What is going on?
Started by S.Dizzle, Mar 25 2005 04:46 PM
#1
Posted 25 March 2005 - 04:46 PM
#2
Posted 25 March 2005 - 05:17 PM
Hi,
What command did you use for netstat?
netstat -b -v
Thanks
Webxican
#3
Posted 25 March 2005 - 08:22 PM
I used the netstat -b command.
#4
Posted 26 March 2005 - 03:21 AM
Here are 2 more screenshots I took just now. I used the -b -v command this time. I'm still getting all these connections from the 'system' process to my router. There are three whole screens of these connections, which seems kinda odd to me. Also, I'd just changed all my router passwords and the SSID earlier today and this started happening not long after. I've never seen this happen before up until today. Any help would be appreciated. Thanks.
#5
Posted 26 March 2005 - 12:04 PM
Hi sorry for the slow response time.
Let's try working with the PID information. If you bring up the task manager (CTRL+ALT+DEL), click the process tab, then click View > Select Columns and check PID; see if this shows what PID 4 is on your PC.
I'd also check your startup processes from msconfig. That same unknown process component may be in startup.
Maybe you have a P2P program running? or bit torrent? Or some type of Trojan or Keylogger?
Hopefully the PID will point to what process is attempting those connections.
Thanks
Webxican
#6
Posted 26 March 2005 - 12:13 PM
Wait a minute. Now that I think about it PID 4 will only show system as the process. Looking at this further it may be an RPC bug problem. I'll research a little more and let you know what I find.
Is the OS xp sp2? Pro or Home?
Thanks
Webxican
#7
Posted 26 March 2005 - 02:56 PM
Sorry, I just realized this is in the wrong forum, but I may as well just go from here. You're right, it does indeed show 'system' as the process with PID 4. I'm running XP Pro SP2 with all updates current. I'm also running NAV 2004 Pro, Blackice PC Protection (firewall), and I've been using Ad-aware, Spybot S&D and Spyware Blaster. These are also updated frequently. I also have HijackThis if you want to see a log. Thanks for your help Webxican, it's much appreciated.
S.
#8
Posted 26 March 2005 - 06:07 PM
I've been looking into various things having to do with this subject, and I was poking around my registry. Under HKEY_USERS, there are a few entries that seem kinda weird to me. I've got .DEFAULT, then S-1-5-18, S-1-5-19, S-1-5-20, and S-1-5-21-(then a bunch of random numbers separated by dashes). There's also S-1-5-19_Classes, S-1-5-20_Classes, and 21_Classes as well. Now, under these users, Netscape Navigator is installed under Software. I haven't used Netscape in almost a decade, and I'm sure I've never installed it on this computer. Why would it be there? I'm confused, and this is driving me insane. I'm on a laptop right now, 'cause I don't want to connect to the net from my main box 'cause I keep getting all those weird connections. Also, Blackice has been reporting an unusual amount of port scans since I installed it. Some are coming from other computers on my network (I have 3 in total), some from my router, and some from other IPs. On my downstairs comp, I had about 60 port scans in about 5 or 10 minutes from my router. Why would my router be running port scans on my boxes, or other comps on my network doing the same? Thanks, S.
#9
Posted 26 March 2005 - 06:30 PM
I just went down to my wired computer, and Blackice had blocked 118 consecutive "TCP Probe Other" from my router to my comp. Weird.
#10
Posted 26 March 2005 - 07:17 PM
Hi,
If you could go ahead & post your hijackthis log. I wouldn't worry too much about the Hkey user keys. I forget which program installs those keys but it's mostly media player info. You will see some keys refer to wmplayer. I have the same registry keys and this PC has never had Netscape.
So let's see if we can spot anything out of the ordinary in the hijackthis log.
Thanks
Webxican
#11
Posted 27 March 2005 - 01:16 PM
Alright, here's my HijackThis log attached. Thanks boss,
S.
#12
Posted 27 March 2005 - 07:14 PM
Hi,
I'm at work now so I'll have a look and see if I can spot anything to help us along. I'll post back something in a little while.
Thanks
Webxican
#13
Posted 27 March 2005 - 11:37 PM
Hi,
I'm having trouble determining what could be the cause of the excessive CLOSE_WAITs from System on your computer. I'm still researching, but if you could post your HijackThis log here:
http://www.geekstogo...o_Here-f37.html
You may get a faster resolution. I appreciate your patience and I don't want to hinder your progress. You could also post this thread so you don't have to repeat what you have already posted.
http://www.geekstogo...showtopic=13511
Thanks
Webxican
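An added example (not from the thread, and not any poster's own code) that applies Webxican's advice in posts #5 and #13: parse netstat output that includes the PID column and count connections per process, remote host and state, so a pile-up of CLOSE_WAIT sockets from PID 4 (the System process) to the router stands out instead of being spread over three screens. The netstat sample is constructed for the example, and the function names and the flagging threshold are my own choices.

```python
import re
from collections import Counter

# Constructed sample in the layout of "netstat -ano" (Proto, Local, Foreign, State, PID).
# The addresses and PIDs are made up; they are not from the thread's screenshots.
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    192.168.1.100:1045     192.168.1.1:80         CLOSE_WAIT      4
  TCP    192.168.1.100:1046     192.168.1.1:80         CLOSE_WAIT      4
  TCP    192.168.1.100:1047     192.168.1.1:80         CLOSE_WAIT      4
  TCP    192.168.1.100:1050     64.233.160.99:80       ESTABLISHED     1820
  TCP    192.168.1.100:139      0.0.0.0:0              LISTENING       4
  UDP    192.168.1.100:137      *:*                                    4
"""

# State is optional because UDP lines carry no state column.
LINE_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)\s+(?:([A-Z_]+)\s+)?(\d+)\s*$")

def parse_netstat(text):
    """Return one dict per connection line; headers and blank lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        proto, local, remote, state, pid = m.groups()
        rows.append({"proto": proto, "local": local, "remote": remote,
                     "state": state or "", "pid": int(pid)})
    return rows

def triage(rows, threshold=3):
    """Count (pid, remote host, state) tuples and flag CLOSE_WAIT clusters.

    A cluster is flagged when one PID has at least `threshold` CLOSE_WAIT
    sockets to the same remote host, the pattern the thread describes for
    PID 4 (System) and the router at 192.168.1.1.
    """
    counts = Counter()
    for r in rows:
        host = r["remote"].rsplit(":", 1)[0]  # strip the port
        counts[(r["pid"], host, r["state"])] += 1
    flagged = sorted((key, n) for key, n in counts.items()
                     if key[2] == "CLOSE_WAIT" and n >= threshold)
    return counts, flagged

if __name__ == "__main__":
    for (pid, host, state), n in triage(parse_netstat(SAMPLE_NETSTAT))[1]:
        print(f"PID {pid} ({'System' if pid == 4 else 'see Task Manager'}): "
              f"{n} x {state} to {host}")
```

On the real machine, feed it the saved output of `netstat -ano` instead of the constructed sample; PID 4 is always System, so the remaining question is which kernel-side service or driver owns those sockets.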
#14
Posted 28 March 2005 - 12:50 AM
Will do. Thanks again Webxican
S.
#15
Posted 28 March 2005 - 02:40 PM
Hi again. I just turned on my comp and connected to the internet. Almost immediately, my Blackice icon flashed red and upon opening it, it showed the event 'BOOTP_remote_overflow'. The intruder was listed as 192.168.1.1. Here's the page describing the event. This is the first 'high risk' event I've seen since installing the software a couple of weeks ago and it's kinda disconcerting. I don't even know what a bootpd server is, so I don't think anything should be happening having to do with it on my comp. I'm starting to consider reformatting and resetting my router, 'cause it might be a faster solution than trying to find the root of the problem. Tell me what you think. Thanks,
S.