attack of the 2xxx ports?

#1 S_K_U_N_X


Posted 11 March 2011 - 10:27 PM

I know there is a list of do's before I should complain about my problems and I understand that. I'm posting this in hopes someone recognizes these ports or domains that are attaching to my system. I first noticed the browsers opening sites other than the ones I clicked on and had a feeling it was a back door. This system is behind a Linux firewalled server, but here is what netstat -a showed me.

The 2xxx ports don't show up after reboot, nor any time soon. But once pages start to choose random sites other than what I select, the ports are open.

12080 I'm told is Avast. My guess is when Avast blocks them.

  TCP    NASNUR:microsoft-ds    NASNUR:0               LISTENING
  TCP    NASNUR:5800            NASNUR:0               LISTENING
  TCP    NASNUR:5900            NASNUR:0               LISTENING
  TCP    NASNUR:1264            localhost:1263         TIME_WAIT
  TCP    NASNUR:2073            localhost:12080        TIME_WAIT
  TCP    NASNUR:2087            localhost:12080        TIME_WAIT
  TCP    NASNUR:2089            localhost:12080        TIME_WAIT
  TCP    NASNUR:2093            localhost:12080        TIME_WAIT
  TCP    NASNUR:2095            localhost:12080        TIME_WAIT
  TCP    NASNUR:2097            localhost:12080        TIME_WAIT
  TCP    NASNUR:2113            localhost:12080        TIME_WAIT
  TCP    NASNUR:2200            localhost:12080        TIME_WAIT
  TCP    NASNUR:2204            localhost:12080        TIME_WAIT
  TCP    NASNUR:2206            localhost:12080        TIME_WAIT
  TCP    NASNUR:2216            localhost:12080        TIME_WAIT
  TCP    NASNUR:2224            localhost:12080        TIME_WAIT
  TCP    NASNUR:2225            localhost:12080        TIME_WAIT
  TCP    NASNUR:2228            localhost:12080        TIME_WAIT
  TCP    NASNUR:2232            localhost:12080        TIME_WAIT
  TCP    NASNUR:2238            localhost:12080        TIME_WAIT
  TCP    NASNUR:2241            localhost:12080        TIME_WAIT
  TCP    NASNUR:2244            localhost:12080        TIME_WAIT
  TCP    NASNUR:2245            localhost:12080        TIME_WAIT
  TCP    NASNUR:2248            localhost:12080        TIME_WAIT
  TCP    NASNUR:2252            localhost:12080        TIME_WAIT
  TCP    NASNUR:2278            localhost:12080        TIME_WAIT
  TCP    NASNUR:2281            localhost:12080        TIME_WAIT
  TCP    NASNUR:2283            localhost:12080        TIME_WAIT
  TCP    NASNUR:2287            localhost:12080        TIME_WAIT
  TCP    NASNUR:2292            localhost:12080        TIME_WAIT
  TCP    NASNUR:2293            localhost:12080        TIME_WAIT
  TCP    NASNUR:2296            localhost:12080        TIME_WAIT
  TCP    NASNUR:2308            localhost:12080        TIME_WAIT
  TCP    NASNUR:2309            localhost:12080        TIME_WAIT
  TCP    NASNUR:2335            localhost:12080        TIME_WAIT
  TCP    NASNUR:2345            localhost:12080        TIME_WAIT
  TCP    NASNUR:2347            localhost:12080        TIME_WAIT
  TCP    NASNUR:2351            localhost:12080        TIME_WAIT
  TCP    NASNUR:2353            localhost:12080        TIME_WAIT
  TCP    NASNUR:2355            localhost:12080        TIME_WAIT
  TCP    NASNUR:2357            localhost:12080        TIME_WAIT
  TCP    NASNUR:2375            localhost:12080        TIME_WAIT
  TCP    NASNUR:2393            localhost:12080        TIME_WAIT
  TCP    NASNUR:2397            localhost:12080        TIME_WAIT
  TCP    NASNUR:2422            localhost:12080        TIME_WAIT
  TCP    NASNUR:2427            localhost:12080        TIME_WAIT
  TCP    NASNUR:2431            localhost:12080        TIME_WAIT
  TCP    NASNUR:2435            localhost:12080        TIME_WAIT
  TCP    NASNUR:2477            localhost:12080        TIME_WAIT
  TCP    NASNUR:2492            localhost:12080        TIME_WAIT
  TCP    NASNUR:5152            NASNUR:0               LISTENING
  TCP    NASNUR:5152            localhost:1265         CLOSE_WAIT
  TCP    NASNUR:11500           NASNUR:0               LISTENING
  TCP    NASNUR:11526           NASNUR:0               LISTENING
  TCP    NASNUR:11526           localhost:2068         TIME_WAIT
  TCP    NASNUR:11526           localhost:2190         TIME_WAIT
  TCP    NASNUR:11526           localhost:2325         TIME_WAIT
  TCP    NASNUR:11526           localhost:2447         TIME_WAIT
  TCP    NASNUR:11527           NASNUR:0               LISTENING
  TCP    NASNUR:11528           NASNUR:0               LISTENING
  TCP    NASNUR:11529           NASNUR:0               LISTENING
  TCP    NASNUR:11530           NASNUR:0               LISTENING
  TCP    NASNUR:11531           NASNUR:0               LISTENING
  TCP    NASNUR:11532           NASNUR:0               LISTENING
  TCP    NASNUR:11533           NASNUR:0               LISTENING
  TCP    NASNUR:12025           NASNUR:0               LISTENING
  TCP    NASNUR:12080           NASNUR:0               LISTENING
  TCP    NASNUR:12080           localhost:2091         TIME_WAIT
  TCP    NASNUR:12080           localhost:2099         TIME_WAIT
  TCP    NASNUR:12080           localhost:2115         TIME_WAIT
  TCP    NASNUR:12080           localhost:2116         TIME_WAIT
  TCP    NASNUR:12080           localhost:2144         TIME_WAIT
  TCP    NASNUR:12080           localhost:2147         TIME_WAIT
  TCP    NASNUR:12080           localhost:2150         TIME_WAIT
  TCP    NASNUR:12080           localhost:2152         TIME_WAIT
  TCP    NASNUR:12080           localhost:2159         TIME_WAIT
  TCP    NASNUR:12080           localhost:2160         TIME_WAIT
  TCP    NASNUR:12080           localhost:2167         TIME_WAIT
  TCP    NASNUR:12080           localhost:2177         TIME_WAIT
  TCP    NASNUR:12080           localhost:2179         TIME_WAIT
  TCP    NASNUR:12080           localhost:2185         TIME_WAIT
  TCP    NASNUR:12080           localhost:2186         TIME_WAIT
  TCP    NASNUR:12080           localhost:2192         TIME_WAIT
  TCP    NASNUR:12080           localhost:2194         TIME_WAIT
  TCP    NASNUR:12080           localhost:2202         TIME_WAIT
  TCP    NASNUR:12080           localhost:2208         TIME_WAIT
  TCP    NASNUR:12080           localhost:2210         TIME_WAIT
  TCP    NASNUR:12080           localhost:2211         TIME_WAIT
  TCP    NASNUR:12080           localhost:2250         TIME_WAIT
  TCP    NASNUR:12080           localhost:2256         TIME_WAIT
  TCP    NASNUR:12080           localhost:2262         TIME_WAIT
  TCP    NASNUR:12080           localhost:2266         TIME_WAIT
  TCP    NASNUR:12080           localhost:2268         TIME_WAIT
  TCP    NASNUR:12080           localhost:2269         TIME_WAIT
  TCP    NASNUR:12080           localhost:2271         TIME_WAIT
  TCP    NASNUR:12080           localhost:2290         TIME_WAIT
  TCP    NASNUR:12080           localhost:2298         TIME_WAIT
  TCP    NASNUR:12080           localhost:2299         TIME_WAIT
  TCP    NASNUR:12080           localhost:2304         TIME_WAIT
  TCP    NASNUR:12080           localhost:2305         TIME_WAIT
  TCP    NASNUR:12080           localhost:2312         TIME_WAIT
  TCP    NASNUR:12080           localhost:2313         TIME_WAIT
  TCP    NASNUR:12080           localhost:2322         TIME_WAIT
  TCP    NASNUR:12080           localhost:2326         TIME_WAIT
  TCP    NASNUR:12080           localhost:2329         TIME_WAIT
  TCP    NASNUR:12080           localhost:2331         TIME_WAIT
  TCP    NASNUR:12080           localhost:2333         TIME_WAIT
  TCP    NASNUR:12080           localhost:2339         TIME_WAIT
  TCP    NASNUR:12080           localhost:2341         TIME_WAIT
  TCP    NASNUR:12080           localhost:2361         TIME_WAIT
  TCP    NASNUR:12080           localhost:2370         TIME_WAIT
  TCP    NASNUR:12080           localhost:2371         TIME_WAIT
  TCP    NASNUR:12080           localhost:2383         TIME_WAIT
  TCP    NASNUR:12080           localhost:2390         TIME_WAIT
  TCP    NASNUR:12080           localhost:2401         TIME_WAIT
  TCP    NASNUR:12080           localhost:2405         TIME_WAIT
  TCP    NASNUR:12080           localhost:2408         TIME_WAIT
  TCP    NASNUR:12080           localhost:2411         TIME_WAIT
  TCP    NASNUR:12080           localhost:2413         TIME_WAIT
  TCP    NASNUR:12080           localhost:2414         TIME_WAIT
  TCP    NASNUR:12080           localhost:2417         TIME_WAIT
  TCP    NASNUR:12080           localhost:2419         TIME_WAIT
  TCP    NASNUR:12080           localhost:2421         TIME_WAIT
  TCP    NASNUR:12080           localhost:2433         TIME_WAIT
  TCP    NASNUR:12080           localhost:2439         TIME_WAIT
  TCP    NASNUR:12080           localhost:2441         TIME_WAIT
  TCP    NASNUR:12080           localhost:2443         TIME_WAIT
  TCP    NASNUR:12080           localhost:2445         TIME_WAIT
  TCP    NASNUR:12080           localhost:2448         TIME_WAIT
  TCP    NASNUR:12080           localhost:2453         TIME_WAIT
  TCP    NASNUR:12080           localhost:2455         TIME_WAIT
  TCP    NASNUR:12080           localhost:2462         TIME_WAIT
  TCP    NASNUR:12080           localhost:2466         TIME_WAIT
  TCP    NASNUR:12080           localhost:2468         TIME_WAIT
  TCP    NASNUR:12080           localhost:2469         TIME_WAIT
  TCP    NASNUR:12080           localhost:2472         TIME_WAIT
  TCP    NASNUR:12080           localhost:2473         TIME_WAIT
  TCP    NASNUR:12080           localhost:2480         TIME_WAIT
  TCP    NASNUR:12080           localhost:2484         TIME_WAIT
  TCP    NASNUR:12080           localhost:2490         TIME_WAIT
  TCP    NASNUR:12080           localhost:2496         TIME_WAIT
  TCP    NASNUR:12080           localhost:2497         TIME_WAIT
  TCP    NASNUR:12080           localhost:2500         TIME_WAIT
  TCP    NASNUR:12080           localhost:2501         TIME_WAIT
  TCP    NASNUR:12080           localhost:2504         TIME_WAIT
  TCP    NASNUR:12080           localhost:2505         TIME_WAIT
  TCP    NASNUR:12080           localhost:2514         TIME_WAIT
  TCP    NASNUR:12110           NASNUR:0               LISTENING
  TCP    NASNUR:12119           NASNUR:0               LISTENING
  TCP    NASNUR:12143           NASNUR:0               LISTENING
  TCP    NASNUR:12465           NASNUR:0               LISTENING
  TCP    NASNUR:12563           NASNUR:0               LISTENING
  TCP    NASNUR:12993           NASNUR:0               LISTENING
  TCP    NASNUR:12995           NASNUR:0               LISTENING
  TCP    NASNUR:netbios-ssn     NASNUR:0               LISTENING
  TCP    NASNUR:1255            bos-m058c-sdr3.blue.aol.com:5190  TIME_WAIT
  TCP    NASNUR:1256            cs219p1.msg.sp1.yahoo.com:5050  TIME_WAIT
  TCP    NASNUR:1259            oam-m07a.blue.aol.com:5190  TIME_WAIT
  TCP    NASNUR:1438            106-120-162-69.reverse.lstn.net:http  LAST_ACK
  TCP    NASNUR:1912            a184-26-5-115.deploy.akamaitechnologies.com:http
  TCP    NASNUR:1971            a96-17-106-114.deploy.akamaitechnologies.com:htt
  TCP    NASNUR:1975            a96-17-106-114.deploy.akamaitechnologies.com:htt
  TCP    NASNUR:1977            a96-17-106-114.deploy.akamaitechnologies.com:htt
  TCP    NASNUR:1979            a96-17-106-114.deploy.akamaitechnologies.com:htt
  TCP    NASNUR:1981            a96-17-106-114.deploy.akamaitechnologies.com:htt
  TCP    NASNUR:1983            a96-17-106-114.deploy.akamaitechnologies.com:htt
  TCP    NASNUR:2042            yx-in-f101.1e100.net:http  TIME_WAIT
  TCP    NASNUR:2045            yx-in-f149.1e100.net:http  TIME_WAIT
  TCP    NASNUR:2054            www-10-01-snc2.facebook.com:http  TIME_WAIT
  TCP    NASNUR:2064            a96-17-106-66.deploy.akamaitechnologies.com:http
  TCP    NASNUR:2070            yx-in-f101.1e100.net:http  TIME_WAIT
  TCP    NASNUR:2072            yx-in-f103.1e100.net:http  TIME_WAIT
  TCP    NASNUR:2077            yx-in-f99.1e100.net:http  TIME_WAIT
  TCP    NASNUR:2078            yx-in-f100.1e100.net:http  TIME_WAIT
  TCP    NASNUR:2080            yx-in-f147.1e100.net:http  TIME_WAIT
  TCP    NASNUR:2082            a96-17-106-96.deploy.akamaitechnologies.com:http
  TCP    NASNUR:2086            a96-17-106-96.deploy.akamaitechnologies.com:http
  TCP    NASNUR:2103      TIME_WAIT
  TCP    NASNUR:2106      TIME_WAIT
  TCP    NASNUR:2112            a96-17-106-114.deploy.akamaitechnologies.com:htt
  TCP    NASNUR:2122      TIME_WAIT
  TCP    NASNUR:2126      TIME_WAIT
  TCP    NASNUR:2128      TIME_WAIT
  TCP    NASNUR:2130      TIME_WAIT
  TCP    NASNUR:2132      LAST_ACK
  TCP    NASNUR:2134      TIME_WAIT
  TCP    NASNUR:2141      TIME_WAIT
  TCP    NASNUR:2143      TIME_WAIT
  TCP    NASNUR:2151      LAST_ACK
  TCP    NASNUR:2158            a96-17-106-96.deploy.akamaitechnologies.com:http
  TCP    NASNUR:2164            yx-in-f102.1e100.net:http  TIME_WAIT
  TCP    NASNUR:2166            a96-17-106-114.deploy.akamaitechnologies.com:htt
  TCP    NASNUR:2170            a184-31-243-24.deploy.akamaitechnologies.com:htt
  TCP    NASNUR:2172            www-10-01-snc2.facebook.com:http  TIME_WAIT
  TCP    NASNUR:2174            api-connect-13-02-snc4.facebook.com:http  TIME_W
  TCP    NASNUR:2176            a96-17-106-114.deploy.akamaitechnologies.com:htt
  TCP    NASNUR:2182            a96-17-106-90.deploy.akamaitechnologies.com:http
  TCP    NASNUR:2184      TIME_WAIT
  TCP    NASNUR:2197            g1.v.fwmrm.net:http    TIME_WAIT
  TCP    NASNUR:2215            a96-17-106-75.deploy.akamaitechnologies.com:http
  TCP    NASNUR:2220            a96-17-106-121.deploy.akamaitechnologies.com:htt
  TCP    NASNUR:2221            a96-17-106-88.deploy.akamaitechnologies.com:http
  TCP    NASNUR:2223            a96-17-106-122.deploy.akamaitechnologies.com:htt
  TCP    NASNUR:2231        TIME_WAIT
  TCP    NASNUR:2237            a96-17-106-122.deploy.akamaitechnologies.com:htt
  TCP    NASNUR:2243            tls_server.uslendernetwork.com:http  TIME_WAIT
  TCP    NASNUR:2255            ec2-184-73-247-231.compute-1.amazonaws.com:http
  TCP    NASNUR:2259            a96-17-106-64.deploy.akamaitechnologies.com:http
  TCP    NASNUR:2261            a96-17-106-122.deploy.akamaitechnologies.com:htt
  TCP    NASNUR:2265            a96-17-106-137.deploy.akamaitechnologies.com:htt
  TCP    NASNUR:2275            yx-in-f148.1e100.net:http  TIME_WAIT
  TCP    NASNUR:2277            ec2-184-72-244-174.compute-1.amazonaws.com:http
  TCP    NASNUR:2282            ec2-184-72-244-174.compute-1.amazonaws.com:http
  TCP    NASNUR:2289            a96-17-106-96.deploy.akamaitechnologies.com:http
  TCP    NASNUR:2303            g1.v.fwmrm.net:http    TIME_WAIT
  TCP    NASNUR:2317            g1.v.fwmrm.net:http    TIME_WAIT
  TCP    NASNUR:2319            g1.v.fwmrm.net:http    TIME_WAIT
  TCP    NASNUR:2328            106-120-162-69.reverse.lstn.net:http  CLOSE_WAIT
  TCP    NASNUR:2344            a.tribalfusion.com:http  TIME_WAIT
  TCP    NASNUR:2350            a.tribalfusion.com:http  TIME_WAIT
  TCP    NASNUR:2360            a.tribalfusion.com:http  TIME_WAIT
  TCP    NASNUR:2364            a96-17-106-96.deploy.akamaitechnologies.com:http
  TCP    NASNUR:2367      TIME_WAIT
  TCP    NASNUR:2368            yx-in-f148.1e100.net:http  TIME_WAIT
  TCP    NASNUR:2380        TIME_WAIT
  TCP    NASNUR:2382      TIME_WAIT
  TCP    NASNUR:2386            yx-in-f149.1e100.net:http  TIME_WAIT
  TCP    NASNUR:2389            a96-17-106-88.deploy.akamaitechnologies.com:http
  TCP    NASNUR:2391            ec2-50-18-49-214.us-west-1.compute.amazonaws.com:http  TIME_WAIT
  TCP    NASNUR:2396        TIME_WAIT
  TCP    NASNUR:2400            yx-in-f148.1e100.net:http  TIME_WAIT
  TCP    NASNUR:2426      TIME_WAIT
  TCP    NASNUR:2430            ec2-184-73-247-231.compute-1.amazonaws.com:http
  TCP    NASNUR:2436            yx-in-f148.1e100.net:http  TIME_WAIT
  TCP    NASNUR:2438            ec2-184-72-244-174.compute-1.amazonaws.com:http
  TCP    NASNUR:2451            ec2-184-72-244-174.compute-1.amazonaws.com:http
  TCP    NASNUR:2454            yx-in-f148.1e100.net:http  TIME_WAIT
  TCP    NASNUR:2460            a96-17-106-96.deploy.akamaitechnologies.com:http
  TCP    NASNUR:2463            ec2-50-17-216-195.compute-1.amazonaws.com:http
  TCP    NASNUR:2464            a96-17-106-88.deploy.akamaitechnologies.com:http
  TCP    NASNUR:2478        TIME_WAIT
  TCP    NASNUR:2483            a96-17-106-75.deploy.akamaitechnologies.com:http
  TCP    NASNUR:2489            ec2-184-72-244-174.compute-1.amazonaws.com:http
  TCP    NASNUR:2495            g1.v.fwmrm.net:http    TIME_WAIT
  TCP    NASNUR:2510            g1.v.fwmrm.net:http    TIME_WAIT
  TCP    NASNUR:2511            g1.v.fwmrm.net:http    TIME_WAIT
  UDP    NASNUR:microsoft-ds    *:*
  UDP    NASNUR:isakmp          *:*
  UDP    NASNUR:4500            *:*
  UDP    NASNUR:ntp             *:*
  UDP    NASNUR:1068            *:*
  UDP    NASNUR:1900            *:*
  UDP    NASNUR:ntp             *:*
  UDP    NASNUR:netbios-ns      *:*
  UDP    NASNUR:netbios-dgm     *:*
  UDP    NASNUR:1900            *:*

C:\Documents and Settings\pam>

Edit: Moved topic from XP to the more appropriate forum. ~ Animal
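As an added triage example (not part of the original post and not the poster's own script), the following Python parses a Windows `netstat -a` listing like the one above and separates what matters for a backdoor question (sockets in LISTENING state and connections to outside hosts) from the transient client-side entries. The 2xxx entries in the post are TIME_WAIT connections whose remote end is localhost:12080, i.e. already-closed connections from an ephemeral source port to a local listener; Windows XP assigns client ports from 1025-5000 by default, which the script assumes as the ephemeral range. The sample lines are copied from the post, including its truncated forms (remote host cut at console width, or the remote column missing entirely).

```python
"""Triage a Windows `netstat -a` listing: split listening sockets from
transient client connections and group outbound connections by remote host."""
from collections import Counter

# Constructed sample: a subset of the lines from the post above, including
# the truncated shapes that appear there.
SAMPLE = """\
  TCP    NASNUR:microsoft-ds    NASNUR:0               LISTENING
  TCP    NASNUR:5900            NASNUR:0               LISTENING
  TCP    NASNUR:2073            localhost:12080        TIME_WAIT
  TCP    NASNUR:2087            localhost:12080        TIME_WAIT
  TCP    NASNUR:12080           NASNUR:0               LISTENING
  TCP    NASNUR:12080           localhost:2091         TIME_WAIT
  TCP    NASNUR:1912            a184-26-5-115.deploy.akamaitechnologies.com:http
  TCP    NASNUR:2103      TIME_WAIT
  TCP    NASNUR:2344            a.tribalfusion.com:http  TIME_WAIT
  UDP    NASNUR:ntp             *:*
"""

TCP_STATES = {"LISTENING", "ESTABLISHED", "TIME_WAIT", "CLOSE_WAIT",
              "LAST_ACK", "SYN_SENT", "SYN_RECEIVED", "FIN_WAIT_1",
              "FIN_WAIT_2", "CLOSING"}

# Assumption: Windows XP default dynamic (client) port range.
EPHEMERAL_LOW, EPHEMERAL_HIGH = 1025, 5000


def is_ephemeral(port):
    """True for numeric ports inside the assumed client-port range."""
    try:
        return EPHEMERAL_LOW <= int(port) <= EPHEMERAL_HIGH
    except ValueError:          # service names such as 'http' or 'ntp'
        return False


def split_endpoint(ep):
    """'host:port' -> (host, port); port may be a service name."""
    host, _, port = ep.rpartition(":")
    return host, port


def parse_netstat(text):
    """Yield one dict per socket line. A missing remote column (truncated
    output) gives rhost/rport None; a missing state column gives state ''."""
    for raw in text.splitlines():
        parts = raw.split()
        if len(parts) < 2 or parts[0] not in ("TCP", "UDP"):
            continue
        proto, local = parts[0], parts[1]
        remote, state = None, ""
        if len(parts) >= 4:
            remote, state = parts[2], parts[3]
        elif len(parts) == 3:
            if parts[2] in TCP_STATES:
                state = parts[2]        # remote column was dropped
            else:
                remote = parts[2]       # state column was cut off
        lhost, lport = split_endpoint(local)
        rhost, rport = split_endpoint(remote) if remote else (None, None)
        yield {"proto": proto, "lhost": lhost, "lport": lport,
               "rhost": rhost, "rport": rport, "state": state}


def triage(text):
    """Return (listening, loopback, remotes, orphans):
    listening - (proto, port) sockets accepting traffic (the part to audit);
    loopback  - Counter of the local *service* port behind each loopback
                connection, so 2xxx client ports collapse onto e.g. '12080';
    remotes   - Counter of outside hosts the machine talked to;
    orphans   - local ports whose remote end was cut from the listing."""
    listening, loopback, remotes, orphans = [], Counter(), Counter(), []
    for c in parse_netstat(text):
        if c["state"] == "LISTENING" or (c["proto"] == "UDP" and c["rhost"] == "*"):
            listening.append((c["proto"], c["lport"]))
        elif c["rhost"] in ("localhost", "127.0.0.1"):
            service = c["lport"] if is_ephemeral(c["rport"]) else c["rport"]
            loopback[service] += 1
        elif c["rhost"]:
            remotes[c["rhost"]] += 1
        else:
            orphans.append(c["lport"])
    return listening, loopback, remotes, orphans


if __name__ == "__main__":
    listening, loopback, remotes, orphans = triage(SAMPLE)
    print("Listening sockets:", listening)
    print("Loopback connections by service port:", dict(loopback))
    print("Outbound connections by remote host:", dict(remotes))
    print("Entries with remote end truncated:", orphans)
```

Run it against a saved `netstat -a` dump instead of `SAMPLE` to get the same summary for a real listing; the listening list and the outbound host counts are the two things worth comparing against what the machine is supposed to be running.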

#2 Blade



Posted 19 March 2011 - 05:12 PM

Hello and :welcome: to BleepingComputer.

Let's see what we're dealing with here.

Please download RKill by Grinler from one of the 4 links below and save it to your desktop.

Link 1
Link 2
Link 3
Link 4
  • Before we begin, you should disable any anti-malware software you have installed so it does not interfere with RKill running. This is because some anti-malware software mistakenly detects RKill as malicious. Please refer to this page if you are not sure how to disable your security software.
  • Double-click on Rkill on your desktop to run it. (If you are using Windows Vista, please right-click on it and select Run As Administrator)
  • A black screen will appear and then disappear. Please do not worry, that is normal. This means that the tool has been successfully executed.
  • If nothing happens or if the tool does not run, please let me know in your next reply.

Please download Malwarebytes Anti-Malware and save it to your desktop.
alternate download link

IMPORTANT!!! - when you save the file, rename it to something random, such as bubbles.exe. This must be done before beginning the download!

MBAM may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (i.e. Spybot's TeaTimer), they may interfere or alert you. Temporarily disable such programs or permit them to allow the changes.
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself. Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the definition updates, manually download them from here (http://data.mbamupdates.com/tools/mbam-rules.exe) and just double-click on mbam-rules.exe to install.
On the Scanner tab:
  • Make sure the "Perform Quick Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.
  • Exit MBAM when done.
Note: If MBAM encounters a file that is difficult to remove, you will be asked to reboot your computer so MBAM can proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware.


In your next reply, please include the following:
Malwarebytes Log

