Windows Forum / Windows XP / General Topics 1 / May 2008

Something on my system is trying to connect to outside.  But what???

Frank Dreyfus - 21 May 2008 03:35 GMT
Hi,

Some process is making repeated attempts (every 5 seconds or so) to
connect to ip: 216.168.41.231 TCP ports 135 and 524.

That ip appears to belong to Digital Forest in Seattle, WA.  Digital
Forest appears to be a web hosting company.

My firewall is blocking these attempts.  It's the firewall log that
alerted me to this situation.

I'd like to kill the process that's doing this, but have no idea how to
find the process.  Netstat is no help b/c there is no open connection;
just an attempt.

Any ideas how to track this down?

Thanks,

Frank
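The pattern Frank spotted in his firewall log (the same destination retried every five seconds or so) is exactly what an automated pass over the log can pick out. The script below is an added example, not part of the thread; it assumes the W3C-style layout the Windows Firewall writes to pfirewall.log (a `#Fields:` header naming date, time, action, protocol, addresses, ports and a trailing `path` of SEND or RECEIVE) and a firewall configured to log outbound attempts, since the XP firewall logs only dropped inbound packets by default. The log lines are constructed: the retried destination and ports are the ones from the post, and 198.51.100.10 is a documentation address standing in for ordinary web traffic.

```python
"""Find destinations that a host keeps retrying at a steady cadence (beacon-like behaviour).

Added example; assumes the W3C-style layout of the Windows Firewall log (pfirewall.log)
and a firewall configured to log outbound attempts.
"""
import sys
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample log, not a real capture. The retried destination and ports
# are the ones from the post; 198.51.100.10 is a documentation address standing
# in for ordinary web traffic.
SAMPLE_LOG = """\
#Version: 1.5
#Software: Microsoft Windows Firewall
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2008-05-21 03:30:00 DROP TCP 192.168.1.5 216.168.41.231 3100 135 48 S 1 0 65535 - - - SEND
2008-05-21 03:30:00 DROP TCP 192.168.1.5 216.168.41.231 3101 524 48 S 1 0 65535 - - - SEND
2008-05-21 03:30:03 ALLOW TCP 192.168.1.5 198.51.100.10 3102 80 48 S 1 0 65535 - - - SEND
2008-05-21 03:30:05 DROP TCP 192.168.1.5 216.168.41.231 3103 135 48 S 1 0 65535 - - - SEND
2008-05-21 03:30:05 DROP TCP 192.168.1.5 216.168.41.231 3104 524 48 S 1 0 65535 - - - SEND
2008-05-21 03:30:10 DROP TCP 192.168.1.5 216.168.41.231 3105 135 48 S 1 0 65535 - - - SEND
2008-05-21 03:30:10 DROP TCP 192.168.1.5 216.168.41.231 3106 524 48 S 1 0 65535 - - - SEND
2008-05-21 03:30:15 DROP TCP 192.168.1.5 216.168.41.231 3107 135 48 S 1 0 65535 - - - SEND
2008-05-21 03:30:15 DROP TCP 192.168.1.5 216.168.41.231 3108 524 48 S 1 0 65535 - - - SEND
2008-05-21 03:31:47 ALLOW TCP 192.168.1.5 198.51.100.10 3109 443 48 S 1 0 65535 - - - SEND
"""


def parse_log(text):
    """Yield (timestamp, record-dict) for each data line, using the #Fields header for names."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        parts = line.split()
        if len(parts) != len(fields):
            continue  # truncated or foreign line: skip rather than guess
        rec = dict(zip(fields, parts))
        ts = datetime.strptime(rec["date"] + " " + rec["time"], "%Y-%m-%d %H:%M:%S")
        yield ts, rec


def find_beacons(text, min_attempts=4, max_jitter=0.2):
    """Group outbound attempts by (dst-ip, dst-port) and report the groups that recur
    at a near-constant interval: at least min_attempts events whose gaps have a
    coefficient of variation (stdev / mean) no larger than max_jitter."""
    attempts = defaultdict(list)
    for ts, rec in parse_log(text):
        if rec.get("path") != "SEND":  # outbound only; RECEIVE lines are inbound noise here
            continue
        attempts[(rec["dst-ip"], rec["dst-port"])].append(ts)

    beacons = []
    for (dst, port), stamps in attempts.items():
        if len(stamps) < min_attempts:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        interval = mean(gaps)
        if interval <= 0:
            continue  # everything in the same second: a burst, not a cadence
        jitter = pstdev(gaps) / interval
        if jitter <= max_jitter:
            beacons.append({"dst": dst, "port": int(port), "attempts": len(stamps),
                            "interval": interval, "jitter": round(jitter, 3)})
    return sorted(beacons, key=lambda b: (b["dst"], b["port"]))


if __name__ == "__main__":
    # Pass a log path to scan a real file; with no argument the constructed sample is used.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            text = fh.read()
    else:
        text = SAMPLE_LOG
    for b in find_beacons(text):
        print(f"{b['dst']}:{b['port']}  {b['attempts']} attempts every "
              f"{b['interval']:.1f}s (jitter {b['jitter']})")
```

On the sample this reports both 216.168.41.231:135 and 216.168.41.231:524 as retried every 5.0 s with zero jitter, while the two web connections, being single events, are ignored. The jitter threshold is what separates a timer-driven retry from a user who happens to visit the same site a few times; tighten `max_jitter` on a busy host.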
David H. Lipman - 21 May 2008 03:41 GMT
From: "Frank Dreyfus" <fdreyfus@nyw.com>

| Hi,
|
[quoted text clipped - 16 lines]
|
| Frank

Start by downloading the Sysinternals TCPView GUI utility.  This utility will show what
process is trying to connect to the Internet.

http://download.sysinternals.com/Files/TcpView.zip

Signature

Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp
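TCPView shows the attempt live; the same information is also reachable from the command line, because a retried connection sits for a few seconds in the SYN_SENT state and `netstat -ano` (XP and later) prints the owning PID for rows in that state, which `tasklist` then maps to an image name. The script below is an added example, not from the thread or from Sysinternals: it parses the two tools' output, and the netstat and tasklist text embedded in it is constructed to match their real column layout, with the foreign address and ports from the post, made-up PIDs, and the image name Frank reports later in the thread.

```python
"""Catch the short-lived SYN_SENT state of a retried connection and name the owning process.

Added example; assumes the column layout of `netstat -ano -p tcp` and of
`tasklist /FO CSV /NH` on Windows XP and later.
"""
import csv
import io
import subprocess
import sys
import time

# Constructed netstat output (not a real capture): foreign address and ports are
# from the post, PIDs are made up, and the image name is the one Frank reports
# later in the thread.
SAMPLE_NETSTAT = """\

Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       1012
  TCP    192.168.1.5:3104       216.168.41.231:135     SYN_SENT        2244
  TCP    192.168.1.5:3105       216.168.41.231:524     SYN_SENT        2244
  TCP    192.168.1.5:3108       198.51.100.10:80       ESTABLISHED     1804
"""

# Constructed `tasklist /FO CSV /NH` output for the same PIDs.
SAMPLE_TASKLIST = """\
"svchost.exe","1012","Console","0","4,912 K"
"hpbpro.exe","2244","Console","0","6,208 K"
"iexplore.exe","1804","Console","0","31,340 K"
"""


def parse_netstat(text):
    """Return one dict per TCP row: local, foreign, state, pid."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 5 and parts[0] == "TCP" and parts[4].isdigit():
            rows.append({"local": parts[1], "foreign": parts[2],
                         "state": parts[3], "pid": int(parts[4])})
    return rows


def parse_tasklist(text):
    """Map PID -> image name from tasklist's CSV output."""
    names = {}
    for row in csv.reader(io.StringIO(text)):
        if len(row) >= 2 and row[1].isdigit():
            names[int(row[1])] = row[0]
    return names


def pending_attempts(netstat_text, target_ip=None):
    """Rows still in SYN_SENT, i.e. attempts not yet answered (or silently dropped);
    optionally restricted to one foreign IP. rsplit keeps [::1]:port forms intact."""
    hits = []
    for r in parse_netstat(netstat_text):
        if r["state"] != "SYN_SENT":
            continue
        if target_ip and r["foreign"].rsplit(":", 1)[0] != target_ip:
            continue
        hits.append(r)
    return hits


def attribute(netstat_text, tasklist_text, target_ip=None):
    """(pid, image, foreign) for each pending attempt; PIDs that exited are labelled unknown."""
    names = parse_tasklist(tasklist_text)
    return [(r["pid"], names.get(r["pid"], "<unknown>"), r["foreign"])
            for r in pending_attempts(netstat_text, target_ip)]


def watch(target_ip=None, interval=0.5, rounds=60):
    """Poll on Windows: SYN_SENT lasts only seconds, so poll faster than the retry period."""
    seen = set()
    for _ in range(rounds):
        ns = subprocess.run(["netstat", "-ano", "-p", "tcp"], capture_output=True, text=True).stdout
        tl = subprocess.run(["tasklist", "/FO", "CSV", "/NH"], capture_output=True, text=True).stdout
        for pid, image, foreign in attribute(ns, tl, target_ip):
            if (pid, foreign) not in seen:
                seen.add((pid, foreign))
                print(f"PID {pid} ({image}) -> {foreign}")
        time.sleep(interval)


if __name__ == "__main__":
    if sys.platform == "win32":
        watch(sys.argv[1] if len(sys.argv) > 1 else None)
    else:  # off Windows, demonstrate on the constructed sample
        for pid, image, foreign in attribute(SAMPLE_NETSTAT, SAMPLE_TASKLIST, "216.168.41.231"):
            print(f"PID {pid} ({image}) -> {foreign}")
```

Run as `python watch_synsent.py 216.168.41.231` on the affected machine and leave it for half a minute; with a five-second retry cadence, a half-second poll catches every attempt. A PID that netstat reports but tasklist no longer lists means the process exited between the two calls, which is itself a hint that something short-lived is being spawned on a timer rather than a resident service retrying.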

Frank Dreyfus - 21 May 2008 05:10 GMT
> Start by downloading the Sysinternals TCPView GUI utility.

Thanks!

A very handy utility indeed.

For future users with this issue...

It turned out to be HPBPRO.exe.  An HP utility installed along with the
printer driver.  It doesn't appear to be needed at all and some users
have found that it consumes 100% CPU time when it runs (that's every 5
seconds!).

See here: http://forums12.itrc.hp.com/service/forums/questionanswer.do?
admit=109447627+1211341805724+28353475&threadId=370850

for a discussion and methods for disabling it.  I used John Fleming's
method and it seems to work perfectly.

Don't know why they install this stuff in the first place.

Thanks for your help,

Frank
jameshanley39@yahoo.co.uk - 21 May 2008 05:25 GMT
On 21 May, 03:41, "David H. Lipman" <DLipman~nosp...@Verizon.Net>
wrote:
> From: "Frank Dreyfus" <fdrey...@nyw.com>
>
[quoted text clipped - 27 lines]
> Dave
> http://www.claymania.com/removal-trojan-adware.html
> Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp

I used to use Active Ports..  and netstat for a snapshot..
But even then.
Suppose it says svchost.exe

Then what would -you-/readers do?
David H. Lipman - 21 May 2008 21:35 GMT
From: <jameshanley39@yahoo.co.uk>

| I used to use Active Ports..  and netstat for a snapshot..
| But even then.
| Suppose it says svchost.exe
|
| Then what would -you-/readers do?

If the communication is not from a separate EXE file then you have to determine what is
loaded into the OS through a utility such as Process Explorer.  You would suspend processes
until the communication stops and then isolate the process.  Then you have a clue to what
the actual process is and you can then delve into what modules are loaded by that process.
Not easy for a beginner.

Signature

Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp

jameshanley39@yahoo.co.uk - 21 May 2008 22:00 GMT
On 21 May, 21:35, "David H. Lipman" <DLipman~nosp...@Verizon.Net>
wrote:
> From: <jameshanle...@yahoo.co.uk>
>
[quoted text clipped - 11 lines]
>
> --

ok... I see the process is for techies.. no problem,  most here are
techies.. Just warn the non-techies!

your method sounds a bit better than the one I have seen. The method I
saw was using "sysinternals" process explorer, see what DLLs are using
the process.  If one looked suspicious e.g. it was called
skjfdfd.dll !!!! Then rename the dll. And looking at the company
listed as publisher - though that can be spoofed.

(of course, renaming a dll in use, is like the methods of deleting an
"undeletable" file. unlocker, safe mode. If all else fails - bart pe
will do it without any difficulty. )

I guess when you say isolate and suspend processes (to find the
culprit process), you mean suspend the dll.  Since really it is only
one EXE/process that is being used/abused/hijacked.

How would you "suspend the process" ?
David H. Lipman - 21 May 2008 22:32 GMT
From: <jameshanley39@yahoo.co.uk>

| ok... I see the process is for techies.. no problem,  most here are
| techies.. Just warn the non-techies!
[quoted text clipped - 14 lines]
|
| How would you "suspend the process" ?

Using Process Explorer, Right-Click on the process and choose Suspend.

Now in a case of a DLL such as;  skjfdfd.dll
You would want to determine the loading vector and fully qualified name and path.

Example FQN:  %windir%\system32\skjfdfd.dll

You can search the Registry for;  skjfdfd.dll and thus find the loading vector.

The Sysinternals utility AutoRuns can also be used.
http://download.sysinternals.com/Files/Autoruns.zip

Let's say it uses Winlogon/Notify to load.

Example:
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\skjfdfd

You can try to delete the key.  Chances are it is protecting itself and you can't delete
that key but you can try.  If you are successful, you can then reboot the PC and delete the
DLL.  If the key (in the example) Winlogon\Notify\skjfdfd could NOT be deleted then you can
boot into the Recovery Console and logon as Administrator.

In the Recovery Console you can then rename/delete the file  %windir%\system32\skjfdfd.dll
and then reboot.

NOTE:  The above is NOT all inclusive.  There are variations to the above approach and
possible additional steps.

Signature

Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp
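Dave's "search the Registry for skjfdfd.dll" step can be done offline against a `reg export` of the relevant hive or key, which has the side benefit of leaving a record of what was found before anything is deleted. The script below is an added example, not part of the thread: the .reg text it parses is constructed, the Notify\skjfdfd key and its DLLName value follow the layout a real Winlogon notification package registers (the key path is the one Dave gives), and crypt32chain is a stock XP notification package kept in as a legitimate neighbour so that the match can be seen to be selective.

```python
"""Find the registry value(s) that load a given DLL from a `reg export` (.reg) file.

Added example; the .reg text below is constructed, laid out as regedit/reg.exe
write it (version 5.00 header, [key] lines, "name"=data lines).
"""
import re
import sys

# Constructed sample. The Notify\skjfdfd key uses the DLLName/Startup/... values a
# real Winlogon notification package registers; crypt32chain is a stock XP package
# kept in as a legitimate neighbour so the search can be seen to be selective.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="Explorer.exe"
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"DLLName"="crypt32.dll"
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\skjfdfd]
"Asynchronous"=dword:00000001
"DLLName"="skjfdfd.dll"
"Impersonate"=dword:00000000
"Startup"="StartupHook"
"""

KEY_RE = re.compile(r"^\[(-?)(.+)\]$")                  # [path] or [-path] (a deletion)
VALUE_RE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')  # @=data or "name"=data


def parse_reg(text):
    """Yield (key_path, value_name, raw_data) for every value; hex continuation lines are skipped."""
    key = None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("Windows Registry Editor", "REGEDIT4", ";")):
            continue
        m = KEY_RE.match(line)
        if m:
            key = m.group(2)
            continue
        m = VALUE_RE.match(line)
        if m and key is not None:
            name = "(Default)" if m.group(1) == "@" else m.group(1)[1:-1]
            yield key, name, m.group(2)


def decode_string(raw):
    """Undo .reg string escaping (doubled backslashes, escaped quotes); other data types
    (dword:, hex:) are returned unchanged."""
    if len(raw) >= 2 and raw[0] == '"' and raw[-1] == '"':
        return raw[1:-1].replace('\\"', '"').replace("\\\\", "\\")
    return raw


def find_loading_vectors(text, dll_name):
    """Map each key whose string data mentions dll_name (case-insensitive) to its matching values."""
    needle = dll_name.lower()
    hits = {}
    for key, name, raw in parse_reg(text):
        data = decode_string(raw)
        if needle in data.lower():
            hits.setdefault(key, []).append((name, data))
    return hits


def read_reg_file(path):
    """regedit writes .reg files as UTF-16LE with a BOM; older REGEDIT4 exports are ANSI."""
    with open(path, "rb") as fh:
        data = fh.read()
    return data.decode("utf-16") if data.startswith(b"\xff\xfe") else data.decode("latin-1")


if __name__ == "__main__":
    # usage: find_vector.py <export.reg> <dll name>; with no arguments the sample is searched
    text = read_reg_file(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_REG
    wanted = sys.argv[2] if len(sys.argv) > 2 else "skjfdfd.dll"
    for key, values in find_loading_vectors(text, wanted).items():
        print(key)
        for name, data in values:
            print(f"    {name} = {data}")
```

To use it on a live machine, export the suspect area first, for example `reg export "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" winlogon.reg`, then run `python find_vector.py winlogon.reg skjfdfd.dll`; exporting the whole HKLM\SOFTWARE hive works the same way and also catches Run keys, services and shell extensions. Searching the decoded data rather than the raw line matters because .reg files double every backslash, so a path like `C:\WINDOWS\system32\skjfdfd.dll` would otherwise still match but a search for `system32\skjfdfd.dll` would not.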

jameshanley39@yahoo.co.uk - 22 May 2008 00:04 GMT
On 21 May, 22:32, "David H. Lipman" <DLipman~nosp...@Verizon.Net>
wrote:
> From: <jameshanle...@yahoo.co.uk>
>
[quoted text clipped - 47 lines]
> Dave
> http://www.claymania.com/removal-trojan-adware.html
> Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp

that's a great post..

Are there any forums that have descriptions like this, which
collectively, are fairly all-inclusive ?
David H. Lipman - 22 May 2008 00:22 GMT
From: <jameshanley39@yahoo.co.uk>

| that's a great post..
|
| Are there any forums that have descriptions like this, which
| collectively, are fairly all-inclusive ?

Such discussions go on in various spyware and virus related news groups.

Signature

Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp

 
©2008 Advenet LLC