Old 17-August-2004, 17:39
Help please. Netstat.

Ran netstat and got the following results.

Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\Documents and Settings\>netstat

Active Connections

Proto Local Address Foreign Address State
TCP g-p10y3drit3eft:1026 SYN_SENT
TCP g-p10y3drit3eft:1027 SYN_SENT
TCP g-p10y3drit3eft:1028 SYN_SENT
TCP g-p10y3drit3eft:1029 SYN_SENT
TCP g-p10y3drit3eft:1030 SYN_SENT
TCP g-p10y3drit3eft:1031 SYN_SENT
TCP g-p10y3drit3eft:1032 SYN_SENT
TCP g-p10y3drit3eft:1033 SYN_SENT
TCP g-p10y3drit3eft:1034 SYN_SENT
TCP g-p10y3drit3eft:1035 SYN_SENT
TCP g-p10y3drit3eft:1036 SYN_SENT
TCP g-p10y3drit3eft:1037 SYN_SENT
TCP g-p10y3drit3eft:1038 SYN_SENT
TCP g-p10y3drit3eft:1039 SYN_SENT
TCP g-p10y3drit3eft:1040 SYN_SENT
TCP g-p10y3drit3eft:1041 SYN_SENT
TCP g-p10y3drit3eft:1042 SYN_SENT
TCP g-p10y3drit3eft:1043 SYN_SENT
TCP g-p10y3drit3eft:1044 SYN_SENT
TCP g-p10y3drit3eft:1045 SYN_SENT
TCP g-p10y3drit3eft:1046 SYN_SENT
TCP g-p10y3drit3eft:1047 SYN_SENT
TCP g-p10y3drit3eft:1048 SYN_SENT
TCP g-p10y3drit3eft:1049 SYN_SENT
TCP g-p10y3drit3eft:1050 SYN_SENT
TCP g-p10y3drit3eft:1051 SYN_SENT
TCP g-p10y3drit3eft:1052 SYN_SENT
TCP g-p10y3drit3eft:1053 SYN_SENT
TCP g-p10y3drit3eft:2112 ds80-237-205-33.dedicated.hosteurope.de:4661 ES
TCP g-p10y3drit3eft:4557 ESTABLISHED
TCP g-p10y3drit3eft:4558 ESTABLISHED
TCP g-p10y3drit3eft:4960 SYN_SENT
TCP g-p10y3drit3eft:4961 SYN_SENT
TCP g-p10y3drit3eft:4962 SYN_SENT
TCP g-p10y3drit3eft:4963 SYN_SENT
TCP g-p10y3drit3eft:4964 SYN_SENT
TCP g-p10y3drit3eft:4965 SYN_SENT
TCP g-p10y3drit3eft:4966 SYN_SENT
TCP g-p10y3drit3eft:4967 SYN_SENT
TCP g-p10y3drit3eft:4968 SYN_SENT
TCP g-p10y3drit3eft:4969 SYN_SENT
TCP g-p10y3drit3eft:4970 SYN_SENT
TCP g-p10y3drit3eft:4971 SYN_SENT
TCP g-p10y3drit3eft:4972 SYN_SENT
TCP g-p10y3drit3eft:4973 SYN_SENT
TCP g-p10y3drit3eft:4974 SYN_SENT
TCP g-p10y3drit3eft:4975 SYN_SENT
TCP g-p10y3drit3eft:4976 SYN_SENT
TCP g-p10y3drit3eft:4977 SYN_SENT
TCP g-p10y3drit3eft:4978 SYN_SENT
TCP g-p10y3drit3eft:4979 SYN_SENT
TCP g-p10y3drit3eft:4980 SYN_SENT
TCP g-p10y3drit3eft:4981 SYN_SENT
TCP g-p10y3drit3eft:4982 SYN_SENT
TCP g-p10y3drit3eft:4983 SYN_SENT
TCP g-p10y3drit3eft:4984 SYN_SENT
TCP g-p10y3drit3eft:4985 SYN_SENT
TCP g-p10y3drit3eft:4986 SYN_SENT
TCP g-p10y3drit3eft:4987 SYN_SENT
TCP g-p10y3drit3eft:4988 SYN_SENT
TCP g-p10y3drit3eft:4989 SYN_SENT
TCP g-p10y3drit3eft:4990 SYN_SENT
TCP g-p10y3drit3eft:4991 SYN_SENT
TCP g-p10y3drit3eft:4992 SYN_SENT
TCP g-p10y3drit3eft:4993 SYN_SENT
TCP g-p10y3drit3eft:4994 SYN_SENT
TCP g-p10y3drit3eft:4995 SYN_SENT
TCP g-p10y3drit3eft:4996 SYN_SENT
TCP g-p10y3drit3eft:4997 SYN_SENT
TCP g-p10y3drit3eft:4998 SYN_SENT
TCP g-p10y3drit3eft:4999 SYN_SENT
TCP g-p10y3drit3eft:5000 SYN_SENT

I notice that if I block spools.exe via the software firewall this goes away.

Ran virus/trojan and spy checks. Online scans at RAV, Panda and Symantec including security checks. All report a clean and secure system.

I'm behind a NAT router, so is spools.exe just trying to find anything else on the 10.x.x.x network?

Any advice gratefully accepted.

Old 17-August-2004, 18:29

All the entries are internal to your network except the following (Do a lookup if you're not certain what these are):
TCP g-p10y3drit3eft:2112 ds80-237-205-33.dedicated.hosteurope.de:4661 ES
TCP g-p10y3drit3eft:4557 ESTABLISHED
TCP g-p10y3drit3eft:4558 ESTABLISHED

SYN_SENT means that an application has issued a request for a TCP session, but has not received the return SYN+ACK packet.
This could point to a problem with your network.
What was actually running at this time?

Try setting the spooler service to manual rather than automatic via the services management console. It should then only run when requested to do so.
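To make the SYN_SENT point above concrete, here is an added example (not code from any poster, nor from TDS-3) that parses XP-style netstat output and flags runs of adjacent local ports all stuck in SYN_SENT, the pattern in the first post; the sample output, hostnames and addresses are constructed.

```python
# Added example for this thread; not code from any poster or from TDS-3.
# The sample below is constructed: hostnames and addresses are made up.
import re

# Constructed sample in the XP "netstat" layout (Proto / Local / Foreign / State).
SAMPLE = """Active Connections
  Proto  Local Address     Foreign Address          State
  TCP    host:1026         10.0.0.12:microsoft-ds   SYN_SENT
  TCP    host:1027         10.0.0.13:microsoft-ds   SYN_SENT
  TCP    host:1028         10.0.0.14:microsoft-ds   SYN_SENT
  TCP    host:1029         10.0.0.15:microsoft-ds   SYN_SENT
  TCP    host:1030         10.0.0.16:microsoft-ds   SYN_SENT
  TCP    host:2112         example.invalid:4661     ESTABLISHED
  TCP    host:4557         10.0.0.1:http            ESTABLISHED
"""
# proto, local host, local port, foreign host, foreign port, state (empty for UDP)
LINE = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\S+)\s+(\S+):(\S+)\s*(\S*)\s*$")

def parse_netstat(text):
    """Return (proto, local_port, foreign_host, foreign_port, state) per row."""
    rows = []
    for line in text.splitlines():
        m = LINE.match(line)
        if m:
            proto, _lhost, lport, fhost, fport, state = m.groups()
            rows.append((proto, lport, fhost, fport, state))
    return rows

def syn_sent_runs(rows, min_run=4):
    """Runs of adjacent local ports all stuck in SYN_SENT, as (first, last).
    One half-open socket may be a dead peer or a dropped SYN; a scanner or
    worm burns ephemeral ports in sequence, so a long run is the signal."""
    ports = sorted({int(p) for _, p, _, _, s in rows if s == "SYN_SENT" and p.isdigit()})
    runs, run = [], []
    for p in ports + [None]:  # sentinel flushes the last run
        if run and (p is None or p != run[-1] + 1):
            if len(run) >= min_run:
                runs.append((run[0], run[-1]))
            run = []
        if p is not None:
            run.append(p)
    return runs

def targeted_ports(rows):
    """Count which foreign ports the half-open sockets were aimed at."""
    counts = {}
    for _, _, _, fport, state in rows:
        if state == "SYN_SENT":
            counts[fport] = counts.get(fport, 0) + 1
    return counts
```

Run it against a saved `netstat -n` capture instead of SAMPLE; a run of dozens of neighbouring ports, all aimed at the same foreign port, is what the first post shows.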
Old 17-August-2004, 21:01

Thanks for the info, ZerO.

Stopping spools.exe resulted in

TCP g-p10y3drit3eft:2112 ds80-237-205-33.dedicated.hosteurope.de:4661 SYN_SENT

This entry was always there on a netstat run.

Checked in msconfig>startup and noticed two entries for spools.exe, but only spools.exe, not the usual C:\windows\etc. Disabled both of these entries and hey presto, a clean netstat.

I think either:

a) the "malware" was trying to infect other PCs on my network, of which there are none (just one PC connected), or

b) the "malware" was trying a DoS attack.

Any thoughts, and can I follow the registry location, shown in msconfig>startup, to delete it from the reg?

Thanks again,

Old 17-August-2004, 22:07

Results of lookup:

% This is the RIPE Whois server.
% The objects are in RPSL format.
% Rights restricted by copyright.
% See http://www.ripe.net/ripencc/pub-serv...copyright.html

inetnum: -
remarks: INFRA-AW
netname: HE-DEDIC-CGN-205
descr: Hosteurope GmbH
descr: koeln@hosteurope.de
country: DE
admin-c: HER4-RIPE
tech-c: HER12-RIPE
notify: notify@hosteurope.de
mnt-by: ONE2ONE-MNT
changed: hostmaster@hosteurope.de 20040721
source: RIPE

descr: DE-HEC-80-237-128
origin: AS20773
notify: notify@one-2-one.net
mnt-by: ONE2ONE-MNT
changed: hostmaster@hosteurope.de 20011114
source: RIPE

role: Host Europe Ripehandle
address: Hansestr. 109
address: 51149 Koeln
phone: +49 2203 1045 0
e-mail: hostmaster@hosteurope.de
trouble: hostmaster@hosteurope.de
admin-c: DART
admin-c: FLX
admin-c: WIRR
tech-c: DART
tech-c: FLX
tech-c: WIRR
nic-hdl: HER12-RIPE
notify: hostmaster@hosteurope.de
mnt-by: ONE2ONE-MNT
changed: hostmaster@hosteurope.de 20010720
changed: hostmaster@hosteurope.de 20020617
changed: hostmaster@hosteurope.de 20021115
changed: hostmaster@hosteurope.de 20031029
changed: fs@hosteurope.de 20040521
changed: fs@hosteurope.de 20040524
source: RIPE

person: Uwe Braun
address: Hansestr. 109
address: 51149 Koeln
phone: +49 2203 1045 7000
e-mail: uwe.braun@hosteurope.de
nic-hdl: HER4-RIPE
changed: hostmaster@hosteurope.de 20011123
changed: hostmaster@hosteurope.de 20031029
source: RIPE
mnt-by: ONE2ONE-MNT

Grab yourself a copy of TDS 3 and run a complete scan. This software is fully functional except that it has to be manually updated and it's a time limited trial.
Old 17-August-2004, 22:27

Great call, ZerO.

Scan Control Dumped @ 22:24:56 17-08-04
RegVal Trace: Suspicious please submit: HKEY_LOCAL_MACHINE
File: Software\Microsoft\Windows\CurrentVersion\RunServices [Print Spooler=spools.exe]

That's without installing the update. BTW, how do you install the update? :D


Last edited by shred; 17-August-2004 at 23:11.
Old 17-August-2004, 22:47

Sorted, replace the td3 file.

Thanks again,

Old 17-August-2004, 23:17

As you have discovered, TDS-3 is a very powerful piece of software. It's probably the best anti-trojan suite on the market.
Old 05-March-2009, 06:53
Re: Help please. Netstat.

Hey ZerO... I had the same prob. I installed TDS3; however, it did not find anything, but I cannot see any more SYN packets sent over the microsoft-ds port.
I doubt the problem is going to hit again. Do you have any idea of any such free software like TDS3, or do you have the crack for TDS 3 and related Diamond software?

Please let me know.

