:bootpc *:*
tcpsvcs.exe:852 UDP my200srv:bootps *:*
tcpsvcs.exe:852 UDP my200srv:bootpc *:*
tcpsvcs.exe:852 UDP my200srv:2535 *:*
wins.exe:984 TCP my200srv:nameserver my200srv:0 LISTENING
wins.exe:984 TCP my200srv:1034 my200srv:0 LISTENING
wins.exe:984 UDP my200srv:nameserver *:*
wins.exe:984 UDP my200srv:1033 *:*
 
Taishi said:
Kenny,

Thanks... Here are the apps. I don't see anything suspicious. I
will check out those other 2 websites. It seems like normal Windows
Apps. except for 02k.exe... and actually I don't see port 3440.
uhmmm Strange. Any ideas?

Sorry, do not see anything out of the ordinary. Have a look at Stephen's
post as it has some more help.
 
Taishi,
Save.exe is usually from WhenU (parasite)
Dealing with Unwanted Spyware, Parasites, Toolbars and Search Engines
http://mvps.org/winhelp2002/unwanted.htm
[more info]
http://doxdesk.com/parasite/SaveNow.html
http://www.symantec.com/avcenter/venc/data/adware.savenow.html
____________________________________________________________
Mike Burgess [MVP Windows Shell\User] http://www.mvps.org/winhelp2002/
Blocking Spyware, Adware, Parasites, Hijackers, Trojans, with a HOSTS file
http://www.mvps.org/winhelp2002/hosts.htm [updated 10-10-03]
Please post replies to this Newsgroup, email address is invalid
--
 
Mike,

Have you ever heard of

http://www.tomcoyote.org/hjt/ web site??

And http://tomcoyote.org/SPYBOT/ SD (Search and Destroy)???

I'll try to get rid of save.exe. Thanks...

 
Taishi,
"Have you ever heard of"
Not sure I understand the question .... as those are links on the URL
I referred you to ... BTW: http://mvps.org/winhelp2002/unwanted.htm
That page is from "my" site .....
____________________________________________________________
Mike Burgess [MVP Windows Shell\User] http://www.mvps.org/winhelp2002/
Blocking Spyware, Adware, Parasites, Hijackers, Trojans, with a HOSTS file
http://www.mvps.org/winhelp2002/hosts.htm [updated 10-10-03]
Please post replies to this Newsgroup, email address is invalid
--
