09-30-2008, 03:09 PM   #1
Pansy
Registered User
 
Join Date: Sep 2008
Posts: 7
OS: XP


Trojan/Malware suspected in opening ports

Hello,

Just as a habit, I randomly run netstat -a, and one day I noticed that I had tons of ports open. I also noticed that a few websites would randomly time out.

I have a pretty fresh version of windows XP with all the updates.
I currently run Panda AV & FW.
Have scanned with Webroot, Spybot Search & Destroy and Ad-Aware. All came up with zero.

First I will post the HijackThis log. Then I will show an example of all the ports open on my system. I have taken steps to block various ports on my router, but the malware just circumvents them and changes ports.

HijackThis log:


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:57:18 PM, on 9/30/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\Program Files\Panda Security\Panda Antivirus + Firewall 2008\pavsrv51.exe
C:\Program Files\Panda Security\Panda Antivirus + Firewall 2008\AVENGINE.EXE
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Panda Security\Panda Antivirus + Firewall 2008\TPSrv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Program Files\Panda Security\Panda Antivirus + Firewall 2008\APVXDWIN.EXE
C:\Program Files\DAEMON Tools\daemon.exe
C:\Program Files\Winamp\winampa.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Panda Security\Panda Antivirus + Firewall 2008\PsCtrls.exe
C:\Program Files\Panda Security\Panda Antivirus + Firewall 2008\PavFnSvr.exe
C:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe
C:\WINDOWS\system32\PnkBstrA.exe
c:\program files\panda security\panda antivirus + firewall 2008\firewall\PSHOST.EXE
C:\Program Files\Panda Security\Panda Antivirus + Firewall 2008\PsImSvc.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Panda Security\Panda Antivirus + Firewall 2008\WebProxy.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\NOTEPAD.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
O4 - HKLM\..\Run: [APVXDWIN] "C:\Program Files\Panda Security\Panda Antivirus + Firewall 2008\APVXDWIN.EXE" /s
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKCU\..\Run: [SpybotSD TeaTimer] "C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM\aim.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/wind...?1218456045377
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Panda Software Controller - Panda Software International - C:\Program Files\Panda Security\Panda Antivirus + Firewall 2008\PsCtrls.exe
O23 - Service: Panda Function Service (PAVFNSVR) - Panda Software International - C:\Program Files\Panda Security\Panda Antivirus + Firewall 2008\PavFnSvr.exe
O23 - Service: Panda Process Protection Service (PavPrSrv) - Panda Software - C:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe
O23 - Service: Panda anti-virus service (PAVSRV) - Panda Software International - C:\Program Files\Panda Security\Panda Antivirus + Firewall 2008\pavsrv51.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: Panda Host Service (PSHost) - Panda Software International - c:\program files\panda security\panda antivirus + firewall 2008\firewall\PSHOST.EXE
O23 - Service: Panda IManager Service (PSIMSVC) - Panda Software International - C:\Program Files\Panda Security\Panda Antivirus + Firewall 2008\PsImSvc.exe
O23 - Service: Panda TPSrv (TPSrv) - Panda Software International - C:\Program Files\Panda Security\Panda Antivirus + Firewall 2008\TPSrv.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. (www.webroot.com) - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

--
End of file - 6992 bytes


When I first start my PC, here is my netstat -a info

Active Connections

Proto Local Address Foreign Address State
TCP pc_name:epmap pc_name:0 LISTENING
TCP pc_name:microsoft-ds pc_name:0 LISTENING
TCP pc_name:1029 pc_name:0 LISTENING
TCP pc_name:31595 pc_name:0 LISTENING
TCP pc_name:netbios-ssn pc_name:0 LISTENING
TCP pc_name:1030 206.57.28.10:http ESTABLISHED
TCP pc_name:1037 192.168.1.1:5000 CLOSE_WAIT
TCP pc_name:1038 192.168.1.1:5000 ESTABLISHED
UDP pc_name:microsoft-ds *:*
UDP pc_name:isakmp *:*
UDP pc_name:4500 *:*
UDP pc_name:ntp *:*
UDP pc_name:1034 *:*
UDP pc_name:1035 *:*
UDP pc_name:1900 *:*
UDP pc_name:18001 *:*
UDP pc_name:18002 *:*
UDP pc_name:44301 *:*
UDP pc_name:ntp *:*
UDP pc_name:netbios-ns *:*
UDP pc_name:netbios-dgm *:*
UDP pc_name:1033 *:*
UDP pc_name:1900 *:*



After I open IE 7.0, I see the following ports open. (say I just goto google.com)

Active Connections

Proto Local Address Foreign Address State
TCP PC_name:epmap PC_name:0 LISTENING
TCP PC_name:microsoft-ds PC_name:0 LISTENING
TCP PC_name:1030 PC_name:0 LISTENING
TCP PC_name:1831 localhost:31595 TIME_WAIT
TCP PC_name:1832 localhost:31595 TIME_WAIT
TCP PC_name:1966 localhost:31595 TIME_WAIT
TCP PC_name:2089 localhost:31595 ESTABLISHED
TCP PC_name:2098 localhost:31595 ESTABLISHED
TCP PC_name:2102 localhost:31595 ESTABLISHED
TCP PC_name:2113 localhost:31595 ESTABLISHED
TCP PC_name:31595 PC_name:0 LISTENING
TCP PC_name:31595 localhost:1852 TIME_WAIT
TCP PC_name:31595 localhost:1861 TIME_WAIT
TCP PC_name:31595 localhost:1867 TIME_WAIT
TCP PC_name:31595 localhost:1869 TIME_WAIT
TCP PC_name:31595 localhost:1871 TIME_WAIT
TCP PC_name:31595 localhost:1874 TIME_WAIT
TCP PC_name:31595 localhost:1885 TIME_WAIT
TCP PC_name:31595 localhost:1887 TIME_WAIT
TCP PC_name:31595 localhost:1889 TIME_WAIT
TCP PC_name:31595 localhost:1892 TIME_WAIT
TCP PC_name:31595 localhost:1897 TIME_WAIT
TCP PC_name:31595 localhost:1899 TIME_WAIT
TCP PC_name:31595 localhost:1904 TIME_WAIT
TCP PC_name:31595 localhost:1907 TIME_WAIT
TCP PC_name:31595 localhost:1910 TIME_WAIT
TCP PC_name:31595 localhost:1914 TIME_WAIT
TCP PC_name:31595 localhost:1916 TIME_WAIT
TCP PC_name:31595 localhost:1920 TIME_WAIT
TCP PC_name:31595 localhost:1923 TIME_WAIT
TCP PC_name:31595 localhost:1926 TIME_WAIT
TCP PC_name:31595 localhost:1929 TIME_WAIT
TCP PC_name:31595 localhost:1931 TIME_WAIT
TCP PC_name:31595 localhost:1933 TIME_WAIT
TCP PC_name:31595 localhost:1938 TIME_WAIT
TCP PC_name:31595 localhost:1941 TIME_WAIT
TCP PC_name:31595 localhost:1943 TIME_WAIT
TCP PC_name:31595 localhost:1947 TIME_WAIT
TCP PC_name:31595 localhost:1950 TIME_WAIT
TCP PC_name:31595 localhost:1972 TIME_WAIT
TCP PC_name:31595 localhost:1980 TIME_WAIT
TCP PC_name:31595 localhost:1982 TIME_WAIT
TCP PC_name:31595 localhost:1984 TIME_WAIT
TCP PC_name:31595 localhost:1986 TIME_WAIT
TCP PC_name:31595 localhost:1999 TIME_WAIT
TCP PC_name:31595 localhost:2001 TIME_WAIT
TCP PC_name:31595 localhost:2003 TIME_WAIT
TCP PC_name:31595 localhost:2005 TIME_WAIT
TCP PC_name:31595 localhost:2011 TIME_WAIT
TCP PC_name:31595 localhost:2013 TIME_WAIT
TCP PC_name:31595 localhost:2024 TIME_WAIT
TCP PC_name:31595 localhost:2026 TIME_WAIT
TCP PC_name:31595 localhost:2028 TIME_WAIT
TCP PC_name:31595 localhost:2031 TIME_WAIT
TCP PC_name:31595 localhost:2037 TIME_WAIT
TCP PC_name:31595 localhost:2039 TIME_WAIT
TCP PC_name:31595 localhost:2041 TIME_WAIT
TCP PC_name:31595 localhost:2043 TIME_WAIT
TCP PC_name:31595 localhost:2049 TIME_WAIT
TCP PC_name:31595 localhost:2051 TIME_WAIT
TCP PC_name:31595 localhost:2054 TIME_WAIT
TCP PC_name:31595 localhost:2058 TIME_WAIT
TCP PC_name:31595 localhost:2061 TIME_WAIT
TCP PC_name:31595 localhost:2070 TIME_WAIT
TCP PC_name:31595 localhost:2072 TIME_WAIT
TCP PC_name:31595 localhost:2074 TIME_WAIT
TCP PC_name:31595 localhost:2086 TIME_WAIT
TCP PC_name:31595 localhost:2089 ESTABLISHED
TCP PC_name:31595 localhost:2095 TIME_WAIT
TCP PC_name:31595 localhost:2098 ESTABLISHED
TCP PC_name:31595 localhost:2102 ESTABLISHED
TCP PC_name:31595 localhost:2105 TIME_WAIT
TCP PC_name:31595 localhost:2108 TIME_WAIT
TCP PC_name:31595 localhost:2109 TIME_WAIT
TCP PC_name:31595 localhost:2113 ESTABLISHED
TCP PC_name:31595 localhost:2117 TIME_WAIT
TCP PC_name:31595 localhost:2120 TIME_WAIT
TCP PC_name:31595 localhost:2124 TIME_WAIT
TCP PC_name:netbios-ssn PC_name:0 LISTENING
TCP PC_name:1044 8.18.42.89:http CLOSE_WAIT
TCP PC_name:1639 205.203.139.53:http TIME_WAIT
TCP PC_name:1656 205.203.131.98:http TIME_WAIT
TCP PC_name:1660 63-144-121-164.dia.static.qwest.net:http TIME_WAIT
TCP PC_name:1664 63-144-121-164.dia.static.qwest.net:http TIME_WAIT
TCP PC_name:1682 205.203.139.53:http TIME_WAIT
TCP PC_name:1694 205.203.139.11:http TIME_WAIT
TCP PC_name:1712 207.46.119.234:http TIME_WAIT
TCP PC_name:1721 69.7.234.203:http TIME_WAIT
TCP PC_name:1739 209-18-43-27.dfw10.tbone.rr.com:http TIME_WAIT
TCP PC_name:1741 209-18-43-65.dfw10.tbone.rr.com:http TIME_WAIT
TCP PC_name:1746 d1.ycs.vip.mud.yahoo.com:http TIME_WAIT
TCP PC_name:1758 209-18-43-27.dfw10.tbone.rr.com:http TIME_WAIT
TCP PC_name:1777 209.62.187.9:http TIME_WAIT
TCP PC_name:1807 bh.contextweb.com:http TIME_WAIT
TCP PC_name:1826 64.79.161.90:http TIME_WAIT
TCP PC_name:1829 205.203.131.55:http TIME_WAIT
TCP PC_name:1836 dal-lv3-n18.panthercdn.com:http TIME_WAIT
TCP PC_name:1840 dal-lv3-n18.panthercdn.com:http CLOSE_WAIT
TCP PC_name:1856 dal-lv3-n18.panthercdn.com:http TIME_WAIT
TCP PC_name:1860 205.203.139.53:http TIME_WAIT
TCP PC_name:1878 dal-lv3-n18.panthercdn.com:http TIME_WAIT
TCP PC_name:1881 ac2.microsoft.com:http TIME_WAIT
TCP PC_name:1902 66.235.142.1:http TIME_WAIT
TCP PC_name:1955 205.203.139.53:http TIME_WAIT
TCP PC_name:1957 205.203.139.53:http TIME_WAIT
TCP PC_name:1968 l1.ycs.vip.mud.yahoo.com:http ESTABLISHED
TCP PC_name:1976 205.203.139.11:http TIME_WAIT
TCP PC_name:1979 205.203.131.98:http TIME_WAIT
TCP PC_name:1994 69.7.234.203:http TIME_WAIT
TCP PC_name:2015 bh.contextweb.com:http TIME_WAIT
TCP PC_name:2018 209-18-43-27.dfw10.tbone.rr.com:http TIME_WAIT
TCP PC_name:2057 209.62.187.9:http TIME_WAIT
TCP PC_name:2065 209.62.187.9:http TIME_WAIT
TCP PC_name:2080 205.203.131.55:http TIME_WAIT
TCP PC_name:2084 l1.ycs.vip.mud.yahoo.com:http ESTABLISHED
TCP PC_name:2090 205.203.139.53:http ESTABLISHED
TCP PC_name:2099 www.ldc.scottrade.wallst.com:http ESTABLISHED
TCP PC_name:2103 205.203.139.53:http ESTABLISHED
TCP PC_name:2114 205.203.131.98:http ESTABLISHED
TCP PC_name:2116 www.sb.marketwatch.com:https ESTABLISHED
UDP PC_name:microsoft-ds *:*
UDP PC_name:isakmp *:*
UDP PC_name:4500 *:*
UDP PC_name:ntp *:*
UDP PC_name:1637 *:*
UDP PC_name:1900 *:*
UDP PC_name:2101 *:*
UDP PC_name:18001 *:*
UDP PC_name:18002 *:*
UDP PC_name:44301 *:*
UDP PC_name:ntp *:*
UDP PC_name:netbios-ns *:*
UDP PC_name:netbios-dgm *:*
UDP PC_name:1900 *:*


I think that is all the important information.

Any help is much appreciated.
Thank you for all your time!
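The netstat output above has a shape worth recognising before assuming a backdoor: one high TCP port (31595) that is both a local LISTENING socket and the target of dozens of client sockets from localhost, a flurry that only appears while the browser is busy. That is what a local HTTP proxy looks like (browser to 127.0.0.1:port, proxy to the Internet), and the process list in the post does include a web-proxy component (Panda's WebProxy.exe). Plain netstat -a cannot settle it, because it prints the hostname for every local socket and no owning process. The script below is an added example, not part of the original post: it parses netstat -a or -an style lines, flags loopback churn against a listening port, separates connections to genuinely external hosts from LAN and loopback traffic, and reports the bind scope of each listener when the output is numeric. The sample listing is constructed from the post's output; PC_name is the hostname netstat prints.

```python
"""Triage a Windows netstat listing (-a or -an output) for the pattern in the
post above: loopback churn against a local listener versus real external
connections. Added example; SAMPLE is constructed from the posted output."""
import re
from collections import Counter
from ipaddress import ip_address

SAMPLE = """\
Active Connections

Proto Local Address Foreign Address State
TCP PC_name:epmap PC_name:0 LISTENING
TCP PC_name:31595 PC_name:0 LISTENING
TCP PC_name:2089 localhost:31595 ESTABLISHED
TCP PC_name:2098 localhost:31595 ESTABLISHED
TCP PC_name:2102 localhost:31595 ESTABLISHED
TCP PC_name:2113 localhost:31595 ESTABLISHED
TCP PC_name:31595 localhost:2089 ESTABLISHED
TCP PC_name:31595 localhost:1852 TIME_WAIT
TCP PC_name:31595 localhost:1861 TIME_WAIT
TCP PC_name:1037 192.168.1.1:5000 CLOSE_WAIT
TCP PC_name:1968 l1.ycs.vip.mud.yahoo.com:http ESTABLISHED
TCP PC_name:2116 www.sb.marketwatch.com:https ESTABLISHED
UDP PC_name:1900 *:*
"""

# Proto, local endpoint, foreign endpoint, optional state (UDP rows have none).
ROW = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)(?:\s+(\S+))?\s*$")


def split_endpoint(endpoint):
    """'host:port' -> (host, port); port may be a service name such as 'http'."""
    host, _, port = endpoint.rpartition(":")
    return host, port


def is_loopback(host):
    if host.lower() == "localhost":
        return True
    try:
        return ip_address(host).is_loopback
    except ValueError:
        return False


def is_internal(host):
    """Loopback, unspecified, RFC 1918 or link-local. A DNS name (what -a prints
    for peers it can resolve) counts as external unless it is 'localhost'."""
    if is_loopback(host):
        return True
    try:
        ip = ip_address(host)
    except ValueError:
        return False
    return ip.is_private or ip.is_link_local or ip.is_unspecified


def listener_scope(local_host):
    if is_loopback(local_host):
        return "loopback"   # reachable from this machine only
    if local_host in ("0.0.0.0", "::"):
        return "any"        # bound on every interface
    return "unknown"        # -a printed the hostname; rerun as netstat -ano


def parse(text):
    rows = []
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            proto, local, foreign, state = m.groups()
            rows.append((proto, *split_endpoint(local), *split_endpoint(foreign), state or ""))
    return rows


def triage(text, churn_threshold=3):
    listeners = {}                 # "TCP/31595" -> bind scope
    loopback_clients = Counter()   # target port -> client sockets from localhost
    external = set()
    for proto, lhost, lport, fhost, fport, state in parse(text):
        if proto == "UDP" or state == "LISTENING":
            listeners[f"{proto}/{lport}"] = listener_scope(lhost)
        elif is_loopback(fhost):
            loopback_clients[fport] += 1   # both directions counted; filtered below
        elif state in ("ESTABLISHED", "CLOSE_WAIT", "SYN_SENT") and not is_internal(fhost):
            external.add((fhost, fport))
    # Only ports that are also local listeners qualify as a local-proxy target.
    proxy_ports = sorted(
        port for port, n in loopback_clients.items()
        if f"TCP/{port}" in listeners and n >= churn_threshold
    )
    return {"listeners": listeners, "local_proxy_ports": proxy_ports,
            "external": sorted(external)}


if __name__ == "__main__":
    for key, value in triage(SAMPLE).items():
        print(f"{key}: {value}")
```

On the posted listing this reports 31595 as a local-proxy candidate, two external connections (both to web servers the browser was talking to), and "unknown" scope for every listener, which is the cue to rerun as `netstat -ano` and map the PID of the 31595 listener with `tasklist /svc /FI "PID eq <pid>"` (on XP SP2 and later, `netstat -b` prints the owning executable directly). If the owner is the AV web filter, the port churn is expected behaviour; if it is an unsigned binary in a user-writable directory, that is the thing to submit for analysis.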