-
February 12th, 2004, 10:39 PM
#1
Junior Member
Strange connections
My computer has been running slow lately. So I go to the command prompt and see what connections I have: I find a bunch of TCP connections to weird IPs which are changing every ten seconds or so:
first: I get 12-217-246-149.client.mchsi.com:1804
10 seconds later: mr-elansing-238-248.dmisinetworks.com:3740
10 seconds later: dhcp1718.hrn.resnet.group.upenn.edu:3541
10 seconds later: syru230-064.syr.edu:1399
I have zone alarms installed and allow the following programs access to the internet:
svcpack.exe
spooler subsystem app
mozilla
aim (as both access and server)
Generic Host Process for Win32 Services
Adobe Reader 6.0
I also have Norton Antivirus installed and have run a check. Is there any way to find which program or process is using these ports?
-
February 12th, 2004, 10:47 PM
#2
Ummm.. svcpack.exe might be a trojan. Might want to deny access out for that one and see if those connections die. Sophos has some info on it.
-
February 12th, 2004, 10:58 PM
#3
client.mchsi.com:1804
dmisinetworks.com
hrn.resnet.group.upenn.edu
syru230-064.syr.edu:
I ran a google search on these, and even broke them down and researched them. They all came up blank.
If it is not a trojan as MsMittens suggests, then I would get some spyware removal tools and start there.
"Life should NOT be a journey to the grave with the intention of arriving safely in an attractive and well preserved body, but rather to skid in sideways, Champagne in one hand - strawberries in the other, body thoroughly used up, totally worn out and screaming WOO HOO - What a Ride!"
Author Unknown
-
February 12th, 2004, 11:03 PM
#4
Junior Member
I wouldn't think that spyware would cycle through different connections, my guess is a trojan. I do get a connection to mjxads.internet.com with no browsers open.
-
February 13th, 2004, 12:14 AM
#5
Senior Member
Originally posted here by newinnash
I wouldn't think that spyware would cycle through different connections, my guess is a trojan. I do get a connection to mjxads.internet.com with no browsers open.
^^^^^ :P
>> get pstools (sysinternals.com), fport (foundstone.com) and a commandline
let fport map procs' IDs to the listening ports
something you do not know ??
pskill #pid
check with netstat -an for the unwanted connections
if still there kill the next

and for that mjxads.internet.com:
i like the line:
63.146.109.212 mjxads.internet.com
in /etc/hosts
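As an added example (not code from the thread), one scriptable form of the mapping step the post above describes: it parses `netstat -ano` output (Windows XP prints the owning PID in the last column), joins it to a PID-to-image-name map of the kind fport or tasklist would give, and lists established connections belonging to processes outside the ZoneAlarm allowlist from the first post. The sample output, PIDs, local address and all foreign IPs except the one encoded in the first hostname are constructed.

```python
import re
from collections import defaultdict

# Constructed `netstat -ano` output. Only 12.217.246.149 comes from the
# thread (decoded from 12-217-246-149.client.mchsi.com); the rest are
# RFC 5737 documentation addresses and made-up PIDs.
NETSTAT_SAMPLE = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       912
  TCP    192.168.1.5:1804       12.217.246.149:1804    ESTABLISHED     2240
  TCP    192.168.1.5:3740       203.0.113.238:3740     ESTABLISHED     2240
  TCP    192.168.1.5:1120       198.51.100.20:80       ESTABLISHED     1588
  UDP    0.0.0.0:500            *:*                                    912
"""

# Constructed PID -> image name map, standing in for fport/tasklist output.
PROCESS_NAMES = {912: "svchost.exe", 1588: "mozilla.exe", 2240: "svcpack.exe"}

# Image names for the programs the poster allowed through ZoneAlarm
# (assumed file names; anything else holding a connection is suspect).
KNOWN_GOOD = {"svchost.exe", "mozilla.exe", "aim.exe", "spoolsv.exe", "acrord32.exe"}

# TCP rows carry a State column; UDP rows do not, so State is optional.
ROW = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)\s+(?:(\S+)\s+)?(\d+)\s*$")


def parse_netstat(text):
    """Return (proto, local, foreign, state, pid) tuples; skip header lines."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            proto, local, foreign, state, pid = m.groups()
            rows.append((proto, local, foreign, state or "", int(pid)))
    return rows


def suspect_connections(text, process_names, known_good):
    """Map image name -> foreign endpoints for ESTABLISHED TCP connections
    owned by a process that is not on the allowlist (unknown PIDs included)."""
    found = defaultdict(list)
    for proto, _local, foreign, state, pid in parse_netstat(text):
        if proto != "TCP" or state != "ESTABLISHED":
            continue
        name = process_names.get(pid, f"<unknown pid {pid}>")
        if name.lower() not in known_good:
            found[name].append(foreign)
    return dict(found)
```

Running `suspect_connections(NETSTAT_SAMPLE, PROCESS_NAMES, KNOWN_GOOD)` on the sample attributes both cycling connections to svcpack.exe, which is the candidate to deny and kill before re-checking with netstat.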

-
February 13th, 2004, 12:55 AM
#6
Senior Member
MsMittens is correct and check the link to remove it
http://www.computing.net/security/ww...orum/7160.html
Life is a shipwreck but we must not forget to sing in the lifeboats. ~Voltaire
-
February 13th, 2004, 01:24 AM
#7
Senior Member
better you do new install, 'cos you can't be sure that there aren't any more compromises like new admins, or new services...
it could be possible that your passwords had been stolen.
-
February 13th, 2004, 02:03 AM
#8
Junior Member
Yes svcpack.exe was a trojan, removed the registry key that loaded it. thanks.